Merge branch 'master' into mattm-EVGs-9_7

.github/workflows/release.yml

@@ -23,7 +23,7 @@ jobs:
         uses: goreleaser/goreleaser-action@v2
         with:
           version: latest
-          args: release --rm-dist
+          args: release --clean
           workdir: v3
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

v3/cmd/genTestCerts/go.mod

@@ -11,7 +11,7 @@ require (
 
 require (
 	github.com/weppos/publicsuffix-go v0.30.0 // indirect
-	golang.org/x/crypto v0.17.0 // indirect
-	golang.org/x/net v0.17.0 // indirect
+	golang.org/x/crypto v0.21.0 // indirect
+	golang.org/x/net v0.23.0 // indirect
 	golang.org/x/text v0.14.0 // indirect
 )

v3/cmd/genTestCerts/go.sum

@@ -48,8 +48,9 @@ golang.org/x/crypto v0.0.0-20201208171446-5f87f3452ae9/go.mod h1:jdWPYTVW3xRLrWP
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.7.0/go.mod h1:pYwdfH91IfpZVANVyUOhSIPZaFoJGxTFbZhFTx+dXZU=
 golang.org/x/crypto v0.14.0/go.mod h1:MVFd36DqK4CsrnJYDkBA3VC4m2GkXAM0PvzMCn4JQf4=
-golang.org/x/crypto v0.17.0 h1:r8bRNjWL3GshPW3gkd+RpvzWrZAwPS49OmTGZ/uhM4k=
 golang.org/x/crypto v0.17.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4=
+golang.org/x/crypto v0.21.0 h1:X31++rzVUdKhX5sWmSOFZxx8UW/ldWx55cbf08iNAMA=
+golang.org/x/crypto v0.21.0/go.mod h1:0BP7YvVV9gBbVKyeTG0Gyn+gZm94bibOW5BjDEYAOMs=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
 golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
@@ -63,8 +64,9 @@ golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc=
 golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
-golang.org/x/net v0.17.0 h1:pVaXccu2ozPjCXewfr1S7xza/zcXTity9cCdXQYSjIM=
 golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE=
+golang.org/x/net v0.23.0 h1:7EYJ93RZ9vYSZAIb2x3lnuvqO5zneoD6IvWjuhfxjTs=
+golang.org/x/net v0.23.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=

v3/go.mod

@@ -7,12 +7,12 @@ require (
 	github.com/pelletier/go-toml v1.9.3
 	github.com/sirupsen/logrus v1.9.0
 	github.com/zmap/zcrypto v0.0.0-20230310154051-c8b263fd8300
-	golang.org/x/crypto v0.17.0
-	golang.org/x/net v0.17.0
+	golang.org/x/crypto v0.21.0
+	golang.org/x/net v0.23.0
 	golang.org/x/text v0.14.0
 )
 
 require (
 	github.com/weppos/publicsuffix-go v0.30.0 // indirect
-	golang.org/x/sys v0.15.0 // indirect
+	golang.org/x/sys v0.18.0 // indirect
 )

v3/go.sum

@@ -51,8 +51,8 @@ golang.org/x/crypto v0.0.0-20201124201722-c8d3bf9c5392/go.mod h1:jdWPYTVW3xRLrWP
 golang.org/x/crypto v0.0.0-20201208171446-5f87f3452ae9/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.7.0/go.mod h1:pYwdfH91IfpZVANVyUOhSIPZaFoJGxTFbZhFTx+dXZU=
-golang.org/x/crypto v0.17.0 h1:r8bRNjWL3GshPW3gkd+RpvzWrZAwPS49OmTGZ/uhM4k=
-golang.org/x/crypto v0.17.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4=
+golang.org/x/crypto v0.21.0 h1:X31++rzVUdKhX5sWmSOFZxx8UW/ldWx55cbf08iNAMA=
+golang.org/x/crypto v0.21.0/go.mod h1:0BP7YvVV9gBbVKyeTG0Gyn+gZm94bibOW5BjDEYAOMs=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
 golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
@@ -65,8 +65,8 @@ golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug
 golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc=
-golang.org/x/net v0.17.0 h1:pVaXccu2ozPjCXewfr1S7xza/zcXTity9cCdXQYSjIM=
-golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE=
+golang.org/x/net v0.23.0 h1:7EYJ93RZ9vYSZAIb2x3lnuvqO5zneoD6IvWjuhfxjTs=
+golang.org/x/net v0.23.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -83,8 +83,8 @@ golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.15.0 h1:h48lPFYpsTvQJZF4EKyI4aLHaev3CxivZmv7yZig9pc=
-golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.18.0 h1:DBdB3niSjOA/O0blCZBqDefyWNYveAYMNF1Wum0DYQ4=
+golang.org/x/sys v0.18.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=

