zmap · zakird · Jan 3, 2020 · Jan 3, 2020 · Jan 3, 2020 · Jan 3, 2020
diff --git a/gofmt_test.go b/gofmt_test.go
diff --git a/lint/base.go b/lint/base.go
@@ -46,6 +46,8 @@ type LintInterface interface {
 // An Enum to programmatically represent the source of a lint
 type LintSource int
 
+// NOTE(@cpu): If you are adding a new LintSource make sure you have considered
+// updating the Directory() function.
 const (
 	UnknownLintSource LintSource = iota
 	CABFBaselineRequirements
@@ -59,6 +61,38 @@ const (
 	AppleCTPolicy // https://support.apple.com/en-us/HT205280
 )
 
+// LintSources contains a list of the valid lint sources we expect to be used
+// by ZLint lints.
+var LintSources = []LintSource{
+	CABFBaselineRequirements,
+	CABFEVGuidelines,
+	RFC5280,
+	RFC5480,
+	RFC5891,
+	AppleCTPolicy,
+	EtsiEsi,
+	ZLint,
+	AWSLabs,
+}
+
+// Directory returns the directory name in `lints/` for the LintSource.
+func (l LintSource) Directory() string {
+	switch l {
+	case CABFBaselineRequirements:
+		return "cabf_br"
+	case CABFEVGuidelines:
+		return "cabf_ev"
+	case RFC5280, RFC5480, RFC5891:
+		return "rfc"
+	case AppleCTPolicy:
+		return "apple"
+	case EtsiEsi:
+		return "etsi"
+	default:
+		return "community"
+	}
+}
+
 // A Lint struct represents a single lint, e.g.
 // "e_basic_constraints_not_critical". It contains an implementation of LintInterface.
 type Lint struct {

diff --git a/lints/cabf_br/lint_invalid_certificate_version.go b/lints/cabf_br/lint_invalid_certificate_version.go
@@ -38,7 +38,6 @@ func (l *InvalidCertificateVersion) Execute(cert *x509.Certificate) *lint.LintRe
 	if cert.Version != 3 {
 		return &lint.LintResult{Status: lint.Error}
 	}
-	//else
 	return &lint.LintResult{Status: lint.Pass}
 }
 

diff --git a/lints/cabf_br/lint_old_root_ca_rsa_mod_less_than_2048_bits.go b/lints/cabf_br/lint_old_root_ca_rsa_mod_less_than_2048_bits.go
@@ -14,10 +14,6 @@ package cabf_br
  * permissions and limitations under the License.
  */
 
-/************************************************
-Change this to match source TEXT
-************************************************/
-
 import (
 	"crypto/rsa"
 

diff --git a/lints/cabf_br/lint_root_ca_extended_key_usage_present.go b/lints/cabf_br/lint_root_ca_extended_key_usage_present.go
@@ -36,7 +36,6 @@ func (l *rootCAContainsEKU) CheckApplies(c *x509.Certificate) bool {
 }
 
 func (l *rootCAContainsEKU) Execute(c *x509.Certificate) *lint.LintResult {
-	// Add actual lint here
 	if util.IsExtInCert(c, util.EkuSynOid) {
 		return &lint.LintResult{Status: lint.Error}
 	} else {

diff --git a/lints/cabf_br/lint_root_ca_key_usage_present.go b/lints/cabf_br/lint_root_ca_key_usage_present.go
@@ -31,7 +31,6 @@ func (l *rootCAKeyUsagePresent) CheckApplies(c *x509.Certificate) bool {
 }
 
 func (l *rootCAKeyUsagePresent) Execute(c *x509.Certificate) *lint.LintResult {
-	// Add actual lint here
 	if util.IsExtInCert(c, util.KeyUsageOID) {
 		return &lint.LintResult{Status: lint.Pass}
 	} else {

diff --git a/lints/cabf_br/lint_rsa_mod_less_than_2048_bits.go b/lints/cabf_br/lint_rsa_mod_less_than_2048_bits.go
@@ -14,10 +14,6 @@ package cabf_br
  * permissions and limitations under the License.
  */
 
-/************************************************
-Change this to match source TEXT
-************************************************/
-
 import (
 	"crypto/rsa"
 

diff --git a/lints/cabf_br/lint_sub_ca_name_constraints_not_critical.go b/lints/cabf_br/lint_sub_ca_name_constraints_not_critical.go
@@ -15,7 +15,14 @@ package cabf_br
  */
 
