letsencrypt
/
boulder
mirror of https://github.com/letsencrypt/boulder.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Update cfssl to latest. (#4719) 

This pulls in an upgrade to zlint 2.0.0.
This commit is contained in:
Jacob Hoffman-Andrews 2020-03-26 10:11:05 -07:00 committed by GitHub
parent 93cb918ce4
commit 9e2e08ece6
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
303 changed files with 27627 additions and 133 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
ca/ca_test.go
View File

@ -28,7 +28,7 @@ import (
cttls "github.com/google/certificate-transparency-go/tls"
"github.com/jmhodges/clock"
"github.com/prometheus/client_golang/prometheus"
"github.com/zmap/zlint/lints"
"github.com/zmap/zlint/v2/lint"
"golang.org/x/crypto/ocsp"
ca_config "github.com/letsencrypt/boulder/ca/config"
@ -1241,13 +1241,13 @@ func TestIssuePrecertificateLinting(t *testing.T) {
// two LintResults.
ca.defaultIssuer.eeSigner = &linttrapSigner{
lintErr: &local.LintError{
ErrorResults: map[string]lints.LintResult{
"foobar": lints.LintResult{
Status: lints.Error,
ErrorResults: map[string]lint.LintResult{
"foobar": lint.LintResult{
Status: lint.Error,
Details: "foobar is error",
},
"foobar2": lints.LintResult{
Status: lints.Warn,
"foobar2": lint.LintResult{
Status: lint.Warn,
Details: "foobar2 is warning",
},
},

6
go.mod
View File

@ -5,7 +5,7 @@ go 1.12
require (
github.com/apoydence/onpar v0.0.0-20181125144932-f2f06780798d // indirect
github.com/beeker1121/goque v0.0.0-20170321141813-4044bc29b280
github.com/cloudflare/cfssl v1.4.0
github.com/cloudflare/cfssl v1.4.2-0.20200324225241-abef926615f4
github.com/eggsampler/acme/v3 v3.0.0
github.com/go-gorp/gorp v2.0.0+incompatible // indirect
github.com/go-sql-driver/mysql v1.4.1
@ -20,7 +20,6 @@ require (
github.com/jmhodges/clock v0.0.0-20160418191101-880ee4c33548
github.com/letsencrypt/challtestsrv v1.0.2
github.com/letsencrypt/pkcs11key/v4 v4.0.0
github.com/lib/pq v1.1.0 // indirect
github.com/lyft/protoc-gen-validate v0.0.13 // indirect
github.com/miekg/dns v1.1.8
github.com/miekg/pkcs11 v1.0.3
@ -34,7 +33,8 @@ require (
github.com/weppos/publicsuffix-go v0.10.1-0.20200202094241-a723c5d90134
github.com/zmap/zcrypto v0.0.0-20191112190257-7f2fe6faf8cf
github.com/zmap/zlint v1.1.0
golang.org/x/crypto v0.0.0-20191112222119-e1110fd1c708
github.com/zmap/zlint/v2 v2.0.0
golang.org/x/crypto v0.0.0-20200124225646-8b5121be2f68
golang.org/x/net v0.0.0-20191112182307-2180aed22343
golang.org/x/text v0.3.2
google.golang.org/grpc v1.25.1

14
go.sum
View File

@ -30,6 +30,10 @@ github.com/cloudflare/backoff v0.0.0-20161212185259-647f3cdfc87a h1:8d1CEOF1xlde
github.com/cloudflare/backoff v0.0.0-20161212185259-647f3cdfc87a/go.mod h1:rzgs2ZOiguV6/NpiDgADjRLPNyZlApIWxKpkT+X8SdY=
github.com/cloudflare/cfssl v1.4.0 h1:TdyQbj/bDUMUHf2IkcHU2EHUmzCmRLuJ3fFd8EYMg1E=
github.com/cloudflare/cfssl v1.4.0/go.mod h1:KManx/OJPb5QY+y0+o/898AMcM128sF0bURvoVUSjTo=
github.com/cloudflare/cfssl v1.4.1 h1:vScfU2DrIUI9VPHBVeeAQ0q5A+9yshO1Gz+3QoUQiKw=
github.com/cloudflare/cfssl v1.4.1/go.mod h1:KManx/OJPb5QY+y0+o/898AMcM128sF0bURvoVUSjTo=
github.com/cloudflare/cfssl v1.4.2-0.20200324225241-abef926615f4 h1:gpoY5xZd+Qeb1aXvwFlPELPg6SJiPjV5kuH6e2dcoxw=
github.com/cloudflare/cfssl v1.4.2-0.20200324225241-abef926615f4/go.mod h1:jbHlfTdWTKrKYWLgXBVDoL6rdr8deJ3CnGruukZnPC8=
github.com/cloudflare/go-metrics v0.0.0-20151117154305-6a9aea36fb41 h1:/8sZyuGTAU2+fYv0Sz9lBcipqX0b7i4eUl8pSStk/4g=
github.com/cloudflare/go-metrics v0.0.0-20151117154305-6a9aea36fb41/go.mod h1:eaZPlJWD+G9wseg1BuRXlHnjntPMrywMsyxf+LTOdP4=
github.com/cloudflare/redoctober v0.0.0-20171127175943-746a508df14c h1:p0Q1GvgWtVf46XpMMibupKiE7aQxPYUIb+/jLTTK2kM=
@ -122,6 +126,8 @@ github.com/letsencrypt/pkcs11key/v4 v4.0.0/go.mod h1:EFUvBDay26dErnNb70Nd0/VW3tJ
github.com/lib/pq v0.0.0-20180201184707-88edab080323/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo=
github.com/lib/pq v1.1.0 h1:/5u4a+KGJptBRqGzPvYQL9p0d/tPR4S31+Tnzj9lEO4=
github.com/lib/pq v1.1.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo=
github.com/lib/pq v1.3.0 h1:/qkRGz8zljWiDcFvgpwUpwIAPu3r07TDvs3Rws+o/pU=
github.com/lib/pq v1.3.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo=
github.com/lyft/protoc-gen-validate v0.0.13/go.mod h1:XbGvPuh87YZc5TdIa2/I4pLk0QoUACkjt2znoq26NVQ=
github.com/mattn/go-sqlite3 v1.10.0 h1:jbhqpg7tQe4SupckyijYiy0mJJ/pRyHvXf7JdWK860o=
github.com/mattn/go-sqlite3 v1.10.0/go.mod h1:FPy6KqzDD04eiIsT53CuJW3U88zkxoIYsOqkbpncsNc=
@ -150,6 +156,7 @@ github.com/onsi/gomega v1.5.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1Cpa
github.com/op/go-logging v0.0.0-20160315200505-970db520ece7/go.mod h1:HzydrMdWErDVzsI23lYNej1Htcns9BCg93Dk0bBINWk=
github.com/pkg/errors v0.8.0 h1:WdK/asTD0HN+q6hsWO3/vpuAkAr+tw6aNJNDFFf0+qw=
github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
github.com/pkg/errors v0.8.1 h1:iURUrRGxPUNPdy5/HRSm+Yj6okJ6UtLINN0Q9M4+h3I=
github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
@ -208,6 +215,9 @@ github.com/zmap/zlint v1.0.3-0.20191115164049-eea5fe83935a h1:QaoQc5dqoKaxmebnB1
github.com/zmap/zlint v1.0.3-0.20191115164049-eea5fe83935a/go.mod h1:29UiAJNsiVdvTBFCJW8e3q6dcDbOoPkhMgttOSCIMMY=
github.com/zmap/zlint v1.1.0 h1:Vyh2GmprXw5TLmKmkTa2BgFvvYAFBValBFesqkKsszM=
github.com/zmap/zlint v1.1.0/go.mod h1:3MvSF/QhEftzpxKhh3jkBIOvugsSDYMCofl+UaIv0ww=
github.com/zmap/zlint v2.0.0+incompatible h1:Yz3KtcdJLHzjGTd+Em6ss9jUPbAitN5xkVLAstULF3I=
github.com/zmap/zlint/v2 v2.0.0 h1:Ve+1yR76LZhTXsxonKA35d5S8dIIW1pmIlr4ahrskhs=
github.com/zmap/zlint/v2 v2.0.0/go.mod h1:0jpqZ7cVjm8ABh/PTOp74MK50bPiN+HW+NjjESDxLVA=
golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
golang.org/x/crypto v0.0.0-20181203042331-505ab145d0a9/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
@ -215,6 +225,8 @@ golang.org/x/crypto v0.0.0-20190701094942-4def268fd1a4 h1:HuIa8hRrWRSrqYzx1qI49N
golang.org/x/crypto v0.0.0-20190701094942-4def268fd1a4/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
golang.org/x/crypto v0.0.0-20191112222119-e1110fd1c708 h1:pXVtWnwHkrWD9ru3sDxY/qFK/bfc0egRovX91EjWjf4=
golang.org/x/crypto v0.0.0-20191112222119-e1110fd1c708/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
golang.org/x/crypto v0.0.0-20200124225646-8b5121be2f68 h1:WPLCzSEbawp58wezcvLvLnvhiDJAai54ESbc41NdXS0=
golang.org/x/crypto v0.0.0-20200124225646-8b5121be2f68/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=
@ -231,6 +243,7 @@ golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn
golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
golang.org/x/net v0.0.0-20190613194153-d28f0bde5980 h1:dfGZHvZk057jK2MCeWus/TowKpJ8y4AmooUzdBSR9GU=
golang.org/x/net v0.0.0-20190613194153-d28f0bde5980/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
golang.org/x/net v0.0.0-20191112182307-2180aed22343 h1:00ohfJ4K98s3m6BGUoBd8nyfp4Yl0GoIKvw5abItTjI=
golang.org/x/net v0.0.0-20191112182307-2180aed22343/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
@ -260,6 +273,7 @@ golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3
golang.org/x/tools v0.0.0-20190311212946-11955173bddd h1:/e+gpKk9r3dJobndpTytxS2gOy6m5uvpg+ISQoEcusQ=
golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
golang.org/x/tools v0.0.0-20190425150028-36563e24a262/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135 h1:5Beo0mZN8dRzgrMMkDp0jc8YXQKx9DiJ2k1dkvGsn5A=
golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
google.golang.org/appengine v1.4.0 h1:/wp5JvzpHIxhs/dumFmF7BXTf3Z+dd4uXta4kVyO508=

58
vendor/github.com/cloudflare/cfssl/config/config.go generated vendored
View File

@ -19,7 +19,9 @@ import (
"github.com/cloudflare/cfssl/helpers"
"github.com/cloudflare/cfssl/log"
ocspConfig "github.com/cloudflare/cfssl/ocsp/config"
"github.com/zmap/zlint/lints"
// empty import of zlint/v2 required to have lints registered.
_ "github.com/zmap/zlint/v2"
"github.com/zmap/zlint/v2/lint"
)
// A CSRWhitelist stores booleans for fields in the CSR. If a CSRWhitelist is
@ -99,11 +101,12 @@ type SigningProfile struct {
// 5 = all lint results except pass, notice and warn are considered errors
// 6 = all lint results except pass, notice, warn and error are considered errors.
// 7 = lint is performed, no lint results are treated as errors.
LintErrLevel lints.LintStatus `json:"lint_error_level"`
// IgnoredLints lists zlint lint names to ignore. Any lint results from
// matching lints will be ignored no matter what the configured LintErrLevel
// is.
IgnoredLints []string `json:"ignored_lints"`
LintErrLevel lint.LintStatus `json:"lint_error_level"`
// ExcludeLints lists ZLint lint names to exclude from preissuance linting.
ExcludeLints []string `json:"ignored_lints"`
// ExcludeLintSources lists ZLint lint sources to exclude from preissuance
// linting.
ExcludeLintSources []string `json:"ignored_lint_sources"`
Policies []CertificatePolicy
Expiry time.Duration
@ -118,9 +121,11 @@ type SigningProfile struct {
NameWhitelist *regexp.Regexp
ExtensionWhitelist map[string]bool
ClientProvidesSerialNumbers bool
// IgnoredLintsMap is a bool map created from IgnoredLints when the profile is
// loaded. It facilitates set membership testing.
IgnoredLintsMap map[string]bool
// LintRegistry is the collection of lints that should be used if
// LintErrLevel is configured. By default all ZLint lints are used. If
// ExcludeLints or ExcludeLintSources are set then this registry will be
// filtered in populate() to exclude the named lints and lint sources.
LintRegistry lint.Registry
}
// UnmarshalJSON unmarshals a JSON string into an OID.
@ -324,9 +329,38 @@ func (p *SigningProfile) populate(cfg *Config) error {
p.ExtensionWhitelist[asn1.ObjectIdentifier(oid).String()] = true
}
p.IgnoredLintsMap = map[string]bool{}
for _, lintName := range p.IgnoredLints {
p.IgnoredLintsMap[lintName] = true
// By default perform any required preissuance linting with all ZLint lints.
p.LintRegistry = lint.GlobalRegistry()
// If ExcludeLintSources are present in config build a lint.SourceList while
// validating that no unknown sources were specified.
var excludedSources lint.SourceList
if len(p.ExcludeLintSources) > 0 {
for _, sourceName := range p.ExcludeLintSources {
var lintSource lint.LintSource
lintSource.FromString(sourceName)
if lintSource == lint.UnknownLintSource {
return cferr.Wrap(cferr.PolicyError, cferr.InvalidPolicy,
fmt.Errorf("failed to build excluded lint source list: unknown source %q",
sourceName))
}
excludedSources = append(excludedSources, lintSource)
}
}
opts := lint.FilterOptions{
ExcludeNames: p.ExcludeLints,
ExcludeSources: excludedSources,
}
if !opts.Empty() {
// If ExcludeLints or ExcludeLintSources were not empty then filter out the
// lints we don't want to use for preissuance linting with this profile.
filteredRegistry, err := p.LintRegistry.Filter(opts)
if err != nil {
return cferr.Wrap(cferr.PolicyError, cferr.InvalidPolicy,
fmt.Errorf("failed to build filtered lint registry: %v", err))
}
p.LintRegistry = filteredRegistry
}
return nil

50
vendor/github.com/cloudflare/cfssl/helpers/derhelpers/derhelpers-legacy.go generated vendored Normal file
View File

@ -0,0 +1,50 @@
// +build !go1.13
// Package derhelpers implements common functionality
// on DER encoded data
package derhelpers
import (
"crypto"
"crypto/ecdsa"
"crypto/rsa"
"crypto/x509"
cferr "github.com/cloudflare/cfssl/errors"
"golang.org/x/crypto/ed25519"
)
// ParsePrivateKeyDER parses a PKCS #1, PKCS #8, ECDSA, or Ed25519 DER-encoded
// private key. The key must not be in PEM format.
func ParsePrivateKeyDER(keyDER []byte) (key crypto.Signer, err error) {
generalKey, err := x509.ParsePKCS8PrivateKey(keyDER)
if err != nil {
generalKey, err = x509.ParsePKCS1PrivateKey(keyDER)
if err != nil {
generalKey, err = x509.ParseECPrivateKey(keyDER)
if err != nil {
generalKey, err = ParseEd25519PrivateKey(keyDER)
if err != nil {
// We don't include the actual error into
// the final error. The reason might be
// we don't want to leak any info about
// the private key.
return nil, cferr.New(cferr.PrivateKeyError,
cferr.ParseFailed)
}
}
}
}
switch generalKey.(type) {
case *rsa.PrivateKey:
return generalKey.(*rsa.PrivateKey), nil
case *ecdsa.PrivateKey:
return generalKey.(*ecdsa.PrivateKey), nil
case ed25519.PrivateKey:
return generalKey.(ed25519.PrivateKey), nil
}
// should never reach here
return nil, cferr.New(cferr.PrivateKeyError, cferr.ParseFailed)
}

4
vendor/github.com/cloudflare/cfssl/helpers/derhelpers/derhelpers.go generated vendored
View File

@ -1,3 +1,5 @@
// +build go1.13
// Package derhelpers implements common functionality
// on DER encoded data
package derhelpers
@ -5,11 +7,11 @@ package derhelpers
import (
"crypto"
"crypto/ecdsa"
"crypto/ed25519"
"crypto/rsa"
"crypto/x509"
cferr "github.com/cloudflare/cfssl/errors"
"golang.org/x/crypto/ed25519"
)
// ParsePrivateKeyDER parses a PKCS #1, PKCS #8, ECDSA, or Ed25519 DER-encoded

12
vendor/github.com/cloudflare/cfssl/helpers/helpers.go generated vendored
View File

@ -18,7 +18,7 @@ import (
"io/ioutil"
"os"
"github.com/google/certificate-transparency-go"
ct "github.com/google/certificate-transparency-go"
cttls "github.com/google/certificate-transparency-go/tls"
ctx509 "github.com/google/certificate-transparency-go/x509"
"golang.org/x/crypto/ocsp"
@ -378,7 +378,15 @@ func ParsePrivateKeyPEMWithPassword(keyPEM []byte, password []byte) (key crypto.
// GetKeyDERFromPEM parses a PEM-encoded private key and returns DER-format key bytes.
func GetKeyDERFromPEM(in []byte, password []byte) ([]byte, error) {
keyDER, _ := pem.Decode(in)
// Ignore any EC PARAMETERS blocks when looking for a key (openssl includes
// them by default).
var keyDER *pem.Block
for {
keyDER, in = pem.Decode(in)
if keyDER == nil || keyDER.Type != "EC PARAMETERS" {
break
}
}
if keyDER != nil {
if procType, ok := keyDER.Headers["Proc-Type"]; ok {
if strings.Contains(procType, "ENCRYPTED") {

35
vendor/github.com/cloudflare/cfssl/signer/local/local.go generated vendored
View File

@ -34,8 +34,8 @@ import (
"github.com/google/certificate-transparency-go/jsonclient"
zx509 "github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint"
"github.com/zmap/zlint/lints"
"github.com/zmap/zlint/v2"
"github.com/zmap/zlint/v2/lint"
"golang.org/x/net/context"
)
@ -131,7 +131,7 @@ func NewSignerFromFile(caFile, caKeyFile string, policy *config.Signing) (*Signe
// concrete zlint LintResults so that callers can further inspect the cause of
// the failing lints.
type LintError struct {
ErrorResults map[string]lints.LintResult
ErrorResults map[string]lint.LintResult
}
func (e *LintError) Error() string {
@ -140,14 +140,12 @@ func (e *LintError) Error() string {
}
// lint performs pre-issuance linting of a given TBS certificate template when
// the provided errLevel is > 0. Any lint results with a status higher than the
// errLevel that isn't created by a lint in the ignoreMap will result in
// a LintError being returned to the caller. Note that the template is provided
// by-value and not by-reference. This is important as the lint function needs
// to mutate the template's signature algorithm to match the lintPriv.
func (s *Signer) lint(template x509.Certificate, errLevel lints.LintStatus, ignoreMap map[string]bool) error {
// Always return nil when linting is disabled (lints.Reserved == 0).
if errLevel == lints.Reserved {
// the provided errLevel is > 0. Note that the template is provided by-value and
// not by-reference. This is important as the lint function needs to mutate the
// template's signature algorithm to match the lintPriv.
func (s *Signer) lint(template x509.Certificate, errLevel lint.LintStatus, lintRegistry lint.Registry) error {
// Always return nil when linting is disabled (lint.Reserved == 0).
if errLevel == lint.Reserved {
return nil
}
// without a lintPriv key to use to sign the tbsCertificate we can't lint it.
@ -174,12 +172,9 @@ func (s *Signer) lint(template x509.Certificate, errLevel lints.LintStatus, igno
if err != nil {
return cferr.Wrap(cferr.CertificateError, cferr.ParseFailed, err)
}
errorResults := map[string]lints.LintResult{}
results := zlint.LintCertificate(prelintCert)
errorResults := map[string]lint.LintResult{}
results := zlint.LintCertificateEx(prelintCert, lintRegistry)
for name, res := range results.Results {
if ignoreMap[name] {
continue
}
if res.Status > errLevel {
errorResults[name] = *res
}
@ -192,7 +187,7 @@ func (s *Signer) lint(template x509.Certificate, errLevel lints.LintStatus, igno
return nil
}
func (s *Signer) sign(template *x509.Certificate, lintErrLevel lints.LintStatus, lintIgnore map[string]bool) (cert []byte, err error) {
func (s *Signer) sign(template *x509.Certificate, lintErrLevel lint.LintStatus, lintRegistry lint.Registry) (cert []byte, err error) {
var initRoot bool
if s.ca == nil {
if !template.IsCA {
@ -206,7 +201,7 @@ func (s *Signer) sign(template *x509.Certificate, lintErrLevel lints.LintStatus,
initRoot = true
}
if err := s.lint(*template, lintErrLevel, lintIgnore); err != nil {
if err := s.lint(*template, lintErrLevel, lintRegistry); err != nil {
return nil, err
}
@ -454,7 +449,7 @@ func (s *Signer) Sign(req signer.SignRequest) (cert []byte, err error) {
var poisonExtension = pkix.Extension{Id: signer.CTPoisonOID, Critical: true, Value: []byte{0x05, 0x00}}
var poisonedPreCert = certTBS
poisonedPreCert.ExtraExtensions = append(safeTemplate.ExtraExtensions, poisonExtension)
cert, err = s.sign(&poisonedPreCert, profile.LintErrLevel, profile.IgnoredLintsMap)
cert, err = s.sign(&poisonedPreCert, profile.LintErrLevel, profile.LintRegistry)
if err != nil {
return
}
@ -499,7 +494,7 @@ func (s *Signer) Sign(req signer.SignRequest) (cert []byte, err error) {
}
var signedCert []byte
signedCert, err = s.sign(&certTBS, profile.LintErrLevel, profile.IgnoredLintsMap)
signedCert, err = s.sign(&certTBS, profile.LintErrLevel, profile.LintRegistry)
if err != nil {
return nil, err
}

30
vendor/github.com/zmap/zlint/v2/.goreleaser.yml generated vendored Normal file
View File

@ -0,0 +1,30 @@
project_name: zlint
before:
hooks:
- go mod tidy
builds:
-
main: ./cmd/zlint/main.go
binary: zlint
env:
- CGO_ENABLED=0
goos:
- linux
- freebsd
- windows
- darwin
goarch:
- amd64
archives:
-
wrap_in_directory: true
replacements:
darwin: Darwin
linux: Linux
windows: Windows
amd64: x86_64
snapshot:
name_template: "{{ .Tag }}-next"
release:
draft: true
prerelease: auto

202
vendor/github.com/zmap/zlint/v2/LICENSE generated vendored Normal file
View File

