Limit e_registration_scheme_id_matches_subject_country to no longer a…

…pply to LEI or INT organizationIdentifiers (#781) * fix issue where e_registration_scheme_id_matches_subject_country was applying to LEI and INT certs where not required by the SMIME BRs * fix execution of e_registration_scheme_id_matches_subject_country lint in case where some organizationIdentifiers are subject to the check and others are not --------- Co-authored-by: Christopher Henderson <chris@chenderson.org>
zmap · Jan 1, 2024 · be8dd6a · be8dd6a
1 parent dfb985b
commit be8dd6a
Show file tree

Hide file tree

Showing 5 changed files with 154 additions and 3 deletions.
diff --git a/v3/lints/cabf_smime_br/lint_registration_scheme_id_matches_subject_country.go b/v3/lints/cabf_smime_br/lint_registration_scheme_id_matches_subject_country.go
@@ -56,11 +56,18 @@ func (l *registrationSchemeIDMatchesSubjectCountry) CheckApplies(c *x509.Certifi
 		return false
 	}
 
+	orgIDsAreInternational := true
 	for _, id := range c.Subject.OrganizationIDs {
 		submatches := countryRegex.FindStringSubmatch(id)
 		if len(submatches) < 3 {
 			return false
 		}
+
+		orgIDsAreInternational = orgIDsAreInternational && (submatches[1] == "INT" || submatches[1] == "LEI")
+	}
+
+	if orgIDsAreInternational {
+		return false
 	}
 
 	return util.IsOrganizationValidatedCertificate(c) || util.IsSponsorValidatedCertificate(c)
@@ -81,6 +88,11 @@ func (l *registrationSchemeIDMatchesSubjectCountry) Execute(c *x509.Certificate)
 // verifySMIMEOrganizationIdentifierContainSubjectNameCountry verifies that the country code used in the subject:organizationIdentifier matches subject:countryName
 func verifySMIMEOrganizationIdentifierContainsSubjectNameCountry(id string, country string) error {
 	submatches := countryRegex.FindStringSubmatch(id)
+
+	if submatches[1] == "INT" || submatches[1] == "LEI" {
+		return nil
+	}
+
 	// Captures the country code from the organization identifier
 	// Note that this raw indexing into the second position is only safe
 	// due to a length check done in CheckApplies

diff --git a/v3/lints/cabf_smime_br/lint_registration_scheme_id_matches_subject_country_test.go b/v3/lints/cabf_smime_br/lint_registration_scheme_id_matches_subject_country_test.go
@@ -26,17 +26,32 @@ func TestRegistrationSchemeIDMatchesSubjectNameCountry(t *testing.T) {
 			ExpectedResult: lint.Pass,
 		},
 		{
-			Name:           "error - individual validated certificate",
+			Name:           "pass - certificate with one LEI and one GOV organization identifier",
+			InputFilename:  "smime/with_lei_and_gov_organizationidentifier.pem",
+			ExpectedResult: lint.Pass,
+		},
+		{
+			Name:           "NA - individual validated certificate",
 			InputFilename:  "smime/individual_validated_with_matching_country.pem",
 			ExpectedResult: lint.NA,
 		},
 		{
-			Name:           "error - no country specified in certificate",
+			Name:           "NA - no country specified in certificate",
 			InputFilename:  "smime/organization_validatged_with_no_country_specified.pem",
 			ExpectedResult: lint.NA,
 		},
 		{
-			Name:           "error - organization validated certificate with subject:organizationIdentifier in incorrect format",
+			Name:           "NA - certificate with LEI organization identifier",
+			InputFilename:  "smime/with_single_lei_organizationidentifier.pem",
+			ExpectedResult: lint.NA,
+		},
+		{
+			Name:           "NA - certificate with INT organization identifier",
+			InputFilename:  "smime/with_single_int_organizationidentifier.pem",
+			ExpectedResult: lint.NA,
+		},
+		{
+			Name:           "NA - organization validated certificate with subject:organizationIdentifier in incorrect format",
 			InputFilename:  "smime/organization_validated_with_incorrect_format_identifier.pem",
 			ExpectedResult: lint.NA,
 		},

