Misc. cleanups, unit test for finding leftover template bits. (#340)

* tests: remove gofmt_test.go

The golangci-lint pass run in CI includes an equivalent test. If folks
want to test for unformatted code locally install the linter and run
`golangci-lint run` in the root directory. This will flag findings
above and beyond `gofmt` problems ahead of CI failing.

* lints: remove commented out code.

In three cases, remove a comment ahead of a return that added no
useful context.

In `lints/community/lint_rsa_exp_negative_test.go` remove a commented
out test case for a negative RSA exponent. The test code doesn't build
as-is and the referenced test cert (`rsaExpNegative.pem`) doesn't exist
in-tree. A TODO is left to indicate there's missing test coverage for
later follow-up.

* lints: fix "certtificate" comment typo.

* lints: fix tabs in ref text for lint_sub_cert_or_sub_ca_using_sha1.

* lints: fix field name ref. in lint Descriptions.

These two lints mistakenly said in their `Description` that they only
check the `DNSNames` field of the certificate when in fact they only
check the `IANDNSNames` field. There are two corresponding lints
(`lints/community/lint_san_wildcard_not_first.go` and
`lints/community/lint_san_bare_wildcard.go`) that check `DNSNames`.

* lints: add slice of known LintSources, test for templating leftovers.

There should never be finished lint source code that contains template
text intended to be replaced by the programmer. A new
`TestLeftoverTemplates` unit test is added to make sure we enforce this
during CI to lessen the burden on code reviewers to catch this problem.

* tests: use full path in TestLeftoverTemplates errs

* lints: fix TestLeftoverTemplates findings

Prior to these fixes all of the modified files had templating leftovers:
```
=== RUN   TestLeftoverTemplates
--- FAIL: TestLeftoverTemplates (0.01s)
    template_test.go:49: Lint "cabf_br/lint_root_ca_extended_key_usage_present.go" contains template leftover "// Add actual lint here"
    template_test.go:49: Lint "cabf_br/lint_root_ca_key_usage_present.go" contains template leftover "// Add actual lint here"
    template_test.go:49: Lint "cabf_br/lint_sub_cert_cert_policy_empty.go" contains template leftover "// Add actual lint here"
    template_test.go:49: Lint "cabf_br/lint_sub_cert_certificate_policies_missing.go" contains template leftover "// Add actual lint here"
    template_test.go:49: Lint "cabf_br/lint_sub_cert_crl_distribution_points_does_not_contain_url.go" contains template leftover "// Add actual lint here"
    template_test.go:49: Lint "cabf_br/lint_sub_cert_eku_extra_values.go" contains template leftover "// Add actual lint here"
    template_test.go:49: Lint "cabf_br/lint_sub_cert_eku_missing.go" contains template leftover "// Add actual lint here"
    template_test.go:49: Lint "cabf_br/lint_sub_cert_eku_server_auth_client_auth_missing.go" contains template leftover "// Add actual lint here"
    template_test.go:49: Lint "cabf_br/lint_sub_cert_key_usage_cert_sign_bit_set.go" contains template leftover "// Add actual lint here"
    template_test.go:49: Lint "cabf_br/lint_sub_cert_key_usage_crl_sign_bit_set.go" contains template leftover "// Add actual lint here"
    template_test.go:49: Lint "rfc/lint_basic_constraints_not_critical.go" contains template leftover "// Add actual lint here"
    template_test.go:49: Lint "rfc/lint_ext_key_usage_not_critical.go" contains template leftover "// Add actual lint here"
    template_test.go:49: Lint "rfc/lint_basic_constraints_not_critical.go" contains template leftover "// Add actual lint here"
    template_test.go:49: Lint "rfc/lint_ext_key_usage_not_critical.go" contains template leftover "// Add actual lint here"
    template_test.go:49: Lint "rfc/lint_basic_constraints_not_critical.go" contains template leftover "// Add actual lint here"
    template_test.go:49: Lint "rfc/lint_ext_key_usage_not_critical.go" contains template leftover "// Add actual lint here"
FAIL
FAIL	command-line-arguments	0.017s
FAIL
```

* lints: update template test with another string, fix occurrences.

```
=== RUN   TestLeftoverTemplates
--- FAIL: TestLeftoverTemplates (0.01s)
    template_test.go:50: Lint "cabf_br/lint_sub_ca_name_constraints_not_critical.go" contains template leftover "Change this to match source TEXT"
    template_test.go:50: Lint "community/lint_validity_time_not_positive.go" contains template leftover "Change this to match source TEXT"
    template_test.go:50: Lint "community/lint_validity_time_not_positive.go" contains template leftover "Change this to match source TEXT"
FAIL
FAIL	command-line-arguments	0.017s
FAIL
```

* lints: move lint_ian_bare_wildcard.go from RFC to community.

