Skip to content

Commit

Permalink
synchronised with project
Browse files Browse the repository at this point in the history
  • Loading branch information
mtgag committed Aug 7, 2024
2 parents 6b4c5ed + f83e4e2 commit b6fbd3d
Show file tree
Hide file tree
Showing 70 changed files with 4,115 additions and 25 deletions.
2 changes: 1 addition & 1 deletion .github/workflows/release.yml
Original file line number Diff line number Diff line change
Expand Up @@ -23,7 +23,7 @@ jobs:
uses: goreleaser/goreleaser-action@v2
with:
version: latest
args: release --rm-dist
args: release --clean
workdir: v3
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
2 changes: 1 addition & 1 deletion README.md
Original file line number Diff line number Diff line change
Expand Up @@ -251,7 +251,7 @@ Here are some projects/CAs known to integrate with ZLint in some fashion:
* [Microsoft](https://www.microsoft.com)
* [Nexus Certificate Manager](https://doc.nexusgroup.com/display/PUB/Smart+ID+Certificate+Manager)
* [QuoVadis](https://www.quovadisglobal.com/)
* [Sectigo](https://sectigo.com/) and [crt.sh](https://crt.sh)
* [Sectigo](https://sectigo.com/), [crt.sh](https://crt.sh/), and [pkimetal](https://github.com/pkimetal/pkimetal)
* [Siemens](https://siemens.com/pki)
* [SSL.com](https://www.ssl.com/)
* [PKI Insights](https://www.codegic.com/pki-insights-health-monitoring-for-microsoft-ca/)
Expand Down
18 changes: 10 additions & 8 deletions v3/integration/config.json
Original file line number Diff line number Diff line change
Expand Up @@ -426,6 +426,9 @@
"ErrCount": 2
},
"e_ev_country_name_missing": {},
"e_ev_invalid_business_category": {
"ErrCount": 10957
},
"e_ev_not_wildcard": {
"ErrCount": 1
},
Expand Down Expand Up @@ -839,6 +842,9 @@
"ErrCount": 12
},
"e_cab_dv_subject_invalid_values": {},
"e_aia_must_contain_permitted_access_method": {},
"e_aia_ocsp_must_have_http_only": {},
"e_aia_unique_access_locations": {},
"n_ca_digital_signature_not_set": {
"NoticeCount": 1405
},
Expand Down Expand Up @@ -986,8 +992,6 @@
"w_subject_surname_recommended_max_length": {},
"w_tls_server_cert_valid_time_longer_than_397_days": {
"WarnCount": 223
<<<<<<< HEAD
<<<<<<< HEAD
},
"w_qcstatem_psd2_psd2statem_ncaid_eulist": {
"WarnCount": 2
Expand All @@ -997,14 +1001,12 @@
},
"w_sub_cert_aia_contains_internal_names": {
"WarnCount": 210
=======
>>>>>>> 4b2f38b56132eda5017d637ed07ef9be59ab6976
}
=======
},
"e_ca_invalid_eku": {
"ErrCount": 1
}
>>>>>>> 04d863f7660edfe0498162334524742397226fb2
},
"e_subj_country_not_uppercase": {
"ErrCount": 1303
}
}
}
3 changes: 3 additions & 0 deletions v3/integration/small.config.json
Original file line number Diff line number Diff line change
Expand Up @@ -329,6 +329,9 @@
"n_ca_digital_signature_not_set": {
"NoticeCount": 29
},
"e_aia_must_contain_permitted_access_method": {},
"e_aia_ocsp_must_have_http_only": {},
"e_aia_unique_access_locations": {},
"n_contains_redacted_dnsname": {
"NoticeCount": 8
},
Expand Down
5 changes: 4 additions & 1 deletion v3/lint/base.go
Original file line number Diff line number Diff line change
Expand Up @@ -221,7 +221,10 @@ func (l *CertificateLint) Execute(cert *x509.Certificate, config Configuration)
if l.Source == CABFBaselineRequirements && !util.IsServerAuthCert(cert) {
return &LintResult{Status: NA}
}
if l.Source == CABFSMIMEBaselineRequirements && !((util.IsEmailProtectionCert(cert) && util.HasEmailSAN(cert)) || util.IsSMIMEBRCertificate(cert)) {
if l.Source == CABFSMIMEBaselineRequirements && !util.IsEmailProtectionCert(cert) {
return &LintResult{Status: NA}
}
if l.Source == CABFCSBaselineRequirements && !util.IsCodeSigning(cert.PolicyIdentifiers) {
return &LintResult{Status: NA}
}
lint := l.Lint()
Expand Down
1 change: 1 addition & 0 deletions v3/lint/source.go
Original file line number Diff line number Diff line change
Expand Up @@ -35,6 +35,7 @@ const (
RFC6962 LintSource = "RFC6962"
RFC8813 LintSource = "RFC8813"
CABFBaselineRequirements LintSource = "CABF_BR"
CABFCSBaselineRequirements LintSource = "CABF_CS_BR"
CABFSMIMEBaselineRequirements LintSource = "CABF_SMIME_BR"
CABFEVGuidelines LintSource = "CABF_EV"
MozillaRootStorePolicy LintSource = "Mozilla"
Expand Down
113 changes: 113 additions & 0 deletions v3/lints/cabf_br/lint_aia_must_contain_permitted_access_method.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,113 @@
package cabf_br

