Add lint to detect IP addresses in EV certs (#650)

zmap · Dec 9, 2021 · bbc7e36 · bbc7e36
1 parent cb3e7e8
commit bbc7e36
Show file tree

Hide file tree

Showing 3 changed files with 131 additions and 0 deletions.
diff --git a/v3/lints/cabf_ev/lint_ev_san_ip_address_present.go b/v3/lints/cabf_ev/lint_ev_san_ip_address_present.go
@@ -0,0 +1,49 @@
+/*
+ * ZLint Copyright 2021 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+package cabf_ev
+
+import (
+	"github.com/zmap/zcrypto/x509"
+	"github.com/zmap/zlint/v3/lint"
+	"github.com/zmap/zlint/v3/util"
+)
+
+func init() {
+	lint.RegisterLint(&lint.Lint{
+		Name:          "e_ev_san_ip_address_present",
+		Description:   "The Subject Alternate Name extension MUST contain only 'dnsName' name types.",
+		Citation:      "CABF EV Guidelines 1.7.8 Section 9.8.1",
+		Source:        lint.CABFEVGuidelines,
+		EffectiveDate: util.ZeroDate,
+		Lint:          NewEvSanIpAddressPresent,
+	})
+}
+
+type EvSanIpAddressPresent struct{}
+
+func NewEvSanIpAddressPresent() lint.LintInterface {
+	return &EvSanIpAddressPresent{}
+}
+
+func (l *EvSanIpAddressPresent) CheckApplies(c *x509.Certificate) bool {
+	return util.IsEV(c.PolicyIdentifiers)
+}
+
+func (l *EvSanIpAddressPresent) Execute(c *x509.Certificate) *lint.LintResult {
+	if len(c.IPAddresses) > 0 {
+		return &lint.LintResult{Status: lint.Error}
+	}
+	return &lint.LintResult{Status: lint.Pass}
+}
diff --git a/v3/lints/cabf_ev/lint_ev_san_ip_address_present_test.go b/v3/lints/cabf_ev/lint_ev_san_ip_address_present_test.go
@@ -0,0 +1,40 @@
+/*
+ * ZLint Copyright 2021 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+package cabf_ev
+
+import (
+	"testing"
+
+	"github.com/zmap/zlint/v3/lint"
+	"github.com/zmap/zlint/v3/test"
+)
+
+func TestEvSanIpAddressPresent(t *testing.T) {
+	inputPath := "evSanIpAddressPresent.pem"
+	expected := lint.Error
+	out := test.TestLint("e_ev_san_ip_address_present", inputPath)
+	if out.Status != expected {
+		t.Errorf("%s: expected %s, got %s", inputPath, expected, out.Status)
+	}
+}
+
+func TestEvSanIpAddressNotPresent(t *testing.T) {
+	inputPath := "evAllGood.pem"
+	expected := lint.Pass
+	out := test.TestLint("e_ev_san_ip_address_present", inputPath)
+	if out.Status != expected {
+		t.Errorf("%s: expected %s, got %s", inputPath, expected, out.Status)
+	}
+}
diff --git a/v3/testdata/evSanIpAddressPresent.pem b/v3/testdata/evSanIpAddressPresent.pem
@@ -0,0 +1,42 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 3 (0x3)
+        Signature Algorithm: ecdsa-with-SHA256
+        Issuer: 
+        Validity
+            Not Before: Jan  1 00:00:00 1 GMT
+            Not After : Nov 30 00:00:00 9998 GMT
+        Subject: CN = example.com, O = Example Inc., ST = CA, C = US
+        Subject Public Key Info:
+            Public Key Algorithm: id-ecPublicKey
+                Public-Key: (256 bit)
+                pub:
+                    04:11:44:2f:16:91:23:22:26:1f:a8:c9:15:70:e1:
+                    ec:f6:c7:73:b4:5f:c1:27:65:89:67:0d:c8:d9:a2:
+                    8d:15:80:bf:7a:d7:69:5b:c3:0a:c1:e6:9a:58:e0:
+                    4d:49:83:a4:22:af:fd:32:a9:35:19:ef:50:71:fa:
+                    08:2b:1e:48:d2
+                ASN1 OID: prime256v1
+                NIST CURVE: P-256
+        X509v3 extensions:
+            X509v3 Subject Alternative Name: 
+                DNS:example.com, IP Address:198.51.100.1
+            X509v3 Certificate Policies: 
+                Policy: 2.23.140.1.1
+
+    Signature Algorithm: ecdsa-with-SHA256
+         30:44:02:20:48:81:e2:d8:b5:0c:d9:eb:68:66:2c:41:0a:90:
+         9b:3f:d0:21:f1:7c:aa:8b:81:45:24:3a:9b:f4:20:e8:d0:12:
+         02:20:56:18:fb:cd:f7:9a:b1:f4:1a:ae:6f:02:68:9b:f6:06:
+         5a:7b:6c:cc:98:da:36:6a:bb:ac:51:4d:9e:ba:07:57
+-----BEGIN CERTIFICATE-----
+MIIBbTCCARSgAwIBAgIBAzAKBggqhkjOPQQDAjAAMCIYDzAwMDEwMTAxMDAwMDAw
+WhgPOTk5ODExMzAwMDAwMDBaMEcxFDASBgNVBAMTC2V4YW1wbGUuY29tMRUwEwYD
+VQQKEwxFeGFtcGxlIEluYy4xCzAJBgNVBAgTAkNBMQswCQYDVQQGEwJVUzBZMBMG
+ByqGSM49AgEGCCqGSM49AwEHA0IABBFELxaRIyImH6jJFXDh7PbHc7RfwSdliWcN
+yNmijRWAv3rXaVvDCsHmmljgTUmDpCKv/TKpNRnvUHH6CCseSNKjNDAyMBwGA1Ud
+EQQVMBOCC2V4YW1wbGUuY29thwTGM2QBMBIGA1UdIAQLMAkwBwYFZ4EMAQEwCgYI
+KoZIzj0EAwIDRwAwRAIgSIHi2LUM2etoZixBCpCbP9Ah8Xyqi4FFJDqb9CDo0BIC
+IFYY+833mrH0Gq5vAmib9gZae2zMmNo2arusUU2eugdX
+-----END CERTIFICATE-----