Lints for CABF SMIME BRs 7.1.2.3.f - EKUs (#747)

* Add lints to enforce SMIME BR EKU restrictions * Tidy up smime_policies util file by removing some unused code. * Address issue raised with mailbox validated field restrictions lint checkApplies * Add subscriber certificate requirement to EKU lint CheckApplies functions --------- Co-authored-by: Christopher Henderson <chris@chenderson.org>
zmap · Oct 22, 2023 · 1c307f4 · 1c307f4
1 parent 553276d
commit 1c307f4
Show file tree

Hide file tree

Showing 13 changed files with 539 additions and 41 deletions.
diff --git a/v3/lints/cabf_smime_br/mailbox_validated_enforce_subject_field_restrictions.go b/v3/lints/cabf_smime_br/mailbox_validated_enforce_subject_field_restrictions.go
@@ -72,12 +72,13 @@ func NewMailboxValidatedEnforceSubjectFieldRestrictions() lint.LintInterface {
 	}
 }
 
-// CheckApplies returns true if the provided certificate contains one-or-more of the following SMIME BR policy identifiers:
+// CheckApplies returns true if the provided certificate is a subscriber certificate and contains one-or-more of the following
+// SMIME BR policy identifiers:
 //   - Mailbox Validated Legacy
 //   - Mailbox Validated Multipurpose
 //   - Mailbox Validated Strict
 func (l *mailboxValidatedEnforceSubjectFieldRestrictions) CheckApplies(c *x509.Certificate) bool {
-	return util.IsMailboxValidatedCertificate(c)
+	return util.IsMailboxValidatedCertificate(c) && util.IsSubscriberCert(c)
 }
 
 // Execute applies the requirements on what fields are allowed for mailbox validated SMIME certificates

diff --git a/v3/lints/cabf_smime_br/smime_legacy_multipurpose_eku_check.go b/v3/lints/cabf_smime_br/smime_legacy_multipurpose_eku_check.go
@@ -0,0 +1,80 @@
+package cabf_smime_br
+
+/*
+ * ZLint Copyright 2023 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+import (
+	"github.com/zmap/zcrypto/x509"
+	"github.com/zmap/zlint/v3/lint"
+	"github.com/zmap/zlint/v3/util"
+)
+
+// shallHaveCrlDistributionPoints - linter to enforce requirement that SMIME certificates SHALL contain emailProtecton EKU
+type legacyMultipurposeEKUCheck struct {
+}
+
+func init() {
+	lint.RegisterCertificateLint(&lint.CertificateLint{
+		LintMetadata: lint.LintMetadata{
+			Name:          "e_smime_legacy_multipurpose_eku_check",
+			Description:   "Strict/Multipurpose and Legacy: id-kp-emailProtection SHALL be present. Other values MAY be present.  The values id-kp-serverAuth, id-kp-codeSigning, id-kp-timeStamping, and anyExtendedKeyUsage values SHALL NOT be present.",
+			Citation:      "SMIME BRs: 7.1.2.3.f",
+			Source:        lint.CABFSMIMEBaselineRequirements,
+			EffectiveDate: util.CABF_SMIME_BRs_1_0_0_Date,
+		},
+		Lint: NewLegacyMultipurposeEKUCheck,
+	})
+}
+
+// NewShallHaveCrlDistributionPoints creates a new linter to enforce MAY/SHALL NOT field requirements for mailbox validated SMIME certs
+func NewLegacyMultipurposeEKUCheck() lint.CertificateLintInterface {
+	return &legacyMultipurposeEKUCheck{}
+}
+