v3/integration/config.json

@@ -345,7 +345,7 @@
       "ErrCount": 1
     },
     "e_ca_key_usage_missing": {
-      "ErrCount": 13
+      "ErrCount": 9
     },
     "e_ca_key_usage_not_critical": {
       "ErrCount": 40
@@ -383,7 +383,7 @@
     "e_cert_unique_identifier_version_not_2_or_3": {},
     "e_distribution_point_incomplete": {},
     "e_dnsname_bad_character_in_label": {
-      "ErrCount": 55927
+      "ErrCount": 55930
     },
     "e_dnsname_contains_bare_iana_suffix": {
       "ErrCount": 8
@@ -400,7 +400,7 @@
       "ErrCount": 17
     },
     "e_dnsname_not_valid_tld": {
-      "ErrCount": 86371
+      "ErrCount": 86374
     },
     "e_dnsname_underscore_in_sld": {
       "ErrCount": 5
@@ -426,6 +426,9 @@
       "ErrCount": 2
     },
     "e_ev_country_name_missing": {},
+    "e_ev_invalid_business_category": {
+      "ErrCount": 10957
+    },
     "e_ev_not_wildcard": {
       "ErrCount": 1
     },
@@ -491,7 +494,7 @@
       "ErrCount": 2
     },
     "e_ext_san_missing": {
-      "ErrCount": 52385
+      "ErrCount": 52388
     },
     "e_ext_san_no_entries": {
       "ErrCount": 3
@@ -576,7 +579,7 @@
       "ErrCount": 370
     },
     "e_ocsp_id_pkix_ocsp_nocheck_ext_not_included_server_auth": {
-      "ErrCount": 93
+      "ErrCount": 95
     },
     "e_old_root_ca_rsa_mod_less_than_2048_bits": {
       "ErrCount": 1
@@ -677,7 +680,7 @@
       "ErrCount": 292
     },
     "e_sub_ca_certificate_policies_missing": {
-      "ErrCount": 59
+      "ErrCount": 50
     },
     "e_sub_ca_crl_distribution_points_does_not_contain_url": {
       "ErrCount": 2
@@ -711,7 +714,7 @@
       "ErrCount": 81098
     },
     "e_sub_cert_eku_server_auth_client_auth_missing": {
-      "ErrCount": 4934
+      "ErrCount": 4943
     },
     "e_sub_cert_given_name_surname_contains_correct_policy": {
       "ErrCount": 1793
@@ -751,7 +754,7 @@
       "ErrCount": 2
     },
     "e_subject_common_name_not_from_san": {
-      "ErrCount": 94976
+      "ErrCount": 94978
     },
     "e_subject_contains_noninformational_value": {
       "ErrCount": 338
@@ -817,8 +820,11 @@
       "ErrCount": 23
     },
     "e_cab_dv_subject_invalid_values": {},
+    "e_aia_must_contain_permitted_access_method": {},
+    "e_aia_ocsp_must_have_http_only": {},
+    "e_aia_unique_access_locations": {},
     "n_ca_digital_signature_not_set": {
-      "NoticeCount": 1409
+      "NoticeCount": 1405
     },
     "n_contains_redacted_dnsname": {
       "NoticeCount": 464
@@ -845,10 +851,10 @@
       "NoticeCount": 1415
     },
     "n_sub_ca_eku_not_technically_constrained": {
-      "NoticeCount": 10
+      "NoticeCount": 2
     },
     "n_subject_common_name_included": {
-      "NoticeCount": 712639
+      "NoticeCount": 712865
     },
     "w_ct_sct_policy_count_unsatisfied": {
       "NoticeCount": 5003
@@ -925,27 +931,27 @@
     "w_san_should_not_be_critical": {},
     "w_smime_aia_contains_internal_names": {},
     "w_sub_ca_aia_does_not_contain_issuing_ca_url": {
-      "WarnCount": 990
+      "WarnCount": 989
     },
     "w_sub_ca_aia_missing": {
       "WarnCount": 4
     },
     "w_sub_ca_certificate_policies_marked_critical": {},
     "w_sub_ca_eku_critical": {
-      "WarnCount": 9
+      "WarnCount": 0
     },
     "w_sub_ca_name_constraints_not_critical": {
-      "WarnCount": 115
+      "WarnCount": 116
     },
     "w_sub_cert_aia_contains_internal_names": {
       "WarnCount": 210
     },
     "w_sub_cert_aia_does_not_contain_issuing_ca_url": {
-      "WarnCount": 48465
+      "WarnCount": 48469
     },
     "w_sub_cert_certificate_policies_marked_critical": {},
     "w_sub_cert_eku_extra_values": {
-      "WarnCount": 25405
+      "WarnCount": 25412
     },
     "w_sub_cert_sha1_expiration_too_long": {
       "WarnCount": 11058
@@ -964,6 +970,12 @@
     "w_subject_surname_recommended_max_length": {},
     "w_tls_server_cert_valid_time_longer_than_397_days": {
       "WarnCount": 223
+    },
+    "e_ca_invalid_eku": {
+        "ErrCount": 1
+    },
+    "e_subj_country_not_uppercase": {
+        "ErrCount": 1303
     }
   }
-}
+}