@ -0,0 +1,202 @@
Apache License
Version 2.0, January 2004
http://www.apache.org/licenses/
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
1. Definitions.
"License" shall mean the terms and conditions for use, reproduction,
and distribution as defined by Sections 1 through 9 of this document.
"Licensor" shall mean the copyright owner or entity authorized by
the copyright owner that is granting the License.
"Legal Entity" shall mean the union of the acting entity and all
other entities that control, are controlled by, or are under common
control with that entity. For the purposes of this definition,
"control" means (i) the power, direct or indirect, to cause the
direction or management of such entity, whether by contract or
otherwise, or (ii) ownership of fifty percent (50%) or more of the
outstanding shares, or (iii) beneficial ownership of such entity.
"You" (or "Your") shall mean an individual or Legal Entity
exercising permissions granted by this License.
"Source" form shall mean the preferred form for making modifications,
including but not limited to software source code, documentation
source, and configuration files.
"Object" form shall mean any form resulting from mechanical
transformation or translation of a Source form, including but
not limited to compiled object code, generated documentation,
and conversions to other media types.
"Work" shall mean the work of authorship, whether in Source or
Object form, made available under the License, as indicated by a
copyright notice that is included in or attached to the work
(an example is provided in the Appendix below).
"Derivative Works" shall mean any work, whether in Source or Object
form, that is based on (or derived from) the Work and for which the
editorial revisions, annotations, elaborations, or other modifications
represent, as a whole, an original work of authorship. For the purposes
of this License, Derivative Works shall not include works that remain
separable from, or merely link (or bind by name) to the interfaces of,
the Work and Derivative Works thereof.
"Contribution" shall mean any work of authorship, including
the original version of the Work and any modifications or additions
to that Work or Derivative Works thereof, that is intentionally
submitted to Licensor for inclusion in the Work by the copyright owner
or by an individual or Legal Entity authorized to submit on behalf of
the copyright owner. For the purposes of this definition, "submitted"
means any form of electronic, verbal, or written communication sent
to the Licensor or its representatives, including but not limited to
communication on electronic mailing lists, source code control systems,
and issue tracking systems that are managed by, or on behalf of, the
Licensor for the purpose of discussing and improving the Work, but
excluding communication that is conspicuously marked or otherwise
designated in writing by the copyright owner as "Not a Contribution."
"Contributor" shall mean Licensor and any individual or Legal Entity
on behalf of whom a Contribution has been received by Licensor and
subsequently incorporated within the Work.
2. Grant of Copyright License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
copyright license to reproduce, prepare Derivative Works of,
publicly display, publicly perform, sublicense, and distribute the
Work and such Derivative Works in Source or Object form.
3. Grant of Patent License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
(except as stated in this section) patent license to make, have made,
use, offer to sell, sell, import, and otherwise transfer the Work,
where such license applies only to those patent claims licensable
by such Contributor that are necessarily infringed by their
Contribution(s) alone or by combination of their Contribution(s)
with the Work to which such Contribution(s) was submitted. If You
institute patent litigation against any entity (including a
cross-claim or counterclaim in a lawsuit) alleging that the Work
or a Contribution incorporated within the Work constitutes direct
or contributory patent infringement, then any patent licenses
granted to You under this License for that Work shall terminate
as of the date such litigation is filed.
4. Redistribution. You may reproduce and distribute copies of the
Work or Derivative Works thereof in any medium, with or without
modifications, and in Source or Object form, provided that You
meet the following conditions:
(a) You must give any other recipients of the Work or
Derivative Works a copy of this License; and
(b) You must cause any modified files to carry prominent notices
stating that You changed the files; and
(c) You must retain, in the Source form of any Derivative Works
that You distribute, all copyright, patent, trademark, and
attribution notices from the Source form of the Work,
excluding those notices that do not pertain to any part of
the Derivative Works; and
(d) If the Work includes a "NOTICE" text file as part of its
distribution, then any Derivative Works that You distribute must
include a readable copy of the attribution notices contained
within such NOTICE file, excluding those notices that do not
pertain to any part of the Derivative Works, in at least one
of the following places: within a NOTICE text file distributed
as part of the Derivative Works; within the Source form or
documentation, if provided along with the Derivative Works; or,
within a display generated by the Derivative Works, if and
wherever such third-party notices normally appear. The contents
of the NOTICE file are for informational purposes only and
do not modify the License. You may add Your own attribution
notices within Derivative Works that You distribute, alongside
or as an addendum to the NOTICE text from the Work, provided
that such additional attribution notices cannot be construed
as modifying the License.
You may add Your own copyright statement to Your modifications and
may provide additional or different license terms and conditions
for use, reproduction, or distribution of Your modifications, or
for any such Derivative Works as a whole, provided Your use,
reproduction, and distribution of the Work otherwise complies with
the conditions stated in this License.
5. Submission of Contributions. Unless You explicitly state otherwise,
any Contribution intentionally submitted for inclusion in the Work
by You to the Licensor shall be under the terms and conditions of
this License, without any additional terms or conditions.
Notwithstanding the above, nothing herein shall supersede or modify
the terms of any separate license agreement you may have executed
with Licensor regarding such Contributions.
6. Trademarks. This License does not grant permission to use the trade
names, trademarks, service marks, or product names of the Licensor,
except as required for reasonable and customary use in describing the
origin of the Work and reproducing the content of the NOTICE file.
7. Disclaimer of Warranty. Unless required by applicable law or
agreed to in writing, Licensor provides the Work (and each
Contributor provides its Contributions) on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
implied, including, without limitation, any warranties or conditions
of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
PARTICULAR PURPOSE. You are solely responsible for determining the
appropriateness of using or redistributing the Work and assume any
risks associated with Your exercise of permissions under this License.
8. Limitation of Liability. In no event and under no legal theory,
whether in tort (including negligence), contract, or otherwise,
unless required by applicable law (such as deliberate and grossly
negligent acts) or agreed to in writing, shall any Contributor be
liable to You for damages, including any direct, indirect, special,
incidental, or consequential damages of any character arising as a
result of this License or out of the use or inability to use the
Work (including but not limited to damages for loss of goodwill,
work stoppage, computer failure or malfunction, or any and all
other commercial damages or losses), even if such Contributor
has been advised of the possibility of such damages.
9. Accepting Warranty or Additional Liability. While redistributing
the Work or Derivative Works thereof, You may choose to offer,
and charge a fee for, acceptance of support, warranty, indemnity,
or other liability obligations and/or rights consistent with this
License. However, in accepting such obligations, You may act only
on Your own behalf and on Your sole responsibility, not on behalf
of any other Contributor, and only if You agree to indemnify,
defend, and hold each Contributor harmless for any liability
incurred by, or claims asserted against, such Contributor by reason
of your accepting any such warranty or additional liability.
END OF TERMS AND CONDITIONS
APPENDIX: How to apply the Apache License to your work.
To apply the Apache License to your work, attach the following
boilerplate notice, with the fields enclosed by brackets "{}"
replaced with your own identifying information. (Don't include
the brackets!) The text should be enclosed in the appropriate
comment syntax for the file format. We also recommend that a
file or class name and description of purpose be included on the
same "printed page" as the copyright notice for easier
identification within third-party archives.
Copyright 2020 Regents of the University of Michigan
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.

12
vendor/github.com/zmap/zlint/v2/go.mod generated vendored Normal file
View File

@ -0,0 +1,12 @@
module github.com/zmap/zlint/v2
require (
github.com/sirupsen/logrus v1.3.0
github.com/weppos/publicsuffix-go v0.4.0
github.com/zmap/zcrypto v0.0.0-20191112190257-7f2fe6faf8cf
golang.org/x/crypto v0.0.0-20200124225646-8b5121be2f68
golang.org/x/net v0.0.0-20190620200207-3b0461eec859
golang.org/x/text v0.3.0
)
go 1.13

47
vendor/github.com/zmap/zlint/v2/go.sum generated vendored Normal file
View File

@ -0,0 +1,47 @@
github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
github.com/konsorten/go-windows-terminal-sequences v1.0.1 h1:mweAR1A6xJ3oS2pRaGiHgQ4OO8tzTaLawm8vnODuwDk=
github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
github.com/kr/pretty v0.1.0 h1:L/CwN0zerZDmRFUapSPitk6f+Q3+0za1rQkzVuMiMFI=
github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE=
github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
github.com/mreiferson/go-httpclient v0.0.0-20160630210159-31f0106b4474/go.mod h1:OQA4XLvDbMgS8P0CevmM4m9Q3Jq4phKUzcocxuGJ5m8=
github.com/op/go-logging v0.0.0-20160315200505-970db520ece7/go.mod h1:HzydrMdWErDVzsI23lYNej1Htcns9BCg93Dk0bBINWk=
github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
github.com/sirupsen/logrus v1.3.0 h1:hI/7Q+DtNZ2kINb6qt/lS+IyXnHQe9e90POfeewL/ME=
github.com/sirupsen/logrus v1.3.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo=
github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
github.com/stretchr/testify v1.3.0 h1:TivCn/peBQ7UY8ooIcPgZFpTNSz0Q2U6UrFlUfqbe0Q=
github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
github.com/weppos/publicsuffix-go v0.4.0 h1:YSnfg3V65LcCFKtIGKGoBhkyKolEd0hlipcXaOjdnQw=
github.com/weppos/publicsuffix-go v0.4.0/go.mod h1:z3LCPQ38eedDQSwmsSRW4Y7t2L8Ln16JPQ02lHAdn5k=
github.com/zmap/rc2 v0.0.0-20131011165748-24b9757f5521/go.mod h1:3YZ9o3WnatTIZhuOtot4IcUfzoKVjUHqu6WALIyI0nE=
github.com/zmap/zcertificate v0.0.0-20180516150559-0e3d58b1bac4/go.mod h1:5iU54tB79AMBcySS0R2XIyZBAVmeHranShAFELYx7is=
github.com/zmap/zcrypto v0.0.0-20191112190257-7f2fe6faf8cf h1:Q9MiSA+G9DHe/TzG8pnycDn3HwpQuTygphu9M/7KYqU=
github.com/zmap/zcrypto v0.0.0-20191112190257-7f2fe6faf8cf/go.mod h1:w7kd3qXHh8FNaczNjslXqvFQiv5mMWRXlL9klTUAHc8=
golang.org/x/crypto v0.0.0-20180904163835-0709b304e793 h1:u+LnwYTOOW7Ukr/fppxEb1Nwz0AtPflrblfvUudpo+I=
golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
golang.org/x/crypto v0.0.0-20190701094942-4def268fd1a4 h1:HuIa8hRrWRSrqYzx1qI49NNxhdi2PrY7gxVSq1JjLDc=
golang.org/x/crypto v0.0.0-20190701094942-4def268fd1a4/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
golang.org/x/crypto v0.0.0-20200124225646-8b5121be2f68 h1:WPLCzSEbawp58wezcvLvLnvhiDJAai54ESbc41NdXS0=
golang.org/x/crypto v0.0.0-20200124225646-8b5121be2f68/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3 h1:0GoQqolDA55aaLxZyTzK/Y2ePZzZTUrRacwib7cNsYQ=
golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
golang.org/x/net v0.0.0-20190620200207-3b0461eec859 h1:R/3boaszxrf1GEUWTVDzSKVwLmSJpwZ1yqXm8j0v2QI=
golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33 h1:I6FyU15t786LL7oL/hn43zqTuEGr4PN7F4XJ1p4E3Y8=
golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
golang.org/x/sys v0.0.0-20190412213103-97732733099d h1:+R4KGOnez64A81RvjARKc4UT5/tI9ujCIVX+P5KiHuI=
golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/text v0.3.0 h1:g61tztE5qeGQ89tm6NTjjM9VPIm088od1l6aSorWRWg=
golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127 h1:qIbj1fsPNlZgppZ+VLlY7N33q108Sa+fhmuc+sWQYwY=
gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=

96
vendor/github.com/zmap/zlint/v2/lint/base.go generated vendored Normal file
View File

@ -0,0 +1,96 @@
package lint
/*
* ZLint Copyright 2020 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
import (
"time"
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/util"
)
// LintInterface is implemented by each Lint.
type LintInterface interface {
// Initialize runs once per-lint. It is called during RegisterLint().
Initialize() error
// CheckApplies runs once per certificate. It returns true if the Lint should
// run on the given certificate. If CheckApplies returns false, the Lint
// result is automatically set to NA without calling CheckEffective() or
// Run().
CheckApplies(c *x509.Certificate) bool
// Execute() is the body of the lint. It is called for every certificate for
// which CheckApplies() returns true.
Execute(c *x509.Certificate) *LintResult
}
// A Lint struct represents a single lint, e.g.
// "e_basic_constraints_not_critical". It contains an implementation of LintInterface.
type Lint struct {
// Name is a lowercase underscore-separated string describing what a given
// Lint checks. If Name beings with "w", the lint MUST NOT return Error, only
// Warn. If Name beings with "e", the Lint MUST NOT return Warn, only Error.
Name string `json:"name,omitempty"`
// A human-readable description of what the Lint checks. Usually copied
// directly from the CA/B Baseline Requirements or RFC 5280.
Description string `json:"description,omitempty"`
// The source of the check, e.g. "BRs: 6.1.6" or "RFC 5280: 4.1.2.6".
Citation string `json:"citation,omitempty"`
// Programmatic source of the check, BRs, RFC5280, or ZLint
Source LintSource `json:"source"`
// Lints automatically returns NE for all certificates where CheckApplies() is
// true but with NotBefore < EffectiveDate. This check is bypassed if
// EffectiveDate is zero.
EffectiveDate time.Time `json:"-"`
// The implementation of the lint logic.
Lint LintInterface `json:"-"`
}
// CheckEffective returns true if c was issued on or after the EffectiveDate. If
// EffectiveDate is zero, CheckEffective always returns true.
func (l *Lint) CheckEffective(c *x509.Certificate) bool {
if l.EffectiveDate.IsZero() || !l.EffectiveDate.After(c.NotBefore) {
return true
}
return false
}
// Execute runs the lint against a certificate. For lints that are
// sourced from the CA/B Forum Baseline Requirements, we first determine
// if they are within the purview of the BRs. See LintInterface for details
// about the other methods called. The ordering is as follows:
//
// CheckApplies()
// CheckEffective()
// Execute()
func (l *Lint) Execute(cert *x509.Certificate) *LintResult {
if l.Source == CABFBaselineRequirements && !util.IsServerAuthCert(cert) {
return &LintResult{Status: NA}
}
if !l.Lint.CheckApplies(cert) {
return &LintResult{Status: NA}
} else if !l.CheckEffective(cert) {
return &LintResult{Status: NE}
}
res := l.Lint.Execute(cert)
return res
}

351
vendor/github.com/zmap/zlint/v2/lint/registration.go generated vendored Normal file
View File

@ -0,0 +1,351 @@
/*
* ZLint Copyright 2020 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
package lint
import (
"encoding/json"
"errors"
"fmt"
"io"
"regexp"
"sort"
"strings"
"sync"
)
// FilterOptions is a struct used by Registry.Filter to create a sub registry
// containing only lints that meet the filter options specified.
//
// Source based exclusion/inclusion is evaluated before Lint name based
// exclusion/inclusion. In both cases exclusion is processed before inclusion.
//
// Only one of NameFilter or IncludeNames/ExcludeNames can be provided at
// a time.
type FilterOptions struct {
// NameFilter is a regexp used to filter lints by their name. It is mutually
// exclusive with IncludeNames and ExcludeNames.
NameFilter *regexp.Regexp
// IncludeNames is a case sensitive list of lint names to include in the
// registry being filtered.
IncludeNames []string
// ExcludeNames is a case sensitive list of lint names to exclude from the
// registry being filtered.
ExcludeNames []string
// IncludeSource is a SourceList of LintSource's to be included in the
// registry being filtered.
IncludeSources SourceList
// ExcludeSources is a SourceList of LintSources's to be excluded in the
// registry being filtered.
ExcludeSources SourceList
}
// Empty returns true if the FilterOptions is empty and does not specify any
// elements to filter by.
func (opts FilterOptions) Empty() bool {
return opts.NameFilter == nil &&
len(opts.IncludeNames) == 0 &&
len(opts.ExcludeNames) == 0 &&
len(opts.IncludeSources) == 0 &&
len(opts.ExcludeSources) == 0
}
// Registry is an interface describing a collection of registered lints.
// A Registry instance can be given to zlint.LintCertificateEx() to control what
// lints are run for a given certificate.
//
// Typically users will interact with the global Registry returned by
// GlobalRegistry(), or a filtered Registry created by applying FilterOptions to
// the GlobalRegistry()'s Filter function.
type Registry interface {
// Names returns a list of all of the lint names that have been registered
// in string sorted order.
Names() []string
// Sources returns a SourceList of registered LintSources. The list is not
// sorted but can be sorted by the caller with sort.Sort() if required.
Sources() SourceList
// ByName returns a pointer to the registered lint with the given name, or nil
// if there is no such lint registered in the registry.
ByName(name string) *Lint
// BySource returns a list of registered lints that have the same LintSource as
// provided (or nil if there were no such lints in the registry).
BySource(s LintSource) []*Lint
// Filter returns a new Registry containing only lints that match the
// FilterOptions criteria.
Filter(opts FilterOptions) (Registry, error)
// WriteJSON writes a description of each registered lint as
// a JSON object, one object per line, to the provided writer.
WriteJSON(w io.Writer)
}
// registryImpl implements the Registry interface to provide a global collection
// of Lints that have been registered.
type registryImpl struct {
sync.RWMutex
// lintsByName is a map of all registered lints by name.
lintsByName map[string]*Lint
// lintNames is a sorted list of all of the registered lint names. It is
// equivalent to collecting the keys from lintsByName into a slice and sorting
// them lexicographically.
lintNames []string
// lintsBySource is a map of all registered lints by source category. Lints
// are added to the lintsBySource map by RegisterLint.
lintsBySource map[LintSource][]*Lint
}
var (
// errNilLint is returned from registry.Register if the provided lint was nil.
errNilLint = errors.New("can not register a nil lint")
// errNilLintPtr is returned from registry.Register if the provided lint had
// a nil Lint field.
errNilLintPtr = errors.New("can not register a lint with a nil Lint pointer")
// errEmptyName is returned from registry.Register if the provided lint had an
// empty Name field.
errEmptyName = errors.New("can not register a lint with an empty Name")
)
// errDuplicateName is returned from registry.Register if the provided lint had
// a Name field matching a lint that was previously registered.
type errDuplicateName struct {
lintName string
}
func (e errDuplicateName) Error() string {
return fmt.Sprintf(
"can not register lint with name %q - it has already been registered",
e.lintName)
}
// errBadInit is returned from registry.Register if the provided lint's
// Initialize function returned an error.
type errBadInit struct {
lintName string
err error
}
func (e errBadInit) Error() string {
return fmt.Sprintf(
"failed to register lint with name %q - failed to Initialize: %q",
e.lintName, e.err)
}
// register adds the provided lint to the Registry. If initialize is true then
// the lint's Initialize() function will be called before registering the lint.
//
// An error is returned if the lint or lint's Lint pointer is nil, if the Lint
// has an empty Name or if the Name was previously registered.
func (r *registryImpl) register(l *Lint, initialize bool) error {
if l == nil {
return errNilLint
}
if l.Lint == nil {
return errNilLintPtr
}
if l.Name == "" {
return errEmptyName
}
if existing := r.ByName(l.Name); existing != nil {
return &errDuplicateName{l.Name}
}
if initialize {
if err := l.Lint.Initialize(); err != nil {
return &errBadInit{l.Name, err}
}
}
r.Lock()
defer r.Unlock()
r.lintNames = append(r.lintNames, l.Name)
r.lintsByName[l.Name] = l
r.lintsBySource[l.Source] = append(r.lintsBySource[l.Source], l)
sort.Strings(r.lintNames)
return nil
}
// ByName returns the Lint previously registered under the given name with
// Register, or nil if no matching lint name has been registered.
func (r *registryImpl) ByName(name string) *Lint {
r.RLock()
defer r.RUnlock()
return r.lintsByName[name]
}
// Names returns a list of all of the lint names that have been registered
// in string sorted order.
func (r *registryImpl) Names() []string {
r.RLock()
defer r.RUnlock()
return r.lintNames
}
// BySource returns a list of registered lints that have the same LintSource as
// provided (or nil if there were no such lints).
func (r *registryImpl) BySource(s LintSource) []*Lint {
r.RLock()
defer r.RUnlock()
return r.lintsBySource[s]
}
// Sources returns a SourceList of registered LintSources. The list is not
// sorted but can be sorted by the caller with sort.Sort() if required.
func (r *registryImpl) Sources() SourceList {
r.RLock()
defer r.RUnlock()
var results SourceList
for k := range r.lintsBySource {
results = append(results, k)
}
return results
}
// lintNamesToMap converts a list of lit names into a bool hashmap useful for
// filtering. If any of the lint names are not known by the registry an error is
// returned.
func (r *registryImpl) lintNamesToMap(names []string) (map[string]bool, error) {
if len(names) == 0 {
return nil, nil
}
namesMap := make(map[string]bool, len(names))
for _, n := range names {
n = strings.TrimSpace(n)
if l := r.ByName(n); l == nil {
return nil, fmt.Errorf("unknown lint name %q", n)
}
namesMap[n] = true
}
return namesMap, nil
}
func sourceListToMap(sources SourceList) map[LintSource]bool {
if len(sources) == 0 {
return nil
}
sourceMap := make(map[LintSource]bool, len(sources))
for _, s := range sources {
sourceMap[s] = true
}
return sourceMap
}
// Filter creates a new Registry with only the lints that meet the FilterOptions
// criteria included.
//
// FilterOptions are applied in the following order of precedence:
// ExcludeSources > IncludeSources > NameFilter > ExcludeNames > IncludeNames
func (r *registryImpl) Filter(opts FilterOptions) (Registry, error) {
// If there's no filtering to be done, return the existing Registry.
if opts.Empty() {
return r, nil
}
filteredRegistry := NewRegistry()
sourceExcludes := sourceListToMap(opts.ExcludeSources)
sourceIncludes := sourceListToMap(opts.IncludeSources)
nameExcludes, err := r.lintNamesToMap(opts.ExcludeNames)
if err != nil {
return nil, err
}
nameIncludes, err := r.lintNamesToMap(opts.IncludeNames)
if err != nil {
return nil, err
}
if opts.NameFilter != nil && (len(nameExcludes) != 0 || len(nameIncludes) != 0) {
return nil, errors.New(
"FilterOptions.NameFilter cannot be used at the same time as " +
"FilterOptions.ExcludeNames or FilterOptions.IncludeNames")
}
for _, name := range r.Names() {
l := r.ByName(name)
if sourceExcludes != nil && sourceExcludes[l.Source] {
continue
}
if sourceIncludes != nil && !sourceIncludes[l.Source] {
continue
}
if opts.NameFilter != nil && !opts.NameFilter.MatchString(name) {
continue
}
if nameExcludes != nil && nameExcludes[name] {
continue
}
if nameIncludes != nil && !nameIncludes[name] {
continue
}
// when adding lints to a filtered registry we do not want Initialize() to
// be called a second time, so provide false as the initialize argument.
if err := filteredRegistry.register(l, false); err != nil {
return nil, err
}
}
return filteredRegistry, nil
}
// WriteJSON writes a description of each registered lint as
// a JSON object, one object per line, to the provided writer.
func (r *registryImpl) WriteJSON(w io.Writer) {
enc := json.NewEncoder(w)
enc.SetEscapeHTML(false)
for _, name := range r.Names() {
_ = enc.Encode(r.ByName(name))
}
}
// NewRegistry constructs a Registry implementation that can be used to register
// lints.
func NewRegistry() *registryImpl {
return &registryImpl{
lintsByName: make(map[string]*Lint),
lintsBySource: make(map[LintSource][]*Lint),
}
}
// globalRegistry is the Registry used by all loaded lints that call
// RegisterLint().
var globalRegistry *registryImpl = NewRegistry()
// RegisterLint must be called once for each lint to be executed. Normally,
// RegisterLint is called from the Go init() function of a lint implementation.
//
// RegsterLint will call l.Lint's Initialize() function as part of the
// registration process.
//
// IMPORTANT: RegisterLint will panic if given a nil lint, or a lint with a nil
// Lint pointer, or if the lint's Initialize function errors, or if the lint
// name matches a previously registered lint's name. These conditions all
// indicate a bug that should be addressed by a developer.
func RegisterLint(l *Lint) {
// RegisterLint always sets initialize to true. It's assumed this is called by
// the package init() functions and therefore must be doing the first
// initialization of a lint.
if err := globalRegistry.register(l, true); err != nil {
panic(fmt.Sprintf("RegisterLint error: %v\n", err.Error()))
}
}
// GlobalRegistry is the Registry used by RegisterLint and contains all of the
// lints that are loaded.
//
// If you want to run only a subset of the globally registered lints use
// GloablRegistry().Filter with FilterOptions to create a filtered
// Registry.
func GlobalRegistry() Registry {
return globalRegistry
}

