-
Notifications
You must be signed in to change notification settings - Fork 110
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
CABF SMIME BR Appendix A.1 - countryName matches registration scheme id #768
CABF SMIME BR Appendix A.1 - countryName matches registration scheme id #768
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nothing super major, but a couple of nits to address.
LintMetadata: lint.LintMetadata{ | ||
Name: "e_registration_scheme_id_matches_subject_country", | ||
Description: "The country code used in the Registration Scheme identifier SHALL match that of the subject:countryName in the Certificate as specified in Section 7.1.4.2.2", | ||
Citation: "Appendix A A.1", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Citation: "Appendix A A.1", | |
Citation: "Appendix A.1", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Updated
type registrationSchemeIDMatchesSubjectCountry struct{} | ||
|
||
// NewRegistrationSchemeIDMatchesSubjectCountry creates a new linter to enforce SHALL requirements for registration scheme identifiers matching subject:countryName | ||
func NewRegistrationSchemeIDMatchesSubjectCountry() lint.LintInterface { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
func NewRegistrationSchemeIDMatchesSubjectCountry() lint.LintInterface { | |
func NewRegistrationSchemeIDMatchesSubjectCountry() lint.CertificateLintInterface { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should have seen LintInterface was deprecated. Updated as suggested.
return ®istrationSchemeIDMatchesSubjectCountry{} | ||
} | ||
|
||
// CheckApplies returns true if the provided certificate contains subject:countryName and one-or-more of the following SMIME BR policy identifiers: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Firstly, this comment doesn't mention the update to need a partially valid subject.organizationID.
Secondly, I wonder if you could compress the list of policies by just saying "and the certificate contains an Organization or Sponsor Validated policy OID"
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Made comment more relevant to full content of CheckApplies
// - Sponsor Validated Multipurpose | ||
// - Sponsor Validated Legacy | ||
func (l *registrationSchemeIDMatchesSubjectCountry) CheckApplies(c *x509.Certificate) bool { | ||
if c.Subject.Country == nil { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It's a bit picky but I wonder if this would be better if you also checked that there was a non-empty-string value (or make sure that there's at least one value that's two characters long?) in c.Subject.Country?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Added subsequent check that c.Subject.Country[0] is 2 characters in length because as you raised in a different comment, the Execute function of this lint is assuming that the first countryName value is present and (at least could be) valid - e.g. ISO 3166 or XX
|
||
// Execute applies the requirements on matching subject:countryName with registration scheme identifiers | ||
func (l *registrationSchemeIDMatchesSubjectCountry) Execute(c *x509.Certificate) *lint.LintResult { | ||
country := c.Subject.Country[0] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I wonder how well this combines with the CheckApplies. I have got a comment in this review suggesting you loop to find one countryName of length 2 but I wonder if you should be saying this lint applies if something like this is true:
c.Subject.Country[0] == <TWO CAPITAL LETTERS>
Given that the Execute function of this lint is assuming that the first countryName value is present and valid.
Sorry about this @eliot-gs, but there's currently some discussion about removing this requirement to have the country in the organizationIdentifier match the provided countryName attribute (will link the first email on the subject below). I wonder if we should wait for some additional clarity before merging this PR? I guess on the flip-side though, the change hasn't been made and as it's a substantive one I imagine it will be brought in in the future making this lint useful for certs issued since 20230901 (yyyymmdd). So, perhaps this could be merged with the caveat that we may need to add an ineffective date once there's a date for when any future changes are coming into force? SMIME WG email: https://lists.cabforum.org/pipermail/smcwg-public/2023-November/000863.html |
Hi @eliot-gs, I've been thinking about this PR a bit and I think we can merge it in. There is a decent chance that the rule you're enforcing with your lint is going to be removed, but that change is a substantive change to the BRs and should be made effective from a future date. Therefore, the requirement from appendix A1 is effective from 1st September 2023 until the TBC future date. My thinking is we should merge this in, keep our eyes open on the conversations around SMCWG and once that conversation is resolved we can do another PR to set the ineffective date for the lint in this PR. What do you think @christopher-henderson? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
|
||
for _, id := range c.Subject.OrganizationIDs { | ||
submatches := countryRegex.FindStringSubmatch(id) | ||
if len(submatches) < 3 { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thankfully len(nil)
won't explode here 😄 (I had to double check this myself, it returns 0 which makes sense).
// verifySMIMEOrganizationIdentifierContainSubjectNameCountry verifies that the country code used in the subject:organizationIdentifier matches subject:countryName | ||
func verifySMIMEOrganizationIdentifierContainsSubjectNameCountry(id string, country string) error { | ||
submatches := countryRegex.FindStringSubmatch(id) | ||
// Captures the country code from the organization identifier |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
// Captures the country code from the organization identifier | |
// Captures the country code from the organization identifier | |
// Note that this raw indexing into the second position is only safe | |
// due to a length check done in CheckApplies |
I often find it useful for the poor unfortunate souls in the future to leave a note as to why an unchecked index/dereference is safe, just in case those safety guarantees are broken by someone in the future and now the cause has to be hunted down.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I have added this suggested comment.
Thanks @christopher-henderson, I have addressed the issues you raised. |
I'd like to highlight that the current requirement (and lint) effectively prevents the use of LEI and INT as registration schemes. The Subject:CountryName SHALL contain the country code associated with the location of the Subject verified, which cannot be XG, and so this lint would fail. Also, the existing lint e_subject_country_not_iso does not recognize XG as a valid country, so even if the Subject:CountryName would be set to XG, this lint would block it. |
Hi @chrisbn, thanks for the comment however the point you're raising is not a zlint problem. zlint exists to apply the rules as they are written and, to me, your comment sounds like the SMIME BRs are broken because of the inconsistency between the parts of the document you've highlighted. As you've pointed out, the 7.1.4.2.2 d note 2 text says that in some cases the country code in the organizationIdentifier should be "XG", Appendix A.1 says the country codes in the organizationIdentifier and countryName must match, and 7.1.4.2.2 n doesn't support the countryName being set to "XG". This is a failure of the SMIME BRs and should be fixed there before any changes to zlint are made. tl;dr |
Adding lint to check the 2 character countryName in the subject matches the countryName in the registration scheme id as per Appendix A.1: The country code used in the Registration Scheme identifier SHALL match that of the subject:countryName in the Certificate as specified in Section 7.1.4.2.2.