From 3da3eaf1824529610951f949b0fca0072a4c1896 Mon Sep 17 00:00:00 2001 From: Fotis Loukos Date: Wed, 2 Oct 2019 14:00:48 +0300 Subject: [PATCH 01/40] Lints: add new lints for Mozilla Root Store Policy. --- lints/base.go | 1 + lints/lint_mp_allowed_eku.go | 74 ++++++++ lints/lint_mp_allowed_eku_test.go | 59 +++++++ lints/lint_mp_allowed_rsa_keys.go | 67 ++++++++ lints/lint_mp_allowed_rsa_keys_test.go | 54 ++++++ ...int_mp_authority_key_identifier_correct.go | 79 +++++++++ ...p_authority_key_identifier_correct_test.go | 49 ++++++ lints/lint_mp_ecdsa_allowed_algorithm.go | 112 ++++++++++++ lints/lint_mp_ecdsa_allowed_algorithm_test.go | 54 ++++++ .../mpAuthorityKeyIdentifierCorrect.pem | 159 ++++++++++++++++++ .../mpAuthorityKeyIdentifierIncorrect.pem | 120 +++++++++++++ .../testCerts/mpECDSAAlgorithmsAllowed.pem | 72 ++++++++ .../mpECDSAAlgorithmsDisallowed1.pem | 70 ++++++++ .../mpECDSAAlgorithmsDisallowed2.pem | 70 ++++++++ testlint/testCerts/mpModulus1024.pem | 106 ++++++++++++ testlint/testCerts/mpModulus2048.pem | 118 +++++++++++++ testlint/testCerts/mpModulus4095.pem | 140 +++++++++++++++ testlint/testCerts/mpSubCAEKUAllowed.pem | 115 +++++++++++++ testlint/testCerts/mpSubCAEKUDisallowed1.pem | 112 ++++++++++++ testlint/testCerts/mpSubCAEKUDisallowed2.pem | 114 +++++++++++++ testlint/testCerts/mpSubCAEKUDisallowed3.pem | 115 +++++++++++++ util/time.go | 2 + 22 files changed, 1862 insertions(+) create mode 100644 lints/lint_mp_allowed_eku.go create mode 100644 lints/lint_mp_allowed_eku_test.go create mode 100644 lints/lint_mp_allowed_rsa_keys.go create mode 100644 lints/lint_mp_allowed_rsa_keys_test.go create mode 100644 lints/lint_mp_authority_key_identifier_correct.go create mode 100644 lints/lint_mp_authority_key_identifier_correct_test.go create mode 100644 lints/lint_mp_ecdsa_allowed_algorithm.go create mode 100644 lints/lint_mp_ecdsa_allowed_algorithm_test.go create mode 100644 testlint/testCerts/mpAuthorityKeyIdentifierCorrect.pem create mode 100644 testlint/testCerts/mpAuthorityKeyIdentifierIncorrect.pem create mode 100644 testlint/testCerts/mpECDSAAlgorithmsAllowed.pem create mode 100644 testlint/testCerts/mpECDSAAlgorithmsDisallowed1.pem create mode 100644 testlint/testCerts/mpECDSAAlgorithmsDisallowed2.pem create mode 100644 testlint/testCerts/mpModulus1024.pem create mode 100644 testlint/testCerts/mpModulus2048.pem create mode 100644 testlint/testCerts/mpModulus4095.pem create mode 100644 testlint/testCerts/mpSubCAEKUAllowed.pem create mode 100644 testlint/testCerts/mpSubCAEKUDisallowed1.pem create mode 100644 testlint/testCerts/mpSubCAEKUDisallowed2.pem create mode 100644 testlint/testCerts/mpSubCAEKUDisallowed3.pem diff --git a/lints/base.go b/lints/base.go index a7d453c99..ca1ac622a 100644 --- a/lints/base.go +++ b/lints/base.go @@ -57,6 +57,7 @@ const ( EtsiEsi // ETSI - Electronic Signatures and Infrastructures (ESI) CABFEVGuidelines AppleCTPolicy // https://support.apple.com/en-us/HT205280 + MozillaRootStorePolicy ) // A Lint struct represents a single lint, e.g. diff --git a/lints/lint_mp_allowed_eku.go b/lints/lint_mp_allowed_eku.go new file mode 100644 index 000000000..5f98dceb5 --- /dev/null +++ b/lints/lint_mp_allowed_eku.go @@ -0,0 +1,74 @@ +/* + * ZLint Copyright 2019 Regents of the University of Michigan + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may not + * use this file except in compliance with the License. You may obtain a copy + * of the License at http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + * implied. See the License for the specific language governing + * permissions and limitations under the License. + */ + +/******************************************************************** +Section 5.3 - Intermediate Certificates +Intermediate certificates created after January 1, 2019, with the exception +of cross-certificates that share a private key with a corresponding root +certificate: MUST contain an EKU extension; and, MUST NOT include the +anyExtendedKeyUsage KeyPurposeId; and, * MUST NOT include both the +id-kp-serverAuth and id-kp-emailProtection KeyPurposeIds in the same +certificate. +Note that the lint cannot distinguish cross-certificates from other +intermediates. +********************************************************************/ + +package lints + +import ( + "time" + + "github.com/zmap/zcrypto/x509" + "github.com/zmap/zlint/util" +) + +func hasEKU(cert *x509.Certificate, eku x509.ExtKeyUsage) bool { + for _, currentEku := range cert.ExtKeyUsage { + if currentEku == eku { + return true + } + } + + return false +} + +type allowedEKU struct{} + +func (l *allowedEKU) Initialize() error { + return nil +} + +func (l *allowedEKU) CheckApplies(c *x509.Certificate) bool { + return util.IsSubCA(c) +} + +func (l *allowedEKU) Execute(c *x509.Certificate) *LintResult { + if len(c.ExtKeyUsage) == 0 || hasEKU(c, x509.ExtKeyUsageAny) || + (hasEKU(c, x509.ExtKeyUsageEmailProtection) && hasEKU(c, x509.ExtKeyUsageServerAuth)) { + return &LintResult{Status: Error} + } + + return &LintResult{Status: Pass} +} + +func init() { + RegisterLint(&Lint{ + Name: "e_mp_allowed_eku", + Description: "Separation of id-kp-serverAuth and id-kp-emailProtection KeyPurposeIds", + Citation: "Mozilla Root Store Policy / Section 5.3", + Source: MozillaRootStorePolicy, + EffectiveDate: time.Date(2019, time.January, 1, 0, 0, 0, 0, time.UTC), + Lint: &allowedEKU{}, + }) +} diff --git a/lints/lint_mp_allowed_eku_test.go b/lints/lint_mp_allowed_eku_test.go new file mode 100644 index 000000000..1e4b3b4e6 --- /dev/null +++ b/lints/lint_mp_allowed_eku_test.go @@ -0,0 +1,59 @@ +package lints + +/* + * ZLint Copyright 2018 Regents of the University of Michigan + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may not + * use this file except in compliance with the License. You may obtain a copy + * of the License at http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + * implied. See the License for the specific language governing + * permissions and limitations under the License. + */ + +import ( + "fmt" + "testing" +) + +func TestAllowedEKUs(t *testing.T) { + testCases := []struct { + Name string + InputFilename string + ExpectedResult LintStatus + }{ + { + Name: "SubCA with no EKU", + InputFilename: "mpSubCAEKUDisallowed1.pem", + ExpectedResult: Error, + }, + { + Name: "SubCA with anyExtendedKeyUsage", + InputFilename: "mpSubCAEKUDisallowed2.pem", + ExpectedResult: Error, + }, + { + Name: "SubCA with serverAuth and emailProtection", + InputFilename: "mpSubCAEKUDisallowed3.pem", + ExpectedResult: Error, + }, + { + Name: "SubCA with serverAuth EKU", + InputFilename: "mpSubCAEKUAllowed.pem", + ExpectedResult: Pass, + }, + } + + for _, tc := range testCases { + t.Run(tc.Name, func(t *testing.T) { + inputPath := fmt.Sprintf("%s%s", testCaseDir, tc.InputFilename) + result := Lints["e_mp_allowed_eku"].Execute(ReadCertificate(inputPath)) + if result.Status != tc.ExpectedResult { + t.Errorf("expected result %v was %v", tc.ExpectedResult, result.Status) + } + }) + } +} diff --git a/lints/lint_mp_allowed_rsa_keys.go b/lints/lint_mp_allowed_rsa_keys.go new file mode 100644 index 000000000..71f49bcae --- /dev/null +++ b/lints/lint_mp_allowed_rsa_keys.go @@ -0,0 +1,67 @@ +/* + * ZLint Copyright 2019 Regents of the University of Michigan + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may not + * use this file except in compliance with the License. You may obtain a copy + * of the License at http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + * implied. See the License for the specific language governing + * permissions and limitations under the License. + */ + +/******************************************************************** +Section 5.1 - Algorithms +RSA keys whose modulus size in bits is divisible by 8, and is at least 2048. +Section 5.2 - Forbidden and Required Practices +CAs MUST NOT issue certificates that have: +- invalid public keys (e.g., RSA certificates with public exponent equal to 1); +********************************************************************/ + +package lints + +import ( + "crypto/rsa" + + "github.com/zmap/zcrypto/x509" + "github.com/zmap/zlint/util" +) + +type allowedRSAKey struct{} + +func (l *allowedRSAKey) Initialize() error { + return nil +} + +func (l *allowedRSAKey) CheckApplies(c *x509.Certificate) bool { + switch c.SignatureAlgorithm { + case x509.SHA1WithRSA, x509.SHA256WithRSA, x509.SHA384WithRSA, x509.SHA512WithRSA, x509.SHA256WithRSAPSS, x509.SHA384WithRSAPSS, x509.SHA512WithRSAPSS: + return true + } + + return false +} + +func (l *allowedRSAKey) Execute(c *x509.Certificate) *LintResult { + pubKey := c.PublicKey.(*rsa.PublicKey) + bitLen := pubKey.N.BitLen() + + if (bitLen%8) != 0 || bitLen < 2048 || pubKey.E == 1 { + return &LintResult{Status: Error} + } + + return &LintResult{Status: Pass} +} + +func init() { + RegisterLint(&Lint{ + Name: "e_mp_allowed_rsa_keys", + Description: "RSA keys whose modulus size in bits is divisible by 8, is at least 2048 and public exponent is not equal to 1", + Citation: "Mozilla Root Store Policy / Section 5.3", + Source: MozillaRootStorePolicy, + EffectiveDate: util.MozillaPolicy24Date, + Lint: &allowedRSAKey{}, + }) +} diff --git a/lints/lint_mp_allowed_rsa_keys_test.go b/lints/lint_mp_allowed_rsa_keys_test.go new file mode 100644 index 000000000..9ede8b0e1 --- /dev/null +++ b/lints/lint_mp_allowed_rsa_keys_test.go @@ -0,0 +1,54 @@ +package lints + +/* + * ZLint Copyright 2018 Regents of the University of Michigan + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may not + * use this file except in compliance with the License. You may obtain a copy + * of the License at http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + * implied. See the License for the specific language governing + * permissions and limitations under the License. + */ + +import ( + "fmt" + "testing" +) + +func TestSerialEntropyBits(t *testing.T) { + testCases := []struct { + Name string + InputFilename string + ExpectedResult LintStatus + }{ + { + Name: "Certificate with less than 2048 bit rsa key modulus length", + InputFilename: "mpModulus1024.pem", + ExpectedResult: Error, + }, + { + Name: "Certificate with rsa key modulus length not divisible by 8", + InputFilename: "mpModulus4095.pem", + ExpectedResult: Error, + }, + { + Name: "Certificate with rsa key modulus length equal to 2048", + InputFilename: "mpModulus2048.pem", + ExpectedResult: Pass, + }, + } + + for _, tc := range testCases { + t.Run(tc.Name, func(t *testing.T) { + inputPath := fmt.Sprintf("%s%s", testCaseDir, tc.InputFilename) + result := Lints["e_mp_allowed_rsa_keys"].Execute(ReadCertificate(inputPath)) + if result.Status != tc.ExpectedResult { + t.Errorf("expected result %v was %v", tc.ExpectedResult, result.Status) + } + }) + } +} diff --git a/lints/lint_mp_authority_key_identifier_correct.go b/lints/lint_mp_authority_key_identifier_correct.go new file mode 100644 index 000000000..3dc68782d --- /dev/null +++ b/lints/lint_mp_authority_key_identifier_correct.go @@ -0,0 +1,79 @@ +/* + * ZLint Copyright 2019 Regents of the University of Michigan + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may not + * use this file except in compliance with the License. You may obtain a copy + * of the License at http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + * implied. See the License for the specific language governing + * permissions and limitations under the License. + */ + +/******************************************************************** +Section 5.2 - Forbidden and Required Practices +CAs MUST NOT issue certificates that have: +- incorrect extensions (e.g., SSL certificates that exclude SSL usage, or authority key IDs + that include both the key ID and the issuer’s issuer name and serial number); or +********************************************************************/ + +package lints + +import ( + "encoding/asn1" + + "github.com/zmap/zcrypto/x509" + "github.com/zmap/zlint/util" +) + +type keyIdentifier struct { + KeyIdentifier asn1.RawValue `asn1:"optional,tag:0"` + AuthorityCertIssuer asn1.RawValue `asn1:"optional,tag:1"` + AuthorityCertSerialNumber asn1.RawValue `asn1:"optional,tag:2"` +} + +type authorityKeyIdentifierCorrect struct{} + +func (l *authorityKeyIdentifierCorrect) Initialize() error { + return nil +} + +func (l *authorityKeyIdentifierCorrect) CheckApplies(c *x509.Certificate) bool { + if !util.IsExtInCert(c, util.AuthkeyOID) { + return false + } + return true +} + +func (l *authorityKeyIdentifierCorrect) Execute(c *x509.Certificate) *LintResult { + var keyID keyIdentifier + + ext := util.GetExtFromCert(c, util.AuthkeyOID) + + if ext == nil { + return &LintResult{Status: Fatal} + } + if _, err := asn1.Unmarshal(ext.Value, &keyID); err != nil { + return &LintResult{Status: Fatal} + } + + hasKeyID := len(keyID.KeyIdentifier.Bytes) > 0 + hasCertIssuer := len(keyID.AuthorityCertIssuer.Bytes) > 0 + if hasKeyID && hasCertIssuer { + return &LintResult{Status: Error} + } + return &LintResult{Status: Pass} +} + +func init() { + RegisterLint(&Lint{ + Name: "e_mp_authority_key_identifier_correct", + Description: "CAs MUST NOT issue certificates that have authority key IDs that include both the key ID and the issuer's issuer name and serial number", + Citation: "Mozilla Root Store Policy / Section 5.2", + Source: MozillaRootStorePolicy, + EffectiveDate: util.MozillaPolicy22Date, + Lint: &authorityKeyIdentifierCorrect{}, + }) +} diff --git a/lints/lint_mp_authority_key_identifier_correct_test.go b/lints/lint_mp_authority_key_identifier_correct_test.go new file mode 100644 index 000000000..e93a3a57c --- /dev/null +++ b/lints/lint_mp_authority_key_identifier_correct_test.go @@ -0,0 +1,49 @@ +package lints + +/* + * ZLint Copyright 2018 Regents of the University of Michigan + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may not + * use this file except in compliance with the License. You may obtain a copy + * of the License at http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + * implied. See the License for the specific language governing + * permissions and limitations under the License. + */ + +import ( + "fmt" + "testing" +) + +func TestAuthorityKeyIdentifier(t *testing.T) { + testCases := []struct { + Name string + InputFilename string + ExpectedResult LintStatus + }{ + { + Name: "Authority key ID includes both the key ID and the issuer's name and serial", + InputFilename: "mpAuthorityKeyIdentifierIncorrect.pem", + ExpectedResult: Error, + }, + { + Name: "Authority key ID includes the key ID", + InputFilename: "mpAuthorityKeyIdentifierCorrect.pem", + ExpectedResult: Pass, + }, + } + + for _, tc := range testCases { + t.Run(tc.Name, func(t *testing.T) { + inputPath := fmt.Sprintf("%s%s", testCaseDir, tc.InputFilename) + result := Lints["e_mp_authority_key_identifier_correct"].Execute(ReadCertificate(inputPath)) + if result.Status != tc.ExpectedResult { + t.Errorf("expected result %v was %v", tc.ExpectedResult, result.Status) + } + }) + } +} diff --git a/lints/lint_mp_ecdsa_allowed_algorithm.go b/lints/lint_mp_ecdsa_allowed_algorithm.go new file mode 100644 index 000000000..104692de1 --- /dev/null +++ b/lints/lint_mp_ecdsa_allowed_algorithm.go @@ -0,0 +1,112 @@ +/* + * ZLint Copyright 2019 Regents of the University of Michigan + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may not + * use this file except in compliance with the License. You may obtain a copy + * of the License at http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + * implied. See the License for the specific language governing + * permissions and limitations under the License. + */ + +/******************************************************************** +Section 5.1 - Algorithms +ECDSA keys using one of the following curve-hash pairs: P‐256 with SHA-256, P‐384 with SHA-384 +********************************************************************/ + +package lints + +import ( + "encoding/asn1" + "errors" + "math/big" + + "github.com/zmap/zcrypto/x509" + "github.com/zmap/zlint/util" +) + +type ecdsaSignature struct { + R, S *big.Int +} + +func getSigningKeySize(cert *x509.Certificate) (int, error) { + sig := new(ecdsaSignature) + if _, err := asn1.Unmarshal(cert.Signature, sig); err != nil { + return -1, err + } + + rsize := sig.R.BitLen() + ssize := sig.S.BitLen() + + switch { + case rsize <= 112 && ssize <= 112: + return 112, nil + case rsize <= 128 && ssize <= 128: + return 128, nil + case rsize <= 160 && ssize <= 160: + return 160, nil + case rsize <= 192 && ssize <= 192: + return 192, nil + case rsize <= 224 && ssize <= 224: + return 224, nil + case rsize <= 239 && ssize <= 239: + return 239, nil + case rsize <= 256 && ssize <= 256: + return 256, nil + case rsize <= 320 && ssize <= 320: + return 320, nil + case rsize <= 384 && ssize <= 384: + return 384, nil + case rsize <= 512 && ssize <= 512: + return 512, nil + case rsize <= 521 && ssize <= 521: + return 521, nil + } + + return -1, errors.New("cannot identify signing ECDSA key length") +} + +type ecdsaAllowedAlgorithm struct{} + +func (l *ecdsaAllowedAlgorithm) Initialize() error { + return nil +} + +func (l *ecdsaAllowedAlgorithm) CheckApplies(c *x509.Certificate) bool { + switch c.SignatureAlgorithm { + case x509.ECDSAWithSHA1, x509.ECDSAWithSHA256, x509.ECDSAWithSHA384, x509.ECDSAWithSHA512: + return true + } + + return false +} + +func (l *ecdsaAllowedAlgorithm) Execute(c *x509.Certificate) *LintResult { + signKeySize, err := getSigningKeySize(c) + if err != nil { + return &LintResult{Status: Fatal} + } + + switch { + case c.SignatureAlgorithm == x509.ECDSAWithSHA256 && signKeySize == 256: + return &LintResult{Status: Pass} + case c.SignatureAlgorithm == x509.ECDSAWithSHA384 && signKeySize == 384: + return &LintResult{Status: Pass} + } + + return &LintResult{Status: Error} +} + +func init() { + RegisterLint(&Lint{ + Name: "e_mp_ecdsa_allowed_algorithm", + Description: "ECDSA keys using one of the following curve-hash pairs: P‐256 with SHA-256, P‐384 with SHA-384", + Citation: "Mozilla Root Store Policy / Section 5.1", + Source: MozillaRootStorePolicy, + EffectiveDate: util.MozillaPolicy24Date, + Lint: &ecdsaAllowedAlgorithm{}, + }) +} diff --git a/lints/lint_mp_ecdsa_allowed_algorithm_test.go b/lints/lint_mp_ecdsa_allowed_algorithm_test.go new file mode 100644 index 000000000..b7232b0ce --- /dev/null +++ b/lints/lint_mp_ecdsa_allowed_algorithm_test.go @@ -0,0 +1,54 @@ +package lints + +/* + * ZLint Copyright 2018 Regents of the University of Michigan + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may not + * use this file except in compliance with the License. You may obtain a copy + * of the License at http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + * implied. See the License for the specific language governing + * permissions and limitations under the License. + */ + +import ( + "fmt" + "testing" +) + +func TestECDSAAlgorithms(t *testing.T) { + testCases := []struct { + Name string + InputFilename string + ExpectedResult LintStatus + }{ + { + Name: "Secp384r1 CA with ECDSAwithSHA256", + InputFilename: "mpECDSAAlgorithmsDisallowed1.pem", + ExpectedResult: Error, + }, + { + Name: "Secp256r1 CA with ECDSAwithSHA384", + InputFilename: "mpECDSAAlgorithmsDisallowed2.pem", + ExpectedResult: Error, + }, + { + Name: "Secp256r1 CA with ECDSAwithSHA256", + InputFilename: "mpECDSAAlgorithmsAllowed.pem", + ExpectedResult: Pass, + }, + } + + for _, tc := range testCases { + t.Run(tc.Name, func(t *testing.T) { + inputPath := fmt.Sprintf("%s%s", testCaseDir, tc.InputFilename) + result := Lints["e_mp_ecdsa_allowed_algorithm"].Execute(ReadCertificate(inputPath)) + if result.Status != tc.ExpectedResult { + t.Errorf("expected result %v was %v", tc.ExpectedResult, result.Status) + } + }) + } +} diff --git a/testlint/testCerts/mpAuthorityKeyIdentifierCorrect.pem b/testlint/testCerts/mpAuthorityKeyIdentifierCorrect.pem new file mode 100644 index 000000000..0d02a38ae --- /dev/null +++ b/testlint/testCerts/mpAuthorityKeyIdentifierCorrect.pem @@ -0,0 +1,159 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 0a:06:30:42:7f:5b:bc:ed:69:57:39:65:93:b6:45:1f + Signature Algorithm: sha256WithRSAEncryption + Issuer: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 Extended Validation Server CA + Validity + Not Before: May 8 00:00:00 2018 GMT + Not After : Jun 3 12:00:00 2020 GMT + Subject: businessCategory = Private Organization, jurisdictionC = US, jurisdictionST = Delaware, serialNumber = 5157550, C = US, ST = California, L = San Francisco, O = "GitHub, Inc.", CN = github.com + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:c6:3c:aa:f2:3c:97:0c:3a:c1:4f:28:ad:72:70: + 7d:d3:ce:b9:b5:60:73:a4:74:9b:8a:77:46:fd:7a: + 98:42:4c:c5:30:19:57:9a:a9:33:0b:e1:5d:4d:10: + 58:ca:77:99:c3:93:f3:f9:75:90:bc:bf:bb:e0:95: + ba:2e:c5:8d:73:61:05:d3:10:84:a8:b3:89:b8:2f: + 73:8c:f0:2a:6e:be:ee:ae:83:4b:82:11:b1:61:fd: + 77:61:da:9b:1b:9a:23:ff:8c:7e:a2:01:06:dd:d1: + 7f:53:96:08:c1:5a:fa:e7:c0:ca:c8:44:8c:57:a7: + a8:61:5f:66:0d:57:d3:b8:96:ac:b6:4a:9c:c1:ea: + e8:fb:96:40:29:f6:15:30:b5:04:b0:cc:05:b6:84: + c3:24:59:95:7f:a2:65:90:e5:b0:b3:1a:75:59:c4: + 3f:31:14:0a:d5:cc:aa:3a:85:05:52:06:32:96:07: + 61:df:27:82:0c:f7:85:db:60:31:f0:09:50:c5:b7: + 1a:23:e1:b0:7d:02:f5:14:1e:c9:cb:e8:7e:2a:33: + 04:f6:51:3f:52:98:15:e9:0b:76:47:5c:4d:4a:6b: + c5:08:15:ae:f8:d1:57:e9:ea:70:14:ff:c9:45:b9: + 0c:7c:bc:f4:6d:e6:05:52:f9:8c:80:bb:70:56:91: + 0f:4b + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Authority Key Identifier: + keyid:3D:D3:50:A5:D6:A0:AD:EE:F3:4A:60:0A:65:D3:21:D4:F8:F8:D6:0F + + X509v3 Subject Key Identifier: + C9:C2:53:61:66:9D:5F:AB:25:F4:26:CD:0F:38:9A:A8:49:EA:48:A9 + X509v3 Subject Alternative Name: + DNS:github.com, DNS:www.github.com + X509v3 Key Usage: critical + Digital Signature, Key Encipherment + X509v3 Extended Key Usage: + TLS Web Server Authentication, TLS Web Client Authentication + X509v3 CRL Distribution Points: + + Full Name: + URI:http://crl3.digicert.com/sha2-ev-server-g2.crl + + Full Name: + URI:http://crl4.digicert.com/sha2-ev-server-g2.crl + + X509v3 Certificate Policies: + Policy: 2.16.840.1.114412.2.1 + CPS: https://www.digicert.com/CPS + Policy: 2.23.140.1.1 + + Authority Information Access: + OCSP - URI:http://ocsp.digicert.com + CA Issuers - URI:http://cacerts.digicert.com/DigiCertSHA2ExtendedValidationServerCA.crt + + X509v3 Basic Constraints: critical + CA:FALSE + CT Precertificate SCTs: + Signed Certificate Timestamp: + Version : v1 (0x0) + Log ID : A4:B9:09:90:B4:18:58:14:87:BB:13:A2:CC:67:70:0A: + 3C:35:98:04:F9:1B:DF:B8:E3:77:CD:0E:C8:0D:DC:10 + Timestamp : May 8 20:12:39.562 2018 GMT + Extensions: none + Signature : ecdsa-with-SHA256 + 30:45:02:21:00:D1:66:9D:FC:71:35:AC:58:7D:86:74: + 1A:5E:FE:E3:D3:5A:7B:2E:FE:6E:01:10:2D:BE:74:87: + 2F:4B:29:19:62:02:20:08:FE:60:1A:FE:B2:CD:A6:B3: + C4:12:B6:37:01:9D:9A:6C:AE:10:53:52:83:6A:40:45: + B3:09:95:41:60:53:95 + Signed Certificate Timestamp: + Version : v1 (0x0) + Log ID : 56:14:06:9A:2F:D7:C2:EC:D3:F5:E1:BD:44:B2:3E:C7: + 46:76:B9:BC:99:11:5C:C0:EF:94:98:55:D6:89:D0:DD + Timestamp : May 8 20:12:39.597 2018 GMT + Extensions: none + Signature : ecdsa-with-SHA256 + 30:45:02:21:00:A2:EE:89:94:BD:82:E6:D1:BD:8B:A1: + BB:44:79:10:18:9E:52:28:EE:7E:89:C5:B6:1D:AE:D6: + 1D:98:F5:16:25:02:20:56:0C:35:01:9E:75:BC:AF:44: + 36:29:C1:83:6D:85:3F:16:FC:D9:3B:CD:0C:ED:39:4F: + 5E:E1:C5:74:42:D8:86 + Signed Certificate Timestamp: + Version : v1 (0x0) + Log ID : BB:D9:DF:BC:1F:8A:71:B5:93:94:23:97:AA:92:7B:47: + 38:57:95:0A:AB:52:E8:1A:90:96:64:36:8E:1E:D1:85 + Timestamp : May 8 20:12:39.775 2018 GMT + Extensions: none + Signature : ecdsa-with-SHA256 + 30:45:02:21:00:A1:CD:D4:CA:51:4D:8D:F9:77:2A:70: + AD:0E:25:8A:CD:F0:46:32:9E:5A:15:C6:1A:38:C8:F9: + 3A:0E:AD:C4:3E:02:20:74:D1:F9:BB:CA:C2:DD:47:2C: + 95:05:78:07:DA:34:6B:4C:36:D3:8A:26:0D:11:06:29: + 35:6E:12:9C:46:78:E4 + Signature Algorithm: sha256WithRSAEncryption + 70:0f:5a:96:a7:58:e5:bf:8a:9d:a8:27:98:2b:00:7f:26:a9: + 07:da:ba:7b:82:54:4f:af:69:cf:bc:f2:59:03:2b:f2:d5:74: + 58:25:d8:1e:a4:20:76:62:60:29:73:2a:d7:dc:cc:6f:77:85: + 6b:ca:6d:24:f8:35:13:47:3f:d2:e2:69:0a:9d:34:2d:7b:7b: + 9b:cd:1e:75:d5:50:6c:3e:cb:1c:a3:30:b1:aa:92:07:a9:3a: + 76:76:45:bd:78:91:c4:ce:1a:9e:22:e4:0b:89:ba:e6:8c:c1: + 79:82:a3:b8:d4:c0:fc:1f:2d:ed:4d:52:55:41:2a:a8:3a:2c: + ad:07:72:ae:0a:d2:c6:67:c4:4f:07:17:18:99:f7:65:a9:57: + 60:15:5a:34:4c:11:cf:f6:cf:6b:21:36:80:ef:c6:f1:54:63: + 26:35:39:ee:bb:c4:83:64:9b:24:0a:73:ec:a0:48:16:73:c8: + b9:d7:48:55:56:98:7a:f7:bb:97:5c:69:a4:06:18:04:78:da: + fe:98:76:be:22:2f:7f:07:77:87:4e:88:19:9a:f8:55:ec:5c: + 12:2a:59:48:db:49:3e:15:5e:67:5a:a2:5e:ee:cc:53:28:8c: + 0e:33:93:14:03:64:0b:c5:e5:78:09:94:01:5a:75:fc:92:9d: + af:ed:7a:29 +-----BEGIN CERTIFICATE----- +MIIHQjCCBiqgAwIBAgIQCgYwQn9bvO1pVzllk7ZFHzANBgkqhkiG9w0BAQsFADB1 +MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3 +d3cuZGlnaWNlcnQuY29tMTQwMgYDVQQDEytEaWdpQ2VydCBTSEEyIEV4dGVuZGVk +IFZhbGlkYXRpb24gU2VydmVyIENBMB4XDTE4MDUwODAwMDAwMFoXDTIwMDYwMzEy +MDAwMFowgccxHTAbBgNVBA8MFFByaXZhdGUgT3JnYW5pemF0aW9uMRMwEQYLKwYB +BAGCNzwCAQMTAlVTMRkwFwYLKwYBBAGCNzwCAQITCERlbGF3YXJlMRAwDgYDVQQF +Ewc1MTU3NTUwMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQG +A1UEBxMNU2FuIEZyYW5jaXNjbzEVMBMGA1UEChMMR2l0SHViLCBJbmMuMRMwEQYD +VQQDEwpnaXRodWIuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA +xjyq8jyXDDrBTyitcnB90865tWBzpHSbindG/XqYQkzFMBlXmqkzC+FdTRBYyneZ +w5Pz+XWQvL+74JW6LsWNc2EF0xCEqLOJuC9zjPAqbr7uroNLghGxYf13YdqbG5oj +/4x+ogEG3dF/U5YIwVr658DKyESMV6eoYV9mDVfTuJastkqcwero+5ZAKfYVMLUE +sMwFtoTDJFmVf6JlkOWwsxp1WcQ/MRQK1cyqOoUFUgYylgdh3yeCDPeF22Ax8AlQ +xbcaI+GwfQL1FB7Jy+h+KjME9lE/UpgV6Qt2R1xNSmvFCBWu+NFX6epwFP/JRbkM +fLz0beYFUvmMgLtwVpEPSwIDAQABo4IDeTCCA3UwHwYDVR0jBBgwFoAUPdNQpdag +re7zSmAKZdMh1Pj41g8wHQYDVR0OBBYEFMnCU2FmnV+rJfQmzQ84mqhJ6kipMCUG +A1UdEQQeMByCCmdpdGh1Yi5jb22CDnd3dy5naXRodWIuY29tMA4GA1UdDwEB/wQE +AwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwdQYDVR0fBG4wbDA0 +oDKgMIYuaHR0cDovL2NybDMuZGlnaWNlcnQuY29tL3NoYTItZXYtc2VydmVyLWcy +LmNybDA0oDKgMIYuaHR0cDovL2NybDQuZGlnaWNlcnQuY29tL3NoYTItZXYtc2Vy +dmVyLWcyLmNybDBLBgNVHSAERDBCMDcGCWCGSAGG/WwCATAqMCgGCCsGAQUFBwIB +FhxodHRwczovL3d3dy5kaWdpY2VydC5jb20vQ1BTMAcGBWeBDAEBMIGIBggrBgEF +BQcBAQR8MHowJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmRpZ2ljZXJ0LmNvbTBS +BggrBgEFBQcwAoZGaHR0cDovL2NhY2VydHMuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0 +U0hBMkV4dGVuZGVkVmFsaWRhdGlvblNlcnZlckNBLmNydDAMBgNVHRMBAf8EAjAA +MIIBfgYKKwYBBAHWeQIEAgSCAW4EggFqAWgAdgCkuQmQtBhYFIe7E6LMZ3AKPDWY +BPkb37jjd80OyA3cEAAAAWNBYm0KAAAEAwBHMEUCIQDRZp38cTWsWH2GdBpe/uPT +Wnsu/m4BEC2+dIcvSykZYgIgCP5gGv6yzaazxBK2NwGdmmyuEFNSg2pARbMJlUFg +U5UAdgBWFAaaL9fC7NP14b1Esj7HRna5vJkRXMDvlJhV1onQ3QAAAWNBYm0tAAAE +AwBHMEUCIQCi7omUvYLm0b2LobtEeRAYnlIo7n6JxbYdrtYdmPUWJQIgVgw1AZ51 +vK9ENinBg22FPxb82TvNDO05T17hxXRC2IYAdgC72d+8H4pxtZOUI5eqkntHOFeV +CqtS6BqQlmQ2jh7RhQAAAWNBYm3fAAAEAwBHMEUCIQChzdTKUU2N+XcqcK0OJYrN +8EYynloVxho4yPk6Dq3EPgIgdNH5u8rC3UcslQV4B9o0a0w204omDREGKTVuEpxG +eOQwDQYJKoZIhvcNAQELBQADggEBAHAPWpanWOW/ip2oJ5grAH8mqQfaunuCVE+v +ac+88lkDK/LVdFgl2B6kIHZiYClzKtfczG93hWvKbST4NRNHP9LiaQqdNC17e5vN +HnXVUGw+yxyjMLGqkgepOnZ2Rb14kcTOGp4i5AuJuuaMwXmCo7jUwPwfLe1NUlVB +Kqg6LK0Hcq4K0sZnxE8HFxiZ92WpV2AVWjRMEc/2z2shNoDvxvFUYyY1Oe67xINk +myQKc+ygSBZzyLnXSFVWmHr3u5dcaaQGGAR42v6Ydr4iL38Hd4dOiBma+FXsXBIq +WUjbST4VXmdaol7uzFMojA4zkxQDZAvF5XgJlAFadfySna/teik= +-----END CERTIFICATE----- diff --git a/testlint/testCerts/mpAuthorityKeyIdentifierIncorrect.pem b/testlint/testCerts/mpAuthorityKeyIdentifierIncorrect.pem new file mode 100644 index 000000000..48d4b4bf7 --- /dev/null +++ b/testlint/testCerts/mpAuthorityKeyIdentifierIncorrect.pem @@ -0,0 +1,120 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 2 (0x2) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C = US, ST = California, L = San Francisco, O = Bogus Inc., OU = Operations, CN = Zlint test certificates CA + Validity + Not Before: Sep 27 14:59:23 2019 GMT + Not After : Sep 26 14:59:23 2021 GMT + Subject: CN = www.example.com + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:bf:98:2c:c1:0d:d8:7d:71:cc:d9:7f:d6:5b:c1: + 9a:ef:9f:9a:6b:3e:7f:a8:c3:08:57:cb:4b:9b:20: + c3:6a:64:0c:79:29:b2:90:63:5c:e0:55:d6:09:e8: + 9e:14:40:e2:e3:c4:4c:9b:ff:65:57:c5:13:7b:49: + 36:52:5e:00:a7:99:b5:de:43:3d:6e:69:df:6f:27: + 68:83:df:0d:9c:e1:60:2f:17:12:81:72:a6:27:45: + 11:84:9a:8b:2a:bb:3f:9e:9a:79:83:20:e1:3a:2a: + 5b:21:7e:ab:14:5d:15:6a:3a:d6:e2:80:e4:97:04: + f4:36:62:59:a6:7b:d6:1a:ee:75:be:5a:a2:1f:0c: + 6e:c8:d6:2c:ba:0f:fc:1a:f6:df:d4:e0:6d:7f:a1: + 6c:9c:20:38:db:8e:df:76:f7:fb:8c:85:7a:f8:29: + 15:b3:75:84:32:59:dd:c8:2e:e7:ef:35:c3:13:bf: + de:2c:9a:d4:2d:b2:60:c0:88:23:5e:e9:b3:5d:cc: + 7b:0e:cc:a6:4e:75:e0:1c:ed:07:bc:2f:ab:9d:bb: + 5c:10:51:b3:48:b4:27:4b:84:f2:43:72:e7:c6:a8: + a7:26:bc:87:ab:d0:70:4f:2a:b0:30:c5:d7:ea:bc: + 76:24:09:ac:18:d9:6f:a0:59:35:8c:36:11:f7:1f: + d9:53 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Key Usage: critical + Digital Signature, Key Encipherment + X509v3 Basic Constraints: + CA:FALSE + X509v3 Extended Key Usage: + TLS Web Server Authentication, TLS Web Client Authentication + X509v3 Subject Key Identifier: + BE:2A:17:7B:23:22:8F:79:26:DC:E9:D4:1B:E2:00:D3:11:75:EB:F6 + X509v3 Subject Alternative Name: + DNS:www.example.com + X509v3 Authority Key Identifier: + keyid:F6:6E:67:49:02:D7:15:70:11:9C:8C:06:86:74:E0:32:61:16:C7:0E + DirName:/C=US/ST=California/L=San Francisco/O=Bogus Inc./OU=Operations/CN=Zlint test certificates CA + serial:01 + + Authority Information Access: + CA Issuers - URI:http://example.com/ca/root.crt + + X509v3 CRL Distribution Points: + + Full Name: + URI:http://example.com/ca/root.crl + + Signature Algorithm: sha256WithRSAEncryption + 91:ee:0a:aa:82:7f:d6:d8:4b:f6:cf:eb:f9:9c:a8:b8:dd:3f: + 23:70:7d:57:d6:eb:36:95:51:2c:09:7f:3f:ee:86:e6:9e:8b: + e9:29:90:ea:6c:f9:73:41:9a:72:51:14:18:1e:7e:38:07:ec: + ab:07:e0:92:7e:fa:11:5c:83:0f:c5:d7:d3:aa:95:23:78:bb: + a3:ce:e8:41:7d:ec:06:08:42:53:bb:99:cd:cc:32:27:9b:85: + 26:d5:86:7e:ed:9c:63:5b:13:9b:4b:0c:46:43:c4:51:92:25: + df:87:ee:83:08:fa:63:ac:a2:36:d1:12:c9:aa:da:e6:0b:82: + 8f:5a:df:d0:e1:aa:69:51:2a:b4:d3:c8:41:4d:d5:77:ab:d8: + 2c:e9:68:b8:91:c9:5f:55:f7:d6:7a:30:38:75:8f:45:82:55: + 1e:51:bb:41:12:2d:58:a2:24:cc:d6:67:a2:f6:35:8c:5f:74: + c1:03:16:85:ad:78:95:2c:7f:11:dd:b4:86:ef:c6:a0:38:dd: + ad:da:f0:8e:d3:6c:6e:05:15:b3:2f:1f:af:e3:06:c8:75:89: + 10:04:38:a9:09:1e:2b:fd:9b:f1:0b:c7:bd:77:46:79:1d:d7: + 43:d2:b0:29:d3:e0:ab:a8:34:78:16:0c:4d:14:b2:45:05:7b: + f6:a4:c1:6f:13:20:e8:ae:cb:a4:15:f2:16:4e:b9:d5:d3:9a: + 99:f8:25:ea:03:6a:1a:c4:58:d3:df:07:0a:49:d9:9f:1b:c4: + 9c:0a:a2:56:1c:64:3d:fc:d0:7e:f4:f9:da:f5:24:61:88:28: + ef:ff:f7:bb:70:2c:73:91:05:42:e4:4e:9b:4c:22:a0:44:3b: + e8:88:e5:ff:29:f0:f1:d0:52:ab:40:f0:8e:dd:5b:1e:8a:1f: + 94:23:41:02:b4:fd:68:a2:28:94:e7:25:17:1d:6f:3a:c0:09: + 77:61:55:41:54:4b:cb:39:d0:9e:5e:f7:28:e0:c9:56:1f:9f: + 49:39:33:17:10:7c:7e:4f:39:f4:ff:43:52:98:e1:94:6e:43: + da:0c:f3:57:aa:b6:eb:df:0e:6f:3e:25:9c:b6:33:57:c9:e7: + f7:db:7c:59:8f:74:18:6f:3b:4c:90:d0:28:2e:c4:32:6c:8e: + dc:f4:29:9b:9c:ba:75:43:40:ec:53:73:8a:80:20:48:0e:e0: + e5:94:42:96:9e:49:e2:f7:f0:8e:6a:8c:b1:a6:2a:15:9e:ad: + 3e:bb:69:cb:44:20:19:7d:11:c8:39:3a:db:39:ec:50:81:62: + df:2b:ab:4f:2a:05:a8:d3:2d:af:2f:8c:2f:9e:60:cf:45:7e: + f2:cb:9a:40:de:8e:b0:f2 +-----BEGIN CERTIFICATE----- +MIIFwDCCA6igAwIBAgIBAjANBgkqhkiG9w0BAQsFADCBiTELMAkGA1UEBhMCVVMx +EzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xEzAR +BgNVBAoMCkJvZ3VzIEluYy4xEzARBgNVBAsMCk9wZXJhdGlvbnMxIzAhBgNVBAMM +GlpsaW50IHRlc3QgY2VydGlmaWNhdGVzIENBMB4XDTE5MDkyNzE0NTkyM1oXDTIx +MDkyNjE0NTkyM1owGjEYMBYGA1UEAwwPd3d3LmV4YW1wbGUuY29tMIIBIjANBgkq +hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAv5gswQ3YfXHM2X/WW8Ga75+aaz5/qMMI +V8tLmyDDamQMeSmykGNc4FXWCeieFEDi48RMm/9lV8UTe0k2Ul4Ap5m13kM9bmnf +bydog98NnOFgLxcSgXKmJ0URhJqLKrs/npp5gyDhOipbIX6rFF0VajrW4oDklwT0 +NmJZpnvWGu51vlqiHwxuyNYsug/8Gvbf1OBtf6FsnCA4247fdvf7jIV6+CkVs3WE +MlndyC7n7zXDE7/eLJrULbJgwIgjXumzXcx7DsymTnXgHO0HvC+rnbtcEFGzSLQn +S4TyQ3LnxqinJryHq9BwTyqwMMXX6rx2JAmsGNlvoFk1jDYR9x/ZUwIDAQABo4IB +nzCCAZswDgYDVR0PAQH/BAQDAgWgMAkGA1UdEwQCMAAwHQYDVR0lBBYwFAYIKwYB +BQUHAwEGCCsGAQUFBwMCMB0GA1UdDgQWBBS+Khd7IyKPeSbc6dQb4gDTEXXr9jAa +BgNVHREEEzARgg93d3cuZXhhbXBsZS5jb20wgbYGA1UdIwSBrjCBq4AU9m5nSQLX +FXARnIwGhnTgMmEWxw6hgY+kgYwwgYkxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApD +YWxpZm9ybmlhMRYwFAYDVQQHDA1TYW4gRnJhbmNpc2NvMRMwEQYDVQQKDApCb2d1 +cyBJbmMuMRMwEQYDVQQLDApPcGVyYXRpb25zMSMwIQYDVQQDDBpabGludCB0ZXN0 +IGNlcnRpZmljYXRlcyBDQYIBATA6BggrBgEFBQcBAQQuMCwwKgYIKwYBBQUHMAKG +Hmh0dHA6Ly9leGFtcGxlLmNvbS9jYS9yb290LmNydDAvBgNVHR8EKDAmMCSgIqAg +hh5odHRwOi8vZXhhbXBsZS5jb20vY2Evcm9vdC5jcmwwDQYJKoZIhvcNAQELBQAD +ggIBAJHuCqqCf9bYS/bP6/mcqLjdPyNwfVfW6zaVUSwJfz/uhuaei+kpkOps+XNB +mnJRFBgefjgH7KsH4JJ++hFcgw/F19OqlSN4u6PO6EF97AYIQlO7mc3MMiebhSbV +hn7tnGNbE5tLDEZDxFGSJd+H7oMI+mOsojbREsmq2uYLgo9a39DhqmlRKrTTyEFN +1Xer2CzpaLiRyV9V99Z6MDh1j0WCVR5Ru0ESLViiJMzWZ6L2NYxfdMEDFoWteJUs +fxHdtIbvxqA43a3a8I7TbG4FFbMvH6/jBsh1iRAEOKkJHiv9m/ELx713Rnkd10PS +sCnT4KuoNHgWDE0UskUFe/akwW8TIOiuy6QV8hZOudXTmpn4JeoDahrEWNPfBwpJ +2Z8bxJwKolYcZD380H70+dr1JGGIKO//97twLHORBULkTptMIqBEO+iI5f8p8PHQ +UqtA8I7dWx6KH5QjQQK0/WiiKJTnJRcdbzrACXdhVUFUS8s50J5e9yjgyVYfn0k5 +MxcQfH5POfT/Q1KY4ZRuQ9oM81eqtuvfDm8+JZy2M1fJ5/fbfFmPdBhvO0yQ0Cgu +xDJsjtz0KZucunVDQOxTc4qAIEgO4OWUQpaeSeL38I5qjLGmKhWerT67actEIBl9 +Ecg5Ots57FCBYt8rq08qBajTLa8vjC+eYM9FfvLLmkDejrDy +-----END CERTIFICATE----- diff --git a/testlint/testCerts/mpECDSAAlgorithmsAllowed.pem b/testlint/testCerts/mpECDSAAlgorithmsAllowed.pem new file mode 100644 index 000000000..abddefb6d --- /dev/null +++ b/testlint/testCerts/mpECDSAAlgorithmsAllowed.pem @@ -0,0 +1,72 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 11 (0xb) + Signature Algorithm: ecdsa-with-SHA256 + Issuer: C = US, ST = California, L = San Francisco, O = Bogus Inc., OU = Operations, CN = Zlint test certificates ECDSA CA + Validity + Not Before: Sep 30 13:03:28 2019 GMT + Not After : Sep 29 13:03:28 2021 GMT + Subject: C = US, ST = California, L = San Francisco, O = Bogus Inc., OU = Operations, CN = ecdsa3.example.com + Subject Public Key Info: + Public Key Algorithm: id-ecPublicKey + Public-Key: (521 bit) + pub: + 04:01:54:86:b9:42:ee:8d:24:9c:3b:d0:c2:f0:83: + 58:47:25:b6:f7:83:7b:33:a9:a0:7b:66:35:f7:63: + 00:c4:18:52:dc:a3:d2:16:48:c0:0d:bb:a7:a8:cd: + 5c:9e:61:a8:e1:eb:51:67:7f:52:e3:cd:bf:c6:fa: + 61:27:e4:7a:64:94:7f:01:d6:a1:a1:e2:e5:5f:36: + 76:d5:61:f5:3e:eb:bb:4e:84:89:c4:b4:b1:61:bb: + fd:21:11:f9:4d:19:7f:84:bc:f0:2d:1e:ca:54:6a: + 4a:a8:0e:71:56:23:38:68:c6:59:23:2d:72:1c:d2: + e0:a2:a1:eb:61:41:86:a0:77:91:b7:3c:94 + ASN1 OID: secp521r1 + NIST CURVE: P-521 + X509v3 extensions: + X509v3 Key Usage: critical + Digital Signature, Key Encipherment + X509v3 Basic Constraints: + CA:FALSE + X509v3 Extended Key Usage: + TLS Web Server Authentication, TLS Web Client Authentication + X509v3 Subject Key Identifier: + 3A:85:48:EB:A7:A0:FB:A9:47:A5:8A:35:FF:FE:F4:25:38:92:16:01 + X509v3 Subject Alternative Name: + DNS:ecdsa3.example.com + X509v3 Authority Key Identifier: + keyid:52:B1:37:DB:0D:A5:20:37:C7:C6:61:66:1E:D5:68:1C:A1:A4:D7:4F + + Authority Information Access: + CA Issuers - URI:http://example.com/ca/rootecdsa.crt + + X509v3 CRL Distribution Points: + + Full Name: + URI:http://example.com/ca/rootecdsa.crl + + Signature Algorithm: ecdsa-with-SHA256 + 30:46:02:21:00:db:0b:41:72:a5:d5:d4:3d:e5:48:19:82:5d: + 0e:45:5b:cf:32:df:6c:6d:20:74:a5:77:a8:ce:b6:1c:2d:b0: + 6f:02:21:00:f3:ed:ef:6c:5e:78:a0:a7:f1:f7:af:37:ee:f8: + 95:2c:ef:b1:55:46:61:b3:60:de:c0:c1:2d:e7:31:16:66:86 +-----BEGIN CERTIFICATE----- +MIIDWzCCAwCgAwIBAgIBCzAKBggqhkjOPQQDAjCBjzELMAkGA1UEBhMCVVMxEzAR +BgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xEzARBgNV +BAoMCkJvZ3VzIEluYy4xEzARBgNVBAsMCk9wZXJhdGlvbnMxKTAnBgNVBAMMIFps +aW50IHRlc3QgY2VydGlmaWNhdGVzIEVDRFNBIENBMB4XDTE5MDkzMDEzMDMyOFoX +DTIxMDkyOTEzMDMyOFowgYExCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9y +bmlhMRYwFAYDVQQHDA1TYW4gRnJhbmNpc2NvMRMwEQYDVQQKDApCb2d1cyBJbmMu +MRMwEQYDVQQLDApPcGVyYXRpb25zMRswGQYDVQQDDBJlY2RzYTMuZXhhbXBsZS5j +b20wgZswEAYHKoZIzj0CAQYFK4EEACMDgYYABAFUhrlC7o0knDvQwvCDWEcltveD +ezOpoHtmNfdjAMQYUtyj0hZIwA27p6jNXJ5hqOHrUWd/UuPNv8b6YSfkemSUfwHW +oaHi5V82dtVh9T7ru06EicS0sWG7/SER+U0Zf4S88C0eylRqSqgOcVYjOGjGWSMt +chzS4KKh62FBhqB3kbc8lKOCARQwggEQMA4GA1UdDwEB/wQEAwIFoDAJBgNVHRME +AjAAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAdBgNVHQ4EFgQUOoVI +66eg+6lHpYo1//70JTiSFgEwHQYDVR0RBBYwFIISZWNkc2EzLmV4YW1wbGUuY29t +MB8GA1UdIwQYMBaAFFKxN9sNpSA3x8ZhZh7VaByhpNdPMD8GCCsGAQUFBwEBBDMw +MTAvBggrBgEFBQcwAoYjaHR0cDovL2V4YW1wbGUuY29tL2NhL3Jvb3RlY2RzYS5j +cnQwNAYDVR0fBC0wKzApoCegJYYjaHR0cDovL2V4YW1wbGUuY29tL2NhL3Jvb3Rl +Y2RzYS5jcmwwCgYIKoZIzj0EAwIDSQAwRgIhANsLQXKl1dQ95UgZgl0ORVvPMt9s +bSB0pXeozrYcLbBvAiEA8+3vbF54oKfx96837viVLO+xVUZhs2DewMEt5zEWZoY= +-----END CERTIFICATE----- diff --git a/testlint/testCerts/mpECDSAAlgorithmsDisallowed1.pem b/testlint/testCerts/mpECDSAAlgorithmsDisallowed1.pem new file mode 100644 index 000000000..adb22485a --- /dev/null +++ b/testlint/testCerts/mpECDSAAlgorithmsDisallowed1.pem @@ -0,0 +1,70 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 5 (0x5) + Signature Algorithm: ecdsa-with-SHA256 + Issuer: C = US, ST = California, L = San Francisco, O = Bogus Inc., OU = Operations, CN = Zlint test certificates ECDSA CA + Validity + Not Before: Sep 30 12:41:45 2019 GMT + Not After : Sep 29 12:41:45 2021 GMT + Subject: C = US, ST = California, L = San Francisco, O = Bogus Inc., OU = Operations, CN = ecdsa1.example.com + Subject Public Key Info: + Public Key Algorithm: id-ecPublicKey + Public-Key: (256 bit) + pub: + 04:8e:de:b7:3e:89:5f:fc:4a:76:56:50:ec:cf:f1: + 7c:fa:46:b6:7f:66:53:17:7c:e7:44:89:c3:d0:26: + 97:64:37:87:15:d8:63:10:b9:de:71:55:b3:f1:68: + 46:77:6d:03:cd:a1:75:c4:2a:53:d1:a2:83:d9:5d: + 19:b3:6d:6c:ee + ASN1 OID: prime256v1 + NIST CURVE: P-256 + X509v3 extensions: + X509v3 Key Usage: critical + Digital Signature, Key Encipherment + X509v3 Basic Constraints: + CA:FALSE + X509v3 Extended Key Usage: + TLS Web Server Authentication, TLS Web Client Authentication + X509v3 Subject Key Identifier: + CD:A5:40:5A:2C:3D:B3:73:4E:78:C3:56:B7:CE:7A:AE:40:B4:2E:82 + X509v3 Subject Alternative Name: + DNS:ecdsa1.example.com + X509v3 Authority Key Identifier: + keyid:2B:F2:7B:12:FE:66:45:34:39:87:30:5D:90:BA:BA:C4:D7:68:02:AC + + Authority Information Access: + CA Issuers - URI:http://example.com/ca/rootecdsa.crt + + X509v3 CRL Distribution Points: + + Full Name: + URI:http://example.com/ca/rootecdsa.crl + + Signature Algorithm: ecdsa-with-SHA256 + 30:64:02:30:2c:40:ca:94:81:0b:69:b0:bc:1e:9b:d6:4a:34: + e7:00:95:a3:03:c9:c3:21:7e:e7:4b:3b:4f:46:ec:e7:4b:48: + 2f:07:8e:f9:12:15:dd:b4:cd:51:92:df:94:bc:52:aa:02:30: + 55:fe:37:62:74:89:46:3d:05:43:7f:15:16:73:66:4d:fe:ff: + 89:f2:63:51:30:b7:3d:25:5f:f7:e7:da:e1:78:04:06:0d:44: + bd:f0:2a:09:80:5c:79:ab:31:87:34:c6 +-----BEGIN CERTIFICATE----- +MIIDNjCCAr2gAwIBAgIBBTAKBggqhkjOPQQDAjCBjzELMAkGA1UEBhMCVVMxEzAR +BgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xEzARBgNV +BAoMCkJvZ3VzIEluYy4xEzARBgNVBAsMCk9wZXJhdGlvbnMxKTAnBgNVBAMMIFps +aW50IHRlc3QgY2VydGlmaWNhdGVzIEVDRFNBIENBMB4XDTE5MDkzMDEyNDE0NVoX +DTIxMDkyOTEyNDE0NVowgYExCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9y +bmlhMRYwFAYDVQQHDA1TYW4gRnJhbmNpc2NvMRMwEQYDVQQKDApCb2d1cyBJbmMu +MRMwEQYDVQQLDApPcGVyYXRpb25zMRswGQYDVQQDDBJlY2RzYTEuZXhhbXBsZS5j +b20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASO3rc+iV/8SnZWUOzP8Xz6RrZ/ +ZlMXfOdEicPQJpdkN4cV2GMQud5xVbPxaEZ3bQPNoXXEKlPRooPZXRmzbWzuo4IB +FDCCARAwDgYDVR0PAQH/BAQDAgWgMAkGA1UdEwQCMAAwHQYDVR0lBBYwFAYIKwYB +BQUHAwEGCCsGAQUFBwMCMB0GA1UdDgQWBBTNpUBaLD2zc054w1a3znquQLQugjAd +BgNVHREEFjAUghJlY2RzYTEuZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUK/J7Ev5m +RTQ5hzBdkLq6xNdoAqwwPwYIKwYBBQUHAQEEMzAxMC8GCCsGAQUFBzAChiNodHRw +Oi8vZXhhbXBsZS5jb20vY2Evcm9vdGVjZHNhLmNydDA0BgNVHR8ELTArMCmgJ6Al +hiNodHRwOi8vZXhhbXBsZS5jb20vY2Evcm9vdGVjZHNhLmNybDAKBggqhkjOPQQD +AgNnADBkAjAsQMqUgQtpsLwem9ZKNOcAlaMDycMhfudLO09G7OdLSC8HjvkSFd20 +zVGS35S8UqoCMFX+N2J0iUY9BUN/FRZzZk3+/4nyY1Ewtz0lX/fn2uF4BAYNRL3w +KgmAXHmrMYc0xg== +-----END CERTIFICATE----- diff --git a/testlint/testCerts/mpECDSAAlgorithmsDisallowed2.pem b/testlint/testCerts/mpECDSAAlgorithmsDisallowed2.pem new file mode 100644 index 000000000..0df6623a9 --- /dev/null +++ b/testlint/testCerts/mpECDSAAlgorithmsDisallowed2.pem @@ -0,0 +1,70 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 10 (0xa) + Signature Algorithm: ecdsa-with-SHA384 + Issuer: C = US, ST = California, L = San Francisco, O = Bogus Inc., OU = Operations, CN = Zlint test certificates ECDSA CA + Validity + Not Before: Sep 30 12:47:01 2019 GMT + Not After : Sep 29 12:47:01 2021 GMT + Subject: C = US, ST = California, L = San Francisco, O = Bogus Inc., OU = Operations, CN = ecdsa2.example.com + Subject Public Key Info: + Public Key Algorithm: id-ecPublicKey + Public-Key: (384 bit) + pub: + 04:60:f7:bc:80:aa:05:9d:86:2a:66:f4:dc:cb:32: + ca:5f:de:b0:0f:3d:b1:69:37:70:ae:8a:6d:3b:c1: + 64:b0:3e:a9:c6:8f:cf:f1:4a:5a:36:39:0d:a5:30: + 9f:95:86:a2:bb:88:c6:13:72:7a:29:a2:14:01:84: + 39:3c:35:f4:a3:4a:c9:56:d3:4e:69:e4:af:39:7a: + 5f:f9:be:b9:b1:5d:31:0d:b8:86:9c:7e:10:2f:50: + 6b:05:a6:cd:89:c2:33 + ASN1 OID: secp384r1 + NIST CURVE: P-384 + X509v3 extensions: + X509v3 Key Usage: critical + Digital Signature, Key Encipherment + X509v3 Basic Constraints: + CA:FALSE + X509v3 Extended Key Usage: + TLS Web Server Authentication, TLS Web Client Authentication + X509v3 Subject Key Identifier: + 26:D5:69:2D:68:B0:D0:E8:02:7C:21:F2:CA:13:69:87:EC:99:6E:68 + X509v3 Subject Alternative Name: + DNS:ecdsa2.example.com + X509v3 Authority Key Identifier: + keyid:52:B1:37:DB:0D:A5:20:37:C7:C6:61:66:1E:D5:68:1C:A1:A4:D7:4F + + Authority Information Access: + CA Issuers - URI:http://example.com/ca/rootecdsa.crt + + X509v3 CRL Distribution Points: + + Full Name: + URI:http://example.com/ca/rootecdsa.crl + + Signature Algorithm: ecdsa-with-SHA384 + 30:45:02:20:67:52:70:43:33:30:ee:49:20:ef:ba:2e:c6:74: + f3:e9:90:5e:41:6d:02:fa:4f:1d:12:8e:9c:b9:0b:d1:28:9a: + 02:21:00:e9:65:c9:d3:27:b4:98:a3:08:bc:f2:c2:1a:fa:e6: + 86:86:17:4e:11:06:b6:40:93:a6:d9:4d:db:35:d1:ec:5d +-----BEGIN CERTIFICATE----- +MIIDNDCCAtqgAwIBAgIBCjAKBggqhkjOPQQDAzCBjzELMAkGA1UEBhMCVVMxEzAR +BgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xEzARBgNV +BAoMCkJvZ3VzIEluYy4xEzARBgNVBAsMCk9wZXJhdGlvbnMxKTAnBgNVBAMMIFps +aW50IHRlc3QgY2VydGlmaWNhdGVzIEVDRFNBIENBMB4XDTE5MDkzMDEyNDcwMVoX +DTIxMDkyOTEyNDcwMVowgYExCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9y +bmlhMRYwFAYDVQQHDA1TYW4gRnJhbmNpc2NvMRMwEQYDVQQKDApCb2d1cyBJbmMu +MRMwEQYDVQQLDApPcGVyYXRpb25zMRswGQYDVQQDDBJlY2RzYTIuZXhhbXBsZS5j +b20wdjAQBgcqhkjOPQIBBgUrgQQAIgNiAARg97yAqgWdhipm9NzLMspf3rAPPbFp +N3Cuim07wWSwPqnGj8/xSlo2OQ2lMJ+VhqK7iMYTcnopohQBhDk8NfSjSslW005p +5K85el/5vrmxXTENuIacfhAvUGsFps2JwjOjggEUMIIBEDAOBgNVHQ8BAf8EBAMC +BaAwCQYDVR0TBAIwADAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwHQYD +VR0OBBYEFCbVaS1osNDoAnwh8soTaYfsmW5oMB0GA1UdEQQWMBSCEmVjZHNhMi5l +eGFtcGxlLmNvbTAfBgNVHSMEGDAWgBRSsTfbDaUgN8fGYWYe1WgcoaTXTzA/Bggr +BgEFBQcBAQQzMDEwLwYIKwYBBQUHMAKGI2h0dHA6Ly9leGFtcGxlLmNvbS9jYS9y +b290ZWNkc2EuY3J0MDQGA1UdHwQtMCswKaAnoCWGI2h0dHA6Ly9leGFtcGxlLmNv +bS9jYS9yb290ZWNkc2EuY3JsMAoGCCqGSM49BAMDA0gAMEUCIGdScEMzMO5JIO+6 +LsZ08+mQXkFtAvpPHRKOnLkL0SiaAiEA6WXJ0ye0mKMIvPLCGvrmhoYXThEGtkCT +ptlN2zXR7F0= +-----END CERTIFICATE----- diff --git a/testlint/testCerts/mpModulus1024.pem b/testlint/testCerts/mpModulus1024.pem new file mode 100644 index 000000000..2486ed1ca --- /dev/null +++ b/testlint/testCerts/mpModulus1024.pem @@ -0,0 +1,106 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 7 (0x7) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C = US, ST = California, L = San Francisco, O = Bogus Inc., OU = Operations, CN = Zlint test certificates CA + Validity + Not Before: Oct 1 14:17:23 2019 GMT + Not After : Sep 30 14:17:23 2021 GMT + Subject: C = US, ST = California, L = San Francisco, O = Bogus Inc., OU = Operations, CN = rsa1024.example.com + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (1024 bit) + Modulus: + 00:cd:79:a7:81:51:ca:26:c9:8f:c8:c9:ab:87:bd: + be:0e:e1:a2:b0:3f:ce:94:97:d2:7c:a9:17:d5:9a: + 82:d7:65:7c:fb:be:5d:3a:9d:5f:5e:60:b2:fd:fc: + 82:f9:87:9d:b6:08:67:ec:a9:c8:8f:09:bf:de:49: + 64:e2:8f:21:ac:cf:b0:3d:d6:2c:d4:1e:be:ea:dc: + 46:07:ed:98:bd:9a:57:d4:bf:b9:64:2d:c0:00:f2: + f2:17:f2:5f:ab:db:31:86:ca:ad:c1:ee:21:8a:56: + 95:e4:03:f8:d9:f2:ff:44:29:28:98:a3:d2:39:c3: + ae:73:96:9d:1b:ab:8d:f2:21 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Key Usage: critical + Digital Signature, Key Encipherment + X509v3 Basic Constraints: + CA:FALSE + X509v3 Extended Key Usage: + TLS Web Server Authentication, TLS Web Client Authentication + X509v3 Subject Key Identifier: + BD:00:20:E0:60:43:96:55:B9:0E:1A:6F:96:38:22:10:D2:BC:5C:E7 + X509v3 Subject Alternative Name: + DNS:rsa1024.example.com, DNS:rsa1024.example.com + X509v3 Authority Key Identifier: + keyid:F6:6E:67:49:02:D7:15:70:11:9C:8C:06:86:74:E0:32:61:16:C7:0E + + Authority Information Access: + CA Issuers - URI:http://example.com/ca/root.crt + + X509v3 CRL Distribution Points: + + Full Name: + URI:http://example.com/ca/root.crl + + Signature Algorithm: sha256WithRSAEncryption + 0b:a2:5b:48:5b:82:7c:16:47:11:ff:38:df:d0:72:ec:f2:1d: + e0:b6:1a:a6:cc:ea:29:c8:77:24:24:28:07:de:1e:a7:32:6f: + bb:f5:f1:a5:85:86:ac:b8:e5:6d:93:cd:12:11:3c:99:31:fd: + 8d:23:57:d5:52:85:f8:d3:14:9f:6d:0c:0d:e2:61:c4:64:c2: + 5d:50:60:e2:52:ec:e3:b4:18:16:be:32:51:48:50:6b:70:a2: + 21:b0:b7:79:92:2b:29:62:59:b2:df:b3:6b:3e:56:c2:a7:6f: + c0:9e:fa:5b:ae:aa:81:02:18:11:f7:94:bf:3f:4e:c0:52:27: + 23:a0:1f:9e:c6:00:07:02:8a:f3:cb:3d:e5:ad:52:9d:f4:ce: + 12:81:e5:23:22:d2:84:46:73:cb:d8:6e:e1:04:ca:14:f2:28: + 56:31:8f:fe:87:ad:46:c2:6f:34:7d:7b:94:f0:82:58:cf:14: + cc:60:ef:17:c7:ac:19:f4:26:77:6b:56:c1:4a:a2:18:63:95: + 75:05:e5:af:40:fc:7d:6f:d3:66:95:4b:2e:d6:50:da:0f:6e: + 01:1a:22:0b:29:a1:a4:22:05:02:fd:a1:37:46:4d:60:e2:ce: + a1:62:5e:1f:9a:8d:4d:9a:77:12:74:40:49:e7:3f:c0:c0:76: + 97:3f:26:f3:82:14:88:e9:b5:e5:c6:36:0a:07:88:34:b8:7d: + 3c:02:9a:04:d4:df:e3:ad:92:ea:88:9a:2f:9a:45:7f:b2:b2: + 20:a7:12:e4:90:e7:d6:c1:67:dc:48:0d:58:35:da:cf:0d:e9: + 3d:ed:5a:d2:57:53:e1:99:e4:9d:ba:24:9d:88:ac:65:a9:47: + d0:ad:96:86:eb:8e:3c:2f:60:29:05:af:62:47:38:d4:52:51: + 8f:5e:95:23:1c:e1:c9:ca:0b:80:c9:bf:bd:7d:8a:c0:cb:e8: + 36:f1:03:c0:75:91:f6:30:ae:97:41:47:7d:58:53:2a:fb:32: + 50:c8:96:b7:28:7f:d3:97:70:5a:8d:61:15:5c:c8:3b:59:48: + 6d:af:7b:b0:f1:27:59:15:a2:6e:69:85:52:9a:f3:4d:27:c4: + d0:6c:51:e6:52:3f:cb:15:8c:2e:4e:b2:2e:d9:54:df:1e:7b: + cd:5f:e0:23:25:f9:30:72:a4:d0:ef:be:af:04:6a:a6:a7:dc: + 08:e8:5a:24:73:c5:ee:ff:61:ce:0f:1e:bf:17:cc:5f:86:34: + 78:81:c8:3b:bd:45:70:41:6d:bb:6e:5d:ca:bd:48:38:79:2b: + d4:4e:5b:d9:cc:49:29:a3:5f:d5:39:e2:71:94:03:a8:28:27: + e8:36:1b:48:e0:b8:4e:04 +-----BEGIN CERTIFICATE----- +MIIFJjCCAw6gAwIBAgIBBzANBgkqhkiG9w0BAQsFADCBiTELMAkGA1UEBhMCVVMx +EzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xEzAR +BgNVBAoMCkJvZ3VzIEluYy4xEzARBgNVBAsMCk9wZXJhdGlvbnMxIzAhBgNVBAMM +GlpsaW50IHRlc3QgY2VydGlmaWNhdGVzIENBMB4XDTE5MTAwMTE0MTcyM1oXDTIx +MDkzMDE0MTcyM1owgYIxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlh +MRYwFAYDVQQHDA1TYW4gRnJhbmNpc2NvMRMwEQYDVQQKDApCb2d1cyBJbmMuMRMw +EQYDVQQLDApPcGVyYXRpb25zMRwwGgYDVQQDDBNyc2ExMDI0LmV4YW1wbGUuY29t +MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDNeaeBUcomyY/IyauHvb4O4aKw +P86Ul9J8qRfVmoLXZXz7vl06nV9eYLL9/IL5h522CGfsqciPCb/eSWTijyGsz7A9 +1izUHr7q3EYH7Zi9mlfUv7lkLcAA8vIX8l+r2zGGyq3B7iGKVpXkA/jZ8v9EKSiY +o9I5w65zlp0bq43yIQIDAQABo4IBIDCCARwwDgYDVR0PAQH/BAQDAgWgMAkGA1Ud +EwQCMAAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMB0GA1UdDgQWBBS9 +ACDgYEOWVbkOGm+WOCIQ0rxc5zAzBgNVHREELDAqghNyc2ExMDI0LmV4YW1wbGUu +Y29tghNyc2ExMDI0LmV4YW1wbGUuY29tMB8GA1UdIwQYMBaAFPZuZ0kC1xVwEZyM +BoZ04DJhFscOMDoGCCsGAQUFBwEBBC4wLDAqBggrBgEFBQcwAoYeaHR0cDovL2V4 +YW1wbGUuY29tL2NhL3Jvb3QuY3J0MC8GA1UdHwQoMCYwJKAioCCGHmh0dHA6Ly9l +eGFtcGxlLmNvbS9jYS9yb290LmNybDANBgkqhkiG9w0BAQsFAAOCAgEAC6JbSFuC +fBZHEf8439By7PId4LYapszqKch3JCQoB94epzJvu/XxpYWGrLjlbZPNEhE8mTH9 +jSNX1VKF+NMUn20MDeJhxGTCXVBg4lLs47QYFr4yUUhQa3CiIbC3eZIrKWJZst+z +az5WwqdvwJ76W66qgQIYEfeUvz9OwFInI6AfnsYABwKK88s95a1SnfTOEoHlIyLS +hEZzy9hu4QTKFPIoVjGP/oetRsJvNH17lPCCWM8UzGDvF8esGfQmd2tWwUqiGGOV +dQXlr0D8fW/TZpVLLtZQ2g9uARoiCymhpCIFAv2hN0ZNYOLOoWJeH5qNTZp3EnRA +Sec/wMB2lz8m84IUiOm15cY2CgeINLh9PAKaBNTf462S6oiaL5pFf7KyIKcS5JDn +1sFn3EgNWDXazw3pPe1a0ldT4ZnknboknYisZalH0K2WhuuOPC9gKQWvYkc41FJR +j16VIxzhycoLgMm/vX2KwMvoNvEDwHWR9jCul0FHfVhTKvsyUMiWtyh/05dwWo1h +FVzIO1lIba97sPEnWRWibmmFUprzTSfE0GxR5lI/yxWMLk6yLtlU3x57zV/gIyX5 +MHKk0O++rwRqpqfcCOhaJHPF7v9hzg8evxfMX4Y0eIHIO71FcEFtu25dyr1IOHkr +1E5b2cxJKaNf1TnicZQDqCgn6DYbSOC4TgQ= +-----END CERTIFICATE----- diff --git a/testlint/testCerts/mpModulus2048.pem b/testlint/testCerts/mpModulus2048.pem new file mode 100644 index 000000000..1ba990e99 --- /dev/null +++ b/testlint/testCerts/mpModulus2048.pem @@ -0,0 +1,118 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 9 (0x9) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C = US, ST = California, L = San Francisco, O = Bogus Inc., OU = Operations, CN = Zlint test certificates CA + Validity + Not Before: Oct 1 14:18:21 2019 GMT + Not After : Sep 30 14:18:21 2021 GMT + Subject: C = US, ST = California, L = San Francisco, O = Bogus Inc., OU = Operations, CN = rsa2048.example.com + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:c0:9b:47:8b:f3:d0:14:81:4d:0d:59:0b:71:ac: + 6b:9c:40:f3:4b:fc:3a:88:f6:0c:28:ce:16:28:97: + e9:bc:48:a6:e6:6b:8f:b7:35:b3:50:7b:36:08:aa: + 57:42:6f:86:0c:ce:97:ca:86:37:52:f0:25:a7:7c: + 5b:be:6f:a9:4f:11:34:e7:f3:82:df:d1:b7:92:64: + 6c:cf:17:67:f4:03:4b:af:47:2f:c8:d8:7f:9b:aa: + aa:de:c7:00:c9:2b:1d:16:db:e4:e3:56:b4:6c:04: + 10:88:98:5b:fa:ab:f8:b4:e2:d9:05:8a:d5:7b:53: + 43:27:38:4f:89:c3:f4:ad:64:f7:34:fa:10:6e:60: + 6a:35:30:ce:37:85:29:0c:79:7a:70:93:72:59:86: + df:e9:88:9a:0f:85:ef:08:9c:8e:61:ba:75:dd:03: + cb:53:4c:c3:d2:d8:3a:a9:e3:12:ee:42:40:5d:e5: + bb:c5:14:ff:3e:aa:dd:e8:fb:90:2f:4f:cf:12:5c: + a2:cc:f4:3e:ec:1e:b5:e4:10:b7:06:b1:21:3b:58: + f2:f4:97:2e:1d:e0:24:26:6e:f1:7f:08:c8:5e:02: + 03:36:bf:7f:fb:3c:e9:ab:49:e1:d7:18:4f:eb:b7: + 0b:0f:35:c5:af:c1:7d:e7:66:91:12:14:16:2a:67: + 0c:0b + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Key Usage: critical + Digital Signature, Key Encipherment + X509v3 Basic Constraints: + CA:FALSE + X509v3 Extended Key Usage: + TLS Web Server Authentication, TLS Web Client Authentication + X509v3 Subject Key Identifier: + DC:61:9F:0E:E3:CB:51:30:D6:CF:E8:74:1B:E6:FA:A9:91:AC:13:0A + X509v3 Subject Alternative Name: + DNS:rsa2048.example.com, DNS:rsa2048.example.com + X509v3 Authority Key Identifier: + keyid:F6:6E:67:49:02:D7:15:70:11:9C:8C:06:86:74:E0:32:61:16:C7:0E + + Authority Information Access: + CA Issuers - URI:http://example.com/ca/root.crt + + X509v3 CRL Distribution Points: + + Full Name: + URI:http://example.com/ca/root.crl + + Signature Algorithm: sha256WithRSAEncryption + 93:fe:30:be:c8:9f:9a:1f:63:ab:66:da:99:c3:31:d7:bb:d9: + aa:a9:1c:48:10:00:e6:f7:c5:43:0c:35:c6:c7:7d:be:98:2c: + 8c:7f:cb:fd:90:ed:d5:89:a5:1d:de:41:38:70:aa:4e:d8:bc: + 0a:58:8e:67:48:25:06:cb:f9:2d:fc:fd:de:aa:e7:62:6e:69: + 52:80:56:05:6f:de:58:c6:ce:6f:05:1e:a3:d3:64:cd:19:76: + 77:6b:80:29:0c:1a:97:72:ad:0e:a0:64:40:28:28:15:f2:5f: + be:04:65:d2:f0:68:b6:f2:cc:0b:26:99:a5:fb:e1:9f:87:b3: + 2c:2d:90:74:24:37:f4:57:17:59:b8:c4:16:b6:b4:ef:51:e7: + f6:81:f9:c8:cb:91:72:ac:15:9f:c9:40:c7:d1:bf:94:83:bf: + d9:bf:9b:63:93:d6:98:23:93:36:e3:41:bf:34:fd:e7:a5:d9: + 0e:8c:f3:1c:26:28:17:48:38:5a:9c:e7:2d:30:28:bd:1d:ec: + f0:ef:29:d5:cf:b5:9d:8e:ee:01:69:94:60:00:bf:c9:f0:33: + 85:c2:66:ad:64:20:b9:97:c0:06:45:05:02:9b:75:68:32:99: + ec:b8:a3:b8:4f:27:8e:3d:b2:52:50:ff:22:e0:4f:ee:fa:2e: + ec:dd:bd:6f:4e:88:13:aa:68:36:f3:b4:cb:c7:fa:fb:fb:56: + 58:2e:22:68:1a:80:7f:17:e9:87:4f:ab:c6:fa:0c:84:08:23: + 1c:dc:7f:e0:35:21:e4:4f:a1:ad:1d:48:c4:bc:8f:37:2f:81: + f4:6d:1b:a0:cf:f5:f8:45:47:46:94:f1:fa:ff:31:b8:b7:09: + ef:39:c0:64:f5:04:c0:b1:a8:ec:bf:73:f9:cb:40:3e:fc:7c: + a8:9d:c0:0c:cf:6e:d0:37:b3:04:66:a5:60:8f:08:00:c1:89: + 20:42:d8:07:0e:13:fb:49:17:ec:75:8b:19:b3:5d:3a:d6:28: + 54:08:8a:54:85:2d:40:00:57:e2:16:58:59:86:c6:10:b8:ee: + 52:8f:b5:47:dc:b5:cf:ee:84:83:49:72:9c:18:4c:55:ae:5b: + b1:aa:f5:10:b1:1c:9c:2e:75:06:68:b2:00:e6:5a:1b:e8:2d: + 08:ae:5a:a9:53:ba:f7:b2:d2:b2:d7:f5:ee:db:84:e2:9a:f3: + 2a:bd:14:aa:7f:fe:37:74:4e:4c:a6:17:32:58:5d:b6:45:ec: + 58:05:06:7b:4e:64:41:e7:47:a8:59:49:11:cf:21:85:b0:32: + 35:6b:17:5e:b8:30:17:b2:b1:48:c9:c5:bf:57:25:d9:93:98: + 65:32:87:1b:ca:65:25:f9 +-----BEGIN CERTIFICATE----- +MIIFqjCCA5KgAwIBAgIBCTANBgkqhkiG9w0BAQsFADCBiTELMAkGA1UEBhMCVVMx +EzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xEzAR +BgNVBAoMCkJvZ3VzIEluYy4xEzARBgNVBAsMCk9wZXJhdGlvbnMxIzAhBgNVBAMM +GlpsaW50IHRlc3QgY2VydGlmaWNhdGVzIENBMB4XDTE5MTAwMTE0MTgyMVoXDTIx +MDkzMDE0MTgyMVowgYIxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlh +MRYwFAYDVQQHDA1TYW4gRnJhbmNpc2NvMRMwEQYDVQQKDApCb2d1cyBJbmMuMRMw +EQYDVQQLDApPcGVyYXRpb25zMRwwGgYDVQQDDBNyc2EyMDQ4LmV4YW1wbGUuY29t +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwJtHi/PQFIFNDVkLcaxr +nEDzS/w6iPYMKM4WKJfpvEim5muPtzWzUHs2CKpXQm+GDM6XyoY3UvAlp3xbvm+p +TxE05/OC39G3kmRszxdn9ANLr0cvyNh/m6qq3scAySsdFtvk41a0bAQQiJhb+qv4 +tOLZBYrVe1NDJzhPicP0rWT3NPoQbmBqNTDON4UpDHl6cJNyWYbf6YiaD4XvCJyO +Ybp13QPLU0zD0tg6qeMS7kJAXeW7xRT/Pqrd6PuQL0/PElyizPQ+7B615BC3BrEh +O1jy9JcuHeAkJm7xfwjIXgIDNr9/+zzpq0nh1xhP67cLDzXFr8F952aREhQWKmcM +CwIDAQABo4IBIDCCARwwDgYDVR0PAQH/BAQDAgWgMAkGA1UdEwQCMAAwHQYDVR0l +BBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMB0GA1UdDgQWBBTcYZ8O48tRMNbP6HQb +5vqpkawTCjAzBgNVHREELDAqghNyc2EyMDQ4LmV4YW1wbGUuY29tghNyc2EyMDQ4 +LmV4YW1wbGUuY29tMB8GA1UdIwQYMBaAFPZuZ0kC1xVwEZyMBoZ04DJhFscOMDoG +CCsGAQUFBwEBBC4wLDAqBggrBgEFBQcwAoYeaHR0cDovL2V4YW1wbGUuY29tL2Nh +L3Jvb3QuY3J0MC8GA1UdHwQoMCYwJKAioCCGHmh0dHA6Ly9leGFtcGxlLmNvbS9j +YS9yb290LmNybDANBgkqhkiG9w0BAQsFAAOCAgEAk/4wvsifmh9jq2bamcMx17vZ +qqkcSBAA5vfFQww1xsd9vpgsjH/L/ZDt1YmlHd5BOHCqTti8CliOZ0glBsv5Lfz9 +3qrnYm5pUoBWBW/eWMbObwUeo9NkzRl2d2uAKQwal3KtDqBkQCgoFfJfvgRl0vBo +tvLMCyaZpfvhn4ezLC2QdCQ39FcXWbjEFra071Hn9oH5yMuRcqwVn8lAx9G/lIO/ +2b+bY5PWmCOTNuNBvzT956XZDozzHCYoF0g4WpznLTAovR3s8O8p1c+1nY7uAWmU +YAC/yfAzhcJmrWQguZfABkUFApt1aDKZ7LijuE8njj2yUlD/IuBP7vou7N29b06I +E6poNvO0y8f6+/tWWC4iaBqAfxfph0+rxvoMhAgjHNx/4DUh5E+hrR1IxLyPNy+B +9G0boM/1+EVHRpTx+v8xuLcJ7znAZPUEwLGo7L9z+ctAPvx8qJ3ADM9u0DezBGal +YI8IAMGJIELYBw4T+0kX7HWLGbNdOtYoVAiKVIUtQABX4hZYWYbGELjuUo+1R9y1 +z+6Eg0lynBhMVa5bsar1ELEcnC51BmiyAOZaG+gtCK5aqVO697LSstf17tuE4prz +Kr0Uqn/+N3ROTKYXMlhdtkXsWAUGe05kQedHqFlJEc8hhbAyNWsXXrgwF7KxSMnF +v1cl2ZOYZTKHG8plJfk= +-----END CERTIFICATE----- diff --git a/testlint/testCerts/mpModulus4095.pem b/testlint/testCerts/mpModulus4095.pem new file mode 100644 index 000000000..c8f9c7eb1 --- /dev/null +++ b/testlint/testCerts/mpModulus4095.pem @@ -0,0 +1,140 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 8 (0x8) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C = US, ST = California, L = San Francisco, O = Bogus Inc., OU = Operations, CN = Zlint test certificates CA + Validity + Not Before: Oct 1 14:17:56 2019 GMT + Not After : Sep 30 14:17:56 2021 GMT + Subject: C = US, ST = California, L = San Francisco, O = Bogus Inc., OU = Operations, CN = rsa4095.example.com + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (4095 bit) + Modulus: + 5f:8c:39:78:82:3b:cf:17:a5:d3:80:fe:81:eb:2f: + 91:bb:a3:68:da:c9:70:c9:e5:ff:bb:fd:83:c9:c7: + 99:d6:c2:27:aa:3c:7a:96:f1:8e:2f:8c:85:94:6b: + 60:8f:62:17:f5:f0:0d:cf:e6:7a:8f:ab:a6:fd:bd: + 56:87:2f:77:95:bc:26:b5:59:9b:f0:ca:ba:44:43: + 80:eb:14:75:1b:37:5e:91:00:94:34:74:fa:89:cd: + df:bc:e8:23:78:45:60:f3:5a:4a:2a:d7:53:66:43: + 3a:f9:2a:80:aa:ad:76:0a:35:1f:01:61:97:d2:92: + 42:40:fb:90:59:ea:5a:a9:36:9a:1b:b8:b4:7b:cb: + 2e:24:df:ab:ad:01:d0:84:6b:e3:1d:16:50:19:3e: + 9e:9a:b1:8a:67:5f:a0:2b:9a:d6:8e:4c:3a:49:5d: + 66:c4:ad:83:c7:da:60:58:fe:d6:6e:5d:18:bf:6e: + e2:b2:2b:b5:c5:39:17:4d:50:53:6b:af:4c:75:25: + 09:e8:54:9d:eb:c7:bd:9e:59:1b:c8:cd:e9:04:21: + dd:0b:d4:90:4c:d1:ef:71:5d:b1:9f:86:e9:21:81: + 31:bc:4c:f6:b7:21:49:84:4d:22:b0:ed:e5:8c:0e: + 40:b9:be:54:3e:47:50:3a:49:2b:b4:16:a2:7b:4e: + 07:35:7c:75:45:1c:71:ee:2d:39:ba:d0:4c:88:dc: + a9:68:40:b0:60:13:f1:a3:eb:96:5f:d1:da:40:71: + 61:3c:80:68:59:82:20:c0:00:75:54:b9:1f:7f:53: + 80:6e:45:46:77:c1:4d:4d:f6:8e:95:56:a0:0c:43: + f2:df:84:90:30:f4:fa:ba:68:ef:75:2f:06:d3:0f: + b3:d2:1b:f1:da:35:c1:c5:97:3f:57:f3:09:85:8f: + 50:07:1b:b5:ee:be:0e:f9:99:d3:49:f2:a7:38:e4: + a2:e9:b6:95:b5:8e:fe:20:47:33:20:11:17:c9:d2: + 0f:96:d7:e0:98:b0:36:67:af:ed:86:c5:7e:8e:de: + 0c:c7:1f:d3:91:44:d0:2f:32:9f:20:70:ac:41:f0: + 82:0e:66:72:09:98:dd:d5:50:5c:3c:b1:90:3a:7b: + 7e:a3:3e:5a:02:19:ca:0a:37:ab:3c:0f:7e:03:1b: + 50:e0:da:5d:c6:08:29:6b:12:91:90:e7:6d:b2:fe: + 1f:22:9a:58:98:63:c1:7c:f2:6f:91:49:37:ef:4a: + 79:92:2e:1f:27:09:ed:8b:f9:34:db:d6:ce:b2:5d: + 87:99:92:50:62:76:75:f2:32:9a:6f:34:61:18:66: + d6:3a:42:76:46:19:57:12:74:32:89:2c:93:40:49: + 8e:71 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Key Usage: critical + Digital Signature, Key Encipherment + X509v3 Basic Constraints: + CA:FALSE + X509v3 Extended Key Usage: + TLS Web Server Authentication, TLS Web Client Authentication + X509v3 Subject Key Identifier: + EB:4C:BB:D7:D9:FC:F0:6F:16:09:AD:9D:53:02:0E:DE:24:26:56:D7 + X509v3 Subject Alternative Name: + DNS:rsa4095.example.com, DNS:rsa4095.example.com + X509v3 Authority Key Identifier: + keyid:F6:6E:67:49:02:D7:15:70:11:9C:8C:06:86:74:E0:32:61:16:C7:0E + + Authority Information Access: + CA Issuers - URI:http://example.com/ca/root.crt + + X509v3 CRL Distribution Points: + + Full Name: + URI:http://example.com/ca/root.crl + + Signature Algorithm: sha256WithRSAEncryption + 4a:65:72:98:5f:a5:7a:f1:b9:e1:6b:c5:9a:f4:8c:6f:fe:f1: + ca:9a:4a:0e:05:b7:a4:aa:0b:74:79:7f:5d:43:ba:3e:c7:05: + 73:6f:1b:9a:1e:e9:78:c7:4b:50:d1:1b:df:09:1f:c1:4a:c6: + 3e:46:84:8c:20:32:72:e9:6c:c0:c1:d5:6d:64:f1:fb:6c:68: + 19:fb:de:b5:d0:5f:55:7b:ed:af:5c:d4:c7:ff:b0:5e:cf:20: + dd:ab:c4:90:75:f4:c8:85:c8:e0:85:da:ed:c4:15:c4:38:68: + c7:98:b0:0b:dd:fa:7e:66:8d:32:fa:aa:17:4f:7a:e2:f8:69: + 79:0d:65:26:63:1b:8a:18:d1:84:f4:33:26:f4:b1:e2:90:0c: + 15:6d:ab:71:79:b4:2d:38:c9:b9:65:fd:bd:44:8b:63:d4:db: + aa:ae:b4:58:8b:e2:1b:dd:38:ac:6e:02:41:bd:c8:4c:10:d6: + 8e:b4:1b:be:0f:1a:22:7d:3d:49:6b:05:d9:ee:de:64:0b:62: + 33:fe:89:b2:ac:d2:e2:f2:c0:2f:00:6d:3a:40:4d:02:a8:d3: + c6:31:6d:1f:4f:d7:c0:a3:36:57:09:b5:06:6c:e8:40:bc:a4: + 7e:07:fb:89:68:28:91:50:0b:2e:f0:95:3b:88:0a:73:2f:ec: + 79:a9:bb:d7:90:42:48:20:88:c4:80:27:09:b3:4a:35:07:b6: + cd:29:03:f4:04:99:7b:3c:9a:3b:94:87:42:cd:35:cd:58:d1: + d7:03:6c:52:24:88:54:ea:4d:8a:f9:02:95:f6:84:6b:d2:fb: + c0:80:05:9c:69:0e:4e:e7:8c:c6:3c:c3:43:90:fa:fa:e8:74: + fe:b3:3a:e1:35:9d:02:57:ea:a8:e4:a5:46:c7:0a:31:19:8b: + 4b:d1:b2:f5:29:1c:55:16:bd:8e:4b:06:b6:be:c3:f5:8a:46: + 50:ae:b2:3a:72:67:66:16:d8:40:40:cb:e4:1c:8d:82:79:4a: + a9:db:4b:dc:60:fb:4b:10:34:55:66:8a:85:61:24:e3:38:66: + 6d:8e:bf:c3:85:d0:3a:e1:47:7c:31:98:1f:6f:c0:c9:4b:7d: + d7:a8:12:cc:dc:f4:10:77:98:4d:5b:e8:53:2b:03:71:2e:2d: + 2b:cd:32:a7:c4:0c:f9:bc:31:4e:91:da:74:98:fb:57:60:53: + c0:1e:24:35:1e:fb:50:a1:ea:23:94:97:a6:4b:c5:49:7e:9a: + 51:c1:56:94:39:5c:a1:fb:78:6b:3a:a7:ac:68:08:3b:b3:25: + 69:e5:1c:34:81:b5:1f:d8:ad:f9:bf:38:95:cb:a1:e9:d1:05: + fb:56:12:7e:c9:e3:ce:e9 +-----BEGIN CERTIFICATE----- +MIIGqTCCBJGgAwIBAgIBCDANBgkqhkiG9w0BAQsFADCBiTELMAkGA1UEBhMCVVMx +EzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xEzAR +BgNVBAoMCkJvZ3VzIEluYy4xEzARBgNVBAsMCk9wZXJhdGlvbnMxIzAhBgNVBAMM +GlpsaW50IHRlc3QgY2VydGlmaWNhdGVzIENBMB4XDTE5MTAwMTE0MTc1NloXDTIx +MDkzMDE0MTc1NlowgYIxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlh +MRYwFAYDVQQHDA1TYW4gRnJhbmNpc2NvMRMwEQYDVQQKDApCb2d1cyBJbmMuMRMw +EQYDVQQLDApPcGVyYXRpb25zMRwwGgYDVQQDDBNyc2E0MDk1LmV4YW1wbGUuY29t +MIICITANBgkqhkiG9w0BAQEFAAOCAg4AMIICCQKCAgBfjDl4gjvPF6XTgP6B6y+R +u6No2slwyeX/u/2DyceZ1sInqjx6lvGOL4yFlGtgj2IX9fANz+Z6j6um/b1Why93 +lbwmtVmb8Mq6REOA6xR1GzdekQCUNHT6ic3fvOgjeEVg81pKKtdTZkM6+SqAqq12 +CjUfAWGX0pJCQPuQWepaqTaaG7i0e8suJN+rrQHQhGvjHRZQGT6emrGKZ1+gK5rW +jkw6SV1mxK2Dx9pgWP7Wbl0Yv27isiu1xTkXTVBTa69MdSUJ6FSd68e9nlkbyM3p +BCHdC9SQTNHvcV2xn4bpIYExvEz2tyFJhE0isO3ljA5Aub5UPkdQOkkrtBaie04H +NXx1RRxx7i05utBMiNypaECwYBPxo+uWX9HaQHFhPIBoWYIgwAB1VLkff1OAbkVG +d8FNTfaOlVagDEPy34SQMPT6umjvdS8G0w+z0hvx2jXBxZc/V/MJhY9QBxu17r4O ++ZnTSfKnOOSi6baVtY7+IEczIBEXydIPltfgmLA2Z6/thsV+jt4Mxx/TkUTQLzKf +IHCsQfCCDmZyCZjd1VBcPLGQOnt+oz5aAhnKCjerPA9+AxtQ4NpdxggpaxKRkOdt +sv4fIppYmGPBfPJvkUk370p5ki4fJwnti/k029bOsl2HmZJQYnZ18jKabzRhGGbW +OkJ2RhlXEnQyiSyTQEmOcQIDAQABo4IBIDCCARwwDgYDVR0PAQH/BAQDAgWgMAkG +A1UdEwQCMAAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMB0GA1UdDgQW +BBTrTLvX2fzwbxYJrZ1TAg7eJCZW1zAzBgNVHREELDAqghNyc2E0MDk1LmV4YW1w +bGUuY29tghNyc2E0MDk1LmV4YW1wbGUuY29tMB8GA1UdIwQYMBaAFPZuZ0kC1xVw +EZyMBoZ04DJhFscOMDoGCCsGAQUFBwEBBC4wLDAqBggrBgEFBQcwAoYeaHR0cDov +L2V4YW1wbGUuY29tL2NhL3Jvb3QuY3J0MC8GA1UdHwQoMCYwJKAioCCGHmh0dHA6 +Ly9leGFtcGxlLmNvbS9jYS9yb290LmNybDANBgkqhkiG9w0BAQsFAAOCAgEASmVy +mF+levG54WvFmvSMb/7xyppKDgW3pKoLdHl/XUO6PscFc28bmh7peMdLUNEb3wkf +wUrGPkaEjCAyculswMHVbWTx+2xoGfvetdBfVXvtr1zUx/+wXs8g3avEkHX0yIXI +4IXa7cQVxDhox5iwC936fmaNMvqqF0964vhpeQ1lJmMbihjRhPQzJvSx4pAMFW2r +cXm0LTjJuWX9vUSLY9Tbqq60WIviG904rG4CQb3ITBDWjrQbvg8aIn09SWsF2e7e +ZAtiM/6JsqzS4vLALwBtOkBNAqjTxjFtH0/XwKM2Vwm1BmzoQLykfgf7iWgokVAL +LvCVO4gKcy/seam715BCSCCIxIAnCbNKNQe2zSkD9ASZezyaO5SHQs01zVjR1wNs +UiSIVOpNivkClfaEa9L7wIAFnGkOTueMxjzDQ5D6+uh0/rM64TWdAlfqqOSlRscK +MRmLS9Gy9SkcVRa9jksGtr7D9YpGUK6yOnJnZhbYQEDL5ByNgnlKqdtL3GD7SxA0 +VWaKhWEk4zhmbY6/w4XQOuFHfDGYH2/AyUt916gSzNz0EHeYTVvoUysDcS4tK80y +p8QM+bwxTpHadJj7V2BTwB4kNR77UKHqI5SXpkvFSX6aUcFWlDlcoft4azqnrGgI +O7MlaeUcNIG1H9it+b84lcuh6dEF+1YSfsnjzuk= +-----END CERTIFICATE----- diff --git a/testlint/testCerts/mpSubCAEKUAllowed.pem b/testlint/testCerts/mpSubCAEKUAllowed.pem new file mode 100644 index 000000000..d3ce5d042 --- /dev/null +++ b/testlint/testCerts/mpSubCAEKUAllowed.pem @@ -0,0 +1,115 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 6 (0x6) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C = US, ST = California, L = San Francisco, O = Bogus Inc., OU = Operations, CN = Zlint test certificates CA + Validity + Not Before: Oct 1 09:04:17 2019 GMT + Not After : Sep 30 09:04:17 2029 GMT + Subject: C = US, ST = California, L = San Francisco, O = Bogus Inc., OU = Operations, CN = Zlint EKU SubCA 4 + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:c9:9d:52:30:0c:f3:2e:c9:88:69:fe:3f:e1:4c: + 55:c7:b0:92:0c:ed:d6:4b:10:07:ae:53:54:d2:da: + 12:c0:6e:45:8d:65:61:b3:1e:ad:d7:52:c2:8f:37: + 68:35:32:2f:eb:9a:f5:3d:c1:47:89:dc:c7:47:84: + 5a:9d:12:ec:c8:1b:65:d1:16:57:17:7d:75:c5:57: + 0f:da:81:66:4c:d2:65:aa:27:80:4e:22:b1:c8:ac: + 81:20:c9:35:70:cf:4f:8f:5e:54:dc:24:82:4c:45: + d3:9e:c0:d5:62:22:9f:93:28:90:5c:91:b2:05:50: + 4a:37:2e:84:00:99:c2:1b:06:6d:6a:62:7f:0e:b3: + ea:31:28:1e:a6:4f:d5:be:ea:b7:e0:16:4f:49:8a: + 11:83:08:3a:cc:3c:59:33:5c:8b:28:87:23:27:69: + ed:e0:e7:75:0e:45:51:31:9c:6a:c5:73:b2:8a:84: + e8:40:54:be:57:da:1c:db:df:18:f5:8a:95:47:07: + f8:56:05:d5:ed:8a:5d:01:c7:c0:93:ab:8a:3f:ee: + 1c:46:b6:58:f7:4c:ef:f7:d7:5c:f7:6c:b5:30:be: + 2e:55:2b:c6:9e:8a:25:6a:96:d9:98:13:07:43:2b: + 9d:99:8b:b5:38:c7:2f:76:a0:14:3e:9d:28:0a:af: + a6:cf + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 Basic Constraints: critical + CA:TRUE, pathlen:0 + X509v3 Subject Key Identifier: + 70:0D:B0:3B:EC:A8:53:28:F4:47:00:57:5B:D9:55:5E:F0:D0:54:4F + X509v3 Authority Key Identifier: + keyid:F6:6E:67:49:02:D7:15:70:11:9C:8C:06:86:74:E0:32:61:16:C7:0E + + Authority Information Access: + CA Issuers - URI:http://example.com/ca/root.crt + + X509v3 CRL Distribution Points: + + Full Name: + URI:http://example.com/ca/root.crl + + X509v3 Extended Key Usage: + TLS Web Server Authentication + Signature Algorithm: sha256WithRSAEncryption + 00:6c:8e:9f:5d:bb:c1:83:0a:34:d3:93:80:d8:d7:df:48:60: + 4d:67:34:2d:d1:ce:98:2f:02:3d:d4:50:58:28:00:3b:a5:f7: + 50:87:74:b6:e7:25:c0:96:fc:dc:e4:fd:75:1f:28:91:28:7d: + c0:af:b3:fc:eb:e6:6f:1d:a1:00:a9:d1:bb:59:d5:bd:11:8a: + f9:74:30:2e:f9:d7:61:35:31:8b:16:25:93:39:cf:e5:24:1c: + e1:f8:4a:58:cb:78:41:57:f8:ab:fd:07:83:7f:2a:85:bd:df: + 8d:49:a0:73:5b:a3:19:ae:d3:13:8e:35:a3:af:8c:0e:da:d7: + 15:48:24:3c:da:fa:67:4e:12:38:d3:cf:12:19:37:b1:b3:71: + 93:17:76:8f:b4:ac:11:08:ce:08:22:54:02:1c:cd:ec:ae:e7: + d9:3a:03:dd:1e:91:1b:75:e0:34:4f:27:b5:6b:f0:f4:8f:17: + 09:7e:b9:4f:91:90:08:b2:5d:34:02:56:be:de:63:2d:3f:35: + 23:98:35:a6:1e:e4:60:b7:7a:18:7a:78:b7:d9:75:d1:19:0a: + c6:f9:d8:2e:2c:a5:1a:37:3d:0f:f7:1a:38:3e:af:55:e0:5e: + cf:bd:46:66:d2:8d:08:47:54:51:a8:49:93:af:52:e4:98:90: + d3:87:84:ae:7d:21:ad:0e:89:43:94:fa:ec:e8:a1:b8:21:96: + 88:4c:ad:7e:59:76:d9:ad:2d:a8:79:03:c6:de:f4:17:d5:05: + 38:ff:c9:01:56:c0:3d:02:a2:df:c2:a5:3d:c6:7f:eb:d0:1b: + 7e:88:37:9e:92:83:d8:2e:63:b6:61:48:46:62:dd:00:1e:58: + 5b:52:14:b9:77:db:8e:15:74:56:82:c2:f8:70:ae:20:26:aa: + e4:8d:de:27:df:fe:9e:4e:dc:77:00:39:1a:55:97:54:f4:43: + 4a:12:ea:db:44:14:dd:9a:9f:6d:ea:5b:a9:50:dd:f9:19:bb: + c2:76:ab:be:0d:b5:98:20:e7:c5:e6:d2:c7:2d:50:d2:7a:fb: + 26:12:39:ef:f0:f6:cf:d7:06:ab:99:0a:de:c1:88:95:86:39: + 54:2b:0a:06:9c:d5:fc:ca:0d:6e:20:ec:91:af:e3:08:25:7a: + 70:86:73:0e:56:e5:89:53:b0:25:95:99:82:30:af:45:5a:49: + 11:2f:24:39:9b:c0:f9:19:b8:8b:52:ad:c5:45:90:fe:c7:2d: + a5:ca:00:f5:8f:aa:27:69:f7:2d:5d:a9:2f:01:2c:66:78:ed: + b7:89:c6:f4:f1:f7:06:75:db:44:17:25:b8:10:a3:2e:9f:9d: + 0b:ab:c3:e1:b3:dc:91:e2 +-----BEGIN CERTIFICATE----- +MIIFcDCCA1igAwIBAgIBBjANBgkqhkiG9w0BAQsFADCBiTELMAkGA1UEBhMCVVMx +EzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xEzAR +BgNVBAoMCkJvZ3VzIEluYy4xEzARBgNVBAsMCk9wZXJhdGlvbnMxIzAhBgNVBAMM +GlpsaW50IHRlc3QgY2VydGlmaWNhdGVzIENBMB4XDTE5MTAwMTA5MDQxN1oXDTI5 +MDkzMDA5MDQxN1owgYAxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlh +MRYwFAYDVQQHDA1TYW4gRnJhbmNpc2NvMRMwEQYDVQQKDApCb2d1cyBJbmMuMRMw +EQYDVQQLDApPcGVyYXRpb25zMRowGAYDVQQDDBFabGludCBFS1UgU3ViQ0EgNDCC +ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMmdUjAM8y7JiGn+P+FMVcew +kgzt1ksQB65TVNLaEsBuRY1lYbMerddSwo83aDUyL+ua9T3BR4ncx0eEWp0S7Mgb +ZdEWVxd9dcVXD9qBZkzSZaongE4iscisgSDJNXDPT49eVNwkgkxF057A1WIin5Mo +kFyRsgVQSjcuhACZwhsGbWpifw6z6jEoHqZP1b7qt+AWT0mKEYMIOsw8WTNciyiH +Iydp7eDndQ5FUTGcasVzsoqE6EBUvlfaHNvfGPWKlUcH+FYF1e2KXQHHwJOrij/u +HEa2WPdM7/fXXPdstTC+LlUrxp6KJWqW2ZgTB0MrnZmLtTjHL3agFD6dKAqvps8C +AwEAAaOB6TCB5jAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADAd +BgNVHQ4EFgQUcA2wO+yoUyj0RwBXW9lVXvDQVE8wHwYDVR0jBBgwFoAU9m5nSQLX +FXARnIwGhnTgMmEWxw4wOgYIKwYBBQUHAQEELjAsMCoGCCsGAQUFBzAChh5odHRw +Oi8vZXhhbXBsZS5jb20vY2Evcm9vdC5jcnQwLwYDVR0fBCgwJjAkoCKgIIYeaHR0 +cDovL2V4YW1wbGUuY29tL2NhL3Jvb3QuY3JsMBMGA1UdJQQMMAoGCCsGAQUFBwMB +MA0GCSqGSIb3DQEBCwUAA4ICAQAAbI6fXbvBgwo005OA2NffSGBNZzQt0c6YLwI9 +1FBYKAA7pfdQh3S25yXAlvzc5P11HyiRKH3Ar7P86+ZvHaEAqdG7WdW9EYr5dDAu ++ddhNTGLFiWTOc/lJBzh+EpYy3hBV/ir/QeDfyqFvd+NSaBzW6MZrtMTjjWjr4wO +2tcVSCQ82vpnThI4088SGTexs3GTF3aPtKwRCM4IIlQCHM3srufZOgPdHpEbdeA0 +Tye1a/D0jxcJfrlPkZAIsl00Ala+3mMtPzUjmDWmHuRgt3oYeni32XXRGQrG+dgu +LKUaNz0P9xo4Pq9V4F7PvUZm0o0IR1RRqEmTr1LkmJDTh4SufSGtDolDlPrs6KG4 +IZaITK1+WXbZrS2oeQPG3vQX1QU4/8kBVsA9AqLfwqU9xn/r0Bt+iDeekoPYLmO2 +YUhGYt0AHlhbUhS5d9uOFXRWgsL4cK4gJqrkjd4n3/6eTtx3ADkaVZdU9ENKEurb +RBTdmp9t6lupUN35GbvCdqu+DbWYIOfF5tLHLVDSevsmEjnv8PbP1warmQrewYiV +hjlUKwoGnNX8yg1uIOyRr+MIJXpwhnMOVuWJU7AllZmCMK9FWkkRLyQ5m8D5GbiL +Uq3FRZD+xy2lygD1j6onafctXakvASxmeO23icb08fcGddtEFyW4EKMun50Lq8Ph +s9yR4g== +-----END CERTIFICATE----- diff --git a/testlint/testCerts/mpSubCAEKUDisallowed1.pem b/testlint/testCerts/mpSubCAEKUDisallowed1.pem new file mode 100644 index 000000000..0b7fe7df9 --- /dev/null +++ b/testlint/testCerts/mpSubCAEKUDisallowed1.pem @@ -0,0 +1,112 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 3 (0x3) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C = US, ST = California, L = San Francisco, O = Bogus Inc., OU = Operations, CN = Zlint test certificates CA + Validity + Not Before: Oct 1 09:01:11 2019 GMT + Not After : Sep 30 09:01:11 2029 GMT + Subject: C = US, ST = California, L = San Francisco, O = Bogus Inc., OU = Operations, CN = Zlint EKU SubCA 1 + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:df:d8:96:4a:af:76:2b:91:9e:d5:44:80:4b:45: + 19:38:76:9b:59:e2:bc:13:9a:dc:89:50:dc:88:33: + 79:3c:00:33:2c:8d:5f:2a:74:db:9c:60:79:b1:eb: + a4:02:99:b1:c0:9f:34:00:4f:78:46:89:4f:59:be: + d7:22:be:74:13:0d:77:b8:cb:6e:bc:b0:c6:2e:ed: + 22:2e:98:2e:91:8a:6e:c0:07:97:b8:bb:22:b8:5d: + 37:81:59:e2:22:18:17:71:cf:f7:c0:b7:ef:ce:aa: + ec:c1:c5:72:e2:d7:0b:a6:bd:e7:5f:4c:e2:11:ba: + 47:5c:37:6a:d3:5f:d0:29:42:af:d6:3c:27:be:cc: + 8f:26:c5:e4:a1:8e:93:b3:e8:87:80:18:cd:47:2d: + fc:63:f5:e5:6b:6a:e4:b1:58:b9:d6:60:38:82:41: + 9d:b2:19:19:dc:7c:6e:a7:b6:64:6a:82:23:90:44: + f9:59:bb:f1:c6:7c:73:0d:a1:0b:ac:dc:68:95:dd: + 13:f3:17:45:63:ce:fe:43:67:f8:3a:2f:5d:cb:7e: + d8:b8:36:59:56:9b:8b:19:50:4a:fb:45:fa:08:40: + 36:30:19:1b:60:53:99:8f:53:93:c2:5c:48:9c:05: + d6:8e:89:ac:bc:65:25:ee:10:4a:c6:0c:08:ac:a5: + d6:eb + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 Basic Constraints: critical + CA:TRUE, pathlen:0 + X509v3 Subject Key Identifier: + A6:1E:4B:45:81:FA:C2:41:C0:88:F7:62:C9:09:F8:BE:98:D7:F0:43 + X509v3 Authority Key Identifier: + keyid:F6:6E:67:49:02:D7:15:70:11:9C:8C:06:86:74:E0:32:61:16:C7:0E + + Authority Information Access: + CA Issuers - URI:http://example.com/ca/root.crt + + X509v3 CRL Distribution Points: + + Full Name: + URI:http://example.com/ca/root.crl + + Signature Algorithm: sha256WithRSAEncryption + 62:16:8f:8a:10:2a:f7:b3:ea:83:be:3d:7e:0e:aa:7f:f2:fa: + a8:f6:63:c2:3d:52:61:a1:9b:fb:bd:82:90:19:1a:97:fd:8b: + 0c:58:21:5e:06:67:37:7f:49:07:fb:35:fe:7e:06:d8:58:0c: + 6c:40:55:71:82:0c:1f:13:ca:fb:5b:76:60:b6:c5:cf:c1:ad: + e7:05:3f:c4:5c:ee:a6:29:62:25:50:be:f8:23:17:c4:70:3a: + c9:99:fa:5c:17:6c:27:d5:63:8c:2f:d4:af:c6:f9:d8:44:fd: + 34:b7:34:29:e7:b3:aa:f7:39:bf:53:a2:b7:ef:f0:9a:85:71: + 7d:e9:29:d7:43:b5:13:b3:41:48:fb:0a:60:3c:0b:b4:63:9e: + 3c:aa:4f:c5:49:c1:f0:aa:00:8f:59:f3:2c:bf:53:74:81:f2: + 7f:0e:f3:fc:81:a5:73:2f:0f:a4:68:31:74:4b:62:f8:8b:c4: + 65:44:32:a0:2d:50:92:31:6c:da:92:b6:43:0e:07:04:65:13: + 1b:5c:5c:86:38:9c:39:1a:16:2b:6f:b9:c3:21:71:79:53:d2: + 15:7d:9a:4d:c9:c5:b9:ee:1c:da:74:76:45:a7:2b:a0:7a:8d: + ea:82:16:da:a9:cd:2d:64:bd:6c:38:5b:d4:d5:43:38:28:e6: + 12:01:88:5f:cd:4d:04:a2:43:ea:64:3e:c1:d1:ae:6a:50:7e: + 05:b4:4e:e0:cc:ac:1d:89:36:c8:90:2f:9d:ab:f9:2b:cb:1f: + 39:0a:5d:db:3e:32:b0:7d:19:93:f4:3a:5d:2f:5f:1d:9a:1e: + 9d:71:ad:9d:f2:3e:91:10:53:6a:7a:08:fe:d9:e2:54:f6:b4: + 64:8d:5e:00:45:15:da:32:fd:c8:56:18:92:42:91:0a:04:93: + 4e:a8:35:e7:a7:7a:7c:24:e4:36:72:01:ea:84:3b:81:a9:a1: + 73:8b:9f:09:9e:b6:0f:58:26:22:16:60:71:83:be:df:b3:85: + b6:6b:74:f6:e0:52:11:37:89:7f:18:1c:8f:c7:69:e7:1d:9d: + 82:c4:18:05:a4:7c:e9:99:11:4f:af:b4:fd:de:35:c5:10:bf: + 72:3c:12:73:07:b2:af:b6:98:05:0a:65:cf:2d:b0:0d:db:a2: + 10:9f:e6:75:4b:9b:0f:fa:f0:fa:64:19:ba:7b:3f:e3:2e:88: + 31:9b:99:44:a6:d7:41:67:0c:62:43:31:af:11:40:75:58:23: + 77:87:66:8f:2a:ca:14:e1:39:29:be:de:c8:5a:b1:0b:bd:f8: + 43:34:c3:61:3c:83:bb:44:e4:1c:6d:ce:46:b6:46:ad:14:7a: + a4:cf:01:84:4e:75:ce:e4 +-----BEGIN CERTIFICATE----- +MIIFWzCCA0OgAwIBAgIBAzANBgkqhkiG9w0BAQsFADCBiTELMAkGA1UEBhMCVVMx +EzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xEzAR +BgNVBAoMCkJvZ3VzIEluYy4xEzARBgNVBAsMCk9wZXJhdGlvbnMxIzAhBgNVBAMM +GlpsaW50IHRlc3QgY2VydGlmaWNhdGVzIENBMB4XDTE5MTAwMTA5MDExMVoXDTI5 +MDkzMDA5MDExMVowgYAxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlh +MRYwFAYDVQQHDA1TYW4gRnJhbmNpc2NvMRMwEQYDVQQKDApCb2d1cyBJbmMuMRMw +EQYDVQQLDApPcGVyYXRpb25zMRowGAYDVQQDDBFabGludCBFS1UgU3ViQ0EgMTCC +ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAN/YlkqvdiuRntVEgEtFGTh2 +m1nivBOa3IlQ3IgzeTwAMyyNXyp025xgebHrpAKZscCfNABPeEaJT1m+1yK+dBMN +d7jLbrywxi7tIi6YLpGKbsAHl7i7IrhdN4FZ4iIYF3HP98C3786q7MHFcuLXC6a9 +519M4hG6R1w3atNf0ClCr9Y8J77MjybF5KGOk7Poh4AYzUct/GP15Wtq5LFYudZg +OIJBnbIZGdx8bqe2ZGqCI5BE+Vm78cZ8cw2hC6zcaJXdE/MXRWPO/kNn+DovXct+ +2Lg2WVabixlQSvtF+ghANjAZG2BTmY9Tk8JcSJwF1o6JrLxlJe4QSsYMCKyl1usC +AwEAAaOB1DCB0TAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADAd +BgNVHQ4EFgQUph5LRYH6wkHAiPdiyQn4vpjX8EMwHwYDVR0jBBgwFoAU9m5nSQLX +FXARnIwGhnTgMmEWxw4wOgYIKwYBBQUHAQEELjAsMCoGCCsGAQUFBzAChh5odHRw +Oi8vZXhhbXBsZS5jb20vY2Evcm9vdC5jcnQwLwYDVR0fBCgwJjAkoCKgIIYeaHR0 +cDovL2V4YW1wbGUuY29tL2NhL3Jvb3QuY3JsMA0GCSqGSIb3DQEBCwUAA4ICAQBi +Fo+KECr3s+qDvj1+Dqp/8vqo9mPCPVJhoZv7vYKQGRqX/YsMWCFeBmc3f0kH+zX+ +fgbYWAxsQFVxggwfE8r7W3ZgtsXPwa3nBT/EXO6mKWIlUL74IxfEcDrJmfpcF2wn +1WOML9SvxvnYRP00tzQp57Oq9zm/U6K37/CahXF96SnXQ7UTs0FI+wpgPAu0Y548 +qk/FScHwqgCPWfMsv1N0gfJ/DvP8gaVzLw+kaDF0S2L4i8RlRDKgLVCSMWzakrZD +DgcEZRMbXFyGOJw5GhYrb7nDIXF5U9IVfZpNycW57hzadHZFpyugeo3qghbaqc0t +ZL1sOFvU1UM4KOYSAYhfzU0EokPqZD7B0a5qUH4FtE7gzKwdiTbIkC+dq/kryx85 +Cl3bPjKwfRmT9DpdL18dmh6dca2d8j6REFNqegj+2eJU9rRkjV4ARRXaMv3IVhiS +QpEKBJNOqDXnp3p8JOQ2cgHqhDuBqaFzi58JnrYPWCYiFmBxg77fs4W2a3T24FIR +N4l/GByPx2nnHZ2CxBgFpHzpmRFPr7T93jXFEL9yPBJzB7KvtpgFCmXPLbAN26IQ +n+Z1S5sP+vD6ZBm6ez/jLogxm5lEptdBZwxiQzGvEUB1WCN3h2aPKsoU4Tkpvt7I +WrELvfhDNMNhPIO7ROQcbc5GtkatFHqkzwGETnXO5A== +-----END CERTIFICATE----- diff --git a/testlint/testCerts/mpSubCAEKUDisallowed2.pem b/testlint/testCerts/mpSubCAEKUDisallowed2.pem new file mode 100644 index 000000000..890aa6603 --- /dev/null +++ b/testlint/testCerts/mpSubCAEKUDisallowed2.pem @@ -0,0 +1,114 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 4 (0x4) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C = US, ST = California, L = San Francisco, O = Bogus Inc., OU = Operations, CN = Zlint test certificates CA + Validity + Not Before: Oct 1 09:03:45 2019 GMT + Not After : Sep 30 09:03:45 2029 GMT + Subject: C = US, ST = California, L = San Francisco, O = Bogus Inc., OU = Operations, CN = Zlint EKU SubCA 2 + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:d4:be:2f:ae:48:93:84:94:c3:a9:b8:1f:15:99: + be:ff:fc:2b:f1:ad:0b:ae:a4:58:bd:07:14:01:d5: + 32:30:45:d0:96:a3:03:32:a0:8c:83:4d:ae:2a:b5: + 26:12:3f:94:b0:25:a2:19:9a:dd:00:11:6e:93:37: + da:59:f0:7b:e5:33:73:49:81:ad:08:e6:73:9c:f9: + 4e:1d:11:51:86:48:a2:bf:ad:a5:0f:17:3a:91:06: + d6:14:62:2e:3d:89:c4:da:30:a4:f6:21:b0:fe:77: + 3c:15:a7:2b:a5:d6:8c:2e:a5:56:50:2a:c5:98:6e: + 4e:9b:f9:c3:3e:04:72:a6:70:bb:71:88:0b:45:1a: + de:bb:f9:58:5e:94:6b:54:8b:0a:78:93:72:95:04: + 1c:2b:9d:0f:a2:83:b9:e6:cf:b2:bd:c2:4b:32:40: + 6f:55:3d:d6:ce:36:83:7b:64:3b:8e:e3:a1:86:ad: + 2f:77:fd:ed:d5:2b:b5:aa:47:24:13:0e:96:77:3b: + 1d:a7:f5:72:7c:58:12:96:0b:74:0d:2f:d2:7b:f9: + 8b:64:f1:9a:36:c1:6e:25:73:ed:ed:3b:b6:77:bd: + 5e:0c:9c:ea:22:5a:6c:5f:64:46:1d:a4:97:f6:d5: + 39:42:c4:7d:66:76:b3:f9:55:7a:2f:a8:8e:7a:99: + 51:9f + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 Basic Constraints: critical + CA:TRUE, pathlen:0 + X509v3 Subject Key Identifier: + 42:A6:32:B3:22:04:41:A3:7F:20:E6:63:0F:23:FC:5F:B8:64:C7:78 + X509v3 Authority Key Identifier: + keyid:F6:6E:67:49:02:D7:15:70:11:9C:8C:06:86:74:E0:32:61:16:C7:0E + + Authority Information Access: + CA Issuers - URI:http://example.com/ca/root.crt + + X509v3 CRL Distribution Points: + + Full Name: + URI:http://example.com/ca/root.crl + + X509v3 Extended Key Usage: + Any Extended Key Usage + Signature Algorithm: sha256WithRSAEncryption + 79:ef:ab:6f:1d:e3:72:06:62:4e:93:ee:e8:09:7d:6e:7b:51: + 34:54:5b:74:15:ec:76:83:f3:29:46:b0:42:4b:3b:02:0b:ae: + 64:0e:08:81:b3:14:07:50:1a:3d:73:58:55:32:6c:6f:70:65: + 74:78:d8:12:f0:46:ae:17:c4:c7:0f:34:7c:97:01:0b:4d:e8: + bd:50:bf:c3:81:9f:91:85:e6:2e:c7:57:8b:c0:0c:d4:15:6c: + 42:c1:0c:cb:d2:0f:c4:35:79:44:4b:af:84:1d:3a:ca:7f:50: + ff:50:7b:35:2f:7b:a0:53:dd:c3:7e:1f:e3:be:56:d0:80:fa: + 0b:76:a2:13:3f:1a:53:3a:a4:84:09:ea:15:18:61:4e:45:f1: + 9e:a5:2a:54:89:ff:1b:ea:f4:74:d3:c5:ec:b9:b5:73:f4:f5: + 33:47:19:cc:54:ef:95:fe:57:da:e6:72:27:2c:08:3e:11:af: + ee:09:19:17:31:08:05:6e:d5:1d:89:73:45:a9:7a:39:a0:ba: + 82:df:4c:23:db:de:f2:4c:c3:29:c1:02:f6:8b:df:d3:a6:15: + dd:2b:b4:3a:1f:ab:c0:fb:ed:25:ce:c9:b3:09:1e:2b:9b:1d: + be:b6:3f:7d:f6:42:f2:a9:da:c4:ab:45:da:2c:e9:f4:3e:39: + 6c:f2:f4:bf:d0:0d:9b:35:47:73:23:8a:4d:a1:f5:64:7f:72: + c7:d6:e0:31:9c:bf:fe:e5:01:50:f5:c6:06:df:4c:ee:18:88: + c3:b9:a6:b5:6c:df:54:c0:c4:ee:95:34:b1:37:83:95:7a:82: + fd:b7:cb:81:20:0b:93:f3:91:c3:77:8e:b1:b3:1f:99:26:91: + 9b:f3:01:84:de:11:b1:e7:37:35:ab:25:ea:78:3c:52:23:98: + 94:a8:bf:9c:af:8e:bc:9e:e8:18:3d:7a:8b:a0:9f:40:fa:6a: + c3:21:ef:b0:b2:ee:3d:0b:e6:53:88:91:70:c3:ca:89:78:5b: + 7f:85:3b:2a:42:a5:c0:b0:2b:85:cc:44:e3:36:bb:12:0f:12: + e9:f1:52:7e:f7:88:cd:dc:be:2f:ef:b8:1f:f3:01:e2:37:5c: + f1:98:49:12:fc:d9:67:01:08:e6:31:45:8b:4d:8f:dd:1d:53: + 68:5b:72:4b:6c:48:9e:c1:08:7f:c6:74:7d:59:72:8c:dd:bc: + 91:da:26:89:a8:89:3f:1d:57:df:4a:f5:1a:c7:f5:ff:b4:98: + 5d:56:8b:a0:d0:8c:7e:74:39:d0:57:10:65:6c:ce:26:a1:51: + b3:02:82:db:99:d1:f3:d7:8c:70:00:f2:27:f4:41:87:06:7a: + ac:14:2e:69:60:8c:45:ec +-----BEGIN CERTIFICATE----- +MIIFbDCCA1SgAwIBAgIBBDANBgkqhkiG9w0BAQsFADCBiTELMAkGA1UEBhMCVVMx +EzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xEzAR +BgNVBAoMCkJvZ3VzIEluYy4xEzARBgNVBAsMCk9wZXJhdGlvbnMxIzAhBgNVBAMM +GlpsaW50IHRlc3QgY2VydGlmaWNhdGVzIENBMB4XDTE5MTAwMTA5MDM0NVoXDTI5 +MDkzMDA5MDM0NVowgYAxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlh +MRYwFAYDVQQHDA1TYW4gRnJhbmNpc2NvMRMwEQYDVQQKDApCb2d1cyBJbmMuMRMw +EQYDVQQLDApPcGVyYXRpb25zMRowGAYDVQQDDBFabGludCBFS1UgU3ViQ0EgMjCC +ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANS+L65Ik4SUw6m4HxWZvv/8 +K/GtC66kWL0HFAHVMjBF0JajAzKgjINNriq1JhI/lLAlohma3QARbpM32lnwe+Uz +c0mBrQjmc5z5Th0RUYZIor+tpQ8XOpEG1hRiLj2JxNowpPYhsP53PBWnK6XWjC6l +VlAqxZhuTpv5wz4EcqZwu3GIC0Ua3rv5WF6Ua1SLCniTcpUEHCudD6KDuebPsr3C +SzJAb1U91s42g3tkO47joYatL3f97dUrtapHJBMOlnc7Haf1cnxYEpYLdA0v0nv5 +i2TxmjbBbiVz7e07tne9Xgyc6iJabF9kRh2kl/bVOULEfWZ2s/lVei+ojnqZUZ8C +AwEAAaOB5TCB4jAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADAd +BgNVHQ4EFgQUQqYysyIEQaN/IOZjDyP8X7hkx3gwHwYDVR0jBBgwFoAU9m5nSQLX +FXARnIwGhnTgMmEWxw4wOgYIKwYBBQUHAQEELjAsMCoGCCsGAQUFBzAChh5odHRw +Oi8vZXhhbXBsZS5jb20vY2Evcm9vdC5jcnQwLwYDVR0fBCgwJjAkoCKgIIYeaHR0 +cDovL2V4YW1wbGUuY29tL2NhL3Jvb3QuY3JsMA8GA1UdJQQIMAYGBFUdJQAwDQYJ +KoZIhvcNAQELBQADggIBAHnvq28d43IGYk6T7ugJfW57UTRUW3QV7HaD8ylGsEJL +OwILrmQOCIGzFAdQGj1zWFUybG9wZXR42BLwRq4XxMcPNHyXAQtN6L1Qv8OBn5GF +5i7HV4vADNQVbELBDMvSD8Q1eURLr4QdOsp/UP9QezUve6BT3cN+H+O+VtCA+gt2 +ohM/GlM6pIQJ6hUYYU5F8Z6lKlSJ/xvq9HTTxey5tXP09TNHGcxU75X+V9rmcics +CD4Rr+4JGRcxCAVu1R2Jc0WpejmguoLfTCPb3vJMwynBAvaL39OmFd0rtDofq8D7 +7SXOybMJHiubHb62P332QvKp2sSrRdos6fQ+OWzy9L/QDZs1R3Mjik2h9WR/csfW +4DGcv/7lAVD1xgbfTO4YiMO5prVs31TAxO6VNLE3g5V6gv23y4EgC5PzkcN3jrGz +H5kmkZvzAYTeEbHnNzWrJep4PFIjmJSov5yvjrye6Bg9eougn0D6asMh77Cy7j0L +5lOIkXDDyol4W3+FOypCpcCwK4XMROM2uxIPEunxUn73iM3cvi/vuB/zAeI3XPGY +SRL82WcBCOYxRYtNj90dU2hbcktsSJ7BCH/GdH1ZcozdvJHaJomoiT8dV99K9RrH +9f+0mF1Wi6DQjH50OdBXEGVsziahUbMCgtuZ0fPXjHAA8if0QYcGeqwULmlgjEXs +-----END CERTIFICATE----- diff --git a/testlint/testCerts/mpSubCAEKUDisallowed3.pem b/testlint/testCerts/mpSubCAEKUDisallowed3.pem new file mode 100644 index 000000000..36f302d5f --- /dev/null +++ b/testlint/testCerts/mpSubCAEKUDisallowed3.pem @@ -0,0 +1,115 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 5 (0x5) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C = US, ST = California, L = San Francisco, O = Bogus Inc., OU = Operations, CN = Zlint test certificates CA + Validity + Not Before: Oct 1 09:04:03 2019 GMT + Not After : Sep 30 09:04:03 2029 GMT + Subject: C = US, ST = California, L = San Francisco, O = Bogus Inc., OU = Operations, CN = Zlint EKU SubCA 3 + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:ab:44:c0:c8:5f:89:54:2c:aa:49:bd:b4:18:be: + 5a:c4:f7:d4:d7:16:be:75:9b:94:0c:0d:ad:f4:99: + 2a:0a:8a:8b:db:e0:73:1d:23:87:b1:69:e1:7c:53: + 79:7b:50:33:89:6b:72:71:ec:8f:cc:d8:29:cf:5e: + ce:a7:25:7d:13:8e:e5:b0:35:f2:71:59:57:1a:73: + a3:e3:46:1d:d0:ed:d8:6f:f0:f2:a0:2b:1e:b4:f4: + 33:f0:b4:5a:6e:d6:87:01:f9:e2:fa:33:ac:ef:b6: + a8:df:41:d4:a8:50:59:1c:0e:c3:61:bb:f7:d4:d7: + ef:9d:ef:b8:bc:3b:ff:53:e3:e2:c3:04:06:fd:af: + be:13:ef:d2:35:fc:5b:b3:c8:2f:53:ec:4e:98:d2: + cd:cf:be:ca:32:af:48:96:f5:db:0a:aa:cb:8e:70: + a9:a1:48:94:d1:10:d4:90:03:55:ea:b1:a8:d2:a4: + 1f:05:fb:8d:05:f2:a8:17:4f:34:9b:c0:15:be:c6: + cd:3f:5a:e5:75:b9:13:b9:09:1f:f7:60:19:43:f0: + a8:96:f7:7e:cc:f5:31:4b:3c:aa:76:08:cc:b6:0a: + d8:62:49:f3:ad:0e:e1:87:d7:cd:fd:dd:c6:85:42: + f1:c5:49:ed:2c:c5:6a:33:56:bc:ba:37:20:b6:e2: + 38:95 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 Basic Constraints: critical + CA:TRUE, pathlen:0 + X509v3 Subject Key Identifier: + D7:F9:6F:09:42:A7:50:F3:C1:55:BD:C5:F3:DF:22:45:74:3A:24:07 + X509v3 Authority Key Identifier: + keyid:F6:6E:67:49:02:D7:15:70:11:9C:8C:06:86:74:E0:32:61:16:C7:0E + + Authority Information Access: + CA Issuers - URI:http://example.com/ca/root.crt + + X509v3 CRL Distribution Points: + + Full Name: + URI:http://example.com/ca/root.crl + + X509v3 Extended Key Usage: + TLS Web Server Authentication, E-mail Protection + Signature Algorithm: sha256WithRSAEncryption + 5e:9d:5e:4b:86:42:8b:f8:c1:34:42:8f:e3:dc:49:8a:3c:8a: + 19:56:22:38:bd:1d:83:7e:4e:31:95:cd:82:1c:fc:77:63:f6: + 69:54:60:21:2f:2d:00:b7:ee:d2:0e:a7:03:26:de:91:8c:ee: + a9:95:63:0a:4b:74:a6:92:06:ff:c0:14:70:d1:96:b7:3a:3f: + 32:51:33:9e:18:d5:c1:92:8d:12:d6:db:2b:ee:9e:76:76:ca: + 32:d0:5f:86:8e:31:bb:2e:19:cf:cd:ed:9f:72:88:54:e3:15: + 9a:fa:a4:24:9a:6d:1e:36:eb:23:06:cc:45:44:2d:f3:87:a0: + 2d:5c:4f:c0:a6:7c:5c:bc:14:a5:60:8e:ff:b3:35:01:7c:d8: + 5e:c7:1f:19:5f:bf:de:10:4d:bc:66:32:fc:04:25:7d:b6:4d: + 40:97:f8:d8:11:3d:c6:46:05:45:fe:00:9d:23:8f:56:04:74: + b6:a0:c6:51:28:6c:17:c0:a7:d1:60:4a:61:ac:3f:0a:b9:57: + 23:7c:b2:a8:e0:a8:30:f2:ed:95:1d:e8:ae:b2:93:a4:1f:0b: + 15:bf:e3:50:30:e7:ac:72:43:cd:3b:98:1d:1f:27:1e:de:50: + 35:80:ef:67:c1:a3:b7:b6:57:8b:62:01:84:d0:d1:5d:87:19: + 5b:09:9b:a1:7a:75:13:80:bf:89:c8:ef:ad:71:84:b4:f3:d6: + 5b:34:89:ed:3d:0b:ed:8c:d3:cc:2a:8e:08:64:fb:30:06:e7: + 3a:ed:9f:d6:2c:fc:23:9f:c4:5a:81:ad:22:19:40:17:84:09: + 3a:81:07:5f:88:82:bf:6e:4f:dd:f9:0b:71:4c:3a:94:9b:aa: + 69:2e:29:76:74:5e:c0:6a:45:0a:6e:c8:1b:8f:2d:9e:67:c3: + 60:80:21:5f:64:7b:87:bd:4a:97:40:25:d7:34:28:fe:bc:cd: + 94:51:eb:b0:d1:6e:27:bd:d5:aa:d4:ac:18:e1:67:06:aa:b7: + 91:02:ea:7d:ce:f3:a5:bf:7e:7f:99:6d:87:3e:7b:a0:4e:37: + ce:f0:9a:64:75:0a:9f:94:f8:94:46:77:4e:e5:61:74:bc:d1: + 57:f5:3e:d0:fe:11:c6:11:46:c2:4d:88:9f:37:87:d1:72:bd: + 2a:8c:14:41:37:8b:11:60:92:90:49:e9:82:00:71:d7:45:9e: + 5b:53:e8:68:59:c3:3f:c4:d3:ab:07:f0:81:e2:21:f9:a4:b5: + d1:76:c6:bf:7f:27:d3:e7:8e:14:e9:b9:0c:ec:f0:97:a5:5d: + 82:ff:78:68:e3:1c:a9:73:19:3b:28:54:4e:d9:3c:59:8f:bd: + 1e:ab:79:cb:57:72:1a:ba +-----BEGIN CERTIFICATE----- +MIIFejCCA2KgAwIBAgIBBTANBgkqhkiG9w0BAQsFADCBiTELMAkGA1UEBhMCVVMx +EzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xEzAR +BgNVBAoMCkJvZ3VzIEluYy4xEzARBgNVBAsMCk9wZXJhdGlvbnMxIzAhBgNVBAMM +GlpsaW50IHRlc3QgY2VydGlmaWNhdGVzIENBMB4XDTE5MTAwMTA5MDQwM1oXDTI5 +MDkzMDA5MDQwM1owgYAxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlh +MRYwFAYDVQQHDA1TYW4gRnJhbmNpc2NvMRMwEQYDVQQKDApCb2d1cyBJbmMuMRMw +EQYDVQQLDApPcGVyYXRpb25zMRowGAYDVQQDDBFabGludCBFS1UgU3ViQ0EgMzCC +ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKtEwMhfiVQsqkm9tBi+WsT3 +1NcWvnWblAwNrfSZKgqKi9vgcx0jh7Fp4XxTeXtQM4lrcnHsj8zYKc9ezqclfROO +5bA18nFZVxpzo+NGHdDt2G/w8qArHrT0M/C0Wm7WhwH54vozrO+2qN9B1KhQWRwO +w2G799TX753vuLw7/1Pj4sMEBv2vvhPv0jX8W7PIL1PsTpjSzc++yjKvSJb12wqq +y45wqaFIlNEQ1JADVeqxqNKkHwX7jQXyqBdPNJvAFb7GzT9a5XW5E7kJH/dgGUPw +qJb3fsz1MUs8qnYIzLYK2GJJ860O4YfXzf3dxoVC8cVJ7SzFajNWvLo3ILbiOJUC +AwEAAaOB8zCB8DAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADAd +BgNVHQ4EFgQU1/lvCUKnUPPBVb3F898iRXQ6JAcwHwYDVR0jBBgwFoAU9m5nSQLX +FXARnIwGhnTgMmEWxw4wOgYIKwYBBQUHAQEELjAsMCoGCCsGAQUFBzAChh5odHRw +Oi8vZXhhbXBsZS5jb20vY2Evcm9vdC5jcnQwLwYDVR0fBCgwJjAkoCKgIIYeaHR0 +cDovL2V4YW1wbGUuY29tL2NhL3Jvb3QuY3JsMB0GA1UdJQQWMBQGCCsGAQUFBwMB +BggrBgEFBQcDBDANBgkqhkiG9w0BAQsFAAOCAgEAXp1eS4ZCi/jBNEKP49xJijyK +GVYiOL0dg35OMZXNghz8d2P2aVRgIS8tALfu0g6nAybekYzuqZVjCkt0ppIG/8AU +cNGWtzo/MlEznhjVwZKNEtbbK+6ednbKMtBfho4xuy4Zz83tn3KIVOMVmvqkJJpt +HjbrIwbMRUQt84egLVxPwKZ8XLwUpWCO/7M1AXzYXscfGV+/3hBNvGYy/AQlfbZN +QJf42BE9xkYFRf4AnSOPVgR0tqDGUShsF8Cn0WBKYaw/CrlXI3yyqOCoMPLtlR3o +rrKTpB8LFb/jUDDnrHJDzTuYHR8nHt5QNYDvZ8Gjt7ZXi2IBhNDRXYcZWwmboXp1 +E4C/icjvrXGEtPPWWzSJ7T0L7YzTzCqOCGT7MAbnOu2f1iz8I5/EWoGtIhlAF4QJ +OoEHX4iCv25P3fkLcUw6lJuqaS4pdnRewGpFCm7IG48tnmfDYIAhX2R7h71Kl0Al +1zQo/rzNlFHrsNFuJ73VqtSsGOFnBqq3kQLqfc7zpb9+f5lthz57oE43zvCaZHUK +n5T4lEZ3TuVhdLzRV/U+0P4RxhFGwk2InzeH0XK9KowUQTeLEWCSkEnpggBx10We +W1PoaFnDP8TTqwfwgeIh+aS10XbGv38n0+eOFOm5DOzwl6Vdgv94aOMcqXMZOyhU +Ttk8WY+9Hqt5y1dyGro= +-----END CERTIFICATE----- diff --git a/util/time.go b/util/time.go index f5e525969..dfbccbdb6 100644 --- a/util/time.go +++ b/util/time.go @@ -54,6 +54,8 @@ var ( OnionOnlyEVDate = time.Date(2015, time.May, 1, 0, 0, 0, 0, time.UTC) CABV201Date = time.Date(2017, time.July, 28, 0, 0, 0, 0, time.UTC) AppleCTPolicyDate = time.Date(2018, time.October, 15, 0, 0, 0, 0, time.UTC) + MozillaPolicy22Date = time.Date(2013, time.July, 26, 0, 0, 0, 0, time.UTC) + MozillaPolicy24Date = time.Date(2017, time.February, 28, 0, 0, 0, 0, time.UTC) ) func FindTimeType(firstDate, secondDate asn1.RawValue) (int, int) { From 2551ecc643080c016f21f9e20a7cf1c29be0f376 Mon Sep 17 00:00:00 2001 From: Fotis Loukos Date: Fri, 4 Oct 2019 18:12:25 +0300 Subject: [PATCH 02/40] Split Mozilla Root Store Policy RSA key lint Mozilla Root Store Policy contains multiple different requirements on RSA keys. All these were tested in a single lint. These split into two different lints based on the different requirement. --- lints/lint_mp_allowed_rsa_keys_exponent.go | 66 +++++++++++++++++++ .../lint_mp_allowed_rsa_keys_exponent_test.go | 49 ++++++++++++++ lints/lint_mp_allowed_rsa_keys_modulus.go | 66 +++++++++++++++++++ .../lint_mp_allowed_rsa_keys_modulus_test.go | 54 +++++++++++++++ testlint/testCerts/mpExponent1.pem | 23 +++++++ testlint/testCerts/mpExponent10001.pem | 24 +++++++ 6 files changed, 282 insertions(+) create mode 100644 lints/lint_mp_allowed_rsa_keys_exponent.go create mode 100644 lints/lint_mp_allowed_rsa_keys_exponent_test.go create mode 100644 lints/lint_mp_allowed_rsa_keys_modulus.go create mode 100644 lints/lint_mp_allowed_rsa_keys_modulus_test.go create mode 100644 testlint/testCerts/mpExponent1.pem create mode 100644 testlint/testCerts/mpExponent10001.pem diff --git a/lints/lint_mp_allowed_rsa_keys_exponent.go b/lints/lint_mp_allowed_rsa_keys_exponent.go new file mode 100644 index 000000000..d05a21b29 --- /dev/null +++ b/lints/lint_mp_allowed_rsa_keys_exponent.go @@ -0,0 +1,66 @@ +/* + * ZLint Copyright 2019 Regents of the University of Michigan + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may not + * use this file except in compliance with the License. You may obtain a copy + * of the License at http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + * implied. See the License for the specific language governing + * permissions and limitations under the License. + */ + +/******************************************************************** +Section 5.2 - Forbidden and Required Practices +CAs MUST NOT issue certificates that have: +- invalid public keys (e.g., RSA certificates with public exponent equal to 1); +********************************************************************/ + +package lints + +import ( + "crypto/rsa" + + "github.com/zmap/zcrypto/x509" + "github.com/zmap/zlint/util" +) + +type allowedRSAKeyExponent struct{} + +func (l *allowedRSAKeyExponent) Initialize() error { + return nil +} + +func (l *allowedRSAKeyExponent) CheckApplies(c *x509.Certificate) bool { + if c.PublicKeyAlgorithm == x509.RSA { + return true + } + + return false +} + +func (l *allowedRSAKeyExponent) Execute(c *x509.Certificate) *LintResult { + pubKey, ok := c.PublicKey.(*rsa.PublicKey) + if !ok { + return &LintResult{Status: Fatal, Details: "certificate public key was not an RSA public key"} + } + + if pubKey.E == 1 { + return &LintResult{Status: Error} + } + + return &LintResult{Status: Pass} +} + +func init() { + RegisterLint(&Lint{ + Name: "e_mp_allowed_rsa_keys_exponent", + Description: "CAs MUST NOT issue certificates that have invalid public keys (e.g., RSA certificates with public exponent equal to 1)", + Citation: "Mozilla Root Store Policy / Section 5.2", + Source: MozillaRootStorePolicy, + EffectiveDate: util.MozillaPolicy24Date, + Lint: &allowedRSAKeyExponent{}, + }) +} diff --git a/lints/lint_mp_allowed_rsa_keys_exponent_test.go b/lints/lint_mp_allowed_rsa_keys_exponent_test.go new file mode 100644 index 000000000..5abf19e87 --- /dev/null +++ b/lints/lint_mp_allowed_rsa_keys_exponent_test.go @@ -0,0 +1,49 @@ +package lints + +/* + * ZLint Copyright 2018 Regents of the University of Michigan + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may not + * use this file except in compliance with the License. You may obtain a copy + * of the License at http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + * implied. See the License for the specific language governing + * permissions and limitations under the License. + */ + +import ( + "fmt" + "testing" +) + +func TestAllowedRSAKeysExponent(t *testing.T) { + testCases := []struct { + Name string + InputFilename string + ExpectedResult LintStatus + }{ + { + Name: "Certificate with exponent equal to 0x1", + InputFilename: "mpExponent1.pem", + ExpectedResult: Error, + }, + { + Name: "Certificate with exponent equal to 0x10001", + InputFilename: "mpExponent10001.pem", + ExpectedResult: Pass, + }, + } + + for _, tc := range testCases { + t.Run(tc.Name, func(t *testing.T) { + inputPath := fmt.Sprintf("%s%s", testCaseDir, tc.InputFilename) + result := Lints["e_mp_allowed_rsa_keys_exponent"].Execute(ReadCertificate(inputPath)) + if result.Status != tc.ExpectedResult { + t.Errorf("expected result %v was %v", tc.ExpectedResult, result.Status) + } + }) + } +} diff --git a/lints/lint_mp_allowed_rsa_keys_modulus.go b/lints/lint_mp_allowed_rsa_keys_modulus.go new file mode 100644 index 000000000..90f57ab90 --- /dev/null +++ b/lints/lint_mp_allowed_rsa_keys_modulus.go @@ -0,0 +1,66 @@ +/* + * ZLint Copyright 2019 Regents of the University of Michigan + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may not + * use this file except in compliance with the License. You may obtain a copy + * of the License at http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + * implied. See the License for the specific language governing + * permissions and limitations under the License. + */ + +/******************************************************************** +Section 5.1 - Algorithms +RSA keys whose modulus size in bits is divisible by 8, and is at least 2048. +********************************************************************/ + +package lints + +import ( + "crypto/rsa" + + "github.com/zmap/zcrypto/x509" + "github.com/zmap/zlint/util" +) + +type allowedRSAKeyModulus struct{} + +func (l *allowedRSAKeyModulus) Initialize() error { + return nil +} + +func (l *allowedRSAKeyModulus) CheckApplies(c *x509.Certificate) bool { + if c.PublicKeyAlgorithm == x509.RSA { + return true + } + + return false +} + +func (l *allowedRSAKeyModulus) Execute(c *x509.Certificate) *LintResult { + pubKey, ok := c.PublicKey.