/*
* ZLint Copyright 2024 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/

import (
"fmt"

"github.com/zmap/zcrypto/encoding/asn1"
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v3/lint"
"github.com/zmap/zlint/v3/util"
)

type bRAIAAccessMethodAllowed struct{}

/************************************************************************
7.1.2.7.7 Subscriber Certificate Authority Information Access
The AuthorityInfoAccessSyntax MUST contain one or more AccessDescriptions. Each
AccessDescription MUST only contain a permitted accessMethod, as detailed below, and
each accessLocation MUST be encoded as the specified GeneralName type.
The AuthorityInfoAccessSyntax MAY contain multiple AccessDescriptions with the
same accessMethod, if permitted for that accessMethod. When multiple
AccessDescriptions are present with the same accessMethod, each accessLocation
MUST be unique, and each AccessDescription MUST be ordered in priority for that
accessMethod, with the most‐preferred accessLocation being the first
AccessDescription. No ordering requirements are given for AccessDescriptions that
contain different accessMethods, provided that previous requirement is satisfied.
Each AccessDescription MUST only contain a permitted accessMethod, as detailed below,
and each accessLocation MUST be encoded as the specified GeneralName type.
This lint checks that only the id-ad-ocsp or id-ad-caIssuers accessMethod is present
and that the value is a uniformResourceIdentifier GeneralName.
GeneralName ::= CHOICE {
otherName [0] AnotherName,
rfc822Name [1] IA5String,
dNSName [2] IA5String,
x400Address [3] ORAddress,
directoryName [4] Name,
ediPartyName [5] EDIPartyName,
uniformResourceIdentifier [6] IA5String,
iPAddress [7] OCTET STRING,
registeredID [8] OBJECT IDENTIFIER }
*************************************************************************/

func init() {
lint.RegisterCertificateLint(&lint.CertificateLint{
LintMetadata: lint.LintMetadata{
Name: "e_aia_must_contain_permitted_access_method",
Description: "The AIA must contain only the id-ad-ocsp or id-ad-caIssuers accessMethod. Others are not allowed. Also, each accessLocation MUST be encoded as uniformResourceIdentifier GeneralName.",
Citation: "BRs: 7.1.2.7.7",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.SC62EffectiveDate,
},
Lint: NewBRAIAAccessMethodAllowed,
})
}

func NewBRAIAAccessMethodAllowed() lint.LintInterface {
return &bRAIAAccessMethodAllowed{}
}

func (l *bRAIAAccessMethodAllowed) CheckApplies(c *x509.Certificate) bool {
return util.IsSubscriberCert(c) && util.IsExtInCert(c, util.AiaOID)
}

func (l *bRAIAAccessMethodAllowed) Execute(c *x509.Certificate) *lint.LintResult {

// see x509.go
for _, ext := range c.Extensions {
if ext.Id.Equal(util.AiaOID) {
var aia []authorityInfoAccess
_, err := asn1.Unmarshal(ext.Value, &aia)
if err != nil {
return &lint.LintResult{Status: lint.Fatal}
}
for _, v := range aia {
if v.Location.Tag != 6 {
return &lint.LintResult{Status: lint.Error, Details: fmt.Sprintf("Certificate has an invalid GeneralName with tag %d in an accessLocation.", v.Location.Tag)}
}

if !(v.Method.Equal(idAdCaIssuers) || v.Method.Equal(idAdOCSP)) {
return &lint.LintResult{Status: lint.Error, Details: fmt.Sprintf("Certificate has an invalid accessMethod with OID %s.", v.Method)}
}
}
}
}

return &lint.LintResult{Status: lint.Pass}
}

type authorityInfoAccess struct {
Method asn1.ObjectIdentifier
Location asn1.RawValue
}

var (
idAdOCSP = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 48, 1}
idAdCaIssuers = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 48, 2}
)
102 changes: 102 additions & 0 deletions v3/lints/cabf_br/lint_aia_must_contain_permitted_access_method_test.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,102 @@
package cabf_br

/*
* ZLint Copyright 2024 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/

import (
"testing"

"github.com/zmap/zlint/v3/lint"
"github.com/zmap/zlint/v3/test"
)

func TestBRAIAAccessMethodAllowed(t *testing.T) {
testCases := []struct {
Name string
InputFilename string

ExpectedResult lint.LintStatus
ExpectedDetails string
}{
{
Name: "pass - AIA has only one HTTP URI for id-ad-caIssuers accessMethod.",
InputFilename: "aiaCaIssuersHTTPOnly.pem",

ExpectedResult: lint.Pass,
},
{
Name: "NA - AIA is missing.",
InputFilename: "subjectOCorrectEncoding.pem",

ExpectedResult: lint.NA,
},
{
Name: "pass - AIA has one HTTP URL for id-ad-ocsp accessMethod.",
InputFilename: "aiaCaIssuersHttpOnlyNoCAIssuers.pem",

