Zlint incorrectly requires TorServiceDescriptors for onion V3 domains #667

Closed
mimi89999 opened this issue Mar 19, 2022 · 4 comments · Fixed by #669

@mimi89999

Example cert: https://crt.sh/?id=6357116915

ZLint version: 3.3.0

@christopher-henderson
Member

Howdy @mimi89999

I believe that you are referring to Ballot SC27v3: Version 3 Onion Certificates, correct?

The wording here befuddles me a bit.

The Tor Service Descriptor Hash extension required in the EV Guidelines to contain the full hash of the keys related to the .onion address is no longer needed as this hash is part of the version 3 address.

...immediately followed by...

Older version 2 onion addresses are still in use, so this ballot does not remove the existing EV Guidelines requirements for onion names.

In my head, I read this as...

Version 3 addresses technically obviate the need for this extension, however due to the proliferation of V2 certificates in the wild this requirement remains in place for EV certificates.

Do you have any insight into this @sleevi?


(The lint line in question which is failing this cert)

if ext := util.GetExtFromCert(c, util.BRTorServiceDescriptor); ext == nil {

@mimi89999
Author

Initially I thought the same and opened https://bugzilla.mozilla.org/show_bug.cgi?id=1759122, but then I realized that the EV guidelines state:
Appendix F – Issuance of Certificates for .onion Domain Names

A CA may issue an EV Certificate with “onion” as the right‐most Domain Label of the
Domain Name provided that issuance complies with the requirements set forth in this
Appendix or Appendix C of the Baseline Requirements.

Since the APPENDIX B – Issuance of Certificates for .onion Domain Names (see cabforum/servercert#346) states that:

The Domain Name MUST contain at least two Domain Labels, where the right-most Domain Label is "onion", and the Domain Label immediately preceding the right-most "onion" Domain Label is a valid Version 3 Onion Address, as defined in Section 6 of the Tor Rendezvous Specification - Version 3 located at https://spec.torproject.org/rend-spec-v3.

I believe that CAs issuing EV certificates can follow either Appendix F of EV or APPENDIX B of BR for onion domains. Since the latter is limited to v3 onion addresses, Appendix F of EV requirements would only apply to v2 addresses. This should match the statement:

Older version 2 onion addresses are still in use, so this ballot does not remove the existing EV Guidelines requirements for onion names.

@christopher-henderson
Member

It is taking every ounce of my willpower to not pun that the requirements themselves are an onion.

Interesting, so it seems to me that the change here would be to add an IsOnionV2 check to the CheckApplies procedure for the above lint (of course, I will have to research how to pick up on that - I'm not too familiar with onion addresses/protocol).

Does that sound right, @mimi89999?

@mimi89999
Author

Yes, that seems correct.

I will have to research how to pick up on that

That should be easy. https://gitweb.torproject.org/torspec.git/tree/rend-spec-v3.txt#n2160 specifies it. You only need to base32 decode the address and check the last byte. They are also 35 byte long.
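The version check described in the comment above, written out as an added Go example (not ZLint's own code and not part of this thread): a v3 onion address is the unpadded base32 encoding of PUBKEY (32 bytes) || CHECKSUM (2 bytes) || VERSION (1 byte), so it decodes to exactly 35 bytes and the last byte is 0x03. The function names `IsOnionV3Label` and `IsOnionV3Domain` are hypothetical, and the sample addresses in `main` are constructed for illustration rather than taken from the example certificate.

```go
package main

import (
	"encoding/base32"
	"fmt"
	"strings"
)

// A version 3 onion address (rend-spec-v3 section 6) is
//   base32(PUBKEY || CHECKSUM || VERSION)
// with PUBKEY 32 bytes, CHECKSUM 2 bytes and VERSION one byte fixed at 0x03,
// i.e. 35 decoded bytes, which is 56 base32 characters with no padding.
const (
	onionV3EncodedLen = 56
	onionV3DecodedLen = 35
	onionV3Version    = 0x03
)

// Tor writes the address in lowercase; Go's StdEncoding expects the uppercase
// RFC 4648 alphabet, so input is upper-cased before decoding.
var onionDecoder = base32.StdEncoding.WithPadding(base32.NoPadding)

// IsOnionV3Label reports whether a single DNS label (the part immediately
// before ".onion") has the shape of a version 3 onion address. It performs
// only the length and version-byte check suggested in the thread; the
// two-byte checksum is not verified here.
func IsOnionV3Label(label string) bool {
	if len(label) != onionV3EncodedLen {
		return false // v2 addresses are 16 characters; anything else is malformed
	}
	raw, err := onionDecoder.DecodeString(strings.ToUpper(label))
	if err != nil {
		return false // not valid base32
	}
	if len(raw) != onionV3DecodedLen {
		return false
	}
	return raw[len(raw)-1] == onionV3Version
}

// IsOnionV3Domain applies the check to a full dNSName such as
// "<56 chars>.onion", the shape a CheckApplies-style gate would receive.
// A trailing dot and upper-case labels are tolerated.
func IsOnionV3Domain(name string) bool {
	name = strings.TrimSuffix(strings.ToLower(name), ".")
	labels := strings.Split(name, ".")
	if len(labels) < 2 || labels[len(labels)-1] != "onion" {
		return false
	}
	return IsOnionV3Label(labels[len(labels)-2])
}

func main() {
	// Constructed samples: an all-zero key with a version byte of 0x03 encodes
	// to 55 'a's followed by 'd'; the v2-shaped sample is 16 base32 characters.
	samples := []string{
		strings.Repeat("a", 55) + "d.onion", // v3 shape: true
		strings.Repeat("a", 55) + "c.onion", // version byte 0x02: false
		"aaaaaaaaaaaaaaaa.onion",            // v2 shape (10 decoded bytes): false
		"example.com",                       // not an onion name: false
	}
	for _, s := range samples {
		fmt.Printf("%-64s v3=%v\n", s, IsOnionV3Domain(s))
	}
}
```

In a lint, the natural place for this is the `CheckApplies` step: the TorServiceDescriptor requirement is only enforced when the certificate carries an onion name that is not a v3 address. Note that the spec also defines a 2-byte SHA3-256 checksum over the key and version; the block above deliberately stops at the length and version-byte test the comment describes, so a checksum-invalid but well-formed string would still be classified as v3-shaped.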
