Fix eku check for BRs #171

Merged
merged 3 commits into from
Sep 6, 2017
Merged
10 changes: 8 additions & 2 deletions lints/base.go
Expand Up @@ -18,6 +18,7 @@ import (
"time"

"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/util"
)

var (
Expand Down Expand Up @@ -90,13 +91,18 @@ func (l *Lint) CheckEffective(c *x509.Certificate) bool {
return false
}

// Execute runs the lint against a certificate. See LintInterface for details
// about the methods called. The ordering is as follows:
// Execute runs the lint against a certificate. For lints that are
// sourced from the CA/B Forum Baseline Requirements, we first determine
// if they are within the purview of the BRs. See LintInterface for details
// about the other methods called. The ordering is as follows:
//
// CheckApplies()
// CheckEffective()
// Execute()
Can you update the first paragraph of the above comment to describe the additional checks you just added, e.g. lints that check for BR compliance are only run against certs that fall under the purview of the BRs.

func (l *Lint) Execute(cert *x509.Certificate) *LintResult {
if l.Source == CABFBaselineRequirements && !util.IsServerAuthCert(cert) {
return &LintResult{Status: NA}
}
if !l.Lint.CheckApplies(cert) {
return &LintResult{Status: NA}
} else if !l.CheckEffective(cert) {
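Review bot: The ordering list in Execute's doc comment still names only CheckApplies(), CheckEffective() and Execute(), while the new guard in the body runs util.IsServerAuthCert(cert) before any of them for lints whose Source is CABFBaselineRequirements; adding `// util.IsServerAuthCert() (CABFBaselineRequirements lints only)` as the first entry of that list keeps the comment and the code in step. It would also help to say in the comment that the BR gate treats a certificate with no EKU extension as in scope, because that is what IsServerAuthCert returns for an empty ExtKeyUsage and a reader of Execute cannot see it from here. Execute's body continues past the end of the hunk.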
2 changes: 1 addition & 1 deletion lints/lint_sub_ca_eku_valid_fields_test.go
Expand Up @@ -16,7 +16,7 @@ func TestSubCAEKUValidFields(t *testing.T) {

func TestSubCAEKUNotValidFields(t *testing.T) {
inputPath := "../testlint/testCerts/subCAEKUNotValidFields.pem"
expected := Notice
expected := NA
out := Lints["n_sub_ca_eku_not_technically_constrained"].Execute(ReadCertificate(inputPath))
if out.Status != expected {
t.Errorf("%s: expected %s, got %s", inputPath, expected, out.Status)
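Review bot: Changing `expected := Notice` to `expected := NA` means TestSubCAEKUNotValidFields now exercises only the new purview gate in Lint.Execute, and the lint's own Notice path is no longer reached by any test in this diff; keeping a second fixture whose EKU includes serverAuth (or anyExtendedKeyUsage) so the lint still produces its original Notice result would preserve that coverage. The same applies to TestEkuBothPres in the following file section, where `expected := Error` becomes `expected := NA`. The rendered page does not mark which of the two lines is the old one, but the point holds either way.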
Expand Up @@ -7,7 +7,7 @@ import (

func TestEkuBothPres(t *testing.T) {
inputPath := "../testlint/testCerts/subExtKeyUsageCodeSign.pem"
expected := Error
expected := NA
out := Lints["e_sub_cert_eku_server_auth_client_auth_missing"].Execute(ReadCertificate(inputPath))
if out.Status != expected {
t.Errorf("%s: expected %s, got %s", inputPath, expected, out.Status)
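--- a/util/ca.go
+++ b/util/ca.go
@@ -29,3 +29,15 @@ func IsSelfSigned(c *x509.Certificate) bool {
 func IsSubscriberCert(c *x509.Certificate) bool {
 return !IsCACert(c) && !IsSelfSigned(c)
 }
+
+func IsServerAuthCert(cert *x509.Certificate) bool {
+if len(cert.ExtKeyUsage) == 0 {
+return true
+}
+for _, eku := range cert.ExtKeyUsage {
+if eku == x509.ExtKeyUsageAny || eku == x509.ExtKeyUsageServerAuth {
+return true
+}
+}
+return false
+}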
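Review bot: IsServerAuthCert is exported but has no doc comment, and its most consequential choice — an absent or empty EKU extension counts as server-auth — is visible only by reading the first branch; a comment such as `// IsServerAuthCert reports whether cert may be used for TLS server authentication: true when no EKU extension is present, or when it contains anyExtendedKeyUsage or serverAuth.` should sit above the function. If zcrypto's Certificate mirrors crypto/x509's UnknownExtKeyUsage field, a certificate whose only EKU values are unrecognized OIDs would have an empty ExtKeyUsage and also be treated as server-auth, so it is worth confirming that this fall-through is intended for BR lints rather than accidental.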