zmap · christopher-henderson · Nov 12, 2023 · Nov 9, 2023 · Nov 12, 2023
diff --git a/v3/lint/base.go b/v3/lint/base.go
@@ -221,7 +221,7 @@ func (l *CertificateLint) Execute(cert *x509.Certificate, config Configuration)
 	if l.Source == CABFBaselineRequirements && !util.IsServerAuthCert(cert) {
 		return &LintResult{Status: NA}
 	}
-	if l.Source == CABFSMIMEBaselineRequirements && !util.IsEmailProtectionCert(cert) {
+	if l.Source == CABFSMIMEBaselineRequirements && !((util.IsEmailProtectionCert(cert) && util.HasEmailSAN(cert)) || util.IsSMIMEBRCertificate(cert)) {
 		return &LintResult{Status: NA}
 	}
 	lint := l.Lint()

diff --git a/v3/testdata/smime/subscriber_no_crl_distribution_points.pem b/v3/testdata/smime/subscriber_no_crl_distribution_points.pem
@@ -12,27 +12,29 @@ Certificate:
             Public Key Algorithm: id-ecPublicKey
                 Public-Key: (256 bit)
                 pub:
-                    04:b0:ea:1e:f1:18:fe:47:2c:63:90:84:55:31:84:
-                    a9:7d:05:a9:53:01:21:6f:cf:c4:b3:08:33:d2:4c:
-                    0a:e0:39:40:d2:c8:05:e0:7a:a2:cf:14:04:9e:75:
-                    c9:8a:41:b1:ce:6f:ea:6e:f2:5f:f7:0c:58:39:d5:
-                    b3:b6:83:fc:79
+                    04:59:8d:60:f6:dc:04:98:92:65:d8:4d:e9:45:da:
+                    1e:97:70:09:5a:af:cf:c7:e5:86:18:cd:32:8b:35:
+                    c7:23:5c:b8:76:c7:65:f8:20:f1:fc:ab:3b:28:22:
+                    a3:a9:9b:68:dc:7a:58:74:3b:f4:0b:b9:60:57:3f:
+                    46:21:e3:b8:11
                 ASN1 OID: prime256v1
                 NIST CURVE: P-256
         X509v3 extensions:
             X509v3 Extended Key Usage: 
                 E-mail Protection
+            X509v3 Certificate Policies: 
+                Policy: 2.23.140.1.5.4.1
     Signature Algorithm: ecdsa-with-SHA256
-    Signature Value:
-        30:45:02:21:00:9f:89:3b:b4:a6:ca:2f:d3:24:cf:5c:0f:d2:
-        b4:0c:a5:23:e2:77:ae:dc:4e:60:f9:fb:a5:d7:17:b6:eb:d7:
-        be:02:20:60:21:54:e0:ef:0c:eb:d7:7d:c0:f6:28:29:86:d2:
-        be:b1:3e:c7:a6:f5:23:84:37:18:68:af:cd:6d:fe:4d:b0
+         30:45:02:21:00:97:6e:8c:24:9c:5f:89:f4:92:29:d8:4d:eb:
+         c1:1b:bd:a6:31:d3:32:58:da:34:4b:fa:d3:f7:b2:c3:49:93:
+         a2:02:20:51:49:d7:29:8b:1d:28:2e:24:58:fb:e5:34:a1:5c:
+         c0:05:d8:8e:f3:ce:43:4e:3b:0a:b0:7c:ce:57:f7:42:1f
 -----BEGIN CERTIFICATE-----
-MIIBBzCBrqADAgECAgEDMAoGCCqGSM49BAMCMAAwIBcNMjMwOTMwMTUwMjU3WhgP
