Lint for 7.1.2.7.2 BR (#810)

* lint about the encoding of qcstatements for PSD2 * Revert "lint about the encoding of qcstatements for PSD2" This reverts commit 6c23670. * util: gtld_map autopull updates for 2021-10-21T07:25:20 UTC * always check and perform the operation in the execution * synchronised with project * synchronised with project * synchronised with project * synchronised with project * added lint to check values of subjectDN in DV certificates * fixed errors * fixed merge error * addressing review comment --------- Co-authored-by: mtg <git@mtg.de> Co-authored-by: GitHub <noreply@github.com> Co-authored-by: Christopher Henderson <chris@chenderson.org>
zmap · Mar 10, 2024 · 8d2c579 · 8d2c579
1 parent e76cc77
commit 8d2c579
Show file tree

Hide file tree

Showing 9 changed files with 396 additions and 0 deletions.
diff --git a/v3/integration/config.json b/v3/integration/config.json
@@ -816,6 +816,7 @@
     "e_wrong_time_format_pre2050": {
       "ErrCount": 23
     },
+    "e_cab_dv_subject_invalid_values": {},
     "n_ca_digital_signature_not_set": {
       "NoticeCount": 1409
     },

diff --git a/v3/lints/cabf_br/lint_cab_dv_subject_invalid_values.go b/v3/lints/cabf_br/lint_cab_dv_subject_invalid_values.go
@@ -0,0 +1,86 @@
+package cabf_br
+
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+import (
+	"fmt"
+
+	"github.com/zmap/zcrypto/x509"
+	"github.com/zmap/zlint/v3/lint"
+	"github.com/zmap/zlint/v3/util"
+)
+
+type dvSubjectInvalidValues struct{}
+
+/************************************************
+7.1.2.7.2 Domain Validated
+
+The following table details the acceptable AttributeTypes that may appear within the type
+field of an AttributeTypeAndValue, as well as the contents permitted within the value field.
+
+Table 35: Domain Validated subject Attributes
+
+countryName MAY The two‐letter ISO 3166‐1 country code for the country
+associated with the Subject. Section 3.2.2.3
+
+commonName NOT RECOMMENDED
+If present, MUST contain a value derived from the
+subjectAltName extension according to Section
+7.1.4.3.
+
+Any other attribute MUST NOT
+************************************************/
+
+func init() {
+	lint.RegisterCertificateLint(&lint.CertificateLint{
+		LintMetadata: lint.LintMetadata{
+			Name:          "e_cab_dv_subject_invalid_values",
+			Description:   "If certificate policy 2.23.140.1.2.1 (CA/B BR domain validated) is included, only country and/or common name is allowed in SubjectDN.",
+			Citation:      "BRs: 7.1.2.7.2",
+			Source:        lint.CABFBaselineRequirements,
+			EffectiveDate: util.SC62EffectiveDate,
+		},
+		Lint: NewDvSubjectInvalidValues,
+	})
+}
+
+func NewDvSubjectInvalidValues() lint.LintInterface {
+	return &dvSubjectInvalidValues{}
+}
+
+func (l *dvSubjectInvalidValues) CheckApplies(cert *x509.Certificate) bool {