(*rsa.PublicKey) + if !ok { + return &LintResult{Status: Fatal, Details: "certificate public key was not an RSA public key"} + } + + bitLen := pubKey.N.BitLen() + if (bitLen%8) != 0 || bitLen < 2048 { + return &LintResult{Status: Error} + } + + return &LintResult{Status: Pass} +} + +func init() { + RegisterLint(&Lint{ + Name: "e_mp_allowed_rsa_keys_modulus", + Description: "RSA keys whose modulus size in bits is divisible by 8, is at least 2048 and public exponent is not equal to 1", + Citation: "Mozilla Root Store Policy / Section 5.1", + Source: MozillaRootStorePolicy, + EffectiveDate: util.MozillaPolicy24Date, + Lint: &allowedRSAKeyModulus{}, + }) +} diff --git a/lints/lint_mp_allowed_rsa_keys_modulus_test.go b/lints/lint_mp_allowed_rsa_keys_modulus_test.go new file mode 100644 index 000000000..5a575d82f --- /dev/null +++ b/lints/lint_mp_allowed_rsa_keys_modulus_test.go @@ -0,0 +1,54 @@ +package lints + +/* + * ZLint Copyright 2018 Regents of the University of Michigan + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may not + * use this file except in compliance with the License. You may obtain a copy + * of the License at http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + * implied. See the License for the specific language governing + * permissions and limitations under the License. + */ + +import ( + "fmt" + "testing" +) + +func TestAllowedRSAKeysModulus(t *testing.T) { + testCases := []struct { + Name string + InputFilename string + ExpectedResult LintStatus + }{ + { + Name: "Certificate with less than 2048 bit rsa key modulus length", + InputFilename: "mpModulus1024.pem", + ExpectedResult: Error, + }, + { + Name: "Certificate with rsa key modulus length not divisible by 8", + InputFilename: "mpModulus4095.pem", + ExpectedResult: Error, + }, + { + Name: "Certificate with rsa key modulus length equal to 2048", + InputFilename: "mpModulus2048.pem", + ExpectedResult: Pass, + }, + } + + for _, tc := range testCases { + t.Run(tc.Name, func(t *testing.T) { + inputPath := fmt.Sprintf("%s%s", testCaseDir, tc.InputFilename) + result := Lints["e_mp_allowed_rsa_keys_modulus"].Execute(ReadCertificate(inputPath)) + if result.Status != tc.ExpectedResult { + t.Errorf("expected result %v was %v", tc.ExpectedResult, result.Status) + } + }) + } +} diff --git a/testlint/testCerts/mpExponent1.pem b/testlint/testCerts/mpExponent1.pem new file mode 100644 index 000000000..538547870 --- /dev/null +++ b/testlint/testCerts/mpExponent1.pem @@ -0,0 +1,23 @@ +-----BEGIN CERTIFICATE----- +MIID5TCCAs2gAwIBAgIUDKyOLaU8HAYWjBe2WB8tG31o8RswDQYJKoZIhvcNAQEL +BQAwgYIxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQH +DA1TYW4gRnJhbmNpc2NvMRMwEQYDVQQKDApCb2d1cyBJbmMuMRMwEQYDVQQLDApP +cGVyYXRpb25zMRwwGgYDVQQDDBNrZXlleHAxLmV4YW1wbGUuY29tMB4XDTE5MTAw +NDE1MDAzOFoXDTIxMTAwMzE1MDAzOFowgYIxCzAJBgNVBAYTAlVTMRMwEQYDVQQI +DApDYWxpZm9ybmlhMRYwFAYDVQQHDA1TYW4gRnJhbmNpc2NvMRMwEQYDVQQKDApC +b2d1cyBJbmMuMRMwEQYDVQQLDApPcGVyYXRpb25zMRwwGgYDVQQDDBNrZXlleHAx +LmV4YW1wbGUuY29tMIIBIDANBgkqhkiG9w0BAQEFAAOCAQ0AMIIBCAKCAQEA8T2r +c5AwU18hBM7nUNQ+zJmA/5+aUKLV5fXp1+bHXAru672nAkb2iGfGvzzcQ7tyjNwx ++6hobYy0kj31oCdLkYu69uUhcuLqvJ9P7h1hlKAW7tbH/gbHK+iEvSTUd9xJswU+ +QawEIhODJffJIblNheddyOm74nVVTkNqnXzIM+FMGviWPiLT5XGZcOAEJYb7Knw5 +p+yEw84c0MsQ4+5kIwErYR9L7flNB/iuVImJsydRzSa0Upq3xk0oT0egqBLlbwOq +hy63auLia5+zb/LqB7ttFi391FTC5+NjrAIq/ixE342ZKF/imfOjrojTpBpbr68r +8AdnfvG9LwVP7T4U6QIBAaNTMFEwHQYDVR0OBBYEFDV5S3OuWF5YeUmz7KbCs2Gj +XcN5MB8GA1UdIwQYMBaAFDV5S3OuWF5YeUmz7KbCs2GjXcN5MA8GA1UdEwEB/wQF +MAMBAf8wDQYJKoZIhvcNAQELBQADggEBAAAB//////////////////////////// +//////////////////////////////////////////////////////////////// +//////////////////////////////////////////////////////////////// +//////////////////////////////////////////////////////////////// +/////////////////////////////////////////////////wAwMTANBglghkgB +ZQMEAgEFAAQgZ4pYVDFjo4NdONoeph7DjrZ6xn0jbFn5eJxdB9DmcxI= +-----END CERTIFICATE----- diff --git a/testlint/testCerts/mpExponent10001.pem b/testlint/testCerts/mpExponent10001.pem new file mode 100644 index 000000000..1d39a3e86 --- /dev/null +++ b/testlint/testCerts/mpExponent10001.pem @@ -0,0 +1,24 @@ +-----BEGIN CERTIFICATE----- +MIID7zCCAtegAwIBAgIUM7l05reV18Tni//iw4u5rahrsq0wDQYJKoZIhvcNAQEL +BQAwgYYxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQH +DA1TYW4gRnJhbmNpc2NvMRMwEQYDVQQKDApCb2d1cyBJbmMuMRMwEQYDVQQLDApP +cGVyYXRpb25zMSAwHgYDVQQDDBdrZXlleHAxMDAwMS5leGFtcGxlLmNvbTAeFw0x +OTEwMDQxNTAwNTVaFw0yMTEwMDMxNTAwNTVaMIGGMQswCQYDVQQGEwJVUzETMBEG +A1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzETMBEGA1UE +CgwKQm9ndXMgSW5jLjETMBEGA1UECwwKT3BlcmF0aW9uczEgMB4GA1UEAwwXa2V5 +ZXhwMTAwMDEuZXhhbXBsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK +AoIBAQDTqSO6UjMkvzkxqcwBZT21hYYqfppDi31cYiklFSM+ELgCgfmzfzccdXJ7 ++ZL+3dlObVYwzuTNSAPkbCLVYZ1yHY9mT1/+HRj+8gvThLJnmtNADz3Vfeqg0hlB +GDIyvBgF3Bd43gjtzfPE2kMZ31fi1mxxY6ilsRaGVQkuOuCPbbuvMnRob+Q2UFas +e44WJITfXxkIzSoxjy7k/Adp8nhdGxhPSlx2Z4RMTPykBLoiRmvL5Ym9ERXAHgdf +uIhhpS5Mv3uiRqMnxY8q6v0wb0Ab+3xBrSoosiL2XU9r+EhPkA742L7RdLegcBjJ +deYMoDJFvUjPm+wIRUuitP+FwhthAgMBAAGjUzBRMB0GA1UdDgQWBBR5GAokmCRf +YgEvjOa34V0qcwWqTTAfBgNVHSMEGDAWgBR5GAokmCRfYgEvjOa34V0qcwWqTTAP +BgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQC80/w4wJmNRSOAcNIF +Fw6VtQ9bQ4sHZhhrW1o+DsBB0/TCWYXHjqL4opEzx6neD9vpfLIpIJUsWoFU3iMP +MzWjHnytYO9VJAPWdDcNNz91rty9us7daJUNqrrJFuKSVSm2diSUPjTOO74F72Lz +3HVnn4xpW7MbMptRqL8j0bjEhynI61eLcwM72wOs/dBAcU0/0KCceGv4tf/whVoy +uuHGVXfSgLWqC3UhQnuuCa3sdLCynaHtbudAF5YXnMU34CHYxP14c8kt7aQQdFnQ +ZFg+xc/EdaC27HwFkDIfe87kHoQgzvaTzNWAgtlXrh9YsroKFM5II4Hr+5wJ5aNA +6G9x +-----END CERTIFICATE----- From b6822466448cfbb1bbf76ac1b291bc835f5ae579 Mon Sep 17 00:00:00 2001 From: Fotis Loukos Date: Fri, 4 Oct 2019 18:19:04 +0300 Subject: [PATCH 03/40] Deleted old Mozilla Root Store Policy RSA key lint. --- lints/lint_mp_allowed_rsa_keys.go | 67 -------------------------- lints/lint_mp_allowed_rsa_keys_test.go | 54 --------------------- 2 files changed, 121 deletions(-) delete mode 100644 lints/lint_mp_allowed_rsa_keys.go delete mode 100644 lints/lint_mp_allowed_rsa_keys_test.go diff --git a/lints/lint_mp_allowed_rsa_keys.go b/lints/lint_mp_allowed_rsa_keys.go deleted file mode 100644 index 71f49bcae..000000000 --- a/lints/lint_mp_allowed_rsa_keys.go +++ /dev/null @@ -1,67 +0,0 @@ -/* - * ZLint Copyright 2019 Regents of the University of Michigan - * - * Licensed under the Apache License, Version 2.0 (the "License"); you may not - * use this file except in compliance with the License. You may obtain a copy - * of the License at http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or - * implied. See the License for the specific language governing - * permissions and limitations under the License. - */ - -/******************************************************************** -Section 5.1 - Algorithms -RSA keys whose modulus size in bits is divisible by 8, and is at least 2048. -Section 5.2 - Forbidden and Required Practices -CAs MUST NOT issue certificates that have: -- invalid public keys (e.g., RSA certificates with public exponent equal to 1); -********************************************************************/ - -package lints - -import ( - "crypto/rsa" - - "github.com/zmap/zcrypto/x509" - "github.com/zmap/zlint/util" -) - -type allowedRSAKey struct{} - -func (l *allowedRSAKey) Initialize() error { - return nil -} - -func (l *allowedRSAKey) CheckApplies(c *x509.Certificate) bool { - switch c.SignatureAlgorithm { - case x509.SHA1WithRSA, x509.SHA256WithRSA, x509.SHA384WithRSA, x509.SHA512WithRSA, x509.SHA256WithRSAPSS, x509.SHA384WithRSAPSS, x509.SHA512WithRSAPSS: - return true - } - - return false -} - -func (l *allowedRSAKey) Execute(c *x509.Certificate) *LintResult { - pubKey := c.PublicKey.(*rsa.PublicKey) - bitLen := pubKey.N.BitLen() - - if (bitLen%8) != 0 || bitLen < 2048 || pubKey.E == 1 { - return &LintResult{Status: Error} - } - - return &LintResult{Status: Pass} -} - -func init() { - RegisterLint(&Lint{ - Name: "e_mp_allowed_rsa_keys", - Description: "RSA keys whose modulus size in bits is divisible by 8, is at least 2048 and public exponent is not equal to 1", - Citation: "Mozilla Root Store Policy / Section 5.3", - Source: MozillaRootStorePolicy, - EffectiveDate: util.MozillaPolicy24Date, - Lint: &allowedRSAKey{}, - }) -} diff --git a/lints/lint_mp_allowed_rsa_keys_test.go b/lints/lint_mp_allowed_rsa_keys_test.go deleted file mode 100644 index 9ede8b0e1..000000000 --- a/lints/lint_mp_allowed_rsa_keys_test.go +++ /dev/null @@ -1,54 +0,0 @@ -package lints - -/* - * ZLint Copyright 2018 Regents of the University of Michigan - * - * Licensed under the Apache License, Version 2.0 (the "License"); you may not - * use this file except in compliance with the License. You may obtain a copy - * of the License at http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or - * implied. See the License for the specific language governing - * permissions and limitations under the License. - */ - -import ( - "fmt" - "testing" -) - -func TestSerialEntropyBits(t *testing.T) { - testCases := []struct { - Name string - InputFilename string - ExpectedResult LintStatus - }{ - { - Name: "Certificate with less than 2048 bit rsa key modulus length", - InputFilename: "mpModulus1024.pem", - ExpectedResult: Error, - }, - { - Name: "Certificate with rsa key modulus length not divisible by 8", - InputFilename: "mpModulus4095.pem", - ExpectedResult: Error, - }, - { - Name: "Certificate with rsa key modulus length equal to 2048", - InputFilename: "mpModulus2048.pem", - ExpectedResult: Pass, - }, - } - - for _, tc := range testCases { - t.Run(tc.Name, func(t *testing.T) { - inputPath := fmt.Sprintf("%s%s", testCaseDir, tc.InputFilename) - result := Lints["e_mp_allowed_rsa_keys"].Execute(ReadCertificate(inputPath)) - if result.Status != tc.ExpectedResult { - t.Errorf("expected result %v was %v", tc.ExpectedResult, result.Status) - } - }) - } -} From 31bcd3f76fddfa5e1bc6e23fe7f4528bae1814bd Mon Sep 17 00:00:00 2001 From: Fotis Loukos Date: Fri, 4 Oct 2019 18:19:26 +0300 Subject: [PATCH 04/40] Moved hasEKU() to util package. --- lints/lint_mp_allowed_eku.go | 14 ++------------ util/eku.go | 14 ++++++++++++++ 2 files changed, 16 insertions(+), 12 deletions(-) create mode 100644 util/eku.go diff --git a/lints/lint_mp_allowed_eku.go b/lints/lint_mp_allowed_eku.go index 5f98dceb5..d4f85a8d4 100644 --- a/lints/lint_mp_allowed_eku.go +++ b/lints/lint_mp_allowed_eku.go @@ -33,16 +33,6 @@ import ( "github.com/zmap/zlint/util" ) -func hasEKU(cert *x509.Certificate, eku x509.ExtKeyUsage) bool { - for _, currentEku := range cert.ExtKeyUsage { - if currentEku == eku { - return true - } - } - - return false -} - type allowedEKU struct{} func (l *allowedEKU) Initialize() error { @@ -54,8 +44,8 @@ func (l *allowedEKU) CheckApplies(c *x509.Certificate) bool { } func (l *allowedEKU) Execute(c *x509.Certificate) *LintResult { - if len(c.ExtKeyUsage) == 0 || hasEKU(c, x509.ExtKeyUsageAny) || - (hasEKU(c, x509.ExtKeyUsageEmailProtection) && hasEKU(c, x509.ExtKeyUsageServerAuth)) { + if len(c.ExtKeyUsage) == 0 || util.HasEKU(c, x509.ExtKeyUsageAny) || + (util.HasEKU(c, x509.ExtKeyUsageEmailProtection) && util.HasEKU(c, x509.ExtKeyUsageServerAuth)) { return &LintResult{Status: Error} } diff --git a/util/eku.go b/util/eku.go new file mode 100644 index 000000000..0f690808d --- /dev/null +++ b/util/eku.go @@ -0,0 +1,14 @@ +package util + +import "github.com/zmap/zcrypto/x509" + +// HasEKU tests whether an EKU is present in a certificate. +func HasEKU(cert *x509.Certificate, eku x509.ExtKeyUsage) bool { + for _, currentEku := range cert.ExtKeyUsage { + if currentEku == eku { + return true + } + } + + return false +} From 549b6a9893a7b065ffde936a11e0624d4783e9ca Mon Sep 17 00:00:00 2001 From: Fotis Loukos Date: Mon, 7 Oct 2019 17:37:44 +0300 Subject: [PATCH 05/40] Added fetching Mozilla Trust Store SPKIs. --- .../main.go | 211 ++++++++++++++++++ makefile | 7 +- util/mozilla_trusted_roots.go | 40 ++++ util/mozilla_trusted_roots_data.go | 172 ++++++++++++++ util/mozilla_trusted_roots_test.go | 130 +++++++++++ 5 files changed, 558 insertions(+), 2 deletions(-) create mode 100644 cmd/zlint-mozilla-trusted-roots-update/main.go create mode 100644 util/mozilla_trusted_roots.go create mode 100644 util/mozilla_trusted_roots_data.go create mode 100644 util/mozilla_trusted_roots_test.go diff --git a/cmd/zlint-mozilla-trusted-roots-update/main.go b/cmd/zlint-mozilla-trusted-roots-update/main.go new file mode 100644 index 000000000..b9934a07f --- /dev/null +++ b/cmd/zlint-mozilla-trusted-roots-update/main.go @@ -0,0 +1,211 @@ +/* + * ZLint Copyright 2018 Regents of the University of Michigan + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may not + * use this file except in compliance with the License. You may obtain a copy + * of the License at http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + * implied. See the License for the specific language governing + * permissions and limitations under the License. + */ + +package main + +import ( + "bufio" + "bytes" + "crypto/sha256" + "encoding/hex" + "flag" + "fmt" + "go/format" + "io" + "net" + "net/http" + "os" + "strconv" + "strings" + "text/template" + "time" + + log "github.com/sirupsen/logrus" + "github.com/zmap/zcrypto/x509" +) + +const MOZILLA_CERTDATA = "http://mxr.mozilla.org/mozilla/source/security/nss/lib/ckfw/builtins/certdata.txt?raw=1" + +var ( + // httpClient is a http.Client instance configured with timeouts. + httpClient = &http.Client{ + Transport: &http.Transport{ + Dial: (&net.Dialer{ + Timeout: 15 * time.Second, + KeepAlive: 15 * time.Second, + }).Dial, + TLSHandshakeTimeout: 5 * time.Second, + ResponseHeaderTimeout: 5 * time.Second, + ExpectContinueTimeout: 1 * time.Second, + }, + } + // mozillaTrustedRootsTemplate is a template that produces a Golang source + // code file in the "util" package containing a single member variable, + // a slice of strings containing the hex encoded SPKIs of all roots + // trusted by Mozilla. + mozillaTrustedRootsTemplate = template.Must(template.New( + "mozillaTrustedRootsTemplate").Parse( + `// Code generated by go generate; DO NOT EDIT. +// This file was generated by zlint-mozilla-trusted-roots-update. + +/* + * ZLint Copyright 2018 Regents of the University of Michigan + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may not + * use this file except in compliance with the License. You may obtain a copy + * of the License at http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + * implied. See the License for the specific language governing + * permissions and limitations under the License. + */ + +package util + +var mozillaTrustedSPKIs = []string{ +{{- range . }} + "{{ . }}", +{{- end }} +} +`)) +) + +func getMozillaTrustedCerts() ([]*x509.Certificate, error) { + resp, err := httpClient.Get(MOZILLA_CERTDATA) + if err != nil { + return nil, fmt.Errorf("unable to fetch data from %q : %s", + MOZILLA_CERTDATA, err) + } + defer resp.Body.Close() + + if resp.StatusCode != http.StatusOK { + return nil, fmt.Errorf("unexpected status code fetching data "+ + "from %q : expected status %d got %d", + MOZILLA_CERTDATA, http.StatusOK, resp.StatusCode) + } + + var trustedCertificates []*x509.Certificate + scanner := bufio.NewScanner(resp.Body) + for scanner.Scan() { + line := scanner.Text() + line = strings.ReplaceAll(line, "\r\n", "") + if line == "CKA_VALUE MULTILINE_OCTAL" { + var certdata []byte + + for scanner.Scan() { + line = scanner.Text() + line = strings.ReplaceAll(line, "\r\n", "") + + if line == "END" { + break + } + + bs := strings.Split(line, "\\") + for _, b := range bs { + if b == "" { + continue + } + i, err := strconv.ParseInt(b, 8, 0) + if err != nil { + return nil, fmt.Errorf( + "unexpected octal character : %s", err) + } + certdata = append(certdata, byte(i)) + } + } + + cert, err := x509.ParseCertificate(certdata) + if err != nil { + return nil, fmt.Errorf("unable to parse certificate : %s", err) + } + + trustedCertificates = append(trustedCertificates, cert) + } + } + + return trustedCertificates, nil +} + +func renderMozillaTrustedSPKIs(writer io.Writer) error { + trustedCerts, err := getMozillaTrustedCerts() + if err != nil { + return err + } + + var trustedSPKIs []string + for _, c := range trustedCerts { + spki := sha256.Sum256(c.RawSubjectPublicKeyInfo) + trustedSPKIs = append(trustedSPKIs, hex.EncodeToString(spki[:])) + } + + var buf bytes.Buffer + if err := mozillaTrustedRootsTemplate.Execute(&buf, trustedSPKIs); err != nil { + return err + } + + // format the buffer so it won't trip up the `gofmt_test.go` checks + formatted, err := format.Source(buf.Bytes()) + if err != nil { + return err + } + + // Write the formatted buffer to the writer + _, err = writer.Write(formatted) + if err != nil { + return err + } + return nil +} + +// init sets up command line flags +func init() { + flag.Usage = func() { + fmt.Fprintf(os.Stderr, "Usage: %s [flags]\n", os.Args[0]) + flag.PrintDefaults() + } + flag.Parse() + log.SetLevel(log.InfoLevel) +} + +// main handles rendering the mozilla trusted SPKIs to either standard out +// (when no argument is provided) or to the provided filename. If an error +// occurs it is printed to standard err and the program terminates with a +// non-zero exit status. +func main() { + errQuit := func(err error) { + fmt.Fprintf(os.Stderr, "error updating mozilla trusted SPKIs: %s\n", err) + os.Exit(1) + } + + // Default to writing to standard out + writer := os.Stdout + if flag.NArg() > 0 { + // If a filename is specified as a command line flag then open it (creating + // if needed), truncate the existing contents, and use the file as the + // writer instead of standard out + filename := flag.Args()[0] + f, err := os.OpenFile(filename, os.O_CREATE|os.O_TRUNC|os.O_WRONLY, 0664) + if err != nil { + errQuit(err) + } + defer f.Close() + writer = f + } + + if err := renderMozillaTrustedSPKIs(writer); err != nil { + errQuit(err) + } +} diff --git a/makefile b/makefile index 2e72b5793..a70c6e7c0 100644 --- a/makefile +++ b/makefile @@ -4,7 +4,7 @@ PARALLELISM := 5 # Additional integration test flags (e.g. -force, -summary, -outputTick) INT_FLAGS := -CMDS = zlint zlint-gtld-update +CMDS = zlint zlint-gtld-update zlint-mozilla-trusted-roots-update CMD_PREFIX = ./cmd/ GO_ENV = GO111MODULE="on" GOFLAGS="-mod=vendor" BUILD = $(GO_ENV) go build @@ -19,6 +19,9 @@ zlint: zlint-gtld-update: $(BUILD) $(CMD_PREFIX)$(@) +zlint-mozilla-trusted-roots-update: + $(BUILD) $(CMD_PREFIX)$(@) + clean: rm -f $(CMDS) @@ -31,4 +34,4 @@ integration: format-check: diff <(find . -name '*.go' -not -path './vendor/*' -print | xargs -n1 gofmt -l) <(printf "") -.PHONY: clean zlint zlint-gtld-update test integration format-check +.PHONY: clean zlint zlint-gtld-update zlint-mozilla-trusted-roots-update test integration format-check diff --git a/util/mozilla_trusted_roots.go b/util/mozilla_trusted_roots.go new file mode 100644 index 000000000..641be1d42 --- /dev/null +++ b/util/mozilla_trusted_roots.go @@ -0,0 +1,40 @@ +/* + * ZLint Copyright 2018 Regents of the University of Michigan + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may not + * use this file except in compliance with the License. You may obtain a copy + * of the License at http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + * implied. See the License for the specific language governing + * permissions and limitations under the License. + */ + +package util + +import ( + "crypto/sha256" + "encoding/hex" + + "github.com/zmap/zcrypto/x509" +) + +// This package uses the `zlint-mozilla-trusted-roots-update` command to +// generate a `mozillaTrustedSPKIs` slice. +//go:generate zlint-mozilla-trusted-roots-update ./mozilla_trusted_roots_data.go + +// IsSPKIMozillaTrusted checks whether the SPKI of a certificate is trusted +// by Mozilla. +func IsSPKIMozillaTrusted(cert *x509.Certificate) bool { + spki := sha256.Sum256(cert.RawSubjectPublicKeyInfo) + encSPKI := hex.EncodeToString(spki[:]) + for _, s := range mozillaTrustedSPKIs { + if s == encSPKI { + return true + } + } + + return false +} diff --git a/util/mozilla_trusted_roots_data.go b/util/mozilla_trusted_roots_data.go new file mode 100644 index 000000000..5c2c1712e --- /dev/null +++ b/util/mozilla_trusted_roots_data.go @@ -0,0 +1,172 @@ +// Code generated by go generate; DO NOT EDIT. +// This file was generated by zlint-mozilla-trusted-roots-update. + +/* + * ZLint Copyright 2018 Regents of the University of Michigan + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may not + * use this file except in compliance with the License. You may obtain a copy + * of the License at http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + * implied. See the License for the specific language governing + * permissions and limitations under the License. + */ + +package util + +var mozillaTrustedSPKIs = []string{ + "2bcee858158cf5465fc9d76f0dfa312fef25a4dca8501da9b46b67d1fbfa1b64", + "8a27b5557b4bec7cc0305fbf3d53d1f71cd3f34910c5d65e27ecddb82077ba3d", + "22076e5aef44bb9a416a28b7d1c44322d7059f60feffa5caf6c5be8447891303", + "7006a38311e58fb193484233218210c66125a0e4a826aed539ac561dfbfbd903", + "495a96ba6bad782407bd521a00bace657bb355555e4bb7f8146c71bba57e7ace", + "1ea3c5e43ed66c2da2983a42a4a79b1e906786ce9f1b58621419a00463a87d38", + "63d9af9b47b1064d49a10e7b7fd566dbc8caa399459bfc2829c571ad8c6ef34a", + "052b687107ec84e8730382452ec2a27451745d7485a57d6f464e0da7a1b6af2a", + "942a6916a6e4ae527711c5450247a2a74fb8e156a8254ca66e739a11493bb445", + "6dbfae00d37b9cd73f8fb47de65917af00e0dddf42dbceac20c17c0275ee2095", + "87af34d66fb3f2fdf36e09111e9aba2f6f44b207f3863f3d0b54b25023909aa5", + "9699225c5de52e56cdd32df2e96d1cfea5aa3ca0bb52cd8933c23b5c27443820", + "7caa03465124590c601e567e52148e952c0cffe89000530fe0d95b6d50eaae41", + "9736ac3b25d16c45a45418a964578156480a8cc434541ddc5dd59233229868de", + "bd153ed7b0434f6886b17bce8bbe84ed340c7132d702a8f4fa318f756ecbd6f3", + "be3db7b79bfe579dcf9b07ca4cad75aff16975568e5b45cfcae4d61fb63175a8", + "8fd112c3c8370f147d5ccd3a7d865eb8dd540783bac69fc60088e3743ff33378", + "0c7acaa710226720bbc940349ee2e6148652a89dbf406a232c895f6dc78ebb9a", + "2a4212605aa3e8aecb0fc19806cf3b40b53b95f1a34dbbd6e3ed27230324abb3", + "d2a5f32f0e01b910ef4e3b46bf84e5af5fb5689e7d1507e929e368ac88c6cc76", + "8a2affbd1a1c5d1bdccbb7f548ba995f966806b3fd0c3a00fae2e52f3c853989", + "4eada9b5311e718199d98ea82b95005cba93198ab1f97efcbe8dc6201628f8af", + "051cf9fa95e40e9b83edaeda6961f6168c7879c4660172479cdd51ab03cea62b", + "5632d97bfa775bf3c99ddea52fc2553410864016729c52dd6524c8a9c3b4489f", + "15f14ac45c9c7da233d3479164e8137fe35ee0f38ae858183f08410ea82ac4b4", + "a81293445db196a2030f9e455fe3c74a9a4f8317b02b01406027a8708174434c", + "23f2edff3ede90259a9e30f40af8f912a5e5b3694e6938440341f6060e014ffa", + "aff988906dde12955d9bebbf928fdcc31cce328d5b9384f21c8941ca26e20391", + "5a889647220e54d6bd8a16817224520bb5c78e58984bd570506388b9de0f075f", + "563b3caf8cfef34c2335caf560a7a95906e8488462eb75ac59784830df9e5b2b", + "2a8bed32ae680d2d187b9a7afd171d83fd0b935eaf9e2c1b43e80278d2063e39", + "40fcfc28875dccbfebcbdf6cd7433312da63c4efcf3bd7b1b505c22020ae0274", + "9318226f8c83afe47f5f47c24f59ce12dba8c73b181bee6b2ea1f40a06bc1869", + "4905466623ab4178be92ac5cbd6584f7a1e17f27652d5a85af89504ea239aaaa", + "1d75d0831b9e0885394d32c7a1bfdb3dbc1c28e2b0e8391fb135981dbc5ba936", + "25b41b506e4930952823a6eb9f1d31def645ea38a5c6c6a96d71957e384df058", + "77290717614b25f12964ebdb38b5f83caadc0f6c36b0777f880fc6dee1d339cc", + "2596904dc4d699ae20c2cef4dce47f285937d77464ac370746f52dea76ba0c28", + "006d7be7555dd82026442c4f1a27a80e89a1989cb87b34448ed2194c18196d5e", + "32d180ed31c935589ec9dbbb722123b883b5fc2dc10f9fca3a95d77e1bfcb534", + "e7ca91bbfbb18788057b3a8070446ea5291160194102f7dcc3b9848c63cb9cd5", + "ce24eb0626defd8168c96a7701f09301600fe5dd0dbce58e9c97b830af02ef28", + "510d20e5c47f63cf666b20f61af62bc099a42ac824ffa443a2da7c90b1808a91", + "7e8782c150ce3952f802e636023a5d3e95bb5d68e33e85adb2ba178125cebf15", + "62554c17005543b237215f04268dcd2fd1c470240ad3c8660e25ae2c59630f55", + "dbc1e3a15238a0483bcdb8fdec616e03e705a48e2a501157cadf3b9c7311c5e5", + "ab98495276adf1ecaff28f35c53048781e5c1718dab9c8e67a504f4f6a51328f", + "67dc4f32fa10e7d01a79a073aa0c9e0212ec2ffc3d779e0aa7f9c0f0e1c2c893", + "1906c6124dbb438578d00e066d5054c6c37f0fa6028c05545e0994eddaec8629", + "bcfb44aab9ad021015706b4121ea761c81c9e88967590f6f94ae744dc88b78fb", + "967b0cd93fcef7f27ce2c245767ae9b05a776b0649f9965b6290968469686872", + "5192438ec369d7ee0ce71f5c6db75f941efbf72e58441715e99eab04c2c8acee", + "f48badd7df6a06690d0ae31373b12855f8dedb14517f362a313101cc98cc6b35", + "05e77ef1fdfe05e2dca522cae64d8379a041b7b4f16c7cae36067a7f72a14872", + "36c22314131a5fbf1b70ea4ccf4bc13a777d938ec65e1da24e3c2cfd01d3d163", + "bb4128ec9620f2d2a49ce8e2c4e257aebad93a0f11c56b5fa4b00e23759fa39d", + "616167201433aea6c8e5e3070afcaf6749188f814bd1abb179ae8dad3abf26ec", + "706bb1017c855c59169bad5c1781cf597f12d2cad2f63d1a4aa37493800ffb80", + "3b0d73b4be4a854adc3e51d7ef9fa48aefbb2cdd824d67bdc7d7d09a2abc2d43", + "952c2039c0243eb515dd73d83fc3643184874feb0862a9837731ed9b4742e17a", + "ced43902ab5fb57b442322dc0e172a4fb55f7178b808f94e780a6fd6cc6bd818", + "927a1b8562280576d048c50321ada43d8703d2d9521a18c28b8c46cc6aae4efd", + "2a8f2d8af0eb123898f74c866ac3fa669054e23c17bc7a95bd0234192dc635d0", + "808d68b3fab4884a5f971ace7d10550d7a95a163774f3ec36afffb213fbe4c74", + "2b071c59a0a0ae76b0eadb2bad23bad4580b69c3601b630c2eaf0613afa83f92", + "6c464b9a5b233a5e874da765c26f045010d2ddcff45794f0b4c7e4aafa501495", + "94072ad3f58f70f93098e5a5f6c04c96c710bd849d83184919ae90eb890ae400", + "c7f43b4cf5b71568294f822b53762605f6ddd15cadece739e9e2c3cba61e9d67", + "3219b09114ff495a3eb6eb00c2efeab34002ae5f0a56c7679ea087a3fa037e4f", + "aa2630a7b617b04d0a294bab7a8caaa5016e6dbe604837a83a85719fab667eb5", + "92c46879626ef2cc1ecea50c72fb5e385844095f21cbf3b283cb82e6b9fc6a58", + "a903af8c07bb91b0d9e3f3a30c6d53339fc5bd47e5d6bdb476598860c068a024", + "7e7058ea35ad4359654159973f560187f16d19c514b939c5055672d1d2a518ac", + "3380709af3b096be3cc2a40548142c0a520028db09e2cb77ae2206616ab6cbb4", + "b21d2a743318712ba16f39919d961a4bafba3bca9a43a75b1fcfe22c5d70caba", + "1a7a3a1a68dd2361e3f3bb855f3b26fcd88b197d8dd4de06cf1b362ac89ec13b", + "25d4913cf587097414d29d26f6c1b1942cd6d64eaf45d0fcf81526adba96d324", + "a87443b3d896eb257ccce99b95ada9bc81b9db4e3142aa9a99af0942cb0a4a3a", + "5955ae291574a931342cf7450e16652ede1e0fb3097e1571dfac11c915601564", + "b03d87b056d08cc9d4e675ef19ca83ab53532168a8258598be72e6d85c7dd7c1", + "8d767764b3cbda08929d072a22a561f4dcdd1bc57d3cbddc948c47d2b47f9122", + "56174d3ad971a8944964b189811f3008493a6a90422e3c5804ec838d4f94f622", + "eca0f181402ce7a8652b31b4d036df247e3a30b7f41a50d91ec4f90b006b43a1", + "ff342fb6c4c8bd30a4706f73489539f19e6e48cc05f46254654f6610dbc540e9", + "702116ccd8bf23e16466f0e0dba0ed6a239a9c1cd6a8f5a66b39af3595020385", + "05570ae6eb0fceb4210e6db79486b7094caf200401e149b6677441b5f25e449b", + "c444b5b66ce5d71e1b5e40f27385c95cbfd24a05b56f70cac0992f0f50c3379c", + "10ba3485ca8bb6880ab9531a4063e4001555561c7f2e055165f49b2d74fc5f6b", + "c1ad1b1898ec395048df070bfa217e25c913bed8ca6b73de085528846a0103c1", + "6106c0e3a0a299831875127bd7d3cc1859803d511cac11eb6e0840dd166fc10e", + "e5ca37bc7b6c361979bc6b123ca9a1db019046d7ff5f57dfb854b19d10b0682f", + "86a68f050034126a540d39db2c5f917ef66a94fb9619fa1ecd827cea46ba0cb0", + "4a49edbd2f8f8230bd5592b313573fe1c172a45fa98011cc1eddbb36ade3fce5", + "f3438e23b3ce532522facf307923f58fd18608e9ba7addc30e952b43c49616c3", + "f1c6ba670cfc88e4df52973cae420f0a089dd474144fe5806c420064e1591229", + "15eed339594b304f8cf847b477371d8d6fec61f4db2b01af589e7c53b35cae4c", + "8bb593a93be1d0e8a822bb887c547890c3e706aad2dab76254f97fb36b82fc26", + "b94c198300cec5c057ad0727b70bbe91816992256439a7b32f4598119dda9c97", + "59df317bfa9f4f0ab7ca514d7772296aa2c765b87664d08b96e57399e364729c", + "82b5f84daf47a59c7ab521e4982aefa40a53406a3aec26039efa6b2e0e7244c1", + "c784333d20bcd742b9fdc3236f4e509b8937070e73067e254dd3bf9c45bf4dde", + "2021917e98263945c859c43f1d73cb4139053c414fa03ca3bc7ee88614298f3b", + "08b3a6335fce5ef48f8f0e543986c07fd18a3b1226129f61864bbd5bdd1f1cc9", + "7e0ead76bb6819dc2f54511a84354f6e8b307b9dd82058ea6c004f01d9dda5df", + "4223894003a881c5df6bab163db235c221a18d54bf759945820e670da82e3f39", + "951ee046fa83316e6786c08c44f13b4ca2ead2d2644d63314391c0cc70887d0d", + "07e854f26a7cbd389927aa041bfef1b6cd21dd143818ad947dc655a9e587fe88", + "58dd61feb36ea7d258724371709149cb121337864cacb2d0999ad20739d06477", + "76ee8590374c715437bbca6bba6028eadde2dc6dbbb8c3f610e851f11d1ab7f5", + "fea2b7d645fba73d753c1ec9a7870c40e1f7b0c561e927b985bf711866e36f22", + "dd5ed1c090f9f448061baa94a6bb11017544e9eefaa20cc714ce6c633f5dc629", + "149f2ee63b9a5e5803240a770dc991fc2e3445e62831c245a49bc4f1f738ff9c", + "6e364b6133deefdcbb21273c5f445a20afbc05038d5b021c0c2153039016345b", + "6b3b57e9ec88d1bb3d01637ff33c7698b3c9758255e9f01ea9178f3e7f3b2b52", + "50cc86ba96db3263c79a43ead07553d9f56659e6907e72d8c026637a1cdc85dc", + "bb52086d0639e8db332775ac8f4e8435d92ceb00f4e24f28fc0eabe240772e80", + "0b9fa5a59eed715c26c1020c711b4f6ec42d58b0015e14337a39dad301c5afc3", + "2fc5667a4b9a2678ed6ac6ad25465fcbf6094bfcd9504097c7a8fa47ade5e888", + "fbe3018031f9586bcbf41727e417b7d1c45c2f47f93be372a17b96b50757d5a2", + "7f4296fc5b6a4e3b35d3c369623e364ab1af381d8fa7121533c9d6c633ea2461", + "36abc32656acfc645c61b71613c4bf21c787f5cabbee48348d58597803d7abc9", + "f7ecded5c66047d28ed6466b543c40e0743abe81d109254dcf845d4c2c7853c5", + "b738290cc08547e79ac67f831ebb33547c4e7db4514e2d2988c23c441340eb41", + "d2f91a04e3a61d4ead7848c8d43b5e1152d885727489bc65738b67c0a22785a7", + "af207c61fd9c7cf92c2afe8154282dc3f2cbf32f75cd172814c52b03b7ebc258", + "31512680233f5f2a1f29437f56d4988cf0afc41cc6c5da6275928e9c0beade27", + "3027a298fa57314dc0e3dd1019411b8f404c43c3f934ce3bdf856512c80aa15c", + "d49c6f289cd056519492480f192f00a6fc7c1862dab2e7b5d8e05f6678fae141", + "55e00be277ceb0545299f24fd9f877e2acf32852db43ffcd29bca74b39b4c9fa", + "ceb19411c65052c757f941eb826c96941e4d08d096c7db7e7ea3c4f8c13f1a13", + "ea87f462deefffbd7775aa2a4b7e0fcb91c22eee6df69ed90100ccc73b311476", + "c63d68c648a18b77641c427a669d61c9768a55f4fcd0322eac96c57700299cf1", + "7afe4b071a2f1f46f8ba944a26d584d5960b92fb48c3ba1b7cab84905f32aacd", + "d1c45377ebdcd618cd1651dc2e02c21d751e5aa9fcd1b3431ff6ecf6a31348fa", + "a320f4d534d7be97c1ae8dd0499735bc895c323add2d388bfccf662c23d7f99a", + "7cd67c248f69d83fc2f9bb01dcb1f7ad67a363d046043796d0984c3a231f6bb0", + "348767cdad3bdd28b2b8dd5351aec30c68cec5cd69d276df3827dbc4f5806464", + "682747f8ba621b87cdd3bc295ed5cabce722a1c0c0363d1d68b38928d2787f1e", + "fd371bea9755ff60c8828c849b8e5215de532d61b009855fa0ad630d90eef82e", + "871a9194f4eed5b312ff40c84c1d524aed2f778bbff25f138cf81f680a7adc67", + "55f77de41c03792428f8d518c55104225be43a5598d926a528ad653e1ccec7bf", + "4179edd981ef747477b49626408af43daa2ca7ab7f9e082c1060f84096774348", + "9847e5653e5e9e847516e5cb818606aa7544a19be67fd7366d506988e8d84347", + "1255cabe8152fa64df942f7a47417e29f96c1ce11bf8c84ecbe2815cc1280810", + "5c41a73ab2c35dfcd771f6fd6e3e8fac9b469d386cadda56a95b646eb48cca34", + "8e8046ec4cac015a507ce0d2d0154a4b40e8e42b3165cfa546571435112d17e5", + "376a1a7082a593dccc20d561d119e9ab8d30f11cc321d0a37fa41f0df284e01c", + "8d417db2dd8bf5e3084d1e3f196d583849d81bdd4c00c70b9d39369e96b8c782", + "b7408b4d2be0238ba37004dd34e276c6019bd2f24c9db7d4980f5f6c359a4bcc", + "eabc185c4e82d942b1a5978ba3c0181487d6b3b9974e5c49f72f6d0bd9637150", + "2541e53ba5b3b07acbe7097ac4a03e040c11cf7a6d4a67cb213d558b50167a06", +} diff --git a/util/mozilla_trusted_roots_test.go b/util/mozilla_trusted_roots_test.go new file mode 100644 index 000000000..476310422 --- /dev/null +++ b/util/mozilla_trusted_roots_test.go @@ -0,0 +1,130 @@ +/* + * ZLint Copyright 2018 Regents of the University of Michigan + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may not + * use this file except in compliance with the License. You may obtain a copy + * of the License at http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + * implied. See the License for the specific language governing + * permissions and limitations under the License. + */ + +package util + +import ( + "encoding/pem" + "fmt" + "testing" + + "github.com/zmap/zcrypto/x509" +) + +var testCertificates = []string{ + `-----BEGIN CERTIFICATE----- +MIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAw +TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh +cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTUwNjA0MTEwNDM4 +WhcNMzUwNjA0MTEwNDM4WjBPMQswCQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJu +ZXQgU2VjdXJpdHkgUmVzZWFyY2ggR3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBY +MTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK3oJHP0FDfzm54rVygc +h77ct984kIxuPOZXoHj3dcKi/vVqbvYATyjb3miGbESTtrFj/RQSa78f0uoxmyF+ +0TM8ukj13Xnfs7j/EvEhmkvBioZxaUpmZmyPfjxwv60pIgbz5MDmgK7iS4+3mX6U +A5/TR5d8mUgjU+g4rk8Kb4Mu0UlXjIB0ttov0DiNewNwIRt18jA8+o+u3dpjq+sW +T8KOEUt+zwvo/7V3LvSye0rgTBIlDHCNAymg4VMk7BPZ7hm/ELNKjD+Jo2FR3qyH +B5T0Y3HsLuJvW5iB4YlcNHlsdu87kGJ55tukmi8mxdAQ4Q7e2RCOFvu396j3x+UC +B5iPNgiV5+I3lg02dZ77DnKxHZu8A/lJBdiB3QW0KtZB6awBdpUKD9jf1b0SHzUv +KBds0pjBqAlkd25HN7rOrFleaJ1/ctaJxQZBKT5ZPt0m9STJEadao0xAH0ahmbWn +OlFuhjuefXKnEgV4We0+UXgVCwOPjdAvBbI+e0ocS3MFEvzG6uBQE3xDk3SzynTn +jh8BCNAw1FtxNrQHusEwMFxIt4I7mKZ9YIqioymCzLq9gwQbooMDQaHWBfEbwrbw +qHyGO0aoSCqI3Haadr8faqU9GY/rOPNk3sgrDQoo//fb4hVC1CLQJ13hef4Y53CI +rU7m2Ys6xt0nUW7/vGT1M0NPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNV +HRMBAf8EBTADAQH/MB0GA1UdDgQWBBR5tFnme7bl5AFzgAiIyBpY9umbbjANBgkq +hkiG9w0BAQsFAAOCAgEAVR9YqbyyqFDQDLHYGmkgJykIrGF1XIpu+ILlaS/V9lZL +ubhzEFnTIZd+50xx+7LSYK05qAvqFyFWhfFQDlnrzuBZ6brJFe+GnY+EgPbk6ZGQ +3BebYhtF8GaV0nxvwuo77x/Py9auJ/GpsMiu/X1+mvoiBOv/2X/qkSsisRcOj/KK +NFtY2PwByVS5uCbMiogziUwthDyC3+6WVwW6LLv3xLfHTjuCvjHIInNzktHCgKQ5 +ORAzI4JMPJ+GslWYHb4phowim57iaztXOoJwTdwJx4nLCgdNbOhdjsnvzqvHu7Ur +TkXWStAmzOVyyghqpZXjFaH3pO3JLF+l+/+sKAIuvtd7u+Nxe5AW0wdeRlN8NwdC +jNPElpzVmbUq4JUagEiuTDkHzsxHpFKVK7q4+63SM1N95R1NbdWhscdCb+ZAJzVc +oyi3B43njTOQ5yOf+1CceWxG1bQVs5ZufpsMljq4Ui0/1lvh+wjChP4kqKOJ2qxq +4RgqsahDYVvTH9w7jXbyLeiNdd8XM2w9U/t7y0Ff/9yi0GE44Za4rF2LN9d11TPA +mRGunUHBcnWEvgJBQl9nJEiU0Zsnvgc/ubhPgXRR4Xq37Z0j4r7g1SgEEzwxA57d +emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc= +-----END CERTIFICATE-----`, + `-----BEGIN CERTIFICATE----- +MIIF7DCCA9SgAwIBAgIBATANBgkqhkiG9w0BAQsFADCBhjELMAkGA1UEBhMCVVMx +EzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xEzAR +BgNVBAoMCkJvZ3VzIEluYy4xEzARBgNVBAsMCk9wZXJhdGlvbnMxIDAeBgNVBAMM +F1psaW50IFVudHJ1c3RlZCBSb290IENBMB4XDTE5MTAwNjEwMjk0NFoXDTI5MTAw +NTEwMjk0NFowgYYxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYw +FAYDVQQHDA1TYW4gRnJhbmNpc2NvMRMwEQYDVQQKDApCb2d1cyBJbmMuMRMwEQYD +VQQLDApPcGVyYXRpb25zMSAwHgYDVQQDDBdabGludCBVbnRydXN0ZWQgUm9vdCBD +QTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAL8ZZwrK4M0GObP7q9gS +by+h2klwZaShOYaYpYUjbFv9nyrjZXUrEJvUFOhBOmjegtyYcL3rFkcRa4zUIXez +W+myfyThWM94SUAqiFS/hJ74y671+r5zd2T2dBwe04kQn52+q4qEXovkQGD5adT3 +CFVq9o8wc249h4Warz+yg9GcDGU+eOKFLOEDo64bU2UCggIGyVeL1dSviSuUhiG6 +IkoFCF1oURo3IqM6/zg9RDvYeBk0/qU4hXcLtqIZ4KX/RP1XVMSEzKcFWjo/jsyM +NFe1BtCFWQn66shHemJ4s6pzaUqdHeIk7hhHtgRWf12msCclGu3cTnTgK4n900Vf +vm+M81rtWMYggE5hEBqIdjhROYr2APmZ4Z0SVyqk1t45C5V5C6YKnXLJoQz94zSq +kfRM05245nr0xW9Vcs/pph5GoJ/tUoryJzxK4iKSvMWLc23tanDYhpiEkyIAUdCw +Qa+8X6dQ6ysk3E6p7jdhRn84Odl3vi8w8ntSqP4g2u9fIkkig39+LAiboeNCbAAD +3N7ZiarOsHobW/hl6ZpG3sPlW+bLVtrovWSIgH8hOAq75BhQjm+u8QqdgoyRBBfN +kUeqrWLK8vDr3H8yxMk9Le5gTHzHEwSFvH5jNcTgQg+GNceVRLCU+O2rz5Nnw1Pv +/RrddDvpZx6M/KmLrUwh+vzHAgMBAAGjYzBhMA4GA1UdDwEB/wQEAwIBBjAPBgNV +HRMBAf8EBTADAQH/MB0GA1UdDgQWBBRHSwHooW/FhypVIUYyddqdIL63VjAfBgNV +HSMEGDAWgBRHSwHooW/FhypVIUYyddqdIL63VjANBgkqhkiG9w0BAQsFAAOCAgEA +k9KYQ6yScTieoxMiQ8pe+ntygSb4HJx8rKGzOucY05UUkjaWSk1jiRY9dpp5qQak +ujsWY3I7/VWVSX1sc9U6eY7KcfhVyg7lyoxJeSBtQ8QhPoZuFnejxQ+dY4quOKHs +lSubs3dsLgj0I4G7OOMg+7EVvX/81lo0MTeuFgnDFNW8DxIGFXF48ceISAzMkoA+ +QG5tJwPPJx4zNaEXiWuC00S20JDD/w2iJ945uBIGCL6nnOlrrUGRCzIgpS+augvj +/2Lc2DS5vvOgMdbaQO+Jo+XTMPxwStAD54fvwzwoCU6MDcpyLFChgh3wtPm7RB6J +zvRTOec4gEx85L8dBFE52crpoCTEvzCpE0w86YLy0nYF+ccZB8BTvQ4sqRZL44r/ +SLvzaHl5bXnG77IEl4XLoe1oESgAuNqpuU9UkyLG9NnHdNVghBpnHo48OHhUUMKJ +RpVMY1GUCRFaUpX0SBkVp9T1sw060sh7XrNx+08xz34Ls93Q/dQPnVlxEYSayhsJ +9uPldQ8v0CjSkaqaFQ+aSHH7Kas0BtIRs/hQVcTXBkGxFbN0mqBYqCIWIQkyUEym +XzQHsEV8qYwwJwnV9JJYebapPSUBbIKaYruR76mK1Z7qzrTth6MxgWbHgXGdvcEo +2EEMCUl+Pbr3dd75Q/EYDJU5WMJzbnKSLaIuA4zMa/M= +-----END CERTIFICATE-----`, +} + +func TestTrustedRoots(t *testing.T) { + testCases := []struct { + Name string + Certificate string + ExpectedResult bool + }{ + { + Name: "Test trusted certificate", + Certificate: testCertificates[0], + ExpectedResult: true, + }, + { + Name: "Test untrusted certificate", + Certificate: testCertificates[1], + ExpectedResult: false, + }, + } + + for _, tc := range testCases { + t.Run(tc.Name, func(t *testing.T) { + fmt.Println(tc.Certificate) + block, _ := pem.Decode([]byte(tc.Certificate)) + if block == nil { + t.Error("cannot decode test certificate") + return + } + cert, err := x509.ParseCertificate(block.Bytes) + if err != nil { + t.Error("cannot parse test certificate") + return + } + result := IsSPKIMozillaTrusted(cert) + if result != tc.ExpectedResult { + t.Errorf("expected result %v was %v", tc.ExpectedResult, result) + } + }) + } +} From 076268ed6bb041ff79655c2d1740d42b556479c9 Mon Sep 17 00:00:00 2001 From: Fotis Loukos Date: Mon, 7 Oct 2019 17:38:12 +0300 Subject: [PATCH 06/40] Added cross-cert detection for MP EKU lint. --- lints/lint_mp_allowed_eku.go | 2 +- lints/lint_mp_allowed_eku_test.go | 5 +++++ testlint/testCerts/mpCrossCertNoEKU.pem | 30 +++++++++++++++++++++++++ 3 files changed, 36 insertions(+), 1 deletion(-) create mode 100644 testlint/testCerts/mpCrossCertNoEKU.pem diff --git a/lints/lint_mp_allowed_eku.go b/lints/lint_mp_allowed_eku.go index d4f85a8d4..e101068ce 100644 --- a/lints/lint_mp_allowed_eku.go +++ b/lints/lint_mp_allowed_eku.go @@ -40,7 +40,7 @@ func (l *allowedEKU) Initialize() error { } func (l *allowedEKU) CheckApplies(c *x509.Certificate) bool { - return util.IsSubCA(c) + return util.IsSubCA(c) && !util.IsSPKIMozillaTrusted(c) } func (l *allowedEKU) Execute(c *x509.Certificate) *LintResult { diff --git a/lints/lint_mp_allowed_eku_test.go b/lints/lint_mp_allowed_eku_test.go index 1e4b3b4e6..64c53cad5 100644 --- a/lints/lint_mp_allowed_eku_test.go +++ b/lints/lint_mp_allowed_eku_test.go @@ -45,6 +45,11 @@ func TestAllowedEKUs(t *testing.T) { InputFilename: "mpSubCAEKUAllowed.pem", ExpectedResult: Pass, }, + { + Name: "Cross-Certificate with no EKU", + InputFilename: "mpCrossCertNoEKU.pem", + ExpectedResult: NA, + }, } for _, tc := range testCases { diff --git a/testlint/testCerts/mpCrossCertNoEKU.pem b/testlint/testCerts/mpCrossCertNoEKU.pem new file mode 100644 index 000000000..3adb05176 --- /dev/null +++ b/testlint/testCerts/mpCrossCertNoEKU.pem @@ -0,0 +1,30 @@ +-----BEGIN CERTIFICATE----- +MIIFFTCCAv2gAwIBAgIIf6MrKLHJq2wwDQYJKoZIhvcNAQELBQAwgYIxCzAJBgNV +BAYTAlVTMQ4wDAYDVQQIDAVUZXhhczEQMA4GA1UEBwwHSG91c3RvbjEYMBYGA1UE +CgwPU1NMIENvcnBvcmF0aW9uMTcwNQYDVQQDDC5TU0wuY29tIEVWIFJvb3QgQ2Vy +dGlmaWNhdGlvbiBBdXRob3JpdHkgUlNBIFIyMB4XDTE5MDIxNDE4MDg1OFoXDTI3 +MDIxMjE4MDg1OFowfzELMAkGA1UEBhMCVVMxDjAMBgNVBAgMBVRleGFzMRAwDgYD +VQQHDAdIb3VzdG9uMRgwFgYDVQQKDA9TU0wgQ29ycG9yYXRpb24xNDAyBgNVBAMM +K1NTTC5jb20gRVYgUm9vdCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSBFQ0MwdjAQ +BgcqhkjOPQIBBgUrgQQAIgNiAASqEkeQmBv778NAB4MgTvEwgqIG0fKShmHy9iFo +ygDEx+pDAFSG3P0f3wC4QWJc3HAWMt4fmdTMxQfICB9hFgdRPX1cB1PjNTiM382f +2S4NSrYZLlpwWgbtvvChsMrQCSmjggE9MIIBOTAPBgNVHRMBAf8EBTADAQH/MB8G +A1UdIwQYMBaAFPlgu9Tj1TT2uPUGgCWnc9tGaaieMHwGCCsGAQUFBwEBBHAwbjBK +BggrBgEFBQcwAoY+aHR0cDovL3d3dy5zc2wuY29tL3JlcG9zaXRvcnkvU1NMY29t +LVJvb3RDQS1FVi1SU0EtNDA5Ni1SMi5jcnQwIAYIKwYBBQUHMAGGFGh0dHA6Ly9v +Y3Nwcy5zc2wuY29tMBEGA1UdIAQKMAgwBgYEVR0gADBFBgNVHR8EPjA8MDqgOKA2 +hjRodHRwOi8vY3Jscy5zc2wuY29tL1NTTGNvbS1Sb290Q0EtRVYtUlNBLTQwOTYt +UjIuY3JsMB0GA1UdDgQWBBRbyl7l3tKBqs2oLWRRttlym5fmTzAOBgNVHQ8BAf8E +BAMCAYYwDQYJKoZIhvcNAQELBQADggIBAEtbzx2YtVSveXwjAgO1JRrPoxRpnjOU +sxDIcy9Jcc9NeVv8poNXSmxb9M2giWJ1llgCJiLn7SIs+4FmE00bYIB3K/OnOPz4 +KjZQUVE1dP8Meds7rfRZiQxqDWMoIDGK1XI6Ug1gQx4Q82KxG0AVZW8m3AeD96OY +Wj9VXYAb5zdwqw/28xaSYgsoqUSETjFNCLePGy+Is14Am3MF5kRp0/8TktUmoLta +dY+F9MF9kG6e0IzjwxsUpJzBmQw+zLZUJW/dCs23dH4l+mMTu9udrewqHbJccXd4 +JpPSL4W+WcF9s9ymT8HJgQ+yNR7wlPiDJvksRZ0AAQYlcrViaaRnY7AfhmrS1Qp/ +VULhXQFxxOmQdAAcqSvXSACS8/gsYqKuETokm5Ws4FHOFyEtt0pDfIkbrD7opvaU +ksX4JPJDkjnyks9/EfiLcdZ88/MgZJw7xK5CaSsntORqWShQFaqKukdhWu3AdGG5 +Jp0NbZ+J3ws1ft8WMDc3zBXMKG8S9i8Oh77nr6KcvJhJ/EtBBdkhJ1qJ/bVxLAnn +jTMzwd8YqO1+UEmZFwtNLzCljpZ6tTWn1qY6ijn/CshHmL5HqnWzO8sFno4vgKpM +JbBok9Ol99KWY+eFSVm/IDkCJOIyOVOt0t/xrfYG74VO4RL2hfK0qbO6KhW+GaoC +l2Lxp74DbA3f +-----END CERTIFICATE----- From a60ffb3a6d46c2ee2e00b2e957faf975f58696d8 Mon Sep 17 00:00:00 2001 From: Fotis Loukos Date: Mon, 7 Oct 2019 17:42:22 +0300 Subject: [PATCH 07/40] Added fatal error details to MP AuthKeyID lint. --- lints/lint_mp_authority_key_identifier_correct.go | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/lints/lint_mp_authority_key_identifier_correct.go b/lints/lint_mp_authority_key_identifier_correct.go index 3dc68782d..0e30519aa 100644 --- a/lints/lint_mp_authority_key_identifier_correct.go +++ b/lints/lint_mp_authority_key_identifier_correct.go @@ -16,13 +16,14 @@ Section 5.2 - Forbidden and Required Practices CAs MUST NOT issue certificates that have: - incorrect extensions (e.g., SSL certificates that exclude SSL usage, or authority key IDs - that include both the key ID and the issuer’s issuer name and serial number); or + that include both the key ID and the issuer’s issuer name and serial number); ********************************************************************/ package lints import ( "encoding/asn1" + "fmt" "github.com/zmap/zcrypto/x509" "github.com/zmap/zlint/util" @@ -51,12 +52,17 @@ func (l *authorityKeyIdentifierCorrect) Execute(c *x509.Certificate) *LintResult var keyID keyIdentifier ext := util.GetExtFromCert(c, util.AuthkeyOID) - if ext == nil { - return &LintResult{Status: Fatal} + return &LintResult{ + Status: Fatal, + Details: "certificate is missing Authority Key Identifier extension", + } } if _, err := asn1.Unmarshal(ext.Value, &keyID); err != nil { - return &LintResult{Status: Fatal} + return &LintResult{ + Status: Fatal, + Details: fmt.Sprintf("error unmarshalling authority key identifier extension: %v", err), + } } hasKeyID := len(keyID.KeyIdentifier.Bytes) > 0 From 762bcc3b5362cedef04f811677d9da0a212a437b Mon Sep 17 00:00:00 2001 From: Fotis Loukos Date: Mon, 7 Oct 2019 17:46:11 +0300 Subject: [PATCH 08/40] Minor style change. --- lints/lint_mp_ecdsa_allowed_algorithm.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lints/lint_mp_ecdsa_allowed_algorithm.go b/lints/lint_mp_ecdsa_allowed_algorithm.go index 104692de1..86805eb2b 100644 --- a/lints/lint_mp_ecdsa_allowed_algorithm.go +++ b/lints/lint_mp_ecdsa_allowed_algorithm.go @@ -76,8 +76,8 @@ func (l *ecdsaAllowedAlgorithm) Initialize() error { } func (l *ecdsaAllowedAlgorithm) CheckApplies(c *x509.Certificate) bool { - switch c.SignatureAlgorithm { - case x509.ECDSAWithSHA1, x509.ECDSAWithSHA256, x509.ECDSAWithSHA384, x509.ECDSAWithSHA512: + if c.SignatureAlgorithm == x509.ECDSAWithSHA1 || c.SignatureAlgorithm == x509.ECDSAWithSHA256 || + c.SignatureAlgorithm == x509.ECDSAWithSHA384 || c.SignatureAlgorithm == x509.ECDSAWithSHA512 { return true } From 43b0e8c61332351ab8654cd433a5fe3216f1a6e4 Mon Sep 17 00:00:00 2001 From: Fotis Loukos Date: Mon, 7 Oct 2019 17:50:04 +0300 Subject: [PATCH 09/40] Added error details to MP ECDSA lint. --- lints/lint_mp_ecdsa_allowed_algorithm.go | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/lints/lint_mp_ecdsa_allowed_algorithm.go b/lints/lint_mp_ecdsa_allowed_algorithm.go index 86805eb2b..7134b7469 100644 --- a/lints/lint_mp_ecdsa_allowed_algorithm.go +++ b/lints/lint_mp_ecdsa_allowed_algorithm.go @@ -87,14 +87,23 @@ func (l *ecdsaAllowedAlgorithm) CheckApplies(c *x509.Certificate) bool { func (l *ecdsaAllowedAlgorithm) Execute(c *x509.Certificate) *LintResult { signKeySize, err := getSigningKeySize(c) if err != nil { - return &LintResult{Status: Fatal} + return &LintResult{ + Status: Fatal, + Details: "cannot identify signing ECDSA key length", + } } switch { case c.SignatureAlgorithm == x509.ECDSAWithSHA256 && signKeySize == 256: - return &LintResult{Status: Pass} + return &LintResult{ + Status: Pass, + Details: "Detected ECDSAWithSHA256 and 256 bit signing key.", + } case c.SignatureAlgorithm == x509.ECDSAWithSHA384 && signKeySize == 384: - return &LintResult{Status: Pass} + return &LintResult{ + Status: Pass, + Details: "Detected ECDSAWithSHA384 and 384 bit signing key.", + } } return &LintResult{Status: Error} From 223ed00a6e07882d285a12a1a1953cdf9e8d7ca9 Mon Sep 17 00:00:00 2001 From: Fotis Loukos Date: Thu, 17 Oct 2019 09:34:53 +0300 Subject: [PATCH 10/40] Renamed lint_mp_allowed_rsa_keys_exponent to e_mp_exponent_cannot_be_one. --- ...exponent.go => lint_mp_exponent_cannot_be_one.go} | 12 ++++++------ ...est.go => lint_mp_exponent_cannot_be_one_test.go} | 4 ++-- 2 files changed, 8 insertions(+), 8 deletions(-) rename lints/{lint_mp_allowed_rsa_keys_exponent.go => lint_mp_exponent_cannot_be_one.go} (83%) rename lints/{lint_mp_allowed_rsa_keys_exponent_test.go => lint_mp_exponent_cannot_be_one_test.go} (90%) diff --git a/lints/lint_mp_allowed_rsa_keys_exponent.go b/lints/lint_mp_exponent_cannot_be_one.go similarity index 83% rename from lints/lint_mp_allowed_rsa_keys_exponent.go rename to lints/lint_mp_exponent_cannot_be_one.go index d05a21b29..b5cfe7bf2 100644 --- a/lints/lint_mp_allowed_rsa_keys_exponent.go +++ b/lints/lint_mp_exponent_cannot_be_one.go @@ -27,13 +27,13 @@ import ( "github.com/zmap/zlint/util" ) -type allowedRSAKeyExponent struct{} +type exponentCannotBeOne struct{} -func (l *allowedRSAKeyExponent) Initialize() error { +func (l *exponentCannotBeOne) Initialize() error { return nil } -func (l *allowedRSAKeyExponent) CheckApplies(c *x509.Certificate) bool { +func (l *exponentCannotBeOne) CheckApplies(c *x509.Certificate) bool { if c.PublicKeyAlgorithm == x509.RSA { return true } @@ -41,7 +41,7 @@ func (l *allowedRSAKeyExponent) CheckApplies(c *x509.Certificate) bool { return false } -func (l *allowedRSAKeyExponent) Execute(c *x509.Certificate) *LintResult { +func (l *exponentCannotBeOne) Execute(c *x509.Certificate) *LintResult { pubKey, ok := c.PublicKey.(*rsa.PublicKey) if !ok { return &LintResult{Status: Fatal, Details: "certificate public key was not an RSA public key"} @@ -56,11 +56,11 @@ func (l *allowedRSAKeyExponent) Execute(c *x509.Certificate) *LintResult { func init() { RegisterLint(&Lint{ - Name: "e_mp_allowed_rsa_keys_exponent", + Name: "e_mp_exponent_cannot_be_one", Description: "CAs MUST NOT issue certificates that have invalid public keys (e.g., RSA certificates with public exponent equal to 1)", Citation: "Mozilla Root Store Policy / Section 5.2", Source: MozillaRootStorePolicy, EffectiveDate: util.MozillaPolicy24Date, - Lint: &allowedRSAKeyExponent{}, + Lint: &exponentCannotBeOne{}, }) } diff --git a/lints/lint_mp_allowed_rsa_keys_exponent_test.go b/lints/lint_mp_exponent_cannot_be_one_test.go similarity index 90% rename from lints/lint_mp_allowed_rsa_keys_exponent_test.go rename to lints/lint_mp_exponent_cannot_be_one_test.go index 5abf19e87..4ae173912 100644 --- a/lints/lint_mp_allowed_rsa_keys_exponent_test.go +++ b/lints/lint_mp_exponent_cannot_be_one_test.go @@ -19,7 +19,7 @@ import ( "testing" ) -func TestAllowedRSAKeysExponent(t *testing.T) { +func TestExponentCannotBeOne(t *testing.T) { testCases := []struct { Name string InputFilename string @@ -40,7 +40,7 @@ func TestAllowedRSAKeysExponent(t *testing.T) { for _, tc := range testCases { t.Run(tc.Name, func(t *testing.T) { inputPath := fmt.Sprintf("%s%s", testCaseDir, tc.InputFilename) - result := Lints["e_mp_allowed_rsa_keys_exponent"].Execute(ReadCertificate(inputPath)) + result := Lints["e_mp_exponent_cannot_be_one"].Execute(ReadCertificate(inputPath)) if result.Status != tc.ExpectedResult { t.Errorf("expected result %v was %v", tc.ExpectedResult, result.Status) } From 855427c70cf7929041791d5ecb43ed1ee55aa1df Mon Sep 17 00:00:00 2001 From: Fotis Loukos Date: Thu, 17 Oct 2019 09:42:00 +0300 Subject: [PATCH 11/40] Split RSA modulus lints into two files. --- ...t_mp_modulus_must_be_2048_bits_or_more.go} | 14 ++-- ..._modulus_must_be_2048_bits_or_more_test.go | 49 ++++++++++++++ .../lint_mp_modulus_must_be_divisible_by_8.go | 66 +++++++++++++++++++ ...mp_modulus_must_be_divisible_by_8_test.go} | 7 +- 4 files changed, 123 insertions(+), 13 deletions(-) rename lints/{lint_mp_allowed_rsa_keys_modulus.go => lint_mp_modulus_must_be_2048_bits_or_more.go} (81%) create mode 100644 lints/lint_mp_modulus_must_be_2048_bits_or_more_test.go create mode 100644 lints/lint_mp_modulus_must_be_divisible_by_8.go rename lints/{lint_mp_allowed_rsa_keys_modulus_test.go => lint_mp_modulus_must_be_divisible_by_8_test.go} (85%) diff --git a/lints/lint_mp_allowed_rsa_keys_modulus.go b/lints/lint_mp_modulus_must_be_2048_bits_or_more.go similarity index 81% rename from lints/lint_mp_allowed_rsa_keys_modulus.go rename to lints/lint_mp_modulus_must_be_2048_bits_or_more.go index 90f57ab90..f42edc8f0 100644 --- a/lints/lint_mp_allowed_rsa_keys_modulus.go +++ b/lints/lint_mp_modulus_must_be_2048_bits_or_more.go @@ -26,13 +26,13 @@ import ( "github.com/zmap/zlint/util" ) -type allowedRSAKeyModulus struct{} +type modulus2048OrMore struct{} -func (l *allowedRSAKeyModulus) Initialize() error { +func (l *modulus2048OrMore) Initialize() error { return nil } -func (l *allowedRSAKeyModulus) CheckApplies(c *x509.Certificate) bool { +func (l *modulus2048OrMore) CheckApplies(c *x509.Certificate) bool { if c.PublicKeyAlgorithm == x509.RSA { return true } @@ -40,14 +40,14 @@ func (l *allowedRSAKeyModulus) CheckApplies(c *x509.Certificate) bool { return false } -func (l *allowedRSAKeyModulus) Execute(c *x509.Certificate) *LintResult { +func (l *modulus2048OrMore) Execute(c *x509.Certificate) *LintResult { pubKey, ok := c.PublicKey.(*rsa.PublicKey) if !ok { return &LintResult{Status: Fatal, Details: "certificate public key was not an RSA public key"} } bitLen := pubKey.N.BitLen() - if (bitLen%8) != 0 || bitLen < 2048 { + if bitLen < 2048 { return &LintResult{Status: Error} } @@ -56,11 +56,11 @@ func (l *allowedRSAKeyModulus) Execute(c *x509.Certificate) *LintResult { func init() { RegisterLint(&Lint{ - Name: "e_mp_allowed_rsa_keys_modulus", + Name: "e_mp_modulus_must_be_2048_bits_or_more", Description: "RSA keys whose modulus size in bits is divisible by 8, is at least 2048 and public exponent is not equal to 1", Citation: "Mozilla Root Store Policy / Section 5.1", Source: MozillaRootStorePolicy, EffectiveDate: util.MozillaPolicy24Date, - Lint: &allowedRSAKeyModulus{}, + Lint: &modulus2048OrMore{}, }) } diff --git a/lints/lint_mp_modulus_must_be_2048_bits_or_more_test.go b/lints/lint_mp_modulus_must_be_2048_bits_or_more_test.go new file mode 100644 index 000000000..88de81f92 --- /dev/null +++ b/lints/lint_mp_modulus_must_be_2048_bits_or_more_test.go @@ -0,0 +1,49 @@ +package lints + +/* + * ZLint Copyright 2018 Regents of the University of Michigan + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may not + * use this file except in compliance with the License. You may obtain a copy + * of the License at http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + * implied. See the License for the specific language governing + * permissions and limitations under the License. + */ + +import ( + "fmt" + "testing" +) + +func TestModulus2048OrMore(t *testing.T) { + testCases := []struct { + Name string + InputFilename string + ExpectedResult LintStatus + }{ + { + Name: "Certificate with less than 2048 bit rsa key modulus length", + InputFilename: "mpModulus1024.pem", + ExpectedResult: Error, + }, + { + Name: "Certificate with rsa key modulus length equal to 2048", + InputFilename: "mpModulus2048.pem", + ExpectedResult: Pass, + }, + } + + for _, tc := range testCases { + t.Run(tc.Name, func(t *testing.T) { + inputPath := fmt.Sprintf("%s%s", testCaseDir, tc.InputFilename) + result := Lints["e_mp_modulus_must_be_2048_bits_or_more"].Execute(ReadCertificate(inputPath)) + if result.Status != tc.ExpectedResult { + t.Errorf("expected result %v was %v", tc.ExpectedResult, result.Status) + } + }) + } +} diff --git a/lints/lint_mp_modulus_must_be_divisible_by_8.go b/lints/lint_mp_modulus_must_be_divisible_by_8.go new file mode 100644 index 000000000..0cc39d796 --- /dev/null +++ b/lints/lint_mp_modulus_must_be_divisible_by_8.go @@ -0,0 +1,66 @@ +/* + * ZLint Copyright 2019 Regents of the University of Michigan + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may not + * use this file except in compliance with the License. You may obtain a copy + * of the License at http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + * implied. See the License for the specific language governing + * permissions and limitations under the License. + */ + +/******************************************************************** +Section 5.1 - Algorithms +RSA keys whose modulus size in bits is divisible by 8, and is at least 2048. +********************************************************************/ + +package lints + +import ( + "crypto/rsa" + + "github.com/zmap/zcrypto/x509" + "github.com/zmap/zlint/util" +) + +type modulusDivisibleBy8 struct{} + +func (l *modulusDivisibleBy8) Initialize() error { + return nil +} + +func (l *modulusDivisibleBy8) CheckApplies(c *x509.Certificate) bool { + if c.PublicKeyAlgorithm == x509.RSA { + return true + } + + return false +} + +func (l *modulusDivisibleBy8) Execute(c *x509.Certificate) *LintResult { + pubKey, ok := c.PublicKey.(*rsa.PublicKey) + if !ok { + return &LintResult{Status: Fatal, Details: "certificate public key was not an RSA public key"} + } + + bitLen := pubKey.N.BitLen() + if (bitLen % 8) != 0 { + return &LintResult{Status: Error} + } + + return &LintResult{Status: Pass} +} + +func init() { + RegisterLint(&Lint{ + Name: "e_mp_modulus_must_be_divisible_by_8", + Description: "RSA keys whose modulus size in bits is divisible by 8, is at least 2048 and public exponent is not equal to 1", + Citation: "Mozilla Root Store Policy / Section 5.1", + Source: MozillaRootStorePolicy, + EffectiveDate: util.MozillaPolicy24Date, + Lint: &modulusDivisibleBy8{}, + }) +} diff --git a/lints/lint_mp_allowed_rsa_keys_modulus_test.go b/lints/lint_mp_modulus_must_be_divisible_by_8_test.go similarity index 85% rename from lints/lint_mp_allowed_rsa_keys_modulus_test.go rename to lints/lint_mp_modulus_must_be_divisible_by_8_test.go index 5a575d82f..b9cafb327 100644 --- a/lints/lint_mp_allowed_rsa_keys_modulus_test.go +++ b/lints/lint_mp_modulus_must_be_divisible_by_8_test.go @@ -25,11 +25,6 @@ func TestAllowedRSAKeysModulus(t *testing.T) { InputFilename string ExpectedResult LintStatus }{ - { - Name: "Certificate with less than 2048 bit rsa key modulus length", - InputFilename: "mpModulus1024.pem", - ExpectedResult: Error, - }, { Name: "Certificate with rsa key modulus length not divisible by 8", InputFilename: "mpModulus4095.pem", @@ -45,7 +40,7 @@ func TestAllowedRSAKeysModulus(t *testing.T) { for _, tc := range testCases { t.Run(tc.Name, func(t *testing.T) { inputPath := fmt.Sprintf("%s%s", testCaseDir, tc.InputFilename) - result := Lints["e_mp_allowed_rsa_keys_modulus"].Execute(ReadCertificate(inputPath)) + result := Lints["e_mp_modulus_must_be_divisible_by_8"].Execute(ReadCertificate(inputPath)) if result.Status != tc.ExpectedResult { t.Errorf("expected result %v was %v", tc.ExpectedResult, result.Status) } From c95b61f9ddb0bef19f7250be7e8d7d8eaa7680f4 Mon Sep 17 00:00:00 2001 From: Fotis Loukos Date: Thu, 17 Oct 2019 09:43:53 +0300 Subject: [PATCH 12/40] Minor fix in test function name. --- lints/lint_mp_modulus_must_be_divisible_by_8_test.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lints/lint_mp_modulus_must_be_divisible_by_8_test.go b/lints/lint_mp_modulus_must_be_divisible_by_8_test.go index b9cafb327..9d73d0ecd 100644 --- a/lints/lint_mp_modulus_must_be_divisible_by_8_test.go +++ b/lints/lint_mp_modulus_must_be_divisible_by_8_test.go @@ -19,7 +19,7 @@ import ( "testing" ) -func TestAllowedRSAKeysModulus(t *testing.T) { +func TestModulusDivisibleBy8(t *testing.T) { testCases := []struct { Name string InputFilename string From 6a156ff32d17452bc52396b5a3510732e987b9da Mon Sep 17 00:00:00 2001 From: Fotis Loukos Date: Mon, 21 Oct 2019 17:32:54 +0200 Subject: [PATCH 13/40] Update lints/lint_mp_modulus_must_be_divisible_by_8.go Co-Authored-By: Daniel McCarney --- lints/lint_mp_modulus_must_be_divisible_by_8.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lints/lint_mp_modulus_must_be_divisible_by_8.go b/lints/lint_mp_modulus_must_be_divisible_by_8.go index 0cc39d796..59d3aea04 100644 --- a/lints/lint_mp_modulus_must_be_divisible_by_8.go +++ b/lints/lint_mp_modulus_must_be_divisible_by_8.go @@ -57,7 +57,7 @@ func (l *modulusDivisibleBy8) Execute(c *x509.Certificate) *LintResult { func init() { RegisterLint(&Lint{ Name: "e_mp_modulus_must_be_divisible_by_8", - Description: "RSA keys whose modulus size in bits is divisible by 8, is at least 2048 and public exponent is not equal to 1", + Description: "RSA keys must have a modulus size divisible by 8", Citation: "Mozilla Root Store Policy / Section 5.1", Source: MozillaRootStorePolicy, EffectiveDate: util.MozillaPolicy24Date, From aafe27182003a1b51bc3e6697878c5204192a3a6 Mon Sep 17 00:00:00 2001 From: Fotis Loukos Date: Mon, 21 Oct 2019 17:33:28 +0200 Subject: [PATCH 14/40] Update lints/lint_mp_modulus_must_be_divisible_by_8.go Co-Authored-By: Daniel McCarney --- lints/lint_mp_modulus_must_be_divisible_by_8.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lints/lint_mp_modulus_must_be_divisible_by_8.go b/lints/lint_mp_modulus_must_be_divisible_by_8.go index 59d3aea04..5c9586262 100644 --- a/lints/lint_mp_modulus_must_be_divisible_by_8.go +++ b/lints/lint_mp_modulus_must_be_divisible_by_8.go @@ -47,7 +47,7 @@ func (l *modulusDivisibleBy8) Execute(c *x509.Certificate) *LintResult { } bitLen := pubKey.N.BitLen() - if (bitLen % 8) != 0 { + if bitLen := pubKey.N.BitLen(); (bitLen % 8) != 0 { return &LintResult{Status: Error} } From 3e0b24c964dbf77c25a8d4b436642da9ef7afeb3 Mon Sep 17 00:00:00 2001 From: Fotis Loukos Date: Mon, 21 Oct 2019 17:33:44 +0200 Subject: [PATCH 15/40] Update lints/lint_mp_modulus_must_be_divisible_by_8.go Co-Authored-By: Daniel McCarney --- lints/lint_mp_modulus_must_be_divisible_by_8.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lints/lint_mp_modulus_must_be_divisible_by_8.go b/lints/lint_mp_modulus_must_be_divisible_by_8.go index 5c9586262..01865af2b 100644 --- a/lints/lint_mp_modulus_must_be_divisible_by_8.go +++ b/lints/lint_mp_modulus_must_be_divisible_by_8.go @@ -37,7 +37,7 @@ func (l *modulusDivisibleBy8) CheckApplies(c *x509.Certificate) bool { return true } - return false + return c.PublicKeyAlgorithm == x509.RSA } func (l *modulusDivisibleBy8) Execute(c *x509.Certificate) *LintResult { From 02e439fce2addcb22f7dc0999d322df700b253d3 Mon Sep 17 00:00:00 2001 From: Fotis Loukos Date: Mon, 21 Oct 2019 17:33:59 +0200 Subject: [PATCH 16/40] Update lints/lint_mp_modulus_must_be_2048_bits_or_more.go Co-Authored-By: Daniel McCarney --- lints/lint_mp_modulus_must_be_2048_bits_or_more.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lints/lint_mp_modulus_must_be_2048_bits_or_more.go b/lints/lint_mp_modulus_must_be_2048_bits_or_more.go index f42edc8f0..1955afc38 100644 --- a/lints/lint_mp_modulus_must_be_2048_bits_or_more.go +++ b/lints/lint_mp_modulus_must_be_2048_bits_or_more.go @@ -47,7 +47,7 @@ func (l *modulus2048OrMore) Execute(c *x509.Certificate) *LintResult { } bitLen := pubKey.N.BitLen() - if bitLen < 2048 { + if bitLen:= pubKey.N.BitLen(); bitLen < 2048 { return &LintResult{Status: Error} } From fc98c127894f9046c8932bac00760e7f47859d54 Mon Sep 17 00:00:00 2001 From: Fotis Loukos Date: Mon, 21 Oct 2019 17:34:13 +0200 Subject: [PATCH 17/40] Update lints/lint_mp_exponent_cannot_be_one.go Co-Authored-By: Daniel McCarney --- lints/lint_mp_exponent_cannot_be_one.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lints/lint_mp_exponent_cannot_be_one.go b/lints/lint_mp_exponent_cannot_be_one.go index b5cfe7bf2..48cdfe023 100644 --- a/lints/lint_mp_exponent_cannot_be_one.go +++ b/lints/lint_mp_exponent_cannot_be_one.go @@ -38,7 +38,7 @@ func (l *exponentCannotBeOne) CheckApplies(c *x509.Certificate) bool { return true } - return false + return c.PublicKeyAlgorithm == x509.RSA } func (l *exponentCannotBeOne) Execute(c *x509.Certificate) *LintResult { From 64234ab7cf8fbe1536628145292b8ad19021f946 Mon Sep 17 00:00:00 2001 From: Fotis Loukos Date: Mon, 21 Oct 2019 17:34:25 +0200 Subject: [PATCH 18/40] Update lints/lint_mp_modulus_must_be_2048_bits_or_more.go Co-Authored-By: Daniel McCarney --- lints/lint_mp_modulus_must_be_2048_bits_or_more.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lints/lint_mp_modulus_must_be_2048_bits_or_more.go b/lints/lint_mp_modulus_must_be_2048_bits_or_more.go index 1955afc38..b5623b635 100644 --- a/lints/lint_mp_modulus_must_be_2048_bits_or_more.go +++ b/lints/lint_mp_modulus_must_be_2048_bits_or_more.go @@ -37,7 +37,7 @@ func (l *modulus2048OrMore) CheckApplies(c *x509.Certificate) bool { return true } - return false + return c.PublicKeyAlgorithm == x509.RSA } func (l *modulus2048OrMore) Execute(c *x509.Certificate) *LintResult { From fdecdc227a978634452a6732bb64133c9eac4fa4 Mon Sep 17 00:00:00 2001 From: Fotis Loukos Date: Mon, 21 Oct 2019 17:35:13 +0200 Subject: [PATCH 19/40] Update lints/lint_mp_modulus_must_be_2048_bits_or_more.go Co-Authored-By: Daniel McCarney --- lints/lint_mp_modulus_must_be_2048_bits_or_more.