diff --git a/v3/testdata/smime/with_lei_and_gov_organizationidentifier.pem b/v3/testdata/smime/with_lei_and_gov_organizationidentifier.pem
@@ -0,0 +1,42 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 3 (0x3)
+        Signature Algorithm: ecdsa-with-SHA256
+        Issuer: 
+        Validity
+            Not Before: Sep  2 00:00:00 2023 GMT
+            Not After : Nov 30 00:00:00 9998 GMT
+        Subject: C = US, organizationIdentifier = GOVUS-123456 + organizationIdentifier = INTXG-123456
+        Subject Public Key Info:
+            Public Key Algorithm: id-ecPublicKey
+                Public-Key: (256 bit)
+                pub:
+                    04:b6:9c:51:00:de:27:43:20:55:3c:96:2a:05:fd:
+                    99:42:ad:e5:46:ab:a1:0d:e3:fb:26:d1:58:9f:16:
+                    86:b6:62:93:6c:b5:a4:84:0d:29:e8:88:d2:17:81:
+                    a9:f9:50:a3:0c:a7:4f:df:45:26:1b:cf:d9:20:b2:
+                    fb:b4:90:40:41
+                ASN1 OID: prime256v1
+                NIST CURVE: P-256
+        X509v3 extensions:
+            X509v3 Extended Key Usage: 
+                E-mail Protection
+            X509v3 Certificate Policies: 
+                Policy: 2.23.140.1.5.2.2
+
+    Signature Algorithm: ecdsa-with-SHA256
+         30:45:02:21:00:d5:2b:31:f1:2a:3f:7f:63:21:44:00:78:a2:
+         84:fc:d2:61:7f:a3:55:ef:82:fd:6c:43:42:f5:6d:3e:42:bf:
+         da:02:20:58:92:a4:b3:2c:54:f6:d8:49:00:0c:8c:9b:21:13:
+         e2:c5:8f:ed:f2:d0:18:09:80:e5:a3:8b:66:57:e5:57:8a
+-----BEGIN CERTIFICATE-----
+MIIBVjCB/aADAgECAgEDMAoGCCqGSM49BAMCMAAwIBcNMjMwOTAyMDAwMDAwWhgP
+OTk5ODExMzAwMDAwMDBaMDkxCzAJBgNVBAYTAlVTMSowEwYDVQRhEwxHT1ZVUy0x
+MjM0NTYwEwYDVQRhEwxJTlRYRy0xMjM0NTYwWTATBgcqhkjOPQIBBggqhkjOPQMB
+BwNCAAS2nFEA3idDIFU8lioF/ZlCreVGq6EN4/sm0VifFoa2YpNstaSEDSnoiNIX
+gan5UKMMp0/fRSYbz9kgsvu0kEBBoy0wKzATBgNVHSUEDDAKBggrBgEFBQcDBDAU
+BgNVHSAEDTALMAkGB2eBDAEFAgIwCgYIKoZIzj0EAwIDSAAwRQIhANUrMfEqP39j
+IUQAeKKE/NJhf6NV74L9bENC9W0+Qr/aAiBYkqSzLFT22EkADIybIRPixY/t8tAY
+CYDlo4tmV+VXig==
+-----END CERTIFICATE-----
diff --git a/v3/testdata/smime/with_single_int_organizationidentifier.pem b/v3/testdata/smime/with_single_int_organizationidentifier.pem
@@ -0,0 +1,41 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 3 (0x3)
+        Signature Algorithm: ecdsa-with-SHA256
+        Issuer: 
+        Validity
+            Not Before: Sep  2 00:00:00 2023 GMT
+            Not After : Nov 30 00:00:00 9998 GMT
+        Subject: C = US, organizationIdentifier = INTXG-123456
+        Subject Public Key Info:
+            Public Key Algorithm: id-ecPublicKey
+                Public-Key: (256 bit)
+                pub:
+                    04:d4:1a:f1:ff:48:7a:88:b3:d0:ce:f5:b0:2d:9d:
+                    05:dc:c8:cc:5b:1f:58:2c:e0:ab:96:69:72:cc:24:
+                    61:a1:2a:c0:97:9a:b0:cb:65:ea:21:c9:e2:12:76:
+                    8e:64:ca:f0:1a:87:1b:aa:b9:02:55:7a:f5:a3:88:
+                    13:35:be:3f:23
+                ASN1 OID: prime256v1
+                NIST CURVE: P-256
