Add lint to check that the countryName attribute (C) is in uppercase

v3/integration/config.json

@@ -970,6 +970,9 @@
     },
     "e_ca_invalid_eku": {
         "ErrCount": 1
-    }    
+    },
+    "e_subj_country_not_uppercase": {
+        "ErrCount": 1303
+    }
   }
 }

v3/lints/community/lint_subj_country_not_uppercase.go

@@ -0,0 +1,62 @@
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+package community
+
+import (
+	"github.com/zmap/zcrypto/x509"
+	"github.com/zmap/zlint/v3/lint"
+	"github.com/zmap/zlint/v3/util"
+
+	"regexp"
+)
+
+func init() {
+	lint.RegisterCertificateLint(&lint.CertificateLint{
+		LintMetadata: lint.LintMetadata{
+			Name:          "e_subj_country_not_uppercase",
+			Description:   "Alpha-2 country codes shall consist of LATIN CAPITAL LETTER A through LATIN CAPITAL LETTER Z",
+			Citation:      "ISO 3166-2:2020(E) section 5.1",
+			Source:        lint.Community,
+			EffectiveDate: util.ZeroDate,
+		},
+		Lint: NewSubjCountryNotUppercase,
+	})
+}
+
+type subjCountryNotUppercase struct{}
+
+func NewSubjCountryNotUppercase() lint.LintInterface {
+	return &subjCountryNotUppercase{}
+}
+
+func (l *subjCountryNotUppercase) CheckApplies(c *x509.Certificate) bool {
+	return true
+}
+
+var re = regexp.MustCompile("^[A-Z]+$")
+
+func (l *subjCountryNotUppercase) Execute(c *x509.Certificate) *lint.LintResult {
+	// There should be only one countryName attribute in the Subject, normally,
+	// but checking this is not our business here, so let's scan them all
+	for _, cc := range c.Subject.Country {
+		if !re.MatchString(cc) {
+			return &lint.LintResult{
+				Status:  lint.Error,
+				Details: "Country codes must be comprised of uppercase A-Z letters",
+			}
+		}
+	}
+	return &lint.LintResult{Status: lint.Pass}
+}

v3/lints/community/lint_subj_country_not_uppercase_test.go

@@ -0,0 +1,65 @@
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+package community
+
+import (
+	"testing"
+
+	"github.com/zmap/zlint/v3/lint"
+	"github.com/zmap/zlint/v3/test"
+)
+
+/*
+ * Test cases:
+ *
+ *      country_not_upcase_ok1.pem      Normal
+ *      country_not_upcase_ko1.pem      Country code is in mixed case
+ *      country_not_upcase_ko2.pem      Country code is all lowercase
+ *      country_not_upcase_ko3.pem      Two country codes, one OK and one bad
+ */
+
+func TestSubjCountryNotUppercase(t *testing.T) {
+	type Data struct {
+		input string
+		want  lint.LintStatus
+	}
+	data := []Data{
+		{
+			input: "country_not_upcase_ok1.pem",
+			want:  lint.Pass,
+		},
+		{
+			input: "country_not_upcase_ko1.pem",
+			want:  lint.Error,
+		},
+		{
+			input: "country_not_upcase_ko2.pem",
+			want:  lint.Error,
+		},
+		{
+			input: "country_not_upcase_ko3.pem",
+			want:  lint.Error,
+		},
+	}
+	for _, testData := range data {
+		testData := testData
+		t.Run(testData.input, func(t *testing.T) {
+			out := test.TestLint("e_subj_country_not_uppercase", testData.input)
+			if out.Status != testData.want {
+				t.Errorf("expected %s, got %s", testData.want, out.Status)
+			}
+		})
+	}
+}

