63 lines
1.7 KiB
Go
63 lines
1.7 KiB
Go
package rfc
|
|
|
|
import (
|
|
"github.com/zmap/zcrypto/x509"
|
|
"github.com/zmap/zlint/v3/lint"
|
|
"github.com/zmap/zlint/v3/util"
|
|
"golang.org/x/crypto/cryptobyte"
|
|
cryptobyte_asn1 "golang.org/x/crypto/cryptobyte/asn1"
|
|
)
|
|
|
|
type crlHasAKI struct{}
|
|
|
|
/************************************************
|
|
RFC 5280: 5.2.1
|
|
Conforming CRL issuers MUST use the key identifier method, and MUST include this
|
|
extension in all CRLs issued.
|
|
************************************************/
|
|
|
|
func init() {
|
|
lint.RegisterRevocationListLint(&lint.RevocationListLint{
|
|
LintMetadata: lint.LintMetadata{
|
|
Name: "e_crl_has_aki",
|
|
Description: "Conforming",
|
|
Citation: "RFC 5280: 5.2.1",
|
|
Source: lint.RFC5280,
|
|
EffectiveDate: util.RFC5280Date,
|
|
},
|
|
Lint: NewCrlHasAKI,
|
|
})
|
|
}
|
|
|
|
func NewCrlHasAKI() lint.RevocationListLintInterface {
|
|
return &crlHasAKI{}
|
|
}
|
|
|
|
func (l *crlHasAKI) CheckApplies(c *x509.RevocationList) bool {
|
|
return true
|
|
}
|
|
|
|
func (l *crlHasAKI) Execute(c *x509.RevocationList) *lint.LintResult {
|
|
if len(c.AuthorityKeyId) == 0 {
|
|
return &lint.LintResult{
|
|
Status: lint.Error,
|
|
Details: "CRLs MUST include the authority key identifier extension",
|
|
}
|
|
}
|
|
aki := cryptobyte.String(c.AuthorityKeyId)
|
|
var akiBody cryptobyte.String
|
|
if !aki.ReadASN1(&akiBody, cryptobyte_asn1.SEQUENCE) {
|
|
return &lint.LintResult{
|
|
Status: lint.Error,
|
|
Details: "CRL has a malformed authority key identifier extension",
|
|
}
|
|
}
|
|
if !akiBody.PeekASN1Tag(cryptobyte_asn1.Tag(0).ContextSpecific()) {
|
|
return &lint.LintResult{
|
|
Status: lint.Error,
|
|
Details: "CRLs MUST use the key identifier method in the authority key identifier extension",
|
|
}
|
|
}
|
|
return &lint.LintResult{Status: lint.Pass}
|
|
}
|