106
vendor/github.com/zmap/zlint/v2/lint/result.go generated vendored Normal file
View File

@ -0,0 +1,106 @@
package lint
/*
* ZLint Copyright 2020 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
import (
"encoding/json"
"fmt"
"strings"
)
// LintStatus is an enum returned by lints inside of a LintResult.
type LintStatus int
// Known LintStatus values
const (
// Unused / unset LintStatus
Reserved LintStatus = 0
// Not Applicable
NA LintStatus = 1
// Not Effective
NE LintStatus = 2
Pass LintStatus = 3
Notice LintStatus = 4
Warn LintStatus = 5
Error LintStatus = 6
Fatal LintStatus = 7
)
var (
// statusLabelToLintStatus is used to work backwards from
// a LintStatus.String() to the LintStatus. This is used by
// LintStatus.Unmarshal.
statusLabelToLintStatus = map[string]LintStatus{
Reserved.String(): Reserved,
NA.String(): NA,
NE.String(): NE,
Pass.String(): Pass,
Notice.String(): Notice,
Warn.String(): Warn,
Error.String(): Error,
Fatal.String(): Fatal,
}
)
// LintResult contains a LintStatus, and an optional human-readable description.
// The output of a lint is a LintResult.
type LintResult struct {
Status LintStatus `json:"result"`
Details string `json:"details,omitempty"`
}
// MarshalJSON implements the json.Marshaler interface.
func (e LintStatus) MarshalJSON() ([]byte, error) {
s := e.String()
return json.Marshal(s)
}
// UnmarshalJSON implements the json.Unmarshaler interface.
func (e *LintStatus) UnmarshalJSON(data []byte) error {
key := strings.ReplaceAll(string(data), `"`, "")
if status, ok := statusLabelToLintStatus[key]; ok {
*e = status
} else {
return fmt.Errorf("bad LintStatus JSON value: %s", string(data))
}
return nil
}
// String returns the canonical representation of a LintStatus as a string.
func (e LintStatus) String() string {
switch e {
case Reserved:
return "reserved"
case NA:
return "NA"
case NE:
return "NE"
case Pass:
return "pass"
case Notice:
return "info"
case Warn:
return "warn"
case Error:
return "error"
case Fatal:
return "fatal"
default:
return ""
}
}

132
vendor/github.com/zmap/zlint/v2/lint/source.go generated vendored Normal file
View File

@ -0,0 +1,132 @@
package lint
import (
"encoding/json"
"fmt"
"strings"
)
/*
* ZLint Copyright 2020 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
// LintSource is a type representing a known lint source that lints cite
// requirements from.
type LintSource string
const (
UnknownLintSource LintSource = "Unknown"
RFC5280 LintSource = "RFC5280"
RFC5480 LintSource = "RFC5480"
RFC5891 LintSource = "RFC5891"
CABFBaselineRequirements LintSource = "CABF_BR"
CABFEVGuidelines LintSource = "CABF_EV"
MozillaRootStorePolicy LintSource = "Mozilla"
AppleCTPolicy LintSource = "Apple"
ZLint LintSource = "ZLint"
AWSLabs LintSource = "AWSLabs"
EtsiEsi LintSource = "ETSI_ESI"
)
// UnmarshalJSON implements the json.Unmarshaler interface. It ensures that the
// unmarshaled value is a known LintSource.
func (s *LintSource) UnmarshalJSON(data []byte) error {
var throwAway string
if err := json.Unmarshal(data, &throwAway); err != nil {
return err
}
switch LintSource(throwAway) {
case RFC5280, RFC5480, RFC5891, CABFBaselineRequirements, CABFEVGuidelines, MozillaRootStorePolicy, AppleCTPolicy, ZLint, AWSLabs, EtsiEsi:
*s = LintSource(throwAway)
return nil
default:
*s = UnknownLintSource
return fmt.Errorf("unknown LintSource value %q", throwAway)
}
}
// FromString sets the LintSource value based on the source string provided
// (case sensitive). If the src string does not match any of the known
// LintSource's then s is set to the UnknownLintSource.
func (s *LintSource) FromString(src string) {
// Start with the unknown lint source
*s = UnknownLintSource
// Trim space and try to match a known value
src = strings.TrimSpace(src)
switch LintSource(src) {
case RFC5280:
*s = RFC5280
case RFC5480:
*s = RFC5480
case RFC5891:
*s = RFC5891
case CABFBaselineRequirements:
*s = CABFBaselineRequirements
case CABFEVGuidelines:
*s = CABFEVGuidelines
case MozillaRootStorePolicy:
*s = MozillaRootStorePolicy
case AppleCTPolicy:
*s = AppleCTPolicy
case ZLint:
*s = ZLint
case AWSLabs:
*s = AWSLabs
case EtsiEsi:
*s = EtsiEsi
}
}
// SourceList is a slice of LintSources that can be sorted.
type SourceList []LintSource
// Len returns the length of the list.
func (l SourceList) Len() int {
return len(l)
}
// Swap swaps the LintSource at index i and j in the list.
func (l SourceList) Swap(i, j int) {
l[i], l[j] = l[j], l[i]
}
// Less compares the LintSources at index i and j lexicographically.
func (l SourceList) Less(i, j int) bool {
return l[i] < l[j]
}
// FromString populates a SourceList (replacing any existing content) with the
// comma separated list of sources provided in raw. If any of the comma
// separated values are not known LintSource's an error is returned.
func (l *SourceList) FromString(raw string) error {
// Start with an empty list
*l = SourceList{}
values := strings.Split(raw, ",")
for _, val := range values {
val = strings.TrimSpace(val)
if val == "" {
continue
}
// Populate the LintSource with the trimmed value.
var src LintSource
src.FromString(val)
// If the LintSource is UnknownLintSource then return an error.
if src == UnknownLintSource {
return fmt.Errorf("unknown lint source in list: %q", val)
}
*l = append(*l, src)
}
return nil
}

157
vendor/github.com/zmap/zlint/v2/lints/apple/lint_ct_sct_policy_count_unsatisfied.go generated vendored Normal file
View File

@ -0,0 +1,157 @@
/*
* ZLint Copyright 2020 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
package apple
import (
"fmt"
"time"
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zcrypto/x509/ct"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
)
type sctPolicyCount struct{}
// Initialize for a sctPolicyCount instance does nothing.
func (l *sctPolicyCount) Initialize() error {
return nil
}
// CheckApplies returns true for any subscriber certificates that are not
// precertificates (e.g. that do not have the CT poison extension defined in RFC
// 6962.
func (l *sctPolicyCount) CheckApplies(c *x509.Certificate) bool {
return util.IsSubscriberCert(c) && !util.IsExtInCert(c, util.CtPoisonOID)
}
// Execute checks if the provided certificate has embedded SCTs from
// a sufficient number of unique CT logs to meet Apple's CT log policy[0],
// effective Oct 15th, 2018.
//
// The number of required SCTs from different logs is calculated based on the
// Certificate's lifetime. If the number of required SCTs are not embedded in
// the certificate a Notice level lint.LintResult is returned.
//
// | Certificate lifetime | # of SCTs from separate logs |
// -------------------------------------------------------
// | Less than 15 months | 2 |
// | 15 to 27 months | 3 |
// | 27 to 39 months | 4 |
// | More than 39 months | 5 |
// -------------------------------------------------------
//
// Important note 1: We can't know whether additional SCTs were presented
// alongside the certificate via OCSP stapling. This linter assumes only
// embedded SCTs are used and ignores the portion of the Apple policy related to
// SCTs delivered via OCSP. This is one limitation that restricts the linter's
// findings to Notice level. See more background discussion in Issue 226[1].
//
// Important note 2: The linter doesn't maintain a list of Apple's trusted
// logs. The SCTs embedded in the certificate may not be from log's Apple
// actually trusts. Similarly the embedded SCT signatures are not validated
// in any way.
//
// [0]: https://support.apple.com/en-us/HT205280
// [1]: https://github.com/zmap/zlint/issues/226
func (l *sctPolicyCount) Execute(c *x509.Certificate) *lint.LintResult {
// Determine the required number of SCTs from separate logs
expected := appleCTPolicyExpectedSCTs(c)
// If there are no SCTs then the job is easy. We can return a Notice
// lint.LintResult immediately.
if len(c.SignedCertificateTimestampList) == 0 && expected > 0 {
return &lint.LintResult{
Status: lint.Notice,
Details: fmt.Sprintf(
"Certificate had 0 embedded SCTs. Browser policy may require %d for this certificate.",
expected),
}
}
// Build a map from LogID to SCT so that we can count embedded SCTs by unique
// log.
sctsByLogID := make(map[ct.SHA256Hash]*ct.SignedCertificateTimestamp)
for _, sct := range c.SignedCertificateTimestampList {
sctsByLogID[sct.LogID] = sct
}
// If the number of embedded SCTs from separate logs meets expected return
// a lint.Pass result.
if len(sctsByLogID) >= expected {
return &lint.LintResult{Status: lint.Pass}
}
// Otherwise return a Notice result - there weren't enough SCTs embedded in
// the certificate. More must be provided by OCSP stapling if the certificate
// is to meet Apple's CT policy.
return &lint.LintResult{
Status: lint.Notice,
Details: fmt.Sprintf(
"Certificate had %d embedded SCTs from distinct log IDs. "+
"Browser policy may require %d for this certificate.",
len(sctsByLogID), expected),
}
}
// appleCTPolicyExpectedSCTs returns a count of the number of SCTs expected to
// be embedded in the given certificate based on its lifetime.
//
// For this function the relevant portion of Apple's policy is the table
// "Number of embedded SCTs based on certificate lifetime" (Also reproduced in
// the `Execute` godoc comment).
func appleCTPolicyExpectedSCTs(cert *x509.Certificate) int {
// Lifetime is relative to the certificate's NotBefore date.
start := cert.NotBefore
// Thresholds is an ordered array of lifetime periods and their expected # of
// SCTs. A lifetime period is defined by the cutoff date relative to the
// start of the certificate's lifetime.
thresholds := []struct {
CutoffDate time.Time
Expected int
}{
// Start date ... 15 months
{CutoffDate: start.AddDate(0, 15, 0), Expected: 2},
// Start date ... 27 months
{CutoffDate: start.AddDate(0, 27, 0), Expected: 3},
// Start date ... 39 months
{CutoffDate: start.AddDate(0, 39, 0), Expected: 4},
}
// If the certificate's lifetime falls into any of the cutoff date ranges then
// we expect that range's expected # of SCTs for this certificate. This loop
// assumes the `thresholds` list is sorted in ascending order.
for _, threshold := range thresholds {
if cert.NotAfter.Before(threshold.CutoffDate) {
return threshold.Expected
}
}
// The certificate had a validity > 39 months.
return 5
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "w_ct_sct_policy_count_unsatisfied",
Description: "Check if certificate has enough embedded SCTs to meet Apple CT Policy",
Citation: "https://support.apple.com/en-us/HT205280",
Source: lint.AppleCTPolicy,
EffectiveDate: util.AppleCTPolicyDate,
Lint: &sctPolicyCount{},
})
}

50
vendor/github.com/zmap/zlint/v2/lints/cabf_br/lint_ca_common_name_missing.go generated vendored Normal file
View File

@ -0,0 +1,50 @@
package cabf_br
/*
* ZLint Copyright 2020 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
)
type caCommonNameMissing struct{}
func (l *caCommonNameMissing) Initialize() error {
return nil
}
func (l *caCommonNameMissing) CheckApplies(c *x509.Certificate) bool {
return util.IsCACert(c)
}
func (l *caCommonNameMissing) Execute(c *x509.Certificate) *lint.LintResult {
if c.Subject.CommonName == "" {
return &lint.LintResult{Status: lint.Error}
} else {
return &lint.LintResult{Status: lint.Pass}
}
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_ca_common_name_missing",
Description: "CA Certificates common name MUST be included.",
Citation: "BRs: 7.1.4.3.1",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABV148Date,
Lint: &caCommonNameMissing{},
})
}

63
vendor/github.com/zmap/zlint/v2/lints/cabf_br/lint_ca_country_name_invalid.go generated vendored Normal file
View File

@ -0,0 +1,63 @@
package cabf_br
/*
* ZLint Copyright 2020 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
)
/************************************************
BRs: 7.1.2.1e
The Certificate Subject MUST contain the following:
countryName (OID 2.5.4.6).
This field MUST contain the twoletter ISO 31661 country code for the country
in which the CAs place of business is located.
************************************************/
type caCountryNameInvalid struct{}
func (l *caCountryNameInvalid) Initialize() error {
return nil
}
func (l *caCountryNameInvalid) CheckApplies(c *x509.Certificate) bool {
return c.IsCA
}
func (l *caCountryNameInvalid) Execute(c *x509.Certificate) *lint.LintResult {
if c.Subject.Country != nil {
for _, j := range c.Subject.Country {
if !util.IsISOCountryCode(j) {
return &lint.LintResult{Status: lint.Error}
}
}
return &lint.LintResult{Status: lint.Pass}
} else {
return &lint.LintResult{Status: lint.NA}
}
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_ca_country_name_invalid",
Description: "Root and Subordinate CA certificates MUST have a two-letter country code specified in ISO 3166-1",
Citation: "BRs: 7.1.2.1",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &caCountryNameInvalid{},
})
}

58
vendor/github.com/zmap/zlint/v2/lints/cabf_br/lint_ca_country_name_missing.go generated vendored Normal file
View File

@ -0,0 +1,58 @@
package cabf_br
/*
* ZLint Copyright 2020 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
)
/************************************************
BRs: 7.1.2.1e
The Certificate Subject MUST contain the following:
countryName (OID 2.5.4.6).
This field MUST contain the twoletter ISO 31661 country code for the country
in which the CAs place of business is located.
************************************************/
type caCountryNameMissing struct{}
func (l *caCountryNameMissing) Initialize() error {
return nil
}
func (l *caCountryNameMissing) CheckApplies(c *x509.Certificate) bool {
return c.IsCA
}
func (l *caCountryNameMissing) Execute(c *x509.Certificate) *lint.LintResult {
if c.Subject.Country != nil && c.Subject.Country[0] != "" {
return &lint.LintResult{Status: lint.Pass}
} else {
return &lint.LintResult{Status: lint.Error}
}
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_ca_country_name_missing",
Description: "Root and Subordinate CA certificates MUST have a countryName present in subject information",
Citation: "BRs: 7.1.2.1",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &caCountryNameMissing{},
})
}

57
vendor/github.com/zmap/zlint/v2/lints/cabf_br/lint_ca_crl_sign_not_set.go generated vendored Normal file
View File

@ -0,0 +1,57 @@
package cabf_br
/*
* ZLint Copyright 2020 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
)
/************************************************
BRs: 7.1.2.1b
This extension MUST be present and MUST be marked critical. Bit positions for
keyCertSign and cRLSign MUST be set. If the Root CA Private Key is used for
signing OCSP responses, then the digitalSignature bit MUST be set.
************************************************/
type caCRLSignNotSet struct{}
func (l *caCRLSignNotSet) Initialize() error {
return nil
}
func (l *caCRLSignNotSet) CheckApplies(c *x509.Certificate) bool {
return c.IsCA && util.IsExtInCert(c, util.KeyUsageOID)
}
func (l *caCRLSignNotSet) Execute(c *x509.Certificate) *lint.LintResult {
if c.KeyUsage&x509.KeyUsageCRLSign != 0 {
return &lint.LintResult{Status: lint.Pass}
} else {
return &lint.LintResult{Status: lint.Error}
}
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_ca_crl_sign_not_set",
Description: "Root and Subordinate CA certificate keyUsage extension's crlSign bit MUST be set",
Citation: "BRs: 7.1.2.1",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &caCRLSignNotSet{},
})
}

56
vendor/github.com/zmap/zlint/v2/lints/cabf_br/lint_ca_digital_signature_not_set.go generated vendored Normal file
View File

@ -0,0 +1,56 @@
package cabf_br
/*
* ZLint Copyright 2020 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
/************************************************
BRs: 7.1.2.1b
This extension MUST be present and MUST be marked critical. Bit positions for keyCertSign and cRLSign MUST be set.
If the Root CA Private Key is used for signing OCSP responses, then the digitalSignature bit MUST be set.
************************************************/
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
)
type caDigSignNotSet struct{}
func (l *caDigSignNotSet) Initialize() error {
return nil
}
func (l *caDigSignNotSet) CheckApplies(c *x509.Certificate) bool {
return c.IsCA && util.IsExtInCert(c, util.KeyUsageOID)
}
func (l *caDigSignNotSet) Execute(c *x509.Certificate) *lint.LintResult {
if c.KeyUsage&x509.KeyUsageDigitalSignature != 0 {
return &lint.LintResult{Status: lint.Pass}
} else {
return &lint.LintResult{Status: lint.Notice}
}
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "n_ca_digital_signature_not_set",
Description: "Root and Subordinate CA Certificates that wish to use their private key for signing OCSP responses will not be able to without their digital signature set",
Citation: "BRs: 7.1.2.1",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &caDigSignNotSet{},
})
}

63
vendor/github.com/zmap/zlint/v2/lints/cabf_br/lint_ca_is_ca.go generated vendored Normal file
View File

@ -0,0 +1,63 @@
package cabf_br
/*
* ZLint Copyright 2020 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
import (
"encoding/asn1"
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
)
type caIsCA struct{}
type basicConstraints struct {
IsCA bool `asn1:"optional"`
MaxPathLen int `asn1:"optional,default:-1"`
}
func (l *caIsCA) Initialize() error {
return nil
}
func (l *caIsCA) CheckApplies(c *x509.Certificate) bool {
return util.IsExtInCert(c, util.KeyUsageOID) && c.KeyUsage&x509.KeyUsageCertSign != 0 && util.IsExtInCert(c, util.BasicConstOID)
}
func (l *caIsCA) Execute(c *x509.Certificate) *lint.LintResult {
e := util.GetExtFromCert(c, util.BasicConstOID)
var constraints basicConstraints
_, err := asn1.Unmarshal(e.Value, &constraints)
if err != nil {
return &lint.LintResult{Status: lint.Fatal}
}
if constraints.IsCA {
return &lint.LintResult{Status: lint.Pass}
} else {
return &lint.LintResult{Status: lint.Error}
}
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_ca_is_ca",
Description: "Root and Sub CA Certificate: The CA field MUST be set to true.",
Citation: "BRs: 7.1.2.1, BRs: 7.1.2.2",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &caIsCA{},
})
}

56
vendor/github.com/zmap/zlint/v2/lints/cabf_br/lint_ca_key_cert_sign_not_set.go generated vendored Normal file
View File

@ -0,0 +1,56 @@
package cabf_br
/*
* ZLint Copyright 2020 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
/************************************************
BRs: 7.1.2.1b
This extension MUST be present and MUST be marked critical. Bit positions for keyCertSign and cRLSign MUST be set.
If the Root CA Private Key is used for signing OCSP responses, then the digitalSignature bit MUST be set.
************************************************/
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
)
type caKeyCertSignNotSet struct{}
func (l *caKeyCertSignNotSet) Initialize() error {
return nil
}
func (l *caKeyCertSignNotSet) CheckApplies(c *x509.Certificate) bool {
return c.IsCA && util.IsExtInCert(c, util.KeyUsageOID)
}
func (l *caKeyCertSignNotSet) Execute(c *x509.Certificate) *lint.LintResult {
if c.KeyUsage&x509.KeyUsageCertSign != 0 {
return &lint.LintResult{Status: lint.Pass}
} else {
return &lint.LintResult{Status: lint.Error}
}
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_ca_key_cert_sign_not_set",
Description: "Root CA Certificate: Bit positions for keyCertSign and cRLSign MUST be set.",
Citation: "BRs: 7.1.2.1",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &caKeyCertSignNotSet{},
})
}

58
vendor/github.com/zmap/zlint/v2/lints/cabf_br/lint_ca_key_usage_missing.go generated vendored Normal file
View File