v3/integration/small.config.json

@@ -329,6 +329,9 @@
     "n_ca_digital_signature_not_set": {
       "NoticeCount": 29
     },
+    "e_aia_must_contain_permitted_access_method": {},
+    "e_aia_ocsp_must_have_http_only": {},
+    "e_aia_unique_access_locations": {},
     "n_contains_redacted_dnsname": {
       "NoticeCount": 8
     },
@@ -349,7 +352,7 @@
     },
     "n_sub_ca_eku_not_technically_constrained": {},
     "n_subject_common_name_included": {
-      "NoticeCount": 19776
+      "NoticeCount": 19785
     },
     "w_ct_sct_policy_count_unsatisfied": {
       "NoticeCount": 176

v3/lint/base.go

@@ -221,7 +221,7 @@ func (l *CertificateLint) Execute(cert *x509.Certificate, config Configuration)
 	if l.Source == CABFBaselineRequirements && !util.IsServerAuthCert(cert) {
 		return &LintResult{Status: NA}
 	}
-	if l.Source == CABFSMIMEBaselineRequirements && !((util.IsEmailProtectionCert(cert) && util.HasEmailSAN(cert)) || util.IsSMIMEBRCertificate(cert)) {
+	if l.Source == CABFSMIMEBaselineRequirements && !util.IsEmailProtectionCert(cert) {
 		return &LintResult{Status: NA}
 	}
 	lint := l.Lint()

v3/lint/registration_test.go

@@ -131,6 +131,17 @@ func TestRegister(t *testing.T) {
 			expectNames:   []string{"goodLint", egLint.Name},
 			expectSources: SourceList{egLint.Source, MozillaRootStorePolicy},
 		},
+		{
+			name: "new lint source category",
+			lint: &Lint{
+				Name:   "sct",
+				Lint:   func() LintInterface { return &mockLint{} },
+				Source: RFC6962,
+			},
+			registry:      dupeReg,
+			expectNames:   []string{"goodLint", egLint.Name, "sct"},
+			expectSources: SourceList{egLint.Source, MozillaRootStorePolicy, RFC6962},
+		},
 	}
 
 	for _, tc := range testCases {

v3/lint/source.go

@@ -32,6 +32,7 @@ const (
 	RFC5280                       LintSource = "RFC5280"
 	RFC5480                       LintSource = "RFC5480"
 	RFC5891                       LintSource = "RFC5891"
+	RFC6962                       LintSource = "RFC6962"
 	RFC8813                       LintSource = "RFC8813"
 	CABFBaselineRequirements      LintSource = "CABF_BR"
 	CABFSMIMEBaselineRequirements LintSource = "CABF_SMIME_BR"
@@ -51,7 +52,7 @@ func (s *LintSource) UnmarshalJSON(data []byte) error {
 	}
 