+// CheckApplies returns true if the provided certificate contains one-or-more of the following SMIME BR policy identifiers:
+//   - Mailbox Validated Legacy
+//   - Mailbox Validated Multipurpose
+//   - Organization Validated Legacy
+//   - Organization Validated Multipurpose
+//   - Sponsor Validated Legacy
+//   - Sponsor Validated Multipurpose
+//   - Individual Validated Legacy
+//   - Individual Validated Multipurpose
+func (l *legacyMultipurposeEKUCheck) CheckApplies(c *x509.Certificate) bool {
+	return (util.IsLegacySMIMECertificate(c) || util.IsMultipurposeSMIMECertificate(c)) && util.IsSubscriberCert(c)
+}
+
+// Execute applies the requirements on what fields are allowed for mailbox validated SMIME certificates
+func (l *legacyMultipurposeEKUCheck) Execute(c *x509.Certificate) *lint.LintResult {
+	hasEmailProtectionEKU := false
+	ekusOK := true
+
+	for _, eku := range c.ExtKeyUsage {
+		if eku == x509.ExtKeyUsageEmailProtection {
+			hasEmailProtectionEKU = true
+		} else if eku == x509.ExtKeyUsageServerAuth || eku == x509.ExtKeyUsageCodeSigning || eku == x509.ExtKeyUsageTimeStamping || eku == x509.ExtKeyUsageAny {
+			ekusOK = false
+		}
+	}
+
+	if !hasEmailProtectionEKU {
+		return &lint.LintResult{Status: lint.Error, Details: "id-kp-emailProtection SHALL be present"}
+	}
+
+	if !ekusOK {
+		return &lint.LintResult{Status: lint.Error, Details: "id-kp-serverAuth, id-kp-codeSigning, id-kp-timeStamping, and anyExtendedKeyUsage values SHALL NOT be present"}
+	}
+
+	return &lint.LintResult{Status: lint.Pass}
+}
diff --git a/v3/lints/cabf_smime_br/smime_legacy_multipurpose_eku_check_test.go b/v3/lints/cabf_smime_br/smime_legacy_multipurpose_eku_check_test.go
@@ -0,0 +1,73 @@
+package cabf_smime_br
+
+/*
+ * ZLint Copyright 2021 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+import (
+	"testing"
+
+	"github.com/zmap/zlint/v3/lint"
+	"github.com/zmap/zlint/v3/test"
+)
+
+func TestLegacyMultipurposeEKUCheck(t *testing.T) {
+	testCases := []struct {
+		Name          string
+		InputFilename string
+
+		ExpectedResult  lint.LintStatus
+		ExpectedDetails string
+	}{
+		{
+			Name:           "pass - mailbox validated, legacy with commonName",
+			InputFilename:  "smime/mailboxValidatedLegacyWithCommonName.pem",
+			ExpectedResult: lint.Pass,
+		},
+		{
+			Name:           "na - certificate without mailbox validated policy",
+			InputFilename:  "smime/domainValidatedWithEmailCommonName.pem",
+			ExpectedResult: lint.NA,
+		},
+		{
+			Name:           "ne - certificate with NotBefore before effective date of lint",
+			InputFilename:  "smime/mailboxValidatedLegacyWithCommonNameMay2023.pem",
+			ExpectedResult: lint.NE,
+		},
+		{
+			Name:            "error - certificate without emailProtection EKU",
+			InputFilename:   "smime/mailboxValidatedLegacyWithoutEmailProtectionEKU.pem",
+			ExpectedResult:  lint.Error,
+			ExpectedDetails: "id-kp-emailProtection SHALL be present",
+		},
+		{
+			Name:            "error - certificate containing serverAuthEKU",
+			InputFilename:   "smime/organizationValidatedMultipurposeWithServerAuthEKU.pem",