It cites RFC 5280 but that RFC doesn't prescribe any semantics to the
use of wildcards in DNSNames or elsewhere. I suspect this lint actually
came from AWSLabs, similar to `lint_ian_wildcard_not_first.go` and
`lint_san_bare_wildcard.go`, both of which are already in
`lints/community/`.

* lints: fix moved lint_ian_bare_wildcard.go source/category/package

* lints: fix off-by-one in RFC max length lint Descs.

The upper bounds being enforced against in the changed lints are
inclusive. The lint tests were doing the right thing but the
descriptions incorrectly described the boundary as if it were exclusive.

For comparison the following lints already did the right thing already
and had the UB+1 in the desc:
```
lints/rfc/lint_subject_given_name_max_length.go
lints/rfc/lint_subject_postal_code_max_length.go
lints/rfc/lint_subject_street_address_max_length.go
lints/rfc/lint_subject_surname_max_length.go
```

* lint: revert accidental whitespace diff

lint/base.go

@@ -46,6 +46,8 @@ type LintInterface interface {
 // An Enum to programmatically represent the source of a lint
 type LintSource int
 
+// NOTE(@cpu): If you are adding a new LintSource make sure you have considered
+// updating the Directory() function.
 const (
 	UnknownLintSource LintSource = iota
 	CABFBaselineRequirements
@@ -59,6 +61,38 @@ const (
 	AppleCTPolicy // https://support.apple.com/en-us/HT205280
 )
 
+// LintSources contains a list of the valid lint sources we expect to be used
+// by ZLint lints.
+var LintSources = []LintSource{
+	CABFBaselineRequirements,
+	CABFEVGuidelines,
+	RFC5280,
+	RFC5480,
+	RFC5891,
+	AppleCTPolicy,
+	EtsiEsi,
+	ZLint,
+	AWSLabs,
+}
+
+// Directory returns the directory name in `lints/` for the LintSource.
+func (l LintSource) Directory() string {
+	switch l {
+	case CABFBaselineRequirements:
+		return "cabf_br"
+	case CABFEVGuidelines:
+		return "cabf_ev"
+	case RFC5280, RFC5480, RFC5891:
+		return "rfc"
+	case AppleCTPolicy:
+		return "apple"
+	case EtsiEsi:
+		return "etsi"
+	default:
+		return "community"
+	}
+}
+
 // A Lint struct represents a single lint, e.g.
 // "e_basic_constraints_not_critical". It contains an implementation of LintInterface.
 type Lint struct {

lints/cabf_br/lint_invalid_certificate_version.go

@@ -38,7 +38,6 @@ func (l *InvalidCertificateVersion) Execute(cert *x509.Certificate) *lint.LintRe
 	if cert.Version != 3 {
 		return &lint.LintResult{Status: lint.Error}
 	}
-	//else
 	return &lint.LintResult{Status: lint.Pass}
 }
 

lints/cabf_br/lint_old_root_ca_rsa_mod_less_than_2048_bits.go

@@ -14,10 +14,6 @@ package cabf_br
  * permissions and limitations under the License.
  */
 