 	switch LintSource(throwAway) {
-	case RFC5280, RFC5480, RFC5891, CABFBaselineRequirements, CABFEVGuidelines, CABFSMIMEBaselineRequirements, MozillaRootStorePolicy, AppleRootStorePolicy, Community, EtsiEsi:
+	case RFC5280, RFC5480, RFC5891, CABFBaselineRequirements, CABFEVGuidelines, CABFSMIMEBaselineRequirements, MozillaRootStorePolicy, AppleRootStorePolicy, Community, EtsiEsi, RFC6962:
 		*s = LintSource(throwAway)
 		return nil
 	default:
@@ -87,6 +88,8 @@ func (s *LintSource) FromString(src string) {
 		*s = AppleRootStorePolicy
 	case Community:
 		*s = Community
+	case RFC6962:
+		*s = RFC6962
 	case EtsiEsi:
 		*s = EtsiEsi
 	}

v3/lints/cabf_br/lint_aia_ca_issuers_must_have_http_only.go

@@ -0,0 +1,78 @@
+package cabf_br
+
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+import (
+	"fmt"
+	"net/url"
+
+	"github.com/zmap/zcrypto/x509"
+	"github.com/zmap/zlint/v3/lint"
+	"github.com/zmap/zlint/v3/util"
+)
+
+type bRAIACAIssuersHasHTTPOnly struct{}
+
+/************************************************************************
+7.1.2.7.7 Subscriber Certificate Authority Information Access
+The AuthorityInfoAccessSyntax MUST contain one or more AccessDescriptions. Each
+AccessDescription MUST only contain a permitted accessMethod, as detailed below, and
+each accessLocation MUST be encoded as the specified GeneralName type.
+The AuthorityInfoAccessSyntax MAY contain multiple AccessDescriptions with the
+same accessMethod, if permitted for that accessMethod. When multiple
+AccessDescriptions are present with the same accessMethod, each accessLocation
+MUST be unique, and each AccessDescription MUST be ordered in priority for that
+accessMethod, with the most‐preferred accessLocation being the first
+AccessDescription. No ordering requirements are given for AccessDescriptions that
+contain different accessMethods, provided that previous requirement is satisfied.
+
+id-ad-caIssuers
+1.3.6.1.5.5.7.48.2 uniformResourceIdentifier SHOULD  A HTTP URL of the
+Issuing CA’s certificate
+*************************************************************************/
+
+func init() {
+	lint.RegisterCertificateLint(&lint.CertificateLint{
+		LintMetadata: lint.LintMetadata{
+			Name:          "e_aia_ca_issuers_must_have_http_only",
+			Description:   "The id-ad-caIssuers accessMethod must contain an HTTP URL of the Issuing CA’s certificate. Other schemes are not allowed.",
+			Citation:      "BRs: 7.1.2.7.7",
+			Source:        lint.CABFBaselineRequirements,
+			EffectiveDate: util.SC62EffectiveDate,
+		},
+		Lint: NewBRAIACAIssuersHasHTTPOnly,
+	})
+}
+
+func NewBRAIACAIssuersHasHTTPOnly() lint.LintInterface {
+	return &bRAIACAIssuersHasHTTPOnly{}
+}
+
+func (l *bRAIACAIssuersHasHTTPOnly) CheckApplies(c *x509.Certificate) bool {
+	return len(c.IssuingCertificateURL) > 0 && util.IsSubscriberCert(c)
+}
+
+func (l *bRAIACAIssuersHasHTTPOnly) Execute(c *x509.Certificate) *lint.LintResult {
+	for _, u := range c.IssuingCertificateURL {
+		purl, err := url.Parse(u)
+		if err != nil {
+			return &lint.LintResult{Status: lint.Error, Details: "Could not parse caIssuers in AIA."}
+		}
+		if purl.Scheme != "http" {
+			return &lint.LintResult{Status: lint.Error, Details: fmt.Sprintf("Found scheme %s in caIssuers of AIA, which is not allowed.", purl.Scheme)}
+		}
+	}
+	return &lint.LintResult{Status: lint.Pass}
+}