v3/testdata/country_not_upcase_ko1.pem

@@ -0,0 +1,100 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            9e:87:87:03:f4:da:fc:d1:1b:7a:87:12:31:89:5a:7a
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = XX, O = Some CA, CN = Fake CA for zlint testing
+        Validity
+            Not Before: Jun 17 12:54:36 2024 GMT
+            Not After : Jun 17 12:54:36 2025 GMT
+        Subject: C = de, ST = Some State or Province, L = Somewhere, O = Some Company Ltd., CN = example.org
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                RSA Public-Key: (2048 bit)
+                Modulus:
+                    00:d2:85:c1:2c:56:53:86:a8:67:fa:1b:79:0d:b0:
+                    21:ec:a5:d7:cf:34:ab:f8:eb:bb:e9:a6:b7:5c:3b:
+                    36:6a:ed:9f:1f:b2:75:f1:70:03:fb:ca:01:dc:fb:
+                    52:aa:8d:47:65:6b:f7:b2:76:a7:0b:2b:5e:70:82:
+                    f7:3e:58:1e:38:6e:f4:c5:e2:9b:b8:5d:9f:ad:b0:
+                    25:13:0f:e4:19:ac:08:12:cb:bd:1d:85:f6:11:d6:
+                    59:f8:db:a3:28:63:71:00:1d:19:38:d2:77:61:21:
+                    14:91:45:bc:a2:f9:e5:60:64:c8:4e:9a:f8:65:2c:
+                    09:86:77:20:ab:27:ee:b9:70:b0:35:0b:75:9b:7e:
+                    d5:4f:a1:d9:46:ce:56:88:a3:02:2e:45:c3:84:09:
+                    5b:b7:60:5c:83:ae:b3:d7:a7:78:b8:db:dd:e8:44:
+                    83:70:b8:11:c8:a7:b0:75:3d:0d:f7:f6:f6:47:77:
+                    1e:df:05:5f:fc:c7:9d:0c:cb:71:4e:e2:ad:1f:b1:
+                    ee:aa:36:87:5a:66:5b:c0:18:c6:8a:1d:95:11:66:
+                    10:dd:a2:12:96:7d:a8:6b:ae:06:7e:9e:2b:0e:d4:
+                    0c:ba:63:d7:06:c8:c5:57:38:7c:c8:8a:ac:1c:b3:
+                    a7:dc:a3:a7:4d:24:45:2a:03:98:9e:40:b7:cd:00:
+                    e1:79
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Key Usage: critical
+                Digital Signature, Key Encipherment
+            X509v3 Extended Key Usage: 
+                TLS Web Client Authentication, TLS Web Server Authentication
+            X509v3 Subject Key Identifier: 
+                14:9E:EF:23:D5:A1:C8:38:E9:DA:B8:A9:24:8A:DE:FA:A9:D9:1D:F6
+            X509v3 Authority Key Identifier: 
+                keyid:E8:B6:F6:76:4B:D0:3B:E5:46:A5:F9:54:D4:7E:07:B3:DE:0D:60:3E
+
+            Authority Information Access: 
+                OCSP - URI:http://ca.someca-inc.com/ocsp
+                CA Issuers - URI:http://ca.someca-inc.com/root
+
+            X509v3 Subject Alternative Name: 
+                DNS:example.org
+            X509v3 Certificate Policies: 
+                Policy: 2.23.140.1.2.2
+
+            X509v3 CRL Distribution Points: 
+
+                Full Name:
+                  URI:http://ca.someca-inc.com/crl
+
+    Signature Algorithm: sha256WithRSAEncryption
+         a6:ef:ce:3a:34:72:d7:cb:55:26:fa:8f:34:3b:59:a7:c3:c5:
+         9d:85:be:b5:05:9e:09:e4:54:66:0e:57:4f:e8:1c:5c:c0:19:
+         f9:8c:f5:d4:b8:84:cc:eb:59:49:c3:db:e8:a5:e5:47:c5:35:
+         57:13:8e:0b:00:f2:05:c5:a3:0e:b3:87:f5:13:7f:26:79:90:
+         8a:46:65:57:c0:8d:3e:ab:65:cc:71:d0:b1:b4:6d:d1:63:51:
+         4a:ef:7b:d7:34:0c:67:52:93:c3:c7:e5:46:af:03:09:67:d3:
+         24:23:df:ee:cd:29:3f:a8:13:5e:8f:93:dc:8a:7d:78:39:94:
+         63:d9:bc:71:7b:08:1e:0f:22:61:50:9b:ad:4d:6e:26:33:6e:
+         83:eb:43:6d:e8:85:b7:2b:d5:40:9e:ed:36:3d:7a:f6:94:e1:
+         b0:c1:92:e8:e7:7f:80:2d:1a:d0:93:3c:0d:e8:39:64:ae:25:
+         9a:92:d7:44:06:cb:9f:4b:dd:80:fe:b6:d3:7a:ba:72:69:46:
+         92:4f:07:ed:4f:eb:d1:f8:b1:3e:01:26:26:a2:ba:4f:f7:11:
+         dd:b9:eb:36:6e:b5:02:3c:50:1e:1c:b1:c3:0d:39:5b:f7:af:
+         98:36:aa:02:0c:dc:c6:40:c5:6c:d8:ef:0d:87:ce:2f:9f:41:
+         33:2d:9d:5d
+-----BEGIN CERTIFICATE-----
+MIIEeTCCA2GgAwIBAgIRAJ6HhwP02vzRG3qHEjGJWnowDQYJKoZIhvcNAQELBQAw
+QzELMAkGA1UEBhMCWFgxEDAOBgNVBAoTB1NvbWUgQ0ExIjAgBgNVBAMTGUZha2Ug
+Q0EgZm9yIHpsaW50IHRlc3RpbmcwHhcNMjQwNjE3MTI1NDM2WhcNMjUwNjE3MTI1
+NDM2WjB0MQswCQYDVQQGEwJkZTEfMB0GA1UECBMWU29tZSBTdGF0ZSBvciBQcm92
+aW5jZTESMBAGA1UEBxMJU29tZXdoZXJlMRowGAYDVQQKExFTb21lIENvbXBhbnkg
+THRkLjEUMBIGA1UEAxMLZXhhbXBsZS5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IB
+DwAwggEKAoIBAQDShcEsVlOGqGf6G3kNsCHspdfPNKv467vpprdcOzZq7Z8fsnXx
+cAP7ygHc+1KqjUdla/eydqcLK15wgvc+WB44bvTF4pu4XZ+tsCUTD+QZrAgSy70d
+hfYR1ln426MoY3EAHRk40ndhIRSRRbyi+eVgZMhOmvhlLAmGdyCrJ+65cLA1C3Wb
+ftVPodlGzlaIowIuRcOECVu3YFyDrrPXp3i4293oRINwuBHIp7B1PQ339vZHdx7f
+BV/8x50My3FO4q0fse6qNodaZlvAGMaKHZURZhDdohKWfahrrgZ+nisO1Ay6Y9cG
+yMVXOHzIiqwcs6fco6dNJEUqA5ieQLfNAOF5AgMBAAGjggE1MIIBMTAOBgNVHQ8B
+Af8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMB0GA1UdDgQW
+BBQUnu8j1aHIOOnauKkkit76qdkd9jAfBgNVHSMEGDAWgBTotvZ2S9A75Ual+VTU
+fgez3g1gPjBkBggrBgEFBQcBAQRYMFYwKQYIKwYBBQUHMAGGHWh0dHA6Ly9jYS5z
+b21lY2EtaW5jLmNvbS9vY3NwMCkGCCsGAQUFBzAChh1odHRwOi8vY2Euc29tZWNh
+LWluYy5jb20vcm9vdDAWBgNVHREEDzANggtleGFtcGxlLm9yZzATBgNVHSAEDDAK
+MAgGBmeBDAECAjAtBgNVHR8EJjAkMCKgIKAehhxodHRwOi8vY2Euc29tZWNhLWlu
+Yy5jb20vY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQCm7846NHLXy1Um+o80O1mnw8Wd
+hb61BZ4J5FRmDldP6BxcwBn5jPXUuITM61lJw9vopeVHxTVXE44LAPIFxaMOs4f1
+E38meZCKRmVXwI0+q2XMcdCxtG3RY1FK73vXNAxnUpPDx+VGrwMJZ9MkI9/uzSk/
+qBNej5Pcin14OZRj2bxxewgeDyJhUJutTW4mM26D60Nt6IW3K9VAnu02PXr2lOGw
+wZLo53+ALRrQkzwN6DlkriWaktdEBsufS92A/rbTerpyaUaSTwftT+vR+LE+ASYm
+orpP9xHdues2brUCPFAeHLHDDTlb96+YNqoCDNzGQMVs2O8Nh84vn0EzLZ1d
+-----END CERTIFICATE-----