-/************************************************
-Change this to match source TEXT
-************************************************/
-
 import (
 	"crypto/rsa"
 

lints/cabf_br/lint_root_ca_extended_key_usage_present.go

@@ -36,7 +36,6 @@ func (l *rootCAContainsEKU) CheckApplies(c *x509.Certificate) bool {
 }
 
 func (l *rootCAContainsEKU) Execute(c *x509.Certificate) *lint.LintResult {
-	// Add actual lint here
 	if util.IsExtInCert(c, util.EkuSynOid) {
 		return &lint.LintResult{Status: lint.Error}
 	} else {

lints/cabf_br/lint_root_ca_key_usage_present.go

@@ -31,7 +31,6 @@ func (l *rootCAKeyUsagePresent) CheckApplies(c *x509.Certificate) bool {
 }
 
 func (l *rootCAKeyUsagePresent) Execute(c *x509.Certificate) *lint.LintResult {
-	// Add actual lint here
 	if util.IsExtInCert(c, util.KeyUsageOID) {
 		return &lint.LintResult{Status: lint.Pass}
 	} else {

lints/cabf_br/lint_rsa_mod_less_than_2048_bits.go

@@ -14,10 +14,6 @@ package cabf_br
  * permissions and limitations under the License.
  */
 
-/************************************************
-Change this to match source TEXT
-************************************************/
-
 import (
 	"crypto/rsa"
 

lints/cabf_br/lint_sub_ca_name_constraints_not_critical.go

@@ -15,7 +15,14 @@ package cabf_br
  */
 
 /************************************************
-Change this to match source TEXT
+CA Brower Forum Baseline Requirements, Section 7.1.2.2:
+
+   f. nameConstraints (optional)
+If present, this extension SHOULD be marked critical*.
+
+* Non-critical Name Constraints are an exception to RFC 5280 (4.2.1.10), however, they MAY be used until the
+Name Constraints extension is supported by Application Software Suppliers whose software is used by a
+substantial portion of Relying Parties worldwide
 ************************************************/
 
 import (

lints/cabf_br/lint_sub_cert_cert_policy_empty.go

@@ -39,7 +39,6 @@ func (l *subCertPolicyEmpty) CheckApplies(c *x509.Certificate) bool {
 }
 
 func (l *subCertPolicyEmpty) Execute(c *x509.Certificate) *lint.LintResult {
-	// Add actual lint here
 	if util.IsExtInCert(c, util.CertPolicyOID) && c.PolicyIdentifiers != nil {
 		return &lint.LintResult{Status: lint.Pass}
 	} else {

lints/cabf_br/lint_sub_cert_certificate_policies_missing.go

@@ -37,7 +37,6 @@ func (l *subCertPolicy) CheckApplies(c *x509.Certificate) bool {
 }
 
 func (l *subCertPolicy) Execute(c *x509.Certificate) *lint.LintResult {
-	// Add actual lint here
 	if util.IsExtInCert(c, util.CertPolicyOID) {
 		return &lint.LintResult{Status: lint.Pass}
 	} else {

lints/cabf_br/lint_sub_cert_crl_distribution_points_does_not_contain_url.go

@@ -40,7 +40,6 @@ func (l *subCRLDistNoURL) CheckApplies(c *x509.Certificate) bool {
 }
 
 func (l *subCRLDistNoURL) Execute(c *x509.Certificate) *lint.LintResult {
-	// Add actual lint here
 	for _, s := range c.CRLDistributionPoints {
 		if strings.HasPrefix(s, "http://") {
 			return &lint.LintResult{Status: lint.Pass}

lints/cabf_br/lint_sub_cert_eku_extra_values.go

@@ -37,7 +37,6 @@ func (l *subExtKeyUsageLegalUsage) CheckApplies(c *x509.Certificate) bool {
 }
 
 func (l *subExtKeyUsageLegalUsage) Execute(c *x509.Certificate) *lint.LintResult {
-	// Add actual lint here
 	for _, kp := range c.ExtKeyUsage {
 		if kp == x509.ExtKeyUsageServerAuth ||
 			kp == x509.ExtKeyUsageClientAuth ||

lints/cabf_br/lint_sub_cert_eku_missing.go

@@ -37,7 +37,6 @@ func (l *subExtKeyUsage) CheckApplies(c *x509.Certificate) bool {
 }
 
 func (l *subExtKeyUsage) Execute(c *x509.Certificate) *lint.LintResult {
-	// Add actual lint here
 	if util.IsExtInCert(c, util.EkuSynOid) {
 		return &lint.LintResult{Status: lint.Pass}
 	} else {

lints/cabf_br/lint_sub_cert_eku_server_auth_client_auth_missing.go

@@ -37,7 +37,6 @@ func (l *subExtKeyUsageClientOrServer) CheckApplies(c *x509.Certificate) bool {
 }
 