@ -0,0 +1,58 @@
package cabf_br
/*
* ZLint Copyright 2020 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
/************************************************
RFC 5280: 4.2.1.3
Conforming CAs MUST include this extension in certificates that
contain public keys that are used to validate digital signatures on
other public key certificates or CRLs. When present, conforming CAs
SHOULD mark this extension as critical.
************************************************/
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
)
type caKeyUsageMissing struct{}
func (l *caKeyUsageMissing) Initialize() error {
return nil
}
func (l *caKeyUsageMissing) CheckApplies(c *x509.Certificate) bool {
return c.IsCA
}
func (l *caKeyUsageMissing) Execute(c *x509.Certificate) *lint.LintResult {
if c.KeyUsage != x509.KeyUsage(0) {
return &lint.LintResult{Status: lint.Pass}
} else {
return &lint.LintResult{Status: lint.Error}
}
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_ca_key_usage_missing",
Description: "Root and Subordinate CA certificate keyUsage extension MUST be present",
Citation: "BRs: 7.1.2.1, RFC 5280: 4.2.1.3",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.RFC3280Date,
Lint: &caKeyUsageMissing{},
})
}

56
vendor/github.com/zmap/zlint/v2/lints/cabf_br/lint_ca_key_usage_not_critical.go generated vendored Normal file
View File

@ -0,0 +1,56 @@
package cabf_br
/*
* ZLint Copyright 2020 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
/************************************************
BRs: 7.1.2.1b
This extension MUST be present and MUST be marked critical. Bit positions for keyCertSign and cRLSign MUST be set.
If the Root CA Private Key is used for signing OCSP responses, then the digitalSignature bit MUST be set.
************************************************/
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
)
type caKeyUsageNotCrit struct{}
func (l *caKeyUsageNotCrit) Initialize() error {
return nil
}
func (l *caKeyUsageNotCrit) CheckApplies(c *x509.Certificate) bool {
return c.IsCA && util.IsExtInCert(c, util.KeyUsageOID)
}
func (l *caKeyUsageNotCrit) Execute(c *x509.Certificate) *lint.LintResult {
if e := util.GetExtFromCert(c, util.KeyUsageOID); e.Critical {
return &lint.LintResult{Status: lint.Pass}
} else {
return &lint.LintResult{Status: lint.Error}
}
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_ca_key_usage_not_critical",
Description: "Root and Subordinate CA certificate keyUsage extension MUST be marked as critical",
Citation: "BRs: 7.1.2.1",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &caKeyUsageNotCrit{},
})
}

55
vendor/github.com/zmap/zlint/v2/lints/cabf_br/lint_ca_organization_name_missing.go generated vendored Normal file
View File

@ -0,0 +1,55 @@
package cabf_br
/*
* ZLint Copyright 2020 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
/************************************************
BRs: 7.1.2.1e
The Certificate Subject MUST contain the following: organizationName (OID 2.5.4.10): This field MUST be present and the contents MUST contain either the Subject CAs name or DBA as verified under Section 3.2.2.2.
************************************************/
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
)
type caOrganizationNameMissing struct{}
func (l *caOrganizationNameMissing) Initialize() error {
return nil
}
func (l *caOrganizationNameMissing) CheckApplies(c *x509.Certificate) bool {
return c.IsCA
}
func (l *caOrganizationNameMissing) Execute(c *x509.Certificate) *lint.LintResult {
if c.Subject.Organization != nil && c.Subject.Organization[0] != "" {
return &lint.LintResult{Status: lint.Pass}
} else {
return &lint.LintResult{Status: lint.Error}
}
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_ca_organization_name_missing",
Description: "Root and Subordinate CA certificates MUST have a organizationName present in subject information",
Citation: "BRs: 7.1.2.1",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &caOrganizationNameMissing{},
})
}

52
vendor/github.com/zmap/zlint/v2/lints/cabf_br/lint_cab_dv_conflicts_with_locality.go generated vendored Normal file
View File

@ -0,0 +1,52 @@
package cabf_br
/*
* ZLint Copyright 2020 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
// If the Certificate asserts the policy identifier of 2.23.140.1.2.1, then it MUST NOT include
// organizationName, streetAddress, localityName, stateOrProvinceName, or postalCode in the Subject field.
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
)
type certPolicyConflictsWithLocality struct{}
func (l *certPolicyConflictsWithLocality) Initialize() error {
return nil
}
func (l *certPolicyConflictsWithLocality) CheckApplies(cert *x509.Certificate) bool {
return util.SliceContainsOID(cert.PolicyIdentifiers, util.BRDomainValidatedOID) && !util.IsCACert(cert)
}
func (l *certPolicyConflictsWithLocality) Execute(cert *x509.Certificate) *lint.LintResult {
if util.TypeInName(&cert.Subject, util.LocalityNameOID) {
return &lint.LintResult{Status: lint.Error}
}
return &lint.LintResult{Status: lint.Pass}
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_cab_dv_conflicts_with_locality",
Description: "If certificate policy 2.23.140.1.2.1 (CA/B BR domain validated) is included, locality name MUST NOT be included in subject",
Citation: "BRs: 7.1.6.1",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &certPolicyConflictsWithLocality{},
})
}

55
vendor/github.com/zmap/zlint/v2/lints/cabf_br/lint_cab_dv_conflicts_with_org.go generated vendored Normal file
View File

@ -0,0 +1,55 @@
package cabf_br
/*
* ZLint Copyright 2020 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
// If the Certificate asserts the policy identifier of 2.23.140.1.2.1, then it MUST NOT include
// organizationName, streetAddress, localityName, stateOrProvinceName, or postalCode in the Subject field.
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
)
type certPolicyConflictsWithOrg struct{}
func (l *certPolicyConflictsWithOrg) Initialize() error {
return nil
}
func (l *certPolicyConflictsWithOrg) CheckApplies(cert *x509.Certificate) bool {
return util.SliceContainsOID(cert.PolicyIdentifiers, util.BRDomainValidatedOID) && !util.IsCACert(cert)
}
func (l *certPolicyConflictsWithOrg) Execute(cert *x509.Certificate) *lint.LintResult {
var out lint.LintResult
if util.TypeInName(&cert.Subject, util.OrganizationNameOID) {
out.Status = lint.Error
} else {
out.Status = lint.Pass
}
return &out
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_cab_dv_conflicts_with_org",
Description: "If certificate policy 2.23.140.1.2.1 (CA/B BR domain validated) is included, organization name MUST NOT be included in subject",
Citation: "BRs: 7.1.6.1",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &certPolicyConflictsWithOrg{},
})
}

55
vendor/github.com/zmap/zlint/v2/lints/cabf_br/lint_cab_dv_conflicts_with_postal.go generated vendored Normal file
View File

@ -0,0 +1,55 @@
package cabf_br
/*
* ZLint Copyright 2020 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
// If the Certificate asserts the policy identifier of 2.23.140.1.2.1, then it MUST NOT include
// organizationName, streetAddress, localityName, stateOrProvinceName, or postalCode in the Subject field.
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
)
type certPolicyConflictsWithPostal struct{}
func (l *certPolicyConflictsWithPostal) Initialize() error {
return nil
}
func (l *certPolicyConflictsWithPostal) CheckApplies(cert *x509.Certificate) bool {
return util.SliceContainsOID(cert.PolicyIdentifiers, util.BRDomainValidatedOID) && !util.IsCACert(cert)
}
func (l *certPolicyConflictsWithPostal) Execute(cert *x509.Certificate) *lint.LintResult {
var out lint.LintResult
if util.TypeInName(&cert.Subject, util.PostalCodeOID) {
out.Status = lint.Error
} else {
out.Status = lint.Pass
}
return &out
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_cab_dv_conflicts_with_postal",
Description: "If certificate policy 2.23.140.1.2.1 (CA/B BR domain validated) is included, postalCode MUST NOT be included in subject",
Citation: "BRs: 7.1.6.1",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &certPolicyConflictsWithPostal{},
})
}

55
vendor/github.com/zmap/zlint/v2/lints/cabf_br/lint_cab_dv_conflicts_with_province.go generated vendored Normal file
View File

@ -0,0 +1,55 @@
package cabf_br
/*
* ZLint Copyright 2020 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
// If the Certificate asserts the policy identifier of 2.23.140.1.2.1, then it MUST NOT include
// organizationName, streetAddress, localityName, stateOrProvinceName, or postalCode in the Subject field.
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
)
type certPolicyConflictsWithProvince struct{}
func (l *certPolicyConflictsWithProvince) Initialize() error {
return nil
}
func (l *certPolicyConflictsWithProvince) CheckApplies(cert *x509.Certificate) bool {
return util.SliceContainsOID(cert.PolicyIdentifiers, util.BRDomainValidatedOID) && !util.IsCACert(cert)
}
func (l *certPolicyConflictsWithProvince) Execute(cert *x509.Certificate) *lint.LintResult {
var out lint.LintResult
if util.TypeInName(&cert.Subject, util.StateOrProvinceNameOID) {
out.Status = lint.Error
} else {
out.Status = lint.Pass
}
return &out
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_cab_dv_conflicts_with_province",
Description: "If certificate policy 2.23.140.1.2.1 (CA/B BR domain validated) is included, stateOrProvinceName MUST NOT be included in subject",
Citation: "BRs: 7.1.6.1",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &certPolicyConflictsWithProvince{},
})
}

55
vendor/github.com/zmap/zlint/v2/lints/cabf_br/lint_cab_dv_conflicts_with_street.go generated vendored Normal file
View File

@ -0,0 +1,55 @@
package cabf_br
/*
* ZLint Copyright 2020 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
// If the Certificate asserts the policy identifier of 2.23.140.1.2.1, then it MUST NOT include
// organizationName, streetAddress, localityName, stateOrProvinceName, or postalCode in the Subject field.
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
)
type certPolicyConflictsWithStreet struct{}
func (l *certPolicyConflictsWithStreet) Initialize() error {
return nil
}
func (l *certPolicyConflictsWithStreet) CheckApplies(cert *x509.Certificate) bool {
return util.SliceContainsOID(cert.PolicyIdentifiers, util.BRDomainValidatedOID) && !util.IsCACert(cert)
}
func (l *certPolicyConflictsWithStreet) Execute(cert *x509.Certificate) *lint.LintResult {
var out lint.LintResult
if util.TypeInName(&cert.Subject, util.StreetAddressOID) {
out.Status = lint.Error
} else {
out.Status = lint.Pass
}
return &out
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_cab_dv_conflicts_with_street",
Description: "If certificate policy 2.23.140.1.2.1 (CA/B BR domain validated) is included, streetAddress MUST NOT be included in subject",
Citation: "BRs: 7.1.6.1",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &certPolicyConflictsWithStreet{},
})
}

54
vendor/github.com/zmap/zlint/v2/lints/cabf_br/lint_cab_iv_requires_personal_name.go generated vendored Normal file
View File

@ -0,0 +1,54 @@
package cabf_br
/*
* ZLint Copyright 2020 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
/*If the Certificate asserts the policy identifier of 2.23.140.1.2.3, then it MUST also include (i) either organizationName or givenName and surname, (ii) localityName (to the extent such field is required under Section 7.1.4.2.2), (iii) stateOrProvinceName (to the extent required under Section 7.1.4.2.2), and (iv) countryName in the Subject field.*/
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
)
type CertPolicyRequiresPersonalName struct{}
func (l *CertPolicyRequiresPersonalName) Initialize() error {
return nil
}
func (l *CertPolicyRequiresPersonalName) CheckApplies(cert *x509.Certificate) bool {
return util.SliceContainsOID(cert.PolicyIdentifiers, util.BRIndividualValidatedOID) && !util.IsCACert(cert)
}
func (l *CertPolicyRequiresPersonalName) Execute(cert *x509.Certificate) *lint.LintResult {
var out lint.LintResult
if util.TypeInName(&cert.Subject, util.OrganizationNameOID) || (util.TypeInName(&cert.Subject, util.GivenNameOID) && util.TypeInName(&cert.Subject, util.SurnameOID)) {
out.Status = lint.Pass
} else {
out.Status = lint.Error
}
return &out
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_cab_iv_requires_personal_name",
Description: "If certificate policy 2.23.140.1.2.3 is included, either organizationName or givenName and surname MUST be included in subject",
Citation: "BRs: 7.1.6.1",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABV131Date,
Lint: &CertPolicyRequiresPersonalName{},
})
}

54
vendor/github.com/zmap/zlint/v2/lints/cabf_br/lint_cab_ov_requires_org.go generated vendored Normal file
View File

@ -0,0 +1,54 @@
package cabf_br
/*
* ZLint Copyright 2020 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
/*If the Certificate asserts the policy identifier of 2.23.140.1.2.2, then it MUST also include organizationName, localityName (to the extent such field is required under Section 7.1.4.2.2), stateOrProvinceName (to the extent such field is required under Section 7.1.4.2.2), and countryName in the Subject field.*/
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
)
type CertPolicyRequiresOrg struct{}
func (l *CertPolicyRequiresOrg) Initialize() error {
return nil
}
func (l *CertPolicyRequiresOrg) CheckApplies(cert *x509.Certificate) bool {
return util.SliceContainsOID(cert.PolicyIdentifiers, util.BROrganizationValidatedOID) && !util.IsCACert(cert)
}
func (l *CertPolicyRequiresOrg) Execute(cert *x509.Certificate) *lint.LintResult {
var out lint.LintResult
if util.TypeInName(&cert.Subject, util.OrganizationNameOID) {
out.Status = lint.Pass
} else {
out.Status = lint.Error
}
return &out
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_cab_ov_requires_org",
Description: "If certificate policy 2.23.140.1.2.2 is included, organizationName MUST be included in subject",
Citation: "BRs: 7.1.6.1",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &CertPolicyRequiresOrg{},
})
}

54
vendor/github.com/zmap/zlint/v2/lints/cabf_br/lint_cert_policy_iv_requires_country.go generated vendored Normal file
View File

@ -0,0 +1,54 @@
package cabf_br
/*
* ZLint Copyright 2020 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
/*If the Certificate asserts the policy identifier of 2.23.140.1.2.3, then it MUST also include (i) either organizationName or givenName and surname, (ii) localityName (to the extent such field is required under Section 7.1.4.2.2), (iii) stateOrProvinceName (to the extent required under Section 7.1.4.2.2), and (iv) countryName in the Subject field.*/
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
)
type CertPolicyIVRequiresCountry struct{}
func (l *CertPolicyIVRequiresCountry) Initialize() error {
return nil
}
func (l *CertPolicyIVRequiresCountry) CheckApplies(cert *x509.Certificate) bool {
return util.SliceContainsOID(cert.PolicyIdentifiers, util.BRIndividualValidatedOID)
}
func (l *CertPolicyIVRequiresCountry) Execute(cert *x509.Certificate) *lint.LintResult {
var out lint.LintResult
if util.TypeInName(&cert.Subject, util.CountryNameOID) {
out.Status = lint.Pass
} else {
out.Status = lint.Error
}
return &out
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_cert_policy_iv_requires_country",
Description: "If certificate policy 2.23.140.1.2.3 is included, countryName MUST be included in subject",
Citation: "BRs: 7.1.6.1",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABV131Date,
Lint: &CertPolicyIVRequiresCountry{},
})
}

55
vendor/github.com/zmap/zlint/v2/lints/cabf_br/lint_cert_policy_iv_requires_province_or_locality.go generated vendored Normal file
View File

@ -0,0 +1,55 @@
package cabf_br
/*
* ZLint Copyright 2020 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
// 7.1.6.1: If the Certificate asserts the policy identifier of 2.23.140.1.2.3, then it MUST also include (i) either organizationName or givenName and surname, (ii) localityName (to the extent such field is required under Section 7.1.4.2.2), (iii) stateOrProvinceName (to the extent required under Section 7.1.4.2.2), and (iv) countryName in the Subject field.
// 7.1.4.2.2 applies only to subscriber certificates.
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
)
type CertPolicyIVRequiresProvinceOrLocal struct{}
func (l *CertPolicyIVRequiresProvinceOrLocal) Initialize() error {
return nil
}
func (l *CertPolicyIVRequiresProvinceOrLocal) CheckApplies(cert *x509.Certificate) bool {
return util.IsSubscriberCert(cert) && util.SliceContainsOID(cert.PolicyIdentifiers, util.BRIndividualValidatedOID)
}
func (l *CertPolicyIVRequiresProvinceOrLocal) Execute(cert *x509.Certificate) *lint.LintResult {
var out lint.LintResult
if util.TypeInName(&cert.Subject, util.LocalityNameOID) || util.TypeInName(&cert.Subject, util.StateOrProvinceNameOID) {
out.Status = lint.Pass
} else {
out.Status = lint.Error
}
return &out
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_cert_policy_iv_requires_province_or_locality",
Description: "If certificate policy 2.23.140.1.2.3 is included, localityName or stateOrProvinceName MUST be included in subject",
Citation: "BRs: 7.1.6.1",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABV131Date,
Lint: &CertPolicyIVRequiresProvinceOrLocal{},
})
}

54
vendor/github.com/zmap/zlint/v2/lints/cabf_br/lint_cert_policy_ov_requires_country.go generated vendored Normal file
View File

@ -0,0 +1,54 @@
package cabf_br
/*
* ZLint Copyright 2020 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
/*If the Certificate asserts the policy identifier of 2.23.140.1.2.2, then it MUST also include organizationName, localityName (to the extent such field is required under Section 7.1.4.2.2), stateOrProvinceName (to the extent such field is required under Section 7.1.4.2.2), and countryName in the Subject field.*/
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
)
type CertPolicyOVRequiresCountry struct{}
func (l *CertPolicyOVRequiresCountry) Initialize() error {
return nil
}
func (l *CertPolicyOVRequiresCountry) CheckApplies(cert *x509.Certificate) bool {
return util.SliceContainsOID(cert.PolicyIdentifiers, util.BROrganizationValidatedOID)
}
func (l *CertPolicyOVRequiresCountry) Execute(cert *x509.Certificate) *lint.LintResult {
var out lint.LintResult
if util.TypeInName(&cert.Subject, util.CountryNameOID) {
out.Status = lint.Pass
} else {
out.Status = lint.Error
}
return &out
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_cert_policy_ov_requires_country",
Description: "If certificate policy 2.23.140.1.2.2 is included, countryName MUST be included in subject",
Citation: "BRs: 7.1.6.1",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &CertPolicyOVRequiresCountry{},
})
}

55
vendor/github.com/zmap/zlint/v2/lints/cabf_br/lint_cert_policy_ov_requires_province_or_locality.go generated vendored Normal file
View File

@ -0,0 +1,55 @@
package cabf_br
/*
* ZLint Copyright 2020 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
// 7.1.6.1: If the Certificate asserts the policy identifier of 2.23.140.1.2.2, then it MUST also include organizationName, localityName (to the extent such field is required under Section 7.1.4.2.2), stateOrProvinceName (to the extent such field is required under Section 7.1.4.2.2), and countryName in the Subject field.*/
// 7.1.4.2.2 applies only to subscriber certificates.
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
)
type CertPolicyOVRequiresProvinceOrLocal struct{}
func (l *CertPolicyOVRequiresProvinceOrLocal) Initialize() error {
return nil
}
func (l *CertPolicyOVRequiresProvinceOrLocal) CheckApplies(cert *x509.Certificate) bool {
return util.IsSubscriberCert(cert) && util.SliceContainsOID(cert.PolicyIdentifiers, util.BROrganizationValidatedOID)
}
func (l *CertPolicyOVRequiresProvinceOrLocal) Execute(cert *x509.Certificate) *lint.LintResult {
var out lint.LintResult
if util.TypeInName(&cert.Subject, util.LocalityNameOID) || util.TypeInName(&cert.Subject, util.StateOrProvinceNameOID) {
out.Status = lint.Pass
} else {
out.Status = lint.Error
}
return &out
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_cert_policy_ov_requires_province_or_locality",
Description: "If certificate policy 2.23.140.1.2.2 is included, localityName or stateOrProvinceName MUST be included in subject",
Citation: "BRs: 7.1.6.1",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &CertPolicyOVRequiresProvinceOrLocal{},
})
}

56
vendor/github.com/zmap/zlint/v2/lints/cabf_br/lint_dh_params_missing.go generated vendored Normal file
View File

@ -0,0 +1,56 @@
package cabf_br
/*
* ZLint Copyright 2020 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
import (
"crypto/dsa"
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
)
type dsaParamsMissing struct{}
func (l *dsaParamsMissing) Initialize() error {
return nil
}
func (l *dsaParamsMissing) CheckApplies(c *x509.Certificate) bool {
return c.PublicKeyAlgorithm == x509.DSA
}
func (l *dsaParamsMissing) Execute(c *x509.Certificate) *lint.LintResult {
dsaKey, ok := c.PublicKey.(*dsa.PublicKey)
if !ok {
return &lint.LintResult{Status: lint.Fatal}
}
params := dsaKey.Parameters
if params.P.BitLen() == 0 || params.Q.BitLen() == 0 || params.G.BitLen() == 0 {
return &lint.LintResult{Status: lint.Error}
}
return &lint.LintResult{Status: lint.Pass}
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_dsa_params_missing",
Description: "DSA: Certificates MUST include all domain parameters",
Citation: "BRs: 6.1.6",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &dsaParamsMissing{},
})
}

64
vendor/github.com/zmap/zlint/v2/lints/cabf_br/lint_dnsname_bad_character_in_label.go generated vendored Normal file
View File

@ -0,0 +1,64 @@
package cabf_br
/*
* ZLint Copyright 2020 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
import (
"regexp"
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
)
type DNSNameProperCharacters struct {
CompiledExpression *regexp.Regexp
}
func (l *DNSNameProperCharacters) Initialize() error {
const dnsNameRegexp = `^(\*\.)?(\?\.)*([A-Za-z0-9*_-]+\.)*[A-Za-z0-9*_-]*$`
var err error
l.CompiledExpression, err = regexp.Compile(dnsNameRegexp)
return err
}
func (l *DNSNameProperCharacters) CheckApplies(c *x509.Certificate) bool {
return util.IsSubscriberCert(c) && util.DNSNamesExist(c)
}
func (l *DNSNameProperCharacters) Execute(c *x509.Certificate) *lint.LintResult {
if c.Subject.CommonName != "" && !util.CommonNameIsIP(c) {
if !l.CompiledExpression.MatchString(c.Subject.CommonName) {
return &lint.LintResult{Status: lint.Error}
}
}
for _, dns := range c.DNSNames {
if !l.CompiledExpression.MatchString(dns) {
return &lint.LintResult{Status: lint.Error}
}
}
return &lint.LintResult{Status: lint.Pass}
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_dnsname_bad_character_in_label",
Description: "Characters in labels of DNSNames MUST be alphanumeric, - , _ or *",
Citation: "BRs: 7.1.4.2",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &DNSNameProperCharacters{},
})
}

67
vendor/github.com/zmap/zlint/v2/lints/cabf_br/lint_dnsname_check_left_label_wildcard.go generated vendored Normal file
View File