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lints/lint_mp_modulus_must_be_2048_bits_or_more.go b/lints/lint_mp_modulus_must_be_2048_bits_or_more.go index b5623b635..9d5fa07d3 100644 --- a/lints/lint_mp_modulus_must_be_2048_bits_or_more.go +++ b/lints/lint_mp_modulus_must_be_2048_bits_or_more.go @@ -57,7 +57,7 @@ func (l *modulus2048OrMore) Execute(c *x509.Certificate) *LintResult { func init() { RegisterLint(&Lint{ Name: "e_mp_modulus_must_be_2048_bits_or_more", - Description: "RSA keys whose modulus size in bits is divisible by 8, is at least 2048 and public exponent is not equal to 1", + Description: "RSA keys must have modulus size of at least 2048 bits", Citation: "Mozilla Root Store Policy / Section 5.1", Source: MozillaRootStorePolicy, EffectiveDate: util.MozillaPolicy24Date, From ba2c31b46ce8b9b1b65c30b38b6620c615f3b81b Mon Sep 17 00:00:00 2001 From: Fotis Loukos Date: Fri, 8 Nov 2019 12:55:58 +0200 Subject: [PATCH 20/40] Fixed incorrect commits by github ui. --- lints/lint_mp_exponent_cannot_be_one.go | 4 ---- lints/lint_mp_modulus_must_be_2048_bits_or_more.go | 7 +------ lints/lint_mp_modulus_must_be_divisible_by_8.go | 5 ----- 3 files changed, 1 insertion(+), 15 deletions(-) diff --git a/lints/lint_mp_exponent_cannot_be_one.go b/lints/lint_mp_exponent_cannot_be_one.go index 48cdfe023..2a6060a82 100644 --- a/lints/lint_mp_exponent_cannot_be_one.go +++ b/lints/lint_mp_exponent_cannot_be_one.go @@ -34,10 +34,6 @@ func (l *exponentCannotBeOne) Initialize() error { } func (l *exponentCannotBeOne) CheckApplies(c *x509.Certificate) bool { - if c.PublicKeyAlgorithm == x509.RSA { - return true - } - return c.PublicKeyAlgorithm == x509.RSA } diff --git a/lints/lint_mp_modulus_must_be_2048_bits_or_more.go b/lints/lint_mp_modulus_must_be_2048_bits_or_more.go index 9d5fa07d3..12122e388 100644 --- a/lints/lint_mp_modulus_must_be_2048_bits_or_more.go +++ b/lints/lint_mp_modulus_must_be_2048_bits_or_more.go @@ -33,10 +33,6 @@ func (l *modulus2048OrMore) Initialize() error { } func (l *modulus2048OrMore) CheckApplies(c *x509.Certificate) bool { - if c.PublicKeyAlgorithm == x509.RSA { - return true - } - return c.PublicKeyAlgorithm == x509.RSA } @@ -46,8 +42,7 @@ func (l *modulus2048OrMore) Execute(c *x509.Certificate) *LintResult { return &LintResult{Status: Fatal, Details: "certificate public key was not an RSA public key"} } - bitLen := pubKey.N.BitLen() - if bitLen:= pubKey.N.BitLen(); bitLen < 2048 { + if bitLen := pubKey.N.BitLen(); bitLen < 2048 { return &LintResult{Status: Error} } diff --git a/lints/lint_mp_modulus_must_be_divisible_by_8.go b/lints/lint_mp_modulus_must_be_divisible_by_8.go index 01865af2b..f1420e617 100644 --- a/lints/lint_mp_modulus_must_be_divisible_by_8.go +++ b/lints/lint_mp_modulus_must_be_divisible_by_8.go @@ -33,10 +33,6 @@ func (l *modulusDivisibleBy8) Initialize() error { } func (l *modulusDivisibleBy8) CheckApplies(c *x509.Certificate) bool { - if c.PublicKeyAlgorithm == x509.RSA { - return true - } - return c.PublicKeyAlgorithm == x509.RSA } @@ -46,7 +42,6 @@ func (l *modulusDivisibleBy8) Execute(c *x509.Certificate) *LintResult { return &LintResult{Status: Fatal, Details: "certificate public key was not an RSA public key"} } - bitLen := pubKey.N.BitLen() if bitLen := pubKey.N.BitLen(); (bitLen % 8) != 0 { return &LintResult{Status: Error} } From 3f9b825384d3fba4a4328d963ddb9f185d0e946c Mon Sep 17 00:00:00 2001 From: Fotis Loukos Date: Fri, 8 Nov 2019 12:57:44 +0200 Subject: [PATCH 21/40] Minor syntax change. --- lints/lint_mp_authority_key_identifier_correct.go | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/lints/lint_mp_authority_key_identifier_correct.go b/lints/lint_mp_authority_key_identifier_correct.go index 0e30519aa..25223cfb6 100644 --- a/lints/lint_mp_authority_key_identifier_correct.go +++ b/lints/lint_mp_authority_key_identifier_correct.go @@ -42,10 +42,7 @@ func (l *authorityKeyIdentifierCorrect) Initialize() error { } func (l *authorityKeyIdentifierCorrect) CheckApplies(c *x509.Certificate) bool { - if !util.IsExtInCert(c, util.AuthkeyOID) { - return false - } - return true + return util.IsExtInCert(c, util.AuthkeyOID) } func (l *authorityKeyIdentifierCorrect) Execute(c *x509.Certificate) *LintResult { From 53ba27b7eebb616f52e959bb4d1220013eac5899 Mon Sep 17 00:00:00 2001 From: Fotis Loukos Date: Fri, 8 Nov 2019 13:25:48 +0200 Subject: [PATCH 22/40] Removed zlint-mozilla-trusted-roots-update. --- .../main.go | 211 ------------------ makefile | 7 +- util/mozilla_trusted_roots.go | 4 - 3 files changed, 2 insertions(+), 220 deletions(-) delete mode 100644 cmd/zlint-mozilla-trusted-roots-update/main.go diff --git a/cmd/zlint-mozilla-trusted-roots-update/main.go b/cmd/zlint-mozilla-trusted-roots-update/main.go deleted file mode 100644 index b9934a07f..000000000 --- a/cmd/zlint-mozilla-trusted-roots-update/main.go +++ /dev/null @@ -1,211 +0,0 @@ -/* - * ZLint Copyright 2018 Regents of the University of Michigan - * - * Licensed under the Apache License, Version 2.0 (the "License"); you may not - * use this file except in compliance with the License. You may obtain a copy - * of the License at http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or - * implied. See the License for the specific language governing - * permissions and limitations under the License. - */ - -package main - -import ( - "bufio" - "bytes" - "crypto/sha256" - "encoding/hex" - "flag" - "fmt" - "go/format" - "io" - "net" - "net/http" - "os" - "strconv" - "strings" - "text/template" - "time" - - log "github.com/sirupsen/logrus" - "github.com/zmap/zcrypto/x509" -) - -const MOZILLA_CERTDATA = "http://mxr.mozilla.org/mozilla/source/security/nss/lib/ckfw/builtins/certdata.txt?raw=1" - -var ( - // httpClient is a http.Client instance configured with timeouts. - httpClient = &http.Client{ - Transport: &http.Transport{ - Dial: (&net.Dialer{ - Timeout: 15 * time.Second, - KeepAlive: 15 * time.Second, - }).Dial, - TLSHandshakeTimeout: 5 * time.Second, - ResponseHeaderTimeout: 5 * time.Second, - ExpectContinueTimeout: 1 * time.Second, - }, - } - // mozillaTrustedRootsTemplate is a template that produces a Golang source - // code file in the "util" package containing a single member variable, - // a slice of strings containing the hex encoded SPKIs of all roots - // trusted by Mozilla. - mozillaTrustedRootsTemplate = template.Must(template.New( - "mozillaTrustedRootsTemplate").Parse( - `// Code generated by go generate; DO NOT EDIT. -// This file was generated by zlint-mozilla-trusted-roots-update. - -/* - * ZLint Copyright 2018 Regents of the University of Michigan - * - * Licensed under the Apache License, Version 2.0 (the "License"); you may not - * use this file except in compliance with the License. You may obtain a copy - * of the License at http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or - * implied. See the License for the specific language governing - * permissions and limitations under the License. - */ - -package util - -var mozillaTrustedSPKIs = []string{ -{{- range . }} - "{{ . }}", -{{- end }} -} -`)) -) - -func getMozillaTrustedCerts() ([]*x509.Certificate, error) { - resp, err := httpClient.Get(MOZILLA_CERTDATA) - if err != nil { - return nil, fmt.Errorf("unable to fetch data from %q : %s", - MOZILLA_CERTDATA, err) - } - defer resp.Body.Close() - - if resp.StatusCode != http.StatusOK { - return nil, fmt.Errorf("unexpected status code fetching data "+ - "from %q : expected status %d got %d", - MOZILLA_CERTDATA, http.StatusOK, resp.StatusCode) - } - - var trustedCertificates []*x509.Certificate - scanner := bufio.NewScanner(resp.Body) - for scanner.Scan() { - line := scanner.Text() - line = strings.ReplaceAll(line, "\r\n", "") - if line == "CKA_VALUE MULTILINE_OCTAL" { - var certdata []byte - - for scanner.Scan() { - line = scanner.Text() - line = strings.ReplaceAll(line, "\r\n", "") - - if line == "END" { - break - } - - bs := strings.Split(line, "\\") - for _, b := range bs { - if b == "" { - continue - } - i, err := strconv.ParseInt(b, 8, 0) - if err != nil { - return nil, fmt.Errorf( - "unexpected octal character : %s", err) - } - certdata = append(certdata, byte(i)) - } - } - - cert, err := x509.ParseCertificate(certdata) - if err != nil { - return nil, fmt.Errorf("unable to parse certificate : %s", err) - } - - trustedCertificates = append(trustedCertificates, cert) - } - } - - return trustedCertificates, nil -} - -func renderMozillaTrustedSPKIs(writer io.Writer) error { - trustedCerts, err := getMozillaTrustedCerts() - if err != nil { - return err - } - - var trustedSPKIs []string - for _, c := range trustedCerts { - spki := sha256.Sum256(c.RawSubjectPublicKeyInfo) - trustedSPKIs = append(trustedSPKIs, hex.EncodeToString(spki[:])) - } - - var buf bytes.Buffer - if err := mozillaTrustedRootsTemplate.Execute(&buf, trustedSPKIs); err != nil { - return err - } - - // format the buffer so it won't trip up the `gofmt_test.go` checks - formatted, err := format.Source(buf.Bytes()) - if err != nil { - return err - } - - // Write the formatted buffer to the writer - _, err = writer.Write(formatted) - if err != nil { - return err - } - return nil -} - -// init sets up command line flags -func init() { - flag.Usage = func() { - fmt.Fprintf(os.Stderr, "Usage: %s [flags]\n", os.Args[0]) - flag.PrintDefaults() - } - flag.Parse() - log.SetLevel(log.InfoLevel) -} - -// main handles rendering the mozilla trusted SPKIs to either standard out -// (when no argument is provided) or to the provided filename. If an error -// occurs it is printed to standard err and the program terminates with a -// non-zero exit status. -func main() { - errQuit := func(err error) { - fmt.Fprintf(os.Stderr, "error updating mozilla trusted SPKIs: %s\n", err) - os.Exit(1) - } - - // Default to writing to standard out - writer := os.Stdout - if flag.NArg() > 0 { - // If a filename is specified as a command line flag then open it (creating - // if needed), truncate the existing contents, and use the file as the - // writer instead of standard out - filename := flag.Args()[0] - f, err := os.OpenFile(filename, os.O_CREATE|os.O_TRUNC|os.O_WRONLY, 0664) - if err != nil { - errQuit(err) - } - defer f.Close() - writer = f - } - - if err := renderMozillaTrustedSPKIs(writer); err != nil { - errQuit(err) - } -} diff --git a/makefile b/makefile index a70c6e7c0..2e72b5793 100644 --- a/makefile +++ b/makefile @@ -4,7 +4,7 @@ PARALLELISM := 5 # Additional integration test flags (e.g. -force, -summary, -outputTick) INT_FLAGS := -CMDS = zlint zlint-gtld-update zlint-mozilla-trusted-roots-update +CMDS = zlint zlint-gtld-update CMD_PREFIX = ./cmd/ GO_ENV = GO111MODULE="on" GOFLAGS="-mod=vendor" BUILD = $(GO_ENV) go build @@ -19,9 +19,6 @@ zlint: zlint-gtld-update: $(BUILD) $(CMD_PREFIX)$(@) -zlint-mozilla-trusted-roots-update: - $(BUILD) $(CMD_PREFIX)$(@) - clean: rm -f $(CMDS) @@ -34,4 +31,4 @@ integration: format-check: diff <(find . -name '*.go' -not -path './vendor/*' -print | xargs -n1 gofmt -l) <(printf "") -.PHONY: clean zlint zlint-gtld-update zlint-mozilla-trusted-roots-update test integration format-check +.PHONY: clean zlint zlint-gtld-update test integration format-check diff --git a/util/mozilla_trusted_roots.go b/util/mozilla_trusted_roots.go index 641be1d42..61ee0a243 100644 --- a/util/mozilla_trusted_roots.go +++ b/util/mozilla_trusted_roots.go @@ -21,10 +21,6 @@ import ( "github.com/zmap/zcrypto/x509" ) -// This package uses the `zlint-mozilla-trusted-roots-update` command to -// generate a `mozillaTrustedSPKIs` slice. -//go:generate zlint-mozilla-trusted-roots-update ./mozilla_trusted_roots_data.go - // IsSPKIMozillaTrusted checks whether the SPKI of a certificate is trusted // by Mozilla. func IsSPKIMozillaTrusted(cert *x509.Certificate) bool { From 0b6d7ebfed2c0aa8a97da26255d5c6e4bec8e027 Mon Sep 17 00:00:00 2001 From: Fotis Loukos Date: Fri, 8 Nov 2019 16:52:46 +0200 Subject: [PATCH 23/40] Renamed IsSPKIMozillaTrusted() to IsInMozillaRootStore(). --- lints/lint_mp_allowed_eku.go | 2 +- util/mozilla_trusted_roots.go | 4 ++-- util/mozilla_trusted_roots_test.go | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/lints/lint_mp_allowed_eku.go b/lints/lint_mp_allowed_eku.go index e101068ce..d237942c9 100644 --- a/lints/lint_mp_allowed_eku.go +++ b/lints/lint_mp_allowed_eku.go @@ -40,7 +40,7 @@ func (l *allowedEKU) Initialize() error { } func (l *allowedEKU) CheckApplies(c *x509.Certificate) bool { - return util.IsSubCA(c) && !util.IsSPKIMozillaTrusted(c) + return util.IsSubCA(c) && !util.IsInMozillaRootStore(c) } func (l *allowedEKU) Execute(c *x509.Certificate) *LintResult { diff --git a/util/mozilla_trusted_roots.go b/util/mozilla_trusted_roots.go index 61ee0a243..60713aa7a 100644 --- a/util/mozilla_trusted_roots.go +++ b/util/mozilla_trusted_roots.go @@ -21,9 +21,9 @@ import ( "github.com/zmap/zcrypto/x509" ) -// IsSPKIMozillaTrusted checks whether the SPKI of a certificate is trusted +// IsInMozillaRootStore checks whether the SPKI of a certificate is trusted // by Mozilla. -func IsSPKIMozillaTrusted(cert *x509.Certificate) bool { +func IsInMozillaRootStore(cert *x509.Certificate) bool { spki := sha256.Sum256(cert.RawSubjectPublicKeyInfo) encSPKI := hex.EncodeToString(spki[:]) for _, s := range mozillaTrustedSPKIs { diff --git a/util/mozilla_trusted_roots_test.go b/util/mozilla_trusted_roots_test.go index 476310422..9e192894a 100644 --- a/util/mozilla_trusted_roots_test.go +++ b/util/mozilla_trusted_roots_test.go @@ -121,7 +121,7 @@ func TestTrustedRoots(t *testing.T) { t.Error("cannot parse test certificate") return } - result := IsSPKIMozillaTrusted(cert) + result := IsInMozillaRootStore(cert) if result != tc.ExpectedResult { t.Errorf("expected result %v was %v", tc.ExpectedResult, result) } From 8f0bb74c8f918aa46f272e4b62a12caca08c7360 Mon Sep 17 00:00:00 2001 From: Daniel Date: Tue, 14 Jan 2020 16:27:53 -0500 Subject: [PATCH 24/40] lints: move lint_mp_* to lints/mozilla --- lints/{ => mozilla}/lint_mp_allowed_eku.go | 0 lints/{ => mozilla}/lint_mp_allowed_eku_test.go | 0 lints/{ => mozilla}/lint_mp_authority_key_identifier_correct.go | 0 .../lint_mp_authority_key_identifier_correct_test.go | 0 lints/{ => mozilla}/lint_mp_ecdsa_allowed_algorithm.go | 0 lints/{ => mozilla}/lint_mp_ecdsa_allowed_algorithm_test.go | 0 lints/{ => mozilla}/lint_mp_exponent_cannot_be_one.go | 0 lints/{ => mozilla}/lint_mp_exponent_cannot_be_one_test.go | 0 lints/{ => mozilla}/lint_mp_modulus_must_be_2048_bits_or_more.go | 0 .../lint_mp_modulus_must_be_2048_bits_or_more_test.go | 0 lints/{ => mozilla}/lint_mp_modulus_must_be_divisible_by_8.go | 0 .../{ => mozilla}/lint_mp_modulus_must_be_divisible_by_8_test.go | 0 12 files changed, 0 insertions(+), 0 deletions(-) rename lints/{ => mozilla}/lint_mp_allowed_eku.go (100%) rename lints/{ => mozilla}/lint_mp_allowed_eku_test.go (100%) rename lints/{ => mozilla}/lint_mp_authority_key_identifier_correct.go (100%) rename lints/{ => mozilla}/lint_mp_authority_key_identifier_correct_test.go (100%) rename lints/{ => mozilla}/lint_mp_ecdsa_allowed_algorithm.go (100%) rename lints/{ => mozilla}/lint_mp_ecdsa_allowed_algorithm_test.go (100%) rename lints/{ => mozilla}/lint_mp_exponent_cannot_be_one.go (100%) rename lints/{ => mozilla}/lint_mp_exponent_cannot_be_one_test.go (100%) rename lints/{ => mozilla}/lint_mp_modulus_must_be_2048_bits_or_more.go (100%) rename lints/{ => mozilla}/lint_mp_modulus_must_be_2048_bits_or_more_test.go (100%) rename lints/{ => mozilla}/lint_mp_modulus_must_be_divisible_by_8.go (100%) rename lints/{ => mozilla}/lint_mp_modulus_must_be_divisible_by_8_test.go (100%) diff --git a/lints/lint_mp_allowed_eku.go b/lints/mozilla/lint_mp_allowed_eku.go similarity index 100% rename from lints/lint_mp_allowed_eku.go rename to lints/mozilla/lint_mp_allowed_eku.go diff --git a/lints/lint_mp_allowed_eku_test.go b/lints/mozilla/lint_mp_allowed_eku_test.go similarity index 100% rename from lints/lint_mp_allowed_eku_test.go rename to lints/mozilla/lint_mp_allowed_eku_test.go diff --git a/lints/lint_mp_authority_key_identifier_correct.go b/lints/mozilla/lint_mp_authority_key_identifier_correct.go similarity index 100% rename from lints/lint_mp_authority_key_identifier_correct.go rename to lints/mozilla/lint_mp_authority_key_identifier_correct.go diff --git a/lints/lint_mp_authority_key_identifier_correct_test.go b/lints/mozilla/lint_mp_authority_key_identifier_correct_test.go similarity index 100% rename from lints/lint_mp_authority_key_identifier_correct_test.go rename to lints/mozilla/lint_mp_authority_key_identifier_correct_test.go diff --git a/lints/lint_mp_ecdsa_allowed_algorithm.go b/lints/mozilla/lint_mp_ecdsa_allowed_algorithm.go similarity index 100% rename from lints/lint_mp_ecdsa_allowed_algorithm.go rename to lints/mozilla/lint_mp_ecdsa_allowed_algorithm.go diff --git a/lints/lint_mp_ecdsa_allowed_algorithm_test.go b/lints/mozilla/lint_mp_ecdsa_allowed_algorithm_test.go similarity index 100% rename from lints/lint_mp_ecdsa_allowed_algorithm_test.go rename to lints/mozilla/lint_mp_ecdsa_allowed_algorithm_test.go diff --git a/lints/lint_mp_exponent_cannot_be_one.go b/lints/mozilla/lint_mp_exponent_cannot_be_one.go similarity index 100% rename from lints/lint_mp_exponent_cannot_be_one.go rename to lints/mozilla/lint_mp_exponent_cannot_be_one.go diff --git a/lints/lint_mp_exponent_cannot_be_one_test.go b/lints/mozilla/lint_mp_exponent_cannot_be_one_test.go similarity index 100% rename from lints/lint_mp_exponent_cannot_be_one_test.go rename to lints/mozilla/lint_mp_exponent_cannot_be_one_test.go diff --git a/lints/lint_mp_modulus_must_be_2048_bits_or_more.go b/lints/mozilla/lint_mp_modulus_must_be_2048_bits_or_more.go similarity index 100% rename from lints/lint_mp_modulus_must_be_2048_bits_or_more.go rename to lints/mozilla/lint_mp_modulus_must_be_2048_bits_or_more.go diff --git a/lints/lint_mp_modulus_must_be_2048_bits_or_more_test.go b/lints/mozilla/lint_mp_modulus_must_be_2048_bits_or_more_test.go similarity index 100% rename from lints/lint_mp_modulus_must_be_2048_bits_or_more_test.go rename to lints/mozilla/lint_mp_modulus_must_be_2048_bits_or_more_test.go diff --git a/lints/lint_mp_modulus_must_be_divisible_by_8.go b/lints/mozilla/lint_mp_modulus_must_be_divisible_by_8.go similarity index 100% rename from lints/lint_mp_modulus_must_be_divisible_by_8.go rename to lints/mozilla/lint_mp_modulus_must_be_divisible_by_8.go diff --git a/lints/lint_mp_modulus_must_be_divisible_by_8_test.go b/lints/mozilla/lint_mp_modulus_must_be_divisible_by_8_test.go similarity index 100% rename from lints/lint_mp_modulus_must_be_divisible_by_8_test.go rename to lints/mozilla/lint_mp_modulus_must_be_divisible_by_8_test.go From d4e68e6c23c8bd77f652b508da8867344dcc5a93 Mon Sep 17 00:00:00 2001 From: Daniel Date: Tue, 14 Jan 2020 16:29:12 -0500 Subject: [PATCH 25/40] lints: remove unneeded .gitinclude --- lints/mozilla/.gitinclude | 0 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 lints/mozilla/.gitinclude diff --git a/lints/mozilla/.gitinclude b/lints/mozilla/.gitinclude deleted file mode 100644 index e69de29bb..000000000 From 214a9275440b33d6b081273ad9a8ed1a334f5c47 Mon Sep 17 00:00:00 2001 From: Daniel Date: Tue, 14 Jan 2020 16:49:11 -0500 Subject: [PATCH 26/40] lints/mozilla: fix build breakages from refactoring in master --- lints/mozilla/lint_mp_allowed_eku.go | 11 +++++----- lints/mozilla/lint_mp_allowed_eku_test.go | 19 ++++++++++------- ...int_mp_authority_key_identifier_correct.go | 19 +++++++++-------- ...p_authority_key_identifier_correct_test.go | 13 +++++++----- .../lint_mp_ecdsa_allowed_algorithm.go | 21 ++++++++++--------- .../lint_mp_ecdsa_allowed_algorithm_test.go | 15 +++++++------ .../mozilla/lint_mp_exponent_cannot_be_one.go | 16 ++++++++------ .../lint_mp_exponent_cannot_be_one_test.go | 13 +++++++----- ...nt_mp_modulus_must_be_2048_bits_or_more.go | 16 ++++++++------ ..._modulus_must_be_2048_bits_or_more_test.go | 13 +++++++----- .../lint_mp_modulus_must_be_divisible_by_8.go | 16 ++++++++------ ..._mp_modulus_must_be_divisible_by_8_test.go | 13 +++++++----- 12 files changed, 109 insertions(+), 76 deletions(-) diff --git a/lints/mozilla/lint_mp_allowed_eku.go b/lints/mozilla/lint_mp_allowed_eku.go index d237942c9..4669adfa9 100644 --- a/lints/mozilla/lint_mp_allowed_eku.go +++ b/lints/mozilla/lint_mp_allowed_eku.go @@ -30,6 +30,7 @@ import ( "time" "github.com/zmap/zcrypto/x509" + "github.com/zmap/zlint/lint" "github.com/zmap/zlint/util" ) @@ -43,21 +44,21 @@ func (l *allowedEKU) CheckApplies(c *x509.Certificate) bool { return util.IsSubCA(c) && !util.IsInMozillaRootStore(c) } -func (l *allowedEKU) Execute(c *x509.Certificate) *LintResult { +func (l *allowedEKU) Execute(c *x509.Certificate) *lint.LintResult { if len(c.ExtKeyUsage) == 0 || util.HasEKU(c, x509.ExtKeyUsageAny) || (util.HasEKU(c, x509.ExtKeyUsageEmailProtection) && util.HasEKU(c, x509.ExtKeyUsageServerAuth)) { - return &LintResult{Status: Error} + return &lint.LintResult{Status: lint.Error} } - return &LintResult{Status: Pass} + return &lint.LintResult{Status: lint.Pass} } func init() { - RegisterLint(&Lint{ + lint.RegisterLint(&lint.Lint{ Name: "e_mp_allowed_eku", Description: "Separation of id-kp-serverAuth and id-kp-emailProtection KeyPurposeIds", Citation: "Mozilla Root Store Policy / Section 5.3", - Source: MozillaRootStorePolicy, + Source: lint.MozillaRootStorePolicy, EffectiveDate: time.Date(2019, time.January, 1, 0, 0, 0, 0, time.UTC), Lint: &allowedEKU{}, }) diff --git a/lints/mozilla/lint_mp_allowed_eku_test.go b/lints/mozilla/lint_mp_allowed_eku_test.go index 64c53cad5..1a713d3ce 100644 --- a/lints/mozilla/lint_mp_allowed_eku_test.go +++ b/lints/mozilla/lint_mp_allowed_eku_test.go @@ -17,45 +17,48 @@ package lints import ( "fmt" "testing" + + "github.com/zmap/zlint/lint" + "github.com/zmap/zlint/util" ) func TestAllowedEKUs(t *testing.T) { testCases := []struct { Name string InputFilename string - ExpectedResult LintStatus + ExpectedResult lint.LintStatus }{ { Name: "SubCA with no EKU", InputFilename: "mpSubCAEKUDisallowed1.pem", - ExpectedResult: Error, + ExpectedResult: lint.Error, }, { Name: "SubCA with anyExtendedKeyUsage", InputFilename: "mpSubCAEKUDisallowed2.pem", - ExpectedResult: Error, + ExpectedResult: lint.Error, }, { Name: "SubCA with serverAuth and emailProtection", InputFilename: "mpSubCAEKUDisallowed3.pem", - ExpectedResult: Error, + ExpectedResult: lint.Error, }, { Name: "SubCA with serverAuth EKU", InputFilename: "mpSubCAEKUAllowed.pem", - ExpectedResult: Pass, + ExpectedResult: lint.Pass, }, { Name: "Cross-Certificate with no EKU", InputFilename: "mpCrossCertNoEKU.pem", - ExpectedResult: NA, + ExpectedResult: lint.NA, }, } for _, tc := range testCases { t.Run(tc.Name, func(t *testing.T) { - inputPath := fmt.Sprintf("%s%s", testCaseDir, tc.InputFilename) - result := Lints["e_mp_allowed_eku"].Execute(ReadCertificate(inputPath)) + inputPath := fmt.Sprintf("%s%s", util.TestCaseDir, tc.InputFilename) + result := lint.Lints["e_mp_allowed_eku"].Execute(util.ReadCertificate(inputPath)) if result.Status != tc.ExpectedResult { t.Errorf("expected result %v was %v", tc.ExpectedResult, result.Status) } diff --git a/lints/mozilla/lint_mp_authority_key_identifier_correct.go b/lints/mozilla/lint_mp_authority_key_identifier_correct.go index 25223cfb6..f03b1abb5 100644 --- a/lints/mozilla/lint_mp_authority_key_identifier_correct.go +++ b/lints/mozilla/lint_mp_authority_key_identifier_correct.go @@ -26,6 +26,7 @@ import ( "fmt" "github.com/zmap/zcrypto/x509" + "github.com/zmap/zlint/lint" "github.com/zmap/zlint/util" ) @@ -45,19 +46,19 @@ func (l *authorityKeyIdentifierCorrect) CheckApplies(c *x509.Certificate) bool { return util.IsExtInCert(c, util.AuthkeyOID) } -func (l *authorityKeyIdentifierCorrect) Execute(c *x509.Certificate) *LintResult { +func (l *authorityKeyIdentifierCorrect) Execute(c *x509.Certificate) *lint.LintResult { var keyID keyIdentifier ext := util.GetExtFromCert(c, util.AuthkeyOID) if ext == nil { - return &LintResult{ - Status: Fatal, + return &lint.LintResult{ + Status: lint.Fatal, Details: "certificate is missing Authority Key Identifier extension", } } if _, err := asn1.Unmarshal(ext.Value, &keyID); err != nil { - return &LintResult{ - Status: Fatal, + return &lint.LintResult{ + Status: lint.Fatal, Details: fmt.Sprintf("error unmarshalling authority key identifier extension: %v", err), } } @@ -65,17 +66,17 @@ func (l *authorityKeyIdentifierCorrect) Execute(c *x509.Certificate) *LintResult hasKeyID := len(keyID.KeyIdentifier.Bytes) > 0 hasCertIssuer := len(keyID.AuthorityCertIssuer.Bytes) > 0 if hasKeyID && hasCertIssuer { - return &LintResult{Status: Error} + return &lint.LintResult{Status: lint.Error} } - return &LintResult{Status: Pass} + return &lint.LintResult{Status: lint.Pass} } func init() { - RegisterLint(&Lint{ + lint.RegisterLint(&lint.Lint{ Name: "e_mp_authority_key_identifier_correct", Description: "CAs MUST NOT issue certificates that have authority key IDs that include both the key ID and the issuer's issuer name and serial number", Citation: "Mozilla Root Store Policy / Section 5.2", - Source: MozillaRootStorePolicy, + Source: lint.MozillaRootStorePolicy, EffectiveDate: util.MozillaPolicy22Date, Lint: &authorityKeyIdentifierCorrect{}, }) diff --git a/lints/mozilla/lint_mp_authority_key_identifier_correct_test.go b/lints/mozilla/lint_mp_authority_key_identifier_correct_test.go index e93a3a57c..057d4827e 100644 --- a/lints/mozilla/lint_mp_authority_key_identifier_correct_test.go +++ b/lints/mozilla/lint_mp_authority_key_identifier_correct_test.go @@ -17,30 +17,33 @@ package lints import ( "fmt" "testing" + + "github.com/zmap/zlint/lint" + "github.com/zmap/zlint/util" ) func TestAuthorityKeyIdentifier(t *testing.T) { testCases := []struct { Name string InputFilename string - ExpectedResult LintStatus + ExpectedResult lint.LintStatus }{ { Name: "Authority key ID includes both the key ID and the issuer's name and serial", InputFilename: "mpAuthorityKeyIdentifierIncorrect.pem", - ExpectedResult: Error, + ExpectedResult: lint.Error, }, { Name: "Authority key ID includes the key ID", InputFilename: "mpAuthorityKeyIdentifierCorrect.pem", - ExpectedResult: Pass, + ExpectedResult: lint.Pass, }, } for _, tc := range testCases { t.Run(tc.Name, func(t *testing.T) { - inputPath := fmt.Sprintf("%s%s", testCaseDir, tc.InputFilename) - result := Lints["e_mp_authority_key_identifier_correct"].Execute(ReadCertificate(inputPath)) + inputPath := fmt.Sprintf("%s%s", util.TestCaseDir, tc.InputFilename) + result := lint.Lints["e_mp_authority_key_identifier_correct"].Execute(util.ReadCertificate(inputPath)) if result.Status != tc.ExpectedResult { t.Errorf("expected result %v was %v", tc.ExpectedResult, result.Status) } diff --git a/lints/mozilla/lint_mp_ecdsa_allowed_algorithm.go b/lints/mozilla/lint_mp_ecdsa_allowed_algorithm.go index 7134b7469..c5b33b027 100644 --- a/lints/mozilla/lint_mp_ecdsa_allowed_algorithm.go +++ b/lints/mozilla/lint_mp_ecdsa_allowed_algorithm.go @@ -25,6 +25,7 @@ import ( "math/big" "github.com/zmap/zcrypto/x509" + "github.com/zmap/zlint/lint" "github.com/zmap/zlint/util" ) @@ -84,37 +85,37 @@ func (l *ecdsaAllowedAlgorithm) CheckApplies(c *x509.Certificate) bool { return false } -func (l *ecdsaAllowedAlgorithm) Execute(c *x509.Certificate) *LintResult { +func (l *ecdsaAllowedAlgorithm) Execute(c *x509.Certificate) *lint.LintResult { signKeySize, err := getSigningKeySize(c) if err != nil { - return &LintResult{ - Status: Fatal, + return &lint.LintResult{ + Status: lint.Fatal, Details: "cannot identify signing ECDSA key length", } } switch { case c.SignatureAlgorithm == x509.ECDSAWithSHA256 && signKeySize == 256: - return &LintResult{ - Status: Pass, + return &lint.LintResult{ + Status: lint.Pass, Details: "Detected ECDSAWithSHA256 and 256 bit signing key.", } case c.SignatureAlgorithm == x509.ECDSAWithSHA384 && signKeySize == 384: - return &LintResult{ - Status: Pass, + return &lint.LintResult{ + Status: lint.Pass, Details: "Detected ECDSAWithSHA384 and 384 bit signing key.", } } - return &LintResult{Status: Error} + return &lint.LintResult{Status: lint.Error} } func init() { - RegisterLint(&Lint{ + lint.RegisterLint(&lint.Lint{ Name: "e_mp_ecdsa_allowed_algorithm", Description: "ECDSA keys using one of the following curve-hash pairs: P‐256 with SHA-256, P‐384 with SHA-384", Citation: "Mozilla Root Store Policy / Section 5.1", - Source: MozillaRootStorePolicy, + Source: lint.MozillaRootStorePolicy, EffectiveDate: util.MozillaPolicy24Date, Lint: &ecdsaAllowedAlgorithm{}, }) diff --git a/lints/mozilla/lint_mp_ecdsa_allowed_algorithm_test.go b/lints/mozilla/lint_mp_ecdsa_allowed_algorithm_test.go index b7232b0ce..8f6b2e4fa 100644 --- a/lints/mozilla/lint_mp_ecdsa_allowed_algorithm_test.go +++ b/lints/mozilla/lint_mp_ecdsa_allowed_algorithm_test.go @@ -17,35 +17,38 @@ package lints import ( "fmt" "testing" + + "github.com/zmap/zlint/lint" + "github.com/zmap/zlint/util" ) func TestECDSAAlgorithms(t *testing.T) { testCases := []struct { Name string InputFilename string - ExpectedResult LintStatus + ExpectedResult lint.LintStatus }{ { Name: "Secp384r1 CA with ECDSAwithSHA256", InputFilename: "mpECDSAAlgorithmsDisallowed1.pem", - ExpectedResult: Error, + ExpectedResult: lint.Error, }, { Name: "Secp256r1 CA with ECDSAwithSHA384", InputFilename: "mpECDSAAlgorithmsDisallowed2.pem", - ExpectedResult: Error, + ExpectedResult: lint.Error, }, { Name: "Secp256r1 CA with ECDSAwithSHA256", InputFilename: "mpECDSAAlgorithmsAllowed.pem", - ExpectedResult: Pass, + ExpectedResult: lint.Pass, }, } for _, tc := range testCases { t.Run(tc.Name, func(t *testing.T) { - inputPath := fmt.Sprintf("%s%s", testCaseDir, tc.InputFilename) - result := Lints["e_mp_ecdsa_allowed_algorithm"].Execute(ReadCertificate(inputPath)) + inputPath := fmt.Sprintf("%s%s", util.TestCaseDir, tc.InputFilename) + result := lint.Lints["e_mp_ecdsa_allowed_algorithm"].Execute(util.ReadCertificate(inputPath)) if result.Status != tc.ExpectedResult { t.Errorf("expected result %v was %v", tc.ExpectedResult, result.Status) } diff --git a/lints/mozilla/lint_mp_exponent_cannot_be_one.go b/lints/mozilla/lint_mp_exponent_cannot_be_one.go index 2a6060a82..b3e6438e0 100644 --- a/lints/mozilla/lint_mp_exponent_cannot_be_one.go +++ b/lints/mozilla/lint_mp_exponent_cannot_be_one.go @@ -24,6 +24,7 @@ import ( "crypto/rsa" "github.com/zmap/zcrypto/x509" + "github.com/zmap/zlint/lint" "github.com/zmap/zlint/util" ) @@ -37,25 +38,28 @@ func (l *exponentCannotBeOne) CheckApplies(c *x509.Certificate) bool { return c.PublicKeyAlgorithm == x509.RSA } -func (l *exponentCannotBeOne) Execute(c *x509.Certificate) *LintResult { +func (l *exponentCannotBeOne) Execute(c *x509.Certificate) *lint.LintResult { pubKey, ok := c.PublicKey.