-
Notifications
You must be signed in to change notification settings - Fork 111
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add lints for S/MIME BR 7.1.2.3.b #779
Changes from all commits
ee42c94
3550653
be223b7
c5cfb81
6209bc2
a5abd1b
46e01a7
56e6648
e6f6974
6b152fe
fb6be25
5aa47f6
d8caca0
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,77 @@ | ||
/* | ||
* ZLint Copyright 2023 Regents of the University of Michigan | ||
* | ||
* Licensed under the Apache License, Version 2.0 (the "License"); you may not | ||
* use this file except in compliance with the License. You may obtain a copy | ||
* of the License at http://www.apache.org/licenses/LICENSE-2.0 | ||
* | ||
* Unless required by applicable law or agreed to in writing, software | ||
* distributed under the License is distributed on an "AS IS" BASIS, | ||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or | ||
* implied. See the License for the specific language governing | ||
* permissions and limitations under the License. | ||
*/ | ||
|
||
package cabf_smime_br | ||
|
||
import ( | ||
"net/url" | ||
|
||
"github.com/zmap/zcrypto/x509" | ||
"github.com/zmap/zlint/v3/lint" | ||
"github.com/zmap/zlint/v3/util" | ||
) | ||
|
||
func init() { | ||
lint.RegisterCertificateLint(&lint.CertificateLint{ | ||
LintMetadata: lint.LintMetadata{ | ||
Name: "e_subscribers_crl_distribution_points_are_http", | ||
Description: "cRLDistributionPoints SHALL have URI scheme HTTP.", | ||
Citation: "7.1.2.3.b", | ||
Source: lint.CABFSMIMEBaselineRequirements, | ||
EffectiveDate: util.CABF_SMIME_BRs_1_0_0_Date, | ||
}, | ||
Lint: NewSubscriberCrlDistributionPointsHTTP, | ||
}) | ||
} | ||
|
||
type subscriberCrlDistributionPointsHTTP struct{} | ||
|
||
func NewSubscriberCrlDistributionPointsHTTP() lint.LintInterface { | ||
return &subscriberCrlDistributionPointsHTTP{} | ||
} | ||
|
||
func (l *subscriberCrlDistributionPointsHTTP) CheckApplies(c *x509.Certificate) bool { | ||
return util.IsSubscriberCert(c) && util.IsSMIMEBRCertificate(c) | ||
} | ||
|
||
func (l *subscriberCrlDistributionPointsHTTP) Execute(c *x509.Certificate) *lint.LintResult { | ||
httpCount := 0 | ||
for _, dp := range c.CRLDistributionPoints { | ||
parsed, err := url.Parse(dp) | ||
if err != nil { | ||
return &lint.LintResult{ | ||
Status: lint.Error, | ||
Details: "SMIME certificate contains invalid CRL distribution point", | ||
} | ||
} | ||
if parsed.Scheme == "http" { | ||
httpCount++ | ||
} | ||
} | ||
|
||
if (util.IsMultipurposeSMIMECertificate(c) || util.IsStrictSMIMECertificate(c)) && httpCount != len(c.CRLDistributionPoints) { | ||
return &lint.LintResult{ | ||
Status: lint.Error, | ||
Details: "SMIME certificate contains invalid URI scheme in CRL distribution point", | ||
} | ||
} | ||
if util.IsLegacySMIMECertificate(c) && httpCount == 0 { | ||
return &lint.LintResult{ | ||
Status: lint.Error, | ||
Details: "SMIME certificate contains no HTTP URI schemes as CRL distribution points", | ||
} | ||
} | ||
|
||
return &lint.LintResult{Status: lint.Pass} | ||
} |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,58 @@ | ||
package cabf_smime_br | ||
|
||
import ( | ||