@ -0,0 +1,67 @@
package cabf_br
/*
* ZLint Copyright 2020 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
import (
"strings"
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
)
type DNSNameLeftLabelWildcardCheck struct{}
func (l *DNSNameLeftLabelWildcardCheck) Initialize() error {
return nil
}
func (l *DNSNameLeftLabelWildcardCheck) CheckApplies(c *x509.Certificate) bool {
return true
}
func wildcardInLeftLabelIncorrect(domain string) bool {
labels := strings.Split(domain, ".")
if len(labels) >= 1 {
leftLabel := labels[0]
if strings.Contains(leftLabel, "*") && leftLabel != "*" {
return true
}
}
return false
}
func (l *DNSNameLeftLabelWildcardCheck) Execute(c *x509.Certificate) *lint.LintResult {
if wildcardInLeftLabelIncorrect(c.Subject.CommonName) {
return &lint.LintResult{Status: lint.Error}
}
for _, dns := range c.DNSNames {
if wildcardInLeftLabelIncorrect(dns) {
return &lint.LintResult{Status: lint.Error}
}
}
return &lint.LintResult{Status: lint.Pass}
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_dnsname_left_label_wildcard_correct",
Description: "Wildcards in the left label of DNSName should only be *",
Citation: "BRs: 7.1.4.2",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &DNSNameLeftLabelWildcardCheck{},
})
}

56
vendor/github.com/zmap/zlint/v2/lints/cabf_br/lint_dnsname_contains_bare_iana_suffix.go generated vendored Normal file
View File

@ -0,0 +1,56 @@
package cabf_br
/*
* ZLint Copyright 2020 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
)
type dnsNameContainsBareIANASuffix struct{}
func (l *dnsNameContainsBareIANASuffix) Initialize() error {
return nil
}
func (l *dnsNameContainsBareIANASuffix) CheckApplies(c *x509.Certificate) bool {
return util.IsSubscriberCert(c) && util.DNSNamesExist(c)
}
func (l *dnsNameContainsBareIANASuffix) Execute(c *x509.Certificate) *lint.LintResult {
if c.Subject.CommonName != "" && !util.CommonNameIsIP(c) {
if util.IsInTLDMap(c.Subject.CommonName) {
return &lint.LintResult{Status: lint.Error}
}
}
for _, dns := range c.DNSNames {
if util.IsInTLDMap(dns) {
return &lint.LintResult{Status: lint.Error}
}
}
return &lint.LintResult{Status: lint.Pass}
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_dnsname_contains_bare_iana_suffix",
Description: "DNSNames should not contain a bare IANA suffix.",
Citation: "BRs: 7.1.4.2",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &dnsNameContainsBareIANASuffix{},
})
}

68
vendor/github.com/zmap/zlint/v2/lints/cabf_br/lint_dnsname_contains_empty_label.go generated vendored Normal file
View File

@ -0,0 +1,68 @@
package cabf_br
/*
* ZLint Copyright 2020 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
import (
"strings"
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
)
type DNSNameEmptyLabel struct{}
func (l *DNSNameEmptyLabel) Initialize() error {
return nil
}
func (l *DNSNameEmptyLabel) CheckApplies(c *x509.Certificate) bool {
return util.IsSubscriberCert(c) && util.DNSNamesExist(c)
}
func domainHasEmptyLabel(domain string) bool {
labels := strings.Split(domain, ".")
for _, elem := range labels {
if elem == "" {
return true
}
}
return false
}
func (l *DNSNameEmptyLabel) Execute(c *x509.Certificate) *lint.LintResult {
if c.Subject.CommonName != "" && !util.CommonNameIsIP(c) {
if domainHasEmptyLabel(c.Subject.CommonName) {
return &lint.LintResult{Status: lint.Error}
}
}
for _, dns := range c.DNSNames {
if domainHasEmptyLabel(dns) {
return &lint.LintResult{Status: lint.Error}
}
}
return &lint.LintResult{Status: lint.Pass}
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_dnsname_empty_label",
Description: "DNSNames should not have an empty label.",
Citation: "BRs: 7.1.4.2",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &DNSNameEmptyLabel{},
})
}

67
vendor/github.com/zmap/zlint/v2/lints/cabf_br/lint_dnsname_hyphen_in_sld.go generated vendored Normal file
View File

@ -0,0 +1,67 @@
package cabf_br
/*
* ZLint Copyright 2020 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
import (
"strings"
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
)
type DNSNameHyphenInSLD struct{}
func (l *DNSNameHyphenInSLD) Initialize() error {
return nil
}
func (l *DNSNameHyphenInSLD) CheckApplies(c *x509.Certificate) bool {
return util.IsSubscriberCert(c) && util.DNSNamesExist(c)
}
func (l *DNSNameHyphenInSLD) Execute(c *x509.Certificate) *lint.LintResult {
if c.Subject.CommonName != "" && !util.CommonNameIsIP(c) {
domainInfo := c.GetParsedSubjectCommonName(false)
if domainInfo.ParseError != nil {
return &lint.LintResult{Status: lint.NA}
}
if strings.HasPrefix(domainInfo.ParsedDomain.SLD, "-") || strings.HasSuffix(domainInfo.ParsedDomain.SLD, "-") {
return &lint.LintResult{Status: lint.Error}
}
}
parsedSANDNSNames := c.GetParsedDNSNames(false)
for i := range c.GetParsedDNSNames(false) {
if parsedSANDNSNames[i].ParseError != nil {
return &lint.LintResult{Status: lint.NA}
}
if strings.HasPrefix(parsedSANDNSNames[i].ParsedDomain.SLD, "-") ||
strings.HasSuffix(parsedSANDNSNames[i].ParsedDomain.SLD, "-") {
return &lint.LintResult{Status: lint.Error}
}
}
return &lint.LintResult{Status: lint.Pass}
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_dnsname_hyphen_in_sld",
Description: "DNSName should not have a hyphen beginning or ending the SLD",
Citation: "BRs 7.1.4.2",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.RFC5280Date,
Lint: &DNSNameHyphenInSLD{},
})
}

70
vendor/github.com/zmap/zlint/v2/lints/cabf_br/lint_dnsname_label_too_long.go generated vendored Normal file
View File

@ -0,0 +1,70 @@
package cabf_br
/*
* ZLint Copyright 2020 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
import (
"strings"
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
)
type DNSNameLabelLengthTooLong struct{}
func (l *DNSNameLabelLengthTooLong) Initialize() error {
return nil
}
func (l *DNSNameLabelLengthTooLong) CheckApplies(c *x509.Certificate) bool {
return util.IsSubscriberCert(c) && util.DNSNamesExist(c)
}
func labelLengthTooLong(domain string) bool {
labels := strings.Split(domain, ".")
for _, label := range labels {
if len(label) > 63 {
return true
}
}
return false
}
func (l *DNSNameLabelLengthTooLong) Execute(c *x509.Certificate) *lint.LintResult {
if c.Subject.CommonName != "" && !util.CommonNameIsIP(c) {
labelTooLong := labelLengthTooLong(c.Subject.CommonName)
if labelTooLong {
return &lint.LintResult{Status: lint.Error}
}
}
for _, dns := range c.DNSNames {
labelTooLong := labelLengthTooLong(dns)
if labelTooLong {
return &lint.LintResult{Status: lint.Error}
}
}
return &lint.LintResult{Status: lint.Pass}
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_dnsname_label_too_long",
Description: "DNSName labels MUST be less than or equal to 63 characters",
Citation: "RFC 1035",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &DNSNameLabelLengthTooLong{},
})
}

56
vendor/github.com/zmap/zlint/v2/lints/cabf_br/lint_dnsname_right_label_valid_tld.go generated vendored Normal file
View File

@ -0,0 +1,56 @@
package cabf_br
/*
* ZLint Copyright 2020 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
)
type DNSNameValidTLD struct{}
func (l *DNSNameValidTLD) Initialize() error {
return nil
}
func (l *DNSNameValidTLD) CheckApplies(c *x509.Certificate) bool {
return util.IsSubscriberCert(c) && util.DNSNamesExist(c)
}
func (l *DNSNameValidTLD) Execute(c *x509.Certificate) *lint.LintResult {
if c.Subject.CommonName != "" && !util.CommonNameIsIP(c) {
if !util.HasValidTLD(c.Subject.CommonName, c.NotBefore) {
return &lint.LintResult{Status: lint.Error}
}
}
for _, dns := range c.DNSNames {
if !util.HasValidTLD(dns, c.NotBefore) {
return &lint.LintResult{Status: lint.Error}
}
}
return &lint.LintResult{Status: lint.Pass}
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_dnsname_not_valid_tld",
Description: "DNSNames must have a valid TLD.",
Citation: "BRs: 7.1.4.2",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &DNSNameValidTLD{},
})
}

67
vendor/github.com/zmap/zlint/v2/lints/cabf_br/lint_dnsname_underscore_in_sld.go generated vendored Normal file
View File

@ -0,0 +1,67 @@
package cabf_br
/*
* ZLint Copyright 2020 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
import (
"strings"
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
)
type DNSNameUnderscoreInSLD struct{}
func (l *DNSNameUnderscoreInSLD) Initialize() error {
return nil
}
func (l *DNSNameUnderscoreInSLD) CheckApplies(c *x509.Certificate) bool {
return util.IsSubscriberCert(c) && util.DNSNamesExist(c)
}
func (l *DNSNameUnderscoreInSLD) Execute(c *x509.Certificate) *lint.LintResult {
if c.Subject.CommonName != "" && !util.CommonNameIsIP(c) {
domainInfo := c.GetParsedSubjectCommonName(false)
if domainInfo.ParseError != nil {
return &lint.LintResult{Status: lint.NA}
}
if strings.Contains(domainInfo.ParsedDomain.SLD, "_") {
return &lint.LintResult{Status: lint.Error}
}
}
parsedSANDNSNames := c.GetParsedDNSNames(false)
for i := range c.GetParsedDNSNames(false) {
if parsedSANDNSNames[i].ParseError != nil {
return &lint.LintResult{Status: lint.NA}
}
if strings.Contains(parsedSANDNSNames[i].ParsedDomain.SLD, "_") {
return &lint.LintResult{Status: lint.Error}
}
}
return &lint.LintResult{Status: lint.Pass}
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_dnsname_underscore_in_sld",
Description: "DNSName should not have underscore in SLD",
Citation: "BRs: 7.1.4.2",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.RFC5280Date,
Lint: &DNSNameUnderscoreInSLD{},
})
}

68
vendor/github.com/zmap/zlint/v2/lints/cabf_br/lint_dnsname_underscore_in_trd.go generated vendored Normal file
View File

@ -0,0 +1,68 @@
package cabf_br
/*
* ZLint Copyright 2020 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
import (
"strings"
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
)
type DNSNameUnderscoreInTRD struct{}
func (l *DNSNameUnderscoreInTRD) Initialize() error {
return nil
}
func (l *DNSNameUnderscoreInTRD) CheckApplies(c *x509.Certificate) bool {
return util.IsSubscriberCert(c) && util.DNSNamesExist(c)
}
func (l *DNSNameUnderscoreInTRD) Execute(c *x509.Certificate) *lint.LintResult {
if c.Subject.CommonName != "" && !util.CommonNameIsIP(c) {
domainInfo := c.GetParsedSubjectCommonName(false)
if domainInfo.ParseError != nil {
return &lint.LintResult{Status: lint.NA}
}
if strings.Contains(domainInfo.ParsedDomain.TRD, "_") {
return &lint.LintResult{Status: lint.Warn}
}
}
parsedSANDNSNames := c.GetParsedDNSNames(false)
for i := range c.GetParsedDNSNames(false) {
if parsedSANDNSNames[i].ParseError != nil {
return &lint.LintResult{Status: lint.NA}
}
if strings.Contains(parsedSANDNSNames[i].ParsedDomain.TRD, "_") {
return &lint.LintResult{Status: lint.Warn}
}
}
return &lint.LintResult{Status: lint.Pass}
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "w_dnsname_underscore_in_trd",
Description: "DNSName should not have an underscore in labels left of the ETLD+1",
Citation: "BRs: 7.1.4.2",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.RFC5280Date,
Lint: &DNSNameUnderscoreInTRD{},
})
}

67
vendor/github.com/zmap/zlint/v2/lints/cabf_br/lint_dnsname_wildcard_left_of_public_suffix.go generated vendored Normal file
View File

@ -0,0 +1,67 @@
package cabf_br
/*
* ZLint Copyright 2020 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
)
type DNSNameWildcardLeftofPublicSuffix struct{}
func (l *DNSNameWildcardLeftofPublicSuffix) Initialize() error {
return nil
}
func (l *DNSNameWildcardLeftofPublicSuffix) CheckApplies(c *x509.Certificate) bool {
return util.IsSubscriberCert(c) && util.DNSNamesExist(c)
}
func (l *DNSNameWildcardLeftofPublicSuffix) Execute(c *x509.Certificate) *lint.LintResult {
if c.Subject.CommonName != "" && !util.CommonNameIsIP(c) {
domainInfo := c.GetParsedSubjectCommonName(false)
if domainInfo.ParseError != nil {
return &lint.LintResult{Status: lint.NA}
}
if domainInfo.ParsedDomain.SLD == "*" {
return &lint.LintResult{Status: lint.Warn}
}
}
parsedSANDNSNames := c.GetParsedDNSNames(false)
for i := range c.GetParsedDNSNames(false) {
if parsedSANDNSNames[i].ParseError != nil {
return &lint.LintResult{Status: lint.NA}
}
if parsedSANDNSNames[i].ParsedDomain.SLD == "*" {
return &lint.LintResult{Status: lint.Warn}
}
}
return &lint.LintResult{Status: lint.Pass}
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "w_dnsname_wildcard_left_of_public_suffix",
Description: "the CA MUST establish and follow a documented procedure[^pubsuffix] that determines if the wildcard character occurs in the first label position to the left of a “registrycontrolled” label or “public suffix”",
Citation: "BRs: 3.2.2.6",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &DNSNameWildcardLeftofPublicSuffix{},
})
}

69
vendor/github.com/zmap/zlint/v2/lints/cabf_br/lint_dnsname_wildcard_only_in_left_label.go generated vendored Normal file
View File

@ -0,0 +1,69 @@
package cabf_br
/*
* ZLint Copyright 2020 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
import (
"strings"
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
)
type DNSNameWildcardOnlyInLeftlabel struct{}
func (l *DNSNameWildcardOnlyInLeftlabel) Initialize() error {
return nil
}
func (l *DNSNameWildcardOnlyInLeftlabel) CheckApplies(c *x509.Certificate) bool {
return true
}
func wildcardNotInLeftLabel(domain string) bool {
labels := strings.Split(domain, ".")
if len(labels) > 1 {
labels = labels[1:]
for _, label := range labels {
if strings.Contains(label, "*") {
return true
}
}
}
return false
}
func (l *DNSNameWildcardOnlyInLeftlabel) Execute(c *x509.Certificate) *lint.LintResult {
if wildcardNotInLeftLabel(c.Subject.CommonName) {
return &lint.LintResult{Status: lint.Error}
}
for _, dns := range c.DNSNames {
if wildcardNotInLeftLabel(dns) {
return &lint.LintResult{Status: lint.Error}
}
}
return &lint.LintResult{Status: lint.Pass}
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_dnsname_wildcard_only_in_left_label",
Description: "DNSName should not have wildcards except in the left-most label",
Citation: "BRs: 7.1.4.2",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &DNSNameWildcardOnlyInLeftlabel{},
})
}

66
vendor/github.com/zmap/zlint/v2/lints/cabf_br/lint_dsa_correct_order_in_subgroup.go generated vendored Normal file
View File

@ -0,0 +1,66 @@
package cabf_br
/*
* ZLint Copyright 2020 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
import (
"crypto/dsa"
"math/big"
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
)
type dsaSubgroup struct{}
func (l *dsaSubgroup) Initialize() error {
return nil
}
func (l *dsaSubgroup) CheckApplies(c *x509.Certificate) bool {
if c.PublicKeyAlgorithm != x509.DSA {
return false
}
if _, ok := c.PublicKey.(*dsa.PublicKey); !ok {
return false
}
return true
}
func (l *dsaSubgroup) Execute(c *x509.Certificate) *lint.LintResult {
dsaKey, ok := c.PublicKey.(*dsa.PublicKey)
if !ok {
return &lint.LintResult{Status: lint.NA}
}
output := big.Int{}
// Enforce that Y^Q == 1 mod P, e.g. that Order(Y) == Q mod P.
output.Exp(dsaKey.Y, dsaKey.Q, dsaKey.P)
if output.Cmp(big.NewInt(1)) == 0 {
return &lint.LintResult{Status: lint.Pass}
}
return &lint.LintResult{Status: lint.Error}
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_dsa_correct_order_in_subgroup",
Description: "DSA: Public key value has the unique correct representation in the field, and that the key has the correct order in the subgroup",
Citation: "BRs: 6.1.6",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &dsaSubgroup{},
})
}

57
vendor/github.com/zmap/zlint/v2/lints/cabf_br/lint_dsa_improper_modulus_or_divisor_size.go generated vendored Normal file
View File

@ -0,0 +1,57 @@
package cabf_br
/*
* ZLint Copyright 2020 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
import (
"crypto/dsa"
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
)
type dsaImproperSize struct{}
func (l *dsaImproperSize) Initialize() error {
return nil
}
func (l *dsaImproperSize) CheckApplies(c *x509.Certificate) bool {
return c.PublicKeyAlgorithm == x509.DSA
}
func (l *dsaImproperSize) Execute(c *x509.Certificate) *lint.LintResult {
dsaKey, ok := c.PublicKey.(*dsa.PublicKey)
if !ok {
return &lint.LintResult{Status: lint.NA}
}
L := dsaKey.Parameters.P.BitLen()
N := dsaKey.Parameters.Q.BitLen()
if (L == 2048 && N == 224) || (L == 2048 && N == 256) || (L == 3072 && N == 256) {
return &lint.LintResult{Status: lint.Pass}
}
return &lint.LintResult{Status: lint.Error}
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_dsa_improper_modulus_or_divisor_size",
Description: "Certificates MUST meet the following requirements for DSA algorithm type and key size: L=2048 and N=224,256 or L=3072 and N=256",
Citation: "BRs: 6.1.5",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.ZeroDate,
Lint: &dsaImproperSize{},
})
}

59
vendor/github.com/zmap/zlint/v2/lints/cabf_br/lint_dsa_shorter_than_2048_bits.go generated vendored Normal file
View File

@ -0,0 +1,59 @@
package cabf_br
/*
* ZLint Copyright 2020 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
import (
"crypto/dsa"
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
)
type dsaTooShort struct{}
func (l *dsaTooShort) Initialize() error {
return nil
}
func (l *dsaTooShort) CheckApplies(c *x509.Certificate) bool {
return c.PublicKeyAlgorithm == x509.DSA
}
func (l *dsaTooShort) Execute(c *x509.Certificate) *lint.LintResult {
dsaKey, ok := c.PublicKey.(*dsa.PublicKey)
if !ok {
return &lint.LintResult{Status: lint.NA}
}
dsaParams := dsaKey.Parameters
L := dsaParams.P.BitLen()
N := dsaParams.Q.BitLen()
if L >= 2048 && N >= 244 {
return &lint.LintResult{Status: lint.Pass}
}
return &lint.LintResult{Status: lint.Error}
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_dsa_shorter_than_2048_bits",
Description: "DSA modulus size must be at least 2048 bits",
Citation: "BRs: 6.1.5",
// Refer to BRs: 6.1.5, taking the statement "Before 31 Dec 2010" literally
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.ZeroDate,
Lint: &dsaTooShort{},
})
}

60
vendor/github.com/zmap/zlint/v2/lints/cabf_br/lint_dsa_unique_correct_representation.go generated vendored Normal file
View File

@ -0,0 +1,60 @@
package cabf_br
/*
* ZLint Copyright 2020 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
import (
"crypto/dsa"
"math/big"
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
)
type dsaUniqueCorrectRepresentation struct{}
func (l *dsaUniqueCorrectRepresentation) Initialize() error {
return nil
}
func (l *dsaUniqueCorrectRepresentation) CheckApplies(c *x509.Certificate) bool {
return c.PublicKeyAlgorithm == x509.DSA
}
func (l *dsaUniqueCorrectRepresentation) Execute(c *x509.Certificate) *lint.LintResult {
dsaKey, ok := c.PublicKey.(*dsa.PublicKey)
if !ok {
return &lint.LintResult{Status: lint.NA}
}
// Verify that 2 ≤ y ≤ p-2.
two := big.NewInt(2)
pMinusTwo := big.NewInt(0)
pMinusTwo.Sub(dsaKey.P, two)
if two.Cmp(dsaKey.Y) > 0 || dsaKey.Y.Cmp(pMinusTwo) > 0 {
return &lint.LintResult{Status: lint.Error}
}
return &lint.LintResult{Status: lint.Pass}
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_dsa_unique_correct_representation",
Description: "DSA: Public key value has the unique correct representation in the field, and that the key has the correct order in the subgroup",
Citation: "BRs: 6.1.6",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &dsaUniqueCorrectRepresentation{},
})
}

71
vendor/github.com/zmap/zlint/v2/lints/cabf_br/lint_ec_improper_curves.go generated vendored Normal file
View File

@ -0,0 +1,71 @@
package cabf_br
/*
* ZLint Copyright 2020 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
/************************************************
BRs: 6.1.5
Certificates MUST meet the following requirements for algorithm type and key size.
ECC Curve: NIST P-256, P-384, or P-521
************************************************/
import (
"crypto/ecdsa"
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
)
type ecImproperCurves struct{}
func (l *ecImproperCurves) Initialize() error {
return nil
}
func (l *ecImproperCurves) CheckApplies(c *x509.Certificate) bool {
return c.PublicKeyAlgorithm == x509.ECDSA
}
func (l *ecImproperCurves) Execute(c *x509.Certificate) *lint.LintResult {
/* Declare theKey to be a ECDSA Public Key */
var theKey *ecdsa.PublicKey
/* Need to do different things based on what c.PublicKey is */
switch keyType := c.PublicKey.(type) {
case *x509.AugmentedECDSA:
theKey = keyType.Pub
case *ecdsa.PublicKey:
theKey = keyType
}
/* Now can actually check the params */
theParams := theKey.Curve.Params()
switch theParams.Name {
case "P-256", "P-384", "P-521":
return &lint.LintResult{Status: lint.Pass}
default:
return &lint.LintResult{Status: lint.Error}
}
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_ec_improper_curves",
Description: "Only one of NIST P256, P384, or P521 can be used",
Citation: "BRs: 6.1.5",
Source: lint.CABFBaselineRequirements,
// Refer to BRs: 6.1.5, taking the statement "Before 31 Dec 2010" literally
EffectiveDate: util.ZeroDate,
Lint: &ecImproperCurves{},
})
}

