boulder

History

Daniel McCarney 590dca0fe1 Cert-checker: Update certlint, add CN/SAN==PSL err ignore. (#3600 ) * Update `globalsign/certlint` to d4a45be. This commit updates the `github.com/globalsign/certlint` dependency to the latest tip of master (d4a45be06892f3e664f69892aca79a48df510be0). Unit tests are confirmed to pass: ``` $ go test ./... ok github.com/globalsign/certlint 3.816s ok github.com/globalsign/certlint/asn1 (cached) ? github.com/globalsign/certlint/certdata [no test files] ? github.com/globalsign/certlint/checks [no test files] ? github.com/globalsign/certlint/checks/certificate/aiaissuers [no test files] ? github.com/globalsign/certlint/checks/certificate/all [no test files] ? github.com/globalsign/certlint/checks/certificate/basicconstraints [no test files] ? github.com/globalsign/certlint/checks/certificate/extensions [no test files] ? github.com/globalsign/certlint/checks/certificate/extkeyusage [no test files] ok github.com/globalsign/certlint/checks/certificate/internal (cached) ? github.com/globalsign/certlint/checks/certificate/issuerdn [no test files] ? github.com/globalsign/certlint/checks/certificate/keyusage [no test files] ? github.com/globalsign/certlint/checks/certificate/publickey [no test files] ? github.com/globalsign/certlint/checks/certificate/publickey/goodkey [no test files] ok github.com/globalsign/certlint/checks/certificate/publicsuffix (cached) ? github.com/globalsign/certlint/checks/certificate/revocation [no test files] ? github.com/globalsign/certlint/checks/certificate/serialnumber [no test files] ? github.com/globalsign/certlint/checks/certificate/signaturealgorithm [no test files] ok github.com/globalsign/certlint/checks/certificate/subject (cached) ok github.com/globalsign/certlint/checks/certificate/subjectaltname (cached) ? github.com/globalsign/certlint/checks/certificate/validity [no test files] ? github.com/globalsign/certlint/checks/certificate/version [no test files] ? github.com/globalsign/certlint/checks/certificate/wildcard [no test files] ? github.com/globalsign/certlint/checks/extensions/adobetimestamp [no test files] ? github.com/globalsign/certlint/checks/extensions/all [no test files] ? github.com/globalsign/certlint/checks/extensions/authorityinfoaccess [no test files] ? github.com/globalsign/certlint/checks/extensions/authoritykeyid [no test files] ? github.com/globalsign/certlint/checks/extensions/basicconstraints [no test files] ? github.com/globalsign/certlint/checks/extensions/crldistributionpoints [no test files] ? github.com/globalsign/certlint/checks/extensions/ct [no test files] ? github.com/globalsign/certlint/checks/extensions/extkeyusage [no test files] ? github.com/globalsign/certlint/checks/extensions/keyusage [no test files] ? github.com/globalsign/certlint/checks/extensions/nameconstraints [no test files] ok github.com/globalsign/certlint/checks/extensions/ocspmuststaple (cached) ? github.com/globalsign/certlint/checks/extensions/ocspnocheck [no test files] ? github.com/globalsign/certlint/checks/extensions/pdfrevocation [no test files] ? github.com/globalsign/certlint/checks/extensions/policyidentifiers [no test files] ? github.com/globalsign/certlint/checks/extensions/smimecapabilities [no test files] ? github.com/globalsign/certlint/checks/extensions/subjectaltname [no test files] ? github.com/globalsign/certlint/checks/extensions/subjectkeyid [no test files] ok github.com/globalsign/certlint/errors (cached) ? github.com/globalsign/certlint/examples/ct [no test files] ? github.com/globalsign/certlint/examples/specificchecks [no test files] ``` * Certchecker: Remove OCSP Must Staple err ignore, fix typos. This commit removes the explicit ignore for OCSP Must Staple errors that was added when the upstream `certlint` package didn't understand that PKIX extension. That problem was resolved and so we can remove the ignore from `cert-checker`. This commit also fixes two typos that were fixed upstream and needed to be reflected in expected error messages in the `certlint` unit test. * Certchecker: Ignore Certlint CN/SAN == PSL errors. `globalsign/certlint`, used by `cmd/cert-checker` to vet certs, improperly flags certificates that have subj CN/SANs equal to a private entry in the public suffix list as faulty. This commit adds a regex that will skip errors that match the certlint PSL error string. Prior to this workaround the addition of a private PSL entry as a SAN in the `TestCheckCert` test cert fails the test: ``` --- FAIL: TestCheckCert (1.72s) main_test.go:221: Found unexpected problem 'Certificate subjectAltName "dev-myqnapcloud.com" equals "dev-myqnapcloud.com" from the public suffix list'. ``` With the workaround in place, the test passes again.	2018-04-04 12:20:43 -04:00
..
main.go	Cert-checker: Update certlint, add CN/SAN==PSL err ignore. (#3600 )	2018-04-04 12:20:43 -04:00
main_test.go	Cert-checker: Update certlint, add CN/SAN==PSL err ignore. (#3600 )	2018-04-04 12:20:43 -04:00

Cert-checker: Update certlint, add CN/SAN==PSL err ignore. (#3600 )

* Update `globalsign/certlint` to d4a45be.