ExpectedResult: lint.Pass,
},
{
Name: "pass - AIA has two HTTP URLs for id-ad-ocsp accessMethod, one is HTTP the other is LDAP.",
InputFilename: "aiaOCSPOneHTTPOneLDAP.pem",

ExpectedResult: lint.Pass,
},
{
Name: "pass - AIA has one HTTPS URL for id-ad-ocsp accessMethod.",
InputFilename: "aiaOCSPWithHTTPSURL.pem",

ExpectedResult: lint.Pass,
},
{
Name: "error - AIA has one unsupported access method (OID is the DV policy OID).",
InputFilename: "unsupportedAccessMethod.pem",

ExpectedResult: lint.Error,
ExpectedDetails: "Certificate has an invalid accessMethod with OID 2.23.140.1.2.1.",
},
{
Name: "error - AIA has the id-ad-ocsp accessMethod with an rfc822Name as value.",
InputFilename: "aiaWrongGeneralName.pem",

ExpectedResult: lint.Error,
ExpectedDetails: "Certificate has an invalid GeneralName with tag 1 in an accessLocation.",
},
{
Name: "NE - AIA has only one HTTP URI for id-ad-ocsp accessMethod and it is issued before September 15th 2023.",
InputFilename: "aiaOCSPHttpOnlyNE.pem",

ExpectedResult: lint.NE,
},
{
Name: "NA - CA certificate issued on September 15th 2023.",
InputFilename: "caCertificateAfter15092023.pem",

ExpectedResult: lint.NA,
},
}

for _, tc := range testCases {
t.Run(tc.Name, func(t *testing.T) {
result := test.TestLint("e_aia_must_contain_permitted_access_method", tc.InputFilename)
if result.Status != tc.ExpectedResult {
t.Errorf("expected result %v was %v", tc.ExpectedResult, result.Status)
}

if tc.ExpectedResult == lint.Error && tc.ExpectedDetails != result.Details {
t.Errorf("expected details: %q, was %q", tc.ExpectedDetails, result.Details)
}
})
}
}
78 changes: 78 additions & 0 deletions v3/lints/cabf_br/lint_aia_ocsp_must_have_http_only.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,78 @@
package cabf_br

/*
* ZLint Copyright 2024 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/

import (
"fmt"
"net/url"

"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v3/lint"
"github.com/zmap/zlint/v3/util"
)

type bRAIAOCSPHasHTTPOnly struct{}

/************************************************************************
7.1.2.7.7 Subscriber Certificate Authority Information Access
The AuthorityInfoAccessSyntax MUST contain one or more AccessDescriptions. Each
AccessDescription MUST only contain a permitted accessMethod, as detailed below, and
each accessLocation MUST be encoded as the specified GeneralName type.
The AuthorityInfoAccessSyntax MAY contain multiple AccessDescriptions with the
same accessMethod, if permitted for that accessMethod. When multiple
AccessDescriptions are present with the same accessMethod, each accessLocation
MUST be unique, and each AccessDescription MUST be ordered in priority for that
accessMethod, with the most‐preferred accessLocation being the first
AccessDescription. No ordering requirements are given for AccessDescriptions that
contain different accessMethods, provided that previous requirement is satisfied.
id-ad-ocsp
1.3.6.1.5.5.7.48.1 uniformResourceIdentifier MUST A HTTP URL of the
Issuing CA’s OCSP responder.
*************************************************************************/

func init() {
lint.RegisterCertificateLint(&lint.CertificateLint{
LintMetadata: lint.LintMetadata{
Name: "e_aia_ocsp_must_have_http_only",
Description: "The id-ad-ocsp accessMethod must contain an HTTP URL of the of the Issuing CA’s OCSP responder. Other schemes are not allowed.",
Citation: "BRs: 7.1.2.7.7",
Source: lint.CABFBaselineRequirements,
EffectiveDate: util.SC62EffectiveDate,
},
Lint: NewBRAIAOCSPHasHTTPOnly,
})
}

func NewBRAIAOCSPHasHTTPOnly() lint.LintInterface {
return &bRAIAOCSPHasHTTPOnly{}
}

func (l *bRAIAOCSPHasHTTPOnly) CheckApplies(c *x509.Certificate) bool {
return len(c.OCSPServer) > 0 && util.IsSubscriberCert(c)
}

func (l *bRAIAOCSPHasHTTPOnly) Execute(c *x509.Certificate) *lint.LintResult {
for _, u := range c.OCSPServer {
purl, err := url.Parse(u)
if err != nil {
return &lint.LintResult{Status: lint.Error, Details: "Could not parse OCSP URL in AIA."}
}
if purl.Scheme != "http" {
return &lint.LintResult{Status: lint.Error, Details: fmt.Sprintf("Found scheme %s in OCSP URL of AIA, which is not allowed.", purl.Scheme)}
}
}
return &lint.LintResult{Status: lint.Pass}
}
Loading

0 comments on commit b6fbd3d

Please sign in to comment.