+	return util.SliceContainsOID(cert.PolicyIdentifiers, util.BRDomainValidatedOID) && util.IsSubscriberCert(cert)
+}
+
+func (l *dvSubjectInvalidValues) Execute(cert *x509.Certificate) *lint.LintResult {
+	names := util.GetTypesInName(&cert.Subject)
+	var cnFound = false
+	for _, n := range names {
+		if n.Equal(util.CommonNameOID) {
+			cnFound = true
+			continue
+		}
+		if n.Equal(util.CountryNameOID) {
+			continue
+		}
+		return &lint.LintResult{Status: lint.Error, Details: fmt.Sprintf("DV certificate contains the invalid attribute type %s", n)}
+	}
+
+	if cnFound {
+		return &lint.LintResult{Status: lint.Warn, Details: "DV certificate contains a subject common name, this is not recommended."}
+	}
+
+	return &lint.LintResult{Status: lint.Pass}
+}
diff --git a/v3/lints/cabf_br/lint_cab_dv_subject_invalid_values_test.go b/v3/lints/cabf_br/lint_cab_dv_subject_invalid_values_test.go
@@ -0,0 +1,81 @@
+package cabf_br
+
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+import (
+	"testing"
+
+	"github.com/zmap/zlint/v3/lint"
+	"github.com/zmap/zlint/v3/test"
+)
+
+func TestNewDvSubjectInvalidValues(t *testing.T) {
+	testCases := []struct {
+		Name            string
+		InputFilename   string
+		ExpectedResult  lint.LintStatus
+		ExpectedDetails string
+	}{
+		{
+			Name:           "ne - DV with valid values in subjectDN, before SC62",
+			InputFilename:  "domainValGoodSubject.pem",
+			ExpectedResult: lint.NE,
+		},
+		{
+			Name:            "error - DV with organization in subjectDN, on SC62",
+			InputFilename:   "dvWithOrganization.pem",
+			ExpectedResult:  lint.Error,
+			ExpectedDetails: "DV certificate contains the invalid attribute type 2.5.4.10",
+		},
+		{
+			Name:            "error - DV with serialNumber in subjectDN, on SC62",
+			InputFilename:   "dvWithSerialNumber.pem",
+			ExpectedResult:  lint.Error,
+			ExpectedDetails: "DV certificate contains the invalid attribute type 2.5.4.5",
+		},
+		{
+			Name:            "warn - DV with valid values in subjectDN, with CN, on SC62",
+			InputFilename:   "dvWithCNAndCountry.pem",
+			ExpectedResult:  lint.Warn,
+			ExpectedDetails: "DV certificate contains a subject common name, this is not recommended",
+		},
+		{
+			Name:           "pass - DV with valid values in subjectDN, country only, on SC62",
+			InputFilename:  "dvCountry.pem",
+			ExpectedResult: lint.Pass,
+		},
+		{
+			Name:           "pass - DV with empty subjectDN, on SC62",
+			InputFilename:  "dvEmptySubject.pem",
+			ExpectedResult: lint.Pass,
+		},
+		{
+			Name:           "na - EV certificate",
+			InputFilename:  "evAllGood.pem",
+			ExpectedResult: lint.NA,
+		},
+	}
+	for _, tc := range testCases {
+		t.Run(tc.Name, func(t *testing.T) {
+			result := test.TestLint("e_cab_dv_subject_invalid_values", tc.InputFilename)
+			if result.Status != tc.ExpectedResult {
+				t.Errorf("expected result %v was %v - details: %v", tc.ExpectedResult, result.Status, result.Details)