This commit updates the `github.com/globalsign/certlint` dependency to
the latest tip of master (d4a45be06892f3e664f69892aca79a48df510be0).

Unit tests are confirmed to pass:
```
$ go test ./...
ok    github.com/globalsign/certlint  3.816s
ok    github.com/globalsign/certlint/asn1 (cached)
?     github.com/globalsign/certlint/certdata [no test files]
?     github.com/globalsign/certlint/checks [no test files]
?     github.com/globalsign/certlint/checks/certificate/aiaissuers  [no
test files]
?     github.com/globalsign/certlint/checks/certificate/all [no test
files]
?     github.com/globalsign/certlint/checks/certificate/basicconstraints
[no test files]
?     github.com/globalsign/certlint/checks/certificate/extensions  [no
test files]
?     github.com/globalsign/certlint/checks/certificate/extkeyusage [no
test files]
ok    github.com/globalsign/certlint/checks/certificate/internal
(cached)
?     github.com/globalsign/certlint/checks/certificate/issuerdn  [no
test files]
?     github.com/globalsign/certlint/checks/certificate/keyusage  [no
test files]
?     github.com/globalsign/certlint/checks/certificate/publickey [no
test files]
?     github.com/globalsign/certlint/checks/certificate/publickey/goodkey
[no test files]
ok    github.com/globalsign/certlint/checks/certificate/publicsuffix
(cached)
?     github.com/globalsign/certlint/checks/certificate/revocation  [no
test files]
?     github.com/globalsign/certlint/checks/certificate/serialnumber
[no test files]
?     github.com/globalsign/certlint/checks/certificate/signaturealgorithm
[no test files]
ok    github.com/globalsign/certlint/checks/certificate/subject (cached)
ok    github.com/globalsign/certlint/checks/certificate/subjectaltname
(cached)
?     github.com/globalsign/certlint/checks/certificate/validity  [no
test files]
?     github.com/globalsign/certlint/checks/certificate/version [no test
files]
?     github.com/globalsign/certlint/checks/certificate/wildcard  [no
test files]
?     github.com/globalsign/certlint/checks/extensions/adobetimestamp
[no test files]
?     github.com/globalsign/certlint/checks/extensions/all  [no test
files]
?     github.com/globalsign/certlint/checks/extensions/authorityinfoaccess
[no test files]
?     github.com/globalsign/certlint/checks/extensions/authoritykeyid
[no test files]
?     github.com/globalsign/certlint/checks/extensions/basicconstraints
[no test files]
?     github.com/globalsign/certlint/checks/extensions/crldistributionpoints
[no test files]
?     github.com/globalsign/certlint/checks/extensions/ct [no test
files]
?     github.com/globalsign/certlint/checks/extensions/extkeyusage  [no
test files]
?     github.com/globalsign/certlint/checks/extensions/keyusage [no test
files]
?     github.com/globalsign/certlint/checks/extensions/nameconstraints
[no test files]
ok    github.com/globalsign/certlint/checks/extensions/ocspmuststaple
(cached)
?     github.com/globalsign/certlint/checks/extensions/ocspnocheck  [no
test files]
?     github.com/globalsign/certlint/checks/extensions/pdfrevocation
[no test files]
?     github.com/globalsign/certlint/checks/extensions/policyidentifiers
[no test files]
?     github.com/globalsign/certlint/checks/extensions/smimecapabilities
[no test files]
?     github.com/globalsign/certlint/checks/extensions/subjectaltname
[no test files]
?     github.com/globalsign/certlint/checks/extensions/subjectkeyid [no
test files]
ok    github.com/globalsign/certlint/errors (cached)
?     github.com/globalsign/certlint/examples/ct  [no test files]
?     github.com/globalsign/certlint/examples/specificchecks  [no test
files]
```

* Certchecker: Remove OCSP Must Staple err ignore, fix typos.

This commit removes the explicit ignore for OCSP Must Staple errors that
was added when the upstream `certlint` package didn't understand that
PKIX extension. That problem was resolved and so we can remove the
ignore from `cert-checker`.

This commit also fixes two typos that were fixed upstream and needed to
be reflected in expected error messages in the `certlint` unit test.

* Certchecker: Ignore Certlint CN/SAN == PSL errors.

`globalsign/certlint`, used by `cmd/cert-checker` to vet certs,
improperly flags certificates that have subj CN/SANs equal to a private
entry in the public suffix list as faulty.

This commit adds a regex that will skip errors that match the certlint
PSL error string. Prior to this workaround the addition of a private PSL
entry as a SAN in the `TestCheckCert` test cert fails the test:

```
--- FAIL: TestCheckCert (1.72s)
  main_test.go:221: Found unexpected problem 'Certificate subjectAltName
  "dev-myqnapcloud.com" equals "dev-myqnapcloud.com" from the public
  suffix list'.
```

With the workaround in place, the test passes again.

2018-04-04 12:20:43 -04:00

main.go

Cert-checker: Update certlint, add CN/SAN==PSL err ignore. (#3600 )

2018-04-04 12:20:43 -04:00

main_test.go

Cert-checker: Update certlint, add CN/SAN==PSL err ignore. (#3600 )

2018-04-04 12:20:43 -04:00