Add lint to check that Root CA and TLS SubCA certificates do not contain the OU subject attribute (#864)

* Add files via upload

* Add files via upload

* Add files via upload

* Add files via upload

* Update lint_invalid_subject_rdn_order_test.go

Added //nolint:all to the comment block so that golangci-lint does not complain about duplicate words in the comment

* Update lint_invalid_subject_rdn_order.go

Fixed import block

* Update v3/lints/cabf_br/lint_invalid_subject_rdn_order.go

Fine to me.

Co-authored-by: Christopher Henderson <[email protected]>

* Update lint_invalid_subject_rdn_order.go

As per Chris Henderson's suggestion, to "improve readability".

* Update lint_invalid_subject_rdn_order_test.go

As per Chris Henderson's suggestion.

* Update time.go

Added CABFEV_Sec9_2_8_Date

* Add files via upload

* Add files via upload

* Revised according to Chris and Corey suggestions

* Add files via upload

* Add files via upload

* Delete v3/lints/cabf_br/lint_e_invalid_cps_uri.go

* Delete v3/lints/cabf_br/lint_e_invalid_cps_uri_test.go

* Delete v3/testdata/invalid_cps_uri_ko_01.pem

* Delete v3/testdata/invalid_cps_uri_ko_02.pem

* Delete v3/testdata/invalid_cps_uri_ko_03.pem

* Delete v3/testdata/invalid_cps_uri_ok_01.pem

* Delete v3/testdata/invalid_cps_uri_ok_02.pem

* Delete v3/testdata/invalid_cps_uri_ok_03.pem

* Add files via upload

* Add files via upload

* Update v3/lints/cabf_br/lint_subj_orgunit_in_ca_cert.go

Co-authored-by: Christopher Henderson <[email protected]>

* Update v3/lints/cabf_br/lint_subj_orgunit_in_ca_cert.go

Co-authored-by: Christopher Henderson <[email protected]>

---------

Co-authored-by: Christopher Henderson <[email protected]>
defacto64 and christopher-henderson authored Jul 14, 2024
1 parent 672100d commit 2440571
Showing 7 changed files with 860 additions and 0 deletions.
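--- /dev/null
+++ b/v3/lints/cabf_br/lint_subj_orgunit_in_ca_cert.go
@@ -0,0 +1,69 @@
+/*
+* ZLint Copyright 2024 Regents of the University of Michigan
+*
+* Licensed under the Apache License, Version 2.0 (the "License"); you may not
+* use this file except in compliance with the License. You may obtain a copy
+* of the License at http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+* implied. See the License for the specific language governing
+* permissions and limitations under the License.
+*/
+
+/*
+* Contributed by Adriano Santoni <[email protected]>
+*/
+
+package cabf_br
+
+import (
+"github.com/zmap/zcrypto/x509"
+"github.com/zmap/zlint/v3/lint"
+"github.com/zmap/zlint/v3/util"
+)
+
+func init() {
+lint.RegisterCertificateLint(&lint.CertificateLint{
+LintMetadata: lint.LintMetadata{
+Name: "e_subj_orgunit_in_ca_cert",
+Description: "The organizationalUnitName MUST NOT be included in Root CA certs or TLS Subordinate CA certs. organizationalUnitName is allowed for cross signed certificates, although not recommended. This lint may be configured to signify that the target is a cross signed certificate.",
+Citation: "CABF BR §7.1.2.10.2 (CA Certificate Naming)",
+Source: lint.CABFBaselineRequirements,
+EffectiveDate: util.CABFBRs_2_0_0_Date,
+},
+Lint: NewSubjectOrgUnitInCACert,
+})
+}
+
+type subjectOrgUnitInCACert struct {
+CrossCert bool `comment:"Set this to true if the certificate to be linted is a cross-certificate"`
+}
+
+func NewSubjectOrgUnitInCACert() lint.LintInterface {
+return &subjectOrgUnitInCACert{
+CrossCert: false,
+}
+}
+
+func (l *subjectOrgUnitInCACert) Configure() interface{} {
+return l
+}
+
+func (l *subjectOrgUnitInCACert) CheckApplies(c *x509.Certificate) bool {
+return util.IsCACert(c)
+}
+
+func (l *subjectOrgUnitInCACert) Execute(c *x509.Certificate) *lint.LintResult {
+if c.Subject.OrganizationalUnit != nil {
+if !l.CrossCert {
+return &lint.LintResult{
+Status: lint.Error,
+Details: "The OU attribute in the Subject is prohibited in Root and TLS CA certificates",
+}
+}
+}
+
+return &lint.LintResult{Status: lint.Pass}
+}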
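Review bot: With `CrossCert = true`, Execute returns a bare Pass for a certificate that does carry an OU (the `!l.CrossCert` guard), even though the lint's own Description says the attribute is "allowed for cross signed certificates, although not recommended" — so the not-recommended case leaves no trace in the output. If the project's conventions allow an `e_` lint to emit a lower severity, returning `lint.Warn` with a Details string in that branch would carry the cited requirement through to the operator; otherwise a comment stating that the Pass is deliberate would help the next reader. Separately, the `!= nil` test on `c.Subject.OrganizationalUnit` treats an empty non-nil slice as a violation, while `len(...) > 0` states the intent directly. Note also that CheckApplies scopes on `util.IsCACert` alone, so non-TLS subordinate CAs are in scope even though the Details message names only Root and TLS CA certificates — presumably intended per §7.1.2.10.2, but worth a one-line comment on CheckApplies.
```go
func (l *subjectOrgUnitInCACert) Execute(c *x509.Certificate) *lint.LintResult {
	if len(c.Subject.OrganizationalUnit) == 0 {
		return &lint.LintResult{Status: lint.Pass}
	}
	if l.CrossCert {
		// Per the lint description, OU is permitted but not recommended in cross-certificates.
		return &lint.LintResult{
			Status:  lint.Warn,
			Details: "The OU attribute in the Subject is not recommended in cross-certificates",
		}
	}
	return &lint.LintResult{
		Status:  lint.Error,
		Details: "The OU attribute in the Subject is prohibited in Root and TLS CA certificates",
	}
}
```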
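--- /dev/null
+++ b/v3/lints/cabf_br/lint_subj_orgunit_in_ca_cert_test.go
@@ -0,0 +1,82 @@
+/*
+* ZLint Copyright 2024 Regents of the University of Michigan
+*
+* Licensed under the Apache License, Version 2.0 (the "License"); you may not
+* use this file except in compliance with the License. You may obtain a copy
+* of the License at http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+* implied. See the License for the specific language governing
+* permissions and limitations under the License.
+*/
+
+/*
+* Test cases:
+*
+* Input file Config Want Description
+* ========== ====== ==== ===========
+* orgunit_in_ca_ok1.pem (none) NA Subscriber cert with OU, issued before effective date
+* orgunit_in_ca_ok4.pem (none) NA Non-TLS CA cert with OU, issued before effective date
+* orgunit_in_ca_ok2.pem (none) Pass TLS CA cert without OU
+* orgunit_in_ca_ok3.pem (none) NE TLS CA cert with OU, issued before effective date
+* orgunit_in_ca_ko1.pem (none) Error TLS CA cert with OU, issued after effective date
+* orgunit_in_ca_ko1.pem CrossCert Pass TLS CA cert with OU, issued after effective date
+*/
+
+package cabf_br
+
+import (
+"testing"
+
+"github.com/zmap/zlint/v3/lint"
+"github.com/zmap/zlint/v3/test"
+)
+
+func TestSubjectOrgUnitInCACert(t *testing.T) {
+type Data struct {
+input string
+config string
+want lint.LintStatus
+}
+data := []Data{
+{
+input: "orgunit_in_ca_ok1.pem",
+want: lint.NA,
+},
+{
+input: "orgunit_in_ca_ok2.pem",
+want: lint.Pass,
+},
+{
+input: "orgunit_in_ca_ok3.pem",
+want: lint.NE,
+},
+{
+input: "orgunit_in_ca_ok4.pem",
+want: lint.NA,
+},
+{
+input: "orgunit_in_ca_ko1.pem",
+want: lint.Error,
+},
+{
+input: "orgunit_in_ca_ko1.pem",
+config: `
+[e_subj_orgunit_in_ca_cert]
+CrossCert = true
+`,
+want: lint.Pass,
+},
+}
+for _, testData := range data {
+testData := testData
+t.Run(testData.input, func(t *testing.T) {
+out := test.TestLintWithConfig("e_subj_orgunit_in_ca_cert", testData.input, testData.config)
+if out.Status != testData.want {
+t.Errorf("expected %s, got %s", testData.want, out.Status)
+}
+})
+}
+}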
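Review bot: The expectation table says `orgunit_in_ca_ok4.pem`, described as a non-TLS CA cert issued before the effective date, yields NA, but the lint added in this commit scopes only on `util.IsCACert` in CheckApplies, so a certificate it recognises as a CA cert should reach the effective-date check and come back NE like `ok3`; the NA must therefore stem from how that fixture is encoded rather than from it being non-TLS, and the row reads as if the lint distinguished TLS from non-TLS CAs. A comment on that case naming the actual reason would prevent a future reader from drawing the wrong conclusion, e.g. `// NA: fixture is not recognised as a CA cert by util.IsCACert — TODO confirm against the PEM`. Since no post-effective-date non-TLS CA fixture exists, the intended behaviour for that class of certificate is currently unpinned; adding one (expecting Error or Pass, whichever is intended) would settle it. Finally, the Error case only compares `out.Status`; asserting `out.Details` as well would catch a regression in the reported message.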
140 changes: 140 additions & 0 deletions v3/testdata/orgunit_in_ca_ko1.pem
@@ -0,0 +1,140 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
09:93:40:5a:5f:fb:60:58:3a:40:02:66:f3:2b:86:6a
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = XX, O = Some CA, CN = Fake Root CA for zlint testing
Validity
Not Before: Nov 19 00:00:00 2023 GMT
Not After : Nov 17 00:00:00 2028 GMT
Subject: C = XX, ST = Some State, L = Some Locality, O = Some CA, OU = Some Department, CN = Fake CA for zlint testing
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (4096 bit)
Modulus:
00:a6:64:24:58:93:e6:28:0f:bd:31:90:f6:6e:7d:
a2:43:8c:3a:87:d6:aa:72:e6:7c:83:99:e7:43:10:
70:2b:8b:cf:86:6b:c4:56:bd:d9:67:b0:49:c6:b9:
ee:ef:b6:32:c2:b4:4c:ea:dc:7e:40:05:72:3b:21:
95:a2:56:fc:27:4b:c6:c2:83:1b:16:c3:a4:06:45:
2a:af:54:80:9c:68:01:71:90:06:dd:91:ba:07:97:
b5:c9:7e:c7:73:a8:1c:02:d4:bb:1f:8a:b6:69:2d:
c9:b5:57:b1:48:5a:79:45:85:ad:80:38:5b:e1:67:
0e:a8:b2:64:97:64:c1:19:4c:9c:a1:31:58:4b:43:
81:5e:19:9a:ec:2a:17:fb:48:24:a0:d1:2e:34:d6:
5c:77:f9:33:6c:f2:84:11:72:be:24:c1:e2:ca:86:
90:41:cd:93:7c:73:c2:9a:cd:56:a1:72:1a:e5:39:
5d:74:3d:3a:76:b9:d0:c3:9b:ea:31:4c:e5:38:80:
45:8f:e3:d2:03:8d:5e:20:7d:d2:5a:2d:d6:35:6e:
bd:f1:46:f6:60:d3:00:76:53:c0:9f:01:d4:01:f7:
e0:13:eb:90:4c:d9:bf:9b:e0:8f:3c:f3:0e:04:b8:
9c:af:6f:49:4b:8e:84:06:08:af:cb:b0:21:32:fc:
c3:95:1c:71:d9:ef:09:fd:04:31:71:88:3c:b6:f6:
3e:7b:63:e5:21:9b:0f:00:da:05:fc:37:c6:ba:e4:
e6:c5:93:11:0e:29:f5:6f:a6:c9:e6:29:3a:9f:c0:
e4:f6:04:f3:a2:a8:07:d5:59:4b:b8:45:24:9c:c0:
9a:dc:48:e1:93:17:03:d0:57:b1:b4:c8:36:5b:f5:
98:66:9b:87:1b:3b:c4:74:b7:85:0a:80:ef:ad:ff:
48:aa:31:b8:ca:a4:f1:7c:92:a1:6f:c4:e1:55:ca:
6b:de:f9:7b:e7:2a:84:b7:57:f7:3f:de:80:96:2a:
ef:7e:9f:53:bd:53:a9:dd:86:83:cf:25:b6:7a:7b:
9d:e3:22:7a:12:ac:a1:8e:aa:64:86:ba:e7:ce:85:
bd:d3:f4:b1:d5:fe:aa:ed:b3:c3:84:09:c5:58:ed:
ff:a3:e3:8b:54:09:9e:ae:95:af:aa:19:1f:9c:ba:
2d:f6:73:20:5c:1d:49:cc:14:4e:50:75:69:8b:a9:
11:a5:a0:39:0d:f3:a4:12:6c:66:1f:a3:40:84:66:
cf:50:db:57:f1:fd:15:e8:94:1d:7b:44:67:48:1f:
37:1d:76:a6:8e:75:af:de:94:84:9f:0a:a6:a3:d8:
0b:1d:ce:c1:f7:6e:0f:f8:31:ec:65:7e:83:1b:62:
c3:37:69
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Subject Key Identifier:
35:70:F6:A7:CE:CA:05:79:F3:0E:20:12:00:07:EB:B3:58:06:5A:BD
X509v3 Authority Key Identifier:
keyid:E8:B6:F6:76:4B:D0:3B:E5:46:A5:F9:54:D4:7E:07:B3:DE:0D:60:3E

Authority Information Access:
OCSP - URI:http://ca.someca-inc.com/ocsp
CA Issuers - URI:http://ca.someca-inc.com/root

X509v3 Certificate Policies:
Policy: X509v3 Any Policy

X509v3 CRL Distribution Points:

Full Name:
URI:http://ca.someca-inc.com/crl

Signature Algorithm: sha256WithRSAEncryption
5f:ae:77:aa:9f:41:b1:e4:9d:56:ea:1b:1e:22:0f:d3:f3:61:
e7:71:4a:06:1b:bf:bb:41:8d:cf:ad:c9:26:42:b3:c7:8d:08:
6b:2c:84:0b:18:6a:da:ba:0d:12:bc:fe:34:8a:8d:3e:de:7c:
a5:15:ca:8b:89:05:97:3a:77:01:ea:60:19:9d:72:db:74:1d:
81:e8:8d:3d:35:ae:5d:04:bc:9f:c9:df:5c:7f:9d:f4:51:e1:
f1:37:cd:f0:c7:ed:cf:8f:a2:af:48:ec:3e:b1:1c:86:88:4b:
bf:30:21:b4:ca:99:b3:28:31:39:41:10:b8:09:96:60:fb:12:
8d:fb:9d:cb:37:ed:52:d9:ad:2c:47:0a:89:06:cf:2a:d5:2b:
3f:bc:b5:c6:5e:90:fd:d9:92:1b:db:2b:62:37:08:ed:f8:39:
73:28:55:e7:7b:f1:e4:1d:29:4e:37:86:40:17:9b:67:43:ed:
04:91:58:f4:53:89:c0:67:c9:4a:51:a5:10:a8:e5:27:91:5b:
07:a6:c5:df:d0:2a:34:bd:6d:00:f5:95:5e:a6:21:99:30:8c:
a7:54:d1:7b:b7:40:aa:7e:be:45:b2:a7:46:03:d1:56:17:2b:
6d:73:1f:f7:20:39:9b:25:5d:0f:5c:be:13:d3:90:59:5c:fb:
61:86:b4:85:59:ca:5e:55:a8:73:38:3e:39:c9:a3:5c:c0:02:
61:af:65:37:4e:6e:85:e1:58:01:1e:da:30:80:80:38:ac:91:
f0:1d:2c:df:8a:98:1f:b5:9e:c4:b2:3e:e4:df:fb:d6:84:7d:
65:87:40:ae:38:6b:af:1b:fb:88:b8:51:d1:f5:8b:38:ac:6a:
cd:30:c7:11:95:b0:e4:75:ee:9a:2a:19:70:3a:49:8f:fb:04:
79:8a:14:52:81:b0:7c:58:21:a4:50:b6:be:de:23:46:f5:b4:
72:2a:04:a5:02:5b:04:d3:a7:c1:f9:9b:b5:a7:0b:14:28:73:
a5:3f:12:d4:bd:6c:30:a2:8e:d2:bf:74:03:6d:e4:f7:7d:38:
c9:07:51:8c:c5:9d:a9:d6:c4:00:b2:67:42:dd:83:ef:87:f2:
a7:a2:57:e5:a3:9f:00:ae:41:b5:1f:a4:db:91:55:aa:3f:62:
83:9d:27:ca:58:57:dd:09:c5:ff:6d:d0:be:8e:bb:4a:77:20:
80:03:11:86:e5:7c:ee:d7:a3:3e:0b:ca:e5:73:34:b9:46:40:
91:64:a5:8b:00:9f:a3:45:f0:79:b1:d1:f4:d6:2e:ee:1d:5c:
e4:2c:ba:20:b1:07:7f:b3:c7:6a:20:a6:75:86:ad:a9:75:34:
f6:20:bf:ea:1b:ff:82:50
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
