From 54836c3ea8201c837e98e7e1791517c566787e32 Mon Sep 17 00:00:00 2001 From: robplee Date: Thu, 9 Nov 2023 17:07:27 +0000 Subject: [PATCH] address smime lint applicability issue. regenerate test certificates to fix unit tests broken by change --- v3/lint/base.go | 2 +- .../subscriber_no_crl_distribution_points.pem | 36 +++++++++--------- ...ubscriber_with_crl_distribution_points.pem | 37 ++++++++++--------- .../without_subject_alternative_name.pem | 36 +++++++++--------- v3/util/oid.go | 2 + v3/util/san.go | 19 ++++++++++ 6 files changed, 79 insertions(+), 53 deletions(-) create mode 100644 v3/util/san.go
diff --git a/v3/lint/base.go b/v3/lint/base.go
index 1160f2fda..9753d9bea 100644
--- a/v3/lint/base.go
+++ b/v3/lint/base.go
@@ -221,7 +221,7 @@ func (l *CertificateLint) Execute(cert *x509.Certificate, config Configuration)
 if l.Source == CABFBaselineRequirements && !util.IsServerAuthCert(cert) {
 return &LintResult{Status: NA}
 }
- if l.Source == CABFSMIMEBaselineRequirements && !util.IsEmailProtectionCert(cert) {
+ if l.Source == CABFSMIMEBaselineRequirements && !((util.IsEmailProtectionCert(cert) && util.HasEmailSAN(cert)) || util.IsSMIMEBRCertificate(cert)) {
 return &LintResult{Status: NA}
 }
 lint := l.Lint()
diff --git a/v3/testdata/smime/subscriber_no_crl_distribution_points.pem b/v3/testdata/smime/subscriber_no_crl_distribution_points.pem
index 164f0f33b..a9903eb7e 100644
--- a/v3/testdata/smime/subscriber_no_crl_distribution_points.pem
+++ b/v3/testdata/smime/subscriber_no_crl_distribution_points.pem
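Review bot: The new applicability predicate on the changed `if` line is a doubly-nested negated boolean with no comment tying it to the rule it encodes, and since this check decides whether every S/MIME lint runs at all, a later edit that drifts from the BR scope would silently turn findings into NA rather than fail loudly. Name the scope once and negate the name: `inScope := (util.IsEmailProtectionCert(cert) && util.HasEmailSAN(cert)) || util.IsSMIMEBRCertificate(cert)` followed by `if l.Source == CABFSMIMEBaselineRequirements && !inScope {`, with a comment such as `// S/MIME BR scope (§1.1): emailProtection EKU plus an rfc822Name/SmtpUTF8Mailbox SAN, or an S/MIME BR policy OID asserted`. `util.IsSMIMEBRCertificate` is not introduced by this patch, so it presumably already exists in util; worth confirming it is the policy-OID check that the regenerated test certificates (which gained `2.23.140.1.5.x.y` policies but still have no SAN) now rely on to stay in scope. `Execute` starts before and ends after this hunk.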
@@ -12,27 +12,29 @@ Certificate: Public Key Algorithm: id-ecPublicKey Public-Key: (256 bit) pub: - 04:b0:ea:1e:f1:18:fe:47:2c:63:90:84:55:31:84: - a9:7d:05:a9:53:01:21:6f:cf:c4:b3:08:33:d2:4c: - 0a:e0:39:40:d2:c8:05:e0:7a:a2:cf:14:04:9e:75: - c9:8a:41:b1:ce:6f:ea:6e:f2:5f:f7:0c:58:39:d5: - b3:b6:83:fc:79 + 04:59:8d:60:f6:dc:04:98:92:65:d8:4d:e9:45:da: + 1e:97:70:09:5a:af:cf:c7:e5:86:18:cd:32:8b:35: + c7:23:5c:b8:76:c7:65:f8:20:f1:fc:ab:3b:28:22: + a3:a9:9b:68:dc:7a:58:74:3b:f4:0b:b9:60:57:3f: + 46:21:e3:b8:11 ASN1 OID: prime256v1 NIST CURVE: P-256 X509v3 extensions: X509v3 Extended Key Usage: E-mail Protection + X509v3 Certificate Policies: + Policy: 2.23.140.1.5.4.1 Signature Algorithm: ecdsa-with-SHA256 - Signature Value: - 30:45:02:21:00:9f:89:3b:b4:a6:ca:2f:d3:24:cf:5c:0f:d2: - b4:0c:a5:23:e2:77:ae:dc:4e:60:f9:fb:a5:d7:17:b6:eb:d7: - be:02:20:60:21:54:e0:ef:0c:eb:d7:7d:c0:f6:28:29:86:d2: - be:b1:3e:c7:a6:f5:23:84:37:18:68:af:cd:6d:fe:4d:b0 + 30:45:02:21:00:97:6e:8c:24:9c:5f:89:f4:92:29:d8:4d:eb: + c1:1b:bd:a6:31:d3:32:58:da:34:4b:fa:d3:f7:b2:c3:49:93: + a2:02:20:51:49:d7:29:8b:1d:28:2e:24:58:fb:e5:34:a1:5c: + c0:05:d8:8e:f3:ce:43:4e:3b:0a:b0:7c:ce:57:f7:42:1f -----BEGIN CERTIFICATE----- -MIIBBzCBrqADAgECAgEDMAoGCCqGSM49BAMCMAAwIBcNMjMwOTMwMTUwMjU3WhgP -OTk5ODExMzAwMDAwMDBaMAAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASw6h7x -GP5HLGOQhFUxhKl9BalTASFvz8SzCDPSTArgOUDSyAXgeqLPFASedcmKQbHOb+pu -8l/3DFg51bO2g/x5oxcwFTATBgNVHSUEDDAKBggrBgEFBQcDBDAKBggqhkjOPQQD -AgNIADBFAiEAn4k7tKbKL9Mkz1wP0rQMpSPid67cTmD5+6XXF7br174CIGAhVODv -DOvXfcD2KCmG0r6xPsem9SOENxhor81t/k2w ------END CERTIFICATE----- +MIIBHTCBxKADAgECAgEDMAoGCCqGSM49BAMCMAAwIBcNMjMwOTMwMTUwMjU3WhgP +OTk5ODExMzAwMDAwMDBaMAAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARZjWD2 +3ASYkmXYTelF2h6XcAlar8/H5YYYzTKLNccjXLh2x2X4IPH8qzsoIqOpm2jcelh0 +O/QLuWBXP0Yh47gRoy0wKzATBgNVHSUEDDAKBggrBgEFBQcDBDAUBgNVHSAEDTAL +MAkGB2eBDAEFBAEwCgYIKoZIzj0EAwIDSAAwRQIhAJdujCScX4n0kinYTevBG72m 
+MdMyWNo0S/rT97LDSZOiAiBRSdcpix0oLiRY++U0oVzABdiO885DTjsKsHzOV/dC +Hw== +-----END CERTIFICATE----- \ No newline at end of file diff --git a/v3/testdata/smime/subscriber_with_crl_distribution_points.pem b/v3/testdata/smime/subscriber_with_crl_distribution_points.pem index 138da9ae7..a967e2d33 100644 --- a/v3/testdata/smime/subscriber_with_crl_distribution_points.pem +++ b/v3/testdata/smime/subscriber_with_crl_distribution_points.pem 
@@ -12,31 +12,32 @@ Certificate: Public Key Algorithm: id-ecPublicKey Public-Key: (256 bit) pub: - 04:77:fb:36:f7:93:14:be:12:85:91:d5:e5:ac:69: - d8:3e:53:62:67:69:31:da:d8:cb:b1:31:26:4a:c3: - 50:75:fa:8c:3b:a4:3c:28:f3:a9:b7:2f:6d:bb:92: - 9b:17:11:b0:f3:40:5f:07:d6:57:f6:ae:0a:42:1b: - a9:02:9e:d7:7c + 04:d7:a2:5e:9e:d9:54:7d:94:f9:0f:57:4f:af:c3: + 75:e4:bf:9a:57:0d:c1:ab:f2:d7:98:eb:24:a2:98: + 49:aa:60:90:41:55:96:60:8c:e5:ba:ac:6b:bd:20: + e1:00:c8:5d:26:60:9a:37:29:7b:a0:2c:61:09:24: + 53:7a:71:14:dd ASN1 OID: prime256v1 NIST CURVE: P-256 X509v3 extensions: X509v3 Extended Key Usage: E-mail Protection + X509v3 Certificate Policies: + Policy: 2.23.140.1.5.1.2 X509v3 CRL Distribution Points: Full Name: URI:atleastone.com Signature Algorithm: ecdsa-with-SHA256 - Signature Value: - 30:45:02:21:00:aa:1a:66:ac:5b:22:a9:e3:2d:b8:33:54:49: - fa:28:22:24:b1:11:49:44:46:6e:7d:55:13:fb:25:56:96:e1: - e1:02:20:60:b3:d6:eb:ff:34:2a:e7:0a:aa:0b:4b:4b:b3:32: - ba:96:7a:44:f5:f8:07:ff:86:86:89:ae:65:f0:6d:1b:00 + 30:45:02:21:00:8f:ff:de:4a:1b:56:89:31:8c:c5:bc:e5:8e: + 1a:95:c3:e4:bc:36:df:df:16:c4:71:74:28:c0:d0:72:44:b3: + 68:02:20:76:b4:f4:26:ac:07:7a:bc:a9:3a:c9:bb:e4:cf:f0: + dd:fc:85:58:35:b4:1c:ed:e3:ec:b2:9d:54:7f:47:44:cd -----BEGIN CERTIFICATE----- -MIIBKDCBz6ADAgECAgEDMAoGCCqGSM49BAMCMAAwIBcNMjMwOTMwMTUwMzMzWhgP -OTk5ODExMzAwMDAwMDBaMAAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAR3+zb3 -kxS+EoWR1eWsadg+U2JnaTHa2MuxMSZKw1B1+ow7pDwo86m3L227kpsXEbDzQF8H -1lf2rgpCG6kCntd8ozgwNjATBgNVHSUEDDAKBggrBgEFBQcDBDAfBgNVHR8EGDAW -MBSgEqAQhg5hdGxlYXN0b25lLmNvbTAKBggqhkjOPQQDAgNIADBFAiEAqhpmrFsi -qeMtuDNUSfooIiSxEUlERm59VRP7JVaW4eECIGCz1uv/NCrnCqoLS0uzMrqWekT1 -+Af/hoaJrmXwbRsA ------END CERTIFICATE----- +MIIBPjCB5aADAgECAgEDMAoGCCqGSM49BAMCMAAwIBcNMjMwOTMwMTUwMzMzWhgP +OTk5ODExMzAwMDAwMDBaMAAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATXol6e +2VR9lPkPV0+vw3Xkv5pXDcGr8teY6ySimEmqYJBBVZZgjOW6rGu9IOEAyF0mYJo3 +KXugLGEJJFN6cRTdo04wTDATBgNVHSUEDDAKBggrBgEFBQcDBDAUBgNVHSAEDTAL 
+MAkGB2eBDAEFAQIwHwYDVR0fBBgwFjAUoBKgEIYOYXRsZWFzdG9uZS5jb20wCgYI +KoZIzj0EAwIDSAAwRQIhAI//3kobVokxjMW85Y4alcPkvDbf3xbEcXQowNByRLNo +AiB2tPQmrAd6vKk6ybvkz/Dd/IVYNbQc7ePssp1Uf0dEzQ== +-----END CERTIFICATE----- \ No newline at end of file diff --git a/v3/testdata/smime/without_subject_alternative_name.pem b/v3/testdata/smime/without_subject_alternative_name.pem index 67c187986..170e7783f 100644 --- a/v3/testdata/smime/without_subject_alternative_name.pem +++ b/v3/testdata/smime/without_subject_alternative_name.pem 
@@ -12,27 +12,29 @@ Certificate: Public Key Algorithm: id-ecPublicKey Public-Key: (256 bit) pub: - 04:8b:93:b2:84:b1:56:f4:cc:df:55:3f:f4:07:2b: - d1:5a:bc:52:10:41:aa:91:88:aa:25:ac:02:da:3e: - 0c:0e:af:3b:65:49:d5:22:f9:a5:80:f1:83:c6:bc: - bb:8e:cf:d1:a6:b5:92:5d:85:6f:91:5e:31:1a:af: - 69:04:62:31:86 + 04:b0:71:a1:e2:60:7f:f2:54:b0:73:7b:ad:34:19: + 81:36:30:9c:2b:24:92:75:9f:d3:2b:f9:7e:13:2f: + cf:6b:34:0e:cd:fd:16:39:8b:92:e8:de:e1:fa:81: + cc:cd:09:86:6b:93:1f:7c:05:0b:ca:dd:60:9f:85: + 8f:ac:b7:cd:e4 ASN1 OID: prime256v1 NIST CURVE: P-256 X509v3 extensions: X509v3 Extended Key Usage: E-mail Protection + X509v3 Certificate Policies: + Policy: 2.23.140.1.5.4.1 Signature Algorithm: ecdsa-with-SHA256 - Signature Value: - 30:45:02:20:0f:4a:43:42:ff:8b:5a:b3:30:f0:c6:b2:63:1c: - 92:39:4d:17:5d:b0:15:70:e9:15:2e:9a:3f:a1:d6:12:c2:79: - 02:21:00:a6:91:19:20:11:17:8d:f1:65:e0:f1:33:89:38:42: - 24:a5:41:e5:33:6b:53:21:7f:1f:49:49:0f:57:d8:0a:f2 + 30:45:02:20:19:d9:4d:3d:b9:03:93:7d:ad:59:cc:d7:92:2c: + 01:a2:c6:be:71:7f:90:a4:0b:97:ad:84:f2:50:3f:ce:0b:20: + 02:21:00:d0:9a:e5:79:0d:e4:3c:2d:db:ab:31:dc:b2:13:55: + dc:2b:41:6e:db:94:23:26:a7:28:63:f9:08:20:e4:35:6b -----BEGIN CERTIFICATE----- -MIIBBzCBrqADAgECAgEDMAoGCCqGSM49BAMCMAAwIBcNMjMwOTMwMTU0MTUwWhgP -OTk5ODExMzAwMDAwMDBaMAAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASLk7KE -sVb0zN9VP/QHK9FavFIQQaqRiKolrALaPgwOrztlSdUi+aWA8YPGvLuOz9GmtZJd -hW+RXjEar2kEYjGGoxcwFTATBgNVHSUEDDAKBggrBgEFBQcDBDAKBggqhkjOPQQD -AgNIADBFAiAPSkNC/4taszDwxrJjHJI5TRddsBVw6RUumj+h1hLCeQIhAKaRGSAR -F43xZeDxM4k4QiSlQeUza1Mhfx9JSQ9X2Ary ------END CERTIFICATE----- +MIIBHTCBxKADAgECAgEDMAoGCCqGSM49BAMCMAAwIBcNMjMwOTMwMTU0MTUwWhgP +OTk5ODExMzAwMDAwMDBaMAAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASwcaHi +YH/yVLBze600GYE2MJwrJJJ1n9Mr+X4TL89rNA7N/RY5i5Lo3uH6gczNCYZrkx98 +BQvK3WCfhY+st83koy0wKzATBgNVHSUEDDAKBggrBgEFBQcDBDAUBgNVHSAEDTAL +MAkGB2eBDAEFBAEwCgYIKoZIzj0EAwIDSAAwRQIgGdlNPbkDk32tWczXkiwBosa+ 
+cX+QpAuXrYTyUD/OCyACIQDQmuV5DeQ8LdurMdyyE1XcK0Fu25QjJqcoY/kIIOQ1
+aw==
+-----END CERTIFICATE-----
\ No newline at end of file
diff --git a/v3/util/oid.go b/v3/util/oid.go
index 429bc9011..c5cacb18d 100644
--- a/v3/util/oid.go
+++ b/v3/util/oid.go
@@ -80,6 +80,8 @@ var (
 BusinessOID = asn1.ObjectIdentifier{2, 5, 4, 15}
 PostalCodeOID = asn1.ObjectIdentifier{2, 5, 4, 17}
 GivenNameOID = asn1.ObjectIdentifier{2, 5, 4, 42}
+ // SAN otherNames
+ OidIdOnSmtpUtf8Mailbox = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 8, 9}
 // Hash algorithms - see https://golang.org/src/crypto/x509/x509.go
 SHA256OID = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 4, 2, 1}
 SHA384OID = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 4, 2, 2}
diff --git a/v3/util/san.go b/v3/util/san.go
new file mode 100644
index 000000000..d1f2f551a
--- /dev/null
+++ b/v3/util/san.go
@@ -0,0 +1,19 @@
+package util
+
+import "github.com/zmap/zcrypto/x509"
+
+func HasEmailSAN(c *x509.Certificate) bool {
+ for _, san := range c.EmailAddresses {
+ if san != "" {
+ return true
+ }
+ }
+
+ for _, name := range c.OtherNames {
+ if name.TypeID.Equal(OidIdOnSmtpUtf8Mailbox) && len(name.Value.Bytes) != 0 {
+ return true
+ }
+ }
+
+ return false
+}
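Review bot: `OidIdOnSmtpUtf8Mailbox` breaks the naming convention of the surrounding `var (` block, where every identifier is a MixedCaps name with an `OID` suffix (`PostalCodeOID`, `GivenNameOID`, `SHA256OID`); a name such as `SmtpUTF8MailboxOID` would match, and the added comment would be more useful naming the source rather than the category: `// id-on-SmtpUTF8Mailbox (RFC 8398): SAN otherName form carrying an internationalized email address`. Renaming means updating the single reference in the new san.go in the same patch. The `var (` block starts before this hunk and continues past it.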
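Review bot: The otherName branch of `HasEmailSAN` tests only `len(name.Value.Bytes) != 0`, which does not mirror the `san != ""` check on the rfc822Name branch: if `Value` is the raw [0] EXPLICIT wrapper, as its `Bytes` field suggests, those bytes hold the inner UTF8String TLV and are non-empty even when the mailbox string itself is empty, so a certificate carrying an empty SmtpUTF8Mailbox would be counted as having an email SAN and pulled into S/MIME BR scope. Decode the inner string and test it instead, as below (this needs `encoding/asn1` imported in san.go); please confirm against zcrypto's `OtherName` definition what `Value` actually holds. Being exported, the function also wants a doc comment, e.g. `// HasEmailSAN reports whether the certificate carries at least one rfc822Name SAN or a non-empty id-on-SmtpUTF8Mailbox otherName, the SAN forms that place a certificate in S/MIME BR scope.`
```go
// … unchanged: package, import, rfc822Name loop …
	for _, name := range c.OtherNames {
		if !name.TypeID.Equal(OidIdOnSmtpUtf8Mailbox) {
			continue
		}
		// NOTE(review): assumes Value is the [0] EXPLICIT wrapper and the
		// mailbox is the UTF8String inside it — confirm against zcrypto.
		var mailbox string
		if _, err := asn1.Unmarshal(name.Value.Bytes, &mailbox); err == nil && mailbox != "" {
			return true
		}
	}
	return false
```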