-OTk5ODExMzAwMDAwMDBaMAAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASw6h7x
-GP5HLGOQhFUxhKl9BalTASFvz8SzCDPSTArgOUDSyAXgeqLPFASedcmKQbHOb+pu
-8l/3DFg51bO2g/x5oxcwFTATBgNVHSUEDDAKBggrBgEFBQcDBDAKBggqhkjOPQQD
-AgNIADBFAiEAn4k7tKbKL9Mkz1wP0rQMpSPid67cTmD5+6XXF7br174CIGAhVODv
-DOvXfcD2KCmG0r6xPsem9SOENxhor81t/k2w
------END CERTIFICATE-----
+MIIBHTCBxKADAgECAgEDMAoGCCqGSM49BAMCMAAwIBcNMjMwOTMwMTUwMjU3WhgP
+OTk5ODExMzAwMDAwMDBaMAAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARZjWD2
+3ASYkmXYTelF2h6XcAlar8/H5YYYzTKLNccjXLh2x2X4IPH8qzsoIqOpm2jcelh0
+O/QLuWBXP0Yh47gRoy0wKzATBgNVHSUEDDAKBggrBgEFBQcDBDAUBgNVHSAEDTAL
+MAkGB2eBDAEFBAEwCgYIKoZIzj0EAwIDSAAwRQIhAJdujCScX4n0kinYTevBG72m
+MdMyWNo0S/rT97LDSZOiAiBRSdcpix0oLiRY++U0oVzABdiO885DTjsKsHzOV/dC
+Hw==
+-----END CERTIFICATE-----
diff --git a/v3/testdata/smime/subscriber_with_crl_distribution_points.pem b/v3/testdata/smime/subscriber_with_crl_distribution_points.pem
@@ -12,31 +12,32 @@ Certificate:
             Public Key Algorithm: id-ecPublicKey
                 Public-Key: (256 bit)
                 pub:
-                    04:77:fb:36:f7:93:14:be:12:85:91:d5:e5:ac:69:
-                    d8:3e:53:62:67:69:31:da:d8:cb:b1:31:26:4a:c3:
-                    50:75:fa:8c:3b:a4:3c:28:f3:a9:b7:2f:6d:bb:92:
-                    9b:17:11:b0:f3:40:5f:07:d6:57:f6:ae:0a:42:1b:
-                    a9:02:9e:d7:7c
+                    04:d7:a2:5e:9e:d9:54:7d:94:f9:0f:57:4f:af:c3:
+                    75:e4:bf:9a:57:0d:c1:ab:f2:d7:98:eb:24:a2:98:
+                    49:aa:60:90:41:55:96:60:8c:e5:ba:ac:6b:bd:20:
+                    e1:00:c8:5d:26:60:9a:37:29:7b:a0:2c:61:09:24:
+                    53:7a:71:14:dd
                 ASN1 OID: prime256v1
                 NIST CURVE: P-256
         X509v3 extensions:
             X509v3 Extended Key Usage: 
                 E-mail Protection
+            X509v3 Certificate Policies: 
+                Policy: 2.23.140.1.5.1.2
             X509v3 CRL Distribution Points: 
                 Full Name:
                   URI:atleastone.com
     Signature Algorithm: ecdsa-with-SHA256
-    Signature Value:
-        30:45:02:21:00:aa:1a:66:ac:5b:22:a9:e3:2d:b8:33:54:49:
-        fa:28:22:24:b1:11:49:44:46:6e:7d:55:13:fb:25:56:96:e1:
-        e1:02:20:60:b3:d6:eb:ff:34:2a:e7:0a:aa:0b:4b:4b:b3:32:
-        ba:96:7a:44:f5:f8:07:ff:86:86:89:ae:65:f0:6d:1b:00