 /************************************************
-Change this to match source TEXT
+CA Brower Forum Baseline Requirements, Section 7.1.2.2:
+
+   f. nameConstraints (optional)
+If present, this extension SHOULD be marked critical*.
+
+* Non-critical Name Constraints are an exception to RFC 5280 (4.2.1.10), however, they MAY be used until the
+Name Constraints extension is supported by Application Software Suppliers whose software is used by a
+substantial portion of Relying Parties worldwide
 ************************************************/
 
 import (

diff --git a/lints/cabf_br/lint_sub_cert_cert_policy_empty.go b/lints/cabf_br/lint_sub_cert_cert_policy_empty.go
@@ -39,7 +39,6 @@ func (l *subCertPolicyEmpty) CheckApplies(c *x509.Certificate) bool {
 }
 
 func (l *subCertPolicyEmpty) Execute(c *x509.Certificate) *lint.LintResult {
-	// Add actual lint here
 	if util.IsExtInCert(c, util.CertPolicyOID) && c.PolicyIdentifiers != nil {
 		return &lint.LintResult{Status: lint.Pass}
 	} else {

diff --git a/lints/cabf_br/lint_sub_cert_certificate_policies_missing.go b/lints/cabf_br/lint_sub_cert_certificate_policies_missing.go
@@ -37,7 +37,6 @@ func (l *subCertPolicy) CheckApplies(c *x509.Certificate) bool {
 }
 
 func (l *subCertPolicy) Execute(c *x509.Certificate) *lint.LintResult {
-	// Add actual lint here
 	if util.IsExtInCert(c, util.CertPolicyOID) {
 		return &lint.LintResult{Status: lint.Pass}
 	} else {

diff --git a/lints/cabf_br/lint_sub_cert_crl_distribution_points_does_not_contain_url.go b/lints/cabf_br/lint_sub_cert_crl_distribution_points_does_not_contain_url.go
@@ -40,7 +40,6 @@ func (l *subCRLDistNoURL) CheckApplies(c *x509.Certificate) bool {
 }
 
 func (l *subCRLDistNoURL) Execute(c *x509.Certificate) *lint.LintResult {
-	// Add actual lint here
 	for _, s := range c.CRLDistributionPoints {
 		if strings.HasPrefix(s, "http://") {
 			return &lint.LintResult{Status: lint.Pass}

diff --git a/lints/cabf_br/lint_sub_cert_eku_extra_values.go b/lints/cabf_br/lint_sub_cert_eku_extra_values.go
@@ -37,7 +37,6 @@ func (l *subExtKeyUsageLegalUsage) CheckApplies(c *x509.Certificate) bool {
 }
 
 func (l *subExtKeyUsageLegalUsage) Execute(c *x509.Certificate) *lint.LintResult {
-	// Add actual lint here
 	for _, kp := range c.ExtKeyUsage {
 		if kp == x509.ExtKeyUsageServerAuth ||
 			kp == x509.ExtKeyUsageClientAuth ||

diff --git a/lints/cabf_br/lint_sub_cert_eku_missing.go b/lints/cabf_br/lint_sub_cert_eku_missing.go
@@ -37,7 +37,6 @@ func (l *subExtKeyUsage) CheckApplies(c *x509.Certificate) bool {
 }
 
 func (l *subExtKeyUsage) Execute(c *x509.Certificate) *lint.LintResult {
-	// Add actual lint here
 	if util.IsExtInCert(c, util.EkuSynOid) {
 		return &lint.LintResult{Status: lint.Pass}
 	} else {

diff --git a/lints/cabf_br/lint_sub_cert_eku_server_auth_client_auth_missing.go b/lints/cabf_br/lint_sub_cert_eku_server_auth_client_auth_missing.go
@@ -37,7 +37,6 @@ func (l *subExtKeyUsageClientOrServer) CheckApplies(c *x509.Certificate) bool {
 }
 
 func (l *subExtKeyUsageClientOrServer) Execute(c *x509.Certificate) *lint.LintResult {
-	// Add actual lint here
 	for _, kp := range c.ExtKeyUsage {
 		if kp == x509.ExtKeyUsageServerAuth || kp == x509.ExtKeyUsageClientAuth {
 			// If we find either of ServerAuth or ClientAuth, lint.Pass

diff --git a/lints/cabf_br/lint_sub_cert_key_usage_cert_sign_bit_set.go b/lints/cabf_br/lint_sub_cert_key_usage_cert_sign_bit_set.go
@@ -37,7 +37,6 @@ func (l *subCertKeyUsageBitSet) CheckApplies(c *x509.Certificate) bool {
 }
 