50
vendor/github.com/zmap/zlint/v2/lints/cabf_br/lint_ev_business_category_missing.go generated vendored Normal file
View File

@ -0,0 +1,50 @@
package cabf_br
/*
* ZLint Copyright 2020 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
)
type evNoBiz struct{}
func (l *evNoBiz) Initialize() error {
return nil
}
func (l *evNoBiz) CheckApplies(c *x509.Certificate) bool {
return util.IsEV(c.PolicyIdentifiers) && util.IsSubscriberCert(c)
}
func (l *evNoBiz) Execute(c *x509.Certificate) *lint.LintResult {
if util.TypeInName(&c.Subject, util.BusinessOID) {
return &lint.LintResult{Status: lint.Pass}
} else {
return &lint.LintResult{Status: lint.Error}
}
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_ev_business_category_missing",
Description: "EV certificates must include businessCategory in subject",
Citation: "BRs: 7.1.6.1",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.ZeroDate,
Lint: &evNoBiz{},
})
}

50
vendor/github.com/zmap/zlint/v2/lints/cabf_br/lint_ev_country_name_missing.go generated vendored Normal file
View File

@ -0,0 +1,50 @@
package cabf_br
/*
* ZLint Copyright 2020 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
)
type evCountryMissing struct{}
func (l *evCountryMissing) Initialize() error {
return nil
}
func (l *evCountryMissing) CheckApplies(c *x509.Certificate) bool {
return util.IsEV(c.PolicyIdentifiers) && util.IsSubscriberCert(c)
}
func (l *evCountryMissing) Execute(c *x509.Certificate) *lint.LintResult {
if util.TypeInName(&c.Subject, util.CountryNameOID) {
return &lint.LintResult{Status: lint.Pass}
} else {
return &lint.LintResult{Status: lint.Error}
}
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_ev_country_name_missing",
Description: "EV certificates must include countryName in subject",
Citation: "BRs: 7.1.6.1",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.ZeroDate,
Lint: &evCountryMissing{},
})
}

50
vendor/github.com/zmap/zlint/v2/lints/cabf_br/lint_ev_organization_name_missing.go generated vendored Normal file
View File

@ -0,0 +1,50 @@
package cabf_br
/*
* ZLint Copyright 2020 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
)
type evOrgMissing struct{}
func (l *evOrgMissing) Initialize() error {
return nil
}
func (l *evOrgMissing) CheckApplies(c *x509.Certificate) bool {
return util.IsEV(c.PolicyIdentifiers) && util.IsSubscriberCert(c)
}
func (l *evOrgMissing) Execute(c *x509.Certificate) *lint.LintResult {
if util.TypeInName(&c.Subject, util.OrganizationNameOID) {
return &lint.LintResult{Status: lint.Pass}
} else {
return &lint.LintResult{Status: lint.Error}
}
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_ev_organization_name_missing",
Description: "EV certificates must include organizationName in subject",
Citation: "BRs: 7.1.6.1",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.ZeroDate,
Lint: &evOrgMissing{},
})
}

49
vendor/github.com/zmap/zlint/v2/lints/cabf_br/lint_ev_serial_number_missing.go generated vendored Normal file
View File

@ -0,0 +1,49 @@
package cabf_br
/*
* ZLint Copyright 2020 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
)
type evSNMissing struct{}
func (l *evSNMissing) Initialize() error {
return nil
}
func (l *evSNMissing) CheckApplies(c *x509.Certificate) bool {
return util.IsEV(c.PolicyIdentifiers) && util.IsSubscriberCert(c)
}
func (l *evSNMissing) Execute(c *x509.Certificate) *lint.LintResult {
if len(c.Subject.SerialNumber) == 0 {
return &lint.LintResult{Status: lint.Error}
}
return &lint.LintResult{Status: lint.Pass}
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_ev_serial_number_missing",
Description: "EV certificates must include serialNumber in subject",
Citation: "EV gudelines: 9.2.6",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.ZeroDate,
Lint: &evSNMissing{},
})
}

49
vendor/github.com/zmap/zlint/v2/lints/cabf_br/lint_ev_valid_time_too_long.go generated vendored Normal file
View File

@ -0,0 +1,49 @@
package cabf_br
/*
* ZLint Copyright 2020 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
)
type evValidTooLong struct{}
func (l *evValidTooLong) Initialize() error {
return nil
}
func (l *evValidTooLong) CheckApplies(c *x509.Certificate) bool {
return util.IsEV(c.PolicyIdentifiers) && util.IsSubscriberCert(c)
}
func (l *evValidTooLong) Execute(c *x509.Certificate) *lint.LintResult {
if c.NotBefore.AddDate(0, 0, 825).Before(c.NotAfter) {
return &lint.LintResult{Status: lint.Error}
}
return &lint.LintResult{Status: lint.Pass}
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_ev_valid_time_too_long",
Description: "EV certificates must be 825 days in validity or less",
Citation: "BRs: 6.3.2",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.ZeroDate,
Lint: &evValidTooLong{},
})
}

61
vendor/github.com/zmap/zlint/v2/lints/cabf_br/lint_ext_san_contains_reserved_ip.go generated vendored Normal file
View File

@ -0,0 +1,61 @@
package cabf_br
/*
* ZLint Copyright 2020 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
/************************************************
BRs: 7.1.4.2.1
Also as of the Effective Date, the CA SHALL NOT
issue a certificate with an Expiry Date later than
1 November 2015 with a subjectAlternativeName extension
or Subject commonName field containing a Reserved IP
Address or Internal Name.
************************************************/
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
)
type SANReservedIP struct{}
func (l *SANReservedIP) Initialize() error {
return nil
}
func (l *SANReservedIP) CheckApplies(c *x509.Certificate) bool {
return c.NotAfter.After(util.NoReservedIP)
}
func (l *SANReservedIP) Execute(c *x509.Certificate) *lint.LintResult {
for _, ip := range c.IPAddresses {
if util.IsIANAReserved(ip) {
return &lint.LintResult{Status: lint.Error}
}
}
return &lint.LintResult{Status: lint.Pass}
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_ext_san_contains_reserved_ip",
Description: "Effective October 1, 2016, CAs must revoke all unexpired certificates that contains a reserved IP or internal name.",
Citation: "BRs: 7.1.4.2.1",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &SANReservedIP{},
})
}

61
vendor/github.com/zmap/zlint/v2/lints/cabf_br/lint_ext_san_critical_with_subject_dn.go generated vendored Normal file
View File

@ -0,0 +1,61 @@
package cabf_br
/*
* ZLint Copyright 2020 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
/************************************************
Further, if the only subject identity included in the certificate is an
alternative name form (e.g., an electronic mail address), then the subject
distinguished name MUST be empty (an empty sequence), and the subjectAltName
extension MUST be present. If the subject field contains an empty sequence,
then the issuing CA MUST include a subjectAltName extension that is marked as
critical. When including the subjectAltName extension in a certificate that
has a non-empty subject distinguished name, conforming CAs SHOULD mark the
subjectAltName extension as non-critical.
************************************************/
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
)
type ExtSANCriticalWithSubjectDN struct{}
func (l *ExtSANCriticalWithSubjectDN) Initialize() error {
return nil
}
func (l *ExtSANCriticalWithSubjectDN) CheckApplies(cert *x509.Certificate) bool {
return util.IsExtInCert(cert, util.SubjectAlternateNameOID)
}
func (l *ExtSANCriticalWithSubjectDN) Execute(cert *x509.Certificate) *lint.LintResult {
san := util.GetExtFromCert(cert, util.SubjectAlternateNameOID)
if san.Critical && util.NotAllNameFieldsAreEmpty(&cert.Subject) {
return &lint.LintResult{Status: lint.Warn}
}
return &lint.LintResult{Status: lint.Pass}
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "w_ext_san_critical_with_subject_dn",
Description: "If the subject contains a distinguished name, subjectAlternateName SHOULD be non-critical",
Citation: "RFC 5280: 4.2.1.6",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.RFC5280Date,
Lint: &ExtSANCriticalWithSubjectDN{},
})
}

60
vendor/github.com/zmap/zlint/v2/lints/cabf_br/lint_ext_san_directory_name_present.go generated vendored Normal file
View File

@ -0,0 +1,60 @@
package cabf_br
/*
* ZLint Copyright 2020 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
/************************************************************************************************************
7.1.4.2.1. Subject Alternative Name Extension
Certificate Field: extensions:subjectAltName
Required/Optional: Required
Contents: This extension MUST contain at least one entry. Each entry MUST be either a dNSName containing
the FullyQualified Domain Name or an iPAddress containing the IP address of a server. The CA MUST
confirm that the Applicant controls the FullyQualified Domain Name or IP address or has been granted the
right to use it by the Domain Name Registrant or IP address assignee, as appropriate.
Wildcard FQDNs are permitted.
*************************************************************************************************************/
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
)
type SANDirName struct{}
func (l *SANDirName) Initialize() error {
return nil
}
func (l *SANDirName) CheckApplies(c *x509.Certificate) bool {
return util.IsExtInCert(c, util.SubjectAlternateNameOID)
}
func (l *SANDirName) Execute(c *x509.Certificate) *lint.LintResult {
if c.DirectoryNames != nil {
return &lint.LintResult{Status: lint.Error}
}
return &lint.LintResult{Status: lint.Pass}
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_ext_san_directory_name_present",
Description: "The Subject Alternate Name extension MUST contain only 'dnsName' and 'ipaddress' name types",
Citation: "BRs: 7.1.4.2.1",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &SANDirName{},
})
}

60
vendor/github.com/zmap/zlint/v2/lints/cabf_br/lint_ext_san_edi_party_name_present.go generated vendored Normal file
View File

@ -0,0 +1,60 @@
package cabf_br
/*
* ZLint Copyright 2020 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
/************************************************************************************************************
7.1.4.2.1. Subject Alternative Name Extension
Certificate Field: extensions:subjectAltName
Required/Optional: Required
Contents: This extension MUST contain at least one entry. Each entry MUST be either a dNSName containing
the FullyQualified Domain Name or an iPAddress containing the IP address of a server. The CA MUST
confirm that the Applicant controls the FullyQualified Domain Name or IP address or has been granted the
right to use it by the Domain Name Registrant or IP address assignee, as appropriate.
Wildcard FQDNs are permitted.
*************************************************************************************************************/
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
)
type SANEDI struct{}
func (l *SANEDI) Initialize() error {
return nil
}
func (l *SANEDI) CheckApplies(c *x509.Certificate) bool {
return util.IsExtInCert(c, util.SubjectAlternateNameOID)
}
func (l *SANEDI) Execute(c *x509.Certificate) *lint.LintResult {
if c.EDIPartyNames != nil {
return &lint.LintResult{Status: lint.Error}
}
return &lint.LintResult{Status: lint.Pass}
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_ext_san_edi_party_name_present",
Description: "The Subject Alternate Name extension MUST contain only 'dnsName' and 'ipaddress' name types",
Citation: "BRs: 7.1.4.2.1",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &SANEDI{},
})
}

57
vendor/github.com/zmap/zlint/v2/lints/cabf_br/lint_ext_san_missing.go generated vendored Normal file
View File

@ -0,0 +1,57 @@
package cabf_br
/*
* ZLint Copyright 2020 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
/************************************************
BRs: 7.1.4.2.1
Subject Alternative Name Extension
Certificate Field: extensions:subjectAltName
Required/Optional: Required
************************************************/
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
)
type SANMissing struct{}
func (l *SANMissing) Initialize() error {
return nil
}
func (l *SANMissing) CheckApplies(c *x509.Certificate) bool {
return !util.IsCACert(c)
}
func (l *SANMissing) Execute(c *x509.Certificate) *lint.LintResult {
if util.IsExtInCert(c, util.SubjectAlternateNameOID) {
return &lint.LintResult{Status: lint.Pass}
} else {
return &lint.LintResult{Status: lint.Error}
}
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_ext_san_missing",
Description: "Subscriber certificates MUST contain the Subject Alternate Name extension",
Citation: "BRs: 7.1.4.2.1",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &SANMissing{},
})
}

60
vendor/github.com/zmap/zlint/v2/lints/cabf_br/lint_ext_san_other_name_present.go generated vendored Normal file
View File

@ -0,0 +1,60 @@
package cabf_br
/*
* ZLint Copyright 2020 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
/************************************************************************************************************
7.1.4.2.1. Subject Alternative Name Extension
Certificate Field: extensions:subjectAltName
Required/Optional: Required
Contents: This extension MUST contain at least one entry. Each entry MUST be either a dNSName containing
the FullyQualified Domain Name or an iPAddress containing the IP address of a server. The CA MUST
confirm that the Applicant controls the FullyQualified Domain Name or IP address or has been granted the
right to use it by the Domain Name Registrant or IP address assignee, as appropriate.
Wildcard FQDNs are permitted.
*************************************************************************************************************/
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
)
type SANOtherName struct{}
func (l *SANOtherName) Initialize() error {
return nil
}
func (l *SANOtherName) CheckApplies(c *x509.Certificate) bool {
return util.IsExtInCert(c, util.SubjectAlternateNameOID)
}
func (l *SANOtherName) Execute(c *x509.Certificate) *lint.LintResult {
if c.OtherNames != nil {
return &lint.LintResult{Status: lint.Error}
}
return &lint.LintResult{Status: lint.Pass}
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_ext_san_other_name_present",
Description: "The Subject Alternate Name extension MUST contain only 'dnsName' and 'ipaddress' name types.",
Citation: "BRs: 7.1.4.2.1",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &SANOtherName{},
})
}

60
vendor/github.com/zmap/zlint/v2/lints/cabf_br/lint_ext_san_registered_id_present.go generated vendored Normal file
View File

@ -0,0 +1,60 @@
package cabf_br
/*
* ZLint Copyright 2020 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
/************************************************************************************************************
7.1.4.2.1. Subject Alternative Name Extension
Certificate Field: extensions:subjectAltName
Required/Optional: Required
Contents: This extension MUST contain at least one entry. Each entry MUST be either a dNSName containing
the FullyQualified Domain Name or an iPAddress containing the IP address of a server. The CA MUST
confirm that the Applicant controls the FullyQualified Domain Name or IP address or has been granted the
right to use it by the Domain Name Registrant or IP address assignee, as appropriate.
Wildcard FQDNs are permitted.
*************************************************************************************************************/
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
)
type SANRegId struct{}
func (l *SANRegId) Initialize() error {
return nil
}
func (l *SANRegId) CheckApplies(c *x509.Certificate) bool {
return util.IsExtInCert(c, util.SubjectAlternateNameOID)
}
func (l *SANRegId) Execute(c *x509.Certificate) *lint.LintResult {
if c.RegisteredIDs != nil {
return &lint.LintResult{Status: lint.Error}
}
return &lint.LintResult{Status: lint.Pass}
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_ext_san_registered_id_present",
Description: "The Subject Alternate Name extension MUST contain only 'dnsName' and 'ipaddress' name types.",
Citation: "BRs: 7.1.4.2.1",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &SANRegId{},
})
}

60
vendor/github.com/zmap/zlint/v2/lints/cabf_br/lint_ext_san_rfc822_name_present.go generated vendored Normal file
View File

@ -0,0 +1,60 @@
package cabf_br
/*
* ZLint Copyright 2020 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
/************************************************************************************************************
7.1.4.2.1. Subject Alternative Name Extension
Certificate Field: extensions:subjectAltName
Required/Optional: Required
Contents: This extension MUST contain at least one entry. Each entry MUST be either a dNSName containing
the FullyQualified Domain Name or an iPAddress containing the IP address of a server. The CA MUST
confirm that the Applicant controls the FullyQualified Domain Name or IP address or has been granted the
right to use it by the Domain Name Registrant or IP address assignee, as appropriate.
Wildcard FQDNs are permitted.
*************************************************************************************************************/
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
)
type SANRfc822 struct{}
func (l *SANRfc822) Initialize() error {
return nil
}
func (l *SANRfc822) CheckApplies(c *x509.Certificate) bool {
return util.IsExtInCert(c, util.SubjectAlternateNameOID)
}
func (l *SANRfc822) Execute(c *x509.Certificate) *lint.LintResult {
if c.EmailAddresses != nil {
return &lint.LintResult{Status: lint.Error}
}
return &lint.LintResult{Status: lint.Pass}
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_ext_san_rfc822_name_present",
Description: "The Subject Alternate Name extension MUST contain only 'dnsName' and 'ipaddress' name types.",
Citation: "BRs: 7.1.4.2.1",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &SANRfc822{},
})
}

60
vendor/github.com/zmap/zlint/v2/lints/cabf_br/lint_ext_san_uniform_resource_identifier_present.go generated vendored Normal file
View File

@ -0,0 +1,60 @@
package cabf_br
/*
* ZLint Copyright 2020 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
/************************************************************************************************************
7.1.4.2.1. Subject Alternative Name Extension
Certificate Field: extensions:subjectAltName
Required/Optional: Required
Contents: This extension MUST contain at least one entry. Each entry MUST be either a dNSName containing
the FullyQualified Domain Name or an iPAddress containing the IP address of a server. The CA MUST
confirm that the Applicant controls the FullyQualified Domain Name or IP address or has been granted the
right to use it by the Domain Name Registrant or IP address assignee, as appropriate.
Wildcard FQDNs are permitted.
*************************************************************************************************************/
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
)
type SANURI struct{}
func (l *SANURI) Initialize() error {
return nil
}
func (l *SANURI) CheckApplies(c *x509.Certificate) bool {
return util.IsExtInCert(c, util.SubjectAlternateNameOID)
}
func (l *SANURI) Execute(c *x509.Certificate) *lint.LintResult {
if c.URIs != nil {
return &lint.LintResult{Status: lint.Error}
}
return &lint.LintResult{Status: lint.Pass}
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_ext_san_uniform_resource_identifier_present",
Description: "The Subject Alternate Name extension MUST contain only 'dnsName' and 'ipaddress' name types",
Citation: "BRs: 7.1.4.2.1",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &SANURI{},
})
}

213
vendor/github.com/zmap/zlint/v2/lints/cabf_br/lint_ext_tor_service_descriptor_hash_invalid.go generated vendored Normal file
View File

@ -0,0 +1,213 @@
/*
* ZLint Copyright 2020 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
package cabf_br
import (
"fmt"
"net/url"
"strings"
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
)
const onionTLD = ".onion"
type torServiceDescHashInvalid struct{}
func (l *torServiceDescHashInvalid) Initialize() error {
// There is nothing to initialize for a torServiceDescHashInvalid linter.
return nil
}
// CheckApplies returns true if the certificate is a subscriber certificate that
// contains a subject name ending in `.onion`.
func (l *torServiceDescHashInvalid) CheckApplies(c *x509.Certificate) bool {
return util.IsSubscriberCert(c) && util.CertificateSubjInTLD(c, onionTLD)
}
// failResult is a small utility function for creating a failed lint result.
func failResult(format string, args ...interface{}) *lint.LintResult {
return &lint.LintResult{
Status: lint.Error,
Details: fmt.Sprintf(format, args...),
}
}
// torServiceDescExtName is a common string prefix used in many lint result
// detail messages to identify the extension at fault.
var torServiceDescExtName = fmt.Sprintf(
"TorServiceDescriptor extension (oid %s)",
util.BRTorServiceDescriptor.String())
// lintOnionURL verifies that an Onion URI value from a TorServiceDescriptorHash
// is:
//
// 1) a valid parseable url.
// 2) a URL with a non-empty hostname
// 3) a URL with an https:// protocol scheme
//
// If all of the above hold then nil is returned. If any of the above conditions
// are not met an error lint result pointer is returned.
func lintOnionURL(onion string) *lint.LintResult {
if onionURL, err := url.Parse(onion); err != nil {
return failResult(
"%s contained "+
"TorServiceDescriptorHash object with invalid Onion URI",
torServiceDescExtName)
} else if onionURL.Host == "" {
return failResult(
"%s contained "+
"TorServiceDescriptorHash object with Onion URI missing a hostname",
torServiceDescExtName)
} else if onionURL.Scheme != "https" {
return failResult(
"%s contained "+
"TorServiceDescriptorHash object with Onion URI using a non-HTTPS "+
"protocol scheme",
torServiceDescExtName)
}
return nil
}
// Execute will lint the provided certificate. An lint.Error lint.LintResult will be
// returned if:
//
// 1) There is no TorServiceDescriptor extension present.
// 2) There were no TorServiceDescriptors parsed by zcrypto
// 3) There are TorServiceDescriptorHash entries with an invalid Onion URL.
// 4) There are TorServiceDescriptorHash entries with an unknown hash
// algorithm or incorrect hash bit length.
// 5) There is a TorServiceDescriptorHash entry that doesn't correspond to
// an onion subject in the cert.
// 6) There is an onion subject in the cert that doesn't correspond to
// a TorServiceDescriptorHash.
func (l *torServiceDescHashInvalid) Execute(c *x509.Certificate) *lint.LintResult {
// If the BRTorServiceDescriptor extension is missing return a lint error. We
// know the cert contains one or more `.onion` subjects because of
// `CheckApplies` and all such certs are expected to have this extension after
// util.CABV201Date.
if ext := util.GetExtFromCert(c, util.BRTorServiceDescriptor); ext == nil {
return failResult(
"certificate contained a %s domain but is missing a TorServiceDescriptor "+
"extension (oid %s)",
onionTLD, util.BRTorServiceDescriptor.String())
}
// The certificate should have at least one TorServiceDescriptorHash in the
// TorServiceDescriptor extension.
descriptors := c.TorServiceDescriptors
if len(descriptors) == 0 {
return failResult(
"certificate contained a %s domain but TorServiceDescriptor "+
"extension (oid %s) had no TorServiceDescriptorHash objects",
onionTLD, util.BRTorServiceDescriptor.String())
}
// Build a map of all the eTLD+1 onion subjects in the cert to compare against
// the service descriptors.
onionETLDPlusOneMap := make(map[string]string)
for _, subj := range append(c.DNSNames, c.Subject.CommonName) {
if !strings.HasSuffix(subj, onionTLD) {
continue
}
labels := strings.Split(subj, ".")
if len(labels) < 2 {
return failResult("certificate contained a %s domain with too few "+
"labels: %q",
onionTLD, subj)
}
eTLDPlusOne := strings.Join(labels[len(labels)-2:], ".")
onionETLDPlusOneMap[eTLDPlusOne] = subj
}
expectedHashBits := map[string]int{
"SHA256": 256,
"SHA384": 384,
"SHA512": 512,
}
// Build a map of onion hostname -> TorServiceDescriptorHash using the parsed
// TorServiceDescriptors from zcrypto.
descriptorMap := make(map[string]*x509.TorServiceDescriptorHash)
for _, descriptor := range descriptors {
// each descriptor's Onion URL must be valid
if errResult := lintOnionURL(descriptor.Onion); errResult != nil {
return errResult
}
// each descriptor should have a known hash algorithm and the correct
// corresponding size of hash.
if expectedBits, found := expectedHashBits[descriptor.AlgorithmName]; !found {
return failResult(
"%s contained a TorServiceDescriptorHash for Onion URI %q with an "+
"unknown hash algorithm",
torServiceDescExtName, descriptor.Onion)
} else if expectedBits != descriptor.HashBits {
return failResult(
"%s contained a TorServiceDescriptorHash with hash algorithm %q but "+
"only %d bits of hash not %d",
torServiceDescExtName, descriptor.AlgorithmName,
descriptor.HashBits, expectedBits)
}
// NOTE(@cpu): Throwing out the err result here because lintOnionURL already
// ensured the URL is valid.
url, _ := url.Parse(descriptor.Onion)
hostname := url.Hostname()
// there should only be one TorServiceDescriptorHash for each Onion hostname.
if _, exists := descriptorMap[hostname]; exists {
return failResult(
"%s contained more than one TorServiceDescriptorHash for base "+
"Onion URI %q",
torServiceDescExtName, descriptor.Onion)
}
// there shouldn't be a TorServiceDescriptorHash for a Onion hostname that
// isn't an eTLD+1 in the certificate's subjects.
if _, found := onionETLDPlusOneMap[hostname]; !found {
return failResult(
"%s contained a TorServiceDescriptorHash with a hostname (%q) not "+
"present as a subject in the certificate",
torServiceDescExtName, hostname)
}
descriptorMap[hostname] = descriptor
}
// Check if any of the onion subjects in the certificate don't have
// a TorServiceDescriptorHash for the eTLD+1 in the descriptorMap.
for eTLDPlusOne, subjDomain := range onionETLDPlusOneMap {
if _, found := descriptorMap[eTLDPlusOne]; !found {
return failResult(
"%s subject domain name %q does not have a corresponding "+
"TorServiceDescriptorHash for its eTLD+1",
onionTLD, subjDomain)
}
}
// Everything checks out!
return &lint.LintResult{
Status: lint.Pass,
}
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_ext_tor_service_descriptor_hash_invalid",
Description: "certificates with .onion names need valid TorServiceDescriptors in extension",
Citation: "BRS: Ballot 201",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABV201Date,
Lint: &torServiceDescHashInvalid{},
})
}

