From 08a9354f3002c9eb0b8823d663cd71e7d5a14aa3 Mon Sep 17 00:00:00 2001
From: Christopher Henderson
Date: Sun, 15 Oct 2023 08:28:31 -0700
Subject: [PATCH] Lint for CABF SMIME 7.1.2.3.h - subjectAlternativeName, all: SHALL be present (7.1.2.3.h) (#744)
* Lint for CABF SMIME 7.1.2.3.h - subjectAlternativeName, all: SHALL be present (7.1.2.3.h)
* not exporting
---
 .../lint_san_shall_be_present.go | 53 +++++++++++++++++++
 .../lint_san_shall_be_present_test.go | 35 ++++++++++++
 .../smime/with_subject_alternative_name.pem | 41 ++++++++++++++
 .../without_subject_alternative_name.pem | 38 +++++++++++++
 4 files changed, 167 insertions(+)
 create mode 100644 v3/lints/cabf_smime_br/lint_san_shall_be_present.go
 create mode 100644 v3/lints/cabf_smime_br/lint_san_shall_be_present_test.go
 create mode 100644 v3/testdata/smime/with_subject_alternative_name.pem
 create mode 100644 v3/testdata/smime/without_subject_alternative_name.pem
diff --git a/v3/lints/cabf_smime_br/lint_san_shall_be_present.go b/v3/lints/cabf_smime_br/lint_san_shall_be_present.go
new file mode 100644
index 000000000..48a35b7c8
--- /dev/null
+++ b/v3/lints/cabf_smime_br/lint_san_shall_be_present.go
@@ -0,0 +1,53 @@
+/*
+ * ZLint Copyright 2023 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+package cabf_smime_br
+
+import (
+ "github.com/zmap/zcrypto/x509"
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/util"
+)
+
+func init() {
+ lint.RegisterLint(&lint.Lint{
+ Name: "e_san_shall_be_present",
+ Description: "Subject alternative name SHALL be present",
+ Citation: "7.1.2.3.h",
+ Source: lint.CABFSMIMEBaselineRequirements,
+ EffectiveDate: util.CABF_SMIME_BRs_1_0_0_Date,
+ Lint: NewSubjectAlternativeNameShallBePresent,
+ })
+}
+
+type subjectAlternativeNameShallBePresent struct{}
+
+func NewSubjectAlternativeNameShallBePresent() lint.LintInterface {
+ return &subjectAlternativeNameShallBePresent{}
+}
+
+func (l *subjectAlternativeNameShallBePresent) CheckApplies(c *x509.Certificate) bool {
+ return util.IsSubscriberCert(c)
+}
+
+func (l *subjectAlternativeNameShallBePresent) Execute(c *x509.Certificate) *lint.LintResult {
+ if !util.IsExtInCert(c, util.SubjectAlternateNameOID) {
+ return &lint.LintResult{
+ Status: lint.Error,
+ Details: "SMIME certificate does not have a subject alternative name extension",
+ }
+ } else {
+ return &lint.LintResult{Status: lint.Pass}
+ }
+}
diff --git a/v3/lints/cabf_smime_br/lint_san_shall_be_present_test.go b/v3/lints/cabf_smime_br/lint_san_shall_be_present_test.go
new file mode 100644
index 000000000..b4cc94a84
--- /dev/null
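Review bot: CheckApplies gates only on `util.IsSubscriberCert(c)`, so once the effective date has passed this lint fires on every end-entity certificate zlint processes, not just S/MIME ones, even though the Details string reports "SMIME certificate does not have a subject alternative name extension". Sibling lints in this package presumably gate on an S/MIME-specific applicability predicate from util (check which one the directory uses) and it should be ANDed into CheckApplies here; otherwise a TLS leaf lacking a SAN is flagged under the wrong requirements source. Separately, the `else` after the terminating `return` in Execute is unidiomatic Go: drop the `else` branch and end the function with `return &lint.LintResult{Status: lint.Pass}`. The exported constructor also has no doc comment; a one-liner such as `// NewSubjectAlternativeNameShallBePresent returns a lint requiring the SAN extension in subscriber certificates (CABF S/MIME BR 7.1.2.3.h).` would help.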
+++ b/v3/lints/cabf_smime_br/lint_san_shall_be_present_test.go
@@ -0,0 +1,35 @@
+package cabf_smime_br
+
+import (
+ "testing"
+
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/test"
+)
+
+func TestSubscriberSubjectAlternativeNameShallBePresent(t *testing.T) {
+ testCases := []struct {
+ Name string
+ InputFilename string
+ ExpectedResult lint.LintStatus
+ }{
+ {
+ Name: "pass - cert with SAN",
+ InputFilename: "smime/with_subject_alternative_name.pem",
+ ExpectedResult: lint.Pass,
+ },
+ {
+ Name: "error - cert without SAN",
+ InputFilename: "smime/without_subject_alternative_name.pem",
+ ExpectedResult: lint.Error,
+ },
+ }
+ for _, tc := range testCases {
+ t.Run(tc.Name, func(t *testing.T) {
+ result := test.TestLint("e_san_shall_be_present", tc.InputFilename)
+ if result.Status != tc.ExpectedResult {
+ t.Errorf("expected result %v was %v - details: %v", tc.ExpectedResult, result.Status, result.Details)
+ }
+ })
+ }
+}
diff --git a/v3/testdata/smime/with_subject_alternative_name.pem b/v3/testdata/smime/with_subject_alternative_name.pem
new file mode 100644
index 000000000..f34052eed
--- /dev/null
+++ b/v3/testdata/smime/with_subject_alternative_name.pem
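Review bot: The test table pins only the Pass and Error outcomes, so nothing exercises CheckApplies or the effective date; a regression that made the lint fire on CA certificates, or on leaves issued before `util.CABF_SMIME_BRs_1_0_0_Date`, would pass this test unchanged. Add a case using a CA certificate fixture that expects the not-applicable status (`lint.NA`) and, if the existing testdata has a pre-effective-date leaf, one expecting `lint.NE`; I have not checked which fixtures are already available. Both new fixtures also carry an empty Issuer and Subject, which is fine for this presence check but limits their reuse as pass fixtures for other S/MIME lints.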
@@ -0,0 +1,41 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 3 (0x3)
+ Signature Algorithm: ecdsa-with-SHA256
+ Issuer:
+ Validity
+ Not Before: Sep 30 15:56:47 2023 GMT
+ Not After : Nov 30 00:00:00 9998 GMT
+ Subject:
+ Subject Public Key Info:
+ Public Key Algorithm: id-ecPublicKey
+ Public-Key: (256 bit)
+ pub:
+ 04:69:58:02:49:7d:98:10:6e:6d:f3:3f:8f:2b:9f:
+ 10:df:09:42:d6:c5:1c:22:9c:86:87:e6:1d:ed:ed:
+ d5:98:1d:93:ce:ce:61:2a:8d:44:cb:73:59:90:06:
+ bb:68:e4:7c:24:d0:47:6a:b9:a4:a3:c9:60:a7:4d:
+ 5e:c5:46:dd:bd
+ ASN1 OID: prime256v1
+ NIST CURVE: P-256
+ X509v3 extensions:
+ X509v3 Extended Key Usage:
+ E-mail Protection
+ X509v3 Subject Alternative Name:
+ email:coolguy@coolplace.come
+ Signature Algorithm: ecdsa-with-SHA256
+ Signature Value:
+ 30:45:02:21:00:eb:30:e0:f2:cf:6f:a4:95:ca:6a:e0:a9:e7:
+ 06:ea:4d:b2:18:b7:bd:6e:69:4f:96:c0:07:86:3c:73:b2:2e:
+ 3f:02:20:6e:83:bb:ca:79:8f:91:43:22:08:02:b3:86:30:85:
+ d7:1f:e7:ec:9c:0b:06:58:1b:47:15:08:25:26:99:c2:26
+-----BEGIN CERTIFICATE-----
+MIIBKjCB0aADAgECAgEDMAoGCCqGSM49BAMCMAAwIBcNMjMwOTMwMTU1NjQ3WhgP
+OTk5ODExMzAwMDAwMDBaMAAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARpWAJJ
+fZgQbm3zP48rnxDfCULWxRwinIaH5h3t7dWYHZPOzmEqjUTLc1mQBrto5Hwk0Edq
+uaSjyWCnTV7FRt29ozowODATBgNVHSUEDDAKBggrBgEFBQcDBDAhBgNVHREEGjAY
+gRZjb29sZ3V5QGNvb2xwbGFjZS5jb21lMAoGCCqGSM49BAMCA0gAMEUCIQDrMODy
+z2+klcpq4KnnBupNshi3vW5pT5bAB4Y8c7IuPwIgboO7ynmPkUMiCAKzhjCF1x/n
+7JwLBlgbRxUIJSaZwiY=
+-----END CERTIFICATE-----
diff --git a/v3/testdata/smime/without_subject_alternative_name.pem b/v3/testdata/smime/without_subject_alternative_name.pem
new file mode 100644
index 000000000..67c187986
--- /dev/null
+++ b/v3/testdata/smime/without_subject_alternative_name.pem
@@ -0,0 +1,38 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 3 (0x3)
+ Signature Algorithm: ecdsa-with-SHA256
+ Issuer:
+ Validity
+ Not Before: Sep 30 15:41:50 2023 GMT
+ Not After : Nov 30 00:00:00 9998 GMT
+ Subject:
+ Subject Public Key Info:
+ Public Key Algorithm: id-ecPublicKey
+ Public-Key: (256 bit)
+ pub:
+ 04:8b:93:b2:84:b1:56:f4:cc:df:55:3f:f4:07:2b:
+ d1:5a:bc:52:10:41:aa:91:88:aa:25:ac:02:da:3e:
+ 0c:0e:af:3b:65:49:d5:22:f9:a5:80:f1:83:c6:bc:
+ bb:8e:cf:d1:a6:b5:92:5d:85:6f:91:5e:31:1a:af:
+ 69:04:62:31:86
+ ASN1 OID: prime256v1
+ NIST CURVE: P-256
+ X509v3 extensions:
+ X509v3 Extended Key Usage:
+ E-mail Protection
+ Signature Algorithm: ecdsa-with-SHA256
+ Signature Value:
+ 30:45:02:20:0f:4a:43:42:ff:8b:5a:b3:30:f0:c6:b2:63:1c:
+ 92:39:4d:17:5d:b0:15:70:e9:15:2e:9a:3f:a1:d6:12:c2:79:
+ 02:21:00:a6:91:19:20:11:17:8d:f1:65:e0:f1:33:89:38:42:
+ 24:a5:41:e5:33:6b:53:21:7f:1f:49:49:0f:57:d8:0a:f2
+-----BEGIN CERTIFICATE-----
+MIIBBzCBrqADAgECAgEDMAoGCCqGSM49BAMCMAAwIBcNMjMwOTMwMTU0MTUwWhgP
+OTk5ODExMzAwMDAwMDBaMAAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASLk7KE
+sVb0zN9VP/QHK9FavFIQQaqRiKolrALaPgwOrztlSdUi+aWA8YPGvLuOz9GmtZJd
+hW+RXjEar2kEYjGGoxcwFTATBgNVHSUEDDAKBggrBgEFBQcDBDAKBggqhkjOPQQD
+AgNIADBFAiAPSkNC/4taszDwxrJjHJI5TRddsBVw6RUumj+h1hLCeQIhAKaRGSAR
+F43xZeDxM4k4QiSlQeUza1Mhfx9JSQ9X2Ary
+-----END CERTIFICATE-----