"testing" | ||
|
||
"github.com/zmap/zlint/v3/lint" | ||
"github.com/zmap/zlint/v3/test" | ||
) | ||
|
||
func TestSubscriberCrlDistributionPointsAreHTTP(t *testing.T) { | ||
testCases := []struct { | ||
Name string | ||
InputFilename string | ||
ExpectedResult lint.LintStatus | ||
ExpectedDetails string | ||
}{ | ||
{ | ||
Name: "pass - strict cert with only HTTP CRL distribution points", | ||
InputFilename: "smime/strict_subscriber_with_http_crl_distribution_point.pem", | ||
ExpectedResult: lint.Pass, | ||
}, | ||
{ | ||
Name: "error - strict cert with a non-HTTP CRL distribution point", | ||
InputFilename: "smime/strict_subscriber_with_non_http_crl_distribution_point.pem", | ||
ExpectedResult: lint.Error, | ||
ExpectedDetails: "SMIME certificate contains invalid URI scheme in CRL distribution point", | ||
}, | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Could you add an expected details check to ensure the lint is failing for the right reasons in your test cases? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Done. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Done. Thanks for the review. |
||
{ | ||
Name: "error - legacy cert with no HTTP CRL distribution points", | ||
InputFilename: "smime/legacy_subscriber_with_non_http_crl_distribution_point.pem", | ||
ExpectedResult: lint.Error, | ||
ExpectedDetails: "SMIME certificate contains no HTTP URI schemes as CRL distribution points", | ||
}, | ||
{ | ||
Name: "pass - legacy cert with HTTP and non-HTTP CRL distribution points", | ||
InputFilename: "smime/legacy_subscriber_with_mixed_crl_distribution_points.pem", | ||
ExpectedResult: lint.Pass, | ||
}, | ||
{ | ||
Name: "error - strict cert with HTTP and non-HTTP CRL distribution points", | ||
InputFilename: "smime/strict_subscriber_with_mixed_crl_distribution_points.pem", | ||
ExpectedResult: lint.Error, | ||
ExpectedDetails: "SMIME certificate contains invalid URI scheme in CRL distribution point", | ||
}, | ||
} | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Can you also add a test case for a legacy certificate with one http CRL distribution point and one non-HTTP distribution point? It wouldn't hurt to add a failing case on non-legacy with the same setup although it's not strictly required it would show that your lint is effectively covering it's multipurpose(s) There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I commented "Done" on your other comment twice when I meant to comment it on both comments (including this one). I'm still kinda new to GitHub. |
||
for _, tc := range testCases { | ||
t.Run(tc.Name, func(t *testing.T) { | ||
result := test.TestLint("e_subscribers_crl_distribution_points_are_http", tc.InputFilename) | ||
if result.Status != tc.ExpectedResult { | ||
t.Errorf("expected result %v was %v - details: %v", tc.ExpectedResult, result.Status, result.Details) | ||
} | ||
|
||
if tc.ExpectedDetails != "" && tc.ExpectedDetails != result.Details { | ||
t.Errorf("expected details: %s, was %s", tc.ExpectedDetails, result.Details) | ||
} | ||
}) | ||
} | ||
} |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,47 @@ | ||
Certificate: | ||
Data: | ||