52
vendor/github.com/zmap/zlint/v2/lints/cabf_br/lint_extra_subject_common_names.go generated vendored Normal file
View File

@ -0,0 +1,52 @@
/*
* ZLint Copyright 2020 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
package cabf_br
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
)
type extraSubjectCommonNames struct{}
func (l *extraSubjectCommonNames) Initialize() error {
return nil
}
func (l *extraSubjectCommonNames) CheckApplies(c *x509.Certificate) bool {
return util.IsSubscriberCert(c)
}
func (l *extraSubjectCommonNames) Execute(c *x509.Certificate) *lint.LintResult {
// Multiple subject commonName fields are not expressly prohibited by section
// 7.1.4.2.2 but do seem to run afoul of the intent. For that reason we return
// only a lint.Warn level finding here.
if len(c.Subject.CommonNames) > 1 {
return &lint.LintResult{Status: lint.Warn}
}
return &lint.LintResult{Status: lint.Pass}
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "w_extra_subject_common_names",
Description: "if present the subject commonName field MUST contain a single IP address or Fully-Qualified Domain Name",
Citation: "BRs: 7.1.4.2.2",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &extraSubjectCommonNames{},
})
}

53
vendor/github.com/zmap/zlint/v2/lints/cabf_br/lint_invalid_certificate_version.go generated vendored Normal file
View File

@ -0,0 +1,53 @@
package cabf_br
/*
* ZLint Copyright 2020 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
/************************************************
Certificates MUST be of type X.509 v3.
************************************************/
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
)
type InvalidCertificateVersion struct{}
func (l *InvalidCertificateVersion) Initialize() error {
return nil
}
func (l *InvalidCertificateVersion) CheckApplies(cert *x509.Certificate) bool {
return true
}
func (l *InvalidCertificateVersion) Execute(cert *x509.Certificate) *lint.LintResult {
if cert.Version != 3 {
return &lint.LintResult{Status: lint.Error}
}
return &lint.LintResult{Status: lint.Pass}
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_invalid_certificate_version",
Description: "Certificates MUST be of type X.590 v3",
Citation: "BRs: 7.1.1",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABV130Date,
Lint: &InvalidCertificateVersion{},
})
}

55
vendor/github.com/zmap/zlint/v2/lints/cabf_br/lint_old_root_ca_rsa_mod_less_than_2048_bits.go generated vendored Normal file
View File

@ -0,0 +1,55 @@
package cabf_br
/*
* ZLint Copyright 2020 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
import (
"crypto/rsa"
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
)
type rootCaModSize struct{}
func (l *rootCaModSize) Initialize() error {
return nil
}
func (l *rootCaModSize) CheckApplies(c *x509.Certificate) bool {
issueDate := c.NotBefore
_, ok := c.PublicKey.(*rsa.PublicKey)
return ok && c.PublicKeyAlgorithm == x509.RSA && util.IsRootCA(c) && issueDate.Before(util.NoRSA1024RootDate)
}
func (l *rootCaModSize) Execute(c *x509.Certificate) *lint.LintResult {
key := c.PublicKey.(*rsa.PublicKey)
if key.N.BitLen() < 2048 {
return &lint.LintResult{Status: lint.Error}
} else {
return &lint.LintResult{Status: lint.Pass}
}
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_old_root_ca_rsa_mod_less_than_2048_bits",
Description: "In a validity period beginning on or before 31 Dec 2010, root CA certificates using RSA public key algorithm MUST use a 2048 bit modulus",
Citation: "BRs: 6.1.5",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.ZeroDate,
Lint: &rootCaModSize{},
})
}

59
vendor/github.com/zmap/zlint/v2/lints/cabf_br/lint_old_sub_ca_rsa_mod_less_than_1024_bits.go generated vendored Normal file
View File

@ -0,0 +1,59 @@
package cabf_br
/*
* ZLint Copyright 2020 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
// CHANGE THIS COMMENT TO MATCH SOURCE TEXT
import (
"crypto/rsa"
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
)
type subCaModSize struct{}
func (l *subCaModSize) Initialize() error {
return nil
}
func (l *subCaModSize) CheckApplies(c *x509.Certificate) bool {
issueDate := c.NotBefore
endDate := c.NotAfter
_, ok := c.PublicKey.(*rsa.PublicKey)
return ok && util.IsSubCA(c) && issueDate.Before(util.NoRSA1024RootDate) && endDate.Before(util.NoRSA1024Date)
}
func (l *subCaModSize) Execute(c *x509.Certificate) *lint.LintResult {
key := c.PublicKey.(*rsa.PublicKey)
if key.N.BitLen() < 1024 {
return &lint.LintResult{Status: lint.Error}
} else {
return &lint.LintResult{Status: lint.Pass}
}
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_old_sub_ca_rsa_mod_less_than_1024_bits",
Description: "In a validity period beginning on or before 31 Dec 2010 and ending on or before 31 Dec 2013, subordinate CA certificates using RSA public key algorithm MUST use a 1024 bit modulus",
Citation: "BRs: 6.1.5",
Source: lint.CABFBaselineRequirements,
// since effective date should be checked against end date in this specific case, putting time check into checkApplies instead, ZeroDate here to automatically pass NE test
EffectiveDate: util.ZeroDate,
Lint: &subCaModSize{},
})
}

56
vendor/github.com/zmap/zlint/v2/lints/cabf_br/lint_old_sub_cert_rsa_mod_less_than_1024_bits.go generated vendored Normal file
View File

@ -0,0 +1,56 @@
package cabf_br
/*
* ZLint Copyright 2020 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
import (
"crypto/rsa"
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
)
type subModSize struct{}
func (l *subModSize) Initialize() error {
return nil
}
func (l *subModSize) CheckApplies(c *x509.Certificate) bool {
endDate := c.NotAfter
_, ok := c.PublicKey.(*rsa.PublicKey)
return ok && c.PublicKeyAlgorithm == x509.RSA && !util.IsCACert(c) && endDate.Before(util.NoRSA1024Date)
}
func (l *subModSize) Execute(c *x509.Certificate) *lint.LintResult {
key := c.PublicKey.(*rsa.PublicKey)
if key.N.BitLen() < 1024 {
return &lint.LintResult{Status: lint.Error}
} else {
return &lint.LintResult{Status: lint.Pass}
}
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_old_sub_cert_rsa_mod_less_than_1024_bits",
Description: "In a validity period ending on or before 31 Dec 2013, subscriber certificates using RSA public key algorithm MUST use a 1024 bit modulus",
Citation: "BRs: 6.1.5",
Source: lint.CABFBaselineRequirements,
// since effective date should be checked against end date in this specific case, putting time check into checkApplies instead, ZeroDate here to automatically pass NE test
EffectiveDate: util.ZeroDate,
Lint: &subModSize{},
})
}

51
vendor/github.com/zmap/zlint/v2/lints/cabf_br/lint_public_key_type_not_allowed.go generated vendored Normal file
View File

@ -0,0 +1,51 @@
package cabf_br
/*
* ZLint Copyright 2020 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
)
type publicKeyAllowed struct{}
func (l *publicKeyAllowed) Initialize() error {
return nil
}
func (l *publicKeyAllowed) CheckApplies(c *x509.Certificate) bool {
return true
}
func (l *publicKeyAllowed) Execute(c *x509.Certificate) *lint.LintResult {
alg := c.PublicKeyAlgorithm
if alg != x509.UnknownPublicKeyAlgorithm {
return &lint.LintResult{Status: lint.Pass}
} else {
return &lint.LintResult{Status: lint.Error}
}
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_public_key_type_not_allowed",
Description: "Certificates MUST have RSA, DSA, or ECDSA public key type",
Citation: "BRs: 6.1.5",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &publicKeyAllowed{},
})
}

71
vendor/github.com/zmap/zlint/v2/lints/cabf_br/lint_root_ca_basic_constraints_path_len_constraint_field_present.go generated vendored Normal file
View File

@ -0,0 +1,71 @@
package cabf_br
/*
* ZLint Copyright 2020 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
/************************************************************************************************************
7.1.2.1. Root CA Certificate
a. basicConstraints
This extension MUST appear as a critical extension. The cA field MUST be set true. The pathLenConstraint field SHOULD NOT be present.
***********************************************************************************************************/
import (
"encoding/asn1"
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
)
type rootCaPathLenPresent struct{}
func (l *rootCaPathLenPresent) Initialize() error {
return nil
}
func (l *rootCaPathLenPresent) CheckApplies(c *x509.Certificate) bool {
return util.IsRootCA(c) && util.IsExtInCert(c, util.BasicConstOID)
}
func (l *rootCaPathLenPresent) Execute(c *x509.Certificate) *lint.LintResult {
bc := util.GetExtFromCert(c, util.BasicConstOID)
var seq asn1.RawValue
var isCa bool
_, err := asn1.Unmarshal(bc.Value, &seq)
if err != nil {
return &lint.LintResult{Status: lint.Fatal}
}
if len(seq.Bytes) == 0 {
return &lint.LintResult{Status: lint.Pass}
}
rest, err := asn1.Unmarshal(seq.Bytes, &isCa)
if err != nil {
return &lint.LintResult{Status: lint.Fatal}
}
if len(rest) > 0 {
return &lint.LintResult{Status: lint.Warn}
}
return &lint.LintResult{Status: lint.Pass}
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "w_root_ca_basic_constraints_path_len_constraint_field_present",
Description: "Root CA certificate basicConstraint extension pathLenConstraint field SHOULD NOT be present",
Citation: "BRs: 7.1.2.1",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &rootCaPathLenPresent{},
})
}

55
vendor/github.com/zmap/zlint/v2/lints/cabf_br/lint_root_ca_contains_cert_policy.go generated vendored Normal file
View File

@ -0,0 +1,55 @@
package cabf_br
/*
* ZLint Copyright 2020 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
/************************************************
BRs: 7.1.2.1c certificatePolicies
This extension SHOULD NOT be present.
************************************************/
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
)
type rootCAContainsCertPolicy struct{}
func (l *rootCAContainsCertPolicy) Initialize() error {
return nil
}
func (l *rootCAContainsCertPolicy) CheckApplies(c *x509.Certificate) bool {
return util.IsRootCA(c)
}
func (l *rootCAContainsCertPolicy) Execute(c *x509.Certificate) *lint.LintResult {
if util.IsExtInCert(c, util.CertPolicyOID) {
return &lint.LintResult{Status: lint.Warn}
} else {
return &lint.LintResult{Status: lint.Pass}
}
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "w_root_ca_contains_cert_policy",
Description: "Root CA Certificate: certificatePolicies SHOULD NOT be present.",
Citation: "BRs: 7.1.2.1",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &rootCAContainsCertPolicy{},
})
}

55
vendor/github.com/zmap/zlint/v2/lints/cabf_br/lint_root_ca_extended_key_usage_present.go generated vendored Normal file
View File

@ -0,0 +1,55 @@
package cabf_br
/*
* ZLint Copyright 2020 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
/************************************************
BRs: 7.1.2.1d extendedKeyUsage
This extension MUST NOT be present.
************************************************/
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
)
type rootCAContainsEKU struct{}
func (l *rootCAContainsEKU) Initialize() error {
return nil
}
func (l *rootCAContainsEKU) CheckApplies(c *x509.Certificate) bool {
return util.IsRootCA(c)
}
func (l *rootCAContainsEKU) Execute(c *x509.Certificate) *lint.LintResult {
if util.IsExtInCert(c, util.EkuSynOid) {
return &lint.LintResult{Status: lint.Error}
} else {
return &lint.LintResult{Status: lint.Pass}
}
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_root_ca_extended_key_usage_present",
Description: "Root CA Certificate: extendedKeyUsage MUST NOT be present.t",
Citation: "BRs: 7.1.2.1",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &rootCAContainsEKU{},
})
}

51
vendor/github.com/zmap/zlint/v2/lints/cabf_br/lint_root_ca_key_usage_must_be_critical.go generated vendored Normal file
View File

@ -0,0 +1,51 @@
package cabf_br
/*
* ZLint Copyright 2020 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
)
type rootCAKeyUsageMustBeCritical struct{}
func (l *rootCAKeyUsageMustBeCritical) Initialize() error {
return nil
}
func (l *rootCAKeyUsageMustBeCritical) CheckApplies(c *x509.Certificate) bool {
return util.IsRootCA(c) && util.IsExtInCert(c, util.KeyUsageOID)
}
func (l *rootCAKeyUsageMustBeCritical) Execute(c *x509.Certificate) *lint.LintResult {
keyUsageExtension := util.GetExtFromCert(c, util.KeyUsageOID)
if keyUsageExtension.Critical {
return &lint.LintResult{Status: lint.Pass}
} else {
return &lint.LintResult{Status: lint.Error}
}
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_root_ca_key_usage_must_be_critical",
Description: "Root CA certificates MUST have Key Usage Extension marked critical",
Citation: "BRs: 7.1.2.1",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.RFC2459Date,
Lint: &rootCAKeyUsageMustBeCritical{},
})
}

50
vendor/github.com/zmap/zlint/v2/lints/cabf_br/lint_root_ca_key_usage_present.go generated vendored Normal file
View File

@ -0,0 +1,50 @@
package cabf_br
/*
* ZLint Copyright 2020 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
)
type rootCAKeyUsagePresent struct{}
func (l *rootCAKeyUsagePresent) Initialize() error {
return nil
}
func (l *rootCAKeyUsagePresent) CheckApplies(c *x509.Certificate) bool {
return util.IsRootCA(c)
}
func (l *rootCAKeyUsagePresent) Execute(c *x509.Certificate) *lint.LintResult {
if util.IsExtInCert(c, util.KeyUsageOID) {
return &lint.LintResult{Status: lint.Pass}
} else {
return &lint.LintResult{Status: lint.Error}
}
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_root_ca_key_usage_present",
Description: "Root CA certificates MUST have Key Usage Extension Present",
Citation: "BRs: 7.1.2.1",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.RFC2459Date,
Lint: &rootCAKeyUsagePresent{},
})
}

59
vendor/github.com/zmap/zlint/v2/lints/cabf_br/lint_rsa_mod_factors_smaller_than_752_bits.go generated vendored Normal file
View File

@ -0,0 +1,59 @@
package cabf_br
/*
* ZLint Copyright 2020 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
/**************************************************************************************************
6.1.6. Public Key Parameters Generation and Quality Checking
RSA: The CA SHALL confirm that the value of the public exponent is an odd number equal to 3 or more. Additionally, the public exponent SHOULD be in the range between 216+1 and 2256-1. The modulus SHOULD also have the following characteristics: an odd number, not the power of a prime, and have no factors smaller than 752. [Citation: Section 5.3.3, NIST SP 80089].
**************************************************************************************************/
import (
"crypto/rsa"
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
)
type rsaModSmallFactor struct{}
func (l *rsaModSmallFactor) Initialize() error {
return nil
}
func (l *rsaModSmallFactor) CheckApplies(c *x509.Certificate) bool {
_, ok := c.PublicKey.(*rsa.PublicKey)
return ok && c.PublicKeyAlgorithm == x509.RSA
}
func (l *rsaModSmallFactor) Execute(c *x509.Certificate) *lint.LintResult {
key := c.PublicKey.(*rsa.PublicKey)
if util.PrimeNoSmallerThan752(key.N) {
return &lint.LintResult{Status: lint.Pass}
}
return &lint.LintResult{Status: lint.Warn}
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "w_rsa_mod_factors_smaller_than_752",
Description: "RSA: Modulus SHOULD also have the following characteristics: no factors smaller than 752",
Citation: "BRs: 6.1.6",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABV113Date,
Lint: &rsaModSmallFactor{},
})
}

54
vendor/github.com/zmap/zlint/v2/lints/cabf_br/lint_rsa_mod_less_than_2048_bits.go generated vendored Normal file
View File

@ -0,0 +1,54 @@
package cabf_br
/*
* ZLint Copyright 2020 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
import (
"crypto/rsa"
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
)
type rsaParsedTestsKeySize struct{}
func (l *rsaParsedTestsKeySize) Initialize() error {
return nil
}
func (l *rsaParsedTestsKeySize) CheckApplies(c *x509.Certificate) bool {
_, ok := c.PublicKey.(*rsa.PublicKey)
return ok && c.PublicKeyAlgorithm == x509.RSA && c.NotAfter.After(util.NoRSA1024Date.Add(-1))
}
func (l *rsaParsedTestsKeySize) Execute(c *x509.Certificate) *lint.LintResult {
key := c.PublicKey.(*rsa.PublicKey)
if key.N.BitLen() < 2048 {
return &lint.LintResult{Status: lint.Error}
} else {
return &lint.LintResult{Status: lint.Pass}
}
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_rsa_mod_less_than_2048_bits",
Description: "For certificates valid after 31 Dec 2013, all certificates using RSA public key algorithm MUST have 2048 bits of modulus",
Citation: "BRs: 6.1.5",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.ZeroDate,
Lint: &rsaParsedTestsKeySize{},
})
}

61
vendor/github.com/zmap/zlint/v2/lints/cabf_br/lint_rsa_mod_not_odd.go generated vendored Normal file
View File

@ -0,0 +1,61 @@
package cabf_br
/*
* ZLint Copyright 2020 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
/*******************************************************************************************************
"BRs: 6.1.6"
RSA: The CA SHALL confirm that the value of the public exponent is an odd number equal to 3 or more. Additionally, the public exponent SHOULD be in the range between 2^16+1 and 2^256-1. The modulus SHOULD also have the following characteristics: an odd number, not the power of a prime, and have no factors smaller than 752. [Citation: Section 5.3.3, NIST SP 800-89].
*******************************************************************************************************/
import (
"crypto/rsa"
"math/big"
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
)
type rsaParsedTestsKeyModOdd struct{}
func (l *rsaParsedTestsKeyModOdd) Initialize() error {
return nil
}
func (l *rsaParsedTestsKeyModOdd) CheckApplies(c *x509.Certificate) bool {
_, ok := c.PublicKey.(*rsa.PublicKey)
return ok && c.PublicKeyAlgorithm == x509.RSA
}
func (l *rsaParsedTestsKeyModOdd) Execute(c *x509.Certificate) *lint.LintResult {
key := c.PublicKey.(*rsa.PublicKey)
z := big.NewInt(0)
if (z.Mod(key.N, big.NewInt(2)).Cmp(big.NewInt(1))) == 0 {
return &lint.LintResult{Status: lint.Pass}
} else {
return &lint.LintResult{Status: lint.Warn}
}
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "w_rsa_mod_not_odd",
Description: "RSA: Modulus SHOULD also have the following characteristics: an odd number",
Citation: "BRs: 6.1.6",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABV113Date,
Lint: &rsaParsedTestsKeyModOdd{},
})
}

65
vendor/github.com/zmap/zlint/v2/lints/cabf_br/lint_rsa_public_exponent_not_in_range.go generated vendored Normal file
View File

@ -0,0 +1,65 @@
package cabf_br
/*
* ZLint Copyright 2020 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
/*******************************************************************************************************
"BRs: 6.1.6"
RSA: The CA SHALL confirm that the value of the public exponent is an odd number equal to 3 or more. Additionally, the public exponent SHOULD be in the range between 2^16+1 and 2^256-1. The modulus SHOULD also have the following characteristics: an odd number, not the power of a prime, and have no factors smaller than 752. [Citation: Section 5.3.3, NIST SP 800-89].
*******************************************************************************************************/
import (
"crypto/rsa"
"math/big"
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
)
type rsaParsedTestsExpInRange struct {
upperBound *big.Int
}
func (l *rsaParsedTestsExpInRange) Initialize() error {
l.upperBound = &big.Int{}
l.upperBound.Exp(big.NewInt(2), big.NewInt(256), nil)
return nil
}
func (l *rsaParsedTestsExpInRange) CheckApplies(c *x509.Certificate) bool {
_, ok := c.PublicKey.(*rsa.PublicKey)
return ok && c.PublicKeyAlgorithm == x509.RSA
}
func (l *rsaParsedTestsExpInRange) Execute(c *x509.Certificate) *lint.LintResult {
key := c.PublicKey.(*rsa.PublicKey)
exponent := key.E
const lowerBound = 65536 // 2^16 + 1
if exponent > lowerBound && l.upperBound.Cmp(big.NewInt(int64(exponent))) == 1 {
return &lint.LintResult{Status: lint.Pass}
}
return &lint.LintResult{Status: lint.Warn}
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "w_rsa_public_exponent_not_in_range",
Description: "RSA: Public exponent SHOULD be in the range between 2^16 + 1 and 2^256 - 1",
Citation: "BRs: 6.1.6",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABV113Date,
Lint: &rsaParsedTestsExpInRange{},
})
}