 func (l *subCertKeyUsageBitSet) Execute(c *x509.Certificate) *lint.LintResult {
-	// Add actual lint here
 	if (c.KeyUsage & x509.KeyUsageCertSign) == x509.KeyUsageCertSign {
 		return &lint.LintResult{Status: lint.Error}
 	} else { //key usage doesn't allow cert signing or isn't present

diff --git a/lints/cabf_br/lint_sub_cert_key_usage_crl_sign_bit_set.go b/lints/cabf_br/lint_sub_cert_key_usage_crl_sign_bit_set.go
@@ -37,7 +37,6 @@ func (l *subCrlSignAllowed) CheckApplies(c *x509.Certificate) bool {
 }
 
 func (l *subCrlSignAllowed) Execute(c *x509.Certificate) *lint.LintResult {
-	// Add actual lint here
 	if (c.KeyUsage & x509.KeyUsageCRLSign) == x509.KeyUsageCRLSign {
 		return &lint.LintResult{Status: lint.Error}
 	} else { //key usage doesn't allow cert signing or isn't present

diff --git a/lints/cabf_br/lint_sub_cert_or_sub_ca_using_sha1.go b/lints/cabf_br/lint_sub_cert_or_sub_ca_using_sha1.go
@@ -16,7 +16,7 @@ package cabf_br
 
 /**************************************************************************************************
 BRs: 7.1.3
-SHA‐1	MAY	be	used	with	RSA	keys	in	accordance	with	the	criteria	defined	in	Section	7.1.3.
+SHA‐1 MAY be used with RSA keys in accordance with the criteria defined in Section 7.1.3.
 **************************************************************************************************/
 
 import (

diff --git a/lints/rfc/lint_ian_bare_wildcard.go → lints/community/lint_ian_bare_wildcard.go b/lints/rfc/lint_ian_bare_wildcard.go → lints/community/lint_ian_bare_wildcard.go
@@ -1,4 +1,4 @@
-package rfc
+package community
 
 /*
  * ZLint Copyright 2020 Regents of the University of Michigan
@@ -44,9 +44,9 @@ func (l *brIANBareWildcard) Execute(c *x509.Certificate) *lint.LintResult {
 func init() {
 	lint.RegisterLint(&lint.Lint{
 		Name:          "e_ian_bare_wildcard",
-		Description:   "A wildcard MUST be accompanied by other data to its right (Only checks DNSName)",
-		Citation:      "RFC5280",
-		Source:        lint.RFC5280,
+		Description:   "A wildcard MUST be accompanied by other data to its right (Only checks IANDNSNames)",
+		Citation:      "awslabs certlint",
+		Source:        lint.AWSLabs,
 		EffectiveDate: util.ZeroDate,
 		Lint:          &brIANBareWildcard{},
 	})

diff --git a/lints/rfc/lint_ian_bare_wildcard_test.go → .../community/lint_ian_bare_wildcard_test.go b/lints/rfc/lint_ian_bare_wildcard_test.go → .../community/lint_ian_bare_wildcard_test.go
@@ -1,4 +1,4 @@
-package rfc
+package community
 
 /*
  * ZLint Copyright 2020 Regents of the University of Michigan

diff --git a/lints/community/lint_ian_wildcard_not_first.go b/lints/community/lint_ian_wildcard_not_first.go
@@ -44,7 +44,7 @@ func (l *brIANWildcardFirst) Execute(c *x509.Certificate) *lint.LintResult {
 func init() {
 	lint.RegisterLint(&lint.Lint{
 		Name:          "e_ian_wildcard_not_first",
-		Description:   "A wildcard MUST be in the first label of FQDN (ie not: www.*.com) (Only checks DNSName)",
+		Description:   "A wildcard MUST be in the first label of FQDN (ie not: www.*.com) (Only checks IANDNSNames)",
 		Citation:      "awslabs certlint",
 		Source:        lint.AWSLabs,
 		EffectiveDate: util.ZeroDate,

diff --git a/lints/community/lint_rsa_exp_negative_test.go b/lints/community/lint_rsa_exp_negative_test.go
@@ -21,18 +21,7 @@ import (
 	"github.com/zmap/zlint/util"
 )
 
-// func TestRsaExpNegative(t *testing.T) {
-// 	inputPath := "../../testlint/testCerts/rsaExpNegative.pem"
-// 	expected := lint.Error
-// 	out := lint.Lints["rsa_exp_negative"].ExecuteTest(util.ReadCertificate(inputPath))
-// 	if out.Result != expected {
-// 		t.Error(
-// 			"For", inputPath,
-// 			"expected", expected,
-// 			"got", out.Result,
-// 		)
-// 	}
-// }
+// TODO: There should be a test for negative RSA exp.
 