+         30:45:02:21:00:8f:ff:de:4a:1b:56:89:31:8c:c5:bc:e5:8e:
+         1a:95:c3:e4:bc:36:df:df:16:c4:71:74:28:c0:d0:72:44:b3:
+         68:02:20:76:b4:f4:26:ac:07:7a:bc:a9:3a:c9:bb:e4:cf:f0:
+         dd:fc:85:58:35:b4:1c:ed:e3:ec:b2:9d:54:7f:47:44:cd
 -----BEGIN CERTIFICATE-----
-MIIBKDCBz6ADAgECAgEDMAoGCCqGSM49BAMCMAAwIBcNMjMwOTMwMTUwMzMzWhgP
-OTk5ODExMzAwMDAwMDBaMAAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAR3+zb3
-kxS+EoWR1eWsadg+U2JnaTHa2MuxMSZKw1B1+ow7pDwo86m3L227kpsXEbDzQF8H
-1lf2rgpCG6kCntd8ozgwNjATBgNVHSUEDDAKBggrBgEFBQcDBDAfBgNVHR8EGDAW
-MBSgEqAQhg5hdGxlYXN0b25lLmNvbTAKBggqhkjOPQQDAgNIADBFAiEAqhpmrFsi
-qeMtuDNUSfooIiSxEUlERm59VRP7JVaW4eECIGCz1uv/NCrnCqoLS0uzMrqWekT1
-+Af/hoaJrmXwbRsA
------END CERTIFICATE-----
+MIIBPjCB5aADAgECAgEDMAoGCCqGSM49BAMCMAAwIBcNMjMwOTMwMTUwMzMzWhgP
+OTk5ODExMzAwMDAwMDBaMAAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATXol6e
+2VR9lPkPV0+vw3Xkv5pXDcGr8teY6ySimEmqYJBBVZZgjOW6rGu9IOEAyF0mYJo3
+KXugLGEJJFN6cRTdo04wTDATBgNVHSUEDDAKBggrBgEFBQcDBDAUBgNVHSAEDTAL
+MAkGB2eBDAEFAQIwHwYDVR0fBBgwFjAUoBKgEIYOYXRsZWFzdG9uZS5jb20wCgYI
+KoZIzj0EAwIDSAAwRQIhAI//3kobVokxjMW85Y4alcPkvDbf3xbEcXQowNByRLNo
+AiB2tPQmrAd6vKk6ybvkz/Dd/IVYNbQc7ePssp1Uf0dEzQ==
+-----END CERTIFICATE-----
diff --git a/v3/testdata/smime/without_subject_alternative_name.pem b/v3/testdata/smime/without_subject_alternative_name.pem
@@ -12,27 +12,29 @@ Certificate:
             Public Key Algorithm: id-ecPublicKey
                 Public-Key: (256 bit)
                 pub:
-                    04:8b:93:b2:84:b1:56:f4:cc:df:55:3f:f4:07:2b:
-                    d1:5a:bc:52:10:41:aa:91:88:aa:25:ac:02:da:3e:
-                    0c:0e:af:3b:65:49:d5:22:f9:a5:80:f1:83:c6:bc:
-                    bb:8e:cf:d1:a6:b5:92:5d:85:6f:91:5e:31:1a:af:
-                    69:04:62:31:86
+                    04:b0:71:a1:e2:60:7f:f2:54:b0:73:7b:ad:34:19:
+                    81:36:30:9c:2b:24:92:75:9f:d3:2b:f9:7e:13:2f:
+                    cf:6b:34:0e:cd:fd:16:39:8b:92:e8:de:e1:fa:81:
+                    cc:cd:09:86:6b:93:1f:7c:05:0b:ca:dd:60:9f:85:
+                    8f:ac:b7:cd:e4
                 ASN1 OID: prime256v1
                 NIST CURVE: P-256
         X509v3 extensions:
             X509v3 Extended Key Usage: 
                 E-mail Protection
+            X509v3 Certificate Policies: 
+                Policy: 2.23.140.1.5.4.1
     Signature Algorithm: ecdsa-with-SHA256
