diff --git a/cmd/cert-checker/main.go b/cmd/cert-checker/main.go
index 17af6ace6..7cc18c936 100644
--- a/cmd/cert-checker/main.go
+++ b/cmd/cert-checker/main.go
@@ -17,8 +17,8 @@ import (
 "github.com/jmhodges/clock"
 "github.com/prometheus/client_golang/prometheus"
 "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint"
- "github.com/zmap/zlint/lints"
+ "github.com/zmap/zlint/v2"
+ "github.com/zmap/zlint/v2/lint"
 "github.com/letsencrypt/boulder/cmd"
 "github.com/letsencrypt/boulder/core"
@@ -227,7 +227,7 @@ func (c *certChecker) checkCert(cert core.Certificate, ignoredLints map[string]b
 // Run zlint checks
 results := zlint.LintCertificate(parsedCert)
 for name, res := range results.Results {
- if ignoredLints[name] || res.Status <= lints.Pass {
+ if ignoredLints[name] || res.Status <= lint.Pass {
 continue
 }
 prob := fmt.Sprintf("zlint %s: %s", res.Status, name)
diff --git a/go.mod b/go.mod
index 10bf181f7..7c04bfc2a 100644
--- a/go.mod
+++ b/go.mod
@@ -9,8 +9,6 @@ require (
 github.com/eggsampler/acme/v3 v3.0.0
 github.com/go-gorp/gorp v2.0.0+incompatible // indirect
 github.com/go-sql-driver/mysql v1.4.1
- github.com/gogo/googleapis v1.1.0 // indirect
- github.com/gogo/protobuf v1.2.0 // indirect
 github.com/golang/mock v1.3.1
 github.com/golang/protobuf v1.3.2
 github.com/golang/snappy v0.0.0-20170215233205-553a64147049 // indirect
@@ -20,7 +18,6 @@ require (
 github.com/jmhodges/clock v0.0.0-20160418191101-880ee4c33548
 github.com/letsencrypt/challtestsrv v1.0.2
 github.com/letsencrypt/pkcs11key/v4 v4.0.0
- github.com/lyft/protoc-gen-validate v0.0.13 // indirect
 github.com/miekg/dns v1.1.8
 github.com/miekg/pkcs11 v1.0.3
 github.com/onsi/ginkgo v1.8.0 // indirect
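Review bot: In `checkCert` (cmd/cert-checker/main.go) the `ignoredLints[name]` lookup is keyed by lint name, and this change moves zlint across a major version; the vendored zlint README removed later in this diff says that changes to lint results and names are what trigger a MAJOR revision. An ignore entry whose name does not exist under v2 simply never matches, so a stale or misspelled entry is indistinguishable from a working one and the operator gets no signal that the ignore list needs review. Consider checking each configured key against the set of lint names zlint v2 registers at startup and logging any that are unknown. The comparison `res.Status <= lint.Pass` also depends on the ordinal order of the status values, which presumably is unchanged in v2 but is worth confirming and stating in a comment such as `// statuses ordered at or below Pass are not findings`. checkCert's body starts and ends outside the hunk.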
@@ -32,7 +29,6 @@ require ( github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 github.com/weppos/publicsuffix-go v0.10.1-0.20200202094241-a723c5d90134 github.com/zmap/zcrypto v0.0.0-20191112190257-7f2fe6faf8cf - github.com/zmap/zlint v1.1.0 github.com/zmap/zlint/v2 v2.0.0 golang.org/x/crypto v0.0.0-20200124225646-8b5121be2f68 golang.org/x/net v0.0.0-20191112182307-2180aed22343 diff --git a/go.sum b/go.sum index baee0b8d9..7b87b8fc9 100644 --- a/go.sum +++ b/go.sum @@ -28,10 +28,6 @@ github.com/cespare/xxhash/v2 v2.1.0/go.mod h1:dgIUBU3pDso/gPgZ1osOZ0iQf77oPR28Tj github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw= github.com/cloudflare/backoff v0.0.0-20161212185259-647f3cdfc87a h1:8d1CEOF1xldesKds5tRG3tExBsMOgWYownMHNCsev54= github.com/cloudflare/backoff v0.0.0-20161212185259-647f3cdfc87a/go.mod h1:rzgs2ZOiguV6/NpiDgADjRLPNyZlApIWxKpkT+X8SdY= -github.com/cloudflare/cfssl v1.4.0 h1:TdyQbj/bDUMUHf2IkcHU2EHUmzCmRLuJ3fFd8EYMg1E= -github.com/cloudflare/cfssl v1.4.0/go.mod h1:KManx/OJPb5QY+y0+o/898AMcM128sF0bURvoVUSjTo= -github.com/cloudflare/cfssl v1.4.1 h1:vScfU2DrIUI9VPHBVeeAQ0q5A+9yshO1Gz+3QoUQiKw= -github.com/cloudflare/cfssl v1.4.1/go.mod h1:KManx/OJPb5QY+y0+o/898AMcM128sF0bURvoVUSjTo= github.com/cloudflare/cfssl v1.4.2-0.20200324225241-abef926615f4 h1:gpoY5xZd+Qeb1aXvwFlPELPg6SJiPjV5kuH6e2dcoxw= github.com/cloudflare/cfssl v1.4.2-0.20200324225241-abef926615f4/go.mod h1:jbHlfTdWTKrKYWLgXBVDoL6rdr8deJ3CnGruukZnPC8= github.com/cloudflare/go-metrics v0.0.0-20151117154305-6a9aea36fb41 h1:/8sZyuGTAU2+fYv0Sz9lBcipqX0b7i4eUl8pSStk/4g= 
@@ -46,7 +42,6 @@ github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/eggsampler/acme/v3 v3.0.0 h1:Fl1fWD94NcdC7Ensb6Ed/CJZ6S24PpekLo/jZB6Ltg8= github.com/eggsampler/acme/v3 v3.0.0/go.mod h1:gw64Ckma6iKulWks9BtE/g/9z/Vdz9D1lM7x7M1X1Ag= -github.com/envoyproxy/go-control-plane v0.6.9/go.mod h1:SBwIajubJHhxtWwsL9s8ss4safvEdbitLhGGK48rN6g= github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= github.com/fsnotify/fsnotify v1.4.7 h1:IXs+QLmnXW2CcXuY+8Mzv/fWEsPGWxqefPtCP5CnV9I= 
@@ -61,19 +56,13 @@ github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9 github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk= github.com/go-sql-driver/mysql v1.3.0 h1:pgwjLi/dvffoP9aabwkT3AKpXQM93QARkjFhDDqC1UE= github.com/go-sql-driver/mysql v1.3.0/go.mod h1:zAC/RDZ24gD3HViQzih4MyKcchzm+sOG5ZlKdlhCg5w= -github.com/go-sql-driver/mysql v1.4.1-0.20191114115753-b4242bab7dc5 h1:TPdJVmaDpKVlxYKc2CTaU6iY51jeQqbRooWdI1ATYG4= -github.com/go-sql-driver/mysql v1.4.1-0.20191114115753-b4242bab7dc5/go.mod h1:XIaZU7xtUgusUqDPXOOPcmC5Dyyw3F1pbh54fHzaehk= github.com/go-sql-driver/mysql v1.4.1 h1:g24URVg0OFbNUTx9qqY1IRZ9D9z3iPyi5zKhQZpNwpA= github.com/go-sql-driver/mysql v1.4.1/go.mod h1:zAC/RDZ24gD3HViQzih4MyKcchzm+sOG5ZlKdlhCg5w= github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY= -github.com/gogo/googleapis v1.1.0/go.mod h1:gf4bu3Q80BeJ6H1S1vYPm8/ELATdvryBaNFGgqEef3s= github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ= -github.com/gogo/protobuf v1.2.0/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ= github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b h1:VKtxabqXZkF25pY9ekfRL6a582T4P37/31XEstQ5p58= github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= -github.com/golang/mock v1.2.0 h1:28o5sBqPkBsMGnC6b4MvE2TzSr5/AT4c/1fLqVGIwlk= -github.com/golang/mock v1.2.0/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= github.com/golang/mock v1.3.1 h1:qGJ6qTW+x6xX/my+8YUVl4WNpX9B7+/l2tRsHGZ7f2s= github.com/golang/mock v1.3.1/go.mod h1:sBzyDLLjw3U8JLTeZvSv8jJB+tU5PVekmnlKIyFUx0Y= github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= 
@@ -91,8 +80,6 @@ github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5a github.com/google/go-cmp v0.3.0 h1:crn/baboCvb5fXaQ0IJ1SGTsTVrWpDsCWC8EGETZijY= github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= -github.com/grpc-ecosystem/go-grpc-prometheus v0.0.0-20170826090648-0dafe0d496ea h1:Bzd/0fcg24qAEJyr7pTtDOn806SRBtzyloCuLTEvSOo= -github.com/grpc-ecosystem/go-grpc-prometheus v0.0.0-20170826090648-0dafe0d496ea/go.mod h1:8NvIoxWQoOIhqOTXgfV/d3M/q6VIi02HzZEHgUlZvzk= github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0 h1:Ovs26xHkKqVztRpIrF/92BcuyuQ/YW4NSIpoGtfXNho= github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0/go.mod h1:8NvIoxWQoOIhqOTXgfV/d3M/q6VIi02HzZEHgUlZvzk= github.com/hpcloud/tail v1.0.0 h1:nfCOvKYfkgYP8hkirhJocXT2+zOD8yUNjXaWfTlyFKI= 
@@ -123,12 +110,8 @@ github.com/letsencrypt/challtestsrv v1.0.2 h1:nBAQjKvVMLhpj4cg2Px6jMyvMbQNdJrCEd github.com/letsencrypt/challtestsrv v1.0.2/go.mod h1:/gzSMb+5FjprRIa1TtW6ngjhUOr8JbEFM2XESzK2zPg= github.com/letsencrypt/pkcs11key/v4 v4.0.0 h1:qLc/OznH7xMr5ARJgkZCCWk+EomQkiNTOoOF5LAgagc= github.com/letsencrypt/pkcs11key/v4 v4.0.0/go.mod h1:EFUvBDay26dErnNb70Nd0/VW3tJiIbETBPTl9ATXQag= -github.com/lib/pq v0.0.0-20180201184707-88edab080323/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo= -github.com/lib/pq v1.1.0 h1:/5u4a+KGJptBRqGzPvYQL9p0d/tPR4S31+Tnzj9lEO4= -github.com/lib/pq v1.1.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo= github.com/lib/pq v1.3.0 h1:/qkRGz8zljWiDcFvgpwUpwIAPu3r07TDvs3Rws+o/pU= github.com/lib/pq v1.3.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo= -github.com/lyft/protoc-gen-validate v0.0.13/go.mod h1:XbGvPuh87YZc5TdIa2/I4pLk0QoUACkjt2znoq26NVQ= github.com/mattn/go-sqlite3 v1.10.0 h1:jbhqpg7tQe4SupckyijYiy0mJJ/pRyHvXf7JdWK860o= github.com/mattn/go-sqlite3 v1.10.0/go.mod h1:FPy6KqzDD04eiIsT53CuJW3U88zkxoIYsOqkbpncsNc= github.com/matttproud/golang_protobuf_extensions v1.0.1 h1:4hp9jkHxhMHkqkrB3Ix0jegS5sx/RkqARlsWZ6pIwiU= 
@@ -196,26 +179,14 @@ github.com/valyala/fasttemplate v1.0.1 h1:tY9CJiPnMXf1ERmG2EyK7gNUd+c6RKGD0IfU8W github.com/valyala/fasttemplate v1.0.1/go.mod h1:UQGH1tvbgY+Nz5t2n7tXsz52dQxojPUpymEIMZ47gx8= github.com/weppos/publicsuffix-go v0.4.0/go.mod h1:z3LCPQ38eedDQSwmsSRW4Y7t2L8Ln16JPQ02lHAdn5k= github.com/weppos/publicsuffix-go v0.5.0/go.mod h1:z3LCPQ38eedDQSwmsSRW4Y7t2L8Ln16JPQ02lHAdn5k= -github.com/weppos/publicsuffix-go v0.10.1-0.20191119120252-3dd5f42d2d87 h1:atBJZP3ARnSmu6xeR2b0ksATs8da4d6er1f6VnrucoY= -github.com/weppos/publicsuffix-go v0.10.1-0.20191119120252-3dd5f42d2d87/go.mod h1:z3LCPQ38eedDQSwmsSRW4Y7t2L8Ln16JPQ02lHAdn5k= -github.com/weppos/publicsuffix-go v0.10.1-0.20191207085315-342bab737784 h1:lZIkUyvJURGx8O0gx4TmYsHyj/oRKpzA7Okuzy0NSIU= -github.com/weppos/publicsuffix-go v0.10.1-0.20191207085315-342bab737784/go.mod h1:z3LCPQ38eedDQSwmsSRW4Y7t2L8Ln16JPQ02lHAdn5k= github.com/weppos/publicsuffix-go v0.10.1-0.20200202094241-a723c5d90134 h1:PIGnoA+Z23Mup4SOVq24dJPGqt7bce45/ZLrMZdViKc= github.com/weppos/publicsuffix-go v0.10.1-0.20200202094241-a723c5d90134/go.mod h1:z3LCPQ38eedDQSwmsSRW4Y7t2L8Ln16JPQ02lHAdn5k= github.com/ziutek/mymysql v1.5.4 h1:GB0qdRGsTwQSBVYuVShFBKaXSnSnYYC2d9knnE1LHFs= github.com/ziutek/mymysql v1.5.4/go.mod h1:LMSpPZ6DbqWFxNCHW77HeMg9I646SAhApZ/wKdgO/C0= github.com/zmap/rc2 v0.0.0-20131011165748-24b9757f5521/go.mod h1:3YZ9o3WnatTIZhuOtot4IcUfzoKVjUHqu6WALIyI0nE= github.com/zmap/zcertificate v0.0.0-20180516150559-0e3d58b1bac4/go.mod h1:5iU54tB79AMBcySS0R2XIyZBAVmeHranShAFELYx7is= -github.com/zmap/zcrypto v0.0.0-20190729165852-9051775e6a2e h1:mvOa4+/DXStR4ZXOks/UsjeFdn5O5JpLUtzqk9U8xXw= -github.com/zmap/zcrypto v0.0.0-20190729165852-9051775e6a2e/go.mod h1:w7kd3qXHh8FNaczNjslXqvFQiv5mMWRXlL9klTUAHc8= github.com/zmap/zcrypto v0.0.0-20191112190257-7f2fe6faf8cf h1:Q9MiSA+G9DHe/TzG8pnycDn3HwpQuTygphu9M/7KYqU= github.com/zmap/zcrypto v0.0.0-20191112190257-7f2fe6faf8cf/go.mod h1:w7kd3qXHh8FNaczNjslXqvFQiv5mMWRXlL9klTUAHc8= -github.com/zmap/zlint 
v0.0.0-20190806154020-fd021b4cfbeb/go.mod h1:29UiAJNsiVdvTBFCJW8e3q6dcDbOoPkhMgttOSCIMMY= -github.com/zmap/zlint v1.0.3-0.20191115164049-eea5fe83935a h1:QaoQc5dqoKaxmebnB1fCIrBxHCdrIinK8SAsWC/v720= -github.com/zmap/zlint v1.0.3-0.20191115164049-eea5fe83935a/go.mod h1:29UiAJNsiVdvTBFCJW8e3q6dcDbOoPkhMgttOSCIMMY= -github.com/zmap/zlint v1.1.0 h1:Vyh2GmprXw5TLmKmkTa2BgFvvYAFBValBFesqkKsszM= -github.com/zmap/zlint v1.1.0/go.mod h1:3MvSF/QhEftzpxKhh3jkBIOvugsSDYMCofl+UaIv0ww= -github.com/zmap/zlint v2.0.0+incompatible h1:Yz3KtcdJLHzjGTd+Em6ss9jUPbAitN5xkVLAstULF3I= github.com/zmap/zlint/v2 v2.0.0 h1:Ve+1yR76LZhTXsxonKA35d5S8dIIW1pmIlr4ahrskhs= github.com/zmap/zlint/v2 v2.0.0/go.mod h1:0jpqZ7cVjm8ABh/PTOp74MK50bPiN+HW+NjjESDxLVA= golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= @@ -223,8 +194,6 @@ golang.org/x/crypto v0.0.0-20181203042331-505ab145d0a9/go.mod h1:6SG95UA2DQfeDnf golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20190701094942-4def268fd1a4 h1:HuIa8hRrWRSrqYzx1qI49NNxhdi2PrY7gxVSq1JjLDc= golang.org/x/crypto v0.0.0-20190701094942-4def268fd1a4/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= -golang.org/x/crypto v0.0.0-20191112222119-e1110fd1c708 h1:pXVtWnwHkrWD9ru3sDxY/qFK/bfc0egRovX91EjWjf4= -golang.org/x/crypto v0.0.0-20191112222119-e1110fd1c708/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20200124225646-8b5121be2f68 h1:WPLCzSEbawp58wezcvLvLnvhiDJAai54ESbc41NdXS0= golang.org/x/crypto v0.0.0-20200124225646-8b5121be2f68/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= 
@@ -250,8 +219,7 @@ golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAG golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6 h1:bjcUS9ztw9kFmmIxJInhon/0Is3p+EHBKNgquIzo1OI= -golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20190423024810-112230192c58 h1:8gQV6CLnAEikrhgkHFbMAEhagSSnXWGV915qUMm9mrU= golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= 
@@ -279,13 +247,9 @@ google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9Ywl google.golang.org/appengine v1.4.0 h1:/wp5JvzpHIxhs/dumFmF7BXTf3Z+dd4uXta4kVyO508= google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= -google.golang.org/genproto v0.0.0-20190415143225-d1146b9035b9 h1:SymueV2ZwWqdojv3IQn27haYaNer4MttGly0aZCMpoc= -google.golang.org/genproto v0.0.0-20190415143225-d1146b9035b9/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55 h1:gSJIx1SDwno+2ElGhA4+qG2zF97qiUzTM+rQ0klBOcE= google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= -google.golang.org/grpc v1.20.0 h1:DlsSIrgEBuZAUFJcta2B5i/lzeHHbnfkNFAfFXLVFYQ= -google.golang.org/grpc v1.20.0/go.mod h1:chYK+tFQF0nDUGJgXMSgLCQk3phJEuONr2DCgLDdAQM= google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= google.golang.org/grpc v1.25.1 h1:wdKvqQk7IttEw92GoRyKG2IDrUIpgpj6H6m81yfeMW0= google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY= 
@@ -298,8 +262,6 @@ gopkg.in/fsnotify.v1 v1.4.7 h1:xOHLXZwVvI9hhs+cLKq5+I5onOuwQLhQwiu63xxlHs4= gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys= gopkg.in/go-gorp/gorp.v2 v2.0.1-0.20180410155428-6032c66e0f5f h1:OuFU7cfzlNAFNOXX0F3uy5jrC8YHSR0UeNponDkdZO8= gopkg.in/go-gorp/gorp.v2 v2.0.1-0.20180410155428-6032c66e0f5f/go.mod h1:eJwu1bWCXesk9aw26U78PFtctx3Y8haXGmL7x3VJlrw= -gopkg.in/square/go-jose.v2 v2.4.0 h1:0kXPskUMGAXXWJlP05ktEMOV0vmzFQUWw6d+aZJQU8A= -gopkg.in/square/go-jose.v2 v2.4.0/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI= gopkg.in/square/go-jose.v2 v2.4.1 h1:H0TmLt7/KmzlrDOpa1F+zr0Tk90PbJYBfsVUmRLrf9Y= gopkg.in/square/go-jose.v2 v2.4.1/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI= gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 h1:uRGJdciOHaEIrze2W8Q3AKkepLTh2hOroT7a+7czfdQ= diff --git a/vendor/github.com/zmap/zlint/.gitignore b/vendor/github.com/zmap/zlint/.gitignore deleted file mode 100644 index ab5bea648..000000000 --- a/vendor/github.com/zmap/zlint/.gitignore +++ /dev/null 
@@ -1,123 +0,0 @@ -# Created by https://www.gitignore.io/api/osx,intellij,go - -### OSX ### -*.DS_Store -.AppleDouble -.LSOverride - -# Icon must end with two \r -Icon -# Thumbnails -._* -# Files that might appear in the root of a volume -.DocumentRevisions-V100 -.fseventsd -.Spotlight-V100 -.TemporaryItems -.Trashes -.VolumeIcon.icns -.com.apple.timemachine.donotpresent -# Directories potentially created on remote AFP share -.AppleDB -.AppleDesktop -Network Trash Folder -Temporary Items -.apdisk - -### Vim ### -*.swp - -### Intellij ### -# Covers JetBrains IDEs: IntelliJ, RubyMine, PhpStorm, AppCode, PyCharm, CLion, Android Studio and Webstorm -# Reference: https://intellij-support.jetbrains.com/hc/en-us/articles/206544839 - -# User-specific stuff: -.idea/workspace.xml -.idea/tasks.xml - -# Sensitive or high-churn files: -.idea/dataSources/ -.idea/dataSources.ids -.idea/dataSources.xml -.idea/dataSources.local.xml -.idea/sqlDataSources.xml -.idea/dynamic.xml -.idea/uiDesigner.xml - -# Gradle: -.idea/gradle.xml -.idea/libraries - -# Mongo Explorer plugin: -.idea/mongoSettings.xml - -## File-based project format: -*.iws - -## Plugin-specific files: - -# IntelliJ -/out/ - -# mpeltonen/sbt-idea plugin -.idea_modules/ - -# JIRA plugin -atlassian-ide-plugin.xml - -# Crashlytics plugin (for Android Studio and IntelliJ) -com_crashlytics_export_strings.xml -crashlytics.properties -crashlytics-build.properties -fabric.properties - -### Intellij Patch ### -# Comment Reason: https://github.com/joeblau/gitignore.io/issues/186#issuecomment-215987721 - -*.iml -.idea -# modules.xml -# .idea/misc.xml -# *.ipr - - -### Go ### -# Compiled Object files, Static and Dynamic libs (Shared Objects) -*.o -*.a -*.so - -# Folders -_obj -_test - -# Architecture specific extensions/prefixes -*.[568vq] -[568vq].out - -*.cgo1.go -*.cgo2.c -_cgo_defun.c -_cgo_gotypes.go -_cgo_export.* - -_testmain.go - -*.exe -*.test -*.prof - -# Output of the go coverage tool, specifically when used with LiteIDE 
-*.out - -# external packages folder -0 - -### Build Targets ### -/zlint -cmd/zlint/zlint -/zlint-gtld-update -cmd/zlint-gtld-update/zlint-gtld-update - -### Integration test data ### -data diff --git a/vendor/github.com/zmap/zlint/.travis.yml b/vendor/github.com/zmap/zlint/.travis.yml deleted file mode 100644 index d908535b3..000000000 --- a/vendor/github.com/zmap/zlint/.travis.yml +++ /dev/null @@ -1,24 +0,0 @@ -language: go - -dist: trusty - -go: - - "1.13.x" - -script: - # Fast-fail on non-zero exit codes - - set -e - # Build commands - - make - # Verify that all files have been gofmt'd with simplification - - make format-check - # Run unit tests - - make test - # Run integration tests - - make integration PARALLELISM=3 - -notifications: - email: - - dkumar11@illinois.edu - slack: - secure: 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 diff --git a/vendor/github.com/zmap/zlint/LICENSE b/vendor/github.com/zmap/zlint/LICENSE deleted file mode 100644 index 7d5abcdd7..000000000 --- a/vendor/github.com/zmap/zlint/LICENSE +++ /dev/null 
@@ -1,202 +0,0 @@ - - Apache License - Version 2.0, January 2004 - http://www.apache.org/licenses/ - - TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION - - 1. Definitions. - - "License" shall mean the terms and conditions for use, reproduction, - and distribution as defined by Sections 1 through 9 of this document. - - "Licensor" shall mean the copyright owner or entity authorized by - the copyright owner that is granting the License. - - "Legal Entity" shall mean the union of the acting entity and all - other entities that control, are controlled by, or are under common - control with that entity. For the purposes of this definition, - "control" means (i) the power, direct or indirect, to cause the - direction or management of such entity, whether by contract or - otherwise, or (ii) ownership of fifty percent (50%) or more of the - outstanding shares, or (iii) beneficial ownership of such entity. - - "You" (or "Your") shall mean an individual or Legal Entity - exercising permissions granted by this License. - - "Source" form shall mean the preferred form for making modifications, - including but not limited to software source code, documentation - source, and configuration files. - - "Object" form shall mean any form resulting from mechanical - transformation or translation of a Source form, including but - not limited to compiled object code, generated documentation, - and conversions to other media types. - - "Work" shall mean the work of authorship, whether in Source or - Object form, made available under the License, as indicated by a - copyright notice that is included in or attached to the work - (an example is provided in the Appendix below). - - "Derivative Works" shall mean any work, whether in Source or Object - form, that is based on (or derived from) the Work and for which the - editorial revisions, annotations, elaborations, or other modifications - represent, as a whole, an original work of authorship. 
For the purposes - of this License, Derivative Works shall not include works that remain - separable from, or merely link (or bind by name) to the interfaces of, - the Work and Derivative Works thereof. - - "Contribution" shall mean any work of authorship, including - the original version of the Work and any modifications or additions - to that Work or Derivative Works thereof, that is intentionally - submitted to Licensor for inclusion in the Work by the copyright owner - or by an individual or Legal Entity authorized to submit on behalf of - the copyright owner. For the purposes of this definition, "submitted" - means any form of electronic, verbal, or written communication sent - to the Licensor or its representatives, including but not limited to - communication on electronic mailing lists, source code control systems, - and issue tracking systems that are managed by, or on behalf of, the - Licensor for the purpose of discussing and improving the Work, but - excluding communication that is conspicuously marked or otherwise - designated in writing by the copyright owner as "Not a Contribution." - - "Contributor" shall mean Licensor and any individual or Legal Entity - on behalf of whom a Contribution has been received by Licensor and - subsequently incorporated within the Work. - - 2. Grant of Copyright License. Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - copyright license to reproduce, prepare Derivative Works of, - publicly display, publicly perform, sublicense, and distribute the - Work and such Derivative Works in Source or Object form. - - 3. Grant of Patent License. 
Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - (except as stated in this section) patent license to make, have made, - use, offer to sell, sell, import, and otherwise transfer the Work, - where such license applies only to those patent claims licensable - by such Contributor that are necessarily infringed by their - Contribution(s) alone or by combination of their Contribution(s) - with the Work to which such Contribution(s) was submitted. If You - institute patent litigation against any entity (including a - cross-claim or counterclaim in a lawsuit) alleging that the Work - or a Contribution incorporated within the Work constitutes direct - or contributory patent infringement, then any patent licenses - granted to You under this License for that Work shall terminate - as of the date such litigation is filed. - - 4. Redistribution. You may reproduce and distribute copies of the - Work or Derivative Works thereof in any medium, with or without - modifications, and in Source or Object form, provided that You - meet the following conditions: - - (a) You must give any other recipients of the Work or - Derivative Works a copy of this License; and - - (b) You must cause any modified files to carry prominent notices - stating that You changed the files; and - - (c) You must retain, in the Source form of any Derivative Works - that You distribute, all copyright, patent, trademark, and - attribution notices from the Source form of the Work, - excluding those notices that do not pertain to any part of - the Derivative Works; and - - (d) If the Work includes a "NOTICE" text file as part of its - distribution, then any Derivative Works that You distribute must - include a readable copy of the attribution notices contained - within such NOTICE file, excluding those notices that do not - pertain to any part of the Derivative Works, in at least one - of 
the following places: within a NOTICE text file distributed - as part of the Derivative Works; within the Source form or - documentation, if provided along with the Derivative Works; or, - within a display generated by the Derivative Works, if and - wherever such third-party notices normally appear. The contents - of the NOTICE file are for informational purposes only and - do not modify the License. You may add Your own attribution - notices within Derivative Works that You distribute, alongside - or as an addendum to the NOTICE text from the Work, provided - that such additional attribution notices cannot be construed - as modifying the License. - - You may add Your own copyright statement to Your modifications and - may provide additional or different license terms and conditions - for use, reproduction, or distribution of Your modifications, or - for any such Derivative Works as a whole, provided Your use, - reproduction, and distribution of the Work otherwise complies with - the conditions stated in this License. - - 5. Submission of Contributions. Unless You explicitly state otherwise, - any Contribution intentionally submitted for inclusion in the Work - by You to the Licensor shall be under the terms and conditions of - this License, without any additional terms or conditions. - Notwithstanding the above, nothing herein shall supersede or modify - the terms of any separate license agreement you may have executed - with Licensor regarding such Contributions. - - 6. Trademarks. This License does not grant permission to use the trade - names, trademarks, service marks, or product names of the Licensor, - except as required for reasonable and customary use in describing the - origin of the Work and reproducing the content of the NOTICE file. - - 7. Disclaimer of Warranty. 
Unless required by applicable law or - agreed to in writing, Licensor provides the Work (and each - Contributor provides its Contributions) on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or - implied, including, without limitation, any warranties or conditions - of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A - PARTICULAR PURPOSE. You are solely responsible for determining the - appropriateness of using or redistributing the Work and assume any - risks associated with Your exercise of permissions under this License. - - 8. Limitation of Liability. In no event and under no legal theory, - whether in tort (including negligence), contract, or otherwise, - unless required by applicable law (such as deliberate and grossly - negligent acts) or agreed to in writing, shall any Contributor be - liable to You for damages, including any direct, indirect, special, - incidental, or consequential damages of any character arising as a - result of this License or out of the use or inability to use the - Work (including but not limited to damages for loss of goodwill, - work stoppage, computer failure or malfunction, or any and all - other commercial damages or losses), even if such Contributor - has been advised of the possibility of such damages. - - 9. Accepting Warranty or Additional Liability. While redistributing - the Work or Derivative Works thereof, You may choose to offer, - and charge a fee for, acceptance of support, warranty, indemnity, - or other liability obligations and/or rights consistent with this - License. However, in accepting such obligations, You may act only - on Your own behalf and on Your sole responsibility, not on behalf - of any other Contributor, and only if You agree to indemnify, - defend, and hold each Contributor harmless for any liability - incurred by, or claims asserted against, such Contributor by reason - of your accepting any such warranty or additional liability. 
- - END OF TERMS AND CONDITIONS - - APPENDIX: How to apply the Apache License to your work. - - To apply the Apache License to your work, attach the following - boilerplate notice, with the fields enclosed by brackets "{}" - replaced with your own identifying information. (Don't include - the brackets!) The text should be enclosed in the appropriate - comment syntax for the file format. We also recommend that a - file or class name and description of purpose be included on the - same "printed page" as the copyright notice for easier - identification within third-party archives. - - Copyright 2017 Regents of the University of Michigan - - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. diff --git a/vendor/github.com/zmap/zlint/README.md b/vendor/github.com/zmap/zlint/README.md deleted file mode 100644 index 9bd8381c7..000000000 --- a/vendor/github.com/zmap/zlint/README.md +++ /dev/null 
@@ -1,221 +0,0 @@ -ZLint -===== - -[![Build Status](https://travis-ci.org/zmap/zlint.svg?branch=master)](https://travis-ci.org/zmap/zlint) -[![Go Report Card](https://goreportcard.com/badge/github.com/zmap/zlint)](https://goreportcard.com/report/github.com/zmap/zlint) - -ZLint is a X.509 certificate linter written in Go that checks for consistency -with [RFC 5280](https://www.ietf.org/rfc/rfc5280.txt) and the CA/Browser Forum -Baseline Requirements -([v.1.4.8](https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.4.8.pdf)). - -A detailed list of BR coverage can be found here: -https://docs.google.com/spreadsheets/d/1ywp0op9mkTaggigpdF2YMTubepowJ50KQBhc_b00e-Y. - -Requirements ------------- - -ZLint requires [Go 1.13.x or newer](https://golang.org/doc/install) be -installed. The command line setup instructions assume the `go` command is in -your `$PATH`. - -Versioning ----------- - -ZLint aims to follow [semantic versioning](https://semver.org/). The addition of -new lints will generally result in a MINOR version revision. Since downstream -projects depend on lint results and names for policy decisions changes of this -nature will result in MAJOR version revision. - -Command Line Usage ------------------- - -ZLint can be used on the command-line through a simple bundled executable -_ZLint_ as well as through -[ZCertificate](https://github.com/zmap/zcertificate), a more full-fledged -command-line certificate parser that links against ZLint. - -Example ZLint CLI usage: - - go get github.com/zmap/zlint/cmd/zlint - zlint mycert.pem - - -Library Usage -------------- - -ZLint can also be used as a library: - -```go -import ( - "github.com/zmap/zcrypto/x509" - "github.com/zmap/zlint" -) - -parsed, err := x509.ParseCertificate(raw) -if err != nil { - // The certificate could not be parsed. Either error or halt. 
- log.Fatalf("could not parse certificate: %s", err) -} -zlintResultSet := zlint.LintCertificate(parsed) -``` - - -See https://github.com/zmap/zlint/blob/master/cmd/zlint/main.go for an example. - - -Adding New Lints ----------------- - -**Generating Lint Scaffolding.** The scaffolding for a new lints can be created -by running `./newLint.sh `. Lint names are generally of -the form `e_subject_common_name_not_from_san` where the first letter is one of: -`e`, `w`, or `n` (error, warning, or notice respectively). Struct names -following Go conventions, e.g., `subjectCommonNameNotFromSAN`. Example: -`./newLint.sh e_subject_common_name_not_from_san subjectCommonNameNotFromSAN`. -This will generate a new lint in the `lints` directory with the necessary -fields filled out. - -**Choosing a Lint Result Level.** When choosing what `lints.LintStatus` your new -lint should return (e.g. `Notice`,`Warn`, `Error`, or `Fatal`) the following -general guidance may help. `Error` should be used for clear violations of RFC/BR -`MUST` or `MUST NOT` requirements and include strong citations. `Warn` should be -used for violations of RFC/BR `SHOULD` or `SHOULD NOT` requirements and again -should include strong citations. `Notice` should be used for more general "FYI" -statements that violate non-codified community standards or for cases where -citations are unclear. Lastly `Fatal` should be used when there is an -unresolvable error in `zlint`, `zcrypto` or some other part of the certificate -processing. - -**Scoping a Lint.** Lints are executed in three steps. First, the ZLint -framework determines whether a certificate falls within the scope of a given -lint by calling `CheckApplies`. This is often used to scope lints to only check -subscriber, intermediate CA, or root CAs. This function commonly calls one of a -select number of helper functions: `IsCA`, `IsSubscriber`, `IsExtInCert`, or -`DNSNamesExist`. 
Example: - -```go -func (l *caCRLSignNotSet) CheckApplies(c *x509.Certificate) bool { - return c.IsCA && util.IsExtInCert(c, util.KeyUsageOID) -} -``` - -Next, the framework determines whether the certificate was issued after the -effective date of a Lint by checking whether the certificate was issued prior -to the lint's `EffectiveDate`. You'll also need to fill out the source and -description of what the lint is checking. We encourage you to copy text -directly from the BR or RFC here. Example: - -```go -func init() { - RegisterLint(&Lint{ - Name: "e_ca_country_name_missing", - Description: "Root and Subordinate CA certificates MUST have a countryName present in subject information", - Citation: "BRs: 7.1.2.1", - EffectiveDate: util.CABEffectiveDate, - Test: &caCountryNameMissing{}, - }) -} -``` - -The meat of the lint is contained within the `RunTest` function, which is -passed `x509.Certificate`. **Note:** This is an X.509 object from -[ZCrypto](https://github.com/zmap/zcrypto) not the Go standard library. Lints -should perform their described test and then return a `ResultStruct` that -contains a Result and optionally a `Details` string, e.g., -`ResultStruct{Result: Pass}`. If you encounter a situation in which you -typically would return a Go `error` object, instead return -`ResultStruct{Result: Fatal}`. - -Example: - -```go -func (l *caCRLSignNotSet) RunTest(c *x509.Certificate) *ResultStruct { - if c.KeyUsage&x509.KeyUsageCRLSign != 0 { - return &ResultStruct{Result: Pass} - } - return &ResultStruct{Result: Error} -} -``` - -**Creating Unit Tests.** Every lint should also have two corresponding unit -tests for a success and failure condition. We have typically generated test -certificates using Go (see https://golang.org/pkg/crypto/x509/#CreateCertificate -for details), but OpenSSL could also be used. Test certificates should be placed -in `testlint/testCerts` and called from the test file created by `newLint.sh`. 
-Prepend the PEM with the output of `openssl x509 -text`. - -Example: - -```go -func TestBasicConstNotCritical(t *testing.T) { - // Only need to change these two values and the lint name - inputPath := "../testlint/testCerts/caBasicConstNotCrit.pem" - expected := Error - out, _ := Lints["e_basic_constraints_not_critical"].ExecuteTest(ReadCertificate(inputPath)) - if out.Result != expected { - t.Errorf("%s: expected %s, got %s", inputPath, expected, out.Status) - } -} - -``` - -**Integration Tests.** ZLint's [continuous -integration](https://travis-ci.org/zmap/zlint) includes an integration test -phase where all lints are run against a large corpus of certificates. The number -of notice, warning, error and fatal results for each lint are captured and -compared to a set of expected values in a configuration file. You may need to -update these expected values when you add/change lints. Please see the -[integration tests -README](https://github.com/zmap/zlint/blob/master/integration/README.md) for -more information. - -Updating the TLD Map --------------------- - -ZLint maintains [a map of -top-level-domains](https://github.com/zmap/zlint/blob/master/util/gtld_map.go) -and their validity periods that is referenced by linters. As ICANN adds and -removes TLDs this map need to be updated. To do so, ensure the -`zlint-gtld-update` command is installed and in your `$PATH` and run `go -generate`: - - go get github.com/zmap/zlint/cmd/zlint-gtld-update - go generate github.com/zmap/zlint/... - -Zlint Users/Integrations -------------------------- - -Pre-issuance linting is **strongly recommended** by the [Mozilla root -program](https://wiki.allizom.org/CA/Required_or_Recommended_Practices#Pre-Issuance_Linting). 
-Here are some projects/CAs known to integrate with ZLint in some fashion: - -* [Camerfirma](https://bugzilla.mozilla.org/show_bug.cgi?id=1556806#c5) -* [CFSSL](https://github.com/cloudflare/cfssl/pull/1015) -* [Sectigo and crt.sh](https://groups.google.com/forum/#!msg/mozilla.dev.security.policy/sjXswrcsvrE/Nl3OLd4PAAAJ) -* [Digicert](https://bugzilla.mozilla.org/show_bug.cgi?id=1550645#c9) -* [EJBCA](https://download.primekey.com/docs/EJBCA-Enterprise/6_11_1/adminguide.html#Post%20Processing%20Validators%20(Pre-Certificate%20or%20Certificate%20Validation)) -* [Government of Spain, FNMT](https://bugzilla.mozilla.org/show_bug.cgi?id=1495507#c8) -* [Globalsign](https://cabforum.org/pipermail/public/2018-April/013233.html) -* [GoDaddy](https://bugzilla.mozilla.org/show_bug.cgi?id=1462844#c6) -* [Izenpe](https://bugzilla.mozilla.org/show_bug.cgi?id=1528290#c5) -* [Let's Encrypt](https://letsencrypt.org) and [Boulder](https://github.com/letsencrypt/boulder) -* [Siemens](https://bugzilla.mozilla.org/show_bug.cgi?id=1391063#c32) -* [QuoVadis](https://bugzilla.mozilla.org/show_bug.cgi?id=1521950#c3) - -Please submit a pull request to update the README if you are aware of -another CA/project that uses zlint. - -License and Copyright ---------------------- - -ZMap Copyright 2019 Regents of the University of Michigan - -Licensed under the Apache License, Version 2.0 (the "License"); you may not use -this file except in compliance with the License. You may obtain a copy of the -License at http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software distributed -under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR -CONDITIONS OF ANY KIND, either express or implied. See LICENSE for the specific -language governing permissions and limitations under the License. diff --git a/vendor/github.com/zmap/zlint/go.mod b/vendor/github.com/zmap/zlint/go.mod deleted file mode 100644 index fea51c511..000000000 
--- a/vendor/github.com/zmap/zlint/go.mod
+++ /dev/null
@@ -1,12 +0,0 @@
-module github.com/zmap/zlint
-
-require (
- github.com/sirupsen/logrus v1.3.0
- github.com/weppos/publicsuffix-go v0.4.0
- github.com/zmap/zcrypto v0.0.0-20191112190257-7f2fe6faf8cf
- golang.org/x/crypto v0.0.0-20190701094942-4def268fd1a4
- golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3
- golang.org/x/text v0.3.0
-)
-
-go 1.13
diff --git a/vendor/github.com/zmap/zlint/go.sum b/vendor/github.com/zmap/zlint/go.sum
deleted file mode 100644
index afd780cc9..000000000
--- a/vendor/github.com/zmap/zlint/go.sum
+++ /dev/null
@@ -1,45 +0,0 @@ -github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= -github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= -github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= -github.com/konsorten/go-windows-terminal-sequences v1.0.1 h1:mweAR1A6xJ3oS2pRaGiHgQ4OO8tzTaLawm8vnODuwDk= -github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= -github.com/kr/pretty v0.1.0 h1:L/CwN0zerZDmRFUapSPitk6f+Q3+0za1rQkzVuMiMFI= -github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= -github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= -github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE= -github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= -github.com/mreiferson/go-httpclient v0.0.0-20160630210159-31f0106b4474/go.mod h1:OQA4XLvDbMgS8P0CevmM4m9Q3Jq4phKUzcocxuGJ5m8= -github.com/op/go-logging v0.0.0-20160315200505-970db520ece7/go.mod h1:HzydrMdWErDVzsI23lYNej1Htcns9BCg93Dk0bBINWk= -github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= -github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= -github.com/sirupsen/logrus v1.3.0 h1:hI/7Q+DtNZ2kINb6qt/lS+IyXnHQe9e90POfeewL/ME= -github.com/sirupsen/logrus v1.3.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo= -github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= -github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= -github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= -github.com/stretchr/testify v1.3.0 h1:TivCn/peBQ7UY8ooIcPgZFpTNSz0Q2U6UrFlUfqbe0Q= -github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= -github.com/weppos/publicsuffix-go v0.4.0 
h1:YSnfg3V65LcCFKtIGKGoBhkyKolEd0hlipcXaOjdnQw= -github.com/weppos/publicsuffix-go v0.4.0/go.mod h1:z3LCPQ38eedDQSwmsSRW4Y7t2L8Ln16JPQ02lHAdn5k= -github.com/zmap/rc2 v0.0.0-20131011165748-24b9757f5521/go.mod h1:3YZ9o3WnatTIZhuOtot4IcUfzoKVjUHqu6WALIyI0nE= -github.com/zmap/zcertificate v0.0.0-20180516150559-0e3d58b1bac4/go.mod h1:5iU54tB79AMBcySS0R2XIyZBAVmeHranShAFELYx7is= -github.com/zmap/zcrypto v0.0.0-20190729165852-9051775e6a2e h1:mvOa4+/DXStR4ZXOks/UsjeFdn5O5JpLUtzqk9U8xXw= -github.com/zmap/zcrypto v0.0.0-20190729165852-9051775e6a2e/go.mod h1:w7kd3qXHh8FNaczNjslXqvFQiv5mMWRXlL9klTUAHc8= -github.com/zmap/zcrypto v0.0.0-20191112190257-7f2fe6faf8cf h1:Q9MiSA+G9DHe/TzG8pnycDn3HwpQuTygphu9M/7KYqU= -github.com/zmap/zcrypto v0.0.0-20191112190257-7f2fe6faf8cf/go.mod h1:w7kd3qXHh8FNaczNjslXqvFQiv5mMWRXlL9klTUAHc8= -golang.org/x/crypto v0.0.0-20180904163835-0709b304e793 h1:u+LnwYTOOW7Ukr/fppxEb1Nwz0AtPflrblfvUudpo+I= -golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= -golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= -golang.org/x/crypto v0.0.0-20190701094942-4def268fd1a4 h1:HuIa8hRrWRSrqYzx1qI49NNxhdi2PrY7gxVSq1JjLDc= -golang.org/x/crypto v0.0.0-20190701094942-4def268fd1a4/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= -golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3 h1:0GoQqolDA55aaLxZyTzK/Y2ePZzZTUrRacwib7cNsYQ= -golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= -golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33 h1:I6FyU15t786LL7oL/hn43zqTuEGr4PN7F4XJ1p4E3Y8= -golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= -golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= -golang.org/x/sys v0.0.0-20190412213103-97732733099d h1:+R4KGOnez64A81RvjARKc4UT5/tI9ujCIVX+P5KiHuI= 
-golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/text v0.3.0 h1:g61tztE5qeGQ89tm6NTjjM9VPIm088od1l6aSorWRWg= -golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= -gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127 h1:qIbj1fsPNlZgppZ+VLlY7N33q108Sa+fhmuc+sWQYwY= -gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= diff --git a/vendor/github.com/zmap/zlint/lints/base.go b/vendor/github.com/zmap/zlint/lints/base.go deleted file mode 100644 index a7d453c99..000000000 --- a/vendor/github.com/zmap/zlint/lints/base.go +++ /dev/null 
@@ -1,127 +0,0 @@ -package lints - -/* - * ZLint Copyright 2017 Regents of the University of Michigan - * - * Licensed under the Apache License, Version 2.0 (the "License"); you may not - * use this file except in compliance with the License. You may obtain a copy - * of the License at http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or - * implied. See the License for the specific language governing - * permissions and limitations under the License. - */ - -import ( - "time" - - "github.com/zmap/zcrypto/x509" - "github.com/zmap/zlint/util" -) - -var ( - // Lints is a map of all known lints by name. Add a Lint to the map by calling - // RegisterLint. - Lints = make(map[string]*Lint) -) - -// LintInterface is implemented by each Lint. -type LintInterface interface { - // Initialize runs once per-lint. It is called during RegisterLint(). - Initialize() error - - // CheckApplies runs once per certificate. It returns true if the Lint should - // run on the given certificate. If CheckApplies returns false, the Lint - // result is automatically set to NA without calling CheckEffective() or - // Run(). - CheckApplies(c *x509.Certificate) bool - - // Execute() is the body of the lint. It is called for every certificate for - // which CheckApplies() returns true. - Execute(c *x509.Certificate) *LintResult -} - -// An Enum to programmatically represent the source of a lint -type LintSource int - -const ( - UnknownLintSource LintSource = iota - CABFBaselineRequirements - RFC5280 - RFC5480 - RFC5891 - ZLint - AWSLabs - EtsiEsi // ETSI - Electronic Signatures and Infrastructures (ESI) - CABFEVGuidelines - AppleCTPolicy // https://support.apple.com/en-us/HT205280 -) - -// A Lint struct represents a single lint, e.g. -// "e_basic_constraints_not_critical". 
It contains an implementation of LintInterface. -type Lint struct { - - // Name is a lowercase underscore-separated string describing what a given - // Lint checks. If Name beings with "w", the lint MUST NOT return Error, only - // Warn. If Name beings with "e", the Lint MUST NOT return Warn, only Error. - Name string `json:"name,omitempty"` - - // A human-readable description of what the Lint checks. Usually copied - // directly from the CA/B Baseline Requirements or RFC 5280. - Description string `json:"description,omitempty"` - - // The source of the check, e.g. "BRs: 6.1.6" or "RFC 5280: 4.1.2.6". - Citation string `json:"citation,omitempty"` - - // Programmatic source of the check, BRs, RFC5280, or ZLint - Source LintSource `json:"-"` - - // Lints automatically returns NE for all certificates where CheckApplies() is - // true but with NotBefore < EffectiveDate. This check is bypassed if - // EffectiveDate is zero. - EffectiveDate time.Time `json:"-"` - - // The implementation of the lint logic. - Lint LintInterface `json:"-"` -} - -// CheckEffective returns true if c was issued on or after the EffectiveDate. If -// EffectiveDate is zero, CheckEffective always returns true. -func (l *Lint) CheckEffective(c *x509.Certificate) bool { - if l.EffectiveDate.IsZero() || !l.EffectiveDate.After(c.NotBefore) { - return true - } - return false -} - -// Execute runs the lint against a certificate. For lints that are -// sourced from the CA/B Forum Baseline Requirements, we first determine -// if they are within the purview of the BRs. See LintInterface for details -// about the other methods called. 
The ordering is as follows: -// -// CheckApplies() -// CheckEffective() -// Execute() -func (l *Lint) Execute(cert *x509.Certificate) *LintResult { - if l.Source == CABFBaselineRequirements && !util.IsServerAuthCert(cert) { - return &LintResult{Status: NA} - } - if !l.Lint.CheckApplies(cert) { - return &LintResult{Status: NA} - } else if !l.CheckEffective(cert) { - return &LintResult{Status: NE} - } - res := l.Lint.Execute(cert) - return res -} - -// RegisterLint must be called once for each lint to be excuted. Duplicate lint -// names are squashed. Normally, RegisterLint is called during init(). -func RegisterLint(l *Lint) { - if err := l.Lint.Initialize(); err != nil { - panic("could not initialize lint: " + l.Name + ": " + err.Error()) - } - Lints[l.Name] = l -} diff --git a/vendor/github.com/zmap/zlint/lints/lint_basic_constraints_not_critical.go b/vendor/github.com/zmap/zlint/lints/lint_basic_constraints_not_critical.go deleted file mode 100644 index c0114ccd8..000000000 --- a/vendor/github.com/zmap/zlint/lints/lint_basic_constraints_not_critical.go +++ /dev/null 
@@ -1,66 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2017 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-import (
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-/************************************************
-RFC 5280: 4.2.1.9
-Conforming CAs MUST include this extension in all CA certificates that contain
-public keys used to validate digital signatures on certificates and MUST mark
-the extension as critical in such certificates. This extension MAY appear as a
-critical or non- critical extension in CA certificates that contain public keys
-used exclusively for purposes other than validating digital signatures on
-certificates. Such CA certificates include ones that contain public keys used
-exclusively for validating digital signatures on CRLs and ones that contain key
-management public keys used with certificate.
-************************************************/
-
-type basicConstCrit struct{}
-
-func (l *basicConstCrit) Initialize() error {
- return nil
-}
-
-func (l *basicConstCrit) CheckApplies(c *x509.Certificate) bool {
- return c.IsCA && util.IsExtInCert(c, util.BasicConstOID)
-}
-
-func (l *basicConstCrit) Execute(c *x509.Certificate) *LintResult {
- // Add actual lint here
- if e := util.GetExtFromCert(c, util.BasicConstOID); e != nil {
- if e.Critical {
- return &LintResult{Status: Pass}
- } else {
- return &LintResult{Status: Error}
- }
- } else {
- return &LintResult{Status: NA}
- }
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_basic_constraints_not_critical",
- Description: "basicConstraints MUST appear as a critical extension",
- Citation: "RFC 5280: 4.2.1.9",
- Source: RFC5280,
- EffectiveDate: util.RFC2459Date,
- Lint: &basicConstCrit{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_ca_common_name_missing.go b/vendor/github.com/zmap/zlint/lints/lint_ca_common_name_missing.go
deleted file mode 100644
index ed98ffa9c..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_ca_common_name_missing.go
+++ /dev/null
@@ -1,49 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2017 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-import (
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type caCommonNameMissing struct{}
-
-func (l *caCommonNameMissing) Initialize() error {
- return nil
-}
-
-func (l *caCommonNameMissing) CheckApplies(c *x509.Certificate) bool {
- return util.IsCACert(c)
-}
-
-func (l *caCommonNameMissing) Execute(c *x509.Certificate) *LintResult {
- if c.Subject.CommonName == "" {
- return &LintResult{Status: Error}
- } else {
- return &LintResult{Status: Pass}
- }
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_ca_common_name_missing",
- Description: "CA Certificates common name MUST be included.",
- Citation: "BRs: 7.1.4.3.1",
- Source: CABFBaselineRequirements,
- EffectiveDate: util.CABV148Date,
- Lint: &caCommonNameMissing{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_ca_country_name_invalid.go b/vendor/github.com/zmap/zlint/lints/lint_ca_country_name_invalid.go
deleted file mode 100644
index 470e6d279..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_ca_country_name_invalid.go
+++ /dev/null
@@ -1,62 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2017 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-import (
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-/************************************************
-BRs: 7.1.2.1e
-The Certificate Subject MUST contain the following:
-‐ countryName (OID 2.5.4.6).
-This field MUST contain the two‐letter ISO 3166‐1 country code for the country
-in which the CA’s place of business is located.
-************************************************/
-
-type caCountryNameInvalid struct{}
-
-func (l *caCountryNameInvalid) Initialize() error {
- return nil
-}
-
-func (l *caCountryNameInvalid) CheckApplies(c *x509.Certificate) bool {
- return c.IsCA
-}
-
-func (l *caCountryNameInvalid) Execute(c *x509.Certificate) *LintResult {
- if c.Subject.Country != nil {
- for _, j := range c.Subject.Country {
- if !util.IsISOCountryCode(j) {
- return &LintResult{Status: Error}
- }
- }
- return &LintResult{Status: Pass}
- } else {
- return &LintResult{Status: NA}
- }
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_ca_country_name_invalid",
- Description: "Root and Subordinate CA certificates MUST have a two-letter country code specified in ISO 3166-1",
- Citation: "BRs: 7.1.2.1",
- Source: CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
- Lint: &caCountryNameInvalid{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_ca_country_name_missing.go b/vendor/github.com/zmap/zlint/lints/lint_ca_country_name_missing.go
deleted file mode 100644
index 51ec0544f..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_ca_country_name_missing.go
+++ /dev/null
@@ -1,57 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2017 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-import (
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-/************************************************
-BRs: 7.1.2.1e
-The Certificate Subject MUST contain the following:
-‐ countryName (OID 2.5.4.6).
-This field MUST contain the two‐letter ISO 3166‐1 country code for the country
-in which the CA’s place of business is located.
-************************************************/
-
-type caCountryNameMissing struct{}
-
-func (l *caCountryNameMissing) Initialize() error {
- return nil
-}
-
-func (l *caCountryNameMissing) CheckApplies(c *x509.Certificate) bool {
- return c.IsCA
-}
-
-func (l *caCountryNameMissing) Execute(c *x509.Certificate) *LintResult {
- if c.Subject.Country != nil && c.Subject.Country[0] != "" {
- return &LintResult{Status: Pass}
- } else {
- return &LintResult{Status: Error}
- }
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_ca_country_name_missing",
- Description: "Root and Subordinate CA certificates MUST have a countryName present in subject information",
- Citation: "BRs: 7.1.2.1",
- Source: CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
- Lint: &caCountryNameMissing{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_ca_crl_sign_not_set.go b/vendor/github.com/zmap/zlint/lints/lint_ca_crl_sign_not_set.go
deleted file mode 100644
index ab5c075ac..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_ca_crl_sign_not_set.go
+++ /dev/null
@@ -1,56 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2017 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-import (
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-/************************************************
-BRs: 7.1.2.1b
-This extension MUST be present and MUST be marked critical. Bit positions for
-keyCertSign and cRLSign MUST be set. If the Root CA Private Key is used for
-signing OCSP responses, then the digitalSignature bit MUST be set.
-************************************************/
-
-type caCRLSignNotSet struct{}
-
-func (l *caCRLSignNotSet) Initialize() error {
- return nil
-}
-
-func (l *caCRLSignNotSet) CheckApplies(c *x509.Certificate) bool {
- return c.IsCA && util.IsExtInCert(c, util.KeyUsageOID)
-}
-
-func (l *caCRLSignNotSet) Execute(c *x509.Certificate) *LintResult {
- if c.KeyUsage&x509.KeyUsageCRLSign != 0 {
- return &LintResult{Status: Pass}
- } else {
- return &LintResult{Status: Error}
- }
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_ca_crl_sign_not_set",
- Description: "Root and Subordinate CA certificate keyUsage extension's crlSign bit MUST be set",
- Citation: "BRs: 7.1.2.1",
- Source: CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
- Lint: &caCRLSignNotSet{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_ca_digital_signature_not_set.go b/vendor/github.com/zmap/zlint/lints/lint_ca_digital_signature_not_set.go
deleted file mode 100644
index b715d01b8..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_ca_digital_signature_not_set.go
+++ /dev/null
@@ -1,55 +0,0 @@ -package lints - -/* - * ZLint Copyright 2018 Regents of the University of Michigan - * - * Licensed under the Apache License, Version 2.0 (the "License"); you may not - * use this file except in compliance with the License. You may obtain a copy - * of the License at http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or - * implied. See the License for the specific language governing - * permissions and limitations under the License. - */ - -/************************************************ -BRs: 7.1.2.1b -This extension MUST be present and MUST be marked critical. Bit positions for keyCertSign and cRLSign MUST be set. -If the Root CA Private Key is used for signing OCSP responses, then the digitalSignature bit MUST be set. -************************************************/ - -import ( - "github.com/zmap/zcrypto/x509" - "github.com/zmap/zlint/util" -) - -type caDigSignNotSet struct{} - -func (l *caDigSignNotSet) Initialize() error { - return nil -} - -func (l *caDigSignNotSet) CheckApplies(c *x509.Certificate) bool { - return c.IsCA && util.IsExtInCert(c, util.KeyUsageOID) -} - -func (l *caDigSignNotSet) Execute(c *x509.Certificate) *LintResult { - if c.KeyUsage&x509.KeyUsageDigitalSignature != 0 { - return &LintResult{Status: Pass} - } else { - return &LintResult{Status: Notice} - } -} - -func init() { - RegisterLint(&Lint{ - Name: "n_ca_digital_signature_not_set", - Description: "Root and Subordinate CA Certificates that wish to use their private key for signing OCSP responses will not be able to without their digital signature set", - Citation: "BRs: 7.1.2.1", - Source: CABFBaselineRequirements, - EffectiveDate: util.CABEffectiveDate, - Lint: &caDigSignNotSet{}, - }) -} 
diff --git a/vendor/github.com/zmap/zlint/lints/lint_ca_is_ca.go b/vendor/github.com/zmap/zlint/lints/lint_ca_is_ca.go
deleted file mode 100644
index 776ded76b..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_ca_is_ca.go
+++ /dev/null
@@ -1,62 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-import (
- "encoding/asn1"
-
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type caIsCA struct{}
-
-type basicConstraints struct {
- IsCA bool `asn1:"optional"`
- MaxPathLen int `asn1:"optional,default:-1"`
-}
-
-func (l *caIsCA) Initialize() error {
- return nil
-}
-
-func (l *caIsCA) CheckApplies(c *x509.Certificate) bool {
- return util.IsExtInCert(c, util.KeyUsageOID) && c.KeyUsage&x509.KeyUsageCertSign != 0 && util.IsExtInCert(c, util.BasicConstOID)
-}
-
-func (l *caIsCA) Execute(c *x509.Certificate) *LintResult {
- e := util.GetExtFromCert(c, util.BasicConstOID)
- var constraints basicConstraints
- _, err := asn1.Unmarshal(e.Value, &constraints)
- if err != nil {
- return &LintResult{Status: Fatal}
- }
- if constraints.IsCA == true {
- return &LintResult{Status: Pass}
- } else {
- return &LintResult{Status: Error}
- }
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_ca_is_ca",
- Description: "Root and Sub CA Certificate: The CA field MUST be set to true.",
- Citation: "BRs: 7.1.2.1, BRs: 7.1.2.2",
- Source: CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
- Lint: &caIsCA{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_ca_key_cert_sign_not_set.go b/vendor/github.com/zmap/zlint/lints/lint_ca_key_cert_sign_not_set.go
deleted file mode 100644
index c327d9bc1..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_ca_key_cert_sign_not_set.go
+++ /dev/null
@@ -1,55 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-/************************************************
-BRs: 7.1.2.1b
-This extension MUST be present and MUST be marked critical. Bit positions for keyCertSign and cRLSign MUST be set.
-If the Root CA Private Key is used for signing OCSP responses, then the digitalSignature bit MUST be set.
-************************************************/
-
-import (
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type caKeyCertSignNotSet struct{}
-
-func (l *caKeyCertSignNotSet) Initialize() error {
- return nil
-}
-
-func (l *caKeyCertSignNotSet) CheckApplies(c *x509.Certificate) bool {
- return c.IsCA && util.IsExtInCert(c, util.KeyUsageOID)
-}
-
-func (l *caKeyCertSignNotSet) Execute(c *x509.Certificate) *LintResult {
- if c.KeyUsage&x509.KeyUsageCertSign != 0 {
- return &LintResult{Status: Pass}
- } else {
- return &LintResult{Status: Error}
- }
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_ca_key_cert_sign_not_set",
- Description: "Root CA Certificate: Bit positions for keyCertSign and cRLSign MUST be set.",
- Citation: "BRs: 7.1.2.1",
- Source: CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
- Lint: &caKeyCertSignNotSet{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_ca_key_usage_missing.go b/vendor/github.com/zmap/zlint/lints/lint_ca_key_usage_missing.go
deleted file mode 100644
index 14cb65629..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_ca_key_usage_missing.go
+++ /dev/null
@@ -1,57 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-/************************************************
-RFC 5280: 4.2.1.3
-Conforming CAs MUST include this extension in certificates that
- contain public keys that are used to validate digital signatures on
- other public key certificates or CRLs. When present, conforming CAs
- SHOULD mark this extension as critical.
-************************************************/
-
-import (
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type caKeyUsageMissing struct{}
-
-func (l *caKeyUsageMissing) Initialize() error {
- return nil
-}
-
-func (l *caKeyUsageMissing) CheckApplies(c *x509.Certificate) bool {
- return c.IsCA
-}
-
-func (l *caKeyUsageMissing) Execute(c *x509.Certificate) *LintResult {
- if c.KeyUsage != x509.KeyUsage(0) {
- return &LintResult{Status: Pass}
- } else {
- return &LintResult{Status: Error}
- }
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_ca_key_usage_missing",
- Description: "Root and Subordinate CA certificate keyUsage extension MUST be present",
- Citation: "BRs: 7.1.2.1, RFC 5280: 4.2.1.3",
- Source: CABFBaselineRequirements,
- EffectiveDate: util.RFC3280Date,
- Lint: &caKeyUsageMissing{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_ca_key_usage_not_critical.go b/vendor/github.com/zmap/zlint/lints/lint_ca_key_usage_not_critical.go
deleted file mode 100644
index e19a29773..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_ca_key_usage_not_critical.go
+++ /dev/null
@@ -1,55 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-/************************************************
-BRs: 7.1.2.1b
-This extension MUST be present and MUST be marked critical. Bit positions for keyCertSign and cRLSign MUST be set.
-If the Root CA Private Key is used for signing OCSP responses, then the digitalSignature bit MUST be set.
-************************************************/
-
-import (
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type caKeyUsageNotCrit struct{}
-
-func (l *caKeyUsageNotCrit) Initialize() error {
- return nil
-}
-
-func (l *caKeyUsageNotCrit) CheckApplies(c *x509.Certificate) bool {
- return c.IsCA && util.IsExtInCert(c, util.KeyUsageOID)
-}
-
-func (l *caKeyUsageNotCrit) Execute(c *x509.Certificate) *LintResult {
- if e := util.GetExtFromCert(c, util.KeyUsageOID); e.Critical {
- return &LintResult{Status: Pass}
- } else {
- return &LintResult{Status: Error}
- }
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_ca_key_usage_not_critical",
- Description: "Root and Subordinate CA certificate keyUsage extension MUST be marked as critical",
- Citation: "BRs: 7.1.2.1",
- Source: CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
- Lint: &caKeyUsageNotCrit{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_ca_organization_name_missing.go b/vendor/github.com/zmap/zlint/lints/lint_ca_organization_name_missing.go
deleted file mode 100644
index 57bcb2783..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_ca_organization_name_missing.go
+++ /dev/null
@@ -1,54 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-/************************************************
-BRs: 7.1.2.1e
-The Certificate Subject MUST contain the following: organizationName (OID 2.5.4.10): This field MUST be present and the contents MUST contain either the Subject CA’s name or DBA as verified under Section 3.2.2.2.
-************************************************/
-
-import (
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type caOrganizationNameMissing struct{}
-
-func (l *caOrganizationNameMissing) Initialize() error {
- return nil
-}
-
-func (l *caOrganizationNameMissing) CheckApplies(c *x509.Certificate) bool {
- return c.IsCA
-}
-
-func (l *caOrganizationNameMissing) Execute(c *x509.Certificate) *LintResult {
- if c.Subject.Organization != nil && c.Subject.Organization[0] != "" {
- return &LintResult{Status: Pass}
- } else {
- return &LintResult{Status: Error}
- }
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_ca_organization_name_missing",
- Description: "Root and Subordinate CA certificates MUST have a organizationName present in subject information",
- Citation: "BRs: 7.1.2.1",
- Source: CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
- Lint: &caOrganizationNameMissing{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_ca_subject_field_empty.go b/vendor/github.com/zmap/zlint/lints/lint_ca_subject_field_empty.go
deleted file mode 100644
index fb1aab3ad..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_ca_subject_field_empty.go
+++ /dev/null
@@ -1,61 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-/************************************************
-RFC 5280: 4.1.2.6
-The subject field identifies the entity associated with the public
- key stored in the subject public key field. The subject name MAY be
- carried in the subject field and/or the subjectAltName extension. If
- the subject is a CA (e.g., the basic constraints extension, as
- discussed in Section 4.2.1.9, is present and the value of cA is
- TRUE), then the subject field MUST be populated with a non-empty
- distinguished name matching the contents of the issuer field (Section
- 4.1.2.4) in all certificates issued by the subject CA.
-************************************************/
-
-import (
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type caSubjectEmpty struct{}
-
-func (l *caSubjectEmpty) Initialize() error {
- return nil
-}
-
-func (l *caSubjectEmpty) CheckApplies(c *x509.Certificate) bool {
- return c.IsCA
-}
-
-func (l *caSubjectEmpty) Execute(c *x509.Certificate) *LintResult {
- if &c.Subject != nil && util.NotAllNameFieldsAreEmpty(&c.Subject) {
- return &LintResult{Status: Pass}
- } else {
- return &LintResult{Status: Error}
- }
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_ca_subject_field_empty",
- Description: "CA Certificates subject field MUST not be empty and MUST have a non-empty distingushed name",
- Citation: "RFC 5280: 4.1.2.6",
- Source: RFC5280,
- EffectiveDate: util.RFC2459Date,
- Lint: &caSubjectEmpty{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_cab_dv_conflicts_with_locality.go b/vendor/github.com/zmap/zlint/lints/lint_cab_dv_conflicts_with_locality.go
deleted file mode 100644
index a16b480e2..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_cab_dv_conflicts_with_locality.go
+++ /dev/null
@@ -1,51 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-// If the Certificate asserts the policy identifier of 2.23.140.1.2.1, then it MUST NOT include
-// organizationName, streetAddress, localityName, stateOrProvinceName, or postalCode in the Subject field.
-
-import (
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type certPolicyConflictsWithLocality struct{}
-
-func (l *certPolicyConflictsWithLocality) Initialize() error {
- return nil
-}
-
-func (l *certPolicyConflictsWithLocality) CheckApplies(cert *x509.Certificate) bool {
- return util.SliceContainsOID(cert.PolicyIdentifiers, util.BRDomainValidatedOID) && !util.IsCACert(cert)
-}
-
-func (l *certPolicyConflictsWithLocality) Execute(cert *x509.Certificate) *LintResult {
- if util.TypeInName(&cert.Subject, util.LocalityNameOID) {
- return &LintResult{Status: Error}
- }
- return &LintResult{Status: Pass}
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_cab_dv_conflicts_with_locality",
- Description: "If certificate policy 2.23.140.1.2.1 (CA/B BR domain validated) is included, locality name MUST NOT be included in subject",
- Citation: "BRs: 7.1.6.1",
- Source: CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
- Lint: &certPolicyConflictsWithLocality{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_cab_dv_conflicts_with_org.go b/vendor/github.com/zmap/zlint/lints/lint_cab_dv_conflicts_with_org.go
deleted file mode 100644
index 80809f1e5..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_cab_dv_conflicts_with_org.go
+++ /dev/null
@@ -1,54 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-// If the Certificate asserts the policy identifier of 2.23.140.1.2.1, then it MUST NOT include
-// organizationName, streetAddress, localityName, stateOrProvinceName, or postalCode in the Subject field.
-
-import (
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type certPolicyConflictsWithOrg struct{}
-
-func (l *certPolicyConflictsWithOrg) Initialize() error {
- return nil
-}
-
-func (l *certPolicyConflictsWithOrg) CheckApplies(cert *x509.Certificate) bool {
- return util.SliceContainsOID(cert.PolicyIdentifiers, util.BRDomainValidatedOID) && !util.IsCACert(cert)
-}
-
-func (l *certPolicyConflictsWithOrg) Execute(cert *x509.Certificate) *LintResult {
- var out LintResult
- if util.TypeInName(&cert.Subject, util.OrganizationNameOID) {
- out.Status = Error
- } else {
- out.Status = Pass
- }
- return &out
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_cab_dv_conflicts_with_org",
- Description: "If certificate policy 2.23.140.1.2.1 (CA/B BR domain validated) is included, organization name MUST NOT be included in subject",
- Citation: "BRs: 7.1.6.1",
- Source: CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
- Lint: &certPolicyConflictsWithOrg{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_cab_dv_conflicts_with_postal.go b/vendor/github.com/zmap/zlint/lints/lint_cab_dv_conflicts_with_postal.go
deleted file mode 100644
index c83c66c77..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_cab_dv_conflicts_with_postal.go
+++ /dev/null
@@ -1,54 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-// If the Certificate asserts the policy identifier of 2.23.140.1.2.1, then it MUST NOT include
-// organizationName, streetAddress, localityName, stateOrProvinceName, or postalCode in the Subject field.
-
-import (
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type certPolicyConflictsWithPostal struct{}
-
-func (l *certPolicyConflictsWithPostal) Initialize() error {
- return nil
-}
-
-func (l *certPolicyConflictsWithPostal) CheckApplies(cert *x509.Certificate) bool {
- return util.SliceContainsOID(cert.PolicyIdentifiers, util.BRDomainValidatedOID) && !util.IsCACert(cert)
-}
-
-func (l *certPolicyConflictsWithPostal) Execute(cert *x509.Certificate) *LintResult {
- var out LintResult
- if util.TypeInName(&cert.Subject, util.PostalCodeOID) {
- out.Status = Error
- } else {
- out.Status = Pass
- }
- return &out
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_cab_dv_conflicts_with_postal",
- Description: "If certificate policy 2.23.140.1.2.1 (CA/B BR domain validated) is included, postalCode MUST NOT be included in subject",
- Citation: "BRs: 7.1.6.1",
- Source: CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
- Lint: &certPolicyConflictsWithPostal{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_cab_dv_conflicts_with_province.go b/vendor/github.com/zmap/zlint/lints/lint_cab_dv_conflicts_with_province.go
deleted file mode 100644
index b046a0eeb..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_cab_dv_conflicts_with_province.go
+++ /dev/null
@@ -1,54 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-// If the Certificate asserts the policy identifier of 2.23.140.1.2.1, then it MUST NOT include
-// organizationName, streetAddress, localityName, stateOrProvinceName, or postalCode in the Subject field.
-
-import (
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type certPolicyConflictsWithProvince struct{}
-
-func (l *certPolicyConflictsWithProvince) Initialize() error {
- return nil
-}
-
-func (l *certPolicyConflictsWithProvince) CheckApplies(cert *x509.Certificate) bool {
- return util.SliceContainsOID(cert.PolicyIdentifiers, util.BRDomainValidatedOID) && !util.IsCACert(cert)
-}
-
-func (l *certPolicyConflictsWithProvince) Execute(cert *x509.Certificate) *LintResult {
- var out LintResult
- if util.TypeInName(&cert.Subject, util.StateOrProvinceNameOID) {
- out.Status = Error
- } else {
- out.Status = Pass
- }
- return &out
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_cab_dv_conflicts_with_province",
- Description: "If certificate policy 2.23.140.1.2.1 (CA/B BR domain validated) is included, stateOrProvinceName MUST NOT be included in subject",
- Citation: "BRs: 7.1.6.1",
- Source: CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
- Lint: &certPolicyConflictsWithProvince{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_cab_dv_conflicts_with_street.go b/vendor/github.com/zmap/zlint/lints/lint_cab_dv_conflicts_with_street.go
deleted file mode 100644
index 588baf126..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_cab_dv_conflicts_with_street.go
+++ /dev/null
@@ -1,54 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-// If the Certificate asserts the policy identifier of 2.23.140.1.2.1, then it MUST NOT include
-// organizationName, streetAddress, localityName, stateOrProvinceName, or postalCode in the Subject field.
-
-import (
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type certPolicyConflictsWithStreet struct{}
-
-func (l *certPolicyConflictsWithStreet) Initialize() error {
- return nil
-}
-
-func (l *certPolicyConflictsWithStreet) CheckApplies(cert *x509.Certificate) bool {
- return util.SliceContainsOID(cert.PolicyIdentifiers, util.BRDomainValidatedOID) && !util.IsCACert(cert)
-}
-
-func (l *certPolicyConflictsWithStreet) Execute(cert *x509.Certificate) *LintResult {
- var out LintResult
- if util.TypeInName(&cert.Subject, util.StreetAddressOID) {
- out.Status = Error
- } else {
- out.Status = Pass
- }
- return &out
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_cab_dv_conflicts_with_street",
- Description: "If certificate policy 2.23.140.1.2.1 (CA/B BR domain validated) is included, streetAddress MUST NOT be included in subject",
- Citation: "BRs: 7.1.6.1",
- Source: CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
- Lint: &certPolicyConflictsWithStreet{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_cab_iv_requires_personal_name.go b/vendor/github.com/zmap/zlint/lints/lint_cab_iv_requires_personal_name.go
deleted file mode 100644
index 41436374e..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_cab_iv_requires_personal_name.go
+++ /dev/null
@@ -1,53 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-/*If the Certificate asserts the policy identifier of 2.23.140.1.2.3, then it MUST also include (i) either organizationName or givenName and surname, (ii) localityName (to the extent such field is required under Section 7.1.4.2.2), (iii) stateOrProvinceName (to the extent required under Section 7.1.4.2.2), and (iv) countryName in the Subject field.*/
-
-import (
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type CertPolicyRequiresPersonalName struct{}
-
-func (l *CertPolicyRequiresPersonalName) Initialize() error {
- return nil
-}
-
-func (l *CertPolicyRequiresPersonalName) CheckApplies(cert *x509.Certificate) bool {
- return util.SliceContainsOID(cert.PolicyIdentifiers, util.BRIndividualValidatedOID) && !util.IsCACert(cert)
-}
-
-func (l *CertPolicyRequiresPersonalName) Execute(cert *x509.Certificate) *LintResult {
- var out LintResult
- if util.TypeInName(&cert.Subject, util.OrganizationNameOID) || (util.TypeInName(&cert.Subject, util.GivenNameOID) && util.TypeInName(&cert.Subject, util.SurnameOID)) {
- out.Status = Pass
- } else {
- out.Status = Error
- }
- return &out
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_cab_iv_requires_personal_name",
- Description: "If certificate policy 2.23.140.1.2.3 is included, either organizationName or givenName and surname MUST be included in 
subject",
- Citation: "BRs: 7.1.6.1",
- Source: CABFBaselineRequirements,
- EffectiveDate: util.CABV131Date,
- Lint: &CertPolicyRequiresPersonalName{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_cab_ov_requires_org.go b/vendor/github.com/zmap/zlint/lints/lint_cab_ov_requires_org.go
deleted file mode 100644
index a8529f59f..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_cab_ov_requires_org.go
+++ /dev/null
@@ -1,53 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-/*If the Certificate asserts the policy identifier of 2.23.140.1.2.2, then it MUST also include organizationName, localityName (to the extent such field is required under Section 7.1.4.2.2), stateOrProvinceName (to the extent such field is required under Section 7.1.4.2.2), and countryName in the Subject field.*/
-
-import (
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type CertPolicyRequiresOrg struct{}
-
-func (l *CertPolicyRequiresOrg) Initialize() error {
- return nil
-}
-
-func (l *CertPolicyRequiresOrg) CheckApplies(cert *x509.Certificate) bool {
- return util.SliceContainsOID(cert.PolicyIdentifiers, util.BROrganizationValidatedOID) && !util.IsCACert(cert)
-}
-
-func (l *CertPolicyRequiresOrg) Execute(cert *x509.Certificate) *LintResult {
- var out LintResult
- if util.TypeInName(&cert.Subject, util.OrganizationNameOID) {
- out.Status = Pass
- } else {
- out.Status = Error
- }
- return &out
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_cab_ov_requires_org",
- Description: "If certificate policy 2.23.140.1.2.2 is included, organizationName MUST be included in subject",
- Citation: "BRs: 7.1.6.1",
- Source: CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
- Lint: &CertPolicyRequiresOrg{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_cert_contains_unique_identifier.go b/vendor/github.com/zmap/zlint/lints/lint_cert_contains_unique_identifier.go deleted file mode 100644 index 9d8beb1ea..000000000 --- a/vendor/github.com/zmap/zlint/lints/lint_cert_contains_unique_identifier.go +++ /dev/null 
@@ -1,61 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-/************************************************
- These fields MUST only appear if the version is 2 or 3 (Section 4.1.2.1).
- These fields MUST NOT appear if the version is 1. The subject and issuer
- unique identifiers are present in the certificate to handle the possibility
- of reuse of subject and/or issuer names over time. This profile RECOMMENDS
- that names not be reused for different entities and that Internet certificates
- not make use of unique identifiers. CAs conforming to this profile MUST NOT
- generate certificates with unique identifiers. Applications conforming to
- this profile SHOULD be capable of parsing certificates that include unique
- identifiers, but there are no processing requirements associated with the
- unique identifiers.
-************************************************/
-
-import (
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type CertContainsUniqueIdentifier struct{}
-
-func (l *CertContainsUniqueIdentifier) Initialize() error {
- return nil
-}
-
-func (l *CertContainsUniqueIdentifier) CheckApplies(cert *x509.Certificate) bool {
- return true
-}
-
-func (l *CertContainsUniqueIdentifier) Execute(cert *x509.Certificate) *LintResult {
- if cert.IssuerUniqueId.Bytes == nil && cert.SubjectUniqueId.Bytes == nil {
- return &LintResult{Status: Pass}
- } //else
- return &LintResult{Status: Error}
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_cert_contains_unique_identifier",
- Description: "CAs MUST NOT generate certificate with unique identifiers",
- Source: RFC5280,
- Citation: "RFC 5280: 4.1.2.8",
- EffectiveDate: util.RFC5280Date,
- Lint: &CertContainsUniqueIdentifier{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_cert_extensions_version_not_3.go b/vendor/github.com/zmap/zlint/lints/lint_cert_extensions_version_not_3.go
deleted file mode 100644
index faefda9b3..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_cert_extensions_version_not_3.go
+++ /dev/null
@@ -1,67 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-/************************************************
-4.1.2.1. Version
- This field describes the version of the encoded certificate. When
- extensions are used, as expected in this profile, version MUST be 3
- (value is 2). If no extensions are present, but a UniqueIdentifier
- is present, the version SHOULD be 2 (value is 1); however, the version
- MAY be 3. If only basic fields are present, the version SHOULD be 1
- (the value is omitted from the certificate as the default value);
- however, the version MAY be 2 or 3.
-
- Implementations SHOULD be prepared to accept any version certificate.
- At a minimum, conforming implementations MUST recognize version 3 certificates.
-4.1.2.9. Extensions
- This field MUST only appear if the version is 3 (Section 4.1.2.1).
- If present, this field is a SEQUENCE of one or more certificate
- extensions. The format and content of certificate extensions in the
- Internet PKI are defined in Section 4.2.
-************************************************/
-
-import (
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type CertExtensionsVersonNot3 struct{}
-
-func (l *CertExtensionsVersonNot3) Initialize() error {
- return nil
-}
-
-func (l *CertExtensionsVersonNot3) CheckApplies(cert *x509.Certificate) bool {
- return true
-}
-
-func (l *CertExtensionsVersonNot3) Execute(cert *x509.Certificate) *LintResult {
- if cert.Version != 3 && len(cert.Extensions) != 0 {
- return &LintResult{Status: Error}
- }
- return &LintResult{Status: Pass}
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_cert_extensions_version_not_3",
- Description: "The extensions field MUST only appear in version 3 certificates",
- Citation: "RFC 5280: 4.1.2.9",
- Source: RFC5280,
- EffectiveDate: util.RFC2459Date,
- Lint: &CertExtensionsVersonNot3{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_cert_policy_iv_requires_country.go b/vendor/github.com/zmap/zlint/lints/lint_cert_policy_iv_requires_country.go
deleted file mode 100644
index 4a48162d3..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_cert_policy_iv_requires_country.go
+++ /dev/null
@@ -1,53 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-/*If the Certificate asserts the policy identifier of 2.23.140.1.2.3, then it MUST also include (i) either organizationName or givenName and surname, (ii) localityName (to the extent such field is required under Section 7.1.4.2.2), (iii) stateOrProvinceName (to the extent required under Section 7.1.4.2.2), and (iv) countryName in the Subject field.*/
-
-import (
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type CertPolicyIVRequiresCountry struct{}
-
-func (l *CertPolicyIVRequiresCountry) Initialize() error {
- return nil
-}
-
-func (l *CertPolicyIVRequiresCountry) CheckApplies(cert *x509.Certificate) bool {
- return util.SliceContainsOID(cert.PolicyIdentifiers, util.BRIndividualValidatedOID)
-}
-
-func (l *CertPolicyIVRequiresCountry) Execute(cert *x509.Certificate) *LintResult {
- var out LintResult
- if util.TypeInName(&cert.Subject, util.CountryNameOID) {
- out.Status = Pass
- } else {
- out.Status = Error
- }
- return &out
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_cert_policy_iv_requires_country",
- Description: "If certificate policy 2.23.140.1.2.3 is included, countryName MUST be included in subject",
- Citation: "BRs: 7.1.6.1",
- Source: CABFBaselineRequirements,
- EffectiveDate: util.CABV131Date,
- Lint: &CertPolicyIVRequiresCountry{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_cert_policy_iv_requires_province_or_locality.go b/vendor/github.com/zmap/zlint/lints/lint_cert_policy_iv_requires_province_or_locality.go
deleted file mode 100644
index 5618c4b91..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_cert_policy_iv_requires_province_or_locality.go
+++ /dev/null
@@ -1,54 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-// 7.1.6.1: If the Certificate asserts the policy identifier of 2.23.140.1.2.3, then it MUST also include (i) either organizationName or givenName and surname, (ii) localityName (to the extent such field is required under Section 7.1.4.2.2), (iii) stateOrProvinceName (to the extent required under Section 7.1.4.2.2), and (iv) countryName in the Subject field.
-// 7.1.4.2.2 applies only to subscriber certificates.
-
-import (
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type CertPolicyIVRequiresProvinceOrLocal struct{}
-
-func (l *CertPolicyIVRequiresProvinceOrLocal) Initialize() error {
- return nil
-}
-
-func (l *CertPolicyIVRequiresProvinceOrLocal) CheckApplies(cert *x509.Certificate) bool {
- return util.IsSubscriberCert(cert) && util.SliceContainsOID(cert.PolicyIdentifiers, util.BRIndividualValidatedOID)
-}
-
-func (l *CertPolicyIVRequiresProvinceOrLocal) Execute(cert *x509.Certificate) *LintResult {
- var out LintResult
- if util.TypeInName(&cert.Subject, util.LocalityNameOID) || util.TypeInName(&cert.Subject, util.StateOrProvinceNameOID) {
- out.Status = Pass
- } else {
- out.Status = Error
- }
- return &out
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_cert_policy_iv_requires_province_or_locality",
- Description: "If certificate policy 2.23.140.1.2.3 is included, localityName or stateOrProvinceName MUST be included in subject",
- Citation: "BRs: 7.1.6.1",
- Source: CABFBaselineRequirements,
- EffectiveDate: util.CABV131Date,
- Lint: &CertPolicyIVRequiresProvinceOrLocal{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_cert_policy_ov_requires_country.go b/vendor/github.com/zmap/zlint/lints/lint_cert_policy_ov_requires_country.go
deleted file mode 100644
index d74f7aa02..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_cert_policy_ov_requires_country.go
+++ /dev/null
@@ -1,53 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-/*If the Certificate asserts the policy identifier of 2.23.140.1.2.2, then it MUST also include organizationName, localityName (to the extent such field is required under Section 7.1.4.2.2), stateOrProvinceName (to the extent such field is required under Section 7.1.4.2.2), and countryName in the Subject field.*/
-
-import (
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type CertPolicyOVRequiresCountry struct{}
-
-func (l *CertPolicyOVRequiresCountry) Initialize() error {
- return nil
-}
-
-func (l *CertPolicyOVRequiresCountry) CheckApplies(cert *x509.Certificate) bool {
- return util.SliceContainsOID(cert.PolicyIdentifiers, util.BROrganizationValidatedOID)
-}
-
-func (l *CertPolicyOVRequiresCountry) Execute(cert *x509.Certificate) *LintResult {
- var out LintResult
- if util.TypeInName(&cert.Subject, util.CountryNameOID) {
- out.Status = Pass
- } else {
- out.Status = Error
- }
- return &out
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_cert_policy_ov_requires_country",
- Description: "If certificate policy 2.23.140.1.2.2 is included, countryName MUST be included in subject",
- Citation: "BRs: 7.1.6.1",
- Source: CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
- Lint: &CertPolicyOVRequiresCountry{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_cert_policy_ov_requires_province_or_locality.go b/vendor/github.com/zmap/zlint/lints/lint_cert_policy_ov_requires_province_or_locality.go
deleted file mode 100644
index 0031a52d1..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_cert_policy_ov_requires_province_or_locality.go
+++ /dev/null
@@ -1,54 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-// 7.1.6.1: If the Certificate asserts the policy identifier of 2.23.140.1.2.2, then it MUST also include organizationName, localityName (to the extent such field is required under Section 7.1.4.2.2), stateOrProvinceName (to the extent such field is required under Section 7.1.4.2.2), and countryName in the Subject field.*/
-// 7.1.4.2.2 applies only to subscriber certificates.
-
-import (
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type CertPolicyOVRequiresProvinceOrLocal struct{}
-
-func (l *CertPolicyOVRequiresProvinceOrLocal) Initialize() error {
- return nil
-}
-
-func (l *CertPolicyOVRequiresProvinceOrLocal) CheckApplies(cert *x509.Certificate) bool {
- return util.IsSubscriberCert(cert) && util.SliceContainsOID(cert.PolicyIdentifiers, util.BROrganizationValidatedOID)
-}
-
-func (l *CertPolicyOVRequiresProvinceOrLocal) Execute(cert *x509.Certificate) *LintResult {
- var out LintResult
- if util.TypeInName(&cert.Subject, util.LocalityNameOID) || util.TypeInName(&cert.Subject, util.StateOrProvinceNameOID) {
- out.Status = Pass
- } else {
- out.Status = Error
- }
- return &out
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_cert_policy_ov_requires_province_or_locality",
- Description: "If certificate policy 2.23.140.1.2.2 is included, localityName or stateOrProvinceName MUST be included in subject",
- Citation: "BRs: 7.1.6.1",
- Source: CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
- Lint: &CertPolicyOVRequiresProvinceOrLocal{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_cert_unique_identifier_version_not_2_or_3.go b/vendor/github.com/zmap/zlint/lints/lint_cert_unique_identifier_version_not_2_or_3.go
deleted file mode 100644
index 98a8218d0..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_cert_unique_identifier_version_not_2_or_3.go
+++ /dev/null
@@ -1,63 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-/**************************************************************************
-RFC 5280: 4.1.2.8
- These fields MUST only appear if the version is 2 or 3 (Section 4.1.2.1).
- These fields MUST NOT appear if the version is 1. The subject and issuer
- unique identifiers are present in the certificate to handle the possibility
- of reuse of subject and/or issuer names over time. This profile RECOMMENDS
- that names not be reused for different entities and that Internet certificates
- not make use of unique identifiers. CAs conforming to this profile MUST NOT
- generate certificates with unique identifiers. Applications conforming to
- this profile SHOULD be capable of parsing certificates that include unique
- identifiers, but there are no processing requirements associated with the
- unique identifiers.
-****************************************************************************/
-
-import (
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type certUniqueIdVersion struct{}
-
-func (l *certUniqueIdVersion) Initialize() error {
- return nil
-}
-
-func (l *certUniqueIdVersion) CheckApplies(c *x509.Certificate) bool {
- return c.IssuerUniqueId.Bytes != nil || c.SubjectUniqueId.Bytes != nil
-}
-
-func (l *certUniqueIdVersion) Execute(c *x509.Certificate) *LintResult {
- if (c.Version) != 2 && (c.Version) != 3 {
- return &LintResult{Status: Error}
- } else {
- return &LintResult{Status: Pass}
- }
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_cert_unique_identifier_version_not_2_or_3",
- Description: "Unique identifiers MUST only appear if the X.509 version is 2 or 3",
- Citation: "RFC 5280: 4.1.2.8",
- Source: RFC5280,
- EffectiveDate: util.RFC5280Date,
- Lint: &certUniqueIdVersion{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_ct_sct_policy_count_unsatisfied.go b/vendor/github.com/zmap/zlint/lints/lint_ct_sct_policy_count_unsatisfied.go
deleted file mode 100644
index 0cc6c87b2..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_ct_sct_policy_count_unsatisfied.go
+++ /dev/null
@@ -1,156 +0,0 @@
-/*
- * ZLint Copyright 2019 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-package lints
-
-import (
- "fmt"
- "time"
-
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zcrypto/x509/ct"
- "github.com/zmap/zlint/util"
-)
-
-type sctPolicyCount struct{}
-
-// Initialize for a sctPolicyCount instance does nothing.
-func (l *sctPolicyCount) Initialize() error {
- return nil
-}
-
-// CheckApplies returns true for any subscriber certificates that are not
-// precertificates (e.g. that do not have the CT poison extension defined in RFC
-// 6962.
-func (l *sctPolicyCount) CheckApplies(c *x509.Certificate) bool {
- return util.IsSubscriberCert(c) && !util.IsExtInCert(c, util.CtPoisonOID)
-}
-
-// Execute checks if the provided certificate has embedded SCTs from
-// a sufficient number of unique CT logs to meet Apple's CT log policy[0],
-// effective Oct 15th, 2018.
-//
-// The number of required SCTs from different logs is calculated based on the
-// Certificate's lifetime. If the number of required SCTs are not embedded in
-// the certificate a Notice level LintResult is returned.
-//
-// | Certificate lifetime | # of SCTs from separate logs |
-// -------------------------------------------------------
-// | Less than 15 months | 2 |
-// | 15 to 27 months | 3 |
-// | 27 to 39 months | 4 |
-// | More than 39 months | 5 |
-// -------------------------------------------------------
-//
-// Important note 1: We can't know whether additional SCTs were presented
-// alongside the certificate via OCSP stapling. This linter assumes only
-// embedded SCTs are used and ignores the portion of the Apple policy related to
-// SCTs delivered via OCSP. This is one limitation that restricts the linter's
-// findings to Notice level. See more background discussion in Issue 226[1].
-//
-// Important note 2: The linter doesn't maintain a list of Apple's trusted
-// logs. The SCTs embedded in the certificate may not be from log's Apple
-// actually trusts. Similarly the embedded SCT signatures are not validated
-// in any way.
-//
-// [0]: https://support.apple.com/en-us/HT205280
-// [1]: https://github.com/zmap/zlint/issues/226
-func (l *sctPolicyCount) Execute(c *x509.Certificate) *LintResult {
- // Determine the required number of SCTs from separate logs
- expected := appleCTPolicyExpectedSCTs(c)
-
- // If there are no SCTs then the job is easy. We can return a Notice
- // LintResult immediately.
- if len(c.SignedCertificateTimestampList) == 0 && expected > 0 {
- return &LintResult{
- Status: Notice,
- Details: fmt.Sprintf(
- "Certificate had 0 embedded SCTs. Browser policy may require %d for this certificate.",
- expected),
- }
- }
-
- // Build a map from LogID to SCT so that we can count embedded SCTs by unique
- // log.
- sctsByLogID := make(map[ct.SHA256Hash]*ct.SignedCertificateTimestamp)
- for _, sct := range c.SignedCertificateTimestampList {
- sctsByLogID[sct.LogID] = sct
- }
-
- // If the number of embedded SCTs from separate logs meets expected return
- // a Pass result.
- if len(sctsByLogID) >= expected {
- return &LintResult{Status: Pass}
- }
-
- // Otherwise return a Notice result - there weren't enough SCTs embedded in
- // the certificate. More must be provided by OCSP stapling if the certificate
- // is to meet Apple's CT policy.
- return &LintResult{
- Status: Notice,
- Details: fmt.Sprintf(
- "Certificate had %d embedded SCTs from distinct log IDs. "+
- "Browser policy may require %d for this certificate.",
- len(sctsByLogID), expected),
- }
-}
-
-// appleCTPolicyExpectedSCTs returns a count of the number of SCTs expected to
-// be embedded in the given certificate based on its lifetime.
-//
-// For this function the relevant portion of Apple's policy is the table
-// "Number of embedded SCTs based on certificate lifetime" (Also reproduced in
-// the `Execute` godoc comment).
-func appleCTPolicyExpectedSCTs(cert *x509.Certificate) int {
- // Lifetime is relative to the certificate's NotBefore date.
- start := cert.NotBefore
-
- // Thresholds is an ordered array of lifetime periods and their expected # of
- // SCTs. A lifetime period is defined by the cutoff date relative to the
- // start of the certificate's lifetime.
- thresholds := []struct {
- CutoffDate time.Time
- Expected int
- }{
- // Start date ... 15 months
- {CutoffDate: start.AddDate(0, 15, 0), Expected: 2},
- // Start date ... 27 months
- {CutoffDate: start.AddDate(0, 27, 0), Expected: 3},
- // Start date ... 39 months
- {CutoffDate: start.AddDate(0, 39, 0), Expected: 4},
- }
-
- // If the certificate's lifetime falls into any of the cutoff date ranges then
- // we expect that range's expected # of SCTs for this certificate. This loop
- // assumes the `thresholds` list is sorted in ascending order.
- for _, threshold := range thresholds {
- if cert.NotAfter.Before(threshold.CutoffDate) {
- return threshold.Expected
- }
- }
-
- // The certificate had a validity > 39 months.
- return 5
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "w_ct_sct_policy_count_unsatisfied",
- Description: "Check if certificate has enough embedded SCTs to meet Apple CT Policy",
- Citation: "https://support.apple.com/en-us/HT205280",
- Source: AppleCTPolicy,
- EffectiveDate: util.AppleCTPolicyDate,
- Lint: &sctPolicyCount{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_dh_params_missing.go b/vendor/github.com/zmap/zlint/lints/lint_dh_params_missing.go
deleted file mode 100644
index ab8e3c271..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_dh_params_missing.go
+++ /dev/null
@@ -1,55 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-import (
- "crypto/dsa"
-
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type dsaParamsMissing struct{}
-
-func (l *dsaParamsMissing) Initialize() error {
- return nil
-}
-
-func (l *dsaParamsMissing) CheckApplies(c *x509.Certificate) bool {
- return c.PublicKeyAlgorithm == x509.DSA
-}
-
-func (l *dsaParamsMissing) Execute(c *x509.Certificate) *LintResult {
- dsaKey, ok := c.PublicKey.(*dsa.PublicKey)
- if !ok {
- return &LintResult{Status: Fatal}
- }
- params := dsaKey.Parameters
- if params.P.BitLen() == 0 || params.Q.BitLen() == 0 || params.G.BitLen() == 0 {
- return &LintResult{Status: Error}
- }
- return &LintResult{Status: Pass}
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_dsa_params_missing",
- Description: "DSA: Certificates MUST include all domain parameters",
- Citation: "BRs: 6.1.6",
- Source: CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
- Lint: &dsaParamsMissing{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_distribution_point_incomplete.go b/vendor/github.com/zmap/zlint/lints/lint_distribution_point_incomplete.go
deleted file mode 100644
index 4cd94e201..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_distribution_point_incomplete.go
+++ /dev/null
@@ -1,84 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-/********************************************************************
-The cRLDistributionPoints extension is a SEQUENCE of
-DistributionPoint. A DistributionPoint consists of three fields,
-each of which is optional: distributionPoint, reasons, and cRLIssuer.
-While each of these fields is optional, a DistributionPoint MUST NOT
-consist of only the reasons field; either distributionPoint or
-cRLIssuer MUST be present. If the certificate issuer is not the CRL
-issuer, then the cRLIssuer field MUST be present and contain the Name
-of the CRL issuer. If the certificate issuer is also the CRL issuer,
-then conforming CAs MUST omit the cRLIssuer field and MUST include
-the distributionPoint field.
-********************************************************************/
-
-import (
- "encoding/asn1"
-
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zcrypto/x509/pkix"
- "github.com/zmap/zlint/util"
-)
-
-type distributionPoint struct {
- DistributionPoint distributionPointName `asn1:"optional,tag:0"`
- Reason asn1.BitString `asn1:"optional,tag:1"`
- CRLIssuer asn1.RawValue `asn1:"optional,tag:2"`
-}
-
-type distributionPointName struct {
- FullName asn1.RawValue `asn1:"optional,tag:0"`
- RelativeName pkix.RDNSequence `asn1:"optional,tag:1"`
-}
-
-type dpIncomplete struct{}
-
-func (l *dpIncomplete) Initialize() error {
- return nil
-}
-
-func (l *dpIncomplete) CheckApplies(c *x509.Certificate) bool {
- return util.IsExtInCert(c, util.CrlDistOID)
-}
-
-func (l *dpIncomplete) Execute(c *x509.Certificate) *LintResult {
- dp := util.GetExtFromCert(c, util.CrlDistOID)
- var cdp []distributionPoint
- _, err := asn1.Unmarshal(dp.Value, &cdp)
- if err != nil {
- return &LintResult{Status: Fatal}
- }
- for _, dp := range cdp {
- if dp.Reason.BitLength != 0 && len(dp.DistributionPoint.FullName.Bytes) == 0 &&
- dp.DistributionPoint.RelativeName == nil && len(dp.CRLIssuer.Bytes) == 0 {
- return &LintResult{Status: Error}
- }
- }
- return &LintResult{Status: Pass}
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_distribution_point_incomplete",
- Description: "A DistributionPoint from the CRLDistributionPoints extension MUST NOT consist of only the reasons field; either distributionPoint or CRLIssuer must be present",
- Citation: "RFC 5280: 4.2.1.13",
- Source: RFC5280,
- EffectiveDate: util.RFC3280Date,
- Lint: &dpIncomplete{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_distribution_point_missing_ldap_or_uri.go b/vendor/github.com/zmap/zlint/lints/lint_distribution_point_missing_ldap_or_uri.go
deleted file mode 100644
index a848187f9..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_distribution_point_missing_ldap_or_uri.go
+++ /dev/null
@@ -1,57 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-/************************************************
-RFC 5280: 4.2.1.13
-When present, DistributionPointName SHOULD include at least one LDAP or HTTP URI.
-************************************************/
-
-import (
- "strings"
-
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type distribNoLDAPorURI struct{}
-
-func (l *distribNoLDAPorURI) Initialize() error {
- return nil
-}
-
-func (l *distribNoLDAPorURI) CheckApplies(c *x509.Certificate) bool {
- return util.IsExtInCert(c, util.CrlDistOID)
-}
-
-func (l *distribNoLDAPorURI) Execute(c *x509.Certificate) *LintResult {
- for _, point := range c.CRLDistributionPoints {
- if point = strings.ToLower(point); strings.HasPrefix(point, "http://") || strings.HasPrefix(point, "ldap://") {
- return &LintResult{Status: Pass}
- }
- }
- return &LintResult{Status: Warn}
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "w_distribution_point_missing_ldap_or_uri",
- Description: "When present in the CRLDistributionPoints extension, DistributionPointName SHOULD include at least one LDAP or HTTP URI",
- Citation: "RFC 5280: 4.2.1.13",
- Source: RFC5280,
- EffectiveDate: util.RFC5280Date,
- Lint: &distribNoLDAPorURI{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_dnsname_bad_character_in_label.go b/vendor/github.com/zmap/zlint/lints/lint_dnsname_bad_character_in_label.go
deleted file mode 100644
index 22c7f09d8..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_dnsname_bad_character_in_label.go
+++ /dev/null
@@ -1,63 +0,0 @@ -package lints - -/* - * ZLint Copyright 2018 Regents of the University of Michigan - * - * Licensed under the Apache License, Version 2.0 (the "License"); you may not - * use this file except in compliance with the License. You may obtain a copy - * of the License at http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or - * implied. See the License for the specific language governing - * permissions and limitations under the License. - */ - -import ( - "regexp" - - "github.com/zmap/zcrypto/x509" - "github.com/zmap/zlint/util" -) - -type DNSNameProperCharacters struct { - CompiledExpression *regexp.Regexp -} - -func (l *DNSNameProperCharacters) Initialize() error { - const dnsNameRegexp = `^(\*\.)?(\?\.)*([A-Za-z0-9*_-]+\.)*[A-Za-z0-9*_-]*$` - var err error - l.CompiledExpression, err = regexp.Compile(dnsNameRegexp) - - return err -} - -func (l *DNSNameProperCharacters) CheckApplies(c *x509.Certificate) bool { - return util.IsSubscriberCert(c) && util.DNSNamesExist(c) -} - -func (l *DNSNameProperCharacters) Execute(c *x509.Certificate) *LintResult { - if c.Subject.CommonName != "" && !util.CommonNameIsIP(c) { - if !l.CompiledExpression.MatchString(c.Subject.CommonName) { - return &LintResult{Status: Error} - } - } - for _, dns := range c.DNSNames { - if !l.CompiledExpression.MatchString(dns) { - return &LintResult{Status: Error} - } - } - return &LintResult{Status: Pass} -} - -func init() { - RegisterLint(&Lint{ - Name: "e_dnsname_bad_character_in_label", - Description: "Characters in labels of DNSNames MUST be alphanumeric, - , _ or *", - Citation: "BRs: 7.1.4.2", - Source: CABFBaselineRequirements, - EffectiveDate: util.CABEffectiveDate, - Lint: &DNSNameProperCharacters{}, - }) -} 
diff --git a/vendor/github.com/zmap/zlint/lints/lint_dnsname_check_left_label_wildcard.go b/vendor/github.com/zmap/zlint/lints/lint_dnsname_check_left_label_wildcard.go
deleted file mode 100644
index 846e52204..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_dnsname_check_left_label_wildcard.go
+++ /dev/null
@@ -1,66 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-import (
- "strings"
-
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type DNSNameLeftLabelWildcardCheck struct{}
-
-func (l *DNSNameLeftLabelWildcardCheck) Initialize() error {
- return nil
-}
-
-func (l *DNSNameLeftLabelWildcardCheck) CheckApplies(c *x509.Certificate) bool {
- return true
-}
-
-func wildcardInLeftLabelIncorrect(domain string) bool {
- labels := strings.Split(domain, ".")
- if len(labels) >= 1 {
- leftLabel := labels[0]
- if strings.Contains(leftLabel, "*") && leftLabel != "*" {
- return true
- }
- }
- return false
-}
-
-func (l *DNSNameLeftLabelWildcardCheck) Execute(c *x509.Certificate) *LintResult {
- if wildcardInLeftLabelIncorrect(c.Subject.CommonName) {
- return &LintResult{Status: Error}
- }
- for _, dns := range c.DNSNames {
- if wildcardInLeftLabelIncorrect(dns) {
- return &LintResult{Status: Error}
- }
- }
- return &LintResult{Status: Pass}
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_dnsname_left_label_wildcard_correct",
- Description: "Wildcards in the left label of DNSName should only be *",
- Citation: "BRs: 7.1.4.2",
- Source: CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
- Lint: &DNSNameLeftLabelWildcardCheck{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_dnsname_contains_bare_iana_suffix.go b/vendor/github.com/zmap/zlint/lints/lint_dnsname_contains_bare_iana_suffix.go
deleted file mode 100644
index 4ea11aa47..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_dnsname_contains_bare_iana_suffix.go
+++ /dev/null
@@ -1,55 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2017 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-import (
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type dnsNameContainsBareIANASuffix struct{}
-
-func (l *dnsNameContainsBareIANASuffix) Initialize() error {
- return nil
-}
-
-func (l *dnsNameContainsBareIANASuffix) CheckApplies(c *x509.Certificate) bool {
- return util.IsSubscriberCert(c) && util.DNSNamesExist(c)
-}
-
-func (l *dnsNameContainsBareIANASuffix) Execute(c *x509.Certificate) *LintResult {
- if c.Subject.CommonName != "" && !util.CommonNameIsIP(c) {
- if util.IsInTLDMap(c.Subject.CommonName) {
- return &LintResult{Status: Error}
- }
- }
- for _, dns := range c.DNSNames {
- if util.IsInTLDMap(dns) {
- return &LintResult{Status: Error}
- }
- }
- return &LintResult{Status: Pass}
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_dnsname_contains_bare_iana_suffix",
- Description: "DNSNames should not contain a bare IANA suffix.",
- Citation: "BRs: 7.1.4.2",
- Source: CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
- Lint: &dnsNameContainsBareIANASuffix{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_dnsname_contains_empty_label.go b/vendor/github.com/zmap/zlint/lints/lint_dnsname_contains_empty_label.go
deleted file mode 100644
index 8e11d844b..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_dnsname_contains_empty_label.go
+++ /dev/null
@@ -1,67 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-import (
- "strings"
-
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type DNSNameEmptyLabel struct{}
-
-func (l *DNSNameEmptyLabel) Initialize() error {
- return nil
-}
-
-func (l *DNSNameEmptyLabel) CheckApplies(c *x509.Certificate) bool {
- return util.IsSubscriberCert(c) && util.DNSNamesExist(c)
-}
-
-func domainHasEmptyLabel(domain string) bool {
- labels := strings.Split(domain, ".")
- for _, elem := range labels {
- if elem == "" {
- return true
- }
- }
- return false
-}
-
-func (l *DNSNameEmptyLabel) Execute(c *x509.Certificate) *LintResult {
- if c.Subject.CommonName != "" && !util.CommonNameIsIP(c) {
- if domainHasEmptyLabel(c.Subject.CommonName) {
- return &LintResult{Status: Error}
- }
- }
- for _, dns := range c.DNSNames {
- if domainHasEmptyLabel(dns) {
- return &LintResult{Status: Error}
- }
- }
- return &LintResult{Status: Pass}
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_dnsname_empty_label",
- Description: "DNSNames should not have an empty label.",
- Citation: "BRs: 7.1.4.2",
- Source: CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
- Lint: &DNSNameEmptyLabel{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_dnsname_hyphen_in_sld.go b/vendor/github.com/zmap/zlint/lints/lint_dnsname_hyphen_in_sld.go
deleted file mode 100644
index 8070bf227..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_dnsname_hyphen_in_sld.go
+++ /dev/null
@@ -1,66 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-import (
- "strings"
-
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type DNSNameHyphenInSLD struct{}
-
-func (l *DNSNameHyphenInSLD) Initialize() error {
- return nil
-}
-
-func (l *DNSNameHyphenInSLD) CheckApplies(c *x509.Certificate) bool {
- return util.IsSubscriberCert(c) && util.DNSNamesExist(c)
-}
-
-func (l *DNSNameHyphenInSLD) Execute(c *x509.Certificate) *LintResult {
- if c.Subject.CommonName != "" && !util.CommonNameIsIP(c) {
- domainInfo := c.GetParsedSubjectCommonName(false)
- if domainInfo.ParseError != nil {
- return &LintResult{Status: NA}
- }
- if strings.HasPrefix(domainInfo.ParsedDomain.SLD, "-") || strings.HasSuffix(domainInfo.ParsedDomain.SLD, "-") {
- return &LintResult{Status: Error}
- }
- }
- parsedSANDNSNames := c.GetParsedDNSNames(false)
- for i := range c.GetParsedDNSNames(false) {
- if parsedSANDNSNames[i].ParseError != nil {
- return &LintResult{Status: NA}
- }
- if strings.HasPrefix(parsedSANDNSNames[i].ParsedDomain.SLD, "-") ||
- strings.HasSuffix(parsedSANDNSNames[i].ParsedDomain.SLD, "-") {
- return &LintResult{Status: Error}
- }
- }
- return &LintResult{Status: Pass}
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_dnsname_hyphen_in_sld",
- Description: "DNSName should not have a hyphen beginning or ending the SLD",
- Citation: "BRs 7.1.4.2",
- Source: CABFBaselineRequirements,
- EffectiveDate: util.RFC5280Date,
- Lint: &DNSNameHyphenInSLD{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_dnsname_label_too_long.go b/vendor/github.com/zmap/zlint/lints/lint_dnsname_label_too_long.go
deleted file mode 100644
index d9d1eec45..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_dnsname_label_too_long.go
+++ /dev/null
@@ -1,69 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-import (
- "strings"
-
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type DNSNameLabelLengthTooLong struct{}
-
-func (l *DNSNameLabelLengthTooLong) Initialize() error {
- return nil
-}
-
-func (l *DNSNameLabelLengthTooLong) CheckApplies(c *x509.Certificate) bool {
- return util.IsSubscriberCert(c) && util.DNSNamesExist(c)
-}
-
-func labelLengthTooLong(domain string) bool {
- labels := strings.Split(domain, ".")
- for _, label := range labels {
- if len(label) > 63 {
- return true
- }
- }
- return false
-}
-
-func (l *DNSNameLabelLengthTooLong) Execute(c *x509.Certificate) *LintResult {
- if c.Subject.CommonName != "" && !util.CommonNameIsIP(c) {
- labelTooLong := labelLengthTooLong(c.Subject.CommonName)
- if labelTooLong {
- return &LintResult{Status: Error}
- }
- }
- for _, dns := range c.DNSNames {
- labelTooLong := labelLengthTooLong(dns)
- if labelTooLong {
- return &LintResult{Status: Error}
- }
- }
- return &LintResult{Status: Pass}
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_dnsname_label_too_long",
- Description: "DNSName labels MUST be less than or equal to 63 characters",
- Citation: "RFC 1035",
- Source: CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
- Lint: &DNSNameLabelLengthTooLong{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_dnsname_right_label_valid_tld.go b/vendor/github.com/zmap/zlint/lints/lint_dnsname_right_label_valid_tld.go
deleted file mode 100644
index ccd9804e3..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_dnsname_right_label_valid_tld.go
+++ /dev/null
@@ -1,55 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-import (
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type DNSNameValidTLD struct{}
-
-func (l *DNSNameValidTLD) Initialize() error {
- return nil
-}
-
-func (l *DNSNameValidTLD) CheckApplies(c *x509.Certificate) bool {
- return util.IsSubscriberCert(c) && util.DNSNamesExist(c)
-}
-
-func (l *DNSNameValidTLD) Execute(c *x509.Certificate) *LintResult {
- if c.Subject.CommonName != "" && !util.CommonNameIsIP(c) {
- if !util.HasValidTLD(c.Subject.CommonName, c.NotBefore) {
- return &LintResult{Status: Error}
- }
- }
- for _, dns := range c.DNSNames {
- if !util.HasValidTLD(dns, c.NotBefore) {
- return &LintResult{Status: Error}
- }
- }
- return &LintResult{Status: Pass}
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_dnsname_not_valid_tld",
- Description: "DNSNames must have a valid TLD.",
- Citation: "BRs: 7.1.4.2",
- Source: CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
- Lint: &DNSNameValidTLD{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_dnsname_underscore_in_sld.go b/vendor/github.com/zmap/zlint/lints/lint_dnsname_underscore_in_sld.go
deleted file mode 100644
index a54453eb2..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_dnsname_underscore_in_sld.go
+++ /dev/null
@@ -1,66 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-import (
- "strings"
-
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type DNSNameUnderscoreInSLD struct{}
-
-func (l *DNSNameUnderscoreInSLD) Initialize() error {
- return nil
-}
-
-func (l *DNSNameUnderscoreInSLD) CheckApplies(c *x509.Certificate) bool {
- return util.IsSubscriberCert(c) && util.DNSNamesExist(c)
-}
-
-func (l *DNSNameUnderscoreInSLD) Execute(c *x509.Certificate) *LintResult {
- if c.Subject.CommonName != "" && !util.CommonNameIsIP(c) {
- domainInfo := c.GetParsedSubjectCommonName(false)
- if domainInfo.ParseError != nil {
- return &LintResult{Status: NA}
- }
- if strings.Contains(domainInfo.ParsedDomain.SLD, "_") {
- return &LintResult{Status: Error}
- }
- }
-
- parsedSANDNSNames := c.GetParsedDNSNames(false)
- for i := range c.GetParsedDNSNames(false) {
- if parsedSANDNSNames[i].ParseError != nil {
- return &LintResult{Status: NA}
- }
- if strings.Contains(parsedSANDNSNames[i].ParsedDomain.SLD, "_") {
- return &LintResult{Status: Error}
- }
- }
- return &LintResult{Status: Pass}
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_dnsname_underscore_in_sld",
- Description: "DNSName should not have underscore in SLD",
- Citation: "BRs: 7.1.4.2",
- Source: CABFBaselineRequirements,
- EffectiveDate: util.RFC5280Date,
- Lint: &DNSNameUnderscoreInSLD{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_dnsname_underscore_in_trd.go b/vendor/github.com/zmap/zlint/lints/lint_dnsname_underscore_in_trd.go
deleted file mode 100644
index 4d70e1e6a..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_dnsname_underscore_in_trd.go
+++ /dev/null
@@ -1,67 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-import (
- "strings"
-
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type DNSNameUnderscoreInTRD struct{}
-
-func (l *DNSNameUnderscoreInTRD) Initialize() error {
- return nil
-}
-
-func (l *DNSNameUnderscoreInTRD) CheckApplies(c *x509.Certificate) bool {
- return util.IsSubscriberCert(c) && util.DNSNamesExist(c)
-}
-
-func (l *DNSNameUnderscoreInTRD) Execute(c *x509.Certificate) *LintResult {
- if c.Subject.CommonName != "" && !util.CommonNameIsIP(c) {
- domainInfo := c.GetParsedSubjectCommonName(false)
- if domainInfo.ParseError != nil {
- return &LintResult{Status: NA}
- }
- if strings.Contains(domainInfo.ParsedDomain.TRD, "_") {
- return &LintResult{Status: Warn}
- }
- }
-
- parsedSANDNSNames := c.GetParsedDNSNames(false)
- for i := range c.GetParsedDNSNames(false) {
- if parsedSANDNSNames[i].ParseError != nil {
- return &LintResult{Status: NA}
- }
- if strings.Contains(parsedSANDNSNames[i].ParsedDomain.TRD, "_") {
- return &LintResult{Status: Warn}
- }
- }
-
- return &LintResult{Status: Pass}
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "w_dnsname_underscore_in_trd",
- Description: "DNSName should not have an underscore in labels left of the ETLD+1",
- Citation: "BRs: 7.1.4.2",
- Source: CABFBaselineRequirements,
- EffectiveDate: util.RFC5280Date,
- Lint: &DNSNameUnderscoreInTRD{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_dnsname_wildcard_left_of_public_suffix.go b/vendor/github.com/zmap/zlint/lints/lint_dnsname_wildcard_left_of_public_suffix.go
deleted file mode 100644
index a01f4138a..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_dnsname_wildcard_left_of_public_suffix.go
+++ /dev/null
@@ -1,66 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-import (
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type DNSNameWildcardLeftofPublicSuffix struct{}
-
-func (l *DNSNameWildcardLeftofPublicSuffix) Initialize() error {
- return nil
-}
-
-func (l *DNSNameWildcardLeftofPublicSuffix) CheckApplies(c *x509.Certificate) bool {
- return util.IsSubscriberCert(c) && util.DNSNamesExist(c)
-}
-
-func (l *DNSNameWildcardLeftofPublicSuffix) Execute(c *x509.Certificate) *LintResult {
- if c.Subject.CommonName != "" && !util.CommonNameIsIP(c) {
- domainInfo := c.GetParsedSubjectCommonName(false)
- if domainInfo.ParseError != nil {
- return &LintResult{Status: NA}
- }
-
- if domainInfo.ParsedDomain.SLD == "*" {
- return &LintResult{Status: Warn}
- }
- }
-
- parsedSANDNSNames := c.GetParsedDNSNames(false)
- for i := range c.GetParsedDNSNames(false) {
- if parsedSANDNSNames[i].ParseError != nil {
- return &LintResult{Status: NA}
- }
-
- if parsedSANDNSNames[i].ParsedDomain.SLD == "*" {
- return &LintResult{Status: Warn}
- }
- }
- return &LintResult{Status: Pass}
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "w_dnsname_wildcard_left_of_public_suffix",
- Description: "the CA MUST establish and follow a documented procedure[^pubsuffix] that determines if the wildcard character occurs in the first label position to the left of a “registry‐controlled” label or “public suffix”",
- Citation: "BRs: 3.2.2.6",
- Source: CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
- Lint: &DNSNameWildcardLeftofPublicSuffix{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_dnsname_wildcard_only_in_left_label.go b/vendor/github.com/zmap/zlint/lints/lint_dnsname_wildcard_only_in_left_label.go
deleted file mode 100644
index 9aaadcd14..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_dnsname_wildcard_only_in_left_label.go
+++ /dev/null
@@ -1,68 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-import (
- "strings"
-
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type DNSNameWildcardOnlyInLeftlabel struct{}
-
-func (l *DNSNameWildcardOnlyInLeftlabel) Initialize() error {
- return nil
-}
-
-func (l *DNSNameWildcardOnlyInLeftlabel) CheckApplies(c *x509.Certificate) bool {
- return true
-}
-
-func wildcardNotInLeftLabel(domain string) bool {
- labels := strings.Split(domain, ".")
- if len(labels) > 1 {
- labels = labels[1:]
- for _, label := range labels {
- if strings.Contains(label, "*") {
- return true
- }
- }
- }
- return false
-}
-
-func (l *DNSNameWildcardOnlyInLeftlabel) Execute(c *x509.Certificate) *LintResult {
- if wildcardNotInLeftLabel(c.Subject.CommonName) {
- return &LintResult{Status: Error}
- }
- for _, dns := range c.DNSNames {
- if wildcardNotInLeftLabel(dns) {
- return &LintResult{Status: Error}
- }
- }
- return &LintResult{Status: Pass}
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_dnsname_wildcard_only_in_left_label",
- Description: "DNSName should not have wildcards except in the left-most label",
- Citation: "BRs: 7.1.4.2",
- Source: CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
- Lint: &DNSNameWildcardOnlyInLeftlabel{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_dsa_correct_order_in_subgroup.go b/vendor/github.com/zmap/zlint/lints/lint_dsa_correct_order_in_subgroup.go
deleted file mode 100644
index 8fd5eaab2..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_dsa_correct_order_in_subgroup.go
+++ /dev/null
@@ -1,65 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-import (
- "crypto/dsa"
- "math/big"
-
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type dsaSubgroup struct{}
-
-func (l *dsaSubgroup) Initialize() error {
- return nil
-}
-
-func (l *dsaSubgroup) CheckApplies(c *x509.Certificate) bool {
- if c.PublicKeyAlgorithm != x509.DSA {
- return false
- }
- if _, ok := c.PublicKey.(*dsa.PublicKey); !ok {
- return false
- }
- return true
-}
-
-func (l *dsaSubgroup) Execute(c *x509.Certificate) *LintResult {
- dsaKey, ok := c.PublicKey.(*dsa.PublicKey)
- if !ok {
- return &LintResult{Status: NA}
- }
- output := big.Int{}
-
- // Enforce that Y^Q == 1 mod P, e.g. that Order(Y) == Q mod P.
- output.Exp(dsaKey.Y, dsaKey.Q, dsaKey.P)
- if output.Cmp(big.NewInt(1)) == 0 {
- return &LintResult{Status: Pass}
- }
- return &LintResult{Status: Error}
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_dsa_correct_order_in_subgroup",
- Description: "DSA: Public key value has the unique correct representation in the field, and that the key has the correct order in the subgroup",
- Citation: "BRs: 6.1.6",
- Source: CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
- Lint: &dsaSubgroup{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_dsa_improper_modulus_or_divisor_size.go b/vendor/github.com/zmap/zlint/lints/lint_dsa_improper_modulus_or_divisor_size.go
deleted file mode 100644
index 096b6b1d5..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_dsa_improper_modulus_or_divisor_size.go
+++ /dev/null
@@ -1,56 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-import (
- "crypto/dsa"
-
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type dsaImproperSize struct{}
-
-func (l *dsaImproperSize) Initialize() error {
- return nil
-}
-
-func (l *dsaImproperSize) CheckApplies(c *x509.Certificate) bool {
- return c.PublicKeyAlgorithm == x509.DSA
-}
-
-func (l *dsaImproperSize) Execute(c *x509.Certificate) *LintResult {
- dsaKey, ok := c.PublicKey.(*dsa.PublicKey)
- if !ok {
- return &LintResult{Status: NA}
- }
- L := dsaKey.Parameters.P.BitLen()
- N := dsaKey.Parameters.Q.BitLen()
- if (L == 2048 && N == 224) || (L == 2048 && N == 256) || (L == 3072 && N == 256) {
- return &LintResult{Status: Pass}
- }
- return &LintResult{Status: Error}
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_dsa_improper_modulus_or_divisor_size",
- Description: "Certificates MUST meet the following requirements for DSA algorithm type and key size: L=2048 and N=224,256 or L=3072 and N=256",
- Citation: "BRs: 6.1.5",
- Source: CABFBaselineRequirements,
- EffectiveDate: util.ZeroDate,
- Lint: &dsaImproperSize{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_dsa_shorter_than_2048_bits.go b/vendor/github.com/zmap/zlint/lints/lint_dsa_shorter_than_2048_bits.go
deleted file mode 100644
index b9a0f2906..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_dsa_shorter_than_2048_bits.go
+++ /dev/null
@@ -1,58 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-import (
- "crypto/dsa"
-
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type dsaTooShort struct{}
-
-func (l *dsaTooShort) Initialize() error {
- return nil
-}
-
-func (l *dsaTooShort) CheckApplies(c *x509.Certificate) bool {
- return c.PublicKeyAlgorithm == x509.DSA
-}
-
-func (l *dsaTooShort) Execute(c *x509.Certificate) *LintResult {
- dsaKey, ok := c.PublicKey.(*dsa.PublicKey)
- if !ok {
- return &LintResult{Status: NA}
- }
- dsaParams := dsaKey.Parameters
- L := dsaParams.P.BitLen()
- N := dsaParams.Q.BitLen()
- if L >= 2048 && N >= 244 {
- return &LintResult{Status: Pass}
- }
- return &LintResult{Status: Error}
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_dsa_shorter_than_2048_bits",
- Description: "DSA modulus size must be at least 2048 bits",
- Citation: "BRs: 6.1.5",
- // Refer to BRs: 6.1.5, taking the statement "Before 31 Dec 2010" literally
- Source: CABFBaselineRequirements,
- EffectiveDate: util.ZeroDate,
- Lint: &dsaTooShort{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_dsa_unique_correct_representation.go b/vendor/github.com/zmap/zlint/lints/lint_dsa_unique_correct_representation.go
deleted file mode 100644
index be356cfa3..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_dsa_unique_correct_representation.go
+++ /dev/null
@@ -1,59 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-import (
- "crypto/dsa"
- "math/big"
-
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type dsaUniqueCorrectRepresentation struct{}
-
-func (l *dsaUniqueCorrectRepresentation) Initialize() error {
- return nil
-}
-
-func (l *dsaUniqueCorrectRepresentation) CheckApplies(c *x509.Certificate) bool {
- return c.PublicKeyAlgorithm == x509.DSA
-}
-
-func (l *dsaUniqueCorrectRepresentation) Execute(c *x509.Certificate) *LintResult {
- dsaKey, ok := c.PublicKey.(*dsa.PublicKey)
- if !ok {
- return &LintResult{Status: NA}
- }
- // Verify that 2 ≤ y ≤ p-2.
- two := big.NewInt(2)
- pMinusTwo := big.NewInt(0)
- pMinusTwo.Sub(dsaKey.P, two)
- if two.Cmp(dsaKey.Y) > 0 || dsaKey.Y.Cmp(pMinusTwo) > 0 {
- return &LintResult{Status: Error}
- }
- return &LintResult{Status: Pass}
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_dsa_unique_correct_representation",
- Description: "DSA: Public key value has the unique correct representation in the field, and that the key has the correct order in the subgroup",
- Citation: "BRs: 6.1.6",
- Source: CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
- Lint: &dsaUniqueCorrectRepresentation{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_ec_improper_curves.go b/vendor/github.com/zmap/zlint/lints/lint_ec_improper_curves.go deleted file mode 100644 index 81a2827e1..000000000 --- a/vendor/github.com/zmap/zlint/lints/lint_ec_improper_curves.go +++ /dev/null 
@@ -1,71 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-/************************************************
-BRs: 6.1.5
-Certificates MUST meet the following requirements for algorithm type and key size.
-ECC Curve: NIST P-256, P-384, or P-521
-************************************************/
-
-import (
- "crypto/ecdsa"
-
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type ecImproperCurves struct{}
-
-func (l *ecImproperCurves) Initialize() error {
- return nil
-}
-
-func (l *ecImproperCurves) CheckApplies(c *x509.Certificate) bool {
- return c.PublicKeyAlgorithm == x509.ECDSA
-}
-
-func (l *ecImproperCurves) Execute(c *x509.Certificate) *LintResult {
- /* Declare theKey to be a ECDSA Public Key */
- var theKey *ecdsa.PublicKey
- /* Need to do different things based on what c.PublicKey is */
- switch c.PublicKey.(type) {
- case *x509.AugmentedECDSA:
- temp := c.PublicKey.(*x509.AugmentedECDSA)
- theKey = temp.Pub
- case *ecdsa.PublicKey:
- theKey = c.PublicKey.(*ecdsa.PublicKey)
- }
- /* Now can actually check the params */
- theParams := theKey.Curve.Params()
- switch theParams.Name {
- case "P-256", "P-384", "P-521":
- return &LintResult{Status: Pass}
- default:
- return &LintResult{Status: Error}
- }
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_ec_improper_curves",
- Description: "Only one of NIST P‐256, P‐384, or P‐521 can be used",
- Citation: "BRs: 6.1.5",
- Source: CABFBaselineRequirements,
- // Refer to BRs: 6.1.5, taking the statement "Before 31 Dec 2010" literally
- EffectiveDate: util.ZeroDate,
- Lint: &ecImproperCurves{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_ecdsa_ee_invalid_ku.go b/vendor/github.com/zmap/zlint/lints/lint_ecdsa_ee_invalid_ku.go
deleted file mode 100644
index 03c464482..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_ecdsa_ee_invalid_ku.go
+++ /dev/null
@@ -1,98 +0,0 @@
-/*
- * ZLint Copyright 2019 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-package lints
-
-import (
- "fmt"
- "sort"
- "strings"
-
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type ecdsaInvalidKU struct{}
-
-// Initialize is a no-op for this lint.
-func (l *ecdsaInvalidKU) Initialize() error {
- return nil
-}
-
-// CheckApplies returns true when the certificate is a subscriber cert using an
-// ECDSA public key algorithm.
-func (l *ecdsaInvalidKU) CheckApplies(c *x509.Certificate) bool {
- return util.IsSubscriberCert(c) && c.PublicKeyAlgorithm == x509.ECDSA
-}
-
-// Execute returns a Notice level LintResult if the ECDSA end entity certificate
-// being linted has Key Usage bits set other than digitalSignature,
-// nonRepudiation/contentCommentment, and keyAgreement.
-func (l *ecdsaInvalidKU) Execute(c *x509.Certificate) *LintResult {
- // RFC 5480, Section 3 "Key Usage Bits" says:
- //
- // If the keyUsage extension is present in an End Entity (EE)
- // certificate that indicates id-ecPublicKey in SubjectPublicKeyInfo,
- // then any combination of the following values MAY be present:
- //
- // digitalSignature;
- // nonRepudiation; and
- // keyAgreement.
- //
- // So we set up `allowedKUs` to match. Note that per RFC 5280: recent editions
- // of X.509 renamed "nonRepudiation" to "contentCommitment", which is the name
- // of the Go x509 constant we use here alongside the digitalSignature and
- // keyAgreement constants.
- allowedKUs := map[x509.KeyUsage]bool{
- x509.KeyUsageDigitalSignature: true,
- x509.KeyUsageContentCommitment: true,
- x509.KeyUsageKeyAgreement: true,
- }
-
- var invalidKUs []string
- for ku, kuName := range util.KeyUsageToString {
- if c.KeyUsage&ku != 0 {
- if !allowedKUs[ku] {
- invalidKUs = append(invalidKUs, kuName)
- }
- }
- }
-
- if len(invalidKUs) > 0 {
- // Sort the invalid KUs to allow consistent ordering of Details messages for
- // unit testing
- sort.Strings(invalidKUs)
- return &LintResult{
- Status: Notice,
- Details: fmt.Sprintf(
- "Certificate had unexpected key usage(s): %s",
- strings.Join(invalidKUs, ", ")),
- }
- }
-
- return &LintResult{
- Status: Pass,
- }
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "n_ecdsa_ee_invalid_ku",
- Description: "ECDSA end-entity certificates MAY have key usages: digitalSignature, nonRepudiation and keyAgreement",
- Citation: "RFC 5480 Section 3",
- Source: RFC5480,
- EffectiveDate: util.CABEffectiveDate,
- Lint: &ecdsaInvalidKU{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_eku_critical_improperly.go b/vendor/github.com/zmap/zlint/lints/lint_eku_critical_improperly.go
deleted file mode 100644
index 652d7efba..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_eku_critical_improperly.go
+++ /dev/null
@@ -1,66 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-/************************************************
-RFC 5280: 4.2.1.12
-If a CA includes extended key usages to satisfy such applications,
- but does not wish to restrict usages of the key, the CA can include
- the special KeyPurposeId anyExtendedKeyUsage in addition to the
- particular key purposes required by the applications. Conforming CAs
- SHOULD NOT mark this extension as critical if the anyExtendedKeyUsage
- KeyPurposeId is present. Applications that require the presence of a
- particular purpose MAY reject certificates that include the
- anyExtendedKeyUsage OID but not the particular OID expected for the
- application.
-************************************************/
-
-import (
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type ekuBadCritical struct{}
-
-func (l *ekuBadCritical) Initialize() error {
- return nil
-}
-
-func (l *ekuBadCritical) CheckApplies(c *x509.Certificate) bool {
- return util.IsExtInCert(c, util.EkuSynOid)
-}
-
-func (l *ekuBadCritical) Execute(c *x509.Certificate) *LintResult {
- if e := util.GetExtFromCert(c, util.EkuSynOid); e.Critical {
- for _, single_use := range c.ExtKeyUsage {
- if single_use == x509.ExtKeyUsageAny {
- return &LintResult{Status: Warn}
- }
- }
- }
-
- return &LintResult{Status: Pass}
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "w_eku_critical_improperly",
- Description: "Conforming CAs SHOULD NOT mark extended key usage extension as critical if the anyExtendedKeyUsage KeyPurposedID is present",
- Citation: "RFC 5280: 4.2.1.12",
- Source: RFC5280,
- EffectiveDate: util.RFC3280Date,
- Lint: &ekuBadCritical{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_ev_business_category_missing.go b/vendor/github.com/zmap/zlint/lints/lint_ev_business_category_missing.go
deleted file mode 100644
index d0888fdca..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_ev_business_category_missing.go
+++ /dev/null
@@ -1,49 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-import (
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type evNoBiz struct{}
-
-func (l *evNoBiz) Initialize() error {
- return nil
-}
-
-func (l *evNoBiz) CheckApplies(c *x509.Certificate) bool {
- return util.IsEV(c.PolicyIdentifiers) && util.IsSubscriberCert(c)
-}
-
-func (l *evNoBiz) Execute(c *x509.Certificate) *LintResult {
- if util.TypeInName(&c.Subject, util.BusinessOID) {
- return &LintResult{Status: Pass}
- } else {
- return &LintResult{Status: Error}
- }
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_ev_business_category_missing",
- Description: "EV certificates must include businessCategory in subject",
- Citation: "BRs: 7.1.6.1",
- Source: CABFBaselineRequirements,
- EffectiveDate: util.ZeroDate,
- Lint: &evNoBiz{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_ev_country_name_missing.go b/vendor/github.com/zmap/zlint/lints/lint_ev_country_name_missing.go
deleted file mode 100644
index c06451f71..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_ev_country_name_missing.go
+++ /dev/null
@@ -1,49 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-import (
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type evCountryMissing struct{}
-
-func (l *evCountryMissing) Initialize() error {
- return nil
-}
-
-func (l *evCountryMissing) CheckApplies(c *x509.Certificate) bool {
- return util.IsEV(c.PolicyIdentifiers) && util.IsSubscriberCert(c)
-}
-
-func (l *evCountryMissing) Execute(c *x509.Certificate) *LintResult {
- if util.TypeInName(&c.Subject, util.CountryNameOID) {
- return &LintResult{Status: Pass}
- } else {
- return &LintResult{Status: Error}
- }
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_ev_country_name_missing",
- Description: "EV certificates must include countryName in subject",
- Citation: "BRs: 7.1.6.1",
- Source: CABFBaselineRequirements,
- EffectiveDate: util.ZeroDate,
- Lint: &evCountryMissing{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_ev_organization_name_missing.go b/vendor/github.com/zmap/zlint/lints/lint_ev_organization_name_missing.go
deleted file mode 100644
index c08cf3f68..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_ev_organization_name_missing.go
+++ /dev/null
@@ -1,49 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-import (
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type evOrgMissing struct{}
-
-func (l *evOrgMissing) Initialize() error {
- return nil
-}
-
-func (l *evOrgMissing) CheckApplies(c *x509.Certificate) bool {
- return util.IsEV(c.PolicyIdentifiers) && util.IsSubscriberCert(c)
-}
-
-func (l *evOrgMissing) Execute(c *x509.Certificate) *LintResult {
- if util.TypeInName(&c.Subject, util.OrganizationNameOID) {
- return &LintResult{Status: Pass}
- } else {
- return &LintResult{Status: Error}
- }
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_ev_organization_name_missing",
- Description: "EV certificates must include organizationName in subject",
- Citation: "BRs: 7.1.6.1",
- Source: CABFBaselineRequirements,
- EffectiveDate: util.ZeroDate,
- Lint: &evOrgMissing{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_ev_serial_number_missing.go b/vendor/github.com/zmap/zlint/lints/lint_ev_serial_number_missing.go
deleted file mode 100644
index 7b34ffc80..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_ev_serial_number_missing.go
+++ /dev/null
@@ -1,48 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-import (
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type evSNMissing struct{}
-
-func (l *evSNMissing) Initialize() error {
- return nil
-}
-
-func (l *evSNMissing) CheckApplies(c *x509.Certificate) bool {
- return util.IsEV(c.PolicyIdentifiers) && util.IsSubscriberCert(c)
-}
-
-func (l *evSNMissing) Execute(c *x509.Certificate) *LintResult {
- if len(c.Subject.SerialNumber) == 0 {
- return &LintResult{Status: Error}
- }
- return &LintResult{Status: Pass}
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_ev_serial_number_missing",
- Description: "EV certificates must include serialNumber in subject",
- Citation: "EV gudelines: 9.2.6",
- Source: CABFBaselineRequirements,
- EffectiveDate: util.ZeroDate,
- Lint: &evSNMissing{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_ev_valid_time_too_long.go b/vendor/github.com/zmap/zlint/lints/lint_ev_valid_time_too_long.go
deleted file mode 100644
index 31fb5e628..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_ev_valid_time_too_long.go
+++ /dev/null
@@ -1,48 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-import (
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type evValidTooLong struct{}
-
-func (l *evValidTooLong) Initialize() error {
- return nil
-}
-
-func (l *evValidTooLong) CheckApplies(c *x509.Certificate) bool {
- return util.IsEV(c.PolicyIdentifiers) && util.IsSubscriberCert(c)
-}
-
-func (l *evValidTooLong) Execute(c *x509.Certificate) *LintResult {
- if c.NotBefore.AddDate(0, 0, 825).Before(c.NotAfter) {
- return &LintResult{Status: Error}
- }
- return &LintResult{Status: Pass}
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_ev_valid_time_too_long",
- Description: "EV certificates must be 825 days in validity or less",
- Citation: "BRs: 6.3.2",
- Source: CABFBaselineRequirements,
- EffectiveDate: util.ZeroDate,
- Lint: &evValidTooLong{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_ext_aia_access_location_missing.go b/vendor/github.com/zmap/zlint/lints/lint_ext_aia_access_location_missing.go
deleted file mode 100644
index 46fe81f81..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_ext_aia_access_location_missing.go
+++ /dev/null
@@ -1,63 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-/************************************************
-RFC 5280: 4.2.2.1
-An authorityInfoAccess extension may include multiple instances of
- the id-ad-caIssuers accessMethod. The different instances may
- specify different methods for accessing the same information or may
- point to different information. When the id-ad-caIssuers
- accessMethod is used, at least one instance SHOULD specify an
- accessLocation that is an HTTP [RFC2616] or LDAP [RFC4516] URI.
-
-************************************************/
-
-import (
- "strings"
-
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type aiaNoHTTPorLDAP struct{}
-
-func (l *aiaNoHTTPorLDAP) Initialize() error {
- return nil
-}
-
-func (l *aiaNoHTTPorLDAP) CheckApplies(c *x509.Certificate) bool {
- return util.IsExtInCert(c, util.AiaOID) && c.IssuingCertificateURL != nil
-}
-
-func (l *aiaNoHTTPorLDAP) Execute(c *x509.Certificate) *LintResult {
- for _, caIssuer := range c.IssuingCertificateURL {
- if caIssuer = strings.ToLower(caIssuer); strings.HasPrefix(caIssuer, "http://") || strings.HasPrefix(caIssuer, "ldap://") {
- return &LintResult{Status: Pass}
- }
- }
- return &LintResult{Status: Warn}
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "w_ext_aia_access_location_missing",
- Description: "When the id-ad-caIssuers accessMethod is used, at least one instance SHOULD specify an accessLocation that is an HTTP or LDAP URI",
- Citation: "RFC 5280: 4.2.2.1",
- Source: RFC5280,
- EffectiveDate: util.RFC5280Date,
- Lint: &aiaNoHTTPorLDAP{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_ext_aia_marked_critical.go b/vendor/github.com/zmap/zlint/lints/lint_ext_aia_marked_critical.go
deleted file mode 100644
index 9c95f73b1..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_ext_aia_marked_critical.go
+++ /dev/null
@@ -1,55 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-/************************************************
-Authority Information Access
- The authority information access extension indicates how to access information and services for the issuer of the certificate in which the extension appears. Information and services may include on-line validation services and CA policy data. (The location of CRLs is not specified in this extension; that information is provided by the cRLDistributionPoints extension.) This extension may be included in end entity or CA certificates. Conforming CAs MUST mark this extension as non-critical.
-************************************************/
-//See also: BRs: 7.1.2.3 & CAB: 7.1.2.2
-
-import (
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type ExtAiaMarkedCritical struct{}
-
-func (l *ExtAiaMarkedCritical) Initialize() error {
- return nil
-}
-
-func (l *ExtAiaMarkedCritical) CheckApplies(cert *x509.Certificate) bool {
- return util.IsExtInCert(cert, util.AiaOID)
-}
-
-func (l *ExtAiaMarkedCritical) Execute(cert *x509.Certificate) *LintResult {
- if util.GetExtFromCert(cert, util.AiaOID).Critical {
- return &LintResult{Status: Error}
- } else {
- return &LintResult{Status: Pass}
- }
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_ext_aia_marked_critical",
- Description: "Conforming CAs must mark the Authority Information Access extension as non-critical",
- Citation: "RFC 5280: 4.2.2.1",
- Source: RFC5280,
- EffectiveDate: util.RFC2459Date,
- Lint: &ExtAiaMarkedCritical{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_ext_authority_key_identifier_critical.go b/vendor/github.com/zmap/zlint/lints/lint_ext_authority_key_identifier_critical.go
deleted file mode 100644
index c85b2c150..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_ext_authority_key_identifier_critical.go
+++ /dev/null
@@ -1,55 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-/*********************************************************
-RFC 5280: 4.2.1.1
-Conforming CAs MUST mark this extension as non-critical.
-**********************************************************/
-
-import (
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type authorityKeyIdCritical struct{}
-
-func (l *authorityKeyIdCritical) Initialize() error {
- return nil
-}
-
-func (l *authorityKeyIdCritical) CheckApplies(c *x509.Certificate) bool {
- return util.IsExtInCert(c, util.AuthkeyOID)
-}
-
-func (l *authorityKeyIdCritical) Execute(c *x509.Certificate) *LintResult {
- aki := util.GetExtFromCert(c, util.AuthkeyOID) //pointer to the extension
- if aki.Critical {
- return &LintResult{Status: Error}
- } else { //implies !aki.Critical
- return &LintResult{Status: Pass}
- }
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_ext_authority_key_identifier_critical",
- Description: "The authority key identifier extension must be non-critical",
- Citation: "RFC 5280: 4.2.1.1",
- Source: RFC5280,
- EffectiveDate: util.RFC2459Date,
- Lint: &authorityKeyIdCritical{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_ext_authority_key_identifier_missing.go b/vendor/github.com/zmap/zlint/lints/lint_ext_authority_key_identifier_missing.go
deleted file mode 100644
index 4a0050cd7..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_ext_authority_key_identifier_missing.go
+++ /dev/null
@@ -1,64 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-/***********************************************************************
-RFC 5280: 4.2.1.1
-The keyIdentifier field of the authorityKeyIdentifier extension MUST
- be included in all certificates generated by conforming CAs to
- facilitate certification path construction. There is one exception;
- where a CA distributes its public key in the form of a "self-signed"
- certificate, the authority key identifier MAY be omitted. The
- signature on a self-signed certificate is generated with the private
- key associated with the certificate's subject public key. (This
- proves that the issuer possesses both the public and private keys.)
- In this case, the subject and authority key identifiers would be
- identical, but only the subject key identifier is needed for
- certification path building.
-***********************************************************************/
-
-import (
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type authorityKeyIdMissing struct{}
-
-func (l *authorityKeyIdMissing) Initialize() error {
- return nil
-}
-
-func (l *authorityKeyIdMissing) CheckApplies(c *x509.Certificate) bool {
- return !util.IsRootCA(c)
-}
-
-func (l *authorityKeyIdMissing) Execute(c *x509.Certificate) *LintResult {
- if !util.IsExtInCert(c, util.AuthkeyOID) && !util.IsSelfSigned(c) {
- return &LintResult{Status: Error}
- } else {
- return &LintResult{Status: Pass}
- }
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_ext_authority_key_identifier_missing",
- Description: "CAs must support key identifiers and include them in all certificates",
- Citation: "RFC 5280: 4.2 & 4.2.1.1",
- Source: RFC5280,
- EffectiveDate: util.RFC2459Date,
- Lint: &authorityKeyIdMissing{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_ext_authority_key_identifier_no_key_identifier.go b/vendor/github.com/zmap/zlint/lints/lint_ext_authority_key_identifier_no_key_identifier.go
deleted file mode 100644
index 2fd632fb5..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_ext_authority_key_identifier_no_key_identifier.go
+++ /dev/null
@@ -1,64 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-/***********************************************************************
-RFC 5280: 4.2.1.1
-The keyIdentifier field of the authorityKeyIdentifier extension MUST
- be included in all certificates generated by conforming CAs to
- facilitate certification path construction. There is one exception;
- where a CA distributes its public key in the form of a "self-signed"
- certificate, the authority key identifier MAY be omitted. The
- signature on a self-signed certificate is generated with the private
- key associated with the certificate's subject public key. (This
- proves that the issuer possesses both the public and private keys.)
- In this case, the subject and authority key identifiers would be
- identical, but only the subject key identifier is needed for
- certification path building.
-***********************************************************************/
-
-import (
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type authorityKeyIdNoKeyIdField struct{}
-
-func (l *authorityKeyIdNoKeyIdField) Initialize() error {
- return nil
-}
-
-func (l *authorityKeyIdNoKeyIdField) CheckApplies(c *x509.Certificate) bool {
- return true
-}
-
-func (l *authorityKeyIdNoKeyIdField) Execute(c *x509.Certificate) *LintResult {
- if c.AuthorityKeyId == nil && !util.IsSelfSigned(c) { //will be nil by default if not found in x509.parseCert
- return &LintResult{Status: Error}
- } else {
- return &LintResult{Status: Pass}
- }
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_ext_authority_key_identifier_no_key_identifier",
- Description: "CAs must include keyIdentifer field of AKI in all non-self-issued certificates",
- Citation: "RFC 5280: 4.2.1.1",
- Source: RFC5280,
- EffectiveDate: util.RFC2459Date,
- Lint: &authorityKeyIdNoKeyIdField{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_ext_cert_policy_contains_noticeref.go b/vendor/github.com/zmap/zlint/lints/lint_ext_cert_policy_contains_noticeref.go
deleted file mode 100644
index 33e11ce31..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_ext_cert_policy_contains_noticeref.go
+++ /dev/null
@@ -1,66 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-/********************************************************************
-The user notice has two optional fields: the noticeRef field and the
-explicitText field. Conforming CAs SHOULD NOT use the noticeRef
-option.
-********************************************************************/
-
-import (
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type noticeRefPres struct{}
-
-func (l *noticeRefPres) Initialize() error {
- return nil
-}
-
-func (l *noticeRefPres) CheckApplies(c *x509.Certificate) bool {
- return util.IsExtInCert(c, util.CertPolicyOID)
-}
-
-func (l *noticeRefPres) Execute(c *x509.Certificate) *LintResult {
- for _, firstLvl := range c.NoticeRefNumbers {
- for _, number := range firstLvl {
- if number != nil {
- return &LintResult{Status: Warn}
- }
- }
- }
- for _, firstLvl := range c.NoticeRefOrgnization {
- for _, org := range firstLvl {
- if len(org.Bytes) != 0 {
- return &LintResult{Status: Warn}
- }
- }
- }
-
- return &LintResult{Status: Pass}
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "w_ext_cert_policy_contains_noticeref",
- Description: "Compliant certificates SHOULD NOT use the noticeRef option",
- Citation: "RFC 5280: 4.2.1.4",
- Source: RFC5280,
- EffectiveDate: util.RFC5280Date,
- Lint: ¬iceRefPres{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_ext_cert_policy_disallowed_any_policy_qualifier.go b/vendor/github.com/zmap/zlint/lints/lint_ext_cert_policy_disallowed_any_policy_qualifier.go
deleted file mode 100644
index e98c2ff39..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_ext_cert_policy_disallowed_any_policy_qualifier.go
+++ /dev/null
@@ -1,63 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-/*******************************************************************
-RFC 5280: 4.2.1.4
-To promote interoperability, this profile RECOMMENDS that policy
-information terms consist of only an OID. Where an OID alone is
-insufficient, this profile strongly recommends that the use of
-qualifiers be limited to those identified in this section. When
-qualifiers are used with the special policy anyPolicy, they MUST be
-limited to the qualifiers identified in this section. Only those
-qualifiers returned as a result of path validation are considered.
-********************************************************************/
-
-import (
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type unrecommendedQualifier struct{}
-
-func (l *unrecommendedQualifier) Initialize() error {
- return nil
-}
-
-func (l *unrecommendedQualifier) CheckApplies(c *x509.Certificate) bool {
- return util.IsExtInCert(c, util.CertPolicyOID)
-}
-
-func (l *unrecommendedQualifier) Execute(c *x509.Certificate) *LintResult {
- for _, firstLvl := range c.QualifierId {
- for _, qualifierId := range firstLvl {
- if !qualifierId.Equal(util.CpsOID) && !qualifierId.Equal(util.UserNoticeOID) {
- return &LintResult{Status: Error}
- }
- }
- }
- return &LintResult{Status: Pass}
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_ext_cert_policy_disallowed_any_policy_qualifier",
- Description: "When qualifiers are used with the special policy anyPolicy, they must be limited to qualifiers identified in this section: (4.2.1.4)",
- Citation: "RFC 5280: 4.2.1.4",
- Source: RFC5280,
- EffectiveDate: util.RFC3280Date,
- Lint: &unrecommendedQualifier{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_ext_cert_policy_duplicate.go b/vendor/github.com/zmap/zlint/lints/lint_ext_cert_policy_duplicate.go
deleted file mode 100644
index 0cafbbc92..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_ext_cert_policy_duplicate.go
+++ /dev/null
@@ -1,62 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-/************************************************
- The certificate policies extension contains a sequence of one or more
- policy information terms, each of which consists of an object identifier
- (OID) and optional qualifiers. Optional qualifiers, which MAY be present,
- are not expected to change the definition of the policy. A certificate
- policy OID MUST NOT appear more than once in a certificate policies extension.
-************************************************/
-
-import (
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type ExtCertPolicyDuplicate struct{}
-
-func (l *ExtCertPolicyDuplicate) Initialize() error {
- return nil
-}
-
-func (l *ExtCertPolicyDuplicate) CheckApplies(cert *x509.Certificate) bool {
- return util.IsExtInCert(cert, util.CertPolicyOID)
-}
-
-func (l *ExtCertPolicyDuplicate) Execute(cert *x509.Certificate) *LintResult {
- // O(n^2) is not terrible here because n is small
- for i := 0; i < len(cert.PolicyIdentifiers); i++ {
- for j := i + 1; j < len(cert.PolicyIdentifiers); j++ {
- if i != j && cert.PolicyIdentifiers[i].Equal(cert.PolicyIdentifiers[j]) {
- // Any one duplicate fails the test, so return here
- return &LintResult{Status: Error}
- }
- }
- }
- return &LintResult{Status: Pass}
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_ext_cert_policy_duplicate",
- Description: "A certificate policy OID must not appear more than once in the extension",
- Citation: "RFC 5280: 4.2.1.4",
- Source: RFC5280,
- EffectiveDate: util.RFC5280Date,
- Lint: &ExtCertPolicyDuplicate{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_ext_cert_policy_explicit_text_ia5_string.go b/vendor/github.com/zmap/zlint/lints/lint_ext_cert_policy_explicit_text_ia5_string.go
deleted file mode 100644
index b07470b2b..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_ext_cert_policy_explicit_text_ia5_string.go
+++ /dev/null
@@ -1,71 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-/********************************************************************
-
-An explicitText field includes the textual statement directly in
-the certificate. The explicitText field is a string with a
-maximum size of 200 characters. Conforming CAs SHOULD use the
-UTF8String encoding for explicitText. VisibleString or BMPString
-are acceptable but less preferred alternatives. Conforming CAs
-MUST NOT encode explicitText as IA5String. The explicitText string
-SHOULD NOT include any control characters (e.g., U+0000 to U+001F
-and U+007F to U+009F). When the UTF8String or BMPString encoding
-is used, all character sequences SHOULD be normalized according
-to Unicode normalization form C (NFC) [NFC].
-********************************************************************/
-
-import (
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type explicitTextIA5String struct{}
-
-func (l *explicitTextIA5String) Initialize() error {
- return nil
-}
-
-func (l *explicitTextIA5String) CheckApplies(c *x509.Certificate) bool {
- for _, text := range c.ExplicitTexts {
- if text != nil {
- return true
- }
- }
- return false
-}
-
-func (l *explicitTextIA5String) Execute(c *x509.Certificate) *LintResult {
- for _, firstLvl := range c.ExplicitTexts {
- for _, text := range firstLvl {
- if text.Tag == 22 {
- return &LintResult{Status: Error}
- }
- }
- }
- return &LintResult{Status: Pass}
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_ext_cert_policy_explicit_text_ia5_string",
- Description: "Compliant certificates must not encode explicitTest as an IA5String",
- Citation: "RFC 6818: 3",
- Source: RFC5280,
- EffectiveDate: util.RFC6818Date,
- Lint: &explicitTextIA5String{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_ext_cert_policy_explicit_text_includes_control.go b/vendor/github.com/zmap/zlint/lints/lint_ext_cert_policy_explicit_text_includes_control.go
deleted file mode 100644
index 648d5ed49..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_ext_cert_policy_explicit_text_includes_control.go
+++ /dev/null
@@ -1,89 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-/*********************************************************************
-An explicitText field includes the textual statement directly in
-the certificate. The explicitText field is a string with a
-maximum size of 200 characters. Conforming CAs SHOULD use the
-UTF8String encoding for explicitText, but MAY use IA5String.
-Conforming CAs MUST NOT encode explicitText as VisibleString or
-BMPString. The explicitText string SHOULD NOT include any control
-characters (e.g., U+0000 to U+001F and U+007F to U+009F). When
-the UTF8String encoding is used, all character sequences SHOULD be
-normalized according to Unicode normalization form C (NFC) [NFC].
-*********************************************************************/
-
-import (
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type controlChar struct{}
-
-func (l *controlChar) Initialize() error {
- return nil
-}
-
-func (l *controlChar) CheckApplies(c *x509.Certificate) bool {
- for _, text := range c.ExplicitTexts {
- if text != nil {
- return true
- }
- }
- return false
-}
-
-func (l *controlChar) Execute(c *x509.Certificate) *LintResult {
- for _, firstLvl := range c.ExplicitTexts {
- for _, text := range firstLvl {
- if text.Tag == 12 {
- for i := 0; i < len(text.Bytes); i++ {
- if text.Bytes[i]&0x80 == 0 {
- if text.Bytes[i] < 0x20 || text.Bytes[i] == 0x7f {
- return &LintResult{Status: Warn}
- }
- } else if text.Bytes[i]&0x20 == 0 {
- if text.Bytes[i] == 0xc2 && text.Bytes[i+1] >= 0x80 && text.Bytes[i+1] <= 0x9f {
- return &LintResult{Status: Warn}
- }
- i += 1
- } else if text.Bytes[i]&0x10 == 0 {
- i += 2
- } else if text.Bytes[i]&0x08 == 0 {
- i += 3
- } else if text.Bytes[i]&0x04 == 0 {
- i += 4
- } else if text.Bytes[i]&0x02 == 0 {
- i += 5
- }
- }
- }
- }
- }
-
- return &LintResult{Status: Pass}
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "w_ext_cert_policy_explicit_text_includes_control",
- Description: "Explicit text should not include any control characters",
- Citation: "RFC 6818: 3",
- Source: RFC5280,
- EffectiveDate: util.RFC6818Date,
- Lint: &controlChar{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_ext_cert_policy_explicit_text_not_nfc.go b/vendor/github.com/zmap/zlint/lints/lint_ext_cert_policy_explicit_text_not_nfc.go
deleted file mode 100644
index 781280347..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_ext_cert_policy_explicit_text_not_nfc.go
+++ /dev/null
@@ -1,65 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-/************************************************
- When the UTF8String encoding is used, all character sequences SHOULD be
- normalized according to Unicode normalization form C (NFC) [NFC].
-************************************************/
-
-import (
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
- "golang.org/x/text/unicode/norm"
-)
-
-type ExtCertPolicyExplicitTextNotNFC struct{}
-
-func (l *ExtCertPolicyExplicitTextNotNFC) Initialize() error {
- return nil
-}
-
-func (l *ExtCertPolicyExplicitTextNotNFC) CheckApplies(c *x509.Certificate) bool {
- for _, text := range c.ExplicitTexts {
- if text != nil {
- return true
- }
- }
- return false
-}
-
-func (l *ExtCertPolicyExplicitTextNotNFC) Execute(c *x509.Certificate) *LintResult {
- for _, firstLvl := range c.ExplicitTexts {
- for _, text := range firstLvl {
- if text.Tag == 12 || text.Tag == 30 {
- if !norm.NFC.IsNormal(text.Bytes) {
- return &LintResult{Status: Warn}
- }
- }
- }
- }
- return &LintResult{Status: Pass}
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "w_ext_cert_policy_explicit_text_not_nfc",
- Description: "When utf8string or bmpstring encoding is used for explicitText field in certificate policy, it SHOULD be normalized by NFC format",
- Citation: "RFC6181 3",
- Source: RFC5280,
- EffectiveDate: util.RFC6818Date,
- Lint: &ExtCertPolicyExplicitTextNotNFC{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_ext_cert_policy_explicit_text_not_utf8.go b/vendor/github.com/zmap/zlint/lints/lint_ext_cert_policy_explicit_text_not_utf8.go
deleted file mode 100644
index 754d5eb33..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_ext_cert_policy_explicit_text_not_utf8.go
+++ /dev/null
@@ -1,70 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-/*******************************************************************
-An explicitText field includes the textual statement directly in
-the certificate. The explicitText field is a string with a
-maximum size of 200 characters. Conforming CAs SHOULD use the
-UTF8String encoding for explicitText. VisibleString or BMPString
-are acceptable but less preferred alternatives. Conforming CAs
-MUST NOT encode explicitText as IA5String. The explicitText string
-SHOULD NOT include any control characters (e.g., U+0000 to U+001F
-and U+007F to U+009F). When the UTF8String or BMPString encoding
-is used, all character sequences SHOULD be normalized according
-to Unicode normalization form C (NFC) [NFC].
-*******************************************************************/
-
-import (
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type explicitTextUtf8 struct{}
-
-func (l *explicitTextUtf8) Initialize() error {
- return nil
-}
-
-func (l *explicitTextUtf8) CheckApplies(c *x509.Certificate) bool {
- for _, text := range c.ExplicitTexts {
- if text != nil {
- return true
- }
- }
- return false
-}
-
-func (l *explicitTextUtf8) Execute(c *x509.Certificate) *LintResult {
- for _, firstLvl := range c.ExplicitTexts {
- for _, text := range firstLvl {
- if text.Tag != 12 {
- return &LintResult{Status: Warn}
- }
- }
- }
- return &LintResult{Status: Pass}
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "w_ext_cert_policy_explicit_text_not_utf8",
- Description: "Compliant certificates should use the utf8string encoding for explicitText",
- Citation: "RFC 6818: 3",
- Source: RFC5280,
- EffectiveDate: util.RFC6818Date,
- Lint: &explicitTextUtf8{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_ext_cert_policy_explicit_text_too_long.go b/vendor/github.com/zmap/zlint/lints/lint_ext_cert_policy_explicit_text_too_long.go
deleted file mode 100644
index 6d7879e7f..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_ext_cert_policy_explicit_text_too_long.go
+++ /dev/null
@@ -1,81 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-/*******************************************************************
-An explicitText field includes the textual statement directly in
-the certificate. The explicitText field is a string with a
-maximum size of 200 characters. Conforming CAs SHOULD use the
-UTF8String encoding for explicitText. VisibleString or BMPString
-are acceptable but less preferred alternatives. Conforming CAs
-MUST NOT encode explicitText as IA5String. The explicitText string
-SHOULD NOT include any control characters (e.g., U+0000 to U+001F
-and U+007F to U+009F). When the UTF8String or BMPString encoding
-is used, all character sequences SHOULD be normalized according
-to Unicode normalization form C (NFC) [NFC].
-*******************************************************************/
-
-import (
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type explicitTextTooLong struct{}
-
-const tagBMPString int = 30
-
-func (l *explicitTextTooLong) Initialize() error {
- return nil
-}
-
-func (l *explicitTextTooLong) CheckApplies(c *x509.Certificate) bool {
- for _, text := range c.ExplicitTexts {
- if text != nil {
- return true
- }
- }
- return false
-}
-
-func (l *explicitTextTooLong) Execute(c *x509.Certificate) *LintResult {
- for _, firstLvl := range c.ExplicitTexts {
- for _, text := range firstLvl {
- var runes string
- // If the field is a BMPString, we need to parse the bytes out into
- // UTF-16-BE runes in order to check their length accurately
- // The `Bytes` attribute here is the raw representation of the userNotice
- if text.Tag == tagBMPString {
- runes, _ = util.ParseBMPString(text.Bytes)
- } else {
- runes = string(text.Bytes)
- }
- if len(runes) > 200 {
- return &LintResult{Status: Error}
- }
- }
- }
- return &LintResult{Status: Pass}
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_ext_cert_policy_explicit_text_too_long",
- Description: "Explicit text has a maximum size of 200 characters",
- Citation: "RFC 6818: 3",
- Source: RFC5280,
- EffectiveDate: util.RFC6818Date,
- Lint: &explicitTextTooLong{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_ext_crl_distribution_marked_critical.go b/vendor/github.com/zmap/zlint/lints/lint_ext_crl_distribution_marked_critical.go
deleted file mode 100644
index be2aa9706..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_ext_crl_distribution_marked_critical.go
+++ /dev/null
@@ -1,56 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-/************************************************
-The CRL distribution points extension identifies how CRL information is obtained. The extension SHOULD be non-critical, but this profile RECOMMENDS support for this extension by CAs and applications.
-************************************************/
-
-import (
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type ExtCrlDistributionMarkedCritical struct{}
-
-func (l *ExtCrlDistributionMarkedCritical) Initialize() error {
- return nil
-}
-
-func (l *ExtCrlDistributionMarkedCritical) CheckApplies(cert *x509.Certificate) bool {
- return util.IsExtInCert(cert, util.CrlDistOID)
-}
-
-func (l *ExtCrlDistributionMarkedCritical) Execute(cert *x509.Certificate) *LintResult {
- if e := util.GetExtFromCert(cert, util.CrlDistOID); e != nil {
- if e.Critical == false {
- return &LintResult{Status: Pass}
- } else {
- return &LintResult{Status: Warn}
- }
- }
- return &LintResult{Status: NA}
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "w_ext_crl_distribution_marked_critical",
- Description: "If included, the CRL Distribution Points extension SHOULD NOT be marked critical",
- Citation: "RFC 5280: 4.2.1.13",
- Source: RFC5280,
- EffectiveDate: util.RFC2459Date,
- Lint: &ExtCrlDistributionMarkedCritical{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_ext_duplicate_extension.go b/vendor/github.com/zmap/zlint/lints/lint_ext_duplicate_extension.go
deleted file mode 100644
index 01acbbadd..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_ext_duplicate_extension.go
+++ /dev/null
@@ -1,58 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-/************************************************
-"A certificate MUST NOT include more than one instance of a particular extension."
-************************************************/
-
-import (
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type ExtDuplicateExtension struct{}
-
-func (l *ExtDuplicateExtension) Initialize() error {
- return nil
-}
-
-func (l *ExtDuplicateExtension) CheckApplies(cert *x509.Certificate) bool {
- return cert.Version == 3
-}
-
-func (l *ExtDuplicateExtension) Execute(cert *x509.Certificate) *LintResult {
- // O(n^2) is not terrible here because n is capped around 10
- for i := 0; i < len(cert.Extensions); i++ {
- for j := i + 1; j < len(cert.Extensions); j++ {
- if i != j && cert.Extensions[i].Id.Equal(cert.Extensions[j].Id) {
- return &LintResult{Status: Error}
- }
- }
- }
- // Nested loop will return if it finds a duplicate, so safe to assume pass
- return &LintResult{Status: Pass}
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_ext_duplicate_extension",
- Description: "A certificate MUST NOT include more than one instance of a particular extension",
- Citation: "RFC 5280: 4.2",
- Source: RFC5280,
- EffectiveDate: util.RFC2459Date,
- Lint: &ExtDuplicateExtension{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_ext_freshest_crl_marked_critical.go b/vendor/github.com/zmap/zlint/lints/lint_ext_freshest_crl_marked_critical.go
deleted file mode 100644
index b2faac927..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_ext_freshest_crl_marked_critical.go
+++ /dev/null
@@ -1,56 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-/************************************************
-The freshest CRL extension identifies how delta CRL information is obtained. The extension MUST be marked as non-critical by conforming CAs. Further discussion of CRL management is contained in Section 5.
-************************************************/
-
-import (
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zcrypto/x509/pkix"
- "github.com/zmap/zlint/util"
-)
-
-type ExtFreshestCrlMarkedCritical struct{}
-
-func (l *ExtFreshestCrlMarkedCritical) Initialize() error {
- return nil
-}
-
-func (l *ExtFreshestCrlMarkedCritical) CheckApplies(cert *x509.Certificate) bool {
- return util.IsExtInCert(cert, util.FreshCRLOID)
-}
-
-func (l *ExtFreshestCrlMarkedCritical) Execute(cert *x509.Certificate) *LintResult {
- var fCRL *pkix.Extension = util.GetExtFromCert(cert, util.FreshCRLOID)
- if fCRL != nil && fCRL.Critical {
- return &LintResult{Status: Error}
- } else if fCRL != nil && !fCRL.Critical {
- return &LintResult{Status: Pass}
- }
- return &LintResult{Status: NA} //shouldn't happen
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_ext_freshest_crl_marked_critical",
- Description: "Freshest CRL MUST be marked as non-critical by conforming CAs",
- Citation: "RFC 5280: 4.2.1.15",
- Source: RFC5280,
- EffectiveDate: util.RFC3280Date,
- Lint: &ExtFreshestCrlMarkedCritical{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_ext_ian_critical.go b/vendor/github.com/zmap/zlint/lints/lint_ext_ian_critical.go
deleted file mode 100644
index 00a2182ce..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_ext_ian_critical.go
+++ /dev/null
@@ -1,55 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-/************************************************
-Issuer Alternative Name
- As with Section 4.2.1.6, this extension is used to associate Internet style identities with the certificate issuer. Issuer alternative name MUST be encoded as in 4.2.1.6. Issuer alternative names are not processed as part of the certification path validation algorithm in Section 6. (That is, issuer alternative names are not used in name chaining and name constraints are not enforced.)
- Where present, conforming CAs SHOULD mark this extension as non-critical.
-************************************************/
-
-import (
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type ExtIANCritical struct{}
-
-func (l *ExtIANCritical) Initialize() error {
- return nil
-}
-
-func (l *ExtIANCritical) CheckApplies(cert *x509.Certificate) bool {
- return util.IsExtInCert(cert, util.IssuerAlternateNameOID)
-}
-
-func (l *ExtIANCritical) Execute(cert *x509.Certificate) *LintResult {
- if util.GetExtFromCert(cert, util.IssuerAlternateNameOID).Critical {
- return &LintResult{Status: Warn}
- } else {
- return &LintResult{Status: Pass}
- }
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "w_ext_ian_critical",
- Description: "Issuer alternate name should be marked as non-critical",
- Citation: "RFC 5280: 4.2.1.7",
- Source: RFC5280,
- EffectiveDate: util.RFC2459Date,
- Lint: &ExtIANCritical{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_ext_ian_dns_not_ia5_string.go b/vendor/github.com/zmap/zlint/lints/lint_ext_ian_dns_not_ia5_string.go
deleted file mode 100644
index 8b63acdc3..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_ext_ian_dns_not_ia5_string.go
+++ /dev/null
@@ -1,73 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-/********************************************************************
-RFC 5280: 4.2.1.7
-When the subjectAltName extension contains a domain name system
-label, the domain name MUST be stored in the DNSName (an IA5String).
-The name MUST be in the "preferred name syntax", as specified by
-Section 3.5 of [RFC1034] and as modified by Section 2.1 of
-[RFC1123]. Note that while uppercase and lowercase letters are
-allowed in domain names, no significance is attached to the case. In
-addition, while the string " " is a legal domain name, subjectAltName
-extensions with a DNSName of " " MUST NOT be used. Finally, the use
-of the DNS representation for Internet mail addresses
-(subscriber.example.com instead of subscriber@example.com) MUST NOT
-be used; such identities are to be encoded as rfc822Name. Rules for
-encoding internationalized domain names are specified in Section 7.2.
-********************************************************************/
-
-import (
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type IANDNSNotIA5String struct{}
-
-func (l *IANDNSNotIA5String) Initialize() error {
- return nil
-}
-
-func (l *IANDNSNotIA5String) CheckApplies(c *x509.Certificate) bool {
- return util.IsExtInCert(c, util.IssuerAlternateNameOID)
-}
-
-func (l *IANDNSNotIA5String) Execute(c *x509.Certificate) *LintResult {
- ext := util.GetExtFromCert(c, util.IssuerAlternateNameOID)
- if ext == nil {
- return &LintResult{Status: Fatal}
- }
- ok, err := util.AllAlternateNameWithTagAreIA5(ext, util.DNSNameTag)
- if err != nil {
- return &LintResult{Status: Fatal}
- }
- if ok {
- return &LintResult{Status: Pass}
- } else {
- return &LintResult{Status: Error}
- }
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_ext_ian_dns_not_ia5_string",
- Description: "DNSNames MUST be IA5 strings",
- Citation: "RFC 5280: 4.2.1.7",
- Source: RFC5280,
- EffectiveDate: util.RFC2459Date,
- Lint: &IANDNSNotIA5String{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_ext_ian_empty_name.go b/vendor/github.com/zmap/zlint/lints/lint_ext_ian_empty_name.go
deleted file mode 100644
index d0a5428ea..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_ext_ian_empty_name.go
+++ /dev/null
@@ -1,80 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-/******************************************************************
-RFC 5280: 4.2.1.7
-If the subjectAltName extension is present, the sequence MUST contain
-at least one entry. Unlike the subject field, conforming CAs MUST
-NOT issue certificates with subjectAltNames containing empty
-GeneralName fields. For example, an rfc822Name is represented as an
-IA5String. While an empty string is a valid IA5String, such an
-rfc822Name is not permitted by this profile. The behavior of clients
-that encounter such a certificate when processing a certification
-path is not defined by this profile.
-******************************************************************/
-
-import (
- "encoding/asn1"
-
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type IANEmptyName struct{}
-
-func (l *IANEmptyName) Initialize() error {
- return nil
-}
-
-func (l *IANEmptyName) CheckApplies(c *x509.Certificate) bool {
- return util.IsExtInCert(c, util.IssuerAlternateNameOID)
-}
-
-func (l *IANEmptyName) Execute(c *x509.Certificate) *LintResult {
- value := util.GetExtFromCert(c, util.IssuerAlternateNameOID).Value
- var seq asn1.RawValue
- if _, err := asn1.Unmarshal(value, &seq); err != nil {
- return &LintResult{Status: Fatal}
- }
- if !seq.IsCompound || seq.Tag != 16 || seq.Class != 0 {
- return &LintResult{Status: Fatal}
- }
-
- rest := seq.Bytes
- for len(rest) > 0 {
- var v asn1.RawValue
- var err error
- rest, err = asn1.Unmarshal(rest, &v)
- if err != nil {
- return &LintResult{Status: NA}
- }
- if len(v.Bytes) == 0 {
- return &LintResult{Status: Error}
- }
- }
- return &LintResult{Status: Pass}
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_ext_ian_empty_name",
- Description: "General name fields must not be empty in IAN",
- Citation: "RFC 5280: 4.2.1.7",
- Source: RFC5280,
- EffectiveDate: util.RFC2459Date,
- Lint: &IANEmptyName{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_ext_ian_no_entries.go b/vendor/github.com/zmap/zlint/lints/lint_ext_ian_no_entries.go
deleted file mode 100644
index b36607399..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_ext_ian_no_entries.go
+++ /dev/null
@@ -1,62 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-/**********************************************************************
-RFC 5280: 4.2.1.7
-If the issuerAltName extension is present, the sequence MUST contain
- at least one entry. Unlike the subject field, conforming CAs MUST
- NOT issue certificates with subjectAltNames containing empty
- GeneralName fields. For example, an rfc822Name is represented as an
- IA5String. While an empty string is a valid IA5String, such an
- rfc822Name is not permitted by this profile. The behavior of clients
- that encounter such a certificate when processing a certification
- path is not defined by this profile.
-***********************************************************************/
-
-import (
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type IANNoEntry struct{}
-
-func (l *IANNoEntry) Initialize() error {
- return nil
-}
-
-func (l *IANNoEntry) CheckApplies(c *x509.Certificate) bool {
- return util.IsExtInCert(c, util.IssuerAlternateNameOID)
-}
-
-func (l *IANNoEntry) Execute(c *x509.Certificate) *LintResult {
- ian := util.GetExtFromCert(c, util.IssuerAlternateNameOID)
- if util.IsEmptyASN1Sequence(ian.Value) {
- return &LintResult{Status: Error}
- } else {
- return &LintResult{Status: Pass}
- }
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_ext_ian_no_entries",
- Description: "If present, the IAN extension must contain at least one entry",
- Citation: "RFC 5280: 4.2.1.7",
- Source: RFC5280,
- EffectiveDate: util.RFC2459Date,
- Lint: &IANNoEntry{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_ext_ian_rfc822_format_invalid.go b/vendor/github.com/zmap/zlint/lints/lint_ext_ian_rfc822_format_invalid.go
deleted file mode 100644
index db89f686d..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_ext_ian_rfc822_format_invalid.go
+++ /dev/null
@@ -1,69 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-/************************************************************************
-RFC 5280: 4.2.1.6
- When the issuerAltName extension contains an Internet mail address,
- the address MUST be stored in the rfc822Name. The format of an
- rfc822Name is a "Mailbox" as defined in Section 4.1.2 of [RFC2821].
- A Mailbox has the form "Local-part@Domain". Note that a Mailbox has
- no phrase (such as a common name) before it, has no comment (text
- surrounded in parentheses) after it, and is not surrounded by "<" and
- ">". Rules for encoding Internet mail addresses that include
- internationalized domain names are specified in Section 7.5.
-************************************************************************/
-
-import (
- "strings"
-
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type IANEmail struct{}
-
-func (l *IANEmail) Initialize() error {
- return nil
-}
-
-func (l *IANEmail) CheckApplies(c *x509.Certificate) bool {
- return util.IsExtInCert(c, util.IssuerAlternateNameOID)
-}
-
-func (l *IANEmail) Execute(c *x509.Certificate) *LintResult {
- for _, str := range c.IANEmailAddresses {
- if str == "" {
- continue
- }
- if strings.Contains(str, " ") {
- return &LintResult{Status: Error}
- } else if str[0] == '<' || str[len(str)-1] == ')' {
- return &LintResult{Status: Error}
- }
- }
- return &LintResult{Status: Pass}
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_ext_ian_rfc822_format_invalid",
- Description: "Email must not be surrounded with `<>`, and there MUST NOT be trailing comments in `()`",
- Citation: "RFC 5280: 4.2.1.7",
- Source: RFC5280,
- EffectiveDate: util.RFC2459Date,
- Lint: &IANEmail{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_ext_ian_space_dns_name.go b/vendor/github.com/zmap/zlint/lints/lint_ext_ian_space_dns_name.go
deleted file mode 100644
index 746c66620..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_ext_ian_space_dns_name.go
+++ /dev/null
@@ -1,66 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-/**********************************************************************
-RFC 5280: 4.2.1.7
-When the issuerAltName extension contains a domain name system
-label, the domain name MUST be stored in the dNSName (an IA5String).
-The name MUST be in the "preferred name syntax", as specified by
-Section 3.5 of [RFC1034] and as modified by Section 2.1 of
-[RFC1123]. Note that while uppercase and lowercase letters are
-allowed in domain names, no significance is attached to the case. In
-addition, while the string " " is a legal domain name, subjectAltName
-extensions with a dNSName of " " MUST NOT be used. Finally, the use
-of the DNS representation for Internet mail addresses
-(subscriber.example.com instead of subscriber@example.com) MUST NOT
-be used; such identities are to be encoded as rfc822Name. Rules for
-encoding internationalized domain names are specified in Section 7.2.
-**********************************************************************/
-
-import (
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type IANSpace struct{}
-
-func (l *IANSpace) Initialize() error {
- return nil
-}
-
-func (l *IANSpace) CheckApplies(c *x509.Certificate) bool {
- return util.IsExtInCert(c, util.IssuerAlternateNameOID)
-}
-
-func (l *IANSpace) Execute(c *x509.Certificate) *LintResult {
- for _, dns := range c.IANDNSNames {
- if dns == " " {
- return &LintResult{Status: Error}
- }
- }
- return &LintResult{Status: Pass}
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_ext_ian_space_dns_name",
- Description: "dNSName ' ' MUST NOT be used",
- Citation: "RFC 5280: 4.2.1.6",
- Source: RFC5280,
- EffectiveDate: util.RFC2459Date,
- Lint: &IANSpace{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_ext_ian_uri_format_invalid.go b/vendor/github.com/zmap/zlint/lints/lint_ext_ian_uri_format_invalid.go
deleted file mode 100644
index 325a42031..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_ext_ian_uri_format_invalid.go
+++ /dev/null
@@ -1,69 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-/************************************************
-The name MUST include both a
-scheme (e.g., "http" or "ftp") and a scheme-specific-part.
-************************************************/
-
-import (
- "net/url"
-
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type IANURIFormat struct{}
-
-func (l *IANURIFormat) Initialize() error {
- return nil
-}
-
-func (l *IANURIFormat) CheckApplies(c *x509.Certificate) bool {
- return util.IsExtInCert(c, util.IssuerAlternateNameOID)
-}
-
-func (l *IANURIFormat) Execute(c *x509.Certificate) *LintResult {
- for _, uri := range c.IANURIs {
- parsed_uri, err := url.Parse(uri)
-
- if err != nil {
- return &LintResult{Status: Error}
- }
-
- //scheme
- if parsed_uri.Scheme == "" {
- return &LintResult{Status: Error}
- }
-
- //scheme-specific part
- if parsed_uri.Host == "" && parsed_uri.User == nil && parsed_uri.Opaque == "" && parsed_uri.Path == "" {
- return &LintResult{Status: Error}
- }
- }
- return &LintResult{Status: Pass}
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_ext_ian_uri_format_invalid",
- Description: "URIs in the subjectAltName extension MUST have a scheme and scheme specific part",
- Citation: "RFC5280: 4.2.1.6",
- Source: RFC5280,
- EffectiveDate: util.RFC5280Date,
- Lint: &IANURIFormat{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_ext_ian_uri_host_not_fqdn_or_ip.go b/vendor/github.com/zmap/zlint/lints/lint_ext_ian_uri_host_not_fqdn_or_ip.go
deleted file mode 100644
index 3590f1abf..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_ext_ian_uri_host_not_fqdn_or_ip.go
+++ /dev/null
@@ -1,71 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-/*********************************************************************
-When the issuerAltName extension contains a URI, the name MUST be
-stored in the uniformResourceIdentifier (an IA5String). The name
-MUST NOT be a relative URI, and it MUST follow the URI syntax and
-encoding rules specified in [RFC3986]. The name MUST include both a
-scheme (e.g., "http" or "ftp") and a scheme-specific-part. URIs that
-include an authority ([RFC3986], Section 3.2) MUST include a fully
-qualified domain name or IP address as the host. Rules for encoding
-Internationalized Resource Identifiers (IRIs) are specified in
-Section 7.4.
-*********************************************************************/
-
-import (
- "net/url"
-
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type IANURIFQDNOrIP struct{}
-
-func (l *IANURIFQDNOrIP) Initialize() error {
- return nil
-}
-
-func (l *IANURIFQDNOrIP) CheckApplies(c *x509.Certificate) bool {
- return util.IsExtInCert(c, util.IssuerAlternateNameOID)
-}
-
-func (l *IANURIFQDNOrIP) Execute(c *x509.Certificate) *LintResult {
- for _, uri := range c.IANURIs {
- if uri != "" {
- parsedUrl, err := url.Parse(uri)
- if err != nil {
- return &LintResult{Status: Error}
- }
- host := parsedUrl.Host
- if !util.AuthIsFQDNOrIP(host) {
- return &LintResult{Status: Error}
- }
- }
- }
- return &LintResult{Status: Pass}
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_ext_ian_uri_host_not_fqdn_or_ip",
- Description: "URIs that include an authority ([RFC3986], Section 3.2) MUST include a fully qualified domain name or IP address as the host",
- Citation: "RFC 5280: 4.2.1.6",
- Source: RFC5280,
- EffectiveDate: util.RFC5280Date,
- Lint: &IANURIFQDNOrIP{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_ext_ian_uri_not_ia5.go b/vendor/github.com/zmap/zlint/lints/lint_ext_ian_uri_not_ia5.go
deleted file mode 100644
index 044871945..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_ext_ian_uri_not_ia5.go
+++ /dev/null
@@ -1,59 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-/************************************************
-When the issuerAltName extension contains a URI, the name MUST be
-stored in the uniformResourceIdentifier (an IA5String).
-************************************************/
-
-import (
- "unicode"
-
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type IANURIIA5String struct{}
-
-func (l *IANURIIA5String) Initialize() error {
- return nil
-}
-
-func (l *IANURIIA5String) CheckApplies(c *x509.Certificate) bool {
- return util.IsExtInCert(c, util.IssuerAlternateNameOID)
-}
-
-func (l *IANURIIA5String) Execute(c *x509.Certificate) *LintResult {
- for _, uri := range c.IANURIs {
- for _, c := range uri {
- if c > unicode.MaxASCII {
- return &LintResult{Status: Error}
- }
- }
- }
- return &LintResult{Status: Pass}
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_ext_ian_uri_not_ia5",
- Description: "When subjectAltName contains a URI, the name MUST be an IA5 string",
- Citation: "RFC5280: 4.2.1.7",
- Source: RFC5280,
- EffectiveDate: util.RFC5280Date,
- Lint: &IANURIIA5String{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_ext_ian_uri_relative.go b/vendor/github.com/zmap/zlint/lints/lint_ext_ian_uri_relative.go
deleted file mode 100644
index fc9db80a8..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_ext_ian_uri_relative.go
+++ /dev/null
@@ -1,70 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-/*************************************************************************
-When the issuerAltName extension contains a URI, the name MUST be
-stored in the uniformResourceIdentifier (an IA5String). The name
-MUST NOT be a relative URI, and it MUST follow the URI syntax and
-encoding rules specified in [RFC3986]. The name MUST include both a
-scheme (e.g., "http" or "ftp") and a scheme-specific-part. URIs that
-include an authority ([RFC3986], Section 3.2) MUST include a fully
-qualified domain name or IP address as the host. Rules for encoding
-Internationalized Resource Identifiers (IRIs) are specified in
-Section 7.4.
-*************************************************************************/
-
-import (
- "net/url"
-
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type uriRelative struct{}
-
-func (l *uriRelative) Initialize() error {
- return nil
-}
-
-func (l *uriRelative) CheckApplies(c *x509.Certificate) bool {
- return util.IsExtInCert(c, util.IssuerAlternateNameOID)
-}
-
-func (l *uriRelative) Execute(c *x509.Certificate) *LintResult {
- for _, uri := range c.IANURIs {
- parsed_uri, err := url.Parse(uri)
-
- if err != nil {
- return &LintResult{Status: Error}
- }
-
- if !parsed_uri.IsAbs() {
- return &LintResult{Status: Error}
- }
- }
- return &LintResult{Status: Pass}
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_ext_ian_uri_relative",
- Description: "When issuerAltName extension is present and the URI is used, the name MUST NOT be a relative URI",
- Citation: "RFC 5280: 4.2.1.7",
- Source: RFC5280,
- EffectiveDate: util.RFC5280Date,
- Lint: &uriRelative{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_ext_key_usage_cert_sign_without_ca.go b/vendor/github.com/zmap/zlint/lints/lint_ext_key_usage_cert_sign_without_ca.go
deleted file mode 100644
index eba91c54e..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_ext_key_usage_cert_sign_without_ca.go
+++ /dev/null
@@ -1,64 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-/************************************************************************
-RFC 5280: 4.2.1.9
-The cA boolean indicates whether the certified public key may be used
- to verify certificate signatures. If the cA boolean is not asserted,
- then the keyCertSign bit in the key usage extension MUST NOT be
- asserted. If the basic constraints extension is not present in a
- version 3 certificate, or the extension is present but the cA boolean
- is not asserted, then the certified public key MUST NOT be used to
- verify certificate signatures.
-************************************************************************/
-
-import (
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type keyUsageCertSignNoCa struct{}
-
-func (l *keyUsageCertSignNoCa) Initialize() error {
- return nil
-}
-
-func (l *keyUsageCertSignNoCa) CheckApplies(c *x509.Certificate) bool {
- return util.IsExtInCert(c, util.KeyUsageOID)
-}
-
-func (l *keyUsageCertSignNoCa) Execute(c *x509.Certificate) *LintResult {
- if (c.KeyUsage & x509.KeyUsageCertSign) != 0 {
- if c.BasicConstraintsValid && util.IsCACert(c) { //CA certs may assert certtificate signing usage
- return &LintResult{Status: Pass}
- } else {
- return &LintResult{Status: Error}
- }
- } else {
- return &LintResult{Status: Pass}
- }
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_ext_key_usage_cert_sign_without_ca",
- Description: "if the keyCertSign bit is asserted, then the cA bit in the basic constraints extension MUST also be asserted",
- Citation: "RFC 5280: 4.2.1.3 & 4.2.1.9",
- Source: RFC5280,
- EffectiveDate: util.RFC3280Date,
- Lint: &keyUsageCertSignNoCa{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_ext_key_usage_not_critical.go b/vendor/github.com/zmap/zlint/lints/lint_ext_key_usage_not_critical.go
deleted file mode 100644
index 47271d682..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_ext_key_usage_not_critical.go
+++ /dev/null
@@ -1,56 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-// "When present, conforming CAs SHOULD mark this extension as critical."
-
-import (
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type checkKeyUsageCritical struct{}
-
-func (l *checkKeyUsageCritical) Initialize() error {
- return nil
-}
-
-func (l *checkKeyUsageCritical) CheckApplies(c *x509.Certificate) bool {
- return util.IsExtInCert(c, util.KeyUsageOID)
-}
-
-func (l *checkKeyUsageCritical) Execute(c *x509.Certificate) *LintResult {
- // Add actual lint here
- keyUsage := util.GetExtFromCert(c, util.KeyUsageOID)
- if keyUsage == nil {
- return &LintResult{Status: NA}
- }
- if keyUsage.Critical {
- return &LintResult{Status: Pass}
- } else {
- return &LintResult{Status: Warn}
- }
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "w_ext_key_usage_not_critical",
- Description: "The keyUsage extension SHOULD be critical",
- Citation: "RFC 5280: 4.2.1.3",
- Source: RFC5280,
- EffectiveDate: util.RFC2459Date,
- Lint: &checkKeyUsageCritical{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_ext_key_usage_without_bits.go b/vendor/github.com/zmap/zlint/lints/lint_ext_key_usage_without_bits.go
deleted file mode 100644
index 574719fd1..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_ext_key_usage_without_bits.go
+++ /dev/null
@@ -1,58 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-/***********************************************************************
- This profile does not restrict the combinations of bits that may be
- set in an instantiation of the keyUsage extension. However,
- appropriate values for keyUsage extensions for particular algorithms
- are specified in [RFC3279], [RFC4055], and [RFC4491]. When the
- keyUsage extension appears in a certificate, at least one of the bits
- MUST be set to 1.
-***********************************************************************/
-
-import (
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type keyUsageBitsSet struct{}
-
-func (l *keyUsageBitsSet) Initialize() error {
- return nil
-}
-
-func (l *keyUsageBitsSet) CheckApplies(c *x509.Certificate) bool {
- return util.IsExtInCert(c, util.KeyUsageOID)
-}
-
-func (l *keyUsageBitsSet) Execute(c *x509.Certificate) *LintResult {
- if c.KeyUsage == 0 {
- return &LintResult{Status: Error}
- } else {
- return &LintResult{Status: Pass}
- }
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_ext_key_usage_without_bits",
- Description: "When the keyUsage extension is included, at least one bit MUST be set to 1",
- Citation: "RFC 5280: 4.2.1.3",
- Source: RFC5280,
- EffectiveDate: util.RFC5280Date,
- Lint: &keyUsageBitsSet{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_ext_name_constraints_not_critical.go b/vendor/github.com/zmap/zlint/lints/lint_ext_name_constraints_not_critical.go
deleted file mode 100644
index 62b28baa7..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_ext_name_constraints_not_critical.go
+++ /dev/null
@@ -1,62 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-/************************************************************************
-Restrictions are defined in terms of permitted or excluded name
- subtrees. Any name matching a restriction in the excludedSubtrees
- field is invalid regardless of information appearing in the
- permittedSubtrees. Conforming CAs MUST mark this extension as
- critical and SHOULD NOT impose name constraints on the x400Address,
- ediPartyName, or registeredID name forms. Conforming CAs MUST NOT
- issue certificates where name constraints is an empty sequence. That
- is, either the permittedSubtrees field or the excludedSubtrees MUST
- be present.
-************************************************************************/
-
-import (
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type nameConstraintCrit struct{}
-
-func (l *nameConstraintCrit) Initialize() error {
- return nil
-}
-
-func (l *nameConstraintCrit) CheckApplies(c *x509.Certificate) bool {
- return util.IsExtInCert(c, util.NameConstOID)
-}
-
-func (l *nameConstraintCrit) Execute(c *x509.Certificate) *LintResult {
- e := util.GetExtFromCert(c, util.NameConstOID)
- if e.Critical {
- return &LintResult{Status: Pass}
- } else {
- return &LintResult{Status: Error}
- }
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_ext_name_constraints_not_critical",
- Description: "If it is included, conforming CAs MUST mark the name constrains extension as critical",
- Citation: "RFC 5280: 4.2.1.10",
- Source: RFC5280,
- EffectiveDate: util.RFC2459Date,
- Lint: &nameConstraintCrit{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_ext_name_constraints_not_in_ca.go b/vendor/github.com/zmap/zlint/lints/lint_ext_name_constraints_not_in_ca.go
deleted file mode 100644
index dd70b3197..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_ext_name_constraints_not_in_ca.go
+++ /dev/null
@@ -1,60 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-/***********************************************************************
-RFC 5280: 4.2.1.10
-The name constraints extension, which MUST be used only in a CA
- certificate, indicates a name space within which all subject names in
- subsequent certificates in a certification path MUST be located.
- Restrictions apply to the subject distinguished name and apply to
- subject alternative names. Restrictions apply only when the
- specified name form is present. If no name of the type is in the
- certificate, the certificate is acceptable.
-***********************************************************************/
-
-import (
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type nameConstraintNotCa struct{}
-
-func (l *nameConstraintNotCa) Initialize() error {
- return nil
-}
-
-func (l *nameConstraintNotCa) CheckApplies(c *x509.Certificate) bool {
- return util.IsExtInCert(c, util.NameConstOID)
-}
-
-func (l *nameConstraintNotCa) Execute(c *x509.Certificate) *LintResult {
- if !util.IsCACert(c) {
- return &LintResult{Status: Error}
- } else {
- return &LintResult{Status: Pass}
- }
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_ext_name_constraints_not_in_ca",
- Description: "The name constraints extension MUST only be used in CA certificates",
- Citation: "RFC 5280: 4.2.1.10",
- Source: RFC5280,
- EffectiveDate: util.RFC2459Date,
- Lint: &nameConstraintNotCa{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_ext_policy_constraints_empty.go b/vendor/github.com/zmap/zlint/lints/lint_ext_policy_constraints_empty.go
deleted file mode 100644
index 748e71c56..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_ext_policy_constraints_empty.go
+++ /dev/null
@@ -1,75 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-/*************************************************************************
-RFC 5280: 4.2.1.11
-Conforming CAs MUST NOT issue certificates where policy constraints
- is an empty sequence. That is, either the inhibitPolicyMapping field
- or the requireExplicitPolicy field MUST be present. The behavior of
- clients that encounter an empty policy constraints field is not
- addressed in this profile.
-*************************************************************************/
-
-import (
- "encoding/asn1"
-
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type policyConstraintsContents struct{}
-
-func (l *policyConstraintsContents) Initialize() error {
- return nil
-}
-
-func (l *policyConstraintsContents) CheckApplies(c *x509.Certificate) bool {
- if !(util.IsExtInCert(c, util.PolicyConstOID)) {
- return false
- }
- pc := util.GetExtFromCert(c, util.PolicyConstOID)
- var seq asn1.RawValue
- rest, err := asn1.Unmarshal(pc.Value, &seq) //only one sequence, so rest should be empty
- if err != nil || len(rest) != 0 || seq.Tag != 16 || seq.Class != 0 || !seq.IsCompound {
- return false
- }
- return true
-}
-
-func (l *policyConstraintsContents) Execute(c *x509.Certificate) *LintResult {
- pc := util.GetExtFromCert(c, util.PolicyConstOID)
- var seq asn1.RawValue
- _, err := asn1.Unmarshal(pc.Value, &seq) //only one sequence, so rest should be empty
- if err != nil {
- return &LintResult{Status: Fatal}
- }
- if len(seq.Bytes) == 0 {
- return &LintResult{Status: Error}
- }
-
- return &LintResult{Status: Pass}
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_ext_policy_constraints_empty",
- Description: "Conforming CAs MUST NOT issue certificates where policy constraints is an empty sequence. That is, either the inhibitPolicyMapping field or the requireExplicityPolicy field MUST be present",
- Citation: "RFC 5280: 4.2.1.11",
- Source: RFC5280,
- EffectiveDate: util.RFC2459Date,
- Lint: &policyConstraintsContents{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_ext_policy_constraints_not_critical.go b/vendor/github.com/zmap/zlint/lints/lint_ext_policy_constraints_not_critical.go
deleted file mode 100644
index 6a09576ee..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_ext_policy_constraints_not_critical.go
+++ /dev/null
@@ -1,55 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-/************************************************
-RFC 5280: 4.2.1.11
-Conforming CAs MUST mark this extension as critical.
-************************************************/
-
-import (
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type policyConstraintsCritical struct{}
-
-func (l *policyConstraintsCritical) Initialize() error {
- return nil
-}
-
-func (l *policyConstraintsCritical) CheckApplies(c *x509.Certificate) bool {
- return util.IsExtInCert(c, util.PolicyConstOID)
-}
-
-func (l *policyConstraintsCritical) Execute(c *x509.Certificate) *LintResult {
- pc := util.GetExtFromCert(c, util.PolicyConstOID)
- if !pc.Critical {
- return &LintResult{Status: Error}
- } else {
- return &LintResult{Status: Pass}
- }
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_ext_policy_constraints_not_critical",
- Description: "Conforming CAs MUST mark the policy constraints extension as critical",
- Citation: "RFC 5280: 4.2.1.11",
- Source: RFC5280,
- EffectiveDate: util.RFC5280Date,
- Lint: &policyConstraintsCritical{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_ext_policy_map_any_policy.go b/vendor/github.com/zmap/zlint/lints/lint_ext_policy_map_any_policy.go
deleted file mode 100644
index feabaa409..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_ext_policy_map_any_policy.go
+++ /dev/null
@@ -1,64 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-/********************************************************************
-RFC 5280: 4.2.1.5
-Each issuerDomainPolicy named in the policy mappings extension SHOULD
- also be asserted in a certificate policies extension in the same
- certificate. Policies MUST NOT be mapped either to or from the
- special value anyPolicy (Section 4.2.1.4).
-********************************************************************/
-
-import (
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type policyMapAnyPolicy struct{}
-
-func (l *policyMapAnyPolicy) Initialize() error {
- return nil
-}
-
-func (l *policyMapAnyPolicy) CheckApplies(c *x509.Certificate) bool {
- return util.IsExtInCert(c, util.PolicyMapOID)
-}
-
-func (l *policyMapAnyPolicy) Execute(c *x509.Certificate) *LintResult {
- extPolMap := util.GetExtFromCert(c, util.PolicyMapOID)
- polMap, err := util.GetMappedPolicies(extPolMap)
- if err != nil {
- return &LintResult{Status: Fatal}
- }
-
- for _, pair := range polMap {
- if util.AnyPolicyOID.Equal(pair[0]) || util.AnyPolicyOID.Equal(pair[1]) {
- return &LintResult{Status: Error}
- }
- }
- return &LintResult{Status: Pass}
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_ext_policy_map_any_policy",
- Description: "Policies must not be mapped to or from the anyPolicy value",
- Citation: "RFC 5280: 4.2.1.5",
- Source: RFC5280,
- EffectiveDate: util.RFC3280Date,
- Lint: &policyMapAnyPolicy{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_ext_policy_map_not_critical.go b/vendor/github.com/zmap/zlint/lints/lint_ext_policy_map_not_critical.go
deleted file mode 100644
index 97f681500..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_ext_policy_map_not_critical.go
+++ /dev/null
@@ -1,56 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-/**********************************************************
-RFC 5280: 4.2.1.5. Policy Mappings
-This extension MAY be supported by CAs and/or applications.
- Conforming CAs SHOULD mark this extension as critical.
-**********************************************************/
-
-import (
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type policyMapCritical struct{}
-
-func (l *policyMapCritical) Initialize() error {
- return nil
-}
-
-func (l *policyMapCritical) CheckApplies(c *x509.Certificate) bool {
- return util.IsExtInCert(c, util.PolicyMapOID)
-}
-
-func (l *policyMapCritical) Execute(c *x509.Certificate) *LintResult {
- polMap := util.GetExtFromCert(c, util.PolicyMapOID)
- if polMap.Critical {
- return &LintResult{Status: Pass}
- } else {
- return &LintResult{Status: Warn}
- }
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "w_ext_policy_map_not_critical",
- Description: "Policy mappings should be marked as critical",
- Citation: "RFC 5280: 4.2.1.5",
- Source: RFC5280,
- EffectiveDate: util.RFC2459Date,
- Lint: &policyMapCritical{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_ext_policy_map_not_in_cert_policy.go b/vendor/github.com/zmap/zlint/lints/lint_ext_policy_map_not_in_cert_policy.go
deleted file mode 100644
index 8da9fbbb3..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_ext_policy_map_not_in_cert_policy.go
+++ /dev/null
@@ -1,63 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-/*********************************************************************
-RFC 5280: 4.2.1.5
-Each issuerDomainPolicy named in the policy mapping extension SHOULD
- also be asserted in a certificate policies extension in the same
- certificate. Policies SHOULD NOT be mapped either to or from the
- special value anyPolicy (section 4.2.1.5).
-*********************************************************************/
-
-import (
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type policyMapMatchesCertPolicy struct{}
-
-func (l *policyMapMatchesCertPolicy) Initialize() error {
- return nil
-}
-
-func (l *policyMapMatchesCertPolicy) CheckApplies(c *x509.Certificate) bool {
- return util.IsExtInCert(c, util.PolicyMapOID)
-}
-
-func (l *policyMapMatchesCertPolicy) Execute(c *x509.Certificate) *LintResult {
- extPolMap := util.GetExtFromCert(c, util.PolicyMapOID)
- polMap, err := util.GetMappedPolicies(extPolMap)
- if err != nil {
- return &LintResult{Status: Fatal}
- }
- for _, pair := range polMap {
- if !util.SliceContainsOID(c.PolicyIdentifiers, pair[0]) {
- return &LintResult{Status: Warn}
- }
- }
- return &LintResult{Status: Pass}
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "w_ext_policy_map_not_in_cert_policy",
- Description: "Each issuerDomainPolicy named in the policy mappings extension should also be asserted in a certificate policies extension",
- Citation: "RFC 5280: 4.2.1.5",
- Source: RFC5280,
- EffectiveDate: util.RFC3280Date,
- Lint: &policyMapMatchesCertPolicy{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_ext_san_contains_reserved_ip.go b/vendor/github.com/zmap/zlint/lints/lint_ext_san_contains_reserved_ip.go
deleted file mode 100644
index 502037983..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_ext_san_contains_reserved_ip.go
+++ /dev/null
@@ -1,60 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-/************************************************
-BRs: 7.1.4.2.1
-Also as of the Effective Date, the CA SHALL NOT
-issue a certificate with an Expiry Date later than
-1 November 2015 with a subjectAlternativeName extension
-or Subject commonName field containing a Reserved IP
-Address or Internal Name.
-************************************************/
-
-import (
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type SANReservedIP struct{}
-
-func (l *SANReservedIP) Initialize() error {
- return nil
-}
-
-func (l *SANReservedIP) CheckApplies(c *x509.Certificate) bool {
- return c.NotAfter.After(util.NoReservedIP)
-}
-
-func (l *SANReservedIP) Execute(c *x509.Certificate) *LintResult {
- for _, ip := range c.IPAddresses {
- if util.IsIANAReserved(ip) {
- return &LintResult{Status: Error}
- }
- }
-
- return &LintResult{Status: Pass}
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_ext_san_contains_reserved_ip",
- Description: "Effective October 1, 2016, CAs must revoke all unexpired certificates that contains a reserved IP or internal name.",
- Citation: "BRs: 7.1.4.2.1",
- Source: CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
- Lint: &SANReservedIP{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_ext_san_critical_with_subject_dn.go b/vendor/github.com/zmap/zlint/lints/lint_ext_san_critical_with_subject_dn.go
deleted file mode 100644
index babf72477..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_ext_san_critical_with_subject_dn.go
+++ /dev/null
@@ -1,60 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-/************************************************
-Further, if the only subject identity included in the certificate is an
- alternative name form (e.g., an electronic mail address), then the subject
- distinguished name MUST be empty (an empty sequence), and the subjectAltName
- extension MUST be present. If the subject field contains an empty sequence,
- then the issuing CA MUST include a subjectAltName extension that is marked as
- critical. When including the subjectAltName extension in a certificate that
- has a non-empty subject distinguished name, conforming CAs SHOULD mark the
- subjectAltName extension as non-critical.
-************************************************/
-
-import (
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type ExtSANCriticalWithSubjectDN struct{}
-
-func (l *ExtSANCriticalWithSubjectDN) Initialize() error {
- return nil
-}
-
-func (l *ExtSANCriticalWithSubjectDN) CheckApplies(cert *x509.Certificate) bool {
- return util.IsExtInCert(cert, util.SubjectAlternateNameOID)
-}
-
-func (l *ExtSANCriticalWithSubjectDN) Execute(cert *x509.Certificate) *LintResult {
- san := util.GetExtFromCert(cert, util.SubjectAlternateNameOID)
- if san.Critical && util.NotAllNameFieldsAreEmpty(&cert.Subject) {
- return &LintResult{Status: Warn}
- }
- return &LintResult{Status: Pass}
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "w_ext_san_critical_with_subject_dn",
- Description: "If the subject contains a distinguished name, subjectAlternateName SHOULD be non-critical",
- Citation: "RFC 5280: 4.2.1.6",
- Source: CABFBaselineRequirements,
- EffectiveDate: util.RFC5280Date,
- Lint: &ExtSANCriticalWithSubjectDN{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_ext_san_directory_name_present.go b/vendor/github.com/zmap/zlint/lints/lint_ext_san_directory_name_present.go
deleted file mode 100644
index 64b9bfc7e..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_ext_san_directory_name_present.go
+++ /dev/null
@@ -1,59 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-/************************************************************************************************************
-7.1.4.2.1. Subject Alternative Name Extension
-Certificate Field: extensions:subjectAltName
-Required/Optional: Required
-Contents: This extension MUST contain at least one entry. Each entry MUST be either a dNSName containing
-the Fully‐Qualified Domain Name or an iPAddress containing the IP address of a server. The CA MUST
-confirm that the Applicant controls the Fully‐Qualified Domain Name or IP address or has been granted the
-right to use it by the Domain Name Registrant or IP address assignee, as appropriate.
-Wildcard FQDNs are permitted.
-*************************************************************************************************************/
-
-import (
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type SANDirName struct{}
-
-func (l *SANDirName) Initialize() error {
- return nil
-}
-
-func (l *SANDirName) CheckApplies(c *x509.Certificate) bool {
- return util.IsExtInCert(c, util.SubjectAlternateNameOID)
-}
-
-func (l *SANDirName) Execute(c *x509.Certificate) *LintResult {
- if c.DirectoryNames != nil {
- return &LintResult{Status: Error}
- }
- return &LintResult{Status: Pass}
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_ext_san_directory_name_present",
- Description: "The Subject Alternate Name extension MUST contain only 'dnsName' and 'ipaddress' name types",
- Citation: "BRs: 7.1.4.2.1",
- Source: CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
- Lint: &SANDirName{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_ext_san_dns_name_too_long.go b/vendor/github.com/zmap/zlint/lints/lint_ext_san_dns_name_too_long.go
deleted file mode 100644
index 47017c5ab..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_ext_san_dns_name_too_long.go
+++ /dev/null
@@ -1,50 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-import (
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type SANDNSTooLong struct{}
-
-func (l *SANDNSTooLong) Initialize() error {
- return nil
-}
-
-func (l *SANDNSTooLong) CheckApplies(c *x509.Certificate) bool {
- return util.IsExtInCert(c, util.SubjectAlternateNameOID) && len(c.DNSNames) > 0
-}
-
-func (l *SANDNSTooLong) Execute(c *x509.Certificate) *LintResult {
- for _, dns := range c.DNSNames {
- if len(dns) > 253 {
- return &LintResult{Status: Error}
- }
- }
- return &LintResult{Status: Pass}
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_ext_san_dns_name_too_long",
- Description: "DNSName must be less than or equal to 253 bytes",
- Citation: "RFC 5280",
- Source: RFC5280,
- EffectiveDate: util.RFC5280Date,
- Lint: &SANDNSTooLong{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_ext_san_dns_not_ia5_string.go b/vendor/github.com/zmap/zlint/lints/lint_ext_san_dns_not_ia5_string.go
deleted file mode 100644
index 5bc854e75..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_ext_san_dns_not_ia5_string.go
+++ /dev/null
@@ -1,72 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-/********************************************************************
-RFC 5280: 4.2.1.6
-When the subjectAltName extension contains a domain name system
-label, the domain name MUST be stored in the dNSName (an IA5String).
-The name MUST be in the "preferred name syntax", as specified by
-Section 3.5 of [RFC1034] and as modified by Section 2.1 of
-[RFC1123]. Note that while uppercase and lowercase letters are
-allowed in domain names, no significance is attached to the case. In
-addition, while the string " " is a legal domain name, subjectAltName
-extensions with a dNSName of " " MUST NOT be used. Finally, the use
-of the DNS representation for Internet mail addresses
-(subscriber.example.com instead of subscriber@example.com) MUST NOT
-be used; such identities are to be encoded as rfc822Name. Rules for
-encoding internationalized domain names are specified in Section 7.2.
-********************************************************************/
-
-import (
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type SANDNSNotIA5String struct{}
-
-func (l *SANDNSNotIA5String) Initialize() error {
- return nil
-}
-
-func (l *SANDNSNotIA5String) CheckApplies(c *x509.Certificate) bool {
- return util.IsExtInCert(c, util.SubjectAlternateNameOID)
-}
-
-func (l *SANDNSNotIA5String) Execute(c *x509.Certificate) *LintResult {
- ext := util.GetExtFromCert(c, util.SubjectAlternateNameOID)
- if ext == nil {
- return &LintResult{Status: Fatal}
- }
- ok, err := util.AllAlternateNameWithTagAreIA5(ext, util.DNSNameTag)
- if err != nil {
- return &LintResult{Status: Fatal}
- }
- if ok {
- return &LintResult{Status: Pass}
- } else {
- return &LintResult{Status: Error}
- }
-}
-func init() {
- RegisterLint(&Lint{
- Name: "e_ext_san_dns_not_ia5_string",
- Description: "dNSNames MUST be IA5 strings",
- Citation: "RFC 5280: 4.2.1.6",
- Source: RFC5280,
- EffectiveDate: util.RFC2459Date,
- Lint: &SANDNSNotIA5String{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_ext_san_edi_party_name_present.go b/vendor/github.com/zmap/zlint/lints/lint_ext_san_edi_party_name_present.go
deleted file mode 100644
index 603195efe..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_ext_san_edi_party_name_present.go
+++ /dev/null
@@ -1,59 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-/************************************************************************************************************
-7.1.4.2.1. Subject Alternative Name Extension
-Certificate Field: extensions:subjectAltName
-Required/Optional: Required
-Contents: This extension MUST contain at least one entry. Each entry MUST be either a dNSName containing
-the Fully‐Qualified Domain Name or an iPAddress containing the IP address of a server. The CA MUST
-confirm that the Applicant controls the Fully‐Qualified Domain Name or IP address or has been granted the
-right to use it by the Domain Name Registrant or IP address assignee, as appropriate.
-Wildcard FQDNs are permitted.
-*************************************************************************************************************/
-
-import (
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type SANEDI struct{}
-
-func (l *SANEDI) Initialize() error {
- return nil
-}
-
-func (l *SANEDI) CheckApplies(c *x509.Certificate) bool {
- return util.IsExtInCert(c, util.SubjectAlternateNameOID)
-}
-
-func (l *SANEDI) Execute(c *x509.Certificate) *LintResult {
- if c.EDIPartyNames != nil {
- return &LintResult{Status: Error}
- }
- return &LintResult{Status: Pass}
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_ext_san_edi_party_name_present",
- Description: "The Subject Alternate Name extension MUST contain only 'dnsName' and 'ipaddress' name types",
- Citation: "BRs: 7.1.4.2.1",
- Source: CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
- Lint: &SANEDI{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_ext_san_empty_name.go b/vendor/github.com/zmap/zlint/lints/lint_ext_san_empty_name.go
deleted file mode 100644
index e2e9babff..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_ext_san_empty_name.go
+++ /dev/null
@@ -1,80 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-/******************************************************************
-RFC 5280: 4.2.1.6
-If the subjectAltName extension is present, the sequence MUST contain
-at least one entry. Unlike the subject field, conforming CAs MUST
-NOT issue certificates with subjectAltNames containing empty
-GeneralName fields. For example, an rfc822Name is represented as an
-IA5String. While an empty string is a valid IA5String, such an
-rfc822Name is not permitted by this profile. The behavior of clients
-that encounter such a certificate when processing a certification
-path is not defined by this profile.
-******************************************************************/
-
-import (
- "encoding/asn1"
-
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type SANEmptyName struct{}
-
-func (l *SANEmptyName) Initialize() error {
- return nil
-}
-
-func (l *SANEmptyName) CheckApplies(c *x509.Certificate) bool {
- return util.IsExtInCert(c, util.SubjectAlternateNameOID)
-}
-
-func (l *SANEmptyName) Execute(c *x509.Certificate) *LintResult {
- value := util.GetExtFromCert(c, util.SubjectAlternateNameOID).Value
- var seq asn1.RawValue
- if _, err := asn1.Unmarshal(value, &seq); err != nil {
- return &LintResult{Status: Fatal}
- }
- if !seq.IsCompound || seq.Tag != 16 || seq.Class != 0 {
- return &LintResult{Status: Fatal}
- }
-
- rest := seq.Bytes
- for len(rest) > 0 {
- var v asn1.RawValue
- var err error
- rest, err = asn1.Unmarshal(rest, &v)
- if err != nil {
- return &LintResult{Status: NA}
- }
- if len(v.Bytes) == 0 {
- return &LintResult{Status: Error}
- }
- }
- return &LintResult{Status: Pass}
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_ext_san_empty_name",
- Description: "General name fields MUST NOT be empty in subjectAlternateNames",
- Citation: "RFC 5280: 4.2.1.6",
- Source: RFC5280,
- EffectiveDate: util.RFC2459Date,
- Lint: &SANEmptyName{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_ext_san_missing.go b/vendor/github.com/zmap/zlint/lints/lint_ext_san_missing.go
deleted file mode 100644
index ccdc39902..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_ext_san_missing.go
+++ /dev/null
@@ -1,56 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-/************************************************
-BRs: 7.1.4.2.1
-Subject Alternative Name Extension
-Certificate Field: extensions:subjectAltName
-Required/Optional: Required
-************************************************/
-
-import (
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type SANMissing struct{}
-
-func (l *SANMissing) Initialize() error {
- return nil
-}
-
-func (l *SANMissing) CheckApplies(c *x509.Certificate) bool {
- return !util.IsCACert(c)
-}
-
-func (l *SANMissing) Execute(c *x509.Certificate) *LintResult {
- if util.IsExtInCert(c, util.SubjectAlternateNameOID) {
- return &LintResult{Status: Pass}
- } else {
- return &LintResult{Status: Error}
- }
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_ext_san_missing",
- Description: "Subscriber certificates MUST contain the Subject Alternate Name extension",
- Citation: "BRs: 7.1.4.2.1",
- Source: CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
- Lint: &SANMissing{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_ext_san_no_entries.go b/vendor/github.com/zmap/zlint/lints/lint_ext_san_no_entries.go
deleted file mode 100644
index 820f0a4d9..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_ext_san_no_entries.go
+++ /dev/null
@@ -1,62 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-/**********************************************************************
-RFC 5280: 4.2.1.6
-If the subjectAltName extension is present, the sequence MUST contain
- at least one entry. Unlike the subject field, conforming CAs MUST
- NOT issue certificates with subjectAltNames containing empty
- GeneralName fields. For example, an rfc822Name is represented as an
- IA5String. While an empty string is a valid IA5String, such an
- rfc822Name is not permitted by this profile. The behavior of clients
- that encounter such a certificate when processing a certification
- path is not defined by this profile.
-***********************************************************************/
-
-import (
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type SANNoEntry struct{}
-
-func (l *SANNoEntry) Initialize() error {
- return nil
-}
-
-func (l *SANNoEntry) CheckApplies(c *x509.Certificate) bool {
- return util.IsExtInCert(c, util.SubjectAlternateNameOID)
-}
-
-func (l *SANNoEntry) Execute(c *x509.Certificate) *LintResult {
- san := util.GetExtFromCert(c, util.SubjectAlternateNameOID)
- if util.IsEmptyASN1Sequence(san.Value) {
- return &LintResult{Status: Error}
- } else {
- return &LintResult{Status: Pass}
- }
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_ext_san_no_entries",
- Description: "If present, the SAN extension MUST contain at least one entry",
- Citation: "RFC 5280: 4.2.1.6",
- Source: RFC5280,
- EffectiveDate: util.RFC2459Date,
- Lint: &SANNoEntry{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_ext_san_not_critical_without_subject.go b/vendor/github.com/zmap/zlint/lints/lint_ext_san_not_critical_without_subject.go
deleted file mode 100644
index dc8cab2d0..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_ext_san_not_critical_without_subject.go
+++ /dev/null
@@ -1,62 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-/************************************************
-RFC 5280: 4.2.1.6
-Further, if the only subject identity included in the certificate is
- an alternative name form (e.g., an electronic mail address), then the
- subject distinguished name MUST be empty (an empty sequence), and the
- subjectAltName extension MUST be present. If the subject field
- contains an empty sequence, then the issuing CA MUST include a
- subjectAltName extension that is marked as critical. When including
- the subjectAltName extension in a certificate that has a non-empty
- subject distinguished name, conforming CAs SHOULD mark the
- subjectAltName extension as non-critical.
-************************************************/
-
-import (
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type extSANNotCritNoSubject struct{}
-
-func (l *extSANNotCritNoSubject) Initialize() error {
- return nil
-}
-
-func (l *extSANNotCritNoSubject) CheckApplies(c *x509.Certificate) bool {
- return util.IsExtInCert(c, util.SubjectAlternateNameOID)
-}
-
-func (l *extSANNotCritNoSubject) Execute(c *x509.Certificate) *LintResult {
- if e := util.GetExtFromCert(c, util.SubjectAlternateNameOID); !util.NotAllNameFieldsAreEmpty(&c.Subject) && !e.Critical {
- return &LintResult{Status: Error}
- } else {
- return &LintResult{Status: Pass}
- }
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_ext_san_not_critical_without_subject",
- Description: "If there is an empty subject field, then the SAN extension MUST be critical",
- Citation: "RFC 5280: 4.2.1.6",
- Source: RFC5280,
- EffectiveDate: util.RFC2459Date,
- Lint: &extSANNotCritNoSubject{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_ext_san_other_name_present.go b/vendor/github.com/zmap/zlint/lints/lint_ext_san_other_name_present.go
deleted file mode 100644
index dca820081..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_ext_san_other_name_present.go
+++ /dev/null
@@ -1,59 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-/************************************************************************************************************
-7.1.4.2.1. Subject Alternative Name Extension
-Certificate Field: extensions:subjectAltName
-Required/Optional: Required
-Contents: This extension MUST contain at least one entry. Each entry MUST be either a dNSName containing
-the Fully‐Qualified Domain Name or an iPAddress containing the IP address of a server. The CA MUST
-confirm that the Applicant controls the Fully‐Qualified Domain Name or IP address or has been granted the
-right to use it by the Domain Name Registrant or IP address assignee, as appropriate.
-Wildcard FQDNs are permitted.
-*************************************************************************************************************/
-
-import (
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type SANOtherName struct{}
-
-func (l *SANOtherName) Initialize() error {
- return nil
-}
-
-func (l *SANOtherName) CheckApplies(c *x509.Certificate) bool {
- return util.IsExtInCert(c, util.SubjectAlternateNameOID)
-}
-
-func (l *SANOtherName) Execute(c *x509.Certificate) *LintResult {
- if c.OtherNames != nil {
- return &LintResult{Status: Error}
- }
- return &LintResult{Status: Pass}
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_ext_san_other_name_present",
- Description: "The Subject Alternate Name extension MUST contain only 'dnsName' and 'ipaddress' name types.",
- Citation: "BRs: 7.1.4.2.1",
- Source: CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
- Lint: &SANOtherName{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_ext_san_registered_id_present.go b/vendor/github.com/zmap/zlint/lints/lint_ext_san_registered_id_present.go
deleted file mode 100644
index e3d4cfdcd..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_ext_san_registered_id_present.go
+++ /dev/null
@@ -1,59 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-/************************************************************************************************************
-7.1.4.2.1. Subject Alternative Name Extension
-Certificate Field: extensions:subjectAltName
-Required/Optional: Required
-Contents: This extension MUST contain at least one entry. Each entry MUST be either a dNSName containing
-the Fully‐Qualified Domain Name or an iPAddress containing the IP address of a server. The CA MUST
-confirm that the Applicant controls the Fully‐Qualified Domain Name or IP address or has been granted the
-right to use it by the Domain Name Registrant or IP address assignee, as appropriate.
-Wildcard FQDNs are permitted.
-*************************************************************************************************************/
-
-import (
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type SANRegId struct{}
-
-func (l *SANRegId) Initialize() error {
- return nil
-}
-
-func (l *SANRegId) CheckApplies(c *x509.Certificate) bool {
- return util.IsExtInCert(c, util.SubjectAlternateNameOID)
-}
-
-func (l *SANRegId) Execute(c *x509.Certificate) *LintResult {
- if c.RegisteredIDs != nil {
- return &LintResult{Status: Error}
- }
- return &LintResult{Status: Pass}
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_ext_san_registered_id_present",
- Description: "The Subject Alternate Name extension MUST contain only 'dnsName' and 'ipaddress' name types.",
- Citation: "BRs: 7.1.4.2.1",
- Source: CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
- Lint: &SANRegId{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_ext_san_rfc822_format_invalid.go b/vendor/github.com/zmap/zlint/lints/lint_ext_san_rfc822_format_invalid.go
deleted file mode 100644
index c41c5a1d0..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_ext_san_rfc822_format_invalid.go
+++ /dev/null
@@ -1,69 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-/************************************************************************
-RFC 5280: 4.2.1.6
- When the subjectAltName extension contains an Internet mail address,
- the address MUST be stored in the rfc822Name. The format of an
- rfc822Name is a "Mailbox" as defined in Section 4.1.2 of [RFC2821].
- A Mailbox has the form "Local-part@Domain". Note that a Mailbox has
- no phrase (such as a common name) before it, has no comment (text
- surrounded in parentheses) after it, and is not surrounded by "<" and
- ">". Rules for encoding Internet mail addresses that include
- internationalized domain names are specified in Section 7.5.
-************************************************************************/
-
-import (
- "strings"
-
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type invalidEmail struct{}
-
-func (l *invalidEmail) Initialize() error {
- return nil
-}
-
-func (l *invalidEmail) CheckApplies(c *x509.Certificate) bool {
- return util.IsExtInCert(c, util.SubjectAlternateNameOID)
-}
-
-func (l *invalidEmail) Execute(c *x509.Certificate) *LintResult {
- for _, str := range c.EmailAddresses {
- if str == "" {
- continue
- }
- if strings.Contains(str, " ") {
- return &LintResult{Status: Error}
- } else if str[0] == '<' || str[len(str)-1] == ')' {
- return &LintResult{Status: Error}
- }
- }
- return &LintResult{Status: Pass}
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_ext_san_rfc822_format_invalid",
- Description: "Email MUST NOT be surrounded with `<>`, and there must be no trailing comments in `()`",
- Citation: "RFC 5280: 4.2.1.6",
- Source: RFC5280,
- EffectiveDate: util.RFC2459Date,
- Lint: &invalidEmail{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_ext_san_rfc822_name_present.go b/vendor/github.com/zmap/zlint/lints/lint_ext_san_rfc822_name_present.go
deleted file mode 100644
index 32b831949..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_ext_san_rfc822_name_present.go
+++ /dev/null
@@ -1,59 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-/************************************************************************************************************
-7.1.4.2.1. Subject Alternative Name Extension
-Certificate Field: extensions:subjectAltName
-Required/Optional: Required
-Contents: This extension MUST contain at least one entry. Each entry MUST be either a dNSName containing
-the Fully‐Qualified Domain Name or an iPAddress containing the IP address of a server. The CA MUST
-confirm that the Applicant controls the Fully‐Qualified Domain Name or IP address or has been granted the
-right to use it by the Domain Name Registrant or IP address assignee, as appropriate.
-Wildcard FQDNs are permitted.
-*************************************************************************************************************/
-
-import (
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type SANRfc822 struct{}
-
-func (l *SANRfc822) Initialize() error {
- return nil
-}
-
-func (l *SANRfc822) CheckApplies(c *x509.Certificate) bool {
- return util.IsExtInCert(c, util.SubjectAlternateNameOID)
-}
-
-func (l *SANRfc822) Execute(c *x509.Certificate) *LintResult {
- if c.EmailAddresses != nil {
- return &LintResult{Status: Error}
- }
- return &LintResult{Status: Pass}
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_ext_san_rfc822_name_present",
- Description: "The Subject Alternate Name extension MUST contain only 'dnsName' and 'ipaddress' name types.",
- Citation: "BRs: 7.1.4.2.1",
- Source: CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
- Lint: &SANRfc822{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_ext_san_space_dns_name.go b/vendor/github.com/zmap/zlint/lints/lint_ext_san_space_dns_name.go
deleted file mode 100644
index 688297f8a..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_ext_san_space_dns_name.go
+++ /dev/null
@@ -1,66 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-/************************************************************************
-RFC 5280: 4.2.1.6
-When the subjectAltName extension contains a domain name system
- label, the domain name MUST be stored in the dNSName (an IA5String).
- The name MUST be in the "preferred name syntax", as specified by
- Section 3.5 of [RFC1034] and as modified by Section 2.1 of
- [RFC1123]. Note that while uppercase and lowercase letters are
- allowed in domain names, no significance is attached to the case. In
- addition, while the string " " is a legal domain name, subjectAltName
- extensions with a dNSName of " " MUST NOT be used. Finally, the use
- of the DNS representation for Internet mail addresses
- (subscriber.example.com instead of subscriber@example.com) MUST NOT
- be used; such identities are to be encoded as rfc822Name. Rules for
- encoding internationalized domain names are specified in Section 7.2.
-************************************************************************/
-
-import (
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type SANIsSpaceDNS struct{}
-
-func (l *SANIsSpaceDNS) Initialize() error {
- return nil
-}
-
-func (l *SANIsSpaceDNS) CheckApplies(c *x509.Certificate) bool {
- return util.IsExtInCert(c, util.SubjectAlternateNameOID)
-}
-
-func (l *SANIsSpaceDNS) Execute(c *x509.Certificate) *LintResult {
- for _, dns := range c.DNSNames {
- if dns == " " {
- return &LintResult{Status: Error}
- }
- }
- return &LintResult{Status: Pass}
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_ext_san_space_dns_name",
- Description: "The dNSName ` ` MUST NOT be used",
- Citation: "RFC 5280: 4.2.1.6",
- Source: RFC5280,
- EffectiveDate: util.RFC2459Date,
- Lint: &SANIsSpaceDNS{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_ext_san_uniform_resource_identifier_present.go b/vendor/github.com/zmap/zlint/lints/lint_ext_san_uniform_resource_identifier_present.go
deleted file mode 100644
index 27586401d..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_ext_san_uniform_resource_identifier_present.go
+++ /dev/null
@@ -1,59 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-/************************************************************************************************************
-7.1.4.2.1. Subject Alternative Name Extension
-Certificate Field: extensions:subjectAltName
-Required/Optional: Required
-Contents: This extension MUST contain at least one entry. Each entry MUST be either a dNSName containing
-the Fully‐Qualified Domain Name or an iPAddress containing the IP address of a server. The CA MUST
-confirm that the Applicant controls the Fully‐Qualified Domain Name or IP address or has been granted the
-right to use it by the Domain Name Registrant or IP address assignee, as appropriate.
-Wildcard FQDNs are permitted.
-*************************************************************************************************************/
-
-import (
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type SANURI struct{}
-
-func (l *SANURI) Initialize() error {
- return nil
-}
-
-func (l *SANURI) CheckApplies(c *x509.Certificate) bool {
- return util.IsExtInCert(c, util.SubjectAlternateNameOID)
-}
-
-func (l *SANURI) Execute(c *x509.Certificate) *LintResult {
- if c.URIs != nil {
- return &LintResult{Status: Error}
- }
- return &LintResult{Status: Pass}
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_ext_san_uniform_resource_identifier_present",
- Description: "The Subject Alternate Name extension MUST contain only 'dnsName' and 'ipaddress' name types",
- Citation: "BRs: 7.1.4.2.1",
- Source: CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
- Lint: &SANURI{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_ext_san_uri_format_invalid.go b/vendor/github.com/zmap/zlint/lints/lint_ext_san_uri_format_invalid.go
deleted file mode 100644
index 23f22b9d0..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_ext_san_uri_format_invalid.go
+++ /dev/null
@@ -1,69 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-/************************************************
-The name MUST include both a
-scheme (e.g., "http" or "ftp") and a scheme-specific-part.
-************************************************/
-
-import (
- "net/url"
-
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type extSANURIFormatInvalid struct{}
-
-func (l *extSANURIFormatInvalid) Initialize() error {
- return nil
-}
-
-func (l *extSANURIFormatInvalid) CheckApplies(c *x509.Certificate) bool {
- return util.IsExtInCert(c, util.SubjectAlternateNameOID)
-}
-
-func (l *extSANURIFormatInvalid) Execute(c *x509.Certificate) *LintResult {
- for _, uri := range c.URIs {
- parsed_uri, err := url.Parse(uri)
-
- if err != nil {
- return &LintResult{Status: Error}
- }
-
- //scheme
- if parsed_uri.Scheme == "" {
- return &LintResult{Status: Error}
- }
-
- //scheme-specific part
- if parsed_uri.Host == "" && parsed_uri.User == nil && parsed_uri.Opaque == "" && parsed_uri.Path == "" {
- return &LintResult{Status: Error}
- }
- }
- return &LintResult{Status: Pass}
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_ext_san_uri_format_invalid",
- Description: "URIs in SAN extension must have a scheme and scheme specific part",
- Citation: "RFC5280: 4.2.1.6",
- Source: RFC5280,
- EffectiveDate: util.RFC5280Date,
- Lint: &extSANURIFormatInvalid{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_ext_san_uri_host_not_fqdn_or_ip.go b/vendor/github.com/zmap/zlint/lints/lint_ext_san_uri_host_not_fqdn_or_ip.go
deleted file mode 100644
index 6404e43b3..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_ext_san_uri_host_not_fqdn_or_ip.go
+++ /dev/null
@@ -1,76 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-/*********************************************************************
-When the subjectAltName extension contains a URI, the name MUST be
-stored in the uniformResourceIdentifier (an IA5String). The name
-MUST NOT be a relative URI, and it MUST follow the URI syntax and
-encoding rules specified in [RFC3986]. The name MUST include both a
-scheme (e.g., "http" or "ftp") and a scheme-specific-part. URIs that
-include an authority ([RFC3986], Section 3.2) MUST include a fully
-qualified domain name or IP address as the host. Rules for encoding
-Internationalized Resource Identifiers (IRIs) are specified in
-Section 7.4.
-*********************************************************************/
-
-import (
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
- "net/url"
-)
-
-type SANURIHost struct{}
-
-func (l *SANURIHost) Initialize() error {
- return nil
-}
-
-func (l *SANURIHost) CheckApplies(c *x509.Certificate) bool {
- return util.IsExtInCert(c, util.SubjectAlternateNameOID)
-}
-
-func (l *SANURIHost) Execute(c *x509.Certificate) *LintResult {
- for _, uri := range c.URIs {
- if uri != "" {
- parsed, err := url.Parse(uri)
- if err != nil {
- return &LintResult{Status: Error}
- }
- if parsed.Opaque == "" {
- // if Opaque is not empty, that means there is no authority, which means that the URI is vacuously OK
- if parsed.Host == "" {
- return &LintResult{Status: Error}
- }
- if !util.IsFQDNOrIP(parsed.Host) {
- return &LintResult{Status: Error}
- }
- }
- }
- }
-
- return &LintResult{Status: Pass}
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_ext_san_uri_host_not_fqdn_or_ip",
- Description: "URIs that include an authority ([RFC3986], Section 3.2) MUST include a fully qualified domain name or IP address as the host",
- Citation: "RFC 5280: 4.2.1.7",
- Source: RFC5280,
- EffectiveDate: util.RFC5280Date,
- Lint: &SANURIHost{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_ext_san_uri_not_ia5.go b/vendor/github.com/zmap/zlint/lints/lint_ext_san_uri_not_ia5.go
deleted file mode 100644
index 39d92b63a..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_ext_san_uri_not_ia5.go
+++ /dev/null
@@ -1,59 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-/************************************************
-When the subjectAltName extension contains a URI, the name MUST be
-stored in the uniformResourceIdentifier (an IA5String).
-************************************************/
-
-import (
- "unicode"
-
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type extSANURINotIA5 struct{}
-
-func (l *extSANURINotIA5) Initialize() error {
- return nil
-}
-
-func (l *extSANURINotIA5) CheckApplies(c *x509.Certificate) bool {
- return util.IsExtInCert(c, util.SubjectAlternateNameOID)
-}
-
-func (l *extSANURINotIA5) Execute(c *x509.Certificate) *LintResult {
- for _, uri := range c.URIs {
- for _, c := range uri {
- if c > unicode.MaxASCII {
- return &LintResult{Status: Error}
- }
- }
- }
- return &LintResult{Status: Pass}
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_ext_san_uri_not_ia5",
- Description: "When subjectAlternateName contains a URI, the name MUST be an IA5 string",
- Citation: "RFC5280: 4.2.1.6",
- Source: RFC5280,
- EffectiveDate: util.RFC5280Date,
- Lint: &extSANURINotIA5{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_ext_san_uri_relative.go b/vendor/github.com/zmap/zlint/lints/lint_ext_san_uri_relative.go
deleted file mode 100644
index b4314e3cd..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_ext_san_uri_relative.go
+++ /dev/null
@@ -1,70 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-/*************************************************************************
-When the subjectAltName extension contains a URI, the name MUST be
-stored in the uniformResourceIdentifier (an IA5String). The name
-MUST NOT be a relative URI, and it MUST follow the URI syntax and
-encoding rules specified in [RFC3986]. The name MUST include both a
-scheme (e.g., "http" or "ftp") and a scheme-specific-part. URIs that
-include an authority ([RFC3986], Section 3.2) MUST include a fully
-qualified domain name or IP address as the host. Rules for encoding
-Internationalized Resource Identifiers (IRIs) are specified in
-Section 7.4.
-*************************************************************************/
-
-import (
- "net/url"
-
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type extSANURIRelative struct{}
-
-func (l *extSANURIRelative) Initialize() error {
- return nil
-}
-
-func (l *extSANURIRelative) CheckApplies(c *x509.Certificate) bool {
- return util.IsExtInCert(c, util.SubjectAlternateNameOID)
-}
-
-func (l *extSANURIRelative) Execute(c *x509.Certificate) *LintResult {
- for _, uri := range c.URIs {
- parsed_uri, err := url.Parse(uri)
-
- if err != nil {
- return &LintResult{Status: Error}
- }
-
- if !parsed_uri.IsAbs() {
- return &LintResult{Status: Error}
- }
- }
- return &LintResult{Status: Pass}
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_ext_san_uri_relative",
- Description: "When the subjectAlternateName extension is present and a URI is used, the name MUST NOT be a relative URI",
- Citation: "RFC 5280: 4.2.1.6",
- Source: RFC5280,
- EffectiveDate: util.RFC5280Date,
- Lint: &extSANURIRelative{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_ext_subject_directory_attr_critical.go b/vendor/github.com/zmap/zlint/lints/lint_ext_subject_directory_attr_critical.go
deleted file mode 100644
index 687f50e74..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_ext_subject_directory_attr_critical.go
+++ /dev/null
@@ -1,57 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-/************************************************
-RFC 5280: 4.2.1.8
-The subject directory attributes extension is used to convey
- identification attributes (e.g., nationality) of the subject. The
- extension is defined as a sequence of one or more attributes.
- Conforming CAs MUST mark this extension as non-critical.
-************************************************/
-
-import (
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type subDirAttrCrit struct{}
-
-func (l *subDirAttrCrit) Initialize() error {
- return nil
-}
-
-func (l *subDirAttrCrit) CheckApplies(c *x509.Certificate) bool {
- return util.IsExtInCert(c, util.SubjectDirAttrOID)
-}
-
-func (l *subDirAttrCrit) Execute(c *x509.Certificate) *LintResult {
- if e := util.GetExtFromCert(c, util.SubjectDirAttrOID); e.Critical {
- return &LintResult{Status: Error}
- } else {
- return &LintResult{Status: Pass}
- }
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_ext_subject_directory_attr_critical",
- Description: "Conforming CAs MUST mark the Subject Directory Attributes extension as not critical",
- Citation: "RFC 5280: 4.2.1.8",
- Source: RFC5280,
- EffectiveDate: util.RFC2459Date,
- Lint: &subDirAttrCrit{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_ext_subject_key_identifier_critical.go b/vendor/github.com/zmap/zlint/lints/lint_ext_subject_key_identifier_critical.go
deleted file mode 100644
index 256be1326..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_ext_subject_key_identifier_critical.go
+++ /dev/null
@@ -1,55 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-/**********************************************************
-RFC 5280: 4.2.1.2
- Conforming CAs MUST mark this extension as non-critical.
-**********************************************************/
-
-import (
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type subjectKeyIdCritical struct{}
-
-func (l *subjectKeyIdCritical) Initialize() error {
- return nil
-}
-
-func (l *subjectKeyIdCritical) CheckApplies(c *x509.Certificate) bool {
- return util.IsExtInCert(c, util.SubjectKeyIdentityOID)
-}
-
-func (l *subjectKeyIdCritical) Execute(c *x509.Certificate) *LintResult {
- ski := util.GetExtFromCert(c, util.SubjectKeyIdentityOID) //pointer to the extension
- if ski.Critical {
- return &LintResult{Status: Error}
- } else { //implies !ski.Critical
- return &LintResult{Status: Pass}
- }
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_ext_subject_key_identifier_critical",
- Description: "The subject key identifier extension MUST be non-critical",
- Citation: "RFC 5280: 4.2.1.2",
- Source: RFC5280,
- EffectiveDate: util.RFC2459Date,
- Lint: &subjectKeyIdCritical{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_ext_subject_key_identifier_missing_ca.go b/vendor/github.com/zmap/zlint/lints/lint_ext_subject_key_identifier_missing_ca.go
deleted file mode 100644
index 472402a1e..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_ext_subject_key_identifier_missing_ca.go
+++ /dev/null
@@ -1,69 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-/************************************************
- To facilitate certification path construction, this extension MUST
- appear in all conforming CA certificates, that is, all certificates
- including the basic constraints extension (Section 4.2.1.9) where the
- value of cA is TRUE. In conforming CA certificates, the value of the
- subject key identifier MUST be the value placed in the key identifier
- field of the authority key identifier extension (Section 4.2.1.1) of
- certificates issued by the subject of this certificate. Applications
- are not required to verify that key identifiers match when performing
- certification path validation.
- ...
- For end entity certificates, the subject key identifier extension provides
- a means for identifying certificates containing the particular public key
- used in an application. Where an end entity has obtained multiple certificates,
- especially from multiple CAs, the subject key identifier provides a means to
- quickly identify the set of certificates containing a particular public key.
- To assist applications in identifying the appropriate end entity certificate,
- this extension SHOULD be included in all end entity certificates.
-************************************************/
-
-import (
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type subjectKeyIdMissingCA struct{}
-
-func (l *subjectKeyIdMissingCA) Initialize() error {
- return nil
-}
-
-func (l *subjectKeyIdMissingCA) CheckApplies(cert *x509.Certificate) bool {
- return util.IsCACert(cert)
-}
-
-func (l *subjectKeyIdMissingCA) Execute(cert *x509.Certificate) *LintResult {
- if util.IsExtInCert(cert, util.SubjectKeyIdentityOID) {
- return &LintResult{Status: Pass}
- } else {
- return &LintResult{Status: Error}
- }
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_ext_subject_key_identifier_missing_ca",
- Description: "CAs MUST include a Subject Key Identifier in all CA certificates",
- Citation: "RFC 5280: 4.2 & 4.2.1.2",
- Source: RFC5280,
- EffectiveDate: util.RFC2459Date,
- Lint: &subjectKeyIdMissingCA{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_ext_subject_key_identifier_missing_sub_cert.go b/vendor/github.com/zmap/zlint/lints/lint_ext_subject_key_identifier_missing_sub_cert.go
deleted file mode 100644
index b5faf9f32..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_ext_subject_key_identifier_missing_sub_cert.go
+++ /dev/null
@@ -1,69 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-/**********************************************************************
- To facilitate certification path construction, this extension MUST
- appear in all conforming CA certificates, that is, all certificates
- including the basic constraints extension (Section 4.2.1.9) where the
- value of cA is TRUE. In conforming CA certificates, the value of the
- subject key identifier MUST be the value placed in the key identifier
- field of the authority key identifier extension (Section 4.2.1.1) of
- certificates issued by the subject of this certificate. Applications
- are not required to verify that key identifiers match when performing
- certification path validation.
- ...
- For end entity certificates, the subject key identifier extension provides
- a means for identifying certificates containing the particular public key
- used in an application. Where an end entity has obtained multiple certificates,
- especially from multiple CAs, the subject key identifier provides a means to
- quickly identify the set of certificates containing a particular public key.
- To assist applications in identifying the appropriate end entity certificate,
- this extension SHOULD be included in all end entity certificates.
-**********************************************************************/
-
-import (
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type subjectKeyIdMissingSubscriber struct{}
-
-func (l *subjectKeyIdMissingSubscriber) Initialize() error {
- return nil
-}
-
-func (l *subjectKeyIdMissingSubscriber) CheckApplies(cert *x509.Certificate) bool {
- return !util.IsCACert(cert)
-}
-
-func (l *subjectKeyIdMissingSubscriber) Execute(cert *x509.Certificate) *LintResult {
- if util.IsExtInCert(cert, util.SubjectKeyIdentityOID) {
- return &LintResult{Status: Pass}
- } else {
- return &LintResult{Status: Warn}
- }
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "w_ext_subject_key_identifier_missing_sub_cert",
- Description: "Sub certificates SHOULD include Subject Key Identifier in end entity certs",
- Citation: "RFC 5280: 4.2 & 4.2.1.2",
- Source: RFC5280,
- EffectiveDate: util.RFC2459Date,
- Lint: &subjectKeyIdMissingSubscriber{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_ext_tor_service_descriptor_hash_invalid.go b/vendor/github.com/zmap/zlint/lints/lint_ext_tor_service_descriptor_hash_invalid.go
deleted file mode 100644
index dbb6807d1..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_ext_tor_service_descriptor_hash_invalid.go
+++ /dev/null
@@ -1,210 +0,0 @@
-/*
- * ZLint Copyright 2019 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-package lints
-
-import (
- "fmt"
- "net/url"
- "strings"
-
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type torServiceDescHashInvalid struct{}
-
-func (l *torServiceDescHashInvalid) Initialize() error {
- // There is nothing to initialize for a torServiceDescHashInvalid linter.
- return nil
-}
-
-// CheckApplies returns true if the certificate is a subscriber certificate that
-// contains a subject name ending in `.onion`.
-func (l *torServiceDescHashInvalid) CheckApplies(c *x509.Certificate) bool {
- return util.IsSubscriberCert(c) && util.CertificateSubjInTLD(c, onionTLD)
-}
-
-// failResult is a small utility function for creating a failed lint result.
-func failResult(format string, args ...interface{}) *LintResult {
- return &LintResult{
- Status: Error,
- Details: fmt.Sprintf(format, args...),
- }
-}
-
-// torServiceDescExtName is a common string prefix used in many lint result
-// detail messages to identify the extension at fault.
-var torServiceDescExtName = fmt.Sprintf(
- "TorServiceDescriptor extension (oid %s)",
- util.BRTorServiceDescriptor.String())
-
-// lintOnionURL verifies that an Onion URI value from a TorServiceDescriptorHash
-// is:
-//
-// 1) a valid parseable url.
-// 2) a URL with a non-empty hostname
-// 3) a URL with an https:// protocol scheme
-//
-// If all of the above hold then nil is returned. If any of the above conditions
-// are not met an error lint result pointer is returned.
-func lintOnionURL(onion string) *LintResult {
- if onionURL, err := url.Parse(onion); err != nil {
- return failResult(
- "%s contained "+
- "TorServiceDescriptorHash object with invalid Onion URI",
- torServiceDescExtName)
- } else if onionURL.Host == "" {
- return failResult(
- "%s contained "+
- "TorServiceDescriptorHash object with Onion URI missing a hostname",
- torServiceDescExtName)
- } else if onionURL.Scheme != "https" {
- return failResult(
- "%s contained "+
- "TorServiceDescriptorHash object with Onion URI using a non-HTTPS "+
- "protocol scheme",
- torServiceDescExtName)
- }
- return nil
-}
-
-// Execute will lint the provided certificate. An Error LintResult will be
-// returned if:
-//
-// 1) There is no TorServiceDescriptor extension present.
-// 2) There were no TorServiceDescriptors parsed by zcrypto
-// 3) There are TorServiceDescriptorHash entries with an invalid Onion URL.
-// 4) There are TorServiceDescriptorHash entries with an unknown hash
-// algorithm or incorrect hash bit length.
-// 5) There is a TorServiceDescriptorHash entry that doesn't correspond to
-// an onion subject in the cert.
-// 6) There is an onion subject in the cert that doesn't correspond to
-// a TorServiceDescriptorHash.
-func (l *torServiceDescHashInvalid) Execute(c *x509.Certificate) *LintResult {
- // If the BRTorServiceDescriptor extension is missing return a lint error. We
- // know the cert contains one or more `.onion` subjects because of
- // `CheckApplies` and all such certs are expected to have this extension after
- // util.CABV201Date.
- if ext := util.GetExtFromCert(c, util.BRTorServiceDescriptor); ext == nil {
- return failResult(
- "certificate contained a %s domain but is missing a TorServiceDescriptor "+
- "extension (oid %s)",
- onionTLD, util.BRTorServiceDescriptor.String())
- }
-
- // The certificate should have at least one TorServiceDescriptorHash in the
- // TorServiceDescriptor extension.
- descriptors := c.TorServiceDescriptors
- if len(descriptors) == 0 {
- return failResult(
- "certificate contained a %s domain but TorServiceDescriptor "+
- "extension (oid %s) had no TorServiceDescriptorHash objects",
- onionTLD, util.BRTorServiceDescriptor.String())
- }
-
- // Build a map of all the eTLD+1 onion subjects in the cert to compare against
- // the service descriptors.
- onionETLDPlusOneMap := make(map[string]string)
- for _, subj := range append(c.DNSNames, c.Subject.CommonName) {
- if !strings.HasSuffix(subj, onionTLD) {
- continue
- }
- labels := strings.Split(subj, ".")
- if len(labels) < 2 {
- return failResult("certificate contained a %s domain with too few "+
- "labels: %q",
- onionTLD, subj)
- }
- eTLDPlusOne := strings.Join(labels[len(labels)-2:], ".")
- onionETLDPlusOneMap[eTLDPlusOne] = subj
- }
-
- expectedHashBits := map[string]int{
- "SHA256": 256,
- "SHA384": 384,
- "SHA512": 512,
- }
-
- // Build a map of onion hostname -> TorServiceDescriptorHash using the parsed
- // TorServiceDescriptors from zcrypto.
- descriptorMap := make(map[string]*x509.TorServiceDescriptorHash)
- for _, descriptor := range descriptors {
- // each descriptor's Onion URL must be valid
- if errResult := lintOnionURL(descriptor.Onion); errResult != nil {
- return errResult
- }
- // each descriptor should have a known hash algorithm and the correct
- // corresponding size of hash.
- if expectedBits, found := expectedHashBits[descriptor.AlgorithmName]; !found {
- return failResult(
- "%s contained a TorServiceDescriptorHash for Onion URI %q with an "+
- "unknown hash algorithm",
- torServiceDescExtName, descriptor.Onion)
- } else if expectedBits != descriptor.HashBits {
- return failResult(
- "%s contained a TorServiceDescriptorHash with hash algorithm %q but "+
- "only %d bits of hash not %d",
- torServiceDescExtName, descriptor.AlgorithmName,
- descriptor.HashBits, expectedBits)
- }
- // NOTE(@cpu): Throwing out the err result here because lintOnionURL already
- // ensured the URL is valid.
- url, _ := url.Parse(descriptor.Onion)
- hostname := url.Hostname()
- // there should only be one TorServiceDescriptorHash for each Onion hostname.
- if _, exists := descriptorMap[hostname]; exists {
- return failResult(
- "%s contained more than one TorServiceDescriptorHash for base "+
- "Onion URI %q",
- torServiceDescExtName, descriptor.Onion)
- }
- // there shouldn't be a TorServiceDescriptorHash for a Onion hostname that
- // isn't an eTLD+1 in the certificate's subjects.
- if _, found := onionETLDPlusOneMap[hostname]; !found {
- return failResult(
- "%s contained a TorServiceDescriptorHash with a hostname (%q) not "+
- "present as a subject in the certificate",
- torServiceDescExtName, hostname)
- }
- descriptorMap[hostname] = descriptor
- }
-
- // Check if any of the onion subjects in the certificate don't have
- // a TorServiceDescriptorHash for the eTLD+1 in the descriptorMap.
- for eTLDPlusOne, subjDomain := range onionETLDPlusOneMap {
- if _, found := descriptorMap[eTLDPlusOne]; !found {
- return failResult(
- "%s subject domain name %q does not have a corresponding "+
- "TorServiceDescriptorHash for its eTLD+1",
- onionTLD, subjDomain)
- }
- }
-
- // Everything checks out!
- return &LintResult{
- Status: Pass,
- }
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_ext_tor_service_descriptor_hash_invalid",
- Description: "certificates with .onion names need valid TorServiceDescriptors in extension",
- Citation: "BRS: Ballot 201",
- Source: CABFBaselineRequirements,
- EffectiveDate: util.CABV201Date,
- Lint: &torServiceDescHashInvalid{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_extra_subject_common_names.go b/vendor/github.com/zmap/zlint/lints/lint_extra_subject_common_names.go
deleted file mode 100644
index d934754e9..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_extra_subject_common_names.go
+++ /dev/null
@@ -1,51 +0,0 @@
-/*
- * ZLint Copyright 2019 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-package lints
-
-import (
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type extraSubjectCommonNames struct{}
-
-func (l *extraSubjectCommonNames) Initialize() error {
- return nil
-}
-
-func (l *extraSubjectCommonNames) CheckApplies(c *x509.Certificate) bool {
- return util.IsSubscriberCert(c)
-}
-
-func (l *extraSubjectCommonNames) Execute(c *x509.Certificate) *LintResult {
- // Multiple subject commonName fields are not expressly prohibited by section
- // 7.1.4.2.2 but do seem to run afoul of the intent. For that reason we return
- // only a Warn level finding here.
- if len(c.Subject.CommonNames) > 1 {
- return &LintResult{Status: Warn}
- }
- return &LintResult{Status: Pass}
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "w_extra_subject_common_names",
- Description: "if present the subject commonName field MUST contain a single IP address or Fully-Qualified Domain Name",
- Citation: "BRs: 7.1.4.2.2",
- Source: CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
- Lint: &extraSubjectCommonNames{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_generalized_time_does_not_include_seconds.go b/vendor/github.com/zmap/zlint/lints/lint_generalized_time_does_not_include_seconds.go
deleted file mode 100644
index 6ff3801e4..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_generalized_time_does_not_include_seconds.go
+++ /dev/null
@@ -1,96 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-/********************************************************************
-4.1.2.5.2. GeneralizedTime
-The generalized time type, GeneralizedTime, is a standard ASN.1 type
-for variable precision representation of time. Optionally, the
-GeneralizedTime field can include a representation of the time
-differential between local and Greenwich Mean Time.
-
-For the purposes of this profile, GeneralizedTime values MUST be
-expressed in Greenwich Mean Time (Zulu) and MUST include seconds
-(i.e., times are YYYYMMDDHHMMSSZ), even where the number of seconds
-is zero. GeneralizedTime values MUST NOT include fractional seconds.
-********************************************************************/
-
-import (
- "encoding/asn1"
-
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type generalizedNoSeconds struct {
-}
-
-func (l *generalizedNoSeconds) Initialize() error {
- return nil
-}
-
-func (l *generalizedNoSeconds) CheckApplies(c *x509.Certificate) bool {
- firstDate, secondDate := util.GetTimes(c)
- beforeTag, afterTag := util.FindTimeType(firstDate, secondDate)
- date1Gen := beforeTag == 24
- date2Gen := afterTag == 24
- return date1Gen || date2Gen
-}
-
-func (l *generalizedNoSeconds) Execute(c *x509.Certificate) *LintResult {
- r := Pass
- date1, date2 := util.GetTimes(c)
- beforeTag, afterTag := util.FindTimeType(date1, date2)
- date1Gen := beforeTag == 24
- date2Gen := afterTag == 24
- if date1Gen {
- // UTC Tests on notBefore
- checkSeconds(&r, date1)
- if r == Error {
- return &LintResult{Status: r}
- }
- }
- if date2Gen {
- checkSeconds(&r, date2)
- }
- return &LintResult{Status: r}
-}
-
-func checkSeconds(r *LintStatus, t asn1.RawValue) {
- if t.Bytes[len(t.Bytes)-1] == 'Z' {
- if len(t.Bytes) < 15 {
- *r = Error
- }
- } else if t.Bytes[len(t.Bytes)-5] == '-' || t.Bytes[len(t.Bytes)-1] == '+' {
- if len(t.Bytes) < 19 {
- *r = Error
- }
- } else {
- if len(t.Bytes) < 14 {
- *r = Error
- }
- }
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_generalized_time_does_not_include_seconds",
- Description: "Generalized time values MUST include seconds",
- Citation: "RFC 5280: 4.1.2.5.2",
- Source: RFC5280,
- EffectiveDate: util.RFC2459Date,
- Lint: &generalizedNoSeconds{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_generalized_time_includes_fraction_seconds.go b/vendor/github.com/zmap/zlint/lints/lint_generalized_time_includes_fraction_seconds.go
deleted file mode 100644
index 787fec599..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_generalized_time_includes_fraction_seconds.go
+++ /dev/null
@@ -1,96 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-/********************************************************************
-4.1.2.5.2. GeneralizedTime
-The generalized time type, GeneralizedTime, is a standard ASN.1 type
-for variable precision representation of time. Optionally, the
-GeneralizedTime field can include a representation of the time
-differential between local and Greenwich Mean Time.
-
-For the purposes of this profile, GeneralizedTime values MUST be
-expressed in Greenwich Mean Time (Zulu) and MUST include seconds
-(i.e., times are YYYYMMDDHHMMSSZ), even where the number of seconds
-is zero. GeneralizedTime values MUST NOT include fractional seconds.
-********************************************************************/
-
-import (
- "encoding/asn1"
-
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type generalizedTimeFraction struct {
-}
-
-func (l *generalizedTimeFraction) Initialize() error {
- return nil
-}
-
-func (l *generalizedTimeFraction) CheckApplies(c *x509.Certificate) bool {
- firstDate, secondDate := util.GetTimes(c)
- beforeTag, afterTag := util.FindTimeType(firstDate, secondDate)
- date1Gen := beforeTag == 24
- date2Gen := afterTag == 24
- return date1Gen || date2Gen
-}
-
-func (l *generalizedTimeFraction) Execute(c *x509.Certificate) *LintResult {
- r := Pass
- date1, date2 := util.GetTimes(c)
- beforeTag, afterTag := util.FindTimeType(date1, date2)
- date1Gen := beforeTag == 24
- date2Gen := afterTag == 24
- if date1Gen {
- // UTC Tests on notBefore
- checkFraction(&r, date1)
- if r == Error {
- return &LintResult{Status: r}
- }
- }
- if date2Gen {
- checkFraction(&r, date2)
- }
- return &LintResult{Status: r}
-}
-
-func checkFraction(r *LintStatus, t asn1.RawValue) {
- if t.Bytes[len(t.Bytes)-1] == 'Z' {
- if len(t.Bytes) > 15 {
- *r = Error
- }
- } else if t.Bytes[len(t.Bytes)-5] == '-' || t.Bytes[len(t.Bytes)-1] == '+' {
- if len(t.Bytes) > 19 {
- *r = Error
- }
- } else {
- if len(t.Bytes) > 14 {
- *r = Error
- }
- }
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_generalized_time_includes_fraction_seconds",
- Description: "Generalized time values MUST NOT include fractional seconds",
- Citation: "RFC 5280: 4.1.2.5.2",
- Source: RFC5280,
- EffectiveDate: util.RFC2459Date,
- Lint: &generalizedTimeFraction{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_generalized_time_not_in_zulu.go b/vendor/github.com/zmap/zlint/lints/lint_generalized_time_not_in_zulu.go
deleted file mode 100644
index 93efa3f31..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_generalized_time_not_in_zulu.go
+++ /dev/null
@@ -1,77 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-/********************************************************************
-4.1.2.5.2. GeneralizedTime
-The generalized time type, GeneralizedTime, is a standard ASN.1 type
-for variable precision representation of time. Optionally, the
-GeneralizedTime field can include a representation of the time
-differential between local and Greenwich Mean Time.
-
-For the purposes of this profile, GeneralizedTime values MUST be
-expressed in Greenwich Mean Time (Zulu) and MUST include seconds
-(i.e., times are YYYYMMDDHHMMSSZ), even where the number of seconds
-is zero. GeneralizedTime values MUST NOT include fractional seconds.
-********************************************************************/
-
-import (
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type generalizedNotZulu struct {
-}
-
-func (l *generalizedNotZulu) Initialize() error {
- return nil
-}
-
-func (l *generalizedNotZulu) CheckApplies(c *x509.Certificate) bool {
- firstDate, secondDate := util.GetTimes(c)
- beforeTag, afterTag := util.FindTimeType(firstDate, secondDate)
- date1Gen := beforeTag == 24
- date2Gen := afterTag == 24
- return date1Gen || date2Gen
-}
-
-func (l *generalizedNotZulu) Execute(c *x509.Certificate) *LintResult {
- date1, date2 := util.GetTimes(c)
- beforeTag, afterTag := util.FindTimeType(date1, date2)
- date1Gen := beforeTag == 24
- date2Gen := afterTag == 24
- if date1Gen {
- if date1.Bytes[len(date1.Bytes)-1] != 'Z' {
- return &LintResult{Status: Error}
- }
- }
- if date2Gen {
- if date2.Bytes[len(date2.Bytes)-1] != 'Z' {
- return &LintResult{Status: Error}
- }
- }
- return &LintResult{Status: Pass}
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_generalized_time_not_in_zulu",
- Description: "Generalized time values MUST be expressed in Greenwich Mean Time (Zulu)",
- Citation: "RFC 5280: 4.1.2.5.2",
- Source: RFC5280,
- EffectiveDate: util.RFC2459Date,
- Lint: &generalizedNotZulu{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_ian_bare_wildcard.go b/vendor/github.com/zmap/zlint/lints/lint_ian_bare_wildcard.go
deleted file mode 100644
index 80241400b..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_ian_bare_wildcard.go
+++ /dev/null
@@ -1,52 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-import (
- "strings"
-
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type brIANBareWildcard struct{}
-
-func (l *brIANBareWildcard) Initialize() error {
- return nil
-}
-
-func (l *brIANBareWildcard) CheckApplies(c *x509.Certificate) bool {
- return util.IsExtInCert(c, util.IssuerAlternateNameOID)
-}
-
-func (l *brIANBareWildcard) Execute(c *x509.Certificate) *LintResult {
- for _, dns := range c.IANDNSNames {
- if strings.HasSuffix(dns, "*") {
- return &LintResult{Status: Error}
- }
- }
- return &LintResult{Status: Pass}
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_ian_bare_wildcard",
- Description: "A wildcard MUST be accompanied by other data to its right (Only checks DNSName)",
- Citation: "RFC5280",
- Source: RFC5280,
- EffectiveDate: util.ZeroDate,
- Lint: &brIANBareWildcard{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_ian_dns_name_includes_null_char.go b/vendor/github.com/zmap/zlint/lints/lint_ian_dns_name_includes_null_char.go
deleted file mode 100644
index 1bb7b6287..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_ian_dns_name_includes_null_char.go
+++ /dev/null
@@ -1,52 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-import (
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type IANDNSNull struct{}
-
-func (l *IANDNSNull) Initialize() error {
- return nil
-}
-
-func (l *IANDNSNull) CheckApplies(c *x509.Certificate) bool {
- return util.IsExtInCert(c, util.IssuerAlternateNameOID)
-}
-
-func (l *IANDNSNull) Execute(c *x509.Certificate) *LintResult {
- for _, dns := range c.IANDNSNames {
- for i := 0; i < len(dns); i++ {
- if dns[i] == 0 {
- return &LintResult{Status: Error}
- }
- }
- }
- return &LintResult{Status: Pass}
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_ian_dns_name_includes_null_char",
- Description: "DNSName MUST NOT include a null character",
- Citation: "awslabs certlint",
- Source: AWSLabs,
- EffectiveDate: util.ZeroDate,
- Lint: &IANDNSNull{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_ian_dns_name_starts_with_period.go b/vendor/github.com/zmap/zlint/lints/lint_ian_dns_name_starts_with_period.go
deleted file mode 100644
index caa4413d8..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_ian_dns_name_starts_with_period.go
+++ /dev/null
@@ -1,52 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-import (
- "strings"
-
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type IANDNSPeriod struct{}
-
-func (l *IANDNSPeriod) Initialize() error {
- return nil
-}
-
-func (l *IANDNSPeriod) CheckApplies(c *x509.Certificate) bool {
- return util.IsExtInCert(c, util.IssuerAlternateNameOID)
-}
-
-func (l *IANDNSPeriod) Execute(c *x509.Certificate) *LintResult {
- for _, dns := range c.IANDNSNames {
- if strings.HasPrefix(dns, ".") {
- return &LintResult{Status: Error}
- }
- }
- return &LintResult{Status: Pass}
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_ian_dns_name_starts_with_period",
- Description: "DNSName MUST NOT start with a period",
- Citation: "awslabs certlint",
- Source: AWSLabs,
- EffectiveDate: util.ZeroDate,
- Lint: &IANDNSPeriod{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_ian_iana_pub_suffix_empty.go b/vendor/github.com/zmap/zlint/lints/lint_ian_iana_pub_suffix_empty.go
deleted file mode 100644
index ad3721887..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_ian_iana_pub_suffix_empty.go
+++ /dev/null
@@ -1,52 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-import (
- "strings"
-
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type IANPubSuffix struct{}
-
-func (l *IANPubSuffix) Initialize() error {
- return nil
-}
-
-func (l *IANPubSuffix) CheckApplies(c *x509.Certificate) bool {
- return util.IsExtInCert(c, util.IssuerAlternateNameOID)
-}
-
-func (l *IANPubSuffix) Execute(c *x509.Certificate) *LintResult {
- for _, dns := range c.IANDNSNames {
- if len(strings.Split(dns, ".")) < 3 {
- return &LintResult{Status: Warn}
- }
- }
- return &LintResult{Status: Pass}
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "w_ian_iana_pub_suffix_empty",
- Description: "Domain SHOULD NOT have a bare public suffix",
- Citation: "awslabs certlint",
- Source: AWSLabs,
- EffectiveDate: util.ZeroDate,
- Lint: &IANPubSuffix{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_ian_wildcard_not_first.go b/vendor/github.com/zmap/zlint/lints/lint_ian_wildcard_not_first.go
deleted file mode 100644
index e2ce7b5f8..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_ian_wildcard_not_first.go
+++ /dev/null
@@ -1,52 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-import (
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type brIANWildcardFirst struct{}
-
-func (l *brIANWildcardFirst) Initialize() error {
- return nil
-}
-
-func (l *brIANWildcardFirst) CheckApplies(c *x509.Certificate) bool {
- return util.IsExtInCert(c, util.IssuerAlternateNameOID)
-}
-
-func (l *brIANWildcardFirst) Execute(c *x509.Certificate) *LintResult {
- for _, dns := range c.IANDNSNames {
- for i := 1; i < len(dns); i++ {
- if dns[i] == '*' {
- return &LintResult{Status: Error}
- }
- }
- }
- return &LintResult{Status: Pass}
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_ian_wildcard_not_first",
- Description: "A wildcard MUST be in the first label of FQDN (ie not: www.*.com) (Only checks DNSName)",
- Citation: "awslabs certlint",
- Source: AWSLabs,
- EffectiveDate: util.ZeroDate,
- Lint: &brIANWildcardFirst{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_idn_dnsname_malformed_unicode.go b/vendor/github.com/zmap/zlint/lints/lint_idn_dnsname_malformed_unicode.go
deleted file mode 100644
index 54fa6d356..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_idn_dnsname_malformed_unicode.go
+++ /dev/null
@@ -1,59 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-import (
- "strings"
-
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
- "golang.org/x/net/idna"
-)
-
-type IDNMalformedUnicode struct{}
-
-func (l *IDNMalformedUnicode) Initialize() error {
- return nil
-}
-
-func (l *IDNMalformedUnicode) CheckApplies(c *x509.Certificate) bool {
- return util.IsExtInCert(c, util.SubjectAlternateNameOID)
-}
-
-func (l *IDNMalformedUnicode) Execute(c *x509.Certificate) *LintResult {
- for _, dns := range c.DNSNames {
- labels := strings.Split(dns, ".")
- for _, label := range labels {
- if strings.HasPrefix(label, "xn--") {
- _, err := idna.ToUnicode(label)
- if err != nil {
- return &LintResult{Status: Error}
- }
- }
- }
- }
- return &LintResult{Status: Pass}
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_international_dns_name_not_unicode",
- Description: "Internationalized DNSNames punycode not valid unicode",
- Citation: "RFC 3490",
- EffectiveDate: util.RFC3490Date,
- Source: RFC5280,
- Lint: &IDNMalformedUnicode{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_idn_dnsname_must_be_nfc.go b/vendor/github.com/zmap/zlint/lints/lint_idn_dnsname_must_be_nfc.go
deleted file mode 100644
index 081d57a5d..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_idn_dnsname_must_be_nfc.go
+++ /dev/null
@@ -1,63 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-import (
- "strings"
-
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
- "golang.org/x/net/idna"
- "golang.org/x/text/unicode/norm"
-)
-
-type IDNNotNFC struct{}
-
-func (l *IDNNotNFC) Initialize() error {
- return nil
-}
-
-func (l *IDNNotNFC) CheckApplies(c *x509.Certificate) bool {
- return util.IsExtInCert(c, util.SubjectAlternateNameOID)
-}
-
-func (l *IDNNotNFC) Execute(c *x509.Certificate) *LintResult {
- for _, dns := range c.DNSNames {
- labels := strings.Split(dns, ".")
- for _, label := range labels {
- if strings.HasPrefix(label, "xn--") {
- unicodeLabel, err := idna.ToUnicode(label)
- if err != nil {
- return &LintResult{Status: NA}
- }
- if !norm.NFC.IsNormalString(unicodeLabel) {
- return &LintResult{Status: Error}
- }
- }
- }
- }
- return &LintResult{Status: Pass}
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_international_dns_name_not_nfc",
- Description: "Internationalized DNSNames must be normalized by unicode normalization form C",
- Citation: "RFC 8399",
- Source: RFC5891,
- EffectiveDate: util.RFC8399Date,
- Lint: &IDNNotNFC{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_inhibit_any_policy_not_critical.go b/vendor/github.com/zmap/zlint/lints/lint_inhibit_any_policy_not_critical.go
deleted file mode 100644
index 79ed2e11a..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_inhibit_any_policy_not_critical.go
+++ /dev/null
@@ -1,63 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-/************************************************
-4.2.1.14. Inhibit anyPolicy
- The inhibit anyPolicy extension can be used in certificates issued to CAs.
- The inhibit anyPolicy extension indicates that the special anyPolicy OID,
- with the value { 2 5 29 32 0 }, is not considered an explicit match for other
- certificate policies except when it appears in an intermediate self-issued
- CA certificate. The value indicates the number of additional non-self-issued
- certificates that may appear in the path before anyPolicy is no longer permitted.
- For example, a value of one indicates that anyPolicy may be processed in
- certificates issued by the subject of this certificate, but not in additional
- certificates in the path.
-
- Conforming CAs MUST mark this extension as critical.
-************************************************/
-
-import (
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type InhibitAnyPolicyNotCritical struct{}
-
-func (l *InhibitAnyPolicyNotCritical) Initialize() error {
- return nil
-}
-
-func (l *InhibitAnyPolicyNotCritical) CheckApplies(cert *x509.Certificate) bool {
- return util.IsExtInCert(cert, util.InhibitAnyPolicyOID)
-}
-
-func (l *InhibitAnyPolicyNotCritical) Execute(cert *x509.Certificate) *LintResult {
- if anyPol := util.GetExtFromCert(cert, util.InhibitAnyPolicyOID); !anyPol.Critical {
- return &LintResult{Status: Error}
- } //else
- return &LintResult{Status: Pass}
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_inhibit_any_policy_not_critical",
- Description: "CAs MUST mark the inhibitAnyPolicy extension as critical",
- Citation: "RFC 5280: 4.2.1.14",
- Source: RFC5280,
- EffectiveDate: util.RFC3280Date,
- Lint: &InhibitAnyPolicyNotCritical{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_invalid_certificate_version.go b/vendor/github.com/zmap/zlint/lints/lint_invalid_certificate_version.go
deleted file mode 100644
index 589fb85bd..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_invalid_certificate_version.go
+++ /dev/null
@@ -1,53 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-/************************************************
-Certificates MUST be of type X.509 v3.
-************************************************/
-
-import (
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type InvalidCertificateVersion struct{}
-
-func (l *InvalidCertificateVersion) Initialize() error {
- return nil
-}
-
-func (l *InvalidCertificateVersion) CheckApplies(cert *x509.Certificate) bool {
- return true
-}
-
-func (l *InvalidCertificateVersion) Execute(cert *x509.Certificate) *LintResult {
- if cert.Version != 3 {
- return &LintResult{Status: Error}
- }
- //else
- return &LintResult{Status: Pass}
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_invalid_certificate_version",
- Description: "Certificates MUST be of type X.590 v3",
- Citation: "BRs: 7.1.1",
- Source: CABFBaselineRequirements,
- EffectiveDate: util.CABV130Date,
- Lint: &InvalidCertificateVersion{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_is_redacted_cert.go b/vendor/github.com/zmap/zlint/lints/lint_is_redacted_cert.go
deleted file mode 100644
index 60675a1d7..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_is_redacted_cert.go
+++ /dev/null
@@ -1,62 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-import (
- "strings"
-
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type DNSNameRedacted struct{}
-
-func (l *DNSNameRedacted) Initialize() error {
- return nil
-}
-
-func (l *DNSNameRedacted) CheckApplies(c *x509.Certificate) bool {
- return util.IsSubscriberCert(c)
-}
-
-func isRedactedCertificate(domain string) bool {
- domain = util.RemovePrependedWildcard(domain)
- return strings.HasPrefix(domain, "?.")
-}
-
-func (l *DNSNameRedacted) Execute(c *x509.Certificate) *LintResult {
- if c.Subject.CommonName != "" {
- if isRedactedCertificate(c.Subject.CommonName) {
- return &LintResult{Status: Notice}
- }
- }
- for _, domain := range c.DNSNames {
- if isRedactedCertificate(domain) {
- return &LintResult{Status: Notice}
- }
- }
- return &LintResult{Status: Pass}
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "n_contains_redacted_dnsname",
- Description: "Some precerts are redacted and of the form ?.?.a.com or *.?.a.com",
- Source: ZLint,
- Citation: "IETF Draft: https://tools.ietf.org/id/draft-strad-trans-redaction-00.html",
- EffectiveDate: util.ZeroDate,
- Lint: &DNSNameRedacted{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_issuer_dn_country_not_printable_string.go b/vendor/github.com/zmap/zlint/lints/lint_issuer_dn_country_not_printable_string.go
deleted file mode 100644
index ce79fd4f2..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_issuer_dn_country_not_printable_string.go
+++ /dev/null
@@ -1,64 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-import (
- "encoding/asn1"
-
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type IssuerDNCountryNotPrintableString struct{}
-
-func (l *IssuerDNCountryNotPrintableString) Initialize() error {
- return nil
-}
-
-func (l *IssuerDNCountryNotPrintableString) CheckApplies(c *x509.Certificate) bool {
- return len(c.Issuer.Country) > 0
-}
-
-func (l *IssuerDNCountryNotPrintableString) Execute(c *x509.Certificate) *LintResult {
- rdnSequence := util.RawRDNSequence{}
- rest, err := asn1.Unmarshal(c.RawIssuer, &rdnSequence)
- if err != nil {
- return &LintResult{Status: Fatal}
- }
- if len(rest) > 0 {
- return &LintResult{Status: Fatal}
- }
-
- for _, attrTypeAndValueSet := range rdnSequence {
- for _, attrTypeAndValue := range attrTypeAndValueSet {
- if attrTypeAndValue.Type.Equal(util.CountryNameOID) && attrTypeAndValue.Value.Tag != asn1.TagPrintableString {
- return &LintResult{Status: Error}
- }
- }
- }
-
- return &LintResult{Status: Pass}
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_issuer_dn_country_not_printable_string",
- Description: "X520 Distinguished Name Country MUST BE encoded as PrintableString",
- Citation: "RFC 5280: Appendix A",
- Source: RFC5280,
- EffectiveDate: util.ZeroDate,
- Lint: &IssuerDNCountryNotPrintableString{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_issuer_dn_leading_whitespace.go b/vendor/github.com/zmap/zlint/lints/lint_issuer_dn_leading_whitespace.go
deleted file mode 100644
index a32b7a1b8..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_issuer_dn_leading_whitespace.go
+++ /dev/null
@@ -1,52 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-import (
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type IssuerDNLeadingSpace struct{}
-
-func (l *IssuerDNLeadingSpace) Initialize() error {
- return nil
-}
-
-func (l *IssuerDNLeadingSpace) CheckApplies(c *x509.Certificate) bool {
- return true
-}
-
-func (l *IssuerDNLeadingSpace) Execute(c *x509.Certificate) *LintResult {
- leading, _, err := util.CheckRDNSequenceWhiteSpace(c.RawIssuer)
- if err != nil {
- return &LintResult{Status: Fatal}
- }
- if leading {
- return &LintResult{Status: Warn}
- }
- return &LintResult{Status: Pass}
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "w_issuer_dn_leading_whitespace",
- Description: "AttributeValue in issuer RelativeDistinguishedName sequence SHOULD NOT have leading whitespace",
- Citation: "AWSLabs certlint",
- Source: AWSLabs,
- EffectiveDate: util.ZeroDate,
- Lint: &IssuerDNLeadingSpace{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_issuer_dn_trailing_whitespace.go b/vendor/github.com/zmap/zlint/lints/lint_issuer_dn_trailing_whitespace.go
deleted file mode 100644
index 94b85b208..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_issuer_dn_trailing_whitespace.go
+++ /dev/null
@@ -1,52 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-import (
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type IssuerDNTrailingSpace struct{}
-
-func (l *IssuerDNTrailingSpace) Initialize() error {
- return nil
-}
-
-func (l *IssuerDNTrailingSpace) CheckApplies(c *x509.Certificate) bool {
- return true
-}
-
-func (l *IssuerDNTrailingSpace) Execute(c *x509.Certificate) *LintResult {
- _, trailing, err := util.CheckRDNSequenceWhiteSpace(c.RawIssuer)
- if err != nil {
- return &LintResult{Status: Fatal}
- }
- if trailing {
- return &LintResult{Status: Warn}
- }
- return &LintResult{Status: Pass}
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "w_issuer_dn_trailing_whitespace",
- Description: "AttributeValue in issuer RelativeDistinguishedName sequence SHOULD NOT have trailing whitespace",
- Citation: "AWSLabs certlint",
- Source: AWSLabs,
- EffectiveDate: util.ZeroDate,
- Lint: &IssuerDNTrailingSpace{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_issuer_field_empty.go b/vendor/github.com/zmap/zlint/lints/lint_issuer_field_empty.go
deleted file mode 100644
index 77fdbc107..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_issuer_field_empty.go
+++ /dev/null
@@ -1,57 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-/************************************************
-RFC 5280: 4.1.2.4
-The issuer field identifies the entity that has signed and issued the
- certificate. The issuer field MUST contain a non-empty distinguished
- name (DN). The issuer field is defined as the X.501 type Name
- [X.501].
-************************************************/
-
-import (
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type issuerFieldEmpty struct{}
-
-func (l *issuerFieldEmpty) Initialize() error {
- return nil
-}
-
-func (l *issuerFieldEmpty) CheckApplies(c *x509.Certificate) bool {
- return true
-}
-
-func (l *issuerFieldEmpty) Execute(c *x509.Certificate) *LintResult {
- if &c.Issuer != nil && util.NotAllNameFieldsAreEmpty(&c.Issuer) {
- return &LintResult{Status: Pass}
- } else {
- return &LintResult{Status: Error}
- }
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_issuer_field_empty",
- Description: "Certificate issuer field MUST NOT be empty and must have a non-empty distingushed name",
- Citation: "RFC 5280: 4.1.2.4",
- Source: RFC5280,
- EffectiveDate: util.RFC2459Date,
- Lint: &issuerFieldEmpty{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_issuer_multiple_rdn.go b/vendor/github.com/zmap/zlint/lints/lint_issuer_multiple_rdn.go
deleted file mode 100644
index 07d385ed9..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_issuer_multiple_rdn.go
+++ /dev/null
@@ -1,58 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-import (
- "encoding/asn1"
-
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zcrypto/x509/pkix"
- "github.com/zmap/zlint/util"
-)
-
-type IssuerRDNHasMultipleAttribute struct{}
-
-func (l *IssuerRDNHasMultipleAttribute) Initialize() error {
- return nil
-}
-
-func (l *IssuerRDNHasMultipleAttribute) CheckApplies(c *x509.Certificate) bool {
- return true
-}
-
-func (l *IssuerRDNHasMultipleAttribute) Execute(c *x509.Certificate) *LintResult {
- var issuer pkix.RDNSequence
- _, err := asn1.Unmarshal(c.RawIssuer, &issuer)
- if err != nil {
- return &LintResult{Status: Fatal}
- }
- for _, rdn := range issuer {
- if len(rdn) > 1 {
- return &LintResult{Status: Warn}
- }
- }
- return &LintResult{Status: Pass}
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "w_multiple_issuer_rdn",
- Description: "Certificates should not have multiple attributes in a single RDN (issuer)",
- Citation: "awslabs certlint",
- Source: AWSLabs,
- EffectiveDate: util.ZeroDate,
- Lint: &IssuerRDNHasMultipleAttribute{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_name_constraint_empty.go b/vendor/github.com/zmap/zlint/lints/lint_name_constraint_empty.go
deleted file mode 100644
index 61a46efe7..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_name_constraint_empty.go
+++ /dev/null
@@ -1,78 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-/***********************************************************************
- Restrictions are defined in terms of permitted or excluded name
- subtrees. Any name matching a restriction in the excludedSubtrees
- field is invalid regardless of information appearing in the
- permittedSubtrees. Conforming CAs MUST mark this extension as
- critical and SHOULD NOT impose name constraints on the x400Address,
- ediPartyName, or registeredID name forms. Conforming CAs MUST NOT
- issue certificates where name constraints is an empty sequence. That
- is, either the permittedSubtrees field or the excludedSubtrees MUST
- be present.
-************************************************************************/
-
-import (
- "encoding/asn1"
-
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type nameConstraintEmpty struct{}
-
-func (l *nameConstraintEmpty) Initialize() error {
- return nil
-}
-
-func (l *nameConstraintEmpty) CheckApplies(c *x509.Certificate) bool {
- if !(util.IsExtInCert(c, util.NameConstOID)) {
- return false
- }
- nc := util.GetExtFromCert(c, util.NameConstOID)
- var seq asn1.RawValue
- rest, err := asn1.Unmarshal(nc.Value, &seq) //only one sequence, so rest should be empty
- if err != nil || len(rest) != 0 || seq.Tag != 16 || seq.Class != 0 || !seq.IsCompound {
- return false
- }
- return true
-}
-
-func (l *nameConstraintEmpty) Execute(c *x509.Certificate) *LintResult {
- nc := util.GetExtFromCert(c, util.NameConstOID)
- var seq asn1.RawValue
- _, err := asn1.Unmarshal(nc.Value, &seq) //only one sequence, so rest should be empty
- if err != nil {
- return &LintResult{Status: Fatal}
- }
- if len(seq.Bytes) == 0 {
- return &LintResult{Status: Error}
- }
-
- return &LintResult{Status: Pass}
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_name_constraint_empty",
- Description: "Conforming CAs MUST NOT issue certificates where name constraints is an empty sequence. That is, either the permittedSubtree or excludedSubtree fields must be present",
- Citation: "RFC 5280: 4.2.1.10",
- Source: RFC5280,
- EffectiveDate: util.RFC5280Date,
- Lint: &nameConstraintEmpty{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_name_constraint_maximum_not_absent.go b/vendor/github.com/zmap/zlint/lints/lint_name_constraint_maximum_not_absent.go
deleted file mode 100644
index d80c29dc1..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_name_constraint_maximum_not_absent.go
+++ /dev/null
@@ -1,126 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-/************************************************************************
-RFC 5280: 4.2.1.10
-Within this profile, the minimum and maximum fields are not used with
-any name forms, thus, the minimum MUST be zero, and maximum MUST be
-absent. However, if an application encounters a critical name
-constraints extension that specifies other values for minimum or
-maximum for a name form that appears in a subsequent certificate, the
-application MUST either process these fields or reject the
-certificate.
-************************************************************************/
-
-import (
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type nameConstraintMax struct{}
-
-func (l *nameConstraintMax) Initialize() error {
- return nil
-}
-
-func (l *nameConstraintMax) CheckApplies(c *x509.Certificate) bool {
- return util.IsExtInCert(c, util.NameConstOID)
-}
-
-func (l *nameConstraintMax) Execute(c *x509.Certificate) *LintResult {
- for _, i := range c.PermittedDNSNames {
- if i.Max != 0 {
- return &LintResult{Status: Error}
- }
- }
- for _, i := range c.ExcludedDNSNames {
- if i.Max != 0 {
- return &LintResult{Status: Error}
- }
- }
- for _, i := range c.PermittedDNSNames {
- if i.Max != 0 {
- return &LintResult{Status: Error}
- }
- }
- for _, i := range c.ExcludedEmailAddresses {
- if i.Max != 0 {
- return &LintResult{Status: Error}
- }
- }
- for _, i := range c.PermittedIPAddresses {
- if i.Max != 0 {
- return &LintResult{Status: Error}
- }
- }
- for _, i := range c.ExcludedIPAddresses {
- if i.Max != 0 {
- return &LintResult{Status: Error}
- }
- }
- for _, i := range c.PermittedDirectoryNames {
- if i.Max != 0 {
- return &LintResult{Status: Error}
- }
- }
- for _, i := range c.ExcludedDirectoryNames {
- if i.Max != 0 {
- return &LintResult{Status: Error}
- }
- }
- for _, i := range c.PermittedEdiPartyNames {
- if i.Max != 0 {
- return &LintResult{Status: Error}
- }
- }
- for _, i := range c.ExcludedEdiPartyNames {
- if i.Max != 0 {
- return &LintResult{Status: Error}
- }
- }
- for _, i := range c.PermittedRegisteredIDs {
- if i.Max != 0 {
- return &LintResult{Status: Error}
- }
- }
- for _, i := range c.ExcludedRegisteredIDs {
- if i.Max != 0 {
- return &LintResult{Status: Error}
- }
- }
- for _, i := range c.PermittedX400Addresses {
- if i.Max != 0 {
- return &LintResult{Status: Error}
- }
- }
- for _, i := range c.ExcludedX400Addresses {
- if i.Max != 0 {
- return &LintResult{Status: Error}
- }
- }
- return &LintResult{Status: Pass}
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_name_constraint_maximum_not_absent",
- Description: "Within the name constraints name form, the maximum field is not used and therefore MUST be absent",
- Citation: "RFC 5280: 4.2.1.10",
- Source: RFC5280,
- EffectiveDate: util.RFC2459Date,
- Lint: &nameConstraintMax{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_name_constraint_minimum_non_zero.go b/vendor/github.com/zmap/zlint/lints/lint_name_constraint_minimum_non_zero.go
deleted file mode 100644
index 5191dbeaa..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_name_constraint_minimum_non_zero.go
+++ /dev/null
@@ -1,126 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-/************************************************************************
-RFC 5280: 4.2.1.10
-Within this profile, the minimum and maximum fields are not used with
-any name forms, thus, the minimum MUST be zero, and maximum MUST be
-absent. However, if an application encounters a critical name
-constraints extension that specifies other values for minimum or
-maximum for a name form that appears in a subsequent certificate, the
-application MUST either process these fields or reject the
-certificate.
-************************************************************************/
-
-import (
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type nameConstMin struct{}
-
-func (l *nameConstMin) Initialize() error {
- return nil
-}
-
-func (l *nameConstMin) CheckApplies(c *x509.Certificate) bool {
- return util.IsExtInCert(c, util.NameConstOID)
-}
-
-func (l *nameConstMin) Execute(c *x509.Certificate) *LintResult {
- for _, i := range c.PermittedDNSNames {
- if i.Min != 0 {
- return &LintResult{Status: Error}
- }
- }
- for _, i := range c.ExcludedDNSNames {
- if i.Min != 0 {
- return &LintResult{Status: Error}
- }
- }
- for _, i := range c.PermittedEmailAddresses {
- if i.Min != 0 {
- return &LintResult{Status: Error}
- }
- }
- for _, i := range c.ExcludedEmailAddresses {
- if i.Min != 0 {
- return &LintResult{Status: Error}
- }
- }
- for _, i := range c.PermittedIPAddresses {
- if i.Min != 0 {
- return &LintResult{Status: Error}
- }
- }
- for _, i := range c.ExcludedIPAddresses {
- if i.Min != 0 {
- return &LintResult{Status: Error}
- }
- }
- for _, i := range c.PermittedDirectoryNames {
- if i.Min != 0 {
- return &LintResult{Status: Error}
- }
- }
- for _, i := range c.ExcludedDirectoryNames {
- if i.Min != 0 {
- return &LintResult{Status: Error}
- }
- }
- for _, i := range c.PermittedEdiPartyNames {
- if i.Min != 0 {
- return &LintResult{Status: Error}
- }
- }
- for _, i := range c.ExcludedEdiPartyNames {
- if i.Min != 0 {
- return &LintResult{Status: Error}
- }
- }
- for _, i := range c.PermittedRegisteredIDs {
- if i.Min != 0 {
- return &LintResult{Status: Error}
- }
- }
- for _, i := range c.ExcludedRegisteredIDs {
- if i.Min != 0 {
- return &LintResult{Status: Error}
- }
- }
- for _, i := range c.PermittedX400Addresses {
- if i.Min != 0 {
- return &LintResult{Status: Error}
- }
- }
- for _, i := range c.ExcludedX400Addresses {
- if i.Min != 0 {
- return &LintResult{Status: Error}
- }
- }
- return &LintResult{Status: Pass}
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_name_constraint_minimum_non_zero",
- Description: "Within the name constraints name forms, the minimum field is not used and therefore MUST be zero",
- Citation: "RFC 5280: 4.2.1.10",
- Source: RFC5280,
- EffectiveDate: util.RFC2459Date,
- Lint: &nameConstMin{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_name_constraint_on_edi_party_name.go b/vendor/github.com/zmap/zlint/lints/lint_name_constraint_on_edi_party_name.go
deleted file mode 100644
index a56d9d2c0..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_name_constraint_on_edi_party_name.go
+++ /dev/null
@@ -1,61 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-/*******************************************************************
-RFC 5280: 4.2.1.10
-Restrictions are defined in terms of permitted or excluded name
-subtrees. Any name matching a restriction in the excludedSubtrees
-field is invalid regardless of information appearing in the
-permittedSubtrees. Conforming CAs MUST mark this extension as
-critical and SHOULD NOT impose name constraints on the x400Address,
-ediPartyName, or registeredID name forms. Conforming CAs MUST NOT
-issue certificates where name constraints is an empty sequence. That
-is, either the permittedSubtrees field or the excludedSubtrees MUST
-be present.
-*******************************************************************/
-
-import (
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type nameConstraintOnEDI struct{}
-
-func (l *nameConstraintOnEDI) Initialize() error {
- return nil
-}
-
-func (l *nameConstraintOnEDI) CheckApplies(c *x509.Certificate) bool {
- return util.IsExtInCert(c, util.NameConstOID)
-}
-
-func (l *nameConstraintOnEDI) Execute(c *x509.Certificate) *LintResult {
- if c.PermittedEdiPartyNames != nil || c.ExcludedEdiPartyNames != nil {
- return &LintResult{Status: Warn}
- }
- return &LintResult{Status: Pass}
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "w_name_constraint_on_edi_party_name",
- Description: "The name constraints extension SHOULD NOT impose constraints on the ediPartyName name form",
- Citation: "RFC 5280: 4.2.1.10",
- Source: RFC5280,
- EffectiveDate: util.RFC5280Date,
- Lint: &nameConstraintOnEDI{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_name_constraint_on_registered_id.go b/vendor/github.com/zmap/zlint/lints/lint_name_constraint_on_registered_id.go
deleted file mode 100644
index c788a0475..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_name_constraint_on_registered_id.go
+++ /dev/null
@@ -1,61 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-/*******************************************************************
-RFC 5280: 4.2.1.10
-Restrictions are defined in terms of permitted or excluded name
-subtrees. Any name matching a restriction in the excludedSubtrees
-field is invalid regardless of information appearing in the
-permittedSubtrees. Conforming CAs MUST mark this extension as
-critical and SHOULD NOT impose name constraints on the x400Address,
-ediPartyName, or registeredID name forms. Conforming CAs MUST NOT
-issue certificates where name constraints is an empty sequence. That
-is, either the permittedSubtrees field or the excludedSubtrees MUST
-be present.
-*******************************************************************/
-
-import (
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type nameConstraintOnRegisteredId struct{}
-
-func (l *nameConstraintOnRegisteredId) Initialize() error {
- return nil
-}
-
-func (l *nameConstraintOnRegisteredId) CheckApplies(c *x509.Certificate) bool {
- return util.IsExtInCert(c, util.NameConstOID)
-}
-
-func (l *nameConstraintOnRegisteredId) Execute(c *x509.Certificate) *LintResult {
- if c.PermittedRegisteredIDs != nil || c.ExcludedRegisteredIDs != nil {
- return &LintResult{Status: Warn}
- }
- return &LintResult{Status: Pass}
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "w_name_constraint_on_registered_id",
- Description: "The name constraints extension SHOULD NOT impose constraints on the registeredID name form",
- Citation: "RFC 5280: 4.2.1.10",
- Source: RFC5280,
- EffectiveDate: util.RFC5280Date,
- Lint: &nameConstraintOnRegisteredId{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_name_constraint_on_x400.go b/vendor/github.com/zmap/zlint/lints/lint_name_constraint_on_x400.go
deleted file mode 100644
index 0184a5f47..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_name_constraint_on_x400.go
+++ /dev/null
@@ -1,61 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-/*******************************************************************
-RFC 5280: 4.2.1.10
-Restrictions are defined in terms of permitted or excluded name
-subtrees. Any name matching a restriction in the excludedSubtrees
-field is invalid regardless of information appearing in the
-permittedSubtrees. Conforming CAs MUST mark this extension as
-critical and SHOULD NOT impose name constraints on the x400Address,
-ediPartyName, or registeredID name forms. Conforming CAs MUST NOT
-issue certificates where name constraints is an empty sequence. That
-is, either the permittedSubtrees field or the excludedSubtrees MUST
-be present.
-*******************************************************************/
-
-import (
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type nameConstraintOnX400 struct{}
-
-func (l *nameConstraintOnX400) Initialize() error {
- return nil
-}
-
-func (l *nameConstraintOnX400) CheckApplies(c *x509.Certificate) bool {
- return util.IsExtInCert(c, util.NameConstOID)
-}
-
-func (l *nameConstraintOnX400) Execute(c *x509.Certificate) *LintResult {
- if c.PermittedX400Addresses != nil || c.ExcludedX400Addresses != nil {
- return &LintResult{Status: Warn}
- }
- return &LintResult{Status: Pass}
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "w_name_constraint_on_x400",
- Description: "The name constraints extension SHOULD NOT impose constraints on the x400Address name form",
- Citation: "RFC 5280: 4.2.1.10",
- Source: RFC5280,
- EffectiveDate: util.RFC5280Date,
- Lint: &nameConstraintOnX400{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_old_root_ca_rsa_mod_less_than_2048_bits.go b/vendor/github.com/zmap/zlint/lints/lint_old_root_ca_rsa_mod_less_than_2048_bits.go
deleted file mode 100644
index 7aeda2964..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_old_root_ca_rsa_mod_less_than_2048_bits.go
+++ /dev/null
@@ -1,58 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-/************************************************
-Change this to match source TEXT
-************************************************/
-
-import (
- "crypto/rsa"
-
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type rootCaModSize struct{}
-
-func (l *rootCaModSize) Initialize() error {
- return nil
-}
-
-func (l *rootCaModSize) CheckApplies(c *x509.Certificate) bool {
- issueDate := c.NotBefore
- _, ok := c.PublicKey.(*rsa.PublicKey)
- return ok && c.PublicKeyAlgorithm == x509.RSA && util.IsRootCA(c) && issueDate.Before(util.NoRSA1024RootDate)
-}
-
-func (l *rootCaModSize) Execute(c *x509.Certificate) *LintResult {
- key := c.PublicKey.(*rsa.PublicKey)
- if key.N.BitLen() < 2048 {
- return &LintResult{Status: Error}
- } else {
- return &LintResult{Status: Pass}
- }
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_old_root_ca_rsa_mod_less_than_2048_bits",
- Description: "In a validity period beginning on or before 31 Dec 2010, root CA certificates using RSA public key algorithm MUST use a 2048 bit modulus",
- Citation: "BRs: 6.1.5",
- Source: CABFBaselineRequirements,
- EffectiveDate: util.ZeroDate,
- Lint: &rootCaModSize{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_old_sub_ca_rsa_mod_less_than_1024_bits.go b/vendor/github.com/zmap/zlint/lints/lint_old_sub_ca_rsa_mod_less_than_1024_bits.go
deleted file mode 100644
index 6f89b65a4..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_old_sub_ca_rsa_mod_less_than_1024_bits.go
+++ /dev/null
@@ -1,58 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-// CHANGE THIS COMMENT TO MATCH SOURCE TEXT
-
-import (
- "crypto/rsa"
-
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type subCaModSize struct{}
-
-func (l *subCaModSize) Initialize() error {
- return nil
-}
-
-func (l *subCaModSize) CheckApplies(c *x509.Certificate) bool {
- issueDate := c.NotBefore
- endDate := c.NotAfter
- _, ok := c.PublicKey.(*rsa.PublicKey)
- return ok && util.IsSubCA(c) && issueDate.Before(util.NoRSA1024RootDate) && endDate.Before(util.NoRSA1024Date)
-}
-
-func (l *subCaModSize) Execute(c *x509.Certificate) *LintResult {
- key := c.PublicKey.(*rsa.PublicKey)
- if key.N.BitLen() < 1024 {
- return &LintResult{Status: Error}
- } else {
- return &LintResult{Status: Pass}
- }
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_old_sub_ca_rsa_mod_less_than_1024_bits",
- Description: "In a validity period beginning on or before 31 Dec 2010 and ending on or before 31 Dec 2013, subordinate CA certificates using RSA public key algorithm MUST use a 1024 bit modulus",
- Citation: "BRs: 6.1.5",
- Source: CABFBaselineRequirements,
- // since effective date should be checked against end date in this specific case, putting time check into checkApplies instead, ZeroDate here to automatically pass NE test
- EffectiveDate: util.ZeroDate,
- Lint: &subCaModSize{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_old_sub_cert_rsa_mod_less_than_1024_bits.go b/vendor/github.com/zmap/zlint/lints/lint_old_sub_cert_rsa_mod_less_than_1024_bits.go
deleted file mode 100644
index b7e0bbcba..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_old_sub_cert_rsa_mod_less_than_1024_bits.go
+++ /dev/null
@@ -1,55 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-import (
- "crypto/rsa"
-
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type subModSize struct{}
-
-func (l *subModSize) Initialize() error {
- return nil
-}
-
-func (l *subModSize) CheckApplies(c *x509.Certificate) bool {
- endDate := c.NotAfter
- _, ok := c.PublicKey.(*rsa.PublicKey)
- return ok && c.PublicKeyAlgorithm == x509.RSA && !util.IsCACert(c) && endDate.Before(util.NoRSA1024Date)
-}
-
-func (l *subModSize) Execute(c *x509.Certificate) *LintResult {
- key := c.PublicKey.(*rsa.PublicKey)
- if key.N.BitLen() < 1024 {
- return &LintResult{Status: Error}
- } else {
- return &LintResult{Status: Pass}
- }
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_old_sub_cert_rsa_mod_less_than_1024_bits",
- Description: "In a validity period ending on or before 31 Dec 2013, subscriber certificates using RSA public key algorithm MUST use a 1024 bit modulus",
- Citation: "BRs: 6.1.5",
- Source: CABFBaselineRequirements,
- // since effective date should be checked against end date in this specific case, putting time check into checkApplies instead, ZeroDate here to automatically pass NE test
- EffectiveDate: util.ZeroDate,
- Lint: &subModSize{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_onion_subject_validity_time_too_large.go b/vendor/github.com/zmap/zlint/lints/lint_onion_subject_validity_time_too_large.go
deleted file mode 100644
index ef52e8eff..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_onion_subject_validity_time_too_large.go
+++ /dev/null
@@ -1,68 +0,0 @@
-/*
- * ZLint Copyright 2019 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-package lints
-
-import (
- "fmt"
-
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-const (
- // Ballot 144 specified:
- // CAs MUST NOT issue a Certificate that includes a Domain Name where .onion
- // is in the right-most label of the Domain Name with a validity period longer
- // than 15 months
- maxOnionValidityMonths = 15
-)
-
-type torValidityTooLarge struct{}
-
-// Initialize for a torValidityTooLarge linter is a NOP.
-func (l *torValidityTooLarge) Initialize() error {
- return nil
-}
-
-// CheckApplies returns true if the certificate is a subscriber certificate that
-// contains a subject name ending in `.onion`.
-func (l *torValidityTooLarge) CheckApplies(c *x509.Certificate) bool {
- return util.IsSubscriberCert(c) && util.CertificateSubjInTLD(c, onionTLD)
-}
-
-// Execute will return an Error LintResult if the provided certificate has
-// a validity period longer than the maximum allowed validity for a certificate
-// with a .onion subject.
-func (l *torValidityTooLarge) Execute(c *x509.Certificate) *LintResult {
- if c.NotBefore.AddDate(0, maxOnionValidityMonths, 0).Before(c.NotAfter) {
- return &LintResult{
- Status: Error,
- }
- }
- return &LintResult{Status: Pass}
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_onion_subject_validity_time_too_large",
- Description: fmt.Sprintf(
- "certificates with .onion names can not be valid for more than %d months",
- maxOnionValidityMonths),
- Citation: "CABF EV Guidelines: Appendix F",
- Source: CABFEVGuidelines,
- EffectiveDate: util.OnionOnlyEVDate,
- Lint: &torValidityTooLarge{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_path_len_constraint_improperly_included.go b/vendor/github.com/zmap/zlint/lints/lint_path_len_constraint_improperly_included.go
deleted file mode 100644
index 6cea47be9..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_path_len_constraint_improperly_included.go
+++ /dev/null
@@ -1,72 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-/******************************************************************
-RFC 5280: 4.2.1.9
-CAs MUST NOT include the pathLenConstraint field unless the cA
-boolean is asserted and the key usage extension asserts the
-keyCertSign bit.
-******************************************************************/
-
-import (
- "encoding/asn1"
-
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type pathLenIncluded struct{}
-
-func (l *pathLenIncluded) Initialize() error {
- return nil
-}
-
-func (l *pathLenIncluded) CheckApplies(cert *x509.Certificate) bool {
- return util.IsExtInCert(cert, util.BasicConstOID)
-}
-
-func (l *pathLenIncluded) Execute(cert *x509.Certificate) *LintResult {
- bc := util.GetExtFromCert(cert, util.BasicConstOID)
- var seq asn1.RawValue
- var isCa bool
- _, err := asn1.Unmarshal(bc.Value, &seq)
- if err != nil {
- return &LintResult{Status: Fatal}
- }
- if len(seq.Bytes) == 0 {
- return &LintResult{Status: Pass}
- }
- rest, err := asn1.UnmarshalWithParams(seq.Bytes, &isCa, "optional")
- if err != nil {
- return &LintResult{Status: Fatal}
- }
- keyUsageValue := util.IsExtInCert(cert, util.KeyUsageOID)
- if len(rest) > 0 && (!cert.IsCA || !keyUsageValue || (keyUsageValue && cert.KeyUsage&x509.KeyUsageCertSign == 0)) {
- return &LintResult{Status: Error}
- }
- return &LintResult{Status: Pass}
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_path_len_constraint_improperly_included",
- Description: "CAs MUST NOT include the pathLenConstraint field unless the CA boolean is asserted and the keyCertSign bit is set",
- Citation: "RFC 5280: 4.2.1.9",
- Source: RFC5280,
- EffectiveDate: util.RFC3280Date,
- Lint: &pathLenIncluded{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_path_len_constraint_zero_or_less.go b/vendor/github.com/zmap/zlint/lints/lint_path_len_constraint_zero_or_less.go
deleted file mode 100644
index 22c77a785..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_path_len_constraint_zero_or_less.go
+++ /dev/null
@@ -1,78 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-/********************************************************************
-The pathLenConstraint field is meaningful only if the cA boolean is
-asserted and the key usage extension, if present, asserts the
-keyCertSign bit (Section 4.2.1.3). In this case, it gives the
-maximum number of non-self-issued intermediate certificates that may
-follow this certificate in a valid certification path. (Note: The
-last certificate in the certification path is not an intermediate
-certificate, and is not included in this limit. Usually, the last
-certificate is an end entity certificate, but it can be a CA
-certificate.) A pathLenConstraint of zero indicates that no non-
-self-issued intermediate CA certificates may follow in a valid
-certification path. Where it appears, the pathLenConstraint field
-MUST be greater than or equal to zero. Where pathLenConstraint does
-not appear, no limit is imposed.
-********************************************************************/
-
-import (
- "encoding/asn1"
-
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type basicConst struct {
- CA bool `asn1:"optional"`
- PathLenConstraint int `asn1:"optional"`
-}
-
-type pathLenNonPositive struct {
-}
-
-func (l *pathLenNonPositive) Initialize() error {
- return nil
-}
-
-func (l *pathLenNonPositive) CheckApplies(cert *x509.Certificate) bool {
- return cert.BasicConstraintsValid
-}
-
-func (l *pathLenNonPositive) Execute(cert *x509.Certificate) *LintResult {
- var bc basicConst
-
- ext := util.GetExtFromCert(cert, util.BasicConstOID)
- if _, err := asn1.Unmarshal(ext.Value, &bc); err != nil {
- return &LintResult{Status: Fatal}
- }
- if bc.PathLenConstraint < 0 {
- return &LintResult{Status: Error}
- }
- return &LintResult{Status: Pass}
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_path_len_constraint_zero_or_less",
- Description: "Where it appears, the pathLenConstraint field MUST be greater than or equal to zero",
- Citation: "RFC 5280: 4.2.1.9",
- Source: RFC5280,
- EffectiveDate: util.RFC2459Date,
- Lint: &pathLenNonPositive{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_public_key_type_not_allowed.go b/vendor/github.com/zmap/zlint/lints/lint_public_key_type_not_allowed.go
deleted file mode 100644
index 3e4b06994..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_public_key_type_not_allowed.go
+++ /dev/null
@@ -1,50 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-import (
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type publicKeyAllowed struct{}
-
-func (l *publicKeyAllowed) Initialize() error {
- return nil
-}
-
-func (l *publicKeyAllowed) CheckApplies(c *x509.Certificate) bool {
- return true
-}
-
-func (l *publicKeyAllowed) Execute(c *x509.Certificate) *LintResult {
- alg := c.PublicKeyAlgorithm
- if alg != x509.UnknownPublicKeyAlgorithm {
- return &LintResult{Status: Pass}
- } else {
- return &LintResult{Status: Error}
- }
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_public_key_type_not_allowed",
- Description: "Certificates MUST have RSA, DSA, or ECDSA public key type",
- Citation: "BRs: 6.1.5",
- Source: CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
- Lint: &publicKeyAllowed{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_qcstatem_etsi_present_qcs_critical.go b/vendor/github.com/zmap/zlint/lints/lint_qcstatem_etsi_present_qcs_critical.go
deleted file mode 100644
index 4f2b9e9d3..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_qcstatem_etsi_present_qcs_critical.go
+++ /dev/null
@@ -1,66 +0,0 @@
-/*
- * ZLint Copyright 2017 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-package lints
-
-import (
- "encoding/asn1"
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type qcStatemQcEtsiPresentQcsCritical struct{}
-
-func (this *qcStatemQcEtsiPresentQcsCritical) getStatementOid() *asn1.ObjectIdentifier {
- return &util.IdEtsiQcsQcCompliance
-}
-
-func (l *qcStatemQcEtsiPresentQcsCritical) Initialize() error {
- return nil
-}
-
-func (l *qcStatemQcEtsiPresentQcsCritical) CheckApplies(c *x509.Certificate) bool {
- if !util.IsExtInCert(c, util.QcStateOid) {
- return false
- }
- if util.IsAnyEtsiQcStatementPresent(util.GetExtFromCert(c, util.QcStateOid).Value) {
- return true
- }
- return false
-}
-
-func (l *qcStatemQcEtsiPresentQcsCritical) Execute(c *x509.Certificate) *LintResult {
- errString := ""
- ext := util.GetExtFromCert(c, util.QcStateOid)
- if ext.Critical {
- errString = "ETSI QC Statement is present and QC Statements extension is marked critical"
- }
-
- if len(errString) == 0 {
- return &LintResult{Status: Pass}
- } else {
- return &LintResult{Status: Error, Details: errString}
- }
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_qcstatem_etsi_present_qcs_critical",
- Description: "Checks that a QC Statement which contains any of the id-etsi-qcs-... QC Statements is not marked critical",
- Citation: "ETSI EN 319 412 - 5 V2.2.1 (2017 - 11) / Section 4.1",
- Source: EtsiEsi,
- EffectiveDate: util.EtsiEn319_412_5_V2_2_1_Date,
- Lint: &qcStatemQcEtsiPresentQcsCritical{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_qcstatem_etsi_type_as_statem.go b/vendor/github.com/zmap/zlint/lints/lint_qcstatem_etsi_type_as_statem.go
deleted file mode 100644
index 638de1361..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_qcstatem_etsi_type_as_statem.go
+++ /dev/null
@@ -1,67 +0,0 @@ -/* - * ZLint Copyright 2017 Regents of the University of Michigan - * - * Licensed under the Apache License, Version 2.0 (the "License"); you may not - * use this file except in compliance with the License. You may obtain a copy - * of the License at http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or - * implied. See the License for the specific language governing - * permissions and limitations under the License. - */ - -package lints - -import ( - "encoding/asn1" - "fmt" - "github.com/zmap/zcrypto/x509" - "github.com/zmap/zlint/util" -) - -type qcStatemEtsiTypeAsStatem struct{} - -func (l *qcStatemEtsiTypeAsStatem) Initialize() error { - return nil -} - -func (l *qcStatemEtsiTypeAsStatem) CheckApplies(c *x509.Certificate) bool { - return util.IsExtInCert(c, util.QcStateOid) -} - -func (l *qcStatemEtsiTypeAsStatem) Execute(c *x509.Certificate) *LintResult { - errString := "" - ext := util.GetExtFromCert(c, util.QcStateOid) - - oidList := make([]*asn1.ObjectIdentifier, 3) - oidList[0] = &util.IdEtsiQcsQctEsign - oidList[1] = &util.IdEtsiQcsQctEseal - oidList[2] = &util.IdEtsiQcsQctWeb - - for _, oid := range oidList { - r := util.ParseQcStatem(ext.Value, *oid) - util.AppendToStringSemicolonDelim(&errString, r.GetErrorInfo()) - if r.IsPresent() { - util.AppendToStringSemicolonDelim(&errString, fmt.Sprintf("ETSI QC Type OID %v used as QC statement", oid)) - } - } - - if len(errString) == 0 { - return &LintResult{Status: Pass} - } else { - return &LintResult{Status: Error, Details: errString} - } -} - -func init() { - RegisterLint(&Lint{ - Name: "e_qcstatem_etsi_type_as_statem", - Description: "Checks for erroneous QC Statement OID that actually are represented by ETSI ESI QC type OID.", - Citation: "ETSI EN 319 412 - 5 V2.2.1 (2017 - 11) / Section 
4.2.3", - Source: EtsiEsi, - EffectiveDate: util.EtsiEn319_412_5_V2_2_1_Date, - Lint: &qcStatemEtsiTypeAsStatem{}, - }) -} diff --git a/vendor/github.com/zmap/zlint/lints/lint_qcstatem_mandatory_etsi_statems.go b/vendor/github.com/zmap/zlint/lints/lint_qcstatem_mandatory_etsi_statems.go deleted file mode 100644 index 9188659b3..000000000 --- a/vendor/github.com/zmap/zlint/lints/lint_qcstatem_mandatory_etsi_statems.go +++ /dev/null 
@@ -1,70 +0,0 @@ -/* - * ZLint Copyright 2017 Regents of the University of Michigan - * - * Licensed under the Apache License, Version 2.0 (the "License"); you may not - * use this file except in compliance with the License. You may obtain a copy - * of the License at http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or - * implied. See the License for the specific language governing - * permissions and limitations under the License. - */ - -package lints - -import ( - "encoding/asn1" - "github.com/zmap/zcrypto/x509" - "github.com/zmap/zlint/util" -) - -type qcStatemQcmandatoryEtsiStatems struct{} - -func (l *qcStatemQcmandatoryEtsiStatems) Initialize() error { - return nil -} - -func (l *qcStatemQcmandatoryEtsiStatems) CheckApplies(c *x509.Certificate) bool { - if !util.IsExtInCert(c, util.QcStateOid) { - return false - } - if util.IsAnyEtsiQcStatementPresent(util.GetExtFromCert(c, util.QcStateOid).Value) { - return true - } - return false -} - -func (l *qcStatemQcmandatoryEtsiStatems) Execute(c *x509.Certificate) *LintResult { - errString := "" - ext := util.GetExtFromCert(c, util.QcStateOid) - - oidList := make([]*asn1.ObjectIdentifier, 1) - oidList[0] = &util.IdEtsiQcsQcCompliance - - for _, oid := range oidList { - r := util.ParseQcStatem(ext.Value, *oid) - util.AppendToStringSemicolonDelim(&errString, r.GetErrorInfo()) - if !r.IsPresent() { - util.AppendToStringSemicolonDelim(&errString, "missing mandatory ETSI QC statement") - } - } - - if len(errString) == 0 { - return &LintResult{Status: Pass} - } else { - return &LintResult{Status: Error, Details: errString} - } -} - -func init() { - RegisterLint(&Lint{ - Name: "e_qcstatem_mandatory_etsi_statems", - Description: "Checks that a QC Statement that contains at least one of the ETSI ESI statements, also 
features the set of mandatory ETSI ESI QC statements.", - Citation: "ETSI EN 319 412 - 5 V2.2.1 (2017 - 11) / Section 5", - Source: EtsiEsi, - EffectiveDate: util.EtsiEn319_412_5_V2_2_1_Date, - Lint: &qcStatemQcmandatoryEtsiStatems{}, - }) -} diff --git a/vendor/github.com/zmap/zlint/lints/lint_qcstatem_qccompliance_valid.go b/vendor/github.com/zmap/zlint/lints/lint_qcstatem_qccompliance_valid.go deleted file mode 100644 index 8559d4e8d..000000000 --- a/vendor/github.com/zmap/zlint/lints/lint_qcstatem_qccompliance_valid.go +++ /dev/null 
@@ -1,65 +0,0 @@ -/* - * ZLint Copyright 2017 Regents of the University of Michigan - * - * Licensed under the Apache License, Version 2.0 (the "License"); you may not - * use this file except in compliance with the License. You may obtain a copy - * of the License at http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or - * implied. See the License for the specific language governing - * permissions and limitations under the License. - */ - -package lints - -import ( - "encoding/asn1" - "github.com/zmap/zcrypto/x509" - "github.com/zmap/zlint/util" -) - -type qcStatemQcComplianceValid struct{} - -func (this *qcStatemQcComplianceValid) getStatementOid() *asn1.ObjectIdentifier { - return &util.IdEtsiQcsQcCompliance -} - -func (l *qcStatemQcComplianceValid) Initialize() error { - return nil -} - -func (l *qcStatemQcComplianceValid) CheckApplies(c *x509.Certificate) bool { - if !util.IsExtInCert(c, util.QcStateOid) { - return false - } - if util.ParseQcStatem(util.GetExtFromCert(c, util.QcStateOid).Value, *l.getStatementOid()).IsPresent() { - return true - } - return false -} - -func (l *qcStatemQcComplianceValid) Execute(c *x509.Certificate) *LintResult { - - errString := "" - ext := util.GetExtFromCert(c, util.QcStateOid) - s := util.ParseQcStatem(ext.Value, *l.getStatementOid()) - errString += s.GetErrorInfo() - if len(errString) == 0 { - return &LintResult{Status: Pass} - } else { - return &LintResult{Status: Error, Details: errString} - } -} - -func init() { - RegisterLint(&Lint{ - Name: "e_qcstatem_qccompliance_valid", - Description: "Checks that a QC Statement of the type id-etsi-qcs-QcCompliance has the correct form", - Citation: "ETSI EN 319 412 - 5 V2.2.1 (2017 - 11) / Section 4.2.1", - Source: EtsiEsi, - EffectiveDate: util.EtsiEn319_412_5_V2_2_1_Date, - 
Lint: &qcStatemQcComplianceValid{}, - }) -} diff --git a/vendor/github.com/zmap/zlint/lints/lint_qcstatem_qclimitvalue_valid.go b/vendor/github.com/zmap/zlint/lints/lint_qcstatem_qclimitvalue_valid.go deleted file mode 100644 index 6675ee704..000000000 --- a/vendor/github.com/zmap/zlint/lints/lint_qcstatem_qclimitvalue_valid.go +++ /dev/null 
@@ -1,99 +0,0 @@ -/* - * ZLint Copyright 2017 Regents of the University of Michigan - * - * Licensed under the Apache License, Version 2.0 (the "License"); you may not - * use this file except in compliance with the License. You may obtain a copy - * of the License at http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or - * implied. See the License for the specific language governing - * permissions and limitations under the License. - */ - -package lints - -import ( - "encoding/asn1" - "unicode" - - "github.com/zmap/zcrypto/x509" - "github.com/zmap/zlint/util" -) - -type qcStatemQcLimitValueValid struct{} - -func (this *qcStatemQcLimitValueValid) getStatementOid() *asn1.ObjectIdentifier { - return &util.IdEtsiQcsQcLimitValue -} - -func (l *qcStatemQcLimitValueValid) Initialize() error { - return nil -} - -func (l *qcStatemQcLimitValueValid) CheckApplies(c *x509.Certificate) bool { - if !util.IsExtInCert(c, util.QcStateOid) { - return false - } - if util.ParseQcStatem(util.GetExtFromCert(c, util.QcStateOid).Value, *l.getStatementOid()).IsPresent() { - return true - } - return false -} - -func isOnlyLetters(s string) bool { - for _, r := range s { - if !unicode.IsLetter(r) { - return false - } - } - return true -} - -func (l *qcStatemQcLimitValueValid) Execute(c *x509.Certificate) *LintResult { - - errString := "" - ext := util.GetExtFromCert(c, util.QcStateOid) - s := util.ParseQcStatem(ext.Value, *l.getStatementOid()) - errString += s.GetErrorInfo() - if len(errString) == 0 { - qcLv, ok := s.(util.EtsiQcLimitValue) - if !ok { - return &LintResult{Status: Error, Details: "parsed QcStatem is not a EtsiQcLimitValue"} - } - if qcLv.Amount < 0 { - util.AppendToStringSemicolonDelim(&errString, "amount is negative") - } - if qcLv.IsNum { - if qcLv.CurrencyNum < 1 || 
qcLv.CurrencyNum > 999 { - util.AppendToStringSemicolonDelim(&errString, "numeric currency code is out of range") - } - } else { - if len(qcLv.CurrencyAlph) != 3 { - util.AppendToStringSemicolonDelim(&errString, "invalid string length of currency code") - } - if !isOnlyLetters(qcLv.CurrencyAlph) { - util.AppendToStringSemicolonDelim(&errString, "currency code string contains not only letters") - } - - } - - } - if len(errString) == 0 { - return &LintResult{Status: Pass} - } else { - return &LintResult{Status: Error, Details: errString} - } -} - -func init() { - RegisterLint(&Lint{ - Name: "e_qcstatem_qclimitvalue_valid", - Description: "Checks that a QC Statement of the type id-etsi-qcs-QcLimitValue has the correct form", - Citation: "ETSI EN 319 412 - 5 V2.2.1 (2017 - 11) / Section 4.3.2", - Source: EtsiEsi, - EffectiveDate: util.EtsiEn319_412_5_V2_2_1_Date, - Lint: &qcStatemQcLimitValueValid{}, - }) -} diff --git a/vendor/github.com/zmap/zlint/lints/lint_qcstatem_qcpds_lang_case.go b/vendor/github.com/zmap/zlint/lints/lint_qcstatem_qcpds_lang_case.go deleted file mode 100644 index 6c49cd08f..000000000 --- a/vendor/github.com/zmap/zlint/lints/lint_qcstatem_qcpds_lang_case.go +++ /dev/null 
@@ -1,89 +0,0 @@ -/* - * ZLint Copyright 2017 Regents of the University of Michigan - * - * Licensed under the Apache License, Version 2.0 (the "License"); you may not - * use this file except in compliance with the License. You may obtain a copy - * of the License at http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or - * implied. See the License for the specific language governing - * permissions and limitations under the License. - */ - -package lints - -import ( - "encoding/asn1" - "fmt" - "github.com/zmap/zcrypto/x509" - "github.com/zmap/zlint/util" - "unicode" -) - -type qcStatemQcPdsLangCase struct{} - -func (this *qcStatemQcPdsLangCase) getStatementOid() *asn1.ObjectIdentifier { - return &util.IdEtsiQcsQcEuPDS -} - -func (l *qcStatemQcPdsLangCase) Initialize() error { - return nil -} - -func (l *qcStatemQcPdsLangCase) CheckApplies(c *x509.Certificate) bool { - if !util.IsExtInCert(c, util.QcStateOid) { - return false - } - if util.ParseQcStatem(util.GetExtFromCert(c, util.QcStateOid).Value, *l.getStatementOid()).IsPresent() { - return true - } - return false -} - -func isOnlyLowerCaseLetters(s string) bool { - for _, c := range s { - if !unicode.IsLower(c) { - return false - } - } - return true -} - -func (l *qcStatemQcPdsLangCase) Execute(c *x509.Certificate) *LintResult { - errString := "" - wrnString := "" - ext := util.GetExtFromCert(c, util.QcStateOid) - s := util.ParseQcStatem(ext.Value, *l.getStatementOid()) - errString += s.GetErrorInfo() - if len(errString) == 0 { - pds := s.(util.EtsiQcPds) - for i, loc := range pds.PdsLocations { - if !isOnlyLowerCaseLetters(loc.Language) { - util.AppendToStringSemicolonDelim(&wrnString, fmt.Sprintf("PDS location %d has a language code containing invalid letters", i)) - } - - } - } - if len(errString) == 0 { - 
if len(wrnString) == 0 { - return &LintResult{Status: Pass} - } else { - return &LintResult{Status: Warn, Details: wrnString} - } - } else { - return &LintResult{Status: Error, Details: errString} - } -} - -func init() { - RegisterLint(&Lint{ - Name: "w_qcstatem_qcpds_lang_case", - Description: "Checks that a QC Statement of the type id-etsi-qcs-QcPDS features a language code comprised of only lower case letters", - Citation: "ETSI EN 319 412 - 5 V2.2.1 (2017 - 11) / Section 4.3.4", - Source: EtsiEsi, - EffectiveDate: util.EtsiEn319_412_5_V2_2_1_Date, - Lint: &qcStatemQcPdsLangCase{}, - }) -} diff --git a/vendor/github.com/zmap/zlint/lints/lint_qcstatem_qcpds_valid.go b/vendor/github.com/zmap/zlint/lints/lint_qcstatem_qcpds_valid.go deleted file mode 100644 index b6f7c4754..000000000 --- a/vendor/github.com/zmap/zlint/lints/lint_qcstatem_qcpds_valid.go +++ /dev/null 
@@ -1,99 +0,0 @@ -/* - * ZLint Copyright 2017 Regents of the University of Michigan - * - * Licensed under the Apache License, Version 2.0 (the "License"); you may not - * use this file except in compliance with the License. You may obtain a copy - * of the License at http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or - * implied. See the License for the specific language governing - * permissions and limitations under the License. - */ - -package lints - -import ( - "encoding/asn1" - "fmt" - "github.com/zmap/zcrypto/x509" - "github.com/zmap/zlint/util" - "strings" -) - -type qcStatemQcPdsValid struct{} - -func (this *qcStatemQcPdsValid) getStatementOid() *asn1.ObjectIdentifier { - return &util.IdEtsiQcsQcEuPDS -} - -func (l *qcStatemQcPdsValid) Initialize() error { - return nil -} - -func (l *qcStatemQcPdsValid) CheckApplies(c *x509.Certificate) bool { - if !util.IsExtInCert(c, util.QcStateOid) { - return false - } - if util.ParseQcStatem(util.GetExtFromCert(c, util.QcStateOid).Value, *l.getStatementOid()).IsPresent() { - return true - } - return false -} - -func isInList(s string, list []string) bool { - for _, i := range list { - if strings.Compare(i, s) == 0 { - return true - } - } - return false -} - -func (l *qcStatemQcPdsValid) Execute(c *x509.Certificate) *LintResult { - errString := "" - ext := util.GetExtFromCert(c, util.QcStateOid) - s := util.ParseQcStatem(ext.Value, *l.getStatementOid()) - errString += s.GetErrorInfo() - if len(errString) == 0 { - codeList := make([]string, 0) - foundEn := false - pds := s.(util.EtsiQcPds) - if len(pds.PdsLocations) == 0 { - util.AppendToStringSemicolonDelim(&errString, "PDS list is empty") - } - for i, loc := range pds.PdsLocations { - if len(loc.Language) != 2 { - util.AppendToStringSemicolonDelim(&errString, 
fmt.Sprintf("PDS location %d has a language code with an invalid length", i)) - } - if strings.Compare(strings.ToLower(loc.Language), "en") == 0 { - foundEn = true - } - if isInList(strings.ToLower(loc.Language), codeList) { - util.AppendToStringSemicolonDelim(&errString, "country code '"+loc.Language+"' appears multiple times") - } - codeList = append(codeList, loc.Language) - - } - if !foundEn { - util.AppendToStringSemicolonDelim(&errString, "no english PDS present") - } - } - if len(errString) == 0 { - return &LintResult{Status: Pass} - } else { - return &LintResult{Status: Error, Details: errString} - } -} - -func init() { - RegisterLint(&Lint{ - Name: "e_qcstatem_qcpds_valid", - Description: "Checks that a QC Statement of the type id-etsi-qcs-QcPDS has the correct form", - Citation: "ETSI EN 319 412 - 5 V2.2.1 (2017 - 11) / Section 4.3.4", - Source: EtsiEsi, - EffectiveDate: util.EtsiEn319_412_5_V2_2_1_Date, - Lint: &qcStatemQcPdsValid{}, - }) -} diff --git a/vendor/github.com/zmap/zlint/lints/lint_qcstatem_qcretentionperiod_valid.go b/vendor/github.com/zmap/zlint/lints/lint_qcstatem_qcretentionperiod_valid.go deleted file mode 100644 index 615c640c8..000000000 --- a/vendor/github.com/zmap/zlint/lints/lint_qcstatem_qcretentionperiod_valid.go +++ /dev/null 
@@ -1,72 +0,0 @@ -/* - * ZLint Copyright 2017 Regents of the University of Michigan - * - * Licensed under the Apache License, Version 2.0 (the "License"); you may not - * use this file except in compliance with the License. You may obtain a copy - * of the License at http://www.apache.org/licenses/LICENSE-2.0 - - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or - * implied. See the License for the specific language governing - * permissions and limitations under the License. - */ - -package lints - -import ( - "encoding/asn1" - "github.com/zmap/zcrypto/x509" - "github.com/zmap/zlint/util" -) - -type qcStatemQcRetentionPeriodValid struct{} - -func (this *qcStatemQcRetentionPeriodValid) getStatementOid() *asn1.ObjectIdentifier { - return &util.IdEtsiQcsQcRetentionPeriod -} - -func (l *qcStatemQcRetentionPeriodValid) Initialize() error { - return nil -} - -func (l *qcStatemQcRetentionPeriodValid) CheckApplies(c *x509.Certificate) bool { - if !util.IsExtInCert(c, util.QcStateOid) { - return false - } - if util.ParseQcStatem(util.GetExtFromCert(c, util.QcStateOid).Value, *l.getStatementOid()).IsPresent() { - return true - } - return false -} - -func (l *qcStatemQcRetentionPeriodValid) Execute(c *x509.Certificate) *LintResult { - - errString := "" - ext := util.GetExtFromCert(c, util.QcStateOid) - s := util.ParseQcStatem(ext.Value, *l.getStatementOid()) - errString += s.GetErrorInfo() - if len(errString) == 0 { - - rp := s.(util.EtsiQcRetentionPeriod) - if rp.Period < 0 { - util.AppendToStringSemicolonDelim(&errString, "retention period is negative") - } - } - if len(errString) == 0 { - return &LintResult{Status: Pass} - } else { - return &LintResult{Status: Error, Details: errString} - } -} - -func init() { - RegisterLint(&Lint{ - Name: "e_qcstatem_qcretentionperiod_valid", - Description: "Checks that a QC 
Statement of the type id-etsi-qcs-QcRetentionPeriod has the correct form", - Citation: "ETSI EN 319 412 - 5 V2.2.1 (2017 - 11)/ Section 4.3.3", - Source: EtsiEsi, - EffectiveDate: util.EtsiEn319_412_5_V2_2_1_Date, - Lint: &qcStatemQcRetentionPeriodValid{}, - }) -} diff --git a/vendor/github.com/zmap/zlint/lints/lint_qcstatem_qcsscd_valid.go b/vendor/github.com/zmap/zlint/lints/lint_qcstatem_qcsscd_valid.go deleted file mode 100644 index bf6f1d57a..000000000 --- a/vendor/github.com/zmap/zlint/lints/lint_qcstatem_qcsscd_valid.go +++ /dev/null 
@@ -1,66 +0,0 @@
-/*
- * ZLint Copyright 2017 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-package lints
-
-import (
- "encoding/asn1"
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type qcStatemQcSscdValid struct{}
-
-func (this *qcStatemQcSscdValid) getStatementOid() *asn1.ObjectIdentifier {
- return &util.IdEtsiQcsQcSSCD
-}
-
-func (l *qcStatemQcSscdValid) Initialize() error {
- return nil
-}
-
-func (l *qcStatemQcSscdValid) CheckApplies(c *x509.Certificate) bool {
- if !util.IsExtInCert(c, util.QcStateOid) {
- return false
- }
- if util.ParseQcStatem(util.GetExtFromCert(c, util.QcStateOid).Value, *l.getStatementOid()).IsPresent() {
- return true
- }
- return false
-}
-
-func (l *qcStatemQcSscdValid) Execute(c *x509.Certificate) *LintResult {
-
- errString := ""
- ext := util.GetExtFromCert(c, util.QcStateOid)
- s := util.ParseQcStatem(ext.Value, *l.getStatementOid())
- errString += s.GetErrorInfo()
-
- if len(errString) == 0 {
- return &LintResult{Status: Pass}
- } else {
- return &LintResult{Status: Error, Details: errString}
- }
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_qcstatem_qcsscd_valid",
- Description: "Checks that a QC Statement of the type id-etsi-qcs-QcSSCD has the correct form",
- Citation: "ETSI EN 319 412 - 5 V2.2.1 (2017 - 11) / Section 4.2.2",
- Source: EtsiEsi,
- EffectiveDate: util.EtsiEn319_412_5_V2_2_1_Date,
- Lint: &qcStatemQcSscdValid{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_qcstatem_qctype_valid.go b/vendor/github.com/zmap/zlint/lints/lint_qcstatem_qctype_valid.go
deleted file mode 100644
index b1b3e47d4..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_qcstatem_qctype_valid.go
+++ /dev/null
@@ -1,82 +0,0 @@ -/* - * ZLint Copyright 2017 Regents of the University of Michigan - * - * Licensed under the Apache License, Version 2.0 (the "License"); you may not - * use this file except in compliance with the License. You may obtain a copy - * of the License at http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or - * implied. See the License for the specific language governing - * permissions and limitations under the License. - */ - -package lints - -import ( - "encoding/asn1" - "fmt" - "github.com/zmap/zcrypto/x509" - "github.com/zmap/zlint/util" -) - -type qcStatemQctypeValid struct{} - -func (this *qcStatemQctypeValid) getStatementOid() *asn1.ObjectIdentifier { - return &util.IdEtsiQcsQcType -} - -func (l *qcStatemQctypeValid) Initialize() error { - return nil -} - -func (l *qcStatemQctypeValid) CheckApplies(c *x509.Certificate) bool { - if !util.IsExtInCert(c, util.QcStateOid) { - return false - } - if util.ParseQcStatem(util.GetExtFromCert(c, util.QcStateOid).Value, *l.getStatementOid()).IsPresent() { - return true - } - return false -} - -func (l *qcStatemQctypeValid) Execute(c *x509.Certificate) *LintResult { - - errString := "" - ext := util.GetExtFromCert(c, util.QcStateOid) - s := util.ParseQcStatem(ext.Value, *l.getStatementOid()) - errString += s.GetErrorInfo() - if len(errString) == 0 { - qcType := s.(util.Etsi423QcType) - if len(qcType.TypeOids) == 0 { - errString += "no QcType present, sequence of OIDs is empty" - } - for _, t := range qcType.TypeOids { - - if !t.Equal(util.IdEtsiQcsQctEsign) && !t.Equal(util.IdEtsiQcsQctEseal) && !t.Equal(util.IdEtsiQcsQctWeb) { - if len(errString) > 0 { - errString += "; " - } - errString += fmt.Sprintf("encountered invalid ETSI QcType OID: %v", t) - } - } - } - - if len(errString) == 0 { - return 
&LintResult{Status: Pass} - } else { - return &LintResult{Status: Error, Details: errString} - } -} - -func init() { - RegisterLint(&Lint{ - Name: "e_qcstatem_qctype_valid", - Description: "Checks that a QC Statement of the type Id-etsi-qcs-QcType features a non-empty list of only the allowed QcType OIDs", - Citation: "ETSI EN 319 412 - 5 V2.2.1 (2017 - 11) / Section 4.2.3", - Source: EtsiEsi, - EffectiveDate: util.EtsiEn319_412_5_V2_2_1_Date, - Lint: &qcStatemQctypeValid{}, - }) -} diff --git a/vendor/github.com/zmap/zlint/lints/lint_qcstatem_qctype_web.go b/vendor/github.com/zmap/zlint/lints/lint_qcstatem_qctype_web.go deleted file mode 100644 index 31bb2856e..000000000 --- a/vendor/github.com/zmap/zlint/lints/lint_qcstatem_qctype_web.go +++ /dev/null 
@@ -1,89 +0,0 @@ -/* - * ZLint Copyright 2017 Regents of the University of Michigan - * - * Licensed under the Apache License, Version 2.0 (the "License"); you may not - * use this file except in compliance with the License. You may obtain a copy - * of the License at http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or - * implied. See the License for the specific language governing - * permissions and limitations under the License. - */ - -package lints - -import ( - "encoding/asn1" - "fmt" - "github.com/zmap/zcrypto/x509" - "github.com/zmap/zlint/util" -) - -type qcStatemQctypeWeb struct{} - -func (this *qcStatemQctypeWeb) getStatementOid() *asn1.ObjectIdentifier { - return &util.IdEtsiQcsQcType -} - -func (l *qcStatemQctypeWeb) Initialize() error { - return nil -} - -func (l *qcStatemQctypeWeb) CheckApplies(c *x509.Certificate) bool { - if !util.IsExtInCert(c, util.QcStateOid) { - return false - } - if util.ParseQcStatem(util.GetExtFromCert(c, util.QcStateOid).Value, *l.getStatementOid()).IsPresent() { - return true - } - return false -} - -func (l *qcStatemQctypeWeb) Execute(c *x509.Certificate) *LintResult { - - errString := "" - wrnString := "" - ext := util.GetExtFromCert(c, util.QcStateOid) - s := util.ParseQcStatem(ext.Value, *l.getStatementOid()) - errString += s.GetErrorInfo() - if len(errString) == 0 { - qcType := s.(util.Etsi423QcType) - if len(qcType.TypeOids) == 0 { - errString += "no QcType present, sequence of OIDs is empty" - } - found := false - for _, t := range qcType.TypeOids { - - if t.Equal(util.IdEtsiQcsQctWeb) { - found = true - } - } - if found != true { - wrnString += fmt.Sprintf("etsi Type does not indicate certificate as a 'web' certificate") - - } - } - - if len(errString) == 0 { - if len(wrnString) == 0 { - return 
&LintResult{Status: Pass} - } else { - return &LintResult{Status: Warn, Details: wrnString} - } - } else { - return &LintResult{Status: Error, Details: errString} - } -} - -func init() { - RegisterLint(&Lint{ - Name: "w_qcstatem_qctype_web", - Description: "Checks that a QC Statement of the type Id-etsi-qcs-QcType features features at least the type IdEtsiQcsQctWeb", - Citation: "ETSI EN 319 412 - 5 V2.2.1 (2017 - 11) / Section 4.2.3", - Source: EtsiEsi, - EffectiveDate: util.EtsiEn319_412_5_V2_2_1_Date, - Lint: &qcStatemQctypeWeb{}, - }) -} diff --git a/vendor/github.com/zmap/zlint/lints/lint_root_ca_basic_constraints_path_len_constraint_field_present.go b/vendor/github.com/zmap/zlint/lints/lint_root_ca_basic_constraints_path_len_constraint_field_present.go deleted file mode 100644 index 0e942da31..000000000 --- a/vendor/github.com/zmap/zlint/lints/lint_root_ca_basic_constraints_path_len_constraint_field_present.go +++ /dev/null 
@@ -1,70 +0,0 @@ -package lints - -/* - * ZLint Copyright 2018 Regents of the University of Michigan - * - * Licensed under the Apache License, Version 2.0 (the "License"); you may not - * use this file except in compliance with the License. You may obtain a copy - * of the License at http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or - * implied. See the License for the specific language governing - * permissions and limitations under the License. - */ - -/************************************************************************************************************ -7.1.2.1. Root CA Certificate -a. basicConstraints -This extension MUST appear as a critical extension. The cA field MUST be set true. The pathLenConstraint field SHOULD NOT be present. -***********************************************************************************************************/ - -import ( - "encoding/asn1" - - "github.com/zmap/zcrypto/x509" - "github.com/zmap/zlint/util" -) - -type rootCaPathLenPresent struct{} - -func (l *rootCaPathLenPresent) Initialize() error { - return nil -} - -func (l *rootCaPathLenPresent) CheckApplies(c *x509.Certificate) bool { - return util.IsRootCA(c) && util.IsExtInCert(c, util.BasicConstOID) -} - -func (l *rootCaPathLenPresent) Execute(c *x509.Certificate) *LintResult { - bc := util.GetExtFromCert(c, util.BasicConstOID) - var seq asn1.RawValue - var isCa bool - _, err := asn1.Unmarshal(bc.Value, &seq) - if err != nil { - return &LintResult{Status: Fatal} - } - if len(seq.Bytes) == 0 { - return &LintResult{Status: Pass} - } - rest, err := asn1.Unmarshal(seq.Bytes, &isCa) - if err != nil { - return &LintResult{Status: Fatal} - } - if len(rest) > 0 { - return &LintResult{Status: Warn} - } - return &LintResult{Status: Pass} -} - -func init() { - 
RegisterLint(&Lint{ - Name: "w_root_ca_basic_constraints_path_len_constraint_field_present", - Description: "Root CA certificate basicConstraint extension pathLenConstraint field SHOULD NOT be present", - Citation: "BRs: 7.1.2.1", - Source: CABFBaselineRequirements, - EffectiveDate: util.CABEffectiveDate, - Lint: &rootCaPathLenPresent{}, - }) -} diff --git a/vendor/github.com/zmap/zlint/lints/lint_root_ca_contains_cert_policy.go b/vendor/github.com/zmap/zlint/lints/lint_root_ca_contains_cert_policy.go deleted file mode 100644 index 1fedbfcb5..000000000 --- a/vendor/github.com/zmap/zlint/lints/lint_root_ca_contains_cert_policy.go +++ /dev/null 
@@ -1,54 +0,0 @@ -package lints - -/* - * ZLint Copyright 2018 Regents of the University of Michigan - * - * Licensed under the Apache License, Version 2.0 (the "License"); you may not - * use this file except in compliance with the License. You may obtain a copy - * of the License at http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or - * implied. See the License for the specific language governing - * permissions and limitations under the License. - */ - -/************************************************ -BRs: 7.1.2.1c certificatePolicies -This extension SHOULD NOT be present. -************************************************/ - -import ( - "github.com/zmap/zcrypto/x509" - "github.com/zmap/zlint/util" -) - -type rootCAContainsCertPolicy struct{} - -func (l *rootCAContainsCertPolicy) Initialize() error { - return nil -} - -func (l *rootCAContainsCertPolicy) CheckApplies(c *x509.Certificate) bool { - return util.IsRootCA(c) -} - -func (l *rootCAContainsCertPolicy) Execute(c *x509.Certificate) *LintResult { - if util.IsExtInCert(c, util.CertPolicyOID) { - return &LintResult{Status: Warn} - } else { - return &LintResult{Status: Pass} - } -} - -func init() { - RegisterLint(&Lint{ - Name: "w_root_ca_contains_cert_policy", - Description: "Root CA Certificate: certificatePolicies SHOULD NOT be present.", - Citation: "BRs: 7.1.2.1", - Source: CABFBaselineRequirements, - EffectiveDate: util.CABEffectiveDate, - Lint: &rootCAContainsCertPolicy{}, - }) -} diff --git a/vendor/github.com/zmap/zlint/lints/lint_root_ca_extended_key_usage_present.go b/vendor/github.com/zmap/zlint/lints/lint_root_ca_extended_key_usage_present.go deleted file mode 100644 index 48a639d54..000000000 --- a/vendor/github.com/zmap/zlint/lints/lint_root_ca_extended_key_usage_present.go +++ /dev/null 
@@ -1,55 +0,0 @@ -package lints - -/* - * ZLint Copyright 2018 Regents of the University of Michigan - * - * Licensed under the Apache License, Version 2.0 (the "License"); you may not - * use this file except in compliance with the License. You may obtain a copy - * of the License at http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or - * implied. See the License for the specific language governing - * permissions and limitations under the License. - */ - -/************************************************ -BRs: 7.1.2.1d extendedKeyUsage -This extension MUST NOT be present. -************************************************/ - -import ( - "github.com/zmap/zcrypto/x509" - "github.com/zmap/zlint/util" -) - -type rootCAContainsEKU struct{} - -func (l *rootCAContainsEKU) Initialize() error { - return nil -} - -func (l *rootCAContainsEKU) CheckApplies(c *x509.Certificate) bool { - return util.IsRootCA(c) -} - -func (l *rootCAContainsEKU) Execute(c *x509.Certificate) *LintResult { - // Add actual lint here - if util.IsExtInCert(c, util.EkuSynOid) { - return &LintResult{Status: Error} - } else { - return &LintResult{Status: Pass} - } -} - -func init() { - RegisterLint(&Lint{ - Name: "e_root_ca_extended_key_usage_present", - Description: "Root CA Certificate: extendedKeyUsage MUST NOT be present.t", - Citation: "BRs: 7.1.2.1", - Source: CABFBaselineRequirements, - EffectiveDate: util.CABEffectiveDate, - Lint: &rootCAContainsEKU{}, - }) -} diff --git a/vendor/github.com/zmap/zlint/lints/lint_root_ca_key_usage_must_be_critical.go b/vendor/github.com/zmap/zlint/lints/lint_root_ca_key_usage_must_be_critical.go deleted file mode 100644 index 0e49f46d2..000000000 --- a/vendor/github.com/zmap/zlint/lints/lint_root_ca_key_usage_must_be_critical.go +++ /dev/null 
@@ -1,50 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-import (
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type rootCAKeyUsageMustBeCritical struct{}
-
-func (l *rootCAKeyUsageMustBeCritical) Initialize() error {
- return nil
-}
-
-func (l *rootCAKeyUsageMustBeCritical) CheckApplies(c *x509.Certificate) bool {
- return util.IsRootCA(c) && util.IsExtInCert(c, util.KeyUsageOID)
-}
-
-func (l *rootCAKeyUsageMustBeCritical) Execute(c *x509.Certificate) *LintResult {
- keyUsageExtension := util.GetExtFromCert(c, util.KeyUsageOID)
- if keyUsageExtension.Critical {
- return &LintResult{Status: Pass}
- } else {
- return &LintResult{Status: Error}
- }
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_root_ca_key_usage_must_be_critical",
- Description: "Root CA certificates MUST have Key Usage Extension marked critical",
- Citation: "BRs: 7.1.2.1",
- Source: CABFBaselineRequirements,
- EffectiveDate: util.RFC2459Date,
- Lint: &rootCAKeyUsageMustBeCritical{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_root_ca_key_usage_present.go b/vendor/github.com/zmap/zlint/lints/lint_root_ca_key_usage_present.go
deleted file mode 100644
index 3babc03c7..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_root_ca_key_usage_present.go
+++ /dev/null
@@ -1,50 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-import (
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type rootCAKeyUsagePresent struct{}
-
-func (l *rootCAKeyUsagePresent) Initialize() error {
- return nil
-}
-
-func (l *rootCAKeyUsagePresent) CheckApplies(c *x509.Certificate) bool {
- return util.IsRootCA(c)
-}
-
-func (l *rootCAKeyUsagePresent) Execute(c *x509.Certificate) *LintResult {
- // Add actual lint here
- if util.IsExtInCert(c, util.KeyUsageOID) {
- return &LintResult{Status: Pass}
- } else {
- return &LintResult{Status: Error}
- }
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_root_ca_key_usage_present",
- Description: "Root CA certificates MUST have Key Usage Extension Present",
- Citation: "BRs: 7.1.2.1",
- Source: CABFBaselineRequirements,
- EffectiveDate: util.RFC2459Date,
- Lint: &rootCAKeyUsagePresent{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_rsa_exp_negative.go b/vendor/github.com/zmap/zlint/lints/lint_rsa_exp_negative.go
deleted file mode 100644
index 3fed5c218..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_rsa_exp_negative.go
+++ /dev/null
@@ -1,52 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-import (
- "crypto/rsa"
-
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type rsaExpNegative struct{}
-
-func (l *rsaExpNegative) Initialize() error {
- return nil
-}
-
-func (l *rsaExpNegative) CheckApplies(c *x509.Certificate) bool {
- _, ok := c.PublicKey.(*rsa.PublicKey)
- return ok && c.PublicKeyAlgorithm == x509.RSA
-}
-
-func (l *rsaExpNegative) Execute(c *x509.Certificate) *LintResult {
- key := c.PublicKey.(*rsa.PublicKey)
- if key.E < 0 {
- return &LintResult{Status: Error}
- }
- return &LintResult{Status: Pass}
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_rsa_exp_negative",
- Description: "RSA public key exponent MUST be positive",
- Citation: "awslabs certlint",
- Source: AWSLabs,
- EffectiveDate: util.ZeroDate,
- Lint: &rsaExpNegative{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_rsa_mod_factors_smaller_than_752_bits.go b/vendor/github.com/zmap/zlint/lints/lint_rsa_mod_factors_smaller_than_752_bits.go
deleted file mode 100644
index a2742c68b..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_rsa_mod_factors_smaller_than_752_bits.go
+++ /dev/null
@@ -1,58 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-/**************************************************************************************************
-6.1.6. Public Key Parameters Generation and Quality Checking
-RSA: The CA SHALL confirm that the value of the public exponent is an odd number equal to 3 or more. Additionally, the public exponent SHOULD be in the range between 216+1 and 2256-1. The modulus SHOULD also have the following characteristics: an odd number, not the power of a prime, and have no factors smaller than 752. [Citation: Section 5.3.3, NIST SP 800‐89].
-**************************************************************************************************/
-
-import (
- "crypto/rsa"
-
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type rsaModSmallFactor struct{}
-
-func (l *rsaModSmallFactor) Initialize() error {
- return nil
-}
-
-func (l *rsaModSmallFactor) CheckApplies(c *x509.Certificate) bool {
- _, ok := c.PublicKey.(*rsa.PublicKey)
- return ok && c.PublicKeyAlgorithm == x509.RSA
-}
-
-func (l *rsaModSmallFactor) Execute(c *x509.Certificate) *LintResult {
- key := c.PublicKey.(*rsa.PublicKey)
- if util.PrimeNoSmallerThan752(key.N) {
- return &LintResult{Status: Pass}
- }
- return &LintResult{Status: Warn}
-
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "w_rsa_mod_factors_smaller_than_752",
- Description: "RSA: Modulus SHOULD also have the following characteristics: no factors smaller than 752",
- Citation: "BRs: 6.1.6",
- Source: CABFBaselineRequirements,
- EffectiveDate: util.CABV113Date,
- Lint: &rsaModSmallFactor{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_rsa_mod_less_than_2048_bits.go b/vendor/github.com/zmap/zlint/lints/lint_rsa_mod_less_than_2048_bits.go
deleted file mode 100644
index b8be14ebe..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_rsa_mod_less_than_2048_bits.go
+++ /dev/null
@@ -1,57 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-/************************************************
-Change this to match source TEXT
-************************************************/
-
-import (
- "crypto/rsa"
-
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type rsaParsedTestsKeySize struct{}
-
-func (l *rsaParsedTestsKeySize) Initialize() error {
- return nil
-}
-
-func (l *rsaParsedTestsKeySize) CheckApplies(c *x509.Certificate) bool {
- _, ok := c.PublicKey.(*rsa.PublicKey)
- return ok && c.PublicKeyAlgorithm == x509.RSA && c.NotAfter.After(util.NoRSA1024Date.Add(-1))
-}
-
-func (l *rsaParsedTestsKeySize) Execute(c *x509.Certificate) *LintResult {
- key := c.PublicKey.(*rsa.PublicKey)
- if key.N.BitLen() < 2048 {
- return &LintResult{Status: Error}
- } else {
- return &LintResult{Status: Pass}
- }
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_rsa_mod_less_than_2048_bits",
- Description: "For certificates valid after 31 Dec 2013, all certificates using RSA public key algorithm MUST have 2048 bits of modulus",
- Citation: "BRs: 6.1.5",
- Source: CABFBaselineRequirements,
- EffectiveDate: util.ZeroDate,
- Lint: &rsaParsedTestsKeySize{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_rsa_mod_not_odd.go b/vendor/github.com/zmap/zlint/lints/lint_rsa_mod_not_odd.go
deleted file mode 100644
index b35077c4c..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_rsa_mod_not_odd.go
+++ /dev/null
@@ -1,60 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-/*******************************************************************************************************
-"BRs: 6.1.6"
-RSA: The CA SHALL confirm that the value of the public exponent is an odd number equal to 3 or more. Additionally, the public exponent SHOULD be in the range between 2^16+1 and 2^256-1. The modulus SHOULD also have the following characteristics: an odd number, not the power of a prime, and have no factors smaller than 752. [Citation: Section 5.3.3, NIST SP 800-89].
-*******************************************************************************************************/
-
-import (
- "crypto/rsa"
- "math/big"
-
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type rsaParsedTestsKeyModOdd struct{}
-
-func (l *rsaParsedTestsKeyModOdd) Initialize() error {
- return nil
-}
-
-func (l *rsaParsedTestsKeyModOdd) CheckApplies(c *x509.Certificate) bool {
- _, ok := c.PublicKey.(*rsa.PublicKey)
- return ok && c.PublicKeyAlgorithm == x509.RSA
-}
-
-func (l *rsaParsedTestsKeyModOdd) Execute(c *x509.Certificate) *LintResult {
- key := c.PublicKey.(*rsa.PublicKey)
- z := big.NewInt(0)
- if (z.Mod(key.N, big.NewInt(2)).Cmp(big.NewInt(1))) == 0 {
- return &LintResult{Status: Pass}
- } else {
- return &LintResult{Status: Warn}
- }
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "w_rsa_mod_not_odd",
- Description: "RSA: Modulus SHOULD also have the following characteristics: an odd number",
- Citation: "BRs: 6.1.6",
- Source: CABFBaselineRequirements,
- EffectiveDate: util.CABV113Date,
- Lint: &rsaParsedTestsKeyModOdd{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_rsa_no_public_key.go b/vendor/github.com/zmap/zlint/lints/lint_rsa_no_public_key.go
deleted file mode 100644
index d6edae467..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_rsa_no_public_key.go
+++ /dev/null
@@ -1,52 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-import (
- "crypto/rsa"
-
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type rsaParsedPubKeyExist struct{}
-
-func (l *rsaParsedPubKeyExist) Initialize() error {
- return nil
-}
-
-func (l *rsaParsedPubKeyExist) CheckApplies(c *x509.Certificate) bool {
- return c.PublicKeyAlgorithm == x509.RSA
-}
-
-func (l *rsaParsedPubKeyExist) Execute(c *x509.Certificate) *LintResult {
- _, ok := c.PublicKey.(*rsa.PublicKey)
- if !ok {
- return &LintResult{Status: Error}
- } else {
- return &LintResult{Status: Pass}
- }
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_rsa_no_public_key",
- Description: "The RSA public key should be present",
- Citation: "awslabs certlint",
- Source: AWSLabs,
- EffectiveDate: util.ZeroDate,
- Lint: &rsaParsedPubKeyExist{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_rsa_public_exponent_not_in_range.go b/vendor/github.com/zmap/zlint/lints/lint_rsa_public_exponent_not_in_range.go
deleted file mode 100644
index a28505e87..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_rsa_public_exponent_not_in_range.go
+++ /dev/null
@@ -1,64 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-/*******************************************************************************************************
-"BRs: 6.1.6"
-RSA: The CA SHALL confirm that the value of the public exponent is an odd number equal to 3 or more. Additionally, the public exponent SHOULD be in the range between 2^16+1 and 2^256-1. The modulus SHOULD also have the following characteristics: an odd number, not the power of a prime, and have no factors smaller than 752. [Citation: Section 5.3.3, NIST SP 800-89].
-*******************************************************************************************************/
-
-import (
- "crypto/rsa"
- "math/big"
-
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type rsaParsedTestsExpInRange struct {
- upperBound *big.Int
-}
-
-func (l *rsaParsedTestsExpInRange) Initialize() error {
- l.upperBound = &big.Int{}
- l.upperBound.Exp(big.NewInt(2), big.NewInt(256), nil)
- return nil
-}
-
-func (l *rsaParsedTestsExpInRange) CheckApplies(c *x509.Certificate) bool {
- _, ok := c.PublicKey.(*rsa.PublicKey)
- return ok && c.PublicKeyAlgorithm == x509.RSA
-}
-
-func (l *rsaParsedTestsExpInRange) Execute(c *x509.Certificate) *LintResult {
- key := c.PublicKey.(*rsa.PublicKey)
- exponent := key.E
- const lowerBound = 65536 // 2^16 + 1
- if exponent > lowerBound && l.upperBound.Cmp(big.NewInt(int64(exponent))) == 1 {
- return &LintResult{Status: Pass}
- }
- return &LintResult{Status: Warn}
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "w_rsa_public_exponent_not_in_range",
- Description: "RSA: Public exponent SHOULD be in the range between 2^16 + 1 and 2^256 - 1",
- Citation: "BRs: 6.1.6",
- Source: CABFBaselineRequirements,
- EffectiveDate: util.CABV113Date,
- Lint: &rsaParsedTestsExpInRange{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_rsa_public_exponent_not_odd.go b/vendor/github.com/zmap/zlint/lints/lint_rsa_public_exponent_not_odd.go
deleted file mode 100644
index 8edf839ed..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_rsa_public_exponent_not_odd.go
+++ /dev/null
@@ -1,58 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-/*******************************************************************************************************
-"BRs: 6.1.6"
-RSA: The CA SHALL confirm that the value of the public exponent is an odd number equal to 3 or more. Additionally, the public exponent SHOULD be in the range between 2^16+1 and 2^256-1. The modulus SHOULD also have the following characteristics: an odd number, not the power of a prime, and have no factors smaller than 752. [Citation: Section 5.3.3, NIST SP 800-89].
-*******************************************************************************************************/
-
-import (
- "crypto/rsa"
-
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type rsaParsedTestsKeyExpOdd struct{}
-
-func (l *rsaParsedTestsKeyExpOdd) Initialize() error {
- return nil
-}
-
-func (l *rsaParsedTestsKeyExpOdd) CheckApplies(c *x509.Certificate) bool {
- _, ok := c.PublicKey.(*rsa.PublicKey)
- return ok && c.PublicKeyAlgorithm == x509.RSA
-}
-
-func (l *rsaParsedTestsKeyExpOdd) Execute(c *x509.Certificate) *LintResult {
- key := c.PublicKey.(*rsa.PublicKey)
- if key.E%2 == 1 {
- return &LintResult{Status: Pass}
- } else {
- return &LintResult{Status: Error}
- }
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_rsa_public_exponent_not_odd",
- Description: "RSA: Value of public exponent is an odd number equal to 3 or more.",
- Citation: "BRs: 6.1.6",
- Source: CABFBaselineRequirements,
- EffectiveDate: util.CABV113Date,
- Lint: &rsaParsedTestsKeyExpOdd{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_rsa_public_exponent_too_small.go b/vendor/github.com/zmap/zlint/lints/lint_rsa_public_exponent_too_small.go
deleted file mode 100644
index 2cf52c154..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_rsa_public_exponent_too_small.go
+++ /dev/null
@@ -1,58 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-/*******************************************************************************************************
-"BRs: 6.1.6"
-RSA: The CA SHALL confirm that the value of the public exponent is an odd number equal to 3 or more. Additionally, the public exponent SHOULD be in the range between 2^16+1 and 2^256-1. The modulus SHOULD also have the following characteristics: an odd number, not the power of a prime, and have no factors smaller than 752. [Citation: Section 5.3.3, NIST SP 800-89].
-*******************************************************************************************************/
-
-import (
- "crypto/rsa"
-
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type rsaParsedTestsExpBounds struct{}
-
-func (l *rsaParsedTestsExpBounds) Initialize() error {
- return nil
-}
-
-func (l *rsaParsedTestsExpBounds) CheckApplies(c *x509.Certificate) bool {
- _, ok := c.PublicKey.(*rsa.PublicKey)
- return ok && c.PublicKeyAlgorithm == x509.RSA
-}
-
-func (l *rsaParsedTestsExpBounds) Execute(c *x509.Certificate) *LintResult {
- key := c.PublicKey.(*rsa.PublicKey)
- if key.E >= 3 { //If Cmp returns 1, means N > E
- return &LintResult{Status: Pass}
- } else {
- return &LintResult{Status: Error}
- }
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_rsa_public_exponent_too_small",
- Description: "RSA: Value of public exponent is an odd number equal to 3 or more.",
- Citation: "BRs: 6.1.6",
- Source: CABFBaselineRequirements,
- EffectiveDate: util.CABV113Date,
- Lint: &rsaParsedTestsExpBounds{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_san_bare_wildcard.go b/vendor/github.com/zmap/zlint/lints/lint_san_bare_wildcard.go
deleted file mode 100644
index 2a99ec30b..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_san_bare_wildcard.go
+++ /dev/null
@@ -1,52 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-import (
- "strings"
-
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type brSANBareWildcard struct{}
-
-func (l *brSANBareWildcard) Initialize() error {
- return nil
-}
-
-func (l *brSANBareWildcard) CheckApplies(c *x509.Certificate) bool {
- return util.IsExtInCert(c, util.SubjectAlternateNameOID)
-}
-
-func (l *brSANBareWildcard) Execute(c *x509.Certificate) *LintResult {
- for _, dns := range c.DNSNames {
- if strings.HasSuffix(dns, "*") {
- return &LintResult{Status: Error}
- }
- }
- return &LintResult{Status: Pass}
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_san_bare_wildcard",
- Description: "A wildcard MUST be accompanied by other data to its right (Only checks DNSName)",
- Citation: "awslabs certlint",
- Source: AWSLabs,
- EffectiveDate: util.ZeroDate,
- Lint: &brSANBareWildcard{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_san_dns_name_duplicate.go b/vendor/github.com/zmap/zlint/lints/lint_san_dns_name_duplicate.go
deleted file mode 100644
index 40577c9a7..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_san_dns_name_duplicate.go
+++ /dev/null
@@ -1,57 +0,0 @@
-/*
- * ZLint Copyright 2017 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-package lints
-
-import (
- "strings"
-
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type SANDNSDuplicate struct{}
-
-func (l *SANDNSDuplicate) Initialize() error {
- return nil
-}
-
-func (l *SANDNSDuplicate) CheckApplies(c *x509.Certificate) bool {
- return util.IsExtInCert(c, util.SubjectAlternateNameOID)
-}
-
-func (l *SANDNSDuplicate) Execute(c *x509.Certificate) *LintResult {
- checkedDNSNames := map[string]struct{}{}
- for _, dns := range c.DNSNames {
- normalizedDNSName := strings.ToLower(dns)
- if _, isPresent := checkedDNSNames[normalizedDNSName]; isPresent {
- return &LintResult{Status: Notice}
- }
-
- checkedDNSNames[normalizedDNSName] = struct{}{}
- }
-
- return &LintResult{Status: Pass}
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "n_san_dns_name_duplicate",
- Description: "SAN DNSName contains duplicate values",
- Citation: "awslabs certlint",
- Source: AWSLabs,
- EffectiveDate: util.ZeroDate,
- Lint: &SANDNSDuplicate{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_san_dns_name_includes_null_char.go b/vendor/github.com/zmap/zlint/lints/lint_san_dns_name_includes_null_char.go
deleted file mode 100644
index 6267d1fb4..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_san_dns_name_includes_null_char.go
+++ /dev/null
@@ -1,52 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-import (
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type SANDNSNull struct{}
-
-func (l *SANDNSNull) Initialize() error {
- return nil
-}
-
-func (l *SANDNSNull) CheckApplies(c *x509.Certificate) bool {
- return util.IsExtInCert(c, util.SubjectAlternateNameOID)
-}
-
-func (l *SANDNSNull) Execute(c *x509.Certificate) *LintResult {
- for _, dns := range c.DNSNames {
- for i := 0; i < len(dns); i++ {
- if dns[i] == 0 {
- return &LintResult{Status: Error}
- }
- }
- }
- return &LintResult{Status: Pass}
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_san_dns_name_includes_null_char",
- Description: "DNSName MUST NOT include a null character",
- Citation: "awslabs certlint",
- Source: AWSLabs,
- EffectiveDate: util.ZeroDate,
- Lint: &SANDNSNull{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_san_dns_name_onion_not_ev_cert.go b/vendor/github.com/zmap/zlint/lints/lint_san_dns_name_onion_not_ev_cert.go
deleted file mode 100644
index 01f41452e..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_san_dns_name_onion_not_ev_cert.go
+++ /dev/null
@@ -1,72 +0,0 @@
-/*
- * ZLint Copyright 2019 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-package lints
-
-import (
- "fmt"
-
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-const (
- // onionTLD is a const for the TLD for Tor Hidden Services.
- onionTLD = ".onion"
-)
-
-type onionNotEV struct{}
-
-// Initialize for an onionNotEV linter is a NOP.
-func (l *onionNotEV) Initialize() error {
- return nil
-}
-
-// CheckApplies returns true if the certificate is a subscriber certificate that
-// contains a subject name ending in `.onion`.
-func (l *onionNotEV) CheckApplies(c *x509.Certificate) bool {
- return util.IsSubscriberCert(c) && util.CertificateSubjInTLD(c, onionTLD)
-}
-
-// Execute returns an Error LintResult if the certificate is not an EV
-// certificate. CheckApplies has already verified the certificate contains one
-// or more `.onion` subjects and so it must be an EV certificate.
-func (l *onionNotEV) Execute(c *x509.Certificate) *LintResult {
- /*
- * Effective May 1, 2015, each CA SHALL revoke all unexpired Certificates with an
- * Internal Name using onion as the right-most label in an entry in the
- * subjectAltName Extension or commonName field unless such Certificate was
- * issued in accordance with Appendix F of the EV Guidelines.
- */
- if !util.IsEV(c.PolicyIdentifiers) {
- return &LintResult{
- Status: Error,
- Details: fmt.Sprintf(
- "certificate contains one or more %s subject domains but is not an EV certificate",
- onionTLD),
- }
- }
- return &LintResult{Status: Pass}
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_san_dns_name_onion_not_ev_cert",
- Description: "certificates with a .onion subject name must be issued in accordance with EV Guidelines",
- Citation: "CABF Ballot 144",
- Source: CABFBaselineRequirements,
- EffectiveDate: util.OnionOnlyEVDate,
- Lint: &onionNotEV{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_san_dns_name_starts_with_period.go b/vendor/github.com/zmap/zlint/lints/lint_san_dns_name_starts_with_period.go
deleted file mode 100644
index c6b9fdb8d..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_san_dns_name_starts_with_period.go
+++ /dev/null
@@ -1,52 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-import (
- "strings"
-
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type SANDNSPeriod struct{}
-
-func (l *SANDNSPeriod) Initialize() error {
- return nil
-}
-
-func (l *SANDNSPeriod) CheckApplies(c *x509.Certificate) bool {
- return util.IsExtInCert(c, util.SubjectAlternateNameOID)
-}
-
-func (l *SANDNSPeriod) Execute(c *x509.Certificate) *LintResult {
- for _, dns := range c.DNSNames {
- if strings.HasPrefix(dns, ".") {
- return &LintResult{Status: Error}
- }
- }
- return &LintResult{Status: Pass}
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_san_dns_name_starts_with_period",
- Description: "DNSName MUST NOT start with a period",
- Citation: "awslabs certlint",
- Source: AWSLabs,
- EffectiveDate: util.ZeroDate,
- Lint: &SANDNSPeriod{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_san_iana_pub_suffix_empty.go b/vendor/github.com/zmap/zlint/lints/lint_san_iana_pub_suffix_empty.go
deleted file mode 100644
index 0687a9865..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_san_iana_pub_suffix_empty.go
+++ /dev/null
@@ -1,57 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-import (
- "strings"
-
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type pubSuffix struct{}
-
-func (l *pubSuffix) Initialize() error {
- return nil
-}
-
-func (l *pubSuffix) CheckApplies(c *x509.Certificate) bool {
- return util.IsExtInCert(c, util.SubjectAlternateNameOID)
-}
-
-func (l *pubSuffix) Execute(c *x509.Certificate) *LintResult {
- parsedSANDNSNames := c.GetParsedDNSNames(false)
- for i := range c.GetParsedDNSNames(false) {
- if parsedSANDNSNames[i].ParseError != nil {
- if strings.HasSuffix(parsedSANDNSNames[i].ParseError.Error(), "is a suffix") {
- return &LintResult{Status: Warn}
- } else {
- return &LintResult{Status: NA}
- }
- }
- }
- return &LintResult{Status: Pass}
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "w_san_iana_pub_suffix_empty",
- Description: "The domain SHOULD NOT have a bare public suffix",
- Citation: "awslabs certlint",
- Source: AWSLabs,
- EffectiveDate: util.ZeroDate,
- Lint: &pubSuffix{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_san_wildcard_not_first.go b/vendor/github.com/zmap/zlint/lints/lint_san_wildcard_not_first.go
deleted file mode 100644
index 8265ea4b5..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_san_wildcard_not_first.go
+++ /dev/null
@@ -1,52 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-import (
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type SANWildCardFirst struct{}
-
-func (l *SANWildCardFirst) Initialize() error {
- return nil
-}
-
-func (l *SANWildCardFirst) CheckApplies(c *x509.Certificate) bool {
- return util.IsExtInCert(c, util.SubjectAlternateNameOID)
-}
-
-func (l *SANWildCardFirst) Execute(c *x509.Certificate) *LintResult {
- for _, dns := range c.DNSNames {
- for i := 1; i < len(dns); i++ {
- if dns[i] == '*' {
- return &LintResult{Status: Error}
- }
- }
- }
- return &LintResult{Status: Pass}
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_san_wildcard_not_first",
- Description: "A wildcard MUST be in the first label of FQDN (ie not: www.*.com) (Only checks DNSName)",
- Citation: "awslabs certlint",
- Source: AWSLabs,
- EffectiveDate: util.ZeroDate,
- Lint: &SANWildCardFirst{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_serial_number_longer_than_20_octets.go b/vendor/github.com/zmap/zlint/lints/lint_serial_number_longer_than_20_octets.go
deleted file mode 100644
index d0997c334..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_serial_number_longer_than_20_octets.go
+++ /dev/null
@@ -1,66 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-/************************************************
-RFC 5280: 4.1.2.2. Serial Number
- The serial number MUST be a positive integer assigned by the CA to each
- certificate. It MUST be unique for each certificate issued by a given CA
- (i.e., the issuer name and serial number identify a unique certificate).
- CAs MUST force the serialNumber to be a non-negative integer.
-
- Given the uniqueness requirements above, serial numbers can be expected to
- contain long integers. Certificate users MUST be able to handle serialNumber
- values up to 20 octets. Conforming CAs MUST NOT use serialNumber values longer
- than 20 octets.
-
- Note: Non-conforming CAs may issue certificates with serial numbers that are
- negative or zero. Certificate users SHOULD be prepared togracefully handle
- such certificates.
-************************************************/
-
-import (
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type serialNumberTooLong struct{}
-
-func (l *serialNumberTooLong) Initialize() error {
- return nil
-}
-
-func (l *serialNumberTooLong) CheckApplies(c *x509.Certificate) bool {
- return true
-}
-
-func (l *serialNumberTooLong) Execute(c *x509.Certificate) *LintResult {
- if c.SerialNumber.BitLen() > 160 { // 20 octets
- return &LintResult{Status: Error}
- } else {
- return &LintResult{Status: Pass}
- }
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_serial_number_longer_than_20_octets",
- Description: "Certificates must not have a serial number longer than 20 octets",
- Citation: "RFC 5280: 4.1.2.2",
- Source: RFC5280,
- EffectiveDate: util.RFC3280Date,
- Lint: &serialNumberTooLong{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_serial_number_not_positive.go b/vendor/github.com/zmap/zlint/lints/lint_serial_number_not_positive.go
deleted file mode 100644
index 6a56ad47a..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_serial_number_not_positive.go
+++ /dev/null
@@ -1,66 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-/************************************************
-4.1.2.2. Serial Number
- The serial number MUST be a positive integer assigned by the CA to each
- certificate. It MUST be unique for each certificate issued by a given CA
- (i.e., the issuer name and serial number identify a unique certificate).
- CAs MUST force the serialNumber to be a non-negative integer.
-
- Given the uniqueness requirements above, serial numbers can be expected to
- contain long integers. Certificate users MUST be able to handle serialNumber
- values up to 20 octets. Conforming CAs MUST NOT use serialNumber values longer
- than 20 octets.
-
- Note: Non-conforming CAs may issue certificates with serial numbers that are
- negative or zero. Certificate users SHOULD be prepared togracefully handle
- such certificates.
-************************************************/
-
-import (
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type SerialNumberNotPositive struct{}
-
-func (l *SerialNumberNotPositive) Initialize() error {
- return nil
-}
-
-func (l *SerialNumberNotPositive) CheckApplies(cert *x509.Certificate) bool {
- return true
-}
-
-func (l *SerialNumberNotPositive) Execute(cert *x509.Certificate) *LintResult {
- if cert.SerialNumber.Sign() == -1 { // -1 Means negative when using big.Sign()
- return &LintResult{Status: Error}
- } else {
- return &LintResult{Status: Pass}
- }
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_serial_number_not_positive",
- Description: "Certificates must have a positive serial number",
- Citation: "RFC 5280: 4.1.2.2",
- Source: RFC5280,
- EffectiveDate: util.RFC3280Date,
- Lint: &SerialNumberNotPositive{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_signature_algorithm_not_supported.go b/vendor/github.com/zmap/zlint/lints/lint_signature_algorithm_not_supported.go
deleted file mode 100644
index 8563ca701..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_signature_algorithm_not_supported.go
+++ /dev/null
@@ -1,50 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-import (
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type signatureAlgorithmNotSupported struct{}
-
-func (l *signatureAlgorithmNotSupported) Initialize() error {
- return nil
-}
-
-func (l *signatureAlgorithmNotSupported) CheckApplies(c *x509.Certificate) bool {
- return true
-}
-
-func (l *signatureAlgorithmNotSupported) Execute(c *x509.Certificate) *LintResult {
-
- if c.SignatureAlgorithm == x509.SHA1WithRSA || c.SignatureAlgorithm == x509.SHA256WithRSA || c.SignatureAlgorithm == x509.SHA384WithRSA || c.SignatureAlgorithm == x509.SHA512WithRSA || c.SignatureAlgorithm == x509.DSAWithSHA1 || c.SignatureAlgorithm == x509.DSAWithSHA256 || c.SignatureAlgorithm == x509.ECDSAWithSHA1 || c.SignatureAlgorithm == x509.ECDSAWithSHA256 || c.SignatureAlgorithm == x509.ECDSAWithSHA384 || c.SignatureAlgorithm == x509.ECDSAWithSHA512 {
- return &LintResult{Status: Pass}
- } else {
- return &LintResult{Status: Error}
- }
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_signature_algorithm_not_supported",
- Description: "Certificates MUST meet the following requirements for algorithm Source: SHA-1*, SHA-256, SHA-384, SHA-512",
- Citation: "BRs: 6.1.5",
- Source: CABFBaselineRequirements,
- EffectiveDate: util.ZeroDate,
- Lint: &signatureAlgorithmNotSupported{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_spki_rsa_encryption_parameter_not_null.go b/vendor/github.com/zmap/zlint/lints/lint_spki_rsa_encryption_parameter_not_null.go
deleted file mode 100644
index 156371229..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_spki_rsa_encryption_parameter_not_null.go
+++ /dev/null
@@ -1,73 +0,0 @@ -package lints - -/* - * ZLint Copyright 2019 Regents of the University of Michigan - * - * Licensed under the Apache License, Version 2.0 (the "License"); you may not - * use this file except in compliance with the License. You may obtain a copy - * of the License at http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or - * implied. See the License for the specific language governing - * permissions and limitations under the License. - */ - -/******************************************************************************************************* -"RFC5280: RFC 4055, Section 1.2" -RSA: Encoded algorithm identifier MUST have NULL parameters. -*******************************************************************************************************/ - -import ( - "fmt" - - "github.com/zmap/zcrypto/x509" - "github.com/zmap/zlint/util" - "golang.org/x/crypto/cryptobyte" - cryptobyte_asn1 "golang.org/x/crypto/cryptobyte/asn1" -) - -type rsaSPKIEncryptionParamNotNULL struct{} - -func (l *rsaSPKIEncryptionParamNotNULL) Initialize() error { - return nil -} - -func (l *rsaSPKIEncryptionParamNotNULL) CheckApplies(c *x509.Certificate) bool { - // explicitly check for util.OidRSAEncryption, as RSA-PSS or RSA-OAEP certificates might be classified with c.PublicKeyAlgorithm = RSA - return c.PublicKeyAlgorithmOID.Equal(util.OidRSAEncryption) -} - -func (l *rsaSPKIEncryptionParamNotNULL) Execute(c *x509.Certificate) *LintResult { - input := cryptobyte.String(c.RawSubjectPublicKeyInfo) - - var publicKeyInfo cryptobyte.String - if !input.ReadASN1(&publicKeyInfo, cryptobyte_asn1.SEQUENCE) { - return &LintResult{Status: Fatal, Details: "error reading pkixPublicKey"} - } - - var algorithm cryptobyte.String - var tag cryptobyte_asn1.Tag - // use ReadAnyElement to preserve tag 
and length octets - if !publicKeyInfo.ReadAnyASN1Element(&algorithm, &tag) { - return &LintResult{Status: Fatal, Details: "error reading pkixPublicKey"} - } - - if err := util.CheckAlgorithmIDParamNotNULL(algorithm, util.OidRSAEncryption); err != nil { - return &LintResult{Status: Error, Details: fmt.Sprintf("certificate pkixPublicKey %s", err.Error())} - } - - return &LintResult{Status: Pass} -} - -func init() { - RegisterLint(&Lint{ - Name: "e_spki_rsa_encryption_parameter_not_null", - Description: "RSA: Encoded public key algorithm identifier MUST have NULL parameters", - Citation: "RFC 4055, Section 1.2", - Source: RFC5280, // RFC4055 is referenced in RFC5280, Section 1 - EffectiveDate: util.RFC5280Date, - Lint: &rsaSPKIEncryptionParamNotNULL{}, - }) -} diff --git a/vendor/github.com/zmap/zlint/lints/lint_sub_ca_aia_does_not_contain_issuing_ca_url.go b/vendor/github.com/zmap/zlint/lints/lint_sub_ca_aia_does_not_contain_issuing_ca_url.go deleted file mode 100644 index 0b12ce85f..000000000 --- a/vendor/github.com/zmap/zlint/lints/lint_sub_ca_aia_does_not_contain_issuing_ca_url.go +++ /dev/null 
@@ -1,60 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-/***********************************************
-CAB 7.1.2.2c
-With the exception of stapling, which is noted below, this extension MUST be present. It MUST NOT be
-marked critical, and it MUST contain the HTTP URL of the Issuing CA’s OCSP responder (accessMethod
-= 1.3.6.1.5.5.7.48.1). It SHOULD also contain the HTTP URL of the Issuing CA’s certificate
-(accessMethod = 1.3.6.1.5.5.7.48.2).
-************************************************/
-
-import (
- "strings"
-
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type subCaIssuerUrl struct{}
-
-func (l *subCaIssuerUrl) Initialize() error {
- return nil
-}
-
-func (l *subCaIssuerUrl) CheckApplies(c *x509.Certificate) bool {
- return util.IsCACert(c) && !util.IsRootCA(c)
-}
-
-func (l *subCaIssuerUrl) Execute(c *x509.Certificate) *LintResult {
- for _, url := range c.IssuingCertificateURL {
- if strings.HasPrefix(url, "http://") {
- return &LintResult{Status: Pass}
- }
- }
- return &LintResult{Status: Warn}
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "w_sub_ca_aia_does_not_contain_issuing_ca_url",
- Description: "Subordinate CA Certificate: authorityInformationAccess SHOULD also contain the HTTP URL of the Issuing CA's certificate.",
- Citation: "BRs: 7.1.2.2",
- Source: CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
- Lint: &subCaIssuerUrl{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_sub_ca_aia_does_not_contain_ocsp_url.go b/vendor/github.com/zmap/zlint/lints/lint_sub_ca_aia_does_not_contain_ocsp_url.go
deleted file mode 100644
index 398e71456..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_sub_ca_aia_does_not_contain_ocsp_url.go
+++ /dev/null
@@ -1,60 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-/***********************************************
-CAB 7.1.2.2c
-With the exception of stapling, which is noted below, this extension MUST be present. It MUST NOT be
-marked critical, and it MUST contain the HTTP URL of the Issuing CA’s OCSP responder (accessMethod
-= 1.3.6.1.5.5.7.48.1). It SHOULD also contain the HTTP URL of the Issuing CA’s certificate
-(accessMethod = 1.3.6.1.5.5.7.48.2).
-************************************************/
-
-import (
- "strings"
-
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type subCaOcspUrl struct{}
-
-func (l *subCaOcspUrl) Initialize() error {
- return nil
-}
-
-func (l *subCaOcspUrl) CheckApplies(c *x509.Certificate) bool {
- return util.IsCACert(c) && !util.IsRootCA(c)
-}
-
-func (l *subCaOcspUrl) Execute(c *x509.Certificate) *LintResult {
- for _, url := range c.OCSPServer {
- if strings.HasPrefix(url, "http://") {
- return &LintResult{Status: Pass}
- }
- }
- return &LintResult{Status: Error}
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_sub_ca_aia_does_not_contain_ocsp_url",
- Description: "Subordinate CA certificates authorityInformationAccess extension must contain the HTTP URL of the issuing CA’s OCSP responder",
- Citation: "BRs: 7.1.2.2",
- Source: CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
- Lint: &subCaOcspUrl{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_sub_ca_aia_marked_critical.go b/vendor/github.com/zmap/zlint/lints/lint_sub_ca_aia_marked_critical.go
deleted file mode 100644
index 0552f41e0..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_sub_ca_aia_marked_critical.go
+++ /dev/null
@@ -1,50 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-import (
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type subCaAIAMarkedCritical struct{}
-
-func (l *subCaAIAMarkedCritical) Initialize() error {
- return nil
-}
-
-func (l *subCaAIAMarkedCritical) CheckApplies(c *x509.Certificate) bool {
- return util.IsSubCA(c) && util.IsExtInCert(c, util.AiaOID)
-}
-
-func (l *subCaAIAMarkedCritical) Execute(c *x509.Certificate) *LintResult {
- e := util.GetExtFromCert(c, util.AiaOID)
- if e.Critical {
- return &LintResult{Status: Error}
- } else {
- return &LintResult{Status: Pass}
- }
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_sub_ca_aia_marked_critical",
- Description: "Subordinate CA Certificate: authorityInformationAccess MUST NOT be marked critical",
- Citation: "BRs: 7.1.2.2",
- Source: CABFBaselineRequirements,
- EffectiveDate: util.ZeroDate,
- Lint: &subCaAIAMarkedCritical{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_sub_ca_aia_missing.go b/vendor/github.com/zmap/zlint/lints/lint_sub_ca_aia_missing.go
deleted file mode 100644
index 38753f71c..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_sub_ca_aia_missing.go
+++ /dev/null
@@ -1,57 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-/***********************************************
-CAB 7.1.2.2c
-With the exception of stapling, which is noted below, this extension MUST be present. It MUST NOT be
-marked critical, and it MUST contain the HTTP URL of the Issuing CA’s OCSP responder (accessMethod
-= 1.3.6.1.5.5.7.48.1). It SHOULD also contain the HTTP URL of the Issuing CA’s certificate
-(accessMethod = 1.3.6.1.5.5.7.48.2).
-************************************************/
-
-import (
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type caAiaMissing struct{}
-
-func (l *caAiaMissing) Initialize() error {
- return nil
-}
-
-func (l *caAiaMissing) CheckApplies(c *x509.Certificate) bool {
- return util.IsCACert(c) && !util.IsRootCA(c)
-}
-
-func (l *caAiaMissing) Execute(c *x509.Certificate) *LintResult {
- if util.IsExtInCert(c, util.AiaOID) {
- return &LintResult{Status: Pass}
- } else {
- return &LintResult{Status: Error}
- }
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_sub_ca_aia_missing",
- Description: "Subordinate CA Certificate: authorityInformationAccess MUST be present, with the exception of stapling.",
- Citation: "BRs: 7.1.2.2",
- Source: CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
- Lint: &caAiaMissing{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_sub_ca_certificate_policies_marked_critical.go b/vendor/github.com/zmap/zlint/lints/lint_sub_ca_certificate_policies_marked_critical.go
deleted file mode 100644
index cfc27dc25..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_sub_ca_certificate_policies_marked_critical.go
+++ /dev/null
@@ -1,55 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-/************************************************
-BRs: 7.1.2.2a certificatePolicies
-This extension MUST be present and SHOULD NOT be marked critical.
-************************************************/
-
-import (
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type subCACertPolicyCrit struct{}
-
-func (l *subCACertPolicyCrit) Initialize() error {
- return nil
-}
-
-func (l *subCACertPolicyCrit) CheckApplies(c *x509.Certificate) bool {
- return util.IsSubCA(c) && util.IsExtInCert(c, util.CertPolicyOID)
-}
-
-func (l *subCACertPolicyCrit) Execute(c *x509.Certificate) *LintResult {
- if e := util.GetExtFromCert(c, util.CertPolicyOID); e.Critical {
- return &LintResult{Status: Warn}
- } else {
- return &LintResult{Status: Pass}
- }
-
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "w_sub_ca_certificate_policies_marked_critical",
- Description: "Subordinate CA certificates certificatePolicies extension should not be marked as critical",
- Citation: "BRs: 7.1.2.2",
- Source: CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
- Lint: &subCACertPolicyCrit{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_sub_ca_certificate_policies_missing.go b/vendor/github.com/zmap/zlint/lints/lint_sub_ca_certificate_policies_missing.go
deleted file mode 100644
index 63e0febdd..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_sub_ca_certificate_policies_missing.go
+++ /dev/null
@@ -1,54 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-/************************************************
-BRs: 7.1.2.2a certificatePolicies
-This extension MUST be present and SHOULD NOT be marked critical.
-************************************************/
-
-import (
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type subCACertPolicyMissing struct{}
-
-func (l *subCACertPolicyMissing) Initialize() error {
- return nil
-}
-
-func (l *subCACertPolicyMissing) CheckApplies(c *x509.Certificate) bool {
- return util.IsSubCA(c)
-}
-
-func (l *subCACertPolicyMissing) Execute(c *x509.Certificate) *LintResult {
- if util.IsExtInCert(c, util.CertPolicyOID) {
- return &LintResult{Status: Pass}
- } else {
- return &LintResult{Status: Error}
- }
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_sub_ca_certificate_policies_missing",
- Description: "Subordinate CA certificates must have a certificatePolicies extension",
- Citation: "BRs: 7.1.2.2",
- Source: CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
- Lint: &subCACertPolicyMissing{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_sub_ca_crl_distribution_points_does_not_contain_url.go b/vendor/github.com/zmap/zlint/lints/lint_sub_ca_crl_distribution_points_does_not_contain_url.go
deleted file mode 100644
index 846741d44..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_sub_ca_crl_distribution_points_does_not_contain_url.go
+++ /dev/null
@@ -1,58 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-/************************************************
-BRs: 7.1.2.2b cRLDistributionPoints
-This extension MUST be present and MUST NOT be marked critical.
-It MUST contain the HTTP URL of the CA’s CRL service.
-************************************************/
-
-import (
- "strings"
-
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type subCACRLDistNoUrl struct{}
-
-func (l *subCACRLDistNoUrl) Initialize() error {
- return nil
-}
-
-func (l *subCACRLDistNoUrl) CheckApplies(c *x509.Certificate) bool {
- return util.IsSubCA(c) && util.IsExtInCert(c, util.CrlDistOID)
-}
-
-func (l *subCACRLDistNoUrl) Execute(c *x509.Certificate) *LintResult {
- for _, s := range c.CRLDistributionPoints {
- if strings.HasPrefix(s, "http://") {
- return &LintResult{Status: Pass}
- }
- }
- return &LintResult{Status: Error}
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_sub_ca_crl_distribution_points_does_not_contain_url",
- Description: "Subordinate CA Certificate: cRLDistributionPoints MUST contain the HTTP URL of the CA's CRL service.",
- Citation: "BRs: 7.1.2.2",
- Source: CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
- Lint: &subCACRLDistNoUrl{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_sub_ca_crl_distribution_points_marked_critical.go b/vendor/github.com/zmap/zlint/lints/lint_sub_ca_crl_distribution_points_marked_critical.go
deleted file mode 100644
index a8b934fc2..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_sub_ca_crl_distribution_points_marked_critical.go
+++ /dev/null
@@ -1,55 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-/************************************************
-BRs: 7.1.2.2b cRLDistributionPoints
-This extension MUST be present and MUST NOT be marked critical.
-It MUST contain the HTTP URL of the CA’s CRL service.
-************************************************/
-
-import (
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type subCACRLDistCrit struct{}
-
-func (l *subCACRLDistCrit) Initialize() error {
- return nil
-}
-
-func (l *subCACRLDistCrit) CheckApplies(c *x509.Certificate) bool {
- return util.IsSubCA(c) && util.IsExtInCert(c, util.CrlDistOID)
-}
-
-func (l *subCACRLDistCrit) Execute(c *x509.Certificate) *LintResult {
- if e := util.GetExtFromCert(c, util.CrlDistOID); e.Critical {
- return &LintResult{Status: Error}
- } else {
- return &LintResult{Status: Pass}
- }
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_sub_ca_crl_distribution_points_marked_critical",
- Description: "Subordinate CA Certificate: cRLDistributionPoints MUST be present and MUST NOT be marked critical.",
- Citation: "BRs: 7.1.2.2",
- Source: CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
- Lint: &subCACRLDistCrit{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_sub_ca_crl_distribution_points_missing.go b/vendor/github.com/zmap/zlint/lints/lint_sub_ca_crl_distribution_points_missing.go
deleted file mode 100644
index 5a4942407..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_sub_ca_crl_distribution_points_missing.go
+++ /dev/null
@@ -1,55 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-/************************************************
-BRs: 7.1.2.2b cRLDistributionPoints
-This extension MUST be present and MUST NOT be marked critical.
-It MUST contain the HTTP URL of the CA’s CRL service.
-************************************************/
-
-import (
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type subCACRLDistMissing struct{}
-
-func (l *subCACRLDistMissing) Initialize() error {
- return nil
-}
-
-func (l *subCACRLDistMissing) CheckApplies(c *x509.Certificate) bool {
- return util.IsSubCA(c)
-}
-
-func (l *subCACRLDistMissing) Execute(c *x509.Certificate) *LintResult {
- if util.IsExtInCert(c, util.CrlDistOID) {
- return &LintResult{Status: Pass}
- } else {
- return &LintResult{Status: Error}
- }
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_sub_ca_crl_distribution_points_missing",
- Description: "Subordinate CA Certificate: cRLDistributionPoints MUST be present and MUST NOT be marked critical.",
- Citation: "BRs: 7.1.2.2",
- Source: CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
- Lint: &subCACRLDistMissing{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_sub_ca_eku_critical.go b/vendor/github.com/zmap/zlint/lints/lint_sub_ca_eku_critical.go
deleted file mode 100644
index 852b4915a..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_sub_ca_eku_critical.go
+++ /dev/null
@@ -1,57 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-/************************************************
-BRs: 7.1.2.2g extkeyUsage (optional)
-For Subordinate CA Certificates to be Technically constrained in line with section 7.1.5, then either the value
-id‐kp‐serverAuth [RFC5280] or id‐kp‐clientAuth [RFC5280] or both values MUST be present**.
-Other values MAY be present.
-If present, this extension SHOULD be marked non‐critical.
-************************************************/
-
-import (
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type subCAEKUCrit struct{}
-
-func (l *subCAEKUCrit) Initialize() error {
- return nil
-}
-
-func (l *subCAEKUCrit) CheckApplies(c *x509.Certificate) bool {
- return util.IsSubCA(c) && util.IsExtInCert(c, util.EkuSynOid)
-}
-
-func (l *subCAEKUCrit) Execute(c *x509.Certificate) *LintResult {
- if e := util.GetExtFromCert(c, util.EkuSynOid); e.Critical {
- return &LintResult{Status: Warn}
- } else {
- return &LintResult{Status: Pass}
- }
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "w_sub_ca_eku_critical",
- Description: "Subordinate CA certificate extkeyUsage extension should be marked non-critical if present",
- Citation: "BRs: 7.1.2.2",
- Source: CABFBaselineRequirements,
- EffectiveDate: util.CABV116Date,
- Lint: &subCAEKUCrit{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_sub_ca_eku_missing.go b/vendor/github.com/zmap/zlint/lints/lint_sub_ca_eku_missing.go
deleted file mode 100644
index a150ab990..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_sub_ca_eku_missing.go
+++ /dev/null
@@ -1,49 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-import (
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type subCAEKUMissing struct{}
-
-func (l *subCAEKUMissing) Initialize() error {
- return nil
-}
-
-func (l *subCAEKUMissing) CheckApplies(c *x509.Certificate) bool {
- return util.IsSubCA(c)
-}
-
-func (l *subCAEKUMissing) Execute(c *x509.Certificate) *LintResult {
- if util.IsExtInCert(c, util.EkuSynOid) {
- return &LintResult{Status: Pass}
- } else {
- return &LintResult{Status: Notice}
- }
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "n_sub_ca_eku_missing",
- Description: "To be considered Technically Constrained, the Subordinate CA certificate MUST have extkeyUsage extension",
- Citation: "BRs: 7.1.5",
- Source: CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
- Lint: &subCAEKUMissing{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_sub_ca_eku_valid_fields.go b/vendor/github.com/zmap/zlint/lints/lint_sub_ca_eku_valid_fields.go
deleted file mode 100644
index 47182a59f..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_sub_ca_eku_valid_fields.go
+++ /dev/null
@@ -1,56 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-import (
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type subCAEKUValidFields struct{}
-
-func (l *subCAEKUValidFields) Initialize() error {
- return nil
-}
-
-func (l *subCAEKUValidFields) CheckApplies(c *x509.Certificate) bool {
- return util.IsSubCA(c) && util.IsExtInCert(c, util.EkuSynOid)
-}
-
-func (l *subCAEKUValidFields) Execute(c *x509.Certificate) *LintResult {
- validFieldsPresent := false
- for _, ekuValue := range c.ExtKeyUsage {
- if ekuValue == x509.ExtKeyUsageServerAuth ||
- ekuValue == x509.ExtKeyUsageClientAuth {
- validFieldsPresent = true
- }
- }
- if validFieldsPresent {
- return &LintResult{Status: Pass}
- } else {
- return &LintResult{Status: Notice}
- }
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "n_sub_ca_eku_not_technically_constrained",
- Description: "Subordinate CA extkeyUsage, either id-kp-serverAuth or id-kp-clientAuth or both values MUST be present to be technically constrained.",
- Citation: "BRs: 7.1.2.2",
- Source: CABFBaselineRequirements,
- EffectiveDate: util.CABV116Date,
- Lint: &subCAEKUValidFields{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_sub_ca_name_constraints_not_critical.go b/vendor/github.com/zmap/zlint/lints/lint_sub_ca_name_constraints_not_critical.go
deleted file mode 100644
index f8c5b55ee..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_sub_ca_name_constraints_not_critical.go
+++ /dev/null
@@ -1,53 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-/************************************************
-Change this to match source TEXT
-************************************************/
-
-import (
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type SubCANameConstraintsNotCritical struct{}
-
-func (l *SubCANameConstraintsNotCritical) Initialize() error {
- return nil
-}
-
-func (l *SubCANameConstraintsNotCritical) CheckApplies(cert *x509.Certificate) bool {
- return util.IsSubCA(cert) && util.IsExtInCert(cert, util.NameConstOID)
-}
-
-func (l *SubCANameConstraintsNotCritical) Execute(cert *x509.Certificate) *LintResult {
- if ski := util.GetExtFromCert(cert, util.NameConstOID); ski.Critical {
- return &LintResult{Status: Pass}
- } else {
- return &LintResult{Status: Warn}
- }
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "w_sub_ca_name_constraints_not_critical",
- Description: "Subordinate CA Certificate: NameConstraints if present, SHOULD be marked critical.",
- Citation: "BRs: 7.1.2.2",
- Source: CABFBaselineRequirements,
- EffectiveDate: util.CABV102Date,
- Lint: &SubCANameConstraintsNotCritical{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_sub_cert_aia_does_not_contain_issuing_ca_url.go b/vendor/github.com/zmap/zlint/lints/lint_sub_cert_aia_does_not_contain_issuing_ca_url.go
deleted file mode 100644
index a35025e64..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_sub_cert_aia_does_not_contain_issuing_ca_url.go
+++ /dev/null
@@ -1,59 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-/************************************************************************
-BRs: 7.1.2.3
-cRLDistributionPoints
-This extension MAY be present. If present, it MUST NOT be marked critical, and it MUST contain the
-HTTP URL of the CA’s CRL service. See Section 13.2.1 for details.
-*************************************************************************/
-
-import (
- "strings"
-
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type subCertIssuerUrl struct{}
-
-func (l *subCertIssuerUrl) Initialize() error {
- return nil
-}
-
-func (l *subCertIssuerUrl) CheckApplies(c *x509.Certificate) bool {
- return util.IsSubscriberCert(c)
-}
-
-func (l *subCertIssuerUrl) Execute(c *x509.Certificate) *LintResult {
- for _, url := range c.IssuingCertificateURL {
- if strings.HasPrefix(url, "http://") {
- return &LintResult{Status: Pass}
- }
- }
- return &LintResult{Status: Warn}
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "w_sub_cert_aia_does_not_contain_issuing_ca_url",
- Description: "Subscriber certificates authorityInformationAccess extension should contain the HTTP URL of the issuing CA’s certificate",
- Citation: "BRs: 7.1.2.3",
- Source: CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
- Lint: &subCertIssuerUrl{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_sub_cert_aia_does_not_contain_ocsp_url.go b/vendor/github.com/zmap/zlint/lints/lint_sub_cert_aia_does_not_contain_ocsp_url.go
deleted file mode 100644
index c154e6ee5..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_sub_cert_aia_does_not_contain_ocsp_url.go
+++ /dev/null
@@ -1,61 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-/**************************************************************************************************
-BRs: 7.1.2.3
-authorityInformationAccess
-With the exception of stapling, which is noted below, this extension MUST be present. It MUST NOT be
-marked critical, and it MUST contain the HTTP URL of the Issuing CA’s OCSP responder (accessMethod
-= 1.3.6.1.5.5.7.48.1). It SHOULD also contain the HTTP URL of the Issuing CA’s certificate
-(accessMethod = 1.3.6.1.5.5.7.48.2). See Section 13.2.1 for details.
-***************************************************************************************************/
-
-import (
- "strings"
-
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type subCertOcspUrl struct{}
-
-func (l *subCertOcspUrl) Initialize() error {
- return nil
-}
-
-func (l *subCertOcspUrl) CheckApplies(c *x509.Certificate) bool {
- return !util.IsCACert(c)
-}
-
-func (l *subCertOcspUrl) Execute(c *x509.Certificate) *LintResult {
- for _, url := range c.OCSPServer {
- if strings.HasPrefix(url, "http://") {
- return &LintResult{Status: Pass}
- }
- }
- return &LintResult{Status: Error}
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_sub_cert_aia_does_not_contain_ocsp_url",
- Description: "Subscriber Certificate: authorityInformationAccess MUST contain the HTTP URL of the Issuing CA's OSCP responder.",
- Citation: "BRs: 7.1.2.3",
- Source: CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
- Lint: &subCertOcspUrl{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_sub_cert_aia_marked_critical.go b/vendor/github.com/zmap/zlint/lints/lint_sub_cert_aia_marked_critical.go
deleted file mode 100644
index 97d3e6243..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_sub_cert_aia_marked_critical.go
+++ /dev/null
@@ -1,50 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-import (
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type subCertAiaMarkedCritical struct{}
-
-func (l *subCertAiaMarkedCritical) Initialize() error {
- return nil
-}
-
-func (l *subCertAiaMarkedCritical) CheckApplies(c *x509.Certificate) bool {
- return util.IsSubscriberCert(c) && util.IsExtInCert(c, util.AiaOID)
-}
-
-func (l *subCertAiaMarkedCritical) Execute(c *x509.Certificate) *LintResult {
- e := util.GetExtFromCert(c, util.AiaOID)
- if e.Critical {
- return &LintResult{Status: Error}
- } else {
- return &LintResult{Status: Pass}
- }
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_sub_cert_aia_marked_critical",
- Description: "Subscriber Certificate: authorityInformationAccess MUST NOT be marked critical",
- Citation: "BRs: 7.1.2.3",
- Source: CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
- Lint: &subCertAiaMarkedCritical{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_sub_cert_aia_missing.go b/vendor/github.com/zmap/zlint/lints/lint_sub_cert_aia_missing.go
deleted file mode 100644
index 738de3565..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_sub_cert_aia_missing.go
+++ /dev/null
@@ -1,58 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-/**************************************************************************************************
-BRs: 7.1.2.3
-authorityInformationAccess
-With the exception of stapling, which is noted below, this extension MUST be present. It MUST NOT be
-marked critical, and it MUST contain the HTTP URL of the Issuing CA’s OCSP responder (accessMethod
-= 1.3.6.1.5.5.7.48.1). It SHOULD also contain the HTTP URL of the Issuing CA’s certificate
-(accessMethod = 1.3.6.1.5.5.7.48.2). See Section 13.2.1 for details.
-***************************************************************************************************/
-
-import (
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type subCertAiaMissing struct{}
-
-func (l *subCertAiaMissing) Initialize() error {
- return nil
-}
-
-func (l *subCertAiaMissing) CheckApplies(c *x509.Certificate) bool {
- return !util.IsCACert(c)
-}
-
-func (l *subCertAiaMissing) Execute(c *x509.Certificate) *LintResult {
- if util.IsExtInCert(c, util.AiaOID) {
- return &LintResult{Status: Pass}
- } else {
- return &LintResult{Status: Error}
- }
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_sub_cert_aia_missing",
- Description: "Subscriber Certiifcate: authorityInformationAccess MUST be present, with the exception of stapling.",
- Citation: "BRs: 7.1.2.3",
- Source: CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
- Lint: &subCertAiaMissing{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_sub_cert_cert_policy_empty.go b/vendor/github.com/zmap/zlint/lints/lint_sub_cert_cert_policy_empty.go
deleted file mode 100644
index 93d401958..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_sub_cert_cert_policy_empty.go
+++ /dev/null
@@ -1,58 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-/********************************************************************************************************************
-BRs: 7.1.6.4
-Subscriber Certificates
-A Certificate issued to a Subscriber MUST contain one or more policy identifier(s), defined by the Issuing CA, in
-the Certificate’s certificatePolicies extension that indicates adherence to and complIANce with these Requirements.
-CAs complying with these Requirements MAY also assert one of the reserved policy OIDs in such Certificates.
-*********************************************************************************************************************/
-
-import (
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type subCertPolicyEmpty struct{}
-
-func (l *subCertPolicyEmpty) Initialize() error {
- return nil
-}
-
-func (l *subCertPolicyEmpty) CheckApplies(c *x509.Certificate) bool {
- return !util.IsCACert(c)
-}
-
-func (l *subCertPolicyEmpty) Execute(c *x509.Certificate) *LintResult {
- // Add actual lint here
- if util.IsExtInCert(c, util.CertPolicyOID) && c.PolicyIdentifiers != nil {
- return &LintResult{Status: Pass}
- } else {
- return &LintResult{Status: Error}
- }
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_sub_cert_cert_policy_empty",
- Description: "Subscriber certificates must contain at least one policy identifier that indicates adherence to CAB standards",
- Citation: "BRs: 7.1.6.4",
- Source: CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
- Lint: &subCertPolicyEmpty{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_sub_cert_certificate_policies_marked_critical.go b/vendor/github.com/zmap/zlint/lints/lint_sub_cert_certificate_policies_marked_critical.go
deleted file mode 100644
index 3790dcd13..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_sub_cert_certificate_policies_marked_critical.go
+++ /dev/null
@@ -1,56 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-/******************************************************************************
-BRs: 7.1.2.3
-certificatePolicies
-This extension MUST be present and SHOULD NOT be marked critical.
-******************************************************************************/
-
-import (
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type subCertPolicyCrit struct{}
-
-func (l *subCertPolicyCrit) Initialize() error {
- return nil
-}
-
-func (l *subCertPolicyCrit) CheckApplies(c *x509.Certificate) bool {
- return util.IsExtInCert(c, util.CertPolicyOID)
-}
-
-func (l *subCertPolicyCrit) Execute(c *x509.Certificate) *LintResult {
- e := util.GetExtFromCert(c, util.CertPolicyOID)
- if e.Critical == false {
- return &LintResult{Status: Pass}
- } else {
- return &LintResult{Status: Warn}
- }
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "w_sub_cert_certificate_policies_marked_critical",
- Description: "Subscriber Certificate: certificatePolicies MUST be present and SHOULD NOT be marked critical.",
- Citation: "BRs: 7.1.2.3",
- Source: CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
- Lint: &subCertPolicyCrit{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_sub_cert_certificate_policies_missing.go b/vendor/github.com/zmap/zlint/lints/lint_sub_cert_certificate_policies_missing.go
deleted file mode 100644
index 9feb10305..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_sub_cert_certificate_policies_missing.go
+++ /dev/null
@@ -1,56 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-/******************************************************************************
-BRs: 7.1.2.3
-certificatePolicies
-This extension MUST be present and SHOULD NOT be marked critical.
-******************************************************************************/
-
-import (
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type subCertPolicy struct{}
-
-func (l *subCertPolicy) Initialize() error {
- return nil
-}
-
-func (l *subCertPolicy) CheckApplies(c *x509.Certificate) bool {
- return !util.IsCACert(c)
-}
-
-func (l *subCertPolicy) Execute(c *x509.Certificate) *LintResult {
- // Add actual lint here
- if util.IsExtInCert(c, util.CertPolicyOID) {
- return &LintResult{Status: Pass}
- } else {
- return &LintResult{Status: Error}
- }
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_sub_cert_certificate_policies_missing",
- Description: "Subscriber Certificate: certificatePolicies MUST be present and SHOULD NOT be marked critical.",
- Citation: "BRs: 7.1.2.2",
- Source: CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
- Lint: &subCertPolicy{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_sub_cert_country_name_must_appear.go b/vendor/github.com/zmap/zlint/lints/lint_sub_cert_country_name_must_appear.go
deleted file mode 100644
index 65eb40b31..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_sub_cert_country_name_must_appear.go
+++ /dev/null
@@ -1,50 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-import (
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type subCertCountryNameMustAppear struct{}
-
-func (l *subCertCountryNameMustAppear) Initialize() error {
- return nil
-}
-
-func (l *subCertCountryNameMustAppear) CheckApplies(c *x509.Certificate) bool {
- return util.IsSubscriberCert(c)
-}
-
-func (l *subCertCountryNameMustAppear) Execute(c *x509.Certificate) *LintResult {
- if len(c.Subject.Organization) > 0 || len(c.Subject.GivenName) > 0 || len(c.Subject.Surname) > 0 {
- if len(c.Subject.Country) == 0 {
- return &LintResult{Status: Error}
- }
- }
- return &LintResult{Status: Pass}
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_sub_cert_country_name_must_appear",
- Description: "Subscriber Certificate: subject:countryName MUST appear if the subject:organizationName field, subject:givenName field, or subject:surname fields are present.",
- Citation: "BRs: 7.1.4.2.2",
- Source: CABFBaselineRequirements,
- EffectiveDate: util.CABGivenNameDate,
- Lint: &subCertCountryNameMustAppear{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_sub_cert_crl_distribution_points_does_not_contain_url.go b/vendor/github.com/zmap/zlint/lints/lint_sub_cert_crl_distribution_points_does_not_contain_url.go
deleted file mode 100644
index ecab5acc9..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_sub_cert_crl_distribution_points_does_not_contain_url.go
+++ /dev/null
@@ -1,60 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-/*******************************************************************************************************
-BRs: 7.1.2.3
-cRLDistributionPoints
-This extension MAY be present. If present, it MUST NOT be marked critical, and it MUST contain the HTTP
-URL of the CA’s CRL service.
-*******************************************************************************************************/
-
-import (
- "strings"
-
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type subCRLDistNoURL struct{}
-
-func (l *subCRLDistNoURL) Initialize() error {
- return nil
-}
-
-func (l *subCRLDistNoURL) CheckApplies(c *x509.Certificate) bool {
- return util.IsExtInCert(c, util.CrlDistOID)
-}
-
-func (l *subCRLDistNoURL) Execute(c *x509.Certificate) *LintResult {
- // Add actual lint here
- for _, s := range c.CRLDistributionPoints {
- if strings.HasPrefix(s, "http://") {
- return &LintResult{Status: Pass}
- }
- }
- return &LintResult{Status: Error}
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_sub_cert_crl_distribution_points_does_not_contain_url",
- Description: "Subscriber certificate cRLDistributionPoints extension must contain the HTTP URL of the CA’s CRL service",
- Citation: "BRs: 7.1.2.3",
- Source: CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
- Lint: &subCRLDistNoURL{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_sub_cert_crl_distribution_points_marked_critical.go b/vendor/github.com/zmap/zlint/lints/lint_sub_cert_crl_distribution_points_marked_critical.go
deleted file mode 100644
index f9fc620ab..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_sub_cert_crl_distribution_points_marked_critical.go
+++ /dev/null
@@ -1,58 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-/*******************************************************************************************************
-BRs: 7.1.2.3
-cRLDistributionPoints
-This extension MAY be present. If present, it MUST NOT be marked critical, and it MUST contain the HTTP
-URL of the CA’s CRL service.
-*******************************************************************************************************/
-
-import (
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type subCrlDistCrit struct{}
-
-func (l *subCrlDistCrit) Initialize() error {
- return nil
-}
-
-func (l *subCrlDistCrit) CheckApplies(c *x509.Certificate) bool {
- return util.IsExtInCert(c, util.CrlDistOID)
-}
-
-func (l *subCrlDistCrit) Execute(c *x509.Certificate) *LintResult {
- // Add actual lint here
- e := util.GetExtFromCert(c, util.CrlDistOID)
- if e.Critical == false {
- return &LintResult{Status: Pass}
- } else {
- return &LintResult{Status: Error}
- }
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_sub_cert_crl_distribution_points_marked_critical",
- Description: "Subscriber Certiifcate: cRLDistributionPoints MUST NOT be marked critical, and MUST contain the HTTP URL of the CA's CRL service.",
- Citation: "BRs: 7.1.2.3",
- Source: CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
- Lint: &subCrlDistCrit{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_sub_cert_eku_extra_values.go b/vendor/github.com/zmap/zlint/lints/lint_sub_cert_eku_extra_values.go
deleted file mode 100644
index d2b263dd9..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_sub_cert_eku_extra_values.go
+++ /dev/null
@@ -1,64 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-/*******************************************************************************************************
-BRs: 7.1.2.3
-extKeyUsage (required)
-Either the value id-kp-serverAuth [RFC5280] or id-kp-clientAuth [RFC5280] or both values MUST be present. id-kp-emailProtection [RFC5280] MAY be present. Other values SHOULD NOT be present.
-*******************************************************************************************************/
-
-import (
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type subExtKeyUsageLegalUsage struct{}
-
-func (l *subExtKeyUsageLegalUsage) Initialize() error {
- return nil
-}
-
-func (l *subExtKeyUsageLegalUsage) CheckApplies(c *x509.Certificate) bool {
- return util.IsSubscriberCert(c) && c.ExtKeyUsage != nil
-}
-
-func (l *subExtKeyUsageLegalUsage) Execute(c *x509.Certificate) *LintResult {
- // Add actual lint here
- for _, kp := range c.ExtKeyUsage {
- if kp == x509.ExtKeyUsageServerAuth ||
- kp == x509.ExtKeyUsageClientAuth ||
- kp == x509.ExtKeyUsageEmailProtection {
- // If we find any of these three, considered passing, continue
- continue
- } else {
- // A bad usage was found, report and leave
- return &LintResult{Status: Warn}
- }
- }
- // If no bad usage was found, pass
- return &LintResult{Status: Pass}
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "w_sub_cert_eku_extra_values",
- Description: "Subscriber Certificate: extKeyUsage values other than id-kp-serverAuth, id-kp-clientAuth, and id-kp-emailProtection SHOULD NOT be present.",
- Citation: "BRs: 7.1.2.3",
- Source: CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
- Lint: &subExtKeyUsageLegalUsage{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_sub_cert_eku_missing.go b/vendor/github.com/zmap/zlint/lints/lint_sub_cert_eku_missing.go
deleted file mode 100644
index ea8a42e07..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_sub_cert_eku_missing.go
+++ /dev/null
@@ -1,56 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-/*******************************************************************************************************
-BRs: 7.1.2.3
-extKeyUsage (required)
-Either the value id-kp-serverAuth [RFC5280] or id-kp-clientAuth [RFC5280] or both values MUST be present. id-kp-emailProtection [RFC5280] MAY be present. Other values SHOULD NOT be present.
-*******************************************************************************************************/
-
-import (
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type subExtKeyUsage struct{}
-
-func (l *subExtKeyUsage) Initialize() error {
- return nil
-}
-
-func (l *subExtKeyUsage) CheckApplies(c *x509.Certificate) bool {
- return !util.IsCACert(c)
-}
-
-func (l *subExtKeyUsage) Execute(c *x509.Certificate) *LintResult {
- // Add actual lint here
- if util.IsExtInCert(c, util.EkuSynOid) {
- return &LintResult{Status: Pass}
- } else {
- return &LintResult{Status: Error}
- }
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_sub_cert_eku_missing",
- Description: "Subscriber certificates MUST have the extended key usage extension present",
- Citation: "BRs: 7.1.2.3",
- Source: CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
- Lint: &subExtKeyUsage{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_sub_cert_eku_server_auth_client_auth_missing.go b/vendor/github.com/zmap/zlint/lints/lint_sub_cert_eku_server_auth_client_auth_missing.go
deleted file mode 100644
index 958d056f1..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_sub_cert_eku_server_auth_client_auth_missing.go
+++ /dev/null
@@ -1,59 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-/*******************************************************************************************************
-BRs: 7.1.2.3
-extKeyUsage (required)
-Either the value id-kp-serverAuth [RFC5280] or id-kp-clientAuth [RFC5280] or both values MUST be present. id-kp-emailProtection [RFC5280] MAY be present. Other values SHOULD NOT be present.
-*******************************************************************************************************/
-
-import (
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type subExtKeyUsageClientOrServer struct{}
-
-func (l *subExtKeyUsageClientOrServer) Initialize() error {
- return nil
-}
-
-func (l *subExtKeyUsageClientOrServer) CheckApplies(c *x509.Certificate) bool {
- return c.ExtKeyUsage != nil
-}
-
-func (l *subExtKeyUsageClientOrServer) Execute(c *x509.Certificate) *LintResult {
- // Add actual lint here
- for _, kp := range c.ExtKeyUsage {
- if kp == x509.ExtKeyUsageServerAuth || kp == x509.ExtKeyUsageClientAuth {
- // If we find either of ServerAuth or ClientAuth, Pass
- return &LintResult{Status: Pass}
- }
- }
- // If neither were found, Error
- return &LintResult{Status: Error}
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_sub_cert_eku_server_auth_client_auth_missing",
- Description: "Subscriber certificates MUST have have either id-kp-serverAuth or id-kp-clientAuth or both present in extKeyUsage",
- Citation: "BRs: 7.1.2.3",
- Source: CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
- Lint: &subExtKeyUsageClientOrServer{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_sub_cert_gn_sn_contains_policy.go b/vendor/github.com/zmap/zlint/lints/lint_sub_cert_gn_sn_contains_policy.go
deleted file mode 100644
index 8b206243e..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_sub_cert_gn_sn_contains_policy.go
+++ /dev/null
@@ -1,51 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-import (
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type subCertSubjectGnOrSnContainsPolicy struct{}
-
-func (l *subCertSubjectGnOrSnContainsPolicy) Initialize() error {
- return nil
-}
-
-func (l *subCertSubjectGnOrSnContainsPolicy) CheckApplies(c *x509.Certificate) bool {
- //Check if GivenName or Surname fields are filled out
- return util.IsSubscriberCert(c) && (len(c.Subject.GivenName) != 0 || len(c.Subject.Surname) != 0)
-}
-
-func (l *subCertSubjectGnOrSnContainsPolicy) Execute(c *x509.Certificate) *LintResult {
- for _, policyIds := range c.PolicyIdentifiers {
- if policyIds.Equal(util.BRIndividualValidatedOID) {
- return &LintResult{Status: Pass}
- }
- }
- return &LintResult{Status: Error}
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_sub_cert_given_name_surname_contains_correct_policy",
- Description: "Subscriber Certificate: A certificate containing a subject:givenName field or subject:surname field MUST contain the (2.23.140.1.2.3) certPolicy OID.",
- Citation: "BRs: 7.1.4.2.2",
- Source: CABFBaselineRequirements,
- EffectiveDate: util.CABGivenNameDate,
- Lint: &subCertSubjectGnOrSnContainsPolicy{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_sub_cert_is_ca.go b/vendor/github.com/zmap/zlint/lints/lint_sub_cert_is_ca.go
deleted file mode 100644
index a37b9d020..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_sub_cert_is_ca.go
+++ /dev/null
@@ -1,56 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-import (
- "encoding/asn1"
-
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type subCertNotCA struct{}
-
-func (l *subCertNotCA) Initialize() error {
- return nil
-}
-
-func (l *subCertNotCA) CheckApplies(c *x509.Certificate) bool {
- return util.IsExtInCert(c, util.KeyUsageOID) && c.KeyUsage&x509.KeyUsageCertSign == 0 && util.IsExtInCert(c, util.BasicConstOID)
-}
-
-func (l *subCertNotCA) Execute(c *x509.Certificate) *LintResult {
- e := util.GetExtFromCert(c, util.BasicConstOID)
- var constraints basicConstraints
- if _, err := asn1.Unmarshal(e.Value, &constraints); err != nil {
- return &LintResult{Status: Fatal}
- }
- if constraints.IsCA == true {
- return &LintResult{Status: Error}
- } else {
- return &LintResult{Status: Pass}
- }
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_sub_cert_not_is_ca",
- Description: "Subscriber Certificate: basicContrainsts cA field MUST NOT be true.",
- Citation: "BRs: 7.1.2.3",
- Source: CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
- Lint: &subCertNotCA{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_sub_cert_key_usage_cert_sign_bit_set.go b/vendor/github.com/zmap/zlint/lints/lint_sub_cert_key_usage_cert_sign_bit_set.go
deleted file mode 100644
index ba25a3f26..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_sub_cert_key_usage_cert_sign_bit_set.go
+++ /dev/null
@@ -1,56 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-/**************************************************************************
-BRs: 7.1.2.3
-keyUsage (optional)
-If present, bit positions for keyCertSign and cRLSign MUST NOT be set.
-***************************************************************************/
-
-import (
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type subCertKeyUsageBitSet struct{}
-
-func (l *subCertKeyUsageBitSet) Initialize() error {
- return nil
-}
-
-func (l *subCertKeyUsageBitSet) CheckApplies(c *x509.Certificate) bool {
- return util.IsExtInCert(c, util.KeyUsageOID) && !util.IsCACert(c)
-}
-
-func (l *subCertKeyUsageBitSet) Execute(c *x509.Certificate) *LintResult {
- // Add actual lint here
- if (c.KeyUsage & x509.KeyUsageCertSign) == x509.KeyUsageCertSign {
- return &LintResult{Status: Error}
- } else { //key usage doesn't allow cert signing or isn't present
- return &LintResult{Status: Pass}
- }
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_sub_cert_key_usage_cert_sign_bit_set",
- Description: "Subscriber Certificate: keyUsage if present, bit positions for keyCertSign and cRLSign MUST NOT be set.",
- Citation: "BRs: 7.1.2.3",
- Source: CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
- Lint: &subCertKeyUsageBitSet{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_sub_cert_key_usage_crl_sign_bit_set.go b/vendor/github.com/zmap/zlint/lints/lint_sub_cert_key_usage_crl_sign_bit_set.go
deleted file mode 100644
index 45e45eb9b..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_sub_cert_key_usage_crl_sign_bit_set.go
+++ /dev/null
@@ -1,56 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-/**************************************************************************
-BRs: 7.1.2.3
-keyUsage (optional)
-If present, bit positions for keyCertSign and cRLSign MUST NOT be set.
-***************************************************************************/
-
-import (
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type subCrlSignAllowed struct{}
-
-func (l *subCrlSignAllowed) Initialize() error {
- return nil
-}
-
-func (l *subCrlSignAllowed) CheckApplies(c *x509.Certificate) bool {
- return util.IsExtInCert(c, util.KeyUsageOID) && !util.IsCACert(c)
-}
-
-func (l *subCrlSignAllowed) Execute(c *x509.Certificate) *LintResult {
- // Add actual lint here
- if (c.KeyUsage & x509.KeyUsageCRLSign) == x509.KeyUsageCRLSign {
- return &LintResult{Status: Error}
- } else { //key usage doesn't allow cert signing or isn't present
- return &LintResult{Status: Pass}
- }
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_sub_cert_key_usage_crl_sign_bit_set",
- Description: "Subscriber Certificate: keyUsage if present, bit positions for keyCertSign and cRLSign MUST NOT be set.",
- Citation: "BRs: 7.1.2.3",
- Source: CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
- Lint: &subCrlSignAllowed{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_sub_cert_locality_name_must_appear.go b/vendor/github.com/zmap/zlint/lints/lint_sub_cert_locality_name_must_appear.go
deleted file mode 100644
index 9acbd977d..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_sub_cert_locality_name_must_appear.go
+++ /dev/null
@@ -1,52 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-import (
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type subCertLocalityNameMustAppear struct{}
-
-func (l *subCertLocalityNameMustAppear) Initialize() error {
- return nil
-}
-
-func (l *subCertLocalityNameMustAppear) CheckApplies(c *x509.Certificate) bool {
- return util.IsSubscriberCert(c)
-}
-
-func (l *subCertLocalityNameMustAppear) Execute(c *x509.Certificate) *LintResult {
- if len(c.Subject.Organization) > 0 || len(c.Subject.GivenName) > 0 || len(c.Subject.Surname) > 0 {
- if len(c.Subject.Province) == 0 {
- if len(c.Subject.Locality) == 0 {
- return &LintResult{Status: Error}
- }
- }
- }
- return &LintResult{Status: Pass}
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_sub_cert_locality_name_must_appear",
- Description: "Subscriber Certificate: subject:localityName MUST appear if subject:organizationName, subject:givenName, or subject:surname fields are present but the subject:stateOrProvinceName field is absent.",
- Citation: "BRs: 7.1.4.2.2",
- Source: CABFBaselineRequirements,
- EffectiveDate: util.CABGivenNameDate,
- Lint: &subCertLocalityNameMustAppear{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_sub_cert_locality_name_must_not_appear.go b/vendor/github.com/zmap/zlint/lints/lint_sub_cert_locality_name_must_not_appear.go
deleted file mode 100644
index be9625057..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_sub_cert_locality_name_must_not_appear.go
+++ /dev/null
@@ -1,50 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-import (
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type subCertLocalityNameMustNotAppear struct{}
-
-func (l *subCertLocalityNameMustNotAppear) Initialize() error {
- return nil
-}
-
-func (l *subCertLocalityNameMustNotAppear) CheckApplies(c *x509.Certificate) bool {
- return util.IsSubscriberCert(c)
-}
-
-func (l *subCertLocalityNameMustNotAppear) Execute(c *x509.Certificate) *LintResult {
- if len(c.Subject.Organization) == 0 && len(c.Subject.GivenName) == 0 && len(c.Subject.Surname) == 0 {
- if len(c.Subject.Locality) > 0 {
- return &LintResult{Status: Error}
- }
- }
- return &LintResult{Status: Pass}
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_sub_cert_locality_name_must_not_appear",
- Description: "Subscriber Certificate: subject:localityName MUST NOT appear if subject:organizationName, subject:givenName, and subject:surname fields are absent.",
- Citation: "BRs: 7.1.4.2.2",
- Source: CABFBaselineRequirements,
- EffectiveDate: util.CABGivenNameDate,
- Lint: &subCertLocalityNameMustNotAppear{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_sub_cert_or_sub_ca_using_sha1.go b/vendor/github.com/zmap/zlint/lints/lint_sub_cert_or_sub_ca_using_sha1.go
deleted file mode 100644
index f9d69d0b5..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_sub_cert_or_sub_ca_using_sha1.go
+++ /dev/null
@@ -1,53 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-/**************************************************************************************************
-BRs: 7.1.3
-SHA‐1 MAY be used with RSA keys in accordance with the criteria defined in Section 7.1.3.
-**************************************************************************************************/
-
-import (
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type sigAlgTestsSHA1 struct{}
-
-func (l *sigAlgTestsSHA1) Initialize() error {
- return nil
-}
-
-func (l *sigAlgTestsSHA1) CheckApplies(c *x509.Certificate) bool {
- return true
-}
-
-func (l *sigAlgTestsSHA1) Execute(c *x509.Certificate) *LintResult {
- if c.SignatureAlgorithm == x509.SHA1WithRSA || c.SignatureAlgorithm == x509.DSAWithSHA1 || c.SignatureAlgorithm == x509.ECDSAWithSHA1 {
- return &LintResult{Status: Error}
- }
- return &LintResult{Status: Pass}
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_sub_cert_or_sub_ca_using_sha1",
- Description: "CAs MUST NOT issue any new Subscriber certificates or Subordinate CA certificates using SHA-1 after 1 January 2016",
- Citation: "BRs: 7.1.3",
- Source: CABFBaselineRequirements,
- EffectiveDate: util.NO_SHA1,
- Lint: &sigAlgTestsSHA1{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_sub_cert_postal_code_prohibited.go b/vendor/github.com/zmap/zlint/lints/lint_sub_cert_postal_code_prohibited.go
deleted file mode 100644
index 8721ad698..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_sub_cert_postal_code_prohibited.go
+++ /dev/null
@@ -1,51 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-import (
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type subCertPostalCodeMustNotAppear struct{}
-
-func (l *subCertPostalCodeMustNotAppear) Initialize() error {
- return nil
-}
-
-func (l *subCertPostalCodeMustNotAppear) CheckApplies(c *x509.Certificate) bool {
- return util.IsSubscriberCert(c)
-}
-
-func (l *subCertPostalCodeMustNotAppear) Execute(c *x509.Certificate) *LintResult {
- // BR 7.1.4.2.2 uses "or" and "and" interchangeably when they mean "and".
- if len(c.Subject.Organization) == 0 && len(c.Subject.GivenName) == 0 && len(c.Subject.Surname) == 0 {
- if len(c.Subject.PostalCode) > 0 {
- return &LintResult{Status: Error}
- }
- }
- return &LintResult{Status: Pass}
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_sub_cert_postal_code_must_not_appear",
- Description: "Subscriber Certificate: subject:postalCode MUST NOT appear if the subject:organizationName field, subject:givenName field, or subject:surname fields are absent.",
- Citation: "BRs: 7.1.4.2.2",
- Source: CABFBaselineRequirements,
- EffectiveDate: util.CABGivenNameDate,
- Lint: &subCertPostalCodeMustNotAppear{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_sub_cert_province_must_appear.go b/vendor/github.com/zmap/zlint/lints/lint_sub_cert_province_must_appear.go
deleted file mode 100644
index e6843a04d..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_sub_cert_province_must_appear.go
+++ /dev/null
@@ -1,52 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-import (
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type subCertProvinceMustAppear struct{}
-
-func (l *subCertProvinceMustAppear) Initialize() error {
- return nil
-}
-
-func (l *subCertProvinceMustAppear) CheckApplies(c *x509.Certificate) bool {
- return util.IsSubscriberCert(c)
-}
-
-func (l *subCertProvinceMustAppear) Execute(c *x509.Certificate) *LintResult {
- if len(c.Subject.Organization) > 0 || len(c.Subject.GivenName) > 0 || len(c.Subject.Surname) > 0 {
- if len(c.Subject.Locality) == 0 {
- if len(c.Subject.Province) == 0 {
- return &LintResult{Status: Error}
- }
- }
- }
- return &LintResult{Status: Pass}
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_sub_cert_province_must_appear",
- Description: "Subscriber Certificate: subject:stateOrProvinceName MUST appear if the subject:organizationName, subject:givenName, or subject:surname fields are present and subject:localityName is absent.",
- Citation: "BRs: 7.1.4.2.2",
- Source: CABFBaselineRequirements,
- EffectiveDate: util.CABGivenNameDate,
- Lint: &subCertProvinceMustAppear{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_sub_cert_province_must_not_appear.go b/vendor/github.com/zmap/zlint/lints/lint_sub_cert_province_must_not_appear.go
deleted file mode 100644
index e7ac3780b..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_sub_cert_province_must_not_appear.go
+++ /dev/null
@@ -1,50 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-import (
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type subCertProvinceMustNotAppear struct{}
-
-func (l *subCertProvinceMustNotAppear) Initialize() error {
- return nil
-}
-
-func (l *subCertProvinceMustNotAppear) CheckApplies(c *x509.Certificate) bool {
- return util.IsSubscriberCert(c)
-}
-
-func (l *subCertProvinceMustNotAppear) Execute(c *x509.Certificate) *LintResult {
- if len(c.Subject.Organization) == 0 && len(c.Subject.GivenName) == 0 && len(c.Subject.Surname) == 0 {
- if len(c.Subject.Province) > 0 {
- return &LintResult{Status: Error}
- }
- }
- return &LintResult{Status: Pass}
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_sub_cert_province_must_not_appear",
- Description: "Subscriber Certificate: subject:stateOrProvinceName MUST NOT appear if the subject:organizationName, subject:givenName, and subject:surname fields are absent.",
- Citation: "BRs: 7.1.4.2.2",
- Source: CABFBaselineRequirements,
- EffectiveDate: util.CABGivenNameDate,
- Lint: &subCertProvinceMustNotAppear{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_sub_cert_sha1_expiration_too_long.go b/vendor/github.com/zmap/zlint/lints/lint_sub_cert_sha1_expiration_too_long.go
deleted file mode 100644
index 61736ae08..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_sub_cert_sha1_expiration_too_long.go
+++ /dev/null
@@ -1,60 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-/***************************************************************************************************************
-Effective 16 January 2015, CAs SHOULD NOT issue Subscriber Certificates utilizing the SHA‐1 algorithm with
-an Expiry Date greater than 1 January 2017 because Application Software Providers are in the process of
-deprecating and/or removing the SHA‐1 algorithm from their software, and they have communicated that
-CAs and Subscribers using such certificates do so at their own risk.
-****************************************************************************************************************/
-
-import (
- "time"
-
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type sha1ExpireLong struct{}
-
-func (l *sha1ExpireLong) Initialize() error {
- return nil
-}
-
-func (l *sha1ExpireLong) CheckApplies(c *x509.Certificate) bool {
- return !util.IsCACert(c) && (c.SignatureAlgorithm == x509.SHA1WithRSA ||
- c.SignatureAlgorithm == x509.DSAWithSHA1 ||
- c.SignatureAlgorithm == x509.ECDSAWithSHA1)
-}
-
-func (l *sha1ExpireLong) Execute(c *x509.Certificate) *LintResult {
- if c.NotAfter.After(time.Date(2017, time.January, 1, 0, 0, 0, 0, time.UTC)) {
- return &LintResult{Status: Warn}
- } else {
- return &LintResult{Status: Pass}
- }
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "w_sub_cert_sha1_expiration_too_long",
- Description: "Subscriber certificates using the SHA-1 algorithm SHOULD NOT have an expiration date later than 1 Jan 2017",
- Citation: "BRs: 7.1.3",
- Source: CABFBaselineRequirements,
- EffectiveDate: time.Date(2015, time.January, 16, 0, 0, 0, 0, time.UTC),
- Lint: &sha1ExpireLong{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_sub_cert_street_address_should_not_exist.go b/vendor/github.com/zmap/zlint/lints/lint_sub_cert_street_address_should_not_exist.go
deleted file mode 100644
index 66d5d958f..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_sub_cert_street_address_should_not_exist.go
+++ /dev/null
@@ -1,51 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-import (
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type subCertStreetAddressShouldNotExist struct{}
-
-func (l *subCertStreetAddressShouldNotExist) Initialize() error {
- return nil
-}
-
-func (l *subCertStreetAddressShouldNotExist) CheckApplies(c *x509.Certificate) bool {
- return util.IsSubscriberCert(c)
-}
-
-func (l *subCertStreetAddressShouldNotExist) Execute(c *x509.Certificate) *LintResult {
- //If all fields are absent
- if len(c.Subject.Organization) == 0 && len(c.Subject.GivenName) == 0 && len(c.Subject.Surname) == 0 {
- if len(c.Subject.StreetAddress) > 0 {
- return &LintResult{Status: Error}
- }
- }
- return &LintResult{Status: Pass}
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_sub_cert_street_address_should_not_exist",
- Description: "Subscriber Certificate: subject:streetAddress MUST NOT appear if subject:organizationName, subject:givenName, and subject:surname fields are absent.",
- Citation: "BRs: 7.1.4.2.2",
- Source: CABFBaselineRequirements,
- EffectiveDate: util.CABGivenNameDate,
- Lint: &subCertStreetAddressShouldNotExist{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_sub_cert_valid_time_longer_than_39_months.go b/vendor/github.com/zmap/zlint/lints/lint_sub_cert_valid_time_longer_than_39_months.go
deleted file mode 100644
index 8add5fb60..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_sub_cert_valid_time_longer_than_39_months.go
+++ /dev/null
@@ -1,48 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2017 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-import (
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type subCertValidTimeLongerThan39Months struct{}
-
-func (l *subCertValidTimeLongerThan39Months) Initialize() error {
- return nil
-}
-
-func (l *subCertValidTimeLongerThan39Months) CheckApplies(c *x509.Certificate) bool {
- return util.IsSubscriberCert(c)
-}
-
-func (l *subCertValidTimeLongerThan39Months) Execute(c *x509.Certificate) *LintResult {
- if c.NotBefore.AddDate(0, 39, 0).Before(c.NotAfter) {
- return &LintResult{Status: Error}
- }
- return &LintResult{Status: Pass}
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_sub_cert_valid_time_longer_than_39_months",
- Description: "Subscriber Certificates issued after 1 July 2016 but prior to 1 March 2018 MUST have a Validity Period no greater than 39 months.",
- Citation: "BRs: 6.3.2",
- Source: CABFBaselineRequirements,
- EffectiveDate: util.SubCert39Month,
- Lint: &subCertValidTimeLongerThan39Months{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_sub_cert_valid_time_longer_than_825_days.go b/vendor/github.com/zmap/zlint/lints/lint_sub_cert_valid_time_longer_than_825_days.go
deleted file mode 100644
index 6ec5c62f7..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_sub_cert_valid_time_longer_than_825_days.go
+++ /dev/null
@@ -1,48 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2017 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-import (
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type subCertValidTimeLongerThan825Days struct{}
-
-func (l *subCertValidTimeLongerThan825Days) Initialize() error {
- return nil
-}
-
-func (l *subCertValidTimeLongerThan825Days) CheckApplies(c *x509.Certificate) bool {
- return util.IsSubscriberCert(c)
-}
-
-func (l *subCertValidTimeLongerThan825Days) Execute(c *x509.Certificate) *LintResult {
- if c.NotBefore.AddDate(0, 0, 825).Before(c.NotAfter) {
- return &LintResult{Status: Error}
- }
- return &LintResult{Status: Pass}
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_sub_cert_valid_time_longer_than_825_days",
- Description: "Subscriber Certificates issued after 1 March 2018 MUST have a Validity Period no greater than 825 days.",
- Citation: "BRs: 6.3.2",
- Source: CABFBaselineRequirements,
- EffectiveDate: util.SubCert825Days,
- Lint: &subCertValidTimeLongerThan825Days{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_subject_common_name_included.go b/vendor/github.com/zmap/zlint/lints/lint_subject_common_name_included.go
deleted file mode 100644
index 4f9b26313..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_subject_common_name_included.go
+++ /dev/null
@@ -1,54 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-/***************************************************************
-BRs: 7.1.4.2.2
-Required/Optional: Deprecated (Discouraged, but not prohibited)
-***************************************************************/
-
-import (
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type commonNames struct{}
-
-func (l *commonNames) Initialize() error {
- return nil
-}
-
-func (l *commonNames) CheckApplies(c *x509.Certificate) bool {
- return !util.IsCACert(c)
-}
-
-func (l *commonNames) Execute(c *x509.Certificate) *LintResult {
- if c.Subject.CommonName == "" {
- return &LintResult{Status: Pass}
- } else {
- return &LintResult{Status: Notice}
- }
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "n_subject_common_name_included",
- Description: "Subscriber Certificate: commonName is deprecated.",
- Citation: "BRs: 7.1.4.2.2",
- Source: CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
- Lint: &commonNames{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_subject_common_name_max_length.go b/vendor/github.com/zmap/zlint/lints/lint_subject_common_name_max_length.go
deleted file mode 100644
index a7d342987..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_subject_common_name_max_length.go
+++ /dev/null
@@ -1,58 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-/************************************************
-RFC 5280: A.1
- * In this Appendix, there is a list of upperbounds
- for fields in a x509 Certificate. *
- ub-common-name INTEGER ::= 64
-************************************************/
-
-import (
- "unicode/utf8"
-
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type subjectCommonNameMaxLength struct{}
-
-func (l *subjectCommonNameMaxLength) Initialize() error {
- return nil
-}
-
-func (l *subjectCommonNameMaxLength) CheckApplies(c *x509.Certificate) bool {
- return true
-}
-
-func (l *subjectCommonNameMaxLength) Execute(c *x509.Certificate) *LintResult {
- if utf8.RuneCountInString(c.Subject.CommonName) > 64 {
- return &LintResult{Status: Error}
- } else {
- return &LintResult{Status: Pass}
- }
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_subject_common_name_max_length",
- Description: "The commonName field of the subject MUST be less than 64 characters",
- Citation: "RFC 5280: A.1",
- Source: RFC5280,
- EffectiveDate: util.RFC2459Date,
- Lint: &subjectCommonNameMaxLength{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_subject_common_name_not_from_san.go b/vendor/github.com/zmap/zlint/lints/lint_subject_common_name_not_from_san.go
deleted file mode 100644
index 106b51727..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_subject_common_name_not_from_san.go
+++ /dev/null
@@ -1,68 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-/************************************************
-BRs: 7.1.4.2.2
-If present, this field MUST contain a single IP address
-or Fully‐Qualified Domain Name that is one of the values
-contained in the Certificate’s subjectAltName extension (see Section 7.1.4.2.1).
-************************************************/
-
-import (
- "strings"
-
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type subjectCommonNameNotFromSAN struct{}
-
-func (l *subjectCommonNameNotFromSAN) Initialize() error {
- return nil
-}
-
-func (l *subjectCommonNameNotFromSAN) CheckApplies(c *x509.Certificate) bool {
- return c.Subject.CommonName != "" && !util.IsCACert(c)
-}
-
-func (l *subjectCommonNameNotFromSAN) Execute(c *x509.Certificate) *LintResult {
- cn := c.Subject.CommonName
-
- for _, dn := range c.DNSNames {
- if strings.EqualFold(cn, dn) {
- return &LintResult{Status: Pass}
- }
- }
-
- for _, ip := range c.IPAddresses {
- if cn == ip.String() {
- return &LintResult{Status: Pass}
- }
- }
-
- return &LintResult{Status: Error}
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_subject_common_name_not_from_san",
- Description: "The common name field in subscriber certificates must include only names from the SAN extension",
- Citation: "BRs: 7.1.4.2.2",
- Source: CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
- Lint: &subjectCommonNameNotFromSAN{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_subject_contains_malformed_arpa_ip.go b/vendor/github.com/zmap/zlint/lints/lint_subject_contains_malformed_arpa_ip.go
deleted file mode 100644
index 50100c1f3..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_subject_contains_malformed_arpa_ip.go
+++ /dev/null
@@ -1,139 +0,0 @@
-/*
- * ZLint Copyright 2019 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-package lints
-
-import (
- "fmt"
- "net"
- "strings"
-
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-// arpaMalformedIP is a linter that warns for malformed names under the
-// .in-addr.arpa or .ip6.arpa zones.
-// See also: lint_subject_contains_reserved_arpa_ip.go for a lint that ensures
-// well formed rDNS names in these zones do not specify an address in a IANA
-// reserved network.
-type arpaMalformedIP struct{}
-
-// Initialize for an arpaMalformedIP linter is a NOP to statisfy linting
-// interfaces.
-func (l *arpaMalformedIP) Initialize() error {
- return nil
-}
-
-// CheckApplies returns true if the certificate contains any names that end in
-// one of the two designated zones for reverse DNS: in-addr.arpa or ip6.arpa.
-func (l *arpaMalformedIP) CheckApplies(c *x509.Certificate) bool {
- names := append([]string{c.Subject.CommonName}, c.DNSNames...)
- for _, name := range names {
- name = strings.ToLower(name)
- if strings.HasSuffix(name, rdnsIPv4Suffix) ||
- strings.HasSuffix(name, rdnsIPv6Suffix) {
- return true
- }
- }
- return false
-}
-
-// Execute will check the given certificate to ensure that all of the DNS
-// subject alternate names that specify a reverse DNS name under the respective
-// IPv4 or IPv6 arpa zones are well formed. A Warn LintResult is returned if
-// the name is in a reverse DNS zone but has the wrong number of labels.
-func (l *arpaMalformedIP) Execute(c *x509.Certificate) *LintResult {
- for _, name := range c.DNSNames {
- name = strings.ToLower(name)
- var err error
- if strings.HasSuffix(name, rdnsIPv4Suffix) {
- // If the name has the in-addr.arpa suffix then it should be an IPv4 reverse
- // DNS name.
- err = lintReversedIPAddressLabels(name, false)
- } else if strings.HasSuffix(name, rdnsIPv6Suffix) {
- // If the name has the ip6.arpa suffix then it should be an IPv6 reverse
- // DNS name.
- err = lintReversedIPAddressLabels(name, true)
- }
- // Return the first error as a negative lint result
- if err != nil {
- return &LintResult{
- Status: Warn,
- Details: err.Error(),
- }
- }
- }
-
- return &LintResult{
- Status: Pass,
- }
-}
-
-// lintReversedIPAddressLabels lints the given name as either a reversed IPv4 or
-// IPv6 address under the respective ARPA zone based on the address class. An
-// error is returned if there aren't enough labels in the name after removing
-// the relevant arpa suffix.
-func lintReversedIPAddressLabels(name string, ipv6 bool) error { - numRequiredLabels := rdnsIPv4Labels - zoneSuffix := rdnsIPv4Suffix - - if ipv6 { - numRequiredLabels = rdnsIPv6Labels - zoneSuffix = rdnsIPv6Suffix - } - - // Strip off the zone suffix to get only the reversed IP address - ipName := strings.TrimSuffix(name, zoneSuffix) - - // A well encoded IPv4 or IPv6 reverse DNS name will have the correct number - // of labels to express the address - ipLabels := strings.Split(ipName, ".") - if len(ipLabels) != numRequiredLabels { - return fmt.Errorf( - "name %q has too few leading labels (%d vs %d) to be a reverse DNS entry "+ - "in the %q zone.", - name, len(ipLabels), numRequiredLabels, zoneSuffix) - } - - // Reverse the IP labels and try to parse an IP address - var ip net.IP - if ipv6 { - ip = reversedLabelsToIPv6(ipLabels) - } else { - ip = reversedLabelsToIPv4(ipLabels) - } - - // If the result isn't an IP then a warning should be generated - if ip == nil { - return fmt.Errorf( - "the first %d labels of name %q did not parse as a reversed IP address", - numRequiredLabels, name) - } - - // Otherwise return no error - checking the actual value of the IP is left to - // `lint_subject_contains_reserved_arpa_ip.go`. - return nil -} - -func init() { - RegisterLint(&Lint{ - Name: "w_subject_contains_malformed_arpa_ip", - Description: "Checks no subject domain name contains a rDNS entry in an .arpa zone with the wrong number of labels", - Citation: "BRs: 7.1.4.2.1", - Source: CABFBaselineRequirements, - EffectiveDate: util.CABEffectiveDate, - Lint: &arpaMalformedIP{}, - }) -} diff --git a/vendor/github.com/zmap/zlint/lints/lint_subject_contains_noninformational_value.go b/vendor/github.com/zmap/zlint/lints/lint_subject_contains_noninformational_value.go deleted file mode 100644 index b2d4d91b5..000000000 --- a/vendor/github.com/zmap/zlint/lints/lint_subject_contains_noninformational_value.go +++ /dev/null 
@@ -1,79 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-/**********************************************************************************************************************
-BRs: 7.1.4.2.2
-Other Subject Attributes
-With the exception of the subject:organizationalUnitName (OU) attribute, optional attributes, when present within
-the subject field, MUST contain information that has been verified by the CA. Metadata such as ‘.’, ‘-‘, and ‘ ‘ (i.e.
-space) characters, and/or any other indication that the value is absent, incomplete, or not applicable, SHALL NOT
-be used.
-**********************************************************************************************************************/
-
-import (
- "fmt"
-
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type illegalChar struct{}
-
-func (l *illegalChar) Initialize() error {
- return nil
-}
-
-func (l *illegalChar) CheckApplies(c *x509.Certificate) bool {
- return true
-}
-
-func (l *illegalChar) Execute(c *x509.Certificate) *LintResult {
- for _, j := range c.Subject.Names {
- value, ok := j.Value.(string)
- if !ok {
- continue
- }
-
- if !checkAlphaNumericOrUTF8Present(value) {
- return &LintResult{Status: Error, Details: fmt.Sprintf("found only metadata %s in subjectDN attribute %s", value, j.Type.String())}
- }
- }
-
- return &LintResult{Status: Pass}
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_subject_contains_noninformational_value",
- Description: "Subject name fields must not contain '.','-',' ' or any other indication that the field has been omitted",
- Citation: "BRs: 7.1.4.2.2",
- Source: CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
- Lint: &illegalChar{},
- })
-}
-
-// checkAlphaNumericOrUTF8Present checks if input string contains at least one occurrence of [a-Z0-9] or
-// a UTF8 rune outside of ascii table
-func checkAlphaNumericOrUTF8Present(input string) bool {
- for _, r := range input {
- if (r >= 'a' && r <= 'z') || (r >= 'A' && r <= 'Z') || (r >= '0' && r <= '9') || r > 127 {
- return true
- }
- }
-
- return false
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_subject_contains_reserved_arpa_ip.go b/vendor/github.com/zmap/zlint/lints/lint_subject_contains_reserved_arpa_ip.go
deleted file mode 100644
index fd224711a..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_subject_contains_reserved_arpa_ip.go
+++ /dev/null
@@ -1,232 +0,0 @@
-/*
- * ZLint Copyright 2019 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-package lints
-
-import (
- "fmt"
- "net"
- "strings"
-
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-const (
- // arpaTLD holds a string constant for the .arpa TLD
- arpaTLD = ".arpa"
-
- // rdnsIPv4Suffix is the expected suffix for IPv4 reverse DNS names as
- // specified in https://tools.ietf.org/html/rfc1035#section-3.5
- rdnsIPv4Suffix = ".in-addr" + arpaTLD
- // rndsIPv4Labels is the expected number of labels for an IPv4 reverse DNS
- // name (not counting the rdnsIPv4Suffix labels). IPv4 addresses are four
- // bytes. RFC 1035 uses one byte per label meaning there are 4 expected labels
- // under the rdnsIPv4Suffix.
- rdnsIPv4Labels = 4
-
- // rdnsIPv6Suffix is the expected suffix for IPv6 reverse DNS names as
- // specified in https://tools.ietf.org/html/rfc3596#section-2.5
- rdnsIPv6Suffix = ".ip6" + arpaTLD
- // rndsIPv6Labels is the expected number of labels for an IPv6 reverse DNS
- // name (not counting the rdnsIPv6Suffix labels). IPv6 addresses are 16 bytes.
- // RFC 3596 Sec 2.5 uses one *nibble* per label meaning there are 16*2
- // expected labels under the rdnsIPv6Suffix.
- rdnsIPv6Labels = 32
-)
-
-// arpaReservedIP is a linter that errors for any well formed rDNS names in the
-// .in-addr.arpa or .ip6.arpa zones that specify an address in an IANA reserved
-// network.
-// See also: lint_subject_contains_malformed_arpa_ip.go for a lint that warns
-// about malformed rDNS names in these zones.
-type arpaReservedIP struct{}
-
-// Initialize for an arpaReservedIP linter is a NOP to statisfy linting
-// interfaces.
-func (l *arpaReservedIP) Initialize() error {
- return nil
-}
-
-// CheckApplies returns true if the certificate contains any names that end in
-// one of the two designated zones for reverse DNS: in-addr.arpa or ip6.arpa.
-func (l *arpaReservedIP) CheckApplies(c *x509.Certificate) bool {
- names := append([]string{c.Subject.CommonName}, c.DNSNames...)
- for _, name := range names {
- name = strings.ToLower(name)
- if strings.HasSuffix(name, rdnsIPv4Suffix) ||
- strings.HasSuffix(name, rdnsIPv6Suffix) {
- return true
- }
- }
- return false
-}
-
-// Execute will check the given certificate to ensure that all of the DNS
-// subject alternate names that specify a well formed reverse DNS name under the
-// respective IPv4 or IPv6 arpa zones do not specify an IP in an IANA
-// reserved IP space. An Error LintResult is returned if the name specifies an
-// IP address of the wrong class, or specifies an IP address in an IANA reserved
-// network.
-func (l *arpaReservedIP) Execute(c *x509.Certificate) *LintResult {
- for _, name := range c.DNSNames {
- name = strings.ToLower(name)
- var err error
- if strings.HasSuffix(name, rdnsIPv4Suffix) {
- // If the name has the in-addr.arpa suffix then it should be an IPv4 reverse
- // DNS name.
- err = lintReversedIPAddress(name, false)
- } else if strings.HasSuffix(name, rdnsIPv6Suffix) {
- // If the name has the ip6.arpa suffix then it should be an IPv6 reverse
- // DNS name.
- err = lintReversedIPAddress(name, true) - } - // Return the first error as a negative lint result - if err != nil { - return &LintResult{ - Status: Error, - Details: err.Error(), - } - } - } - - return &LintResult{ - Status: Pass, - } -} - -// reversedLabelsToIPv4 reverses the provided labels (assumed to be 4 labels, -// one per byte of the IPv6 address) and constructs an IPv4 address, returning -// the result of calling net.ParseIP for the constructed address. -func reversedLabelsToIPv4(labels []string) net.IP { - var buf strings.Builder - - // If there aren't the right number of labels, it isn't an IPv4 address. - if len(labels) != rdnsIPv4Labels { - return nil - } - - // An IPv4 address is represented as four groups of bytes separated by '.' - for i := len(labels) - 1; i >= 0; i-- { - buf.WriteString(labels[i]) - if i != 0 { - buf.WriteString(".") - } - } - return net.ParseIP(buf.String()) -} - -// reversedLabelsToIPv6 reverses the provided labels (assumed to be 32 labels, -// one per nibble of an IPv6 address) and constructs an IPv6 address, returning -// the result of calling net.ParseIP for the constructed address. -func reversedLabelsToIPv6(labels []string) net.IP { - var buf strings.Builder - - // If there aren't the right number of labels, it isn't an IPv6 address. - if len(labels) != rdnsIPv6Labels { - return nil - } - - // An IPv6 address is represented as eight groups of two bytes separated - // by `:` in hex form. Since each label in the rDNS form is one nibble we need - // four label components per IPv6 address component group. - for i := len(labels) - 1; i >= 0; i -= 4 { - buf.WriteString(labels[i]) - buf.WriteString(labels[i-1]) - buf.WriteString(labels[i-2]) - buf.WriteString(labels[i-3]) - if i > 4 { - buf.WriteString(":") - } - } - return net.ParseIP(buf.String()) -} - -// lintReversedIPAddress lints the given name as either a reversed IPv4 or IPv6 -// address under the respective ARPA zone based on the address class. 
An error -// is returned if: -// -// 1. The IP address labels parse as an IP of the wrong address class for the -// arpa suffix the name is using. -// 2. The IP address is within an IANA reserved range. -func lintReversedIPAddress(name string, ipv6 bool) error { - numRequiredLabels := rdnsIPv4Labels - zoneSuffix := rdnsIPv4Suffix - - if ipv6 { - numRequiredLabels = rdnsIPv6Labels - zoneSuffix = rdnsIPv6Suffix - } - - // Strip off the zone suffix to get only the reversed IP address - ipName := strings.TrimSuffix(name, zoneSuffix) - - // A well encoded IPv4 or IPv6 reverse DNS name will have the correct number - // of labels to express the address. If there isn't the right number of labels - // a separate `lint_subject_contains_malformed_arpa_ip.go` linter will flag it - // as a warning. This linter is specifically concerned with well formed rDNS - // that specifies a reserved IP. - ipLabels := strings.Split(ipName, ".") - if len(ipLabels) != numRequiredLabels { - return nil - } - - // Reverse the IP labels and try to parse an IP address - var ip net.IP - if ipv6 { - ip = reversedLabelsToIPv6(ipLabels) - } else { - ip = reversedLabelsToIPv4(ipLabels) - } - // If the result isn't an IP at all assume there is no problem - leave - // `lint_subject_contains_malformed_arpa_ip` to flag it as a warning. - if ip == nil { - return nil - } - - if !ipv6 && ip.To4() == nil { - // If we weren't expecting IPv6 and got it, that's a problem - return fmt.Errorf( - "the first %d labels of name %q parsed as a reversed IPv6 address but is "+ - "in the %q IPv4 reverse DNS zone.", - numRequiredLabels, name, rdnsIPv4Suffix) - } else if ipv6 && ip.To4() != nil { - // If we were expecting IPv6 and got an IPv4 address, that's a problem - return fmt.Errorf( - "the first %d labels of name %q parsed as a reversed IPv4 address but is "+ - "in the %q IPv4 reverse DNS zone.", - numRequiredLabels, name, rdnsIPv6Suffix) - } - - // If the IP address is in an IANA reserved space, that's a problem. 
- if util.IsIANAReserved(ip) {
- return fmt.Errorf(
- "the first %d labels of name %q parsed as a reversed IP address in "+
- "an IANA reserved IP space.",
- numRequiredLabels, name)
- }
-
- return nil
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_subject_contains_reserved_arpa_ip",
- Description: "Checks no subject domain name contains a rDNS entry in an .arpa zone specifying a reserved IP address",
- Citation: "BRs: 7.1.4.2.1",
- Source: CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
- Lint: &arpaReservedIP{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_subject_contains_reserved_ip.go b/vendor/github.com/zmap/zlint/lints/lint_subject_contains_reserved_ip.go
deleted file mode 100644
index e91983d71..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_subject_contains_reserved_ip.go
+++ /dev/null
@@ -1,59 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-/************************************************
-BRs: 7.1.4.2.1
-Also as of the Effective Date, the CA SHALL NOT
-issue a certificate with an Expiry Date later than
-1 November 2015 with a subjectAlternativeName extension
-or Subject commonName field containing a Reserved IP
-Address or Internal Name.
-************************************************/
-
-import (
- "net"
-
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type subjectReservedIP struct{}
-
-func (l *subjectReservedIP) Initialize() error {
- return nil
-}
-
-func (l *subjectReservedIP) CheckApplies(c *x509.Certificate) bool {
- return c.NotAfter.After(util.NoReservedIP)
-}
-
-func (l *subjectReservedIP) Execute(c *x509.Certificate) *LintResult {
- if ip := net.ParseIP(c.Subject.CommonName); ip != nil && util.IsIANAReserved(ip) {
- return &LintResult{Status: Error}
- }
- return &LintResult{Status: Pass}
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_subject_contains_reserved_ip",
- Description: "Certificates expiring later than 11 Jan 2015 MUST NOT contain a reserved IP address in the common name field",
- Citation: "BRs: 7.1.4.2.1",
- Source: CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
- Lint: &subjectReservedIP{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_subject_country_not_iso.go b/vendor/github.com/zmap/zlint/lints/lint_subject_country_not_iso.go
deleted file mode 100644
index 001ce42ab..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_subject_country_not_iso.go
+++ /dev/null
@@ -1,60 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-/**************************************************************************************************************
-BRs: 7.1.4.2.2
-Certificate Field: issuer:countryName (OID 2.5.4.6)
-Required/Optional: Required
-Contents: This field MUST contain the two-letter ISO 3166-1 country code for the country in which the issuer’s
-place of business is located.
-**************************************************************************************************************/
-
-import (
- "strings"
-
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type countryNotIso struct{}
-
-func (l *countryNotIso) Initialize() error {
- return nil
-}
-
-func (l *countryNotIso) CheckApplies(c *x509.Certificate) bool {
- return true
-}
-
-func (l *countryNotIso) Execute(c *x509.Certificate) *LintResult {
- for _, j := range c.Subject.Country {
- if !util.IsISOCountryCode(strings.ToUpper(j)) {
- return &LintResult{Status: Error}
- }
- }
- return &LintResult{Status: Pass}
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_subject_country_not_iso",
- Description: "The country name field MUST contain the two-letter ISO code for the country or XX",
- Citation: "BRs: 7.1.4.2.2",
- Source: CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
- Lint: &countryNotIso{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_subject_dn_country_not_printable_string.go b/vendor/github.com/zmap/zlint/lints/lint_subject_dn_country_not_printable_string.go
deleted file mode 100644
index 5201c590e..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_subject_dn_country_not_printable_string.go
+++ /dev/null
@@ -1,64 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-import (
- "encoding/asn1"
-
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type SubjectDNCountryNotPrintableString struct{}
-
-func (l *SubjectDNCountryNotPrintableString) Initialize() error {
- return nil
-}
-
-func (l *SubjectDNCountryNotPrintableString) CheckApplies(c *x509.Certificate) bool {
- return len(c.Subject.Country) > 0
-}
-
-func (l *SubjectDNCountryNotPrintableString) Execute(c *x509.Certificate) *LintResult {
- rdnSequence := util.RawRDNSequence{}
- rest, err := asn1.Unmarshal(c.RawSubject, &rdnSequence)
- if err != nil {
- return &LintResult{Status: Fatal}
- }
- if len(rest) > 0 {
- return &LintResult{Status: Fatal}
- }
-
- for _, attrTypeAndValueSet := range rdnSequence {
- for _, attrTypeAndValue := range attrTypeAndValueSet {
- if attrTypeAndValue.Type.Equal(util.CountryNameOID) && attrTypeAndValue.Value.Tag != asn1.TagPrintableString {
- return &LintResult{Status: Error}
- }
- }
- }
-
- return &LintResult{Status: Pass}
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_subject_dn_country_not_printable_string",
- Description: "X520 Distinguished Name Country MUST be encoded as PrintableString",
- Citation: "RFC 5280: Appendix A",
- Source: RFC5280,
- EffectiveDate: util.ZeroDate,
- Lint: &SubjectDNCountryNotPrintableString{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_subject_dn_leading_whitespace.go b/vendor/github.com/zmap/zlint/lints/lint_subject_dn_leading_whitespace.go
deleted file mode 100644
index dea9f97bb..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_subject_dn_leading_whitespace.go
+++ /dev/null
@@ -1,52 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-import (
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type SubjectDNLeadingSpace struct{}
-
-func (l *SubjectDNLeadingSpace) Initialize() error {
- return nil
-}
-
-func (l *SubjectDNLeadingSpace) CheckApplies(c *x509.Certificate) bool {
- return true
-}
-
-func (l *SubjectDNLeadingSpace) Execute(c *x509.Certificate) *LintResult {
- leading, _, err := util.CheckRDNSequenceWhiteSpace(c.RawSubject)
- if err != nil {
- return &LintResult{Status: Fatal}
- }
- if leading {
- return &LintResult{Status: Warn}
- }
- return &LintResult{Status: Pass}
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "w_subject_dn_leading_whitespace",
- Description: "AttributeValue in subject RelativeDistinguishedName sequence SHOULD NOT have leading whitespace",
- Citation: "AWSLabs certlint",
- Source: AWSLabs,
- EffectiveDate: util.ZeroDate,
- Lint: &SubjectDNLeadingSpace{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_subject_dn_not_printable_characters.go b/vendor/github.com/zmap/zlint/lints/lint_subject_dn_not_printable_characters.go
deleted file mode 100644
index 7d7b75afe..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_subject_dn_not_printable_characters.go
+++ /dev/null
@@ -1,73 +0,0 @@ -/* - * ZLint Copyright 2017 Regents of the University of Michigan - * - * Licensed under the Apache License, Version 2.0 (the "License"); you may not - * use this file except in compliance with the License. You may obtain a copy - * of the License at http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or - * implied. See the License for the specific language governing - * permissions and limitations under the License. - */ - -package lints - -import ( - "encoding/asn1" - "unicode/utf8" - - "github.com/zmap/zcrypto/x509" - "github.com/zmap/zlint/util" -) - -type subjectDNNotPrintableCharacters struct{} - -func (l *subjectDNNotPrintableCharacters) Initialize() error { - return nil -} - -func (l *subjectDNNotPrintableCharacters) CheckApplies(c *x509.Certificate) bool { - return true -} - -func (l *subjectDNNotPrintableCharacters) Execute(c *x509.Certificate) *LintResult { - rdnSequence := util.RawRDNSequence{} - rest, err := asn1.Unmarshal(c.RawSubject, &rdnSequence) - if err != nil { - return &LintResult{Status: Fatal} - } - if len(rest) > 0 { - return &LintResult{Status: Fatal} - } - - for _, attrTypeAndValueSet := range rdnSequence { - for _, attrTypeAndValue := range attrTypeAndValueSet { - bytes := attrTypeAndValue.Value.Bytes - for len(bytes) > 0 { - r, size := utf8.DecodeRune(bytes) - if r < 0x20 { - return &LintResult{Status: Error} - } - if r >= 0x7F && r <= 0x9F { - return &LintResult{Status: Error} - } - bytes = bytes[size:] - } - } - } - - return &LintResult{Status: Pass} -} - -func init() { - RegisterLint(&Lint{ - Name: "e_subject_dn_not_printable_characters", - Description: "X520 Subject fields MUST only contain printable control characters", - Citation: "RFC 5280: Appendix A", - Source: RFC5280, - EffectiveDate: util.ZeroDate, - Lint: 
&subjectDNNotPrintableCharacters{}, - }) -} diff --git a/vendor/github.com/zmap/zlint/lints/lint_subject_dn_serial_number_max_length.go b/vendor/github.com/zmap/zlint/lints/lint_subject_dn_serial_number_max_length.go deleted file mode 100644 index d783d53f9..000000000 --- a/vendor/github.com/zmap/zlint/lints/lint_subject_dn_serial_number_max_length.go +++ /dev/null @@ -1,50 +0,0 @@ -package lints - -/* - * ZLint Copyright 2018 Regents of the University of Michigan - * - * Licensed under the Apache License, Version 2.0 (the "License"); you may not - * use this file except in compliance with the License. You may obtain a copy - * of the License at http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or - * implied. See the License for the specific language governing - * permissions and limitations under the License. - */ - -import ( - "unicode/utf8" - - "github.com/zmap/zcrypto/x509" - "github.com/zmap/zlint/util" -) - -type SubjectDNSerialNumberMaxLength struct{} - -func (l *SubjectDNSerialNumberMaxLength) Initialize() error { - return nil -} - -func (l *SubjectDNSerialNumberMaxLength) CheckApplies(c *x509.Certificate) bool { - return len(c.Subject.SerialNumber) > 0 -} - -func (l *SubjectDNSerialNumberMaxLength) Execute(c *x509.Certificate) *LintResult { - if utf8.RuneCountInString(c.Subject.SerialNumber) > 64 { - return &LintResult{Status: Error} - } - return &LintResult{Status: Pass} -} - -func init() { - RegisterLint(&Lint{ - Name: "e_subject_dn_serial_number_max_length", - Description: "The 'Serial Number' field of the subject MUST be less than 64 characters", - Citation: "RFC 5280: Appendix A", - Source: RFC5280, - EffectiveDate: util.ZeroDate, - Lint: &SubjectDNSerialNumberMaxLength{}, - }) -} 
diff --git a/vendor/github.com/zmap/zlint/lints/lint_subject_dn_serial_number_not_printable_string.go b/vendor/github.com/zmap/zlint/lints/lint_subject_dn_serial_number_not_printable_string.go
deleted file mode 100644
index 8db9ed08c..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_subject_dn_serial_number_not_printable_string.go
+++ /dev/null
@@ -1,64 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-import (
- "encoding/asn1"
-
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type SubjectDNSerialNumberNotPrintableString struct{}
-
-func (l *SubjectDNSerialNumberNotPrintableString) Initialize() error {
- return nil
-}
-
-func (l *SubjectDNSerialNumberNotPrintableString) CheckApplies(c *x509.Certificate) bool {
- return len(c.Subject.SerialNumber) > 0
-}
-
-func (l *SubjectDNSerialNumberNotPrintableString) Execute(c *x509.Certificate) *LintResult {
- rdnSequence := util.RawRDNSequence{}
- rest, err := asn1.Unmarshal(c.RawSubject, &rdnSequence)
- if err != nil {
- return &LintResult{Status: Fatal}
- }
- if len(rest) > 0 {
- return &LintResult{Status: Fatal}
- }
-
- for _, attrTypeAndValueSet := range rdnSequence {
- for _, attrTypeAndValue := range attrTypeAndValueSet {
- if attrTypeAndValue.Type.Equal(util.SerialOID) && attrTypeAndValue.Value.Tag != asn1.TagPrintableString {
- return &LintResult{Status: Error}
- }
- }
- }
-
- return &LintResult{Status: Pass}
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_subject_dn_serial_number_not_printable_string",
- Description: "X520 Distinguished Name SerialNumber MUST be encoded as PrintableString",
- Citation: "RFC 5280: Appendix A",
- Source: RFC5280,
- EffectiveDate: util.ZeroDate,
- Lint: &SubjectDNSerialNumberNotPrintableString{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_subject_dn_trailing_whitespace.go b/vendor/github.com/zmap/zlint/lints/lint_subject_dn_trailing_whitespace.go
deleted file mode 100644
index fbb763842..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_subject_dn_trailing_whitespace.go
+++ /dev/null
@@ -1,52 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-import (
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type SubjectDNTrailingSpace struct{}
-
-func (l *SubjectDNTrailingSpace) Initialize() error {
- return nil
-}
-
-func (l *SubjectDNTrailingSpace) CheckApplies(c *x509.Certificate) bool {
- return true
-}
-
-func (l *SubjectDNTrailingSpace) Execute(c *x509.Certificate) *LintResult {
- _, trailing, err := util.CheckRDNSequenceWhiteSpace(c.RawSubject)
- if err != nil {
- return &LintResult{Status: Fatal}
- }
- if trailing {
- return &LintResult{Status: Warn}
- }
- return &LintResult{Status: Pass}
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "w_subject_dn_trailing_whitespace",
- Description: "AttributeValue in subject RelativeDistinguishedName sequence SHOULD NOT have trailing whitespace",
- Citation: "AWSLabs certlint",
- Source: AWSLabs,
- EffectiveDate: util.ZeroDate,
- Lint: &SubjectDNTrailingSpace{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_subject_email_max_length.go b/vendor/github.com/zmap/zlint/lints/lint_subject_email_max_length.go
deleted file mode 100644
index 0c138e059..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_subject_email_max_length.go
+++ /dev/null
@@ -1,67 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-/************************************************
-RFC 5280: A.1
- * In this Appendix, there is a list of upperbounds
- for fields in a x509 Certificate. *
- ub-emailaddress-length INTEGER ::= 128
-
-The ASN.1 modules in Appendix A are unchanged from RFC 3280, except
-that ub-emailaddress-length was changed from 128 to 255 in order to
-align with PKCS #9 [RFC2985].
-
-ub-emailaddress-length INTEGER ::= 255
-
-************************************************/
-
-import (
- "unicode/utf8"
-
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type subjectEmailMaxLength struct{}
-
-func (l *subjectEmailMaxLength) Initialize() error {
- return nil
-}
-
-func (l *subjectEmailMaxLength) CheckApplies(c *x509.Certificate) bool {
- return true
-}
-
-func (l *subjectEmailMaxLength) Execute(c *x509.Certificate) *LintResult {
- for _, j := range c.Subject.EmailAddress {
- if utf8.RuneCountInString(j) > 255 {
- return &LintResult{Status: Error}
- }
- }
-
- return &LintResult{Status: Pass}
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_subject_email_max_length",
- Description: "The 'Email' field of the subject MUST be less than 255 characters",
- Citation: "RFC 5280: A.1",
- Source: RFC5280,
- EffectiveDate: util.RFC2459Date,
- Lint: &subjectEmailMaxLength{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_subject_empty_without_san.go b/vendor/github.com/zmap/zlint/lints/lint_subject_empty_without_san.go
deleted file mode 100644
index 4bc30ad46..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_subject_empty_without_san.go
+++ /dev/null
@@ -1,69 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-/*************************************************************************
-RFC 5280: 4.2 & 4.2.1.6
-Further, if the only subject identity included in the certificate is
-an alternative name form (e.g., an electronic mail address), then the
-subject distinguished name MUST be empty (an empty sequence), and the
-subjectAltName extension MUST be present. If the subject field
-contains an empty sequence, then the issuing CA MUST include a
-subjectAltName extension that is marked as critical. When including
-the subjectAltName extension in a certificate that has a non-empty
-subject distinguished name, conforming CAs SHOULD mark the
-subjectAltName extension as non-critical.
-*************************************************************************/
-
-import (
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type emptyWithoutSAN struct{}
-
-func (l *emptyWithoutSAN) Initialize() error {
- return nil
-}
-
-func (l *emptyWithoutSAN) CheckApplies(cert *x509.Certificate) bool {
- return true
-}
-
-func (l *emptyWithoutSAN) Execute(cert *x509.Certificate) *LintResult {
- if subjectIsEmpty(cert) && !util.IsExtInCert(cert, util.SubjectAlternateNameOID) {
- return &LintResult{Status: Error}
- } else {
- return &LintResult{Status: Pass}
- }
-}
-
-func subjectIsEmpty(cert *x509.Certificate) bool {
- if cert.Subject.Names == nil {
- return true
- }
- return false
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_subject_empty_without_san",
- Description: "CAs MUST support subject alternative name if the subject field is an empty sequence",
- Citation: "RFC 5280: 4.2 & 4.2.1.6",
- Source: RFC5280,
- EffectiveDate: util.RFC2459Date,
- Lint: &emptyWithoutSAN{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_subject_given_name_max_length.go b/vendor/github.com/zmap/zlint/lints/lint_subject_given_name_max_length.go
deleted file mode 100644
index fcfcfcc9e..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_subject_given_name_max_length.go
+++ /dev/null
@@ -1,61 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-/************************************************
-RFC 5280: A.1
- * In this Appendix, there is a list of upperbounds
- for fields in a x509 Certificate. *
- ub-given-name-length INTEGER ::= 16
-
-************************************************/
-
-import (
- "unicode/utf8"
-
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type subjectGivenNameMaxLength struct{}
-
-func (l *subjectGivenNameMaxLength) Initialize() error {
- return nil
-}
-
-func (l *subjectGivenNameMaxLength) CheckApplies(c *x509.Certificate) bool {
- return true
-}
-
-func (l *subjectGivenNameMaxLength) Execute(c *x509.Certificate) *LintResult {
- for _, j := range c.Subject.GivenName {
- if utf8.RuneCountInString(j) > 16 {
- return &LintResult{Status: Error}
- }
- }
-
- return &LintResult{Status: Pass}
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_subject_given_name_max_length",
- Description: "The 'GivenName' field of the subject MUST be less than 17 characters",
- Citation: "RFC 5280: A.1",
- Source: RFC5280,
- EffectiveDate: util.RFC2459Date,
- Lint: &subjectGivenNameMaxLength{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_subject_info_access_marked_critical.go b/vendor/github.com/zmap/zlint/lints/lint_subject_info_access_marked_critical.go
deleted file mode 100644
index 784aec3b6..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_subject_info_access_marked_critical.go
+++ /dev/null
@@ -1,53 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-/************************************************
-The subject information access extension indicates how to access information and services for the subject of the certificate in which the extension appears. When the subject is a CA, information and services may include certificate validation services and CA policy data. When the subject is an end entity, the information describes the type of services offered and how to access them. In this case, the contents of this extension are defined in the protocol specifications for the supported services. This extension may be included in end entity or CA certificates. Conforming CAs MUST mark this extension as non-critical.
-************************************************/
-
-import (
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type siaCrit struct{}
-
-func (l *siaCrit) Initialize() error {
- return nil
-}
-
-func (l *siaCrit) CheckApplies(c *x509.Certificate) bool {
- return util.IsExtInCert(c, util.SubjectInfoAccessOID)
-}
-
-func (l *siaCrit) Execute(c *x509.Certificate) *LintResult {
- sia := util.GetExtFromCert(c, util.SubjectInfoAccessOID)
- if sia.Critical {
- return &LintResult{Status: Error}
- }
- return &LintResult{Status: Pass}
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_subject_info_access_marked_critical",
- Description: "Conforming CAs MUST mark the Subject Info Access extension as non-critical",
- Citation: "RFC 5280: 4.2.2.2",
- Source: RFC5280,
- EffectiveDate: util.RFC3280Date,
- Lint: &siaCrit{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_subject_locality_name_max_length.go b/vendor/github.com/zmap/zlint/lints/lint_subject_locality_name_max_length.go
deleted file mode 100644
index e9fd9c4a3..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_subject_locality_name_max_length.go
+++ /dev/null
@@ -1,60 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-/************************************************
-RFC 5280: A.1
- * In this Appendix, there is a list of upperbounds
- for fields in a x509 Certificate. *
- ub-locality-name INTEGER ::= 128
-************************************************/
-
-import (
- "unicode/utf8"
-
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type subjectLocalityNameMaxLength struct{}
-
-func (l *subjectLocalityNameMaxLength) Initialize() error {
- return nil
-}
-
-func (l *subjectLocalityNameMaxLength) CheckApplies(c *x509.Certificate) bool {
- return true
-}
-
-func (l *subjectLocalityNameMaxLength) Execute(c *x509.Certificate) *LintResult {
- for _, j := range c.Subject.Locality {
- if utf8.RuneCountInString(j) > 128 {
- return &LintResult{Status: Error}
- }
- }
-
- return &LintResult{Status: Pass}
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_subject_locality_name_max_length",
- Description: "The 'Locality Name' field of the subject MUST be less than 128 characters",
- Citation: "RFC 5280: A.1",
- Source: RFC5280,
- EffectiveDate: util.RFC2459Date,
- Lint: &subjectLocalityNameMaxLength{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_subject_multiple_rdn.go b/vendor/github.com/zmap/zlint/lints/lint_subject_multiple_rdn.go
deleted file mode 100644
index bf02aba87..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_subject_multiple_rdn.go
+++ /dev/null
@@ -1,57 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-import (
- "encoding/asn1"
-
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zcrypto/x509/pkix"
- "github.com/zmap/zlint/util"
-)
-
-type SubjectRDNHasMultipleAttribute struct{}
-
-func (l *SubjectRDNHasMultipleAttribute) Initialize() error {
- return nil
-}
-
-func (l *SubjectRDNHasMultipleAttribute) CheckApplies(c *x509.Certificate) bool {
- return true
-}
-
-func (l *SubjectRDNHasMultipleAttribute) Execute(c *x509.Certificate) *LintResult {
- var subject pkix.RDNSequence
- if _, err := asn1.Unmarshal(c.RawSubject, &subject); err != nil {
- return &LintResult{Status: Fatal}
- }
- for _, rdn := range subject {
- if len(rdn) > 1 {
- return &LintResult{Status: Notice}
- }
- }
- return &LintResult{Status: Pass}
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "n_multiple_subject_rdn",
- Description: "Certificates typically do not have have multiple attributes in a single RDN (subject). This may be an error.",
- Citation: "AWSLabs certlint",
- Source: AWSLabs,
- EffectiveDate: util.ZeroDate,
- Lint: &SubjectRDNHasMultipleAttribute{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_subject_not_dn.go b/vendor/github.com/zmap/zlint/lints/lint_subject_not_dn.go
deleted file mode 100644
index e775a4fab..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_subject_not_dn.go
+++ /dev/null
@@ -1,60 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-/*************************************************************************
- RFC 5280: 4.1.2.6
- Where it is non-empty, the subject field MUST contain an X.500
- distinguished name (DN). The DN MUST be unique for each subject
- entity certified by the one CA as defined by the issuer name field. A
- CA may issue more than one certificate with the same DN to the same
- subject entity.
-*************************************************************************/
-
-import (
- "reflect"
-
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zcrypto/x509/pkix"
- "github.com/zmap/zlint/util"
-)
-
-type subjectDN struct{}
-
-func (l *subjectDN) Initialize() error {
- return nil
-}
-
-func (l *subjectDN) CheckApplies(c *x509.Certificate) bool {
- return true
-}
-
-func (l *subjectDN) Execute(c *x509.Certificate) *LintResult {
- if reflect.TypeOf(c.Subject) != reflect.TypeOf(*(new(pkix.Name))) {
- return &LintResult{Status: Error}
- }
- return &LintResult{Status: Pass}
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_subject_not_dn",
- Description: "When not empty, the subject field MUST be a distinguished name",
- Citation: "RFC 5280: 4.1.2.6",
- Source: RFC5280,
- EffectiveDate: util.RFC2459Date,
- Lint: &subjectDN{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_subject_organization_name_max_length.go b/vendor/github.com/zmap/zlint/lints/lint_subject_organization_name_max_length.go
deleted file mode 100644
index b6cb2e2a4..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_subject_organization_name_max_length.go
+++ /dev/null
@@ -1,60 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-/************************************************
-RFC 5280: A.1
- * In this Appendix, there is a list of upperbounds
- for fields in a x509 Certificate. *
- ub-organization-name INTEGER ::= 64
-************************************************/
-
-import (
- "unicode/utf8"
-
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type subjectOrganizationNameMaxLength struct{}
-
-func (l *subjectOrganizationNameMaxLength) Initialize() error {
- return nil
-}
-
-func (l *subjectOrganizationNameMaxLength) CheckApplies(c *x509.Certificate) bool {
- return true
-}
-
-func (l *subjectOrganizationNameMaxLength) Execute(c *x509.Certificate) *LintResult {
- for _, j := range c.Subject.Organization {
- if utf8.RuneCountInString(j) > 64 {
- return &LintResult{Status: Error}
- }
- }
-
- return &LintResult{Status: Pass}
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_subject_organization_name_max_length",
- Description: "The 'Organization Name' field of the subject MUST be less than 64 characters",
- Citation: "RFC 5280: A.1",
- Source: RFC5280,
- EffectiveDate: util.RFC2459Date,
- Lint: &subjectOrganizationNameMaxLength{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_subject_organizational_unit_name_max_length.go b/vendor/github.com/zmap/zlint/lints/lint_subject_organizational_unit_name_max_length.go
deleted file mode 100644
index fd4bc0f12..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_subject_organizational_unit_name_max_length.go
+++ /dev/null
@@ -1,60 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-/************************************************
-RFC 5280: A.1
- * In this Appendix, there is a list of upperbounds
- for fields in a x509 Certificate. *
- ub-organizational-unit-name INTEGER ::= 64
-************************************************/
-
-import (
- "unicode/utf8"
-
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type subjectOrganizationalUnitNameMaxLength struct{}
-
-func (l *subjectOrganizationalUnitNameMaxLength) Initialize() error {
- return nil
-}
-
-func (l *subjectOrganizationalUnitNameMaxLength) CheckApplies(c *x509.Certificate) bool {
- return true
-}
-
-func (l *subjectOrganizationalUnitNameMaxLength) Execute(c *x509.Certificate) *LintResult {
- for _, j := range c.Subject.OrganizationalUnit {
- if utf8.RuneCountInString(j) > 64 {
- return &LintResult{Status: Error}
- }
- }
-
- return &LintResult{Status: Pass}
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_subject_organizational_unit_name_max_length",
- Description: "The 'Organizational Unit Name' field of the subject MUST be less than 64 characters",
- Citation: "RFC 5280: A.1",
- Source: RFC5280,
- EffectiveDate: util.RFC2459Date,
- Lint: &subjectOrganizationalUnitNameMaxLength{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_subject_postal_code_max_length.go b/vendor/github.com/zmap/zlint/lints/lint_subject_postal_code_max_length.go
deleted file mode 100644
index 749ccc4d9..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_subject_postal_code_max_length.go
+++ /dev/null
@@ -1,61 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-/************************************************
-RFC 5280: A.1
- * In this Appendix, there is a list of upperbounds
- for fields in a x509 Certificate. *
- ub-postal-code-length INTEGER ::= 16
-
-************************************************/
-
-import (
- "unicode/utf8"
-
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type subjectPostalCodeMaxLength struct{}
-
-func (l *subjectPostalCodeMaxLength) Initialize() error {
- return nil
-}
-
-func (l *subjectPostalCodeMaxLength) CheckApplies(c *x509.Certificate) bool {
- return true
-}
-
-func (l *subjectPostalCodeMaxLength) Execute(c *x509.Certificate) *LintResult {
- for _, j := range c.Subject.PostalCode {
- if utf8.RuneCountInString(j) > 16 {
- return &LintResult{Status: Error}
- }
- }
-
- return &LintResult{Status: Pass}
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_subject_postal_code_max_length",
- Description: "The 'PostalCode' field of the subject MUST be less than 17 characters",
- Citation: "RFC 5280: A.1",
- Source: RFC5280,
- EffectiveDate: util.RFC2459Date,
- Lint: &subjectPostalCodeMaxLength{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_subject_printable_string_badalpha.go b/vendor/github.com/zmap/zlint/lints/lint_subject_printable_string_badalpha.go
deleted file mode 100644
index 764e69509..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_subject_printable_string_badalpha.go
+++ /dev/null
@@ -1,108 +0,0 @@
-/*
- * ZLint Copyright 2019 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-package lints
-
-import (
- "encoding/asn1"
- "errors"
- "fmt"
- "regexp"
-
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-var (
- // Per RFC 5280, Appendix B. ASN.1 Notes:
- // The character string type PrintableString supports a very basic Latin
- // character set: the lowercase letters 'a' through 'z', uppercase
- // letters 'A' through 'Z', the digits '0' through '9', eleven special
- // characters ' = ( ) + , - . / : ? and space.
- printableStringRegex = regexp.MustCompile(`^[a-zA-Z0-9\=\(\)\+,\-.\/:\? ']+$`)
-)
-
-// validatePrintableString returns an error if the provided encoded printable
-// string doesn't adhere to the character set defined in RFC 5280.
-func validatePrintableString(rawPS []byte) error {
- if !printableStringRegex.Match(rawPS) {
- return errors.New("encoded PrintableString contained illegal characters")
- }
- return nil
-}
-
-type subjectPrintableStringBadAlpha struct {
-}
-
-func (l *subjectPrintableStringBadAlpha) Initialize() error {
- return nil
-}
-
-// CheckApplies returns true for any certificate with a non-empty RawSubject.
-func (l *subjectPrintableStringBadAlpha) CheckApplies(c *x509.Certificate) bool {
- return len(c.RawSubject) > 0
-}
-
-// Execute checks the certificate's RawSubject to ensure that any
-// PrintableString attribute/value pairs in the Subject match the character set
-// defined for this type in RFC 5280. An Error level LintResult is returned if any
-// of the PrintableString attributes do not match a regular expression for the
-// allowed character set.
-func (l *subjectPrintableStringBadAlpha) Execute(c *x509.Certificate) *LintResult {
- rdnSequence := util.RawRDNSequence{}
- rest, err := asn1.Unmarshal(c.RawSubject, &rdnSequence)
- if err != nil {
- return &LintResult{
- Status: Fatal,
- Details: "Failed to Unmarshal RawSubject into RawRDNSequence",
- }
- }
- if len(rest) > 0 {
- return &LintResult{
- Status: Fatal,
- Details: "Trailing data after RawSubject RawRDNSequence",
- }
- }
-
- for _, attrTypeAndValueSet := range rdnSequence {
- for _, attrTypeAndValue := range attrTypeAndValueSet {
- // If the attribute type is a PrintableString the bytes of the attribute
- // value must match the printable string alphabet.
- if attrTypeAndValue.Value.Tag == asn1.TagPrintableString {
- if err := validatePrintableString(attrTypeAndValue.Value.Bytes); err != nil {
- return &LintResult{
- Status: Error,
- Details: fmt.Sprintf("RawSubject attr oid %s %s",
- attrTypeAndValue.Type, err.Error()),
- }
- }
- }
- }
- }
-
- return &LintResult{
- Status: Pass,
- }
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_subject_printable_string_badalpha",
- Description: "PrintableString type's alphabet only includes a-z, A-Z, 0-9, and 11 special characters",
- Citation: "RFC 5280: Appendix B. ASN.1 Notes",
- Source: RFC5280,
- EffectiveDate: util.RFC2459Date,
- Lint: &subjectPrintableStringBadAlpha{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_subject_state_name_max_length.go b/vendor/github.com/zmap/zlint/lints/lint_subject_state_name_max_length.go
deleted file mode 100644
index fa841e81c..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_subject_state_name_max_length.go
+++ /dev/null
@@ -1,60 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-/************************************************
-RFC 5280: A.1
- * In this Appendix, there is a list of upperbounds
- for fields in a x509 Certificate. *
- ub-state-name INTEGER ::= 128
-************************************************/
-
-import (
- "unicode/utf8"
-
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type subjectStateNameMaxLength struct{}
-
-func (l *subjectStateNameMaxLength) Initialize() error {
- return nil
-}
-
-func (l *subjectStateNameMaxLength) CheckApplies(c *x509.Certificate) bool {
- return true
-}
-
-func (l *subjectStateNameMaxLength) Execute(c *x509.Certificate) *LintResult {
- for _, j := range c.Subject.Province {
- if utf8.RuneCountInString(j) > 128 {
- return &LintResult{Status: Error}
- }
- }
-
- return &LintResult{Status: Pass}
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_subject_state_name_max_length",
- Description: "The 'State Name' field of the subject MUST be less than 128 characters",
- Citation: "RFC 5280: A.1",
- Source: RFC5280,
- EffectiveDate: util.RFC2459Date,
- Lint: &subjectStateNameMaxLength{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_subject_street_address_max_length.go b/vendor/github.com/zmap/zlint/lints/lint_subject_street_address_max_length.go
deleted file mode 100644
index 463fb23c8..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_subject_street_address_max_length.go
+++ /dev/null
@@ -1,59 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-/************************************************
-ITU-T X.520 (02/2001) UpperBounds
-ub-street-address INTEGER ::= 128
-
-************************************************/
-
-import (
- "unicode/utf8"
-
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type subjectStreetAddressMaxLength struct{}
-
-func (l *subjectStreetAddressMaxLength) Initialize() error {
- return nil
-}
-
-func (l *subjectStreetAddressMaxLength) CheckApplies(c *x509.Certificate) bool {
- return true
-}
-
-func (l *subjectStreetAddressMaxLength) Execute(c *x509.Certificate) *LintResult {
- for _, j := range c.Subject.StreetAddress {
- if utf8.RuneCountInString(j) > 128 {
- return &LintResult{Status: Error}
- }
- }
-
- return &LintResult{Status: Pass}
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_subject_street_address_max_length",
- Description: "The 'StreetAddress' field of the subject MUST be less than 129 characters",
- Citation: "ITU-T X.520 (02/2001) UpperBounds",
- Source: RFC5280,
- EffectiveDate: util.RFC2459Date,
- Lint: &subjectStreetAddressMaxLength{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_subject_surname_max_length.go b/vendor/github.com/zmap/zlint/lints/lint_subject_surname_max_length.go
deleted file mode 100644
index d0593f5d5..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_subject_surname_max_length.go
+++ /dev/null
@@ -1,61 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-/************************************************
-RFC 5280: A.1
- * In this Appendix, there is a list of upperbounds
- for fields in a x509 Certificate. *
- ub-surname-length INTEGER ::= 40
-
-************************************************/
-
-import (
- "unicode/utf8"
-
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type subjectSurnameMaxLength struct{}
-
-func (l *subjectSurnameMaxLength) Initialize() error {
- return nil
-}
-
-func (l *subjectSurnameMaxLength) CheckApplies(c *x509.Certificate) bool {
- return true
-}
-
-func (l *subjectSurnameMaxLength) Execute(c *x509.Certificate) *LintResult {
- for _, j := range c.Subject.Surname {
- if utf8.RuneCountInString(j) > 40 {
- return &LintResult{Status: Error}
- }
- }
-
- return &LintResult{Status: Pass}
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_subject_surname_max_length",
- Description: "The 'Surname' field of the subject MUST be less than 41 characters",
- Citation: "RFC 5280: A.1",
- Source: RFC5280,
- EffectiveDate: util.RFC2459Date,
- Lint: &subjectSurnameMaxLength{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_tbs_signature_rsa_encryption_parameter_not_null.go b/vendor/github.com/zmap/zlint/lints/lint_tbs_signature_rsa_encryption_parameter_not_null.go
deleted file mode 100644
index f29dae380..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_tbs_signature_rsa_encryption_parameter_not_null.go
+++ /dev/null
@@ -1,81 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2019 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-/*******************************************************************************************************
-"RFC5280: RFC 4055, Section 5"
-RSA: Encoded algorithm identifier MUST have NULL parameters.
-*******************************************************************************************************/
-
-import (
- "fmt"
-
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
- "golang.org/x/crypto/cryptobyte"
- cryptobyte_asn1 "golang.org/x/crypto/cryptobyte/asn1"
-)
-
-type rsaTBSSignatureEncryptionParamNotNULL struct{}
-
-func (l *rsaTBSSignatureEncryptionParamNotNULL) Initialize() error {
- return nil
-}
-
-func (l *rsaTBSSignatureEncryptionParamNotNULL) CheckApplies(c *x509.Certificate) bool {
- _, ok := util.RSAAlgorithmIDToDER[c.SignatureAlgorithmOID.String()]
- return ok
-}
-
-func (l *rsaTBSSignatureEncryptionParamNotNULL) Execute(c *x509.Certificate) *LintResult {
- input := cryptobyte.String(c.RawTBSCertificate)
-
- var tbsCert cryptobyte.String
- if !input.ReadASN1(&tbsCert, cryptobyte_asn1.SEQUENCE) {
- return &LintResult{Status: Fatal, Details: "error reading tbsCertificate"}
- }
-
- if !tbsCert.SkipOptionalASN1(cryptobyte_asn1.Tag(0).Constructed().ContextSpecific()) {
- return &LintResult{Status: Fatal, Details: "error reading tbsCertificate.version"}
- }
-
- if !tbsCert.SkipASN1(cryptobyte_asn1.INTEGER) {
- return &LintResult{Status: Fatal, Details: "error reading tbsCertificate.serialNumber"}
- }
-
- var signatureAlgoID cryptobyte.String
- var tag cryptobyte_asn1.Tag
- // use ReadAnyElement to preserve tag and length octets
- if !tbsCert.ReadAnyASN1Element(&signatureAlgoID, &tag) {
- return &LintResult{Status: Fatal, Details: "error reading tbsCertificate.signature"}
- }
-
- if err := util.CheckAlgorithmIDParamNotNULL(signatureAlgoID, c.SignatureAlgorithmOID); err != nil {
- return &LintResult{Status: Error, Details: fmt.Sprintf("certificate tbsCertificate.signature %s", err.Error())}
- }
-
- return &LintResult{Status: Pass}
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_tbs_signature_rsa_encryption_parameter_not_null",
- Description: "RSA: Encoded signature algorithm identifier MUST have NULL parameters",
- Citation: "RFC 4055, Section 5",
- Source: RFC5280, // RFC4055 is referenced in RFC5280, Section 1
- EffectiveDate: util.RFC5280Date,
- Lint: &rsaTBSSignatureEncryptionParamNotNULL{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_utc_time_does_not_include_seconds.go b/vendor/github.com/zmap/zlint/lints/lint_utc_time_does_not_include_seconds.go
deleted file mode 100644
index 49ed6371e..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_utc_time_does_not_include_seconds.go
+++ /dev/null
@@ -1,82 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-/************************************************************************
-4.1.2.5.1. UTCTime
-The universal time type, UTCTime, is a standard ASN.1 type intended
-for representation of dates and time. UTCTime specifies the year
-through the two low-order digits and time is specified to the
-precision of one minute or one second. UTCTime includes either Z
-(for Zulu, or Greenwich Mean Time) or a time differential.
-For the purposes of this profile, UTCTime values MUST be expressed in
-Greenwich Mean Time (Zulu) and MUST include seconds (i.e., times are
-YYMMDDHHMMSSZ), even where the number of seconds is zero. Conforming
-systems MUST interpret the year field (YY) as follows:
-
- Where YY is greater than or equal to 50, the year SHALL be
- interpreted as 19YY; and
-
- Where YY is less than 50, the year SHALL be interpreted as 20YY.
-************************************************************************/
-
-import (
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type utcNoSecond struct {
-}
-
-func (l *utcNoSecond) Initialize() error {
- return nil
-}
-
-func (l *utcNoSecond) CheckApplies(c *x509.Certificate) bool {
- firstDate, secondDate := util.GetTimes(c)
- beforeTag, afterTag := util.FindTimeType(firstDate, secondDate)
- date1Utc := beforeTag == 23
- date2Utc := afterTag == 23
- return date1Utc || date2Utc
-}
-
-func (l *utcNoSecond) Execute(c *x509.Certificate) *LintResult {
- date1, date2 := util.GetTimes(c)
- beforeTag, afterTag := util.FindTimeType(date1, date2)
- date1Utc := beforeTag == 23
- date2Utc := afterTag == 23
- if date1Utc {
- if len(date1.Bytes) != 13 && len(date1.Bytes) != 17 {
- return &LintResult{Status: Error}
- }
- }
- if date2Utc {
- if len(date2.Bytes) != 13 && len(date2.Bytes) != 17 {
- return &LintResult{Status: Error}
- }
- }
- return &LintResult{Status: Pass}
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_utc_time_does_not_include_seconds",
- Description: "UTCTime values MUST include seconds",
- Citation: "RFC 5280: 4.1.2.5.1",
- Source: RFC5280,
- EffectiveDate: util.RFC2459Date,
- Lint: &utcNoSecond{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_utc_time_not_in_zulu.go b/vendor/github.com/zmap/zlint/lints/lint_utc_time_not_in_zulu.go
deleted file mode 100644
index 43d6b9934..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_utc_time_not_in_zulu.go
+++ /dev/null
@@ -1,97 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-/***********************************************************************
-4.1.2.5.1. UTCTime
- The universal time type, UTCTime, is a standard ASN.1 type intended
- for representation of dates and time. UTCTime specifies the year
- through the two low-order digits and time is specified to the
- precision of one minute or one second. UTCTime includes either Z
- (for Zulu, or Greenwich Mean Time) or a time differential.
-
- For the purposes of this profile, UTCTime values MUST be expressed in
- Greenwich Mean Time (Zulu) and MUST include seconds (i.e., times are
- YYMMDDHHMMSSZ), even where the number of seconds is zero. Conforming
- systems MUST interpret the year field (YY) as follows:
-
- Where YY is greater than or equal to 50, the year SHALL be
- interpreted as 19YY; and
-
- Where YY is less than 50, the year SHALL be interpreted as 20YY.
-***********************************************************************/
-
-import (
- "time"
-
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type utcTimeGMT struct {
-}
-
-func (l *utcTimeGMT) Initialize() error {
- return nil
-}
-
-func (l *utcTimeGMT) CheckApplies(c *x509.Certificate) bool {
- firstDate, secondDate := util.GetTimes(c)
- beforeTag, afterTag := util.FindTimeType(firstDate, secondDate)
- date1Utc := beforeTag == 23
- date2Utc := afterTag == 23
- return date1Utc || date2Utc
-}
-
-func (l *utcTimeGMT) Execute(c *x509.Certificate) *LintResult {
- var r LintStatus
- firstDate, secondDate := util.GetTimes(c)
- beforeTag, afterTag := util.FindTimeType(firstDate, secondDate)
- date1Utc := beforeTag == 23
- date2Utc := afterTag == 23
- if date1Utc {
- // UTC Tests on notBefore
- utcNotGmt(c.NotBefore, &r)
- }
- if date2Utc {
- // UTC Tests on NotAfter
- utcNotGmt(c.NotAfter, &r)
- }
- return &LintResult{Status: r}
-}
-
-func utcNotGmt(t time.Time, r *LintStatus) {
- // If we already ran this test and it resulted in error, don't want to discard that
- // And now we use the afterBool to make sure we test the right time
- if *r == Error {
- return
- }
- if t.Location() != time.UTC {
- *r = Error
- } else {
- *r = Pass
- }
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_utc_time_not_in_zulu",
- Description: "UTCTime values MUST be expressed in Greenwich Mean Time (Zulu)",
- Citation: "RFC 5280: 4.1.2.5.1",
- Source: RFC5280,
- EffectiveDate: util.RFC2459Date,
- Lint: &utcTimeGMT{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_validity_time_not_positive.go b/vendor/github.com/zmap/zlint/lints/lint_validity_time_not_positive.go
deleted file mode 100644
index b41de4ef0..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_validity_time_not_positive.go
+++ /dev/null
@@ -1,52 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-/************************************************
-Change this to match source TEXT
-************************************************/
-
-import (
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type validityNegative struct{}
-
-func (l *validityNegative) Initialize() error {
- return nil
-}
-
-func (l *validityNegative) CheckApplies(c *x509.Certificate) bool {
- return true
-}
-
-func (l *validityNegative) Execute(c *x509.Certificate) *LintResult {
- if c.NotBefore.After(c.NotAfter) {
- return &LintResult{Status: Error}
- }
- return &LintResult{Status: Pass}
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_validity_time_not_positive",
- Description: "Certificates MUST have a positive time for which they are valid",
- Citation: "AWSLabs certlint",
- Source: AWSLabs,
- EffectiveDate: util.ZeroDate,
- Lint: &validityNegative{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/lint_wrong_time_format_pre2050.go b/vendor/github.com/zmap/zlint/lints/lint_wrong_time_format_pre2050.go
deleted file mode 100644
index b56d33eab..000000000
--- a/vendor/github.com/zmap/zlint/lints/lint_wrong_time_format_pre2050.go
+++ /dev/null
@@ -1,85 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-/*********************************************************************
-CAs conforming to this profile MUST always encode certificate
-validity dates through the year 2049 as UTCTime; certificate validity
-dates in 2050 or later MUST be encoded as GeneralizedTime.
-Conforming applications MUST be able to process validity dates that
-are encoded in either UTCTime or GeneralizedTime.
-*********************************************************************/
-
-import (
- "encoding/asn1"
- "time"
-
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/util"
-)
-
-type generalizedPre2050 struct{}
-
-func (l *generalizedPre2050) Initialize() error {
- return nil
-}
-
-func (l *generalizedPre2050) CheckApplies(c *x509.Certificate) bool {
- return true
-}
-
-func (l *generalizedPre2050) Execute(c *x509.Certificate) *LintResult {
- date1, date2 := util.GetTimes(c)
- var t time.Time
- type1, type2 := util.FindTimeType(date1, date2)
- if type1 == 24 {
- temp, err := asn1.Marshal(date1)
- if err != nil {
- return &LintResult{Status: Fatal}
- }
- _, err = asn1.Unmarshal(temp, &t)
- if err != nil {
- return &LintResult{Status: Fatal}
- }
- if t.Before(util.GeneralizedDate) {
- return &LintResult{Status: Error}
- }
- }
- if type2 == 24 {
- temp, err := asn1.Marshal(date2)
- if err != nil {
- return &LintResult{Status: Fatal}
- }
- _, err = asn1.Unmarshal(temp, &t)
- if err != nil {
- return &LintResult{Status: Fatal}
- }
- if t.Before(util.GeneralizedDate) {
- return &LintResult{Status: Error}
- }
- }
- return &LintResult{Status: Pass}
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "e_wrong_time_format_pre2050",
- Description: "Certificates valid through the year 2049 MUST be encoded in UTC time",
- Citation: "RFC 5280: 4.1.2.5",
- Source: RFC5280,
- EffectiveDate: util.RFC2459Date,
- Lint: &generalizedPre2050{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/lints/result.go b/vendor/github.com/zmap/zlint/lints/result.go
deleted file mode 100644
index 6ea447c32..000000000
--- a/vendor/github.com/zmap/zlint/lints/result.go
+++ /dev/null
@@ -1,106 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2017 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-import (
- "encoding/json"
- "fmt"
- "strings"
-)
-
-// LintStatus is an enum returned by lints inside of a LintResult.
-type LintStatus int
-
-// Known LintStatus values
-const (
- // Unused / unset LintStatus
- Reserved LintStatus = 0
-
- // Not Applicable
- NA LintStatus = 1
-
- // Not Effective
- NE LintStatus = 2
-
- Pass LintStatus = 3
- Notice LintStatus = 4
- Warn LintStatus = 5
- Error LintStatus = 6
- Fatal LintStatus = 7
-)
-
-var (
- // statusLabelToLintStatus is used to work backwards from
- // a LintStatus.String() to the LintStatus. This is used by
- // LintStatus.Unmarshal.
- statusLabelToLintStatus = map[string]LintStatus{
- Reserved.String(): Reserved,
- NA.String(): NA,
- NE.String(): NE,
- Pass.String(): Pass,
- Notice.String(): Notice,
- Warn.String(): Warn,
- Error.String(): Error,
- Fatal.String(): Fatal,
- }
-)
-
-// LintResult contains a LintStatus, and an optional human-readable description.
-// The output of a lint is a LintResult.
-type LintResult struct {
- Status LintStatus `json:"result"`
- Details string `json:"details,omitempty"`
-}
-
-// MarshalJSON implements the json.Marshaler interface.
-func (e LintStatus) MarshalJSON() ([]byte, error) {
- s := e.String()
- return json.Marshal(s)
-}
-
-// UnmarshalJSON implements the json.Unmarshaler interface.
-func (e *LintStatus) UnmarshalJSON(data []byte) error {
- key := strings.ReplaceAll(string(data), `"`, "")
- if status, ok := statusLabelToLintStatus[key]; ok {
- *e = status
- } else {
- return fmt.Errorf("bad LintStatus JSON value: %s", string(data))
- }
- return nil
-}
-
-// String returns the canonical representation of a LintStatus as a string.
-func (e LintStatus) String() string {
- switch e {
- case Reserved:
- return "reserved"
- case NA:
- return "NA"
- case NE:
- return "NE"
- case Pass:
- return "pass"
- case Notice:
- return "info"
- case Warn:
- return "warn"
- case Error:
- return "error"
- case Fatal:
- return "fatal"
- default:
- return ""
- }
-}
diff --git a/vendor/github.com/zmap/zlint/lints/testingUtil.go b/vendor/github.com/zmap/zlint/lints/testingUtil.go
deleted file mode 100644
index 27da0bcb2..000000000
--- a/vendor/github.com/zmap/zlint/lints/testingUtil.go
+++ /dev/null
@@ -1,51 +0,0 @@
-package lints
-
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-// Contains resources necessary to the Unit Test Cases
-
-import (
- "encoding/pem"
- "fmt"
- "io/ioutil"
- "strings"
-
- "github.com/zmap/zcrypto/x509"
-)
-
-func ReadCertificate(inPath string) *x509.Certificate {
- // All of this can be encapsulated in a function
- data, err := ioutil.ReadFile(inPath)
- if err != nil {
- //read failure, die horribly here
- fmt.Println(err)
- panic("File read failed!")
- }
- var textData string = string(data)
- if strings.Contains(textData, "-BEGIN CERTIFICATE-") {
- block, _ := pem.Decode(data)
- if block == nil {
- panic("PEM decode failed!")
- }
- data = block.Bytes
- }
- theCert, err := x509.ParseCertificate(data)
- if err != nil {
- //die horribly here
- fmt.Println(err)
- return nil
- }
- return theCert
-}
diff --git a/vendor/github.com/zmap/zlint/makefile b/vendor/github.com/zmap/zlint/makefile
deleted file mode 100644
index 3e99060dc..000000000
--- a/vendor/github.com/zmap/zlint/makefile
+++ /dev/null
@@ -1,38 +0,0 @@ -SHELL := /bin/bash -# Number of linting Go routines to use in integration tests -PARALLELISM := 5 -# Additional integration test flags. Example usage: -# make integration PARALLELISM=99 INT_FLAGS="-fingerprintSummary -forceDownload" -# make integration INT_FLAGS="-overwriteExpected -config custom.config.json" -# make integration INT_FLAGS="-fingerprintSummary -lintSummary -fingerprintFilter='^[ea]' -lintFilter='^w_ext_cert_policy_explicit_text_not_utf8' -config small.config.json" -# make integration INT_FLAGS="-lintSummary -fingerprintSummary -lintFilter='^e_' -config small.config.json" -INT_FLAGS := - -CMDS = zlint zlint-gtld-update -CMD_PREFIX = ./cmd/ -GO_ENV = GO111MODULE="on" GOFLAGS="-mod=vendor" -BUILD = $(GO_ENV) go build -TEST = $(GO_ENV) GORACE=halt_on_error=1 go test -race -INT_TEST = $(GO_ENV) go test -v -tags integration -timeout 20m ./integration/... -parallelism $(PARALLELISM) $(INT_FLAGS) - -all: $(CMDS) - -zlint: - $(BUILD) $(CMD_PREFIX)$(@) - -zlint-gtld-update: - $(BUILD) $(CMD_PREFIX)$(@) - -clean: - rm -f $(CMDS) - -test: - $(TEST) ./... - -integration: - $(INT_TEST) - -format-check: - diff <(find . -name '*.go' -not -path './vendor/*' -print | xargs -n1 gofmt -l) <(printf "") - -.PHONY: clean zlint zlint-gtld-update test integration format-check diff --git a/vendor/github.com/zmap/zlint/newLint.sh b/vendor/github.com/zmap/zlint/newLint.sh deleted file mode 100644 index 5580d4f62..000000000 --- a/vendor/github.com/zmap/zlint/newLint.sh +++ /dev/null 
@@ -1,34 +0,0 @@ -# Script to create new lint from template - -USAGE="Usage: $0 - -ARG1: File_name/TestName (no 'lint_' prefix) -ARG2: Struct_name" - -if [ $# -eq 0 ]; then - echo "No arguments provided..." - echo "$USAGE" - exit 1 -fi - -if [ $# -eq 1 ]; then - echo "Not enough arguments provided..." - echo "$USAGE" - exit 1 -fi - -if [ -e lint_$1.go ] -then - echo "File already exists. Can't make new file." - exit 1 -fi - -FILENAME=$1 -TESTNAME=$2 - -cp template lints/lint_$FILENAME.go - -cat "lints/lint_$FILENAME.go" | sed "s/SUBST/$2/g" | sed "s/SUBTEST/$1/g" > temp.go -mv -f temp.go "lints/lint_$FILENAME.go" - -echo "Created file lint_$FILENAME.go with test name $TESTNAME" diff --git a/vendor/github.com/zmap/zlint/template b/vendor/github.com/zmap/zlint/template deleted file mode 100644 index 007f2f43b..000000000 --- a/vendor/github.com/zmap/zlint/template +++ /dev/null 
@@ -1,44 +0,0 @@
-/*
- * ZLint Copyright 2019 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-package lints
-
-import (
- "github.com/zmap/zcrypto/x509"
-)
-
-type SUBST struct{}
-
-func (l *SUBST) Initialize() error {
- return nil
-}
-
-func (l *SUBST) CheckApplies(c *x509.Certificate) bool {
- // Add conditions for application here
-}
-
-func (l *SUBST) Execute(c *x509.Certificate) *LintResult {
- // Add actual lint here
-}
-
-func init() {
- RegisterLint(&Lint{
- Name: "SUBTEST",
- Description: "Fill this in...",
- Citation: "Fill this in...",
- Source: UnknownLintSource,
- EffectiveDate: "Change this...",
- Lint: &SUBST{},
- })
-}
diff --git a/vendor/github.com/zmap/zlint/util/algorithm_identifier.go b/vendor/github.com/zmap/zlint/util/algorithm_identifier.go
deleted file mode 100644
index 921b2867b..000000000
--- a/vendor/github.com/zmap/zlint/util/algorithm_identifier.go
+++ /dev/null
@@ -1,86 +0,0 @@
-package util
-
-import (
- "bytes"
- "encoding/asn1"
- "errors"
- "fmt"
-
- "golang.org/x/crypto/cryptobyte"
- cryptobyte_asn1 "golang.org/x/crypto/cryptobyte/asn1"
-)
-
-// RSAAlgorithmIDToDER contains DER representations of pkix.AlgorithmIdentifier for different RSA OIDs with Parameters as asn1.NULL
-var RSAAlgorithmIDToDER = map[string][]byte{
- // rsaEncryption
- "1.2.840.113549.1.1.1": {0x30, 0x0d, 0x6, 0x9, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0xd, 0x1, 0x1, 0x1, 0x5, 0x0},
- // md2WithRSAEncryption
- "1.2.840.113549.1.1.2": {0x30, 0x0d, 0x6, 0x9, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0xd, 0x1, 0x1, 0x2, 0x5, 0x0},
- // md5WithRSAEncryption
- "1.2.840.113549.1.1.4": {0x30, 0x0d, 0x6, 0x9, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0xd, 0x1, 0x1, 0x4, 0x5, 0x0},
- // sha-1WithRSAEncryption
- "1.2.840.113549.1.1.5": {0x30, 0x0d, 0x6, 0x9, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0xd, 0x1, 0x1, 0x5, 0x5, 0x0},
- // sha224WithRSAEncryption
- "1.2.840.113549.1.1.14": {0x30, 0x0d, 0x6, 0x9, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0xd, 0x1, 0x1, 0xe, 0x5, 0x0},
- // sha256WithRSAEncryption
- "1.2.840.113549.1.1.11": {0x30, 0x0d, 0x6, 0x9, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0xd, 0x1, 0x1, 0xb, 0x5, 0x0},
- // sha384WithRSAEncryption
- "1.2.840.113549.1.1.12": {0x30, 0x0d, 0x6, 0x9, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0xd, 0x1, 0x1, 0xc, 0x5, 0x0},
- // sha512WithRSAEncryption
- "1.2.840.113549.1.1.13": {0x30, 0x0d, 0x6, 0x9, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0xd, 0x1, 0x1, 0xd, 0x5, 0x0},
-}
-
-// CheckAlgorithmIDParamNotNULL parses an AlgorithmIdentifier with algorithm OID rsaEncryption to check the Param field is asn1.NULL
-// Expects DER-encoded AlgorithmIdentifier including tag and length
-func CheckAlgorithmIDParamNotNULL(algorithmIdentifier []byte, requiredAlgoID asn1.ObjectIdentifier) error {
- expectedAlgoIDBytes, ok := RSAAlgorithmIDToDER[requiredAlgoID.String()]
- if !ok {
- return errors.New("error algorithmID to check is not RSA")
- }
-
- algorithmSequence := cryptobyte.String(algorithmIdentifier)
-
- // byte comparison of algorithm sequence and checking no trailing data is present
- var algorithmBytes []byte
- if algorithmSequence.ReadBytes(&algorithmBytes, len(expectedAlgoIDBytes)) {
- if bytes.Compare(algorithmBytes, expectedAlgoIDBytes) == 0 && algorithmSequence.Empty() {
- return nil
- }
- }
-
- // re-parse to get an error message detailing what did not match in the byte comparison
- algorithmSequence = cryptobyte.String(algorithmIdentifier)
- var algorithm cryptobyte.String
- if !algorithmSequence.ReadASN1(&algorithm, cryptobyte_asn1.SEQUENCE) {
- return errors.New("error reading algorithm")
- }
-
- encryptionOID := asn1.ObjectIdentifier{}
- if !algorithm.ReadASN1ObjectIdentifier(&encryptionOID) {
- return errors.New("error reading algorithm OID")
- }
-
- if !encryptionOID.Equal(requiredAlgoID) {
- return fmt.Errorf("algorithm OID is not equal to %s", requiredAlgoID.String())
- }
-
- if algorithm.Empty() {
- return errors.New("RSA algorithm identifier missing required NULL parameter")
- }
-
- var nullValue cryptobyte.String
- if !algorithm.ReadASN1(&nullValue, cryptobyte_asn1.NULL) {
- return errors.New("RSA algorithm identifier with non-NULL parameter")
- }
-
- if len(nullValue) != 0 {
- return errors.New("RSA algorithm identifier with NULL parameter containing data")
- }
-
- // ensure algorithm is empty and no trailing data is present
- if !algorithm.Empty() {
- return errors.New("RSA algorithm identifier with trailing data")
- }
-
- return errors.New("RSA algorithm appears correct, but didn't match byte-wise comparison")
-}
diff --git a/vendor/github.com/zmap/zlint/util/ca.go b/vendor/github.com/zmap/zlint/util/ca.go
deleted file mode 100644
index 5a29640e0..000000000
--- a/vendor/github.com/zmap/zlint/util/ca.go
+++ /dev/null
@@ -1,57 +0,0 @@
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-package util
-
-import (
- "github.com/zmap/zcrypto/x509"
-)
-
-// IsCACert returns true if c has IsCA set.
-func IsCACert(c *x509.Certificate) bool {
- return c.IsCA
-}
-
-// IsRootCA returns true if c has IsCA set and is also self-signed.
-func IsRootCA(c *x509.Certificate) bool {
- return IsCACert(c) && IsSelfSigned(c)
-}
-
-// IsSubCA returns true if c has IsCA set, but is not self-signed.
-func IsSubCA(c *x509.Certificate) bool {
- return IsCACert(c) && !IsSelfSigned(c)
-}
-
-// IsSelfSigned returns true if SelfSigned is set.
-func IsSelfSigned(c *x509.Certificate) bool {
- return c.SelfSigned
-}
-
-// IsSubscriberCert returns true for if a certificate is not a CA and not
-// self-signed.
-func IsSubscriberCert(c *x509.Certificate) bool {
- return !IsCACert(c) && !IsSelfSigned(c)
-}
-
-func IsServerAuthCert(cert *x509.Certificate) bool {
- if len(cert.ExtKeyUsage) == 0 {
- return true
- }
- for _, eku := range cert.ExtKeyUsage {
- if eku == x509.ExtKeyUsageAny || eku == x509.ExtKeyUsageServerAuth {
- return true
- }
- }
- return false
-}
diff --git a/vendor/github.com/zmap/zlint/util/countries.go b/vendor/github.com/zmap/zlint/util/countries.go
deleted file mode 100644
index fcc826cec..000000000
--- a/vendor/github.com/zmap/zlint/util/countries.go
+++ /dev/null
@@ -1,51 +0,0 @@
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-package util
-
-import "strings"
-
-var countries = map[string]bool{
- "AD": true, "AE": true, "AF": true, "AG": true, "AI": true, "AL": true, "AM": true, "AN": true, "AO": true, "AQ": true, "AR": true,
- "AS": true, "AT": true, "AU": true, "AW": true, "AX": true, "AZ": true, "BA": true, "BB": true, "BD": true, "BE": true, "BF": true, "BG": true,
- "BH": true, "BI": true, "BJ": true, "BL": true, "BM": true, "BN": true, "BO": true, "BQ": true, "BR": true, "BS": true, "BT": true, "BV": true,
- "BW": true, "BY": true, "BZ": true, "CA": true, "CC": true, "CD": true, "CF": true, "CG": true, "CH": true, "CI": true, "CK": true, "CL": true,
- "CM": true, "CN": true, "CO": true, "CR": true, "CU": true, "CV": true, "CW": true, "CX": true, "CY": true, "CZ": true, "DE": true, "DJ": true,
- "DK": true, "DM": true, "DO": true, "DZ": true, "EC": true, "EE": true, "EG": true, "EH": true, "ER": true, "ES": true, "ET": true, "FI": true,
- "FJ": true, "FK": true, "FM": true, "FO": true, "FR": true, "GA": true, "GB": true, "GD": true, "GE": true, "GF": true, "GG": true, "GH": true,
- "GI": true, "GL": true, "GM": true, "GN": true, "GP": true, "GQ": true, "GR": true, "GS": true, "GT": true, "GU": true, "GW": true, "GY": true,
- "HK": true, "HM": true, "HN": true, "HR": true, "HT": true, "HU": true, "ID": true, "IE": true, "IL": true, "IM": true, "IN": true, "IO": true,
- "IQ": true, "IR": true, "IS": true, "IT": true, "JE": true, "JM": true, "JO": true, "JP": true, "KE": true, "KG": true, "KH": true, "KI": true,
- "KM": true, "KN": true, "KP": true, "KR": true, "KW": true, "KY": true, "KZ": true, "LA": true, "LB": true, "LC": true, "LI": true, "LK": true,
- "LR": true, "LS": true, "LT": true, "LU": true, "LV": true, "LY": true, "MA": true, "MC": true, "MD": true, "ME": true, "MF": true, "MG": true,
- "MH": true, "MK": true, "ML": true, "MM": true, "MN": true, "MO": true, "MP": true, "MQ": true, "MR": true, "MS": true, "MT": true, "MU": true,
- "MV": true, "MW": true, "MX": true, "MY": true, "MZ": true, "NA": true, "NC": true, "NE": true, "NF": true, "NG": true, "NI": true, "NL": true,
- "NO": true, "NP": true, "NR": true, "NU": true, "NZ": true, "OM": true, "PA": true, "PE": true, "PF": true, "PG": true, "PH": true, "PK": true,
- "PL": true, "PM": true, "PN": true, "PR": true, "PS": true, "PT": true, "PW": true, "PY": true, "QA": true, "RE": true, "RO": true, "RS": true,
- "RU": true, "RW": true, "SA": true, "SB": true, "SC": true, "SD": true, "SE": true, "SG": true, "SH": true, "SI": true, "SJ": true, "SK": true,
- "SL": true, "SM": true, "SN": true, "SO": true, "SR": true, "SS": true, "ST": true, "SV": true, "SX": true, "SY": true, "SZ": true, "TC": true,
- "TD": true, "TF": true, "TG": true, "TH": true, "TJ": true, "TK": true, "TL": true, "TM": true, "TN": true, "TO": true, "TR": true, "TT": true,
- "TV": true, "TW": true, "TZ": true, "UA": true, "UG": true, "UM": true, "US": true, "UY": true, "UZ": true, "VA": true, "VC": true, "VE": true,
- "VG": true, "VI": true, "VN": true, "VU": true, "WF": true, "WS": true, "YE": true, "YT": true, "ZA": true, "ZM": true, "ZW": true, "XX": true,
-}
-
-// IsISOCountryCode returns true if the input is a known two-letter country
-// code.
-//
-// TODO: Document where the list of known countries came from.
-func IsISOCountryCode(in string) bool {
- in = strings.ToUpper(in)
- _, ok := countries[in]
- return ok
-}
diff --git a/vendor/github.com/zmap/zlint/util/encodings.go b/vendor/github.com/zmap/zlint/util/encodings.go
deleted file mode 100644
index 92a30d261..000000000
--- a/vendor/github.com/zmap/zlint/util/encodings.go
+++ /dev/null
@@ -1,136 +0,0 @@
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-package util
-
-import (
- "bytes"
- "encoding/asn1"
- "errors"
- "regexp"
- "strings"
- "unicode"
- "unicode/utf16"
-
- "github.com/zmap/zcrypto/x509/pkix"
-)
-
-// CheckRDNSequenceWhiteSpace returns true if there is leading or trailing
-// whitespace in any name attribute in the sequence, respectively.
-func CheckRDNSequenceWhiteSpace(raw []byte) (leading, trailing bool, err error) {
- var seq pkix.RDNSequence
- if _, err = asn1.Unmarshal(raw, &seq); err != nil {
- return
- }
- for _, rdn := range seq {
- for _, atv := range rdn {
- if !IsNameAttribute(atv.Type) {
- continue
- }
- value, ok := atv.Value.(string)
- if !ok {
- continue
- }
- if leftStrip := strings.TrimLeftFunc(value, unicode.IsSpace); leftStrip != value {
- leading = true
- }
- if rightStrip := strings.TrimRightFunc(value, unicode.IsSpace); rightStrip != value {
- trailing = true
- }
- }
- }
- return
-}
-
-// IsIA5String returns true if raw is an IA5String, and returns false otherwise.
-func IsIA5String(raw []byte) bool {
- for _, b := range raw {
- i := int(b)
- if i > 127 || i < 0 {
- return false
- }
- }
- return true
-}
-
-func IsInPrefSyn(name string) bool {
- // If the DNS name is just a space, it is valid
- if name == " " {
- return true
- }
- // This is the expression that matches the ABNF syntax from RFC 1034: Sec 3.5, specifically for subdomain since the " " case for domain is covered above
- prefsyn := regexp.MustCompile(`^([[:alpha:]]{1}(([[:alnum:]]|[-])*[[:alnum:]]{1})*){1}([.][[:alpha:]]{1}(([[:alnum:]]|[-])*[[:alnum:]]{1})*)*$`)
- return prefsyn.MatchString(name)
-}
-
-// AllAlternateNameWithTagAreIA5 returns true if all sequence members with the
-// given tag are encoded as IA5 strings, and false otherwise. If it encounters
-// errors parsing asn1, err will be non-nil.
-func AllAlternateNameWithTagAreIA5(ext *pkix.Extension, tag int) (bool, error) {
- var seq asn1.RawValue
- var err error
- // Unmarshal the extension as a sequence
- if _, err = asn1.Unmarshal(ext.Value, &seq); err != nil {
- return false, err
- }
- // Ensure the sequence matches what we expect for SAN/IAN
- if !seq.IsCompound || seq.Tag != asn1.TagSequence || seq.Class != asn1.ClassUniversal {
- err = asn1.StructuralError{Msg: "bad alternate name sequence"}
- return false, err
- }
-
- // Iterate over the sequence and look for items tagged with tag
- rest := seq.Bytes
- for len(rest) > 0 {
- var v asn1.RawValue
- rest, err = asn1.Unmarshal(rest, &v)
- if err != nil {
- return false, err
- }
- if v.Tag == tag {
- if !IsIA5String(v.Bytes) {
- return false, nil
- }
- }
- }
-
- return true, nil
-}
-
-// IsEmptyASN1Sequence returns true if
-// *input is an empty sequence (0x30, 0x00) or
-// *len(inout) < 2
-// This check covers more cases than just empty sequence checks but it makes sense from the usage perspective
-var emptyASN1Sequence = []byte{0x30, 0x00}
-
-func IsEmptyASN1Sequence(input []byte) bool {
- return len(input) < 2 || bytes.Equal(input, emptyASN1Sequence)
-}
-
-// ParseBMPString returns a uint16 encoded string following the specification for a BMPString type
-func ParseBMPString(bmpString []byte) (string, error) {
- if len(bmpString)%2 != 0 {
- return "", errors.New("odd-length BMP string")
- }
- // strip terminator if present
- if l := len(bmpString); l >= 2 && bmpString[l-1] == 0 && bmpString[l-2] == 0 {
- bmpString = bmpString[:l-2]
- }
- s := make([]uint16, 0, len(bmpString)/2)
- for len(bmpString) > 0 {
- s = append(s, uint16(bmpString[0])<<8+uint16(bmpString[1]))
- bmpString = bmpString[2:]
- }
- return string(utf16.Decode(s)), nil
-}
diff --git a/vendor/github.com/zmap/zlint/util/ev.go b/vendor/github.com/zmap/zlint/util/ev.go
deleted file mode 100644
index f9b440248..000000000
--- a/vendor/github.com/zmap/zlint/util/ev.go
+++ /dev/null
@@ -1,71 +0,0 @@
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-package util
-
-import (
- "encoding/asn1"
-)
-
-var evoids = map[string]bool{
- "1.3.159.1.17.1": true,
- "1.3.6.1.4.1.34697.2.1": true,
- "1.3.6.1.4.1.34697.2.2": true,
- "1.3.6.1.4.1.34697.2.3": true,
- "1.3.6.1.4.1.34697.2.4": true,
- "1.2.40.0.17.1.22": true,
- "2.16.578.1.26.1.3.3": true,
- "1.3.6.1.4.1.17326.10.14.2.1.2": true,
- "1.3.6.1.4.1.17326.10.8.2.1.2": true,
- "1.3.6.1.4.1.6449.1.2.1.5.1": true,
- "2.16.840.1.114412.2.1": true,
- "2.16.840.1.114412.1.3.0.2": true,
- "2.16.528.1.1001.1.1.1.12.6.1.1.1": true,
- "2.16.792.3.0.4.1.1.4": true,
- "2.16.840.1.114028.10.1.2": true,
- "0.4.0.2042.1.4": true,
- "0.4.0.2042.1.5": true,
- "1.3.6.1.4.1.13177.10.1.3.10": true,
- "1.3.6.1.4.1.14370.1.6": true,
- "1.3.6.1.4.1.4146.1.1": true,
- "2.16.840.1.114413.1.7.23.3": true,
- "1.3.6.1.4.1.14777.6.1.1": true,
- "2.16.792.1.2.1.1.5.7.1.9": true,
- "1.3.6.1.4.1.782.1.2.1.8.1": true,
- "1.3.6.1.4.1.22234.2.5.2.3.1": true,
- "1.3.6.1.4.1.8024.0.2.100.1.2": true,
- "1.2.392.200091.100.721.1": true,
- "2.16.840.1.114414.1.7.23.3": true,
- "1.3.6.1.4.1.23223.2": true,
- "1.3.6.1.4.1.23223.1.1.1": true,
- "2.16.756.1.83.21.0": true,
- "2.16.756.1.89.1.2.1.1": true,
- "1.3.6.1.4.1.7879.13.24.1": true,
- "2.16.840.1.113733.1.7.48.1": true,
- "2.16.840.1.114404.1.1.2.4.1": true,
- "2.16.840.1.113733.1.7.23.6": true,
- "1.3.6.1.4.1.6334.1.100.1": true,
- "2.16.840.1.114171.500.9": true,
- "1.3.6.1.4.1.36305.2": true,
-}
-
-// IsEV returns true if the input is a known Extended Validation OID.
-func IsEV(in []asn1.ObjectIdentifier) bool {
- for _, oid := range in {
- if _, ok := evoids[oid.String()]; ok {
- return true
- }
- }
- return false
-}
diff --git a/vendor/github.com/zmap/zlint/util/fqdn.go b/vendor/github.com/zmap/zlint/util/fqdn.go
deleted file mode 100644
index d9cdf97a0..000000000
--- a/vendor/github.com/zmap/zlint/util/fqdn.go
+++ /dev/null
@@ -1,127 +0,0 @@ -/* - * ZLint Copyright 2018 Regents of the University of Michigan - * - * Licensed under the Apache License, Version 2.0 (the "License"); you may not - * use this file except in compliance with the License. You may obtain a copy - * of the License at http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or - * implied. See the License for the specific language governing - * permissions and limitations under the License. - */ - -package util - -import ( - "net" - "net/url" - "strings" - - "github.com/weppos/publicsuffix-go/publicsuffix" - zcutil "github.com/zmap/zcrypto/util" - "github.com/zmap/zcrypto/x509" -) - -func RemovePrependedQuestionMarks(domain string) string { - for strings.HasPrefix(domain, "?.") { - domain = domain[2:] - } - return domain -} - -func RemovePrependedWildcard(domain string) string { - if strings.HasPrefix(domain, "*.") { - domain = domain[2:] - } - return domain -} - -func IsFQDN(domain string) bool { - domain = RemovePrependedWildcard(domain) - domain = RemovePrependedQuestionMarks(domain) - return zcutil.IsURL(domain) -} - -func GetAuthority(uri string) string { - parsed, err := url.Parse(uri) - if err != nil { - return "" - } - if parsed.Opaque != "" { - // non-empty Opaque means that there is no authority - return "" - } - if len(uri) < 4 { - return "" - } - // https://tools.ietf.org/html/rfc3986#section-3 - // The only time an authority is present is if there is a // after the scheme. - firstColon := strings.Index(uri, ":") - postScheme := uri[firstColon+1:] - // After the scheme, there is the hier-part, optionally followed by a query or fragment. 
- if !strings.HasPrefix(postScheme, "//") { - // authority is always prefixed by // - return "" - } - for i := 2; i < len(postScheme); i++ { - // in the hier-part, the authority is followed by either an absolute path, or the empty string. - // So, the authority is terminated by the start of an absolute path (/), the start of a fragment (#) or the start of a query(?) - if postScheme[i] == '/' || postScheme[i] == '#' || postScheme[i] == '?' { - return postScheme[2:i] - } - } - // Found no absolute path, fragment or query -- so the authority is the only data after the scheme:// - return postScheme[2:] -} - -func GetHost(auth string) string { - begin := strings.Index(auth, "@") - if begin == len(auth)-1 { - begin = -1 - } - end := strings.Index(auth, ":") - if end == -1 { - end = len(auth) - } - if end < begin { - return "" - } - return auth[begin+1 : end] -} - -func AuthIsFQDNOrIP(auth string) bool { - return IsFQDNOrIP(GetHost(auth)) -} - -func IsFQDNOrIP(host string) bool { - if IsFQDN(host) { - return true - } - if net.ParseIP(host) != nil { - return true - } - return false -} - -func DNSNamesExist(cert *x509.Certificate) bool { - if cert.Subject.CommonName == "" && len(cert.DNSNames) == 0 { - return false - } else { - return true - } -} - -func ICANNPublicSuffixParse(domain string) (*publicsuffix.DomainName, error) { - return publicsuffix.ParseFromListWithOptions(publicsuffix.DefaultList, domain, &publicsuffix.FindOptions{IgnorePrivate: true, DefaultRule: publicsuffix.DefaultRule}) -} - -func CommonNameIsIP(cert *x509.Certificate) bool { - ip := net.ParseIP(cert.Subject.CommonName) - if ip == nil { - return false - } else { - return true - } -} diff --git a/vendor/github.com/zmap/zlint/util/gtld.go b/vendor/github.com/zmap/zlint/util/gtld.go deleted file mode 100644 index a5482c546..000000000 --- a/vendor/github.com/zmap/zlint/util/gtld.go +++ /dev/null 
@@ -1,122 +0,0 @@ -/* - * ZLint Copyright 2018 Regents of the University of Michigan - * - * Licensed under the Apache License, Version 2.0 (the "License"); you may not - * use this file except in compliance with the License. You may obtain a copy - * of the License at http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or - * implied. See the License for the specific language governing - * permissions and limitations under the License. - */ - -package util - -import ( - "fmt" - "strings" - "time" - - "github.com/zmap/zcrypto/x509" -) - -// This package uses the `zlint-gtld-update` command to generate a `tldMap` map. -//go:generate zlint-gtld-update ./gtld_map.go - -const ( - GTLDPeriodDateFormat = "2006-01-02" -) - -// GTLDPeriod is a struct representing a gTLD's validity period. The field names -// are chosen to match the data returned by the ICANN gTLD v2 JSON registry[0]. -// See the `zlint-gtld-update` command for more information. -// [0] - https://www.icann.org/resources/registries/gtlds/v2/gtlds.json -type GTLDPeriod struct { - // GTLD is the GTLD the period corresponds to. It is used only for friendly - // error messages from `Valid` - GTLD string - // DelegationDate is the date at which ICANN delegated the gTLD into existence - // from the root DNS, or is empty if the gTLD was never delegated. - DelegationDate string - // RemovalDate is the date at which ICANN removed the gTLD delegation from the - // root DNS, or is empty if the gTLD is still delegated and has not been - // removed. - RemovalDate string -} - -// Valid determines if the provided `when` time is within the GTLDPeriod for the -// gTLD. E.g. whether a certificate issued at `when` with a subject identifier -// using the specified gTLD can be considered a valid use of the gTLD. 
-func (p GTLDPeriod) Valid(when time.Time) error { - // NOTE: We can throw away the errors from time.Parse in this function because - // the zlint-gtld-update command only writes entries to the generated gTLD map - // after the dates have been verified as parseable - notBefore, _ := time.Parse(GTLDPeriodDateFormat, p.DelegationDate) - if when.Before(notBefore) { - return fmt.Errorf(`gTLD ".%s" is not valid until %s`, - p.GTLD, p.DelegationDate) - } - // The removal date may be empty. We only need to check `when` against the - // removal when it isn't empty - if p.RemovalDate != "" { - notAfter, _ := time.Parse(GTLDPeriodDateFormat, p.RemovalDate) - if when.After(notAfter) { - return fmt.Errorf(`gTLD ".%s" is not valid after %s`, - p.GTLD, p.RemovalDate) - } - } - return nil -} - -// HasValidTLD checks that a domain ends in a valid TLD that was delegated in -// the root DNS at the time specified. -func HasValidTLD(domain string, when time.Time) bool { - labels := strings.Split(strings.ToLower(domain), ".") - rightLabel := labels[len(labels)-1] - // if the rightmost label is not present in the tldMap, it isn't valid and - // never was. - if tldPeriod, present := tldMap[rightLabel]; !present { - return false - } else if tldPeriod.Valid(when) != nil { - // If the TLD exists but the date is outside of the gTLD's validity period - // then it is not a valid TLD. - return false - } - // Otherwise the TLD exists, and was a valid TLD delegated in the root DNS - // at the time of the given date. - return true -} - -// IsInTLDMap checks that a label is present in the TLD map. It does not -// consider the TLD's validity period and whether the TLD may have been removed, -// only whether it was ever a TLD that was delegated. 
-func IsInTLDMap(label string) bool { - label = strings.ToLower(label) - if _, ok := tldMap[label]; ok { - return true - } else { - return false - } -} - -// CertificateSubjContainsTLD checks whether the provided Certificate has -// a Subject Common Name or DNS Subject Alternate Name that ends in the provided -// TLD label. If IsInTLDMap(label) returns false then CertificateSubjInTLD will -// return false. -func CertificateSubjInTLD(c *x509.Certificate, label string) bool { - label = strings.ToLower(label) - if strings.HasPrefix(label, ".") { - label = label[1:] - } - if !IsInTLDMap(label) { - return false - } - for _, name := range append(c.DNSNames, c.Subject.CommonName) { - if strings.HasSuffix(name, "."+label) { - return true - } - } - return false -} diff --git a/vendor/github.com/zmap/zlint/util/gtld_map.go b/vendor/github.com/zmap/zlint/util/gtld_map.go deleted file mode 100644 index f1edaa82f..000000000 --- a/vendor/github.com/zmap/zlint/util/gtld_map.go +++ /dev/null 
@@ -1,7845 +0,0 @@ -// Code generated by go generate; DO NOT EDIT. -// This file was generated by zlint-gtld-update. - -/* - * ZLint Copyright 2018 Regents of the University of Michigan - * - * Licensed under the Apache License, Version 2.0 (the "License"); you may not - * use this file except in compliance with the License. You may obtain a copy - * of the License at http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or - * implied. See the License for the specific language governing - * permissions and limitations under the License. - */ - -package util - -var tldMap = map[string]GTLDPeriod{ - "aaa": { - GTLD: "aaa", - DelegationDate: "2015-08-28", - RemovalDate: "", - }, - "aarp": { - GTLD: "aarp", - DelegationDate: "2015-11-03", - RemovalDate: "", - }, - "abarth": { - GTLD: "abarth", - DelegationDate: "2016-08-04", - RemovalDate: "", - }, - "abb": { - GTLD: "abb", - DelegationDate: "2015-04-25", - RemovalDate: "", - }, - "abbott": { - GTLD: "abbott", - DelegationDate: "2015-03-07", - RemovalDate: "", - }, - "abbvie": { - GTLD: "abbvie", - DelegationDate: "2016-04-06", - RemovalDate: "", - }, - "abc": { - GTLD: "abc", - DelegationDate: "2016-07-28", - RemovalDate: "", - }, - "able": { - GTLD: "able", - DelegationDate: "2016-06-21", - RemovalDate: "", - }, - "abogado": { - GTLD: "abogado", - DelegationDate: "2014-10-15", - RemovalDate: "", - }, - "abudhabi": { - GTLD: "abudhabi", - DelegationDate: "2016-04-06", - RemovalDate: "", - }, - "ac": { - GTLD: "ac", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "academy": { - GTLD: "academy", - DelegationDate: "2013-12-17", - RemovalDate: "", - }, - "accenture": { - GTLD: "accenture", - DelegationDate: "2015-05-09", - RemovalDate: "", - }, - "accountant": { - GTLD: "accountant", - DelegationDate: "2015-03-25", 
- RemovalDate: "", - }, - "accountants": { - GTLD: "accountants", - DelegationDate: "2014-05-07", - RemovalDate: "", - }, - "aco": { - GTLD: "aco", - DelegationDate: "2015-08-27", - RemovalDate: "", - }, - "active": { - GTLD: "active", - DelegationDate: "2014-06-26", - RemovalDate: "2019-02-17", - }, - "actor": { - GTLD: "actor", - DelegationDate: "2014-02-26", - RemovalDate: "", - }, - "ad": { - GTLD: "ad", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "adac": { - GTLD: "adac", - DelegationDate: "2016-01-26", - RemovalDate: "", - }, - "ads": { - GTLD: "ads", - DelegationDate: "2015-03-24", - RemovalDate: "", - }, - "adult": { - GTLD: "adult", - DelegationDate: "2014-12-06", - RemovalDate: "", - }, - "ae": { - GTLD: "ae", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "aeg": { - GTLD: "aeg", - DelegationDate: "2015-06-20", - RemovalDate: "", - }, - "aero": { - GTLD: "aero", - DelegationDate: "2002-03-02", - RemovalDate: "", - }, - "aetna": { - GTLD: "aetna", - DelegationDate: "2016-05-20", - RemovalDate: "", - }, - "af": { - GTLD: "af", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "afamilycompany": { - GTLD: "afamilycompany", - DelegationDate: "2016-07-31", - RemovalDate: "", - }, - "afl": { - GTLD: "afl", - DelegationDate: "2015-03-28", - RemovalDate: "", - }, - "africa": { - GTLD: "africa", - DelegationDate: "2017-02-15", - RemovalDate: "", - }, - "ag": { - GTLD: "ag", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "agakhan": { - GTLD: "agakhan", - DelegationDate: "2016-04-16", - RemovalDate: "", - }, - "agency": { - GTLD: "agency", - DelegationDate: "2014-01-14", - RemovalDate: "", - }, - "ai": { - GTLD: "ai", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "aig": { - GTLD: "aig", - DelegationDate: "2015-05-02", - RemovalDate: "", - }, - "aigo": { - GTLD: "aigo", - DelegationDate: "2016-08-16", - RemovalDate: "", - }, - "airbus": { - GTLD: "airbus", - DelegationDate: "2016-06-10", - RemovalDate: "", - }, - 
"airforce": { - GTLD: "airforce", - DelegationDate: "2014-04-30", - RemovalDate: "", - }, - "airtel": { - GTLD: "airtel", - DelegationDate: "2015-07-08", - RemovalDate: "", - }, - "akdn": { - GTLD: "akdn", - DelegationDate: "2016-04-16", - RemovalDate: "", - }, - "al": { - GTLD: "al", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "alfaromeo": { - GTLD: "alfaromeo", - DelegationDate: "2016-08-02", - RemovalDate: "", - }, - "alibaba": { - GTLD: "alibaba", - DelegationDate: "2016-01-16", - RemovalDate: "", - }, - "alipay": { - GTLD: "alipay", - DelegationDate: "2016-01-16", - RemovalDate: "", - }, - "allfinanz": { - GTLD: "allfinanz", - DelegationDate: "2014-10-01", - RemovalDate: "", - }, - "allstate": { - GTLD: "allstate", - DelegationDate: "2016-07-14", - RemovalDate: "", - }, - "ally": { - GTLD: "ally", - DelegationDate: "2016-03-24", - RemovalDate: "", - }, - "alsace": { - GTLD: "alsace", - DelegationDate: "2014-10-04", - RemovalDate: "", - }, - "alstom": { - GTLD: "alstom", - DelegationDate: "2016-06-10", - RemovalDate: "", - }, - "am": { - GTLD: "am", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "americanexpress": { - GTLD: "americanexpress", - DelegationDate: "2016-08-08", - RemovalDate: "", - }, - "americanfamily": { - GTLD: "americanfamily", - DelegationDate: "2016-07-26", - RemovalDate: "", - }, - "amex": { - GTLD: "amex", - DelegationDate: "2016-08-08", - RemovalDate: "", - }, - "amfam": { - GTLD: "amfam", - DelegationDate: "2016-07-23", - RemovalDate: "", - }, - "amica": { - GTLD: "amica", - DelegationDate: "2015-08-29", - RemovalDate: "", - }, - "amsterdam": { - GTLD: "amsterdam", - DelegationDate: "2014-12-25", - RemovalDate: "", - }, - "analytics": { - GTLD: "analytics", - DelegationDate: "2015-12-21", - RemovalDate: "", - }, - "android": { - GTLD: "android", - DelegationDate: "2014-11-12", - RemovalDate: "", - }, - "anquan": { - GTLD: "anquan", - DelegationDate: "2016-03-30", - RemovalDate: "", - }, - "anz": { - GTLD: "anz", - 
DelegationDate: "2016-06-21", - RemovalDate: "", - }, - "ao": { - GTLD: "ao", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "aol": { - GTLD: "aol", - DelegationDate: "2016-11-04", - RemovalDate: "", - }, - "apartments": { - GTLD: "apartments", - DelegationDate: "2015-02-10", - RemovalDate: "", - }, - "app": { - GTLD: "app", - DelegationDate: "2015-07-02", - RemovalDate: "", - }, - "apple": { - GTLD: "apple", - DelegationDate: "2015-11-03", - RemovalDate: "", - }, - "aq": { - GTLD: "aq", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "aquarelle": { - GTLD: "aquarelle", - DelegationDate: "2014-12-02", - RemovalDate: "", - }, - "ar": { - GTLD: "ar", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "arab": { - GTLD: "arab", - DelegationDate: "2017-05-23", - RemovalDate: "", - }, - "aramco": { - GTLD: "aramco", - DelegationDate: "2015-10-15", - RemovalDate: "", - }, - "archi": { - GTLD: "archi", - DelegationDate: "2014-03-31", - RemovalDate: "", - }, - "army": { - GTLD: "army", - DelegationDate: "2014-06-04", - RemovalDate: "", - }, - "arpa": { - GTLD: "arpa", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "art": { - GTLD: "art", - DelegationDate: "2016-06-23", - RemovalDate: "", - }, - "arte": { - GTLD: "arte", - DelegationDate: "2015-10-20", - RemovalDate: "", - }, - "as": { - GTLD: "as", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "asda": { - GTLD: "asda", - DelegationDate: "2016-08-14", - RemovalDate: "", - }, - "asia": { - GTLD: "asia", - DelegationDate: "2007-05-02", - RemovalDate: "", - }, - "associates": { - GTLD: "associates", - DelegationDate: "2014-04-11", - RemovalDate: "", - }, - "at": { - GTLD: "at", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "athleta": { - GTLD: "athleta", - DelegationDate: "2016-08-04", - RemovalDate: "", - }, - "attorney": { - GTLD: "attorney", - DelegationDate: "2014-05-31", - RemovalDate: "", - }, - "au": { - GTLD: "au", - DelegationDate: "1985-01-01", - 
RemovalDate: "", - }, - "auction": { - GTLD: "auction", - DelegationDate: "2014-07-18", - RemovalDate: "", - }, - "audi": { - GTLD: "audi", - DelegationDate: "2015-11-25", - RemovalDate: "", - }, - "audible": { - GTLD: "audible", - DelegationDate: "2016-06-07", - RemovalDate: "", - }, - "audio": { - GTLD: "audio", - DelegationDate: "2014-05-15", - RemovalDate: "", - }, - "auspost": { - GTLD: "auspost", - DelegationDate: "2016-08-17", - RemovalDate: "", - }, - "author": { - GTLD: "author", - DelegationDate: "2015-12-05", - RemovalDate: "", - }, - "auto": { - GTLD: "auto", - DelegationDate: "2015-05-02", - RemovalDate: "", - }, - "autos": { - GTLD: "autos", - DelegationDate: "2014-05-22", - RemovalDate: "", - }, - "avianca": { - GTLD: "avianca", - DelegationDate: "2016-03-09", - RemovalDate: "", - }, - "aw": { - GTLD: "aw", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "aws": { - GTLD: "aws", - DelegationDate: "2016-03-25", - RemovalDate: "", - }, - "ax": { - GTLD: "ax", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "axa": { - GTLD: "axa", - DelegationDate: "2014-03-19", - RemovalDate: "", - }, - "az": { - GTLD: "az", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "azure": { - GTLD: "azure", - DelegationDate: "2015-06-06", - RemovalDate: "", - }, - "ba": { - GTLD: "ba", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "baby": { - GTLD: "baby", - DelegationDate: "2016-04-08", - RemovalDate: "", - }, - "baidu": { - GTLD: "baidu", - DelegationDate: "2016-01-05", - RemovalDate: "", - }, - "banamex": { - GTLD: "banamex", - DelegationDate: "2016-07-28", - RemovalDate: "", - }, - "bananarepublic": { - GTLD: "bananarepublic", - DelegationDate: "2016-08-04", - RemovalDate: "", - }, - "band": { - GTLD: "band", - DelegationDate: "2014-10-15", - RemovalDate: "", - }, - "bank": { - GTLD: "bank", - DelegationDate: "2015-01-09", - RemovalDate: "", - }, - "bar": { - GTLD: "bar", - DelegationDate: "2014-02-27", - RemovalDate: "", - }, - 
"barcelona": { - GTLD: "barcelona", - DelegationDate: "2015-07-08", - RemovalDate: "", - }, - "barclaycard": { - GTLD: "barclaycard", - DelegationDate: "2015-01-24", - RemovalDate: "", - }, - "barclays": { - GTLD: "barclays", - DelegationDate: "2015-01-24", - RemovalDate: "", - }, - "barefoot": { - GTLD: "barefoot", - DelegationDate: "2016-03-24", - RemovalDate: "", - }, - "bargains": { - GTLD: "bargains", - DelegationDate: "2014-01-23", - RemovalDate: "", - }, - "baseball": { - GTLD: "baseball", - DelegationDate: "2016-10-30", - RemovalDate: "", - }, - "basketball": { - GTLD: "basketball", - DelegationDate: "2016-10-19", - RemovalDate: "", - }, - "bauhaus": { - GTLD: "bauhaus", - DelegationDate: "2015-04-05", - RemovalDate: "", - }, - "bayern": { - GTLD: "bayern", - DelegationDate: "2014-05-03", - RemovalDate: "", - }, - "bb": { - GTLD: "bb", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "bbc": { - GTLD: "bbc", - DelegationDate: "2015-03-21", - RemovalDate: "", - }, - "bbt": { - GTLD: "bbt", - DelegationDate: "2016-07-15", - RemovalDate: "", - }, - "bbva": { - GTLD: "bbva", - DelegationDate: "2015-05-27", - RemovalDate: "", - }, - "bcg": { - GTLD: "bcg", - DelegationDate: "2016-03-09", - RemovalDate: "", - }, - "bcn": { - GTLD: "bcn", - DelegationDate: "2015-07-08", - RemovalDate: "", - }, - "bd": { - GTLD: "bd", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "be": { - GTLD: "be", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "beats": { - GTLD: "beats", - DelegationDate: "2015-11-03", - RemovalDate: "", - }, - "beauty": { - GTLD: "beauty", - DelegationDate: "2016-07-15", - RemovalDate: "", - }, - "beer": { - GTLD: "beer", - DelegationDate: "2014-05-15", - RemovalDate: "", - }, - "bentley": { - GTLD: "bentley", - DelegationDate: "2015-07-09", - RemovalDate: "", - }, - "berlin": { - GTLD: "berlin", - DelegationDate: "2014-01-08", - RemovalDate: "", - }, - "best": { - GTLD: "best", - DelegationDate: "2014-02-27", - RemovalDate: "", 
- }, - "bestbuy": { - GTLD: "bestbuy", - DelegationDate: "2016-07-19", - RemovalDate: "", - }, - "bet": { - GTLD: "bet", - DelegationDate: "2015-07-24", - RemovalDate: "", - }, - "bf": { - GTLD: "bf", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "bg": { - GTLD: "bg", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "bh": { - GTLD: "bh", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "bharti": { - GTLD: "bharti", - DelegationDate: "2015-06-14", - RemovalDate: "", - }, - "bi": { - GTLD: "bi", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "bible": { - GTLD: "bible", - DelegationDate: "2015-06-02", - RemovalDate: "", - }, - "bid": { - GTLD: "bid", - DelegationDate: "2014-03-02", - RemovalDate: "", - }, - "bike": { - GTLD: "bike", - DelegationDate: "2013-11-14", - RemovalDate: "", - }, - "bing": { - GTLD: "bing", - DelegationDate: "2015-06-10", - RemovalDate: "", - }, - "bingo": { - GTLD: "bingo", - DelegationDate: "2015-02-04", - RemovalDate: "", - }, - "bio": { - GTLD: "bio", - DelegationDate: "2014-06-02", - RemovalDate: "", - }, - "biz": { - GTLD: "biz", - DelegationDate: "2001-09-25", - RemovalDate: "", - }, - "bj": { - GTLD: "bj", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "black": { - GTLD: "black", - DelegationDate: "2014-03-27", - RemovalDate: "", - }, - "blackfriday": { - GTLD: "blackfriday", - DelegationDate: "2014-04-22", - RemovalDate: "", - }, - "blanco": { - GTLD: "blanco", - DelegationDate: "2016-06-21", - RemovalDate: "2019-02-13", - }, - "blockbuster": { - GTLD: "blockbuster", - DelegationDate: "2016-08-04", - RemovalDate: "", - }, - "blog": { - GTLD: "blog", - DelegationDate: "2016-05-18", - RemovalDate: "", - }, - "bloomberg": { - GTLD: "bloomberg", - DelegationDate: "2014-11-05", - RemovalDate: "", - }, - "blue": { - GTLD: "blue", - DelegationDate: "2014-02-05", - RemovalDate: "", - }, - "bm": { - GTLD: "bm", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "bms": { - GTLD: "bms", 
- DelegationDate: "2015-09-22", - RemovalDate: "", - }, - "bmw": { - GTLD: "bmw", - DelegationDate: "2014-06-21", - RemovalDate: "", - }, - "bn": { - GTLD: "bn", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "bnl": { - GTLD: "bnl", - DelegationDate: "2015-06-26", - RemovalDate: "2019-07-30", - }, - "bnpparibas": { - GTLD: "bnpparibas", - DelegationDate: "2014-08-14", - RemovalDate: "", - }, - "bo": { - GTLD: "bo", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "boats": { - GTLD: "boats", - DelegationDate: "2015-02-25", - RemovalDate: "", - }, - "boehringer": { - GTLD: "boehringer", - DelegationDate: "2015-11-25", - RemovalDate: "", - }, - "bofa": { - GTLD: "bofa", - DelegationDate: "2016-08-02", - RemovalDate: "", - }, - "bom": { - GTLD: "bom", - DelegationDate: "2015-09-26", - RemovalDate: "", - }, - "bond": { - GTLD: "bond", - DelegationDate: "2015-03-27", - RemovalDate: "", - }, - "boo": { - GTLD: "boo", - DelegationDate: "2014-08-30", - RemovalDate: "", - }, - "book": { - GTLD: "book", - DelegationDate: "2015-12-05", - RemovalDate: "", - }, - "booking": { - GTLD: "booking", - DelegationDate: "2016-07-23", - RemovalDate: "", - }, - "boots": { - GTLD: "boots", - DelegationDate: "2015-08-05", - RemovalDate: "2018-04-06", - }, - "bosch": { - GTLD: "bosch", - DelegationDate: "2015-12-24", - RemovalDate: "", - }, - "bostik": { - GTLD: "bostik", - DelegationDate: "2015-11-25", - RemovalDate: "", - }, - "boston": { - GTLD: "boston", - DelegationDate: "2016-11-29", - RemovalDate: "", - }, - "bot": { - GTLD: "bot", - DelegationDate: "2015-12-05", - RemovalDate: "", - }, - "boutique": { - GTLD: "boutique", - DelegationDate: "2014-01-23", - RemovalDate: "", - }, - "box": { - GTLD: "box", - DelegationDate: "2016-11-11", - RemovalDate: "", - }, - "br": { - GTLD: "br", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "bradesco": { - GTLD: "bradesco", - DelegationDate: "2015-06-26", - RemovalDate: "", - }, - "bridgestone": { - GTLD: 
"bridgestone", - DelegationDate: "2015-05-01", - RemovalDate: "", - }, - "broadway": { - GTLD: "broadway", - DelegationDate: "2015-11-18", - RemovalDate: "", - }, - "broker": { - GTLD: "broker", - DelegationDate: "2015-04-29", - RemovalDate: "", - }, - "brother": { - GTLD: "brother", - DelegationDate: "2015-05-12", - RemovalDate: "", - }, - "brussels": { - GTLD: "brussels", - DelegationDate: "2014-06-18", - RemovalDate: "", - }, - "bs": { - GTLD: "bs", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "bt": { - GTLD: "bt", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "budapest": { - GTLD: "budapest", - DelegationDate: "2014-09-23", - RemovalDate: "", - }, - "bugatti": { - GTLD: "bugatti", - DelegationDate: "2015-11-25", - RemovalDate: "", - }, - "build": { - GTLD: "build", - DelegationDate: "2014-01-18", - RemovalDate: "", - }, - "builders": { - GTLD: "builders", - DelegationDate: "2013-12-28", - RemovalDate: "", - }, - "business": { - GTLD: "business", - DelegationDate: "2014-08-22", - RemovalDate: "", - }, - "buy": { - GTLD: "buy", - DelegationDate: "2015-12-05", - RemovalDate: "", - }, - "buzz": { - GTLD: "buzz", - DelegationDate: "2013-12-18", - RemovalDate: "", - }, - "bv": { - GTLD: "bv", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "bw": { - GTLD: "bw", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "by": { - GTLD: "by", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "bz": { - GTLD: "bz", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "bzh": { - GTLD: "bzh", - DelegationDate: "2014-06-17", - RemovalDate: "", - }, - "ca": { - GTLD: "ca", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "cab": { - GTLD: "cab", - DelegationDate: "2013-12-17", - RemovalDate: "", - }, - "cafe": { - GTLD: "cafe", - DelegationDate: "2015-04-05", - RemovalDate: "", - }, - "cal": { - GTLD: "cal", - DelegationDate: "2014-09-15", - RemovalDate: "", - }, - "call": { - GTLD: "call", - DelegationDate: 
"2015-12-05", - RemovalDate: "", - }, - "calvinklein": { - GTLD: "calvinklein", - DelegationDate: "2016-08-04", - RemovalDate: "", - }, - "cam": { - GTLD: "cam", - DelegationDate: "2016-06-16", - RemovalDate: "", - }, - "camera": { - GTLD: "camera", - DelegationDate: "2013-11-06", - RemovalDate: "", - }, - "camp": { - GTLD: "camp", - DelegationDate: "2013-12-17", - RemovalDate: "", - }, - "cancerresearch": { - GTLD: "cancerresearch", - DelegationDate: "2014-07-03", - RemovalDate: "", - }, - "canon": { - GTLD: "canon", - DelegationDate: "2015-02-04", - RemovalDate: "", - }, - "capetown": { - GTLD: "capetown", - DelegationDate: "2014-06-19", - RemovalDate: "", - }, - "capital": { - GTLD: "capital", - DelegationDate: "2014-04-11", - RemovalDate: "", - }, - "capitalone": { - GTLD: "capitalone", - DelegationDate: "2016-08-10", - RemovalDate: "", - }, - "car": { - GTLD: "car", - DelegationDate: "2015-09-09", - RemovalDate: "", - }, - "caravan": { - GTLD: "caravan", - DelegationDate: "2014-08-15", - RemovalDate: "", - }, - "cards": { - GTLD: "cards", - DelegationDate: "2014-02-11", - RemovalDate: "", - }, - "care": { - GTLD: "care", - DelegationDate: "2014-04-23", - RemovalDate: "", - }, - "career": { - GTLD: "career", - DelegationDate: "2014-04-11", - RemovalDate: "", - }, - "careers": { - GTLD: "careers", - DelegationDate: "2013-12-17", - RemovalDate: "", - }, - "cars": { - GTLD: "cars", - DelegationDate: "2015-05-02", - RemovalDate: "", - }, - "cartier": { - GTLD: "cartier", - DelegationDate: "2014-12-11", - RemovalDate: "2019-11-14", - }, - "casa": { - GTLD: "casa", - DelegationDate: "2014-09-23", - RemovalDate: "", - }, - "case": { - GTLD: "case", - DelegationDate: "2016-10-30", - RemovalDate: "", - }, - "caseih": { - GTLD: "caseih", - DelegationDate: "2016-10-30", - RemovalDate: "", - }, - "cash": { - GTLD: "cash", - DelegationDate: "2014-04-23", - RemovalDate: "", - }, - "casino": { - GTLD: "casino", - DelegationDate: "2015-02-19", - RemovalDate: "", - }, - "cat": 
{ - GTLD: "cat", - DelegationDate: "2005-12-20", - RemovalDate: "", - }, - "catering": { - GTLD: "catering", - DelegationDate: "2014-02-04", - RemovalDate: "", - }, - "catholic": { - GTLD: "catholic", - DelegationDate: "2016-12-01", - RemovalDate: "", - }, - "cba": { - GTLD: "cba", - DelegationDate: "2015-06-22", - RemovalDate: "", - }, - "cbn": { - GTLD: "cbn", - DelegationDate: "2015-02-13", - RemovalDate: "", - }, - "cbre": { - GTLD: "cbre", - DelegationDate: "2016-07-02", - RemovalDate: "", - }, - "cbs": { - GTLD: "cbs", - DelegationDate: "2016-08-04", - RemovalDate: "", - }, - "cc": { - GTLD: "cc", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "cd": { - GTLD: "cd", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "ceb": { - GTLD: "ceb", - DelegationDate: "2015-08-08", - RemovalDate: "", - }, - "center": { - GTLD: "center", - DelegationDate: "2013-12-17", - RemovalDate: "", - }, - "ceo": { - GTLD: "ceo", - DelegationDate: "2013-12-28", - RemovalDate: "", - }, - "cern": { - GTLD: "cern", - DelegationDate: "2014-08-16", - RemovalDate: "", - }, - "cf": { - GTLD: "cf", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "cfa": { - GTLD: "cfa", - DelegationDate: "2015-05-02", - RemovalDate: "", - }, - "cfd": { - GTLD: "cfd", - DelegationDate: "2015-03-13", - RemovalDate: "", - }, - "cg": { - GTLD: "cg", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "ch": { - GTLD: "ch", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "chanel": { - GTLD: "chanel", - DelegationDate: "2015-08-05", - RemovalDate: "", - }, - "channel": { - GTLD: "channel", - DelegationDate: "2014-09-15", - RemovalDate: "", - }, - "charity": { - GTLD: "charity", - DelegationDate: "2018-06-07", - RemovalDate: "", - }, - "chase": { - GTLD: "chase", - DelegationDate: "2016-02-27", - RemovalDate: "", - }, - "chat": { - GTLD: "chat", - DelegationDate: "2015-02-04", - RemovalDate: "", - }, - "cheap": { - GTLD: "cheap", - DelegationDate: "2014-01-14", - 
RemovalDate: "", - }, - "chintai": { - GTLD: "chintai", - DelegationDate: "2016-06-07", - RemovalDate: "", - }, - "chloe": { - GTLD: "chloe", - DelegationDate: "2015-03-09", - RemovalDate: "2017-10-06", - }, - "christmas": { - GTLD: "christmas", - DelegationDate: "2014-02-26", - RemovalDate: "", - }, - "chrome": { - GTLD: "chrome", - DelegationDate: "2014-09-15", - RemovalDate: "", - }, - "chrysler": { - GTLD: "chrysler", - DelegationDate: "2016-07-28", - RemovalDate: "2019-11-19", - }, - "church": { - GTLD: "church", - DelegationDate: "2014-05-15", - RemovalDate: "", - }, - "ci": { - GTLD: "ci", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "cipriani": { - GTLD: "cipriani", - DelegationDate: "2015-10-09", - RemovalDate: "", - }, - "circle": { - GTLD: "circle", - DelegationDate: "2015-12-05", - RemovalDate: "", - }, - "cisco": { - GTLD: "cisco", - DelegationDate: "2015-05-15", - RemovalDate: "", - }, - "citadel": { - GTLD: "citadel", - DelegationDate: "2016-07-23", - RemovalDate: "", - }, - "citi": { - GTLD: "citi", - DelegationDate: "2016-07-28", - RemovalDate: "", - }, - "citic": { - GTLD: "citic", - DelegationDate: "2014-04-29", - RemovalDate: "", - }, - "city": { - GTLD: "city", - DelegationDate: "2014-07-10", - RemovalDate: "", - }, - "cityeats": { - GTLD: "cityeats", - DelegationDate: "2015-11-10", - RemovalDate: "", - }, - "ck": { - GTLD: "ck", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "cl": { - GTLD: "cl", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "claims": { - GTLD: "claims", - DelegationDate: "2014-05-07", - RemovalDate: "", - }, - "cleaning": { - GTLD: "cleaning", - DelegationDate: "2014-02-04", - RemovalDate: "", - }, - "click": { - GTLD: "click", - DelegationDate: "2014-08-16", - RemovalDate: "", - }, - "clinic": { - GTLD: "clinic", - DelegationDate: "2014-04-22", - RemovalDate: "", - }, - "clinique": { - GTLD: "clinique", - DelegationDate: "2015-12-28", - RemovalDate: "", - }, - "clothing": { - GTLD: 
"clothing", - DelegationDate: "2013-11-06", - RemovalDate: "", - }, - "cloud": { - GTLD: "cloud", - DelegationDate: "2015-06-26", - RemovalDate: "", - }, - "club": { - GTLD: "club", - DelegationDate: "2014-01-18", - RemovalDate: "", - }, - "clubmed": { - GTLD: "clubmed", - DelegationDate: "2015-10-02", - RemovalDate: "", - }, - "cm": { - GTLD: "cm", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "cn": { - GTLD: "cn", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "co": { - GTLD: "co", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "coach": { - GTLD: "coach", - DelegationDate: "2014-11-26", - RemovalDate: "", - }, - "codes": { - GTLD: "codes", - DelegationDate: "2013-12-28", - RemovalDate: "", - }, - "coffee": { - GTLD: "coffee", - DelegationDate: "2013-12-28", - RemovalDate: "", - }, - "college": { - GTLD: "college", - DelegationDate: "2014-04-10", - RemovalDate: "", - }, - "cologne": { - GTLD: "cologne", - DelegationDate: "2014-03-19", - RemovalDate: "", - }, - "com": { - GTLD: "com", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "comcast": { - GTLD: "comcast", - DelegationDate: "2016-07-07", - RemovalDate: "", - }, - "commbank": { - GTLD: "commbank", - DelegationDate: "2015-06-22", - RemovalDate: "", - }, - "community": { - GTLD: "community", - DelegationDate: "2014-01-25", - RemovalDate: "", - }, - "company": { - GTLD: "company", - DelegationDate: "2013-12-17", - RemovalDate: "", - }, - "compare": { - GTLD: "compare", - DelegationDate: "2016-01-15", - RemovalDate: "", - }, - "computer": { - GTLD: "computer", - DelegationDate: "2013-12-17", - RemovalDate: "", - }, - "comsec": { - GTLD: "comsec", - DelegationDate: "2015-11-16", - RemovalDate: "", - }, - "condos": { - GTLD: "condos", - DelegationDate: "2014-02-11", - RemovalDate: "", - }, - "construction": { - GTLD: "construction", - DelegationDate: "2013-11-14", - RemovalDate: "", - }, - "consulting": { - GTLD: "consulting", - DelegationDate: "2014-04-01", - 
RemovalDate: "", - }, - "contact": { - GTLD: "contact", - DelegationDate: "2015-12-22", - RemovalDate: "", - }, - "contractors": { - GTLD: "contractors", - DelegationDate: "2013-11-14", - RemovalDate: "", - }, - "cooking": { - GTLD: "cooking", - DelegationDate: "2014-03-31", - RemovalDate: "", - }, - "cookingchannel": { - GTLD: "cookingchannel", - DelegationDate: "2016-06-23", - RemovalDate: "", - }, - "cool": { - GTLD: "cool", - DelegationDate: "2014-01-23", - RemovalDate: "", - }, - "coop": { - GTLD: "coop", - DelegationDate: "2001-12-20", - RemovalDate: "", - }, - "corsica": { - GTLD: "corsica", - DelegationDate: "2015-05-16", - RemovalDate: "", - }, - "country": { - GTLD: "country", - DelegationDate: "2014-03-31", - RemovalDate: "", - }, - "coupon": { - GTLD: "coupon", - DelegationDate: "2016-02-19", - RemovalDate: "", - }, - "coupons": { - GTLD: "coupons", - DelegationDate: "2015-05-13", - RemovalDate: "", - }, - "courses": { - GTLD: "courses", - DelegationDate: "2015-02-25", - RemovalDate: "", - }, - "cpa": { - GTLD: "cpa", - DelegationDate: "2019-09-20", - RemovalDate: "", - }, - "cr": { - GTLD: "cr", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "credit": { - GTLD: "credit", - DelegationDate: "2014-05-07", - RemovalDate: "", - }, - "creditcard": { - GTLD: "creditcard", - DelegationDate: "2014-04-29", - RemovalDate: "", - }, - "creditunion": { - GTLD: "creditunion", - DelegationDate: "2015-11-10", - RemovalDate: "", - }, - "cricket": { - GTLD: "cricket", - DelegationDate: "2014-11-17", - RemovalDate: "", - }, - "crown": { - GTLD: "crown", - DelegationDate: "2015-06-19", - RemovalDate: "", - }, - "crs": { - GTLD: "crs", - DelegationDate: "2014-10-15", - RemovalDate: "", - }, - "cruise": { - GTLD: "cruise", - DelegationDate: "2016-11-12", - RemovalDate: "", - }, - "cruises": { - GTLD: "cruises", - DelegationDate: "2014-02-04", - RemovalDate: "", - }, - "csc": { - GTLD: "csc", - DelegationDate: "2015-09-01", - RemovalDate: "", - }, - "cu": { - GTLD: 
"cu", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "cuisinella": { - GTLD: "cuisinella", - DelegationDate: "2014-07-03", - RemovalDate: "", - }, - "cv": { - GTLD: "cv", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "cw": { - GTLD: "cw", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "cx": { - GTLD: "cx", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "cy": { - GTLD: "cy", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "cymru": { - GTLD: "cymru", - DelegationDate: "2014-08-08", - RemovalDate: "", - }, - "cyou": { - GTLD: "cyou", - DelegationDate: "2015-04-03", - RemovalDate: "", - }, - "cz": { - GTLD: "cz", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "dabur": { - GTLD: "dabur", - DelegationDate: "2015-01-24", - RemovalDate: "", - }, - "dad": { - GTLD: "dad", - DelegationDate: "2014-08-30", - RemovalDate: "", - }, - "dance": { - GTLD: "dance", - DelegationDate: "2014-01-14", - RemovalDate: "", - }, - "data": { - GTLD: "data", - DelegationDate: "2016-12-20", - RemovalDate: "", - }, - "date": { - GTLD: "date", - DelegationDate: "2015-03-25", - RemovalDate: "", - }, - "dating": { - GTLD: "dating", - DelegationDate: "2014-01-25", - RemovalDate: "", - }, - "datsun": { - GTLD: "datsun", - DelegationDate: "2015-03-04", - RemovalDate: "", - }, - "day": { - GTLD: "day", - DelegationDate: "2014-08-30", - RemovalDate: "", - }, - "dclk": { - GTLD: "dclk", - DelegationDate: "2015-01-24", - RemovalDate: "", - }, - "dds": { - GTLD: "dds", - DelegationDate: "2016-05-11", - RemovalDate: "", - }, - "de": { - GTLD: "de", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "deal": { - GTLD: "deal", - DelegationDate: "2016-06-07", - RemovalDate: "", - }, - "dealer": { - GTLD: "dealer", - DelegationDate: "2015-12-24", - RemovalDate: "", - }, - "deals": { - GTLD: "deals", - DelegationDate: "2014-07-10", - RemovalDate: "", - }, - "degree": { - GTLD: "degree", - DelegationDate: "2014-05-30", - RemovalDate: "", - }, 
- "delivery": { - GTLD: "delivery", - DelegationDate: "2014-11-01", - RemovalDate: "", - }, - "dell": { - GTLD: "dell", - DelegationDate: "2015-10-14", - RemovalDate: "", - }, - "deloitte": { - GTLD: "deloitte", - DelegationDate: "2016-01-29", - RemovalDate: "", - }, - "delta": { - GTLD: "delta", - DelegationDate: "2015-07-11", - RemovalDate: "", - }, - "democrat": { - GTLD: "democrat", - DelegationDate: "2014-01-14", - RemovalDate: "", - }, - "dental": { - GTLD: "dental", - DelegationDate: "2014-04-23", - RemovalDate: "", - }, - "dentist": { - GTLD: "dentist", - DelegationDate: "2014-05-31", - RemovalDate: "", - }, - "desi": { - GTLD: "desi", - DelegationDate: "2014-04-10", - RemovalDate: "", - }, - "design": { - GTLD: "design", - DelegationDate: "2015-01-24", - RemovalDate: "", - }, - "dev": { - GTLD: "dev", - DelegationDate: "2014-12-18", - RemovalDate: "", - }, - "dhl": { - GTLD: "dhl", - DelegationDate: "2016-06-02", - RemovalDate: "", - }, - "diamonds": { - GTLD: "diamonds", - DelegationDate: "2013-11-19", - RemovalDate: "", - }, - "diet": { - GTLD: "diet", - DelegationDate: "2014-08-16", - RemovalDate: "", - }, - "digital": { - GTLD: "digital", - DelegationDate: "2014-05-07", - RemovalDate: "", - }, - "direct": { - GTLD: "direct", - DelegationDate: "2014-07-02", - RemovalDate: "", - }, - "directory": { - GTLD: "directory", - DelegationDate: "2013-11-19", - RemovalDate: "", - }, - "discount": { - GTLD: "discount", - DelegationDate: "2014-04-23", - RemovalDate: "", - }, - "discover": { - GTLD: "discover", - DelegationDate: "2016-07-28", - RemovalDate: "", - }, - "dish": { - GTLD: "dish", - DelegationDate: "2016-08-10", - RemovalDate: "", - }, - "diy": { - GTLD: "diy", - DelegationDate: "2016-08-25", - RemovalDate: "", - }, - "dj": { - GTLD: "dj", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "dk": { - GTLD: "dk", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "dm": { - GTLD: "dm", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - 
"dnp": { - GTLD: "dnp", - DelegationDate: "2014-03-11", - RemovalDate: "", - }, - "do": { - GTLD: "do", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "docs": { - GTLD: "docs", - DelegationDate: "2014-12-18", - RemovalDate: "", - }, - "doctor": { - GTLD: "doctor", - DelegationDate: "2016-07-21", - RemovalDate: "", - }, - "dodge": { - GTLD: "dodge", - DelegationDate: "2016-08-04", - RemovalDate: "2019-11-19", - }, - "dog": { - GTLD: "dog", - DelegationDate: "2015-04-29", - RemovalDate: "", - }, - "doha": { - GTLD: "doha", - DelegationDate: "2015-03-25", - RemovalDate: "2019-04-09", - }, - "domains": { - GTLD: "domains", - DelegationDate: "2013-12-17", - RemovalDate: "", - }, - "doosan": { - GTLD: "doosan", - DelegationDate: "2014-12-13", - RemovalDate: "2016-02-24", - }, - "dot": { - GTLD: "dot", - DelegationDate: "2016-05-18", - RemovalDate: "", - }, - "download": { - GTLD: "download", - DelegationDate: "2015-03-25", - RemovalDate: "", - }, - "drive": { - GTLD: "drive", - DelegationDate: "2015-06-20", - RemovalDate: "", - }, - "dtv": { - GTLD: "dtv", - DelegationDate: "2016-05-27", - RemovalDate: "", - }, - "dubai": { - GTLD: "dubai", - DelegationDate: "2016-01-07", - RemovalDate: "", - }, - "duck": { - GTLD: "duck", - DelegationDate: "2016-07-21", - RemovalDate: "", - }, - "dunlop": { - GTLD: "dunlop", - DelegationDate: "2016-06-10", - RemovalDate: "", - }, - "duns": { - GTLD: "duns", - DelegationDate: "2016-07-23", - RemovalDate: "2019-08-30", - }, - "dupont": { - GTLD: "dupont", - DelegationDate: "2016-06-10", - RemovalDate: "", - }, - "durban": { - GTLD: "durban", - DelegationDate: "2014-06-19", - RemovalDate: "", - }, - "dvag": { - GTLD: "dvag", - DelegationDate: "2014-09-27", - RemovalDate: "", - }, - "dvr": { - GTLD: "dvr", - DelegationDate: "2016-09-30", - RemovalDate: "", - }, - "dz": { - GTLD: "dz", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "earth": { - GTLD: "earth", - DelegationDate: "2015-05-14", - RemovalDate: "", - }, - 
"eat": { - GTLD: "eat", - DelegationDate: "2014-08-30", - RemovalDate: "", - }, - "ec": { - GTLD: "ec", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "eco": { - GTLD: "eco", - DelegationDate: "2016-08-28", - RemovalDate: "", - }, - "edeka": { - GTLD: "edeka", - DelegationDate: "2016-01-21", - RemovalDate: "", - }, - "edu": { - GTLD: "edu", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "education": { - GTLD: "education", - DelegationDate: "2013-12-28", - RemovalDate: "", - }, - "ee": { - GTLD: "ee", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "eg": { - GTLD: "eg", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "email": { - GTLD: "email", - DelegationDate: "2014-01-02", - RemovalDate: "", - }, - "emerck": { - GTLD: "emerck", - DelegationDate: "2014-10-22", - RemovalDate: "", - }, - "energy": { - GTLD: "energy", - DelegationDate: "2014-11-01", - RemovalDate: "", - }, - "engineer": { - GTLD: "engineer", - DelegationDate: "2014-06-04", - RemovalDate: "", - }, - "engineering": { - GTLD: "engineering", - DelegationDate: "2014-04-11", - RemovalDate: "", - }, - "enterprises": { - GTLD: "enterprises", - DelegationDate: "2013-11-19", - RemovalDate: "", - }, - "epost": { - GTLD: "epost", - DelegationDate: "2016-06-07", - RemovalDate: "2019-02-15", - }, - "epson": { - GTLD: "epson", - DelegationDate: "2015-03-03", - RemovalDate: "", - }, - "equipment": { - GTLD: "equipment", - DelegationDate: "2013-11-06", - RemovalDate: "", - }, - "er": { - GTLD: "er", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "ericsson": { - GTLD: "ericsson", - DelegationDate: "2016-06-10", - RemovalDate: "", - }, - "erni": { - GTLD: "erni", - DelegationDate: "2015-03-12", - RemovalDate: "", - }, - "es": { - GTLD: "es", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "esq": { - GTLD: "esq", - DelegationDate: "2014-08-29", - RemovalDate: "", - }, - "estate": { - GTLD: "estate", - DelegationDate: "2013-11-14", - RemovalDate: "", - }, - 
"esurance": { - GTLD: "esurance", - DelegationDate: "2016-07-23", - RemovalDate: "", - }, - "et": { - GTLD: "et", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "etisalat": { - GTLD: "etisalat", - DelegationDate: "2017-06-01", - RemovalDate: "", - }, - "eu": { - GTLD: "eu", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "eurovision": { - GTLD: "eurovision", - DelegationDate: "2014-12-06", - RemovalDate: "", - }, - "eus": { - GTLD: "eus", - DelegationDate: "2014-04-11", - RemovalDate: "", - }, - "events": { - GTLD: "events", - DelegationDate: "2014-02-04", - RemovalDate: "", - }, - "everbank": { - GTLD: "everbank", - DelegationDate: "2014-11-26", - RemovalDate: "2019-11-14", - }, - "exchange": { - GTLD: "exchange", - DelegationDate: "2014-04-23", - RemovalDate: "", - }, - "expert": { - GTLD: "expert", - DelegationDate: "2014-01-23", - RemovalDate: "", - }, - "exposed": { - GTLD: "exposed", - DelegationDate: "2014-02-04", - RemovalDate: "", - }, - "express": { - GTLD: "express", - DelegationDate: "2015-04-05", - RemovalDate: "", - }, - "extraspace": { - GTLD: "extraspace", - DelegationDate: "2016-03-25", - RemovalDate: "", - }, - "fage": { - GTLD: "fage", - DelegationDate: "2015-08-08", - RemovalDate: "", - }, - "fail": { - GTLD: "fail", - DelegationDate: "2014-04-23", - RemovalDate: "", - }, - "fairwinds": { - GTLD: "fairwinds", - DelegationDate: "2015-11-13", - RemovalDate: "", - }, - "faith": { - GTLD: "faith", - DelegationDate: "2015-03-25", - RemovalDate: "", - }, - "family": { - GTLD: "family", - DelegationDate: "2015-08-11", - RemovalDate: "", - }, - "fan": { - GTLD: "fan", - DelegationDate: "2015-03-16", - RemovalDate: "", - }, - "fans": { - GTLD: "fans", - DelegationDate: "2015-02-19", - RemovalDate: "", - }, - "farm": { - GTLD: "farm", - DelegationDate: "2013-12-28", - RemovalDate: "", - }, - "farmers": { - GTLD: "farmers", - DelegationDate: "2016-06-25", - RemovalDate: "", - }, - "fashion": { - GTLD: "fashion", - DelegationDate: 
"2014-12-06", - RemovalDate: "", - }, - "fast": { - GTLD: "fast", - DelegationDate: "2015-12-05", - RemovalDate: "", - }, - "fedex": { - GTLD: "fedex", - DelegationDate: "2016-06-25", - RemovalDate: "", - }, - "feedback": { - GTLD: "feedback", - DelegationDate: "2014-04-10", - RemovalDate: "", - }, - "ferrari": { - GTLD: "ferrari", - DelegationDate: "2016-08-02", - RemovalDate: "", - }, - "ferrero": { - GTLD: "ferrero", - DelegationDate: "2015-11-07", - RemovalDate: "", - }, - "fi": { - GTLD: "fi", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "fiat": { - GTLD: "fiat", - DelegationDate: "2016-08-02", - RemovalDate: "", - }, - "fidelity": { - GTLD: "fidelity", - DelegationDate: "2016-08-04", - RemovalDate: "", - }, - "fido": { - GTLD: "fido", - DelegationDate: "2016-09-20", - RemovalDate: "", - }, - "film": { - GTLD: "film", - DelegationDate: "2015-03-24", - RemovalDate: "", - }, - "final": { - GTLD: "final", - DelegationDate: "2015-09-26", - RemovalDate: "", - }, - "finance": { - GTLD: "finance", - DelegationDate: "2014-04-29", - RemovalDate: "", - }, - "financial": { - GTLD: "financial", - DelegationDate: "2014-04-23", - RemovalDate: "", - }, - "fire": { - GTLD: "fire", - DelegationDate: "2016-06-07", - RemovalDate: "", - }, - "firestone": { - GTLD: "firestone", - DelegationDate: "2015-12-05", - RemovalDate: "", - }, - "firmdale": { - GTLD: "firmdale", - DelegationDate: "2014-11-20", - RemovalDate: "", - }, - "fish": { - GTLD: "fish", - DelegationDate: "2014-02-21", - RemovalDate: "", - }, - "fishing": { - GTLD: "fishing", - DelegationDate: "2014-03-31", - RemovalDate: "", - }, - "fit": { - GTLD: "fit", - DelegationDate: "2015-01-09", - RemovalDate: "", - }, - "fitness": { - GTLD: "fitness", - DelegationDate: "2014-04-22", - RemovalDate: "", - }, - "fj": { - GTLD: "fj", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "fk": { - GTLD: "fk", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "flickr": { - GTLD: "flickr", - DelegationDate: 
"2016-02-13", - RemovalDate: "", - }, - "flights": { - GTLD: "flights", - DelegationDate: "2014-02-04", - RemovalDate: "", - }, - "flir": { - GTLD: "flir", - DelegationDate: "2016-05-10", - RemovalDate: "", - }, - "florist": { - GTLD: "florist", - DelegationDate: "2013-12-28", - RemovalDate: "", - }, - "flowers": { - GTLD: "flowers", - DelegationDate: "2014-12-25", - RemovalDate: "", - }, - "flsmidth": { - GTLD: "flsmidth", - DelegationDate: "2014-10-15", - RemovalDate: "2016-07-29", - }, - "fly": { - GTLD: "fly", - DelegationDate: "2014-09-15", - RemovalDate: "", - }, - "fm": { - GTLD: "fm", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "fo": { - GTLD: "fo", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "foo": { - GTLD: "foo", - DelegationDate: "2014-04-19", - RemovalDate: "", - }, - "food": { - GTLD: "food", - DelegationDate: "2016-11-10", - RemovalDate: "", - }, - "foodnetwork": { - GTLD: "foodnetwork", - DelegationDate: "2016-06-23", - RemovalDate: "", - }, - "football": { - GTLD: "football", - DelegationDate: "2015-02-19", - RemovalDate: "", - }, - "ford": { - GTLD: "ford", - DelegationDate: "2015-12-18", - RemovalDate: "", - }, - "forex": { - GTLD: "forex", - DelegationDate: "2015-03-12", - RemovalDate: "", - }, - "forsale": { - GTLD: "forsale", - DelegationDate: "2014-10-01", - RemovalDate: "", - }, - "forum": { - GTLD: "forum", - DelegationDate: "2015-07-01", - RemovalDate: "", - }, - "foundation": { - GTLD: "foundation", - DelegationDate: "2014-02-11", - RemovalDate: "", - }, - "fox": { - GTLD: "fox", - DelegationDate: "2015-12-24", - RemovalDate: "", - }, - "fr": { - GTLD: "fr", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "free": { - GTLD: "free", - DelegationDate: "2016-11-08", - RemovalDate: "", - }, - "fresenius": { - GTLD: "fresenius", - DelegationDate: "2016-01-09", - RemovalDate: "", - }, - "frl": { - GTLD: "frl", - DelegationDate: "2014-08-30", - RemovalDate: "", - }, - "frogans": { - GTLD: "frogans", - 
DelegationDate: "2014-04-19", - RemovalDate: "", - }, - "frontdoor": { - GTLD: "frontdoor", - DelegationDate: "2016-06-23", - RemovalDate: "", - }, - "frontier": { - GTLD: "frontier", - DelegationDate: "2016-02-06", - RemovalDate: "", - }, - "ftr": { - GTLD: "ftr", - DelegationDate: "2016-04-17", - RemovalDate: "", - }, - "fujitsu": { - GTLD: "fujitsu", - DelegationDate: "2016-07-07", - RemovalDate: "", - }, - "fujixerox": { - GTLD: "fujixerox", - DelegationDate: "2016-07-15", - RemovalDate: "", - }, - "fun": { - GTLD: "fun", - DelegationDate: "2016-12-21", - RemovalDate: "", - }, - "fund": { - GTLD: "fund", - DelegationDate: "2014-04-23", - RemovalDate: "", - }, - "furniture": { - GTLD: "furniture", - DelegationDate: "2014-04-23", - RemovalDate: "", - }, - "futbol": { - GTLD: "futbol", - DelegationDate: "2014-02-11", - RemovalDate: "", - }, - "fyi": { - GTLD: "fyi", - DelegationDate: "2015-05-22", - RemovalDate: "", - }, - "ga": { - GTLD: "ga", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "gal": { - GTLD: "gal", - DelegationDate: "2014-04-11", - RemovalDate: "", - }, - "gallery": { - GTLD: "gallery", - DelegationDate: "2013-11-14", - RemovalDate: "", - }, - "gallo": { - GTLD: "gallo", - DelegationDate: "2016-03-22", - RemovalDate: "", - }, - "gallup": { - GTLD: "gallup", - DelegationDate: "2016-02-11", - RemovalDate: "", - }, - "game": { - GTLD: "game", - DelegationDate: "2015-07-08", - RemovalDate: "", - }, - "games": { - GTLD: "games", - DelegationDate: "2016-06-02", - RemovalDate: "", - }, - "gap": { - GTLD: "gap", - DelegationDate: "2016-08-04", - RemovalDate: "", - }, - "garden": { - GTLD: "garden", - DelegationDate: "2014-12-13", - RemovalDate: "", - }, - "gay": { - GTLD: "gay", - DelegationDate: "2019-08-09", - RemovalDate: "", - }, - "gb": { - GTLD: "gb", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "gbiz": { - GTLD: "gbiz", - DelegationDate: "2014-08-27", - RemovalDate: "", - }, - "gd": { - GTLD: "gd", - DelegationDate: 
"1985-01-01", - RemovalDate: "", - }, - "gdn": { - GTLD: "gdn", - DelegationDate: "2015-02-13", - RemovalDate: "", - }, - "ge": { - GTLD: "ge", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "gea": { - GTLD: "gea", - DelegationDate: "2015-08-28", - RemovalDate: "", - }, - "gent": { - GTLD: "gent", - DelegationDate: "2014-07-12", - RemovalDate: "", - }, - "genting": { - GTLD: "genting", - DelegationDate: "2015-06-20", - RemovalDate: "", - }, - "george": { - GTLD: "george", - DelegationDate: "2016-08-18", - RemovalDate: "", - }, - "gf": { - GTLD: "gf", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "gg": { - GTLD: "gg", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "ggee": { - GTLD: "ggee", - DelegationDate: "2014-12-25", - RemovalDate: "", - }, - "gh": { - GTLD: "gh", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "gi": { - GTLD: "gi", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "gift": { - GTLD: "gift", - DelegationDate: "2014-01-18", - RemovalDate: "", - }, - "gifts": { - GTLD: "gifts", - DelegationDate: "2014-08-08", - RemovalDate: "", - }, - "gives": { - GTLD: "gives", - DelegationDate: "2014-06-04", - RemovalDate: "", - }, - "giving": { - GTLD: "giving", - DelegationDate: "2015-08-06", - RemovalDate: "", - }, - "gl": { - GTLD: "gl", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "glade": { - GTLD: "glade", - DelegationDate: "2016-07-28", - RemovalDate: "", - }, - "glass": { - GTLD: "glass", - DelegationDate: "2013-12-28", - RemovalDate: "", - }, - "gle": { - GTLD: "gle", - DelegationDate: "2014-09-15", - RemovalDate: "", - }, - "global": { - GTLD: "global", - DelegationDate: "2014-06-11", - RemovalDate: "", - }, - "globo": { - GTLD: "globo", - DelegationDate: "2014-05-03", - RemovalDate: "", - }, - "gm": { - GTLD: "gm", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "gmail": { - GTLD: "gmail", - DelegationDate: "2014-08-27", - RemovalDate: "", - }, - "gmbh": { - GTLD: "gmbh", - 
DelegationDate: "2016-03-09", - RemovalDate: "", - }, - "gmo": { - GTLD: "gmo", - DelegationDate: "2014-05-03", - RemovalDate: "", - }, - "gmx": { - GTLD: "gmx", - DelegationDate: "2014-09-05", - RemovalDate: "", - }, - "gn": { - GTLD: "gn", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "godaddy": { - GTLD: "godaddy", - DelegationDate: "2016-07-07", - RemovalDate: "", - }, - "gold": { - GTLD: "gold", - DelegationDate: "2015-03-24", - RemovalDate: "", - }, - "goldpoint": { - GTLD: "goldpoint", - DelegationDate: "2015-02-19", - RemovalDate: "", - }, - "golf": { - GTLD: "golf", - DelegationDate: "2015-03-24", - RemovalDate: "", - }, - "goo": { - GTLD: "goo", - DelegationDate: "2015-03-03", - RemovalDate: "", - }, - "goodhands": { - GTLD: "goodhands", - DelegationDate: "2016-07-14", - RemovalDate: "2018-09-20", - }, - "goodyear": { - GTLD: "goodyear", - DelegationDate: "2016-06-10", - RemovalDate: "", - }, - "goog": { - GTLD: "goog", - DelegationDate: "2015-01-24", - RemovalDate: "", - }, - "google": { - GTLD: "google", - DelegationDate: "2014-09-15", - RemovalDate: "", - }, - "gop": { - GTLD: "gop", - DelegationDate: "2014-04-04", - RemovalDate: "", - }, - "got": { - GTLD: "got", - DelegationDate: "2015-12-05", - RemovalDate: "", - }, - "gov": { - GTLD: "gov", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "gp": { - GTLD: "gp", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "gq": { - GTLD: "gq", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "gr": { - GTLD: "gr", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "grainger": { - GTLD: "grainger", - DelegationDate: "2015-11-13", - RemovalDate: "", - }, - "graphics": { - GTLD: "graphics", - DelegationDate: "2013-11-14", - RemovalDate: "", - }, - "gratis": { - GTLD: "gratis", - DelegationDate: "2014-04-23", - RemovalDate: "", - }, - "green": { - GTLD: "green", - DelegationDate: "2014-06-19", - RemovalDate: "", - }, - "gripe": { - GTLD: "gripe", - DelegationDate: 
"2014-04-11", - RemovalDate: "", - }, - "grocery": { - GTLD: "grocery", - DelegationDate: "2017-06-28", - RemovalDate: "", - }, - "group": { - GTLD: "group", - DelegationDate: "2015-08-08", - RemovalDate: "", - }, - "gs": { - GTLD: "gs", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "gt": { - GTLD: "gt", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "gu": { - GTLD: "gu", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "guardian": { - GTLD: "guardian", - DelegationDate: "2016-05-13", - RemovalDate: "", - }, - "gucci": { - GTLD: "gucci", - DelegationDate: "2015-10-27", - RemovalDate: "", - }, - "guge": { - GTLD: "guge", - DelegationDate: "2015-03-24", - RemovalDate: "", - }, - "guide": { - GTLD: "guide", - DelegationDate: "2014-05-15", - RemovalDate: "", - }, - "guitars": { - GTLD: "guitars", - DelegationDate: "2014-01-18", - RemovalDate: "", - }, - "guru": { - GTLD: "guru", - DelegationDate: "2013-11-06", - RemovalDate: "", - }, - "gw": { - GTLD: "gw", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "gy": { - GTLD: "gy", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "hair": { - GTLD: "hair", - DelegationDate: "2016-12-02", - RemovalDate: "", - }, - "hamburg": { - GTLD: "hamburg", - DelegationDate: "2014-06-04", - RemovalDate: "", - }, - "hangout": { - GTLD: "hangout", - DelegationDate: "2015-01-24", - RemovalDate: "", - }, - "haus": { - GTLD: "haus", - DelegationDate: "2014-03-31", - RemovalDate: "", - }, - "hbo": { - GTLD: "hbo", - DelegationDate: "2016-08-14", - RemovalDate: "", - }, - "hdfc": { - GTLD: "hdfc", - DelegationDate: "2016-08-16", - RemovalDate: "", - }, - "hdfcbank": { - GTLD: "hdfcbank", - DelegationDate: "2016-02-11", - RemovalDate: "", - }, - "health": { - GTLD: "health", - DelegationDate: "2016-01-26", - RemovalDate: "", - }, - "healthcare": { - GTLD: "healthcare", - DelegationDate: "2014-07-30", - RemovalDate: "", - }, - "help": { - GTLD: "help", - DelegationDate: "2014-08-16", - 
RemovalDate: "", - }, - "helsinki": { - GTLD: "helsinki", - DelegationDate: "2016-01-26", - RemovalDate: "", - }, - "here": { - GTLD: "here", - DelegationDate: "2014-08-29", - RemovalDate: "", - }, - "hermes": { - GTLD: "hermes", - DelegationDate: "2015-01-24", - RemovalDate: "", - }, - "hgtv": { - GTLD: "hgtv", - DelegationDate: "2016-06-23", - RemovalDate: "", - }, - "hiphop": { - GTLD: "hiphop", - DelegationDate: "2014-05-15", - RemovalDate: "", - }, - "hisamitsu": { - GTLD: "hisamitsu", - DelegationDate: "2016-06-02", - RemovalDate: "", - }, - "hitachi": { - GTLD: "hitachi", - DelegationDate: "2015-05-01", - RemovalDate: "", - }, - "hiv": { - GTLD: "hiv", - DelegationDate: "2014-05-31", - RemovalDate: "", - }, - "hk": { - GTLD: "hk", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "hkt": { - GTLD: "hkt", - DelegationDate: "2016-05-12", - RemovalDate: "", - }, - "hm": { - GTLD: "hm", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "hn": { - GTLD: "hn", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "hockey": { - GTLD: "hockey", - DelegationDate: "2015-05-07", - RemovalDate: "", - }, - "holdings": { - GTLD: "holdings", - DelegationDate: "2013-11-06", - RemovalDate: "", - }, - "holiday": { - GTLD: "holiday", - DelegationDate: "2013-12-28", - RemovalDate: "", - }, - "homedepot": { - GTLD: "homedepot", - DelegationDate: "2015-06-04", - RemovalDate: "", - }, - "homegoods": { - GTLD: "homegoods", - DelegationDate: "2016-07-15", - RemovalDate: "", - }, - "homes": { - GTLD: "homes", - DelegationDate: "2014-05-22", - RemovalDate: "", - }, - "homesense": { - GTLD: "homesense", - DelegationDate: "2016-07-15", - RemovalDate: "", - }, - "honda": { - GTLD: "honda", - DelegationDate: "2015-04-30", - RemovalDate: "", - }, - "honeywell": { - GTLD: "honeywell", - DelegationDate: "2016-07-26", - RemovalDate: "2019-06-06", - }, - "horse": { - GTLD: "horse", - DelegationDate: "2014-03-31", - RemovalDate: "", - }, - "hospital": { - GTLD: "hospital", - 
DelegationDate: "2016-12-09", - RemovalDate: "", - }, - "host": { - GTLD: "host", - DelegationDate: "2014-05-31", - RemovalDate: "", - }, - "hosting": { - GTLD: "hosting", - DelegationDate: "2014-08-16", - RemovalDate: "", - }, - "hot": { - GTLD: "hot", - DelegationDate: "2016-08-10", - RemovalDate: "", - }, - "hoteles": { - GTLD: "hoteles", - DelegationDate: "2015-06-26", - RemovalDate: "", - }, - "hotels": { - GTLD: "hotels", - DelegationDate: "2017-04-07", - RemovalDate: "", - }, - "hotmail": { - GTLD: "hotmail", - DelegationDate: "2015-06-10", - RemovalDate: "", - }, - "house": { - GTLD: "house", - DelegationDate: "2013-12-28", - RemovalDate: "", - }, - "how": { - GTLD: "how", - DelegationDate: "2014-08-16", - RemovalDate: "", - }, - "hr": { - GTLD: "hr", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "hsbc": { - GTLD: "hsbc", - DelegationDate: "2015-07-10", - RemovalDate: "", - }, - "ht": { - GTLD: "ht", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "htc": { - GTLD: "htc", - DelegationDate: "2016-04-02", - RemovalDate: "2017-10-24", - }, - "hu": { - GTLD: "hu", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "hughes": { - GTLD: "hughes", - DelegationDate: "2016-08-10", - RemovalDate: "", - }, - "hyatt": { - GTLD: "hyatt", - DelegationDate: "2016-07-28", - RemovalDate: "", - }, - "hyundai": { - GTLD: "hyundai", - DelegationDate: "2015-09-26", - RemovalDate: "", - }, - "ibm": { - GTLD: "ibm", - DelegationDate: "2014-10-01", - RemovalDate: "", - }, - "icbc": { - GTLD: "icbc", - DelegationDate: "2015-05-13", - RemovalDate: "", - }, - "ice": { - GTLD: "ice", - DelegationDate: "2015-07-22", - RemovalDate: "", - }, - "icu": { - GTLD: "icu", - DelegationDate: "2015-05-02", - RemovalDate: "", - }, - "id": { - GTLD: "id", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "ie": { - GTLD: "ie", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "ieee": { - GTLD: "ieee", - DelegationDate: "2016-07-21", - RemovalDate: "", - }, 
- "ifm": { - GTLD: "ifm", - DelegationDate: "2015-01-24", - RemovalDate: "", - }, - "iinet": { - GTLD: "iinet", - DelegationDate: "2015-07-09", - RemovalDate: "2016-12-21", - }, - "ikano": { - GTLD: "ikano", - DelegationDate: "2016-07-01", - RemovalDate: "", - }, - "il": { - GTLD: "il", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "im": { - GTLD: "im", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "imamat": { - GTLD: "imamat", - DelegationDate: "2016-04-16", - RemovalDate: "", - }, - "imdb": { - GTLD: "imdb", - DelegationDate: "2016-06-07", - RemovalDate: "", - }, - "immo": { - GTLD: "immo", - DelegationDate: "2014-08-27", - RemovalDate: "", - }, - "immobilien": { - GTLD: "immobilien", - DelegationDate: "2014-01-02", - RemovalDate: "", - }, - "in": { - GTLD: "in", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "inc": { - GTLD: "inc", - DelegationDate: "2018-07-17", - RemovalDate: "", - }, - "industries": { - GTLD: "industries", - DelegationDate: "2014-02-21", - RemovalDate: "", - }, - "infiniti": { - GTLD: "infiniti", - DelegationDate: "2015-03-04", - RemovalDate: "", - }, - "info": { - GTLD: "info", - DelegationDate: "2001-09-19", - RemovalDate: "", - }, - "ing": { - GTLD: "ing", - DelegationDate: "2014-08-30", - RemovalDate: "", - }, - "ink": { - GTLD: "ink", - DelegationDate: "2014-03-11", - RemovalDate: "", - }, - "institute": { - GTLD: "institute", - DelegationDate: "2013-12-28", - RemovalDate: "", - }, - "insurance": { - GTLD: "insurance", - DelegationDate: "2015-12-03", - RemovalDate: "", - }, - "insure": { - GTLD: "insure", - DelegationDate: "2014-04-29", - RemovalDate: "", - }, - "int": { - GTLD: "int", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "intel": { - GTLD: "intel", - DelegationDate: "2016-07-28", - RemovalDate: "", - }, - "international": { - GTLD: "international", - DelegationDate: "2013-12-28", - RemovalDate: "", - }, - "intuit": { - GTLD: "intuit", - DelegationDate: "2016-07-12", - RemovalDate: 
"", - }, - "investments": { - GTLD: "investments", - DelegationDate: "2014-04-23", - RemovalDate: "", - }, - "io": { - GTLD: "io", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "ipiranga": { - GTLD: "ipiranga", - DelegationDate: "2015-07-26", - RemovalDate: "", - }, - "iq": { - GTLD: "iq", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "ir": { - GTLD: "ir", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "irish": { - GTLD: "irish", - DelegationDate: "2014-12-02", - RemovalDate: "", - }, - "is": { - GTLD: "is", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "iselect": { - GTLD: "iselect", - DelegationDate: "2016-01-15", - RemovalDate: "2019-08-05", - }, - "ismaili": { - GTLD: "ismaili", - DelegationDate: "2016-04-16", - RemovalDate: "", - }, - "ist": { - GTLD: "ist", - DelegationDate: "2015-07-11", - RemovalDate: "", - }, - "istanbul": { - GTLD: "istanbul", - DelegationDate: "2015-07-11", - RemovalDate: "", - }, - "it": { - GTLD: "it", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "itau": { - GTLD: "itau", - DelegationDate: "2015-07-22", - RemovalDate: "", - }, - "itv": { - GTLD: "itv", - DelegationDate: "2016-06-21", - RemovalDate: "", - }, - "iveco": { - GTLD: "iveco", - DelegationDate: "2016-10-30", - RemovalDate: "", - }, - "iwc": { - GTLD: "iwc", - DelegationDate: "2014-12-13", - RemovalDate: "2018-06-28", - }, - "jaguar": { - GTLD: "jaguar", - DelegationDate: "2015-10-27", - RemovalDate: "", - }, - "java": { - GTLD: "java", - DelegationDate: "2015-03-03", - RemovalDate: "", - }, - "jcb": { - GTLD: "jcb", - DelegationDate: "2015-01-23", - RemovalDate: "", - }, - "jcp": { - GTLD: "jcp", - DelegationDate: "2016-03-30", - RemovalDate: "", - }, - "je": { - GTLD: "je", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "jeep": { - GTLD: "jeep", - DelegationDate: "2016-07-28", - RemovalDate: "", - }, - "jetzt": { - GTLD: "jetzt", - DelegationDate: "2014-03-15", - RemovalDate: "", - }, - "jewelry": { - 
GTLD: "jewelry", - DelegationDate: "2015-04-16", - RemovalDate: "", - }, - "jio": { - GTLD: "jio", - DelegationDate: "2016-11-15", - RemovalDate: "", - }, - "jlc": { - GTLD: "jlc", - DelegationDate: "2015-06-10", - RemovalDate: "2018-09-18", - }, - "jll": { - GTLD: "jll", - DelegationDate: "2015-05-22", - RemovalDate: "", - }, - "jm": { - GTLD: "jm", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "jmp": { - GTLD: "jmp", - DelegationDate: "2015-12-18", - RemovalDate: "", - }, - "jnj": { - GTLD: "jnj", - DelegationDate: "2016-04-08", - RemovalDate: "", - }, - "jo": { - GTLD: "jo", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "jobs": { - GTLD: "jobs", - DelegationDate: "2005-09-09", - RemovalDate: "", - }, - "joburg": { - GTLD: "joburg", - DelegationDate: "2014-06-19", - RemovalDate: "", - }, - "jot": { - GTLD: "jot", - DelegationDate: "2015-12-05", - RemovalDate: "", - }, - "joy": { - GTLD: "joy", - DelegationDate: "2015-12-05", - RemovalDate: "", - }, - "jp": { - GTLD: "jp", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "jpmorgan": { - GTLD: "jpmorgan", - DelegationDate: "2016-02-27", - RemovalDate: "", - }, - "jprs": { - GTLD: "jprs", - DelegationDate: "2015-07-08", - RemovalDate: "", - }, - "juegos": { - GTLD: "juegos", - DelegationDate: "2014-05-15", - RemovalDate: "", - }, - "juniper": { - GTLD: "juniper", - DelegationDate: "2016-08-02", - RemovalDate: "", - }, - "kaufen": { - GTLD: "kaufen", - DelegationDate: "2013-12-28", - RemovalDate: "", - }, - "kddi": { - GTLD: "kddi", - DelegationDate: "2015-01-09", - RemovalDate: "", - }, - "ke": { - GTLD: "ke", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "kerryhotels": { - GTLD: "kerryhotels", - DelegationDate: "2016-03-05", - RemovalDate: "", - }, - "kerrylogistics": { - GTLD: "kerrylogistics", - DelegationDate: "2016-03-05", - RemovalDate: "", - }, - "kerryproperties": { - GTLD: "kerryproperties", - DelegationDate: "2016-03-05", - RemovalDate: "", - }, - "kfh": { - 
GTLD: "kfh", - DelegationDate: "2015-12-15", - RemovalDate: "", - }, - "kg": { - GTLD: "kg", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "kh": { - GTLD: "kh", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "ki": { - GTLD: "ki", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "kia": { - GTLD: "kia", - DelegationDate: "2015-09-26", - RemovalDate: "", - }, - "kim": { - GTLD: "kim", - DelegationDate: "2014-01-23", - RemovalDate: "", - }, - "kinder": { - GTLD: "kinder", - DelegationDate: "2015-10-09", - RemovalDate: "", - }, - "kindle": { - GTLD: "kindle", - DelegationDate: "2016-06-07", - RemovalDate: "", - }, - "kitchen": { - GTLD: "kitchen", - DelegationDate: "2013-11-19", - RemovalDate: "", - }, - "kiwi": { - GTLD: "kiwi", - DelegationDate: "2014-01-03", - RemovalDate: "", - }, - "km": { - GTLD: "km", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "kn": { - GTLD: "kn", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "koeln": { - GTLD: "koeln", - DelegationDate: "2014-03-05", - RemovalDate: "", - }, - "komatsu": { - GTLD: "komatsu", - DelegationDate: "2015-03-26", - RemovalDate: "", - }, - "kosher": { - GTLD: "kosher", - DelegationDate: "2016-06-10", - RemovalDate: "", - }, - "kp": { - GTLD: "kp", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "kpmg": { - GTLD: "kpmg", - DelegationDate: "2016-04-05", - RemovalDate: "", - }, - "kpn": { - GTLD: "kpn", - DelegationDate: "2015-12-15", - RemovalDate: "", - }, - "kr": { - GTLD: "kr", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "krd": { - GTLD: "krd", - DelegationDate: "2014-07-18", - RemovalDate: "", - }, - "kred": { - GTLD: "kred", - DelegationDate: "2014-02-27", - RemovalDate: "", - }, - "kuokgroup": { - GTLD: "kuokgroup", - DelegationDate: "2016-03-05", - RemovalDate: "", - }, - "kw": { - GTLD: "kw", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "ky": { - GTLD: "ky", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - 
"kyoto": { - GTLD: "kyoto", - DelegationDate: "2015-01-28", - RemovalDate: "", - }, - "kz": { - GTLD: "kz", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "la": { - GTLD: "la", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "lacaixa": { - GTLD: "lacaixa", - DelegationDate: "2014-07-18", - RemovalDate: "", - }, - "ladbrokes": { - GTLD: "ladbrokes", - DelegationDate: "2016-07-29", - RemovalDate: "2019-11-19", - }, - "lamborghini": { - GTLD: "lamborghini", - DelegationDate: "2015-11-25", - RemovalDate: "", - }, - "lamer": { - GTLD: "lamer", - DelegationDate: "2015-12-24", - RemovalDate: "", - }, - "lancaster": { - GTLD: "lancaster", - DelegationDate: "2015-07-15", - RemovalDate: "", - }, - "lancia": { - GTLD: "lancia", - DelegationDate: "2016-08-04", - RemovalDate: "", - }, - "lancome": { - GTLD: "lancome", - DelegationDate: "2016-07-15", - RemovalDate: "2019-11-28", - }, - "land": { - GTLD: "land", - DelegationDate: "2013-11-14", - RemovalDate: "", - }, - "landrover": { - GTLD: "landrover", - DelegationDate: "2015-10-27", - RemovalDate: "", - }, - "lanxess": { - GTLD: "lanxess", - DelegationDate: "2016-01-26", - RemovalDate: "", - }, - "lasalle": { - GTLD: "lasalle", - DelegationDate: "2015-06-11", - RemovalDate: "", - }, - "lat": { - GTLD: "lat", - DelegationDate: "2015-01-09", - RemovalDate: "", - }, - "latino": { - GTLD: "latino", - DelegationDate: "2016-08-04", - RemovalDate: "", - }, - "latrobe": { - GTLD: "latrobe", - DelegationDate: "2014-12-02", - RemovalDate: "", - }, - "law": { - GTLD: "law", - DelegationDate: "2015-06-26", - RemovalDate: "", - }, - "lawyer": { - GTLD: "lawyer", - DelegationDate: "2014-05-31", - RemovalDate: "", - }, - "lb": { - GTLD: "lb", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "lc": { - GTLD: "lc", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "lds": { - GTLD: "lds", - DelegationDate: "2014-11-19", - RemovalDate: "", - }, - "lease": { - GTLD: "lease", - DelegationDate: "2014-04-11", - 
RemovalDate: "", - }, - "leclerc": { - GTLD: "leclerc", - DelegationDate: "2015-03-03", - RemovalDate: "", - }, - "lefrak": { - GTLD: "lefrak", - DelegationDate: "2016-07-14", - RemovalDate: "", - }, - "legal": { - GTLD: "legal", - DelegationDate: "2014-11-26", - RemovalDate: "", - }, - "lego": { - GTLD: "lego", - DelegationDate: "2016-06-16", - RemovalDate: "", - }, - "lexus": { - GTLD: "lexus", - DelegationDate: "2015-07-26", - RemovalDate: "", - }, - "lgbt": { - GTLD: "lgbt", - DelegationDate: "2014-07-18", - RemovalDate: "", - }, - "li": { - GTLD: "li", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "liaison": { - GTLD: "liaison", - DelegationDate: "2015-05-02", - RemovalDate: "", - }, - "lidl": { - GTLD: "lidl", - DelegationDate: "2014-12-13", - RemovalDate: "", - }, - "life": { - GTLD: "life", - DelegationDate: "2014-05-15", - RemovalDate: "", - }, - "lifeinsurance": { - GTLD: "lifeinsurance", - DelegationDate: "2016-01-19", - RemovalDate: "", - }, - "lifestyle": { - GTLD: "lifestyle", - DelegationDate: "2015-11-10", - RemovalDate: "", - }, - "lighting": { - GTLD: "lighting", - DelegationDate: "2013-11-06", - RemovalDate: "", - }, - "like": { - GTLD: "like", - DelegationDate: "2015-12-05", - RemovalDate: "", - }, - "lilly": { - GTLD: "lilly", - DelegationDate: "2016-07-31", - RemovalDate: "", - }, - "limited": { - GTLD: "limited", - DelegationDate: "2014-04-23", - RemovalDate: "", - }, - "limo": { - GTLD: "limo", - DelegationDate: "2013-12-17", - RemovalDate: "", - }, - "lincoln": { - GTLD: "lincoln", - DelegationDate: "2015-12-18", - RemovalDate: "", - }, - "linde": { - GTLD: "linde", - DelegationDate: "2015-09-16", - RemovalDate: "", - }, - "link": { - GTLD: "link", - DelegationDate: "2014-01-18", - RemovalDate: "", - }, - "lipsy": { - GTLD: "lipsy", - DelegationDate: "2016-05-03", - RemovalDate: "", - }, - "live": { - GTLD: "live", - DelegationDate: "2015-07-08", - RemovalDate: "", - }, - "living": { - GTLD: "living", - DelegationDate: 
"2015-12-28", - RemovalDate: "", - }, - "lixil": { - GTLD: "lixil", - DelegationDate: "2015-07-30", - RemovalDate: "", - }, - "lk": { - GTLD: "lk", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "llc": { - GTLD: "llc", - DelegationDate: "2018-02-22", - RemovalDate: "", - }, - "loan": { - GTLD: "loan", - DelegationDate: "2015-03-25", - RemovalDate: "", - }, - "loans": { - GTLD: "loans", - DelegationDate: "2014-05-15", - RemovalDate: "", - }, - "locker": { - GTLD: "locker", - DelegationDate: "2016-05-27", - RemovalDate: "", - }, - "locus": { - GTLD: "locus", - DelegationDate: "2016-03-09", - RemovalDate: "", - }, - "loft": { - GTLD: "loft", - DelegationDate: "2016-08-04", - RemovalDate: "", - }, - "lol": { - GTLD: "lol", - DelegationDate: "2015-05-02", - RemovalDate: "", - }, - "london": { - GTLD: "london", - DelegationDate: "2014-03-22", - RemovalDate: "", - }, - "lotte": { - GTLD: "lotte", - DelegationDate: "2015-01-14", - RemovalDate: "", - }, - "lotto": { - GTLD: "lotto", - DelegationDate: "2014-06-19", - RemovalDate: "", - }, - "love": { - GTLD: "love", - DelegationDate: "2015-04-02", - RemovalDate: "", - }, - "lpl": { - GTLD: "lpl", - DelegationDate: "2016-07-19", - RemovalDate: "", - }, - "lplfinancial": { - GTLD: "lplfinancial", - DelegationDate: "2016-07-19", - RemovalDate: "", - }, - "lr": { - GTLD: "lr", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "ls": { - GTLD: "ls", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "lt": { - GTLD: "lt", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "ltd": { - GTLD: "ltd", - DelegationDate: "2015-09-23", - RemovalDate: "", - }, - "ltda": { - GTLD: "ltda", - DelegationDate: "2014-08-16", - RemovalDate: "", - }, - "lu": { - GTLD: "lu", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "lundbeck": { - GTLD: "lundbeck", - DelegationDate: "2016-07-15", - RemovalDate: "", - }, - "lupin": { - GTLD: "lupin", - DelegationDate: "2015-05-16", - RemovalDate: "", - }, - "luxe": { - 
GTLD: "luxe", - DelegationDate: "2014-05-15", - RemovalDate: "", - }, - "luxury": { - GTLD: "luxury", - DelegationDate: "2014-01-18", - RemovalDate: "", - }, - "lv": { - GTLD: "lv", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "ly": { - GTLD: "ly", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "ma": { - GTLD: "ma", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "macys": { - GTLD: "macys", - DelegationDate: "2016-07-12", - RemovalDate: "", - }, - "madrid": { - GTLD: "madrid", - DelegationDate: "2014-11-20", - RemovalDate: "", - }, - "maif": { - GTLD: "maif", - DelegationDate: "2015-03-03", - RemovalDate: "", - }, - "maison": { - GTLD: "maison", - DelegationDate: "2014-02-11", - RemovalDate: "", - }, - "makeup": { - GTLD: "makeup", - DelegationDate: "2016-01-15", - RemovalDate: "", - }, - "man": { - GTLD: "man", - DelegationDate: "2015-07-26", - RemovalDate: "", - }, - "management": { - GTLD: "management", - DelegationDate: "2013-12-17", - RemovalDate: "", - }, - "mango": { - GTLD: "mango", - DelegationDate: "2014-02-16", - RemovalDate: "", - }, - "map": { - GTLD: "map", - DelegationDate: "2017-06-29", - RemovalDate: "", - }, - "market": { - GTLD: "market", - DelegationDate: "2014-05-31", - RemovalDate: "", - }, - "marketing": { - GTLD: "marketing", - DelegationDate: "2014-01-14", - RemovalDate: "", - }, - "markets": { - GTLD: "markets", - DelegationDate: "2015-03-12", - RemovalDate: "", - }, - "marriott": { - GTLD: "marriott", - DelegationDate: "2015-01-14", - RemovalDate: "", - }, - "marshalls": { - GTLD: "marshalls", - DelegationDate: "2016-07-15", - RemovalDate: "", - }, - "maserati": { - GTLD: "maserati", - DelegationDate: "2016-08-04", - RemovalDate: "", - }, - "mattel": { - GTLD: "mattel", - DelegationDate: "2016-05-28", - RemovalDate: "", - }, - "mba": { - GTLD: "mba", - DelegationDate: "2015-05-22", - RemovalDate: "", - }, - "mc": { - GTLD: "mc", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "mcd": { - GTLD: 
"mcd", - DelegationDate: "2016-08-08", - RemovalDate: "2017-08-31", - }, - "mcdonalds": { - GTLD: "mcdonalds", - DelegationDate: "2016-08-08", - RemovalDate: "2017-08-31", - }, - "mckinsey": { - GTLD: "mckinsey", - DelegationDate: "2016-07-31", - RemovalDate: "", - }, - "md": { - GTLD: "md", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "me": { - GTLD: "me", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "med": { - GTLD: "med", - DelegationDate: "2015-12-03", - RemovalDate: "", - }, - "media": { - GTLD: "media", - DelegationDate: "2014-04-11", - RemovalDate: "", - }, - "meet": { - GTLD: "meet", - DelegationDate: "2014-03-27", - RemovalDate: "", - }, - "melbourne": { - GTLD: "melbourne", - DelegationDate: "2014-07-10", - RemovalDate: "", - }, - "meme": { - GTLD: "meme", - DelegationDate: "2014-08-30", - RemovalDate: "", - }, - "memorial": { - GTLD: "memorial", - DelegationDate: "2014-11-26", - RemovalDate: "", - }, - "men": { - GTLD: "men", - DelegationDate: "2015-05-20", - RemovalDate: "", - }, - "menu": { - GTLD: "menu", - DelegationDate: "2013-11-30", - RemovalDate: "", - }, - "meo": { - GTLD: "meo", - DelegationDate: "2015-10-29", - RemovalDate: "2018-05-26", - }, - "merckmsd": { - GTLD: "merckmsd", - DelegationDate: "2017-07-10", - RemovalDate: "", - }, - "metlife": { - GTLD: "metlife", - DelegationDate: "2016-05-11", - RemovalDate: "", - }, - "mg": { - GTLD: "mg", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "mh": { - GTLD: "mh", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "miami": { - GTLD: "miami", - DelegationDate: "2014-03-31", - RemovalDate: "", - }, - "microsoft": { - GTLD: "microsoft", - DelegationDate: "2015-06-10", - RemovalDate: "", - }, - "mil": { - GTLD: "mil", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "mini": { - GTLD: "mini", - DelegationDate: "2014-06-24", - RemovalDate: "", - }, - "mint": { - GTLD: "mint", - DelegationDate: "2016-07-12", - RemovalDate: "", - }, - "mit": { - GTLD: 
"mit", - DelegationDate: "2016-07-06", - RemovalDate: "", - }, - "mitsubishi": { - GTLD: "mitsubishi", - DelegationDate: "2016-07-07", - RemovalDate: "", - }, - "mk": { - GTLD: "mk", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "ml": { - GTLD: "ml", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "mlb": { - GTLD: "mlb", - DelegationDate: "2016-05-25", - RemovalDate: "", - }, - "mls": { - GTLD: "mls", - DelegationDate: "2016-04-20", - RemovalDate: "", - }, - "mm": { - GTLD: "mm", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "mma": { - GTLD: "mma", - DelegationDate: "2015-03-31", - RemovalDate: "", - }, - "mn": { - GTLD: "mn", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "mo": { - GTLD: "mo", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "mobi": { - GTLD: "mobi", - DelegationDate: "2005-10-20", - RemovalDate: "", - }, - "mobile": { - GTLD: "mobile", - DelegationDate: "2016-12-20", - RemovalDate: "", - }, - "mobily": { - GTLD: "mobily", - DelegationDate: "2015-12-23", - RemovalDate: "2019-09-09", - }, - "moda": { - GTLD: "moda", - DelegationDate: "2014-01-14", - RemovalDate: "", - }, - "moe": { - GTLD: "moe", - DelegationDate: "2014-03-31", - RemovalDate: "", - }, - "moi": { - GTLD: "moi", - DelegationDate: "2015-10-07", - RemovalDate: "", - }, - "mom": { - GTLD: "mom", - DelegationDate: "2015-08-19", - RemovalDate: "", - }, - "monash": { - GTLD: "monash", - DelegationDate: "2014-01-18", - RemovalDate: "", - }, - "money": { - GTLD: "money", - DelegationDate: "2014-11-26", - RemovalDate: "", - }, - "monster": { - GTLD: "monster", - DelegationDate: "2016-09-14", - RemovalDate: "", - }, - "montblanc": { - GTLD: "montblanc", - DelegationDate: "2015-06-05", - RemovalDate: "2017-09-01", - }, - "mopar": { - GTLD: "mopar", - DelegationDate: "2016-08-02", - RemovalDate: "2019-11-19", - }, - "mormon": { - GTLD: "mormon", - DelegationDate: "2014-11-19", - RemovalDate: "", - }, - "mortgage": { - GTLD: "mortgage", - 
DelegationDate: "2014-05-31", - RemovalDate: "", - }, - "moscow": { - GTLD: "moscow", - DelegationDate: "2014-04-24", - RemovalDate: "", - }, - "moto": { - GTLD: "moto", - DelegationDate: "2016-11-12", - RemovalDate: "", - }, - "motorcycles": { - GTLD: "motorcycles", - DelegationDate: "2014-05-22", - RemovalDate: "", - }, - "mov": { - GTLD: "mov", - DelegationDate: "2014-08-30", - RemovalDate: "", - }, - "movie": { - GTLD: "movie", - DelegationDate: "2015-03-25", - RemovalDate: "", - }, - "movistar": { - GTLD: "movistar", - DelegationDate: "2015-06-26", - RemovalDate: "", - }, - "mp": { - GTLD: "mp", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "mq": { - GTLD: "mq", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "mr": { - GTLD: "mr", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "ms": { - GTLD: "ms", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "msd": { - GTLD: "msd", - DelegationDate: "2016-07-23", - RemovalDate: "", - }, - "mt": { - GTLD: "mt", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "mtn": { - GTLD: "mtn", - DelegationDate: "2015-03-25", - RemovalDate: "", - }, - "mtpc": { - GTLD: "mtpc", - DelegationDate: "2015-03-04", - RemovalDate: "2017-05-15", - }, - "mtr": { - GTLD: "mtr", - DelegationDate: "2015-10-07", - RemovalDate: "", - }, - "mu": { - GTLD: "mu", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "museum": { - GTLD: "museum", - DelegationDate: "2001-11-01", - RemovalDate: "", - }, - "mutual": { - GTLD: "mutual", - DelegationDate: "2016-04-05", - RemovalDate: "", - }, - "mutuelle": { - GTLD: "mutuelle", - DelegationDate: "2015-10-23", - RemovalDate: "2016-12-21", - }, - "mv": { - GTLD: "mv", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "mw": { - GTLD: "mw", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "mx": { - GTLD: "mx", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "my": { - GTLD: "my", - DelegationDate: "1985-01-01", - RemovalDate: "", - 
}, - "mz": { - GTLD: "mz", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "na": { - GTLD: "na", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "nab": { - GTLD: "nab", - DelegationDate: "2016-08-18", - RemovalDate: "", - }, - "nadex": { - GTLD: "nadex", - DelegationDate: "2015-05-02", - RemovalDate: "", - }, - "nagoya": { - GTLD: "nagoya", - DelegationDate: "2014-01-29", - RemovalDate: "", - }, - "name": { - GTLD: "name", - DelegationDate: "2002-01-04", - RemovalDate: "", - }, - "nationwide": { - GTLD: "nationwide", - DelegationDate: "2016-07-15", - RemovalDate: "", - }, - "natura": { - GTLD: "natura", - DelegationDate: "2016-02-11", - RemovalDate: "", - }, - "navy": { - GTLD: "navy", - DelegationDate: "2014-06-04", - RemovalDate: "", - }, - "nba": { - GTLD: "nba", - DelegationDate: "2016-08-02", - RemovalDate: "", - }, - "nc": { - GTLD: "nc", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "ne": { - GTLD: "ne", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "nec": { - GTLD: "nec", - DelegationDate: "2015-05-09", - RemovalDate: "", - }, - "net": { - GTLD: "net", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "netbank": { - GTLD: "netbank", - DelegationDate: "2015-06-22", - RemovalDate: "", - }, - "netflix": { - GTLD: "netflix", - DelegationDate: "2016-05-28", - RemovalDate: "", - }, - "network": { - GTLD: "network", - DelegationDate: "2014-08-22", - RemovalDate: "", - }, - "neustar": { - GTLD: "neustar", - DelegationDate: "2014-02-19", - RemovalDate: "", - }, - "new": { - GTLD: "new", - DelegationDate: "2014-08-30", - RemovalDate: "", - }, - "newholland": { - GTLD: "newholland", - DelegationDate: "2016-10-30", - RemovalDate: "", - }, - "news": { - GTLD: "news", - DelegationDate: "2015-03-21", - RemovalDate: "", - }, - "next": { - GTLD: "next", - DelegationDate: "2016-05-03", - RemovalDate: "", - }, - "nextdirect": { - GTLD: "nextdirect", - DelegationDate: "2016-05-03", - RemovalDate: "", - }, - "nexus": { - GTLD: 
"nexus", - DelegationDate: "2014-09-15", - RemovalDate: "", - }, - "nf": { - GTLD: "nf", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "nfl": { - GTLD: "nfl", - DelegationDate: "2016-06-23", - RemovalDate: "", - }, - "ng": { - GTLD: "ng", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "ngo": { - GTLD: "ngo", - DelegationDate: "2014-07-18", - RemovalDate: "", - }, - "nhk": { - GTLD: "nhk", - DelegationDate: "2014-06-04", - RemovalDate: "", - }, - "ni": { - GTLD: "ni", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "nico": { - GTLD: "nico", - DelegationDate: "2015-02-10", - RemovalDate: "", - }, - "nike": { - GTLD: "nike", - DelegationDate: "2016-07-09", - RemovalDate: "", - }, - "nikon": { - GTLD: "nikon", - DelegationDate: "2016-01-28", - RemovalDate: "", - }, - "ninja": { - GTLD: "ninja", - DelegationDate: "2013-12-28", - RemovalDate: "", - }, - "nissan": { - GTLD: "nissan", - DelegationDate: "2015-03-04", - RemovalDate: "", - }, - "nissay": { - GTLD: "nissay", - DelegationDate: "2016-03-30", - RemovalDate: "", - }, - "nl": { - GTLD: "nl", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "no": { - GTLD: "no", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "nokia": { - GTLD: "nokia", - DelegationDate: "2015-07-15", - RemovalDate: "", - }, - "northwesternmutual": { - GTLD: "northwesternmutual", - DelegationDate: "2016-04-06", - RemovalDate: "", - }, - "norton": { - GTLD: "norton", - DelegationDate: "2015-12-03", - RemovalDate: "", - }, - "now": { - GTLD: "now", - DelegationDate: "2016-06-07", - RemovalDate: "", - }, - "nowruz": { - GTLD: "nowruz", - DelegationDate: "2015-12-05", - RemovalDate: "", - }, - "nowtv": { - GTLD: "nowtv", - DelegationDate: "2016-05-11", - RemovalDate: "", - }, - "np": { - GTLD: "np", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "nr": { - GTLD: "nr", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "nra": { - GTLD: "nra", - DelegationDate: "2014-07-18", - 
RemovalDate: "", - }, - "nrw": { - GTLD: "nrw", - DelegationDate: "2014-07-11", - RemovalDate: "", - }, - "ntt": { - GTLD: "ntt", - DelegationDate: "2015-02-03", - RemovalDate: "", - }, - "nu": { - GTLD: "nu", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "nyc": { - GTLD: "nyc", - DelegationDate: "2014-03-20", - RemovalDate: "", - }, - "nz": { - GTLD: "nz", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "obi": { - GTLD: "obi", - DelegationDate: "2015-09-23", - RemovalDate: "", - }, - "observer": { - GTLD: "observer", - DelegationDate: "2016-09-27", - RemovalDate: "", - }, - "off": { - GTLD: "off", - DelegationDate: "2016-07-21", - RemovalDate: "", - }, - "office": { - GTLD: "office", - DelegationDate: "2015-06-23", - RemovalDate: "", - }, - "okinawa": { - GTLD: "okinawa", - DelegationDate: "2014-03-02", - RemovalDate: "", - }, - "olayan": { - GTLD: "olayan", - DelegationDate: "2016-05-03", - RemovalDate: "", - }, - "olayangroup": { - GTLD: "olayangroup", - DelegationDate: "2016-05-06", - RemovalDate: "", - }, - "oldnavy": { - GTLD: "oldnavy", - DelegationDate: "2016-08-04", - RemovalDate: "", - }, - "ollo": { - GTLD: "ollo", - DelegationDate: "2016-05-27", - RemovalDate: "", - }, - "om": { - GTLD: "om", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "omega": { - GTLD: "omega", - DelegationDate: "2015-06-26", - RemovalDate: "", - }, - "one": { - GTLD: "one", - DelegationDate: "2015-01-22", - RemovalDate: "", - }, - "ong": { - GTLD: "ong", - DelegationDate: "2014-07-27", - RemovalDate: "", - }, - "onl": { - GTLD: "onl", - DelegationDate: "2013-12-28", - RemovalDate: "", - }, - "online": { - GTLD: "online", - DelegationDate: "2015-03-16", - RemovalDate: "", - }, - "onyourside": { - GTLD: "onyourside", - DelegationDate: "2016-07-15", - RemovalDate: "", - }, - "ooo": { - GTLD: "ooo", - DelegationDate: "2014-08-16", - RemovalDate: "", - }, - "open": { - GTLD: "open", - DelegationDate: "2016-08-08", - RemovalDate: "", - }, - "oracle": { - 
GTLD: "oracle", - DelegationDate: "2015-03-03", - RemovalDate: "", - }, - "orange": { - GTLD: "orange", - DelegationDate: "2015-07-09", - RemovalDate: "", - }, - "org": { - GTLD: "org", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "organic": { - GTLD: "organic", - DelegationDate: "2014-06-13", - RemovalDate: "", - }, - "orientexpress": { - GTLD: "orientexpress", - DelegationDate: "2016-06-22", - RemovalDate: "2017-04-14", - }, - "origins": { - GTLD: "origins", - DelegationDate: "2015-12-24", - RemovalDate: "", - }, - "osaka": { - GTLD: "osaka", - DelegationDate: "2014-12-13", - RemovalDate: "", - }, - "otsuka": { - GTLD: "otsuka", - DelegationDate: "2014-08-27", - RemovalDate: "", - }, - "ott": { - GTLD: "ott", - DelegationDate: "2016-05-27", - RemovalDate: "", - }, - "ovh": { - GTLD: "ovh", - DelegationDate: "2014-06-19", - RemovalDate: "", - }, - "pa": { - GTLD: "pa", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "page": { - GTLD: "page", - DelegationDate: "2015-03-16", - RemovalDate: "", - }, - "pamperedchef": { - GTLD: "pamperedchef", - DelegationDate: "2016-01-21", - RemovalDate: "2017-09-20", - }, - "panasonic": { - GTLD: "panasonic", - DelegationDate: "2016-07-15", - RemovalDate: "", - }, - "panerai": { - GTLD: "panerai", - DelegationDate: "2015-03-25", - RemovalDate: "2018-09-18", - }, - "paris": { - GTLD: "paris", - DelegationDate: "2014-04-19", - RemovalDate: "", - }, - "pars": { - GTLD: "pars", - DelegationDate: "2015-12-07", - RemovalDate: "", - }, - "partners": { - GTLD: "partners", - DelegationDate: "2014-02-04", - RemovalDate: "", - }, - "parts": { - GTLD: "parts", - DelegationDate: "2014-02-11", - RemovalDate: "", - }, - "party": { - GTLD: "party", - DelegationDate: "2014-11-17", - RemovalDate: "", - }, - "passagens": { - GTLD: "passagens", - DelegationDate: "2016-03-02", - RemovalDate: "", - }, - "pay": { - GTLD: "pay", - DelegationDate: "2016-08-10", - RemovalDate: "", - }, - "pccw": { - GTLD: "pccw", - DelegationDate: 
"2016-05-11", - RemovalDate: "", - }, - "pe": { - GTLD: "pe", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "pet": { - GTLD: "pet", - DelegationDate: "2015-07-26", - RemovalDate: "", - }, - "pf": { - GTLD: "pf", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "pfizer": { - GTLD: "pfizer", - DelegationDate: "2016-07-15", - RemovalDate: "", - }, - "pg": { - GTLD: "pg", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "ph": { - GTLD: "ph", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "pharmacy": { - GTLD: "pharmacy", - DelegationDate: "2014-09-05", - RemovalDate: "", - }, - "phd": { - GTLD: "phd", - DelegationDate: "2017-06-29", - RemovalDate: "", - }, - "philips": { - GTLD: "philips", - DelegationDate: "2015-05-09", - RemovalDate: "", - }, - "phone": { - GTLD: "phone", - DelegationDate: "2016-12-20", - RemovalDate: "", - }, - "photo": { - GTLD: "photo", - DelegationDate: "2014-01-18", - RemovalDate: "", - }, - "photography": { - GTLD: "photography", - DelegationDate: "2013-11-19", - RemovalDate: "", - }, - "photos": { - GTLD: "photos", - DelegationDate: "2013-12-17", - RemovalDate: "", - }, - "physio": { - GTLD: "physio", - DelegationDate: "2014-06-19", - RemovalDate: "", - }, - "piaget": { - GTLD: "piaget", - DelegationDate: "2015-03-16", - RemovalDate: "2019-11-14", - }, - "pics": { - GTLD: "pics", - DelegationDate: "2014-01-18", - RemovalDate: "", - }, - "pictet": { - GTLD: "pictet", - DelegationDate: "2015-03-07", - RemovalDate: "", - }, - "pictures": { - GTLD: "pictures", - DelegationDate: "2014-04-11", - RemovalDate: "", - }, - "pid": { - GTLD: "pid", - DelegationDate: "2015-12-22", - RemovalDate: "", - }, - "pin": { - GTLD: "pin", - DelegationDate: "2015-12-05", - RemovalDate: "", - }, - "ping": { - GTLD: "ping", - DelegationDate: "2015-10-29", - RemovalDate: "", - }, - "pink": { - GTLD: "pink", - DelegationDate: "2014-01-18", - RemovalDate: "", - }, - "pioneer": { - GTLD: "pioneer", - DelegationDate: "2016-06-02", - 
RemovalDate: "", - }, - "pizza": { - GTLD: "pizza", - DelegationDate: "2014-08-27", - RemovalDate: "", - }, - "pk": { - GTLD: "pk", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "pl": { - GTLD: "pl", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "place": { - GTLD: "place", - DelegationDate: "2014-07-02", - RemovalDate: "", - }, - "play": { - GTLD: "play", - DelegationDate: "2015-06-20", - RemovalDate: "", - }, - "playstation": { - GTLD: "playstation", - DelegationDate: "2015-11-07", - RemovalDate: "", - }, - "plumbing": { - GTLD: "plumbing", - DelegationDate: "2013-11-14", - RemovalDate: "", - }, - "plus": { - GTLD: "plus", - DelegationDate: "2015-03-24", - RemovalDate: "", - }, - "pm": { - GTLD: "pm", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "pn": { - GTLD: "pn", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "pnc": { - GTLD: "pnc", - DelegationDate: "2016-07-01", - RemovalDate: "", - }, - "pohl": { - GTLD: "pohl", - DelegationDate: "2014-09-27", - RemovalDate: "", - }, - "poker": { - GTLD: "poker", - DelegationDate: "2014-10-15", - RemovalDate: "", - }, - "politie": { - GTLD: "politie", - DelegationDate: "2016-06-23", - RemovalDate: "", - }, - "porn": { - GTLD: "porn", - DelegationDate: "2014-12-06", - RemovalDate: "", - }, - "post": { - GTLD: "post", - DelegationDate: "2012-08-07", - RemovalDate: "", - }, - "pr": { - GTLD: "pr", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "pramerica": { - GTLD: "pramerica", - DelegationDate: "2016-07-28", - RemovalDate: "", - }, - "praxi": { - GTLD: "praxi", - DelegationDate: "2014-07-22", - RemovalDate: "", - }, - "press": { - GTLD: "press", - DelegationDate: "2014-05-31", - RemovalDate: "", - }, - "prime": { - GTLD: "prime", - DelegationDate: "2016-06-07", - RemovalDate: "", - }, - "pro": { - GTLD: "pro", - DelegationDate: "2004-05-27", - RemovalDate: "", - }, - "prod": { - GTLD: "prod", - DelegationDate: "2014-08-29", - RemovalDate: "", - }, - "productions": { 
- GTLD: "productions", - DelegationDate: "2014-02-11", - RemovalDate: "", - }, - "prof": { - GTLD: "prof", - DelegationDate: "2014-09-15", - RemovalDate: "", - }, - "progressive": { - GTLD: "progressive", - DelegationDate: "2016-04-20", - RemovalDate: "", - }, - "promo": { - GTLD: "promo", - DelegationDate: "2015-12-31", - RemovalDate: "", - }, - "properties": { - GTLD: "properties", - DelegationDate: "2014-02-04", - RemovalDate: "", - }, - "property": { - GTLD: "property", - DelegationDate: "2014-08-16", - RemovalDate: "", - }, - "protection": { - GTLD: "protection", - DelegationDate: "2015-09-13", - RemovalDate: "", - }, - "pru": { - GTLD: "pru", - DelegationDate: "2016-07-28", - RemovalDate: "", - }, - "prudential": { - GTLD: "prudential", - DelegationDate: "2016-07-28", - RemovalDate: "", - }, - "ps": { - GTLD: "ps", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "pt": { - GTLD: "pt", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "pub": { - GTLD: "pub", - DelegationDate: "2014-02-26", - RemovalDate: "", - }, - "pw": { - GTLD: "pw", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "pwc": { - GTLD: "pwc", - DelegationDate: "2016-02-11", - RemovalDate: "", - }, - "py": { - GTLD: "py", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "qa": { - GTLD: "qa", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "qpon": { - GTLD: "qpon", - DelegationDate: "2014-02-12", - RemovalDate: "", - }, - "quebec": { - GTLD: "quebec", - DelegationDate: "2014-04-16", - RemovalDate: "", - }, - "quest": { - GTLD: "quest", - DelegationDate: "2016-02-06", - RemovalDate: "", - }, - "qvc": { - GTLD: "qvc", - DelegationDate: "2016-08-04", - RemovalDate: "", - }, - "racing": { - GTLD: "racing", - DelegationDate: "2015-04-03", - RemovalDate: "", - }, - "radio": { - GTLD: "radio", - DelegationDate: "2016-10-12", - RemovalDate: "", - }, - "raid": { - GTLD: "raid", - DelegationDate: "2016-07-21", - RemovalDate: "", - }, - "re": { - GTLD: "re", - 
DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "read": { - GTLD: "read", - DelegationDate: "2015-12-05", - RemovalDate: "", - }, - "realestate": { - GTLD: "realestate", - DelegationDate: "2016-05-23", - RemovalDate: "", - }, - "realtor": { - GTLD: "realtor", - DelegationDate: "2014-07-30", - RemovalDate: "", - }, - "realty": { - GTLD: "realty", - DelegationDate: "2015-07-01", - RemovalDate: "", - }, - "recipes": { - GTLD: "recipes", - DelegationDate: "2013-12-17", - RemovalDate: "", - }, - "red": { - GTLD: "red", - DelegationDate: "2014-01-18", - RemovalDate: "", - }, - "redstone": { - GTLD: "redstone", - DelegationDate: "2015-03-28", - RemovalDate: "", - }, - "redumbrella": { - GTLD: "redumbrella", - DelegationDate: "2015-12-11", - RemovalDate: "", - }, - "rehab": { - GTLD: "rehab", - DelegationDate: "2014-06-04", - RemovalDate: "", - }, - "reise": { - GTLD: "reise", - DelegationDate: "2014-05-22", - RemovalDate: "", - }, - "reisen": { - GTLD: "reisen", - DelegationDate: "2014-04-11", - RemovalDate: "", - }, - "reit": { - GTLD: "reit", - DelegationDate: "2014-11-12", - RemovalDate: "", - }, - "reliance": { - GTLD: "reliance", - DelegationDate: "2016-11-15", - RemovalDate: "", - }, - "ren": { - GTLD: "ren", - DelegationDate: "2014-03-27", - RemovalDate: "", - }, - "rent": { - GTLD: "rent", - DelegationDate: "2015-04-30", - RemovalDate: "", - }, - "rentals": { - GTLD: "rentals", - DelegationDate: "2014-02-04", - RemovalDate: "", - }, - "repair": { - GTLD: "repair", - DelegationDate: "2013-12-28", - RemovalDate: "", - }, - "report": { - GTLD: "report", - DelegationDate: "2014-02-04", - RemovalDate: "", - }, - "republican": { - GTLD: "republican", - DelegationDate: "2014-06-04", - RemovalDate: "", - }, - "rest": { - GTLD: "rest", - DelegationDate: "2014-04-02", - RemovalDate: "", - }, - "restaurant": { - GTLD: "restaurant", - DelegationDate: "2014-08-08", - RemovalDate: "", - }, - "review": { - GTLD: "review", - DelegationDate: "2015-03-25", - RemovalDate: 
"", - }, - "reviews": { - GTLD: "reviews", - DelegationDate: "2014-02-11", - RemovalDate: "", - }, - "rexroth": { - GTLD: "rexroth", - DelegationDate: "2015-12-24", - RemovalDate: "", - }, - "rich": { - GTLD: "rich", - DelegationDate: "2014-01-18", - RemovalDate: "", - }, - "richardli": { - GTLD: "richardli", - DelegationDate: "2016-05-11", - RemovalDate: "", - }, - "ricoh": { - GTLD: "ricoh", - DelegationDate: "2015-06-22", - RemovalDate: "", - }, - "rightathome": { - GTLD: "rightathome", - DelegationDate: "2016-07-21", - RemovalDate: "", - }, - "ril": { - GTLD: "ril", - DelegationDate: "2016-11-15", - RemovalDate: "", - }, - "rio": { - GTLD: "rio", - DelegationDate: "2014-05-22", - RemovalDate: "", - }, - "rip": { - GTLD: "rip", - DelegationDate: "2014-10-15", - RemovalDate: "", - }, - "rmit": { - GTLD: "rmit", - DelegationDate: "2016-11-24", - RemovalDate: "", - }, - "ro": { - GTLD: "ro", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "rocher": { - GTLD: "rocher", - DelegationDate: "2015-11-07", - RemovalDate: "", - }, - "rocks": { - GTLD: "rocks", - DelegationDate: "2014-04-10", - RemovalDate: "", - }, - "rodeo": { - GTLD: "rodeo", - DelegationDate: "2014-03-31", - RemovalDate: "", - }, - "rogers": { - GTLD: "rogers", - DelegationDate: "2016-09-20", - RemovalDate: "", - }, - "room": { - GTLD: "room", - DelegationDate: "2015-12-05", - RemovalDate: "", - }, - "rs": { - GTLD: "rs", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "rsvp": { - GTLD: "rsvp", - DelegationDate: "2014-08-30", - RemovalDate: "", - }, - "ru": { - GTLD: "ru", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "rugby": { - GTLD: "rugby", - DelegationDate: "2017-04-07", - RemovalDate: "", - }, - "ruhr": { - GTLD: "ruhr", - DelegationDate: "2013-12-10", - RemovalDate: "", - }, - "run": { - GTLD: "run", - DelegationDate: "2015-05-07", - RemovalDate: "", - }, - "rw": { - GTLD: "rw", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "rwe": { - GTLD: "rwe", - 
DelegationDate: "2015-10-27", - RemovalDate: "", - }, - "ryukyu": { - GTLD: "ryukyu", - DelegationDate: "2014-04-03", - RemovalDate: "", - }, - "sa": { - GTLD: "sa", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "saarland": { - GTLD: "saarland", - DelegationDate: "2014-04-02", - RemovalDate: "", - }, - "safe": { - GTLD: "safe", - DelegationDate: "2015-12-05", - RemovalDate: "", - }, - "safety": { - GTLD: "safety", - DelegationDate: "2015-12-24", - RemovalDate: "", - }, - "sakura": { - GTLD: "sakura", - DelegationDate: "2015-07-02", - RemovalDate: "", - }, - "sale": { - GTLD: "sale", - DelegationDate: "2014-12-25", - RemovalDate: "", - }, - "salon": { - GTLD: "salon", - DelegationDate: "2015-12-05", - RemovalDate: "", - }, - "samsclub": { - GTLD: "samsclub", - DelegationDate: "2016-08-18", - RemovalDate: "", - }, - "samsung": { - GTLD: "samsung", - DelegationDate: "2014-12-10", - RemovalDate: "", - }, - "sandvik": { - GTLD: "sandvik", - DelegationDate: "2015-05-27", - RemovalDate: "", - }, - "sandvikcoromant": { - GTLD: "sandvikcoromant", - DelegationDate: "2015-05-27", - RemovalDate: "", - }, - "sanofi": { - GTLD: "sanofi", - DelegationDate: "2015-07-24", - RemovalDate: "", - }, - "sap": { - GTLD: "sap", - DelegationDate: "2015-03-26", - RemovalDate: "", - }, - "sapo": { - GTLD: "sapo", - DelegationDate: "2015-10-29", - RemovalDate: "2018-05-26", - }, - "sarl": { - GTLD: "sarl", - DelegationDate: "2014-08-08", - RemovalDate: "", - }, - "sas": { - GTLD: "sas", - DelegationDate: "2015-12-18", - RemovalDate: "", - }, - "save": { - GTLD: "save", - DelegationDate: "2016-06-07", - RemovalDate: "", - }, - "saxo": { - GTLD: "saxo", - DelegationDate: "2015-02-10", - RemovalDate: "", - }, - "sb": { - GTLD: "sb", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "sbi": { - GTLD: "sbi", - DelegationDate: "2016-04-16", - RemovalDate: "", - }, - "sbs": { - GTLD: "sbs", - DelegationDate: "2015-10-29", - RemovalDate: "", - }, - "sc": { - GTLD: "sc", - 
DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "sca": { - GTLD: "sca", - DelegationDate: "2014-08-14", - RemovalDate: "", - }, - "scb": { - GTLD: "scb", - DelegationDate: "2014-07-11", - RemovalDate: "", - }, - "schaeffler": { - GTLD: "schaeffler", - DelegationDate: "2015-12-24", - RemovalDate: "", - }, - "schmidt": { - GTLD: "schmidt", - DelegationDate: "2014-07-03", - RemovalDate: "", - }, - "scholarships": { - GTLD: "scholarships", - DelegationDate: "2015-04-02", - RemovalDate: "", - }, - "school": { - GTLD: "school", - DelegationDate: "2015-02-19", - RemovalDate: "", - }, - "schule": { - GTLD: "schule", - DelegationDate: "2014-04-22", - RemovalDate: "", - }, - "schwarz": { - GTLD: "schwarz", - DelegationDate: "2014-12-13", - RemovalDate: "", - }, - "science": { - GTLD: "science", - DelegationDate: "2014-11-15", - RemovalDate: "", - }, - "scjohnson": { - GTLD: "scjohnson", - DelegationDate: "2016-07-21", - RemovalDate: "", - }, - "scor": { - GTLD: "scor", - DelegationDate: "2015-06-23", - RemovalDate: "", - }, - "scot": { - GTLD: "scot", - DelegationDate: "2014-06-13", - RemovalDate: "", - }, - "sd": { - GTLD: "sd", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "se": { - GTLD: "se", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "search": { - GTLD: "search", - DelegationDate: "2017-06-29", - RemovalDate: "", - }, - "seat": { - GTLD: "seat", - DelegationDate: "2015-04-18", - RemovalDate: "", - }, - "secure": { - GTLD: "secure", - DelegationDate: "2016-08-10", - RemovalDate: "", - }, - "security": { - GTLD: "security", - DelegationDate: "2015-09-17", - RemovalDate: "", - }, - "seek": { - GTLD: "seek", - DelegationDate: "2015-08-11", - RemovalDate: "", - }, - "select": { - GTLD: "select", - DelegationDate: "2016-01-15", - RemovalDate: "", - }, - "sener": { - GTLD: "sener", - DelegationDate: "2015-05-01", - RemovalDate: "", - }, - "services": { - GTLD: "services", - DelegationDate: "2014-04-11", - RemovalDate: "", - }, - "ses": { - 
GTLD: "ses", - DelegationDate: "2016-07-09", - RemovalDate: "", - }, - "seven": { - GTLD: "seven", - DelegationDate: "2015-09-26", - RemovalDate: "", - }, - "sew": { - GTLD: "sew", - DelegationDate: "2014-12-13", - RemovalDate: "", - }, - "sex": { - GTLD: "sex", - DelegationDate: "2015-04-18", - RemovalDate: "", - }, - "sexy": { - GTLD: "sexy", - DelegationDate: "2013-11-14", - RemovalDate: "", - }, - "sfr": { - GTLD: "sfr", - DelegationDate: "2015-12-01", - RemovalDate: "", - }, - "sg": { - GTLD: "sg", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "sh": { - GTLD: "sh", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "shangrila": { - GTLD: "shangrila", - DelegationDate: "2016-07-02", - RemovalDate: "", - }, - "sharp": { - GTLD: "sharp", - DelegationDate: "2015-12-05", - RemovalDate: "", - }, - "shaw": { - GTLD: "shaw", - DelegationDate: "2016-03-22", - RemovalDate: "", - }, - "shell": { - GTLD: "shell", - DelegationDate: "2015-12-15", - RemovalDate: "", - }, - "shia": { - GTLD: "shia", - DelegationDate: "2015-12-05", - RemovalDate: "", - }, - "shiksha": { - GTLD: "shiksha", - DelegationDate: "2014-01-18", - RemovalDate: "", - }, - "shoes": { - GTLD: "shoes", - DelegationDate: "2013-12-17", - RemovalDate: "", - }, - "shop": { - GTLD: "shop", - DelegationDate: "2016-05-23", - RemovalDate: "", - }, - "shopping": { - GTLD: "shopping", - DelegationDate: "2016-06-21", - RemovalDate: "", - }, - "shouji": { - GTLD: "shouji", - DelegationDate: "2016-03-30", - RemovalDate: "", - }, - "show": { - GTLD: "show", - DelegationDate: "2015-04-16", - RemovalDate: "", - }, - "showtime": { - GTLD: "showtime", - DelegationDate: "2016-08-04", - RemovalDate: "", - }, - "shriram": { - GTLD: "shriram", - DelegationDate: "2014-12-30", - RemovalDate: "", - }, - "si": { - GTLD: "si", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "silk": { - GTLD: "silk", - DelegationDate: "2016-06-07", - RemovalDate: "", - }, - "sina": { - GTLD: "sina", - DelegationDate: 
"2016-03-30", - RemovalDate: "", - }, - "singles": { - GTLD: "singles", - DelegationDate: "2013-11-06", - RemovalDate: "", - }, - "site": { - GTLD: "site", - DelegationDate: "2015-03-16", - RemovalDate: "", - }, - "sj": { - GTLD: "sj", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "sk": { - GTLD: "sk", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "ski": { - GTLD: "ski", - DelegationDate: "2015-05-30", - RemovalDate: "", - }, - "skin": { - GTLD: "skin", - DelegationDate: "2016-01-15", - RemovalDate: "", - }, - "sky": { - GTLD: "sky", - DelegationDate: "2014-12-12", - RemovalDate: "", - }, - "skype": { - GTLD: "skype", - DelegationDate: "2015-06-23", - RemovalDate: "", - }, - "sl": { - GTLD: "sl", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "sling": { - GTLD: "sling", - DelegationDate: "2016-08-10", - RemovalDate: "", - }, - "sm": { - GTLD: "sm", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "smart": { - GTLD: "smart", - DelegationDate: "2016-07-15", - RemovalDate: "", - }, - "smile": { - GTLD: "smile", - DelegationDate: "2015-12-05", - RemovalDate: "", - }, - "sn": { - GTLD: "sn", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "sncf": { - GTLD: "sncf", - DelegationDate: "2015-06-03", - RemovalDate: "", - }, - "so": { - GTLD: "so", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "soccer": { - GTLD: "soccer", - DelegationDate: "2015-05-13", - RemovalDate: "", - }, - "social": { - GTLD: "social", - DelegationDate: "2014-01-14", - RemovalDate: "", - }, - "softbank": { - GTLD: "softbank", - DelegationDate: "2016-01-16", - RemovalDate: "", - }, - "software": { - GTLD: "software", - DelegationDate: "2014-05-31", - RemovalDate: "", - }, - "sohu": { - GTLD: "sohu", - DelegationDate: "2014-03-25", - RemovalDate: "", - }, - "solar": { - GTLD: "solar", - DelegationDate: "2013-12-28", - RemovalDate: "", - }, - "solutions": { - GTLD: "solutions", - DelegationDate: "2013-12-28", - RemovalDate: "", - }, - 
"song": { - GTLD: "song", - DelegationDate: "2016-02-24", - RemovalDate: "", - }, - "sony": { - GTLD: "sony", - DelegationDate: "2015-04-16", - RemovalDate: "", - }, - "soy": { - GTLD: "soy", - DelegationDate: "2014-04-19", - RemovalDate: "", - }, - "space": { - GTLD: "space", - DelegationDate: "2014-05-30", - RemovalDate: "", - }, - "spiegel": { - GTLD: "spiegel", - DelegationDate: "2014-07-18", - RemovalDate: "2018-12-15", - }, - "sport": { - GTLD: "sport", - DelegationDate: "2018-01-10", - RemovalDate: "", - }, - "spot": { - GTLD: "spot", - DelegationDate: "2016-02-19", - RemovalDate: "", - }, - "spreadbetting": { - GTLD: "spreadbetting", - DelegationDate: "2015-03-13", - RemovalDate: "", - }, - "sr": { - GTLD: "sr", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "srl": { - GTLD: "srl", - DelegationDate: "2015-07-24", - RemovalDate: "", - }, - "srt": { - GTLD: "srt", - DelegationDate: "2016-07-28", - RemovalDate: "2019-11-19", - }, - "ss": { - GTLD: "ss", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "st": { - GTLD: "st", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "stada": { - GTLD: "stada", - DelegationDate: "2015-09-13", - RemovalDate: "", - }, - "staples": { - GTLD: "staples", - DelegationDate: "2016-07-15", - RemovalDate: "", - }, - "star": { - GTLD: "star", - DelegationDate: "2015-12-22", - RemovalDate: "", - }, - "starhub": { - GTLD: "starhub", - DelegationDate: "2015-06-22", - RemovalDate: "2019-08-02", - }, - "statebank": { - GTLD: "statebank", - DelegationDate: "2016-04-16", - RemovalDate: "", - }, - "statefarm": { - GTLD: "statefarm", - DelegationDate: "2015-12-24", - RemovalDate: "", - }, - "statoil": { - GTLD: "statoil", - DelegationDate: "2015-06-19", - RemovalDate: "2018-10-03", - }, - "stc": { - GTLD: "stc", - DelegationDate: "2015-08-29", - RemovalDate: "", - }, - "stcgroup": { - GTLD: "stcgroup", - DelegationDate: "2015-08-28", - RemovalDate: "", - }, - "stockholm": { - GTLD: "stockholm", - DelegationDate: 
"2015-09-26", - RemovalDate: "", - }, - "storage": { - GTLD: "storage", - DelegationDate: "2015-12-18", - RemovalDate: "", - }, - "store": { - GTLD: "store", - DelegationDate: "2016-02-22", - RemovalDate: "", - }, - "stream": { - GTLD: "stream", - DelegationDate: "2016-03-18", - RemovalDate: "", - }, - "studio": { - GTLD: "studio", - DelegationDate: "2015-07-08", - RemovalDate: "", - }, - "study": { - GTLD: "study", - DelegationDate: "2015-02-25", - RemovalDate: "", - }, - "style": { - GTLD: "style", - DelegationDate: "2015-02-04", - RemovalDate: "", - }, - "su": { - GTLD: "su", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "sucks": { - GTLD: "sucks", - DelegationDate: "2015-02-25", - RemovalDate: "", - }, - "supplies": { - GTLD: "supplies", - DelegationDate: "2014-02-25", - RemovalDate: "", - }, - "supply": { - GTLD: "supply", - DelegationDate: "2014-02-21", - RemovalDate: "", - }, - "support": { - GTLD: "support", - DelegationDate: "2013-12-18", - RemovalDate: "", - }, - "surf": { - GTLD: "surf", - DelegationDate: "2014-06-18", - RemovalDate: "", - }, - "surgery": { - GTLD: "surgery", - DelegationDate: "2014-04-23", - RemovalDate: "", - }, - "suzuki": { - GTLD: "suzuki", - DelegationDate: "2014-07-02", - RemovalDate: "", - }, - "sv": { - GTLD: "sv", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "swatch": { - GTLD: "swatch", - DelegationDate: "2015-06-26", - RemovalDate: "", - }, - "swiftcover": { - GTLD: "swiftcover", - DelegationDate: "2016-07-21", - RemovalDate: "", - }, - "swiss": { - GTLD: "swiss", - DelegationDate: "2015-04-29", - RemovalDate: "", - }, - "sx": { - GTLD: "sx", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "sy": { - GTLD: "sy", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "sydney": { - GTLD: "sydney", - DelegationDate: "2014-11-05", - RemovalDate: "", - }, - "symantec": { - GTLD: "symantec", - DelegationDate: "2015-12-03", - RemovalDate: "", - }, - "systems": { - GTLD: "systems", - 
DelegationDate: "2013-12-17", - RemovalDate: "", - }, - "sz": { - GTLD: "sz", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "tab": { - GTLD: "tab", - DelegationDate: "2015-11-13", - RemovalDate: "", - }, - "taipei": { - GTLD: "taipei", - DelegationDate: "2014-10-23", - RemovalDate: "", - }, - "talk": { - GTLD: "talk", - DelegationDate: "2016-03-25", - RemovalDate: "", - }, - "taobao": { - GTLD: "taobao", - DelegationDate: "2016-01-21", - RemovalDate: "", - }, - "target": { - GTLD: "target", - DelegationDate: "2016-08-04", - RemovalDate: "", - }, - "tatamotors": { - GTLD: "tatamotors", - DelegationDate: "2015-07-24", - RemovalDate: "", - }, - "tatar": { - GTLD: "tatar", - DelegationDate: "2014-08-07", - RemovalDate: "", - }, - "tattoo": { - GTLD: "tattoo", - DelegationDate: "2013-11-14", - RemovalDate: "", - }, - "tax": { - GTLD: "tax", - DelegationDate: "2014-04-23", - RemovalDate: "", - }, - "taxi": { - GTLD: "taxi", - DelegationDate: "2015-05-07", - RemovalDate: "", - }, - "tc": { - GTLD: "tc", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "tci": { - GTLD: "tci", - DelegationDate: "2015-12-05", - RemovalDate: "", - }, - "td": { - GTLD: "td", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "tdk": { - GTLD: "tdk", - DelegationDate: "2016-06-07", - RemovalDate: "", - }, - "team": { - GTLD: "team", - DelegationDate: "2015-04-16", - RemovalDate: "", - }, - "tech": { - GTLD: "tech", - DelegationDate: "2015-03-21", - RemovalDate: "", - }, - "technology": { - GTLD: "technology", - DelegationDate: "2013-11-14", - RemovalDate: "", - }, - "tel": { - GTLD: "tel", - DelegationDate: "2007-03-02", - RemovalDate: "", - }, - "telecity": { - GTLD: "telecity", - DelegationDate: "2016-02-25", - RemovalDate: "2018-08-19", - }, - "telefonica": { - GTLD: "telefonica", - DelegationDate: "2015-06-26", - RemovalDate: "", - }, - "temasek": { - GTLD: "temasek", - DelegationDate: "2015-01-24", - RemovalDate: "", - }, - "tennis": { - GTLD: "tennis", - 
DelegationDate: "2015-02-04", - RemovalDate: "", - }, - "teva": { - GTLD: "teva", - DelegationDate: "2016-04-13", - RemovalDate: "", - }, - "tf": { - GTLD: "tf", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "tg": { - GTLD: "tg", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "th": { - GTLD: "th", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "thd": { - GTLD: "thd", - DelegationDate: "2015-05-22", - RemovalDate: "", - }, - "theater": { - GTLD: "theater", - DelegationDate: "2015-05-06", - RemovalDate: "", - }, - "theatre": { - GTLD: "theatre", - DelegationDate: "2015-09-13", - RemovalDate: "", - }, - "tiaa": { - GTLD: "tiaa", - DelegationDate: "2016-07-20", - RemovalDate: "", - }, - "tickets": { - GTLD: "tickets", - DelegationDate: "2015-03-25", - RemovalDate: "", - }, - "tienda": { - GTLD: "tienda", - DelegationDate: "2014-01-23", - RemovalDate: "", - }, - "tiffany": { - GTLD: "tiffany", - DelegationDate: "2016-01-21", - RemovalDate: "", - }, - "tips": { - GTLD: "tips", - DelegationDate: "2013-11-19", - RemovalDate: "", - }, - "tires": { - GTLD: "tires", - DelegationDate: "2014-12-18", - RemovalDate: "", - }, - "tirol": { - GTLD: "tirol", - DelegationDate: "2014-06-04", - RemovalDate: "", - }, - "tj": { - GTLD: "tj", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "tjmaxx": { - GTLD: "tjmaxx", - DelegationDate: "2016-07-15", - RemovalDate: "", - }, - "tjx": { - GTLD: "tjx", - DelegationDate: "2016-07-15", - RemovalDate: "", - }, - "tk": { - GTLD: "tk", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "tkmaxx": { - GTLD: "tkmaxx", - DelegationDate: "2016-07-15", - RemovalDate: "", - }, - "tl": { - GTLD: "tl", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "tm": { - GTLD: "tm", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "tmall": { - GTLD: "tmall", - DelegationDate: "2016-01-21", - RemovalDate: "", - }, - "tn": { - GTLD: "tn", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "to": 
{ - GTLD: "to", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "today": { - GTLD: "today", - DelegationDate: "2013-11-19", - RemovalDate: "", - }, - "tokyo": { - GTLD: "tokyo", - DelegationDate: "2014-01-29", - RemovalDate: "", - }, - "tools": { - GTLD: "tools", - DelegationDate: "2014-01-23", - RemovalDate: "", - }, - "top": { - GTLD: "top", - DelegationDate: "2014-08-03", - RemovalDate: "", - }, - "toray": { - GTLD: "toray", - DelegationDate: "2015-05-01", - RemovalDate: "", - }, - "toshiba": { - GTLD: "toshiba", - DelegationDate: "2015-02-04", - RemovalDate: "", - }, - "total": { - GTLD: "total", - DelegationDate: "2016-03-09", - RemovalDate: "", - }, - "tours": { - GTLD: "tours", - DelegationDate: "2015-03-24", - RemovalDate: "", - }, - "town": { - GTLD: "town", - DelegationDate: "2014-04-11", - RemovalDate: "", - }, - "toyota": { - GTLD: "toyota", - DelegationDate: "2015-07-26", - RemovalDate: "", - }, - "toys": { - GTLD: "toys", - DelegationDate: "2014-04-11", - RemovalDate: "", - }, - "tr": { - GTLD: "tr", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "trade": { - GTLD: "trade", - DelegationDate: "2014-03-19", - RemovalDate: "", - }, - "trading": { - GTLD: "trading", - DelegationDate: "2015-03-13", - RemovalDate: "", - }, - "training": { - GTLD: "training", - DelegationDate: "2013-12-28", - RemovalDate: "", - }, - "travel": { - GTLD: "travel", - DelegationDate: "2005-07-21", - RemovalDate: "", - }, - "travelchannel": { - GTLD: "travelchannel", - DelegationDate: "2016-06-23", - RemovalDate: "", - }, - "travelers": { - GTLD: "travelers", - DelegationDate: "2015-12-05", - RemovalDate: "", - }, - "travelersinsurance": { - GTLD: "travelersinsurance", - DelegationDate: "2015-12-15", - RemovalDate: "", - }, - "trust": { - GTLD: "trust", - DelegationDate: "2014-12-06", - RemovalDate: "", - }, - "trv": { - GTLD: "trv", - DelegationDate: "2015-12-11", - RemovalDate: "", - }, - "tt": { - GTLD: "tt", - DelegationDate: "1985-01-01", - RemovalDate: 
"", - }, - "tube": { - GTLD: "tube", - DelegationDate: "2016-01-11", - RemovalDate: "", - }, - "tui": { - GTLD: "tui", - DelegationDate: "2014-09-27", - RemovalDate: "", - }, - "tunes": { - GTLD: "tunes", - DelegationDate: "2016-02-25", - RemovalDate: "", - }, - "tushu": { - GTLD: "tushu", - DelegationDate: "2015-12-14", - RemovalDate: "", - }, - "tv": { - GTLD: "tv", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "tvs": { - GTLD: "tvs", - DelegationDate: "2016-02-13", - RemovalDate: "", - }, - "tw": { - GTLD: "tw", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "tz": { - GTLD: "tz", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "ua": { - GTLD: "ua", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "ubank": { - GTLD: "ubank", - DelegationDate: "2016-08-18", - RemovalDate: "", - }, - "ubs": { - GTLD: "ubs", - DelegationDate: "2015-07-11", - RemovalDate: "", - }, - "uconnect": { - GTLD: "uconnect", - DelegationDate: "2016-07-28", - RemovalDate: "2019-11-19", - }, - "ug": { - GTLD: "ug", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "uk": { - GTLD: "uk", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "unicom": { - GTLD: "unicom", - DelegationDate: "2016-02-04", - RemovalDate: "", - }, - "university": { - GTLD: "university", - DelegationDate: "2014-04-11", - RemovalDate: "", - }, - "uno": { - GTLD: "uno", - DelegationDate: "2013-11-30", - RemovalDate: "", - }, - "uol": { - GTLD: "uol", - DelegationDate: "2014-08-16", - RemovalDate: "", - }, - "ups": { - GTLD: "ups", - DelegationDate: "2016-05-31", - RemovalDate: "", - }, - "us": { - GTLD: "us", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "uy": { - GTLD: "uy", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "uz": { - GTLD: "uz", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "va": { - GTLD: "va", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "vacations": { - GTLD: "vacations", - DelegationDate: "2014-02-21", 
- RemovalDate: "", - }, - "vana": { - GTLD: "vana", - DelegationDate: "2015-11-10", - RemovalDate: "", - }, - "vanguard": { - GTLD: "vanguard", - DelegationDate: "2016-08-28", - RemovalDate: "", - }, - "vc": { - GTLD: "vc", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "ve": { - GTLD: "ve", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "vegas": { - GTLD: "vegas", - DelegationDate: "2014-03-31", - RemovalDate: "", - }, - "ventures": { - GTLD: "ventures", - DelegationDate: "2013-11-06", - RemovalDate: "", - }, - "verisign": { - GTLD: "verisign", - DelegationDate: "2015-11-25", - RemovalDate: "", - }, - "versicherung": { - GTLD: "versicherung", - DelegationDate: "2014-05-22", - RemovalDate: "", - }, - "vet": { - GTLD: "vet", - DelegationDate: "2014-05-31", - RemovalDate: "", - }, - "vg": { - GTLD: "vg", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "vi": { - GTLD: "vi", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "viajes": { - GTLD: "viajes", - DelegationDate: "2013-12-17", - RemovalDate: "", - }, - "video": { - GTLD: "video", - DelegationDate: "2014-12-25", - RemovalDate: "", - }, - "vig": { - GTLD: "vig", - DelegationDate: "2016-04-06", - RemovalDate: "", - }, - "viking": { - GTLD: "viking", - DelegationDate: "2016-02-22", - RemovalDate: "", - }, - "villas": { - GTLD: "villas", - DelegationDate: "2014-02-11", - RemovalDate: "", - }, - "vin": { - GTLD: "vin", - DelegationDate: "2015-08-05", - RemovalDate: "", - }, - "vip": { - GTLD: "vip", - DelegationDate: "2015-11-25", - RemovalDate: "", - }, - "virgin": { - GTLD: "virgin", - DelegationDate: "2015-10-07", - RemovalDate: "", - }, - "visa": { - GTLD: "visa", - DelegationDate: "2016-07-28", - RemovalDate: "", - }, - "vision": { - GTLD: "vision", - DelegationDate: "2014-02-11", - RemovalDate: "", - }, - "vista": { - GTLD: "vista", - DelegationDate: "2015-06-22", - RemovalDate: "2018-09-13", - }, - "vistaprint": { - GTLD: "vistaprint", - DelegationDate: "2015-06-22", - 
RemovalDate: "", - }, - "viva": { - GTLD: "viva", - DelegationDate: "2015-08-28", - RemovalDate: "", - }, - "vivo": { - GTLD: "vivo", - DelegationDate: "2016-07-15", - RemovalDate: "", - }, - "vlaanderen": { - GTLD: "vlaanderen", - DelegationDate: "2014-06-18", - RemovalDate: "", - }, - "vn": { - GTLD: "vn", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "vodka": { - GTLD: "vodka", - DelegationDate: "2014-03-31", - RemovalDate: "", - }, - "volkswagen": { - GTLD: "volkswagen", - DelegationDate: "2016-01-09", - RemovalDate: "", - }, - "volvo": { - GTLD: "volvo", - DelegationDate: "2016-10-24", - RemovalDate: "", - }, - "vote": { - GTLD: "vote", - DelegationDate: "2014-03-02", - RemovalDate: "", - }, - "voting": { - GTLD: "voting", - DelegationDate: "2014-01-29", - RemovalDate: "", - }, - "voto": { - GTLD: "voto", - DelegationDate: "2014-03-02", - RemovalDate: "", - }, - "voyage": { - GTLD: "voyage", - DelegationDate: "2013-11-06", - RemovalDate: "", - }, - "vu": { - GTLD: "vu", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "vuelos": { - GTLD: "vuelos", - DelegationDate: "2016-03-02", - RemovalDate: "", - }, - "wales": { - GTLD: "wales", - DelegationDate: "2014-08-07", - RemovalDate: "", - }, - "walmart": { - GTLD: "walmart", - DelegationDate: "2016-08-18", - RemovalDate: "", - }, - "walter": { - GTLD: "walter", - DelegationDate: "2015-05-27", - RemovalDate: "", - }, - "wang": { - GTLD: "wang", - DelegationDate: "2014-01-03", - RemovalDate: "", - }, - "wanggou": { - GTLD: "wanggou", - DelegationDate: "2015-12-15", - RemovalDate: "", - }, - "warman": { - GTLD: "warman", - DelegationDate: "2016-05-03", - RemovalDate: "2019-11-19", - }, - "watch": { - GTLD: "watch", - DelegationDate: "2014-01-23", - RemovalDate: "", - }, - "watches": { - GTLD: "watches", - DelegationDate: "2015-12-14", - RemovalDate: "", - }, - "weather": { - GTLD: "weather", - DelegationDate: "2016-01-12", - RemovalDate: "", - }, - "weatherchannel": { - GTLD: "weatherchannel", - 
DelegationDate: "2016-01-28", - RemovalDate: "", - }, - "webcam": { - GTLD: "webcam", - DelegationDate: "2014-03-19", - RemovalDate: "", - }, - "weber": { - GTLD: "weber", - DelegationDate: "2015-12-22", - RemovalDate: "", - }, - "website": { - GTLD: "website", - DelegationDate: "2014-05-30", - RemovalDate: "", - }, - "wed": { - GTLD: "wed", - DelegationDate: "2014-01-23", - RemovalDate: "", - }, - "wedding": { - GTLD: "wedding", - DelegationDate: "2014-10-15", - RemovalDate: "", - }, - "weibo": { - GTLD: "weibo", - DelegationDate: "2016-04-06", - RemovalDate: "", - }, - "weir": { - GTLD: "weir", - DelegationDate: "2015-04-17", - RemovalDate: "", - }, - "wf": { - GTLD: "wf", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "whoswho": { - GTLD: "whoswho", - DelegationDate: "2014-07-18", - RemovalDate: "", - }, - "wien": { - GTLD: "wien", - DelegationDate: "2014-01-03", - RemovalDate: "", - }, - "wiki": { - GTLD: "wiki", - DelegationDate: "2014-02-19", - RemovalDate: "", - }, - "williamhill": { - GTLD: "williamhill", - DelegationDate: "2014-07-27", - RemovalDate: "", - }, - "win": { - GTLD: "win", - DelegationDate: "2015-03-25", - RemovalDate: "", - }, - "windows": { - GTLD: "windows", - DelegationDate: "2015-06-10", - RemovalDate: "", - }, - "wine": { - GTLD: "wine", - DelegationDate: "2015-08-05", - RemovalDate: "", - }, - "winners": { - GTLD: "winners", - DelegationDate: "2016-07-15", - RemovalDate: "", - }, - "wme": { - GTLD: "wme", - DelegationDate: "2014-09-10", - RemovalDate: "", - }, - "wolterskluwer": { - GTLD: "wolterskluwer", - DelegationDate: "2016-02-11", - RemovalDate: "", - }, - "woodside": { - GTLD: "woodside", - DelegationDate: "2016-06-23", - RemovalDate: "", - }, - "work": { - GTLD: "work", - DelegationDate: "2014-09-23", - RemovalDate: "", - }, - "works": { - GTLD: "works", - DelegationDate: "2014-01-23", - RemovalDate: "", - }, - "world": { - GTLD: "world", - DelegationDate: "2014-09-19", - RemovalDate: "", - }, - "wow": { - GTLD: "wow", 
- DelegationDate: "2016-09-26", - RemovalDate: "", - }, - "ws": { - GTLD: "ws", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "wtc": { - GTLD: "wtc", - DelegationDate: "2014-04-29", - RemovalDate: "", - }, - "wtf": { - GTLD: "wtf", - DelegationDate: "2014-04-23", - RemovalDate: "", - }, - "xbox": { - GTLD: "xbox", - DelegationDate: "2015-06-04", - RemovalDate: "", - }, - "xerox": { - GTLD: "xerox", - DelegationDate: "2015-04-16", - RemovalDate: "", - }, - "xfinity": { - GTLD: "xfinity", - DelegationDate: "2016-07-07", - RemovalDate: "", - }, - "xihuan": { - GTLD: "xihuan", - DelegationDate: "2016-03-30", - RemovalDate: "", - }, - "xin": { - GTLD: "xin", - DelegationDate: "2015-03-07", - RemovalDate: "", - }, - "xn--11b4c3d": { - GTLD: "xn--11b4c3d", - DelegationDate: "2015-07-28", - RemovalDate: "", - }, - "xn--1ck2e1b": { - GTLD: "xn--1ck2e1b", - DelegationDate: "2016-02-19", - RemovalDate: "", - }, - "xn--1qqw23a": { - GTLD: "xn--1qqw23a", - DelegationDate: "2014-08-14", - RemovalDate: "", - }, - "xn--2scrj9c": { - GTLD: "xn--2scrj9c", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "xn--30rr7y": { - GTLD: "xn--30rr7y", - DelegationDate: "2015-03-31", - RemovalDate: "", - }, - "xn--3bst00m": { - GTLD: "xn--3bst00m", - DelegationDate: "2014-01-03", - RemovalDate: "", - }, - "xn--3ds443g": { - GTLD: "xn--3ds443g", - DelegationDate: "2014-01-02", - RemovalDate: "", - }, - "xn--3e0b707e": { - GTLD: "xn--3e0b707e", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "xn--3hcrj9c": { - GTLD: "xn--3hcrj9c", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "xn--3oq18vl8pn36a": { - GTLD: "xn--3oq18vl8pn36a", - DelegationDate: "2016-08-16", - RemovalDate: "", - }, - "xn--3pxu8k": { - GTLD: "xn--3pxu8k", - DelegationDate: "2015-07-28", - RemovalDate: "", - }, - "xn--42c2d9a": { - GTLD: "xn--42c2d9a", - DelegationDate: "2015-07-28", - RemovalDate: "", - }, - "xn--45br5cyl": { - GTLD: "xn--45br5cyl", - DelegationDate: "1985-01-01", - 
RemovalDate: "", - }, - "xn--45brj9c": { - GTLD: "xn--45brj9c", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "xn--45q11c": { - GTLD: "xn--45q11c", - DelegationDate: "2014-11-17", - RemovalDate: "", - }, - "xn--4gbrim": { - GTLD: "xn--4gbrim", - DelegationDate: "2014-05-28", - RemovalDate: "", - }, - "xn--54b7fta0cc": { - GTLD: "xn--54b7fta0cc", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "xn--55qw42g": { - GTLD: "xn--55qw42g", - DelegationDate: "2013-12-17", - RemovalDate: "", - }, - "xn--55qx5d": { - GTLD: "xn--55qx5d", - DelegationDate: "2014-01-18", - RemovalDate: "", - }, - "xn--5su34j936bgsg": { - GTLD: "xn--5su34j936bgsg", - DelegationDate: "2016-07-02", - RemovalDate: "", - }, - "xn--5tzm5g": { - GTLD: "xn--5tzm5g", - DelegationDate: "2016-04-17", - RemovalDate: "", - }, - "xn--6frz82g": { - GTLD: "xn--6frz82g", - DelegationDate: "2014-02-05", - RemovalDate: "", - }, - "xn--6qq986b3xl": { - GTLD: "xn--6qq986b3xl", - DelegationDate: "2014-01-03", - RemovalDate: "", - }, - "xn--80adxhks": { - GTLD: "xn--80adxhks", - DelegationDate: "2014-04-24", - RemovalDate: "", - }, - "xn--80ao21a": { - GTLD: "xn--80ao21a", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "xn--80aqecdr1a": { - GTLD: "xn--80aqecdr1a", - DelegationDate: "2016-12-01", - RemovalDate: "", - }, - "xn--80asehdb": { - GTLD: "xn--80asehdb", - DelegationDate: "2013-10-23", - RemovalDate: "", - }, - "xn--80aswg": { - GTLD: "xn--80aswg", - DelegationDate: "2013-10-23", - RemovalDate: "", - }, - "xn--8y0a063a": { - GTLD: "xn--8y0a063a", - DelegationDate: "2016-02-06", - RemovalDate: "", - }, - "xn--90a3ac": { - GTLD: "xn--90a3ac", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "xn--90ae": { - GTLD: "xn--90ae", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "xn--90ais": { - GTLD: "xn--90ais", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "xn--9dbq2a": { - GTLD: "xn--9dbq2a", - DelegationDate: "2015-07-28", - RemovalDate: "", - }, - 
"xn--9et52u": { - GTLD: "xn--9et52u", - DelegationDate: "2015-03-27", - RemovalDate: "", - }, - "xn--9krt00a": { - GTLD: "xn--9krt00a", - DelegationDate: "2016-04-06", - RemovalDate: "", - }, - "xn--b4w605ferd": { - GTLD: "xn--b4w605ferd", - DelegationDate: "2015-01-24", - RemovalDate: "", - }, - "xn--bck1b9a5dre4c": { - GTLD: "xn--bck1b9a5dre4c", - DelegationDate: "2016-02-21", - RemovalDate: "", - }, - "xn--c1avg": { - GTLD: "xn--c1avg", - DelegationDate: "2014-03-05", - RemovalDate: "", - }, - "xn--c2br7g": { - GTLD: "xn--c2br7g", - DelegationDate: "2015-07-28", - RemovalDate: "", - }, - "xn--cck2b3b": { - GTLD: "xn--cck2b3b", - DelegationDate: "2016-02-19", - RemovalDate: "", - }, - "xn--cg4bki": { - GTLD: "xn--cg4bki", - DelegationDate: "2014-02-21", - RemovalDate: "", - }, - "xn--clchc0ea0b2g2a9gcd": { - GTLD: "xn--clchc0ea0b2g2a9gcd", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "xn--czr694b": { - GTLD: "xn--czr694b", - DelegationDate: "2014-05-22", - RemovalDate: "", - }, - "xn--czrs0t": { - GTLD: "xn--czrs0t", - DelegationDate: "2014-12-06", - RemovalDate: "", - }, - "xn--czru2d": { - GTLD: "xn--czru2d", - DelegationDate: "2014-03-31", - RemovalDate: "", - }, - "xn--d1acj3b": { - GTLD: "xn--d1acj3b", - DelegationDate: "2014-02-26", - RemovalDate: "", - }, - "xn--d1alf": { - GTLD: "xn--d1alf", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "xn--e1a4c": { - GTLD: "xn--e1a4c", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "xn--eckvdtc9d": { - GTLD: "xn--eckvdtc9d", - DelegationDate: "2015-12-14", - RemovalDate: "", - }, - "xn--efvy88h": { - GTLD: "xn--efvy88h", - DelegationDate: "2015-08-24", - RemovalDate: "", - }, - "xn--estv75g": { - GTLD: "xn--estv75g", - DelegationDate: "2015-05-07", - RemovalDate: "", - }, - "xn--fct429k": { - GTLD: "xn--fct429k", - DelegationDate: "2016-03-25", - RemovalDate: "", - }, - "xn--fhbei": { - GTLD: "xn--fhbei", - DelegationDate: "2015-07-28", - RemovalDate: "", - }, - "xn--fiq228c5hs": { - 
GTLD: "xn--fiq228c5hs", - DelegationDate: "2014-01-03", - RemovalDate: "", - }, - "xn--fiq64b": { - GTLD: "xn--fiq64b", - DelegationDate: "2014-01-18", - RemovalDate: "", - }, - "xn--fiqs8s": { - GTLD: "xn--fiqs8s", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "xn--fiqz9s": { - GTLD: "xn--fiqz9s", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "xn--fjq720a": { - GTLD: "xn--fjq720a", - DelegationDate: "2015-05-09", - RemovalDate: "", - }, - "xn--flw351e": { - GTLD: "xn--flw351e", - DelegationDate: "2014-11-20", - RemovalDate: "", - }, - "xn--fpcrj9c3d": { - GTLD: "xn--fpcrj9c3d", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "xn--fzc2c9e2c": { - GTLD: "xn--fzc2c9e2c", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "xn--fzys8d69uvgm": { - GTLD: "xn--fzys8d69uvgm", - DelegationDate: "2016-05-11", - RemovalDate: "", - }, - "xn--g2xx48c": { - GTLD: "xn--g2xx48c", - DelegationDate: "2016-01-16", - RemovalDate: "", - }, - "xn--gckr3f0f": { - GTLD: "xn--gckr3f0f", - DelegationDate: "2016-02-19", - RemovalDate: "", - }, - "xn--gecrj9c": { - GTLD: "xn--gecrj9c", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "xn--gk3at1e": { - GTLD: "xn--gk3at1e", - DelegationDate: "2016-09-30", - RemovalDate: "", - }, - "xn--h2breg3eve": { - GTLD: "xn--h2breg3eve", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "xn--h2brj9c": { - GTLD: "xn--h2brj9c", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "xn--h2brj9c8c": { - GTLD: "xn--h2brj9c8c", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "xn--hxt814e": { - GTLD: "xn--hxt814e", - DelegationDate: "2014-12-02", - RemovalDate: "", - }, - "xn--i1b6b1a6a2e": { - GTLD: "xn--i1b6b1a6a2e", - DelegationDate: "2014-03-09", - RemovalDate: "", - }, - "xn--imr513n": { - GTLD: "xn--imr513n", - DelegationDate: "2015-05-30", - RemovalDate: "", - }, - "xn--io0a7i": { - GTLD: "xn--io0a7i", - DelegationDate: "2014-01-18", - RemovalDate: "", - }, - "xn--j1aef": { - GTLD: 
"xn--j1aef", - DelegationDate: "2015-07-28", - RemovalDate: "", - }, - "xn--j1amh": { - GTLD: "xn--j1amh", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "xn--j6w193g": { - GTLD: "xn--j6w193g", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "xn--jlq61u9w7b": { - GTLD: "xn--jlq61u9w7b", - DelegationDate: "2015-12-18", - RemovalDate: "", - }, - "xn--jvr189m": { - GTLD: "xn--jvr189m", - DelegationDate: "2016-02-22", - RemovalDate: "", - }, - "xn--kcrx77d1x4a": { - GTLD: "xn--kcrx77d1x4a", - DelegationDate: "2015-04-07", - RemovalDate: "", - }, - "xn--kprw13d": { - GTLD: "xn--kprw13d", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "xn--kpry57d": { - GTLD: "xn--kpry57d", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "xn--kpu716f": { - GTLD: "xn--kpu716f", - DelegationDate: "2015-12-15", - RemovalDate: "", - }, - "xn--kput3i": { - GTLD: "xn--kput3i", - DelegationDate: "2014-06-17", - RemovalDate: "", - }, - "xn--l1acc": { - GTLD: "xn--l1acc", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "xn--lgbbat1ad8j": { - GTLD: "xn--lgbbat1ad8j", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "xn--mgb9awbf": { - GTLD: "xn--mgb9awbf", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "xn--mgba3a3ejt": { - GTLD: "xn--mgba3a3ejt", - DelegationDate: "2015-10-15", - RemovalDate: "", - }, - "xn--mgba3a4f16a": { - GTLD: "xn--mgba3a4f16a", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "xn--mgba7c0bbn0a": { - GTLD: "xn--mgba7c0bbn0a", - DelegationDate: "2016-05-03", - RemovalDate: "", - }, - "xn--mgbaakc7dvf": { - GTLD: "xn--mgbaakc7dvf", - DelegationDate: "2017-06-10", - RemovalDate: "", - }, - "xn--mgbaam7a8h": { - GTLD: "xn--mgbaam7a8h", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "xn--mgbab2bd": { - GTLD: "xn--mgbab2bd", - DelegationDate: "2014-02-18", - RemovalDate: "", - }, - "xn--mgbah1a3hjkrd": { - GTLD: "xn--mgbah1a3hjkrd", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - 
"xn--mgbai9azgqp6j": { - GTLD: "xn--mgbai9azgqp6j", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "xn--mgbayh7gpa": { - GTLD: "xn--mgbayh7gpa", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "xn--mgbb9fbpob": { - GTLD: "xn--mgbb9fbpob", - DelegationDate: "2015-12-23", - RemovalDate: "2019-09-09", - }, - "xn--mgbbh1a": { - GTLD: "xn--mgbbh1a", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "xn--mgbbh1a71e": { - GTLD: "xn--mgbbh1a71e", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "xn--mgbc0a9azcg": { - GTLD: "xn--mgbc0a9azcg", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "xn--mgbca7dzdo": { - GTLD: "xn--mgbca7dzdo", - DelegationDate: "2016-04-06", - RemovalDate: "", - }, - "xn--mgberp4a5d4ar": { - GTLD: "xn--mgberp4a5d4ar", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "xn--mgbgu82a": { - GTLD: "xn--mgbgu82a", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "xn--mgbi4ecexp": { - GTLD: "xn--mgbi4ecexp", - DelegationDate: "2016-12-01", - RemovalDate: "", - }, - "xn--mgbpl2fh": { - GTLD: "xn--mgbpl2fh", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "xn--mgbt3dhd": { - GTLD: "xn--mgbt3dhd", - DelegationDate: "2015-12-07", - RemovalDate: "", - }, - "xn--mgbtx2b": { - GTLD: "xn--mgbtx2b", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "xn--mgbx4cd0ab": { - GTLD: "xn--mgbx4cd0ab", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "xn--mix891f": { - GTLD: "xn--mix891f", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "xn--mk1bu44c": { - GTLD: "xn--mk1bu44c", - DelegationDate: "2015-07-28", - RemovalDate: "", - }, - "xn--mxtq1m": { - GTLD: "xn--mxtq1m", - DelegationDate: "2015-03-03", - RemovalDate: "", - }, - "xn--ngbc5azd": { - GTLD: "xn--ngbc5azd", - DelegationDate: "2013-10-23", - RemovalDate: "", - }, - "xn--ngbe9e0a": { - GTLD: "xn--ngbe9e0a", - DelegationDate: "2015-12-15", - RemovalDate: "", - }, - "xn--ngbrx": { - GTLD: "xn--ngbrx", - 
DelegationDate: "2017-05-23", - RemovalDate: "", - }, - "xn--node": { - GTLD: "xn--node", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "xn--nqv7f": { - GTLD: "xn--nqv7f", - DelegationDate: "2014-03-09", - RemovalDate: "", - }, - "xn--nqv7fs00ema": { - GTLD: "xn--nqv7fs00ema", - DelegationDate: "2014-03-09", - RemovalDate: "", - }, - "xn--nyqy26a": { - GTLD: "xn--nyqy26a", - DelegationDate: "2015-04-02", - RemovalDate: "", - }, - "xn--o3cw4h": { - GTLD: "xn--o3cw4h", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "xn--ogbpf8fl": { - GTLD: "xn--ogbpf8fl", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "xn--otu796d": { - GTLD: "xn--otu796d", - DelegationDate: "2018-01-24", - RemovalDate: "", - }, - "xn--p1acf": { - GTLD: "xn--p1acf", - DelegationDate: "2014-09-27", - RemovalDate: "", - }, - "xn--p1ai": { - GTLD: "xn--p1ai", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "xn--pbt977c": { - GTLD: "xn--pbt977c", - DelegationDate: "2015-12-15", - RemovalDate: "", - }, - "xn--pgbs0dh": { - GTLD: "xn--pgbs0dh", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "xn--pssy2u": { - GTLD: "xn--pssy2u", - DelegationDate: "2015-07-28", - RemovalDate: "", - }, - "xn--q9jyb4c": { - GTLD: "xn--q9jyb4c", - DelegationDate: "2013-11-23", - RemovalDate: "", - }, - "xn--qcka1pmc": { - GTLD: "xn--qcka1pmc", - DelegationDate: "2014-11-20", - RemovalDate: "", - }, - "xn--qxa6a": { - GTLD: "xn--qxa6a", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "xn--qxam": { - GTLD: "xn--qxam", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "xn--rhqv96g": { - GTLD: "xn--rhqv96g", - DelegationDate: "2014-03-12", - RemovalDate: "", - }, - "xn--rovu88b": { - GTLD: "xn--rovu88b", - DelegationDate: "2016-02-19", - RemovalDate: "", - }, - "xn--rvc1e0am3e": { - GTLD: "xn--rvc1e0am3e", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "xn--s9brj9c": { - GTLD: "xn--s9brj9c", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - 
"xn--ses554g": { - GTLD: "xn--ses554g", - DelegationDate: "2014-04-10", - RemovalDate: "", - }, - "xn--t60b56a": { - GTLD: "xn--t60b56a", - DelegationDate: "2015-07-28", - RemovalDate: "", - }, - "xn--tckwe": { - GTLD: "xn--tckwe", - DelegationDate: "2015-07-29", - RemovalDate: "", - }, - "xn--tiq49xqyj": { - GTLD: "xn--tiq49xqyj", - DelegationDate: "2016-12-01", - RemovalDate: "", - }, - "xn--unup4y": { - GTLD: "xn--unup4y", - DelegationDate: "2013-10-23", - RemovalDate: "", - }, - "xn--vermgensberater-ctb": { - GTLD: "xn--vermgensberater-ctb", - DelegationDate: "2014-09-27", - RemovalDate: "", - }, - "xn--vermgensberatung-pwb": { - GTLD: "xn--vermgensberatung-pwb", - DelegationDate: "2014-09-27", - RemovalDate: "", - }, - "xn--vhquv": { - GTLD: "xn--vhquv", - DelegationDate: "2014-08-22", - RemovalDate: "", - }, - "xn--vuq861b": { - GTLD: "xn--vuq861b", - DelegationDate: "2015-03-18", - RemovalDate: "", - }, - "xn--w4r85el8fhu5dnra": { - GTLD: "xn--w4r85el8fhu5dnra", - DelegationDate: "2016-03-05", - RemovalDate: "", - }, - "xn--w4rs40l": { - GTLD: "xn--w4rs40l", - DelegationDate: "2016-05-16", - RemovalDate: "", - }, - "xn--wgbh1c": { - GTLD: "xn--wgbh1c", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "xn--wgbl6a": { - GTLD: "xn--wgbl6a", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "xn--xhq521b": { - GTLD: "xn--xhq521b", - DelegationDate: "2014-08-14", - RemovalDate: "", - }, - "xn--xkc2al3hye2a": { - GTLD: "xn--xkc2al3hye2a", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "xn--xkc2dl3a5ee0h": { - GTLD: "xn--xkc2dl3a5ee0h", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "xn--y9a3aq": { - GTLD: "xn--y9a3aq", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "xn--yfro4i67o": { - GTLD: "xn--yfro4i67o", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "xn--ygbi2ammx": { - GTLD: "xn--ygbi2ammx", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "xn--zfr164b": { - GTLD: "xn--zfr164b", - 
DelegationDate: "2013-12-17", - RemovalDate: "", - }, - "xperia": { - GTLD: "xperia", - DelegationDate: "2015-08-05", - RemovalDate: "2018-07-20", - }, - "xxx": { - GTLD: "xxx", - DelegationDate: "2011-04-15", - RemovalDate: "", - }, - "xyz": { - GTLD: "xyz", - DelegationDate: "2014-02-19", - RemovalDate: "", - }, - "yachts": { - GTLD: "yachts", - DelegationDate: "2014-05-22", - RemovalDate: "", - }, - "yahoo": { - GTLD: "yahoo", - DelegationDate: "2016-02-13", - RemovalDate: "", - }, - "yamaxun": { - GTLD: "yamaxun", - DelegationDate: "2015-10-07", - RemovalDate: "", - }, - "yandex": { - GTLD: "yandex", - DelegationDate: "2014-07-18", - RemovalDate: "", - }, - "ye": { - GTLD: "ye", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "yodobashi": { - GTLD: "yodobashi", - DelegationDate: "2015-02-19", - RemovalDate: "", - }, - "yoga": { - GTLD: "yoga", - DelegationDate: "2014-10-15", - RemovalDate: "", - }, - "yokohama": { - GTLD: "yokohama", - DelegationDate: "2014-04-03", - RemovalDate: "", - }, - "you": { - GTLD: "you", - DelegationDate: "2016-03-25", - RemovalDate: "", - }, - "youtube": { - GTLD: "youtube", - DelegationDate: "2014-08-29", - RemovalDate: "", - }, - "yt": { - GTLD: "yt", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "yun": { - GTLD: "yun", - DelegationDate: "2016-03-30", - RemovalDate: "", - }, - "za": { - GTLD: "za", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "zappos": { - GTLD: "zappos", - DelegationDate: "2016-06-02", - RemovalDate: "", - }, - "zara": { - GTLD: "zara", - DelegationDate: "2015-10-27", - RemovalDate: "", - }, - "zero": { - GTLD: "zero", - DelegationDate: "2015-12-05", - RemovalDate: "", - }, - "zip": { - GTLD: "zip", - DelegationDate: "2014-09-15", - RemovalDate: "", - }, - "zippo": { - GTLD: "zippo", - DelegationDate: "2016-07-02", - RemovalDate: "2019-02-15", - }, - "zm": { - GTLD: "zm", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - "zone": { - GTLD: "zone", - DelegationDate: 
"2014-01-14", - RemovalDate: "", - }, - "zuerich": { - GTLD: "zuerich", - DelegationDate: "2014-12-25", - RemovalDate: "", - }, - "zw": { - GTLD: "zw", - DelegationDate: "1985-01-01", - RemovalDate: "", - }, - // .onion is a special case and not a general gTLD. However, it is allowed in - // some circumstances in the web PKI so the Zlint gtldMap includes it with - // a delegationDate based on the CABF ballot to allow EV issuance for .onion - // domains: https://cabforum.org/2015/02/18/ballot-144-validation-rules-dot-onion-names/ - "onion": { - GTLD: "onion", - DelegationDate: "2015-02-18", - RemovalDate: "", - }, -} diff --git a/vendor/github.com/zmap/zlint/util/ip.go b/vendor/github.com/zmap/zlint/util/ip.go deleted file mode 100644 index 153dc0fdc..000000000 --- a/vendor/github.com/zmap/zlint/util/ip.go +++ /dev/null 
@@ -1,115 +0,0 @@
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-// contains helper functions for ip address lints
-
-package util
-
-import (
- "fmt"
- "net"
-)
-
-type subnetCategory int
-
-const (
- privateUse subnetCategory = iota
- sharedAddressSpace
- benchmarking
- documentation
- reserved
- protocolAssignment
- as112
- amt
- orchidV2
- lisp
- thisHostOnThisNetwork
- translatableAddress6to4
- translatableAddress4to6
- dummyAddress
- portControlProtocolAnycast
- traversalUsingRelaysAroundNATAnycast
- nat64DNS64Discovery
- limitedBroadcast
- discardOnly
- teredo
- uniqueLocal
- linkLocalUnicast
- ianaReservedForFutureUse
- ianaReservedMulticast
-)
-
-var reservedNetworks []*net.IPNet
-
-// IsIANAReserved checks IP validity as per IANA reserved IPs
-// IPv4
-// https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml
-// https://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.xml
-// IPv6
-// https://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-special-registry.xhtml
-// https://www.iana.org/assignments/ipv6-address-space/ipv6-address-space.xhtml
-func IsIANAReserved(ip net.IP) bool {
- if !ip.IsGlobalUnicast() {
- return true
- }
-
- for _, network := range reservedNetworks {
- if network.Contains(ip) {
- return true
- }
- }
-
- return false
-}
-
-func init() {
- var networks = map[subnetCategory][]string{
- privateUse: {"10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"},
- sharedAddressSpace: {"100.64.0.0/10"},
- benchmarking: {"198.18.0.0/15", "2001:2::/48"},
- documentation: {"192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24", "2001:db8::/32"},
- reserved: {"240.0.0.0/4", "0400::/6", "0800::/5", "1000::/4", "4000::/3", "6000::/3", "8000::/3", "a000::/3", "c000::/3", "e000::/4", "f000::/5", "f800::/6", "fe00::/9"}, // https://www.iana.org/assignments/ipv6-address-space/ipv6-address-space.xhtml
- protocolAssignment: {"192.0.0.0/24", "2001::/23"}, // 192.0.0.0/24 contains 192.0.0.0/29 - IPv4 Service Continuity Prefix
- as112: {"192.31.196.0/24", "192.175.48.0/24", "2001:4:112::/48", "2620:4f:8000::/48"},
- amt: {"192.52.193.0/24", "2001:3::/32"},
- orchidV2: {"2001:20::/28"},
- lisp: {"2001:5::/32"}, // TODO: this could expire at 2019-09. Please check https://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-special-registry.xhtml for updates
- thisHostOnThisNetwork: {"0.0.0.0/8"},
- translatableAddress4to6: {"2002::/16"},
- translatableAddress6to4: {"64:ff9b::/96", "64:ff9b:1::/48"},
- dummyAddress: {"192.0.0.8/32"},
- portControlProtocolAnycast: {"192.0.0.9/32", "2001:1::1/128"},
- traversalUsingRelaysAroundNATAnycast: {"192.0.0.10/32", "2001:1::2/128"},
- nat64DNS64Discovery: {"192.0.0.170/32", "192.0.0.171/32"},
- limitedBroadcast: {"255.255.255.255/32"},
- discardOnly: {"100::/64"},
- teredo: {"2001::/32"},
- uniqueLocal: {"fc00::/7"},
- linkLocalUnicast: {"fe80::/10", "169.254.0.0/16"}, // this range is covered by ip.IsLinkLocalUnicast(), which is in turn called by net.IP.IsGlobalUnicast(ip)
- ianaReservedForFutureUse: {"255.0.0.0/8", "254.0.0.0/8", "253.0.0.0/8", "252.0.0.0/8", "251.0.0.0/8", "250.0.0.0/8", "249.0.0.0/8", "248.0.0.0/8", "247.0.0.0/8", "246.0.0.0/8", "245.0.0.0/8", "244.0.0.0/8", "243.0.0.0/8", "242.0.0.0/8", "241.0.0.0/8", "240.0.0.0/8"},
- ianaReservedMulticast: {"239.0.0.0/8", "238.0.0.0/8", "237.0.0.0/8", "236.0.0.0/8", "235.0.0.0/8", "234.0.0.0/8", "233.0.0.0/8", "232.0.0.0/8", "231.0.0.0/8", "230.0.0.0/8", "229.0.0.0/8", "228.0.0.0/8", "227.0.0.0/8", "226.0.0.0/8", "225.0.0.0/8", "224.0.0.0/8", "ff00::/8"}, // this range is covered by ip.IsMulticast() call, which is in turn called by net.IP.IsGlobalUnicast(ip)
- }
-
- for _, netList := range networks {
- for _, network := range netList {
- var ipNet *net.IPNet
- var err error
-
- if _, ipNet, err = net.ParseCIDR(network); err != nil {
- panic(fmt.Sprintf("unexpected internal network value provided: %s", err.Error()))
- }
- reservedNetworks = append(reservedNetworks, ipNet)
- }
- }
-}
diff --git a/vendor/github.com/zmap/zlint/util/ku.go b/vendor/github.com/zmap/zlint/util/ku.go
deleted file mode 100644
index 31a828fb4..000000000
--- a/vendor/github.com/zmap/zlint/util/ku.go
+++ /dev/null
@@ -1,18 +0,0 @@
-package util
-
-import "github.com/zmap/zcrypto/x509"
-
-var (
- // KeyUsageToString maps an x509.KeyUsage bitmask to its name.
- KeyUsageToString = map[x509.KeyUsage]string{
- x509.KeyUsageDigitalSignature: "KeyUsageDigitalSignature",
- x509.KeyUsageContentCommitment: "KeyUsageContentCommitment",
- x509.KeyUsageKeyEncipherment: "KeyUsageKeyEncipherment",
- x509.KeyUsageDataEncipherment: "KeyUsageDataEncipherment",
- x509.KeyUsageKeyAgreement: "KeyUsageKeyAgreement",
- x509.KeyUsageCertSign: "KeyUsageCertSign",
- x509.KeyUsageCRLSign: "KeyUsageCRLSign",
- x509.KeyUsageEncipherOnly: "KeyUsageEncipherOnly",
- x509.KeyUsageDecipherOnly: "KeyUsageDecipherOnly",
- }
-)
diff --git a/vendor/github.com/zmap/zlint/util/names.go b/vendor/github.com/zmap/zlint/util/names.go
deleted file mode 100644
index a66f02143..000000000
--- a/vendor/github.com/zmap/zlint/util/names.go
+++ /dev/null
@@ -1,64 +0,0 @@
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-package util
-
-import (
- "encoding/asn1"
-
- "github.com/zmap/zcrypto/x509/pkix"
-)
-
-type empty struct{}
-
-var nameAttributePrefix = asn1.ObjectIdentifier{2, 5, 4}
-var nameAttributeLeaves = map[int]empty{
- // Name attributes defined in RFC 5280 appendix A
- 3: {}, // id-at-commonName AttributeType ::= { id-at 3 }
- 4: {}, // id-at-surname AttributeType ::= { id-at 4 }
- 5: {}, // id-at-serialNumber AttributeType ::= { id-at 5 }
- 6: {}, // id-at-countryName AttributeType ::= { id-at 6 }
- 7: {}, // id-at-localityName AttributeType ::= { id-at 7 }
- 8: {}, // id-at-stateOrProvinceName AttributeType ::= { id-at 8 }
- 10: {}, // id-at-organizationName AttributeType ::= { id-at 10 }
- 11: {}, // id-at-organizationalUnitName AttributeType ::= { id-at 11 }
- 12: {}, // id-at-title AttributeType ::= { id-at 12 }
- 41: {}, // id-at-name AttributeType ::= { id-at 41 }
- 42: {}, // id-at-givenName AttributeType ::= { id-at 42 }
- 43: {}, // id-at-initials AttributeType ::= { id-at 43 }
- 44: {}, // id-at-generationQualifier AttributeType ::= { id-at 44 }
- 46: {}, // id-at-dnQualifier AttributeType ::= { id-at 46 }
-
- // Name attributes not present in RFC 5280, but appeared in Go's crypto/x509/pkix.go
- 9: {}, // id-at-streetName AttributeType ::= { id-at 9 }
- 17: {}, // id-at-postalCodeName AttributeType ::= { id-at 17 }
-}
-
-// IsNameAttribute returns true if the given ObjectIdentifier corresponds with
-// the type of any name attribute for PKIX.
-func IsNameAttribute(oid asn1.ObjectIdentifier) bool {
- if len(oid) != 4 {
- return false
- }
- if !nameAttributePrefix.Equal(oid[0:3]) {
- return false
- }
- _, ok := nameAttributeLeaves[oid[3]]
- return ok
-}
-
-func NotAllNameFieldsAreEmpty(name *pkix.Name) bool {
- //Return true if at least one field is non-empty
- return len(name.Names) >= 1
-}
diff --git a/vendor/github.com/zmap/zlint/util/oid.go b/vendor/github.com/zmap/zlint/util/oid.go
deleted file mode 100644
index e011f4858..000000000
--- a/vendor/github.com/zmap/zlint/util/oid.go
+++ /dev/null
@@ -1,184 +0,0 @@
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-package util
-
-import (
- "encoding/asn1"
- "errors"
-
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zcrypto/x509/pkix"
-)
-
-var (
- //extension OIDs
- AiaOID = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 1} // Authority Information Access
- AuthkeyOID = asn1.ObjectIdentifier{2, 5, 29, 35} // Authority Key Identifier
- BasicConstOID = asn1.ObjectIdentifier{2, 5, 29, 19} // Basic Constraints
- CertPolicyOID = asn1.ObjectIdentifier{2, 5, 29, 32} // Certificate Policies
- CrlDistOID = asn1.ObjectIdentifier{2, 5, 29, 31} // CRL Distribution Points
- CtPoisonOID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 11129, 2, 4, 3} // CT Poison
- EkuSynOid = asn1.ObjectIdentifier{2, 5, 29, 37} // Extended Key Usage Syntax
- FreshCRLOID = asn1.ObjectIdentifier{2, 5, 29, 46} // Freshest CRL
- InhibitAnyPolicyOID = asn1.ObjectIdentifier{2, 5, 29, 54} // Inhibit Any Policy
- IssuerAlternateNameOID = asn1.ObjectIdentifier{2, 5, 29, 18} // Issuer Alt Name
- KeyUsageOID = asn1.ObjectIdentifier{2, 5, 29, 15} // Key Usage
- LogoTypeOID = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 12} // Logo Type Ext
- NameConstOID = asn1.ObjectIdentifier{2, 5, 29, 30} // Name Constraints
- OscpNoCheckOID = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 48, 1, 5} // OSCP No Check
- PolicyConstOID = asn1.ObjectIdentifier{2, 5, 29, 36} // Policy Constraints
- PolicyMapOID = asn1.ObjectIdentifier{2, 5, 29, 33} // Policy Mappings
- PrivKeyUsageOID = asn1.ObjectIdentifier{2, 5, 29, 16} // Private Key Usage Period
- QcStateOid = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 3} // QC Statements
- TimestampOID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 11129, 2, 4, 2} // Signed Certificate Timestamp List
- SmimeOID = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 15} // Smime Capabilities
- SubjectAlternateNameOID = asn1.ObjectIdentifier{2, 5, 29, 17} // Subject Alt Name
- SubjectDirAttrOID = asn1.ObjectIdentifier{2, 5, 29, 9} // Subject Directory Attributes
- SubjectInfoAccessOID = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 11} // Subject Info Access Syntax
- SubjectKeyIdentityOID = asn1.ObjectIdentifier{2, 5, 29, 14} // Subject Key Identifier
- // CA/B reserved policies
- BRDomainValidatedOID = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 1} // CA/B BR Domain-Validated
- BROrganizationValidatedOID = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 2} // CA/B BR Organization-Validated
- BRIndividualValidatedOID = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 3} // CA/B BR Individual-Validated
- BRTorServiceDescriptor = asn1.ObjectIdentifier{2, 23, 140, 1, 31} // CA/B BR Tor Service Descriptor
- //X.500 attribute types
- CommonNameOID = asn1.ObjectIdentifier{2, 5, 4, 3}
- SurnameOID = asn1.ObjectIdentifier{2, 5, 4, 4}
- SerialOID = asn1.ObjectIdentifier{2, 5, 4, 5}
- CountryNameOID = asn1.ObjectIdentifier{2, 5, 4, 6}
- LocalityNameOID = asn1.ObjectIdentifier{2, 5, 4, 7}
- StateOrProvinceNameOID = asn1.ObjectIdentifier{2, 5, 4, 8}
- StreetAddressOID = asn1.ObjectIdentifier{2, 5, 4, 9}
- OrganizationNameOID = asn1.ObjectIdentifier{2, 5, 4, 10}
- OrganizationalUnitNameOID = asn1.ObjectIdentifier{2, 5, 4, 11}
- BusinessOID = asn1.ObjectIdentifier{2, 5, 4, 15}
- PostalCodeOID = asn1.ObjectIdentifier{2, 5, 4, 17}
- GivenNameOID = asn1.ObjectIdentifier{2, 5, 4, 42}
- // Hash algorithms - see https://golang.org/src/crypto/x509/x509.go
- SHA256OID = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 4, 2, 1}
- SHA384OID = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 4, 2, 2}
- SHA512OID = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 4, 2, 3}
- // other OIDs
- OidRSAEncryption = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 1}
- OidRSASSAPSS = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 10}
- OidMD2WithRSAEncryption = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 2}
- OidMD5WithRSAEncryption = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 4}
- OidSHA1WithRSAEncryption = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 5}
- OidSHA224WithRSAEncryption = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 14}
- OidSHA256WithRSAEncryption = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 11}
- OidSHA384WithRSAEncryption = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 12}
- OidSHA512WithRSAEncryption = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 13}
- AnyPolicyOID = asn1.ObjectIdentifier{2, 5, 29, 32, 0}
- UserNoticeOID = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 2, 2}
- CpsOID = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 2, 1}
- IdEtsiQcsQcCompliance = asn1.ObjectIdentifier{0, 4, 0, 1862, 1, 1}
- IdEtsiQcsQcLimitValue = asn1.ObjectIdentifier{0, 4, 0, 1862, 1, 2}
- IdEtsiQcsQcRetentionPeriod = asn1.ObjectIdentifier{0, 4, 0, 1862, 1, 3}
- IdEtsiQcsQcSSCD = asn1.ObjectIdentifier{0, 4, 0, 1862, 1, 4}
- IdEtsiQcsQcEuPDS = asn1.ObjectIdentifier{0, 4, 0, 1862, 1, 5}
- IdEtsiQcsQcType = asn1.ObjectIdentifier{0, 4, 0, 1862, 1, 6}
- IdEtsiQcsQctEsign = asn1.ObjectIdentifier{0, 4, 0, 1862, 1, 6, 1}
- IdEtsiQcsQctEseal = asn1.ObjectIdentifier{0, 4, 0, 1862, 1, 6, 2}
- IdEtsiQcsQctWeb = asn1.ObjectIdentifier{0, 4, 0, 1862, 1, 6, 3}
-)
-
-const (
- // Tags
- DNSNameTag = 2
-)
-
-// IsExtInCert is equivalent to GetExtFromCert() != nil.
-func IsExtInCert(cert *x509.Certificate, oid asn1.ObjectIdentifier) bool {
- if cert != nil && GetExtFromCert(cert, oid) != nil {
- return true
- }
- return false
-}
-
-// GetExtFromCert returns the extension with the matching OID, if present. If
-// the extension if not present, it returns nil.
-func GetExtFromCert(cert *x509.Certificate, oid asn1.ObjectIdentifier) *pkix.Extension {
- // Since this function is called by many Lint CheckApplies functions we use
- // the x509.Certificate.ExtensionsMap field added by zcrypto to check for
- // the extension in O(1) instead of looping through the
- // `x509.Certificate.Extensions` in O(n).
- if ext, found := cert.ExtensionsMap[oid.String()]; found {
- return &ext
- }
- return nil
-}
-
-// Helper function that checks if an []asn1.ObjectIdentifier slice contains an asn1.ObjectIdentifier
-func SliceContainsOID(list []asn1.ObjectIdentifier, oid asn1.ObjectIdentifier) bool {
- for _, v := range list {
- if oid.Equal(v) {
- return true
- }
- }
- return false
-}
-
-// Helper function that checks for a name type in a pkix.Name
-func TypeInName(name *pkix.Name, oid asn1.ObjectIdentifier) bool {
- for _, v := range name.Names {
- if oid.Equal(v.Type) {
- return true
- }
- }
- return false
-}
-
-//helper function to parse policyMapping extensions, returns slices of CertPolicyIds separated by domain
-func GetMappedPolicies(polMap *pkix.Extension) (out [][2]asn1.ObjectIdentifier, err error) {
- if polMap == nil {
- return nil, errors.New("policyMap: null pointer")
- }
- var outSeq, inSeq asn1.RawValue
-
- empty, err := asn1.Unmarshal(polMap.Value, &outSeq) //strip outer sequence tag/length should be nothing extra
- if err != nil || len(empty) != 0 || outSeq.Class != 0 || outSeq.Tag != 16 || outSeq.IsCompound == false {
- return nil, errors.New("policyMap: Could not unmarshal outer sequence.")
- }
-
- for done := false; !done; { //loop through SEQUENCE OF
- outSeq.Bytes, err = asn1.Unmarshal(outSeq.Bytes, &inSeq) //extract next inner SEQUENCE (OID pair)
- if err != nil || inSeq.Class != 0 || inSeq.Tag != 16 || inSeq.IsCompound == false {
- err = errors.New("policyMap: Could not unmarshal inner sequence.")
- return
- }
- if len(outSeq.Bytes) == 0 { //nothing remaining to parse, stop looping after
- done = true
- }
-
- var oidIssue, oidSubject asn1.ObjectIdentifier
- var restIn asn1.RawContent
- restIn, err = asn1.Unmarshal(inSeq.Bytes, &oidIssue) //extract first inner CertPolicyId (issuer domain)
- if err != nil || len(restIn) == 0 {
- err = errors.New("policyMap: Could not unmarshal inner sequence.")
- return
- }
-
- empty, err = asn1.Unmarshal(restIn, &oidSubject) //extract second inner CertPolicyId (subject domain)
- if err != nil || len(empty) != 0 {
- err = errors.New("policyMap: Could not unmarshal inner sequence.")
- return
- }
-
- //append found OIDs
- out = append(out, [2]asn1.ObjectIdentifier{oidIssue, oidSubject})
- }
-
- return
-}
diff --git a/vendor/github.com/zmap/zlint/util/primes.go b/vendor/github.com/zmap/zlint/util/primes.go
deleted file mode 100644
index 2483097d4..000000000
--- a/vendor/github.com/zmap/zlint/util/primes.go
+++ /dev/null
@@ -1,57 +0,0 @@
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-package util
-
-import "math/big"
-
-var bigIntPrimes = []*big.Int{
- big.NewInt(2), big.NewInt(3), big.NewInt(5), big.NewInt(7), big.NewInt(11), big.NewInt(13),
- big.NewInt(17), big.NewInt(19), big.NewInt(23), big.NewInt(29), big.NewInt(31), big.NewInt(37),
- big.NewInt(41), big.NewInt(43), big.NewInt(47), big.NewInt(53), big.NewInt(59), big.NewInt(61),
- big.NewInt(67), big.NewInt(71), big.NewInt(73), big.NewInt(79), big.NewInt(83), big.NewInt(89),
- big.NewInt(97), big.NewInt(101), big.NewInt(103), big.NewInt(107), big.NewInt(109), big.NewInt(113),
- big.NewInt(127), big.NewInt(131), big.NewInt(137), big.NewInt(139), big.NewInt(149), big.NewInt(151),
- big.NewInt(157), big.NewInt(163), big.NewInt(167), big.NewInt(173), big.NewInt(179), big.NewInt(181),
- big.NewInt(191), big.NewInt(193), big.NewInt(197), big.NewInt(199), big.NewInt(211), big.NewInt(223),
- big.NewInt(227), big.NewInt(229), big.NewInt(233), big.NewInt(239), big.NewInt(241), big.NewInt(251),
- big.NewInt(257), big.NewInt(263), big.NewInt(269), big.NewInt(271), big.NewInt(277), big.NewInt(281),
- big.NewInt(283), big.NewInt(293), big.NewInt(307), big.NewInt(311), big.NewInt(353), big.NewInt(359),
- big.NewInt(367), big.NewInt(373), big.NewInt(379), big.NewInt(383), big.NewInt(313), big.NewInt(317),
- big.NewInt(331), big.NewInt(337), big.NewInt(347), big.NewInt(349), big.NewInt(389), big.NewInt(397),
- big.NewInt(401), big.NewInt(409), big.NewInt(419), big.NewInt(421), big.NewInt(431), big.NewInt(433),
- big.NewInt(439), big.NewInt(443), big.NewInt(449), big.NewInt(457), big.NewInt(461), big.NewInt(463),
- big.NewInt(467), big.NewInt(479), big.NewInt(487), big.NewInt(491), big.NewInt(499), big.NewInt(503),
- big.NewInt(509), big.NewInt(521), big.NewInt(523), big.NewInt(541), big.NewInt(547), big.NewInt(557),
- big.NewInt(563), big.NewInt(569), big.NewInt(571), big.NewInt(577), big.NewInt(587), big.NewInt(593),
- big.NewInt(599), big.NewInt(601), big.NewInt(607), big.NewInt(613), big.NewInt(617), big.NewInt(619),
- big.NewInt(631), big.NewInt(641), big.NewInt(643), big.NewInt(647), big.NewInt(653), big.NewInt(659),
- big.NewInt(661), big.NewInt(673), big.NewInt(677), big.NewInt(683), big.NewInt(691), big.NewInt(701),
- big.NewInt(709), big.NewInt(719), big.NewInt(727), big.NewInt(733), big.NewInt(739), big.NewInt(743),
- big.NewInt(751),
-}
-
-var zero = big.NewInt(0)
-
-func PrimeNoSmallerThan752(dividend *big.Int) bool {
- quotient := big.NewInt(0)
- mod := big.NewInt(0)
- for _, divisor := range bigIntPrimes {
- quotient.DivMod(dividend, divisor, mod)
- if mod.Cmp(zero) == 0 {
- return false
- }
- }
- return true
-}
diff --git a/vendor/github.com/zmap/zlint/util/qc_stmt.go b/vendor/github.com/zmap/zlint/util/qc_stmt.go
deleted file mode 100644
index 6fb2d4a8b..000000000
--- a/vendor/github.com/zmap/zlint/util/qc_stmt.go
+++ /dev/null
@@ -1,285 +0,0 @@
-/*
- * ZLint Copyright 2017 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-package util
-
-import (
- "bytes"
- "encoding/asn1"
- "fmt"
- "reflect"
-)
-
-func etsiOidToDescString(oid asn1.ObjectIdentifier) string {
- switch {
- case oid.Equal(IdEtsiQcsQcCompliance):
- {
- return "IdEtsiQcsQcCompliance"
- }
- case oid.Equal(IdEtsiQcsQcLimitValue):
- {
- return "IdEtsiQcsQcLimitValue"
- }
- case oid.Equal(IdEtsiQcsQcRetentionPeriod):
- {
- return "IdEtsiQcsQcRetentionPeriod"
- }
- case oid.Equal(IdEtsiQcsQcSSCD):
- {
- return "IdEtsiQcsQcSSCSD"
- }
- case oid.Equal(IdEtsiQcsQcEuPDS):
- {
- return "IdEtsiQcsQcEuPDS"
- }
- case oid.Equal(IdEtsiQcsQcType):
- {
- return "IdEtsiQcsQcType"
- }
- default:
- {
- panic("unresolved ETSI QC Statement OID")
- }
- }
-}
-
-type anyContent struct {
- Raw asn1.RawContent
-}
-
-type qcStatementWithInfoField struct {
- Oid asn1.ObjectIdentifier
- Any asn1.RawValue
-}
-type qcStatementWithoutInfoField struct {
- Oid asn1.ObjectIdentifier
-}
-
-type etsiBase struct {
- errorInfo string
- isPresent bool
-}
-
-func (this etsiBase) GetErrorInfo() string {
- return this.errorInfo
-}
-
-func (this etsiBase) IsPresent() bool {
- return this.isPresent
-}
-
-type EtsiQcStmtIf interface {
- GetErrorInfo() string
- IsPresent() bool
-}
-
-type Etsi421QualEuCert struct {
- etsiBase
-}
-
-type Etsi423QcType struct {
- etsiBase
- TypeOids []asn1.ObjectIdentifier
-}
-
-type EtsiQcSscd struct {
- etsiBase
-}
-
-type EtsiMonetaryValueAlph struct {
- Iso4217CurrencyCodeAlph string `asn1:"printable"`
- Amount int
- Exponent int
-}
-type EtsiMonetaryValueNum struct {
- Iso4217CurrencyCodeNum int
- Amount int
- Exponent int
-}
-
-type EtsiQcLimitValue struct {
- etsiBase
- Amount int
- Exponent int
- IsNum bool
- CurrencyAlph string
- CurrencyNum int
-}
-
-type EtsiQcRetentionPeriod struct {
- etsiBase
- Period int
-}
-type PdsLocation struct {
- Url string `asn1:"ia5"`
- Language string `asn1:"printable"`
-}
-type EtsiQcPds struct {
- etsiBase
- PdsLocations []PdsLocation
-}
-
-func AppendToStringSemicolonDelim(this *string, s string) {
- if len(*this) > 0 && len(s) > 0 {
- (*this) += "; "
- }
- (*this) += s
-}
-
-func checkAsn1Reencoding(i interface{}, originalEncoding []byte, appendIfComparisonFails string) string {
- result := ""
- reencoded, marshErr := asn1.Marshal(i)
- if marshErr != nil {
- AppendToStringSemicolonDelim(&result, fmt.Sprintf("error reencoding ASN1 value of statementInfo field: %s",
- marshErr))
- }
- if !bytes.Equal(reencoded, originalEncoding) {
- AppendToStringSemicolonDelim(&result, appendIfComparisonFails)
- }
- return result
-}
-
-func IsAnyEtsiQcStatementPresent(extVal []byte) bool {
- oidList := make([]*asn1.ObjectIdentifier, 6)
- oidList[0] = &IdEtsiQcsQcCompliance
- oidList[1] = &IdEtsiQcsQcLimitValue
- oidList[2] = &IdEtsiQcsQcRetentionPeriod
- oidList[3] = &IdEtsiQcsQcSSCD
- oidList[4] = &IdEtsiQcsQcEuPDS
- oidList[5] = &IdEtsiQcsQcType
- for _, oid := range oidList {
- r := ParseQcStatem(extVal, *oid)
- if r.IsPresent() {
- return true
- }
- }
- return false
-}
-
-func ParseQcStatem(extVal []byte, sought asn1.ObjectIdentifier) EtsiQcStmtIf {
- sl := make([]anyContent, 0)
- rest, err := asn1.Unmarshal(extVal, &sl)
- if err != nil {
- return etsiBase{errorInfo: "error parsing outer SEQ", isPresent: true}
- }
- if len(rest) != 0 {
- return etsiBase{errorInfo: "rest len of outer seq != 0", isPresent: true}
- }
-
- for _, raw := range sl {
- parseErrorString := "format error in at least one QC statement within the QC statements extension." +
- " this message may appear multiple times for the same error cause."
- var statem qcStatementWithInfoField
- rest, err = asn1.Unmarshal(raw.Raw, &statem)
- if err != nil {
- var statemWithoutInfo qcStatementWithoutInfoField
-
- rest, err = asn1.Unmarshal(raw.Raw, &statemWithoutInfo)
- if err != nil || len(rest) != 0 {
- return etsiBase{errorInfo: parseErrorString, isPresent: false}
- }
- copy(statem.Oid, statemWithoutInfo.Oid)
- if len(statem.Any.FullBytes) != 0 {
- return etsiBase{errorInfo: "internal error, default optional content len is not zero"}
- }
- } else if 0 != len(rest) {
- return etsiBase{errorInfo: parseErrorString, isPresent: false}
- }
-
- if !statem.Oid.Equal(sought) {
- continue
- }
- if statem.Oid.Equal(IdEtsiQcsQcCompliance) {
- etsiObj := Etsi421QualEuCert{etsiBase: etsiBase{isPresent: true}}
- statemWithoutInfo := qcStatementWithoutInfoField{Oid: statem.Oid}
- AppendToStringSemicolonDelim(&etsiObj.errorInfo, checkAsn1Reencoding(reflect.ValueOf(statemWithoutInfo).Interface(), raw.Raw,
- "invalid format of ETSI Complicance statement"))
- return etsiObj
- } else if statem.Oid.Equal(IdEtsiQcsQcLimitValue) {
- etsiObj := EtsiQcLimitValue{etsiBase: etsiBase{isPresent: true}}
- numErr := false
- alphErr := false
- var numeric EtsiMonetaryValueNum
- var alphabetic EtsiMonetaryValueAlph
- restNum, errNum := asn1.Unmarshal(statem.Any.FullBytes, &numeric)
- if len(restNum) != 0 || errNum != nil {
- numErr = true
- } else {
- etsiObj.IsNum = true
- etsiObj.Amount = numeric.Amount
- etsiObj.Exponent = numeric.Exponent
- etsiObj.CurrencyNum = numeric.Iso4217CurrencyCodeNum
-
- }
- if numErr {
- restAlph, errAlph := asn1.Unmarshal(statem.Any.FullBytes, &alphabetic)
- if len(restAlph) != 0 || errAlph != nil {
- alphErr = true
- } else {
- etsiObj.IsNum = false
- etsiObj.Amount = alphabetic.Amount
- etsiObj.Exponent = alphabetic.Exponent
- etsiObj.CurrencyAlph = alphabetic.Iso4217CurrencyCodeAlph
- AppendToStringSemicolonDelim(&etsiObj.errorInfo,
- checkAsn1Reencoding(reflect.ValueOf(alphabetic).Interface(),
- statem.Any.FullBytes, "error with ASN.1 encoding, possibly a wrong ASN.1 string type was used"))
- }
- }
- if numErr && alphErr {
- etsiObj.errorInfo = "error parsing the ETSI Qc Statement statementInfo field"
- }
- return etsiObj
-
- } else if statem.Oid.Equal(IdEtsiQcsQcRetentionPeriod) {
- etsiObj := EtsiQcRetentionPeriod{etsiBase: etsiBase{isPresent: true}}
- rest, err := asn1.Unmarshal(statem.Any.FullBytes, &etsiObj.Period)
-
- if len(rest) != 0 || err != nil {
- etsiObj.errorInfo = "error parsing the statementInfo field"
- }
- return etsiObj
- } else if statem.Oid.Equal(IdEtsiQcsQcSSCD) {
- etsiObj := EtsiQcSscd{etsiBase: etsiBase{isPresent: true}}
- statemWithoutInfo := qcStatementWithoutInfoField{Oid: statem.Oid}
- AppendToStringSemicolonDelim(&etsiObj.errorInfo, checkAsn1Reencoding(reflect.ValueOf(statemWithoutInfo).Interface(), raw.Raw,
- "invalid format of ETSI SCSD statement"))
- return etsiObj
- } else if statem.Oid.Equal(IdEtsiQcsQcEuPDS) {
- etsiObj := EtsiQcPds{etsiBase: etsiBase{isPresent: true}}
- rest, err := asn1.Unmarshal(statem.Any.FullBytes, &etsiObj.PdsLocations)
- if len(rest) != 0 || err != nil {
- etsiObj.errorInfo = "error parsing the statementInfo field"
- } else {
- AppendToStringSemicolonDelim(&etsiObj.errorInfo,
- checkAsn1Reencoding(reflect.ValueOf(etsiObj.PdsLocations).Interface(), statem.Any.FullBytes,
- "error with ASN.1 encoding, possibly a wrong ASN.1 string type was used"))
- }
- return etsiObj
- } else if statem.Oid.Equal(IdEtsiQcsQcType) {
- var qcType Etsi423QcType
- qcType.isPresent = true
- rest, err := asn1.Unmarshal(statem.Any.FullBytes, &qcType.TypeOids)
- if len(rest) != 0 || err != nil {
- return etsiBase{errorInfo: "error parsing IdEtsiQcsQcType extension statementInfo field", isPresent: true}
- }
- return qcType
- } else {
- return etsiBase{errorInfo: "", isPresent: true}
- }
-
- }
-
- return etsiBase{errorInfo: "", isPresent: false}
-
-}
diff --git a/vendor/github.com/zmap/zlint/util/rdn.go b/vendor/github.com/zmap/zlint/util/rdn.go
deleted file mode 100644
index 9bff383cb..000000000
--- a/vendor/github.com/zmap/zlint/util/rdn.go
+++ /dev/null
@@ -1,26 +0,0 @@
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-package util
-
-import "encoding/asn1"
-
-type AttributeTypeAndRawValue struct {
- Type asn1.ObjectIdentifier
- Value asn1.RawValue
-}
-
-type AttributeTypeAndRawValueSET []AttributeTypeAndRawValue
-
-type RawRDNSequence []AttributeTypeAndRawValueSET
diff --git a/vendor/github.com/zmap/zlint/util/time.go b/vendor/github.com/zmap/zlint/util/time.go
deleted file mode 100644
index f5e525969..000000000
--- a/vendor/github.com/zmap/zlint/util/time.go
+++ /dev/null
@@ -1,83 +0,0 @@
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-package util
-
-import (
- "encoding/asn1"
- "time"
-
- "github.com/zmap/zcrypto/x509"
-)
-
-var (
- ZeroDate = time.Date(0000, time.January, 1, 0, 0, 0, 0, time.UTC)
- RFC1035Date = time.Date(1987, time.January, 1, 0, 0, 0, 0, time.UTC)
- RFC2459Date = time.Date(1999, time.January, 1, 0, 0, 0, 0, time.UTC)
- RFC3280Date = time.Date(2002, time.April, 1, 0, 0, 0, 0, time.UTC)
- RFC3490Date = time.Date(2003, time.March, 1, 0, 0, 0, 0, time.UTC)
- RFC8399Date = time.Date(2018, time.May, 1, 0, 0, 0, 0, time.UTC)
- RFC4325Date = time.Date(2005, time.December, 1, 0, 0, 0, 0, time.UTC)
- RFC4630Date = time.Date(2006, time.August, 1, 0, 0, 0, 0, time.UTC)
- RFC5280Date = time.Date(2008, time.May, 1, 0, 0, 0, 0, time.UTC)
- RFC6818Date = time.Date(2013, time.January, 1, 0, 0, 0, 0, time.UTC)
- CABEffectiveDate = time.Date(2012, time.July, 1, 0, 0, 0, 0, time.UTC)
- CABReservedIPDate = time.Date(2016, time.October, 1, 0, 0, 0, 0, time.UTC)
- CABGivenNameDate = time.Date(2016, time.September, 7, 0, 0, 0, 0, time.UTC)
- CABSerialNumberEntropyDate = time.Date(2016, time.September, 30, 0, 0, 0, 0, time.UTC)
- CABV102Date = time.Date(2012, time.June, 8, 0, 0, 0, 0, time.UTC)
- CABV113Date = time.Date(2013, time.February, 21, 0, 0, 0, 0, time.UTC)
- CABV114Date = time.Date(2013, time.May, 3, 0, 0, 0, 0, time.UTC)
- CABV116Date = time.Date(2013, time.July, 29, 0, 0, 0, 0, time.UTC)
- CABV130Date = time.Date(2015, time.April, 16, 0, 0, 0, 0, time.UTC)
- CABV131Date = time.Date(2015, time.September, 28, 0, 0, 0, 0, time.UTC)
- NO_SHA1 = time.Date(2016, time.January, 1, 0, 0, 0, 0, time.UTC)
- NoRSA1024RootDate = time.Date(2011, time.January, 1, 0, 0, 0, 0, time.UTC)
- NoRSA1024Date = time.Date(2014, time.January, 1, 0, 0, 0, 0, time.UTC)
- GeneralizedDate = time.Date(2050, time.January, 1, 0, 0, 0, 0, time.UTC)
- NoReservedIP = time.Date(2015, time.November, 1, 0, 0, 0, 0, time.UTC)
- SubCert39Month = time.Date(2016, time.July, 2, 0, 0, 0, 0, time.UTC)
- SubCert825Days = time.Date(2018, time.March, 2, 0, 0, 0, 0, time.UTC)
- CABV148Date = time.Date(2017, time.June, 8, 0, 0, 0, 0, time.UTC)
- EtsiEn319_412_5_V2_2_1_Date = time.Date(2017, time.November, 1, 0, 0, 0, 0, time.UTC)
- OnionOnlyEVDate = time.Date(2015, time.May, 1, 0, 0, 0, 0, time.UTC)
- CABV201Date = time.Date(2017, time.July, 28, 0, 0, 0, 0, time.UTC)
- AppleCTPolicyDate = time.Date(2018, time.October, 15, 0, 0, 0, 0, time.UTC)
-)
-
-func FindTimeType(firstDate, secondDate asn1.RawValue) (int, int) {
- return firstDate.Tag, secondDate.Tag
-}
-
-func GetTimes(cert *x509.Certificate) (asn1.RawValue, asn1.RawValue) {
- var outSeq, firstDate, secondDate asn1.RawValue
- // Unmarshal into the sequence
- rest, err := asn1.Unmarshal(cert.RawTBSCertificate, &outSeq)
- // Start unmarshalling the bytes
- rest, err = asn1.Unmarshal(outSeq.Bytes, &outSeq)
- // This is here to account for if version is not included
- if outSeq.Tag == 0 {
- rest, err = asn1.Unmarshal(rest, &outSeq)
- }
- rest, err = asn1.Unmarshal(rest, &outSeq)
- rest, err = asn1.Unmarshal(rest, &outSeq)
- rest, err = asn1.Unmarshal(rest, &outSeq)
- // Finally at the validity date, load them into a different RawValue
- rest, err = asn1.Unmarshal(outSeq.Bytes, &firstDate)
- _, err = asn1.Unmarshal(rest, &secondDate)
- if err != nil {
- return asn1.RawValue{}, asn1.RawValue{}
- }
- return firstDate, secondDate
-}
diff --git a/vendor/github.com/zmap/zlint/zlint.go b/vendor/github.com/zmap/zlint/zlint.go
deleted file mode 100644
index 8babc14b5..000000000
--- a/vendor/github.com/zmap/zlint/zlint.go
+++ /dev/null
@@ -1,102 +0,0 @@
-/*
- * ZLint Copyright 2018 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-// Used to check parsed info from certificate for compliance
-
-package zlint
-
-import (
- "encoding/json"
- "io"
- "regexp"
- "time"
-
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/lints"
-)
-
-const Version int64 = 3
-
-// ResultSet contains the output of running all lints against a single certificate.
-type ResultSet struct {
- Version int64 `json:"version"`
- Timestamp int64 `json:"timestamp"`
- Results map[string]*lints.LintResult `json:"lints"`
- NoticesPresent bool `json:"notices_present"`
- WarningsPresent bool `json:"warnings_present"`
- ErrorsPresent bool `json:"errors_present"`
- FatalsPresent bool `json:"fatals_present"`
-}
-
-func (z *ResultSet) execute(cert *x509.Certificate, filter *regexp.Regexp) {
- z.Results = make(map[string]*lints.LintResult, len(lints.Lints))
- for name, l := range lints.Lints {
- if filter != nil && !filter.MatchString(name) {
- continue
- }
- res := l.Execute(cert)
- z.Results[name] = res
- z.updateErrorStatePresent(res)
- }
-}
-
-func (z *ResultSet) updateErrorStatePresent(result *lints.LintResult) {
- switch result.Status {
- case lints.Notice:
- z.NoticesPresent = true
- case lints.Warn:
- z.WarningsPresent = true
- case lints.Error:
- z.ErrorsPresent = true
- case lints.Fatal:
- z.FatalsPresent = true
- }
-}
-
-// EncodeLintDescriptionsToJSON outputs a description of each lint as JSON
-// object, one object per line.
-func EncodeLintDescriptionsToJSON(w io.Writer) {
- enc := json.NewEncoder(w)
- enc.SetEscapeHTML(false)
- for _, lint := range lints.Lints {
- enc.Encode(lint)
- }
-}
-
-// LintCertificate runs all registered lints on c, producing a ZLint.
-func LintCertificate(c *x509.Certificate) *ResultSet {
- // Instead of panicing on nil certificate, just returns nil and let the client
- // panic when accessing ZLint, if they're into panicing.
- if c == nil {
- return nil
- }
-
- // Run all tests
- return LintCertificateFiltered(c, nil)
-}
-
-// LintCertificateFiltered runs all lints with names matching the provided
-// regexp on c, producing a ResultSet.
-func LintCertificateFiltered(c *x509.Certificate, filter *regexp.Regexp) *ResultSet {
- if c == nil {
- return nil
- }
-
- // Run tests with provided filter
- res := new(ResultSet)
- res.execute(c, filter)
- res.Version = Version
- res.Timestamp = time.Now().Unix()
- return res
-}
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 7c1170873..74b558115 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -99,10 +99,6 @@ github.com/zmap/zcrypto/util
 github.com/zmap/zcrypto/x509
 github.com/zmap/zcrypto/x509/ct
 github.com/zmap/zcrypto/x509/pkix
-# github.com/zmap/zlint v1.1.0
-github.com/zmap/zlint
-github.com/zmap/zlint/lints
-github.com/zmap/zlint/util
 # github.com/zmap/zlint/v2 v2.0.0
 github.com/zmap/zlint/v2
 github.com/zmap/zlint/v2/lint