Version: 3 (0x2) | ||
Serial Number: 3 (0x3) | ||
Signature Algorithm: ecdsa-with-SHA256 | ||
Issuer: | ||
Validity | ||
Not Before: Feb 13 19:15:27 2024 GMT | ||
Not After : Nov 30 00:00:00 9998 GMT | ||
Subject: | ||
Subject Public Key Info: | ||
Public Key Algorithm: id-ecPublicKey | ||
Public-Key: (256 bit) | ||
pub: | ||
04:df:e4:01:1a:7b:25:62:45:ce:af:1a:0c:f6:34: | ||
35:ca:c6:25:a8:7a:b2:de:2e:13:6c:8e:82:96:57: | ||
1e:7b:a4:ab:b4:42:4b:25:8a:ec:13:2b:77:67:96: | ||
fe:b4:c5:32:c4:e3:8f:9f:17:fd:3c:a4:e1:fb:2f: | ||
f4:f5:b7:fe:99 | ||
ASN1 OID: prime256v1 | ||
NIST CURVE: P-256 | ||
X509v3 extensions: | ||
X509v3 Extended Key Usage: | ||
E-mail Protection | ||
X509v3 Certificate Policies: | ||
Policy: 2.23.140.1.5.1.1 | ||
X509v3 CRL Distribution Points: | ||
Full Name: | ||
URI:ldap://example.com | ||
Full Name: | ||
URI:http://example.com | ||
Signature Algorithm: ecdsa-with-SHA256 | ||
Signature Value: | ||
30:45:02:21:00:e1:7e:f6:31:49:1b:5d:ca:70:cc:b4:a7:3a: | ||
50:57:21:1f:77:ee:d1:49:c1:06:51:1d:a3:ce:fd:30:47:a8: | ||
5d:02:20:51:b7:49:53:5f:4d:2e:87:d3:0d:c0:ea:51:64:0e: | ||
7c:46:e2:30:18:1a:ac:80:4a:2a:9f:2d:3b:0f:7f:a5:67 | ||
-----BEGIN CERTIFICATE----- | ||
MIIBXTCCAQOgAwIBAgIBAzAKBggqhkjOPQQDAjAAMCAXDTI0MDIxMzE5MTUyN1oY | ||
Dzk5OTgxMTMwMDAwMDAwWjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE3+QB | ||
GnslYkXOrxoM9jQ1ysYlqHqy3i4TbI6Cllcee6SrtEJLJYrsEyt3Z5b+tMUyxOOP | ||
nxf9PKTh+y/09bf+maNsMGowEwYDVR0lBAwwCgYIKwYBBQUHAwQwFAYDVR0gBA0w | ||
CzAJBgdngQwBBQEBMD0GA1UdHwQ2MDQwGKAWoBSGEmxkYXA6Ly9leGFtcGxlLmNv | ||
bTAYoBagFIYSaHR0cDovL2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDh | ||
fvYxSRtdynDMtKc6UFchH3fu0UnBBlEdo879MEeoXQIgUbdJU19NLofTDcDqUWQO | ||
fEbiMBgarIBKKp8tOw9/pWc= | ||
-----END CERTIFICATE----- |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,44 @@ | ||
Certificate: | ||
Data: | ||
Version: 3 (0x2) | ||
Serial Number: 3 (0x3) | ||
Signature Algorithm: ecdsa-with-SHA256 | ||
Issuer: | ||
Validity | ||
Not Before: Dec 19 17:22:50 2023 GMT | ||
Not After : Nov 30 00:00:00 9998 GMT | ||
Subject: | ||
Subject Public Key Info: | ||
Public Key Algorithm: id-ecPublicKey | ||
Public-Key: (256 bit) | ||
pub: | ||
04:4c:6f:d1:2b:55:07:e8:4c:93:9f:89:29:eb:c5: | ||
3f:e1:d5:61:14:43:39:5f:ac:f7:db:af:3c:68:37: | ||
ca:b4:94:d9:b6:06:da:d8:39:4e:d3:58:19:29:60: | ||
5a:32:f3:9e:20:df:2a:51:e8:c1:ca:1d:d0:be:c5: | ||
77:06:b5:09:6c | ||
ASN1 OID: prime256v1 | ||
NIST CURVE: P-256 | ||
X509v3 extensions: | ||
X509v3 Extended Key Usage: | ||
E-mail Protection | ||
X509v3 Certificate Policies: | ||
Policy: 2.23.140.1.5.1.1 | ||
X509v3 CRL Distribution Points: | ||
Full Name: | ||
URI:ldap://example.com | ||
Signature Algorithm: ecdsa-with-SHA256 | ||
Signature Value: | ||
30:44:02:20:37:8f:bc:61:b8:09:d3:bb:6e:c0:b6:ae:2a:64: | ||
1e:8e:02:60:dc:28:4a:74:88:bd:fb:a9:6f:e2:a8:3d:a1:b4: | ||
02:20:4e:db:12:05:79:b3:09:17:9b:66:b3:a3:d6:6b:45:52: | ||
7f:df:9b:58:93:36:13:1c:73:fb:78:95:4e:7f:ee:56 | ||
-----BEGIN CERTIFICATE----- | ||
MIIBQTCB6aADAgECAgEDMAoGCCqGSM49BAMCMAAwIBcNMjMxMjE5MTcyMjUwWhgP | ||
OTk5ODExMzAwMDAwMDBaMAAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARMb9Er | ||