(*rsa.PublicKey) if !ok { - return &LintResult{Status: Fatal, Details: "certificate public key was not an RSA public key"} + return &lint.LintResult{ + Status: lint.Fatal, + Details: "certificate public key was not an RSA public key", + } } if pubKey.E == 1 { - return &LintResult{Status: Error} + return &lint.LintResult{Status: lint.Error} } - return &LintResult{Status: Pass} + return &lint.LintResult{Status: lint.Pass} } func init() { - RegisterLint(&Lint{ + lint.RegisterLint(&lint.Lint{ Name: "e_mp_exponent_cannot_be_one", Description: "CAs MUST NOT issue certificates that have invalid public keys (e.g., RSA certificates with public exponent equal to 1)", Citation: "Mozilla Root Store Policy / Section 5.2", - Source: MozillaRootStorePolicy, + Source: lint.MozillaRootStorePolicy, EffectiveDate: util.MozillaPolicy24Date, Lint: &exponentCannotBeOne{}, }) diff --git a/lints/mozilla/lint_mp_exponent_cannot_be_one_test.go b/lints/mozilla/lint_mp_exponent_cannot_be_one_test.go index 4ae173912..62b28302b 100644 --- a/lints/mozilla/lint_mp_exponent_cannot_be_one_test.go +++ b/lints/mozilla/lint_mp_exponent_cannot_be_one_test.go @@ -17,30 +17,33 @@ package lints import ( "fmt" "testing" + + "github.com/zmap/zlint/lint" + "github.com/zmap/zlint/util" ) func TestExponentCannotBeOne(t *testing.T) { testCases := []struct { Name string InputFilename string - ExpectedResult LintStatus + ExpectedResult lint.LintStatus }{ { Name: "Certificate with exponent equal to 0x1", InputFilename: "mpExponent1.pem", - ExpectedResult: Error, + ExpectedResult: lint.Error, }, { Name: "Certificate with exponent equal to 0x10001", InputFilename: "mpExponent10001.pem", - ExpectedResult: Pass, + ExpectedResult: lint.Pass, }, } for _, tc := range testCases { t.Run(tc.Name, func(t *testing.T) { - inputPath := fmt.Sprintf("%s%s", testCaseDir, tc.InputFilename) - result := Lints["e_mp_exponent_cannot_be_one"].Execute(ReadCertificate(inputPath)) + inputPath := fmt.Sprintf("%s%s", util.TestCaseDir, tc.InputFilename) + result := lint.Lints["e_mp_exponent_cannot_be_one"].Execute(util.ReadCertificate(inputPath)) if result.Status != tc.ExpectedResult { t.Errorf("expected result %v was %v", tc.ExpectedResult, result.Status) } diff --git a/lints/mozilla/lint_mp_modulus_must_be_2048_bits_or_more.go b/lints/mozilla/lint_mp_modulus_must_be_2048_bits_or_more.go index 12122e388..6fd5da06d 100644 --- a/lints/mozilla/lint_mp_modulus_must_be_2048_bits_or_more.go +++ b/lints/mozilla/lint_mp_modulus_must_be_2048_bits_or_more.go @@ -23,6 +23,7 @@ import ( "crypto/rsa" "github.com/zmap/zcrypto/x509" + "github.com/zmap/zlint/lint" "github.com/zmap/zlint/util" ) @@ -36,25 +37,28 @@ func (l *modulus2048OrMore) CheckApplies(c *x509.Certificate) bool { return c.PublicKeyAlgorithm == x509.RSA } -func (l *modulus2048OrMore) Execute(c *x509.Certificate) *LintResult { +func (l *modulus2048OrMore) Execute(c *x509.Certificate) *lint.LintResult { pubKey, ok := c.PublicKey.(*rsa.PublicKey) if !ok { - return &LintResult{Status: Fatal, Details: "certificate public key was not an RSA public key"} + return &lint.LintResult{ + Status: lint.Fatal, + Details: "certificate public key was not an RSA public key", + } } if bitLen := pubKey.N.BitLen(); bitLen < 2048 { - return &LintResult{Status: Error} + return &lint.LintResult{Status: lint.Error} } - return &LintResult{Status: Pass} + return &lint.LintResult{Status: lint.Pass} } func init() { - RegisterLint(&Lint{ + lint.RegisterLint(&lint.Lint{ Name: "e_mp_modulus_must_be_2048_bits_or_more", Description: "RSA keys must have modulus size of at least 2048 bits", Citation: "Mozilla Root Store Policy / Section 5.1", - Source: MozillaRootStorePolicy, + Source: lint.MozillaRootStorePolicy, EffectiveDate: util.MozillaPolicy24Date, Lint: &modulus2048OrMore{}, }) diff --git a/lints/mozilla/lint_mp_modulus_must_be_2048_bits_or_more_test.go b/lints/mozilla/lint_mp_modulus_must_be_2048_bits_or_more_test.go index 88de81f92..8e455b6d8 100644 --- a/lints/mozilla/lint_mp_modulus_must_be_2048_bits_or_more_test.go +++ b/lints/mozilla/lint_mp_modulus_must_be_2048_bits_or_more_test.go @@ -17,30 +17,33 @@ package lints import ( "fmt" "testing" + + "github.com/zmap/zlint/lint" + "github.com/zmap/zlint/util" ) func TestModulus2048OrMore(t *testing.T) { testCases := []struct { Name string InputFilename string - ExpectedResult LintStatus + ExpectedResult lint.LintStatus }{ { Name: "Certificate with less than 2048 bit rsa key modulus length", InputFilename: "mpModulus1024.pem", - ExpectedResult: Error, + ExpectedResult: lint.Error, }, { Name: "Certificate with rsa key modulus length equal to 2048", InputFilename: "mpModulus2048.pem", - ExpectedResult: Pass, + ExpectedResult: lint.Pass, }, } for _, tc := range testCases { t.Run(tc.Name, func(t *testing.T) { - inputPath := fmt.Sprintf("%s%s", testCaseDir, tc.InputFilename) - result := Lints["e_mp_modulus_must_be_2048_bits_or_more"].Execute(ReadCertificate(inputPath)) + inputPath := fmt.Sprintf("%s%s", util.TestCaseDir, tc.InputFilename) + result := lint.Lints["e_mp_modulus_must_be_2048_bits_or_more"].Execute(util.ReadCertificate(inputPath)) if result.Status != tc.ExpectedResult { t.Errorf("expected result %v was %v", tc.ExpectedResult, result.Status) } diff --git a/lints/mozilla/lint_mp_modulus_must_be_divisible_by_8.go b/lints/mozilla/lint_mp_modulus_must_be_divisible_by_8.go index f1420e617..391c90ffe 100644 --- a/lints/mozilla/lint_mp_modulus_must_be_divisible_by_8.go +++ b/lints/mozilla/lint_mp_modulus_must_be_divisible_by_8.go @@ -23,6 +23,7 @@ import ( "crypto/rsa" "github.com/zmap/zcrypto/x509" + "github.com/zmap/zlint/lint" "github.com/zmap/zlint/util" ) @@ -36,25 +37,28 @@ func (l *modulusDivisibleBy8) CheckApplies(c *x509.Certificate) bool { return c.PublicKeyAlgorithm == x509.RSA } -func (l *modulusDivisibleBy8) Execute(c *x509.Certificate) *LintResult { +func (l *modulusDivisibleBy8) Execute(c *x509.Certificate) *lint.LintResult { pubKey, ok := c.PublicKey.(*rsa.PublicKey) if !ok { - return &LintResult{Status: Fatal, Details: "certificate public key was not an RSA public key"} + return &lint.LintResult{ + Status: lint.Fatal, + Details: "certificate public key was not an RSA public key", + } } if bitLen := pubKey.N.BitLen(); (bitLen % 8) != 0 { - return &LintResult{Status: Error} + return &lint.LintResult{Status: lint.Error} } - return &LintResult{Status: Pass} + return &lint.LintResult{Status: lint.Pass} } func init() { - RegisterLint(&Lint{ + lint.RegisterLint(&lint.Lint{ Name: "e_mp_modulus_must_be_divisible_by_8", Description: "RSA keys must have a modulus size divisible by 8", Citation: "Mozilla Root Store Policy / Section 5.1", - Source: MozillaRootStorePolicy, + Source: lint.MozillaRootStorePolicy, EffectiveDate: util.MozillaPolicy24Date, Lint: &modulusDivisibleBy8{}, }) diff --git a/lints/mozilla/lint_mp_modulus_must_be_divisible_by_8_test.go b/lints/mozilla/lint_mp_modulus_must_be_divisible_by_8_test.go index 9d73d0ecd..72b25f8ca 100644 --- a/lints/mozilla/lint_mp_modulus_must_be_divisible_by_8_test.go +++ b/lints/mozilla/lint_mp_modulus_must_be_divisible_by_8_test.go @@ -17,30 +17,33 @@ package lints import ( "fmt" "testing" + + "github.com/zmap/zlint/lint" + "github.com/zmap/zlint/util" ) func TestModulusDivisibleBy8(t *testing.T) { testCases := []struct { Name string InputFilename string - ExpectedResult LintStatus + ExpectedResult lint.LintStatus }{ { Name: "Certificate with rsa key modulus length not divisible by 8", InputFilename: "mpModulus4095.pem", - ExpectedResult: Error, + ExpectedResult: lint.Error, }, { Name: "Certificate with rsa key modulus length equal to 2048", InputFilename: "mpModulus2048.pem", - ExpectedResult: Pass, + ExpectedResult: lint.Pass, }, } for _, tc := range testCases { t.Run(tc.Name, func(t *testing.T) { - inputPath := fmt.Sprintf("%s%s", testCaseDir, tc.InputFilename) - result := Lints["e_mp_modulus_must_be_divisible_by_8"].Execute(ReadCertificate(inputPath)) + inputPath := fmt.Sprintf("%s%s", util.TestCaseDir, tc.InputFilename) + result := lint.Lints["e_mp_modulus_must_be_divisible_by_8"].Execute(util.ReadCertificate(inputPath)) if result.Status != tc.ExpectedResult { t.Errorf("expected result %v was %v", tc.ExpectedResult, result.Status) } From 727ef34dcca655f9618e51f3d0c33e4c5b2801ea Mon Sep 17 00:00:00 2001 From: Daniel Date: Tue, 14 Jan 2020 17:04:33 -0500 Subject: [PATCH 27/40] lint: add src link for MozillaRootStorePolicy --- lint/base.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lint/base.go b/lint/base.go index c8eef1477..06a78313e 100644 --- a/lint/base.go +++ b/lint/base.go @@ -58,8 +58,8 @@ const ( AWSLabs EtsiEsi // ETSI - Electronic Signatures and Infrastructures (ESI) CABFEVGuidelines - AppleCTPolicy // https://support.apple.com/en-us/HT205280 - MozillaRootStorePolicy + AppleCTPolicy // https://support.apple.com/en-us/HT205280 + MozillaRootStorePolicy // https://github.com/mozilla/pkipolicy ) // LintSources contains a list of the valid lint sources we expect to be used From aa1390e451394034b0f1296e330c2a2d296f461c Mon Sep 17 00:00:00 2001 From: Daniel Date: Tue, 14 Jan 2020 17:06:09 -0500 Subject: [PATCH 28/40] zlint: run Mozilla lints --- zlint.go | 1 + 1 file changed, 1 insertion(+) diff --git a/zlint.go b/zlint.go index 199b1dd85..1bc74f3c8 100644 --- a/zlint.go +++ b/zlint.go @@ -29,6 +29,7 @@ import ( _ "github.com/zmap/zlint/lints/cabf_ev" _ "github.com/zmap/zlint/lints/community" _ "github.com/zmap/zlint/lints/etsi" + _ "github.com/zmap/zlint/lints/mozilla" _ "github.com/zmap/zlint/lints/rfc" ) From 99d713d5f883afcb48dd6c3b0de1445bddc276c0 Mon Sep 17 00:00:00 2001 From: Daniel Date: Tue, 14 Jan 2020 17:14:11 -0500 Subject: [PATCH 29/40] util: remove IsInMozillaRootStore and assoc. data. We'll return to this requirement in a subsequent PR when the tooling to generate the data can be reviewed and automated. --- util/mozilla_trusted_roots.go | 36 ------ util/mozilla_trusted_roots_data.go | 172 ----------------------------- util/mozilla_trusted_roots_test.go | 130 ---------------------- 3 files changed, 338 deletions(-) delete mode 100644 util/mozilla_trusted_roots.go delete mode 100644 util/mozilla_trusted_roots_data.go delete mode 100644 util/mozilla_trusted_roots_test.go diff --git a/util/mozilla_trusted_roots.go b/util/mozilla_trusted_roots.go deleted file mode 100644 index 60713aa7a..000000000 --- a/util/mozilla_trusted_roots.go +++ /dev/null @@ -1,36 +0,0 @@ -/* - * ZLint Copyright 2018 Regents of the University of Michigan - * - * Licensed under the Apache License, Version 2.0 (the "License"); you may not - * use this file except in compliance with the License. You may obtain a copy - * of the License at http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or - * implied. See the License for the specific language governing - * permissions and limitations under the License. - */ - -package util - -import ( - "crypto/sha256" - "encoding/hex" - - "github.com/zmap/zcrypto/x509" -) - -// IsInMozillaRootStore checks whether the SPKI of a certificate is trusted -// by Mozilla. -func IsInMozillaRootStore(cert *x509.Certificate) bool { - spki := sha256.Sum256(cert.RawSubjectPublicKeyInfo) - encSPKI := hex.EncodeToString(spki[:]) - for _, s := range mozillaTrustedSPKIs { - if s == encSPKI { - return true - } - } - - return false -} diff --git a/util/mozilla_trusted_roots_data.go b/util/mozilla_trusted_roots_data.go deleted file mode 100644 index 5c2c1712e..000000000 --- a/util/mozilla_trusted_roots_data.go +++ /dev/null @@ -1,172 +0,0 @@ -// Code generated by go generate; DO NOT EDIT. -// This file was generated by zlint-mozilla-trusted-roots-update. - -/* - * ZLint Copyright 2018 Regents of the University of Michigan - * - * Licensed under the Apache License, Version 2.0 (the "License"); you may not - * use this file except in compliance with the License. You may obtain a copy - * of the License at http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or - * implied. See the License for the specific language governing - * permissions and limitations under the License. - */ - -package util - -var mozillaTrustedSPKIs = []string{ - "2bcee858158cf5465fc9d76f0dfa312fef25a4dca8501da9b46b67d1fbfa1b64", - "8a27b5557b4bec7cc0305fbf3d53d1f71cd3f34910c5d65e27ecddb82077ba3d", - "22076e5aef44bb9a416a28b7d1c44322d7059f60feffa5caf6c5be8447891303", - "7006a38311e58fb193484233218210c66125a0e4a826aed539ac561dfbfbd903", - "495a96ba6bad782407bd521a00bace657bb355555e4bb7f8146c71bba57e7ace", - "1ea3c5e43ed66c2da2983a42a4a79b1e906786ce9f1b58621419a00463a87d38", - "63d9af9b47b1064d49a10e7b7fd566dbc8caa399459bfc2829c571ad8c6ef34a", - "052b687107ec84e8730382452ec2a27451745d7485a57d6f464e0da7a1b6af2a", - "942a6916a6e4ae527711c5450247a2a74fb8e156a8254ca66e739a11493bb445", - "6dbfae00d37b9cd73f8fb47de65917af00e0dddf42dbceac20c17c0275ee2095", - "87af34d66fb3f2fdf36e09111e9aba2f6f44b207f3863f3d0b54b25023909aa5", - "9699225c5de52e56cdd32df2e96d1cfea5aa3ca0bb52cd8933c23b5c27443820", - "7caa03465124590c601e567e52148e952c0cffe89000530fe0d95b6d50eaae41", - "9736ac3b25d16c45a45418a964578156480a8cc434541ddc5dd59233229868de", - "bd153ed7b0434f6886b17bce8bbe84ed340c7132d702a8f4fa318f756ecbd6f3", - "be3db7b79bfe579dcf9b07ca4cad75aff16975568e5b45cfcae4d61fb63175a8", - "8fd112c3c8370f147d5ccd3a7d865eb8dd540783bac69fc60088e3743ff33378", - "0c7acaa710226720bbc940349ee2e6148652a89dbf406a232c895f6dc78ebb9a", - "2a4212605aa3e8aecb0fc19806cf3b40b53b95f1a34dbbd6e3ed27230324abb3", - "d2a5f32f0e01b910ef4e3b46bf84e5af5fb5689e7d1507e929e368ac88c6cc76", - "8a2affbd1a1c5d1bdccbb7f548ba995f966806b3fd0c3a00fae2e52f3c853989", - "4eada9b5311e718199d98ea82b95005cba93198ab1f97efcbe8dc6201628f8af", - "051cf9fa95e40e9b83edaeda6961f6168c7879c4660172479cdd51ab03cea62b", - "5632d97bfa775bf3c99ddea52fc2553410864016729c52dd6524c8a9c3b4489f", - "15f14ac45c9c7da233d3479164e8137fe35ee0f38ae858183f08410ea82ac4b4", - "a81293445db196a2030f9e455fe3c74a9a4f8317b02b01406027a8708174434c", - "23f2edff3ede90259a9e30f40af8f912a5e5b3694e6938440341f6060e014ffa", - "aff988906dde12955d9bebbf928fdcc31cce328d5b9384f21c8941ca26e20391", - "5a889647220e54d6bd8a16817224520bb5c78e58984bd570506388b9de0f075f", - "563b3caf8cfef34c2335caf560a7a95906e8488462eb75ac59784830df9e5b2b", - "2a8bed32ae680d2d187b9a7afd171d83fd0b935eaf9e2c1b43e80278d2063e39", - "40fcfc28875dccbfebcbdf6cd7433312da63c4efcf3bd7b1b505c22020ae0274", - "9318226f8c83afe47f5f47c24f59ce12dba8c73b181bee6b2ea1f40a06bc1869", - "4905466623ab4178be92ac5cbd6584f7a1e17f27652d5a85af89504ea239aaaa", - "1d75d0831b9e0885394d32c7a1bfdb3dbc1c28e2b0e8391fb135981dbc5ba936", - "25b41b506e4930952823a6eb9f1d31def645ea38a5c6c6a96d71957e384df058", - "77290717614b25f12964ebdb38b5f83caadc0f6c36b0777f880fc6dee1d339cc", - "2596904dc4d699ae20c2cef4dce47f285937d77464ac370746f52dea76ba0c28", - "006d7be7555dd82026442c4f1a27a80e89a1989cb87b34448ed2194c18196d5e", - "32d180ed31c935589ec9dbbb722123b883b5fc2dc10f9fca3a95d77e1bfcb534", - "e7ca91bbfbb18788057b3a8070446ea5291160194102f7dcc3b9848c63cb9cd5", - "ce24eb0626defd8168c96a7701f09301600fe5dd0dbce58e9c97b830af02ef28", - "510d20e5c47f63cf666b20f61af62bc099a42ac824ffa443a2da7c90b1808a91", - "7e8782c150ce3952f802e636023a5d3e95bb5d68e33e85adb2ba178125cebf15", - "62554c17005543b237215f04268dcd2fd1c470240ad3c8660e25ae2c59630f55", - "dbc1e3a15238a0483bcdb8fdec616e03e705a48e2a501157cadf3b9c7311c5e5", - "ab98495276adf1ecaff28f35c53048781e5c1718dab9c8e67a504f4f6a51328f", - "67dc4f32fa10e7d01a79a073aa0c9e0212ec2ffc3d779e0aa7f9c0f0e1c2c893", - "1906c6124dbb438578d00e066d5054c6c37f0fa6028c05545e0994eddaec8629", - "bcfb44aab9ad021015706b4121ea761c81c9e88967590f6f94ae744dc88b78fb", - "967b0cd93fcef7f27ce2c245767ae9b05a776b0649f9965b6290968469686872", - "5192438ec369d7ee0ce71f5c6db75f941efbf72e58441715e99eab04c2c8acee", - "f48badd7df6a06690d0ae31373b12855f8dedb14517f362a313101cc98cc6b35", - "05e77ef1fdfe05e2dca522cae64d8379a041b7b4f16c7cae36067a7f72a14872", - "36c22314131a5fbf1b70ea4ccf4bc13a777d938ec65e1da24e3c2cfd01d3d163", - "bb4128ec9620f2d2a49ce8e2c4e257aebad93a0f11c56b5fa4b00e23759fa39d", - "616167201433aea6c8e5e3070afcaf6749188f814bd1abb179ae8dad3abf26ec", - "706bb1017c855c59169bad5c1781cf597f12d2cad2f63d1a4aa37493800ffb80", - "3b0d73b4be4a854adc3e51d7ef9fa48aefbb2cdd824d67bdc7d7d09a2abc2d43", - "952c2039c0243eb515dd73d83fc3643184874feb0862a9837731ed9b4742e17a", - "ced43902ab5fb57b442322dc0e172a4fb55f7178b808f94e780a6fd6cc6bd818", - "927a1b8562280576d048c50321ada43d8703d2d9521a18c28b8c46cc6aae4efd", - "2a8f2d8af0eb123898f74c866ac3fa669054e23c17bc7a95bd0234192dc635d0", - "808d68b3fab4884a5f971ace7d10550d7a95a163774f3ec36afffb213fbe4c74", - "2b071c59a0a0ae76b0eadb2bad23bad4580b69c3601b630c2eaf0613afa83f92", - "6c464b9a5b233a5e874da765c26f045010d2ddcff45794f0b4c7e4aafa501495", - "94072ad3f58f70f93098e5a5f6c04c96c710bd849d83184919ae90eb890ae400", - "c7f43b4cf5b71568294f822b53762605f6ddd15cadece739e9e2c3cba61e9d67", - "3219b09114ff495a3eb6eb00c2efeab34002ae5f0a56c7679ea087a3fa037e4f", - "aa2630a7b617b04d0a294bab7a8caaa5016e6dbe604837a83a85719fab667eb5", - "92c46879626ef2cc1ecea50c72fb5e385844095f21cbf3b283cb82e6b9fc6a58", - "a903af8c07bb91b0d9e3f3a30c6d53339fc5bd47e5d6bdb476598860c068a024", - "7e7058ea35ad4359654159973f560187f16d19c514b939c5055672d1d2a518ac", - "3380709af3b096be3cc2a40548142c0a520028db09e2cb77ae2206616ab6cbb4", - "b21d2a743318712ba16f39919d961a4bafba3bca9a43a75b1fcfe22c5d70caba", - "1a7a3a1a68dd2361e3f3bb855f3b26fcd88b197d8dd4de06cf1b362ac89ec13b", - "25d4913cf587097414d29d26f6c1b1942cd6d64eaf45d0fcf81526adba96d324", - "a87443b3d896eb257ccce99b95ada9bc81b9db4e3142aa9a99af0942cb0a4a3a", - "5955ae291574a931342cf7450e16652ede1e0fb3097e1571dfac11c915601564", - "b03d87b056d08cc9d4e675ef19ca83ab53532168a8258598be72e6d85c7dd7c1", - "8d767764b3cbda08929d072a22a561f4dcdd1bc57d3cbddc948c47d2b47f9122", - "56174d3ad971a8944964b189811f3008493a6a90422e3c5804ec838d4f94f622", - "eca0f181402ce7a8652b31b4d036df247e3a30b7f41a50d91ec4f90b006b43a1", - "ff342fb6c4c8bd30a4706f73489539f19e6e48cc05f46254654f6610dbc540e9", - "702116ccd8bf23e16466f0e0dba0ed6a239a9c1cd6a8f5a66b39af3595020385", - "05570ae6eb0fceb4210e6db79486b7094caf200401e149b6677441b5f25e449b", - "c444b5b66ce5d71e1b5e40f27385c95cbfd24a05b56f70cac0992f0f50c3379c", - "10ba3485ca8bb6880ab9531a4063e4001555561c7f2e055165f49b2d74fc5f6b", - "c1ad1b1898ec395048df070bfa217e25c913bed8ca6b73de085528846a0103c1", - "6106c0e3a0a299831875127bd7d3cc1859803d511cac11eb6e0840dd166fc10e", - "e5ca37bc7b6c361979bc6b123ca9a1db019046d7ff5f57dfb854b19d10b0682f", - "86a68f050034126a540d39db2c5f917ef66a94fb9619fa1ecd827cea46ba0cb0", - "4a49edbd2f8f8230bd5592b313573fe1c172a45fa98011cc1eddbb36ade3fce5", - "f3438e23b3ce532522facf307923f58fd18608e9ba7addc30e952b43c49616c3", - "f1c6ba670cfc88e4df52973cae420f0a089dd474144fe5806c420064e1591229", - "15eed339594b304f8cf847b477371d8d6fec61f4db2b01af589e7c53b35cae4c", - "8bb593a93be1d0e8a822bb887c547890c3e706aad2dab76254f97fb36b82fc26", - "b94c198300cec5c057ad0727b70bbe91816992256439a7b32f4598119dda9c97", - "59df317bfa9f4f0ab7ca514d7772296aa2c765b87664d08b96e57399e364729c", - "82b5f84daf47a59c7ab521e4982aefa40a53406a3aec26039efa6b2e0e7244c1", - "c784333d20bcd742b9fdc3236f4e509b8937070e73067e254dd3bf9c45bf4dde", - "2021917e98263945c859c43f1d73cb4139053c414fa03ca3bc7ee88614298f3b", - "08b3a6335fce5ef48f8f0e543986c07fd18a3b1226129f61864bbd5bdd1f1cc9", - "7e0ead76bb6819dc2f54511a84354f6e8b307b9dd82058ea6c004f01d9dda5df", - "4223894003a881c5df6bab163db235c221a18d54bf759945820e670da82e3f39", - "951ee046fa83316e6786c08c44f13b4ca2ead2d2644d63314391c0cc70887d0d", - "07e854f26a7cbd389927aa041bfef1b6cd21dd143818ad947dc655a9e587fe88", - "58dd61feb36ea7d258724371709149cb121337864cacb2d0999ad20739d06477", - "76ee8590374c715437bbca6bba6028eadde2dc6dbbb8c3f610e851f11d1ab7f5", - "fea2b7d645fba73d753c1ec9a7870c40e1f7b0c561e927b985bf711866e36f22", - "dd5ed1c090f9f448061baa94a6bb11017544e9eefaa20cc714ce6c633f5dc629", - "149f2ee63b9a5e5803240a770dc991fc2e3445e62831c245a49bc4f1f738ff9c", - "6e364b6133deefdcbb21273c5f445a20afbc05038d5b021c0c2153039016345b", - "6b3b57e9ec88d1bb3d01637ff33c7698b3c9758255e9f01ea9178f3e7f3b2b52", - "50cc86ba96db3263c79a43ead07553d9f56659e6907e72d8c026637a1cdc85dc", - "bb52086d0639e8db332775ac8f4e8435d92ceb00f4e24f28fc0eabe240772e80", - "0b9fa5a59eed715c26c1020c711b4f6ec42d58b0015e14337a39dad301c5afc3", - "2fc5667a4b9a2678ed6ac6ad25465fcbf6094bfcd9504097c7a8fa47ade5e888", - "fbe3018031f9586bcbf41727e417b7d1c45c2f47f93be372a17b96b50757d5a2", - "7f4296fc5b6a4e3b35d3c369623e364ab1af381d8fa7121533c9d6c633ea2461", - "36abc32656acfc645c61b71613c4bf21c787f5cabbee48348d58597803d7abc9", - "f7ecded5c66047d28ed6466b543c40e0743abe81d109254dcf845d4c2c7853c5", - "b738290cc08547e79ac67f831ebb33547c4e7db4514e2d2988c23c441340eb41", - "d2f91a04e3a61d4ead7848c8d43b5e1152d885727489bc65738b67c0a22785a7", - "af207c61fd9c7cf92c2afe8154282dc3f2cbf32f75cd172814c52b03b7ebc258", - "31512680233f5f2a1f29437f56d4988cf0afc41cc6c5da6275928e9c0beade27", - "3027a298fa57314dc0e3dd1019411b8f404c43c3f934ce3bdf856512c80aa15c", - "d49c6f289cd056519492480f192f00a6fc7c1862dab2e7b5d8e05f6678fae141", - "55e00be277ceb0545299f24fd9f877e2acf32852db43ffcd29bca74b39b4c9fa", - "ceb19411c65052c757f941eb826c96941e4d08d096c7db7e7ea3c4f8c13f1a13", - "ea87f462deefffbd7775aa2a4b7e0fcb91c22eee6df69ed90100ccc73b311476", - "c63d68c648a18b77641c427a669d61c9768a55f4fcd0322eac96c57700299cf1", - "7afe4b071a2f1f46f8ba944a26d584d5960b92fb48c3ba1b7cab84905f32aacd", - "d1c45377ebdcd618cd1651dc2e02c21d751e5aa9fcd1b3431ff6ecf6a31348fa", - "a320f4d534d7be97c1ae8dd0499735bc895c323add2d388bfccf662c23d7f99a", - "7cd67c248f69d83fc2f9bb01dcb1f7ad67a363d046043796d0984c3a231f6bb0", - "348767cdad3bdd28b2b8dd5351aec30c68cec5cd69d276df3827dbc4f5806464", - "682747f8ba621b87cdd3bc295ed5cabce722a1c0c0363d1d68b38928d2787f1e", - "fd371bea9755ff60c8828c849b8e5215de532d61b009855fa0ad630d90eef82e", - "871a9194f4eed5b312ff40c84c1d524aed2f778bbff25f138cf81f680a7adc67", - "55f77de41c03792428f8d518c55104225be43a5598d926a528ad653e1ccec7bf", - "4179edd981ef747477b49626408af43daa2ca7ab7f9e082c1060f84096774348", - "9847e5653e5e9e847516e5cb818606aa7544a19be67fd7366d506988e8d84347", - "1255cabe8152fa64df942f7a47417e29f96c1ce11bf8c84ecbe2815cc1280810", - "5c41a73ab2c35dfcd771f6fd6e3e8fac9b469d386cadda56a95b646eb48cca34", - "8e8046ec4cac015a507ce0d2d0154a4b40e8e42b3165cfa546571435112d17e5", - "376a1a7082a593dccc20d561d119e9ab8d30f11cc321d0a37fa41f0df284e01c", - "8d417db2dd8bf5e3084d1e3f196d583849d81bdd4c00c70b9d39369e96b8c782", - "b7408b4d2be0238ba37004dd34e276c6019bd2f24c9db7d4980f5f6c359a4bcc", - "eabc185c4e82d942b1a5978ba3c0181487d6b3b9974e5c49f72f6d0bd9637150", - "2541e53ba5b3b07acbe7097ac4a03e040c11cf7a6d4a67cb213d558b50167a06", -} diff --git a/util/mozilla_trusted_roots_test.go b/util/mozilla_trusted_roots_test.go deleted file mode 100644 index 9e192894a..000000000 --- a/util/mozilla_trusted_roots_test.go +++ /dev/null @@ -1,130 +0,0 @@ -/* - * ZLint Copyright 2018 Regents of the University of Michigan - * - * Licensed under the Apache License, Version 2.0 (the "License"); you may not - * use this file except in compliance with the License. You may obtain a copy - * of the License at http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or - * implied. See the License for the specific language governing - * permissions and limitations under the License. - */ - -package util - -import ( - "encoding/pem" - "fmt" - "testing" - - "github.com/zmap/zcrypto/x509" -) - -var testCertificates = []string{ - `-----BEGIN CERTIFICATE----- -MIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAw -TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh -cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTUwNjA0MTEwNDM4 -WhcNMzUwNjA0MTEwNDM4WjBPMQswCQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJu -ZXQgU2VjdXJpdHkgUmVzZWFyY2ggR3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBY -MTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK3oJHP0FDfzm54rVygc -h77ct984kIxuPOZXoHj3dcKi/vVqbvYATyjb3miGbESTtrFj/RQSa78f0uoxmyF+ -0TM8ukj13Xnfs7j/EvEhmkvBioZxaUpmZmyPfjxwv60pIgbz5MDmgK7iS4+3mX6U -A5/TR5d8mUgjU+g4rk8Kb4Mu0UlXjIB0ttov0DiNewNwIRt18jA8+o+u3dpjq+sW -T8KOEUt+zwvo/7V3LvSye0rgTBIlDHCNAymg4VMk7BPZ7hm/ELNKjD+Jo2FR3qyH -B5T0Y3HsLuJvW5iB4YlcNHlsdu87kGJ55tukmi8mxdAQ4Q7e2RCOFvu396j3x+UC -B5iPNgiV5+I3lg02dZ77DnKxHZu8A/lJBdiB3QW0KtZB6awBdpUKD9jf1b0SHzUv -KBds0pjBqAlkd25HN7rOrFleaJ1/ctaJxQZBKT5ZPt0m9STJEadao0xAH0ahmbWn -OlFuhjuefXKnEgV4We0+UXgVCwOPjdAvBbI+e0ocS3MFEvzG6uBQE3xDk3SzynTn -jh8BCNAw1FtxNrQHusEwMFxIt4I7mKZ9YIqioymCzLq9gwQbooMDQaHWBfEbwrbw -qHyGO0aoSCqI3Haadr8faqU9GY/rOPNk3sgrDQoo//fb4hVC1CLQJ13hef4Y53CI -rU7m2Ys6xt0nUW7/vGT1M0NPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNV -HRMBAf8EBTADAQH/MB0GA1UdDgQWBBR5tFnme7bl5AFzgAiIyBpY9umbbjANBgkq -hkiG9w0BAQsFAAOCAgEAVR9YqbyyqFDQDLHYGmkgJykIrGF1XIpu+ILlaS/V9lZL -ubhzEFnTIZd+50xx+7LSYK05qAvqFyFWhfFQDlnrzuBZ6brJFe+GnY+EgPbk6ZGQ -3BebYhtF8GaV0nxvwuo77x/Py9auJ/GpsMiu/X1+mvoiBOv/2X/qkSsisRcOj/KK -NFtY2PwByVS5uCbMiogziUwthDyC3+6WVwW6LLv3xLfHTjuCvjHIInNzktHCgKQ5 -ORAzI4JMPJ+GslWYHb4phowim57iaztXOoJwTdwJx4nLCgdNbOhdjsnvzqvHu7Ur -TkXWStAmzOVyyghqpZXjFaH3pO3JLF+l+/+sKAIuvtd7u+Nxe5AW0wdeRlN8NwdC -jNPElpzVmbUq4JUagEiuTDkHzsxHpFKVK7q4+63SM1N95R1NbdWhscdCb+ZAJzVc -oyi3B43njTOQ5yOf+1CceWxG1bQVs5ZufpsMljq4Ui0/1lvh+wjChP4kqKOJ2qxq -4RgqsahDYVvTH9w7jXbyLeiNdd8XM2w9U/t7y0Ff/9yi0GE44Za4rF2LN9d11TPA -mRGunUHBcnWEvgJBQl9nJEiU0Zsnvgc/ubhPgXRR4Xq37Z0j4r7g1SgEEzwxA57d -emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc= ------END CERTIFICATE-----`, - `-----BEGIN CERTIFICATE----- -MIIF7DCCA9SgAwIBAgIBATANBgkqhkiG9w0BAQsFADCBhjELMAkGA1UEBhMCVVMx -EzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xEzAR -BgNVBAoMCkJvZ3VzIEluYy4xEzARBgNVBAsMCk9wZXJhdGlvbnMxIDAeBgNVBAMM -F1psaW50IFVudHJ1c3RlZCBSb290IENBMB4XDTE5MTAwNjEwMjk0NFoXDTI5MTAw -NTEwMjk0NFowgYYxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYw -FAYDVQQHDA1TYW4gRnJhbmNpc2NvMRMwEQYDVQQKDApCb2d1cyBJbmMuMRMwEQYD -VQQLDApPcGVyYXRpb25zMSAwHgYDVQQDDBdabGludCBVbnRydXN0ZWQgUm9vdCBD -QTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAL8ZZwrK4M0GObP7q9gS -by+h2klwZaShOYaYpYUjbFv9nyrjZXUrEJvUFOhBOmjegtyYcL3rFkcRa4zUIXez -W+myfyThWM94SUAqiFS/hJ74y671+r5zd2T2dBwe04kQn52+q4qEXovkQGD5adT3 -CFVq9o8wc249h4Warz+yg9GcDGU+eOKFLOEDo64bU2UCggIGyVeL1dSviSuUhiG6 -IkoFCF1oURo3IqM6/zg9RDvYeBk0/qU4hXcLtqIZ4KX/RP1XVMSEzKcFWjo/jsyM -NFe1BtCFWQn66shHemJ4s6pzaUqdHeIk7hhHtgRWf12msCclGu3cTnTgK4n900Vf -vm+M81rtWMYggE5hEBqIdjhROYr2APmZ4Z0SVyqk1t45C5V5C6YKnXLJoQz94zSq -kfRM05245nr0xW9Vcs/pph5GoJ/tUoryJzxK4iKSvMWLc23tanDYhpiEkyIAUdCw -Qa+8X6dQ6ysk3E6p7jdhRn84Odl3vi8w8ntSqP4g2u9fIkkig39+LAiboeNCbAAD -3N7ZiarOsHobW/hl6ZpG3sPlW+bLVtrovWSIgH8hOAq75BhQjm+u8QqdgoyRBBfN -kUeqrWLK8vDr3H8yxMk9Le5gTHzHEwSFvH5jNcTgQg+GNceVRLCU+O2rz5Nnw1Pv -/RrddDvpZx6M/KmLrUwh+vzHAgMBAAGjYzBhMA4GA1UdDwEB/wQEAwIBBjAPBgNV -HRMBAf8EBTADAQH/MB0GA1UdDgQWBBRHSwHooW/FhypVIUYyddqdIL63VjAfBgNV -HSMEGDAWgBRHSwHooW/FhypVIUYyddqdIL63VjANBgkqhkiG9w0BAQsFAAOCAgEA -k9KYQ6yScTieoxMiQ8pe+ntygSb4HJx8rKGzOucY05UUkjaWSk1jiRY9dpp5qQak -ujsWY3I7/VWVSX1sc9U6eY7KcfhVyg7lyoxJeSBtQ8QhPoZuFnejxQ+dY4quOKHs -lSubs3dsLgj0I4G7OOMg+7EVvX/81lo0MTeuFgnDFNW8DxIGFXF48ceISAzMkoA+ -QG5tJwPPJx4zNaEXiWuC00S20JDD/w2iJ945uBIGCL6nnOlrrUGRCzIgpS+augvj -/2Lc2DS5vvOgMdbaQO+Jo+XTMPxwStAD54fvwzwoCU6MDcpyLFChgh3wtPm7RB6J -zvRTOec4gEx85L8dBFE52crpoCTEvzCpE0w86YLy0nYF+ccZB8BTvQ4sqRZL44r/ -SLvzaHl5bXnG77IEl4XLoe1oESgAuNqpuU9UkyLG9NnHdNVghBpnHo48OHhUUMKJ -RpVMY1GUCRFaUpX0SBkVp9T1sw060sh7XrNx+08xz34Ls93Q/dQPnVlxEYSayhsJ -9uPldQ8v0CjSkaqaFQ+aSHH7Kas0BtIRs/hQVcTXBkGxFbN0mqBYqCIWIQkyUEym -XzQHsEV8qYwwJwnV9JJYebapPSUBbIKaYruR76mK1Z7qzrTth6MxgWbHgXGdvcEo -2EEMCUl+Pbr3dd75Q/EYDJU5WMJzbnKSLaIuA4zMa/M= ------END CERTIFICATE-----`, -} - -func TestTrustedRoots(t *testing.T) { - testCases := []struct { - Name string - Certificate string - ExpectedResult bool - }{ - { - Name: "Test trusted certificate", - Certificate: testCertificates[0], - ExpectedResult: true, - }, - { - Name: "Test untrusted certificate", - Certificate: testCertificates[1], - ExpectedResult: false, - }, - } - - for _, tc := range testCases { - t.Run(tc.Name, func(t *testing.T) { - fmt.Println(tc.Certificate) - block, _ := pem.Decode([]byte(tc.Certificate)) - if block == nil { - t.Error("cannot decode test certificate") - return - } - cert, err := x509.ParseCertificate(block.Bytes) - if err != nil { - t.Error("cannot parse test certificate") - return - } - result := IsInMozillaRootStore(cert) - if result != tc.ExpectedResult { - t.Errorf("expected result %v was %v", tc.ExpectedResult, result) - } - }) - } -} From 72b1fec3bcf2b04a06d5dda67a062e18beb8a7e0 Mon Sep 17 00:00:00 2001 From: Daniel Date: Tue, 14 Jan 2020 17:19:06 -0500 Subject: [PATCH 30/40] lints/mozilla: demote lint_mp_allowed_eku to notice --- lints/mozilla/lint_mp_allowed_eku.go | 18 ++++++++++++++---- lints/mozilla/lint_mp_allowed_eku_test.go | 14 ++++++++------ 2 files changed, 22 insertions(+), 10 deletions(-) diff --git a/lints/mozilla/lint_mp_allowed_eku.go b/lints/mozilla/lint_mp_allowed_eku.go index 4669adfa9..11038af85 100644 --- a/lints/mozilla/lint_mp_allowed_eku.go +++ b/lints/mozilla/lint_mp_allowed_eku.go @@ -41,13 +41,23 @@ func (l *allowedEKU) Initialize() error { } func (l *allowedEKU) CheckApplies(c *x509.Certificate) bool { - return util.IsSubCA(c) && !util.IsInMozillaRootStore(c) + // TODO(@cpu): This lint should be limited to SubCAs that do not share + // a private key with a corresponding root certificate in the Mozilla root + // store. See XXX + return util.IsSubCA(c) } func (l *allowedEKU) Execute(c *x509.Certificate) *lint.LintResult { - if len(c.ExtKeyUsage) == 0 || util.HasEKU(c, x509.ExtKeyUsageAny) || - (util.HasEKU(c, x509.ExtKeyUsageEmailProtection) && util.HasEKU(c, x509.ExtKeyUsageServerAuth)) { - return &lint.LintResult{Status: lint.Error} + noEKU := len(c.ExtKeyUsage) == 0 + anyEKU := util.HasEKU(c, x509.ExtKeyUsageAny) + emailAndServerAuthEKU := + util.HasEKU(c, x509.ExtKeyUsageEmailProtection) && + util.HasEKU(c, x509.ExtKeyUsageServerAuth) + + if noEKU || anyEKU || emailAndServerAuthEKU { + // NOTE(@cpu): When this lint's scope is improved (see CheckApplies TODO) + // this should be a lint.Error result instead of lint.Notice. See XXX + return &lint.LintResult{Status: lint.Notice} } return &lint.LintResult{Status: lint.Pass} diff --git a/lints/mozilla/lint_mp_allowed_eku_test.go b/lints/mozilla/lint_mp_allowed_eku_test.go index 1a713d3ce..bba7e593b 100644 --- a/lints/mozilla/lint_mp_allowed_eku_test.go +++ b/lints/mozilla/lint_mp_allowed_eku_test.go @@ -31,17 +31,17 @@ func TestAllowedEKUs(t *testing.T) { { Name: "SubCA with no EKU", InputFilename: "mpSubCAEKUDisallowed1.pem", - ExpectedResult: lint.Error, + ExpectedResult: lint.Notice, }, { Name: "SubCA with anyExtendedKeyUsage", InputFilename: "mpSubCAEKUDisallowed2.pem", - ExpectedResult: lint.Error, + ExpectedResult: lint.Notice, }, { Name: "SubCA with serverAuth and emailProtection", InputFilename: "mpSubCAEKUDisallowed3.pem", - ExpectedResult: lint.Error, + ExpectedResult: lint.Notice, }, { Name: "SubCA with serverAuth EKU", @@ -49,9 +49,11 @@ func TestAllowedEKUs(t *testing.T) { ExpectedResult: lint.Pass, }, { - Name: "Cross-Certificate with no EKU", - InputFilename: "mpCrossCertNoEKU.pem", - ExpectedResult: lint.NA, + Name: "Cross-Certificate with no EKU", + InputFilename: "mpCrossCertNoEKU.pem", + // NOTE(@cpu): This should be a lint.Pass. It is a false positive that + // would be addressed by tracking Mozilla trusted roots. See XXX. + ExpectedResult: lint.Notice, }, } From 94045905cc98df2a21bde76d6d8984f8f697e977 Mon Sep 17 00:00:00 2001 From: Daniel Date: Tue, 14 Jan 2020 17:23:57 -0500 Subject: [PATCH 31/40] lints/mozilla; simplify lint_mp_ecdsa_allowed_algo CheckApplies. --- lints/mozilla/lint_mp_ecdsa_allowed_algorithm.go | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/lints/mozilla/lint_mp_ecdsa_allowed_algorithm.go b/lints/mozilla/lint_mp_ecdsa_allowed_algorithm.go index c5b33b027..c1894f27b 100644 --- a/lints/mozilla/lint_mp_ecdsa_allowed_algorithm.go +++ b/lints/mozilla/lint_mp_ecdsa_allowed_algorithm.go @@ -76,13 +76,15 @@ func (l *ecdsaAllowedAlgorithm) Initialize() error { return nil } -func (l *ecdsaAllowedAlgorithm) CheckApplies(c *x509.Certificate) bool { - if c.SignatureAlgorithm == x509.ECDSAWithSHA1 || c.SignatureAlgorithm == x509.ECDSAWithSHA256 || - c.SignatureAlgorithm == x509.ECDSAWithSHA384 || c.SignatureAlgorithm == x509.ECDSAWithSHA512 { - return true - } +var applicableSigAlgs = map[x509.SignatureAlgorithm]bool{ + x509.ECDSAWithSHA1: true, + x509.ECDSAWithSHA256: true, + x509.ECDSAWithSHA384: true, + x509.ECDSAWithSHA512: true, +} - return false +func (l *ecdsaAllowedAlgorithm) CheckApplies(c *x509.Certificate) bool { + return applicableSigAlgs[c.SignatureAlgorithm] } func (l *ecdsaAllowedAlgorithm) Execute(c *x509.Certificate) *lint.LintResult { From d506af766090760f6b6d4132101f49e88055e6c3 Mon Sep 17 00:00:00 2001 From: Daniel Date: Tue, 14 Jan 2020 17:31:12 -0500 Subject: [PATCH 32/40] lints/mozilla: rename ecdsa_allowed_algorithm -> ecdsa_allowed_curve_hash_pair. --- ...ed_algorithm.go => lint_mp_ecdsa_allowed_curve_hash_pair.go} | 2 +- ...hm_test.go => lint_mp_ecdsa_allowed_curve_hash_pair_test.go} | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) rename lints/mozilla/{lint_mp_ecdsa_allowed_algorithm.go => lint_mp_ecdsa_allowed_curve_hash_pair.go} (98%) rename lints/mozilla/{lint_mp_ecdsa_allowed_algorithm_test.go => lint_mp_ecdsa_allowed_curve_hash_pair_test.go} (93%) diff --git a/lints/mozilla/lint_mp_ecdsa_allowed_algorithm.go b/lints/mozilla/lint_mp_ecdsa_allowed_curve_hash_pair.go similarity index 98% rename from lints/mozilla/lint_mp_ecdsa_allowed_algorithm.go rename to lints/mozilla/lint_mp_ecdsa_allowed_curve_hash_pair.go index c1894f27b..765e4e765 100644 --- a/lints/mozilla/lint_mp_ecdsa_allowed_algorithm.go +++ b/lints/mozilla/lint_mp_ecdsa_allowed_curve_hash_pair.go @@ -114,7 +114,7 @@ func (l *ecdsaAllowedAlgorithm) Execute(c *x509.Certificate) *lint.LintResult { func init() { lint.RegisterLint(&lint.Lint{ - Name: "e_mp_ecdsa_allowed_algorithm", + Name: "e_mp_ecdsa_allowed_curve_hash_pair", Description: "ECDSA keys using one of the following curve-hash pairs: P‐256 with SHA-256, P‐384 with SHA-384", Citation: "Mozilla Root Store Policy / Section 5.1", Source: lint.MozillaRootStorePolicy, diff --git a/lints/mozilla/lint_mp_ecdsa_allowed_algorithm_test.go b/lints/mozilla/lint_mp_ecdsa_allowed_curve_hash_pair_test.go similarity index 93% rename from lints/mozilla/lint_mp_ecdsa_allowed_algorithm_test.go rename to lints/mozilla/lint_mp_ecdsa_allowed_curve_hash_pair_test.go index 8f6b2e4fa..3d7f39f6e 100644 --- a/lints/mozilla/lint_mp_ecdsa_allowed_algorithm_test.go +++ b/lints/mozilla/lint_mp_ecdsa_allowed_curve_hash_pair_test.go @@ -48,7 +48,7 @@ func TestECDSAAlgorithms(t *testing.T) { for _, tc := range testCases { t.Run(tc.Name, func(t *testing.T) { inputPath := fmt.Sprintf("%s%s", util.TestCaseDir, tc.InputFilename) - result := lint.Lints["e_mp_ecdsa_allowed_algorithm"].Execute(util.ReadCertificate(inputPath)) + result := lint.Lints["e_mp_ecdsa_allowed_curve_hash_pair"].Execute(util.ReadCertificate(inputPath)) if result.Status != tc.ExpectedResult { t.Errorf("expected result %v was %v", tc.ExpectedResult, result.Status) } From 26fddcb5eea69fc891db8bbb47dae05bc1dbcb3f Mon Sep 17 00:00:00 2001 From: Daniel Date: Tue, 14 Jan 2020 17:34:52 -0500 Subject: [PATCH 33/40] lints/mozilla: add ecdsa curve/hash pair err detail. --- .../lint_mp_ecdsa_allowed_curve_hash_pair.go | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/lints/mozilla/lint_mp_ecdsa_allowed_curve_hash_pair.go b/lints/mozilla/lint_mp_ecdsa_allowed_curve_hash_pair.go index 765e4e765..e5c7d71d5 100644 --- a/lints/mozilla/lint_mp_ecdsa_allowed_curve_hash_pair.go +++ b/lints/mozilla/lint_mp_ecdsa_allowed_curve_hash_pair.go @@ -22,6 +22,7 @@ package lints import ( "encoding/asn1" "errors" + "fmt" "math/big" "github.com/zmap/zcrypto/x509" @@ -100,22 +101,28 @@ func (l *ecdsaAllowedAlgorithm) Execute(c *x509.Certificate) *lint.LintResult { case c.SignatureAlgorithm == x509.ECDSAWithSHA256 && signKeySize == 256: return &lint.LintResult{ Status: lint.Pass, - Details: "Detected ECDSAWithSHA256 and 256 bit signing key.", + Details: "ECDSAWithSHA256 and 256 bit signing key.", } case c.SignatureAlgorithm == x509.ECDSAWithSHA384 && signKeySize == 384: return &lint.LintResult{ Status: lint.Pass, - Details: "Detected ECDSAWithSHA384 and 384 bit signing key.", + Details: "ECDSAWithSHA384 and 384 bit signing key.", } } - return &lint.LintResult{Status: lint.Error} + return &lint.LintResult{ + Status: lint.Error, + Details: fmt.Sprintf( + "Signing key size (%d) did not match sig. alg curve/hash pair specified (%d)", + signKeySize, + c.SignatureAlgorithm), + } } func init() { lint.RegisterLint(&lint.Lint{ Name: "e_mp_ecdsa_allowed_curve_hash_pair", - Description: "ECDSA keys using one of the following curve-hash pairs: P‐256 with SHA-256, P‐384 with SHA-384", + Description: "ECDSA keys using one of the following curve/hash pairs: P‐256 with SHA-256, P‐384 with SHA-384", Citation: "Mozilla Root Store Policy / Section 5.1", Source: lint.MozillaRootStorePolicy, EffectiveDate: util.MozillaPolicy24Date, From 353ee3a15b020633d276fa73181ef9397cd4c97d Mon Sep 17 00:00:00 2001 From: Daniel Date: Wed, 15 Jan 2020 09:52:09 -0500 Subject: [PATCH 34/40] lints/mozilla: ref trusted roots data issue num --- lints/mozilla/lint_mp_allowed_eku.go | 2 +- lints/mozilla/lint_mp_allowed_eku_test.go | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/lints/mozilla/lint_mp_allowed_eku.go b/lints/mozilla/lint_mp_allowed_eku.go index 11038af85..134c9a9da 100644 --- a/lints/mozilla/lint_mp_allowed_eku.go +++ b/lints/mozilla/lint_mp_allowed_eku.go @@ -43,7 +43,7 @@ func (l *allowedEKU) Initialize() error { func (l *allowedEKU) CheckApplies(c *x509.Certificate) bool { // TODO(@cpu): This lint should be limited to SubCAs that do not share // a private key with a corresponding root certificate in the Mozilla root - // store. See XXX + // store. See https://github.com/zmap/zlint/issues/352 return util.IsSubCA(c) } diff --git a/lints/mozilla/lint_mp_allowed_eku_test.go b/lints/mozilla/lint_mp_allowed_eku_test.go index bba7e593b..042608ece 100644 --- a/lints/mozilla/lint_mp_allowed_eku_test.go +++ b/lints/mozilla/lint_mp_allowed_eku_test.go @@ -52,7 +52,8 @@ func TestAllowedEKUs(t *testing.T) { Name: "Cross-Certificate with no EKU", InputFilename: "mpCrossCertNoEKU.pem", // NOTE(@cpu): This should be a lint.Pass. It is a false positive that - // would be addressed by tracking Mozilla trusted roots. See XXX. + // would be addressed by tracking Mozilla trusted roots. See + // https://github.com/zmap/zlint/issues/352 ExpectedResult: lint.Notice, }, } From efc84c605bac87057a5b30ee24458fcbc722c187 Mon Sep 17 00:00:00 2001 From: Daniel Date: Wed, 15 Jan 2020 10:02:49 -0500 Subject: [PATCH 35/40] lints/mozilla: fix mp_allowed_eku lint name --- lints/mozilla/lint_mp_allowed_eku.go | 5 +++-- lints/mozilla/lint_mp_allowed_eku_test.go | 2 +- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/lints/mozilla/lint_mp_allowed_eku.go b/lints/mozilla/lint_mp_allowed_eku.go index 134c9a9da..48e3cb680 100644 --- a/lints/mozilla/lint_mp_allowed_eku.go +++ b/lints/mozilla/lint_mp_allowed_eku.go @@ -56,7 +56,8 @@ func (l *allowedEKU) Execute(c *x509.Certificate) *lint.LintResult { if noEKU || anyEKU || emailAndServerAuthEKU { // NOTE(@cpu): When this lint's scope is improved (see CheckApplies TODO) - // this should be a lint.Error result instead of lint.Notice. See XXX + // this should be a lint.Error result instead of lint.Notice. See + // https://github.com/zmap/zlint/issues/352 return &lint.LintResult{Status: lint.Notice} } @@ -65,7 +66,7 @@ func (l *allowedEKU) Execute(c *x509.Certificate) *lint.LintResult { func init() { lint.RegisterLint(&lint.Lint{ - Name: "e_mp_allowed_eku", + Name: "n_mp_allowed_eku", Description: "Separation of id-kp-serverAuth and id-kp-emailProtection KeyPurposeIds", Citation: "Mozilla Root Store Policy / Section 5.3", Source: lint.MozillaRootStorePolicy, diff --git a/lints/mozilla/lint_mp_allowed_eku_test.go b/lints/mozilla/lint_mp_allowed_eku_test.go index 042608ece..f9f2a4109 100644 --- a/lints/mozilla/lint_mp_allowed_eku_test.go +++ b/lints/mozilla/lint_mp_allowed_eku_test.go @@ -61,7 +61,7 @@ func TestAllowedEKUs(t *testing.T) { for _, tc := range testCases { t.Run(tc.Name, func(t *testing.T) { inputPath := fmt.Sprintf("%s%s", util.TestCaseDir, tc.InputFilename) - result := lint.Lints["e_mp_allowed_eku"].Execute(util.ReadCertificate(inputPath)) + result := lint.Lints["n_mp_allowed_eku"].Execute(util.ReadCertificate(inputPath)) if result.Status != tc.ExpectedResult { t.Errorf("expected result %v was %v", tc.ExpectedResult, result.Status) } From 63295c4736b90c6e9778ca4459e961d8c7fc56e0 Mon Sep 17 00:00:00 2001 From: Daniel Date: Wed, 15 Jan 2020 11:18:57 -0500 Subject: [PATCH 36/40] lints/mozilla: clarify allowed_eku desc --- lints/mozilla/lint_mp_allowed_eku.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lints/mozilla/lint_mp_allowed_eku.go b/lints/mozilla/lint_mp_allowed_eku.go index 48e3cb680..e3f0448a2 100644 --- a/lints/mozilla/lint_mp_allowed_eku.go +++ b/lints/mozilla/lint_mp_allowed_eku.go @@ -67,7 +67,7 @@ func (l *allowedEKU) Execute(c *x509.Certificate) *lint.LintResult { func init() { lint.RegisterLint(&lint.Lint{ Name: "n_mp_allowed_eku", - Description: "Separation of id-kp-serverAuth and id-kp-emailProtection KeyPurposeIds", + Description: "A SubCA certificate must not have key usage that allows for both server auth and email protection, and must not use anyKeyUsage", Citation: "Mozilla Root Store Policy / Section 5.3", Source: lint.MozillaRootStorePolicy, EffectiveDate: time.Date(2019, time.January, 1, 0, 0, 0, 0, time.UTC), From 0828819d89316e86ca13e38d0812e277ddfa8a55 Mon Sep 17 00:00:00 2001 From: Daniel Date: Wed, 15 Jan 2020 11:27:48 -0500 Subject: [PATCH 37/40] lints/mozilla: use 0 for err return from getSigningKeySize --- lints/mozilla/lint_mp_ecdsa_allowed_curve_hash_pair.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lints/mozilla/lint_mp_ecdsa_allowed_curve_hash_pair.go b/lints/mozilla/lint_mp_ecdsa_allowed_curve_hash_pair.go index e5c7d71d5..2e1d1f476 100644 --- a/lints/mozilla/lint_mp_ecdsa_allowed_curve_hash_pair.go +++ b/lints/mozilla/lint_mp_ecdsa_allowed_curve_hash_pair.go @@ -37,7 +37,7 @@ type ecdsaSignature struct { func getSigningKeySize(cert *x509.Certificate) (int, error) { sig := new(ecdsaSignature) if _, err := asn1.Unmarshal(cert.Signature, sig); err != nil { - return -1, err + return 0, err } rsize := sig.R.BitLen() @@ -68,7 +68,7 @@ func getSigningKeySize(cert *x509.Certificate) (int, error) { return 521, nil } - return -1, errors.New("cannot identify signing ECDSA key length") + return 0, errors.New("cannot identify signing ECDSA key length") } type ecdsaAllowedAlgorithm struct{} From 0f8571d3c9df6d755180b3cb1bb932ad0a07ee11 Mon Sep 17 00:00:00 2001 From: Daniel Date: Wed, 15 Jan 2020 11:36:09 -0500 Subject: [PATCH 38/40] lints/mozilla: assume CheckApplies works --- lints/mozilla/lint_mp_authority_key_identifier_correct.go | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/lints/mozilla/lint_mp_authority_key_identifier_correct.go b/lints/mozilla/lint_mp_authority_key_identifier_correct.go index f03b1abb5..f51a4388d 100644 --- a/lints/mozilla/lint_mp_authority_key_identifier_correct.go +++ b/lints/mozilla/lint_mp_authority_key_identifier_correct.go @@ -49,13 +49,8 @@ func (l *authorityKeyIdentifierCorrect) CheckApplies(c *x509.Certificate) bool { func (l *authorityKeyIdentifierCorrect) Execute(c *x509.Certificate) *lint.LintResult { var keyID keyIdentifier + // ext is assumed not-nil based on CheckApplies. ext := util.GetExtFromCert(c, util.AuthkeyOID) - if ext == nil { - return &lint.LintResult{ - Status: lint.Fatal, - Details: "certificate is missing Authority Key Identifier extension", - } - } if _, err := asn1.Unmarshal(ext.Value, &keyID); err != nil { return &lint.LintResult{ Status: lint.Fatal, From 69fdd4e35caaad6af1dce6f73767711a779155c4 Mon Sep 17 00:00:00 2001 From: Daniel Date: Wed, 15 Jan 2020 11:46:11 -0500 Subject: [PATCH 39/40] lints/mozilla: remove `e_mp_ecdsa_allowed_curve_hash_pair`. --- .../lint_mp_ecdsa_allowed_curve_hash_pair.go | 131 ------------------ ...t_mp_ecdsa_allowed_curve_hash_pair_test.go | 57 -------- .../testCerts/mpECDSAAlgorithmsAllowed.pem | 72 ---------- .../mpECDSAAlgorithmsDisallowed1.pem | 70 ---------- .../mpECDSAAlgorithmsDisallowed2.pem | 70 ---------- 5 files changed, 400 deletions(-) delete mode 100644 lints/mozilla/lint_mp_ecdsa_allowed_curve_hash_pair.go delete mode 100644 lints/mozilla/lint_mp_ecdsa_allowed_curve_hash_pair_test.go delete mode 100644 testlint/testCerts/mpECDSAAlgorithmsAllowed.pem delete mode 100644 testlint/testCerts/mpECDSAAlgorithmsDisallowed1.pem delete mode 100644 testlint/testCerts/mpECDSAAlgorithmsDisallowed2.pem diff --git a/lints/mozilla/lint_mp_ecdsa_allowed_curve_hash_pair.go b/lints/mozilla/lint_mp_ecdsa_allowed_curve_hash_pair.go deleted file mode 100644 index 2e1d1f476..000000000 --- a/lints/mozilla/lint_mp_ecdsa_allowed_curve_hash_pair.go +++ /dev/null @@ -1,131 +0,0 @@ -/* - * ZLint Copyright 2019 Regents of the University of Michigan - * - * Licensed under the Apache License, Version 2.0 (the "License"); you may not - * use this file except in compliance with the License. You may obtain a copy - * of the License at http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or - * implied. See the License for the specific language governing - * permissions and limitations under the License. - */ - -/******************************************************************** -Section 5.1 - Algorithms -ECDSA keys using one of the following curve-hash pairs: P‐256 with SHA-256, P‐384 with SHA-384 -********************************************************************/ - -package lints - -import ( - "encoding/asn1" - "errors" - "fmt" - "math/big" - - "github.com/zmap/zcrypto/x509" - "github.com/zmap/zlint/lint" - "github.com/zmap/zlint/util" -) - -type ecdsaSignature struct { - R, S *big.Int -} - -func getSigningKeySize(cert *x509.Certificate) (int, error) { - sig := new(ecdsaSignature) - if _, err := asn1.Unmarshal(cert.Signature, sig); err != nil { - return 0, err - } - - rsize := sig.R.BitLen() - ssize := sig.S.BitLen() - - switch { - case rsize <= 112 && ssize <= 112: - return 112, nil - case rsize <= 128 && ssize <= 128: - return 128, nil - case rsize <= 160 && ssize <= 160: - return 160, nil - case rsize <= 192 && ssize <= 192: - return 192, nil - case rsize <= 224 && ssize <= 224: - return 224, nil - case rsize <= 239 && ssize <= 239: - return 239, nil - case rsize <= 256 && ssize <= 256: - return 256, nil - case rsize <= 320 && ssize <= 320: - return 320, nil - case rsize <= 384 && ssize <= 384: - return 384, nil - case rsize <= 512 && ssize <= 512: - return 512, nil - case rsize <= 521 && ssize <= 521: - return 521, nil - } - - return 0, errors.New("cannot identify signing ECDSA key length") -} - -type ecdsaAllowedAlgorithm struct{} - -func (l *ecdsaAllowedAlgorithm) Initialize() error { - return nil -} - -var applicableSigAlgs = map[x509.SignatureAlgorithm]bool{ - x509.ECDSAWithSHA1: true, - x509.ECDSAWithSHA256: true, - x509.ECDSAWithSHA384: true, - x509.ECDSAWithSHA512: true, -} - -func (l *ecdsaAllowedAlgorithm) CheckApplies(c *x509.Certificate) bool { - return applicableSigAlgs[c.SignatureAlgorithm] -} - -func (l *ecdsaAllowedAlgorithm) Execute(c *x509.Certificate) *lint.LintResult { - signKeySize, err := getSigningKeySize(c) - if err != nil { - return &lint.LintResult{ - Status: lint.Fatal, - Details: "cannot identify signing ECDSA key length", - } - } - - switch { - case c.SignatureAlgorithm == x509.ECDSAWithSHA256 && signKeySize == 256: - return &lint.LintResult{ - Status: lint.Pass, - Details: "ECDSAWithSHA256 and 256 bit signing key.", - } - case c.SignatureAlgorithm == x509.ECDSAWithSHA384 && signKeySize == 384: - return &lint.LintResult{ - Status: lint.Pass, - Details: "ECDSAWithSHA384 and 384 bit signing key.", - } - } - - return &lint.LintResult{ - Status: lint.Error, - Details: fmt.Sprintf( - "Signing key size (%d) did not match sig. alg curve/hash pair specified (%d)", - signKeySize, - c.SignatureAlgorithm), - } -} - -func init() { - lint.RegisterLint(&lint.Lint{ - Name: "e_mp_ecdsa_allowed_curve_hash_pair", - Description: "ECDSA keys using one of the following curve/hash pairs: P‐256 with SHA-256, P‐384 with SHA-384", - Citation: "Mozilla Root Store Policy / Section 5.1", - Source: lint.MozillaRootStorePolicy, - EffectiveDate: util.MozillaPolicy24Date, - Lint: &ecdsaAllowedAlgorithm{}, - }) -} diff --git a/lints/mozilla/lint_mp_ecdsa_allowed_curve_hash_pair_test.go b/lints/mozilla/lint_mp_ecdsa_allowed_curve_hash_pair_test.go deleted file mode 100644 index 3d7f39f6e..000000000 --- a/lints/mozilla/lint_mp_ecdsa_allowed_curve_hash_pair_test.go +++ /dev/null @@ -1,57 +0,0 @@ -package lints - -/* - * ZLint Copyright 2018 Regents of the University of Michigan - * - * Licensed under the Apache License, Version 2.0 (the "License"); you may not - * use this file except in compliance with the License. You may obtain a copy - * of the License at http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or - * implied. See the License for the specific language governing - * permissions and limitations under the License. - */ - -import ( - "fmt" - "testing" - - "github.com/zmap/zlint/lint" - "github.com/zmap/zlint/util" -) - -func TestECDSAAlgorithms(t *testing.T) { - testCases := []struct { - Name string - InputFilename string - ExpectedResult lint.LintStatus - }{ - { - Name: "Secp384r1 CA with ECDSAwithSHA256", - InputFilename: "mpECDSAAlgorithmsDisallowed1.pem", - ExpectedResult: lint.Error, - }, - { - Name: "Secp256r1 CA with ECDSAwithSHA384", - InputFilename: "mpECDSAAlgorithmsDisallowed2.pem", - ExpectedResult: lint.Error, - }, - { - Name: "Secp256r1 CA with ECDSAwithSHA256", - InputFilename: "mpECDSAAlgorithmsAllowed.pem", - ExpectedResult: lint.Pass, - }, - } - - for _, tc := range testCases { - t.Run(tc.Name, func(t *testing.T) { - inputPath := fmt.Sprintf("%s%s", util.TestCaseDir, tc.InputFilename) - result := lint.Lints["e_mp_ecdsa_allowed_curve_hash_pair"].Execute(util.ReadCertificate(inputPath)) - if result.Status != tc.ExpectedResult { - t.Errorf("expected result %v was %v", tc.ExpectedResult, result.Status) - } - }) - } -} diff --git a/testlint/testCerts/mpECDSAAlgorithmsAllowed.pem b/testlint/testCerts/mpECDSAAlgorithmsAllowed.pem deleted file mode 100644 index abddefb6d..000000000 --- a/testlint/testCerts/mpECDSAAlgorithmsAllowed.pem +++ /dev/null @@ -1,72 +0,0 @@ -Certificate: - Data: - Version: 3 (0x2) - Serial Number: 11 (0xb) - Signature Algorithm: ecdsa-with-SHA256 - Issuer: C = US, ST = California, L = San Francisco, O = Bogus Inc., OU = Operations, CN = Zlint test certificates ECDSA CA - Validity - Not Before: Sep 30 13:03:28 2019 GMT - Not After : Sep 29 13:03:28 2021 GMT - Subject: C = US, ST = California, L = San Francisco, O = Bogus Inc., OU = Operations, CN = ecdsa3.example.com - Subject Public Key Info: - Public Key Algorithm: id-ecPublicKey - Public-Key: (521 bit) - pub: - 04:01:54:86:b9:42:ee:8d:24:9c:3b:d0:c2:f0:83: - 58:47:25:b6:f7:83:7b:33:a9:a0:7b:66:35:f7:63: - 00:c4:18:52:dc:a3:d2:16:48:c0:0d:bb:a7:a8:cd: - 5c:9e:61:a8:e1:eb:51:67:7f:52:e3:cd:bf:c6:fa: - 61:27:e4:7a:64:94:7f:01:d6:a1:a1:e2:e5:5f:36: - 76:d5:61:f5:3e:eb:bb:4e:84:89:c4:b4:b1:61:bb: - fd:21:11:f9:4d:19:7f:84:bc:f0:2d:1e:ca:54:6a: - 4a:a8:0e:71:56:23:38:68:c6:59:23:2d:72:1c:d2: - e0:a2:a1:eb:61:41:86:a0:77:91:b7:3c:94 - ASN1 OID: secp521r1 - NIST CURVE: P-521 - X509v3 extensions: - X509v3 Key Usage: critical - Digital Signature, Key Encipherment - X509v3 Basic Constraints: - CA:FALSE - X509v3 Extended Key Usage: - TLS Web Server Authentication, TLS Web Client Authentication - X509v3 Subject Key Identifier: - 3A:85:48:EB:A7:A0:FB:A9:47:A5:8A:35:FF:FE:F4:25:38:92:16:01 - X509v3 Subject Alternative Name: - DNS:ecdsa3.example.com - X509v3 Authority Key Identifier: - keyid:52:B1:37:DB:0D:A5:20:37:C7:C6:61:66:1E:D5:68:1C:A1:A4:D7:4F - - Authority Information Access: - CA Issuers - URI:http://example.com/ca/rootecdsa.crt - - X509v3 CRL Distribution Points: - - Full Name: - URI:http://example.com/ca/rootecdsa.crl - - Signature Algorithm: ecdsa-with-SHA256 - 30:46:02:21:00:db:0b:41:72:a5:d5:d4:3d:e5:48:19:82:5d: - 0e:45:5b:cf:32:df:6c:6d:20:74:a5:77:a8:ce:b6:1c:2d:b0: - 6f:02:21:00:f3:ed:ef:6c:5e:78:a0:a7:f1:f7:af:37:ee:f8: - 95:2c:ef:b1:55:46:61:b3:60:de:c0:c1:2d:e7:31:16:66:86 ------BEGIN CERTIFICATE----- -MIIDWzCCAwCgAwIBAgIBCzAKBggqhkjOPQQDAjCBjzELMAkGA1UEBhMCVVMxEzAR -BgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xEzARBgNV -BAoMCkJvZ3VzIEluYy4xEzARBgNVBAsMCk9wZXJhdGlvbnMxKTAnBgNVBAMMIFps -aW50IHRlc3QgY2VydGlmaWNhdGVzIEVDRFNBIENBMB4XDTE5MDkzMDEzMDMyOFoX -DTIxMDkyOTEzMDMyOFowgYExCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9y -bmlhMRYwFAYDVQQHDA1TYW4gRnJhbmNpc2NvMRMwEQYDVQQKDApCb2d1cyBJbmMu -MRMwEQYDVQQLDApPcGVyYXRpb25zMRswGQYDVQQDDBJlY2RzYTMuZXhhbXBsZS5j -b20wgZswEAYHKoZIzj0CAQYFK4EEACMDgYYABAFUhrlC7o0knDvQwvCDWEcltveD -ezOpoHtmNfdjAMQYUtyj0hZIwA27p6jNXJ5hqOHrUWd/UuPNv8b6YSfkemSUfwHW -oaHi5V82dtVh9T7ru06EicS0sWG7/SER+U0Zf4S88C0eylRqSqgOcVYjOGjGWSMt -chzS4KKh62FBhqB3kbc8lKOCARQwggEQMA4GA1UdDwEB/wQEAwIFoDAJBgNVHRME -AjAAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAdBgNVHQ4EFgQUOoVI -66eg+6lHpYo1//70JTiSFgEwHQYDVR0RBBYwFIISZWNkc2EzLmV4YW1wbGUuY29t -MB8GA1UdIwQYMBaAFFKxN9sNpSA3x8ZhZh7VaByhpNdPMD8GCCsGAQUFBwEBBDMw -MTAvBggrBgEFBQcwAoYjaHR0cDovL2V4YW1wbGUuY29tL2NhL3Jvb3RlY2RzYS5j -cnQwNAYDVR0fBC0wKzApoCegJYYjaHR0cDovL2V4YW1wbGUuY29tL2NhL3Jvb3Rl -Y2RzYS5jcmwwCgYIKoZIzj0EAwIDSQAwRgIhANsLQXKl1dQ95UgZgl0ORVvPMt9s -bSB0pXeozrYcLbBvAiEA8+3vbF54oKfx96837viVLO+xVUZhs2DewMEt5zEWZoY= ------END CERTIFICATE----- diff --git a/testlint/testCerts/mpECDSAAlgorithmsDisallowed1.pem b/testlint/testCerts/mpECDSAAlgorithmsDisallowed1.pem deleted file mode 100644 index adb22485a..000000000 --- a/testlint/testCerts/mpECDSAAlgorithmsDisallowed1.pem +++ /dev/null @@ -1,70 +0,0 @@ -Certificate: - Data: - Version: 3 (0x2) - Serial Number: 5 (0x5) - Signature Algorithm: ecdsa-with-SHA256 - Issuer: C = US, ST = California, L = San Francisco, O = Bogus Inc., OU = Operations, CN = Zlint test certificates ECDSA CA - Validity - Not Before: Sep 30 12:41:45 2019 GMT - Not After : Sep 29 12:41:45 2021 GMT - Subject: C = US, ST = California, L = San Francisco, O = Bogus Inc., OU = Operations, CN = ecdsa1.example.com - Subject Public Key Info: - Public Key Algorithm: id-ecPublicKey - Public-Key: (256 bit) - pub: - 04:8e:de:b7:3e:89:5f:fc:4a:76:56:50:ec:cf:f1: - 7c:fa:46:b6:7f:66:53:17:7c:e7:44:89:c3:d0:26: - 97:64:37:87:15:d8:63:10:b9:de:71:55:b3:f1:68: - 46:77:6d:03:cd:a1:75:c4:2a:53:d1:a2:83:d9:5d: - 19:b3:6d:6c:ee - ASN1 OID: prime256v1 - NIST CURVE: P-256 - X509v3 extensions: - X509v3 Key Usage: critical - Digital Signature, Key Encipherment - X509v3 Basic Constraints: - CA:FALSE - X509v3 Extended Key Usage: - TLS Web Server Authentication, TLS Web Client Authentication - X509v3 Subject Key Identifier: - CD:A5:40:5A:2C:3D:B3:73:4E:78:C3:56:B7:CE:7A:AE:40:B4:2E:82 - X509v3 Subject Alternative Name: - DNS:ecdsa1.example.com - X509v3 Authority Key Identifier: - keyid:2B:F2:7B:12:FE:66:45:34:39:87:30:5D:90:BA:BA:C4:D7:68:02:AC - - Authority Information Access: - CA Issuers - URI:http://example.com/ca/rootecdsa.crt - - X509v3 CRL Distribution Points: - - Full Name: - URI:http://example.com/ca/rootecdsa.crl - - Signature Algorithm: ecdsa-with-SHA256 - 30:64:02:30:2c:40:ca:94:81:0b:69:b0:bc:1e:9b:d6:4a:34: - e7:00:95:a3:03:c9:c3:21:7e:e7:4b:3b:4f:46:ec:e7:4b:48: - 2f:07:8e:f9:12:15:dd:b4:cd:51:92:df:94:bc:52:aa:02:30: - 55:fe:37:62:74:89:46:3d:05:43:7f:15:16:73:66:4d:fe:ff: - 89:f2:63:51:30:b7:3d:25:5f:f7:e7:da:e1:78:04:06:0d:44: - bd:f0:2a:09:80:5c:79:ab:31:87:34:c6 ------BEGIN CERTIFICATE----- -MIIDNjCCAr2gAwIBAgIBBTAKBggqhkjOPQQDAjCBjzELMAkGA1UEBhMCVVMxEzAR -BgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xEzARBgNV -BAoMCkJvZ3VzIEluYy4xEzARBgNVBAsMCk9wZXJhdGlvbnMxKTAnBgNVBAMMIFps -aW50IHRlc3QgY2VydGlmaWNhdGVzIEVDRFNBIENBMB4XDTE5MDkzMDEyNDE0NVoX -DTIxMDkyOTEyNDE0NVowgYExCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9y -bmlhMRYwFAYDVQQHDA1TYW4gRnJhbmNpc2NvMRMwEQYDVQQKDApCb2d1cyBJbmMu -MRMwEQYDVQQLDApPcGVyYXRpb25zMRswGQYDVQQDDBJlY2RzYTEuZXhhbXBsZS5j -b20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASO3rc+iV/8SnZWUOzP8Xz6RrZ/ -ZlMXfOdEicPQJpdkN4cV2GMQud5xVbPxaEZ3bQPNoXXEKlPRooPZXRmzbWzuo4IB -FDCCARAwDgYDVR0PAQH/BAQDAgWgMAkGA1UdEwQCMAAwHQYDVR0lBBYwFAYIKwYB -BQUHAwEGCCsGAQUFBwMCMB0GA1UdDgQWBBTNpUBaLD2zc054w1a3znquQLQugjAd -BgNVHREEFjAUghJlY2RzYTEuZXhhbXBsZS5jb20wHwYDVR0jBBgwFoAUK/J7Ev5m -RTQ5hzBdkLq6xNdoAqwwPwYIKwYBBQUHAQEEMzAxMC8GCCsGAQUFBzAChiNodHRw -Oi8vZXhhbXBsZS5jb20vY2Evcm9vdGVjZHNhLmNydDA0BgNVHR8ELTArMCmgJ6Al -hiNodHRwOi8vZXhhbXBsZS5jb20vY2Evcm9vdGVjZHNhLmNybDAKBggqhkjOPQQD -AgNnADBkAjAsQMqUgQtpsLwem9ZKNOcAlaMDycMhfudLO09G7OdLSC8HjvkSFd20 -zVGS35S8UqoCMFX+N2J0iUY9BUN/FRZzZk3+/4nyY1Ewtz0lX/fn2uF4BAYNRL3w -KgmAXHmrMYc0xg== ------END CERTIFICATE----- diff --git a/testlint/testCerts/mpECDSAAlgorithmsDisallowed2.pem b/testlint/testCerts/mpECDSAAlgorithmsDisallowed2.pem deleted file mode 100644 index 0df6623a9..000000000 --- a/testlint/testCerts/mpECDSAAlgorithmsDisallowed2.pem +++ /dev/null @@ -1,70 +0,0 @@ -Certificate: - Data: - Version: 3 (0x2) - Serial Number: 10 (0xa) - Signature Algorithm: ecdsa-with-SHA384 - Issuer: C = US, ST = California, L = San Francisco, O = Bogus Inc., OU = Operations, CN = Zlint test certificates ECDSA CA - Validity - Not Before: Sep 30 12:47:01 2019 GMT - Not After : Sep 29 12:47:01 2021 GMT - Subject: C = US, ST = California, L = San Francisco, O = Bogus Inc., OU = Operations, CN = ecdsa2.example.com - Subject Public Key Info: - Public Key Algorithm: id-ecPublicKey - Public-Key: (384 bit) - pub: - 04:60:f7:bc:80:aa:05:9d:86:2a:66:f4:dc:cb:32: - ca:5f:de:b0:0f:3d:b1:69:37:70:ae:8a:6d:3b:c1: - 64:b0:3e:a9:c6:8f:cf:f1:4a:5a:36:39:0d:a5:30: - 9f:95:86:a2:bb:88:c6:13:72:7a:29:a2:14:01:84: - 39:3c:35:f4:a3:4a:c9:56:d3:4e:69:e4:af:39:7a: - 5f:f9:be:b9:b1:5d:31:0d:b8:86:9c:7e:10:2f:50: - 6b:05:a6:cd:89:c2:33 - ASN1 OID: secp384r1 - NIST CURVE: P-384 - X509v3 extensions: - X509v3 Key Usage: critical - Digital Signature, Key Encipherment - X509v3 Basic Constraints: - CA:FALSE - X509v3 Extended Key Usage: - TLS Web Server Authentication, TLS Web Client Authentication - X509v3 Subject Key Identifier: - 26:D5:69:2D:68:B0:D0:E8:02:7C:21:F2:CA:13:69:87:EC:99:6E:68 - X509v3 Subject Alternative Name: - DNS:ecdsa2.example.com - X509v3 Authority Key Identifier: - keyid:52:B1:37:DB:0D:A5:20:37:C7:C6:61:66:1E:D5:68:1C:A1:A4:D7:4F - - Authority Information Access: - CA Issuers - URI:http://example.com/ca/rootecdsa.crt - - X509v3 CRL Distribution Points: - - Full Name: - URI:http://example.com/ca/rootecdsa.crl - - Signature Algorithm: ecdsa-with-SHA384 - 30:45:02:20:67:52:70:43:33:30:ee:49:20:ef:ba:2e:c6:74: - f3:e9:90:5e:41:6d:02:fa:4f:1d:12:8e:9c:b9:0b:d1:28:9a: - 02:21:00:e9:65:c9:d3:27:b4:98:a3:08:bc:f2:c2:1a:fa:e6: - 86:86:17:4e:11:06:b6:40:93:a6:d9:4d:db:35:d1:ec:5d ------BEGIN CERTIFICATE----- -MIIDNDCCAtqgAwIBAgIBCjAKBggqhkjOPQQDAzCBjzELMAkGA1UEBhMCVVMxEzAR -BgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xEzARBgNV -BAoMCkJvZ3VzIEluYy4xEzARBgNVBAsMCk9wZXJhdGlvbnMxKTAnBgNVBAMMIFps -aW50IHRlc3QgY2VydGlmaWNhdGVzIEVDRFNBIENBMB4XDTE5MDkzMDEyNDcwMVoX -DTIxMDkyOTEyNDcwMVowgYExCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9y -bmlhMRYwFAYDVQQHDA1TYW4gRnJhbmNpc2NvMRMwEQYDVQQKDApCb2d1cyBJbmMu -MRMwEQYDVQQLDApPcGVyYXRpb25zMRswGQYDVQQDDBJlY2RzYTIuZXhhbXBsZS5j -b20wdjAQBgcqhkjOPQIBBgUrgQQAIgNiAARg97yAqgWdhipm9NzLMspf3rAPPbFp -N3Cuim07wWSwPqnGj8/xSlo2OQ2lMJ+VhqK7iMYTcnopohQBhDk8NfSjSslW005p -5K85el/5vrmxXTENuIacfhAvUGsFps2JwjOjggEUMIIBEDAOBgNVHQ8BAf8EBAMC -BaAwCQYDVR0TBAIwADAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwHQYD -VR0OBBYEFCbVaS1osNDoAnwh8soTaYfsmW5oMB0GA1UdEQQWMBSCEmVjZHNhMi5l -eGFtcGxlLmNvbTAfBgNVHSMEGDAWgBRSsTfbDaUgN8fGYWYe1WgcoaTXTzA/Bggr -BgEFBQcBAQQzMDEwLwYIKwYBBQUHMAKGI2h0dHA6Ly9leGFtcGxlLmNvbS9jYS9y -b290ZWNkc2EuY3J0MDQGA1UdHwQtMCswKaAnoCWGI2h0dHA6Ly9leGFtcGxlLmNv -bS9jYS9yb290ZWNkc2EuY3JsMAoGCCqGSM49BAMDA0gAMEUCIGdScEMzMO5JIO+6 -LsZ08+mQXkFtAvpPHRKOnLkL0SiaAiEA6WXJ0ye0mKMIvPLCGvrmhoYXThEGtkCT -ptlN2zXR7F0= ------END CERTIFICATE----- From 44d85576ffe59cd929a5c8bdb0f435ea62fffc1b Mon Sep 17 00:00:00 2001 From: Daniel Date: Thu, 16 Jan 2020 10:58:31 -0500 Subject: [PATCH 40/40] integration: add vetted expected results for Moz. lints --- integration/config.json | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/integration/config.json b/integration/config.json index 7a56cba86..44dc6eb00 100644 --- a/integration/config.json +++ b/integration/config.json @@ -419,6 +419,16 @@ "e_invalid_certificate_version": {}, "e_issuer_dn_country_not_printable_string": {}, "e_issuer_field_empty": {}, + "e_mp_authority_key_identifier_correct": { + "ErrCount": 135 + }, + "e_mp_exponent_cannot_be_one": {}, + "e_mp_modulus_must_be_2048_bits_or_more": { + "ErrCount": 1 + }, + "e_mp_modulus_must_be_divisible_by_8": { + "ErrCount": 21 + }, "e_name_constraint_empty": {}, "e_name_constraint_maximum_not_absent": {}, "e_name_constraint_minimum_non_zero": {}, @@ -616,6 +626,9 @@ "n_ecdsa_ee_invalid_ku": { "NoticeCount": 29 }, + "n_mp_allowed_eku": { + "NoticeCount": 14 + }, "n_multiple_subject_rdn": {}, "n_san_dns_name_duplicate": { "NoticeCount": 193