Add lint to detect invalid cps uri #828
Conversation
Added //nolint:all to comment block to avoid golangci-lint to complain about duplicate words in comment
Fixed import block
Fine to me. Co-authored-by: Christopher Henderson <chris@chenderson.org>
As per Chris Henderson's suggestion, to "improve readability".
As per Chris Henderson's suggestion.
Added CABFEV_Sec9_2_8_Date
|
It seems like there is some leakage between this PR and #830... was that intentional? |
|
Thank you @cardonator, I have fixed that. |
| } | ||
|
|
||
| func (l *invalidCPSUri) Execute(c *x509.Certificate) *lint.LintResult { | ||
| // There should normally be just one CPS URI, but one never knows... |
There was a problem hiding this comment.
It may make sense to raise a warning if there is more than one but not outright fail the lint
There was a problem hiding this comment.
Generally, we try to have lints only raise a single severity level. If we want, we could certainly create a second lint though.
There was a problem hiding this comment.
Mainly trying to reconcile between this and #815
There was a problem hiding this comment.
On the first point: it seems to me that the CABF BRs do not forbid including more than one CPS URI in a certificate, and although it's uncommon and "ugly" (to me) I can imagine some more or less valid reasons for doing that, so I do not think there is a reason for raising a warning if there is more than one CPS URI.
On the second point: my lint checks than a CPS URI is valid according to the CABF BRs (which applies to any kind of certificate in the TLS context, both EV and non EV), while PR #815 seems to be specific for EV certs.
Please add this lint to check that any CPS URIs (hopefully just one) found in the certificates is a valid HTTP or HTTPS URL as per CABF BR 7.1.2 (several subsections thereof).