Update zlint to v3.1.0 (#5373)

Update the pinned version of zlint from v2.2.1 to v3.1.0.
Also update the relevant path from v2 to v3 in both go.mod
and in individual imports. Update the vendored files to match.

No changes from v2.2.1 to v3.1.0 appear to affect the lints
we directly care about (e.g. those that we explicitly ignore).

Fixes #5206
Aaron Gable 2021-03-31 11:42:01 -07:00 committed by GitHub
parent b5471f36f0
commit 8e3c5325c6
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
579 changed files with 30091 additions and 15556 deletions


@ -17,8 +17,8 @@ import (
"github.com/jmhodges/clock"
"github.com/prometheus/client_golang/prometheus"
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v3"
"github.com/zmap/zlint/v3/lint"
"github.com/letsencrypt/boulder/cmd"
"github.com/letsencrypt/boulder/core"

8
go.mod

@ -25,11 +25,11 @@ require (
github.com/syndtr/goleveldb v0.0.0-20180331014930-714f901b98fd // indirect
github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399
github.com/weppos/publicsuffix-go v0.13.1-0.20210219130033-d67cf1da5bfc
github.com/zmap/zcrypto v0.0.0-20200513165325-16679db567ff
github.com/zmap/zlint/v2 v2.2.1
github.com/zmap/zcrypto v0.0.0-20210123152837-9cf5beac6d91
github.com/zmap/zlint/v3 v3.1.0
golang.org/x/crypto v0.0.0-20201216223049-8b5274cf687f
golang.org/x/net v0.0.0-20200202094626-16171245cfb2
golang.org/x/text v0.3.3
golang.org/x/net v0.0.0-20201110031124-69a78807bb2b
golang.org/x/text v0.3.4
google.golang.org/grpc v1.29.0
google.golang.org/protobuf v1.23.0
gopkg.in/square/go-jose.v2 v2.4.1

19
go.sum

@ -185,6 +185,7 @@ github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPx
github.com/sirupsen/logrus v1.3.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo=
github.com/sirupsen/logrus v1.4.2 h1:SPIRibHv4MatM3XXNO2BJeFLZwZ2LvZgfQ5+UNI2im4=
github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE=
github.com/sirupsen/logrus v1.7.0/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
@ -199,6 +200,7 @@ github.com/valyala/bytebufferpool v1.0.0/go.mod h1:6bBcMArwyJ5K/AmCkWv1jt77kVWyC
github.com/valyala/fasttemplate v1.0.1/go.mod h1:UQGH1tvbgY+Nz5t2n7tXsz52dQxojPUpymEIMZ47gx8=
github.com/weppos/publicsuffix-go v0.4.0/go.mod h1:z3LCPQ38eedDQSwmsSRW4Y7t2L8Ln16JPQ02lHAdn5k=
github.com/weppos/publicsuffix-go v0.5.0/go.mod h1:z3LCPQ38eedDQSwmsSRW4Y7t2L8Ln16JPQ02lHAdn5k=
github.com/weppos/publicsuffix-go v0.13.0/go.mod h1:z3LCPQ38eedDQSwmsSRW4Y7t2L8Ln16JPQ02lHAdn5k=
github.com/weppos/publicsuffix-go v0.13.1-0.20200526195454-983d101becd6 h1:ZRXyUEzq0HIULzh5VO/7Igju+LG0hGc8u1FX5SWdTcg=
github.com/weppos/publicsuffix-go v0.13.1-0.20200526195454-983d101becd6/go.mod h1:HYux0V0Zi04bHNwOHy4cXJVz/TQjYonnF6aoYhj+3QE=
github.com/weppos/publicsuffix-go v0.13.1-0.20200721065424-2c0d957a7459 h1:HSg0sbamo0i1wQa89tIuoUekIeonTumvEOuhlMwNnIU=
@ -217,6 +219,10 @@ github.com/zmap/zcrypto v0.0.0-20191112190257-7f2fe6faf8cf h1:Q9MiSA+G9DHe/TzG8p
github.com/zmap/zcrypto v0.0.0-20191112190257-7f2fe6faf8cf/go.mod h1:w7kd3qXHh8FNaczNjslXqvFQiv5mMWRXlL9klTUAHc8=
github.com/zmap/zcrypto v0.0.0-20200513165325-16679db567ff h1:0DDYlvtXPb8EMtQPZ2TJDcM+adqtzy77QOndkCW79JQ=
github.com/zmap/zcrypto v0.0.0-20200513165325-16679db567ff/go.mod h1:TxpejqcVKQjQaVVmMGfzx5HnmFMdIU+vLtaCyPBfGI4=
github.com/zmap/zcrypto v0.0.0-20201128221613-3719af1573cf h1:LEJcSlvjRUl6T7E0+mvKFxS61NsP1Z/+5jvHr4JQVVU=
github.com/zmap/zcrypto v0.0.0-20201128221613-3719af1573cf/go.mod h1:aPM7r+JOkfL+9qSB4KbYjtoEzJqUK50EXkkJabeNJDQ=
github.com/zmap/zcrypto v0.0.0-20210123152837-9cf5beac6d91 h1:vg8K1+q3S7SgNp4kV/uA+u190QWzi0IWTzvxnuxPdyw=
github.com/zmap/zcrypto v0.0.0-20210123152837-9cf5beac6d91/go.mod h1:R/deQh6+tSWlgI9tb4jNmXxn8nSCabl5ZQsBX9//I/E=
github.com/zmap/zlint/v2 v2.0.0 h1:Ve+1yR76LZhTXsxonKA35d5S8dIIW1pmIlr4ahrskhs=
github.com/zmap/zlint/v2 v2.0.0/go.mod h1:0jpqZ7cVjm8ABh/PTOp74MK50bPiN+HW+NjjESDxLVA=
github.com/zmap/zlint/v2 v2.1.0 h1:PU8w7/Cf1rr9jnCewH8i7cXDc5enHkhPE78KBkfsPnk=
@ -225,6 +231,10 @@ github.com/zmap/zlint/v2 v2.1.1-0.20200821023125-9ab0643df8f6 h1:gQnSKREhWm6xn3u
github.com/zmap/zlint/v2 v2.1.1-0.20200821023125-9ab0643df8f6/go.mod h1:Va5dIi3W4ZBvl3HHg9p23Mz/5TN5fHlgiCnsW54AWdQ=
github.com/zmap/zlint/v2 v2.2.1 h1:b2kI/ToXX16h2wjV2c6Da65eT6aTMtkLHKetXuM9EtI=
github.com/zmap/zlint/v2 v2.2.1/go.mod h1:ixPWsdq8qLxYRpNUTbcKig3R7WgmspsHGLhCCs6rFAM=
github.com/zmap/zlint/v3 v3.0.0 h1:mCCruybkWbiO8KlCXDqR48YOv+CTZyq9U8cOvXjfayU=
github.com/zmap/zlint/v3 v3.0.0/go.mod h1:paGwFySdHIBEMJ61YjoqT4h7Ge+fdYG4sUQhnTb1lJ8=
github.com/zmap/zlint/v3 v3.1.0 h1:WjVytZo79m/L1+/Mlphl09WBob6YTGljN5IGWZFpAv0=
github.com/zmap/zlint/v3 v3.1.0/go.mod h1:L7t8s3sEKkb0A2BxGy1IWrxt1ZATa1R4QfJZaQOD3zU=
golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
golang.org/x/crypto v0.0.0-20181203042331-505ab145d0a9/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
@ -232,6 +242,8 @@ golang.org/x/crypto v0.0.0-20190701094942-4def268fd1a4/go.mod h1:yigFU9vqHzYiE8U
golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
golang.org/x/crypto v0.0.0-20200124225646-8b5121be2f68 h1:WPLCzSEbawp58wezcvLvLnvhiDJAai54ESbc41NdXS0=
golang.org/x/crypto v0.0.0-20200124225646-8b5121be2f68/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
golang.org/x/crypto v0.0.0-20201124201722-c8d3bf9c5392/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I=
golang.org/x/crypto v0.0.0-20201216223049-8b5274cf687f h1:aZp0e2vLN4MToVqnjNEYEtrEA8RH8U8FN1CU7JgqsPU=
golang.org/x/crypto v0.0.0-20201216223049-8b5274cf687f/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I=
golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
@ -254,6 +266,8 @@ golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLL
golang.org/x/net v0.0.0-20190923162816-aa69164e4478/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
golang.org/x/net v0.0.0-20200202094626-16171245cfb2 h1:CCH4IOTTfewWjGOlSp+zGcjutRKlBEZQ6wTn8ozI/nI=
golang.org/x/net v0.0.0-20200202094626-16171245cfb2/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
golang.org/x/net v0.0.0-20201110031124-69a78807bb2b h1:uwuIcX0g4Yl1NC5XAz37xsr2lTtcqevgzYNVt49waME=
golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@ -276,12 +290,17 @@ golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7w
golang.org/x/sys v0.0.0-20200106162015-b016eb3dc98e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20200615200032-f1bc736245b1 h1:ogLJMz+qpzav7lGMh10LMvAkM/fAoGlaiiHYiFYdm80=
golang.org/x/sys v0.0.0-20200615200032-f1bc736245b1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20201126233918-771906719818 h1:f1CIuDlJhwANEC2MM87MBEVMr3jl5bifgsfj90XAF9c=
golang.org/x/sys v0.0.0-20201126233918-771906719818/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
golang.org/x/text v0.3.2 h1:tW2bmiBqwgJj/UpqtC8EpXEZVYOwU0yG4iWbprSVAcs=
golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
golang.org/x/text v0.3.3 h1:cokOdA+Jmi5PJGXLlLllQSgYigAEfHXJAERHVMaCc2k=
golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
golang.org/x/text v0.3.4 h1:0YWbFKbhXG/wIiuHDSKpS0Iy7FSA+u45VtBMfQcFTTc=
golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY=


@ -10,8 +10,8 @@ import (
"strings"
zlintx509 "github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v3"
"github.com/zmap/zlint/v3/lint"
)
// Check accomplishes the entire process of linting: it generates a throwaway


@ -209,6 +209,7 @@ type NameConstraints struct {
PermittedDNSNames []GeneralSubtreeString
PermittedEmailAddresses []GeneralSubtreeString
PermittedURIs []GeneralSubtreeString
PermittedIPAddresses []GeneralSubtreeIP
PermittedDirectoryNames []GeneralSubtreeName
PermittedEdiPartyNames []GeneralSubtreeEdi
@ -216,6 +217,7 @@ type NameConstraints struct {
ExcludedEmailAddresses []GeneralSubtreeString
ExcludedDNSNames []GeneralSubtreeString
ExcludedURIs []GeneralSubtreeString
ExcludedIPAddresses []GeneralSubtreeIP
ExcludedDirectoryNames []GeneralSubtreeName
ExcludedEdiPartyNames []GeneralSubtreeEdi
@ -227,6 +229,7 @@ type NameConstraintsJSON struct {
PermittedDNSNames []string `json:"permitted_names,omitempty"`
PermittedEmailAddresses []string `json:"permitted_email_addresses,omitempty"`
PermittedURIs []string `json:"permitted_uris,omitempty"`
PermittedIPAddresses []GeneralSubtreeIP `json:"permitted_ip_addresses,omitempty"`
PermittedDirectoryNames []pkix.Name `json:"permitted_directory_names,omitempty"`
PermittedEdiPartyNames []pkix.EDIPartyName `json:"permitted_edi_party_names,omitempty"`
@ -234,6 +237,7 @@ type NameConstraintsJSON struct {
ExcludedDNSNames []string `json:"excluded_names,omitempty"`
ExcludedEmailAddresses []string `json:"excluded_email_addresses,omitempty"`
ExcludedURIs []string `json:"excluded_uris,omitempty"`
ExcludedIPAddresses []GeneralSubtreeIP `json:"excluded_ip_addresses,omitempty"`
ExcludedDirectoryNames []pkix.Name `json:"excluded_directory_names,omitempty"`
ExcludedEdiPartyNames []pkix.EDIPartyName `json:"excluded_edi_party_names,omitempty"`
@ -252,6 +256,9 @@ func (nc *NameConstraints) UnmarshalJSON(b []byte) error {
for _, email := range ncJson.PermittedEmailAddresses {
nc.PermittedEmailAddresses = append(nc.PermittedEmailAddresses, GeneralSubtreeString{Data: email})
}
for _, uri := range ncJson.PermittedURIs {
nc.PermittedURIs = append(nc.PermittedURIs, GeneralSubtreeString{Data: uri})
}
for _, constraint := range ncJson.PermittedIPAddresses {
nc.PermittedIPAddresses = append(nc.PermittedIPAddresses, constraint)
}
@ -281,6 +288,9 @@ func (nc *NameConstraints) UnmarshalJSON(b []byte) error {
for _, email := range ncJson.ExcludedEmailAddresses {
nc.ExcludedEmailAddresses = append(nc.ExcludedEmailAddresses, GeneralSubtreeString{Data: email})
}
for _, uri := range ncJson.ExcludedURIs {
nc.ExcludedURIs = append(nc.ExcludedURIs, GeneralSubtreeString{Data: uri})
}
for _, constraint := range ncJson.ExcludedIPAddresses {
nc.ExcludedIPAddresses = append(nc.ExcludedIPAddresses, constraint)
}
@ -314,6 +324,9 @@ func (nc NameConstraints) MarshalJSON() ([]byte, error) {
for _, email := range nc.PermittedEmailAddresses {
out.PermittedEmailAddresses = append(out.PermittedEmailAddresses, email.Data)
}
for _, uri := range nc.PermittedURIs {
out.PermittedURIs = append(out.PermittedURIs, uri.Data)
}
out.PermittedIPAddresses = nc.PermittedIPAddresses
for _, directory := range nc.PermittedDirectoryNames {
out.PermittedDirectoryNames = append(out.PermittedDirectoryNames, directory.Data)
@ -331,6 +344,9 @@ func (nc NameConstraints) MarshalJSON() ([]byte, error) {
for _, email := range nc.ExcludedEmailAddresses {
out.ExcludedEmailAddresses = append(out.ExcludedEmailAddresses, email.Data)
}
for _, uri := range nc.ExcludedURIs {
out.ExcludedURIs = append(out.ExcludedURIs, uri.Data)
}
for _, ip := range nc.ExcludedIPAddresses {
out.ExcludedIPAddresses = append(out.ExcludedIPAddresses, ip)
}
@ -747,6 +763,7 @@ func (c *Certificate) jsonifyExtensions() (*CertificateExtensions, UnknownCertif
exts.NameConstraints.PermittedDNSNames = c.PermittedDNSNames
exts.NameConstraints.PermittedEmailAddresses = c.PermittedEmailAddresses
exts.NameConstraints.PermittedURIs = c.PermittedURIs
exts.NameConstraints.PermittedIPAddresses = c.PermittedIPAddresses
exts.NameConstraints.PermittedDirectoryNames = c.PermittedDirectoryNames
exts.NameConstraints.PermittedEdiPartyNames = c.PermittedEdiPartyNames
@ -754,6 +771,7 @@ func (c *Certificate) jsonifyExtensions() (*CertificateExtensions, UnknownCertif
exts.NameConstraints.ExcludedEmailAddresses = c.ExcludedEmailAddresses
exts.NameConstraints.ExcludedDNSNames = c.ExcludedDNSNames
exts.NameConstraints.ExcludedURIs = c.ExcludedURIs
exts.NameConstraints.ExcludedIPAddresses = c.ExcludedIPAddresses
exts.NameConstraints.ExcludedDirectoryNames = c.ExcludedDirectoryNames
exts.NameConstraints.ExcludedEdiPartyNames = c.ExcludedEdiPartyNames


@ -428,6 +428,39 @@ type JSONCertificate struct {
Redacted bool `json:"redacted"`
}
// CollectAllNames - Collect and validate all DNS / URI / IP Address names for a given certificate
func (c *Certificate) CollectAllNames() []string {
var names []string
if isValidName(c.Subject.CommonName) {
names = append(names, c.Subject.CommonName)
}
for _, name := range c.DNSNames {
if isValidName(name) {
names = append(names, name)
} else if !strings.Contains(name, ".") { //just a TLD
names = append(names, name)
}
}
for _, name := range c.URIs {
if util.IsURL(name) {
names = append(names, name)
}
}
for _, name := range c.IPAddresses {
str := name.String()
if util.IsURL(str) {
names = append(names, str)
}
}
return purgeNameDuplicates(names)
}
func (c *Certificate) MarshalJSON() ([]byte, error) {
// Fill out the certificate
jc := new(JSONCertificate)
@ -441,34 +474,7 @@ func (c *Certificate) MarshalJSON() ([]byte, error) {
jc.Validity.ValidityPeriod = c.ValidityPeriod
jc.Subject = c.Subject
jc.SubjectDN = c.Subject.String()
if isValidName(c.Subject.CommonName) {
jc.Names = append(jc.Names, c.Subject.CommonName)
}
for _, name := range c.DNSNames {
if isValidName(name) {
jc.Names = append(jc.Names, name)
} else if !strings.Contains(name, ".") { //just a TLD
jc.Names = append(jc.Names, name)
}
}
for _, name := range c.URIs {
if util.IsURL(name) {
jc.Names = append(jc.Names, name)
}
}
for _, name := range c.IPAddresses {
str := name.String()
if util.IsURL(str) {
jc.Names = append(jc.Names, str)
}
}
jc.Names = purgeNameDuplicates(jc.Names)
jc.Names = c.CollectAllNames()
jc.Redacted = false
for _, name := range jc.Names {
if strings.HasPrefix(name, "?") {


@ -3,6 +3,7 @@ package x509
import (
"encoding/asn1"
"encoding/json"
"errors"
)
type QCStatementASN struct {
@ -110,6 +111,9 @@ func (q *QCStatements) Parse(in *QCStatementsASN) error {
q.StatementIDs[i] = s.StatementID.String()
if s.StatementID.Equal(oidEtsiQcsQcCompliance) {
known.ETSICompliance = append(known.ETSICompliance, true)
if val != nil {
return errors.New("EtsiQcsQcCompliance QCStatement must not contain a statementInfo")
}
} else if s.StatementID.Equal(oidEtsiQcsQcLimitValue) {
// TODO
mvs := monetaryValueASNString{}
@ -135,6 +139,9 @@ func (q *QCStatements) Parse(in *QCStatementsASN) error {
known.RetentionPeriod = append(known.RetentionPeriod, retentionPeriod)
} else if s.StatementID.Equal(oidEtsiQcsQcSSCD) {
known.SSCD = append(known.SSCD, true)
if val != nil {
return errors.New("EtsiQcsQcSSCD QCStatement must not contain a statementInfo")
}
} else if s.StatementID.Equal(oidEtsiQcsQcEuPDS) {
locations := make([]PDSLocation, 0)
if _, err := asn1.Unmarshal(val, &locations); err != nil {


@ -785,6 +785,8 @@ type Certificate struct {
ExcludedDNSNames []GeneralSubtreeString
PermittedEmailAddresses []GeneralSubtreeString
ExcludedEmailAddresses []GeneralSubtreeString
PermittedURIs []GeneralSubtreeString
ExcludedURIs []GeneralSubtreeString
PermittedIPAddresses []GeneralSubtreeIP
ExcludedIPAddresses []GeneralSubtreeIP
PermittedDirectoryNames []GeneralSubtreeName
@ -1656,6 +1658,8 @@ func parseCertificate(in *certificate) (*Certificate, error) {
return out, err
}
out.PermittedEdiPartyNames = append(out.PermittedEdiPartyNames, GeneralSubtreeEdi{Data: ediName, Max: subtree.Max, Min: subtree.Min})
case 6:
out.PermittedURIs = append(out.PermittedURIs, GeneralSubtreeString{Data: string(subtree.Value.Bytes), Max: subtree.Max, Min: subtree.Min})
case 7:
switch len(subtree.Value.Bytes) {
case net.IPv4len * 2:
@ -1699,6 +1703,8 @@ func parseCertificate(in *certificate) (*Certificate, error) {
return out, err
}
out.ExcludedEdiPartyNames = append(out.ExcludedEdiPartyNames, GeneralSubtreeEdi{Data: ediName, Max: subtree.Max, Min: subtree.Min})
case 6:
out.ExcludedURIs = append(out.ExcludedURIs, GeneralSubtreeString{Data: string(subtree.Value.Bytes), Max: subtree.Max, Min: subtree.Min})
case 7:
switch len(subtree.Value.Bytes) {
case net.IPv4len * 2:


@ -1,12 +0,0 @@
module github.com/zmap/zlint/v2
require (
github.com/sirupsen/logrus v1.3.0
github.com/weppos/publicsuffix-go v0.4.0
github.com/zmap/zcrypto v0.0.0-20200513165325-16679db567ff
golang.org/x/crypto v0.0.0-20200124225646-8b5121be2f68
golang.org/x/net v0.0.0-20190620200207-3b0461eec859
golang.org/x/text v0.3.3
)
go 1.14


@ -1,59 +0,0 @@
package rfc
/*
* ZLint Copyright 2020 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
/************************************************
"A certificate MUST NOT include more than one instance of a particular extension."
************************************************/
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
)
type ExtDuplicateExtension struct{}
func (l *ExtDuplicateExtension) Initialize() error {
return nil
}
func (l *ExtDuplicateExtension) CheckApplies(cert *x509.Certificate) bool {
return cert.Version == 3
}
func (l *ExtDuplicateExtension) Execute(cert *x509.Certificate) *lint.LintResult {
// O(n^2) is not terrible here because n is capped around 10
for i := 0; i < len(cert.Extensions); i++ {
for j := i + 1; j < len(cert.Extensions); j++ {
if i != j && cert.Extensions[i].Id.Equal(cert.Extensions[j].Id) {
return &lint.LintResult{Status: lint.Error}
}
}
}
// Nested loop will return if it finds a duplicate, so safe to assume pass
return &lint.LintResult{Status: lint.Pass}
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_ext_duplicate_extension",
Description: "A certificate MUST NOT include more than one instance of a particular extension",
Citation: "RFC 5280: 4.2",
Source: lint.RFC5280,
EffectiveDate: util.RFC2459Date,
Lint: &ExtDuplicateExtension{},
})
}

12
vendor/github.com/zmap/zlint/v3/go.mod generated vendored Normal file

@ -0,0 +1,12 @@
module github.com/zmap/zlint/v3
require (
github.com/sirupsen/logrus v1.7.0
github.com/zmap/zcrypto v0.0.0-20210123152837-9cf5beac6d91
golang.org/x/crypto v0.0.0-20201124201722-c8d3bf9c5392
golang.org/x/net v0.0.0-20201110031124-69a78807bb2b
golang.org/x/sys v0.0.0-20201126233918-771906719818 // indirect
golang.org/x/text v0.3.4
)
go 1.15


@ -8,48 +8,59 @@ github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORN
github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE=
github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
github.com/mreiferson/go-httpclient v0.0.0-20160630210159-31f0106b4474 h1:oKIteTqeSpenyTrOVj5zkiyCaflLa8B+CD0324otT+o=
github.com/mreiferson/go-httpclient v0.0.0-20160630210159-31f0106b4474/go.mod h1:OQA4XLvDbMgS8P0CevmM4m9Q3Jq4phKUzcocxuGJ5m8=
github.com/op/go-logging v0.0.0-20160315200505-970db520ece7 h1:lDH9UUVJtmYCjyT0CI4q8xvlXPxeZ0gYCVvWbmPlp88=
github.com/op/go-logging v0.0.0-20160315200505-970db520ece7/go.mod h1:HzydrMdWErDVzsI23lYNej1Htcns9BCg93Dk0bBINWk=
github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
github.com/sirupsen/logrus v1.3.0 h1:hI/7Q+DtNZ2kINb6qt/lS+IyXnHQe9e90POfeewL/ME=
github.com/sirupsen/logrus v1.3.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo=
github.com/sirupsen/logrus v1.7.0 h1:ShrD1U9pZB12TX0cVy0DtePoCH97K8EtX+mg7ZARUtM=
github.com/sirupsen/logrus v1.7.0/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
github.com/stretchr/testify v1.3.0 h1:TivCn/peBQ7UY8ooIcPgZFpTNSz0Q2U6UrFlUfqbe0Q=
github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
github.com/stretchr/testify v1.4.0 h1:2E4SXV/wtOkTonXsotYi4li6zVWxYlZuYNCXe9XRJyk=
github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
github.com/weppos/publicsuffix-go v0.4.0 h1:YSnfg3V65LcCFKtIGKGoBhkyKolEd0hlipcXaOjdnQw=
github.com/weppos/publicsuffix-go v0.4.0/go.mod h1:z3LCPQ38eedDQSwmsSRW4Y7t2L8Ln16JPQ02lHAdn5k=
github.com/weppos/publicsuffix-go v0.13.1-0.20210123135404-5fd73613514e h1:X8mSlwys/CsazsP+x4De5k6JaltoDTpx72EV7KdEtNk=
github.com/weppos/publicsuffix-go v0.13.1-0.20210123135404-5fd73613514e/go.mod h1:HYux0V0Zi04bHNwOHy4cXJVz/TQjYonnF6aoYhj+3QE=
github.com/zmap/rc2 v0.0.0-20131011165748-24b9757f5521 h1:kKCF7VX/wTmdg2ZjEaqlq99Bjsoiz7vH6sFniF/vI4M=
github.com/zmap/rc2 v0.0.0-20131011165748-24b9757f5521/go.mod h1:3YZ9o3WnatTIZhuOtot4IcUfzoKVjUHqu6WALIyI0nE=
github.com/zmap/zcertificate v0.0.0-20180516150559-0e3d58b1bac4 h1:17HHAgFKlLcZsDOjBOUrd5hDihb1ggf+1a5dTbkgkIY=
github.com/zmap/zcertificate v0.0.0-20180516150559-0e3d58b1bac4/go.mod h1:5iU54tB79AMBcySS0R2XIyZBAVmeHranShAFELYx7is=
github.com/zmap/zcrypto v0.0.0-20191112190257-7f2fe6faf8cf h1:Q9MiSA+G9DHe/TzG8pnycDn3HwpQuTygphu9M/7KYqU=
github.com/zmap/zcrypto v0.0.0-20191112190257-7f2fe6faf8cf/go.mod h1:w7kd3qXHh8FNaczNjslXqvFQiv5mMWRXlL9klTUAHc8=
github.com/zmap/zcrypto v0.0.0-20200513165325-16679db567ff h1:0DDYlvtXPb8EMtQPZ2TJDcM+adqtzy77QOndkCW79JQ=
github.com/zmap/zcrypto v0.0.0-20200513165325-16679db567ff/go.mod h1:TxpejqcVKQjQaVVmMGfzx5HnmFMdIU+vLtaCyPBfGI4=
github.com/zmap/zcrypto v0.0.0-20210123152837-9cf5beac6d91 h1:vg8K1+q3S7SgNp4kV/uA+u190QWzi0IWTzvxnuxPdyw=
github.com/zmap/zcrypto v0.0.0-20210123152837-9cf5beac6d91/go.mod h1:R/deQh6+tSWlgI9tb4jNmXxn8nSCabl5ZQsBX9//I/E=
golang.org/x/crypto v0.0.0-20180904163835-0709b304e793 h1:u+LnwYTOOW7Ukr/fppxEb1Nwz0AtPflrblfvUudpo+I=
golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
golang.org/x/crypto v0.0.0-20190701094942-4def268fd1a4 h1:HuIa8hRrWRSrqYzx1qI49NNxhdi2PrY7gxVSq1JjLDc=
golang.org/x/crypto v0.0.0-20190701094942-4def268fd1a4/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
golang.org/x/crypto v0.0.0-20200124225646-8b5121be2f68 h1:WPLCzSEbawp58wezcvLvLnvhiDJAai54ESbc41NdXS0=
golang.org/x/crypto v0.0.0-20200124225646-8b5121be2f68/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
golang.org/x/crypto v0.0.0-20201124201722-c8d3bf9c5392 h1:xYJJ3S178yv++9zXV/hnr29plCAGO9vAFG9dorqaFQc=
golang.org/x/crypto v0.0.0-20201124201722-c8d3bf9c5392/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I=
golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3 h1:0GoQqolDA55aaLxZyTzK/Y2ePZzZTUrRacwib7cNsYQ=
golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
golang.org/x/net v0.0.0-20190620200207-3b0461eec859 h1:R/3boaszxrf1GEUWTVDzSKVwLmSJpwZ1yqXm8j0v2QI=
golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
golang.org/x/net v0.0.0-20200202094626-16171245cfb2/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
golang.org/x/net v0.0.0-20201110031124-69a78807bb2b h1:uwuIcX0g4Yl1NC5XAz37xsr2lTtcqevgzYNVt49waME=
golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33 h1:I6FyU15t786LL7oL/hn43zqTuEGr4PN7F4XJ1p4E3Y8=
golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
golang.org/x/sys v0.0.0-20190412213103-97732733099d h1:+R4KGOnez64A81RvjARKc4UT5/tI9ujCIVX+P5KiHuI=
golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20201126233918-771906719818 h1:f1CIuDlJhwANEC2MM87MBEVMr3jl5bifgsfj90XAF9c=
golang.org/x/sys v0.0.0-20201126233918-771906719818/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
golang.org/x/text v0.3.0 h1:g61tztE5qeGQ89tm6NTjjM9VPIm088od1l6aSorWRWg=
golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
golang.org/x/text v0.3.3 h1:cokOdA+Jmi5PJGXLlLllQSgYigAEfHXJAERHVMaCc2k=
golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
golang.org/x/text v0.3.4 h1:0YWbFKbhXG/wIiuHDSKpS0Iy7FSA+u45VtBMfQcFTTc=
golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127 h1:qIbj1fsPNlZgppZ+VLlY7N33q108Sa+fhmuc+sWQYwY=
gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
gopkg.in/yaml.v2 v2.2.2 h1:ZCJp+EgiOT7lHqUV2J862kp8Qj64Jo6az82+3Td9dZw=
gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=


@ -1,7 +1,7 @@
package lint
/*
* ZLint Copyright 2020 Regents of the University of Michigan
* ZLint Copyright 2021 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
@ -18,7 +18,7 @@ import (
"time"
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/util"
"github.com/zmap/zlint/v3/util"
)
// LintInterface is implemented by each Lint.


@ -1,5 +1,5 @@
/*
* ZLint Copyright 2020 Regents of the University of Michigan
* ZLint Copyright 2021 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy


@ -1,7 +1,7 @@
package lint
/*
* ZLint Copyright 2020 Regents of the University of Michigan
* ZLint Copyright 2021 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy


@ -7,7 +7,7 @@ import (
)
/*
* ZLint Copyright 2020 Regents of the University of Michigan
* ZLint Copyright 2021 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
@ -32,9 +32,8 @@ const (
CABFBaselineRequirements LintSource = "CABF_BR"
CABFEVGuidelines LintSource = "CABF_EV"
MozillaRootStorePolicy LintSource = "Mozilla"
AppleCTPolicy LintSource = "Apple"
ZLint LintSource = "ZLint"
AWSLabs LintSource = "AWSLabs"
AppleRootStorePolicy LintSource = "Apple"
Community LintSource = "Community"
EtsiEsi LintSource = "ETSI_ESI"
)
@ -47,7 +46,7 @@ func (s *LintSource) UnmarshalJSON(data []byte) error {
}
switch LintSource(throwAway) {
case RFC5280, RFC5480, RFC5891, CABFBaselineRequirements, CABFEVGuidelines, MozillaRootStorePolicy, AppleCTPolicy, ZLint, AWSLabs, EtsiEsi:
case RFC5280, RFC5480, RFC5891, CABFBaselineRequirements, CABFEVGuidelines, MozillaRootStorePolicy, AppleRootStorePolicy, Community, EtsiEsi:
*s = LintSource(throwAway)
return nil
default:
@ -77,12 +76,10 @@ func (s *LintSource) FromString(src string) {
*s = CABFEVGuidelines
case MozillaRootStorePolicy:
*s = MozillaRootStorePolicy
case AppleCTPolicy:
*s = AppleCTPolicy
case ZLint:
*s = ZLint
case AWSLabs:
*s = AWSLabs
case AppleRootStorePolicy:
*s = AppleRootStorePolicy
case Community:
*s = Community
case EtsiEsi:
*s = EtsiEsi
}


@ -1,5 +1,5 @@
/*
* ZLint Copyright 2020 Regents of the University of Michigan
* ZLint Copyright 2021 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
@ -20,12 +20,23 @@ import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zcrypto/x509/ct"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
"github.com/zmap/zlint/v3/lint"
"github.com/zmap/zlint/v3/util"
)
type sctPolicyCount struct{}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "w_ct_sct_policy_count_unsatisfied",
Description: "Check if certificate has enough embedded SCTs to meet Apple CT Policy",
Citation: "https://support.apple.com/en-us/HT205280",
Source: lint.AppleRootStorePolicy,
EffectiveDate: util.AppleCTPolicyDate,
Lint: &sctPolicyCount{},
})
}
// Initialize for a sctPolicyCount instance does nothing.
func (l *sctPolicyCount) Initialize() error {
return nil
@ -144,14 +155,3 @@ func appleCTPolicyExpectedSCTs(cert *x509.Certificate) int {
// The certificate had a validity > 39 months.
return 5
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "w_ct_sct_policy_count_unsatisfied",
Description: "Check if certificate has enough embedded SCTs to meet Apple CT Policy",
Citation: "https://support.apple.com/en-us/HT205280",
Source: lint.AppleCTPolicy,
EffectiveDate: util.AppleCTPolicyDate,
Lint: &sctPolicyCount{},
})
}


@ -1,5 +1,5 @@
/*
* ZLint Copyright 2020 Regents of the University of Michigan
* ZLint Copyright 2021 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
@ -18,12 +18,24 @@ import (
"time"
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
"github.com/zmap/zlint/v3/lint"
"github.com/zmap/zlint/v3/util"
)
type serverCertValidityTooLong struct{}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_tls_server_cert_valid_time_longer_than_398_days",
Description: "TLS server certificates issued on or after September 1, 2020 " +
"00:00 GMT/UTC must not have a validity period greater than 398 days",
Citation: "https://support.apple.com/en-us/HT211025",
Source: lint.AppleRootStorePolicy,
EffectiveDate: util.AppleReducedLifetimeDate,
Lint: &serverCertValidityTooLong{},
})
}
func (l *serverCertValidityTooLong) Initialize() error {
return nil
}
@ -33,14 +45,9 @@ func (l *serverCertValidityTooLong) CheckApplies(c *x509.Certificate) bool {
}
func (l *serverCertValidityTooLong) Execute(c *x509.Certificate) *lint.LintResult {
// "398 days is measured with a day being equal to 86,400 seconds. Any time
// greater than this indicates an additional day of validity."
dayLength := 86400 * time.Second
// "TLS server certificates issued on or after September 1, 2020 00:00 GMT/UTC
// must not have a validity period greater than 398 days."
maxValidity := 398 * dayLength
// "We recommend that certificates be issued with a maximum validity of 397 days."
warnValidity := 397 * dayLength
maxValidity := 398 * appleDayLength
// RFC 5280, section 4.1.2.5: "The validity period for a certificate is the period
// of time from notBefore through notAfter, inclusive."
@ -48,32 +55,7 @@ func (l *serverCertValidityTooLong) Execute(c *x509.Certificate) *lint.LintResul
if certValidity > maxValidity {
return &lint.LintResult{Status: lint.Error}
} else if certValidity > warnValidity {
return &lint.LintResult{
// RFC 2119 has SHOULD and RECOMMENDED as equal. Since Apple recommends
// 397 days we treat this as a lint.Warn result as a violation of
// a SHOULD.
Status: lint.Warn,
Details: "Apple recommends that certificates be issued with a maximum " +
"validity of 397 days.",
}
}
return &lint.LintResult{Status: lint.Pass}
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_tls_server_cert_valid_time_longer_than_398_days",
Description: "TLS server certificates issued on or after September 1, 2020 " +
"00:00 GMT/UTC must not have a validity period greater than 398 days",
Citation: "https://support.apple.com/en-us/HT211025",
// TODO(@cpu): The Source should be `lint.ApplePolicy` or something similar.
// The "CT" bit is too specific. Unfortunately since the constant is
// exported by the `util` package we can't change it without bumping the
// major version. See https://github.com/zmap/zlint/issues/418
Source: lint.AppleCTPolicy,
EffectiveDate: util.AppleReducedLifetimeDate,
Lint: &serverCertValidityTooLong{},
})
}


@ -0,0 +1,67 @@
/*
* ZLint Copyright 2021 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
package apple
import (
"time"
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v3/lint"
"github.com/zmap/zlint/v3/util"
)
type serverCertValidityAlmostTooLong struct{}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "w_tls_server_cert_valid_time_longer_than_397_days",
Description: "TLS server certificates issued on or after September 1, 2020 " +
"00:00 GMT/UTC should not have a validity period greater than 397 days",
Citation: "https://support.apple.com/en-us/HT211025",
Source: lint.AppleRootStorePolicy,
EffectiveDate: util.AppleReducedLifetimeDate,
Lint: &serverCertValidityAlmostTooLong{},
})
}
func (l *serverCertValidityAlmostTooLong) Initialize() error {
return nil
}
func (l *serverCertValidityAlmostTooLong) CheckApplies(c *x509.Certificate) bool {
return util.IsServerAuthCert(c) && !c.IsCA
}
func (l *serverCertValidityAlmostTooLong) Execute(c *x509.Certificate) *lint.LintResult {
// "We recommend that certificates be issued with a maximum validity of 397 days."
warnValidity := 397 * appleDayLength
// RFC 5280, section 4.1.2.5: "The validity period for a certificate is the period
// of time from notBefore through notAfter, inclusive."
certValidity := c.NotAfter.Add(1 * time.Second).Sub(c.NotBefore)
if certValidity > warnValidity {
return &lint.LintResult{
// RFC 2119 has SHOULD and RECOMMENDED as equal. Since Apple recommends
// 397 days we treat this as a lint.Warn result as a violation of
// a SHOULD.
Status: lint.Warn,
Details: "Apple recommends that certificates be issued with a maximum " +
"validity of 397 days.",
}
}
return &lint.LintResult{Status: lint.Pass}
}

13
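--- a/vendor/github.com/zmap/zlint/v3/lints/apple/time.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/apple/time.go
@@ -0,0 +1,13 @@
+package apple
+import "time"
+// In the context of a root policy update on trusted certificate lifetimes[0]
+// Apple provided an unambiguous definition for the length of a day:
+// "398 days is measured with a day being equal to 86,400 seconds. Any time
+// greater than this indicates an additional day of validity."
+//
+// We provide that value as a constant here for lints to use.
+//
+// [0]: https://support.apple.com/en-us/HT211025
+var appleDayLength = 86400 * time.Second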


@ -1,7 +1,7 @@
package cabf_br
/*
* ZLint Copyright 2020 Regents of the University of Michigan
* ZLint Copyright 2021 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
@ -16,12 +16,23 @@ package cabf_br
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
"github.com/zmap/zlint/v3/lint"
"github.com/zmap/zlint/v3/util"
)
type caCommonNameMissing struct{}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_ca_common_name_missing",
Description: "CA Certificates common name MUST be included.",
Citation: "BRs: 7.1.4.3.1",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABV148Date,
Lint: &caCommonNameMissing{},
})
}
func (l *caCommonNameMissing) Initialize() error {
return nil
}
@ -37,14 +48,3 @@ func (l *caCommonNameMissing) Execute(c *x509.Certificate) *lint.LintResult {
return &lint.LintResult{Status: lint.Pass}
}
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_ca_common_name_missing",
Description: "CA Certificates common name MUST be included.",
Citation: "BRs: 7.1.4.3.1",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABV148Date,
Lint: &caCommonNameMissing{},
})
}


@ -1,7 +1,7 @@
package cabf_br
/*
* ZLint Copyright 2020 Regents of the University of Michigan
* ZLint Copyright 2021 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
@ -16,10 +16,12 @@ package cabf_br
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
"github.com/zmap/zlint/v3/lint"
"github.com/zmap/zlint/v3/util"
)
type caCountryNameInvalid struct{}
/************************************************
BRs: 7.1.2.1e
The Certificate Subject MUST contain the following:
@ -28,7 +30,16 @@ This field MUST contain the twoletter ISO 31661 country code for the count
in which the CAs place of business is located.
************************************************/
type caCountryNameInvalid struct{}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_ca_country_name_invalid",
Description: "Root and Subordinate CA certificates MUST have a two-letter country code specified in ISO 3166-1",
Citation: "BRs: 7.1.2.1",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &caCountryNameInvalid{},
})
}
func (l *caCountryNameInvalid) Initialize() error {
return nil
@ -50,14 +61,3 @@ func (l *caCountryNameInvalid) Execute(c *x509.Certificate) *lint.LintResult {
return &lint.LintResult{Status: lint.NA}
}
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_ca_country_name_invalid",
Description: "Root and Subordinate CA certificates MUST have a two-letter country code specified in ISO 3166-1",
Citation: "BRs: 7.1.2.1",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &caCountryNameInvalid{},
})
}


@ -1,7 +1,7 @@
package cabf_br
/*
* ZLint Copyright 2020 Regents of the University of Michigan
* ZLint Copyright 2021 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
@ -16,10 +16,12 @@ package cabf_br
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
"github.com/zmap/zlint/v3/lint"
"github.com/zmap/zlint/v3/util"
)
type caCountryNameMissing struct{}
/************************************************
BRs: 7.1.2.1e
The Certificate Subject MUST contain the following:
@ -28,7 +30,16 @@ This field MUST contain the twoletter ISO 31661 country code for the count
in which the CAs place of business is located.
************************************************/
type caCountryNameMissing struct{}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_ca_country_name_missing",
Description: "Root and Subordinate CA certificates MUST have a countryName present in subject information",
Citation: "BRs: 7.1.2.1",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &caCountryNameMissing{},
})
}
func (l *caCountryNameMissing) Initialize() error {
return nil
@ -45,14 +56,3 @@ func (l *caCountryNameMissing) Execute(c *x509.Certificate) *lint.LintResult {
return &lint.LintResult{Status: lint.Error}
}
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_ca_country_name_missing",
Description: "Root and Subordinate CA certificates MUST have a countryName present in subject information",
Citation: "BRs: 7.1.2.1",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &caCountryNameMissing{},
})
}


@ -1,7 +1,7 @@
package cabf_br
/*
* ZLint Copyright 2020 Regents of the University of Michigan
* ZLint Copyright 2021 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
@ -16,10 +16,12 @@ package cabf_br
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
"github.com/zmap/zlint/v3/lint"
"github.com/zmap/zlint/v3/util"
)
type caCRLSignNotSet struct{}
/************************************************
BRs: 7.1.2.1b
This extension MUST be present and MUST be marked critical. Bit positions for
@ -27,7 +29,16 @@ keyCertSign and cRLSign MUST be set. If the Root CA Private Key is used for
signing OCSP responses, then the digitalSignature bit MUST be set.
************************************************/
type caCRLSignNotSet struct{}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_ca_crl_sign_not_set",
Description: "Root and Subordinate CA certificate keyUsage extension's crlSign bit MUST be set",
Citation: "BRs: 7.1.2.1",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &caCRLSignNotSet{},
})
}
func (l *caCRLSignNotSet) Initialize() error {
return nil
@ -44,14 +55,3 @@ func (l *caCRLSignNotSet) Execute(c *x509.Certificate) *lint.LintResult {
return &lint.LintResult{Status: lint.Error}
}
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_ca_crl_sign_not_set",
Description: "Root and Subordinate CA certificate keyUsage extension's crlSign bit MUST be set",
Citation: "BRs: 7.1.2.1",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &caCRLSignNotSet{},
})
}


@ -1,7 +1,7 @@
package cabf_br
/*
* ZLint Copyright 2020 Regents of the University of Michigan
* ZLint Copyright 2021 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
@ -14,6 +14,14 @@ package cabf_br
* permissions and limitations under the License.
*/
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v3/lint"
"github.com/zmap/zlint/v3/util"
)
type caDigSignNotSet struct{}
/************************************************
BRs: 7.1.2.1b: Root CA Certificate keyUsage
This extension MUST be present and MUST be marked critical. Bit positions for keyCertSign and cRLSign MUST be set.
@ -24,13 +32,16 @@ This extension MUST be present and MUST be marked critical. Bit positions for ke
If the Root CA Private Key is used for signing OCSP responses, then the digitalSignature bit MUST be set.
************************************************/
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
)
type caDigSignNotSet struct{}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "n_ca_digital_signature_not_set",
Description: "Root and Subordinate CA Certificates that wish to use their private key for signing OCSP responses will not be able to without their digital signature set",
Citation: "BRs: 7.1.2.1",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &caDigSignNotSet{},
})
}
func (l *caDigSignNotSet) Initialize() error {
return nil
@ -47,14 +58,3 @@ func (l *caDigSignNotSet) Execute(c *x509.Certificate) *lint.LintResult {
return &lint.LintResult{Status: lint.Notice}
}
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "n_ca_digital_signature_not_set",
Description: "Root and Subordinate CA Certificates that wish to use their private key for signing OCSP responses will not be able to without their digital signature set",
Citation: "BRs: 7.1.2.1",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &caDigSignNotSet{},
})
}


@ -1,7 +1,7 @@
package cabf_br
/*
* ZLint Copyright 2020 Regents of the University of Michigan
* ZLint Copyright 2021 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
@ -18,12 +18,23 @@ import (
"encoding/asn1"
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
"github.com/zmap/zlint/v3/lint"
"github.com/zmap/zlint/v3/util"
)
type caIsCA struct{}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_ca_is_ca",
Description: "Root and Sub CA Certificate: The CA field MUST be set to true.",
Citation: "BRs: 7.1.2.1, BRs: 7.1.2.2",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &caIsCA{},
})
}
type basicConstraints struct {
IsCA bool `asn1:"optional"`
MaxPathLen int `asn1:"optional,default:-1"`
@ -50,14 +61,3 @@ func (l *caIsCA) Execute(c *x509.Certificate) *lint.LintResult {
return &lint.LintResult{Status: lint.Error}
}
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_ca_is_ca",
Description: "Root and Sub CA Certificate: The CA field MUST be set to true.",
Citation: "BRs: 7.1.2.1, BRs: 7.1.2.2",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &caIsCA{},
})
}


@ -1,7 +1,7 @@
package cabf_br
/*
* ZLint Copyright 2020 Regents of the University of Michigan
* ZLint Copyright 2021 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
@ -14,19 +14,30 @@ package cabf_br
* permissions and limitations under the License.
*/
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v3/lint"
"github.com/zmap/zlint/v3/util"
)
type caKeyCertSignNotSet struct{}
/************************************************
BRs: 7.1.2.1b
This extension MUST be present and MUST be marked critical. Bit positions for keyCertSign and cRLSign MUST be set.
If the Root CA Private Key is used for signing OCSP responses, then the digitalSignature bit MUST be set.
************************************************/
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
)
type caKeyCertSignNotSet struct{}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_ca_key_cert_sign_not_set",
Description: "Root CA Certificate: Bit positions for keyCertSign and cRLSign MUST be set.",
Citation: "BRs: 7.1.2.1",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &caKeyCertSignNotSet{},
})
}
func (l *caKeyCertSignNotSet) Initialize() error {
return nil
@ -43,14 +54,3 @@ func (l *caKeyCertSignNotSet) Execute(c *x509.Certificate) *lint.LintResult {
return &lint.LintResult{Status: lint.Error}
}
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_ca_key_cert_sign_not_set",
Description: "Root CA Certificate: Bit positions for keyCertSign and cRLSign MUST be set.",
Citation: "BRs: 7.1.2.1",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &caKeyCertSignNotSet{},
})
}


@ -1,7 +1,7 @@
package cabf_br
/*
* ZLint Copyright 2020 Regents of the University of Michigan
* ZLint Copyright 2021 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
@ -14,6 +14,14 @@ package cabf_br
* permissions and limitations under the License.
*/
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v3/lint"
"github.com/zmap/zlint/v3/util"
)
type caKeyUsageMissing struct{}
/************************************************
RFC 5280: 4.2.1.3
Conforming CAs MUST include this extension in certificates that
@ -22,13 +30,16 @@ Conforming CAs MUST include this extension in certificates that
SHOULD mark this extension as critical.
************************************************/
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
)
type caKeyUsageMissing struct{}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_ca_key_usage_missing",
Description: "Root and Subordinate CA certificate keyUsage extension MUST be present",
Citation: "BRs: 7.1.2.1, RFC 5280: 4.2.1.3",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.RFC3280Date,
Lint: &caKeyUsageMissing{},
})
}
func (l *caKeyUsageMissing) Initialize() error {
return nil
@ -45,14 +56,3 @@ func (l *caKeyUsageMissing) Execute(c *x509.Certificate) *lint.LintResult {
return &lint.LintResult{Status: lint.Error}
}
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_ca_key_usage_missing",
Description: "Root and Subordinate CA certificate keyUsage extension MUST be present",
Citation: "BRs: 7.1.2.1, RFC 5280: 4.2.1.3",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.RFC3280Date,
Lint: &caKeyUsageMissing{},
})
}


@ -1,7 +1,7 @@
package cabf_br
/*
* ZLint Copyright 2020 Regents of the University of Michigan
* ZLint Copyright 2021 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
@ -14,19 +14,30 @@ package cabf_br
* permissions and limitations under the License.
*/
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v3/lint"
"github.com/zmap/zlint/v3/util"
)
type caKeyUsageNotCrit struct{}
/************************************************
BRs: 7.1.2.1b
This extension MUST be present and MUST be marked critical. Bit positions for keyCertSign and cRLSign MUST be set.
If the Root CA Private Key is used for signing OCSP responses, then the digitalSignature bit MUST be set.
************************************************/
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
)
type caKeyUsageNotCrit struct{}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_ca_key_usage_not_critical",
Description: "Root and Subordinate CA certificate keyUsage extension MUST be marked as critical",
Citation: "BRs: 7.1.2.1",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &caKeyUsageNotCrit{},
})
}
func (l *caKeyUsageNotCrit) Initialize() error {
return nil
@ -43,14 +54,3 @@ func (l *caKeyUsageNotCrit) Execute(c *x509.Certificate) *lint.LintResult {
return &lint.LintResult{Status: lint.Error}
}
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_ca_key_usage_not_critical",
Description: "Root and Subordinate CA certificate keyUsage extension MUST be marked as critical",
Citation: "BRs: 7.1.2.1",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &caKeyUsageNotCrit{},
})
}


@ -1,7 +1,7 @@
package cabf_br
/*
* ZLint Copyright 2020 Regents of the University of Michigan
* ZLint Copyright 2021 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
@ -14,18 +14,29 @@ package cabf_br
* permissions and limitations under the License.
*/
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v3/lint"
"github.com/zmap/zlint/v3/util"
)
type caOrganizationNameMissing struct{}
/************************************************
BRs: 7.1.2.1e
The Certificate Subject MUST contain the following: organizationName (OID 2.5.4.10): This field MUST be present and the contents MUST contain either the Subject CAs name or DBA as verified under Section 3.2.2.2.
************************************************/
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
)
type caOrganizationNameMissing struct{}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_ca_organization_name_missing",
Description: "Root and Subordinate CA certificates MUST have a organizationName present in subject information",
Citation: "BRs: 7.1.2.1",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &caOrganizationNameMissing{},
})
}
func (l *caOrganizationNameMissing) Initialize() error {
return nil
@ -42,14 +53,3 @@ func (l *caOrganizationNameMissing) Execute(c *x509.Certificate) *lint.LintResul
return &lint.LintResult{Status: lint.Error}
}
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_ca_organization_name_missing",
Description: "Root and Subordinate CA certificates MUST have a organizationName present in subject information",
Citation: "BRs: 7.1.2.1",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &caOrganizationNameMissing{},
})
}


@ -1,7 +1,7 @@
package cabf_br
/*
* ZLint Copyright 2020 Regents of the University of Michigan
* ZLint Copyright 2021 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
@ -19,8 +19,8 @@ package cabf_br
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
"github.com/zmap/zlint/v3/lint"
"github.com/zmap/zlint/v3/util"
)
type certPolicyConflictsWithLocality struct{}


@ -1,7 +1,7 @@
package cabf_br
/*
* ZLint Copyright 2020 Regents of the University of Michigan
* ZLint Copyright 2021 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
@ -14,17 +14,35 @@ package cabf_br
* permissions and limitations under the License.
*/
// If the Certificate asserts the policy identifier of 2.23.140.1.2.1, then it MUST NOT include
// organizationName, streetAddress, localityName, stateOrProvinceName, or postalCode in the Subject field.
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
"github.com/zmap/zlint/v3/lint"
"github.com/zmap/zlint/v3/util"
)
type certPolicyConflictsWithOrg struct{}
/************************************************
BRs: 7.1.6.4
Certificate Policy Identifier: 2.23.140.1.2.1
If the Certificate complies with these requirements and lacks Subject identity information that
has been verified in accordance with Section 3.2.2.1 or Section 3.2.3.
Such Certificates MUST NOT include organizationName, givenName, surname,
streetAddress, localityName, stateOrProvinceName, or postalCode in the Subject
field.
************************************************/
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_cab_dv_conflicts_with_org",
Description: "If certificate policy 2.23.140.1.2.1 (CA/B BR domain validated) is included, organization name MUST NOT be included in subject",
Citation: "BRs: 7.1.6.4",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &certPolicyConflictsWithOrg{},
})
}
func (l *certPolicyConflictsWithOrg) Initialize() error {
return nil
}
@ -42,14 +60,3 @@ func (l *certPolicyConflictsWithOrg) Execute(cert *x509.Certificate) *lint.LintR
}
return &out
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_cab_dv_conflicts_with_org",
Description: "If certificate policy 2.23.140.1.2.1 (CA/B BR domain validated) is included, organization name MUST NOT be included in subject",
Citation: "BRs: 7.1.6.1",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &certPolicyConflictsWithOrg{},
})
}


@ -1,7 +1,7 @@
package cabf_br
/*
* ZLint Copyright 2020 Regents of the University of Michigan
* ZLint Copyright 2021 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
@ -14,17 +14,35 @@ package cabf_br
* permissions and limitations under the License.
*/
// If the Certificate asserts the policy identifier of 2.23.140.1.2.1, then it MUST NOT include
// organizationName, streetAddress, localityName, stateOrProvinceName, or postalCode in the Subject field.
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
"github.com/zmap/zlint/v3/lint"
"github.com/zmap/zlint/v3/util"
)
type certPolicyConflictsWithPostal struct{}
/************************************************
BRs: 7.1.6.4
Certificate Policy Identifier: 2.23.140.1.2.1
If the Certificate complies with these requirements and lacks Subject identity information that
has been verified in accordance with Section 3.2.2.1 or Section 3.2.3.
Such Certificates MUST NOT include organizationName, givenName, surname,
streetAddress, localityName, stateOrProvinceName, or postalCode in the Subject
field.
************************************************/
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_cab_dv_conflicts_with_postal",
Description: "If certificate policy 2.23.140.1.2.1 (CA/B BR domain validated) is included, postalCode MUST NOT be included in subject",
Citation: "BRs: 7.1.6.4",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &certPolicyConflictsWithPostal{},
})
}
func (l *certPolicyConflictsWithPostal) Initialize() error {
return nil
}
@ -42,14 +60,3 @@ func (l *certPolicyConflictsWithPostal) Execute(cert *x509.Certificate) *lint.Li
}
return &out
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_cab_dv_conflicts_with_postal",
Description: "If certificate policy 2.23.140.1.2.1 (CA/B BR domain validated) is included, postalCode MUST NOT be included in subject",
Citation: "BRs: 7.1.6.1",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &certPolicyConflictsWithPostal{},
})
}


@ -1,7 +1,7 @@
package cabf_br
/*
* ZLint Copyright 2020 Regents of the University of Michigan
* ZLint Copyright 2021 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
@ -14,17 +14,35 @@ package cabf_br
* permissions and limitations under the License.
*/
// If the Certificate asserts the policy identifier of 2.23.140.1.2.1, then it MUST NOT include
// organizationName, streetAddress, localityName, stateOrProvinceName, or postalCode in the Subject field.
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
"github.com/zmap/zlint/v3/lint"
"github.com/zmap/zlint/v3/util"
)
type certPolicyConflictsWithProvince struct{}
/************************************************
BRs: 7.1.6.4
Certificate Policy Identifier: 2.23.140.1.2.1
If the Certificate complies with these requirements and lacks Subject identity information that
has been verified in accordance with Section 3.2.2.1 or Section 3.2.3.
Such Certificates MUST NOT include organizationName, givenName, surname,
streetAddress, localityName, stateOrProvinceName, or postalCode in the Subject
field.
************************************************/
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_cab_dv_conflicts_with_province",
Description: "If certificate policy 2.23.140.1.2.1 (CA/B BR domain validated) is included, stateOrProvinceName MUST NOT be included in subject",
Citation: "BRs: 7.1.6.4",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &certPolicyConflictsWithProvince{},
})
}
func (l *certPolicyConflictsWithProvince) Initialize() error {
return nil
}
@ -42,14 +60,3 @@ func (l *certPolicyConflictsWithProvince) Execute(cert *x509.Certificate) *lint.
}
return &out
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_cab_dv_conflicts_with_province",
Description: "If certificate policy 2.23.140.1.2.1 (CA/B BR domain validated) is included, stateOrProvinceName MUST NOT be included in subject",
Citation: "BRs: 7.1.6.1",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &certPolicyConflictsWithProvince{},
})
}


@ -1,7 +1,7 @@
package cabf_br
/*
* ZLint Copyright 2020 Regents of the University of Michigan
* ZLint Copyright 2021 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
@ -14,17 +14,35 @@ package cabf_br
* permissions and limitations under the License.
*/
// If the Certificate asserts the policy identifier of 2.23.140.1.2.1, then it MUST NOT include
// organizationName, streetAddress, localityName, stateOrProvinceName, or postalCode in the Subject field.
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
"github.com/zmap/zlint/v3/lint"
"github.com/zmap/zlint/v3/util"
)
type certPolicyConflictsWithStreet struct{}
/************************************************
BRs: 7.1.6.4
Certificate Policy Identifier: 2.23.140.1.2.1
If the Certificate complies with these requirements and lacks Subject identity information that
has been verified in accordance with Section 3.2.2.1 or Section 3.2.3.
Such Certificates MUST NOT include organizationName, givenName, surname,
streetAddress, localityName, stateOrProvinceName, or postalCode in the Subject
field.
************************************************/
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_cab_dv_conflicts_with_street",
Description: "If certificate policy 2.23.140.1.2.1 (CA/B BR domain validated) is included, streetAddress MUST NOT be included in subject",
Citation: "BRs: 7.1.6.4",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &certPolicyConflictsWithStreet{},
})
}
func (l *certPolicyConflictsWithStreet) Initialize() error {
return nil
}
@ -42,14 +60,3 @@ func (l *certPolicyConflictsWithStreet) Execute(cert *x509.Certificate) *lint.Li
}
return &out
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_cab_dv_conflicts_with_street",
Description: "If certificate policy 2.23.140.1.2.1 (CA/B BR domain validated) is included, streetAddress MUST NOT be included in subject",
Citation: "BRs: 7.1.6.1",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &certPolicyConflictsWithStreet{},
})
}


@ -1,7 +1,7 @@
package cabf_br
/*
* ZLint Copyright 2020 Regents of the University of Michigan
* ZLint Copyright 2021 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
@ -14,16 +14,36 @@ package cabf_br
* permissions and limitations under the License.
*/
/*If the Certificate asserts the policy identifier of 2.23.140.1.2.3, then it MUST also include (i) either organizationName or givenName and surname, (ii) localityName (to the extent such field is required under Section 7.1.4.2.2), (iii) stateOrProvinceName (to the extent required under Section 7.1.4.2.2), and (iv) countryName in the Subject field.*/
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
"github.com/zmap/zlint/v3/lint"
"github.com/zmap/zlint/v3/util"
)
type CertPolicyRequiresPersonalName struct{}
/************************************************
BRs: 7.1.6.4
Certificate Policy Identifier: 2.23.140.1.2.3
If the Certificate complies with these Requirements and includes Subject Identity Information
that is verified in accordance with Section 3.2.3.
Such Certificates MUST also include either organizationName or both givenName and
surname, localityName (to the extent such field is required under Section 7.1.4.2.2),
stateOrProvinceName (to the extent required under Section 7.1.4.2.2), and countryName in
the Subject field.
************************************************/
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_cab_iv_requires_personal_name",
Description: "If certificate policy 2.23.140.1.2.3 is included, either organizationName or givenName and surname MUST be included in subject",
Citation: "BRs: 7.1.6.4",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABV131Date,
Lint: &CertPolicyRequiresPersonalName{},
})
}
func (l *CertPolicyRequiresPersonalName) Initialize() error {
return nil
}
@ -41,14 +61,3 @@ func (l *CertPolicyRequiresPersonalName) Execute(cert *x509.Certificate) *lint.L
}
return &out
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_cab_iv_requires_personal_name",
Description: "If certificate policy 2.23.140.1.2.3 is included, either organizationName or givenName and surname MUST be included in subject",
Citation: "BRs: 7.1.6.1",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABV131Date,
Lint: &CertPolicyRequiresPersonalName{},
})
}


@ -1,7 +1,7 @@
package cabf_br
/*
* ZLint Copyright 2020 Regents of the University of Michigan
* ZLint Copyright 2021 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
@ -14,16 +14,35 @@ package cabf_br
* permissions and limitations under the License.
*/
/*If the Certificate asserts the policy identifier of 2.23.140.1.2.2, then it MUST also include organizationName, localityName (to the extent such field is required under Section 7.1.4.2.2), stateOrProvinceName (to the extent such field is required under Section 7.1.4.2.2), and countryName in the Subject field.*/
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
"github.com/zmap/zlint/v3/lint"
"github.com/zmap/zlint/v3/util"
)
type CertPolicyRequiresOrg struct{}
/************************************************
BRs: 7.1.6.4
Certificate Policy Identifier: 2.23.140.1.2.2
If the Certificate complies with these Requirements and includes Subject Identity Information
that is verified in accordance with Section 3.2.2.1.
Such Certificates MUST also include organizationName, localityName (to the extent such
field is required under Section 7.1.4.2.2), stateOrProvinceName (to the extent such field is
required under Section 7.1.4.2.2), and countryName in the Subject field.
************************************************/
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_cab_ov_requires_org",
Description: "If certificate policy 2.23.140.1.2.2 is included, organizationName MUST be included in subject",
Citation: "BRs: 7.1.6.4",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &CertPolicyRequiresOrg{},
})
}
func (l *CertPolicyRequiresOrg) Initialize() error {
return nil
}
@ -41,14 +60,3 @@ func (l *CertPolicyRequiresOrg) Execute(cert *x509.Certificate) *lint.LintResult
}
return &out
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_cab_ov_requires_org",
Description: "If certificate policy 2.23.140.1.2.2 is included, organizationName MUST be included in subject",
Citation: "BRs: 7.1.6.1",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &CertPolicyRequiresOrg{},
})
}


@ -1,7 +1,7 @@
package cabf_br
/*
* ZLint Copyright 2020 Regents of the University of Michigan
* ZLint Copyright 2021 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
@ -14,16 +14,36 @@ package cabf_br
* permissions and limitations under the License.
*/
/*If the Certificate asserts the policy identifier of 2.23.140.1.2.3, then it MUST also include (i) either organizationName or givenName and surname, (ii) localityName (to the extent such field is required under Section 7.1.4.2.2), (iii) stateOrProvinceName (to the extent required under Section 7.1.4.2.2), and (iv) countryName in the Subject field.*/
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
"github.com/zmap/zlint/v3/lint"
"github.com/zmap/zlint/v3/util"
)
type CertPolicyIVRequiresCountry struct{}
/************************************************
BRs: 7.1.6.4
Certificate Policy Identifier: 2.23.140.1.2.3
If the Certificate complies with these Requirements and includes Subject Identity Information
that is verified in accordance with Section 3.2.3.
Such Certificates MUST also include either organizationName or both givenName and
surname, localityName (to the extent such field is required under Section 7.1.4.2.2),
stateOrProvinceName (to the extent required under Section 7.1.4.2.2), and countryName in
the Subject field.
************************************************/
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_cert_policy_iv_requires_country",
Description: "If certificate policy 2.23.140.1.2.3 is included, countryName MUST be included in subject",
Citation: "BRs: 7.1.6.4",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABV131Date,
Lint: &CertPolicyIVRequiresCountry{},
})
}
func (l *CertPolicyIVRequiresCountry) Initialize() error {
return nil
}
@ -41,14 +61,3 @@ func (l *CertPolicyIVRequiresCountry) Execute(cert *x509.Certificate) *lint.Lint
}
return &out
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_cert_policy_iv_requires_country",
Description: "If certificate policy 2.23.140.1.2.3 is included, countryName MUST be included in subject",
Citation: "BRs: 7.1.6.1",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABV131Date,
Lint: &CertPolicyIVRequiresCountry{},
})
}


@ -1,7 +1,7 @@
package cabf_br
/*
* ZLint Copyright 2020 Regents of the University of Michigan
* ZLint Copyright 2021 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
@ -14,17 +14,37 @@ package cabf_br
* permissions and limitations under the License.
*/
// 7.1.6.1: If the Certificate asserts the policy identifier of 2.23.140.1.2.3, then it MUST also include (i) either organizationName or givenName and surname, (ii) localityName (to the extent such field is required under Section 7.1.4.2.2), (iii) stateOrProvinceName (to the extent required under Section 7.1.4.2.2), and (iv) countryName in the Subject field.
// 7.1.4.2.2 applies only to subscriber certificates.
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
"github.com/zmap/zlint/v3/lint"
"github.com/zmap/zlint/v3/util"
)
type CertPolicyIVRequiresProvinceOrLocal struct{}
/************************************************
BRs: 7.1.6.4
Certificate Policy Identifier: 2.23.140.1.2.3
If the Certificate complies with these Requirements and includes Subject Identity Information
that is verified in accordance with Section 3.2.3.
Such Certificates MUST also include either organizationName or both givenName and
surname, localityName (to the extent such field is required under Section 7.1.4.2.2),
stateOrProvinceName (to the extent required under Section 7.1.4.2.2), and countryName in
the Subject field.
************************************************/
// 7.1.4.2.2 applies only to subscriber certificates.
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_cert_policy_iv_requires_province_or_locality",
Description: "If certificate policy 2.23.140.1.2.3 is included, localityName or stateOrProvinceName MUST be included in subject",
Citation: "BRs: 7.1.6.4",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABV131Date,
Lint: &CertPolicyIVRequiresProvinceOrLocal{},
})
}
func (l *CertPolicyIVRequiresProvinceOrLocal) Initialize() error {
return nil
}
@ -42,14 +62,3 @@ func (l *CertPolicyIVRequiresProvinceOrLocal) Execute(cert *x509.Certificate) *l
}
return &out
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_cert_policy_iv_requires_province_or_locality",
Description: "If certificate policy 2.23.140.1.2.3 is included, localityName or stateOrProvinceName MUST be included in subject",
Citation: "BRs: 7.1.6.1",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABV131Date,
Lint: &CertPolicyIVRequiresProvinceOrLocal{},
})
}


@ -1,7 +1,7 @@
package cabf_br
/*
* ZLint Copyright 2020 Regents of the University of Michigan
* ZLint Copyright 2021 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
@ -14,16 +14,35 @@ package cabf_br
* permissions and limitations under the License.
*/
/*If the Certificate asserts the policy identifier of 2.23.140.1.2.2, then it MUST also include organizationName, localityName (to the extent such field is required under Section 7.1.4.2.2), stateOrProvinceName (to the extent such field is required under Section 7.1.4.2.2), and countryName in the Subject field.*/
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
"github.com/zmap/zlint/v3/lint"
"github.com/zmap/zlint/v3/util"
)
type CertPolicyOVRequiresCountry struct{}
/************************************************
BRs: 7.1.6.4
Certificate Policy Identifier: 2.23.140.1.2.2
If the Certificate complies with these Requirements and includes Subject Identity Information
that is verified in accordance with Section 3.2.2.1.
Such Certificates MUST also include organizationName, localityName (to the extent such
field is required under Section 7.1.4.2.2), stateOrProvinceName (to the extent such field is
required under Section 7.1.4.2.2), and countryName in the Subject field.
************************************************/
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_cert_policy_ov_requires_country",
Description: "If certificate policy 2.23.140.1.2.2 is included, countryName MUST be included in subject",
Citation: "BRs: 7.1.6.4",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &CertPolicyOVRequiresCountry{},
})
}
func (l *CertPolicyOVRequiresCountry) Initialize() error {
return nil
}
@ -41,14 +60,3 @@ func (l *CertPolicyOVRequiresCountry) Execute(cert *x509.Certificate) *lint.Lint
}
return &out
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_cert_policy_ov_requires_country",
Description: "If certificate policy 2.23.140.1.2.2 is included, countryName MUST be included in subject",
Citation: "BRs: 7.1.6.1",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &CertPolicyOVRequiresCountry{},
})
}


@ -1,7 +1,7 @@
package cabf_br
/*
* ZLint Copyright 2020 Regents of the University of Michigan
* ZLint Copyright 2021 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
@ -14,17 +14,37 @@ package cabf_br
* permissions and limitations under the License.
*/
// 7.1.6.1: If the Certificate asserts the policy identifier of 2.23.140.1.2.2, then it MUST also include organizationName, localityName (to the extent such field is required under Section 7.1.4.2.2), stateOrProvinceName (to the extent such field is required under Section 7.1.4.2.2), and countryName in the Subject field.*/
// 7.1.4.2.2 applies only to subscriber certificates.
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
"github.com/zmap/zlint/v3/lint"
"github.com/zmap/zlint/v3/util"
)
type CertPolicyOVRequiresProvinceOrLocal struct{}
/************************************************
BRs: 7.1.6.4
Certificate Policy Identifier: 2.23.140.1.2.2
If the Certificate complies with these Requirements and includes Subject Identity Information
that is verified in accordance with Section 3.2.2.1.
Such Certificates MUST also include organizationName, localityName (to the extent such
field is required under Section 7.1.4.2.2), stateOrProvinceName (to the extent such field is
required under Section 7.1.4.2.2), and countryName in the Subject field.
Note: 7.1.4.2.2 applies only to subscriber certificates.
************************************************/
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_cert_policy_ov_requires_province_or_locality",
Description: "If certificate policy 2.23.140.1.2.2 is included, localityName or stateOrProvinceName MUST be included in subject",
Citation: "BRs: 7.1.6.4",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &CertPolicyOVRequiresProvinceOrLocal{},
})
}
func (l *CertPolicyOVRequiresProvinceOrLocal) Initialize() error {
return nil
}
@ -42,14 +62,3 @@ func (l *CertPolicyOVRequiresProvinceOrLocal) Execute(cert *x509.Certificate) *l
}
return &out
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_cert_policy_ov_requires_province_or_locality",
Description: "If certificate policy 2.23.140.1.2.2 is included, localityName or stateOrProvinceName MUST be included in subject",
Citation: "BRs: 7.1.6.1",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &CertPolicyOVRequiresProvinceOrLocal{},
})
}


@ -1,7 +1,7 @@
package cabf_br
/*
* ZLint Copyright 2020 Regents of the University of Michigan
* ZLint Copyright 2021 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
@ -18,12 +18,23 @@ import (
"crypto/dsa"
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
"github.com/zmap/zlint/v3/lint"
"github.com/zmap/zlint/v3/util"
)
type dsaParamsMissing struct{}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_dsa_params_missing",
Description: "DSA: Certificates MUST include all domain parameters",
Citation: "BRs v1.7.0: 6.1.6",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &dsaParamsMissing{},
})
}
func (l *dsaParamsMissing) Initialize() error {
return nil
}
@ -43,14 +54,3 @@ func (l *dsaParamsMissing) Execute(c *x509.Certificate) *lint.LintResult {
}
return &lint.LintResult{Status: lint.Pass}
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_dsa_params_missing",
Description: "DSA: Certificates MUST include all domain parameters",
Citation: "BRs: 6.1.6",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &dsaParamsMissing{},
})
}


@ -1,7 +1,7 @@
package cabf_br
/*
* ZLint Copyright 2020 Regents of the University of Michigan
* ZLint Copyright 2021 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
@ -18,14 +18,25 @@ import (
"regexp"
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
"github.com/zmap/zlint/v3/lint"
"github.com/zmap/zlint/v3/util"
)
type DNSNameProperCharacters struct {
CompiledExpression *regexp.Regexp
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_dnsname_bad_character_in_label",
Description: "Characters in labels of DNSNames MUST be alphanumeric, - , _ or *",
Citation: "BRs: 7.1.4.2",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &DNSNameProperCharacters{},
})
}
func (l *DNSNameProperCharacters) Initialize() error {
const dnsNameRegexp = `^(\*\.)?(\?\.)*([A-Za-z0-9*_-]+\.)*[A-Za-z0-9*_-]*$`
var err error
@ -51,14 +62,3 @@ func (l *DNSNameProperCharacters) Execute(c *x509.Certificate) *lint.LintResult
}
return &lint.LintResult{Status: lint.Pass}
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_dnsname_bad_character_in_label",
Description: "Characters in labels of DNSNames MUST be alphanumeric, - , _ or *",
Citation: "BRs: 7.1.4.2",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &DNSNameProperCharacters{},
})
}


@ -1,7 +1,7 @@
package cabf_br
/*
* ZLint Copyright 2020 Regents of the University of Michigan
* ZLint Copyright 2021 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
@ -18,12 +18,23 @@ import (
"strings"
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
"github.com/zmap/zlint/v3/lint"
"github.com/zmap/zlint/v3/util"
)
type DNSNameLeftLabelWildcardCheck struct{}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_dnsname_left_label_wildcard_correct",
Description: "Wildcards in the left label of DNSName should only be *",
Citation: "BRs: 1.6.1, Wildcard Certificate and Wildcard Domain Name",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &DNSNameLeftLabelWildcardCheck{},
})
}
func (l *DNSNameLeftLabelWildcardCheck) Initialize() error {
return nil
}
@ -54,14 +65,3 @@ func (l *DNSNameLeftLabelWildcardCheck) Execute(c *x509.Certificate) *lint.LintR
}
return &lint.LintResult{Status: lint.Pass}
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_dnsname_left_label_wildcard_correct",
Description: "Wildcards in the left label of DNSName should only be *",
Citation: "BRs: 7.1.4.2",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &DNSNameLeftLabelWildcardCheck{},
})
}


@ -1,7 +1,7 @@
package cabf_br
/*
* ZLint Copyright 2020 Regents of the University of Michigan
* ZLint Copyright 2021 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
@ -16,12 +16,23 @@ package cabf_br
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
"github.com/zmap/zlint/v3/lint"
"github.com/zmap/zlint/v3/util"
)
type dnsNameContainsBareIANASuffix struct{}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_dnsname_contains_bare_iana_suffix",
Description: "DNSNames should not contain a bare IANA suffix.",
Citation: "BRs: 1.6.1, Base Domain Name",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &dnsNameContainsBareIANASuffix{},
})
}
func (l *dnsNameContainsBareIANASuffix) Initialize() error {
return nil
}
@ -43,14 +54,3 @@ func (l *dnsNameContainsBareIANASuffix) Execute(c *x509.Certificate) *lint.LintR
}
return &lint.LintResult{Status: lint.Pass}
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_dnsname_contains_bare_iana_suffix",
Description: "DNSNames should not contain a bare IANA suffix.",
Citation: "BRs: 7.1.4.2",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &dnsNameContainsBareIANASuffix{},
})
}


@ -1,7 +1,7 @@
package cabf_br
/*
* ZLint Copyright 2020 Regents of the University of Michigan
* ZLint Copyright 2021 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
@ -18,12 +18,23 @@ import (
"strings"
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
"github.com/zmap/zlint/v3/lint"
"github.com/zmap/zlint/v3/util"
)
type DNSNameEmptyLabel struct{}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_dnsname_empty_label",
Description: "DNSNames should not have an empty label.",
Citation: "BRs: 7.1.4.2",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &DNSNameEmptyLabel{},
})
}
func (l *DNSNameEmptyLabel) Initialize() error {
return nil
}
@ -55,14 +66,3 @@ func (l *DNSNameEmptyLabel) Execute(c *x509.Certificate) *lint.LintResult {
}
return &lint.LintResult{Status: lint.Pass}
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_dnsname_empty_label",
Description: "DNSNames should not have an empty label.",
Citation: "BRs: 7.1.4.2",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &DNSNameEmptyLabel{},
})
}


@ -1,7 +1,7 @@
package cabf_br
/*
* ZLint Copyright 2020 Regents of the University of Michigan
* ZLint Copyright 2021 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
@ -18,12 +18,23 @@ import (
"strings"
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
"github.com/zmap/zlint/v3/lint"
"github.com/zmap/zlint/v3/util"
)
type DNSNameHyphenInSLD struct{}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_dnsname_hyphen_in_sld",
Description: "DNSName should not have a hyphen beginning or ending the SLD",
Citation: "BRs 7.1.4.2",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.RFC5280Date,
Lint: &DNSNameHyphenInSLD{},
})
}
func (l *DNSNameHyphenInSLD) Initialize() error {
return nil
}
@ -54,14 +65,3 @@ func (l *DNSNameHyphenInSLD) Execute(c *x509.Certificate) *lint.LintResult {
}
return &lint.LintResult{Status: lint.Pass}
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_dnsname_hyphen_in_sld",
Description: "DNSName should not have a hyphen beginning or ending the SLD",
Citation: "BRs 7.1.4.2",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.RFC5280Date,
Lint: &DNSNameHyphenInSLD{},
})
}


@ -1,7 +1,7 @@
package cabf_br
/*
* ZLint Copyright 2020 Regents of the University of Michigan
* ZLint Copyright 2021 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
@ -18,12 +18,23 @@ import (
"strings"
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
"github.com/zmap/zlint/v3/lint"
"github.com/zmap/zlint/v3/util"
)
type DNSNameLabelLengthTooLong struct{}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_dnsname_label_too_long",
Description: "DNSName labels MUST be less than or equal to 63 characters",
Citation: "RFC 1035",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &DNSNameLabelLengthTooLong{},
})
}
func (l *DNSNameLabelLengthTooLong) Initialize() error {
return nil
}
@ -57,14 +68,3 @@ func (l *DNSNameLabelLengthTooLong) Execute(c *x509.Certificate) *lint.LintResul
}
return &lint.LintResult{Status: lint.Pass}
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_dnsname_label_too_long",
Description: "DNSName labels MUST be less than or equal to 63 characters",
Citation: "RFC 1035",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &DNSNameLabelLengthTooLong{},
})
}


@ -1,7 +1,7 @@
package cabf_br
/*
* ZLint Copyright 2020 Regents of the University of Michigan
* ZLint Copyright 2021 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
@ -16,12 +16,23 @@ package cabf_br
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
"github.com/zmap/zlint/v3/lint"
"github.com/zmap/zlint/v3/util"
)
type DNSNameValidTLD struct{}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_dnsname_not_valid_tld",
Description: "DNSNames must have a valid TLD.",
Citation: "BRs: 3.2.2.4",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &DNSNameValidTLD{},
})
}
func (l *DNSNameValidTLD) Initialize() error {
return nil
}
@ -43,14 +54,3 @@ func (l *DNSNameValidTLD) Execute(c *x509.Certificate) *lint.LintResult {
}
return &lint.LintResult{Status: lint.Pass}
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_dnsname_not_valid_tld",
Description: "DNSNames must have a valid TLD.",
Citation: "BRs: 7.1.4.2",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &DNSNameValidTLD{},
})
}


@ -1,7 +1,7 @@
package cabf_br
/*
* ZLint Copyright 2020 Regents of the University of Michigan
* ZLint Copyright 2021 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
@ -18,12 +18,23 @@ import (
"strings"
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
"github.com/zmap/zlint/v3/lint"
"github.com/zmap/zlint/v3/util"
)
type DNSNameUnderscoreInSLD struct{}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_dnsname_underscore_in_sld",
Description: "DNSName MUST NOT contain underscore characters",
Citation: "BRs: 7.1.4.2.1",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.RFC5280Date,
Lint: &DNSNameUnderscoreInSLD{},
})
}
func (l *DNSNameUnderscoreInSLD) Initialize() error {
return nil
}
@ -54,14 +65,3 @@ func (l *DNSNameUnderscoreInSLD) Execute(c *x509.Certificate) *lint.LintResult {
}
return &lint.LintResult{Status: lint.Pass}
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_dnsname_underscore_in_sld",
Description: "DNSName should not have underscore in SLD",
Citation: "BRs: 7.1.4.2",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.RFC5280Date,
Lint: &DNSNameUnderscoreInSLD{},
})
}


@ -1,7 +1,7 @@
package cabf_br
/*
* ZLint Copyright 2020 Regents of the University of Michigan
* ZLint Copyright 2021 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
@ -18,12 +18,23 @@ import (
"strings"
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
"github.com/zmap/zlint/v3/lint"
"github.com/zmap/zlint/v3/util"
)
type DNSNameUnderscoreInTRD struct{}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "w_dnsname_underscore_in_trd",
Description: "DNSName MUST NOT contain underscore characters",
Citation: "BRs: 7.1.4.2.1",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.RFC5280Date,
Lint: &DNSNameUnderscoreInTRD{},
})
}
func (l *DNSNameUnderscoreInTRD) Initialize() error {
return nil
}
@ -55,14 +66,3 @@ func (l *DNSNameUnderscoreInTRD) Execute(c *x509.Certificate) *lint.LintResult {
return &lint.LintResult{Status: lint.Pass}
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "w_dnsname_underscore_in_trd",
Description: "DNSName should not have an underscore in labels left of the ETLD+1",
Citation: "BRs: 7.1.4.2",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.RFC5280Date,
Lint: &DNSNameUnderscoreInTRD{},
})
}


@ -1,7 +1,7 @@
package cabf_br
/*
* ZLint Copyright 2020 Regents of the University of Michigan
* ZLint Copyright 2021 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
@ -16,12 +16,23 @@ package cabf_br
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
"github.com/zmap/zlint/v3/lint"
"github.com/zmap/zlint/v3/util"
)
type DNSNameWildcardLeftofPublicSuffix struct{}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "n_dnsname_wildcard_left_of_public_suffix",
Description: "the CA MUST establish and follow a documented procedure[^pubsuffix] that determines if the wildcard character occurs in the first label position to the left of a “registrycontrolled” label or “public suffix”",
Citation: "BRs: 3.2.2.6",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &DNSNameWildcardLeftofPublicSuffix{},
})
}
func (l *DNSNameWildcardLeftofPublicSuffix) Initialize() error {
return nil
}
@ -38,7 +49,7 @@ func (l *DNSNameWildcardLeftofPublicSuffix) Execute(c *x509.Certificate) *lint.L
}
if domainInfo.ParsedDomain.SLD == "*" {
return &lint.LintResult{Status: lint.Warn}
return &lint.LintResult{Status: lint.Notice}
}
}
@ -49,19 +60,8 @@ func (l *DNSNameWildcardLeftofPublicSuffix) Execute(c *x509.Certificate) *lint.L
}
if parsedSANDNSNames[i].ParsedDomain.SLD == "*" {
return &lint.LintResult{Status: lint.Warn}
return &lint.LintResult{Status: lint.Notice}
}
}
return &lint.LintResult{Status: lint.Pass}
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "w_dnsname_wildcard_left_of_public_suffix",
Description: "the CA MUST establish and follow a documented procedure[^pubsuffix] that determines if the wildcard character occurs in the first label position to the left of a “registrycontrolled” label or “public suffix”",
Citation: "BRs: 3.2.2.6",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &DNSNameWildcardLeftofPublicSuffix{},
})
}


@ -1,7 +1,7 @@
package cabf_br
/*
* ZLint Copyright 2020 Regents of the University of Michigan
* ZLint Copyright 2021 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
@ -18,12 +18,23 @@ import (
"strings"
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
"github.com/zmap/zlint/v3/lint"
"github.com/zmap/zlint/v3/util"
)
type DNSNameWildcardOnlyInLeftlabel struct{}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_dnsname_wildcard_only_in_left_label",
Description: "DNSName should not have wildcards except in the left-most label",
Citation: "BRs: 1.6.1, Wildcard Domain Name",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &DNSNameWildcardOnlyInLeftlabel{},
})
}
func (l *DNSNameWildcardOnlyInLeftlabel) Initialize() error {
return nil
}
@ -56,14 +67,3 @@ func (l *DNSNameWildcardOnlyInLeftlabel) Execute(c *x509.Certificate) *lint.Lint
}
return &lint.LintResult{Status: lint.Pass}
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_dnsname_wildcard_only_in_left_label",
Description: "DNSName should not have wildcards except in the left-most label",
Citation: "BRs: 7.1.4.2",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &DNSNameWildcardOnlyInLeftlabel{},
})
}


@ -1,7 +1,7 @@
package cabf_br
/*
* ZLint Copyright 2020 Regents of the University of Michigan
* ZLint Copyright 2021 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
@ -19,12 +19,23 @@ import (
"math/big"
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
"github.com/zmap/zlint/v3/lint"
"github.com/zmap/zlint/v3/util"
)
type dsaSubgroup struct{}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_dsa_correct_order_in_subgroup",
Description: "DSA: Public key value has the unique correct representation in the field, and that the key has the correct order in the subgroup",
Citation: "BRs v1.7.0: 6.1.6",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &dsaSubgroup{},
})
}
func (l *dsaSubgroup) Initialize() error {
return nil
}
@ -53,14 +64,3 @@ func (l *dsaSubgroup) Execute(c *x509.Certificate) *lint.LintResult {
}
return &lint.LintResult{Status: lint.Error}
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_dsa_correct_order_in_subgroup",
Description: "DSA: Public key value has the unique correct representation in the field, and that the key has the correct order in the subgroup",
Citation: "BRs: 6.1.6",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &dsaSubgroup{},
})
}


@ -1,7 +1,7 @@
package cabf_br
/*
* ZLint Copyright 2020 Regents of the University of Michigan
* ZLint Copyright 2021 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
@ -18,12 +18,23 @@ import (
"crypto/dsa"
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
"github.com/zmap/zlint/v3/lint"
"github.com/zmap/zlint/v3/util"
)
type dsaImproperSize struct{}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_dsa_improper_modulus_or_divisor_size",
Description: "Certificates MUST meet the following requirements for DSA algorithm type and key size: L=2048 and N=224,256 or L=3072 and N=256",
Citation: "BRs v1.7.0: 6.1.5",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.ZeroDate,
Lint: &dsaImproperSize{},
})
}
func (l *dsaImproperSize) Initialize() error {
return nil
}
@ -44,14 +55,3 @@ func (l *dsaImproperSize) Execute(c *x509.Certificate) *lint.LintResult {
}
return &lint.LintResult{Status: lint.Error}
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_dsa_improper_modulus_or_divisor_size",
Description: "Certificates MUST meet the following requirements for DSA algorithm type and key size: L=2048 and N=224,256 or L=3072 and N=256",
Citation: "BRs: 6.1.5",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.ZeroDate,
Lint: &dsaImproperSize{},
})
}


@ -1,7 +1,7 @@
package cabf_br
/*
* ZLint Copyright 2020 Regents of the University of Michigan
* ZLint Copyright 2021 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
@ -18,12 +18,24 @@ import (
"crypto/dsa"
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
"github.com/zmap/zlint/v3/lint"
"github.com/zmap/zlint/v3/util"
)
type dsaTooShort struct{}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_dsa_shorter_than_2048_bits",
Description: "DSA modulus size must be at least 2048 bits",
Citation: "BRs v1.7.0: 6.1.5",
// Refer to BRs: 6.1.5, taking the statement "Before 31 Dec 2010" literally
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.ZeroDate,
Lint: &dsaTooShort{},
})
}
func (l *dsaTooShort) Initialize() error {
return nil
}
@ -45,15 +57,3 @@ func (l *dsaTooShort) Execute(c *x509.Certificate) *lint.LintResult {
}
return &lint.LintResult{Status: lint.Error}
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_dsa_shorter_than_2048_bits",
Description: "DSA modulus size must be at least 2048 bits",
Citation: "BRs: 6.1.5",
// Refer to BRs: 6.1.5, taking the statement "Before 31 Dec 2010" literally
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.ZeroDate,
Lint: &dsaTooShort{},
})
}


@ -1,7 +1,7 @@
package cabf_br
/*
* ZLint Copyright 2020 Regents of the University of Michigan
* ZLint Copyright 2021 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
@ -19,12 +19,23 @@ import (
"math/big"
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
"github.com/zmap/zlint/v3/lint"
"github.com/zmap/zlint/v3/util"
)
type dsaUniqueCorrectRepresentation struct{}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_dsa_unique_correct_representation",
Description: "DSA: Public key value has the unique correct representation in the field, and that the key has the correct order in the subgroup",
Citation: "BRs v1.7.0: 6.1.6",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &dsaUniqueCorrectRepresentation{},
})
}
func (l *dsaUniqueCorrectRepresentation) Initialize() error {
return nil
}
@ -47,14 +58,3 @@ func (l *dsaUniqueCorrectRepresentation) Execute(c *x509.Certificate) *lint.Lint
}
return &lint.LintResult{Status: lint.Pass}
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_dsa_unique_correct_representation",
Description: "DSA: Public key value has the unique correct representation in the field, and that the key has the correct order in the subgroup",
Citation: "BRs: 6.1.6",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &dsaUniqueCorrectRepresentation{},
})
}


@ -1,7 +1,7 @@
package cabf_br
/*
* ZLint Copyright 2020 Regents of the University of Michigan
* ZLint Copyright 2021 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
@ -14,21 +14,33 @@ package cabf_br
* permissions and limitations under the License.
*/
import (
"crypto/ecdsa"
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v3/lint"
"github.com/zmap/zlint/v3/util"
)
type ecImproperCurves struct{}
/************************************************
BRs: 6.1.5
Certificates MUST meet the following requirements for algorithm type and key size.
ECC Curve: NIST P-256, P-384, or P-521
************************************************/
import (
"crypto/ecdsa"
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
)
type ecImproperCurves struct{}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_ec_improper_curves",
Description: "Only one of NIST P256, P384, or P521 can be used",
Citation: "BRs: 6.1.5",
Source: lint.CABFBaselineRequirements,
// Refer to BRs: 6.1.5, taking the statement "Before 31 Dec 2010" literally
EffectiveDate: util.ZeroDate,
Lint: &ecImproperCurves{},
})
}
func (l *ecImproperCurves) Initialize() error {
return nil
@ -57,15 +69,3 @@ func (l *ecImproperCurves) Execute(c *x509.Certificate) *lint.LintResult {
return &lint.LintResult{Status: lint.Error}
}
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_ec_improper_curves",
Description: "Only one of NIST P256, P384, or P521 can be used",
Citation: "BRs: 6.1.5",
Source: lint.CABFBaselineRequirements,
// Refer to BRs: 6.1.5, taking the statement "Before 31 Dec 2010" literally
EffectiveDate: util.ZeroDate,
Lint: &ecImproperCurves{},
})
}


@ -1,7 +1,7 @@
package cabf_br
/*
* ZLint Copyright 2020 Regents of the University of Michigan
* ZLint Copyright 2021 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
@ -14,6 +14,14 @@ package cabf_br
* permissions and limitations under the License.
*/
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v3/lint"
"github.com/zmap/zlint/v3/util"
)
type NCReservedIPNet struct{}
/************************************************
BRs: 7.1.5
(b) For each iPAddress range in permittedSubtrees, the CA MUST confirm that the
@ -25,13 +33,16 @@ CAs SHALL NOT issue certificates with a subjectAlternativeName extension or
Subject commonName field containing a Reserved IP Address or Internal Name.
************************************************/
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
)
type NCReservedIPNet struct{}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_ext_nc_intersects_reserved_ip",
Description: "iPAddress name constraint intersects an IANA reserved network",
Citation: "BRs: 7.1.5 / 7.1.4.2.1",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &NCReservedIPNet{},
})
}
func (l *NCReservedIPNet) Initialize() error {
return nil
@ -50,14 +61,3 @@ func (l *NCReservedIPNet) Execute(c *x509.Certificate) *lint.LintResult {
return &lint.LintResult{Status: lint.Pass}
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_ext_nc_intersects_reserved_ip",
Description: "iPAddress name constraint intersects an IANA reserved network",
Citation: "BRs: 7.1.5 / 7.1.4.2.1",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &NCReservedIPNet{},
})
}


@ -1,7 +1,7 @@
package cabf_br
/*
* ZLint Copyright 2020 Regents of the University of Michigan
* ZLint Copyright 2021 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
@ -14,23 +14,25 @@ package cabf_br
* permissions and limitations under the License.
*/
/************************************************
BRs: 7.1.4.2.1
Also as of the Effective Date, the CA SHALL NOT
issue a certificate with an Expiry Date later than
1 November 2015 with a subjectAlternativeName extension
or Subject commonName field containing a Reserved IP
Address or Internal Name.
************************************************/
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
"github.com/zmap/zlint/v3/lint"
"github.com/zmap/zlint/v3/util"
)
type SANReservedIP struct{}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_ext_san_contains_reserved_ip",
Description: "CAs SHALL NOT issue certificates with a subjectAltName extension or subject:commonName field containing a Reserved IP Address or Internal Name.",
Citation: "BRs: 7.1.4.2.1",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &SANReservedIP{},
})
}
func (l *SANReservedIP) Initialize() error {
return nil
}
@ -48,14 +50,3 @@ func (l *SANReservedIP) Execute(c *x509.Certificate) *lint.LintResult {
return &lint.LintResult{Status: lint.Pass}
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_ext_san_contains_reserved_ip",
Description: "Effective October 1, 2016, CAs must revoke all unexpired certificates that contains a reserved IP or internal name.",
Citation: "BRs: 7.1.4.2.1",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &SANReservedIP{},
})
}


@ -1,7 +1,7 @@
package cabf_br
/*
* ZLint Copyright 2020 Regents of the University of Michigan
* ZLint Copyright 2021 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
@ -14,6 +14,14 @@ package cabf_br
* permissions and limitations under the License.
*/
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v3/lint"
"github.com/zmap/zlint/v3/util"
)
type ExtSANCriticalWithSubjectDN struct{}
/************************************************
Further, if the only subject identity included in the certificate is an
alternative name form (e.g., an electronic mail address), then the subject
@ -25,13 +33,16 @@ Further, if the only subject identity included in the certificate is an
subjectAltName extension as non-critical.
************************************************/
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
)
type ExtSANCriticalWithSubjectDN struct{}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "w_ext_san_critical_with_subject_dn",
Description: "If the subject contains a distinguished name, subjectAlternateName SHOULD be non-critical",
Citation: "RFC 5280: 4.2.1.6",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.RFC5280Date,
Lint: &ExtSANCriticalWithSubjectDN{},
})
}
func (l *ExtSANCriticalWithSubjectDN) Initialize() error {
return nil
@ -48,14 +59,3 @@ func (l *ExtSANCriticalWithSubjectDN) Execute(cert *x509.Certificate) *lint.Lint
}
return &lint.LintResult{Status: lint.Pass}
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "w_ext_san_critical_with_subject_dn",
Description: "If the subject contains a distinguished name, subjectAlternateName SHOULD be non-critical",
Citation: "RFC 5280: 4.2.1.6",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.RFC5280Date,
Lint: &ExtSANCriticalWithSubjectDN{},
})
}


@ -1,7 +1,7 @@
package cabf_br
/*
* ZLint Copyright 2020 Regents of the University of Michigan
* ZLint Copyright 2021 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
@ -14,6 +14,14 @@ package cabf_br
* permissions and limitations under the License.
*/
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v3/lint"
"github.com/zmap/zlint/v3/util"
)
type SANDirName struct{}
/************************************************************************************************************
7.1.4.2.1. Subject Alternative Name Extension
Certificate Field: extensions:subjectAltName
@ -25,13 +33,16 @@ right to use it by the Domain Name Registrant or IP address assignee, as appropr
Wildcard FQDNs are permitted.
*************************************************************************************************************/
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
)
type SANDirName struct{}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_ext_san_directory_name_present",
Description: "The Subject Alternate Name extension MUST contain only 'dnsName' and 'ipaddress' name types",
Citation: "BRs: 7.1.4.2.1",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &SANDirName{},
})
}
func (l *SANDirName) Initialize() error {
return nil
@ -47,14 +58,3 @@ func (l *SANDirName) Execute(c *x509.Certificate) *lint.LintResult {
}
return &lint.LintResult{Status: lint.Pass}
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_ext_san_directory_name_present",
Description: "The Subject Alternate Name extension MUST contain only 'dnsName' and 'ipaddress' name types",
Citation: "BRs: 7.1.4.2.1",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &SANDirName{},
})
}


@ -1,7 +1,7 @@
package cabf_br
/*
* ZLint Copyright 2020 Regents of the University of Michigan
* ZLint Copyright 2021 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
@ -14,6 +14,14 @@ package cabf_br
* permissions and limitations under the License.
*/
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v3/lint"
"github.com/zmap/zlint/v3/util"
)
type SANEDI struct{}
/************************************************************************************************************
7.1.4.2.1. Subject Alternative Name Extension
Certificate Field: extensions:subjectAltName
@ -25,13 +33,16 @@ right to use it by the Domain Name Registrant or IP address assignee, as appropr
Wildcard FQDNs are permitted.
*************************************************************************************************************/
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
)
type SANEDI struct{}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_ext_san_edi_party_name_present",
Description: "The Subject Alternate Name extension MUST contain only 'dnsName' and 'ipaddress' name types",
Citation: "BRs: 7.1.4.2.1",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &SANEDI{},
})
}
func (l *SANEDI) Initialize() error {
return nil
@ -47,14 +58,3 @@ func (l *SANEDI) Execute(c *x509.Certificate) *lint.LintResult {
}
return &lint.LintResult{Status: lint.Pass}
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_ext_san_edi_party_name_present",
Description: "The Subject Alternate Name extension MUST contain only 'dnsName' and 'ipaddress' name types",
Citation: "BRs: 7.1.4.2.1",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &SANEDI{},
})
}


@ -1,7 +1,7 @@
package cabf_br
/*
* ZLint Copyright 2020 Regents of the University of Michigan
* ZLint Copyright 2021 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
@ -14,6 +14,14 @@ package cabf_br
* permissions and limitations under the License.
*/
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v3/lint"
"github.com/zmap/zlint/v3/util"
)
type SANMissing struct{}
/************************************************
BRs: 7.1.4.2.1
Subject Alternative Name Extension
@ -21,13 +29,16 @@ Certificate Field: extensions:subjectAltName
Required/Optional: Required
************************************************/
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
)
type SANMissing struct{}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_ext_san_missing",
Description: "Subscriber certificates MUST contain the Subject Alternate Name extension",
Citation: "BRs: 7.1.4.2.1",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &SANMissing{},
})
}
func (l *SANMissing) Initialize() error {
return nil
@ -44,14 +55,3 @@ func (l *SANMissing) Execute(c *x509.Certificate) *lint.LintResult {
return &lint.LintResult{Status: lint.Error}
}
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_ext_san_missing",
Description: "Subscriber certificates MUST contain the Subject Alternate Name extension",
Citation: "BRs: 7.1.4.2.1",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &SANMissing{},
})
}


@ -1,7 +1,7 @@
package cabf_br
/*
* ZLint Copyright 2020 Regents of the University of Michigan
* ZLint Copyright 2021 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
@ -14,6 +14,14 @@ package cabf_br
* permissions and limitations under the License.
*/
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v3/lint"
"github.com/zmap/zlint/v3/util"
)
type SANOtherName struct{}
/************************************************************************************************************
7.1.4.2.1. Subject Alternative Name Extension
Certificate Field: extensions:subjectAltName
@ -25,13 +33,16 @@ right to use it by the Domain Name Registrant or IP address assignee, as appropr
Wildcard FQDNs are permitted.
*************************************************************************************************************/
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
)
type SANOtherName struct{}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_ext_san_other_name_present",
Description: "The Subject Alternate Name extension MUST contain only 'dnsName' and 'ipaddress' name types.",
Citation: "BRs: 7.1.4.2.1",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &SANOtherName{},
})
}
func (l *SANOtherName) Initialize() error {
return nil
@ -47,14 +58,3 @@ func (l *SANOtherName) Execute(c *x509.Certificate) *lint.LintResult {
}
return &lint.LintResult{Status: lint.Pass}
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_ext_san_other_name_present",
Description: "The Subject Alternate Name extension MUST contain only 'dnsName' and 'ipaddress' name types.",
Citation: "BRs: 7.1.4.2.1",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &SANOtherName{},
})
}


@ -1,7 +1,7 @@
package cabf_br
/*
* ZLint Copyright 2020 Regents of the University of Michigan
* ZLint Copyright 2021 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
@ -14,6 +14,14 @@ package cabf_br
* permissions and limitations under the License.
*/
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v3/lint"
"github.com/zmap/zlint/v3/util"
)
type SANRegId struct{}
/************************************************************************************************************
7.1.4.2.1. Subject Alternative Name Extension
Certificate Field: extensions:subjectAltName
@ -25,13 +33,16 @@ right to use it by the Domain Name Registrant or IP address assignee, as appropr
Wildcard FQDNs are permitted.
*************************************************************************************************************/
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
)
type SANRegId struct{}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_ext_san_registered_id_present",
Description: "The Subject Alternate Name extension MUST contain only 'dnsName' and 'ipaddress' name types.",
Citation: "BRs: 7.1.4.2.1",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &SANRegId{},
})
}
func (l *SANRegId) Initialize() error {
return nil
@ -47,14 +58,3 @@ func (l *SANRegId) Execute(c *x509.Certificate) *lint.LintResult {
}
return &lint.LintResult{Status: lint.Pass}
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_ext_san_registered_id_present",
Description: "The Subject Alternate Name extension MUST contain only 'dnsName' and 'ipaddress' name types.",
Citation: "BRs: 7.1.4.2.1",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &SANRegId{},
})
}


@ -1,7 +1,7 @@
package cabf_br
/*
* ZLint Copyright 2020 Regents of the University of Michigan
* ZLint Copyright 2021 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
@ -14,6 +14,14 @@ package cabf_br
* permissions and limitations under the License.
*/
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v3/lint"
"github.com/zmap/zlint/v3/util"
)
type SANRfc822 struct{}
/************************************************************************************************************
7.1.4.2.1. Subject Alternative Name Extension
Certificate Field: extensions:subjectAltName
@ -25,13 +33,16 @@ right to use it by the Domain Name Registrant or IP address assignee, as appropr
Wildcard FQDNs are permitted.
*************************************************************************************************************/
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
)
type SANRfc822 struct{}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_ext_san_rfc822_name_present",
Description: "The Subject Alternate Name extension MUST contain only 'dnsName' and 'ipaddress' name types.",
Citation: "BRs: 7.1.4.2.1",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &SANRfc822{},
})
}
func (l *SANRfc822) Initialize() error {
return nil
@ -47,14 +58,3 @@ func (l *SANRfc822) Execute(c *x509.Certificate) *lint.LintResult {
}
return &lint.LintResult{Status: lint.Pass}
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_ext_san_rfc822_name_present",
Description: "The Subject Alternate Name extension MUST contain only 'dnsName' and 'ipaddress' name types.",
Citation: "BRs: 7.1.4.2.1",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &SANRfc822{},
})
}


@ -1,7 +1,7 @@
package cabf_br
/*
* ZLint Copyright 2020 Regents of the University of Michigan
* ZLint Copyright 2021 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
@ -14,6 +14,14 @@ package cabf_br
* permissions and limitations under the License.
*/
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v3/lint"
"github.com/zmap/zlint/v3/util"
)
type SANURI struct{}
/************************************************************************************************************
7.1.4.2.1. Subject Alternative Name Extension
Certificate Field: extensions:subjectAltName
@ -25,13 +33,16 @@ right to use it by the Domain Name Registrant or IP address assignee, as appropr
Wildcard FQDNs are permitted.
*************************************************************************************************************/
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
)
type SANURI struct{}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_ext_san_uniform_resource_identifier_present",
Description: "The Subject Alternate Name extension MUST contain only 'dnsName' and 'ipaddress' name types",
Citation: "BRs: 7.1.4.2.1",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &SANURI{},
})
}
func (l *SANURI) Initialize() error {
return nil
@ -47,14 +58,3 @@ func (l *SANURI) Execute(c *x509.Certificate) *lint.LintResult {
}
return &lint.LintResult{Status: lint.Pass}
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_ext_san_uniform_resource_identifier_present",
Description: "The Subject Alternate Name extension MUST contain only 'dnsName' and 'ipaddress' name types",
Citation: "BRs: 7.1.4.2.1",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &SANURI{},
})
}


@ -1,5 +1,5 @@
/*
* ZLint Copyright 2020 Regents of the University of Michigan
* ZLint Copyright 2021 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
@ -20,12 +20,23 @@ import (
"strings"
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
"github.com/zmap/zlint/v3/lint"
"github.com/zmap/zlint/v3/util"
)
type torServiceDescHashInvalid struct{}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_ext_tor_service_descriptor_hash_invalid",
Description: "certificates with v2 .onion names need valid TorServiceDescriptors in extension",
Citation: "BRs: Ballot 201, Ballot SC27",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABV201Date,
Lint: &torServiceDescHashInvalid{},
})
}
func (l *torServiceDescHashInvalid) Initialize() error {
// There is nothing to initialize for a torServiceDescHashInvalid linter.
return nil
@ -207,14 +218,3 @@ func (l *torServiceDescHashInvalid) Execute(c *x509.Certificate) *lint.LintResul
Status: lint.Pass,
}
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_ext_tor_service_descriptor_hash_invalid",
Description: "certificates with v2 .onion names need valid TorServiceDescriptors in extension",
Citation: "BRs: Ballot 201, Ballot SC27",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABV201Date,
Lint: &torServiceDescHashInvalid{},
})
}


@ -1,5 +1,5 @@
/*
* ZLint Copyright 2020 Regents of the University of Michigan
* ZLint Copyright 2021 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
@ -16,12 +16,23 @@ package cabf_br
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
"github.com/zmap/zlint/v3/lint"
"github.com/zmap/zlint/v3/util"
)
type extraSubjectCommonNames struct{}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "w_extra_subject_common_names",
Description: "if present the subject commonName field MUST contain a single IP address or Fully-Qualified Domain Name",
Citation: "BRs: 7.1.4.2.2",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &extraSubjectCommonNames{},
})
}
func (l *extraSubjectCommonNames) Initialize() error {
return nil
}
@ -39,14 +50,3 @@ func (l *extraSubjectCommonNames) Execute(c *x509.Certificate) *lint.LintResult
}
return &lint.LintResult{Status: lint.Pass}
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "w_extra_subject_common_names",
Description: "if present the subject commonName field MUST contain a single IP address or Fully-Qualified Domain Name",
Citation: "BRs: 7.1.4.2.2",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &extraSubjectCommonNames{},
})
}


@ -1,7 +1,7 @@
package cabf_br
/*
* ZLint Copyright 2020 Regents of the University of Michigan
* ZLint Copyright 2021 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
@ -14,17 +14,28 @@ package cabf_br
* permissions and limitations under the License.
*/
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v3/lint"
"github.com/zmap/zlint/v3/util"
)
type InvalidCertificateVersion struct{}
/************************************************
Certificates MUST be of type X.509 v3.
************************************************/
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
)
type InvalidCertificateVersion struct{}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_invalid_certificate_version",
Description: "Certificates MUST be of type X.590 v3",
Citation: "BRs: 7.1.1",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABV130Date,
Lint: &InvalidCertificateVersion{},
})
}
func (l *InvalidCertificateVersion) Initialize() error {
return nil
@ -40,14 +51,3 @@ func (l *InvalidCertificateVersion) Execute(cert *x509.Certificate) *lint.LintRe
}
return &lint.LintResult{Status: lint.Pass}
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_invalid_certificate_version",
Description: "Certificates MUST be of type X.590 v3",
Citation: "BRs: 7.1.1",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABV130Date,
Lint: &InvalidCertificateVersion{},
})
}


@ -0,0 +1,55 @@
/*
* ZLint Copyright 2021 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
package cabf_br
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v3/lint"
"github.com/zmap/zlint/v3/util"
)
type OCSPIDPKIXOCSPNocheckExtNotIncludedServerAuth struct{}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_ocsp_id_pkix_ocsp_nocheck_ext_not_included_server_auth",
Description: "OCSP signing Certificate MUST contain an extension of type id-pkixocsp-nocheck, as" +
" defined by RFC6960",
Citation: "BRs: 4.9.9",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &OCSPIDPKIXOCSPNocheckExtNotIncludedServerAuth{},
})
}
func (l *OCSPIDPKIXOCSPNocheckExtNotIncludedServerAuth) Initialize() error {
return nil
}
func (l *OCSPIDPKIXOCSPNocheckExtNotIncludedServerAuth) CheckApplies(c *x509.Certificate) bool {
return util.IsDelegatedOCSPResponderCert(c) && util.IsServerAuthCert(c)
}
func (l *OCSPIDPKIXOCSPNocheckExtNotIncludedServerAuth) Execute(c *x509.Certificate) *lint.LintResult {
// If the id-pkix-ocsp-nocheck extension, as specified in RFC 6960, Section 4.2.2.2.1, is present, then
// the certificate complies.
if util.IsExtInCert(c, util.OscpNoCheckOID) {
return &lint.LintResult{Status: lint.Pass}
}
// This certificate is a TLS certificate, so the Baseline Requirements apply, which require the presence
// of id-pkix-ocsp-nocheck as an extension.
return &lint.LintResult{Status: lint.Error}
}


@ -1,7 +1,7 @@
package cabf_br
/*
* ZLint Copyright 2020 Regents of the University of Michigan
* ZLint Copyright 2021 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
@ -18,12 +18,23 @@ import (
"crypto/rsa"
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
"github.com/zmap/zlint/v3/lint"
"github.com/zmap/zlint/v3/util"
)
type rootCaModSize struct{}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_old_root_ca_rsa_mod_less_than_2048_bits",
Description: "In a validity period beginning on or before 31 Dec 2010, root CA certificates using RSA public key algorithm MUST use a 2048 bit modulus",
Citation: "BRs: 6.1.5",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.ZeroDate,
Lint: &rootCaModSize{},
})
}
func (l *rootCaModSize) Initialize() error {
return nil
}
@ -42,14 +53,3 @@ func (l *rootCaModSize) Execute(c *x509.Certificate) *lint.LintResult {
return &lint.LintResult{Status: lint.Pass}
}
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_old_root_ca_rsa_mod_less_than_2048_bits",
Description: "In a validity period beginning on or before 31 Dec 2010, root CA certificates using RSA public key algorithm MUST use a 2048 bit modulus",
Citation: "BRs: 6.1.5",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.ZeroDate,
Lint: &rootCaModSize{},
})
}


@ -1,7 +1,7 @@
package cabf_br
/*
* ZLint Copyright 2020 Regents of the University of Michigan
* ZLint Copyright 2021 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
@ -20,12 +20,24 @@ import (
"crypto/rsa"
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
"github.com/zmap/zlint/v3/lint"
"github.com/zmap/zlint/v3/util"
)
type subCaModSize struct{}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_old_sub_ca_rsa_mod_less_than_1024_bits",
Description: "In a validity period beginning on or before 31 Dec 2010 and ending on or before 31 Dec 2013, subordinate CA certificates using RSA public key algorithm MUST use a 1024 bit modulus",
Citation: "BRs: 6.1.5",
Source: lint.CABFBaselineRequirements,
// since effective date should be checked against end date in this specific case, putting time check into checkApplies instead, ZeroDate here to automatically pass NE test
EffectiveDate: util.ZeroDate,
Lint: &subCaModSize{},
})
}
func (l *subCaModSize) Initialize() error {
return nil
}
@ -45,15 +57,3 @@ func (l *subCaModSize) Execute(c *x509.Certificate) *lint.LintResult {
return &lint.LintResult{Status: lint.Pass}
}
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_old_sub_ca_rsa_mod_less_than_1024_bits",
Description: "In a validity period beginning on or before 31 Dec 2010 and ending on or before 31 Dec 2013, subordinate CA certificates using RSA public key algorithm MUST use a 1024 bit modulus",
Citation: "BRs: 6.1.5",
Source: lint.CABFBaselineRequirements,
// since effective date should be checked against end date in this specific case, putting time check into checkApplies instead, ZeroDate here to automatically pass NE test
EffectiveDate: util.ZeroDate,
Lint: &subCaModSize{},
})
}


@ -1,7 +1,7 @@
package cabf_br
/*
* ZLint Copyright 2020 Regents of the University of Michigan
* ZLint Copyright 2021 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
@ -18,12 +18,24 @@ import (
"crypto/rsa"
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
"github.com/zmap/zlint/v3/lint"
"github.com/zmap/zlint/v3/util"
)
type subModSize struct{}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_old_sub_cert_rsa_mod_less_than_1024_bits",
Description: "In a validity period ending on or before 31 Dec 2013, subscriber certificates using RSA public key algorithm MUST use a 1024 bit modulus",
Citation: "BRs: 6.1.5",
Source: lint.CABFBaselineRequirements,
// since effective date should be checked against end date in this specific case, putting time check into checkApplies instead, ZeroDate here to automatically pass NE test
EffectiveDate: util.ZeroDate,
Lint: &subModSize{},
})
}
func (l *subModSize) Initialize() error {
return nil
}
@ -42,15 +54,3 @@ func (l *subModSize) Execute(c *x509.Certificate) *lint.LintResult {
return &lint.LintResult{Status: lint.Pass}
}
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_old_sub_cert_rsa_mod_less_than_1024_bits",
Description: "In a validity period ending on or before 31 Dec 2013, subscriber certificates using RSA public key algorithm MUST use a 1024 bit modulus",
Citation: "BRs: 6.1.5",
Source: lint.CABFBaselineRequirements,
// since effective date should be checked against end date in this specific case, putting time check into checkApplies instead, ZeroDate here to automatically pass NE test
EffectiveDate: util.ZeroDate,
Lint: &subModSize{},
})
}


@ -1,7 +1,7 @@
package cabf_br
/*
* ZLint Copyright 2020 Regents of the University of Michigan
* ZLint Copyright 2021 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
@ -16,12 +16,23 @@ package cabf_br
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
"github.com/zmap/zlint/v3/lint"
"github.com/zmap/zlint/v3/util"
)
type publicKeyAllowed struct{}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_public_key_type_not_allowed",
Description: "Certificates MUST have RSA, DSA, or ECDSA public key type",
Citation: "BRs: 6.1.5",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &publicKeyAllowed{},
})
}
func (l *publicKeyAllowed) Initialize() error {
return nil
}
@ -38,14 +49,3 @@ func (l *publicKeyAllowed) Execute(c *x509.Certificate) *lint.LintResult {
return &lint.LintResult{Status: lint.Error}
}
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_public_key_type_not_allowed",
Description: "Certificates MUST have RSA, DSA, or ECDSA public key type",
Citation: "BRs: 6.1.5",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &publicKeyAllowed{},
})
}


@ -1,7 +1,7 @@
package cabf_br
/*
* ZLint Copyright 2020 Regents of the University of Michigan
* ZLint Copyright 2021 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
@ -14,21 +14,32 @@ package cabf_br
* permissions and limitations under the License.
*/
import (
"encoding/asn1"
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v3/lint"
"github.com/zmap/zlint/v3/util"
)
type rootCaPathLenPresent struct{}
/************************************************************************************************************
7.1.2.1. Root CA Certificate
a. basicConstraints
This extension MUST appear as a critical extension. The cA field MUST be set true. The pathLenConstraint field SHOULD NOT be present.
***********************************************************************************************************/
import (
"encoding/asn1"
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
)
type rootCaPathLenPresent struct{}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "w_root_ca_basic_constraints_path_len_constraint_field_present",
Description: "Root CA certificate basicConstraint extension pathLenConstraint field SHOULD NOT be present",
Citation: "BRs: 7.1.2.1",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &rootCaPathLenPresent{},
})
}
func (l *rootCaPathLenPresent) Initialize() error {
return nil
@ -58,14 +69,3 @@ func (l *rootCaPathLenPresent) Execute(c *x509.Certificate) *lint.LintResult {
}
return &lint.LintResult{Status: lint.Pass}
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "w_root_ca_basic_constraints_path_len_constraint_field_present",
Description: "Root CA certificate basicConstraint extension pathLenConstraint field SHOULD NOT be present",
Citation: "BRs: 7.1.2.1",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &rootCaPathLenPresent{},
})
}


@ -1,7 +1,7 @@
package cabf_br
/*
* ZLint Copyright 2020 Regents of the University of Michigan
* ZLint Copyright 2021 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
@ -14,18 +14,29 @@ package cabf_br
* permissions and limitations under the License.
*/
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v3/lint"
"github.com/zmap/zlint/v3/util"
)
type rootCAContainsCertPolicy struct{}
/************************************************
BRs: 7.1.2.1c certificatePolicies
This extension SHOULD NOT be present.
************************************************/
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
)
type rootCAContainsCertPolicy struct{}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "w_root_ca_contains_cert_policy",
Description: "Root CA Certificate: certificatePolicies SHOULD NOT be present.",
Citation: "BRs: 7.1.2.1",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &rootCAContainsCertPolicy{},
})
}
func (l *rootCAContainsCertPolicy) Initialize() error {
return nil
@ -42,14 +53,3 @@ func (l *rootCAContainsCertPolicy) Execute(c *x509.Certificate) *lint.LintResult
return &lint.LintResult{Status: lint.Pass}
}
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "w_root_ca_contains_cert_policy",
Description: "Root CA Certificate: certificatePolicies SHOULD NOT be present.",
Citation: "BRs: 7.1.2.1",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &rootCAContainsCertPolicy{},
})
}


@ -1,7 +1,7 @@
package cabf_br
/*
* ZLint Copyright 2020 Regents of the University of Michigan
* ZLint Copyright 2021 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
@ -14,18 +14,29 @@ package cabf_br
* permissions and limitations under the License.
*/
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v3/lint"
"github.com/zmap/zlint/v3/util"
)
type rootCAContainsEKU struct{}
/************************************************
BRs: 7.1.2.1d extendedKeyUsage
This extension MUST NOT be present.
************************************************/
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
)
type rootCAContainsEKU struct{}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_root_ca_extended_key_usage_present",
Description: "Root CA Certificate: extendedKeyUsage MUST NOT be present.t",
Citation: "BRs: 7.1.2.1",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &rootCAContainsEKU{},
})
}
func (l *rootCAContainsEKU) Initialize() error {
return nil
@ -42,14 +53,3 @@ func (l *rootCAContainsEKU) Execute(c *x509.Certificate) *lint.LintResult {
return &lint.LintResult{Status: lint.Pass}
}
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_root_ca_extended_key_usage_present",
Description: "Root CA Certificate: extendedKeyUsage MUST NOT be present.t",
Citation: "BRs: 7.1.2.1",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &rootCAContainsEKU{},
})
}


@ -1,7 +1,7 @@
package cabf_br
/*
* ZLint Copyright 2020 Regents of the University of Michigan
* ZLint Copyright 2021 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
@ -16,12 +16,23 @@ package cabf_br
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
"github.com/zmap/zlint/v3/lint"
"github.com/zmap/zlint/v3/util"
)
type rootCAKeyUsageMustBeCritical struct{}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_root_ca_key_usage_must_be_critical",
Description: "Root CA certificates MUST have Key Usage Extension marked critical",
Citation: "BRs: 7.1.2.1",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.RFC2459Date,
Lint: &rootCAKeyUsageMustBeCritical{},
})
}
func (l *rootCAKeyUsageMustBeCritical) Initialize() error {
return nil
}
@ -38,14 +49,3 @@ func (l *rootCAKeyUsageMustBeCritical) Execute(c *x509.Certificate) *lint.LintRe
return &lint.LintResult{Status: lint.Error}
}
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_root_ca_key_usage_must_be_critical",
Description: "Root CA certificates MUST have Key Usage Extension marked critical",
Citation: "BRs: 7.1.2.1",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.RFC2459Date,
Lint: &rootCAKeyUsageMustBeCritical{},
})
}


@ -1,7 +1,7 @@
package cabf_br
/*
* ZLint Copyright 2020 Regents of the University of Michigan
* ZLint Copyright 2021 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
@ -16,12 +16,23 @@ package cabf_br
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
"github.com/zmap/zlint/v3/lint"
"github.com/zmap/zlint/v3/util"
)
type rootCAKeyUsagePresent struct{}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_root_ca_key_usage_present",
Description: "Root CA certificates MUST have Key Usage Extension Present",
Citation: "BRs: 7.1.2.1",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.RFC2459Date,
Lint: &rootCAKeyUsagePresent{},
})
}
func (l *rootCAKeyUsagePresent) Initialize() error {
return nil
}
@ -37,14 +48,3 @@ func (l *rootCAKeyUsagePresent) Execute(c *x509.Certificate) *lint.LintResult {
return &lint.LintResult{Status: lint.Error}
}
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_root_ca_key_usage_present",
Description: "Root CA certificates MUST have Key Usage Extension Present",
Citation: "BRs: 7.1.2.1",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.RFC2459Date,
Lint: &rootCAKeyUsagePresent{},
})
}


@ -1,7 +1,7 @@
package cabf_br
/*
* ZLint Copyright 2020 Regents of the University of Michigan
* ZLint Copyright 2021 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
@ -14,21 +14,32 @@ package cabf_br
* permissions and limitations under the License.
*/
/**************************************************************************************************
6.1.6. Public Key Parameters Generation and Quality Checking
RSA: The CA SHALL confirm that the value of the public exponent is an odd number equal to 3 or more. Additionally, the public exponent SHOULD be in the range between 216+1 and 2256-1. The modulus SHOULD also have the following characteristics: an odd number, not the power of a prime, and have no factors smaller than 752. [Citation: Section 5.3.3, NIST SP 80089].
**************************************************************************************************/
import (
"crypto/rsa"
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
"github.com/zmap/zlint/v3/lint"
"github.com/zmap/zlint/v3/util"
)
type rsaModSmallFactor struct{}
/**************************************************************************************************
6.1.6. Public Key Parameters Generation and Quality Checking
RSA: The CA SHALL confirm that the value of the public exponent is an odd number equal to 3 or more. Additionally, the public exponent SHOULD be in the range between 2^16+1 and 2^256-1. The modulus SHOULD also have the following characteristics: an odd number, not the power of a prime, and have no factors smaller than 752. [Citation: Section 5.3.3, NIST SP 80089].
**************************************************************************************************/
func init() {
lint.RegisterLint(&lint.Lint{
Name: "w_rsa_mod_factors_smaller_than_752",
Description: "RSA: Modulus SHOULD also have the following characteristics: no factors smaller than 752",
Citation: "BRs: 6.1.6",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABV113Date,
Lint: &rsaModSmallFactor{},
})
}
func (l *rsaModSmallFactor) Initialize() error {
return nil
}
@ -46,14 +57,3 @@ func (l *rsaModSmallFactor) Execute(c *x509.Certificate) *lint.LintResult {
return &lint.LintResult{Status: lint.Warn}
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "w_rsa_mod_factors_smaller_than_752",
Description: "RSA: Modulus SHOULD also have the following characteristics: no factors smaller than 752",
Citation: "BRs: 6.1.6",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABV113Date,
Lint: &rsaModSmallFactor{},
})
}


@ -1,7 +1,7 @@
package cabf_br
/*
* ZLint Copyright 2020 Regents of the University of Michigan
* ZLint Copyright 2021 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
@ -18,12 +18,23 @@ import (
"crypto/rsa"
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
"github.com/zmap/zlint/v3/lint"
"github.com/zmap/zlint/v3/util"
)
type rsaParsedTestsKeySize struct{}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_rsa_mod_less_than_2048_bits",
Description: "For certificates valid after 31 Dec 2013, all certificates using RSA public key algorithm MUST have 2048 bits of modulus",
Citation: "BRs: 6.1.5",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.ZeroDate,
Lint: &rsaParsedTestsKeySize{},
})
}
func (l *rsaParsedTestsKeySize) Initialize() error {
return nil
}
@ -41,14 +52,3 @@ func (l *rsaParsedTestsKeySize) Execute(c *x509.Certificate) *lint.LintResult {
return &lint.LintResult{Status: lint.Pass}
}
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_rsa_mod_less_than_2048_bits",
Description: "For certificates valid after 31 Dec 2013, all certificates using RSA public key algorithm MUST have 2048 bits of modulus",
Citation: "BRs: 6.1.5",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.ZeroDate,
Lint: &rsaParsedTestsKeySize{},
})
}


@ -1,7 +1,7 @@
package cabf_br
/*
* ZLint Copyright 2020 Regents of the University of Michigan
* ZLint Copyright 2021 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
@ -14,22 +14,33 @@ package cabf_br
* permissions and limitations under the License.
*/
/*******************************************************************************************************
"BRs: 6.1.6"
RSA: The CA SHALL confirm that the value of the public exponent is an odd number equal to 3 or more. Additionally, the public exponent SHOULD be in the range between 2^16+1 and 2^256-1. The modulus SHOULD also have the following characteristics: an odd number, not the power of a prime, and have no factors smaller than 752. [Citation: Section 5.3.3, NIST SP 800-89].
*******************************************************************************************************/
import (
"crypto/rsa"
"math/big"
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
"github.com/zmap/zlint/v3/lint"
"github.com/zmap/zlint/v3/util"
)
type rsaParsedTestsKeyModOdd struct{}
/*******************************************************************************************************
"BRs: 6.1.6"
RSA: The CA SHALL confirm that the value of the public exponent is an odd number equal to 3 or more. Additionally, the public exponent SHOULD be in the range between 2^16+1 and 2^256-1. The modulus SHOULD also have the following characteristics: an odd number, not the power of a prime, and have no factors smaller than 752. [Citation: Section 5.3.3, NIST SP 80089].
*******************************************************************************************************/
func init() {
lint.RegisterLint(&lint.Lint{
Name: "w_rsa_mod_not_odd",
Description: "RSA: Modulus SHOULD also have the following characteristics: an odd number",
Citation: "BRs: 6.1.6",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABV113Date,
Lint: &rsaParsedTestsKeyModOdd{},
})
}
func (l *rsaParsedTestsKeyModOdd) Initialize() error {
return nil
}
@ -48,14 +59,3 @@ func (l *rsaParsedTestsKeyModOdd) Execute(c *x509.Certificate) *lint.LintResult
return &lint.LintResult{Status: lint.Warn}
}
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "w_rsa_mod_not_odd",
Description: "RSA: Modulus SHOULD also have the following characteristics: an odd number",
Citation: "BRs: 6.1.6",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABV113Date,
Lint: &rsaParsedTestsKeyModOdd{},
})
}


@ -1,7 +1,7 @@
package cabf_br
/*
* ZLint Copyright 2020 Regents of the University of Michigan
* ZLint Copyright 2021 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
@ -14,24 +14,35 @@ package cabf_br
* permissions and limitations under the License.
*/
/*******************************************************************************************************
"BRs: 6.1.6"
RSA: The CA SHALL confirm that the value of the public exponent is an odd number equal to 3 or more. Additionally, the public exponent SHOULD be in the range between 2^16+1 and 2^256-1. The modulus SHOULD also have the following characteristics: an odd number, not the power of a prime, and have no factors smaller than 752. [Citation: Section 5.3.3, NIST SP 800-89].
*******************************************************************************************************/
import (
"crypto/rsa"
"math/big"
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
"github.com/zmap/zlint/v3/lint"
"github.com/zmap/zlint/v3/util"
)
type rsaParsedTestsExpInRange struct {
upperBound *big.Int
}
/*******************************************************************************************************
"BRs: 6.1.6"
RSA: The CA SHALL confirm that the value of the public exponent is an odd number equal to 3 or more. Additionally, the public exponent SHOULD be in the range between 2^16+1 and 2^256-1. The modulus SHOULD also have the following characteristics: an odd number, not the power of a prime, and have no factors smaller than 752. [Citation: Section 5.3.3, NIST SP 800-89].
*******************************************************************************************************/
func init() {
lint.RegisterLint(&lint.Lint{
Name: "w_rsa_public_exponent_not_in_range",
Description: "RSA: Public exponent SHOULD be in the range between 2^16 + 1 and 2^256 - 1",
Citation: "BRs: 6.1.6",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABV113Date,
Lint: &rsaParsedTestsExpInRange{},
})
}
func (l *rsaParsedTestsExpInRange) Initialize() error {
l.upperBound = &big.Int{}
l.upperBound.Exp(big.NewInt(2), big.NewInt(256), nil)
@ -52,14 +63,3 @@ func (l *rsaParsedTestsExpInRange) Execute(c *x509.Certificate) *lint.LintResult
}
return &lint.LintResult{Status: lint.Warn}
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "w_rsa_public_exponent_not_in_range",
Description: "RSA: Public exponent SHOULD be in the range between 2^16 + 1 and 2^256 - 1",
Citation: "BRs: 6.1.6",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABV113Date,
Lint: &rsaParsedTestsExpInRange{},
})
}


@ -1,7 +1,7 @@
package cabf_br
/*
* ZLint Copyright 2020 Regents of the University of Michigan
* ZLint Copyright 2021 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
@ -14,20 +14,31 @@ package cabf_br
* permissions and limitations under the License.
*/
import (
"crypto/rsa"
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v3/lint"
"github.com/zmap/zlint/v3/util"
)
type rsaParsedTestsKeyExpOdd struct{}
/*******************************************************************************************************
"BRs: 6.1.6"
RSA: The CA SHALL confirm that the value of the public exponent is an odd number equal to 3 or more. Additionally, the public exponent SHOULD be in the range between 2^16+1 and 2^256-1. The modulus SHOULD also have the following characteristics: an odd number, not the power of a prime, and have no factors smaller than 752. [Citation: Section 5.3.3, NIST SP 800-89].
*******************************************************************************************************/
import (
"crypto/rsa"
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
)
type rsaParsedTestsKeyExpOdd struct{}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_rsa_public_exponent_not_odd",
Description: "RSA: Value of public exponent is an odd number equal to 3 or more.",
Citation: "BRs: 6.1.6",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABV113Date,
Lint: &rsaParsedTestsKeyExpOdd{},
})
}
func (l *rsaParsedTestsKeyExpOdd) Initialize() error {
return nil
@ -46,14 +57,3 @@ func (l *rsaParsedTestsKeyExpOdd) Execute(c *x509.Certificate) *lint.LintResult
return &lint.LintResult{Status: lint.Error}
}
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_rsa_public_exponent_not_odd",
Description: "RSA: Value of public exponent is an odd number equal to 3 or more.",
Citation: "BRs: 6.1.6",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABV113Date,
Lint: &rsaParsedTestsKeyExpOdd{},
})
}


@ -1,7 +1,7 @@
package cabf_br
/*
* ZLint Copyright 2020 Regents of the University of Michigan
* ZLint Copyright 2021 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
@ -14,20 +14,31 @@ package cabf_br
* permissions and limitations under the License.
*/
import (
"crypto/rsa"
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v3/lint"
"github.com/zmap/zlint/v3/util"
)
type rsaParsedTestsExpBounds struct{}
/*******************************************************************************************************
"BRs: 6.1.6"
RSA: The CA SHALL confirm that the value of the public exponent is an odd number equal to 3 or more. Additionally, the public exponent SHOULD be in the range between 2^16+1 and 2^256-1. The modulus SHOULD also have the following characteristics: an odd number, not the power of a prime, and have no factors smaller than 752. [Citation: Section 5.3.3, NIST SP 800-89].
*******************************************************************************************************/
import (
"crypto/rsa"
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
)
type rsaParsedTestsExpBounds struct{}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_rsa_public_exponent_too_small",
Description: "RSA: Value of public exponent is an odd number equal to 3 or more.",
Citation: "BRs: 6.1.6",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABV113Date,
Lint: &rsaParsedTestsExpBounds{},
})
}
func (l *rsaParsedTestsExpBounds) Initialize() error {
return nil
@ -46,14 +57,3 @@ func (l *rsaParsedTestsExpBounds) Execute(c *x509.Certificate) *lint.LintResult
return &lint.LintResult{Status: lint.Error}
}
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_rsa_public_exponent_too_small",
Description: "RSA: Value of public exponent is an odd number equal to 3 or more.",
Citation: "BRs: 6.1.6",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABV113Date,
Lint: &rsaParsedTestsExpBounds{},
})
}


@ -1,5 +1,5 @@
/*
* ZLint Copyright 2020 Regents of the University of Michigan
* ZLint Copyright 2021 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
@ -12,6 +12,42 @@
* permissions and limitations under the License.
*/
package cabf_br
import (
"fmt"
"regexp"
"strings"
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v3/lint"
"github.com/zmap/zlint/v3/util"
)
var (
// Per 2.4 of Rendezvous v2:
// Valid onion addresses contain 16 characters in a-z2-7 plus ".onion"
onionV2Len = 16
// Per 1.2 of Rendezvous v3:
// A hidden service's name is its long term master identity key. This is
// encoded as a hostname by encoding the entire key in Base 32, including
// a version byte and a checksum, and then appending the string ".onion"
// at the end. The result is a 56-character domain name.
onionV3Len = 56
// Per RFC 4648, Section 6, the Base-32 alphabet is A-Z, 2-7, and =.
// Because v2/v3 addresses are always aligned, they should never be padded,
// and so omit = from the character set, as it's also not permitted in a
// domain in the "preferred name syntax". Because `.onion` names appear in
// DNS, which is case insensitive, the alphabet is extended to include a-z,
// as the names are tested for well-formedness prior to normalization to
// uppercase.
base32SubsetRegex = regexp.MustCompile(`^[a-zA-Z2-7]+$`)
)
type onionNotValid struct{}
/*******************************************************************
https://tools.ietf.org/html/rfc7686#section-1
@ -41,41 +77,16 @@ requires the `.onion` name to be well-formed, even prior to RFC 7686.
See also https://github.com/cabforum/documents/issues/191
*******************************************************************/
package cabf_br
import (
"fmt"
"regexp"
"strings"
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
)
var (
// Per 2.4 of Rendezvous v2:
// Valid onion addresses contain 16 characters in a-z2-7 plus ".onion"
onionV2Len = 16
// Per 1.2 of Rendezvous v3:
// A hidden service's name is its long term master identity key. This is
// encoded as a hostname by encoding the entire key in Base 32, including
// a version byte and a checksum, and then appending the string ".onion"
// at the end. The result is a 56-character domain name.
onionV3Len = 56
// Per RFC 4648, Section 6, the Base-32 alphabet is A-Z, 2-7, and =.
// Because v2/v3 addresses are always aligned, they should never be padded,
// and so omit = from the character set, as it's also not permitted in a
// domain in the "preferred name syntax". Because `.onion` names appear in
// DNS, which is case insensitive, the alphabet is extended to include a-z,
// as the names are tested for well-formedness prior to normalization to
// uppercase.
base32SubsetRegex = regexp.MustCompile(`^[a-zA-Z2-7]+$`)
)
type onionNotValid struct{}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_san_dns_name_onion_invalid",
Description: "certificates with a .onion subject name must be issued in accordance with the Tor address/rendezvous specification",
Citation: "RFC 7686, EVGs v1.7.2: Appendix F, BRs v1.6.9: Appendix C",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.OnionOnlyEVDate,
Lint: &onionNotValid{},
})
}
func (l *onionNotValid) Initialize() error {
return nil
@ -138,14 +149,3 @@ func (l *onionNotValid) Execute(c *x509.Certificate) *lint.LintResult {
}
return &lint.LintResult{Status: lint.Pass}
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_san_dns_name_onion_invalid",
Description: "certificates with a .onion subject name must be issued in accordance with the Tor address/rendezvous specification",
Citation: "RFC 7686, EVGs v1.7.2: Appendix F, BRs v1.6.9: Appendix C",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.OnionOnlyEVDate,
Lint: &onionNotValid{},
})
}


@ -1,5 +1,5 @@
/*
* ZLint Copyright 2020 Regents of the University of Michigan
* ZLint Copyright 2021 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
@ -18,12 +18,23 @@ import (
"fmt"
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
"github.com/zmap/zlint/v3/lint"
"github.com/zmap/zlint/v3/util"
)
type onionNotEV struct{}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_san_dns_name_onion_not_ev_cert",
Description: "certificates with a .onion subject name must be issued in accordance with EV Guidelines",
Citation: "CABF Ballot 144",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.OnionOnlyEVDate,
Lint: &onionNotEV{},
})
}
func (l *onionNotEV) Initialize() error {
return nil
}
@ -56,14 +67,3 @@ func (l *onionNotEV) Execute(c *x509.Certificate) *lint.LintResult {
}
return &lint.LintResult{Status: lint.Pass}
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_san_dns_name_onion_not_ev_cert",
Description: "certificates with a .onion subject name must be issued in accordance with EV Guidelines",
Citation: "CABF Ballot 144",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.OnionOnlyEVDate,
Lint: &onionNotEV{},
})
}


@ -1,7 +1,7 @@
package cabf_br
/*
* ZLint Copyright 2020 Regents of the University of Michigan
* ZLint Copyright 2021 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
@ -16,8 +16,8 @@ package cabf_br
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
"github.com/zmap/zlint/v3/lint"
"github.com/zmap/zlint/v3/util"
)
var (
@ -54,6 +54,17 @@ var (
type signatureAlgorithmNotSupported struct{}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_signature_algorithm_not_supported",
Description: "Certificates MUST meet the following requirements for algorithm Source: SHA-1*, SHA-256, SHA-384, SHA-512",
Citation: "BRs: 6.1.5",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.ZeroDate,
Lint: &signatureAlgorithmNotSupported{},
})
}
func (l *signatureAlgorithmNotSupported) Initialize() error {
return nil
}
@ -74,14 +85,3 @@ func (l *signatureAlgorithmNotSupported) Execute(c *x509.Certificate) *lint.Lint
Status: status,
}
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_signature_algorithm_not_supported",
Description: "Certificates MUST meet the following requirements for algorithm Source: SHA-1*, SHA-256, SHA-384, SHA-512",
Citation: "BRs: 6.1.5",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.ZeroDate,
Lint: &signatureAlgorithmNotSupported{},
})
}


@ -1,7 +1,7 @@
package cabf_br
/*
* ZLint Copyright 2020 Regents of the University of Michigan
* ZLint Copyright 2021 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
@ -14,24 +14,35 @@ package cabf_br
* permissions and limitations under the License.
*/
/***********************************************
CAB 7.1.2.2c
With the exception of stapling, which is noted below, this extension MUST be present. It MUST NOT be
marked critical, and it MUST contain the HTTP URL of the Issuing CAs OCSP responder (accessMethod
= 1.3.6.1.5.5.7.48.1). It SHOULD also contain the HTTP URL of the Issuing CAs certificate
(accessMethod = 1.3.6.1.5.5.7.48.2).
************************************************/
import (
"strings"
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
"github.com/zmap/zlint/v3/lint"
"github.com/zmap/zlint/v3/util"
)
type subCaIssuerUrl struct{}
/***********************************************
BRs: 7.1.2.2c
This extension SHOULD be present. It MUST NOT be marked critical.
It SHOULD contain the HTTP URL of the Issuing CAs certificate (accessMethod =
1.3.6.1.5.5.7.48.2). It MAY contain the HTTP URL of the Issuing CAs OCSP responder
(accessMethod = 1.3.6.1.5.5.7.48.1).
************************************************/
func init() {
lint.RegisterLint(&lint.Lint{
Name: "w_sub_ca_aia_does_not_contain_issuing_ca_url",
Description: "Subordinate CA Certificate: authorityInformationAccess SHOULD also contain the HTTP URL of the Issuing CA's certificate.",
Citation: "BRs: 7.1.2.2",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &subCaIssuerUrl{},
})
}
func (l *subCaIssuerUrl) Initialize() error {
return nil
}
@ -48,14 +59,3 @@ func (l *subCaIssuerUrl) Execute(c *x509.Certificate) *lint.LintResult {
}
return &lint.LintResult{Status: lint.Warn}
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "w_sub_ca_aia_does_not_contain_issuing_ca_url",
Description: "Subordinate CA Certificate: authorityInformationAccess SHOULD also contain the HTTP URL of the Issuing CA's certificate.",
Citation: "BRs: 7.1.2.2",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &subCaIssuerUrl{},
})
}


@ -1,7 +1,7 @@
package cabf_br
/*
* ZLint Copyright 2020 Regents of the University of Michigan
* ZLint Copyright 2021 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
@ -16,12 +16,23 @@ package cabf_br
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
"github.com/zmap/zlint/v3/lint"
"github.com/zmap/zlint/v3/util"
)
type subCaAIAMarkedCritical struct{}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_sub_ca_aia_marked_critical",
Description: "Subordinate CA Certificate: authorityInformationAccess MUST NOT be marked critical",
Citation: "BRs: 7.1.2.2",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.ZeroDate,
Lint: &subCaAIAMarkedCritical{},
})
}
func (l *subCaAIAMarkedCritical) Initialize() error {
return nil
}
@ -38,14 +49,3 @@ func (l *subCaAIAMarkedCritical) Execute(c *x509.Certificate) *lint.LintResult {
return &lint.LintResult{Status: lint.Pass}
}
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_sub_ca_aia_marked_critical",
Description: "Subordinate CA Certificate: authorityInformationAccess MUST NOT be marked critical",
Citation: "BRs: 7.1.2.2",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.ZeroDate,
Lint: &subCaAIAMarkedCritical{},
})
}


@ -1,7 +1,7 @@
package cabf_br
/*
* ZLint Copyright 2020 Regents of the University of Michigan
* ZLint Copyright 2021 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
@ -14,6 +14,14 @@ package cabf_br
* permissions and limitations under the License.
*/
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v3/lint"
"github.com/zmap/zlint/v3/util"
)
type caAiaMissing struct{}
/***********************************************
CAB 7.1.2.2c
With the exception of stapling, which is noted below, this extension MUST be present. It MUST NOT be
@ -22,13 +30,16 @@ marked critical, and it MUST contain the HTTP URL of the Issuing CAs OCSP res
(accessMethod = 1.3.6.1.5.5.7.48.2).
************************************************/
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
)
type caAiaMissing struct{}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_sub_ca_aia_missing",
Description: "Subordinate CA Certificate: authorityInformationAccess MUST be present, with the exception of stapling.",
Citation: "BRs: 7.1.2.2",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &caAiaMissing{},
})
}
func (l *caAiaMissing) Initialize() error {
return nil
@ -45,14 +56,3 @@ func (l *caAiaMissing) Execute(c *x509.Certificate) *lint.LintResult {
return &lint.LintResult{Status: lint.Error}
}
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_sub_ca_aia_missing",
Description: "Subordinate CA Certificate: authorityInformationAccess MUST be present, with the exception of stapling.",
Citation: "BRs: 7.1.2.2",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &caAiaMissing{},
})
}


@ -1,7 +1,7 @@
package cabf_br
/*
* ZLint Copyright 2020 Regents of the University of Michigan
* ZLint Copyright 2021 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
@ -14,18 +14,29 @@ package cabf_br
* permissions and limitations under the License.
*/
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v3/lint"
"github.com/zmap/zlint/v3/util"
)
type subCACertPolicyCrit struct{}
/************************************************
BRs: 7.1.2.2a certificatePolicies
This extension MUST be present and SHOULD NOT be marked critical.
************************************************/
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
)
type subCACertPolicyCrit struct{}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "w_sub_ca_certificate_policies_marked_critical",
Description: "Subordinate CA certificates certificatePolicies extension should not be marked as critical",
Citation: "BRs: 7.1.2.2",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &subCACertPolicyCrit{},
})
}
func (l *subCACertPolicyCrit) Initialize() error {
return nil
@ -43,14 +54,3 @@ func (l *subCACertPolicyCrit) Execute(c *x509.Certificate) *lint.LintResult {
}
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "w_sub_ca_certificate_policies_marked_critical",
Description: "Subordinate CA certificates certificatePolicies extension should not be marked as critical",
Citation: "BRs: 7.1.2.2",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &subCACertPolicyCrit{},
})
}


@ -1,7 +1,7 @@
package cabf_br
/*
* ZLint Copyright 2020 Regents of the University of Michigan
* ZLint Copyright 2021 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
@ -14,18 +14,29 @@ package cabf_br
* permissions and limitations under the License.
*/
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v3/lint"
"github.com/zmap/zlint/v3/util"
)
type subCACertPolicyMissing struct{}
/************************************************
BRs: 7.1.2.2a certificatePolicies
This extension MUST be present and SHOULD NOT be marked critical.
************************************************/
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
)
type subCACertPolicyMissing struct{}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_sub_ca_certificate_policies_missing",
Description: "Subordinate CA certificates must have a certificatePolicies extension",
Citation: "BRs: 7.1.2.2",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &subCACertPolicyMissing{},
})
}
func (l *subCACertPolicyMissing) Initialize() error {
return nil
@ -42,14 +53,3 @@ func (l *subCACertPolicyMissing) Execute(c *x509.Certificate) *lint.LintResult {
return &lint.LintResult{Status: lint.Error}
}
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_sub_ca_certificate_policies_missing",
Description: "Subordinate CA certificates must have a certificatePolicies extension",
Citation: "BRs: 7.1.2.2",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &subCACertPolicyMissing{},
})
}


@ -1,7 +1,7 @@
package cabf_br
/*
* ZLint Copyright 2020 Regents of the University of Michigan
* ZLint Copyright 2021 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
@ -14,21 +14,32 @@ package cabf_br
* permissions and limitations under the License.
*/
import (
"strings"
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v3/lint"
"github.com/zmap/zlint/v3/util"
)
type subCACRLDistNoUrl struct{}
/************************************************
BRs: 7.1.2.2b cRLDistributionPoints
This extension MUST be present and MUST NOT be marked critical.
It MUST contain the HTTP URL of the CAs CRL service.
************************************************/
import (
"strings"
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
)
type subCACRLDistNoUrl struct{}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_sub_ca_crl_distribution_points_does_not_contain_url",
Description: "Subordinate CA Certificate: cRLDistributionPoints MUST contain the HTTP URL of the CA's CRL service.",
Citation: "BRs: 7.1.2.2",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &subCACRLDistNoUrl{},
})
}
func (l *subCACRLDistNoUrl) Initialize() error {
return nil
@ -46,14 +57,3 @@ func (l *subCACRLDistNoUrl) Execute(c *x509.Certificate) *lint.LintResult {
}
return &lint.LintResult{Status: lint.Error}
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_sub_ca_crl_distribution_points_does_not_contain_url",
Description: "Subordinate CA Certificate: cRLDistributionPoints MUST contain the HTTP URL of the CA's CRL service.",
Citation: "BRs: 7.1.2.2",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &subCACRLDistNoUrl{},
})
}


@ -1,7 +1,7 @@
package cabf_br
/*
* ZLint Copyright 2020 Regents of the University of Michigan
* ZLint Copyright 2021 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
@ -14,19 +14,30 @@ package cabf_br
* permissions and limitations under the License.
*/
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v3/lint"
"github.com/zmap/zlint/v3/util"
)
type subCACRLDistCrit struct{}
/************************************************
BRs: 7.1.2.2b cRLDistributionPoints
This extension MUST be present and MUST NOT be marked critical.
It MUST contain the HTTP URL of the CAs CRL service.
************************************************/
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
)
type subCACRLDistCrit struct{}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_sub_ca_crl_distribution_points_marked_critical",
Description: "Subordinate CA Certificate: cRLDistributionPoints MUST be present and MUST NOT be marked critical.",
Citation: "BRs: 7.1.2.2",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &subCACRLDistCrit{},
})
}
func (l *subCACRLDistCrit) Initialize() error {
return nil
@ -43,14 +54,3 @@ func (l *subCACRLDistCrit) Execute(c *x509.Certificate) *lint.LintResult {
return &lint.LintResult{Status: lint.Pass}
}
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_sub_ca_crl_distribution_points_marked_critical",
Description: "Subordinate CA Certificate: cRLDistributionPoints MUST be present and MUST NOT be marked critical.",
Citation: "BRs: 7.1.2.2",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &subCACRLDistCrit{},
})
}


@ -1,7 +1,7 @@
package cabf_br
/*
* ZLint Copyright 2020 Regents of the University of Michigan
* ZLint Copyright 2021 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
@ -14,19 +14,30 @@ package cabf_br
* permissions and limitations under the License.
*/
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v3/lint"
"github.com/zmap/zlint/v3/util"
)
type subCACRLDistMissing struct{}
/************************************************
BRs: 7.1.2.2b cRLDistributionPoints
This extension MUST be present and MUST NOT be marked critical.
It MUST contain the HTTP URL of the CAs CRL service.
************************************************/
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
)
type subCACRLDistMissing struct{}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_sub_ca_crl_distribution_points_missing",
Description: "Subordinate CA Certificate: cRLDistributionPoints MUST be present and MUST NOT be marked critical.",
Citation: "BRs: 7.1.2.2",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &subCACRLDistMissing{},
})
}
func (l *subCACRLDistMissing) Initialize() error {
return nil
@ -43,14 +54,3 @@ func (l *subCACRLDistMissing) Execute(c *x509.Certificate) *lint.LintResult {
return &lint.LintResult{Status: lint.Error}
}
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_sub_ca_crl_distribution_points_missing",
Description: "Subordinate CA Certificate: cRLDistributionPoints MUST be present and MUST NOT be marked critical.",
Citation: "BRs: 7.1.2.2",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &subCACRLDistMissing{},
})
}