+			}
+			if tc.ExpectedResult == lint.Error && tc.ExpectedDetails != result.Details {
+				t.Errorf("expected details: %q, was %q", tc.ExpectedDetails, result.Details)
+			}
+		})
+	}
+}
diff --git a/v3/testdata/dvCountry.pem b/v3/testdata/dvCountry.pem
@@ -0,0 +1,43 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            47:bd:93:31:c3:50:f8:8d:c6:74:07:68
+        Signature Algorithm: ecdsa-with-SHA256
+        Issuer: CN = Lint CA, O = Lint, C = DE
+        Validity
+            Not Before: Sep 15 00:00:00 2023 GMT
+            Not After : Sep 15 00:00:00 2024 GMT
+        Subject: C = DE
+        Subject Public Key Info:
+            Public Key Algorithm: id-ecPublicKey
+                Public-Key: (256 bit)
+                pub:
+                    04:54:ae:c0:80:e5:dd:5e:59:ea:85:0e:1d:db:88:
+                    29:19:72:a3:41:e4:d9:1c:b9:d6:e9:8c:d1:a5:8f:
+                    82:c0:fc:49:47:9c:c2:35:79:e6:cb:3e:5a:78:92:
+                    39:b0:fd:94:ab:3a:5a:81:75:e0:45:15:df:01:d1:
+                    99:36:40:1b:30
+                ASN1 OID: prime256v1
+                NIST CURVE: P-256
+        X509v3 extensions:
+            X509v3 Authority Key Identifier: 
+                B3:8E:9C:AF:03:B9:83:6B:7D:F5:F4:DC:32:A5:73:88:48:58:4E:8E
+            X509v3 Certificate Policies: 
+                Policy: 2.23.140.1.2.1
+    Signature Algorithm: ecdsa-with-SHA256
+    Signature Value:
+        30:45:02:20:22:d4:dd:cc:74:0c:e6:ca:fa:3c:8e:40:52:f4:
+        8a:db:14:22:90:b8:08:48:71:9a:51:5b:20:73:ff:3b:00:d7:
+        02:21:00:c1:ab:a2:6c:c7:77:d3:20:af:2a:f0:04:1d:64:14:
+        7b:3b:40:c9:1c:44:3c:4d:75:9f:ab:fe:89:88:94:f6:41
+-----BEGIN CERTIFICATE-----
+MIIBbTCCAROgAwIBAgIMR72TMcNQ+I3GdAdoMAoGCCqGSM49BAMCMC4xEDAOBgNV
+BAMMB0xpbnQgQ0ExDTALBgNVBAoMBExpbnQxCzAJBgNVBAYTAkRFMB4XDTIzMDkx
+NTAwMDAwMFoXDTI0MDkxNTAwMDAwMFowDTELMAkGA1UEBhMCREUwWTATBgcqhkjO
+PQIBBggqhkjOPQMBBwNCAARUrsCA5d1eWeqFDh3biCkZcqNB5NkcudbpjNGlj4LA
+/ElHnMI1eebLPlp4kjmw/ZSrOlqBdeBFFd8B0Zk2QBswozgwNjAfBgNVHSMEGDAW
+gBSzjpyvA7mDa3319NwypXOISFhOjjATBgNVHSAEDDAKMAgGBmeBDAECATAKBggq
+hkjOPQQDAgNIADBFAiAi1N3MdAzmyvo8jkBS9IrbFCKQuAhIcZpRWyBz/zsA1wIh
+AMGromzHd9MgryrwBB1kFHs7QMkcRDxNdZ+r/omIlPZB
+-----END CERTIFICATE-----
diff --git a/v3/testdata/dvEmptySubject.pem b/v3/testdata/dvEmptySubject.pem
@@ -0,0 +1,43 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            32:eb:47:ff:01:13:5d:24:1e:bd:fe:88
+        Signature Algorithm: ecdsa-with-SHA256
+        Issuer: CN = Lint CA, O = Lint, C = DE
+        Validity
+            Not Before: Sep 15 00:00:00 2023 GMT
+            Not After : Sep 15 00:00:00 2024 GMT
+        Subject: 
+        Subject Public Key Info:
+            Public Key Algorithm: id-ecPublicKey
+                Public-Key: (256 bit)
+                pub:
+                    04:b4:c0:74:a1:a4:7e:42:d3:b6:7c:40:5b:95:fd:
+                    82:d5:ed:e8:19:62:a8:e7:16:be:54:e7:c0:bf:25:
+                    41:46:7e:36:25:03:27:c0:3a:c6:52:e2:37:84:cc:
+                    53:34:6d:ef:c2:93:bf:50:56:fb:9c:88:4f:53:75:
+                    35:81:75:cc:c0
+                ASN1 OID: prime256v1
+                NIST CURVE: P-256
+        X509v3 extensions:
+            X509v3 Authority Key Identifier: 
+                B3:8E:9C:AF:03:B9:83:6B:7D:F5:F4:DC:32:A5:73:88:48:58:4E:8E
+            X509v3 Certificate Policies: 
+                Policy: 2.23.140.1.2.1
+    Signature Algorithm: ecdsa-with-SHA256
+    Signature Value:
+        30:46:02:21:00:b9:d1:1d:bd:e7:7f:b6:48:d0:72:08:42:58:
+        5c:72:12:c8:92:5d:73:3d:32:67:84:dd:12:e1:2d:dc:65:03:
+        4b:02:21:00:ed:82:a3:6c:09:64:60:e2:d8:37:32:8b:54:18:
+        f3:f5:40:29:e8:70:53:67:79:16:88:52:02:44:9b:07:57:31
+-----BEGIN CERTIFICATE-----
+MIIBYTCCAQagAwIBAgIMMutH/wETXSQevf6IMAoGCCqGSM49BAMCMC4xEDAOBgNV
+BAMMB0xpbnQgQ0ExDTALBgNVBAoMBExpbnQxCzAJBgNVBAYTAkRFMB4XDTIzMDkx
+NTAwMDAwMFoXDTI0MDkxNTAwMDAwMFowADBZMBMGByqGSM49AgEGCCqGSM49AwEH
+A0IABLTAdKGkfkLTtnxAW5X9gtXt6BliqOcWvlTnwL8lQUZ+NiUDJ8A6xlLiN4TM
+UzRt78KTv1BW+5yIT1N1NYF1zMCjODA2MB8GA1UdIwQYMBaAFLOOnK8DuYNrffX0
+3DKlc4hIWE6OMBMGA1UdIAQMMAowCAYGZ4EMAQIBMAoGCCqGSM49BAMCA0kAMEYC
+IQC50R2953+2SNByCEJYXHISyJJdcz0yZ4TdEuEt3GUDSwIhAO2Co2wJZGDi2Dcy
+i1QY8/VAKehwU2d5FohSAkSbB1cx
+-----END CERTIFICATE-----
diff --git a/v3/testdata/dvWithCNAndCountry.pem b/v3/testdata/dvWithCNAndCountry.pem
@@ -0,0 +1,44 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            81:bd:5a:5d:43:40:fe:61:d3:d8:ac:a3
+        Signature Algorithm: ecdsa-with-SHA256
+        Issuer: CN = Lint CA, O = Lint, C = DE
+        Validity
+            Not Before: Sep 15 00:00:00 2023 GMT
+            Not After : Sep 15 00:00:00 2024 GMT
+        Subject: CN = Lint, C = DE
+        Subject Public Key Info:
+            Public Key Algorithm: id-ecPublicKey
+                Public-Key: (256 bit)
+                pub:
+                    04:9e:ad:b4:94:d7:d5:1e:ed:56:7d:31:7a:a9:fd:
+                    44:ab:73:dd:30:bc:d1:6d:57:46:36:39:22:02:c9:
+                    a1:45:f9:d1:0a:5b:43:37:35:bf:17:7b:ba:ed:e2:
+                    ae:13:28:6f:e1:4a:31:f5:6c:29:dd:7f:f1:7d:2b:
+                    5f:20:91:60:3f
+                ASN1 OID: prime256v1
+                NIST CURVE: P-256
+        X509v3 extensions:
+            X509v3 Authority Key Identifier: 
+                keyid:85:80:D7:8A:69:8E:22:61:06:49:28:4E:4E:2B:EB:1F:34:B9:0D:CB
+
+            X509v3 Certificate Policies: 
+                Policy: 2.23.140.1.2.1
+
+    Signature Algorithm: ecdsa-with-SHA256
+         30:44:02:20:50:82:33:f9:c0:43:6c:88:57:29:af:94:88:dd:
+         41:3a:64:c4:b0:82:77:24:92:d9:6d:6b:29:d8:68:df:97:e5:
+         02:20:56:9b:a2:9d:e6:01:3d:c1:fc:0d:29:15:39:87:96:33:
+         5c:19:68:31:94:06:74:f9:0f:84:4e:91:fe:41:07:d0
+-----BEGIN CERTIFICATE-----
+MIIBfDCCASOgAwIBAgINAIG9Wl1DQP5h09isozAKBggqhkjOPQQDAjAuMRAwDgYD
+VQQDDAdMaW50IENBMQ0wCwYDVQQKDARMaW50MQswCQYDVQQGEwJERTAeFw0yMzA5
+MTUwMDAwMDBaFw0yNDA5MTUwMDAwMDBaMBwxDTALBgNVBAMMBExpbnQxCzAJBgNV
+BAYTAkRFMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEnq20lNfVHu1WfTF6qf1E
+q3PdMLzRbVdGNjkiAsmhRfnRCltDNzW/F3u67eKuEyhv4Uox9Wwp3X/xfStfIJFg
+P6M4MDYwHwYDVR0jBBgwFoAUhYDXimmOImEGSShOTivrHzS5DcswEwYDVR0gBAww
+CjAIBgZngQwBAgEwCgYIKoZIzj0EAwIDRwAwRAIgUIIz+cBDbIhXKa+UiN1BOmTE
+sIJ3JJLZbWsp2Gjfl+UCIFabop3mAT3B/A0pFTmHljNcGWgxlAZ0+Q+ETpH+QQfQ
+-----END CERTIFICATE-----
diff --git a/v3/testdata/dvWithOrganization.pem b/v3/testdata/dvWithOrganization.pem
@@ -0,0 +1,45 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            a2:1f:2f:e0:07:65:24:ee:ff:c3:39:bb
+        Signature Algorithm: ecdsa-with-SHA256
+        Issuer: CN = Lint CA, O = Lint, C = DE
+        Validity
+            Not Before: Sep 15 00:00:00 2023 GMT
+            Not After : Sep 15 00:00:00 2024 GMT
+        Subject: CN = Lint, O = ZLint, C = DE
+        Subject Public Key Info:
+            Public Key Algorithm: id-ecPublicKey
+                Public-Key: (256 bit)
+                pub:
+                    04:a8:64:aa:4e:ee:84:e8:6d:f5:60:af:b6:59:c7:
+                    29:20:8b:41:45:bc:1b:c8:ce:bc:83:4c:ec:56:ec:
+                    29:73:d7:d8:c3:f5:db:3c:54:ad:f8:22:10:a2:97:
+                    48:7a:b1:d7:2e:a7:aa:6b:ca:6f:dd:6e:27:4c:28:
+                    51:d2:fb:87:89
+                ASN1 OID: prime256v1
+                NIST CURVE: P-256
+        X509v3 extensions:
+            X509v3 Authority Key Identifier: 
+                keyid:85:80:D7:8A:69:8E:22:61:06:49:28:4E:4E:2B:EB:1F:34:B9:0D:CB
+
+            X509v3 Certificate Policies: 
+                Policy: 2.23.140.1.2.1
+
+    Signature Algorithm: ecdsa-with-SHA256
+         30:46:02:21:00:da:34:ad:88:35:50:f4:b7:07:5d:e5:09:f1:
+         05:ae:31:ff:39:35:06:58:6e:f3:c1:dc:f5:74:92:4b:29:22:
+         44:02:21:00:b4:ea:ed:19:b4:82:0a:64:a6:0d:d8:89:44:a9:
+         e8:f2:b3:1c:64:17:b4:08:41:08:30:bc:9e:f7:3f:93:97:01
+-----BEGIN CERTIFICATE-----
+MIIBjjCCATOgAwIBAgINAKIfL+AHZSTu/8M5uzAKBggqhkjOPQQDAjAuMRAwDgYD
+VQQDDAdMaW50IENBMQ0wCwYDVQQKDARMaW50MQswCQYDVQQGEwJERTAeFw0yMzA5
+MTUwMDAwMDBaFw0yNDA5MTUwMDAwMDBaMCwxDTALBgNVBAMMBExpbnQxDjAMBgNV
+BAoMBVpMaW50MQswCQYDVQQGEwJERTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA
+BKhkqk7uhOht9WCvtlnHKSCLQUW8G8jOvINM7FbsKXPX2MP12zxUrfgiEKKXSHqx
+1y6nqmvKb91uJ0woUdL7h4mjODA2MB8GA1UdIwQYMBaAFIWA14ppjiJhBkkoTk4r
+6x80uQ3LMBMGA1UdIAQMMAowCAYGZ4EMAQIBMAoGCCqGSM49BAMCA0kAMEYCIQDa
+NK2INVD0twdd5QnxBa4x/zk1Blhu88Hc9XSSSykiRAIhALTq7Rm0ggpkpg3YiUSp
+6PKzHGQXtAhBCDC8nvc/k5cB
+-----END CERTIFICATE-----