 func TestRsaExpPositive(t *testing.T) {
 	inputPath := "../../testlint/testCerts/IANURIValid.pem"

diff --git a/lints/community/lint_validity_time_not_positive.go b/lints/community/lint_validity_time_not_positive.go
@@ -14,10 +14,6 @@ package community
  * permissions and limitations under the License.
  */
 
-/************************************************
-Change this to match source TEXT
-************************************************/
-
 import (
 	"github.com/zmap/zcrypto/x509"
 	"github.com/zmap/zlint/lint"

diff --git a/lints/rfc/lint_basic_constraints_not_critical.go b/lints/rfc/lint_basic_constraints_not_critical.go
@@ -43,7 +43,6 @@ func (l *basicConstCrit) CheckApplies(c *x509.Certificate) bool {
 }
 
 func (l *basicConstCrit) Execute(c *x509.Certificate) *lint.LintResult {
-	// Add actual lint here
 	if e := util.GetExtFromCert(c, util.BasicConstOID); e != nil {
 		if e.Critical {
 			return &lint.LintResult{Status: lint.Pass}

diff --git a/lints/rfc/lint_cert_contains_unique_identifier.go b/lints/rfc/lint_cert_contains_unique_identifier.go
@@ -46,7 +46,7 @@ func (l *CertContainsUniqueIdentifier) CheckApplies(cert *x509.Certificate) bool
 func (l *CertContainsUniqueIdentifier) Execute(cert *x509.Certificate) *lint.LintResult {
 	if cert.IssuerUniqueId.Bytes == nil && cert.SubjectUniqueId.Bytes == nil {
 		return &lint.LintResult{Status: lint.Pass}
-	} //else
+	}
 	return &lint.LintResult{Status: lint.Error}
 }
 

diff --git a/lints/rfc/lint_ext_key_usage_cert_sign_without_ca.go b/lints/rfc/lint_ext_key_usage_cert_sign_without_ca.go
@@ -43,7 +43,7 @@ func (l *keyUsageCertSignNoCa) CheckApplies(c *x509.Certificate) bool {
 
 func (l *keyUsageCertSignNoCa) Execute(c *x509.Certificate) *lint.LintResult {
 	if (c.KeyUsage & x509.KeyUsageCertSign) != 0 {
-		if c.BasicConstraintsValid && util.IsCACert(c) { //CA certs may assert certtificate signing usage
+		if c.BasicConstraintsValid && util.IsCACert(c) { //CA certs may assert certificate signing usage
 			return &lint.LintResult{Status: lint.Pass}
 		} else {
 			return &lint.LintResult{Status: lint.Error}

diff --git a/lints/rfc/lint_ext_key_usage_not_critical.go b/lints/rfc/lint_ext_key_usage_not_critical.go
@@ -33,7 +33,6 @@ func (l *checkKeyUsageCritical) CheckApplies(c *x509.Certificate) bool {
 }
 
 func (l *checkKeyUsageCritical) Execute(c *x509.Certificate) *lint.LintResult {
-	// Add actual lint here
 	keyUsage := util.GetExtFromCert(c, util.KeyUsageOID)
 	if keyUsage == nil {
 		return &lint.LintResult{Status: lint.NA}

diff --git a/lints/rfc/lint_inhibit_any_policy_not_critical.go b/lints/rfc/lint_inhibit_any_policy_not_critical.go
@@ -48,7 +48,7 @@ func (l *InhibitAnyPolicyNotCritical) CheckApplies(cert *x509.Certificate) bool
 func (l *InhibitAnyPolicyNotCritical) Execute(cert *x509.Certificate) *lint.LintResult {
 	if anyPol := util.GetExtFromCert(cert, util.InhibitAnyPolicyOID); !anyPol.Critical {
 		return &lint.LintResult{Status: lint.Error}
-	} //else
+	}
 	return &lint.LintResult{Status: lint.Pass}
 }
 

diff --git a/lints/rfc/lint_subject_common_name_max_length.go b/lints/rfc/lint_subject_common_name_max_length.go
@@ -50,7 +50,7 @@ func (l *subjectCommonNameMaxLength) Execute(c *x509.Certificate) *lint.LintResu
 func init() {
 	lint.RegisterLint(&lint.Lint{
 		Name:          "e_subject_common_name_max_length",
-		Description:   "The commonName field of the subject MUST be less than 64 characters",
+		Description:   "The commonName field of the subject MUST be less than 65 characters",
 		Citation:      "RFC 5280: A.1",
 		Source:        lint.RFC5280,
 		EffectiveDate: util.RFC2459Date,