v3/testdata/country_not_upcase_ko2.pem

@@ -0,0 +1,100 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            ff:3b:e5:b4:87:c4:99:76:ec:d5:a6:83:eb:10:78:02
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = XX, O = Some CA, CN = Fake CA for zlint testing
+        Validity
+            Not Before: Jun 17 12:58:42 2024 GMT
+            Not After : Jun 17 12:58:42 2025 GMT
+        Subject: C = Es, ST = Some State or Province, L = Somewhere, O = Some Company Ltd., CN = example.org
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                RSA Public-Key: (2048 bit)
+                Modulus:
+                    00:a9:a4:f9:fb:b5:ae:9f:61:c5:7c:af:67:b3:ae:
+                    06:7d:0f:1e:49:f8:c8:1c:fa:52:8b:57:5d:b7:a8:
+                    a8:bc:39:f9:89:0b:fa:e4:f1:8a:45:bc:25:e6:b7:
+                    9b:c6:e4:95:9e:a3:59:01:1b:d7:f6:f3:b2:3f:14:
+                    e0:2a:88:68:00:5a:29:00:9f:6a:5a:f8:b6:14:56:
+                    9b:5b:f6:2f:2a:ac:04:d3:e2:b7:1e:b0:92:b3:56:
+                    ce:34:75:19:76:50:fd:4e:51:53:d5:83:76:09:d5:
+                    24:54:de:7c:20:3e:60:2c:c8:4f:8d:6e:a7:50:71:
+                    ca:15:27:5e:fe:f2:f0:ca:a0:6a:c1:9e:03:f3:05:
+                    16:69:37:cf:84:60:8c:2b:10:53:af:bc:c9:0b:d3:
+                    78:c6:e6:3e:2e:48:a6:95:11:6e:78:ba:c3:61:3e:
+                    f3:40:09:6d:b4:f0:9f:f0:f4:02:8f:84:fc:5d:cf:
+                    c3:80:0b:22:0f:95:8a:7b:3e:d1:a1:b5:56:b6:9f:
+                    05:e0:99:1c:6d:a6:c9:9f:f8:82:aa:3e:27:02:bc:
+                    38:66:0f:20:07:cd:95:13:fe:d1:5a:99:e9:ff:b5:
+                    9a:d4:b4:d3:66:a1:ee:16:dd:f2:18:ae:d2:dc:0a:
+                    f4:54:b7:30:69:39:8b:c7:c3:77:9b:b3:1a:69:96:
+                    78:a5
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Key Usage: critical
+                Digital Signature, Key Encipherment
+            X509v3 Extended Key Usage: 
+                TLS Web Client Authentication, TLS Web Server Authentication
+            X509v3 Subject Key Identifier: 
+                B4:94:A3:B1:62:87:63:D7:7A:77:35:EA:52:FF:FA:49:2F:F3:76:71
+            X509v3 Authority Key Identifier: 
+                keyid:E8:B6:F6:76:4B:D0:3B:E5:46:A5:F9:54:D4:7E:07:B3:DE:0D:60:3E
+
+            Authority Information Access: 
+                OCSP - URI:http://ca.someca-inc.com/ocsp
+                CA Issuers - URI:http://ca.someca-inc.com/root
+
+            X509v3 Subject Alternative Name: 
+                DNS:example.org
+            X509v3 Certificate Policies: 
+                Policy: 2.23.140.1.2.2
+
+            X509v3 CRL Distribution Points: 
+
+                Full Name:
+                  URI:http://ca.someca-inc.com/crl
+
+    Signature Algorithm: sha256WithRSAEncryption
+         26:f1:47:a3:cc:f9:cf:c2:b6:83:c4:f5:1e:74:f5:46:f5:d8:
+         4a:75:e5:20:cd:f2:b1:3b:f7:b7:f7:39:ff:78:09:d4:bc:c8:
+         4a:2b:45:8a:08:95:67:b7:9c:ca:61:65:f6:22:62:78:bd:1b:
+         3d:6c:2a:2f:09:4d:f1:61:6a:d2:64:a1:59:87:c2:24:74:7f:
+         6c:ad:f1:da:53:a7:3c:6a:2c:88:78:00:88:aa:33:51:d1:08:
+         19:a4:7e:37:ee:85:a6:77:7d:15:83:a1:f8:b4:2f:26:fd:b4:
+         f4:d0:9b:7b:15:c0:ec:7a:20:ea:fb:49:ec:7c:32:86:38:51:
+         c6:6b:91:9a:c8:3a:a3:15:bc:0d:b2:ac:f7:b5:f6:9b:37:94:
+         4d:71:2b:5a:b8:63:98:87:de:3e:a3:9a:8a:a3:12:d2:8a:f0:
+         30:95:d1:33:09:99:67:e9:ec:a4:4f:19:ca:7f:f1:03:42:79:
+         3c:52:19:b1:41:ab:b6:72:5b:2a:66:50:2c:13:dc:49:c3:26:
+         39:7a:36:f0:1c:d2:3e:c1:43:da:bc:52:cc:4d:c6:bd:13:01:
+         7e:f9:bf:d1:e5:0e:04:c8:0a:68:93:cb:f5:41:26:d3:f3:a0:
+         c4:65:9f:8a:e7:28:b6:11:b8:2e:b3:6c:0f:41:81:5c:26:c4:
+         d8:0f:fc:91
+-----BEGIN CERTIFICATE-----
+MIIEeTCCA2GgAwIBAgIRAP875bSHxJl27NWmg+sQeAIwDQYJKoZIhvcNAQELBQAw
+QzELMAkGA1UEBhMCWFgxEDAOBgNVBAoTB1NvbWUgQ0ExIjAgBgNVBAMTGUZha2Ug
+Q0EgZm9yIHpsaW50IHRlc3RpbmcwHhcNMjQwNjE3MTI1ODQyWhcNMjUwNjE3MTI1
+ODQyWjB0MQswCQYDVQQGEwJFczEfMB0GA1UECBMWU29tZSBTdGF0ZSBvciBQcm92
+aW5jZTESMBAGA1UEBxMJU29tZXdoZXJlMRowGAYDVQQKExFTb21lIENvbXBhbnkg
+THRkLjEUMBIGA1UEAxMLZXhhbXBsZS5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IB
+DwAwggEKAoIBAQCppPn7ta6fYcV8r2ezrgZ9Dx5J+Mgc+lKLV123qKi8OfmJC/rk
+8YpFvCXmt5vG5JWeo1kBG9f287I/FOAqiGgAWikAn2pa+LYUVptb9i8qrATT4rce
+sJKzVs40dRl2UP1OUVPVg3YJ1SRU3nwgPmAsyE+NbqdQccoVJ17+8vDKoGrBngPz
+BRZpN8+EYIwrEFOvvMkL03jG5j4uSKaVEW54usNhPvNACW208J/w9AKPhPxdz8OA
+CyIPlYp7PtGhtVa2nwXgmRxtpsmf+IKqPicCvDhmDyAHzZUT/tFamen/tZrUtNNm
+oe4W3fIYrtLcCvRUtzBpOYvHw3ebsxpplnilAgMBAAGjggE1MIIBMTAOBgNVHQ8B
+Af8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMB0GA1UdDgQW
+BBS0lKOxYodj13p3NepS//pJL/N2cTAfBgNVHSMEGDAWgBTotvZ2S9A75Ual+VTU
+fgez3g1gPjBkBggrBgEFBQcBAQRYMFYwKQYIKwYBBQUHMAGGHWh0dHA6Ly9jYS5z
+b21lY2EtaW5jLmNvbS9vY3NwMCkGCCsGAQUFBzAChh1odHRwOi8vY2Euc29tZWNh
+LWluYy5jb20vcm9vdDAWBgNVHREEDzANggtleGFtcGxlLm9yZzATBgNVHSAEDDAK
+MAgGBmeBDAECAjAtBgNVHR8EJjAkMCKgIKAehhxodHRwOi8vY2Euc29tZWNhLWlu
+Yy5jb20vY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQAm8UejzPnPwraDxPUedPVG9dhK
+deUgzfKxO/e39zn/eAnUvMhKK0WKCJVnt5zKYWX2ImJ4vRs9bCovCU3xYWrSZKFZ
+h8IkdH9srfHaU6c8aiyIeACIqjNR0QgZpH437oWmd30Vg6H4tC8m/bT00Jt7FcDs
+eiDq+0nsfDKGOFHGa5GayDqjFbwNsqz3tfabN5RNcStauGOYh94+o5qKoxLSivAw
+ldEzCZln6eykTxnKf/EDQnk8UhmxQau2clsqZlAsE9xJwyY5ejbwHNI+wUPavFLM
+Tca9EwF++b/R5Q4EyApok8v1QSbT86DEZZ+K5yi2Ebgus2wPQYFcJsTYD/yR
+-----END CERTIFICATE-----