 func (l *subExtKeyUsageClientOrServer) Execute(c *x509.Certificate) *lint.LintResult {
-	// Add actual lint here
 	for _, kp := range c.ExtKeyUsage {
 		if kp == x509.ExtKeyUsageServerAuth || kp == x509.ExtKeyUsageClientAuth {
 			// If we find either of ServerAuth or ClientAuth, lint.Pass

lints/cabf_br/lint_sub_cert_key_usage_cert_sign_bit_set.go

@@ -37,7 +37,6 @@ func (l *subCertKeyUsageBitSet) CheckApplies(c *x509.Certificate) bool {
 }
 
 func (l *subCertKeyUsageBitSet) Execute(c *x509.Certificate) *lint.LintResult {
-	// Add actual lint here
 	if (c.KeyUsage & x509.KeyUsageCertSign) == x509.KeyUsageCertSign {
 		return &lint.LintResult{Status: lint.Error}
 	} else { //key usage doesn't allow cert signing or isn't present

lints/cabf_br/lint_sub_cert_key_usage_crl_sign_bit_set.go

@@ -37,7 +37,6 @@ func (l *subCrlSignAllowed) CheckApplies(c *x509.Certificate) bool {
 }
 
 func (l *subCrlSignAllowed) Execute(c *x509.Certificate) *lint.LintResult {
-	// Add actual lint here
 	if (c.KeyUsage & x509.KeyUsageCRLSign) == x509.KeyUsageCRLSign {
 		return &lint.LintResult{Status: lint.Error}
 	} else { //key usage doesn't allow cert signing or isn't present

lints/cabf_br/lint_sub_cert_or_sub_ca_using_sha1.go

@@ -16,7 +16,7 @@ package cabf_br
 
 /**************************************************************************************************
 BRs: 7.1.3
-SHA‐1	MAY	be	used	with	RSA	keys	in	accordance	with	the	criteria	defined	in	Section	7.1.3.
+SHA‐1 MAY be used with RSA keys in accordance with the criteria defined in Section 7.1.3.
 **************************************************************************************************/
 
 import (

lints/rfc/lint_ian_bare_wildcard.go → lints/community/lint_ian_bare_wildcard.go

@@ -1,4 +1,4 @@
-package rfc
+package community
 
 /*
  * ZLint Copyright 2020 Regents of the University of Michigan
@@ -44,9 +44,9 @@ func (l *brIANBareWildcard) Execute(c *x509.Certificate) *lint.LintResult {
 func init() {
 	lint.RegisterLint(&lint.Lint{
 		Name:          "e_ian_bare_wildcard",
-		Description:   "A wildcard MUST be accompanied by other data to its right (Only checks DNSName)",
-		Citation:      "RFC5280",
-		Source:        lint.RFC5280,
+		Description:   "A wildcard MUST be accompanied by other data to its right (Only checks IANDNSNames)",
+		Citation:      "awslabs certlint",
+		Source:        lint.AWSLabs,
 		EffectiveDate: util.ZeroDate,
 		Lint:          &brIANBareWildcard{},
 	})

lints/rfc/lint_ian_bare_wildcard_test.go → lints/community/lint_ian_bare_wildcard_test.go

@@ -1,4 +1,4 @@
-package rfc
+package community
 
 /*
  * ZLint Copyright 2020 Regents of the University of Michigan

lints/community/lint_ian_wildcard_not_first.go

@@ -44,7 +44,7 @@ func (l *brIANWildcardFirst) Execute(c *x509.Certificate) *lint.LintResult {
 func init() {
 	lint.RegisterLint(&lint.Lint{
 		Name:          "e_ian_wildcard_not_first",
-		Description:   "A wildcard MUST be in the first label of FQDN (ie not: www.*.com) (Only checks DNSName)",
+		Description:   "A wildcard MUST be in the first label of FQDN (ie not: www.*.com) (Only checks IANDNSNames)",
 		Citation:      "awslabs certlint",
 		Source:        lint.AWSLabs,
 		EffectiveDate: util.ZeroDate,

lints/community/lint_rsa_exp_negative_test.go

@@ -21,18 +21,7 @@ import (
 	"github.com/zmap/zlint/util"
 )
 