+        X509v3 extensions:
+            X509v3 Extended Key Usage: 
+                E-mail Protection
+            X509v3 Certificate Policies: 
+                Policy: 2.23.140.1.5.1.2
+
+    Signature Algorithm: ecdsa-with-SHA256
+         30:45:02:20:74:c1:24:d1:11:81:5d:90:ac:4f:e2:04:ce:a5:
+         fd:1d:ca:d2:05:e4:e6:3e:5d:5f:02:aa:2a:52:9e:df:d8:69:
+         02:21:00:dd:07:38:33:87:1b:2e:e8:bd:16:0a:d7:35:fe:62:
+         38:97:f4:3a:ab:0e:2d:a2:c8:97:0b:f7:7b:b5:03:89:d9
+-----BEGIN CERTIFICATE-----
+MIIBQTCB6KADAgECAgEDMAoGCCqGSM49BAMCMAAwIBcNMjMwOTAyMDAwMDAwWhgP
+OTk5ODExMzAwMDAwMDBaMCQxCzAJBgNVBAYTAlVTMRUwEwYDVQRhEwxJTlRYRy0x
+MjM0NTYwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATUGvH/SHqIs9DO9bAtnQXc
+yMxbH1gs4KuWaXLMJGGhKsCXmrDLZeohyeISdo5kyvAahxuquQJVevWjiBM1vj8j
+oy0wKzATBgNVHSUEDDAKBggrBgEFBQcDBDAUBgNVHSAEDTALMAkGB2eBDAEFAQIw
+CgYIKoZIzj0EAwIDSAAwRQIgdMEk0RGBXZCsT+IEzqX9HcrSBeTmPl1fAqoqUp7f
+2GkCIQDdBzgzhxsu6L0WCtc1/mI4l/Q6qw4tosiXC/d7tQOJ2Q==
+-----END CERTIFICATE-----
diff --git a/v3/testdata/smime/with_single_lei_organizationidentifier.pem b/v3/testdata/smime/with_single_lei_organizationidentifier.pem
@@ -0,0 +1,41 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 3 (0x3)
+        Signature Algorithm: ecdsa-with-SHA256
+        Issuer: 
+        Validity
+            Not Before: Sep  2 00:00:00 2023 GMT
+            Not After : Nov 30 00:00:00 9998 GMT
+        Subject: C = US, organizationIdentifier = LEIXG-123456
+        Subject Public Key Info:
+            Public Key Algorithm: id-ecPublicKey
+                Public-Key: (256 bit)
+                pub:
+                    04:6e:c8:fe:a0:70:20:62:13:49:a8:18:bb:81:fa:
+                    0c:ea:8d:38:f5:23:4c:d2:89:55:d1:ee:61:2c:33:
+                    61:a7:dc:4a:c4:81:93:6e:b7:4c:2a:32:2b:5b:28:
+                    0d:94:29:8f:0e:d4:31:0d:fe:a0:65:03:30:6d:aa:
+                    74:de:ff:f3:27
+                ASN1 OID: prime256v1
+                NIST CURVE: P-256
+        X509v3 extensions:
+            X509v3 Extended Key Usage: 
+                E-mail Protection
+            X509v3 Certificate Policies: 
+                Policy: 2.23.140.1.5.1.2
+
+    Signature Algorithm: ecdsa-with-SHA256
+         30:44:02:20:53:c9:60:bb:f5:3e:25:2e:c5:ea:35:7f:71:37:
+         c5:8c:8d:f8:fa:c3:1b:cb:ce:af:1a:36:80:64:44:09:8c:ce:
+         02:20:69:e5:fe:fc:ad:fc:4c:3f:ae:10:ab:22:0b:ae:09:5c:
+         f4:cc:25:18:b3:fa:45:ba:04:41:6f:95:c6:5e:e0:fb
+-----BEGIN CERTIFICATE-----
+MIIBQDCB6KADAgECAgEDMAoGCCqGSM49BAMCMAAwIBcNMjMwOTAyMDAwMDAwWhgP
+OTk5ODExMzAwMDAwMDBaMCQxCzAJBgNVBAYTAlVTMRUwEwYDVQRhEwxMRUlYRy0x
+MjM0NTYwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARuyP6gcCBiE0moGLuB+gzq
+jTj1I0zSiVXR7mEsM2Gn3ErEgZNut0wqMitbKA2UKY8O1DEN/qBlAzBtqnTe//Mn
+oy0wKzATBgNVHSUEDDAKBggrBgEFBQcDBDAUBgNVHSAEDTALMAkGB2eBDAEFAQIw
+CgYIKoZIzj0EAwIDRwAwRAIgU8lgu/U+JS7F6jV/cTfFjI34+sMby86vGjaAZEQJ
+jM4CIGnl/vyt/Ew/rhCrIguuCVz0zCUYs/pFugRBb5XGXuD7
+-----END CERTIFICATE-----