Convert all Lints to CertificateLints (#767)
aaomidi authored Nov 19, 2023
1 parent 43b6954 commit 45e6204
Showing 316 changed files with 2,876 additions and 2,244 deletions.
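--- a/v3/lints/apple/lint_ct_sct_policy_count_unsatisfied.go
+++ b/v3/lints/apple/lint_ct_sct_policy_count_unsatisfied.go
@@ -27,13 +27,15 @@ import (
 type sctPolicyCount struct{}
 
 func init() {
-lint.RegisterLint(&lint.Lint{
-Name: "w_ct_sct_policy_count_unsatisfied",
-Description: "Check if certificate has enough embedded SCTs to meet Apple CT Policy",
-Citation: "https://support.apple.com/en-us/HT205280",
-Source: lint.AppleRootStorePolicy,
-EffectiveDate: util.AppleCTPolicyDate,
-Lint: NewSctPolicyCount,
+lint.RegisterCertificateLint(&lint.CertificateLint{
+LintMetadata: lint.LintMetadata{
+Name: "w_ct_sct_policy_count_unsatisfied",
+Description: "Check if certificate has enough embedded SCTs to meet Apple CT Policy",
+Citation: "https://support.apple.com/en-us/HT205280",
+Source: lint.AppleRootStorePolicy,
+EffectiveDate: util.AppleCTPolicyDate,
+},
+Lint: NewSctPolicyCount,
 })
 }
 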
Expand Up @@ -25,14 +25,16 @@ import (
type serverCertValidityTooLong struct{}

func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_tls_server_cert_valid_time_longer_than_398_days",
Description: "TLS server certificates issued on or after September 1, 2020 " +
"00:00 GMT/UTC must not have a validity period greater than 398 days",
Citation: "https://support.apple.com/en-us/HT211025",
Source: lint.AppleRootStorePolicy,
EffectiveDate: util.AppleReducedLifetimeDate,
Lint: NewServerCertValidityTooLong,
lint.RegisterCertificateLint(&lint.CertificateLint{
LintMetadata: lint.LintMetadata{
Name: "e_tls_server_cert_valid_time_longer_than_398_days",
Description: "TLS server certificates issued on or after September 1, 2020 " +
"00:00 GMT/UTC must not have a validity period greater than 398 days",
Citation: "https://support.apple.com/en-us/HT211025",
Source: lint.AppleRootStorePolicy,
EffectiveDate: util.AppleReducedLifetimeDate,
},
Lint: NewServerCertValidityTooLong,
})
}

Expand Up @@ -25,14 +25,16 @@ import (
type serverCertValidityAlmostTooLong struct{}

func init() {
lint.RegisterLint(&lint.Lint{
Name: "w_tls_server_cert_valid_time_longer_than_397_days",
Description: "TLS server certificates issued on or after September 1, 2020 " +
"00:00 GMT/UTC should not have a validity period greater than 397 days",
Citation: "https://support.apple.com/en-us/HT211025",
Source: lint.AppleRootStorePolicy,
EffectiveDate: util.AppleReducedLifetimeDate,
Lint: NewServerCertValidityAlmostTooLong,
lint.RegisterCertificateLint(&lint.CertificateLint{
LintMetadata: lint.LintMetadata{
Name: "w_tls_server_cert_valid_time_longer_than_397_days",
Description: "TLS server certificates issued on or after September 1, 2020 " +
"00:00 GMT/UTC should not have a validity period greater than 397 days",
Citation: "https://support.apple.com/en-us/HT211025",
Source: lint.AppleRootStorePolicy,
EffectiveDate: util.AppleReducedLifetimeDate,
},
Lint: NewServerCertValidityAlmostTooLong,
})
}

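--- a/v3/lints/cabf_br/lint_ca_common_name_missing.go
+++ b/v3/lints/cabf_br/lint_ca_common_name_missing.go
@@ -23,13 +23,15 @@ import (
 type caCommonNameMissing struct{}
 
 func init() {
-lint.RegisterLint(&lint.Lint{
-Name: "e_ca_common_name_missing",
-Description: "CA Certificates common name MUST be included.",
-Citation: "BRs: 7.1.4.3.1",
-Source: lint.CABFBaselineRequirements,
-EffectiveDate: util.CABV148Date,
-Lint: NewCaCommonNameMissing,
+lint.RegisterCertificateLint(&lint.CertificateLint{
+LintMetadata: lint.LintMetadata{
+Name: "e_ca_common_name_missing",
+Description: "CA Certificates common name MUST be included.",
+Citation: "BRs: 7.1.4.3.1",
+Source: lint.CABFBaselineRequirements,
+EffectiveDate: util.CABV148Date,
+},
+Lint: NewCaCommonNameMissing,
 })
 }
 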
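--- a/v3/lints/cabf_br/lint_ca_country_name_invalid.go
+++ b/v3/lints/cabf_br/lint_ca_country_name_invalid.go
@@ -31,13 +31,15 @@ in which the CA’s place of business is located.
 ************************************************/
 
 func init() {
-lint.RegisterLint(&lint.Lint{
-Name: "e_ca_country_name_invalid",
-Description: "Root and Subordinate CA certificates MUST have a two-letter country code specified in ISO 3166-1",
-Citation: "BRs: 7.1.2.1",
-Source: lint.CABFBaselineRequirements,
-EffectiveDate: util.CABEffectiveDate,
-Lint: NewCaCountryNameInvalid,
+lint.RegisterCertificateLint(&lint.CertificateLint{
+LintMetadata: lint.LintMetadata{
+Name: "e_ca_country_name_invalid",
+Description: "Root and Subordinate CA certificates MUST have a two-letter country code specified in ISO 3166-1",
+Citation: "BRs: 7.1.2.1",
+Source: lint.CABFBaselineRequirements,
+EffectiveDate: util.CABEffectiveDate,
+},
+Lint: NewCaCountryNameInvalid,
 })
 }
 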
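--- a/v3/lints/cabf_br/lint_ca_country_name_missing.go
+++ b/v3/lints/cabf_br/lint_ca_country_name_missing.go
@@ -31,13 +31,15 @@ in which the CA’s place of business is located.
 ************************************************/
 
 func init() {
-lint.RegisterLint(&lint.Lint{
-Name: "e_ca_country_name_missing",
-Description: "Root and Subordinate CA certificates MUST have a countryName present in subject information",
-Citation: "BRs: 7.1.2.1",
-Source: lint.CABFBaselineRequirements,
-EffectiveDate: util.CABEffectiveDate,
-Lint: NewCaCountryNameMissing,
+lint.RegisterCertificateLint(&lint.CertificateLint{
+LintMetadata: lint.LintMetadata{
+Name: "e_ca_country_name_missing",
+Description: "Root and Subordinate CA certificates MUST have a countryName present in subject information",
+Citation: "BRs: 7.1.2.1",
+Source: lint.CABFBaselineRequirements,
+EffectiveDate: util.CABEffectiveDate,
+},
+Lint: NewCaCountryNameMissing,
 })
 }
 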
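--- a/v3/lints/cabf_br/lint_ca_crl_sign_not_set.go
+++ b/v3/lints/cabf_br/lint_ca_crl_sign_not_set.go
@@ -30,13 +30,15 @@ signing OCSP responses, then the digitalSignature bit MUST be set.
 ************************************************/
 
 func init() {
-lint.RegisterLint(&lint.Lint{
-Name: "e_ca_crl_sign_not_set",
-Description: "Root and Subordinate CA certificate keyUsage extension's crlSign bit MUST be set",
-Citation: "BRs: 7.1.2.1",
-Source: lint.CABFBaselineRequirements,
-EffectiveDate: util.CABEffectiveDate,
-Lint: NewCaCRLSignNotSet,
+lint.RegisterCertificateLint(&lint.CertificateLint{
+LintMetadata: lint.LintMetadata{
+Name: "e_ca_crl_sign_not_set",
+Description: "Root and Subordinate CA certificate keyUsage extension's crlSign bit MUST be set",
+Citation: "BRs: 7.1.2.1",
+Source: lint.CABFBaselineRequirements,
+EffectiveDate: util.CABEffectiveDate,
+},
+Lint: NewCaCRLSignNotSet,
 })
 }
 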
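--- a/v3/lints/cabf_br/lint_ca_digital_signature_not_set.go
+++ b/v3/lints/cabf_br/lint_ca_digital_signature_not_set.go
@@ -33,13 +33,15 @@ If the Root CA Private Key is used for signing OCSP responses, then the digitalS
 ************************************************/
 
 func init() {
-lint.RegisterLint(&lint.Lint{
-Name: "n_ca_digital_signature_not_set",
-Description: "Root and Subordinate CA Certificates that wish to use their private key for signing OCSP responses will not be able to without their digital signature set",
-Citation: "BRs: 7.1.2.1",
-Source: lint.CABFBaselineRequirements,
-EffectiveDate: util.CABEffectiveDate,
-Lint: NewCaDigSignNotSet,
+lint.RegisterCertificateLint(&lint.CertificateLint{
+LintMetadata: lint.LintMetadata{
+Name: "n_ca_digital_signature_not_set",
+Description: "Root and Subordinate CA Certificates that wish to use their private key for signing OCSP responses will not be able to without their digital signature set",
+Citation: "BRs: 7.1.2.1",
+Source: lint.CABFBaselineRequirements,
+EffectiveDate: util.CABEffectiveDate,
+},
+Lint: NewCaDigSignNotSet,
 })
 }
 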
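--- a/v3/lints/cabf_br/lint_ca_is_ca.go
+++ b/v3/lints/cabf_br/lint_ca_is_ca.go
@@ -24,13 +24,15 @@ import (
 type caIsCA struct{}
 
 func init() {
-lint.RegisterLint(&lint.Lint{
-Name: "e_ca_is_ca",
-Description: "Root and Sub CA Certificate: The CA field MUST be set to true.",
-Citation: "BRs: 7.1.2.1, BRs: 7.1.2.2",
-Source: lint.CABFBaselineRequirements,
-EffectiveDate: util.CABEffectiveDate,
-Lint: NewCaIsCA,
+lint.RegisterCertificateLint(&lint.CertificateLint{
+LintMetadata: lint.LintMetadata{
+Name: "e_ca_is_ca",
+Description: "Root and Sub CA Certificate: The CA field MUST be set to true.",
+Citation: "BRs: 7.1.2.1, BRs: 7.1.2.2",
+Source: lint.CABFBaselineRequirements,
+EffectiveDate: util.CABEffectiveDate,
+},
+Lint: NewCaIsCA,
 })
 }
 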
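--- a/v3/lints/cabf_br/lint_ca_key_cert_sign_not_set.go
+++ b/v3/lints/cabf_br/lint_ca_key_cert_sign_not_set.go
@@ -29,13 +29,15 @@ If the Root CA Private Key is used for signing OCSP responses, then the digitalS
 ************************************************/
 
 func init() {
-lint.RegisterLint(&lint.Lint{
-Name: "e_ca_key_cert_sign_not_set",
-Description: "Root CA Certificate: Bit positions for keyCertSign and cRLSign MUST be set.",
-Citation: "BRs: 7.1.2.1",
-Source: lint.CABFBaselineRequirements,
-EffectiveDate: util.CABEffectiveDate,
-Lint: NewCaKeyCertSignNotSet,
+lint.RegisterCertificateLint(&lint.CertificateLint{
+LintMetadata: lint.LintMetadata{
+Name: "e_ca_key_cert_sign_not_set",
+Description: "Root CA Certificate: Bit positions for keyCertSign and cRLSign MUST be set.",
+Citation: "BRs: 7.1.2.1",
+Source: lint.CABFBaselineRequirements,
+EffectiveDate: util.CABEffectiveDate,
+},
+Lint: NewCaKeyCertSignNotSet,
 })
 }
 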
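Review bot: The `Description` carried into `LintMetadata` says "Root CA Certificate: Bit positions for keyCertSign and cRLSign MUST be set.", yet the lint is named `e_ca_key_cert_sign_not_set` and `e_ca_crl_sign_not_set` is registered as a separate lint in this same commit. If the check, which lies outside this hunk, only tests keyCertSign, a failure report overstates what was found. Wording parallel to the crlSign lint would be clearer, for example `Description: "Root and Subordinate CA certificate keyUsage extension's keyCertSign bit MUST be set",`. Whether subordinate CAs are in scope depends on the lint's CheckApplies, which is not visible here, so confirm that before changing the prefix.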
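--- a/v3/lints/cabf_br/lint_ca_key_usage_missing.go
+++ b/v3/lints/cabf_br/lint_ca_key_usage_missing.go
@@ -31,13 +31,15 @@ Conforming CAs MUST include this extension in certificates that
 ************************************************/
 
 func init() {
-lint.RegisterLint(&lint.Lint{
-Name: "e_ca_key_usage_missing",
-Description: "Root and Subordinate CA certificate keyUsage extension MUST be present",
-Citation: "BRs: 7.1.2.1, RFC 5280: 4.2.1.3",
-Source: lint.CABFBaselineRequirements,
-EffectiveDate: util.RFC3280Date,
-Lint: NewCaKeyUsageMissing,
+lint.RegisterCertificateLint(&lint.CertificateLint{
+LintMetadata: lint.LintMetadata{
+Name: "e_ca_key_usage_missing",
+Description: "Root and Subordinate CA certificate keyUsage extension MUST be present",
+Citation: "BRs: 7.1.2.1, RFC 5280: 4.2.1.3",
+Source: lint.CABFBaselineRequirements,
+EffectiveDate: util.RFC3280Date,
+},
+Lint: NewCaKeyUsageMissing,
 })
 }
 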
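Review bot: The migrated metadata pairs `Source: lint.CABFBaselineRequirements` with `EffectiveDate: util.RFC3280Date`, while the other CA lints in this commit that cite the BRs use `util.CABEffectiveDate` or `util.CABV148Date`. The names suggest RFC3280Date is earlier than the BR effective date (neither value is visible here), in which case certificates issued before the BRs applied would be reported as errors under a BR source. If the early date is deliberate because the citation also lists RFC 5280 4.2.1.3, add a comment above the field such as `// Effective from RFC3280Date: keyUsage on CA certificates is also required by RFC 5280 4.2.1.3.`; otherwise use `EffectiveDate: util.CABEffectiveDate,`. The lint's check functions are outside this hunk.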
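--- a/v3/lints/cabf_br/lint_ca_key_usage_not_critical.go
+++ b/v3/lints/cabf_br/lint_ca_key_usage_not_critical.go
@@ -29,13 +29,15 @@ If the Root CA Private Key is used for signing OCSP responses, then the digitalS
 ************************************************/
 
 func init() {
-lint.RegisterLint(&lint.Lint{
-Name: "e_ca_key_usage_not_critical",
-Description: "Root and Subordinate CA certificate keyUsage extension MUST be marked as critical",
-Citation: "BRs: 7.1.2.1",
-Source: lint.CABFBaselineRequirements,
-EffectiveDate: util.CABEffectiveDate,
-Lint: NewCaKeyUsageNotCrit,
+lint.RegisterCertificateLint(&lint.CertificateLint{
+LintMetadata: lint.LintMetadata{
+Name: "e_ca_key_usage_not_critical",
+Description: "Root and Subordinate CA certificate keyUsage extension MUST be marked as critical",
+Citation: "BRs: 7.1.2.1",
+Source: lint.CABFBaselineRequirements,
+EffectiveDate: util.CABEffectiveDate,
+},
+Lint: NewCaKeyUsageNotCrit,
 })
 }
 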
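--- a/v3/lints/cabf_br/lint_ca_organization_name_missing.go
+++ b/v3/lints/cabf_br/lint_ca_organization_name_missing.go
@@ -28,13 +28,15 @@ The Certificate Subject MUST contain the following: organizationName (OID 2.5.4.
 ************************************************/
 
 func init() {
-lint.RegisterLint(&lint.Lint{
-Name: "e_ca_organization_name_missing",
-Description: "Root and Subordinate CA certificates MUST have a organizationName present in subject information",
-Citation: "BRs: 7.1.2.1",
-Source: lint.CABFBaselineRequirements,
-EffectiveDate: util.CABEffectiveDate,
-Lint: NewCaOrganizationNameMissing,
+lint.RegisterCertificateLint(&lint.CertificateLint{
+LintMetadata: lint.LintMetadata{
+Name: "e_ca_organization_name_missing",
+Description: "Root and Subordinate CA certificates MUST have a organizationName present in subject information",
+Citation: "BRs: 7.1.2.1",
+Source: lint.CABFBaselineRequirements,
+EffectiveDate: util.CABEffectiveDate,
+},
+Lint: NewCaOrganizationNameMissing,
 })
 }
 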
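--- a/v3/lints/cabf_br/lint_cab_dv_conflicts_with_locality.go
+++ b/v3/lints/cabf_br/lint_cab_dv_conflicts_with_locality.go
@@ -24,13 +24,15 @@ import (
 )
 
 func init() {
-lint.RegisterLint(&lint.Lint{
-Name: "e_cab_dv_conflicts_with_locality",
-Description: "If certificate policy 2.23.140.1.2.1 (CA/B BR domain validated) is included, locality name MUST NOT be included in subject",
-Citation: "BRs: 7.1.6.1",
-Source: lint.CABFBaselineRequirements,
-EffectiveDate: util.CABEffectiveDate,
-Lint: NewCertPolicyConflictsWithLocality,
+lint.RegisterCertificateLint(&lint.CertificateLint{
+LintMetadata: lint.LintMetadata{
+Name: "e_cab_dv_conflicts_with_locality",
+Description: "If certificate policy 2.23.140.1.2.1 (CA/B BR domain validated) is included, locality name MUST NOT be included in subject",
+Citation: "BRs: 7.1.6.1",
+Source: lint.CABFBaselineRequirements,
+EffectiveDate: util.CABEffectiveDate,
+},
+Lint: NewCertPolicyConflictsWithLocality,
 })
 }
 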
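Review bot: The `Citation: "BRs: 7.1.6.1"` moved into `LintMetadata` here disagrees with the three sibling DV-conflict lints in this commit (org, postal, province), which all cite `BRs: 7.1.6.4` for the same rule about policy OID 2.23.140.1.2.1. Since the line is being rewritten anyway, confirm which BR section prohibits localityName for DV certificates and align the four lints, probably with `Citation: "BRs: 7.1.6.4",`. A mismatched citation points whoever triages the finding at the wrong requirement text.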
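--- a/v3/lints/cabf_br/lint_cab_dv_conflicts_with_org.go
+++ b/v3/lints/cabf_br/lint_cab_dv_conflicts_with_org.go
@@ -33,13 +33,15 @@ field.
 ************************************************/
 
 func init() {
-lint.RegisterLint(&lint.Lint{
-Name: "e_cab_dv_conflicts_with_org",
-Description: "If certificate policy 2.23.140.1.2.1 (CA/B BR domain validated) is included, organization name MUST NOT be included in subject",
-Citation: "BRs: 7.1.6.4",
-Source: lint.CABFBaselineRequirements,
-EffectiveDate: util.CABEffectiveDate,
-Lint: NewCertPolicyConflictsWithOrg,
+lint.RegisterCertificateLint(&lint.CertificateLint{
+LintMetadata: lint.LintMetadata{
+Name: "e_cab_dv_conflicts_with_org",
+Description: "If certificate policy 2.23.140.1.2.1 (CA/B BR domain validated) is included, organization name MUST NOT be included in subject",
+Citation: "BRs: 7.1.6.4",
+Source: lint.CABFBaselineRequirements,
+EffectiveDate: util.CABEffectiveDate,
+},
+Lint: NewCertPolicyConflictsWithOrg,
 })
 }
 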
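--- a/v3/lints/cabf_br/lint_cab_dv_conflicts_with_postal.go
+++ b/v3/lints/cabf_br/lint_cab_dv_conflicts_with_postal.go
@@ -33,13 +33,15 @@ field.
 ************************************************/
 
 func init() {
-lint.RegisterLint(&lint.Lint{
-Name: "e_cab_dv_conflicts_with_postal",
-Description: "If certificate policy 2.23.140.1.2.1 (CA/B BR domain validated) is included, postalCode MUST NOT be included in subject",
-Citation: "BRs: 7.1.6.4",
-Source: lint.CABFBaselineRequirements,
-EffectiveDate: util.CABEffectiveDate,
-Lint: NewCertPolicyConflictsWithPostal,
+lint.RegisterCertificateLint(&lint.CertificateLint{
+LintMetadata: lint.LintMetadata{
+Name: "e_cab_dv_conflicts_with_postal",
+Description: "If certificate policy 2.23.140.1.2.1 (CA/B BR domain validated) is included, postalCode MUST NOT be included in subject",
+Citation: "BRs: 7.1.6.4",
+Source: lint.CABFBaselineRequirements,
+EffectiveDate: util.CABEffectiveDate,
+},
+Lint: NewCertPolicyConflictsWithPostal,
 })
 }
 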
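--- a/v3/lints/cabf_br/lint_cab_dv_conflicts_with_province.go
+++ b/v3/lints/cabf_br/lint_cab_dv_conflicts_with_province.go
@@ -33,13 +33,15 @@ field.
 ************************************************/
 
 func init() {
-lint.RegisterLint(&lint.Lint{
-Name: "e_cab_dv_conflicts_with_province",
-Description: "If certificate policy 2.23.140.1.2.1 (CA/B BR domain validated) is included, stateOrProvinceName MUST NOT be included in subject",
-Citation: "BRs: 7.1.6.4",
-Source: lint.CABFBaselineRequirements,
-EffectiveDate: util.CABEffectiveDate,
-Lint: NewCertPolicyConflictsWithProvince,
+lint.RegisterCertificateLint(&lint.CertificateLint{
+LintMetadata: lint.LintMetadata{
+Name: "e_cab_dv_conflicts_with_province",
+Description: "If certificate policy 2.23.140.1.2.1 (CA/B BR domain validated) is included, stateOrProvinceName MUST NOT be included in subject",
+Citation: "BRs: 7.1.6.4",
+Source: lint.CABFBaselineRequirements,
+EffectiveDate: util.CABEffectiveDate,
+},
+Lint: NewCertPolicyConflictsWithProvince,
 })
 }
 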