-// func TestRsaExpNegative(t *testing.T) {
-// 	inputPath := "../../testlint/testCerts/rsaExpNegative.pem"
-// 	expected := lint.Error
-// 	out := lint.Lints["rsa_exp_negative"].ExecuteTest(util.ReadCertificate(inputPath))
-// 	if out.Result != expected {
-// 		t.Error(
-// 			"For", inputPath,
-// 			"expected", expected,
-// 			"got", out.Result,
-// 		)
-// 	}
-// }
+// TODO: There should be a test for negative RSA exp.
 
 func TestRsaExpPositive(t *testing.T) {
 	inputPath := "../../testlint/testCerts/IANURIValid.pem"

lints/community/lint_validity_time_not_positive.go

@@ -14,10 +14,6 @@ package community
  * permissions and limitations under the License.
  */
 
-/************************************************
-Change this to match source TEXT
-************************************************/
-
 import (
 	"github.com/zmap/zcrypto/x509"
 	"github.com/zmap/zlint/lint"

lints/rfc/lint_basic_constraints_not_critical.go

@@ -43,7 +43,6 @@ func (l *basicConstCrit) CheckApplies(c *x509.Certificate) bool {
 }
 
 func (l *basicConstCrit) Execute(c *x509.Certificate) *lint.LintResult {
-	// Add actual lint here
 	if e := util.GetExtFromCert(c, util.BasicConstOID); e != nil {
 		if e.Critical {
 			return &lint.LintResult{Status: lint.Pass}

lints/rfc/lint_cert_contains_unique_identifier.go

@@ -46,7 +46,7 @@ func (l *CertContainsUniqueIdentifier) CheckApplies(cert *x509.Certificate) bool
 func (l *CertContainsUniqueIdentifier) Execute(cert *x509.Certificate) *lint.LintResult {
 	if cert.IssuerUniqueId.Bytes == nil && cert.SubjectUniqueId.Bytes == nil {
 		return &lint.LintResult{Status: lint.Pass}
-	} //else
+	}
 	return &lint.LintResult{Status: lint.Error}
 }
 

lints/rfc/lint_ext_key_usage_cert_sign_without_ca.go

@@ -43,7 +43,7 @@ func (l *keyUsageCertSignNoCa) CheckApplies(c *x509.Certificate) bool {
 
 func (l *keyUsageCertSignNoCa) Execute(c *x509.Certificate) *lint.LintResult {
 	if (c.KeyUsage & x509.KeyUsageCertSign) != 0 {
-		if c.BasicConstraintsValid && util.IsCACert(c) { //CA certs may assert certtificate signing usage
+		if c.BasicConstraintsValid && util.IsCACert(c) { //CA certs may assert certificate signing usage
 			return &lint.LintResult{Status: lint.Pass}
 		} else {
 			return &lint.LintResult{Status: lint.Error}

lints/rfc/lint_ext_key_usage_not_critical.go

@@ -33,7 +33,6 @@ func (l *checkKeyUsageCritical) CheckApplies(c *x509.Certificate) bool {
 }
 
 func (l *checkKeyUsageCritical) Execute(c *x509.Certificate) *lint.LintResult {
-	// Add actual lint here
 	keyUsage := util.GetExtFromCert(c, util.KeyUsageOID)
 	if keyUsage == nil {
 		return &lint.LintResult{Status: lint.NA}

lints/rfc/lint_inhibit_any_policy_not_critical.go

@@ -48,7 +48,7 @@ func (l *InhibitAnyPolicyNotCritical) CheckApplies(cert *x509.Certificate) bool
 func (l *InhibitAnyPolicyNotCritical) Execute(cert *x509.Certificate) *lint.LintResult {
 	if anyPol := util.GetExtFromCert(cert, util.InhibitAnyPolicyOID); !anyPol.Critical {
 		return &lint.LintResult{Status: lint.Error}
-	} //else
+	}
 	return &lint.LintResult{Status: lint.Pass}
 }
 

