From 2caf99bdc64da040f4877cebff2f199a17f59253 Mon Sep 17 00:00:00 2001
From: Deepak Kumar
Date: Wed, 6 Sep 2017 11:20:02 -0500
Subject: [PATCH 1/3] fix eku check for BRs
---
 lints/base.go | 4 ++++
 lints/lint_sub_ca_eku_valid_fields_test.go | 2 +-
 ..._eku_server_auth_client_auth_missing_test.go | 2 +-
 util/eku.go | 17 +++++++++++++++++
 4 files changed, 23 insertions(+), 2 deletions(-)
 create mode 100644 util/eku.go
diff --git a/lints/base.go b/lints/base.go
index d16460212..540e91898 100644
--- a/lints/base.go
+++ b/lints/base.go
@@ -18,6 +18,7 @@ import (
 "time"
 "github.com/zmap/zcrypto/x509"
+ "github.com/zmap/zlint/util"
 )
 var (
@@ -97,6 +98,9 @@ func (l *Lint) CheckEffective(c *x509.Certificate) bool {
 // CheckEffective()
 // Execute()
 func (l *Lint) Execute(cert *x509.Certificate) *LintResult {
+ if l.Source == CABFBaselineRequirements && !util.IsTestableBRCertificate(cert) {
+ return &LintResult{Status: NA}
+ }
 if !l.Lint.CheckApplies(cert) {
 return &LintResult{Status: NA}
 } else if !l.CheckEffective(cert) {
diff --git a/lints/lint_sub_ca_eku_valid_fields_test.go b/lints/lint_sub_ca_eku_valid_fields_test.go
index 63b26d40b..8b9d09c22 100644
--- a/lints/lint_sub_ca_eku_valid_fields_test.go
+++ b/lints/lint_sub_ca_eku_valid_fields_test.go
@@ -16,7 +16,7 @@ func TestSubCAEKUValidFields(t *testing.T) {
 func TestSubCAEKUNotValidFields(t *testing.T) {
 inputPath := "../testlint/testCerts/subCAEKUNotValidFields.pem"
- expected := Notice
+ expected := NA
 out := Lints["n_sub_ca_eku_not_technically_constrained"].Execute(ReadCertificate(inputPath))
 if out.Status != expected {
 t.Errorf("%s: expected %s, got %s", inputPath, expected, out.Status)
diff --git a/lints/lint_sub_cert_eku_server_auth_client_auth_missing_test.go b/lints/lint_sub_cert_eku_server_auth_client_auth_missing_test.go
index cb1b69297..0ee81c169 100644
--- a/lints/lint_sub_cert_eku_server_auth_client_auth_missing_test.go
+++ b/lints/lint_sub_cert_eku_server_auth_client_auth_missing_test.go
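Review bot: The new gate at the top of `Execute` returns NA before `CheckApplies` ever runs, so the two test hunks in this patch (`TestSubCAEKUNotValidFields`, `TestEkuBothPres`) that flip their expectation from Notice/Error to NA now only prove that the gate fired and no longer exercise those lints' own finding paths. A unit test for `util.IsTestableBRCertificate` covering the no-EKU, anyExtendedKeyUsage, serverAuth and other-EKU-only cases, plus fixtures that still reach each lint's Notice/Error branch, would keep that coverage. The gate also applies to every lint whose `Source` is `CABFBaselineRequirements`, CA-certificate lints included; if that is the intended scope it is worth saying so in the comment above `Execute`. `Execute` continues past the end of the hunk.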
@@ -7,7 +7,7 @@ import (
 func TestEkuBothPres(t *testing.T) {
 inputPath := "../testlint/testCerts/subExtKeyUsageCodeSign.pem"
- expected := Error
+ expected := NA
 out := Lints["e_sub_cert_eku_server_auth_client_auth_missing"].Execute(ReadCertificate(inputPath))
 if out.Status != expected {
 t.Errorf("%s: expected %s, got %s", inputPath, expected, out.Status)
diff --git a/util/eku.go b/util/eku.go
new file mode 100644
index 000000000..77c605077
--- /dev/null
+++ b/util/eku.go
@@ -0,0 +1,17 @@
+package util
+
+import (
+ "github.com/zmap/zcrypto/x509"
+)
+
+func IsTestableBRCertificate(cert *x509.Certificate) bool {
+ if len(cert.ExtKeyUsage) == 0 {
+ return true
+ }
+ for _, eku := range cert.ExtKeyUsage {
+ if eku == x509.ExtKeyUsageAny || eku == x509.ExtKeyUsageServerAuth {
+ return true
+ }
+ }
+ return false
+}
From 2fd1178dfef74ff7b4e49f8b5f01e43ca638654a Mon Sep 17 00:00:00 2001
From: Deepak Kumar
Date: Wed, 6 Sep 2017 12:54:15 -0500
Subject: [PATCH 2/3] fix nits
---
 lints/base.go | 6 ++++--
 util/ca.go | 12 ++++++++++++
 util/eku.go | 17 -----------------
 3 files changed, 16 insertions(+), 19 deletions(-)
 delete mode 100644 util/eku.go
diff --git a/lints/base.go b/lints/base.go
index 540e91898..b0d17c93f 100644
--- a/lints/base.go
+++ b/lints/base.go
@@ -91,8 +91,10 @@ func (l *Lint) CheckEffective(c *x509.Certificate) bool {
 return false
 }
-// Execute runs the lint against a certificate. See LintInterface for details
-// about the methods called. The ordering is as follows:
+// Execute runs the lint against a certificate. For lints that are
+// sourced from the CA/B Forum Baseline Requirements, we first determine
+// if they are within the purview of the BRs. See LintInterface for details
+// about the other methods called. The ordering is as follows:
 //
 // CheckApplies()
 // CheckEffective()
diff --git a/util/ca.go b/util/ca.go
index 793c90371..6416d9f0d 100644
--- a/util/ca.go
+++ b/util/ca.go
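Review bot: `IsTestableBRCertificate` is exported without a doc comment, and its first check `len(cert.ExtKeyUsage) == 0` conflates two cases: a certificate with no EKU extension at all, and one whose EKU extension is present but holds only purposes that zcrypto does not map to an `x509.ExtKeyUsage` value. If zcrypto keeps the standard library's `UnknownExtKeyUsage` slice for those, the second case (an EKU that explicitly excludes serverAuth) would still be reported as in scope, and the guard would need `&& len(cert.UnknownExtKeyUsage) == 0` to distinguish them. Suggested comment: `// IsTestableBRCertificate reports whether a certificate is in scope for the Baseline Requirements: it carries no recognised EKU, or its EKU includes anyExtendedKeyUsage or id-kp-serverAuth.` The same body is moved into util/ca.go in the second patch and renamed `IsServerAuthCert` in the third, a name that no longer hints at the no-EKU case, so the comment should travel with it.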
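Review bot: The reworded `Execute` comment still lists the call order as `CheckApplies()`, `CheckEffective()`, `Execute()`, which omits the BR scope check the same comment says now runs first, and it does not state that an out-of-scope certificate yields `NA` rather than a lint verdict. Suggest adding a line such as `// BR scope check (BR-sourced lints only; out of scope returns NA)` at the top of that list. The ordering list continues past the end of the hunk.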
@@ -29,3 +29,15 @@ func IsSelfSigned(c *x509.Certificate) bool {
 func IsSubscriberCert(c *x509.Certificate) bool {
 return !IsCACert(c) && !IsSelfSigned(c)
 }
+
+func IsTestableBRCertificate(cert *x509.Certificate) bool {
+ if len(cert.ExtKeyUsage) == 0 {
+ return true
+ }
+ for _, eku := range cert.ExtKeyUsage {
+ if eku == x509.ExtKeyUsageAny || eku == x509.ExtKeyUsageServerAuth {
+ return true
+ }
+ }
+ return false
+}
diff --git a/util/eku.go b/util/eku.go
deleted file mode 100644
index 77c605077..000000000
--- a/util/eku.go
+++ /dev/null
@@ -1,17 +0,0 @@
-package util
-
-import (
- "github.com/zmap/zcrypto/x509"
-)
-
-func IsTestableBRCertificate(cert *x509.Certificate) bool {
- if len(cert.ExtKeyUsage) == 0 {
- return true
- }
- for _, eku := range cert.ExtKeyUsage {
- if eku == x509.ExtKeyUsageAny || eku == x509.ExtKeyUsageServerAuth {
- return true
- }
- }
- return false
-}
From cbf5317554644e6a1863642eceddac4281eb7412 Mon Sep 17 00:00:00 2001
From: Deepak Kumar
Date: Wed, 6 Sep 2017 13:23:40 -0500
Subject: [PATCH 3/3] update name
---
 lints/base.go | 2 +-
 util/ca.go | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/lints/base.go b/lints/base.go
index b0d17c93f..55de687bd 100644
--- a/lints/base.go
+++ b/lints/base.go
@@ -100,7 +100,7 @@ func (l *Lint) CheckEffective(c *x509.Certificate) bool {
 // CheckEffective()
 // Execute()
 func (l *Lint) Execute(cert *x509.Certificate) *LintResult {
- if l.Source == CABFBaselineRequirements && !util.IsTestableBRCertificate(cert) {
+ if l.Source == CABFBaselineRequirements && !util.IsServerAuthCert(cert) {
 return &LintResult{Status: NA}
 }
 if !l.Lint.CheckApplies(cert) {
diff --git a/util/ca.go b/util/ca.go
index 6416d9f0d..ff80a88ea 100644
--- a/util/ca.go
+++ b/util/ca.go
@@ -30,7 +30,7 @@ func IsSubscriberCert(c *x509.Certificate) bool {
 return !IsCACert(c) && !IsSelfSigned(c)
 }
-func IsTestableBRCertificate(cert *x509.Certificate) bool {
+func IsServerAuthCert(cert *x509.Certificate) bool {
 if len(cert.ExtKeyUsage) == 0 {
 return true
 }