VQfoTJOfiSnrxT/h1WEUQzlfrPfbrzxoN8q0lNm2BtrYOU7TWBkpYFoy854g3ypR | ||
6MHKHdC+xXcGtQlso1IwUDATBgNVHSUEDDAKBggrBgEFBQcDBDAUBgNVHSAEDTAL | ||
MAkGB2eBDAEFAQEwIwYDVR0fBBwwGjAYoBagFIYSbGRhcDovL2V4YW1wbGUuY29t | ||
MAoGCCqGSM49BAMCA0cAMEQCIDePvGG4CdO7bsC2ripkHo4CYNwoSnSIvfupb+Ko | ||
PaG0AiBO2xIFebMJF5tms6PWa0VSf9+bWJM2Exxz+3iVTn/uVg== | ||
-----END CERTIFICATE----- |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,44 @@ | ||
Certificate: | ||
Data: | ||
Version: 3 (0x2) | ||
Serial Number: 3 (0x3) | ||
Signature Algorithm: ecdsa-with-SHA256 | ||
Issuer: | ||
Validity | ||
Not Before: Dec 13 22:18:21 2023 GMT | ||
Not After : Nov 30 00:00:00 9998 GMT | ||
Subject: | ||
Subject Public Key Info: | ||
Public Key Algorithm: id-ecPublicKey | ||
Public-Key: (256 bit) | ||
pub: | ||
04:c8:dc:df:60:b9:e2:c3:90:c7:c6:03:32:04:e1: | ||
4a:de:08:08:24:4c:0c:97:ed:3a:31:0f:7b:ed:47: | ||
a0:a9:af:df:04:9d:eb:7c:df:64:87:ab:2d:f2:60: | ||
42:2d:65:3e:18:4d:cb:12:2e:fb:74:ef:7f:3b:ae: | ||
0a:e3:f3:56:d3 | ||
ASN1 OID: prime256v1 | ||
NIST CURVE: P-256 | ||
X509v3 extensions: | ||
X509v3 Extended Key Usage: | ||
E-mail Protection | ||
X509v3 Certificate Policies: | ||
Policy: 2.23.140.1.5.1.3 | ||
X509v3 CRL Distribution Points: | ||
Full Name: | ||
URI:http://example.com | ||
Signature Algorithm: ecdsa-with-SHA256 | ||
Signature Value: | ||
30:45:02:20:0c:0b:81:2d:9c:12:c2:86:59:1a:cd:1f:46:3c: | ||
b4:22:a0:91:0c:33:3f:ad:f4:4d:a7:64:34:d8:37:ab:53:eb: | ||
02:21:00:c7:d4:f1:98:29:55:db:fe:3e:21:1e:0e:db:58:57: | ||
c1:04:20:2f:d8:6f:53:74:05:ce:ec:f0:c4:63:0e:4d:09 | ||
-----BEGIN CERTIFICATE----- | ||
MIIBQjCB6aADAgECAgEDMAoGCCqGSM49BAMCMAAwIBcNMjMxMjEzMjIxODIxWhgP | ||
OTk5ODExMzAwMDAwMDBaMAAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATI3N9g | ||
ueLDkMfGAzIE4UreCAgkTAyX7ToxD3vtR6Cpr98Enet832SHqy3yYEItZT4YTcsS | ||
Lvt07387rgrj81bTo1IwUDATBgNVHSUEDDAKBggrBgEFBQcDBDAUBgNVHSAEDTAL | ||
MAkGB2eBDAEFAQMwIwYDVR0fBBwwGjAYoBagFIYSaHR0cDovL2V4YW1wbGUuY29t | ||
MAoGCCqGSM49BAMCA0gAMEUCIAwLgS2cEsKGWRrNH0Y8tCKgkQwzP630TadkNNg3 | ||
q1PrAiEAx9TxmClV2/4+IR4O21hXwQQgL9hvU3QFzuzwxGMOTQk= | ||
-----END CERTIFICATE----- |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,47 @@ | ||
Certificate: | ||
Data: | ||
Version: 3 (0x2) | ||
Serial Number: 3 (0x3) | ||
Signature Algorithm: ecdsa-with-SHA256 | ||
Issuer: | ||
Validity | ||
Not Before: Feb 13 19:20:31 2024 GMT | ||
Not After : Nov 30 00:00:00 9998 GMT | ||
Subject: | ||
Subject Public Key Info: | ||
Public Key Algorithm: id-ecPublicKey | ||
Public-Key: (256 bit) | ||
pub: | ||
04:7d:26:16:25:1e:57:16:05:f0:e2:95:77:56:b8: | ||
f6:66:c0:ba:1a:35:fd:6c:57:3d:07:16:c7:fc:44: | ||
67:32:41:b9:f6:1e:94:91:ad:37:90:28:34:45:70: | ||
32:c0:9e:64:e8:9a:14:55:41:ff:19:87:fb:43:0b: | ||
25:c2:8d:3d:f5 | ||
ASN1 OID: prime256v1 | ||
NIST CURVE: P-256 | ||
X509v3 extensions: | ||
X509v3 Extended Key Usage: | ||
E-mail Protection | ||
X509v3 Certificate Policies: | ||
Policy: 2.23.140.1.5.1.3 | ||
X509v3 CRL Distribution Points: | ||
Full Name: | ||
URI:ldap://example.com | ||
Full Name: | ||
URI:http://example.com | ||