lints/rfc/lint_subject_common_name_max_length.go

@@ -50,7 +50,7 @@ func (l *subjectCommonNameMaxLength) Execute(c *x509.Certificate) *lint.LintResu
 func init() {
 	lint.RegisterLint(&lint.Lint{
 		Name:          "e_subject_common_name_max_length",
-		Description:   "The commonName field of the subject MUST be less than 64 characters",
+		Description:   "The commonName field of the subject MUST be less than 65 characters",
 		Citation:      "RFC 5280: A.1",
 		Source:        lint.RFC5280,
 		EffectiveDate: util.RFC2459Date,

lints/rfc/lint_subject_dn_serial_number_max_length.go

@@ -42,7 +42,7 @@ func (l *SubjectDNSerialNumberMaxLength) Execute(c *x509.Certificate) *lint.Lint
 func init() {
 	lint.RegisterLint(&lint.Lint{
 		Name:          "e_subject_dn_serial_number_max_length",
-		Description:   "The 'Serial Number' field of the subject MUST be less than 64 characters",
+		Description:   "The 'Serial Number' field of the subject MUST be less than 65 characters",
 		Citation:      "RFC 5280: Appendix A",
 		Source:        lint.RFC5280,
 		EffectiveDate: util.ZeroDate,

lints/rfc/lint_subject_email_max_length.go

@@ -59,7 +59,7 @@ func (l *subjectEmailMaxLength) Execute(c *x509.Certificate) *lint.LintResult {
 func init() {
 	lint.RegisterLint(&lint.Lint{
 		Name:          "e_subject_email_max_length",
-		Description:   "The 'Email' field of the subject MUST be less than 255 characters",
+		Description:   "The 'Email' field of the subject MUST be less than 256 characters",
 		Citation:      "RFC 5280: A.1",
 		Source:        lint.RFC5280,
 		EffectiveDate: util.RFC2459Date,

lints/rfc/lint_subject_locality_name_max_length.go

@@ -52,7 +52,7 @@ func (l *subjectLocalityNameMaxLength) Execute(c *x509.Certificate) *lint.LintRe
 func init() {
 	lint.RegisterLint(&lint.Lint{
 		Name:          "e_subject_locality_name_max_length",
-		Description:   "The 'Locality Name' field of the subject MUST be less than 128 characters",
+		Description:   "The 'Locality Name' field of the subject MUST be less than 129 characters",
 		Citation:      "RFC 5280: A.1",
 		Source:        lint.RFC5280,
 		EffectiveDate: util.RFC2459Date,

lints/rfc/lint_subject_organization_name_max_length.go

@@ -52,7 +52,7 @@ func (l *subjectOrganizationNameMaxLength) Execute(c *x509.Certificate) *lint.Li
 func init() {
 	lint.RegisterLint(&lint.Lint{
 		Name:          "e_subject_organization_name_max_length",
-		Description:   "The 'Organization Name' field of the subject MUST be less than 64 characters",
+		Description:   "The 'Organization Name' field of the subject MUST be less than 65 characters",
 		Citation:      "RFC 5280: A.1",
 		Source:        lint.RFC5280,
 		EffectiveDate: util.RFC2459Date,

lints/rfc/lint_subject_organizational_unit_name_max_length.go

@@ -52,7 +52,7 @@ func (l *subjectOrganizationalUnitNameMaxLength) Execute(c *x509.Certificate) *l
 func init() {
 	lint.RegisterLint(&lint.Lint{
 		Name:          "e_subject_organizational_unit_name_max_length",
-		Description:   "The 'Organizational Unit Name' field of the subject MUST be less than 64 characters",
+		Description:   "The 'Organizational Unit Name' field of the subject MUST be less than 65 characters",
 		Citation:      "RFC 5280: A.1",
 		Source:        lint.RFC5280,
 		EffectiveDate: util.RFC2459Date,

lints/rfc/lint_subject_state_name_max_length.go

@@ -52,7 +52,7 @@ func (l *subjectStateNameMaxLength) Execute(c *x509.Certificate) *lint.LintResul
 func init() {
 	lint.RegisterLint(&lint.Lint{
 		Name:          "e_subject_state_name_max_length",
-		Description:   "The 'State Name' field of the subject MUST be less than 128 characters",
+		Description:   "The 'State Name' field of the subject MUST be less than 129 characters",
 		Citation:      "RFC 5280: A.1",
 		Source:        lint.RFC5280,
 		EffectiveDate: util.RFC2459Date,