Lint for 7.1.2.7.2 BR #810
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This reverts commit 6c23670.
util: gtld_map autopull updates for 2021-10-21T07:25:20 UTC
christopher-henderson
requested changes
Mar 9, 2024
| func (l *dvSubjectInvalidValues) Execute(cert *x509.Certificate) *lint.LintResult { | ||
| names := util.GetTypesInName(&cert.Subject) | ||
| for _, n := range names { | ||
| if n.Equal(util.CountryNameOID) || n.Equal(util.CommonNameOID) { |
There was a problem hiding this comment.
Given that commonName is not recommended, would you be amenable to making this a warning?
&lint.LintResult{Status: lint.Warn, Details: "DV certificate contains a subject common name, this is not recommended."}
There was a problem hiding this comment.
@christopher-henderson Isn't the warning for commonName already covered by lint_subject_common_name_included_sc62.go? Adding a warning means that it will now be reported twice right?
There was a problem hiding this comment.
This is true. The contribution guidelines also cover this, specifying that a non-success status should match the lint's name prefix. I will create a PR for this if that is fine.
christopher-henderson
approved these changes
Mar 10, 2024
Merged
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This pull request adds a lint for the presence of attributes other than CN and C in the subject of DV certificates. This work has been made in close cooperation with the D-Trust CA. We would be grateful if you could incorporate this PR in the main project.
Citation (https://cabforum.org/uploads/CA-Browser-Forum-BR-v2.0.0.pdf):
7.1.2.7.2 Domain Validated
The following table details the acceptable AttributeTypes that may appear within the type
field of an AttributeTypeAndValue, as well as the contents permitted within the value field.
Table 35: Domain Validated subject Attributes
countryName MAY The two-letter ISO 3166-1 country code for the country
associated with the Subject. Section 3.2.2.3
commonName NOT RECOMMENDED
If present, MUST contain a value derived from the
subjectAltName extension according to Section
7.1.4.3.
Any other attribute MUST NOT