address smime lint applicability issue. regenerate test certificates …
…to fix unit tests broken by change (#764)

Co-authored-by: Christopher Henderson <chris@chenderson.org>
robplee and christopher-henderson committed Nov 12, 2023
1 parent e8c0c24 commit 43b6954
Showing 6 changed files with 79 additions and 53 deletions.
2 changes: 1 addition & 1 deletion v3/lint/base.go
Expand Up @@ -221,7 +221,7 @@ func (l *CertificateLint) Execute(cert *x509.Certificate, config Configuration)
if l.Source == CABFBaselineRequirements && !util.IsServerAuthCert(cert) {
return &LintResult{Status: NA}
}
if l.Source == CABFSMIMEBaselineRequirements && !util.IsEmailProtectionCert(cert) {
if l.Source == CABFSMIMEBaselineRequirements && !((util.IsEmailProtectionCert(cert) && util.HasEmailSAN(cert)) || util.IsSMIMEBRCertificate(cert)) {
return &LintResult{Status: NA}
}
lint := l.Lint()
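Review bot: The S/MIME applicability rule on the changed line is a nested three-term boolean inlined into Execute, whereas the server-auth case one line above delegates to a single `util.IsServerAuthCert` call; moving it behind a helper such as `util.IsSMIMEApplicable(cert)` would keep the two branches parallel and give the rule one place to unit-test. Nothing on the line records why an EKU-only check was insufficient, so a comment like `// S/MIME BR lints apply to certs asserting an S/MIME BR policy OID, or to emailProtection certs that carry an e-mail SAN (rfc822Name or SmtpUTF8Mailbox otherName)` would preserve the intent for the next reader. What `util.IsSMIMEBRCertificate` actually checks is not visible here, so whether the policy-OID branch alone is meant to trigger the lints can only be confirmed against its definition. Execute begins and ends outside this hunk.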
36 changes: 19 additions & 17 deletions v3/testdata/smime/subscriber_no_crl_distribution_points.pem
Expand Up @@ -12,27 +12,29 @@ Certificate:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:b0:ea:1e:f1:18:fe:47:2c:63:90:84:55:31:84:
a9:7d:05:a9:53:01:21:6f:cf:c4:b3:08:33:d2:4c:
0a:e0:39:40:d2:c8:05:e0:7a:a2:cf:14:04:9e:75:
c9:8a:41:b1:ce:6f:ea:6e:f2:5f:f7:0c:58:39:d5:
b3:b6:83:fc:79
04:59:8d:60:f6:dc:04:98:92:65:d8:4d:e9:45:da:
1e:97:70:09:5a:af:cf:c7:e5:86:18:cd:32:8b:35:
c7:23:5c:b8:76:c7:65:f8:20:f1:fc:ab:3b:28:22:
a3:a9:9b:68:dc:7a:58:74:3b:f4:0b:b9:60:57:3f:
46:21:e3:b8:11
ASN1 OID: prime256v1
NIST CURVE: P-256
X509v3 extensions:
X509v3 Extended Key Usage:
E-mail Protection
X509v3 Certificate Policies:
Policy: 2.23.140.1.5.4.1
Signature Algorithm: ecdsa-with-SHA256
Signature Value:
30:45:02:21:00:9f:89:3b:b4:a6:ca:2f:d3:24:cf:5c:0f:d2:
b4:0c:a5:23:e2:77:ae:dc:4e:60:f9:fb:a5:d7:17:b6:eb:d7:
be:02:20:60:21:54:e0:ef:0c:eb:d7:7d:c0:f6:28:29:86:d2:
be:b1:3e:c7:a6:f5:23:84:37:18:68:af:cd:6d:fe:4d:b0
30:45:02:21:00:97:6e:8c:24:9c:5f:89:f4:92:29:d8:4d:eb:
c1:1b:bd:a6:31:d3:32:58:da:34:4b:fa:d3:f7:b2:c3:49:93:
a2:02:20:51:49:d7:29:8b:1d:28:2e:24:58:fb:e5:34:a1:5c:
c0:05:d8:8e:f3:ce:43:4e:3b:0a:b0:7c:ce:57:f7:42:1f
-----BEGIN CERTIFICATE-----
MIIBBzCBrqADAgECAgEDMAoGCCqGSM49BAMCMAAwIBcNMjMwOTMwMTUwMjU3WhgP
OTk5ODExMzAwMDAwMDBaMAAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASw6h7x
GP5HLGOQhFUxhKl9BalTASFvz8SzCDPSTArgOUDSyAXgeqLPFASedcmKQbHOb+pu
8l/3DFg51bO2g/x5oxcwFTATBgNVHSUEDDAKBggrBgEFBQcDBDAKBggqhkjOPQQD
AgNIADBFAiEAn4k7tKbKL9Mkz1wP0rQMpSPid67cTmD5+6XXF7br174CIGAhVODv
DOvXfcD2KCmG0r6xPsem9SOENxhor81t/k2w
-----END CERTIFICATE-----
MIIBHTCBxKADAgECAgEDMAoGCCqGSM49BAMCMAAwIBcNMjMwOTMwMTUwMjU3WhgP
OTk5ODExMzAwMDAwMDBaMAAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARZjWD2
3ASYkmXYTelF2h6XcAlar8/H5YYYzTKLNccjXLh2x2X4IPH8qzsoIqOpm2jcelh0
O/QLuWBXP0Yh47gRoy0wKzATBgNVHSUEDDAKBggrBgEFBQcDBDAUBgNVHSAEDTAL
MAkGB2eBDAEFBAEwCgYIKoZIzj0EAwIDSAAwRQIhAJdujCScX4n0kinYTevBG72m
MdMyWNo0S/rT97LDSZOiAiBRSdcpix0oLiRY++U0oVzABdiO885DTjsKsHzOV/dC
Hw==
-----END CERTIFICATE-----
37 changes: 19 additions & 18 deletions v3/testdata/smime/subscriber_with_crl_distribution_points.pem
Expand Up @@ -12,31 +12,32 @@ Certificate:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:77:fb:36:f7:93:14:be:12:85:91:d5:e5:ac:69:
d8:3e:53:62:67:69:31:da:d8:cb:b1:31:26:4a:c3:
50:75:fa:8c:3b:a4:3c:28:f3:a9:b7:2f:6d:bb:92:
9b:17:11:b0:f3:40:5f:07:d6:57:f6:ae:0a:42:1b:
a9:02:9e:d7:7c
04:d7:a2:5e:9e:d9:54:7d:94:f9:0f:57:4f:af:c3:
75:e4:bf:9a:57:0d:c1:ab:f2:d7:98:eb:24:a2:98:
49:aa:60:90:41:55:96:60:8c:e5:ba:ac:6b:bd:20:
e1:00:c8:5d:26:60:9a:37:29:7b:a0:2c:61:09:24:
53:7a:71:14:dd
ASN1 OID: prime256v1
NIST CURVE: P-256
X509v3 extensions:
X509v3 Extended Key Usage:
E-mail Protection
X509v3 Certificate Policies:
Policy: 2.23.140.1.5.1.2
X509v3 CRL Distribution Points:
Full Name:
URI:atleastone.com
Signature Algorithm: ecdsa-with-SHA256
Signature Value:
30:45:02:21:00:aa:1a:66:ac:5b:22:a9:e3:2d:b8:33:54:49:
fa:28:22:24:b1:11:49:44:46:6e:7d:55:13:fb:25:56:96:e1:
e1:02:20:60:b3:d6:eb:ff:34:2a:e7:0a:aa:0b:4b:4b:b3:32:
ba:96:7a:44:f5:f8:07:ff:86:86:89:ae:65:f0:6d:1b:00
30:45:02:21:00:8f:ff:de:4a:1b:56:89:31:8c:c5:bc:e5:8e:
1a:95:c3:e4:bc:36:df:df:16:c4:71:74:28:c0:d0:72:44:b3:
68:02:20:76:b4:f4:26:ac:07:7a:bc:a9:3a:c9:bb:e4:cf:f0:
dd:fc:85:58:35:b4:1c:ed:e3:ec:b2:9d:54:7f:47:44:cd
-----BEGIN CERTIFICATE-----
MIIBKDCBz6ADAgECAgEDMAoGCCqGSM49BAMCMAAwIBcNMjMwOTMwMTUwMzMzWhgP
OTk5ODExMzAwMDAwMDBaMAAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAR3+zb3
kxS+EoWR1eWsadg+U2JnaTHa2MuxMSZKw1B1+ow7pDwo86m3L227kpsXEbDzQF8H
1lf2rgpCG6kCntd8ozgwNjATBgNVHSUEDDAKBggrBgEFBQcDBDAfBgNVHR8EGDAW
MBSgEqAQhg5hdGxlYXN0b25lLmNvbTAKBggqhkjOPQQDAgNIADBFAiEAqhpmrFsi
qeMtuDNUSfooIiSxEUlERm59VRP7JVaW4eECIGCz1uv/NCrnCqoLS0uzMrqWekT1
+Af/hoaJrmXwbRsA
-----END CERTIFICATE-----
MIIBPjCB5aADAgECAgEDMAoGCCqGSM49BAMCMAAwIBcNMjMwOTMwMTUwMzMzWhgP
OTk5ODExMzAwMDAwMDBaMAAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATXol6e
2VR9lPkPV0+vw3Xkv5pXDcGr8teY6ySimEmqYJBBVZZgjOW6rGu9IOEAyF0mYJo3
KXugLGEJJFN6cRTdo04wTDATBgNVHSUEDDAKBggrBgEFBQcDBDAUBgNVHSAEDTAL
MAkGB2eBDAEFAQIwHwYDVR0fBBgwFjAUoBKgEIYOYXRsZWFzdG9uZS5jb20wCgYI
KoZIzj0EAwIDSAAwRQIhAI//3kobVokxjMW85Y4alcPkvDbf3xbEcXQowNByRLNo
AiB2tPQmrAd6vKk6ybvkz/Dd/IVYNbQc7ePssp1Uf0dEzQ==
-----END CERTIFICATE-----
36 changes: 19 additions & 17 deletions v3/testdata/smime/without_subject_alternative_name.pem
Expand Up @@ -12,27 +12,29 @@ Certificate:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:8b:93:b2:84:b1:56:f4:cc:df:55:3f:f4:07:2b:
d1:5a:bc:52:10:41:aa:91:88:aa:25:ac:02:da:3e:
0c:0e:af:3b:65:49:d5:22:f9:a5:80:f1:83:c6:bc:
bb:8e:cf:d1:a6:b5:92:5d:85:6f:91:5e:31:1a:af:
69:04:62:31:86
04:b0:71:a1:e2:60:7f:f2:54:b0:73:7b:ad:34:19:
81:36:30:9c:2b:24:92:75:9f:d3:2b:f9:7e:13:2f:
cf:6b:34:0e:cd:fd:16:39:8b:92:e8:de:e1:fa:81:
cc:cd:09:86:6b:93:1f:7c:05:0b:ca:dd:60:9f:85:
8f:ac:b7:cd:e4
ASN1 OID: prime256v1
NIST CURVE: P-256
X509v3 extensions:
X509v3 Extended Key Usage:
E-mail Protection
X509v3 Certificate Policies:
Policy: 2.23.140.1.5.4.1
Signature Algorithm: ecdsa-with-SHA256
Signature Value:
30:45:02:20:0f:4a:43:42:ff:8b:5a:b3:30:f0:c6:b2:63:1c:
92:39:4d:17:5d:b0:15:70:e9:15:2e:9a:3f:a1:d6:12:c2:79:
02:21:00:a6:91:19:20:11:17:8d:f1:65:e0:f1:33:89:38:42:
24:a5:41:e5:33:6b:53:21:7f:1f:49:49:0f:57:d8:0a:f2
30:45:02:20:19:d9:4d:3d:b9:03:93:7d:ad:59:cc:d7:92:2c:
01:a2:c6:be:71:7f:90:a4:0b:97:ad:84:f2:50:3f:ce:0b:20:
02:21:00:d0:9a:e5:79:0d:e4:3c:2d:db:ab:31:dc:b2:13:55:
dc:2b:41:6e:db:94:23:26:a7:28:63:f9:08:20:e4:35:6b
-----BEGIN CERTIFICATE-----
MIIBBzCBrqADAgECAgEDMAoGCCqGSM49BAMCMAAwIBcNMjMwOTMwMTU0MTUwWhgP
OTk5ODExMzAwMDAwMDBaMAAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASLk7KE
sVb0zN9VP/QHK9FavFIQQaqRiKolrALaPgwOrztlSdUi+aWA8YPGvLuOz9GmtZJd
hW+RXjEar2kEYjGGoxcwFTATBgNVHSUEDDAKBggrBgEFBQcDBDAKBggqhkjOPQQD
AgNIADBFAiAPSkNC/4taszDwxrJjHJI5TRddsBVw6RUumj+h1hLCeQIhAKaRGSAR
F43xZeDxM4k4QiSlQeUza1Mhfx9JSQ9X2Ary
-----END CERTIFICATE-----
MIIBHTCBxKADAgECAgEDMAoGCCqGSM49BAMCMAAwIBcNMjMwOTMwMTU0MTUwWhgP
OTk5ODExMzAwMDAwMDBaMAAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASwcaHi
YH/yVLBze600GYE2MJwrJJJ1n9Mr+X4TL89rNA7N/RY5i5Lo3uH6gczNCYZrkx98
BQvK3WCfhY+st83koy0wKzATBgNVHSUEDDAKBggrBgEFBQcDBDAUBgNVHSAEDTAL
MAkGB2eBDAEFBAEwCgYIKoZIzj0EAwIDSAAwRQIgGdlNPbkDk32tWczXkiwBosa+
cX+QpAuXrYTyUD/OCyACIQDQmuV5DeQ8LdurMdyyE1XcK0Fu25QjJqcoY/kIIOQ1
aw==
-----END CERTIFICATE-----
2 changes: 2 additions & 0 deletions v3/util/oid.go
Expand Up @@ -80,6 +80,8 @@ var (
BusinessOID = asn1.ObjectIdentifier{2, 5, 4, 15}
PostalCodeOID = asn1.ObjectIdentifier{2, 5, 4, 17}
GivenNameOID = asn1.ObjectIdentifier{2, 5, 4, 42}
// SAN otherNames
OidIdOnSmtpUtf8Mailbox = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 8, 9}
// Hash algorithms - see https://golang.org/src/crypto/x509/x509.go
SHA256OID = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 4, 2, 1}
SHA384OID = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 4, 2, 2}
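Review bot: `OidIdOnSmtpUtf8Mailbox` on the added line breaks the naming pattern every neighbour in this block follows (`GivenNameOID`, `SHA256OID`: descriptive name plus an `OID` suffix, initialisms in consistent case), so a name like `SMTPUTF8MailboxOID` would match the file and Go's initialism convention; the one caller added in v3/util/san.go in this same commit would need the same rename. The new comment `// SAN otherNames` could also name its source, e.g. `// id-on-SmtpUTF8Mailbox otherName (RFC 8398), used for internationalized e-mail SANs`. The enclosing `var (` block starts and ends outside this hunk.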
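--- /dev/null
+++ b/v3/util/san.go
@@ -0,0 +1,19 @@
+package util
+
+import "github.com/zmap/zcrypto/x509"
+
+func HasEmailSAN(c *x509.Certificate) bool {
+for _, san := range c.EmailAddresses {
+if san != "" {
+return true
+}
+}
+
+for _, name := range c.OtherNames {
+if name.TypeID.Equal(OidIdOnSmtpUtf8Mailbox) && len(name.Value.Bytes) != 0 {
+return true
+}
+}
+
+return false
+}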
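Review bot: `HasEmailSAN` is exported but carries no doc comment, and the commit adds no `_test.go` for it, so neither branch (the `EmailAddresses` loop nor the `OtherNames` match on `OidIdOnSmtpUtf8Mailbox`) is pinned by a test even though this predicate now decides whether every S/MIME BR lint runs at all. A comment such as `// HasEmailSAN reports whether c carries at least one non-empty e-mail address in its SAN, either as an rfc822Name entry (EmailAddresses) or as an id-on-SmtpUTF8Mailbox otherName.` would state the contract. A small table test with a certificate lacking any SAN, one with an rfc822Name, and one with only the SmtpUTF8Mailbox otherName would cover the three paths; the regenerated .pem fixtures in this commit only exercise the lint pipeline end-to-end. Whether a non-empty `name.Value.Bytes` is the right notion of "present" for the otherName depends on how zcrypto populates `OtherNames`, which is not visible here.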