-    Signature Value:
-        30:45:02:20:0f:4a:43:42:ff:8b:5a:b3:30:f0:c6:b2:63:1c:
-        92:39:4d:17:5d:b0:15:70:e9:15:2e:9a:3f:a1:d6:12:c2:79:
-        02:21:00:a6:91:19:20:11:17:8d:f1:65:e0:f1:33:89:38:42:
-        24:a5:41:e5:33:6b:53:21:7f:1f:49:49:0f:57:d8:0a:f2
+         30:45:02:20:19:d9:4d:3d:b9:03:93:7d:ad:59:cc:d7:92:2c:
+         01:a2:c6:be:71:7f:90:a4:0b:97:ad:84:f2:50:3f:ce:0b:20:
+         02:21:00:d0:9a:e5:79:0d:e4:3c:2d:db:ab:31:dc:b2:13:55:
+         dc:2b:41:6e:db:94:23:26:a7:28:63:f9:08:20:e4:35:6b
 -----BEGIN CERTIFICATE-----
-MIIBBzCBrqADAgECAgEDMAoGCCqGSM49BAMCMAAwIBcNMjMwOTMwMTU0MTUwWhgP
-OTk5ODExMzAwMDAwMDBaMAAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASLk7KE
-sVb0zN9VP/QHK9FavFIQQaqRiKolrALaPgwOrztlSdUi+aWA8YPGvLuOz9GmtZJd
-hW+RXjEar2kEYjGGoxcwFTATBgNVHSUEDDAKBggrBgEFBQcDBDAKBggqhkjOPQQD
-AgNIADBFAiAPSkNC/4taszDwxrJjHJI5TRddsBVw6RUumj+h1hLCeQIhAKaRGSAR
-F43xZeDxM4k4QiSlQeUza1Mhfx9JSQ9X2Ary
------END CERTIFICATE-----
+MIIBHTCBxKADAgECAgEDMAoGCCqGSM49BAMCMAAwIBcNMjMwOTMwMTU0MTUwWhgP
+OTk5ODExMzAwMDAwMDBaMAAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASwcaHi
+YH/yVLBze600GYE2MJwrJJJ1n9Mr+X4TL89rNA7N/RY5i5Lo3uH6gczNCYZrkx98
+BQvK3WCfhY+st83koy0wKzATBgNVHSUEDDAKBggrBgEFBQcDBDAUBgNVHSAEDTAL
+MAkGB2eBDAEFBAEwCgYIKoZIzj0EAwIDSAAwRQIgGdlNPbkDk32tWczXkiwBosa+
+cX+QpAuXrYTyUD/OCyACIQDQmuV5DeQ8LdurMdyyE1XcK0Fu25QjJqcoY/kIIOQ1
+aw==
+-----END CERTIFICATE-----
diff --git a/v3/util/oid.go b/v3/util/oid.go
@@ -80,6 +80,8 @@ var (
 	BusinessOID               = asn1.ObjectIdentifier{2, 5, 4, 15}
 	PostalCodeOID             = asn1.ObjectIdentifier{2, 5, 4, 17}
 	GivenNameOID              = asn1.ObjectIdentifier{2, 5, 4, 42}
+	// SAN otherNames
+	OidIdOnSmtpUtf8Mailbox = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 8, 9}
 	// Hash algorithms - see https://golang.org/src/crypto/x509/x509.go
 	SHA256OID = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 4, 2, 1}
 	SHA384OID = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 4, 2, 2}

diff --git a/v3/util/san.go b/v3/util/san.go
@@ -0,0 +1,19 @@
+package util
+
+import "github.com/zmap/zcrypto/x509"
+
+func HasEmailSAN(c *x509.Certificate) bool {
+	for _, san := range c.EmailAddresses {
+		if san != "" {
+			return true
+		}
+	}
+
+	for _, name := range c.OtherNames {
+		if name.TypeID.Equal(OidIdOnSmtpUtf8Mailbox) && len(name.Value.Bytes) != 0 {
+			return true
+		}
+	}
+
+	return false
+}