+			ExpectedResult:  lint.Error,
+			ExpectedDetails: "id-kp-serverAuth, id-kp-codeSigning, id-kp-timeStamping, and anyExtendedKeyUsage values SHALL NOT be present",
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.Name, func(t *testing.T) {
+			result := test.TestLint("e_smime_legacy_multipurpose_eku_check", tc.InputFilename)
+			if result.Status != tc.ExpectedResult {
+				t.Errorf("expected result %v was %v - details: %v", tc.ExpectedResult, result.Status, result.Details)
+			}
+
+			if tc.ExpectedDetails != "" && tc.ExpectedDetails != result.Details {
+				t.Errorf("expected details: %s, was %s", tc.ExpectedDetails, result.Details)
+			}
+		})
+	}
+}
diff --git a/v3/lints/cabf_smime_br/smime_strict_eku_check.go b/v3/lints/cabf_smime_br/smime_strict_eku_check.go
@@ -0,0 +1,71 @@
+package cabf_smime_br
+
+/*
+ * ZLint Copyright 2023 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+import (
+	"github.com/zmap/zcrypto/x509"
+	"github.com/zmap/zlint/v3/lint"
+	"github.com/zmap/zlint/v3/util"
+)
+
+// strictEKUCheck - linter to enforce requirement that SMIME certificates SHALL contain emailProtecton EKU
+type strictEKUCheck struct {
+}
+
+func init() {
+	lint.RegisterCertificateLint(&lint.CertificateLint{
+		LintMetadata: lint.LintMetadata{
+			Name:          "e_smime_strict_eku_check",
+			Description:   "Strict: id-kp-emailProtection SHALL be present.  Other values SHALL NOT be present",
+			Citation:      "SMIME BRs: 7.1.2.3.f",
+			Source:        lint.CABFSMIMEBaselineRequirements,
+			EffectiveDate: util.CABF_SMIME_BRs_1_0_0_Date,
+		},
+		Lint: NewStrictEKUCheck,
+	})
+}
+
+// NewShallHaveCrlDistributionPoints creates a new linter to enforce MAY/SHALL NOT field requirements for mailbox validated SMIME certs
+func NewStrictEKUCheck() lint.CertificateLintInterface {
+	return &strictEKUCheck{}
+}
+
+// CheckApplies returns true if the provided certificate contains one-or-more of the following SMIME BR policy identifiers:
+//   - Mailbox Validated Strict
+//   - Organization Validated Strict
+//   - Sponsor Validated Strict
+//   - Individual Validated Strict
+func (l *strictEKUCheck) CheckApplies(c *x509.Certificate) bool {
+	return util.IsStrictSMIMECertificate(c) && util.IsSubscriberCert(c)
+}
+
+// Execute applies the requirements on what fields are allowed for mailbox validated SMIME certificates
+func (l *strictEKUCheck) Execute(c *x509.Certificate) *lint.LintResult {
+	hasEmailProtectionEKU := false
+
+	for _, eku := range c.ExtKeyUsage {
+		if eku == x509.ExtKeyUsageEmailProtection {
+			hasEmailProtectionEKU = true
+		} else {
+			return &lint.LintResult{Status: lint.Error}
+		}
+	}
+
+	if hasEmailProtectionEKU {
+		return &lint.LintResult{Status: lint.Pass}
+	}
+
+	return &lint.LintResult{Status: lint.Error}
+}
diff --git a/v3/lints/cabf_smime_br/smime_strict_eku_check_test.go b/v3/lints/cabf_smime_br/smime_strict_eku_check_test.go
@@ -0,0 +1,66 @@
+package cabf_smime_br
+
+/*
+ * ZLint Copyright 2021 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+import (
+	"testing"