diff --git a/lints/rfc/lint_subject_dn_serial_number_max_length.go b/lints/rfc/lint_subject_dn_serial_number_max_length.go
@@ -42,7 +42,7 @@ func (l *SubjectDNSerialNumberMaxLength) Execute(c *x509.Certificate) *lint.Lint
 func init() {
 	lint.RegisterLint(&lint.Lint{
 		Name:          "e_subject_dn_serial_number_max_length",
-		Description:   "The 'Serial Number' field of the subject MUST be less than 64 characters",
+		Description:   "The 'Serial Number' field of the subject MUST be less than 65 characters",
 		Citation:      "RFC 5280: Appendix A",
 		Source:        lint.RFC5280,
 		EffectiveDate: util.ZeroDate,

diff --git a/lints/rfc/lint_subject_email_max_length.go b/lints/rfc/lint_subject_email_max_length.go
@@ -59,7 +59,7 @@ func (l *subjectEmailMaxLength) Execute(c *x509.Certificate) *lint.LintResult {
 func init() {
 	lint.RegisterLint(&lint.Lint{
 		Name:          "e_subject_email_max_length",
-		Description:   "The 'Email' field of the subject MUST be less than 255 characters",
+		Description:   "The 'Email' field of the subject MUST be less than 256 characters",
 		Citation:      "RFC 5280: A.1",
 		Source:        lint.RFC5280,
 		EffectiveDate: util.RFC2459Date,

diff --git a/lints/rfc/lint_subject_locality_name_max_length.go b/lints/rfc/lint_subject_locality_name_max_length.go
@@ -52,7 +52,7 @@ func (l *subjectLocalityNameMaxLength) Execute(c *x509.Certificate) *lint.LintRe
 func init() {
 	lint.RegisterLint(&lint.Lint{
 		Name:          "e_subject_locality_name_max_length",
-		Description:   "The 'Locality Name' field of the subject MUST be less than 128 characters",
+		Description:   "The 'Locality Name' field of the subject MUST be less than 129 characters",
 		Citation:      "RFC 5280: A.1",
 		Source:        lint.RFC5280,
 		EffectiveDate: util.RFC2459Date,

diff --git a/lints/rfc/lint_subject_organization_name_max_length.go b/lints/rfc/lint_subject_organization_name_max_length.go
@@ -52,7 +52,7 @@ func (l *subjectOrganizationNameMaxLength) Execute(c *x509.Certificate) *lint.Li
 func init() {
 	lint.RegisterLint(&lint.Lint{
 		Name:          "e_subject_organization_name_max_length",
-		Description:   "The 'Organization Name' field of the subject MUST be less than 64 characters",
+		Description:   "The 'Organization Name' field of the subject MUST be less than 65 characters",
 		Citation:      "RFC 5280: A.1",
 		Source:        lint.RFC5280,
 		EffectiveDate: util.RFC2459Date,

diff --git a/lints/rfc/lint_subject_organizational_unit_name_max_length.go b/lints/rfc/lint_subject_organizational_unit_name_max_length.go
@@ -52,7 +52,7 @@ func (l *subjectOrganizationalUnitNameMaxLength) Execute(c *x509.Certificate) *l
 func init() {
 	lint.RegisterLint(&lint.Lint{
 		Name:          "e_subject_organizational_unit_name_max_length",
-		Description:   "The 'Organizational Unit Name' field of the subject MUST be less than 64 characters",
+		Description:   "The 'Organizational Unit Name' field of the subject MUST be less than 65 characters",
 		Citation:      "RFC 5280: A.1",
 		Source:        lint.RFC5280,
 		EffectiveDate: util.RFC2459Date,

diff --git a/lints/rfc/lint_subject_state_name_max_length.go b/lints/rfc/lint_subject_state_name_max_length.go
@@ -52,7 +52,7 @@ func (l *subjectStateNameMaxLength) Execute(c *x509.Certificate) *lint.LintResul
 func init() {
 	lint.RegisterLint(&lint.Lint{
 		Name:          "e_subject_state_name_max_length",
-		Description:   "The 'State Name' field of the subject MUST be less than 128 characters",
+		Description:   "The 'State Name' field of the subject MUST be less than 129 characters",
 		Citation:      "RFC 5280: A.1",
 		Source:        lint.RFC5280,
 		EffectiveDate: util.RFC2459Date,
-Original file line number
+Diff line change
@@ Expand Up @@
     	if cert.Version != 3 {
     		return &lint.LintResult{Status: lint.Error}
     	}
-    	//else
     	return &lint.LintResult{Status: lint.Pass}
     }
@@ Expand Down @@