59
vendor/github.com/zmap/zlint/v2/lints/cabf_br/lint_rsa_public_exponent_not_odd.go generated vendored Normal file
View File

@ -0,0 +1,59 @@
package cabf_br
/*
* ZLint Copyright 2020 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
/*******************************************************************************************************
"BRs: 6.1.6"
RSA: The CA SHALL confirm that the value of the public exponent is an odd number equal to 3 or more. Additionally, the public exponent SHOULD be in the range between 2^16+1 and 2^256-1. The modulus SHOULD also have the following characteristics: an odd number, not the power of a prime, and have no factors smaller than 752. [Citation: Section 5.3.3, NIST SP 800-89].
*******************************************************************************************************/
import (
"crypto/rsa"
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
)
type rsaParsedTestsKeyExpOdd struct{}
func (l *rsaParsedTestsKeyExpOdd) Initialize() error {
return nil
}
func (l *rsaParsedTestsKeyExpOdd) CheckApplies(c *x509.Certificate) bool {
_, ok := c.PublicKey.(*rsa.PublicKey)
return ok && c.PublicKeyAlgorithm == x509.RSA
}
func (l *rsaParsedTestsKeyExpOdd) Execute(c *x509.Certificate) *lint.LintResult {
key := c.PublicKey.(*rsa.PublicKey)
if key.E%2 == 1 {
return &lint.LintResult{Status: lint.Pass}
} else {
return &lint.LintResult{Status: lint.Error}
}
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_rsa_public_exponent_not_odd",
Description: "RSA: Value of public exponent is an odd number equal to 3 or more.",
Citation: "BRs: 6.1.6",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABV113Date,
Lint: &rsaParsedTestsKeyExpOdd{},
})
}

59
vendor/github.com/zmap/zlint/v2/lints/cabf_br/lint_rsa_public_exponent_too_small.go generated vendored Normal file
View File

@ -0,0 +1,59 @@
package cabf_br
/*
* ZLint Copyright 2020 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
/*******************************************************************************************************
"BRs: 6.1.6"
RSA: The CA SHALL confirm that the value of the public exponent is an odd number equal to 3 or more. Additionally, the public exponent SHOULD be in the range between 2^16+1 and 2^256-1. The modulus SHOULD also have the following characteristics: an odd number, not the power of a prime, and have no factors smaller than 752. [Citation: Section 5.3.3, NIST SP 800-89].
*******************************************************************************************************/
import (
"crypto/rsa"
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
)
type rsaParsedTestsExpBounds struct{}
func (l *rsaParsedTestsExpBounds) Initialize() error {
return nil
}
func (l *rsaParsedTestsExpBounds) CheckApplies(c *x509.Certificate) bool {
_, ok := c.PublicKey.(*rsa.PublicKey)
return ok && c.PublicKeyAlgorithm == x509.RSA
}
func (l *rsaParsedTestsExpBounds) Execute(c *x509.Certificate) *lint.LintResult {
key := c.PublicKey.(*rsa.PublicKey)
if key.E >= 3 { //If Cmp returns 1, means N > E
return &lint.LintResult{Status: lint.Pass}
} else {
return &lint.LintResult{Status: lint.Error}
}
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_rsa_public_exponent_too_small",
Description: "RSA: Value of public exponent is an odd number equal to 3 or more.",
Citation: "BRs: 6.1.6",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABV113Date,
Lint: &rsaParsedTestsExpBounds{},
})
}

68
vendor/github.com/zmap/zlint/v2/lints/cabf_br/lint_san_dns_name_onion_not_ev_cert.go generated vendored Normal file
View File

@ -0,0 +1,68 @@
/*
* ZLint Copyright 2020 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
package cabf_br
import (
"fmt"
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
)
type onionNotEV struct{}
// Initialize for an onionNotEV linter is a NOP.
func (l *onionNotEV) Initialize() error {
return nil
}
// CheckApplies returns true if the certificate is a subscriber certificate that
// contains a subject name ending in `.onion`.
func (l *onionNotEV) CheckApplies(c *x509.Certificate) bool {
return util.IsSubscriberCert(c) && util.CertificateSubjInTLD(c, util.OnionTLD)
}
// Execute returns an lint.Error lint.LintResult if the certificate is not an EV
// certificate. CheckApplies has already verified the certificate contains one
// or more `.onion` subjects and so it must be an EV certificate.
func (l *onionNotEV) Execute(c *x509.Certificate) *lint.LintResult {
/*
* Effective May 1, 2015, each CA SHALL revoke all unexpired Certificates with an
* Internal Name using onion as the right-most label in an entry in the
* subjectAltName Extension or commonName field unless such Certificate was
* issued in accordance with Appendix F of the EV Guidelines.
*/
if !util.IsEV(c.PolicyIdentifiers) {
return &lint.LintResult{
Status: lint.Error,
Details: fmt.Sprintf(
"certificate contains one or more %s subject domains but is not an EV certificate",
util.OnionTLD),
}
}
return &lint.LintResult{Status: lint.Pass}
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_san_dns_name_onion_not_ev_cert",
Description: "certificates with a .onion subject name must be issued in accordance with EV Guidelines",
Citation: "CABF Ballot 144",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.OnionOnlyEVDate,
Lint: &onionNotEV{},
})
}

87
vendor/github.com/zmap/zlint/v2/lints/cabf_br/lint_signature_algorithm_not_supported.go generated vendored Normal file
View File

@ -0,0 +1,87 @@
package cabf_br
/*
* ZLint Copyright 2020 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
)
var (
// Any of the following x509.SignatureAlgorithms are acceptable per §6.1.5 of
// the BRs.
passSigAlgs = map[x509.SignatureAlgorithm]bool{
x509.SHA256WithRSA: true,
x509.SHA384WithRSA: true,
x509.SHA512WithRSA: true,
x509.DSAWithSHA256: true,
x509.ECDSAWithSHA256: true,
x509.ECDSAWithSHA384: true,
x509.ECDSAWithSHA512: true,
// NOTE: BRs section §6.1.5 does not include SHA1 digest algorithms in the
// current version. We allow these here for historic reasons and check for
// SHA1 usage after the deprecation date in the separate
// `e_sub_cert_or_sub_ca_using_sha1` lint.
x509.SHA1WithRSA: true,
x509.DSAWithSHA1: true,
x509.ECDSAWithSHA1: true,
}
// The BRs do not forbid the use of RSA-PSS as a signature scheme in
// certificates but it is not broadly supported by user-agents. Since
// the BRs do not forbid the practice we return a warning result.
// NOTE: The Mozilla root program policy *does* forbid their use since v2.7.
// This should be covered by a lint scoped to the Mozilla source instead of in
// this CABF lint.
warnSigAlgs = map[x509.SignatureAlgorithm]bool{
x509.SHA256WithRSAPSS: true,
x509.SHA384WithRSAPSS: true,
x509.SHA512WithRSAPSS: true,
}
)
type signatureAlgorithmNotSupported struct{}
func (l *signatureAlgorithmNotSupported) Initialize() error {
return nil
}
func (l *signatureAlgorithmNotSupported) CheckApplies(c *x509.Certificate) bool {
return true
}
func (l *signatureAlgorithmNotSupported) Execute(c *x509.Certificate) *lint.LintResult {
sigAlg := c.SignatureAlgorithm
status := lint.Error
if passSigAlgs[sigAlg] {
status = lint.Pass
} else if warnSigAlgs[sigAlg] {
status = lint.Warn
}
return &lint.LintResult{
Status: status,
}
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_signature_algorithm_not_supported",
Description: "Certificates MUST meet the following requirements for algorithm Source: SHA-1*, SHA-256, SHA-384, SHA-512",
Citation: "BRs: 6.1.5",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.ZeroDate,
Lint: &signatureAlgorithmNotSupported{},
})
}

61
vendor/github.com/zmap/zlint/v2/lints/cabf_br/lint_sub_ca_aia_does_not_contain_issuing_ca_url.go generated vendored Normal file
View File

@ -0,0 +1,61 @@
package cabf_br
/*
* ZLint Copyright 2020 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
/***********************************************
CAB 7.1.2.2c
With the exception of stapling, which is noted below, this extension MUST be present. It MUST NOT be
marked critical, and it MUST contain the HTTP URL of the Issuing CAs OCSP responder (accessMethod
= 1.3.6.1.5.5.7.48.1). It SHOULD also contain the HTTP URL of the Issuing CAs certificate
(accessMethod = 1.3.6.1.5.5.7.48.2).
************************************************/
import (
"strings"
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
)
type subCaIssuerUrl struct{}
func (l *subCaIssuerUrl) Initialize() error {
return nil
}
func (l *subCaIssuerUrl) CheckApplies(c *x509.Certificate) bool {
return util.IsCACert(c) && !util.IsRootCA(c)
}
func (l *subCaIssuerUrl) Execute(c *x509.Certificate) *lint.LintResult {
for _, url := range c.IssuingCertificateURL {
if strings.HasPrefix(url, "http://") {
return &lint.LintResult{Status: lint.Pass}
}
}
return &lint.LintResult{Status: lint.Warn}
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "w_sub_ca_aia_does_not_contain_issuing_ca_url",
Description: "Subordinate CA Certificate: authorityInformationAccess SHOULD also contain the HTTP URL of the Issuing CA's certificate.",
Citation: "BRs: 7.1.2.2",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &subCaIssuerUrl{},
})
}

61
vendor/github.com/zmap/zlint/v2/lints/cabf_br/lint_sub_ca_aia_does_not_contain_ocsp_url.go generated vendored Normal file
View File

@ -0,0 +1,61 @@
package cabf_br
/*
* ZLint Copyright 2020 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
/***********************************************
CAB 7.1.2.2c
With the exception of stapling, which is noted below, this extension MUST be present. It MUST NOT be
marked critical, and it MUST contain the HTTP URL of the Issuing CAs OCSP responder (accessMethod
= 1.3.6.1.5.5.7.48.1). It SHOULD also contain the HTTP URL of the Issuing CAs certificate
(accessMethod = 1.3.6.1.5.5.7.48.2).
************************************************/
import (
"strings"
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
)
type subCaOcspUrl struct{}
func (l *subCaOcspUrl) Initialize() error {
return nil
}
func (l *subCaOcspUrl) CheckApplies(c *x509.Certificate) bool {
return util.IsCACert(c) && !util.IsRootCA(c)
}
func (l *subCaOcspUrl) Execute(c *x509.Certificate) *lint.LintResult {
for _, url := range c.OCSPServer {
if strings.HasPrefix(url, "http://") {
return &lint.LintResult{Status: lint.Pass}
}
}
return &lint.LintResult{Status: lint.Error}
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_sub_ca_aia_does_not_contain_ocsp_url",
Description: "Subordinate CA certificates authorityInformationAccess extension must contain the HTTP URL of the issuing CAs OCSP responder",
Citation: "BRs: 7.1.2.2",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &subCaOcspUrl{},
})
}

51
vendor/github.com/zmap/zlint/v2/lints/cabf_br/lint_sub_ca_aia_marked_critical.go generated vendored Normal file
View File

@ -0,0 +1,51 @@
package cabf_br
/*
* ZLint Copyright 2020 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
)
type subCaAIAMarkedCritical struct{}
func (l *subCaAIAMarkedCritical) Initialize() error {
return nil
}
func (l *subCaAIAMarkedCritical) CheckApplies(c *x509.Certificate) bool {
return util.IsSubCA(c) && util.IsExtInCert(c, util.AiaOID)
}
func (l *subCaAIAMarkedCritical) Execute(c *x509.Certificate) *lint.LintResult {
e := util.GetExtFromCert(c, util.AiaOID)
if e.Critical {
return &lint.LintResult{Status: lint.Error}
} else {
return &lint.LintResult{Status: lint.Pass}
}
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_sub_ca_aia_marked_critical",
Description: "Subordinate CA Certificate: authorityInformationAccess MUST NOT be marked critical",
Citation: "BRs: 7.1.2.2",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.ZeroDate,
Lint: &subCaAIAMarkedCritical{},
})
}

58
vendor/github.com/zmap/zlint/v2/lints/cabf_br/lint_sub_ca_aia_missing.go generated vendored Normal file
View File

@ -0,0 +1,58 @@
package cabf_br
/*
* ZLint Copyright 2020 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
/***********************************************
CAB 7.1.2.2c
With the exception of stapling, which is noted below, this extension MUST be present. It MUST NOT be
marked critical, and it MUST contain the HTTP URL of the Issuing CAs OCSP responder (accessMethod
= 1.3.6.1.5.5.7.48.1). It SHOULD also contain the HTTP URL of the Issuing CAs certificate
(accessMethod = 1.3.6.1.5.5.7.48.2).
************************************************/
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
)
type caAiaMissing struct{}
func (l *caAiaMissing) Initialize() error {
return nil
}
func (l *caAiaMissing) CheckApplies(c *x509.Certificate) bool {
return util.IsCACert(c) && !util.IsRootCA(c)
}
func (l *caAiaMissing) Execute(c *x509.Certificate) *lint.LintResult {
if util.IsExtInCert(c, util.AiaOID) {
return &lint.LintResult{Status: lint.Pass}
} else {
return &lint.LintResult{Status: lint.Error}
}
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_sub_ca_aia_missing",
Description: "Subordinate CA Certificate: authorityInformationAccess MUST be present, with the exception of stapling.",
Citation: "BRs: 7.1.2.2",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &caAiaMissing{},
})
}

56
vendor/github.com/zmap/zlint/v2/lints/cabf_br/lint_sub_ca_certificate_policies_marked_critical.go generated vendored Normal file
View File

@ -0,0 +1,56 @@
package cabf_br
/*
* ZLint Copyright 2020 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
/************************************************
BRs: 7.1.2.2a certificatePolicies
This extension MUST be present and SHOULD NOT be marked critical.
************************************************/
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
)
type subCACertPolicyCrit struct{}
func (l *subCACertPolicyCrit) Initialize() error {
return nil
}
func (l *subCACertPolicyCrit) CheckApplies(c *x509.Certificate) bool {
return util.IsSubCA(c) && util.IsExtInCert(c, util.CertPolicyOID)
}
func (l *subCACertPolicyCrit) Execute(c *x509.Certificate) *lint.LintResult {
if e := util.GetExtFromCert(c, util.CertPolicyOID); e.Critical {
return &lint.LintResult{Status: lint.Warn}
} else {
return &lint.LintResult{Status: lint.Pass}
}
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "w_sub_ca_certificate_policies_marked_critical",
Description: "Subordinate CA certificates certificatePolicies extension should not be marked as critical",
Citation: "BRs: 7.1.2.2",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &subCACertPolicyCrit{},
})
}

55
vendor/github.com/zmap/zlint/v2/lints/cabf_br/lint_sub_ca_certificate_policies_missing.go generated vendored Normal file
View File

@ -0,0 +1,55 @@
package cabf_br
/*
* ZLint Copyright 2020 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
/************************************************
BRs: 7.1.2.2a certificatePolicies
This extension MUST be present and SHOULD NOT be marked critical.
************************************************/
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
)
type subCACertPolicyMissing struct{}
func (l *subCACertPolicyMissing) Initialize() error {
return nil
}
func (l *subCACertPolicyMissing) CheckApplies(c *x509.Certificate) bool {
return util.IsSubCA(c)
}
func (l *subCACertPolicyMissing) Execute(c *x509.Certificate) *lint.LintResult {
if util.IsExtInCert(c, util.CertPolicyOID) {
return &lint.LintResult{Status: lint.Pass}
} else {
return &lint.LintResult{Status: lint.Error}
}
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_sub_ca_certificate_policies_missing",
Description: "Subordinate CA certificates must have a certificatePolicies extension",
Citation: "BRs: 7.1.2.2",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &subCACertPolicyMissing{},
})
}

59
vendor/github.com/zmap/zlint/v2/lints/cabf_br/lint_sub_ca_crl_distribution_points_does_not_contain_url.go generated vendored Normal file
View File

@ -0,0 +1,59 @@
package cabf_br
/*
* ZLint Copyright 2020 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
/************************************************
BRs: 7.1.2.2b cRLDistributionPoints
This extension MUST be present and MUST NOT be marked critical.
It MUST contain the HTTP URL of the CAs CRL service.
************************************************/
import (
"strings"
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
)
type subCACRLDistNoUrl struct{}
func (l *subCACRLDistNoUrl) Initialize() error {
return nil
}
func (l *subCACRLDistNoUrl) CheckApplies(c *x509.Certificate) bool {
return util.IsSubCA(c) && util.IsExtInCert(c, util.CrlDistOID)
}
func (l *subCACRLDistNoUrl) Execute(c *x509.Certificate) *lint.LintResult {
for _, s := range c.CRLDistributionPoints {
if strings.HasPrefix(s, "http://") {
return &lint.LintResult{Status: lint.Pass}
}
}
return &lint.LintResult{Status: lint.Error}
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_sub_ca_crl_distribution_points_does_not_contain_url",
Description: "Subordinate CA Certificate: cRLDistributionPoints MUST contain the HTTP URL of the CA's CRL service.",
Citation: "BRs: 7.1.2.2",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &subCACRLDistNoUrl{},
})
}

56
vendor/github.com/zmap/zlint/v2/lints/cabf_br/lint_sub_ca_crl_distribution_points_marked_critical.go generated vendored Normal file
View File

@ -0,0 +1,56 @@
package cabf_br
/*
* ZLint Copyright 2020 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
/************************************************
BRs: 7.1.2.2b cRLDistributionPoints
This extension MUST be present and MUST NOT be marked critical.
It MUST contain the HTTP URL of the CAs CRL service.
************************************************/
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
)
type subCACRLDistCrit struct{}
func (l *subCACRLDistCrit) Initialize() error {
return nil
}
func (l *subCACRLDistCrit) CheckApplies(c *x509.Certificate) bool {
return util.IsSubCA(c) && util.IsExtInCert(c, util.CrlDistOID)
}
func (l *subCACRLDistCrit) Execute(c *x509.Certificate) *lint.LintResult {
if e := util.GetExtFromCert(c, util.CrlDistOID); e.Critical {
return &lint.LintResult{Status: lint.Error}
} else {
return &lint.LintResult{Status: lint.Pass}
}
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_sub_ca_crl_distribution_points_marked_critical",
Description: "Subordinate CA Certificate: cRLDistributionPoints MUST be present and MUST NOT be marked critical.",
Citation: "BRs: 7.1.2.2",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &subCACRLDistCrit{},
})
}

56
vendor/github.com/zmap/zlint/v2/lints/cabf_br/lint_sub_ca_crl_distribution_points_missing.go generated vendored Normal file
View File

@ -0,0 +1,56 @@
package cabf_br
/*
* ZLint Copyright 2020 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
/************************************************
BRs: 7.1.2.2b cRLDistributionPoints
This extension MUST be present and MUST NOT be marked critical.
It MUST contain the HTTP URL of the CAs CRL service.
************************************************/
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
)
type subCACRLDistMissing struct{}
func (l *subCACRLDistMissing) Initialize() error {
return nil
}
func (l *subCACRLDistMissing) CheckApplies(c *x509.Certificate) bool {
return util.IsSubCA(c)
}
func (l *subCACRLDistMissing) Execute(c *x509.Certificate) *lint.LintResult {
if util.IsExtInCert(c, util.CrlDistOID) {
return &lint.LintResult{Status: lint.Pass}
} else {
return &lint.LintResult{Status: lint.Error}
}
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_sub_ca_crl_distribution_points_missing",
Description: "Subordinate CA Certificate: cRLDistributionPoints MUST be present and MUST NOT be marked critical.",
Citation: "BRs: 7.1.2.2",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &subCACRLDistMissing{},
})
}

58
vendor/github.com/zmap/zlint/v2/lints/cabf_br/lint_sub_ca_eku_critical.go generated vendored Normal file
View File

@ -0,0 +1,58 @@
package cabf_br
/*
* ZLint Copyright 2020 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
/************************************************
BRs: 7.1.2.2g extkeyUsage (optional)
For Subordinate CA Certificates to be Technically constrained in line with section 7.1.5, then either the value
idkpserverAuth [RFC5280] or idkpclientAuth [RFC5280] or both values MUST be present**.
Other values MAY be present.
If present, this extension SHOULD be marked noncritical.
************************************************/
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
)
type subCAEKUCrit struct{}
func (l *subCAEKUCrit) Initialize() error {
return nil
}
func (l *subCAEKUCrit) CheckApplies(c *x509.Certificate) bool {
return util.IsSubCA(c) && util.IsExtInCert(c, util.EkuSynOid)
}
func (l *subCAEKUCrit) Execute(c *x509.Certificate) *lint.LintResult {
if e := util.GetExtFromCert(c, util.EkuSynOid); e.Critical {
return &lint.LintResult{Status: lint.Warn}
} else {
return &lint.LintResult{Status: lint.Pass}
}
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "w_sub_ca_eku_critical",
Description: "Subordinate CA certificate extkeyUsage extension should be marked non-critical if present",
Citation: "BRs: 7.1.2.2",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABV116Date,
Lint: &subCAEKUCrit{},
})
}

50
vendor/github.com/zmap/zlint/v2/lints/cabf_br/lint_sub_ca_eku_missing.go generated vendored Normal file
View File

@ -0,0 +1,50 @@
package cabf_br
/*
* ZLint Copyright 2020 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v2/lint"
"github.com/zmap/zlint/v2/util"
)
type subCAEKUMissing struct{}
func (l *subCAEKUMissing) Initialize() error {
return nil
}
func (l *subCAEKUMissing) CheckApplies(c *x509.Certificate) bool {
return util.IsSubCA(c)
}
func (l *subCAEKUMissing) Execute(c *x509.Certificate) *lint.LintResult {
if util.IsExtInCert(c, util.EkuSynOid) {
return &lint.LintResult{Status: lint.Pass}
} else {
return &lint.LintResult{Status: lint.Notice}
}
}
func init() {
lint.RegisterLint(&lint.Lint{
Name: "n_sub_ca_eku_missing",
Description: "To be considered Technically Constrained, the Subordinate CA certificate MUST have extkeyUsage extension",
Citation: "BRs: 7.1.5",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &subCAEKUMissing{},
})
}

Some files were not shown because too many files have changed in this diff Show More