Signature Algorithm: ecdsa-with-SHA256 | ||
Signature Value: | ||
30:45:02:21:00:eb:f3:1b:63:15:c8:38:41:05:24:c1:29:51: | ||
12:23:99:d6:aa:86:a2:5e:37:eb:48:13:8b:51:19:33:97:f4: | ||
c1:02:20:7b:02:fd:c7:4f:7d:ff:fd:1b:b2:7e:66:f8:b9:d5: | ||
e5:be:8b:18:8a:f2:3e:55:33:84:dd:cb:ae:19:ad:c8:c0 | ||
-----BEGIN CERTIFICATE----- | ||
MIIBXTCCAQOgAwIBAgIBAzAKBggqhkjOPQQDAjAAMCAXDTI0MDIxMzE5MjAzMVoY | ||
Dzk5OTgxMTMwMDAwMDAwWjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEfSYW | ||
JR5XFgXw4pV3Vrj2ZsC6GjX9bFc9BxbH/ERnMkG59h6Uka03kCg0RXAywJ5k6JoU | ||
VUH/GYf7Qwslwo099aNsMGowEwYDVR0lBAwwCgYIKwYBBQUHAwQwFAYDVR0gBA0w | ||
CzAJBgdngQwBBQEDMD0GA1UdHwQ2MDQwGKAWoBSGEmxkYXA6Ly9leGFtcGxlLmNv | ||
bTAYoBagFIYSaHR0cDovL2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDr | ||
8xtjFcg4QQUkwSlREiOZ1qqGol4360gTi1EZM5f0wQIgewL9x099//0bsn5m+LnV | ||
5b6LGIryPlUzhN3LrhmtyMA= | ||
-----END CERTIFICATE----- |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,44 @@ | ||
Certificate: | ||
Data: | ||
Version: 3 (0x2) | ||
Serial Number: 3 (0x3) | ||
Signature Algorithm: ecdsa-with-SHA256 | ||
Issuer: | ||
Validity | ||
Not Before: Dec 13 22:06:27 2023 GMT | ||
Not After : Nov 30 00:00:00 9998 GMT | ||
Subject: | ||
Subject Public Key Info: | ||
Public Key Algorithm: id-ecPublicKey | ||
Public-Key: (256 bit) | ||
pub: | ||
04:55:ab:f1:eb:ba:b6:de:14:c5:9f:02:33:86:2d: | ||
85:61:4a:b1:21:cf:3f:7e:95:37:fc:98:8d:21:a5: | ||
a5:26:df:51:f4:97:9d:ec:b5:d0:c4:2b:41:66:52: | ||
e0:a6:c4:a6:3f:0a:f3:fd:90:6a:2e:0a:b9:33:27: | ||
c2:56:df:ae:19 | ||
ASN1 OID: prime256v1 | ||
NIST CURVE: P-256 | ||
X509v3 extensions: | ||
X509v3 Extended Key Usage: | ||
E-mail Protection | ||
X509v3 Certificate Policies: | ||
Policy: 2.23.140.1.5.1.3 | ||
X509v3 CRL Distribution Points: | ||
Full Name: | ||
URI:ldap://example.com | ||
Signature Algorithm: ecdsa-with-SHA256 | ||
Signature Value: | ||
30:45:02:20:05:60:ca:c3:8c:12:a6:58:6f:d3:7f:e9:82:cc: | ||
38:ec:1e:dc:51:88:a1:45:f2:37:64:47:d4:96:1f:9c:1e:ef: | ||
02:21:00:93:d1:b3:6a:b5:32:69:e0:14:be:8f:70:d9:1c:54: | ||
7d:1a:cd:7f:5a:a5:d2:30:ad:a2:9c:fa:37:66:8a:31:61 | ||
-----BEGIN CERTIFICATE----- | ||
MIIBQjCB6aADAgECAgEDMAoGCCqGSM49BAMCMAAwIBcNMjMxMjEzMjIwNjI3WhgP | ||
OTk5ODExMzAwMDAwMDBaMAAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARVq/Hr | ||
urbeFMWfAjOGLYVhSrEhzz9+lTf8mI0hpaUm31H0l53stdDEK0FmUuCmxKY/CvP9 | ||
kGouCrkzJ8JW364Zo1IwUDATBgNVHSUEDDAKBggrBgEFBQcDBDAUBgNVHSAEDTAL | ||
MAkGB2eBDAEFAQMwIwYDVR0fBBwwGjAYoBagFIYSbGRhcDovL2V4YW1wbGUuY29t | ||
MAoGCCqGSM49BAMCA0gAMEUCIAVgysOMEqZYb9N/6YLMOOwe3FGIoUXyN2RH1JYf | ||
nB7vAiEAk9GzarUyaeAUvo9w2RxUfRrNf1ql0jCtopz6N2aKMWE= | ||
-----END CERTIFICATE----- |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This looks like it passes if a CRL distribution point is not present.
I realize this requirement doesn't perfectly match the lint name, but it is part of 7.1.2.3.b. Is the intention to follow this up with another PR that finishes 7.1.2.3.b?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is covered separately in #742.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The rest of 7.1.2.3.b is handled by #742.