Move cert-checker to zlint v2. (#4779)

And run go mod tidy, which removes v1 of zlint from our go.mod.
This commit is contained in:
Jacob Hoffman-Andrews 2020-04-15 17:35:15 -07:00 committed by GitHub
parent bc528cf8cd
commit f3e48d6931
287 changed files with 4 additions and 26760 deletions


@ -17,8 +17,8 @@ import (
"github.com/jmhodges/clock"
"github.com/prometheus/client_golang/prometheus"
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint"
"github.com/zmap/zlint/lints"
"github.com/zmap/zlint/v2"
"github.com/zmap/zlint/v2/lint"
"github.com/letsencrypt/boulder/cmd"
"github.com/letsencrypt/boulder/core"
@ -227,7 +227,7 @@ func (c *certChecker) checkCert(cert core.Certificate, ignoredLints map[string]b
// Run zlint checks
results := zlint.LintCertificate(parsedCert)
for name, res := range results.Results {
if ignoredLints[name] || res.Status <= lints.Pass {
if ignoredLints[name] || res.Status <= lint.Pass {
continue
}
prob := fmt.Sprintf("zlint %s: %s", res.Status, name)
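Review bot: The new `lint.Pass` guard keeps the name-keyed `ignoredLints` suppression, but nothing in the hunk validates those names against what zlint v2 actually registers, and a v2 bump is exactly the release where names move — the vendored zlint README this commit deletes states that changes to lint names are what trigger a MAJOR version. A stale or mistyped entry is silently inert, a lint that was deliberately suppressed under v1 may now surface under a new name, and a v1 name that happens to denote a different v2 lint would suppress the wrong check without any signal. Where `ignoredLints` is loaded (outside this hunk; `checkCert` itself begins and ends outside it) I would reject unknown names at startup using v2's registry API, e.g. `if lint.GlobalRegistry().ByName(name) == nil { return fmt.Errorf("unknown zlint lint %q in ignoredLints", name) }`, so the policy change is explicit rather than implicit. It would also help triage to carry `res.Details` into the problem string on the line after the guard, since v2 results attach the specific finding there.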

go.mod

@ -9,8 +9,6 @@ require (
github.com/eggsampler/acme/v3 v3.0.0
github.com/go-gorp/gorp v2.0.0+incompatible // indirect
github.com/go-sql-driver/mysql v1.4.1
github.com/gogo/googleapis v1.1.0 // indirect
github.com/gogo/protobuf v1.2.0 // indirect
github.com/golang/mock v1.3.1
github.com/golang/protobuf v1.3.2
github.com/golang/snappy v0.0.0-20170215233205-553a64147049 // indirect
@ -20,7 +18,6 @@ require (
github.com/jmhodges/clock v0.0.0-20160418191101-880ee4c33548
github.com/letsencrypt/challtestsrv v1.0.2
github.com/letsencrypt/pkcs11key/v4 v4.0.0
github.com/lyft/protoc-gen-validate v0.0.13 // indirect
github.com/miekg/dns v1.1.8
github.com/miekg/pkcs11 v1.0.3
github.com/onsi/ginkgo v1.8.0 // indirect
@ -32,7 +29,6 @@ require (
github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399
github.com/weppos/publicsuffix-go v0.10.1-0.20200202094241-a723c5d90134
github.com/zmap/zcrypto v0.0.0-20191112190257-7f2fe6faf8cf
github.com/zmap/zlint v1.1.0
github.com/zmap/zlint/v2 v2.0.0
golang.org/x/crypto v0.0.0-20200124225646-8b5121be2f68
golang.org/x/net v0.0.0-20191112182307-2180aed22343

go.sum

@ -28,10 +28,6 @@ github.com/cespare/xxhash/v2 v2.1.0/go.mod h1:dgIUBU3pDso/gPgZ1osOZ0iQf77oPR28Tj
github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
github.com/cloudflare/backoff v0.0.0-20161212185259-647f3cdfc87a h1:8d1CEOF1xldesKds5tRG3tExBsMOgWYownMHNCsev54=
github.com/cloudflare/backoff v0.0.0-20161212185259-647f3cdfc87a/go.mod h1:rzgs2ZOiguV6/NpiDgADjRLPNyZlApIWxKpkT+X8SdY=
github.com/cloudflare/cfssl v1.4.0 h1:TdyQbj/bDUMUHf2IkcHU2EHUmzCmRLuJ3fFd8EYMg1E=
github.com/cloudflare/cfssl v1.4.0/go.mod h1:KManx/OJPb5QY+y0+o/898AMcM128sF0bURvoVUSjTo=
github.com/cloudflare/cfssl v1.4.1 h1:vScfU2DrIUI9VPHBVeeAQ0q5A+9yshO1Gz+3QoUQiKw=
github.com/cloudflare/cfssl v1.4.1/go.mod h1:KManx/OJPb5QY+y0+o/898AMcM128sF0bURvoVUSjTo=
github.com/cloudflare/cfssl v1.4.2-0.20200324225241-abef926615f4 h1:gpoY5xZd+Qeb1aXvwFlPELPg6SJiPjV5kuH6e2dcoxw=
github.com/cloudflare/cfssl v1.4.2-0.20200324225241-abef926615f4/go.mod h1:jbHlfTdWTKrKYWLgXBVDoL6rdr8deJ3CnGruukZnPC8=
github.com/cloudflare/go-metrics v0.0.0-20151117154305-6a9aea36fb41 h1:/8sZyuGTAU2+fYv0Sz9lBcipqX0b7i4eUl8pSStk/4g=
@ -46,7 +42,6 @@ github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c
github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
github.com/eggsampler/acme/v3 v3.0.0 h1:Fl1fWD94NcdC7Ensb6Ed/CJZ6S24PpekLo/jZB6Ltg8=
github.com/eggsampler/acme/v3 v3.0.0/go.mod h1:gw64Ckma6iKulWks9BtE/g/9z/Vdz9D1lM7x7M1X1Ag=
github.com/envoyproxy/go-control-plane v0.6.9/go.mod h1:SBwIajubJHhxtWwsL9s8ss4safvEdbitLhGGK48rN6g=
github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
github.com/fsnotify/fsnotify v1.4.7 h1:IXs+QLmnXW2CcXuY+8Mzv/fWEsPGWxqefPtCP5CnV9I=
@ -61,19 +56,13 @@ github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9
github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk=
github.com/go-sql-driver/mysql v1.3.0 h1:pgwjLi/dvffoP9aabwkT3AKpXQM93QARkjFhDDqC1UE=
github.com/go-sql-driver/mysql v1.3.0/go.mod h1:zAC/RDZ24gD3HViQzih4MyKcchzm+sOG5ZlKdlhCg5w=
github.com/go-sql-driver/mysql v1.4.1-0.20191114115753-b4242bab7dc5 h1:TPdJVmaDpKVlxYKc2CTaU6iY51jeQqbRooWdI1ATYG4=
github.com/go-sql-driver/mysql v1.4.1-0.20191114115753-b4242bab7dc5/go.mod h1:XIaZU7xtUgusUqDPXOOPcmC5Dyyw3F1pbh54fHzaehk=
github.com/go-sql-driver/mysql v1.4.1 h1:g24URVg0OFbNUTx9qqY1IRZ9D9z3iPyi5zKhQZpNwpA=
github.com/go-sql-driver/mysql v1.4.1/go.mod h1:zAC/RDZ24gD3HViQzih4MyKcchzm+sOG5ZlKdlhCg5w=
github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY=
github.com/gogo/googleapis v1.1.0/go.mod h1:gf4bu3Q80BeJ6H1S1vYPm8/ELATdvryBaNFGgqEef3s=
github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
github.com/gogo/protobuf v1.2.0/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b h1:VKtxabqXZkF25pY9ekfRL6a582T4P37/31XEstQ5p58=
github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
github.com/golang/mock v1.2.0 h1:28o5sBqPkBsMGnC6b4MvE2TzSr5/AT4c/1fLqVGIwlk=
github.com/golang/mock v1.2.0/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
github.com/golang/mock v1.3.1 h1:qGJ6qTW+x6xX/my+8YUVl4WNpX9B7+/l2tRsHGZ7f2s=
github.com/golang/mock v1.3.1/go.mod h1:sBzyDLLjw3U8JLTeZvSv8jJB+tU5PVekmnlKIyFUx0Y=
github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
@ -91,8 +80,6 @@ github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5a
github.com/google/go-cmp v0.3.0 h1:crn/baboCvb5fXaQ0IJ1SGTsTVrWpDsCWC8EGETZijY=
github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
github.com/grpc-ecosystem/go-grpc-prometheus v0.0.0-20170826090648-0dafe0d496ea h1:Bzd/0fcg24qAEJyr7pTtDOn806SRBtzyloCuLTEvSOo=
github.com/grpc-ecosystem/go-grpc-prometheus v0.0.0-20170826090648-0dafe0d496ea/go.mod h1:8NvIoxWQoOIhqOTXgfV/d3M/q6VIi02HzZEHgUlZvzk=
github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0 h1:Ovs26xHkKqVztRpIrF/92BcuyuQ/YW4NSIpoGtfXNho=
github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0/go.mod h1:8NvIoxWQoOIhqOTXgfV/d3M/q6VIi02HzZEHgUlZvzk=
github.com/hpcloud/tail v1.0.0 h1:nfCOvKYfkgYP8hkirhJocXT2+zOD8yUNjXaWfTlyFKI=
@ -123,12 +110,8 @@ github.com/letsencrypt/challtestsrv v1.0.2 h1:nBAQjKvVMLhpj4cg2Px6jMyvMbQNdJrCEd
github.com/letsencrypt/challtestsrv v1.0.2/go.mod h1:/gzSMb+5FjprRIa1TtW6ngjhUOr8JbEFM2XESzK2zPg=
github.com/letsencrypt/pkcs11key/v4 v4.0.0 h1:qLc/OznH7xMr5ARJgkZCCWk+EomQkiNTOoOF5LAgagc=
github.com/letsencrypt/pkcs11key/v4 v4.0.0/go.mod h1:EFUvBDay26dErnNb70Nd0/VW3tJiIbETBPTl9ATXQag=
github.com/lib/pq v0.0.0-20180201184707-88edab080323/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo=
github.com/lib/pq v1.1.0 h1:/5u4a+KGJptBRqGzPvYQL9p0d/tPR4S31+Tnzj9lEO4=
github.com/lib/pq v1.1.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo=
github.com/lib/pq v1.3.0 h1:/qkRGz8zljWiDcFvgpwUpwIAPu3r07TDvs3Rws+o/pU=
github.com/lib/pq v1.3.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo=
github.com/lyft/protoc-gen-validate v0.0.13/go.mod h1:XbGvPuh87YZc5TdIa2/I4pLk0QoUACkjt2znoq26NVQ=
github.com/mattn/go-sqlite3 v1.10.0 h1:jbhqpg7tQe4SupckyijYiy0mJJ/pRyHvXf7JdWK860o=
github.com/mattn/go-sqlite3 v1.10.0/go.mod h1:FPy6KqzDD04eiIsT53CuJW3U88zkxoIYsOqkbpncsNc=
github.com/matttproud/golang_protobuf_extensions v1.0.1 h1:4hp9jkHxhMHkqkrB3Ix0jegS5sx/RkqARlsWZ6pIwiU=
@ -196,26 +179,14 @@ github.com/valyala/fasttemplate v1.0.1 h1:tY9CJiPnMXf1ERmG2EyK7gNUd+c6RKGD0IfU8W
github.com/valyala/fasttemplate v1.0.1/go.mod h1:UQGH1tvbgY+Nz5t2n7tXsz52dQxojPUpymEIMZ47gx8=
github.com/weppos/publicsuffix-go v0.4.0/go.mod h1:z3LCPQ38eedDQSwmsSRW4Y7t2L8Ln16JPQ02lHAdn5k=
github.com/weppos/publicsuffix-go v0.5.0/go.mod h1:z3LCPQ38eedDQSwmsSRW4Y7t2L8Ln16JPQ02lHAdn5k=
github.com/weppos/publicsuffix-go v0.10.1-0.20191119120252-3dd5f42d2d87 h1:atBJZP3ARnSmu6xeR2b0ksATs8da4d6er1f6VnrucoY=
github.com/weppos/publicsuffix-go v0.10.1-0.20191119120252-3dd5f42d2d87/go.mod h1:z3LCPQ38eedDQSwmsSRW4Y7t2L8Ln16JPQ02lHAdn5k=
github.com/weppos/publicsuffix-go v0.10.1-0.20191207085315-342bab737784 h1:lZIkUyvJURGx8O0gx4TmYsHyj/oRKpzA7Okuzy0NSIU=
github.com/weppos/publicsuffix-go v0.10.1-0.20191207085315-342bab737784/go.mod h1:z3LCPQ38eedDQSwmsSRW4Y7t2L8Ln16JPQ02lHAdn5k=
github.com/weppos/publicsuffix-go v0.10.1-0.20200202094241-a723c5d90134 h1:PIGnoA+Z23Mup4SOVq24dJPGqt7bce45/ZLrMZdViKc=
github.com/weppos/publicsuffix-go v0.10.1-0.20200202094241-a723c5d90134/go.mod h1:z3LCPQ38eedDQSwmsSRW4Y7t2L8Ln16JPQ02lHAdn5k=
github.com/ziutek/mymysql v1.5.4 h1:GB0qdRGsTwQSBVYuVShFBKaXSnSnYYC2d9knnE1LHFs=
github.com/ziutek/mymysql v1.5.4/go.mod h1:LMSpPZ6DbqWFxNCHW77HeMg9I646SAhApZ/wKdgO/C0=
github.com/zmap/rc2 v0.0.0-20131011165748-24b9757f5521/go.mod h1:3YZ9o3WnatTIZhuOtot4IcUfzoKVjUHqu6WALIyI0nE=
github.com/zmap/zcertificate v0.0.0-20180516150559-0e3d58b1bac4/go.mod h1:5iU54tB79AMBcySS0R2XIyZBAVmeHranShAFELYx7is=
github.com/zmap/zcrypto v0.0.0-20190729165852-9051775e6a2e h1:mvOa4+/DXStR4ZXOks/UsjeFdn5O5JpLUtzqk9U8xXw=
github.com/zmap/zcrypto v0.0.0-20190729165852-9051775e6a2e/go.mod h1:w7kd3qXHh8FNaczNjslXqvFQiv5mMWRXlL9klTUAHc8=
github.com/zmap/zcrypto v0.0.0-20191112190257-7f2fe6faf8cf h1:Q9MiSA+G9DHe/TzG8pnycDn3HwpQuTygphu9M/7KYqU=
github.com/zmap/zcrypto v0.0.0-20191112190257-7f2fe6faf8cf/go.mod h1:w7kd3qXHh8FNaczNjslXqvFQiv5mMWRXlL9klTUAHc8=
github.com/zmap/zlint v0.0.0-20190806154020-fd021b4cfbeb/go.mod h1:29UiAJNsiVdvTBFCJW8e3q6dcDbOoPkhMgttOSCIMMY=
github.com/zmap/zlint v1.0.3-0.20191115164049-eea5fe83935a h1:QaoQc5dqoKaxmebnB1fCIrBxHCdrIinK8SAsWC/v720=
github.com/zmap/zlint v1.0.3-0.20191115164049-eea5fe83935a/go.mod h1:29UiAJNsiVdvTBFCJW8e3q6dcDbOoPkhMgttOSCIMMY=
github.com/zmap/zlint v1.1.0 h1:Vyh2GmprXw5TLmKmkTa2BgFvvYAFBValBFesqkKsszM=
github.com/zmap/zlint v1.1.0/go.mod h1:3MvSF/QhEftzpxKhh3jkBIOvugsSDYMCofl+UaIv0ww=
github.com/zmap/zlint v2.0.0+incompatible h1:Yz3KtcdJLHzjGTd+Em6ss9jUPbAitN5xkVLAstULF3I=
github.com/zmap/zlint/v2 v2.0.0 h1:Ve+1yR76LZhTXsxonKA35d5S8dIIW1pmIlr4ahrskhs=
github.com/zmap/zlint/v2 v2.0.0/go.mod h1:0jpqZ7cVjm8ABh/PTOp74MK50bPiN+HW+NjjESDxLVA=
golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
@ -223,8 +194,6 @@ golang.org/x/crypto v0.0.0-20181203042331-505ab145d0a9/go.mod h1:6SG95UA2DQfeDnf
golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
golang.org/x/crypto v0.0.0-20190701094942-4def268fd1a4 h1:HuIa8hRrWRSrqYzx1qI49NNxhdi2PrY7gxVSq1JjLDc=
golang.org/x/crypto v0.0.0-20190701094942-4def268fd1a4/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
golang.org/x/crypto v0.0.0-20191112222119-e1110fd1c708 h1:pXVtWnwHkrWD9ru3sDxY/qFK/bfc0egRovX91EjWjf4=
golang.org/x/crypto v0.0.0-20191112222119-e1110fd1c708/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
golang.org/x/crypto v0.0.0-20200124225646-8b5121be2f68 h1:WPLCzSEbawp58wezcvLvLnvhiDJAai54ESbc41NdXS0=
golang.org/x/crypto v0.0.0-20200124225646-8b5121be2f68/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
@ -250,8 +219,7 @@ golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAG
golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6 h1:bjcUS9ztw9kFmmIxJInhon/0Is3p+EHBKNgquIzo1OI=
golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20190423024810-112230192c58 h1:8gQV6CLnAEikrhgkHFbMAEhagSSnXWGV915qUMm9mrU=
golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@ -279,13 +247,9 @@ google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9Ywl
google.golang.org/appengine v1.4.0 h1:/wp5JvzpHIxhs/dumFmF7BXTf3Z+dd4uXta4kVyO508=
google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
google.golang.org/genproto v0.0.0-20190415143225-d1146b9035b9 h1:SymueV2ZwWqdojv3IQn27haYaNer4MttGly0aZCMpoc=
google.golang.org/genproto v0.0.0-20190415143225-d1146b9035b9/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55 h1:gSJIx1SDwno+2ElGhA4+qG2zF97qiUzTM+rQ0klBOcE=
google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc=
google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
google.golang.org/grpc v1.20.0 h1:DlsSIrgEBuZAUFJcta2B5i/lzeHHbnfkNFAfFXLVFYQ=
google.golang.org/grpc v1.20.0/go.mod h1:chYK+tFQF0nDUGJgXMSgLCQk3phJEuONr2DCgLDdAQM=
google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg=
google.golang.org/grpc v1.25.1 h1:wdKvqQk7IttEw92GoRyKG2IDrUIpgpj6H6m81yfeMW0=
google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY=
@ -298,8 +262,6 @@ gopkg.in/fsnotify.v1 v1.4.7 h1:xOHLXZwVvI9hhs+cLKq5+I5onOuwQLhQwiu63xxlHs4=
gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys=
gopkg.in/go-gorp/gorp.v2 v2.0.1-0.20180410155428-6032c66e0f5f h1:OuFU7cfzlNAFNOXX0F3uy5jrC8YHSR0UeNponDkdZO8=
gopkg.in/go-gorp/gorp.v2 v2.0.1-0.20180410155428-6032c66e0f5f/go.mod h1:eJwu1bWCXesk9aw26U78PFtctx3Y8haXGmL7x3VJlrw=
gopkg.in/square/go-jose.v2 v2.4.0 h1:0kXPskUMGAXXWJlP05ktEMOV0vmzFQUWw6d+aZJQU8A=
gopkg.in/square/go-jose.v2 v2.4.0/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI=
gopkg.in/square/go-jose.v2 v2.4.1 h1:H0TmLt7/KmzlrDOpa1F+zr0Tk90PbJYBfsVUmRLrf9Y=
gopkg.in/square/go-jose.v2 v2.4.1/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI=
gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 h1:uRGJdciOHaEIrze2W8Q3AKkepLTh2hOroT7a+7czfdQ=


@ -1,123 +0,0 @@
# Created by https://www.gitignore.io/api/osx,intellij,go
### OSX ###
*.DS_Store
.AppleDouble
.LSOverride
# Icon must end with two \r
Icon
# Thumbnails
._*
# Files that might appear in the root of a volume
.DocumentRevisions-V100
.fseventsd
.Spotlight-V100
.TemporaryItems
.Trashes
.VolumeIcon.icns
.com.apple.timemachine.donotpresent
# Directories potentially created on remote AFP share
.AppleDB
.AppleDesktop
Network Trash Folder
Temporary Items
.apdisk
### Vim ###
*.swp
### Intellij ###
# Covers JetBrains IDEs: IntelliJ, RubyMine, PhpStorm, AppCode, PyCharm, CLion, Android Studio and Webstorm
# Reference: https://intellij-support.jetbrains.com/hc/en-us/articles/206544839
# User-specific stuff:
.idea/workspace.xml
.idea/tasks.xml
# Sensitive or high-churn files:
.idea/dataSources/
.idea/dataSources.ids
.idea/dataSources.xml
.idea/dataSources.local.xml
.idea/sqlDataSources.xml
.idea/dynamic.xml
.idea/uiDesigner.xml
# Gradle:
.idea/gradle.xml
.idea/libraries
# Mongo Explorer plugin:
.idea/mongoSettings.xml
## File-based project format:
*.iws
## Plugin-specific files:
# IntelliJ
/out/
# mpeltonen/sbt-idea plugin
.idea_modules/
# JIRA plugin
atlassian-ide-plugin.xml
# Crashlytics plugin (for Android Studio and IntelliJ)
com_crashlytics_export_strings.xml
crashlytics.properties
crashlytics-build.properties
fabric.properties
### Intellij Patch ###
# Comment Reason: https://github.com/joeblau/gitignore.io/issues/186#issuecomment-215987721
*.iml
.idea
# modules.xml
# .idea/misc.xml
# *.ipr
### Go ###
# Compiled Object files, Static and Dynamic libs (Shared Objects)
*.o
*.a
*.so
# Folders
_obj
_test
# Architecture specific extensions/prefixes
*.[568vq]
[568vq].out
*.cgo1.go
*.cgo2.c
_cgo_defun.c
_cgo_gotypes.go
_cgo_export.*
_testmain.go
*.exe
*.test
*.prof
# Output of the go coverage tool, specifically when used with LiteIDE
*.out
# external packages folder
0
### Build Targets ###
/zlint
cmd/zlint/zlint
/zlint-gtld-update
cmd/zlint-gtld-update/zlint-gtld-update
### Integration test data ###
data


@ -1,24 +0,0 @@
language: go
dist: trusty
go:
- "1.13.x"
script:
# Fast-fail on non-zero exit codes
- set -e
# Build commands
- make
# Verify that all files have been gofmt'd with simplification
- make format-check
# Run unit tests
- make test
# Run integration tests
- make integration PARALLELISM=3
notifications:
email:
- dkumar11@illinois.edu
slack:
secure: 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

vendor/github.com/zmap/zlint/LICENSE generated vendored

@ -1,202 +0,0 @@
Apache License
Version 2.0, January 2004
http://www.apache.org/licenses/
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
1. Definitions.
"License" shall mean the terms and conditions for use, reproduction,
and distribution as defined by Sections 1 through 9 of this document.
"Licensor" shall mean the copyright owner or entity authorized by
the copyright owner that is granting the License.
"Legal Entity" shall mean the union of the acting entity and all
other entities that control, are controlled by, or are under common
control with that entity. For the purposes of this definition,
"control" means (i) the power, direct or indirect, to cause the
direction or management of such entity, whether by contract or
otherwise, or (ii) ownership of fifty percent (50%) or more of the
outstanding shares, or (iii) beneficial ownership of such entity.
"You" (or "Your") shall mean an individual or Legal Entity
exercising permissions granted by this License.
"Source" form shall mean the preferred form for making modifications,
including but not limited to software source code, documentation
source, and configuration files.
"Object" form shall mean any form resulting from mechanical
transformation or translation of a Source form, including but
not limited to compiled object code, generated documentation,
and conversions to other media types.
"Work" shall mean the work of authorship, whether in Source or
Object form, made available under the License, as indicated by a
copyright notice that is included in or attached to the work
(an example is provided in the Appendix below).
"Derivative Works" shall mean any work, whether in Source or Object
form, that is based on (or derived from) the Work and for which the
editorial revisions, annotations, elaborations, or other modifications
represent, as a whole, an original work of authorship. For the purposes
of this License, Derivative Works shall not include works that remain
separable from, or merely link (or bind by name) to the interfaces of,
the Work and Derivative Works thereof.
"Contribution" shall mean any work of authorship, including
the original version of the Work and any modifications or additions
to that Work or Derivative Works thereof, that is intentionally
submitted to Licensor for inclusion in the Work by the copyright owner
or by an individual or Legal Entity authorized to submit on behalf of
the copyright owner. For the purposes of this definition, "submitted"
means any form of electronic, verbal, or written communication sent
to the Licensor or its representatives, including but not limited to
communication on electronic mailing lists, source code control systems,
and issue tracking systems that are managed by, or on behalf of, the
Licensor for the purpose of discussing and improving the Work, but
excluding communication that is conspicuously marked or otherwise
designated in writing by the copyright owner as "Not a Contribution."
"Contributor" shall mean Licensor and any individual or Legal Entity
on behalf of whom a Contribution has been received by Licensor and
subsequently incorporated within the Work.
2. Grant of Copyright License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
copyright license to reproduce, prepare Derivative Works of,
publicly display, publicly perform, sublicense, and distribute the
Work and such Derivative Works in Source or Object form.
3. Grant of Patent License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
(except as stated in this section) patent license to make, have made,
use, offer to sell, sell, import, and otherwise transfer the Work,
where such license applies only to those patent claims licensable
by such Contributor that are necessarily infringed by their
Contribution(s) alone or by combination of their Contribution(s)
with the Work to which such Contribution(s) was submitted. If You
institute patent litigation against any entity (including a
cross-claim or counterclaim in a lawsuit) alleging that the Work
or a Contribution incorporated within the Work constitutes direct
or contributory patent infringement, then any patent licenses
granted to You under this License for that Work shall terminate
as of the date such litigation is filed.
4. Redistribution. You may reproduce and distribute copies of the
Work or Derivative Works thereof in any medium, with or without
modifications, and in Source or Object form, provided that You
meet the following conditions:
(a) You must give any other recipients of the Work or
Derivative Works a copy of this License; and
(b) You must cause any modified files to carry prominent notices
stating that You changed the files; and
(c) You must retain, in the Source form of any Derivative Works
that You distribute, all copyright, patent, trademark, and
attribution notices from the Source form of the Work,
excluding those notices that do not pertain to any part of
the Derivative Works; and
(d) If the Work includes a "NOTICE" text file as part of its
distribution, then any Derivative Works that You distribute must
include a readable copy of the attribution notices contained
within such NOTICE file, excluding those notices that do not
pertain to any part of the Derivative Works, in at least one
of the following places: within a NOTICE text file distributed
as part of the Derivative Works; within the Source form or
documentation, if provided along with the Derivative Works; or,
within a display generated by the Derivative Works, if and
wherever such third-party notices normally appear. The contents
of the NOTICE file are for informational purposes only and
do not modify the License. You may add Your own attribution
notices within Derivative Works that You distribute, alongside
or as an addendum to the NOTICE text from the Work, provided
that such additional attribution notices cannot be construed
as modifying the License.
You may add Your own copyright statement to Your modifications and
may provide additional or different license terms and conditions
for use, reproduction, or distribution of Your modifications, or
for any such Derivative Works as a whole, provided Your use,
reproduction, and distribution of the Work otherwise complies with
the conditions stated in this License.
5. Submission of Contributions. Unless You explicitly state otherwise,
any Contribution intentionally submitted for inclusion in the Work
by You to the Licensor shall be under the terms and conditions of
this License, without any additional terms or conditions.
Notwithstanding the above, nothing herein shall supersede or modify
the terms of any separate license agreement you may have executed
with Licensor regarding such Contributions.
6. Trademarks. This License does not grant permission to use the trade
names, trademarks, service marks, or product names of the Licensor,
except as required for reasonable and customary use in describing the
origin of the Work and reproducing the content of the NOTICE file.
7. Disclaimer of Warranty. Unless required by applicable law or
agreed to in writing, Licensor provides the Work (and each
Contributor provides its Contributions) on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
implied, including, without limitation, any warranties or conditions
of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
PARTICULAR PURPOSE. You are solely responsible for determining the
appropriateness of using or redistributing the Work and assume any
risks associated with Your exercise of permissions under this License.
8. Limitation of Liability. In no event and under no legal theory,
whether in tort (including negligence), contract, or otherwise,
unless required by applicable law (such as deliberate and grossly
negligent acts) or agreed to in writing, shall any Contributor be
liable to You for damages, including any direct, indirect, special,
incidental, or consequential damages of any character arising as a
result of this License or out of the use or inability to use the
Work (including but not limited to damages for loss of goodwill,
work stoppage, computer failure or malfunction, or any and all
other commercial damages or losses), even if such Contributor
has been advised of the possibility of such damages.
9. Accepting Warranty or Additional Liability. While redistributing
the Work or Derivative Works thereof, You may choose to offer,
and charge a fee for, acceptance of support, warranty, indemnity,
or other liability obligations and/or rights consistent with this
License. However, in accepting such obligations, You may act only
on Your own behalf and on Your sole responsibility, not on behalf
of any other Contributor, and only if You agree to indemnify,
defend, and hold each Contributor harmless for any liability
incurred by, or claims asserted against, such Contributor by reason
of your accepting any such warranty or additional liability.
END OF TERMS AND CONDITIONS
APPENDIX: How to apply the Apache License to your work.
To apply the Apache License to your work, attach the following
boilerplate notice, with the fields enclosed by brackets "{}"
replaced with your own identifying information. (Don't include
the brackets!) The text should be enclosed in the appropriate
comment syntax for the file format. We also recommend that a
file or class name and description of purpose be included on the
same "printed page" as the copyright notice for easier
identification within third-party archives.
Copyright 2017 Regents of the University of Michigan
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.


@ -1,221 +0,0 @@
ZLint
=====
[![Build Status](https://travis-ci.org/zmap/zlint.svg?branch=master)](https://travis-ci.org/zmap/zlint)
[![Go Report Card](https://goreportcard.com/badge/github.com/zmap/zlint)](https://goreportcard.com/report/github.com/zmap/zlint)
ZLint is a X.509 certificate linter written in Go that checks for consistency
with [RFC 5280](https://www.ietf.org/rfc/rfc5280.txt) and the CA/Browser Forum
Baseline Requirements
([v.1.4.8](https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.4.8.pdf)).
A detailed list of BR coverage can be found here:
https://docs.google.com/spreadsheets/d/1ywp0op9mkTaggigpdF2YMTubepowJ50KQBhc_b00e-Y.
Requirements
------------
ZLint requires [Go 1.13.x or newer](https://golang.org/doc/install) be
installed. The command line setup instructions assume the `go` command is in
your `$PATH`.
Versioning
----------
ZLint aims to follow [semantic versioning](https://semver.org/). The addition of
new lints will generally result in a MINOR version revision. Since downstream
projects depend on lint results and names for policy decisions changes of this
nature will result in MAJOR version revision.
Command Line Usage
------------------
ZLint can be used on the command-line through a simple bundled executable
_ZLint_ as well as through
[ZCertificate](https://github.com/zmap/zcertificate), a more full-fledged
command-line certificate parser that links against ZLint.
Example ZLint CLI usage:
go get github.com/zmap/zlint/cmd/zlint
zlint mycert.pem
Library Usage
-------------
ZLint can also be used as a library:
```go
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint"
)
parsed, err := x509.ParseCertificate(raw)
if err != nil {
// The certificate could not be parsed. Either error or halt.
log.Fatalf("could not parse certificate: %s", err)
}
zlintResultSet := zlint.LintCertificate(parsed)
```
See https://github.com/zmap/zlint/blob/master/cmd/zlint/main.go for an example.
Adding New Lints
----------------
**Generating Lint Scaffolding.** The scaffolding for a new lints can be created
by running `./newLint.sh <lint_name> <structName>`. Lint names are generally of
the form `e_subject_common_name_not_from_san` where the first letter is one of:
`e`, `w`, or `n` (error, warning, or notice respectively). Struct names
following Go conventions, e.g., `subjectCommonNameNotFromSAN`. Example:
`./newLint.sh e_subject_common_name_not_from_san subjectCommonNameNotFromSAN`.
This will generate a new lint in the `lints` directory with the necessary
fields filled out.
**Choosing a Lint Result Level.** When choosing what `lints.LintStatus` your new
lint should return (e.g. `Notice`,`Warn`, `Error`, or `Fatal`) the following
general guidance may help. `Error` should be used for clear violations of RFC/BR
`MUST` or `MUST NOT` requirements and include strong citations. `Warn` should be
used for violations of RFC/BR `SHOULD` or `SHOULD NOT` requirements and again
should include strong citations. `Notice` should be used for more general "FYI"
statements that violate non-codified community standards or for cases where
citations are unclear. Lastly `Fatal` should be used when there is an
unresolvable error in `zlint`, `zcrypto` or some other part of the certificate
processing.
**Scoping a Lint.** Lints are executed in three steps. First, the ZLint
framework determines whether a certificate falls within the scope of a given
lint by calling `CheckApplies`. This is often used to scope lints to only check
subscriber, intermediate CA, or root CAs. This function commonly calls one of a
select number of helper functions: `IsCA`, `IsSubscriber`, `IsExtInCert`, or
`DNSNamesExist`. Example:
```go
func (l *caCRLSignNotSet) CheckApplies(c *x509.Certificate) bool {
return c.IsCA && util.IsExtInCert(c, util.KeyUsageOID)
}
```
Next, the framework determines whether the certificate was issued after the
effective date of a Lint by checking whether the certificate was issued prior
to the lint's `EffectiveDate`. You'll also need to fill out the source and
description of what the lint is checking. We encourage you to copy text
directly from the BR or RFC here. Example:
```go
func init() {
RegisterLint(&Lint{
Name: "e_ca_country_name_missing",
Description: "Root and Subordinate CA certificates MUST have a countryName present in subject information",
Citation: "BRs: 7.1.2.1",
EffectiveDate: util.CABEffectiveDate,
Test: &caCountryNameMissing{},
})
}
```
The meat of the lint is contained within the `RunTest` function, which is
passed `x509.Certificate`. **Note:** This is an X.509 object from
[ZCrypto](https://github.com/zmap/zcrypto) not the Go standard library. Lints
should perform their described test and then return a `ResultStruct` that
contains a Result and optionally a `Details` string, e.g.,
`ResultStruct{Result: Pass}`. If you encounter a situation in which you
typically would return a Go `error` object, instead return
`ResultStruct{Result: Fatal}`.
Example:
```go
func (l *caCRLSignNotSet) RunTest(c *x509.Certificate) *ResultStruct {
if c.KeyUsage&x509.KeyUsageCRLSign != 0 {
return &ResultStruct{Result: Pass}
}
return &ResultStruct{Result: Error}
}
```
**Creating Unit Tests.** Every lint should also have two corresponding unit
tests for a success and failure condition. We have typically generated test
certificates using Go (see https://golang.org/pkg/crypto/x509/#CreateCertificate
for details), but OpenSSL could also be used. Test certificates should be placed
in `testlint/testCerts` and called from the test file created by `newLint.sh`.
Prepend the PEM with the output of `openssl x509 -text`.
Example:
```go
func TestBasicConstNotCritical(t *testing.T) {
// Only need to change these two values and the lint name
inputPath := "../testlint/testCerts/caBasicConstNotCrit.pem"
expected := Error
out, _ := Lints["e_basic_constraints_not_critical"].ExecuteTest(ReadCertificate(inputPath))
if out.Result != expected {
t.Errorf("%s: expected %s, got %s", inputPath, expected, out.Status)
}
}
```
**Integration Tests.** ZLint's [continuous
integration](https://travis-ci.org/zmap/zlint) includes an integration test
phase where all lints are run against a large corpus of certificates. The number
of notice, warning, error and fatal results for each lint are captured and
compared to a set of expected values in a configuration file. You may need to
update these expected values when you add/change lints. Please see the
[integration tests
README](https://github.com/zmap/zlint/blob/master/integration/README.md) for
more information.
Updating the TLD Map
--------------------
ZLint maintains [a map of
top-level-domains](https://github.com/zmap/zlint/blob/master/util/gtld_map.go)
and their validity periods that is referenced by linters. As ICANN adds and
removes TLDs this map need to be updated. To do so, ensure the
`zlint-gtld-update` command is installed and in your `$PATH` and run `go
generate`:
go get github.com/zmap/zlint/cmd/zlint-gtld-update
go generate github.com/zmap/zlint/...
Zlint Users/Integrations
-------------------------
Pre-issuance linting is **strongly recommended** by the [Mozilla root
program](https://wiki.allizom.org/CA/Required_or_Recommended_Practices#Pre-Issuance_Linting).
Here are some projects/CAs known to integrate with ZLint in some fashion:
* [Camerfirma](https://bugzilla.mozilla.org/show_bug.cgi?id=1556806#c5)
* [CFSSL](https://github.com/cloudflare/cfssl/pull/1015)
* [Sectigo and crt.sh](https://groups.google.com/forum/#!msg/mozilla.dev.security.policy/sjXswrcsvrE/Nl3OLd4PAAAJ)
* [Digicert](https://bugzilla.mozilla.org/show_bug.cgi?id=1550645#c9)
* [EJBCA](https://download.primekey.com/docs/EJBCA-Enterprise/6_11_1/adminguide.html#Post%20Processing%20Validators%20(Pre-Certificate%20or%20Certificate%20Validation))
* [Government of Spain, FNMT](https://bugzilla.mozilla.org/show_bug.cgi?id=1495507#c8)
* [Globalsign](https://cabforum.org/pipermail/public/2018-April/013233.html)
* [GoDaddy](https://bugzilla.mozilla.org/show_bug.cgi?id=1462844#c6)
* [Izenpe](https://bugzilla.mozilla.org/show_bug.cgi?id=1528290#c5)
* [Let's Encrypt](https://letsencrypt.org) and [Boulder](https://github.com/letsencrypt/boulder)
* [Siemens](https://bugzilla.mozilla.org/show_bug.cgi?id=1391063#c32)
* [QuoVadis](https://bugzilla.mozilla.org/show_bug.cgi?id=1521950#c3)
Please submit a pull request to update the README if you are aware of
another CA/project that uses zlint.
License and Copyright
---------------------
ZMap Copyright 2019 Regents of the University of Michigan
Licensed under the Apache License, Version 2.0 (the "License"); you may not use
this file except in compliance with the License. You may obtain a copy of the
License at http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed
under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
CONDITIONS OF ANY KIND, either express or implied. See LICENSE for the specific
language governing permissions and limitations under the License.

12
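--- a/vendor/github.com/zmap/zlint/go.mod
+++ b/vendor/github.com/zmap/zlint/go.mod
@@ -1,12 +0,0 @@
-module github.com/zmap/zlint
-require (
-github.com/sirupsen/logrus v1.3.0
-github.com/weppos/publicsuffix-go v0.4.0
-github.com/zmap/zcrypto v0.0.0-20191112190257-7f2fe6faf8cf
-golang.org/x/crypto v0.0.0-20190701094942-4def268fd1a4
-golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3
-golang.org/x/text v0.3.0
-)
-go 1.13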

45
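--- a/vendor/github.com/zmap/zlint/go.sum
+++ b/vendor/github.com/zmap/zlint/go.sum
@@ -1,45 +0,0 @@
-github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
-github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/konsorten/go-windows-terminal-sequences v1.0.1 h1:mweAR1A6xJ3oS2pRaGiHgQ4OO8tzTaLawm8vnODuwDk=
-github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
-github.com/kr/pretty v0.1.0 h1:L/CwN0zerZDmRFUapSPitk6f+Q3+0za1rQkzVuMiMFI=
-github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
-github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
-github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE=
-github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
-github.com/mreiferson/go-httpclient v0.0.0-20160630210159-31f0106b4474/go.mod h1:OQA4XLvDbMgS8P0CevmM4m9Q3Jq4phKUzcocxuGJ5m8=
-github.com/op/go-logging v0.0.0-20160315200505-970db520ece7/go.mod h1:HzydrMdWErDVzsI23lYNej1Htcns9BCg93Dk0bBINWk=
-github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
-github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/sirupsen/logrus v1.3.0 h1:hI/7Q+DtNZ2kINb6qt/lS+IyXnHQe9e90POfeewL/ME=
-github.com/sirupsen/logrus v1.3.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo=
-github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
-github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
-github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
-github.com/stretchr/testify v1.3.0 h1:TivCn/peBQ7UY8ooIcPgZFpTNSz0Q2U6UrFlUfqbe0Q=
-github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
-github.com/weppos/publicsuffix-go v0.4.0 h1:YSnfg3V65LcCFKtIGKGoBhkyKolEd0hlipcXaOjdnQw=
-github.com/weppos/publicsuffix-go v0.4.0/go.mod h1:z3LCPQ38eedDQSwmsSRW4Y7t2L8Ln16JPQ02lHAdn5k=
-github.com/zmap/rc2 v0.0.0-20131011165748-24b9757f5521/go.mod h1:3YZ9o3WnatTIZhuOtot4IcUfzoKVjUHqu6WALIyI0nE=
-github.com/zmap/zcertificate v0.0.0-20180516150559-0e3d58b1bac4/go.mod h1:5iU54tB79AMBcySS0R2XIyZBAVmeHranShAFELYx7is=
-github.com/zmap/zcrypto v0.0.0-20190729165852-9051775e6a2e h1:mvOa4+/DXStR4ZXOks/UsjeFdn5O5JpLUtzqk9U8xXw=
-github.com/zmap/zcrypto v0.0.0-20190729165852-9051775e6a2e/go.mod h1:w7kd3qXHh8FNaczNjslXqvFQiv5mMWRXlL9klTUAHc8=
-github.com/zmap/zcrypto v0.0.0-20191112190257-7f2fe6faf8cf h1:Q9MiSA+G9DHe/TzG8pnycDn3HwpQuTygphu9M/7KYqU=
-github.com/zmap/zcrypto v0.0.0-20191112190257-7f2fe6faf8cf/go.mod h1:w7kd3qXHh8FNaczNjslXqvFQiv5mMWRXlL9klTUAHc8=
-golang.org/x/crypto v0.0.0-20180904163835-0709b304e793 h1:u+LnwYTOOW7Ukr/fppxEb1Nwz0AtPflrblfvUudpo+I=
-golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
-golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
-golang.org/x/crypto v0.0.0-20190701094942-4def268fd1a4 h1:HuIa8hRrWRSrqYzx1qI49NNxhdi2PrY7gxVSq1JjLDc=
-golang.org/x/crypto v0.0.0-20190701094942-4def268fd1a4/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3 h1:0GoQqolDA55aaLxZyTzK/Y2ePZzZTUrRacwib7cNsYQ=
-golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
-golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33 h1:I6FyU15t786LL7oL/hn43zqTuEGr4PN7F4XJ1p4E3Y8=
-golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20190412213103-97732733099d h1:+R4KGOnez64A81RvjARKc4UT5/tI9ujCIVX+P5KiHuI=
-golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/text v0.3.0 h1:g61tztE5qeGQ89tm6NTjjM9VPIm088od1l6aSorWRWg=
-golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
-gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127 h1:qIbj1fsPNlZgppZ+VLlY7N33q108Sa+fhmuc+sWQYwY=
-gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=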


@ -1,127 +0,0 @@
package lints
/*
* ZLint Copyright 2017 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
import (
"time"
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/util"
)
var (
// Lints is a map of all known lints by name. Add a Lint to the map by calling
// RegisterLint.
Lints = make(map[string]*Lint)
)
// LintInterface is implemented by each Lint.
type LintInterface interface {
// Initialize runs once per-lint. It is called during RegisterLint().
Initialize() error
// CheckApplies runs once per certificate. It returns true if the Lint should
// run on the given certificate. If CheckApplies returns false, the Lint
// result is automatically set to NA without calling CheckEffective() or
// Run().
CheckApplies(c *x509.Certificate) bool
// Execute() is the body of the lint. It is called for every certificate for
// which CheckApplies() returns true.
Execute(c *x509.Certificate) *LintResult
}
// An Enum to programmatically represent the source of a lint
type LintSource int
const (
UnknownLintSource LintSource = iota
CABFBaselineRequirements
RFC5280
RFC5480
RFC5891
ZLint
AWSLabs
EtsiEsi // ETSI - Electronic Signatures and Infrastructures (ESI)
CABFEVGuidelines
AppleCTPolicy // https://support.apple.com/en-us/HT205280
)
// A Lint struct represents a single lint, e.g.
// "e_basic_constraints_not_critical". It contains an implementation of LintInterface.
type Lint struct {
// Name is a lowercase underscore-separated string describing what a given
// Lint checks. If Name beings with "w", the lint MUST NOT return Error, only
// Warn. If Name beings with "e", the Lint MUST NOT return Warn, only Error.
Name string `json:"name,omitempty"`
// A human-readable description of what the Lint checks. Usually copied
// directly from the CA/B Baseline Requirements or RFC 5280.
Description string `json:"description,omitempty"`
// The source of the check, e.g. "BRs: 6.1.6" or "RFC 5280: 4.1.2.6".
Citation string `json:"citation,omitempty"`
// Programmatic source of the check, BRs, RFC5280, or ZLint
Source LintSource `json:"-"`
// Lints automatically returns NE for all certificates where CheckApplies() is
// true but with NotBefore < EffectiveDate. This check is bypassed if
// EffectiveDate is zero.
EffectiveDate time.Time `json:"-"`
// The implementation of the lint logic.
Lint LintInterface `json:"-"`
}
// CheckEffective returns true if c was issued on or after the EffectiveDate. If
// EffectiveDate is zero, CheckEffective always returns true.
func (l *Lint) CheckEffective(c *x509.Certificate) bool {
if l.EffectiveDate.IsZero() || !l.EffectiveDate.After(c.NotBefore) {
return true
}
return false
}
// Execute runs the lint against a certificate. For lints that are
// sourced from the CA/B Forum Baseline Requirements, we first determine
// if they are within the purview of the BRs. See LintInterface for details
// about the other methods called. The ordering is as follows:
//
// CheckApplies()
// CheckEffective()
// Execute()
func (l *Lint) Execute(cert *x509.Certificate) *LintResult {
if l.Source == CABFBaselineRequirements && !util.IsServerAuthCert(cert) {
return &LintResult{Status: NA}
}
if !l.Lint.CheckApplies(cert) {
return &LintResult{Status: NA}
} else if !l.CheckEffective(cert) {
return &LintResult{Status: NE}
}
res := l.Lint.Execute(cert)
return res
}
// RegisterLint must be called once for each lint to be excuted. Duplicate lint
// names are squashed. Normally, RegisterLint is called during init().
func RegisterLint(l *Lint) {
if err := l.Lint.Initialize(); err != nil {
panic("could not initialize lint: " + l.Name + ": " + err.Error())
}
Lints[l.Name] = l
}


@ -1,66 +0,0 @@
package lints
/*
* ZLint Copyright 2017 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/util"
)
/************************************************
RFC 5280: 4.2.1.9
Conforming CAs MUST include this extension in all CA certificates that contain
public keys used to validate digital signatures on certificates and MUST mark
the extension as critical in such certificates. This extension MAY appear as a
critical or non- critical extension in CA certificates that contain public keys
used exclusively for purposes other than validating digital signatures on
certificates. Such CA certificates include ones that contain public keys used
exclusively for validating digital signatures on CRLs and ones that contain key
management public keys used with certificate.
************************************************/
type basicConstCrit struct{}
func (l *basicConstCrit) Initialize() error {
return nil
}
func (l *basicConstCrit) CheckApplies(c *x509.Certificate) bool {
return c.IsCA && util.IsExtInCert(c, util.BasicConstOID)
}
func (l *basicConstCrit) Execute(c *x509.Certificate) *LintResult {
// Add actual lint here
if e := util.GetExtFromCert(c, util.BasicConstOID); e != nil {
if e.Critical {
return &LintResult{Status: Pass}
} else {
return &LintResult{Status: Error}
}
} else {
return &LintResult{Status: NA}
}
}
func init() {
RegisterLint(&Lint{
Name: "e_basic_constraints_not_critical",
Description: "basicConstraints MUST appear as a critical extension",
Citation: "RFC 5280: 4.2.1.9",
Source: RFC5280,
EffectiveDate: util.RFC2459Date,
Lint: &basicConstCrit{},
})
}


@ -1,49 +0,0 @@
package lints
/*
* ZLint Copyright 2017 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/util"
)
type caCommonNameMissing struct{}
func (l *caCommonNameMissing) Initialize() error {
return nil
}
func (l *caCommonNameMissing) CheckApplies(c *x509.Certificate) bool {
return util.IsCACert(c)
}
func (l *caCommonNameMissing) Execute(c *x509.Certificate) *LintResult {
if c.Subject.CommonName == "" {
return &LintResult{Status: Error}
} else {
return &LintResult{Status: Pass}
}
}
func init() {
RegisterLint(&Lint{
Name: "e_ca_common_name_missing",
Description: "CA Certificates common name MUST be included.",
Citation: "BRs: 7.1.4.3.1",
Source: CABFBaselineRequirements,
EffectiveDate: util.CABV148Date,
Lint: &caCommonNameMissing{},
})
}


@ -1,62 +0,0 @@
package lints
/*
* ZLint Copyright 2017 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/util"
)
/************************************************
BRs: 7.1.2.1e
The Certificate Subject MUST contain the following:
countryName (OID 2.5.4.6).
This field MUST contain the twoletter ISO 31661 country code for the country
in which the CAs place of business is located.
************************************************/
type caCountryNameInvalid struct{}
func (l *caCountryNameInvalid) Initialize() error {
return nil
}
func (l *caCountryNameInvalid) CheckApplies(c *x509.Certificate) bool {
return c.IsCA
}
func (l *caCountryNameInvalid) Execute(c *x509.Certificate) *LintResult {
if c.Subject.Country != nil {
for _, j := range c.Subject.Country {
if !util.IsISOCountryCode(j) {
return &LintResult{Status: Error}
}
}
return &LintResult{Status: Pass}
} else {
return &LintResult{Status: NA}
}
}
func init() {
RegisterLint(&Lint{
Name: "e_ca_country_name_invalid",
Description: "Root and Subordinate CA certificates MUST have a two-letter country code specified in ISO 3166-1",
Citation: "BRs: 7.1.2.1",
Source: CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &caCountryNameInvalid{},
})
}


@ -1,57 +0,0 @@
package lints
/*
* ZLint Copyright 2017 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/util"
)
/************************************************
BRs: 7.1.2.1e
The Certificate Subject MUST contain the following:
countryName (OID 2.5.4.6).
This field MUST contain the twoletter ISO 31661 country code for the country
in which the CAs place of business is located.
************************************************/
type caCountryNameMissing struct{}
func (l *caCountryNameMissing) Initialize() error {
return nil
}
func (l *caCountryNameMissing) CheckApplies(c *x509.Certificate) bool {
return c.IsCA
}
func (l *caCountryNameMissing) Execute(c *x509.Certificate) *LintResult {
if c.Subject.Country != nil && c.Subject.Country[0] != "" {
return &LintResult{Status: Pass}
} else {
return &LintResult{Status: Error}
}
}
func init() {
RegisterLint(&Lint{
Name: "e_ca_country_name_missing",
Description: "Root and Subordinate CA certificates MUST have a countryName present in subject information",
Citation: "BRs: 7.1.2.1",
Source: CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &caCountryNameMissing{},
})
}


@ -1,56 +0,0 @@
package lints
/*
* ZLint Copyright 2017 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/util"
)
/************************************************
BRs: 7.1.2.1b
This extension MUST be present and MUST be marked critical. Bit positions for
keyCertSign and cRLSign MUST be set. If the Root CA Private Key is used for
signing OCSP responses, then the digitalSignature bit MUST be set.
************************************************/
type caCRLSignNotSet struct{}
func (l *caCRLSignNotSet) Initialize() error {
return nil
}
func (l *caCRLSignNotSet) CheckApplies(c *x509.Certificate) bool {
return c.IsCA && util.IsExtInCert(c, util.KeyUsageOID)
}
func (l *caCRLSignNotSet) Execute(c *x509.Certificate) *LintResult {
if c.KeyUsage&x509.KeyUsageCRLSign != 0 {
return &LintResult{Status: Pass}
} else {
return &LintResult{Status: Error}
}
}
func init() {
RegisterLint(&Lint{
Name: "e_ca_crl_sign_not_set",
Description: "Root and Subordinate CA certificate keyUsage extension's crlSign bit MUST be set",
Citation: "BRs: 7.1.2.1",
Source: CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &caCRLSignNotSet{},
})
}


@ -1,55 +0,0 @@
package lints
/*
* ZLint Copyright 2018 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
/************************************************
BRs: 7.1.2.1b
This extension MUST be present and MUST be marked critical. Bit positions for keyCertSign and cRLSign MUST be set.
If the Root CA Private Key is used for signing OCSP responses, then the digitalSignature bit MUST be set.
************************************************/
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/util"
)
type caDigSignNotSet struct{}
func (l *caDigSignNotSet) Initialize() error {
return nil
}
func (l *caDigSignNotSet) CheckApplies(c *x509.Certificate) bool {
return c.IsCA && util.IsExtInCert(c, util.KeyUsageOID)
}
func (l *caDigSignNotSet) Execute(c *x509.Certificate) *LintResult {
if c.KeyUsage&x509.KeyUsageDigitalSignature != 0 {
return &LintResult{Status: Pass}
} else {
return &LintResult{Status: Notice}
}
}
func init() {
RegisterLint(&Lint{
Name: "n_ca_digital_signature_not_set",
Description: "Root and Subordinate CA Certificates that wish to use their private key for signing OCSP responses will not be able to without their digital signature set",
Citation: "BRs: 7.1.2.1",
Source: CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &caDigSignNotSet{},
})
}


@ -1,62 +0,0 @@
package lints
/*
* ZLint Copyright 2018 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
import (
"encoding/asn1"
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/util"
)
type caIsCA struct{}
type basicConstraints struct {
IsCA bool `asn1:"optional"`
MaxPathLen int `asn1:"optional,default:-1"`
}
func (l *caIsCA) Initialize() error {
return nil
}
func (l *caIsCA) CheckApplies(c *x509.Certificate) bool {
return util.IsExtInCert(c, util.KeyUsageOID) && c.KeyUsage&x509.KeyUsageCertSign != 0 && util.IsExtInCert(c, util.BasicConstOID)
}
func (l *caIsCA) Execute(c *x509.Certificate) *LintResult {
e := util.GetExtFromCert(c, util.BasicConstOID)
var constraints basicConstraints
_, err := asn1.Unmarshal(e.Value, &constraints)
if err != nil {
return &LintResult{Status: Fatal}
}
if constraints.IsCA == true {
return &LintResult{Status: Pass}
} else {
return &LintResult{Status: Error}
}
}
func init() {
RegisterLint(&Lint{
Name: "e_ca_is_ca",
Description: "Root and Sub CA Certificate: The CA field MUST be set to true.",
Citation: "BRs: 7.1.2.1, BRs: 7.1.2.2",
Source: CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &caIsCA{},
})
}


@ -1,55 +0,0 @@
package lints
/*
* ZLint Copyright 2018 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
/************************************************
BRs: 7.1.2.1b
This extension MUST be present and MUST be marked critical. Bit positions for keyCertSign and cRLSign MUST be set.
If the Root CA Private Key is used for signing OCSP responses, then the digitalSignature bit MUST be set.
************************************************/
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/util"
)
type caKeyCertSignNotSet struct{}
func (l *caKeyCertSignNotSet) Initialize() error {
return nil
}
func (l *caKeyCertSignNotSet) CheckApplies(c *x509.Certificate) bool {
return c.IsCA && util.IsExtInCert(c, util.KeyUsageOID)
}
func (l *caKeyCertSignNotSet) Execute(c *x509.Certificate) *LintResult {
if c.KeyUsage&x509.KeyUsageCertSign != 0 {
return &LintResult{Status: Pass}
} else {
return &LintResult{Status: Error}
}
}
func init() {
RegisterLint(&Lint{
Name: "e_ca_key_cert_sign_not_set",
Description: "Root CA Certificate: Bit positions for keyCertSign and cRLSign MUST be set.",
Citation: "BRs: 7.1.2.1",
Source: CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &caKeyCertSignNotSet{},
})
}


@ -1,57 +0,0 @@
package lints
/*
* ZLint Copyright 2018 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
/************************************************
RFC 5280: 4.2.1.3
Conforming CAs MUST include this extension in certificates that
contain public keys that are used to validate digital signatures on
other public key certificates or CRLs. When present, conforming CAs
SHOULD mark this extension as critical.
************************************************/
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/util"
)
type caKeyUsageMissing struct{}
func (l *caKeyUsageMissing) Initialize() error {
return nil
}
func (l *caKeyUsageMissing) CheckApplies(c *x509.Certificate) bool {
return c.IsCA
}
func (l *caKeyUsageMissing) Execute(c *x509.Certificate) *LintResult {
if c.KeyUsage != x509.KeyUsage(0) {
return &LintResult{Status: Pass}
} else {
return &LintResult{Status: Error}
}
}
func init() {
RegisterLint(&Lint{
Name: "e_ca_key_usage_missing",
Description: "Root and Subordinate CA certificate keyUsage extension MUST be present",
Citation: "BRs: 7.1.2.1, RFC 5280: 4.2.1.3",
Source: CABFBaselineRequirements,
EffectiveDate: util.RFC3280Date,
Lint: &caKeyUsageMissing{},
})
}


@ -1,55 +0,0 @@
package lints
/*
* ZLint Copyright 2018 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
/************************************************
BRs: 7.1.2.1b
This extension MUST be present and MUST be marked critical. Bit positions for keyCertSign and cRLSign MUST be set.
If the Root CA Private Key is used for signing OCSP responses, then the digitalSignature bit MUST be set.
************************************************/
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/util"
)
type caKeyUsageNotCrit struct{}
func (l *caKeyUsageNotCrit) Initialize() error {
return nil
}
func (l *caKeyUsageNotCrit) CheckApplies(c *x509.Certificate) bool {
return c.IsCA && util.IsExtInCert(c, util.KeyUsageOID)
}
func (l *caKeyUsageNotCrit) Execute(c *x509.Certificate) *LintResult {
if e := util.GetExtFromCert(c, util.KeyUsageOID); e.Critical {
return &LintResult{Status: Pass}
} else {
return &LintResult{Status: Error}
}
}
func init() {
RegisterLint(&Lint{
Name: "e_ca_key_usage_not_critical",
Description: "Root and Subordinate CA certificate keyUsage extension MUST be marked as critical",
Citation: "BRs: 7.1.2.1",
Source: CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &caKeyUsageNotCrit{},
})
}


@ -1,54 +0,0 @@
package lints
/*
* ZLint Copyright 2018 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
/************************************************
BRs: 7.1.2.1e
The Certificate Subject MUST contain the following: organizationName (OID 2.5.4.10): This field MUST be present and the contents MUST contain either the Subject CAs name or DBA as verified under Section 3.2.2.2.
************************************************/
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/util"
)
type caOrganizationNameMissing struct{}
func (l *caOrganizationNameMissing) Initialize() error {
return nil
}
func (l *caOrganizationNameMissing) CheckApplies(c *x509.Certificate) bool {
return c.IsCA
}
func (l *caOrganizationNameMissing) Execute(c *x509.Certificate) *LintResult {
if c.Subject.Organization != nil && c.Subject.Organization[0] != "" {
return &LintResult{Status: Pass}
} else {
return &LintResult{Status: Error}
}
}
func init() {
RegisterLint(&Lint{
Name: "e_ca_organization_name_missing",
Description: "Root and Subordinate CA certificates MUST have a organizationName present in subject information",
Citation: "BRs: 7.1.2.1",
Source: CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &caOrganizationNameMissing{},
})
}


@ -1,61 +0,0 @@
package lints
/*
* ZLint Copyright 2018 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
/************************************************
RFC 5280: 4.1.2.6
The subject field identifies the entity associated with the public
key stored in the subject public key field. The subject name MAY be
carried in the subject field and/or the subjectAltName extension. If
the subject is a CA (e.g., the basic constraints extension, as
discussed in Section 4.2.1.9, is present and the value of cA is
TRUE), then the subject field MUST be populated with a non-empty
distinguished name matching the contents of the issuer field (Section
4.1.2.4) in all certificates issued by the subject CA.
************************************************/
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/util"
)
type caSubjectEmpty struct{}
func (l *caSubjectEmpty) Initialize() error {
return nil
}
func (l *caSubjectEmpty) CheckApplies(c *x509.Certificate) bool {
return c.IsCA
}
func (l *caSubjectEmpty) Execute(c *x509.Certificate) *LintResult {
if &c.Subject != nil && util.NotAllNameFieldsAreEmpty(&c.Subject) {
return &LintResult{Status: Pass}
} else {
return &LintResult{Status: Error}
}
}
func init() {
RegisterLint(&Lint{
Name: "e_ca_subject_field_empty",
Description: "CA Certificates subject field MUST not be empty and MUST have a non-empty distingushed name",
Citation: "RFC 5280: 4.1.2.6",
Source: RFC5280,
EffectiveDate: util.RFC2459Date,
Lint: &caSubjectEmpty{},
})
}


@ -1,51 +0,0 @@
package lints
/*
* ZLint Copyright 2018 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
// If the Certificate asserts the policy identifier of 2.23.140.1.2.1, then it MUST NOT include
// organizationName, streetAddress, localityName, stateOrProvinceName, or postalCode in the Subject field.
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/util"
)
type certPolicyConflictsWithLocality struct{}
func (l *certPolicyConflictsWithLocality) Initialize() error {
return nil
}
func (l *certPolicyConflictsWithLocality) CheckApplies(cert *x509.Certificate) bool {
return util.SliceContainsOID(cert.PolicyIdentifiers, util.BRDomainValidatedOID) && !util.IsCACert(cert)
}
func (l *certPolicyConflictsWithLocality) Execute(cert *x509.Certificate) *LintResult {
if util.TypeInName(&cert.Subject, util.LocalityNameOID) {
return &LintResult{Status: Error}
}
return &LintResult{Status: Pass}
}
func init() {
RegisterLint(&Lint{
Name: "e_cab_dv_conflicts_with_locality",
Description: "If certificate policy 2.23.140.1.2.1 (CA/B BR domain validated) is included, locality name MUST NOT be included in subject",
Citation: "BRs: 7.1.6.1",
Source: CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &certPolicyConflictsWithLocality{},
})
}


@ -1,54 +0,0 @@
package lints
/*
* ZLint Copyright 2018 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
// If the Certificate asserts the policy identifier of 2.23.140.1.2.1, then it MUST NOT include
// organizationName, streetAddress, localityName, stateOrProvinceName, or postalCode in the Subject field.
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/util"
)
type certPolicyConflictsWithOrg struct{}
func (l *certPolicyConflictsWithOrg) Initialize() error {
return nil
}
func (l *certPolicyConflictsWithOrg) CheckApplies(cert *x509.Certificate) bool {
return util.SliceContainsOID(cert.PolicyIdentifiers, util.BRDomainValidatedOID) && !util.IsCACert(cert)
}
func (l *certPolicyConflictsWithOrg) Execute(cert *x509.Certificate) *LintResult {
var out LintResult
if util.TypeInName(&cert.Subject, util.OrganizationNameOID) {
out.Status = Error
} else {
out.Status = Pass
}
return &out
}
func init() {
RegisterLint(&Lint{
Name: "e_cab_dv_conflicts_with_org",
Description: "If certificate policy 2.23.140.1.2.1 (CA/B BR domain validated) is included, organization name MUST NOT be included in subject",
Citation: "BRs: 7.1.6.1",
Source: CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &certPolicyConflictsWithOrg{},
})
}


@ -1,54 +0,0 @@
package lints
/*
* ZLint Copyright 2018 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
// If the Certificate asserts the policy identifier of 2.23.140.1.2.1, then it MUST NOT include
// organizationName, streetAddress, localityName, stateOrProvinceName, or postalCode in the Subject field.
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/util"
)
type certPolicyConflictsWithPostal struct{}
func (l *certPolicyConflictsWithPostal) Initialize() error {
return nil
}
func (l *certPolicyConflictsWithPostal) CheckApplies(cert *x509.Certificate) bool {
return util.SliceContainsOID(cert.PolicyIdentifiers, util.BRDomainValidatedOID) && !util.IsCACert(cert)
}
func (l *certPolicyConflictsWithPostal) Execute(cert *x509.Certificate) *LintResult {
var out LintResult
if util.TypeInName(&cert.Subject, util.PostalCodeOID) {
out.Status = Error
} else {
out.Status = Pass
}
return &out
}
func init() {
RegisterLint(&Lint{
Name: "e_cab_dv_conflicts_with_postal",
Description: "If certificate policy 2.23.140.1.2.1 (CA/B BR domain validated) is included, postalCode MUST NOT be included in subject",
Citation: "BRs: 7.1.6.1",
Source: CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &certPolicyConflictsWithPostal{},
})
}


@ -1,54 +0,0 @@
package lints
/*
* ZLint Copyright 2018 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
// If the Certificate asserts the policy identifier of 2.23.140.1.2.1, then it MUST NOT include
// organizationName, streetAddress, localityName, stateOrProvinceName, or postalCode in the Subject field.
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/util"
)
type certPolicyConflictsWithProvince struct{}
func (l *certPolicyConflictsWithProvince) Initialize() error {
return nil
}
func (l *certPolicyConflictsWithProvince) CheckApplies(cert *x509.Certificate) bool {
return util.SliceContainsOID(cert.PolicyIdentifiers, util.BRDomainValidatedOID) && !util.IsCACert(cert)
}
func (l *certPolicyConflictsWithProvince) Execute(cert *x509.Certificate) *LintResult {
var out LintResult
if util.TypeInName(&cert.Subject, util.StateOrProvinceNameOID) {
out.Status = Error
} else {
out.Status = Pass
}
return &out
}
func init() {
RegisterLint(&Lint{
Name: "e_cab_dv_conflicts_with_province",
Description: "If certificate policy 2.23.140.1.2.1 (CA/B BR domain validated) is included, stateOrProvinceName MUST NOT be included in subject",
Citation: "BRs: 7.1.6.1",
Source: CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &certPolicyConflictsWithProvince{},
})
}


@ -1,54 +0,0 @@
package lints
/*
* ZLint Copyright 2018 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
// If the Certificate asserts the policy identifier of 2.23.140.1.2.1, then it MUST NOT include
// organizationName, streetAddress, localityName, stateOrProvinceName, or postalCode in the Subject field.
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/util"
)
type certPolicyConflictsWithStreet struct{}
func (l *certPolicyConflictsWithStreet) Initialize() error {
return nil
}
func (l *certPolicyConflictsWithStreet) CheckApplies(cert *x509.Certificate) bool {
return util.SliceContainsOID(cert.PolicyIdentifiers, util.BRDomainValidatedOID) && !util.IsCACert(cert)
}
func (l *certPolicyConflictsWithStreet) Execute(cert *x509.Certificate) *LintResult {
var out LintResult
if util.TypeInName(&cert.Subject, util.StreetAddressOID) {
out.Status = Error
} else {
out.Status = Pass
}
return &out
}
func init() {
RegisterLint(&Lint{
Name: "e_cab_dv_conflicts_with_street",
Description: "If certificate policy 2.23.140.1.2.1 (CA/B BR domain validated) is included, streetAddress MUST NOT be included in subject",
Citation: "BRs: 7.1.6.1",
Source: CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &certPolicyConflictsWithStreet{},
})
}


@ -1,53 +0,0 @@
package lints
/*
* ZLint Copyright 2018 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
/*If the Certificate asserts the policy identifier of 2.23.140.1.2.3, then it MUST also include (i) either organizationName or givenName and surname, (ii) localityName (to the extent such field is required under Section 7.1.4.2.2), (iii) stateOrProvinceName (to the extent required under Section 7.1.4.2.2), and (iv) countryName in the Subject field.*/
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/util"
)
type CertPolicyRequiresPersonalName struct{}
func (l *CertPolicyRequiresPersonalName) Initialize() error {
return nil
}
func (l *CertPolicyRequiresPersonalName) CheckApplies(cert *x509.Certificate) bool {
return util.SliceContainsOID(cert.PolicyIdentifiers, util.BRIndividualValidatedOID) && !util.IsCACert(cert)
}
func (l *CertPolicyRequiresPersonalName) Execute(cert *x509.Certificate) *LintResult {
var out LintResult
if util.TypeInName(&cert.Subject, util.OrganizationNameOID) || (util.TypeInName(&cert.Subject, util.GivenNameOID) && util.TypeInName(&cert.Subject, util.SurnameOID)) {
out.Status = Pass
} else {
out.Status = Error
}
return &out
}
func init() {
RegisterLint(&Lint{
Name: "e_cab_iv_requires_personal_name",
Description: "If certificate policy 2.23.140.1.2.3 is included, either organizationName or givenName and surname MUST be included in subject",
Citation: "BRs: 7.1.6.1",
Source: CABFBaselineRequirements,
EffectiveDate: util.CABV131Date,
Lint: &CertPolicyRequiresPersonalName{},
})
}


@ -1,53 +0,0 @@
package lints
/*
* ZLint Copyright 2018 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
/*If the Certificate asserts the policy identifier of 2.23.140.1.2.2, then it MUST also include organizationName, localityName (to the extent such field is required under Section 7.1.4.2.2), stateOrProvinceName (to the extent such field is required under Section 7.1.4.2.2), and countryName in the Subject field.*/
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/util"
)
type CertPolicyRequiresOrg struct{}
func (l *CertPolicyRequiresOrg) Initialize() error {
return nil
}
func (l *CertPolicyRequiresOrg) CheckApplies(cert *x509.Certificate) bool {
return util.SliceContainsOID(cert.PolicyIdentifiers, util.BROrganizationValidatedOID) && !util.IsCACert(cert)
}
func (l *CertPolicyRequiresOrg) Execute(cert *x509.Certificate) *LintResult {
var out LintResult
if util.TypeInName(&cert.Subject, util.OrganizationNameOID) {
out.Status = Pass
} else {
out.Status = Error
}
return &out
}
func init() {
RegisterLint(&Lint{
Name: "e_cab_ov_requires_org",
Description: "If certificate policy 2.23.140.1.2.2 is included, organizationName MUST be included in subject",
Citation: "BRs: 7.1.6.1",
Source: CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &CertPolicyRequiresOrg{},
})
}


@ -1,61 +0,0 @@
package lints
/*
* ZLint Copyright 2018 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
/************************************************
These fields MUST only appear if the version is 2 or 3 (Section 4.1.2.1).
These fields MUST NOT appear if the version is 1. The subject and issuer
unique identifiers are present in the certificate to handle the possibility
of reuse of subject and/or issuer names over time. This profile RECOMMENDS
that names not be reused for different entities and that Internet certificates
not make use of unique identifiers. CAs conforming to this profile MUST NOT
generate certificates with unique identifiers. Applications conforming to
this profile SHOULD be capable of parsing certificates that include unique
identifiers, but there are no processing requirements associated with the
unique identifiers.
************************************************/
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/util"
)
type CertContainsUniqueIdentifier struct{}
func (l *CertContainsUniqueIdentifier) Initialize() error {
return nil
}
func (l *CertContainsUniqueIdentifier) CheckApplies(cert *x509.Certificate) bool {
return true
}
func (l *CertContainsUniqueIdentifier) Execute(cert *x509.Certificate) *LintResult {
if cert.IssuerUniqueId.Bytes == nil && cert.SubjectUniqueId.Bytes == nil {
return &LintResult{Status: Pass}
} //else
return &LintResult{Status: Error}
}
func init() {
RegisterLint(&Lint{
Name: "e_cert_contains_unique_identifier",
Description: "CAs MUST NOT generate certificate with unique identifiers",
Source: RFC5280,
Citation: "RFC 5280: 4.1.2.8",
EffectiveDate: util.RFC5280Date,
Lint: &CertContainsUniqueIdentifier{},
})
}


@ -1,67 +0,0 @@
package lints
/*
* ZLint Copyright 2018 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
/************************************************
4.1.2.1. Version
This field describes the version of the encoded certificate. When
extensions are used, as expected in this profile, version MUST be 3
(value is 2). If no extensions are present, but a UniqueIdentifier
is present, the version SHOULD be 2 (value is 1); however, the version
MAY be 3. If only basic fields are present, the version SHOULD be 1
(the value is omitted from the certificate as the default value);
however, the version MAY be 2 or 3.
Implementations SHOULD be prepared to accept any version certificate.
At a minimum, conforming implementations MUST recognize version 3 certificates.
4.1.2.9. Extensions
This field MUST only appear if the version is 3 (Section 4.1.2.1).
If present, this field is a SEQUENCE of one or more certificate
extensions. The format and content of certificate extensions in the
Internet PKI are defined in Section 4.2.
************************************************/
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/util"
)
type CertExtensionsVersonNot3 struct{}
func (l *CertExtensionsVersonNot3) Initialize() error {
return nil
}
func (l *CertExtensionsVersonNot3) CheckApplies(cert *x509.Certificate) bool {
return true
}
func (l *CertExtensionsVersonNot3) Execute(cert *x509.Certificate) *LintResult {
if cert.Version != 3 && len(cert.Extensions) != 0 {
return &LintResult{Status: Error}
}
return &LintResult{Status: Pass}
}
func init() {
RegisterLint(&Lint{
Name: "e_cert_extensions_version_not_3",
Description: "The extensions field MUST only appear in version 3 certificates",
Citation: "RFC 5280: 4.1.2.9",
Source: RFC5280,
EffectiveDate: util.RFC2459Date,
Lint: &CertExtensionsVersonNot3{},
})
}


@ -1,53 +0,0 @@
package lints
/*
* ZLint Copyright 2018 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
/*If the Certificate asserts the policy identifier of 2.23.140.1.2.3, then it MUST also include (i) either organizationName or givenName and surname, (ii) localityName (to the extent such field is required under Section 7.1.4.2.2), (iii) stateOrProvinceName (to the extent required under Section 7.1.4.2.2), and (iv) countryName in the Subject field.*/
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/util"
)
type CertPolicyIVRequiresCountry struct{}
func (l *CertPolicyIVRequiresCountry) Initialize() error {
return nil
}
func (l *CertPolicyIVRequiresCountry) CheckApplies(cert *x509.Certificate) bool {
return util.SliceContainsOID(cert.PolicyIdentifiers, util.BRIndividualValidatedOID)
}
func (l *CertPolicyIVRequiresCountry) Execute(cert *x509.Certificate) *LintResult {
var out LintResult
if util.TypeInName(&cert.Subject, util.CountryNameOID) {
out.Status = Pass
} else {
out.Status = Error
}
return &out
}
func init() {
RegisterLint(&Lint{
Name: "e_cert_policy_iv_requires_country",
Description: "If certificate policy 2.23.140.1.2.3 is included, countryName MUST be included in subject",
Citation: "BRs: 7.1.6.1",
Source: CABFBaselineRequirements,
EffectiveDate: util.CABV131Date,
Lint: &CertPolicyIVRequiresCountry{},
})
}


@ -1,54 +0,0 @@
package lints
/*
* ZLint Copyright 2018 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
// 7.1.6.1: If the Certificate asserts the policy identifier of 2.23.140.1.2.3, then it MUST also include (i) either organizationName or givenName and surname, (ii) localityName (to the extent such field is required under Section 7.1.4.2.2), (iii) stateOrProvinceName (to the extent required under Section 7.1.4.2.2), and (iv) countryName in the Subject field.
// 7.1.4.2.2 applies only to subscriber certificates.
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/util"
)
type CertPolicyIVRequiresProvinceOrLocal struct{}
func (l *CertPolicyIVRequiresProvinceOrLocal) Initialize() error {
return nil
}
func (l *CertPolicyIVRequiresProvinceOrLocal) CheckApplies(cert *x509.Certificate) bool {
return util.IsSubscriberCert(cert) && util.SliceContainsOID(cert.PolicyIdentifiers, util.BRIndividualValidatedOID)
}
func (l *CertPolicyIVRequiresProvinceOrLocal) Execute(cert *x509.Certificate) *LintResult {
var out LintResult
if util.TypeInName(&cert.Subject, util.LocalityNameOID) || util.TypeInName(&cert.Subject, util.StateOrProvinceNameOID) {
out.Status = Pass
} else {
out.Status = Error
}
return &out
}
func init() {
RegisterLint(&Lint{
Name: "e_cert_policy_iv_requires_province_or_locality",
Description: "If certificate policy 2.23.140.1.2.3 is included, localityName or stateOrProvinceName MUST be included in subject",
Citation: "BRs: 7.1.6.1",
Source: CABFBaselineRequirements,
EffectiveDate: util.CABV131Date,
Lint: &CertPolicyIVRequiresProvinceOrLocal{},
})
}


@ -1,53 +0,0 @@
package lints
/*
* ZLint Copyright 2018 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
/*If the Certificate asserts the policy identifier of 2.23.140.1.2.2, then it MUST also include organizationName, localityName (to the extent such field is required under Section 7.1.4.2.2), stateOrProvinceName (to the extent such field is required under Section 7.1.4.2.2), and countryName in the Subject field.*/
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/util"
)
type CertPolicyOVRequiresCountry struct{}
func (l *CertPolicyOVRequiresCountry) Initialize() error {
return nil
}
func (l *CertPolicyOVRequiresCountry) CheckApplies(cert *x509.Certificate) bool {
return util.SliceContainsOID(cert.PolicyIdentifiers, util.BROrganizationValidatedOID)
}
func (l *CertPolicyOVRequiresCountry) Execute(cert *x509.Certificate) *LintResult {
var out LintResult
if util.TypeInName(&cert.Subject, util.CountryNameOID) {
out.Status = Pass
} else {
out.Status = Error
}
return &out
}
func init() {
RegisterLint(&Lint{
Name: "e_cert_policy_ov_requires_country",
Description: "If certificate policy 2.23.140.1.2.2 is included, countryName MUST be included in subject",
Citation: "BRs: 7.1.6.1",
Source: CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &CertPolicyOVRequiresCountry{},
})
}


@ -1,54 +0,0 @@
package lints
/*
* ZLint Copyright 2018 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
// 7.1.6.1: If the Certificate asserts the policy identifier of 2.23.140.1.2.2, then it MUST also include organizationName, localityName (to the extent such field is required under Section 7.1.4.2.2), stateOrProvinceName (to the extent such field is required under Section 7.1.4.2.2), and countryName in the Subject field.*/
// 7.1.4.2.2 applies only to subscriber certificates.
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/util"
)
type CertPolicyOVRequiresProvinceOrLocal struct{}
func (l *CertPolicyOVRequiresProvinceOrLocal) Initialize() error {
return nil
}
func (l *CertPolicyOVRequiresProvinceOrLocal) CheckApplies(cert *x509.Certificate) bool {
return util.IsSubscriberCert(cert) && util.SliceContainsOID(cert.PolicyIdentifiers, util.BROrganizationValidatedOID)
}
func (l *CertPolicyOVRequiresProvinceOrLocal) Execute(cert *x509.Certificate) *LintResult {
var out LintResult
if util.TypeInName(&cert.Subject, util.LocalityNameOID) || util.TypeInName(&cert.Subject, util.StateOrProvinceNameOID) {
out.Status = Pass
} else {
out.Status = Error
}
return &out
}
func init() {
RegisterLint(&Lint{
Name: "e_cert_policy_ov_requires_province_or_locality",
Description: "If certificate policy 2.23.140.1.2.2 is included, localityName or stateOrProvinceName MUST be included in subject",
Citation: "BRs: 7.1.6.1",
Source: CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &CertPolicyOVRequiresProvinceOrLocal{},
})
}


@ -1,63 +0,0 @@
package lints
/*
* ZLint Copyright 2018 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
/**************************************************************************
RFC 5280: 4.1.2.8
These fields MUST only appear if the version is 2 or 3 (Section 4.1.2.1).
These fields MUST NOT appear if the version is 1. The subject and issuer
unique identifiers are present in the certificate to handle the possibility
of reuse of subject and/or issuer names over time. This profile RECOMMENDS
that names not be reused for different entities and that Internet certificates
not make use of unique identifiers. CAs conforming to this profile MUST NOT
generate certificates with unique identifiers. Applications conforming to
this profile SHOULD be capable of parsing certificates that include unique
identifiers, but there are no processing requirements associated with the
unique identifiers.
****************************************************************************/
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/util"
)
type certUniqueIdVersion struct{}
func (l *certUniqueIdVersion) Initialize() error {
return nil
}
func (l *certUniqueIdVersion) CheckApplies(c *x509.Certificate) bool {
return c.IssuerUniqueId.Bytes != nil || c.SubjectUniqueId.Bytes != nil
}
func (l *certUniqueIdVersion) Execute(c *x509.Certificate) *LintResult {
if (c.Version) != 2 && (c.Version) != 3 {
return &LintResult{Status: Error}
} else {
return &LintResult{Status: Pass}
}
}
func init() {
RegisterLint(&Lint{
Name: "e_cert_unique_identifier_version_not_2_or_3",
Description: "Unique identifiers MUST only appear if the X.509 version is 2 or 3",
Citation: "RFC 5280: 4.1.2.8",
Source: RFC5280,
EffectiveDate: util.RFC5280Date,
Lint: &certUniqueIdVersion{},
})
}


@ -1,156 +0,0 @@
/*
* ZLint Copyright 2019 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
package lints
import (
"fmt"
"time"
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zcrypto/x509/ct"
"github.com/zmap/zlint/util"
)
type sctPolicyCount struct{}
// Initialize for a sctPolicyCount instance does nothing.
func (l *sctPolicyCount) Initialize() error {
return nil
}
// CheckApplies returns true for any subscriber certificates that are not
// precertificates (e.g. that do not have the CT poison extension defined in RFC
// 6962.
func (l *sctPolicyCount) CheckApplies(c *x509.Certificate) bool {
return util.IsSubscriberCert(c) && !util.IsExtInCert(c, util.CtPoisonOID)
}
// Execute checks if the provided certificate has embedded SCTs from
// a sufficient number of unique CT logs to meet Apple's CT log policy[0],
// effective Oct 15th, 2018.
//
// The number of required SCTs from different logs is calculated based on the
// Certificate's lifetime. If the number of required SCTs are not embedded in
// the certificate a Notice level LintResult is returned.
//
// | Certificate lifetime | # of SCTs from separate logs |
// -------------------------------------------------------
// | Less than 15 months | 2 |
// | 15 to 27 months | 3 |
// | 27 to 39 months | 4 |
// | More than 39 months | 5 |
// -------------------------------------------------------
//
// Important note 1: We can't know whether additional SCTs were presented
// alongside the certificate via OCSP stapling. This linter assumes only
// embedded SCTs are used and ignores the portion of the Apple policy related to
// SCTs delivered via OCSP. This is one limitation that restricts the linter's
// findings to Notice level. See more background discussion in Issue 226[1].
//
// Important note 2: The linter doesn't maintain a list of Apple's trusted
// logs. The SCTs embedded in the certificate may not be from log's Apple
// actually trusts. Similarly the embedded SCT signatures are not validated
// in any way.
//
// [0]: https://support.apple.com/en-us/HT205280
// [1]: https://github.com/zmap/zlint/issues/226
func (l *sctPolicyCount) Execute(c *x509.Certificate) *LintResult {
// Determine the required number of SCTs from separate logs
expected := appleCTPolicyExpectedSCTs(c)
// If there are no SCTs then the job is easy. We can return a Notice
// LintResult immediately.
if len(c.SignedCertificateTimestampList) == 0 && expected > 0 {
return &LintResult{
Status: Notice,
Details: fmt.Sprintf(
"Certificate had 0 embedded SCTs. Browser policy may require %d for this certificate.",
expected),
}
}
// Build a map from LogID to SCT so that we can count embedded SCTs by unique
// log.
sctsByLogID := make(map[ct.SHA256Hash]*ct.SignedCertificateTimestamp)
for _, sct := range c.SignedCertificateTimestampList {
sctsByLogID[sct.LogID] = sct
}
// If the number of embedded SCTs from separate logs meets expected return
// a Pass result.
if len(sctsByLogID) >= expected {
return &LintResult{Status: Pass}
}
// Otherwise return a Notice result - there weren't enough SCTs embedded in
// the certificate. More must be provided by OCSP stapling if the certificate
// is to meet Apple's CT policy.
return &LintResult{
Status: Notice,
Details: fmt.Sprintf(
"Certificate had %d embedded SCTs from distinct log IDs. "+
"Browser policy may require %d for this certificate.",
len(sctsByLogID), expected),
}
}
// appleCTPolicyExpectedSCTs returns a count of the number of SCTs expected to
// be embedded in the given certificate based on its lifetime.
//
// For this function the relevant portion of Apple's policy is the table
// "Number of embedded SCTs based on certificate lifetime" (Also reproduced in
// the `Execute` godoc comment).
func appleCTPolicyExpectedSCTs(cert *x509.Certificate) int {
// Lifetime is relative to the certificate's NotBefore date.
start := cert.NotBefore
// Thresholds is an ordered array of lifetime periods and their expected # of
// SCTs. A lifetime period is defined by the cutoff date relative to the
// start of the certificate's lifetime.
thresholds := []struct {
CutoffDate time.Time
Expected int
}{
// Start date ... 15 months
{CutoffDate: start.AddDate(0, 15, 0), Expected: 2},
// Start date ... 27 months
{CutoffDate: start.AddDate(0, 27, 0), Expected: 3},
// Start date ... 39 months
{CutoffDate: start.AddDate(0, 39, 0), Expected: 4},
}
// If the certificate's lifetime falls into any of the cutoff date ranges then
// we expect that range's expected # of SCTs for this certificate. This loop
// assumes the `thresholds` list is sorted in ascending order.
for _, threshold := range thresholds {
if cert.NotAfter.Before(threshold.CutoffDate) {
return threshold.Expected
}
}
// The certificate had a validity > 39 months.
return 5
}
func init() {
RegisterLint(&Lint{
Name: "w_ct_sct_policy_count_unsatisfied",
Description: "Check if certificate has enough embedded SCTs to meet Apple CT Policy",
Citation: "https://support.apple.com/en-us/HT205280",
Source: AppleCTPolicy,
EffectiveDate: util.AppleCTPolicyDate,
Lint: &sctPolicyCount{},
})
}


@ -1,55 +0,0 @@
package lints
/*
* ZLint Copyright 2018 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
import (
"crypto/dsa"
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/util"
)
type dsaParamsMissing struct{}
func (l *dsaParamsMissing) Initialize() error {
return nil
}
func (l *dsaParamsMissing) CheckApplies(c *x509.Certificate) bool {
return c.PublicKeyAlgorithm == x509.DSA
}
func (l *dsaParamsMissing) Execute(c *x509.Certificate) *LintResult {
dsaKey, ok := c.PublicKey.(*dsa.PublicKey)
if !ok {
return &LintResult{Status: Fatal}
}
params := dsaKey.Parameters
if params.P.BitLen() == 0 || params.Q.BitLen() == 0 || params.G.BitLen() == 0 {
return &LintResult{Status: Error}
}
return &LintResult{Status: Pass}
}
func init() {
RegisterLint(&Lint{
Name: "e_dsa_params_missing",
Description: "DSA: Certificates MUST include all domain parameters",
Citation: "BRs: 6.1.6",
Source: CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &dsaParamsMissing{},
})
}


@ -1,84 +0,0 @@
package lints
/*
* ZLint Copyright 2018 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
/********************************************************************
The cRLDistributionPoints extension is a SEQUENCE of
DistributionPoint. A DistributionPoint consists of three fields,
each of which is optional: distributionPoint, reasons, and cRLIssuer.
While each of these fields is optional, a DistributionPoint MUST NOT
consist of only the reasons field; either distributionPoint or
cRLIssuer MUST be present. If the certificate issuer is not the CRL
issuer, then the cRLIssuer field MUST be present and contain the Name
of the CRL issuer. If the certificate issuer is also the CRL issuer,
then conforming CAs MUST omit the cRLIssuer field and MUST include
the distributionPoint field.
********************************************************************/
import (
"encoding/asn1"
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zcrypto/x509/pkix"
"github.com/zmap/zlint/util"
)
type distributionPoint struct {
DistributionPoint distributionPointName `asn1:"optional,tag:0"`
Reason asn1.BitString `asn1:"optional,tag:1"`
CRLIssuer asn1.RawValue `asn1:"optional,tag:2"`
}
type distributionPointName struct {
FullName asn1.RawValue `asn1:"optional,tag:0"`
RelativeName pkix.RDNSequence `asn1:"optional,tag:1"`
}
type dpIncomplete struct{}
func (l *dpIncomplete) Initialize() error {
return nil
}
func (l *dpIncomplete) CheckApplies(c *x509.Certificate) bool {
return util.IsExtInCert(c, util.CrlDistOID)
}
func (l *dpIncomplete) Execute(c *x509.Certificate) *LintResult {
dp := util.GetExtFromCert(c, util.CrlDistOID)
var cdp []distributionPoint
_, err := asn1.Unmarshal(dp.Value, &cdp)
if err != nil {
return &LintResult{Status: Fatal}
}
for _, dp := range cdp {
if dp.Reason.BitLength != 0 && len(dp.DistributionPoint.FullName.Bytes) == 0 &&
dp.DistributionPoint.RelativeName == nil && len(dp.CRLIssuer.Bytes) == 0 {
return &LintResult{Status: Error}
}
}
return &LintResult{Status: Pass}
}
func init() {
RegisterLint(&Lint{
Name: "e_distribution_point_incomplete",
Description: "A DistributionPoint from the CRLDistributionPoints extension MUST NOT consist of only the reasons field; either distributionPoint or CRLIssuer must be present",
Citation: "RFC 5280: 4.2.1.13",
Source: RFC5280,
EffectiveDate: util.RFC3280Date,
Lint: &dpIncomplete{},
})
}


@ -1,57 +0,0 @@
package lints
/*
* ZLint Copyright 2018 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
/************************************************
RFC 5280: 4.2.1.13
When present, DistributionPointName SHOULD include at least one LDAP or HTTP URI.
************************************************/
import (
"strings"
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/util"
)
type distribNoLDAPorURI struct{}
func (l *distribNoLDAPorURI) Initialize() error {
return nil
}
func (l *distribNoLDAPorURI) CheckApplies(c *x509.Certificate) bool {
return util.IsExtInCert(c, util.CrlDistOID)
}
func (l *distribNoLDAPorURI) Execute(c *x509.Certificate) *LintResult {
for _, point := range c.CRLDistributionPoints {
if point = strings.ToLower(point); strings.HasPrefix(point, "http://") || strings.HasPrefix(point, "ldap://") {
return &LintResult{Status: Pass}
}
}
return &LintResult{Status: Warn}
}
func init() {
RegisterLint(&Lint{
Name: "w_distribution_point_missing_ldap_or_uri",
Description: "When present in the CRLDistributionPoints extension, DistributionPointName SHOULD include at least one LDAP or HTTP URI",
Citation: "RFC 5280: 4.2.1.13",
Source: RFC5280,
EffectiveDate: util.RFC5280Date,
Lint: &distribNoLDAPorURI{},
})
}


@ -1,63 +0,0 @@
package lints
/*
* ZLint Copyright 2018 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
import (
"regexp"
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/util"
)
type DNSNameProperCharacters struct {
CompiledExpression *regexp.Regexp
}
func (l *DNSNameProperCharacters) Initialize() error {
const dnsNameRegexp = `^(\*\.)?(\?\.)*([A-Za-z0-9*_-]+\.)*[A-Za-z0-9*_-]*$`
var err error
l.CompiledExpression, err = regexp.Compile(dnsNameRegexp)
return err
}
func (l *DNSNameProperCharacters) CheckApplies(c *x509.Certificate) bool {
return util.IsSubscriberCert(c) && util.DNSNamesExist(c)
}
func (l *DNSNameProperCharacters) Execute(c *x509.Certificate) *LintResult {
if c.Subject.CommonName != "" && !util.CommonNameIsIP(c) {
if !l.CompiledExpression.MatchString(c.Subject.CommonName) {
return &LintResult{Status: Error}
}
}
for _, dns := range c.DNSNames {
if !l.CompiledExpression.MatchString(dns) {
return &LintResult{Status: Error}
}
}
return &LintResult{Status: Pass}
}
func init() {
RegisterLint(&Lint{
Name: "e_dnsname_bad_character_in_label",
Description: "Characters in labels of DNSNames MUST be alphanumeric, - , _ or *",
Citation: "BRs: 7.1.4.2",
Source: CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &DNSNameProperCharacters{},
})
}


@ -1,66 +0,0 @@
package lints
/*
* ZLint Copyright 2018 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
import (
"strings"
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/util"
)
type DNSNameLeftLabelWildcardCheck struct{}
func (l *DNSNameLeftLabelWildcardCheck) Initialize() error {
return nil
}
func (l *DNSNameLeftLabelWildcardCheck) CheckApplies(c *x509.Certificate) bool {
return true
}
func wildcardInLeftLabelIncorrect(domain string) bool {
labels := strings.Split(domain, ".")
if len(labels) >= 1 {
leftLabel := labels[0]
if strings.Contains(leftLabel, "*") && leftLabel != "*" {
return true
}
}
return false
}
func (l *DNSNameLeftLabelWildcardCheck) Execute(c *x509.Certificate) *LintResult {
if wildcardInLeftLabelIncorrect(c.Subject.CommonName) {
return &LintResult{Status: Error}
}
for _, dns := range c.DNSNames {
if wildcardInLeftLabelIncorrect(dns) {
return &LintResult{Status: Error}
}
}
return &LintResult{Status: Pass}
}
func init() {
RegisterLint(&Lint{
Name: "e_dnsname_left_label_wildcard_correct",
Description: "Wildcards in the left label of DNSName should only be *",
Citation: "BRs: 7.1.4.2",
Source: CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &DNSNameLeftLabelWildcardCheck{},
})
}


@ -1,55 +0,0 @@
package lints
/*
* ZLint Copyright 2017 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/util"
)
type dnsNameContainsBareIANASuffix struct{}
func (l *dnsNameContainsBareIANASuffix) Initialize() error {
return nil
}
func (l *dnsNameContainsBareIANASuffix) CheckApplies(c *x509.Certificate) bool {
return util.IsSubscriberCert(c) && util.DNSNamesExist(c)
}
func (l *dnsNameContainsBareIANASuffix) Execute(c *x509.Certificate) *LintResult {
if c.Subject.CommonName != "" && !util.CommonNameIsIP(c) {
if util.IsInTLDMap(c.Subject.CommonName) {
return &LintResult{Status: Error}
}
}
for _, dns := range c.DNSNames {
if util.IsInTLDMap(dns) {
return &LintResult{Status: Error}
}
}
return &LintResult{Status: Pass}
}
func init() {
RegisterLint(&Lint{
Name: "e_dnsname_contains_bare_iana_suffix",
Description: "DNSNames should not contain a bare IANA suffix.",
Citation: "BRs: 7.1.4.2",
Source: CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &dnsNameContainsBareIANASuffix{},
})
}


@ -1,67 +0,0 @@
package lints
/*
* ZLint Copyright 2018 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
import (
"strings"
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/util"
)
type DNSNameEmptyLabel struct{}
func (l *DNSNameEmptyLabel) Initialize() error {
return nil
}
func (l *DNSNameEmptyLabel) CheckApplies(c *x509.Certificate) bool {
return util.IsSubscriberCert(c) && util.DNSNamesExist(c)
}
func domainHasEmptyLabel(domain string) bool {
labels := strings.Split(domain, ".")
for _, elem := range labels {
if elem == "" {
return true
}
}
return false
}
func (l *DNSNameEmptyLabel) Execute(c *x509.Certificate) *LintResult {
if c.Subject.CommonName != "" && !util.CommonNameIsIP(c) {
if domainHasEmptyLabel(c.Subject.CommonName) {
return &LintResult{Status: Error}
}
}
for _, dns := range c.DNSNames {
if domainHasEmptyLabel(dns) {
return &LintResult{Status: Error}
}
}
return &LintResult{Status: Pass}
}
func init() {
RegisterLint(&Lint{
Name: "e_dnsname_empty_label",
Description: "DNSNames should not have an empty label.",
Citation: "BRs: 7.1.4.2",
Source: CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &DNSNameEmptyLabel{},
})
}


@ -1,66 +0,0 @@
package lints
/*
* ZLint Copyright 2018 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
import (
"strings"
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/util"
)
type DNSNameHyphenInSLD struct{}
func (l *DNSNameHyphenInSLD) Initialize() error {
return nil
}
func (l *DNSNameHyphenInSLD) CheckApplies(c *x509.Certificate) bool {
return util.IsSubscriberCert(c) && util.DNSNamesExist(c)
}
func (l *DNSNameHyphenInSLD) Execute(c *x509.Certificate) *LintResult {
if c.Subject.CommonName != "" && !util.CommonNameIsIP(c) {
domainInfo := c.GetParsedSubjectCommonName(false)
if domainInfo.ParseError != nil {
return &LintResult{Status: NA}
}
if strings.HasPrefix(domainInfo.ParsedDomain.SLD, "-") || strings.HasSuffix(domainInfo.ParsedDomain.SLD, "-") {
return &LintResult{Status: Error}
}
}
parsedSANDNSNames := c.GetParsedDNSNames(false)
for i := range c.GetParsedDNSNames(false) {
if parsedSANDNSNames[i].ParseError != nil {
return &LintResult{Status: NA}
}
if strings.HasPrefix(parsedSANDNSNames[i].ParsedDomain.SLD, "-") ||
strings.HasSuffix(parsedSANDNSNames[i].ParsedDomain.SLD, "-") {
return &LintResult{Status: Error}
}
}
return &LintResult{Status: Pass}
}
func init() {
RegisterLint(&Lint{
Name: "e_dnsname_hyphen_in_sld",
Description: "DNSName should not have a hyphen beginning or ending the SLD",
Citation: "BRs 7.1.4.2",
Source: CABFBaselineRequirements,
EffectiveDate: util.RFC5280Date,
Lint: &DNSNameHyphenInSLD{},
})
}


@ -1,69 +0,0 @@
package lints
/*
* ZLint Copyright 2018 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
import (
"strings"
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/util"
)
type DNSNameLabelLengthTooLong struct{}
func (l *DNSNameLabelLengthTooLong) Initialize() error {
return nil
}
func (l *DNSNameLabelLengthTooLong) CheckApplies(c *x509.Certificate) bool {
return util.IsSubscriberCert(c) && util.DNSNamesExist(c)
}
func labelLengthTooLong(domain string) bool {
labels := strings.Split(domain, ".")
for _, label := range labels {
if len(label) > 63 {
return true
}
}
return false
}
func (l *DNSNameLabelLengthTooLong) Execute(c *x509.Certificate) *LintResult {
if c.Subject.CommonName != "" && !util.CommonNameIsIP(c) {
labelTooLong := labelLengthTooLong(c.Subject.CommonName)
if labelTooLong {
return &LintResult{Status: Error}
}
}
for _, dns := range c.DNSNames {
labelTooLong := labelLengthTooLong(dns)
if labelTooLong {
return &LintResult{Status: Error}
}
}
return &LintResult{Status: Pass}
}
func init() {
RegisterLint(&Lint{
Name: "e_dnsname_label_too_long",
Description: "DNSName labels MUST be less than or equal to 63 characters",
Citation: "RFC 1035",
Source: CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &DNSNameLabelLengthTooLong{},
})
}


@ -1,55 +0,0 @@
package lints
/*
* ZLint Copyright 2018 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/util"
)
type DNSNameValidTLD struct{}
func (l *DNSNameValidTLD) Initialize() error {
return nil
}
func (l *DNSNameValidTLD) CheckApplies(c *x509.Certificate) bool {
return util.IsSubscriberCert(c) && util.DNSNamesExist(c)
}
func (l *DNSNameValidTLD) Execute(c *x509.Certificate) *LintResult {
if c.Subject.CommonName != "" && !util.CommonNameIsIP(c) {
if !util.HasValidTLD(c.Subject.CommonName, c.NotBefore) {
return &LintResult{Status: Error}
}
}
for _, dns := range c.DNSNames {
if !util.HasValidTLD(dns, c.NotBefore) {
return &LintResult{Status: Error}
}
}
return &LintResult{Status: Pass}
}
func init() {
RegisterLint(&Lint{
Name: "e_dnsname_not_valid_tld",
Description: "DNSNames must have a valid TLD.",
Citation: "BRs: 7.1.4.2",
Source: CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &DNSNameValidTLD{},
})
}


@ -1,66 +0,0 @@
package lints
/*
* ZLint Copyright 2018 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
import (
"strings"
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/util"
)
type DNSNameUnderscoreInSLD struct{}
func (l *DNSNameUnderscoreInSLD) Initialize() error {
return nil
}
func (l *DNSNameUnderscoreInSLD) CheckApplies(c *x509.Certificate) bool {
return util.IsSubscriberCert(c) && util.DNSNamesExist(c)
}
func (l *DNSNameUnderscoreInSLD) Execute(c *x509.Certificate) *LintResult {
if c.Subject.CommonName != "" && !util.CommonNameIsIP(c) {
domainInfo := c.GetParsedSubjectCommonName(false)
if domainInfo.ParseError != nil {
return &LintResult{Status: NA}
}
if strings.Contains(domainInfo.ParsedDomain.SLD, "_") {
return &LintResult{Status: Error}
}
}
parsedSANDNSNames := c.GetParsedDNSNames(false)
for i := range c.GetParsedDNSNames(false) {
if parsedSANDNSNames[i].ParseError != nil {
return &LintResult{Status: NA}
}
if strings.Contains(parsedSANDNSNames[i].ParsedDomain.SLD, "_") {
return &LintResult{Status: Error}
}
}
return &LintResult{Status: Pass}
}
func init() {
RegisterLint(&Lint{
Name: "e_dnsname_underscore_in_sld",
Description: "DNSName should not have underscore in SLD",
Citation: "BRs: 7.1.4.2",
Source: CABFBaselineRequirements,
EffectiveDate: util.RFC5280Date,
Lint: &DNSNameUnderscoreInSLD{},
})
}


@ -1,67 +0,0 @@
package lints
/*
* ZLint Copyright 2018 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
import (
"strings"
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/util"
)
type DNSNameUnderscoreInTRD struct{}
func (l *DNSNameUnderscoreInTRD) Initialize() error {
return nil
}
func (l *DNSNameUnderscoreInTRD) CheckApplies(c *x509.Certificate) bool {
return util.IsSubscriberCert(c) && util.DNSNamesExist(c)
}
func (l *DNSNameUnderscoreInTRD) Execute(c *x509.Certificate) *LintResult {
if c.Subject.CommonName != "" && !util.CommonNameIsIP(c) {
domainInfo := c.GetParsedSubjectCommonName(false)
if domainInfo.ParseError != nil {
return &LintResult{Status: NA}
}
if strings.Contains(domainInfo.ParsedDomain.TRD, "_") {
return &LintResult{Status: Warn}
}
}
parsedSANDNSNames := c.GetParsedDNSNames(false)
for i := range c.GetParsedDNSNames(false) {
if parsedSANDNSNames[i].ParseError != nil {
return &LintResult{Status: NA}
}
if strings.Contains(parsedSANDNSNames[i].ParsedDomain.TRD, "_") {
return &LintResult{Status: Warn}
}
}
return &LintResult{Status: Pass}
}
func init() {
RegisterLint(&Lint{
Name: "w_dnsname_underscore_in_trd",
Description: "DNSName should not have an underscore in labels left of the ETLD+1",
Citation: "BRs: 7.1.4.2",
Source: CABFBaselineRequirements,
EffectiveDate: util.RFC5280Date,
Lint: &DNSNameUnderscoreInTRD{},
})
}


@ -1,66 +0,0 @@
package lints
/*
* ZLint Copyright 2018 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/util"
)
type DNSNameWildcardLeftofPublicSuffix struct{}
func (l *DNSNameWildcardLeftofPublicSuffix) Initialize() error {
return nil
}
func (l *DNSNameWildcardLeftofPublicSuffix) CheckApplies(c *x509.Certificate) bool {
return util.IsSubscriberCert(c) && util.DNSNamesExist(c)
}
func (l *DNSNameWildcardLeftofPublicSuffix) Execute(c *x509.Certificate) *LintResult {
if c.Subject.CommonName != "" && !util.CommonNameIsIP(c) {
domainInfo := c.GetParsedSubjectCommonName(false)
if domainInfo.ParseError != nil {
return &LintResult{Status: NA}
}
if domainInfo.ParsedDomain.SLD == "*" {
return &LintResult{Status: Warn}
}
}
parsedSANDNSNames := c.GetParsedDNSNames(false)
for i := range c.GetParsedDNSNames(false) {
if parsedSANDNSNames[i].ParseError != nil {
return &LintResult{Status: NA}
}
if parsedSANDNSNames[i].ParsedDomain.SLD == "*" {
return &LintResult{Status: Warn}
}
}
return &LintResult{Status: Pass}
}
func init() {
RegisterLint(&Lint{
Name: "w_dnsname_wildcard_left_of_public_suffix",
Description: "the CA MUST establish and follow a documented procedure[^pubsuffix] that determines if the wildcard character occurs in the first label position to the left of a “registrycontrolled” label or “public suffix”",
Citation: "BRs: 3.2.2.6",
Source: CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &DNSNameWildcardLeftofPublicSuffix{},
})
}


@ -1,68 +0,0 @@
package lints
/*
* ZLint Copyright 2018 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
import (
"strings"
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/util"
)
type DNSNameWildcardOnlyInLeftlabel struct{}
func (l *DNSNameWildcardOnlyInLeftlabel) Initialize() error {
return nil
}
func (l *DNSNameWildcardOnlyInLeftlabel) CheckApplies(c *x509.Certificate) bool {
return true
}
func wildcardNotInLeftLabel(domain string) bool {
labels := strings.Split(domain, ".")
if len(labels) > 1 {
labels = labels[1:]
for _, label := range labels {
if strings.Contains(label, "*") {
return true
}
}
}
return false
}
func (l *DNSNameWildcardOnlyInLeftlabel) Execute(c *x509.Certificate) *LintResult {
if wildcardNotInLeftLabel(c.Subject.CommonName) {
return &LintResult{Status: Error}
}
for _, dns := range c.DNSNames {
if wildcardNotInLeftLabel(dns) {
return &LintResult{Status: Error}
}
}
return &LintResult{Status: Pass}
}
func init() {
RegisterLint(&Lint{
Name: "e_dnsname_wildcard_only_in_left_label",
Description: "DNSName should not have wildcards except in the left-most label",
Citation: "BRs: 7.1.4.2",
Source: CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &DNSNameWildcardOnlyInLeftlabel{},
})
}


@ -1,65 +0,0 @@
package lints
/*
* ZLint Copyright 2018 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
import (
"crypto/dsa"
"math/big"
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/util"
)
type dsaSubgroup struct{}
func (l *dsaSubgroup) Initialize() error {
return nil
}
func (l *dsaSubgroup) CheckApplies(c *x509.Certificate) bool {
if c.PublicKeyAlgorithm != x509.DSA {
return false
}
if _, ok := c.PublicKey.(*dsa.PublicKey); !ok {
return false
}
return true
}
func (l *dsaSubgroup) Execute(c *x509.Certificate) *LintResult {
dsaKey, ok := c.PublicKey.(*dsa.PublicKey)
if !ok {
return &LintResult{Status: NA}
}
output := big.Int{}
// Enforce that Y^Q == 1 mod P, e.g. that Order(Y) == Q mod P.
output.Exp(dsaKey.Y, dsaKey.Q, dsaKey.P)
if output.Cmp(big.NewInt(1)) == 0 {
return &LintResult{Status: Pass}
}
return &LintResult{Status: Error}
}
func init() {
RegisterLint(&Lint{
Name: "e_dsa_correct_order_in_subgroup",
Description: "DSA: Public key value has the unique correct representation in the field, and that the key has the correct order in the subgroup",
Citation: "BRs: 6.1.6",
Source: CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &dsaSubgroup{},
})
}


@ -1,56 +0,0 @@
package lints
/*
* ZLint Copyright 2018 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
import (
"crypto/dsa"
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/util"
)
type dsaImproperSize struct{}
func (l *dsaImproperSize) Initialize() error {
return nil
}
func (l *dsaImproperSize) CheckApplies(c *x509.Certificate) bool {
return c.PublicKeyAlgorithm == x509.DSA
}
func (l *dsaImproperSize) Execute(c *x509.Certificate) *LintResult {
dsaKey, ok := c.PublicKey.(*dsa.PublicKey)
if !ok {
return &LintResult{Status: NA}
}
L := dsaKey.Parameters.P.BitLen()
N := dsaKey.Parameters.Q.BitLen()
if (L == 2048 && N == 224) || (L == 2048 && N == 256) || (L == 3072 && N == 256) {
return &LintResult{Status: Pass}
}
return &LintResult{Status: Error}
}
func init() {
RegisterLint(&Lint{
Name: "e_dsa_improper_modulus_or_divisor_size",
Description: "Certificates MUST meet the following requirements for DSA algorithm type and key size: L=2048 and N=224,256 or L=3072 and N=256",
Citation: "BRs: 6.1.5",
Source: CABFBaselineRequirements,
EffectiveDate: util.ZeroDate,
Lint: &dsaImproperSize{},
})
}


@ -1,58 +0,0 @@
package lints
/*
* ZLint Copyright 2018 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
import (
"crypto/dsa"
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/util"
)
type dsaTooShort struct{}
func (l *dsaTooShort) Initialize() error {
return nil
}
func (l *dsaTooShort) CheckApplies(c *x509.Certificate) bool {
return c.PublicKeyAlgorithm == x509.DSA
}
func (l *dsaTooShort) Execute(c *x509.Certificate) *LintResult {
dsaKey, ok := c.PublicKey.(*dsa.PublicKey)
if !ok {
return &LintResult{Status: NA}
}
dsaParams := dsaKey.Parameters
L := dsaParams.P.BitLen()
N := dsaParams.Q.BitLen()
if L >= 2048 && N >= 244 {
return &LintResult{Status: Pass}
}
return &LintResult{Status: Error}
}
func init() {
RegisterLint(&Lint{
Name: "e_dsa_shorter_than_2048_bits",
Description: "DSA modulus size must be at least 2048 bits",
Citation: "BRs: 6.1.5",
// Refer to BRs: 6.1.5, taking the statement "Before 31 Dec 2010" literally
Source: CABFBaselineRequirements,
EffectiveDate: util.ZeroDate,
Lint: &dsaTooShort{},
})
}


@ -1,59 +0,0 @@
package lints
/*
* ZLint Copyright 2018 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
import (
"crypto/dsa"
"math/big"
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/util"
)
type dsaUniqueCorrectRepresentation struct{}
func (l *dsaUniqueCorrectRepresentation) Initialize() error {
return nil
}
func (l *dsaUniqueCorrectRepresentation) CheckApplies(c *x509.Certificate) bool {
return c.PublicKeyAlgorithm == x509.DSA
}
func (l *dsaUniqueCorrectRepresentation) Execute(c *x509.Certificate) *LintResult {
dsaKey, ok := c.PublicKey.(*dsa.PublicKey)
if !ok {
return &LintResult{Status: NA}
}
// Verify that 2 ≤ y ≤ p-2.
two := big.NewInt(2)
pMinusTwo := big.NewInt(0)
pMinusTwo.Sub(dsaKey.P, two)
if two.Cmp(dsaKey.Y) > 0 || dsaKey.Y.Cmp(pMinusTwo) > 0 {
return &LintResult{Status: Error}
}
return &LintResult{Status: Pass}
}
func init() {
RegisterLint(&Lint{
Name: "e_dsa_unique_correct_representation",
Description: "DSA: Public key value has the unique correct representation in the field, and that the key has the correct order in the subgroup",
Citation: "BRs: 6.1.6",
Source: CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &dsaUniqueCorrectRepresentation{},
})
}


@ -1,71 +0,0 @@
package lints
/*
* ZLint Copyright 2018 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
/************************************************
BRs: 6.1.5
Certificates MUST meet the following requirements for algorithm type and key size.
ECC Curve: NIST P-256, P-384, or P-521
************************************************/
import (
"crypto/ecdsa"
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/util"
)
type ecImproperCurves struct{}
func (l *ecImproperCurves) Initialize() error {
return nil
}
func (l *ecImproperCurves) CheckApplies(c *x509.Certificate) bool {
return c.PublicKeyAlgorithm == x509.ECDSA
}
func (l *ecImproperCurves) Execute(c *x509.Certificate) *LintResult {
/* Declare theKey to be a ECDSA Public Key */
var theKey *ecdsa.PublicKey
/* Need to do different things based on what c.PublicKey is */
switch c.PublicKey.(type) {
case *x509.AugmentedECDSA:
temp := c.PublicKey.(*x509.AugmentedECDSA)
theKey = temp.Pub
case *ecdsa.PublicKey:
theKey = c.PublicKey.(*ecdsa.PublicKey)
}
/* Now can actually check the params */
theParams := theKey.Curve.Params()
switch theParams.Name {
case "P-256", "P-384", "P-521":
return &LintResult{Status: Pass}
default:
return &LintResult{Status: Error}
}
}
func init() {
RegisterLint(&Lint{
Name: "e_ec_improper_curves",
Description: "Only one of NIST P256, P384, or P521 can be used",
Citation: "BRs: 6.1.5",
Source: CABFBaselineRequirements,
// Refer to BRs: 6.1.5, taking the statement "Before 31 Dec 2010" literally
EffectiveDate: util.ZeroDate,
Lint: &ecImproperCurves{},
})
}


@ -1,98 +0,0 @@
/*
* ZLint Copyright 2019 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
package lints
import (
"fmt"
"sort"
"strings"
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/util"
)
type ecdsaInvalidKU struct{}
// Initialize is a no-op for this lint.
func (l *ecdsaInvalidKU) Initialize() error {
return nil
}
// CheckApplies returns true when the certificate is a subscriber cert using an
// ECDSA public key algorithm.
func (l *ecdsaInvalidKU) CheckApplies(c *x509.Certificate) bool {
return util.IsSubscriberCert(c) && c.PublicKeyAlgorithm == x509.ECDSA
}
// Execute returns a Notice level LintResult if the ECDSA end entity certificate
// being linted has Key Usage bits set other than digitalSignature,
// nonRepudiation/contentCommentment, and keyAgreement.
func (l *ecdsaInvalidKU) Execute(c *x509.Certificate) *LintResult {
// RFC 5480, Section 3 "Key Usage Bits" says:
//
// If the keyUsage extension is present in an End Entity (EE)
// certificate that indicates id-ecPublicKey in SubjectPublicKeyInfo,
// then any combination of the following values MAY be present:
//
// digitalSignature;
// nonRepudiation; and
// keyAgreement.
//
// So we set up `allowedKUs` to match. Note that per RFC 5280: recent editions
// of X.509 renamed "nonRepudiation" to "contentCommitment", which is the name
// of the Go x509 constant we use here alongside the digitalSignature and
// keyAgreement constants.
allowedKUs := map[x509.KeyUsage]bool{
x509.KeyUsageDigitalSignature: true,
x509.KeyUsageContentCommitment: true,
x509.KeyUsageKeyAgreement: true,
}
var invalidKUs []string
for ku, kuName := range util.KeyUsageToString {
if c.KeyUsage&ku != 0 {
if !allowedKUs[ku] {
invalidKUs = append(invalidKUs, kuName)
}
}
}
if len(invalidKUs) > 0 {
// Sort the invalid KUs to allow consistent ordering of Details messages for
// unit testing
sort.Strings(invalidKUs)
return &LintResult{
Status: Notice,
Details: fmt.Sprintf(
"Certificate had unexpected key usage(s): %s",
strings.Join(invalidKUs, ", ")),
}
}
return &LintResult{
Status: Pass,
}
}
func init() {
RegisterLint(&Lint{
Name: "n_ecdsa_ee_invalid_ku",
Description: "ECDSA end-entity certificates MAY have key usages: digitalSignature, nonRepudiation and keyAgreement",
Citation: "RFC 5480 Section 3",
Source: RFC5480,
EffectiveDate: util.CABEffectiveDate,
Lint: &ecdsaInvalidKU{},
})
}


@ -1,66 +0,0 @@
package lints
/*
* ZLint Copyright 2018 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
/************************************************
RFC 5280: 4.2.1.12
If a CA includes extended key usages to satisfy such applications,
but does not wish to restrict usages of the key, the CA can include
the special KeyPurposeId anyExtendedKeyUsage in addition to the
particular key purposes required by the applications. Conforming CAs
SHOULD NOT mark this extension as critical if the anyExtendedKeyUsage
KeyPurposeId is present. Applications that require the presence of a
particular purpose MAY reject certificates that include the
anyExtendedKeyUsage OID but not the particular OID expected for the
application.
************************************************/
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/util"
)
type ekuBadCritical struct{}
func (l *ekuBadCritical) Initialize() error {
return nil
}
func (l *ekuBadCritical) CheckApplies(c *x509.Certificate) bool {
return util.IsExtInCert(c, util.EkuSynOid)
}
func (l *ekuBadCritical) Execute(c *x509.Certificate) *LintResult {
if e := util.GetExtFromCert(c, util.EkuSynOid); e.Critical {
for _, single_use := range c.ExtKeyUsage {
if single_use == x509.ExtKeyUsageAny {
return &LintResult{Status: Warn}
}
}
}
return &LintResult{Status: Pass}
}
func init() {
RegisterLint(&Lint{
Name: "w_eku_critical_improperly",
Description: "Conforming CAs SHOULD NOT mark extended key usage extension as critical if the anyExtendedKeyUsage KeyPurposedID is present",
Citation: "RFC 5280: 4.2.1.12",
Source: RFC5280,
EffectiveDate: util.RFC3280Date,
Lint: &ekuBadCritical{},
})
}


@ -1,49 +0,0 @@
package lints
/*
* ZLint Copyright 2018 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/util"
)
type evNoBiz struct{}
func (l *evNoBiz) Initialize() error {
return nil
}
func (l *evNoBiz) CheckApplies(c *x509.Certificate) bool {
return util.IsEV(c.PolicyIdentifiers) && util.IsSubscriberCert(c)
}
func (l *evNoBiz) Execute(c *x509.Certificate) *LintResult {
if util.TypeInName(&c.Subject, util.BusinessOID) {
return &LintResult{Status: Pass}
} else {
return &LintResult{Status: Error}
}
}
func init() {
RegisterLint(&Lint{
Name: "e_ev_business_category_missing",
Description: "EV certificates must include businessCategory in subject",
Citation: "BRs: 7.1.6.1",
Source: CABFBaselineRequirements,
EffectiveDate: util.ZeroDate,
Lint: &evNoBiz{},
})
}


@ -1,49 +0,0 @@
package lints
/*
* ZLint Copyright 2018 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/util"
)
type evCountryMissing struct{}
func (l *evCountryMissing) Initialize() error {
return nil
}
func (l *evCountryMissing) CheckApplies(c *x509.Certificate) bool {
return util.IsEV(c.PolicyIdentifiers) && util.IsSubscriberCert(c)
}
func (l *evCountryMissing) Execute(c *x509.Certificate) *LintResult {
if util.TypeInName(&c.Subject, util.CountryNameOID) {
return &LintResult{Status: Pass}
} else {
return &LintResult{Status: Error}
}
}
func init() {
RegisterLint(&Lint{
Name: "e_ev_country_name_missing",
Description: "EV certificates must include countryName in subject",
Citation: "BRs: 7.1.6.1",
Source: CABFBaselineRequirements,
EffectiveDate: util.ZeroDate,
Lint: &evCountryMissing{},
})
}


@ -1,49 +0,0 @@
package lints
/*
* ZLint Copyright 2018 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/util"
)
type evOrgMissing struct{}
func (l *evOrgMissing) Initialize() error {
return nil
}
func (l *evOrgMissing) CheckApplies(c *x509.Certificate) bool {
return util.IsEV(c.PolicyIdentifiers) && util.IsSubscriberCert(c)
}
func (l *evOrgMissing) Execute(c *x509.Certificate) *LintResult {
if util.TypeInName(&c.Subject, util.OrganizationNameOID) {
return &LintResult{Status: Pass}
} else {
return &LintResult{Status: Error}
}
}
func init() {
RegisterLint(&Lint{
Name: "e_ev_organization_name_missing",
Description: "EV certificates must include organizationName in subject",
Citation: "BRs: 7.1.6.1",
Source: CABFBaselineRequirements,
EffectiveDate: util.ZeroDate,
Lint: &evOrgMissing{},
})
}


@ -1,48 +0,0 @@
package lints
/*
* ZLint Copyright 2018 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/util"
)
type evSNMissing struct{}
func (l *evSNMissing) Initialize() error {
return nil
}
func (l *evSNMissing) CheckApplies(c *x509.Certificate) bool {
return util.IsEV(c.PolicyIdentifiers) && util.IsSubscriberCert(c)
}
func (l *evSNMissing) Execute(c *x509.Certificate) *LintResult {
if len(c.Subject.SerialNumber) == 0 {
return &LintResult{Status: Error}
}
return &LintResult{Status: Pass}
}
func init() {
RegisterLint(&Lint{
Name: "e_ev_serial_number_missing",
Description: "EV certificates must include serialNumber in subject",
Citation: "EV gudelines: 9.2.6",
Source: CABFBaselineRequirements,
EffectiveDate: util.ZeroDate,
Lint: &evSNMissing{},
})
}


@ -1,48 +0,0 @@
package lints
/*
* ZLint Copyright 2018 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/util"
)
type evValidTooLong struct{}
func (l *evValidTooLong) Initialize() error {
return nil
}
func (l *evValidTooLong) CheckApplies(c *x509.Certificate) bool {
return util.IsEV(c.PolicyIdentifiers) && util.IsSubscriberCert(c)
}
func (l *evValidTooLong) Execute(c *x509.Certificate) *LintResult {
if c.NotBefore.AddDate(0, 0, 825).Before(c.NotAfter) {
return &LintResult{Status: Error}
}
return &LintResult{Status: Pass}
}
func init() {
RegisterLint(&Lint{
Name: "e_ev_valid_time_too_long",
Description: "EV certificates must be 825 days in validity or less",
Citation: "BRs: 6.3.2",
Source: CABFBaselineRequirements,
EffectiveDate: util.ZeroDate,
Lint: &evValidTooLong{},
})
}


@ -1,63 +0,0 @@
package lints
/*
* ZLint Copyright 2018 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
/************************************************
RFC 5280: 4.2.2.1
An authorityInfoAccess extension may include multiple instances of
the id-ad-caIssuers accessMethod. The different instances may
specify different methods for accessing the same information or may
point to different information. When the id-ad-caIssuers
accessMethod is used, at least one instance SHOULD specify an
accessLocation that is an HTTP [RFC2616] or LDAP [RFC4516] URI.
************************************************/
import (
"strings"
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/util"
)
type aiaNoHTTPorLDAP struct{}
func (l *aiaNoHTTPorLDAP) Initialize() error {
return nil
}
func (l *aiaNoHTTPorLDAP) CheckApplies(c *x509.Certificate) bool {
return util.IsExtInCert(c, util.AiaOID) && c.IssuingCertificateURL != nil
}
func (l *aiaNoHTTPorLDAP) Execute(c *x509.Certificate) *LintResult {
for _, caIssuer := range c.IssuingCertificateURL {
if caIssuer = strings.ToLower(caIssuer); strings.HasPrefix(caIssuer, "http://") || strings.HasPrefix(caIssuer, "ldap://") {
return &LintResult{Status: Pass}
}
}
return &LintResult{Status: Warn}
}
func init() {
RegisterLint(&Lint{
Name: "w_ext_aia_access_location_missing",
Description: "When the id-ad-caIssuers accessMethod is used, at least one instance SHOULD specify an accessLocation that is an HTTP or LDAP URI",
Citation: "RFC 5280: 4.2.2.1",
Source: RFC5280,
EffectiveDate: util.RFC5280Date,
Lint: &aiaNoHTTPorLDAP{},
})
}


@ -1,55 +0,0 @@
package lints
/*
* ZLint Copyright 2018 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
/************************************************
Authority Information Access
The authority information access extension indicates how to access information and services for the issuer of the certificate in which the extension appears. Information and services may include on-line validation services and CA policy data. (The location of CRLs is not specified in this extension; that information is provided by the cRLDistributionPoints extension.) This extension may be included in end entity or CA certificates. Conforming CAs MUST mark this extension as non-critical.
************************************************/
//See also: BRs: 7.1.2.3 & CAB: 7.1.2.2
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/util"
)
type ExtAiaMarkedCritical struct{}
func (l *ExtAiaMarkedCritical) Initialize() error {
return nil
}
func (l *ExtAiaMarkedCritical) CheckApplies(cert *x509.Certificate) bool {
return util.IsExtInCert(cert, util.AiaOID)
}
func (l *ExtAiaMarkedCritical) Execute(cert *x509.Certificate) *LintResult {
if util.GetExtFromCert(cert, util.AiaOID).Critical {
return &LintResult{Status: Error}
} else {
return &LintResult{Status: Pass}
}
}
func init() {
RegisterLint(&Lint{
Name: "e_ext_aia_marked_critical",
Description: "Conforming CAs must mark the Authority Information Access extension as non-critical",
Citation: "RFC 5280: 4.2.2.1",
Source: RFC5280,
EffectiveDate: util.RFC2459Date,
Lint: &ExtAiaMarkedCritical{},
})
}


@ -1,55 +0,0 @@
package lints
/*
* ZLint Copyright 2018 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
/*********************************************************
RFC 5280: 4.2.1.1
Conforming CAs MUST mark this extension as non-critical.
**********************************************************/
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/util"
)
type authorityKeyIdCritical struct{}
func (l *authorityKeyIdCritical) Initialize() error {
return nil
}
func (l *authorityKeyIdCritical) CheckApplies(c *x509.Certificate) bool {
return util.IsExtInCert(c, util.AuthkeyOID)
}
func (l *authorityKeyIdCritical) Execute(c *x509.Certificate) *LintResult {
aki := util.GetExtFromCert(c, util.AuthkeyOID) //pointer to the extension
if aki.Critical {
return &LintResult{Status: Error}
} else { //implies !aki.Critical
return &LintResult{Status: Pass}
}
}
func init() {
RegisterLint(&Lint{
Name: "e_ext_authority_key_identifier_critical",
Description: "The authority key identifier extension must be non-critical",
Citation: "RFC 5280: 4.2.1.1",
Source: RFC5280,
EffectiveDate: util.RFC2459Date,
Lint: &authorityKeyIdCritical{},
})
}


@ -1,64 +0,0 @@
package lints
/*
* ZLint Copyright 2018 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
/***********************************************************************
RFC 5280: 4.2.1.1
The keyIdentifier field of the authorityKeyIdentifier extension MUST
be included in all certificates generated by conforming CAs to
facilitate certification path construction. There is one exception;
where a CA distributes its public key in the form of a "self-signed"
certificate, the authority key identifier MAY be omitted. The
signature on a self-signed certificate is generated with the private
key associated with the certificate's subject public key. (This
proves that the issuer possesses both the public and private keys.)
In this case, the subject and authority key identifiers would be
identical, but only the subject key identifier is needed for
certification path building.
***********************************************************************/
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/util"
)
type authorityKeyIdMissing struct{}
func (l *authorityKeyIdMissing) Initialize() error {
return nil
}
func (l *authorityKeyIdMissing) CheckApplies(c *x509.Certificate) bool {
return !util.IsRootCA(c)
}
func (l *authorityKeyIdMissing) Execute(c *x509.Certificate) *LintResult {
if !util.IsExtInCert(c, util.AuthkeyOID) && !util.IsSelfSigned(c) {
return &LintResult{Status: Error}
} else {
return &LintResult{Status: Pass}
}
}
func init() {
RegisterLint(&Lint{
Name: "e_ext_authority_key_identifier_missing",
Description: "CAs must support key identifiers and include them in all certificates",
Citation: "RFC 5280: 4.2 & 4.2.1.1",
Source: RFC5280,
EffectiveDate: util.RFC2459Date,
Lint: &authorityKeyIdMissing{},
})
}


@ -1,64 +0,0 @@
package lints
/*
* ZLint Copyright 2018 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
/***********************************************************************
RFC 5280: 4.2.1.1
The keyIdentifier field of the authorityKeyIdentifier extension MUST
be included in all certificates generated by conforming CAs to
facilitate certification path construction. There is one exception;
where a CA distributes its public key in the form of a "self-signed"
certificate, the authority key identifier MAY be omitted. The
signature on a self-signed certificate is generated with the private
key associated with the certificate's subject public key. (This
proves that the issuer possesses both the public and private keys.)
In this case, the subject and authority key identifiers would be
identical, but only the subject key identifier is needed for
certification path building.
***********************************************************************/
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/util"
)
type authorityKeyIdNoKeyIdField struct{}
func (l *authorityKeyIdNoKeyIdField) Initialize() error {
return nil
}
func (l *authorityKeyIdNoKeyIdField) CheckApplies(c *x509.Certificate) bool {
return true
}
func (l *authorityKeyIdNoKeyIdField) Execute(c *x509.Certificate) *LintResult {
if c.AuthorityKeyId == nil && !util.IsSelfSigned(c) { //will be nil by default if not found in x509.parseCert
return &LintResult{Status: Error}
} else {
return &LintResult{Status: Pass}
}
}
func init() {
RegisterLint(&Lint{
Name: "e_ext_authority_key_identifier_no_key_identifier",
Description: "CAs must include keyIdentifer field of AKI in all non-self-issued certificates",
Citation: "RFC 5280: 4.2.1.1",
Source: RFC5280,
EffectiveDate: util.RFC2459Date,
Lint: &authorityKeyIdNoKeyIdField{},
})
}


@ -1,66 +0,0 @@
package lints
/*
* ZLint Copyright 2018 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
/********************************************************************
The user notice has two optional fields: the noticeRef field and the
explicitText field. Conforming CAs SHOULD NOT use the noticeRef
option.
********************************************************************/
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/util"
)
type noticeRefPres struct{}
func (l *noticeRefPres) Initialize() error {
return nil
}
func (l *noticeRefPres) CheckApplies(c *x509.Certificate) bool {
return util.IsExtInCert(c, util.CertPolicyOID)
}
func (l *noticeRefPres) Execute(c *x509.Certificate) *LintResult {
for _, firstLvl := range c.NoticeRefNumbers {
for _, number := range firstLvl {
if number != nil {
return &LintResult{Status: Warn}
}
}
}
for _, firstLvl := range c.NoticeRefOrgnization {
for _, org := range firstLvl {
if len(org.Bytes) != 0 {
return &LintResult{Status: Warn}
}
}
}
return &LintResult{Status: Pass}
}
func init() {
RegisterLint(&Lint{
Name: "w_ext_cert_policy_contains_noticeref",
Description: "Compliant certificates SHOULD NOT use the noticeRef option",
Citation: "RFC 5280: 4.2.1.4",
Source: RFC5280,
EffectiveDate: util.RFC5280Date,
Lint: &noticeRefPres{},
})
}


@ -1,63 +0,0 @@
package lints
/*
* ZLint Copyright 2018 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
/*******************************************************************
RFC 5280: 4.2.1.4
To promote interoperability, this profile RECOMMENDS that policy
information terms consist of only an OID. Where an OID alone is
insufficient, this profile strongly recommends that the use of
qualifiers be limited to those identified in this section. When
qualifiers are used with the special policy anyPolicy, they MUST be
limited to the qualifiers identified in this section. Only those
qualifiers returned as a result of path validation are considered.
********************************************************************/
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/util"
)
type unrecommendedQualifier struct{}
func (l *unrecommendedQualifier) Initialize() error {
return nil
}
func (l *unrecommendedQualifier) CheckApplies(c *x509.Certificate) bool {
return util.IsExtInCert(c, util.CertPolicyOID)
}
func (l *unrecommendedQualifier) Execute(c *x509.Certificate) *LintResult {
for _, firstLvl := range c.QualifierId {
for _, qualifierId := range firstLvl {
if !qualifierId.Equal(util.CpsOID) && !qualifierId.Equal(util.UserNoticeOID) {
return &LintResult{Status: Error}
}
}
}
return &LintResult{Status: Pass}
}
func init() {
RegisterLint(&Lint{
Name: "e_ext_cert_policy_disallowed_any_policy_qualifier",
Description: "When qualifiers are used with the special policy anyPolicy, they must be limited to qualifiers identified in this section: (4.2.1.4)",
Citation: "RFC 5280: 4.2.1.4",
Source: RFC5280,
EffectiveDate: util.RFC3280Date,
Lint: &unrecommendedQualifier{},
})
}


@ -1,62 +0,0 @@
package lints
/*
* ZLint Copyright 2018 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
/************************************************
The certificate policies extension contains a sequence of one or more
policy information terms, each of which consists of an object identifier
(OID) and optional qualifiers. Optional qualifiers, which MAY be present,
are not expected to change the definition of the policy. A certificate
policy OID MUST NOT appear more than once in a certificate policies extension.
************************************************/
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/util"
)
type ExtCertPolicyDuplicate struct{}
func (l *ExtCertPolicyDuplicate) Initialize() error {
return nil
}
func (l *ExtCertPolicyDuplicate) CheckApplies(cert *x509.Certificate) bool {
return util.IsExtInCert(cert, util.CertPolicyOID)
}
func (l *ExtCertPolicyDuplicate) Execute(cert *x509.Certificate) *LintResult {
// O(n^2) is not terrible here because n is small
for i := 0; i < len(cert.PolicyIdentifiers); i++ {
for j := i + 1; j < len(cert.PolicyIdentifiers); j++ {
if i != j && cert.PolicyIdentifiers[i].Equal(cert.PolicyIdentifiers[j]) {
// Any one duplicate fails the test, so return here
return &LintResult{Status: Error}
}
}
}
return &LintResult{Status: Pass}
}
func init() {
RegisterLint(&Lint{
Name: "e_ext_cert_policy_duplicate",
Description: "A certificate policy OID must not appear more than once in the extension",
Citation: "RFC 5280: 4.2.1.4",
Source: RFC5280,
EffectiveDate: util.RFC5280Date,
Lint: &ExtCertPolicyDuplicate{},
})
}


@ -1,71 +0,0 @@
package lints
/*
* ZLint Copyright 2018 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
/********************************************************************
An explicitText field includes the textual statement directly in
the certificate. The explicitText field is a string with a
maximum size of 200 characters. Conforming CAs SHOULD use the
UTF8String encoding for explicitText. VisibleString or BMPString
are acceptable but less preferred alternatives. Conforming CAs
MUST NOT encode explicitText as IA5String. The explicitText string
SHOULD NOT include any control characters (e.g., U+0000 to U+001F
and U+007F to U+009F). When the UTF8String or BMPString encoding
is used, all character sequences SHOULD be normalized according
to Unicode normalization form C (NFC) [NFC].
********************************************************************/
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/util"
)
type explicitTextIA5String struct{}
func (l *explicitTextIA5String) Initialize() error {
return nil
}
func (l *explicitTextIA5String) CheckApplies(c *x509.Certificate) bool {
for _, text := range c.ExplicitTexts {
if text != nil {
return true
}
}
return false
}
func (l *explicitTextIA5String) Execute(c *x509.Certificate) *LintResult {
for _, firstLvl := range c.ExplicitTexts {
for _, text := range firstLvl {
if text.Tag == 22 {
return &LintResult{Status: Error}
}
}
}
return &LintResult{Status: Pass}
}
func init() {
RegisterLint(&Lint{
Name: "e_ext_cert_policy_explicit_text_ia5_string",
Description: "Compliant certificates must not encode explicitTest as an IA5String",
Citation: "RFC 6818: 3",
Source: RFC5280,
EffectiveDate: util.RFC6818Date,
Lint: &explicitTextIA5String{},
})
}


@ -1,89 +0,0 @@
package lints
/*
* ZLint Copyright 2018 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
/*********************************************************************
An explicitText field includes the textual statement directly in
the certificate. The explicitText field is a string with a
maximum size of 200 characters. Conforming CAs SHOULD use the
UTF8String encoding for explicitText, but MAY use IA5String.
Conforming CAs MUST NOT encode explicitText as VisibleString or
BMPString. The explicitText string SHOULD NOT include any control
characters (e.g., U+0000 to U+001F and U+007F to U+009F). When
the UTF8String encoding is used, all character sequences SHOULD be
normalized according to Unicode normalization form C (NFC) [NFC].
*********************************************************************/
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/util"
)
type controlChar struct{}
func (l *controlChar) Initialize() error {
return nil
}
func (l *controlChar) CheckApplies(c *x509.Certificate) bool {
for _, text := range c.ExplicitTexts {
if text != nil {
return true
}
}
return false
}
func (l *controlChar) Execute(c *x509.Certificate) *LintResult {
for _, firstLvl := range c.ExplicitTexts {
for _, text := range firstLvl {
if text.Tag == 12 {
for i := 0; i < len(text.Bytes); i++ {
if text.Bytes[i]&0x80 == 0 {
if text.Bytes[i] < 0x20 || text.Bytes[i] == 0x7f {
return &LintResult{Status: Warn}
}
} else if text.Bytes[i]&0x20 == 0 {
if text.Bytes[i] == 0xc2 && text.Bytes[i+1] >= 0x80 && text.Bytes[i+1] <= 0x9f {
return &LintResult{Status: Warn}
}
i += 1
} else if text.Bytes[i]&0x10 == 0 {
i += 2
} else if text.Bytes[i]&0x08 == 0 {
i += 3
} else if text.Bytes[i]&0x04 == 0 {
i += 4
} else if text.Bytes[i]&0x02 == 0 {
i += 5
}
}
}
}
}
return &LintResult{Status: Pass}
}
func init() {
RegisterLint(&Lint{
Name: "w_ext_cert_policy_explicit_text_includes_control",
Description: "Explicit text should not include any control characters",
Citation: "RFC 6818: 3",
Source: RFC5280,
EffectiveDate: util.RFC6818Date,
Lint: &controlChar{},
})
}


@ -1,65 +0,0 @@
package lints
/*
* ZLint Copyright 2018 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
/************************************************
When the UTF8String encoding is used, all character sequences SHOULD be
normalized according to Unicode normalization form C (NFC) [NFC].
************************************************/
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/util"
"golang.org/x/text/unicode/norm"
)
type ExtCertPolicyExplicitTextNotNFC struct{}
func (l *ExtCertPolicyExplicitTextNotNFC) Initialize() error {
return nil
}
func (l *ExtCertPolicyExplicitTextNotNFC) CheckApplies(c *x509.Certificate) bool {
for _, text := range c.ExplicitTexts {
if text != nil {
return true
}
}
return false
}
func (l *ExtCertPolicyExplicitTextNotNFC) Execute(c *x509.Certificate) *LintResult {
for _, firstLvl := range c.ExplicitTexts {
for _, text := range firstLvl {
if text.Tag == 12 || text.Tag == 30 {
if !norm.NFC.IsNormal(text.Bytes) {
return &LintResult{Status: Warn}
}
}
}
}
return &LintResult{Status: Pass}
}
func init() {
RegisterLint(&Lint{
Name: "w_ext_cert_policy_explicit_text_not_nfc",
Description: "When utf8string or bmpstring encoding is used for explicitText field in certificate policy, it SHOULD be normalized by NFC format",
Citation: "RFC6181 3",
Source: RFC5280,
EffectiveDate: util.RFC6818Date,
Lint: &ExtCertPolicyExplicitTextNotNFC{},
})
}


@ -1,70 +0,0 @@
package lints
/*
* ZLint Copyright 2018 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
/*******************************************************************
An explicitText field includes the textual statement directly in
the certificate. The explicitText field is a string with a
maximum size of 200 characters. Conforming CAs SHOULD use the
UTF8String encoding for explicitText. VisibleString or BMPString
are acceptable but less preferred alternatives. Conforming CAs
MUST NOT encode explicitText as IA5String. The explicitText string
SHOULD NOT include any control characters (e.g., U+0000 to U+001F
and U+007F to U+009F). When the UTF8String or BMPString encoding
is used, all character sequences SHOULD be normalized according
to Unicode normalization form C (NFC) [NFC].
*******************************************************************/
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/util"
)
type explicitTextUtf8 struct{}
func (l *explicitTextUtf8) Initialize() error {
return nil
}
func (l *explicitTextUtf8) CheckApplies(c *x509.Certificate) bool {
for _, text := range c.ExplicitTexts {
if text != nil {
return true
}
}
return false
}
func (l *explicitTextUtf8) Execute(c *x509.Certificate) *LintResult {
for _, firstLvl := range c.ExplicitTexts {
for _, text := range firstLvl {
if text.Tag != 12 {
return &LintResult{Status: Warn}
}
}
}
return &LintResult{Status: Pass}
}
func init() {
RegisterLint(&Lint{
Name: "w_ext_cert_policy_explicit_text_not_utf8",
Description: "Compliant certificates should use the utf8string encoding for explicitText",
Citation: "RFC 6818: 3",
Source: RFC5280,
EffectiveDate: util.RFC6818Date,
Lint: &explicitTextUtf8{},
})
}


@ -1,81 +0,0 @@
package lints
/*
* ZLint Copyright 2018 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
/*******************************************************************
An explicitText field includes the textual statement directly in
the certificate. The explicitText field is a string with a
maximum size of 200 characters. Conforming CAs SHOULD use the
UTF8String encoding for explicitText. VisibleString or BMPString
are acceptable but less preferred alternatives. Conforming CAs
MUST NOT encode explicitText as IA5String. The explicitText string
SHOULD NOT include any control characters (e.g., U+0000 to U+001F
and U+007F to U+009F). When the UTF8String or BMPString encoding
is used, all character sequences SHOULD be normalized according
to Unicode normalization form C (NFC) [NFC].
*******************************************************************/
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/util"
)
type explicitTextTooLong struct{}
const tagBMPString int = 30
func (l *explicitTextTooLong) Initialize() error {
return nil
}
func (l *explicitTextTooLong) CheckApplies(c *x509.Certificate) bool {
for _, text := range c.ExplicitTexts {
if text != nil {
return true
}
}
return false
}
func (l *explicitTextTooLong) Execute(c *x509.Certificate) *LintResult {
for _, firstLvl := range c.ExplicitTexts {
for _, text := range firstLvl {
var runes string
// If the field is a BMPString, we need to parse the bytes out into
// UTF-16-BE runes in order to check their length accurately
// The `Bytes` attribute here is the raw representation of the userNotice
if text.Tag == tagBMPString {
runes, _ = util.ParseBMPString(text.Bytes)
} else {
runes = string(text.Bytes)
}
if len(runes) > 200 {
return &LintResult{Status: Error}
}
}
}
return &LintResult{Status: Pass}
}
func init() {
RegisterLint(&Lint{
Name: "e_ext_cert_policy_explicit_text_too_long",
Description: "Explicit text has a maximum size of 200 characters",
Citation: "RFC 6818: 3",
Source: RFC5280,
EffectiveDate: util.RFC6818Date,
Lint: &explicitTextTooLong{},
})
}


@ -1,56 +0,0 @@
package lints
/*
* ZLint Copyright 2018 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
/************************************************
The CRL distribution points extension identifies how CRL information is obtained. The extension SHOULD be non-critical, but this profile RECOMMENDS support for this extension by CAs and applications.
************************************************/
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/util"
)
type ExtCrlDistributionMarkedCritical struct{}
func (l *ExtCrlDistributionMarkedCritical) Initialize() error {
return nil
}
func (l *ExtCrlDistributionMarkedCritical) CheckApplies(cert *x509.Certificate) bool {
return util.IsExtInCert(cert, util.CrlDistOID)
}
func (l *ExtCrlDistributionMarkedCritical) Execute(cert *x509.Certificate) *LintResult {
if e := util.GetExtFromCert(cert, util.CrlDistOID); e != nil {
if e.Critical == false {
return &LintResult{Status: Pass}
} else {
return &LintResult{Status: Warn}
}
}
return &LintResult{Status: NA}
}
func init() {
RegisterLint(&Lint{
Name: "w_ext_crl_distribution_marked_critical",
Description: "If included, the CRL Distribution Points extension SHOULD NOT be marked critical",
Citation: "RFC 5280: 4.2.1.13",
Source: RFC5280,
EffectiveDate: util.RFC2459Date,
Lint: &ExtCrlDistributionMarkedCritical{},
})
}


@ -1,58 +0,0 @@
package lints
/*
* ZLint Copyright 2018 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
/************************************************
"A certificate MUST NOT include more than one instance of a particular extension."
************************************************/
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/util"
)
type ExtDuplicateExtension struct{}
func (l *ExtDuplicateExtension) Initialize() error {
return nil
}
func (l *ExtDuplicateExtension) CheckApplies(cert *x509.Certificate) bool {
return cert.Version == 3
}
func (l *ExtDuplicateExtension) Execute(cert *x509.Certificate) *LintResult {
// O(n^2) is not terrible here because n is capped around 10
for i := 0; i < len(cert.Extensions); i++ {
for j := i + 1; j < len(cert.Extensions); j++ {
if i != j && cert.Extensions[i].Id.Equal(cert.Extensions[j].Id) {
return &LintResult{Status: Error}
}
}
}
// Nested loop will return if it finds a duplicate, so safe to assume pass
return &LintResult{Status: Pass}
}
func init() {
RegisterLint(&Lint{
Name: "e_ext_duplicate_extension",
Description: "A certificate MUST NOT include more than one instance of a particular extension",
Citation: "RFC 5280: 4.2",
Source: RFC5280,
EffectiveDate: util.RFC2459Date,
Lint: &ExtDuplicateExtension{},
})
}


@ -1,56 +0,0 @@
package lints
/*
* ZLint Copyright 2018 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
/************************************************
The freshest CRL extension identifies how delta CRL information is obtained. The extension MUST be marked as non-critical by conforming CAs. Further discussion of CRL management is contained in Section 5.
************************************************/
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zcrypto/x509/pkix"
"github.com/zmap/zlint/util"
)
type ExtFreshestCrlMarkedCritical struct{}
func (l *ExtFreshestCrlMarkedCritical) Initialize() error {
return nil
}
func (l *ExtFreshestCrlMarkedCritical) CheckApplies(cert *x509.Certificate) bool {
return util.IsExtInCert(cert, util.FreshCRLOID)
}
func (l *ExtFreshestCrlMarkedCritical) Execute(cert *x509.Certificate) *LintResult {
var fCRL *pkix.Extension = util.GetExtFromCert(cert, util.FreshCRLOID)
if fCRL != nil && fCRL.Critical {
return &LintResult{Status: Error}
} else if fCRL != nil && !fCRL.Critical {
return &LintResult{Status: Pass}
}
return &LintResult{Status: NA} //shouldn't happen
}
func init() {
RegisterLint(&Lint{
Name: "e_ext_freshest_crl_marked_critical",
Description: "Freshest CRL MUST be marked as non-critical by conforming CAs",
Citation: "RFC 5280: 4.2.1.15",
Source: RFC5280,
EffectiveDate: util.RFC3280Date,
Lint: &ExtFreshestCrlMarkedCritical{},
})
}


@ -1,55 +0,0 @@
package lints
/*
* ZLint Copyright 2018 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
/************************************************
Issuer Alternative Name
As with Section 4.2.1.6, this extension is used to associate Internet style identities with the certificate issuer. Issuer alternative name MUST be encoded as in 4.2.1.6. Issuer alternative names are not processed as part of the certification path validation algorithm in Section 6. (That is, issuer alternative names are not used in name chaining and name constraints are not enforced.)
Where present, conforming CAs SHOULD mark this extension as non-critical.
************************************************/
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/util"
)
type ExtIANCritical struct{}
func (l *ExtIANCritical) Initialize() error {
return nil
}
func (l *ExtIANCritical) CheckApplies(cert *x509.Certificate) bool {
return util.IsExtInCert(cert, util.IssuerAlternateNameOID)
}
func (l *ExtIANCritical) Execute(cert *x509.Certificate) *LintResult {
if util.GetExtFromCert(cert, util.IssuerAlternateNameOID).Critical {
return &LintResult{Status: Warn}
} else {
return &LintResult{Status: Pass}
}
}
func init() {
RegisterLint(&Lint{
Name: "w_ext_ian_critical",
Description: "Issuer alternate name should be marked as non-critical",
Citation: "RFC 5280: 4.2.1.7",
Source: RFC5280,
EffectiveDate: util.RFC2459Date,
Lint: &ExtIANCritical{},
})
}


@ -1,73 +0,0 @@
package lints
/*
* ZLint Copyright 2018 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
/********************************************************************
RFC 5280: 4.2.1.7
When the subjectAltName extension contains a domain name system
label, the domain name MUST be stored in the DNSName (an IA5String).
The name MUST be in the "preferred name syntax", as specified by
Section 3.5 of [RFC1034] and as modified by Section 2.1 of
[RFC1123]. Note that while uppercase and lowercase letters are
allowed in domain names, no significance is attached to the case. In
addition, while the string " " is a legal domain name, subjectAltName
extensions with a DNSName of " " MUST NOT be used. Finally, the use
of the DNS representation for Internet mail addresses
(subscriber.example.com instead of subscriber@example.com) MUST NOT
be used; such identities are to be encoded as rfc822Name. Rules for
encoding internationalized domain names are specified in Section 7.2.
********************************************************************/
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/util"
)
type IANDNSNotIA5String struct{}
func (l *IANDNSNotIA5String) Initialize() error {
return nil
}
func (l *IANDNSNotIA5String) CheckApplies(c *x509.Certificate) bool {
return util.IsExtInCert(c, util.IssuerAlternateNameOID)
}
func (l *IANDNSNotIA5String) Execute(c *x509.Certificate) *LintResult {
ext := util.GetExtFromCert(c, util.IssuerAlternateNameOID)
if ext == nil {
return &LintResult{Status: Fatal}
}
ok, err := util.AllAlternateNameWithTagAreIA5(ext, util.DNSNameTag)
if err != nil {
return &LintResult{Status: Fatal}
}
if ok {
return &LintResult{Status: Pass}
} else {
return &LintResult{Status: Error}
}
}
func init() {
RegisterLint(&Lint{
Name: "e_ext_ian_dns_not_ia5_string",
Description: "DNSNames MUST be IA5 strings",
Citation: "RFC 5280: 4.2.1.7",
Source: RFC5280,
EffectiveDate: util.RFC2459Date,
Lint: &IANDNSNotIA5String{},
})
}


@ -1,80 +0,0 @@
package lints
/*
* ZLint Copyright 2018 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
/******************************************************************
RFC 5280: 4.2.1.7
If the subjectAltName extension is present, the sequence MUST contain
at least one entry. Unlike the subject field, conforming CAs MUST
NOT issue certificates with subjectAltNames containing empty
GeneralName fields. For example, an rfc822Name is represented as an
IA5String. While an empty string is a valid IA5String, such an
rfc822Name is not permitted by this profile. The behavior of clients
that encounter such a certificate when processing a certification
path is not defined by this profile.
******************************************************************/
import (
"encoding/asn1"
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/util"
)
type IANEmptyName struct{}
func (l *IANEmptyName) Initialize() error {
return nil
}
func (l *IANEmptyName) CheckApplies(c *x509.Certificate) bool {
return util.IsExtInCert(c, util.IssuerAlternateNameOID)
}
func (l *IANEmptyName) Execute(c *x509.Certificate) *LintResult {
value := util.GetExtFromCert(c, util.IssuerAlternateNameOID).Value
var seq asn1.RawValue
if _, err := asn1.Unmarshal(value, &seq); err != nil {
return &LintResult{Status: Fatal}
}
if !seq.IsCompound || seq.Tag != 16 || seq.Class != 0 {
return &LintResult{Status: Fatal}
}
rest := seq.Bytes
for len(rest) > 0 {
var v asn1.RawValue
var err error
rest, err = asn1.Unmarshal(rest, &v)
if err != nil {
return &LintResult{Status: NA}
}
if len(v.Bytes) == 0 {
return &LintResult{Status: Error}
}
}
return &LintResult{Status: Pass}
}
func init() {
RegisterLint(&Lint{
Name: "e_ext_ian_empty_name",
Description: "General name fields must not be empty in IAN",
Citation: "RFC 5280: 4.2.1.7",
Source: RFC5280,
EffectiveDate: util.RFC2459Date,
Lint: &IANEmptyName{},
})
}


@ -1,62 +0,0 @@
package lints
/*
* ZLint Copyright 2018 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
/**********************************************************************
RFC 5280: 4.2.1.7
If the issuerAltName extension is present, the sequence MUST contain
at least one entry. Unlike the subject field, conforming CAs MUST
NOT issue certificates with subjectAltNames containing empty
GeneralName fields. For example, an rfc822Name is represented as an
IA5String. While an empty string is a valid IA5String, such an
rfc822Name is not permitted by this profile. The behavior of clients
that encounter such a certificate when processing a certification
path is not defined by this profile.
***********************************************************************/
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/util"
)
type IANNoEntry struct{}
func (l *IANNoEntry) Initialize() error {
return nil
}
func (l *IANNoEntry) CheckApplies(c *x509.Certificate) bool {
return util.IsExtInCert(c, util.IssuerAlternateNameOID)
}
func (l *IANNoEntry) Execute(c *x509.Certificate) *LintResult {
ian := util.GetExtFromCert(c, util.IssuerAlternateNameOID)
if util.IsEmptyASN1Sequence(ian.Value) {
return &LintResult{Status: Error}
} else {
return &LintResult{Status: Pass}
}
}
func init() {
RegisterLint(&Lint{
Name: "e_ext_ian_no_entries",
Description: "If present, the IAN extension must contain at least one entry",
Citation: "RFC 5280: 4.2.1.7",
Source: RFC5280,
EffectiveDate: util.RFC2459Date,
Lint: &IANNoEntry{},
})
}


@ -1,69 +0,0 @@
package lints
/*
* ZLint Copyright 2018 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
/************************************************************************
RFC 5280: 4.2.1.6
When the issuerAltName extension contains an Internet mail address,
the address MUST be stored in the rfc822Name. The format of an
rfc822Name is a "Mailbox" as defined in Section 4.1.2 of [RFC2821].
A Mailbox has the form "Local-part@Domain". Note that a Mailbox has
no phrase (such as a common name) before it, has no comment (text
surrounded in parentheses) after it, and is not surrounded by "<" and
">". Rules for encoding Internet mail addresses that include
internationalized domain names are specified in Section 7.5.
************************************************************************/
import (
"strings"
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/util"
)
type IANEmail struct{}
func (l *IANEmail) Initialize() error {
return nil
}
func (l *IANEmail) CheckApplies(c *x509.Certificate) bool {
return util.IsExtInCert(c, util.IssuerAlternateNameOID)
}
func (l *IANEmail) Execute(c *x509.Certificate) *LintResult {
for _, str := range c.IANEmailAddresses {
if str == "" {
continue
}
if strings.Contains(str, " ") {
return &LintResult{Status: Error}
} else if str[0] == '<' || str[len(str)-1] == ')' {
return &LintResult{Status: Error}
}
}
return &LintResult{Status: Pass}
}
func init() {
RegisterLint(&Lint{
Name: "e_ext_ian_rfc822_format_invalid",
Description: "Email must not be surrounded with `<>`, and there MUST NOT be trailing comments in `()`",
Citation: "RFC 5280: 4.2.1.7",
Source: RFC5280,
EffectiveDate: util.RFC2459Date,
Lint: &IANEmail{},
})
}


@ -1,66 +0,0 @@
package lints
/*
* ZLint Copyright 2018 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
/**********************************************************************
RFC 5280: 4.2.1.7
When the issuerAltName extension contains a domain name system
label, the domain name MUST be stored in the dNSName (an IA5String).
The name MUST be in the "preferred name syntax", as specified by
Section 3.5 of [RFC1034] and as modified by Section 2.1 of
[RFC1123]. Note that while uppercase and lowercase letters are
allowed in domain names, no significance is attached to the case. In
addition, while the string " " is a legal domain name, subjectAltName
extensions with a dNSName of " " MUST NOT be used. Finally, the use
of the DNS representation for Internet mail addresses
(subscriber.example.com instead of subscriber@example.com) MUST NOT
be used; such identities are to be encoded as rfc822Name. Rules for
encoding internationalized domain names are specified in Section 7.2.
**********************************************************************/
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/util"
)
type IANSpace struct{}
func (l *IANSpace) Initialize() error {
return nil
}
func (l *IANSpace) CheckApplies(c *x509.Certificate) bool {
return util.IsExtInCert(c, util.IssuerAlternateNameOID)
}
func (l *IANSpace) Execute(c *x509.Certificate) *LintResult {
for _, dns := range c.IANDNSNames {
if dns == " " {
return &LintResult{Status: Error}
}
}
return &LintResult{Status: Pass}
}
func init() {
RegisterLint(&Lint{
Name: "e_ext_ian_space_dns_name",
Description: "dNSName ' ' MUST NOT be used",
Citation: "RFC 5280: 4.2.1.6",
Source: RFC5280,
EffectiveDate: util.RFC2459Date,
Lint: &IANSpace{},
})
}


@ -1,69 +0,0 @@
package lints
/*
* ZLint Copyright 2018 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
/************************************************
The name MUST include both a
scheme (e.g., "http" or "ftp") and a scheme-specific-part.
************************************************/
import (
"net/url"
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/util"
)
type IANURIFormat struct{}
func (l *IANURIFormat) Initialize() error {
return nil
}
func (l *IANURIFormat) CheckApplies(c *x509.Certificate) bool {
return util.IsExtInCert(c, util.IssuerAlternateNameOID)
}
func (l *IANURIFormat) Execute(c *x509.Certificate) *LintResult {
for _, uri := range c.IANURIs {
parsed_uri, err := url.Parse(uri)
if err != nil {
return &LintResult{Status: Error}
}
//scheme
if parsed_uri.Scheme == "" {
return &LintResult{Status: Error}
}
//scheme-specific part
if parsed_uri.Host == "" && parsed_uri.User == nil && parsed_uri.Opaque == "" && parsed_uri.Path == "" {
return &LintResult{Status: Error}
}
}
return &LintResult{Status: Pass}
}
func init() {
RegisterLint(&Lint{
Name: "e_ext_ian_uri_format_invalid",
Description: "URIs in the subjectAltName extension MUST have a scheme and scheme specific part",
Citation: "RFC5280: 4.2.1.6",
Source: RFC5280,
EffectiveDate: util.RFC5280Date,
Lint: &IANURIFormat{},
})
}


@ -1,71 +0,0 @@
package lints
/*
* ZLint Copyright 2018 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
/*********************************************************************
When the issuerAltName extension contains a URI, the name MUST be
stored in the uniformResourceIdentifier (an IA5String). The name
MUST NOT be a relative URI, and it MUST follow the URI syntax and
encoding rules specified in [RFC3986]. The name MUST include both a
scheme (e.g., "http" or "ftp") and a scheme-specific-part. URIs that
include an authority ([RFC3986], Section 3.2) MUST include a fully
qualified domain name or IP address as the host. Rules for encoding
Internationalized Resource Identifiers (IRIs) are specified in
Section 7.4.
*********************************************************************/
import (
"net/url"
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/util"
)
type IANURIFQDNOrIP struct{}
func (l *IANURIFQDNOrIP) Initialize() error {
return nil
}
func (l *IANURIFQDNOrIP) CheckApplies(c *x509.Certificate) bool {
return util.IsExtInCert(c, util.IssuerAlternateNameOID)
}
func (l *IANURIFQDNOrIP) Execute(c *x509.Certificate) *LintResult {
for _, uri := range c.IANURIs {
if uri != "" {
parsedUrl, err := url.Parse(uri)
if err != nil {
return &LintResult{Status: Error}
}
host := parsedUrl.Host
if !util.AuthIsFQDNOrIP(host) {
return &LintResult{Status: Error}
}
}
}
return &LintResult{Status: Pass}
}
func init() {
RegisterLint(&Lint{
Name: "e_ext_ian_uri_host_not_fqdn_or_ip",
Description: "URIs that include an authority ([RFC3986], Section 3.2) MUST include a fully qualified domain name or IP address as the host",
Citation: "RFC 5280: 4.2.1.6",
Source: RFC5280,
EffectiveDate: util.RFC5280Date,
Lint: &IANURIFQDNOrIP{},
})
}


@ -1,59 +0,0 @@
package lints
/*
* ZLint Copyright 2018 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
/************************************************
When the issuerAltName extension contains a URI, the name MUST be
stored in the uniformResourceIdentifier (an IA5String).
************************************************/
import (
"unicode"
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/util"
)
type IANURIIA5String struct{}
func (l *IANURIIA5String) Initialize() error {
return nil
}
func (l *IANURIIA5String) CheckApplies(c *x509.Certificate) bool {
return util.IsExtInCert(c, util.IssuerAlternateNameOID)
}
func (l *IANURIIA5String) Execute(c *x509.Certificate) *LintResult {
for _, uri := range c.IANURIs {
for _, c := range uri {
if c > unicode.MaxASCII {
return &LintResult{Status: Error}
}
}
}
return &LintResult{Status: Pass}
}
func init() {
RegisterLint(&Lint{
Name: "e_ext_ian_uri_not_ia5",
Description: "When subjectAltName contains a URI, the name MUST be an IA5 string",
Citation: "RFC5280: 4.2.1.7",
Source: RFC5280,
EffectiveDate: util.RFC5280Date,
Lint: &IANURIIA5String{},
})
}


@ -1,70 +0,0 @@
package lints
/*
* ZLint Copyright 2018 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
/*************************************************************************
When the issuerAltName extension contains a URI, the name MUST be
stored in the uniformResourceIdentifier (an IA5String). The name
MUST NOT be a relative URI, and it MUST follow the URI syntax and
encoding rules specified in [RFC3986]. The name MUST include both a
scheme (e.g., "http" or "ftp") and a scheme-specific-part. URIs that
include an authority ([RFC3986], Section 3.2) MUST include a fully
qualified domain name or IP address as the host. Rules for encoding
Internationalized Resource Identifiers (IRIs) are specified in
Section 7.4.
*************************************************************************/
import (
"net/url"
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/util"
)
type uriRelative struct{}
func (l *uriRelative) Initialize() error {
return nil
}
func (l *uriRelative) CheckApplies(c *x509.Certificate) bool {
return util.IsExtInCert(c, util.IssuerAlternateNameOID)
}
func (l *uriRelative) Execute(c *x509.Certificate) *LintResult {
for _, uri := range c.IANURIs {
parsed_uri, err := url.Parse(uri)
if err != nil {
return &LintResult{Status: Error}
}
if !parsed_uri.IsAbs() {
return &LintResult{Status: Error}
}
}
return &LintResult{Status: Pass}
}
func init() {
RegisterLint(&Lint{
Name: "e_ext_ian_uri_relative",
Description: "When issuerAltName extension is present and the URI is used, the name MUST NOT be a relative URI",
Citation: "RFC 5280: 4.2.1.7",
Source: RFC5280,
EffectiveDate: util.RFC5280Date,
Lint: &uriRelative{},
})
}


@ -1,64 +0,0 @@
package lints
/*
* ZLint Copyright 2018 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
/************************************************************************
RFC 5280: 4.2.1.9
The cA boolean indicates whether the certified public key may be used
to verify certificate signatures. If the cA boolean is not asserted,
then the keyCertSign bit in the key usage extension MUST NOT be
asserted. If the basic constraints extension is not present in a
version 3 certificate, or the extension is present but the cA boolean
is not asserted, then the certified public key MUST NOT be used to
verify certificate signatures.
************************************************************************/
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/util"
)
type keyUsageCertSignNoCa struct{}
func (l *keyUsageCertSignNoCa) Initialize() error {
return nil
}
func (l *keyUsageCertSignNoCa) CheckApplies(c *x509.Certificate) bool {
return util.IsExtInCert(c, util.KeyUsageOID)
}
func (l *keyUsageCertSignNoCa) Execute(c *x509.Certificate) *LintResult {
if (c.KeyUsage & x509.KeyUsageCertSign) != 0 {
if c.BasicConstraintsValid && util.IsCACert(c) { //CA certs may assert certtificate signing usage
return &LintResult{Status: Pass}
} else {
return &LintResult{Status: Error}
}
} else {
return &LintResult{Status: Pass}
}
}
func init() {
RegisterLint(&Lint{
Name: "e_ext_key_usage_cert_sign_without_ca",
Description: "if the keyCertSign bit is asserted, then the cA bit in the basic constraints extension MUST also be asserted",
Citation: "RFC 5280: 4.2.1.3 & 4.2.1.9",
Source: RFC5280,
EffectiveDate: util.RFC3280Date,
Lint: &keyUsageCertSignNoCa{},
})
}


@ -1,56 +0,0 @@
package lints
/*
* ZLint Copyright 2018 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
// "When present, conforming CAs SHOULD mark this extension as critical."
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/util"
)
type checkKeyUsageCritical struct{}
func (l *checkKeyUsageCritical) Initialize() error {
return nil
}
func (l *checkKeyUsageCritical) CheckApplies(c *x509.Certificate) bool {
return util.IsExtInCert(c, util.KeyUsageOID)
}
func (l *checkKeyUsageCritical) Execute(c *x509.Certificate) *LintResult {
// Add actual lint here
keyUsage := util.GetExtFromCert(c, util.KeyUsageOID)
if keyUsage == nil {
return &LintResult{Status: NA}
}
if keyUsage.Critical {
return &LintResult{Status: Pass}
} else {
return &LintResult{Status: Warn}
}
}
func init() {
RegisterLint(&Lint{
Name: "w_ext_key_usage_not_critical",
Description: "The keyUsage extension SHOULD be critical",
Citation: "RFC 5280: 4.2.1.3",
Source: RFC5280,
EffectiveDate: util.RFC2459Date,
Lint: &checkKeyUsageCritical{},
})
}


@ -1,58 +0,0 @@
package lints
/*
* ZLint Copyright 2018 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
/***********************************************************************
This profile does not restrict the combinations of bits that may be
set in an instantiation of the keyUsage extension. However,
appropriate values for keyUsage extensions for particular algorithms
are specified in [RFC3279], [RFC4055], and [RFC4491]. When the
keyUsage extension appears in a certificate, at least one of the bits
MUST be set to 1.
***********************************************************************/
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/util"
)
type keyUsageBitsSet struct{}
func (l *keyUsageBitsSet) Initialize() error {
return nil
}
func (l *keyUsageBitsSet) CheckApplies(c *x509.Certificate) bool {
return util.IsExtInCert(c, util.KeyUsageOID)
}
func (l *keyUsageBitsSet) Execute(c *x509.Certificate) *LintResult {
if c.KeyUsage == 0 {
return &LintResult{Status: Error}
} else {
return &LintResult{Status: Pass}
}
}
func init() {
RegisterLint(&Lint{
Name: "e_ext_key_usage_without_bits",
Description: "When the keyUsage extension is included, at least one bit MUST be set to 1",
Citation: "RFC 5280: 4.2.1.3",
Source: RFC5280,
EffectiveDate: util.RFC5280Date,
Lint: &keyUsageBitsSet{},
})
}


@ -1,62 +0,0 @@
package lints
/*
* ZLint Copyright 2018 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
/************************************************************************
Restrictions are defined in terms of permitted or excluded name
subtrees. Any name matching a restriction in the excludedSubtrees
field is invalid regardless of information appearing in the
permittedSubtrees. Conforming CAs MUST mark this extension as
critical and SHOULD NOT impose name constraints on the x400Address,
ediPartyName, or registeredID name forms. Conforming CAs MUST NOT
issue certificates where name constraints is an empty sequence. That
is, either the permittedSubtrees field or the excludedSubtrees MUST
be present.
************************************************************************/
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/util"
)
type nameConstraintCrit struct{}
func (l *nameConstraintCrit) Initialize() error {
return nil
}
func (l *nameConstraintCrit) CheckApplies(c *x509.Certificate) bool {
return util.IsExtInCert(c, util.NameConstOID)
}
func (l *nameConstraintCrit) Execute(c *x509.Certificate) *LintResult {
e := util.GetExtFromCert(c, util.NameConstOID)
if e.Critical {
return &LintResult{Status: Pass}
} else {
return &LintResult{Status: Error}
}
}
func init() {
RegisterLint(&Lint{
Name: "e_ext_name_constraints_not_critical",
Description: "If it is included, conforming CAs MUST mark the name constrains extension as critical",
Citation: "RFC 5280: 4.2.1.10",
Source: RFC5280,
EffectiveDate: util.RFC2459Date,
Lint: &nameConstraintCrit{},
})
}


@ -1,60 +0,0 @@
package lints
/*
* ZLint Copyright 2018 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
/***********************************************************************
RFC 5280: 4.2.1.10
The name constraints extension, which MUST be used only in a CA
certificate, indicates a name space within which all subject names in
subsequent certificates in a certification path MUST be located.
Restrictions apply to the subject distinguished name and apply to
subject alternative names. Restrictions apply only when the
specified name form is present. If no name of the type is in the
certificate, the certificate is acceptable.
***********************************************************************/
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/util"
)
type nameConstraintNotCa struct{}
func (l *nameConstraintNotCa) Initialize() error {
return nil
}
func (l *nameConstraintNotCa) CheckApplies(c *x509.Certificate) bool {
return util.IsExtInCert(c, util.NameConstOID)
}
func (l *nameConstraintNotCa) Execute(c *x509.Certificate) *LintResult {
if !util.IsCACert(c) {
return &LintResult{Status: Error}
} else {
return &LintResult{Status: Pass}
}
}
func init() {
RegisterLint(&Lint{
Name: "e_ext_name_constraints_not_in_ca",
Description: "The name constraints extension MUST only be used in CA certificates",
Citation: "RFC 5280: 4.2.1.10",
Source: RFC5280,
EffectiveDate: util.RFC2459Date,
Lint: &nameConstraintNotCa{},
})
}


@ -1,75 +0,0 @@
package lints
/*
* ZLint Copyright 2018 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
/*************************************************************************
RFC 5280: 4.2.1.11
Conforming CAs MUST NOT issue certificates where policy constraints
is an empty sequence. That is, either the inhibitPolicyMapping field
or the requireExplicitPolicy field MUST be present. The behavior of
clients that encounter an empty policy constraints field is not
addressed in this profile.
*************************************************************************/
import (
"encoding/asn1"
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/util"
)
type policyConstraintsContents struct{}
func (l *policyConstraintsContents) Initialize() error {
return nil
}
func (l *policyConstraintsContents) CheckApplies(c *x509.Certificate) bool {
if !(util.IsExtInCert(c, util.PolicyConstOID)) {
return false
}
pc := util.GetExtFromCert(c, util.PolicyConstOID)
var seq asn1.RawValue
rest, err := asn1.Unmarshal(pc.Value, &seq) //only one sequence, so rest should be empty
if err != nil || len(rest) != 0 || seq.Tag != 16 || seq.Class != 0 || !seq.IsCompound {
return false
}
return true
}
func (l *policyConstraintsContents) Execute(c *x509.Certificate) *LintResult {
pc := util.GetExtFromCert(c, util.PolicyConstOID)
var seq asn1.RawValue
_, err := asn1.Unmarshal(pc.Value, &seq) //only one sequence, so rest should be empty
if err != nil {
return &LintResult{Status: Fatal}
}
if len(seq.Bytes) == 0 {
return &LintResult{Status: Error}
}
return &LintResult{Status: Pass}
}
func init() {
RegisterLint(&Lint{
Name: "e_ext_policy_constraints_empty",
Description: "Conforming CAs MUST NOT issue certificates where policy constraints is an empty sequence. That is, either the inhibitPolicyMapping field or the requireExplicityPolicy field MUST be present",
Citation: "RFC 5280: 4.2.1.11",
Source: RFC5280,
EffectiveDate: util.RFC2459Date,
Lint: &policyConstraintsContents{},
})
}


@ -1,55 +0,0 @@
package lints
/*
* ZLint Copyright 2018 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
/************************************************
RFC 5280: 4.2.1.11
Conforming CAs MUST mark this extension as critical.
************************************************/
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/util"
)
type policyConstraintsCritical struct{}
func (l *policyConstraintsCritical) Initialize() error {
return nil
}
func (l *policyConstraintsCritical) CheckApplies(c *x509.Certificate) bool {
return util.IsExtInCert(c, util.PolicyConstOID)
}
func (l *policyConstraintsCritical) Execute(c *x509.Certificate) *LintResult {
pc := util.GetExtFromCert(c, util.PolicyConstOID)
if !pc.Critical {
return &LintResult{Status: Error}
} else {
return &LintResult{Status: Pass}
}
}
func init() {
RegisterLint(&Lint{
Name: "e_ext_policy_constraints_not_critical",
Description: "Conforming CAs MUST mark the policy constraints extension as critical",
Citation: "RFC 5280: 4.2.1.11",
Source: RFC5280,
EffectiveDate: util.RFC5280Date,
Lint: &policyConstraintsCritical{},
})
}


@ -1,64 +0,0 @@
package lints
/*
* ZLint Copyright 2018 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
/********************************************************************
RFC 5280: 4.2.1.5
Each issuerDomainPolicy named in the policy mappings extension SHOULD
also be asserted in a certificate policies extension in the same
certificate. Policies MUST NOT be mapped either to or from the
special value anyPolicy (Section 4.2.1.4).
********************************************************************/
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/util"
)
type policyMapAnyPolicy struct{}
func (l *policyMapAnyPolicy) Initialize() error {
return nil
}
func (l *policyMapAnyPolicy) CheckApplies(c *x509.Certificate) bool {
return util.IsExtInCert(c, util.PolicyMapOID)
}
func (l *policyMapAnyPolicy) Execute(c *x509.Certificate) *LintResult {
extPolMap := util.GetExtFromCert(c, util.PolicyMapOID)
polMap, err := util.GetMappedPolicies(extPolMap)
if err != nil {
return &LintResult{Status: Fatal}
}
for _, pair := range polMap {
if util.AnyPolicyOID.Equal(pair[0]) || util.AnyPolicyOID.Equal(pair[1]) {
return &LintResult{Status: Error}
}
}
return &LintResult{Status: Pass}
}
func init() {
RegisterLint(&Lint{
Name: "e_ext_policy_map_any_policy",
Description: "Policies must not be mapped to or from the anyPolicy value",
Citation: "RFC 5280: 4.2.1.5",
Source: RFC5280,
EffectiveDate: util.RFC3280Date,
Lint: &policyMapAnyPolicy{},
})
}


@ -1,56 +0,0 @@
package lints
/*
* ZLint Copyright 2018 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
/**********************************************************
RFC 5280: 4.2.1.5. Policy Mappings
This extension MAY be supported by CAs and/or applications.
Conforming CAs SHOULD mark this extension as critical.
**********************************************************/
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/util"
)
type policyMapCritical struct{}
func (l *policyMapCritical) Initialize() error {
return nil
}
func (l *policyMapCritical) CheckApplies(c *x509.Certificate) bool {
return util.IsExtInCert(c, util.PolicyMapOID)
}
func (l *policyMapCritical) Execute(c *x509.Certificate) *LintResult {
polMap := util.GetExtFromCert(c, util.PolicyMapOID)
if polMap.Critical {
return &LintResult{Status: Pass}
} else {
return &LintResult{Status: Warn}
}
}
func init() {
RegisterLint(&Lint{
Name: "w_ext_policy_map_not_critical",
Description: "Policy mappings should be marked as critical",
Citation: "RFC 5280: 4.2.1.5",
Source: RFC5280,
EffectiveDate: util.RFC2459Date,
Lint: &policyMapCritical{},
})
}


@ -1,63 +0,0 @@
package lints
/*
* ZLint Copyright 2018 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
/*********************************************************************
RFC 5280: 4.2.1.5
Each issuerDomainPolicy named in the policy mapping extension SHOULD
also be asserted in a certificate policies extension in the same
certificate. Policies SHOULD NOT be mapped either to or from the
special value anyPolicy (section 4.2.1.5).
*********************************************************************/
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/util"
)
type policyMapMatchesCertPolicy struct{}
func (l *policyMapMatchesCertPolicy) Initialize() error {
return nil
}
func (l *policyMapMatchesCertPolicy) CheckApplies(c *x509.Certificate) bool {
return util.IsExtInCert(c, util.PolicyMapOID)
}
func (l *policyMapMatchesCertPolicy) Execute(c *x509.Certificate) *LintResult {
extPolMap := util.GetExtFromCert(c, util.PolicyMapOID)
polMap, err := util.GetMappedPolicies(extPolMap)
if err != nil {
return &LintResult{Status: Fatal}
}
for _, pair := range polMap {
if !util.SliceContainsOID(c.PolicyIdentifiers, pair[0]) {
return &LintResult{Status: Warn}
}
}
return &LintResult{Status: Pass}
}
func init() {
RegisterLint(&Lint{
Name: "w_ext_policy_map_not_in_cert_policy",
Description: "Each issuerDomainPolicy named in the policy mappings extension should also be asserted in a certificate policies extension",
Citation: "RFC 5280: 4.2.1.5",
Source: RFC5280,
EffectiveDate: util.RFC3280Date,
Lint: &policyMapMatchesCertPolicy{},
})
}


@ -1,60 +0,0 @@
package lints
/*
* ZLint Copyright 2018 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
/************************************************
BRs: 7.1.4.2.1
Also as of the Effective Date, the CA SHALL NOT
issue a certificate with an Expiry Date later than
1 November 2015 with a subjectAlternativeName extension
or Subject commonName field containing a Reserved IP
Address or Internal Name.
************************************************/
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/util"
)
type SANReservedIP struct{}
func (l *SANReservedIP) Initialize() error {
return nil
}
func (l *SANReservedIP) CheckApplies(c *x509.Certificate) bool {
return c.NotAfter.After(util.NoReservedIP)
}
func (l *SANReservedIP) Execute(c *x509.Certificate) *LintResult {
for _, ip := range c.IPAddresses {
if util.IsIANAReserved(ip) {
return &LintResult{Status: Error}
}
}
return &LintResult{Status: Pass}
}
func init() {
RegisterLint(&Lint{
Name: "e_ext_san_contains_reserved_ip",
Description: "Effective October 1, 2016, CAs must revoke all unexpired certificates that contains a reserved IP or internal name.",
Citation: "BRs: 7.1.4.2.1",
Source: CABFBaselineRequirements,
EffectiveDate: util.CABEffectiveDate,
Lint: &SANReservedIP{},
})
}