+
+	"github.com/zmap/zlint/v3/lint"
+	"github.com/zmap/zlint/v3/test"
+)
+
+func TestStrictEKUCheck(t *testing.T) {
+	testCases := []struct {
+		Name          string
+		InputFilename string
+
+		ExpectedResult lint.LintStatus
+	}{
+		{
+			Name:           "pass - mailbox validated, strict with EmailProtectionEKU",
+			InputFilename:  "smime/mailboxValidatedStrictWithCommonName.pem",
+			ExpectedResult: lint.Pass,
+		},
+		{
+			Name:           "na - certificate without mailbox validated policy",
+			InputFilename:  "smime/domainValidatedWithEmailCommonName.pem",
+			ExpectedResult: lint.NA,
+		},
+		{
+			Name:           "na - mailbox validated legacy certificate",
+			InputFilename:  "smime/mailboxValidatedLegacyWithCommonName.pem",
+			ExpectedResult: lint.NA,
+		},
+		{
+			Name:           "ne - certificate with NotBefore before effective date of lint",
+			InputFilename:  "smime/mailboxValidatedStrictMay2023.pem",
+			ExpectedResult: lint.NE,
+		},
+		{
+			Name:           "error - certificate with extra EKU",
+			InputFilename:  "smime/individualValidatedStrictWithServerAuthEKU.pem",
+			ExpectedResult: lint.Error,
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.Name, func(t *testing.T) {
+			result := test.TestLint("e_smime_strict_eku_check", tc.InputFilename)
+			if result.Status != tc.ExpectedResult {
+				t.Errorf("expected result %v was %v - details: %v", tc.ExpectedResult, result.Status, result.Details)
+			}
+		})
+	}
+}
diff --git a/v3/testdata/smime/individualValidatedStrictWithServerAuthEKU.pem b/v3/testdata/smime/individualValidatedStrictWithServerAuthEKU.pem
@@ -0,0 +1,41 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 3 (0x3)
+        Signature Algorithm: ecdsa-with-SHA256
+        Issuer: 
+        Validity
+            Not Before: Sep  2 00:00:00 2023 GMT
+            Not After : Nov 30 00:00:00 9998 GMT
+        Subject: CN = johnsmith@example.com
+        Subject Public Key Info:
+            Public Key Algorithm: id-ecPublicKey
+                Public-Key: (256 bit)
+                pub:
+                    04:f3:96:63:02:f4:04:19:9b:03:3f:01:a4:78:80:
+                    f3:fe:ca:fb:ea:54:d1:e0:5c:1d:f9:58:9e:38:9a:
+                    3f:70:b4:b9:3e:41:6f:a5:4c:5f:c3:fc:d4:a6:a3:
+                    e6:c2:34:31:31:f4:ef:7c:15:f4:0d:f3:c5:0d:5d:
+                    36:08:d0:67:20
+                ASN1 OID: prime256v1
+                NIST CURVE: P-256
+        X509v3 extensions:
+            X509v3 Extended Key Usage: 
+                E-mail Protection, TLS Web Server Authentication
+            X509v3 Certificate Policies: 
+                Policy: 2.23.140.1.5.4.3
+
+    Signature Algorithm: ecdsa-with-SHA256
+         30:46:02:21:00:8e:9c:01:a7:ea:ea:5a:ba:1a:7a:a0:e8:34:
+         ef:75:65:32:23:ed:db:6d:b6:f0:6a:c0:6d:f4:1c:6c:17:91:
+         72:02:21:00:e5:1e:31:8b:4e:4f:7e:65:74:c0:75:1d:03:54:
+         6b:c1:21:b7:93:10:81:bf:e2:8c:39:36:05:8d:fb:cf:5b:66
+-----BEGIN CERTIFICATE-----
+MIIBSDCB7qADAgECAgEDMAoGCCqGSM49BAMCMAAwIBcNMjMwOTAyMDAwMDAwWhgP
