From 38b74849c31c105e7d8469b6efa2d9f9f45281f5 Mon Sep 17 00:00:00 2001 
From: Amir Omidi Date: Tue, 1 Aug 2023 16:31:49 -0400 Subject: [PATCH] Add CRL Lints for the ReasonCode extension from the baseline requirements and RFC 5280 (#715) Add CRL Lints for the ReasonCode extension from the baseline requirements and RFC 5280. https://github.com/zmap/zlint/pull/715 Co-authored-by: Rob <3725956+robplee@users.noreply.github.com> Co-authored-by: David Adrian --- .../lint_cabf_crl_reason_code_not_critical.go | 60 +++++++++++++++ ..._cabf_crl_reason_code_not_critical_test.go | 64 ++++++++++++++++ .../lint_cabf_crl_valid_reason_codes.go | 68 +++++++++++++++++ .../lint_cabf_crl_valid_reason_codes_test.go | 76 +++++++++++++++++++ v3/lints/rfc/lint_crl_valid_reason_codes.go | 73 ++++++++++++++++++ .../rfc/lint_crl_valid_reason_codes_test.go | 70 +++++++++++++++++ v3/testdata/crlEmpty.pem | 8 ++ v3/testdata/crlReasonCodeCrit.pem | 7 ++ v3/testdata/crlThisUpdate20230505.pem | 7 ++ v3/testdata/crlWithReasonCode0.pem | 7 ++ v3/testdata/crlWithReasonCode2.pem | 7 ++ v3/testdata/crlWithReasonCode5.pem | 7 ++ v3/testdata/crlWithReasonCode7.pem | 7 ++ v3/util/oid.go | 1 + v3/util/time.go | 2 + 15 files changed, 464 insertions(+) create mode 100644 v3/lints/cabf_br/lint_cabf_crl_reason_code_not_critical.go create mode 100644 v3/lints/cabf_br/lint_cabf_crl_reason_code_not_critical_test.go create mode 100644 v3/lints/cabf_br/lint_cabf_crl_valid_reason_codes.go create mode 100644 v3/lints/cabf_br/lint_cabf_crl_valid_reason_codes_test.go create mode 100644 v3/lints/rfc/lint_crl_valid_reason_codes.go create mode 100644 v3/lints/rfc/lint_crl_valid_reason_codes_test.go create mode 100644 v3/testdata/crlEmpty.pem create mode 100644 v3/testdata/crlReasonCodeCrit.pem create mode 100644 v3/testdata/crlThisUpdate20230505.pem create mode 100644 v3/testdata/crlWithReasonCode0.pem create mode 100644 v3/testdata/crlWithReasonCode2.pem create mode 100644 v3/testdata/crlWithReasonCode5.pem create mode 100644 v3/testdata/crlWithReasonCode7.pem 
diff --git a/v3/lints/cabf_br/lint_cabf_crl_reason_code_not_critical.go b/v3/lints/cabf_br/lint_cabf_crl_reason_code_not_critical.go
new file mode 100644
index 000000000..2147fc446
--- /dev/null
+++ b/v3/lints/cabf_br/lint_cabf_crl_reason_code_not_critical.go
@@ -0,0 +1,60 @@
+package cabf_br
+
+/*
+ * ZLint Copyright 2023 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+import (
+ "github.com/zmap/zcrypto/x509"
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/util"
+)
+
+type crlReasonCodeNotCritical struct{}
+
+func init() {
+ lint.RegisterRevocationListLint(&lint.RevocationListLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_cab_crl_reason_code_not_critical",
+ Description: "If present, CRL Reason Code extension MUST NOT be marked critical.",
+ Citation: "BRs: 7.2.2",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.CABEffectiveDate,
+ },
+ Lint: NewCrlReasonCodeNotCritical,
+ })
+}
+
+func NewCrlReasonCodeNotCritical() lint.RevocationListLintInterface {
+ return &crlReasonCodeNotCritical{}
+}
+
+func (l *crlReasonCodeNotCritical) CheckApplies(c *x509.RevocationList) bool {
+ return len(c.RevokedCertificates) > 0
+}
+
+func (l *crlReasonCodeNotCritical) Execute(c *x509.RevocationList) *lint.LintResult {
+ for _, c := range c.RevokedCertificates {
+ if c.ReasonCode == nil {
+ continue
+ }
+ for _, ext := range c.Extensions {
+ if ext.Id.Equal(util.ReasonCodeOID) {
+ if ext.Critical {
+ return &lint.LintResult{Status: lint.Error, Details: "CRL Reason Code extension MUST NOT be marked as critical."}
+ }
+ }
+ }
+ }
+ return &lint.LintResult{Status: lint.Pass}
+}
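Review bot: In Execute the range variable `c` shadows the `*x509.RevocationList` parameter of the same name, so inside the loop `c` silently means the entry rather than the list; `go vet -vettool` shadow checks flag this and a later edit that wants the list inside the loop will get the wrong value. Renaming the loop variable is enough: `for _, entry := range c.RevokedCertificates {` with `if entry.ReasonCode == nil {` and `for _, ext := range entry.Extensions {`. Separately, the `ReasonCode == nil` guard makes the criticality check depend on zcrypto having decoded the reasonCode value; if the parser leaves ReasonCode nil for a malformed but present extension (I cannot confirm that from this diff), a critical reasonCode extension would be skipped, whereas the OID match on Extensions alone already finds the extension, so the guard looks redundant and could be dropped or documented with `// only entries whose reasonCode was decoded are checked`.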
diff --git a/v3/lints/cabf_br/lint_cabf_crl_reason_code_not_critical_test.go b/v3/lints/cabf_br/lint_cabf_crl_reason_code_not_critical_test.go
new file mode 100644
index 000000000..1a5fbb983
--- /dev/null
+++ b/v3/lints/cabf_br/lint_cabf_crl_reason_code_not_critical_test.go
@@ -0,0 +1,64 @@ +package cabf_br + +import ( + "strings" + "testing" + + "github.com/zmap/zlint/v3/lint" + "github.com/zmap/zlint/v3/test" +) + +/* + * ZLint Copyright 2023 Regents of the University of Michigan + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may not + * use this file except in compliance with the License. You may obtain a copy + * of the License at http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + * implied. See the License for the specific language governing + * permissions and limitations under the License. + */ + +func TestCrlReasonCodeNotCritical(t *testing.T) { + t.Parallel() + testCases := []struct { + name string + path string + want lint.LintStatus + wantSubStr string + }{ + { + name: "CRL reason code critical", + path: "crlReasonCodeCrit.pem", + want: lint.Error, + wantSubStr: "MUST NOT be marked as critical", + }, + { + name: "CRL with reason code 5", + path: "crlWithReasonCode5.pem", + want: lint.Pass, + }, + { + name: "CRL no revoked certificates", + path: "crlEmpty.pem", + want: lint.NA, + }, + } + + for _, tc := range testCases { + tc := tc + t.Run(tc.name, func(t *testing.T) { + gotStatus := test.TestRevocationListLint(t, "e_cab_crl_reason_code_not_critical", tc.path) + if tc.want != gotStatus.Status { + t.Errorf("%s: expected %s, got %s", tc.path, tc.want, gotStatus.Status) + } + if !strings.Contains(gotStatus.Details, tc.wantSubStr) { + t.Errorf("%s: expected %s, got %s", tc.path, tc.wantSubStr, gotStatus.Details) + } + }) + } + +} diff --git a/v3/lints/cabf_br/lint_cabf_crl_valid_reason_codes.go b/v3/lints/cabf_br/lint_cabf_crl_valid_reason_codes.go new file mode 100644 index 000000000..70aea45eb --- /dev/null +++ b/v3/lints/cabf_br/lint_cabf_crl_valid_reason_codes.go 
@@ -0,0 +1,68 @@
+package cabf_br
+
+/*
+ * ZLint Copyright 2023 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+import (
+ "github.com/zmap/zcrypto/x509"
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/util"
+)
+
+type crlHasValidReasonCodes struct{}
+
+func init() {
+ lint.RegisterRevocationListLint(&lint.RevocationListLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_cab_crl_has_valid_reason_code",
+ Description: "Only the following CRLReasons MAY be present: 1, 3, 4, 5, 9.",
+ Citation: "BRs: 7.2.2",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.CABFBRs_1_8_7_Date,
+ },
+ Lint: NewCrlHasValidReasonCode,
+ })
+}
+
+func NewCrlHasValidReasonCode() lint.RevocationListLintInterface {
+ return &crlHasValidReasonCodes{}
+}
+
+func (l *crlHasValidReasonCodes) CheckApplies(c *x509.RevocationList) bool {
+ return len(c.RevokedCertificates) > 0
+}
+
+var validReasons = map[int]bool{
+ 1: true,
+ 3: true,
+ 4: true,
+ 5: true,
+ 9: true,
+}
+
+func (l *crlHasValidReasonCodes) Execute(c *x509.RevocationList) *lint.LintResult {
+ for _, c := range c.RevokedCertificates {
+ if c.ReasonCode == nil {
+ continue
+ }
+ code := *c.ReasonCode
+ if code == 0 {
+ return &lint.LintResult{Status: lint.Error, Details: "The reason code CRL entry extension SHOULD be absent instead of using the unspecified (0) reasonCode value."}
+ }
+ if _, ok := validReasons[code]; !ok {
+ return &lint.LintResult{Status: lint.Error, Details: "Reason code not included in BR: 7.2.2"}
+ }
+ }
+ return &lint.LintResult{Status: lint.Pass}
+}
diff --git a/v3/lints/cabf_br/lint_cabf_crl_valid_reason_codes_test.go b/v3/lints/cabf_br/lint_cabf_crl_valid_reason_codes_test.go
new file mode 100644
index 000000000..eb16d894f
--- /dev/null
+++ b/v3/lints/cabf_br/lint_cabf_crl_valid_reason_codes_test.go
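Review bot: The Details string for reasonCode 0 in Execute says the extension "SHOULD be absent" while the result is lint.Error under a BR citation; the RFC 5280 wording has been copied into a BR lint, and as far as I recall BR 7.2.2 phrases this as the reasonCode MUST NOT be unspecified(0) and the extension MUST be omitted instead, so the message understates the finding and a CA reading the output may treat it as advisory. Suggested: `Details: "The reasonCode CRL entry extension MUST NOT use the unspecified (0) value; BR 7.2.2 requires it to be omitted instead."`, with the matching `wantSubStr` in the test table updated. The second error also omits the offending value, unlike the RFC lint in this same patch; `Details: fmt.Sprintf("Reason code %d not included in BR: 7.2.2", code)` (adding "fmt" to the imports) makes the report actionable without a second parse of the CRL. The range variable `c` shadows the RevocationList parameter here as well; `entry` would be clearer.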
@@ -0,0 +1,76 @@ +package cabf_br + +import ( + "strings" + "testing" + + "github.com/zmap/zlint/v3/lint" + "github.com/zmap/zlint/v3/test" +) + +/* + * ZLint Copyright 2023 Regents of the University of Michigan + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may not + * use this file except in compliance with the License. You may obtain a copy + * of the License at http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + * implied. See the License for the specific language governing + * permissions and limitations under the License. + */ + +func TestCrlValidReasonCodes(t *testing.T) { + t.Parallel() + testCases := []struct { + name string + path string + want lint.LintStatus + wantSubStr string + }{ + { + name: "CRL with reason code 0", + path: "crlWithReasonCode0.pem", + want: lint.Error, + wantSubStr: "The reason code CRL entry extension SHOULD be absent instead of using the unspecified", + }, + { + // This test case is significant since reason code 2 is not allowed by CABF + name: "CRL with reason code 2", + path: "crlWithReasonCode2.pem", + want: lint.Error, + wantSubStr: "Reason code not included in BR: 7.2.2", + }, + { + name: "CRL with reason code 5", + path: "crlWithReasonCode5.pem", + want: lint.Pass, + }, + { + name: "CRL with reason code 7", + path: "crlWithReasonCode7.pem", + want: lint.Error, + wantSubStr: "Reason code not included in BR: 7.2.2", + }, + { + name: "CRL thisUpdate before enforcement", + path: "crlThisUpdate20230505.pem", + want: lint.NE, + }, + } + + for _, tc := range testCases { + tc := tc + t.Run(tc.name, func(t *testing.T) { + gotStatus := test.TestRevocationListLint(t, "e_cab_crl_has_valid_reason_code", tc.path) + if tc.want != gotStatus.Status { + t.Errorf("%s: expected %s, got %s", tc.path, tc.want, 
gotStatus.Status) + } + if !strings.Contains(gotStatus.Details, tc.wantSubStr) { + t.Errorf("%s: expected %s, got %s", tc.path, tc.wantSubStr, gotStatus.Details) + } + }) + } +} diff --git a/v3/lints/rfc/lint_crl_valid_reason_codes.go b/v3/lints/rfc/lint_crl_valid_reason_codes.go new file mode 100644 index 000000000..602ec1823 --- /dev/null +++ b/v3/lints/rfc/lint_crl_valid_reason_codes.go 
@@ -0,0 +1,73 @@
+package rfc
+
+/*
+ * ZLint Copyright 2023 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+import (
+ "fmt"
+
+ "github.com/zmap/zcrypto/x509"
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/util"
+)
+
+type crlHasValidReasonCode struct{}
+
+/*
+***********************************************
+RFC 5280: 5.3.1
+
+ CRL issuers are strongly
+ encouraged to include meaningful reason codes in CRL entries;
+ however, the reason code CRL entry extension SHOULD be absent instead
+ of using the unspecified (0) reasonCode value.
+
+***********************************************
+*/
+func init() {
+ lint.RegisterRevocationListLint(&lint.RevocationListLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_crl_has_valid_reason_code",
+ Description: "If a CRL entry has a reason code, it MUST be in RFC5280 section 5.3.1 and SHOULD be absent instead of using unspecified (0)",
+ Citation: "RFC 5280: 5.3.1",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC5280Date,
+ },
+ Lint: NewCrlHasValidReasonCode,
+ })
+}
+
+func NewCrlHasValidReasonCode() lint.RevocationListLintInterface {
+ return &crlHasValidReasonCode{}
+}
+
+func (l *crlHasValidReasonCode) CheckApplies(c *x509.RevocationList) bool {
+ return len(c.RevokedCertificates) > 0
+}
+
+func (l *crlHasValidReasonCode) Execute(c *x509.RevocationList) *lint.LintResult {
+ for _, c := range c.RevokedCertificates {
+ if c.ReasonCode == nil {
+ continue
+ }
+ code := *c.ReasonCode
+ if code == 0 {
+ return &lint.LintResult{Status: lint.Warn, Details: "The reason code CRL entry extension SHOULD be absent instead of using the unspecified (0) reasonCode value."}
+ }
+ if code == 7 || code > 10 {
+ return &lint.LintResult{Status: lint.Error, Details: fmt.Sprintf("Reason code, %v, not included in RFC 5280 section 5.3.1", code)}
+ }
+ }
+ return &lint.LintResult{Status: lint.Pass}
+}
diff --git a/v3/lints/rfc/lint_crl_valid_reason_codes_test.go b/v3/lints/rfc/lint_crl_valid_reason_codes_test.go
new file mode 100644
index 000000000..656a2d99d
--- /dev/null
+++ b/v3/lints/rfc/lint_crl_valid_reason_codes_test.go
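Review bot: The range check in Execute, `if code == 7 || code > 10`, has no lower bound, so a negative reasonCode passes as valid even though RFC 5280's CRLReason enumeration only defines 0-6 and 8-10; ENUMERATED is a signed DER integer, and the value is compared here as a plain int, so unless zcrypto already rejects negative values at parse time (not visible in this diff) such a CRL would lint as Pass. The fix is one condition: `if code < 0 || code == 7 || code > 10 {`. The Description string's "MUST be in RFC5280 section 5.3.1" is stronger than the RFC text quoted in the comment block above init, which only defines the enumeration and says SHOULD about value 0; consider `Description: "If a CRL entry has a reasonCode, it must be a value defined in RFC 5280 section 5.3.1, and the extension SHOULD be absent rather than unspecified (0)"` so the metadata matches the citation.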
@@ -0,0 +1,70 @@ +package rfc + +import ( + "strings" + "testing" + + "github.com/zmap/zlint/v3/lint" + "github.com/zmap/zlint/v3/test" +) + +/* + * ZLint Copyright 2023 Regents of the University of Michigan + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may not + * use this file except in compliance with the License. You may obtain a copy + * of the License at http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + * implied. See the License for the specific language governing + * permissions and limitations under the License. + */ + +func TestCrlValidReasonCodes(t *testing.T) { + t.Parallel() + testCases := []struct { + name string + path string + want lint.LintStatus + wantSubStr string + }{ + { + name: "CRL with reason code 0", + path: "crlWithReasonCode0.pem", + want: lint.Warn, + wantSubStr: "SHOULD be absent instead of using the unspecified", + }, + { + // This test case is significant since reason code 2 is not allowed by CABF + name: "CRL with reason code 2", + path: "crlWithReasonCode2.pem", + want: lint.Pass, + }, + { + name: "CRL with reason code 5", + path: "crlWithReasonCode5.pem", + want: lint.Pass, + }, + { + name: "CRL with reason code 7", + path: "crlWithReasonCode7.pem", + want: lint.Error, + wantSubStr: "Reason code, 7, not included in RFC 5280 section 5.3.1", + }, + } + + for _, tc := range testCases { + tc := tc + t.Run(tc.name, func(t *testing.T) { + gotStatus := test.TestRevocationListLint(t, "e_crl_has_valid_reason_code", tc.path) + if tc.want != gotStatus.Status { + t.Errorf("%s: expected %s, got %s", tc.path, tc.want, gotStatus.Status) + } + if !strings.Contains(gotStatus.Details, tc.wantSubStr) { + t.Errorf("%s: expected %s, got %s", tc.path, tc.wantSubStr, gotStatus.Details) + } + }) + } +} 
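Review bot: The table in TestCrlValidReasonCodes never exercises the `code > 10` branch of the lint or its upper boundary: there is no fixture with aACompromise(10), which must Pass, and none with 11, which must Error, so a wrong comparison operator in the bound check would go unnoticed by this suite. Adding two fixtures, e.g. `{name: "CRL with reason code 10", path: "crlWithReasonCode10.pem", want: lint.Pass}` and `{name: "CRL with reason code 11", path: "crlWithReasonCode11.pem", want: lint.Error, wantSubStr: "Reason code, 11, not included"}`, would close that gap; the same fixtures could serve the cabf_br test. A CRL entry with no reasonCode extension at all is also not covered, although the `ReasonCode == nil` branch exists specifically for it.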
diff --git a/v3/testdata/crlEmpty.pem b/v3/testdata/crlEmpty.pem new file mode 100644 index 000000000..638bc76ee --- /dev/null +++ b/v3/testdata/crlEmpty.pem @@ -0,0 +1,8 @@ +-----BEGIN X509 CRL----- +MIIBEjCBuQIBATAKBggqhkjOPQQDAjAAFw0yMzA1MDkxNzU0NTVaoIGWMIGTMIGE +BgNVHSMEfTB7gHkwdwIBAQQg4sC166JaXHUVDRXXFc7ZyoZmSghHDWoVUBz6L1xp +rv+gCgYIKoZIzj0DAQehRANCAATfDbtdhRX3RnNa5dhfkMOKzkT0AmHwn2w6bLex +KG8GNbwnBEYWQU7fYTU8vjd6UsrmF/SWXWNe8tAVjdE1kB0HMAoGA1UdFAQDAgEC +MAoGCCqGSM49BAMCA0gAMEUCIAvuaPf4KZ3Ukw+R1InKWoj+i8HvAy29S2lHRDGs +rTQxAiEA4zJSU0qGeWvpsa/JMvWpaYLDsOqMN77Zk0qWAOTlH/c= +-----END X509 CRL----- diff --git a/v3/testdata/crlReasonCodeCrit.pem b/v3/testdata/crlReasonCodeCrit.pem new file mode 100644 index 000000000..29ece0041 --- /dev/null +++ b/v3/testdata/crlReasonCodeCrit.pem @@ -0,0 +1,7 @@ +-----BEGIN X509 CRL----- +MIHfMIGGAgEBMAoGCCqGSM49BAMCMAAXDTI0MDUwNjAzMzU0NVowJzAlAgEDGA8w +MDAxMDEwMTAwMDAwMFowDzANBgNVHRUBAf8EAwoBAKA7MDkwKwYDVR0jBCQwIoAg +B6is8nK0AI9ZyMGgUI2dAkS+NbOYYe92ZoFyaa4dq8MwCgYDVR0UBAMCAQIwCgYI +KoZIzj0EAwIDSAAwRQIhALGfy/9w8vgp3QlkYCtmfqeGtkvftNBhBFPfwqfmURBE +AiAj/DvhTE4C6639BPuwDONrdA7B6yvxddMWKM2rUA/pvw== +-----END X509 CRL----- diff --git a/v3/testdata/crlThisUpdate20230505.pem b/v3/testdata/crlThisUpdate20230505.pem new file mode 100644 index 000000000..e2aab72c7 --- /dev/null +++ b/v3/testdata/crlThisUpdate20230505.pem @@ -0,0 +1,7 @@ +-----BEGIN X509 CRL----- +MIHdMIGDAgEBMAoGCCqGSM49BAMCMAAXDTIzMDUwNjAzNDA1NVowJDAiAgEDGA8w +MDAxMDEwMTAwMDAwMFowDDAKBgNVHRUEAwoBBaA7MDkwKwYDVR0jBCQwIoAgSSxH +cv+MyXTPfj99JsIKgswmBf7Xn5pP7Lwiew7Znn8wCgYDVR0UBAMCAQIwCgYIKoZI +zj0EAwIDSQAwRgIhAIRnGCwy6E/9Tg4mdcXzDOw+yToPMTfVVcyg0uHUl4cdAiEA +hvghFGNBRAWWm3acYsb+KBX9wCg3kfWBt6L7JnXovAU= +-----END X509 CRL----- diff --git a/v3/testdata/crlWithReasonCode0.pem b/v3/testdata/crlWithReasonCode0.pem new file mode 100644 index 000000000..0d6c88308 --- /dev/null +++ b/v3/testdata/crlWithReasonCode0.pem 
@@ -0,0 +1,7 @@ +-----BEGIN X509 CRL----- +MIHcMIGDAgEBMAoGCCqGSM49BAMCMAAXDTI0MDUwNjAzMjgzMFowJDAiAgEDGA8w +MDAxMDEwMTAwMDAwMFowDDAKBgNVHRUEAwoBAKA7MDkwKwYDVR0jBCQwIoAgTNow +i3fmv11CTOp+ECXxItsklofKPiMEhbkF2CDFkDIwCgYDVR0UBAMCAQIwCgYIKoZI +zj0EAwIDSAAwRQIhAP2Wao7WtdGSYVMbTQdPIPFztP7oJvXkNCR45o0Ca19RAiAQ +rLw1aajKw3p4iOXxpdAetbMh7GUvuJjgb8f4PmmS8w== +-----END X509 CRL----- diff --git a/v3/testdata/crlWithReasonCode2.pem b/v3/testdata/crlWithReasonCode2.pem new file mode 100644 index 000000000..638ab2154 --- /dev/null +++ b/v3/testdata/crlWithReasonCode2.pem @@ -0,0 +1,7 @@ +-----BEGIN X509 CRL----- +MIHcMIGDAgEBMAoGCCqGSM49BAMCMAAXDTI0MDUwNjAzMjc0NlowJDAiAgEDGA8w +MDAxMDEwMTAwMDAwMFowDDAKBgNVHRUEAwoBAqA7MDkwKwYDVR0jBCQwIoAgaKfL +ufc1P2u5ckFBzp9JeJi/7SOij/uVWEB04Fq7oJowCgYDVR0UBAMCAQIwCgYIKoZI +zj0EAwIDSAAwRQIgdnoQOfGZ7Hifb6vUwDGmta1Pngz8VlJ39q0Z8uZApWgCIQCO +NcpgZ4xFtRurF6I82LkrCKweIY4jHoYEx97gCUlfrA== +-----END X509 CRL----- diff --git a/v3/testdata/crlWithReasonCode5.pem b/v3/testdata/crlWithReasonCode5.pem new file mode 100644 index 000000000..2094e2007 --- /dev/null +++ b/v3/testdata/crlWithReasonCode5.pem @@ -0,0 +1,7 @@ +-----BEGIN X509 CRL----- +MIHcMIGDAgEBMAoGCCqGSM49BAMCMAAXDTI0MDUwNjAzNDAxNVowJDAiAgEDGA8w +MDAxMDEwMTAwMDAwMFowDDAKBgNVHRUEAwoBBaA7MDkwKwYDVR0jBCQwIoAgLQ5J +FJK78KIMTp4/AXlnjbmnWUp72aRFh6+6++zjF5owCgYDVR0UBAMCAQIwCgYIKoZI +zj0EAwIDSAAwRQIhAJsjck+HO4/ae7S38jyZbE4JA7DfnisEPkePrLIEKoULAiAx +OWdDCTntIZk0dFqZlEtDeEc/5M1bjqQ8S1q4I3jocw== +-----END X509 CRL----- diff --git a/v3/testdata/crlWithReasonCode7.pem b/v3/testdata/crlWithReasonCode7.pem new file mode 100644 index 000000000..6548d4943 --- /dev/null +++ b/v3/testdata/crlWithReasonCode7.pem 
@@ -0,0 +1,7 @@ +-----BEGIN X509 CRL----- +MIHcMIGDAgEBMAoGCCqGSM49BAMCMAAXDTI0MDUwNjAzNDAyNlowJDAiAgEDGA8w +MDAxMDEwMTAwMDAwMFowDDAKBgNVHRUEAwoBB6A7MDkwKwYDVR0jBCQwIoAgZXC6 +GE/pCZGmsIGy7QDB/9zUbZW9YJuDiRJ5C5gG1BIwCgYDVR0UBAMCAQIwCgYIKoZI +zj0EAwIDSAAwRQIga5n/5ccM2/pDJbME1QFzbBQALZ8XveiEn3WLz4T000ICIQCm +f03FTQ8FZrTR9sD+Wr4gEVoNB8FfYEISvG9Maone+Q== +-----END X509 CRL----- diff --git a/v3/util/oid.go b/v3/util/oid.go index a8f976538..0f3143454 100644 --- a/v3/util/oid.go +++ b/v3/util/oid.go @@ -48,6 +48,7 @@ var ( SubjectDirAttrOID = asn1.ObjectIdentifier{2, 5, 29, 9} // Subject Directory Attributes SubjectInfoAccessOID = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 11} // Subject Info Access Syntax SubjectKeyIdentityOID = asn1.ObjectIdentifier{2, 5, 29, 14} // Subject Key Identifier + ReasonCodeOID = asn1.ObjectIdentifier{2, 5, 29, 21} // CRL Reason Code // CA/B reserved policies BRDomainValidatedOID = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 1} // CA/B BR Domain-Validated BROrganizationValidatedOID = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 2} // CA/B BR Organization-Validated diff --git a/v3/util/time.go b/v3/util/time.go index 04dfeddb6..79e3a39cf 100644 --- a/v3/util/time.go +++ b/v3/util/time.go @@ -72,6 +72,8 @@ var ( CABFBRs_1_8_0_Date = time.Date(2021, time.August, 25, 0, 0, 0, 0, time.UTC) NoReservedDomainLabelsDate = time.Date(2021, time.October, 1, 0, 0, 0, 0, time.UTC) CABFBRs_OU_Prohibited_Date = time.Date(2022, time.September, 1, 0, 0, 0, 0, time.UTC) + // Enforcement date of CRL reason codes from Ballot SC 061 + CABFBRs_1_8_7_Date = time.Date(2023, time.July, 15, 0, 0, 0, 0, time.UTC) ) var (