+OTk5ODExMzAwMDAwMDBaMCAxHjAcBgNVBAMMFWpvaG5zbWl0aEBleGFtcGxlLmNv
+bTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABPOWYwL0BBmbAz8BpHiA8/7K++pU
+0eBcHflYnjiaP3C0uT5Bb6VMX8P81Kaj5sI0MTH073wV9A3zxQ1dNgjQZyCjNzA1
+MB0GA1UdJQQWMBQGCCsGAQUFBwMEBggrBgEFBQcDATAUBgNVHSAEDTALMAkGB2eB
+DAEFBAMwCgYIKoZIzj0EAwIDSQAwRgIhAI6cAafq6lq6Gnqg6DTvdWUyI+3bbbbw
+asBt9BxsF5FyAiEA5R4xi05PfmV0wHUdA1RrwSG3kxCBv+KMOTYFjfvPW2Y=
+-----END CERTIFICATE-----
diff --git a/v3/testdata/smime/mailboxValidatedLegacyWithCommonName.pem b/v3/testdata/smime/mailboxValidatedLegacyWithCommonName.pem
@@ -12,28 +12,30 @@ Certificate:
             Public Key Algorithm: id-ecPublicKey
                 Public-Key: (256 bit)
                 pub:
-                    04:a1:ed:8b:dd:62:fc:cc:2d:f4:28:cd:8c:8d:5a:
-                    1d:1f:6c:36:c3:03:81:b4:9f:6e:6d:2d:90:b1:7d:
-                    fa:2f:eb:d6:3c:83:7c:9f:2c:5a:b4:37:3e:ae:56:
-                    57:6b:db:df:6a:1c:db:73:e6:d4:25:b1:15:d6:47:
-                    f2:71:de:51:d0
+                    04:d7:dd:dd:da:90:73:84:98:a6:9c:29:96:f2:9f:
+                    ae:33:b1:0c:f6:43:5d:78:7f:a7:4a:6b:d0:e4:bf:
+                    9b:b0:13:cb:14:4c:da:79:5b:25:6c:f9:62:e1:fc:
+                    f2:a7:22:6f:3b:98:97:76:08:6b:0e:e7:8b:11:4a:
+                    24:64:e9:c1:bd
                 ASN1 OID: prime256v1
                 NIST CURVE: P-256
         X509v3 extensions:
+            X509v3 Extended Key Usage: 
+                E-mail Protection
             X509v3 Certificate Policies: 
                 Policy: 2.23.140.1.5.1.1
 
     Signature Algorithm: ecdsa-with-SHA256
-         30:45:02:20:41:fa:93:51:d2:80:69:a5:5e:4a:cb:85:6a:1e:
-         47:eb:cb:9b:b3:7b:2b:94:a7:be:a4:b2:55:cc:4a:15:16:f7:
-         02:21:00:81:0c:18:bd:55:7a:16:6a:0c:84:a9:3b:bf:29:e2:
-         21:d0:fd:b6:9b:99:14:5b:0b:55:a8:43:b9:64:b6:8e:dc
+         30:45:02:20:5c:fe:57:a1:85:87:b9:ec:61:51:c0:8d:da:96:
+         d1:1a:09:bd:29:4a:8a:22:f7:c1:a3:93:45:f3:7e:a5:cd:cf:
+         02:21:00:c4:27:2c:38:2e:87:f0:d3:32:5f:82:d5:68:8c:bc:
+         c5:1f:db:c2:9b:ab:5f:07:cf:39:de:49:52:a1:f4:3c:4d
 -----BEGIN CERTIFICATE-----
-MIIBKDCBz6ADAgECAgEDMAoGCCqGSM49BAMCMAAwIBcNMjMwOTAyMDAwMDAwWhgP
+MIIBPTCB5KADAgECAgEDMAoGCCqGSM49BAMCMAAwIBcNMjMwOTAyMDAwMDAwWhgP
 OTk5ODExMzAwMDAwMDBaMCAxHjAcBgNVBAMMFWpvaG5zbWl0aEBleGFtcGxlLmNv
-bTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABKHti91i/Mwt9CjNjI1aHR9sNsMD
-gbSfbm0tkLF9+i/r1jyDfJ8sWrQ3Pq5WV2vb32oc23Pm1CWxFdZH8nHeUdCjGDAW
-MBQGA1UdIAQNMAswCQYHZ4EMAQUBATAKBggqhkjOPQQDAgNIADBFAiBB+pNR0oBp
-pV5Ky4VqHkfry5uzeyuUp76kslXMShUW9wIhAIEMGL1VehZqDISpO78p4iHQ/bab
-mRRbC1WoQ7lkto7c
+bTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABNfd3dqQc4SYppwplvKfrjOxDPZD
+XXh/p0pr0OS/m7ATyxRM2nlbJWz5YuH88qcibzuYl3YIaw7nixFKJGTpwb2jLTAr
+MBMGA1UdJQQMMAoGCCsGAQUFBwMEMBQGA1UdIAQNMAswCQYHZ4EMAQUBATAKBggq
+hkjOPQQDAgNIADBFAiBc/lehhYe57GFRwI3altEaCb0pSooi98Gjk0XzfqXNzwIh
+AMQnLDguh/DTMl+C1WiMvMUf28Kbq18HzzneSVKh9DxN
 -----END CERTIFICATE-----