Handle ips in aia internal names (#791)

* lint about the encoding of qcstatements for PSD2 * Revert "lint about the encoding of qcstatements for PSD2" This reverts commit 6c23670. * util: gtld_map autopull updates for 2021-10-21T07:25:20 UTC * always check and perform the operation in the execution * synchronised with project * synchronised with project * synchronised with project * synchronised with project * if the AIA contains an IP then pass instead of warn * fixed merge message * trying to resolve conflicts * enhancement; lint only if extension is present otherwise not applicable --------- Co-authored-by: mtg <git@mtg.de> Co-authored-by: GitHub <noreply@github.com> Co-authored-by: Christopher Henderson <chris@chenderson.org>
zmap · Feb 10, 2024 · fa85598 · fa85598
1 parent 82d733e
commit fa85598
Show file tree

Hide file tree

Showing 3 changed files with 70 additions and 1 deletion.
diff --git a/v3/lints/cabf_br/lint_sub_cert_aia_contains_internal_names.go b/v3/lints/cabf_br/lint_sub_cert_aia_contains_internal_names.go
@@ -15,6 +15,7 @@ package cabf_br
  */
 
 import (
+	"net"
 	"net/url"
 	"time"
 
@@ -53,7 +54,7 @@ func NewSubCertAIAInternalName() lint.LintInterface {
 }
 
 func (l *subCertAIAInternalName) CheckApplies(c *x509.Certificate) bool {
-	return util.IsSubscriberCert(c)
+	return util.IsSubscriberCert(c) && util.IsExtInCert(c, util.AiaOID)
 }
 
 func (l *subCertAIAInternalName) Execute(c *x509.Certificate) *lint.LintResult {
@@ -62,6 +63,11 @@ func (l *subCertAIAInternalName) Execute(c *x509.Certificate) *lint.LintResult {
 		if err != nil {
 			return &lint.LintResult{Status: lint.Error}
 		}
+
+		if net.ParseIP(purl.Host) != nil {
+			continue
+		}
+
 		if !util.HasValidTLD(purl.Hostname(), time.Now()) {
 			return &lint.LintResult{Status: lint.Warn}
 		}
@@ -71,6 +77,11 @@ func (l *subCertAIAInternalName) Execute(c *x509.Certificate) *lint.LintResult {
 		if err != nil {
 			return &lint.LintResult{Status: lint.Error}
 		}
+
+		if net.ParseIP(purl.Host) != nil {
+			continue
+		}
+
 		if !util.HasValidTLD(purl.Hostname(), time.Now()) {
 			return &lint.LintResult{Status: lint.Warn}
 		}

diff --git a/v3/lints/cabf_br/lint_sub_cert_aia_contains_internal_names_test.go b/v3/lints/cabf_br/lint_sub_cert_aia_contains_internal_names_test.go
@@ -23,6 +23,16 @@ func TestAIAInternalName(t *testing.T) {
 			InputFilename:  "aiaWithInternalNames.pem",
 			ExpectedResult: lint.Warn,
 		},
+		{
+			Name:           "pass - aia with an IP address",
+			InputFilename:  "aiaWithIP.pem",
+			ExpectedResult: lint.Pass,
+		},
+		{
+			Name:           "na - aia is not present",
+			InputFilename:  "akiCritical.pem",
+			ExpectedResult: lint.NA,
+		},
 	}
 	for _, tc := range testCases {
 		t.Run(tc.Name, func(t *testing.T) {

diff --git a/v3/testdata/aiaWithIP.pem b/v3/testdata/aiaWithIP.pem
@@ -0,0 +1,48 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            41:3a:cf:f0:21:c6:b7:4e:8a:52:bb:8f
+        Signature Algorithm: ecdsa-with-SHA256
+        Issuer: CN = Lint CA, O = Lint, C = DE
+        Validity
+            Not Before: Sep  1 00:00:00 2023 GMT
+            Not After : Sep  1 00:00:00 2024 GMT
+        Subject: CN = Certificate, O = Lint, C = DE
+        Subject Public Key Info:
+            Public Key Algorithm: id-ecPublicKey
+                Public-Key: (256 bit)
+                pub:
+                    04:4e:40:12:56:a9:f2:b9:24:4b:90:a1:91:be:11:
+                    36:15:3e:d8:5b:03:92:1b:73:05:f7:52:e8:da:36:
+                    01:ad:9e:e2:aa:a7:44:f6:15:77:de:b8:a2:28:ac:
+                    b4:73:c6:3b:2f:61:7e:4d:8f:ba:89:cf:a0:f9:dc:
+                    d8:ca:ea:82:98
+                ASN1 OID: prime256v1
+                NIST CURVE: P-256
+        X509v3 extensions:
+            X509v3 Authority Key Identifier: 
+                keyid:A8:25:78:6E:21:C4:67:13:2C:AB:40:4F:2D:1E:A5:72:AE:74:02:E4
+
+            X509v3 Subject Key Identifier: 
+                7C:C8:86:05:72:0B:B5:5A:EE:0E:47:CF:02:DE:D8:A4:D4:B9:7B:FF
+            Authority Information Access: 
+                OCSP - URI:http://198.51.100.42/ocsp
+
+    Signature Algorithm: ecdsa-with-SHA256
+         30:45:02:21:00:88:bc:ba:4c:9f:70:98:95:90:db:bc:16:18:
+         11:80:87:d3:ee:75:1d:8b:5f:57:13:d3:63:b5:35:ab:38:70:
+         ad:02:20:09:62:76:1b:4c:1f:92:da:54:4b:7f:f9:a4:6f:6c:
+         85:b9:07:80:98:11:02:2b:fc:42:d9:57:4a:9b:c3:da:99
+-----BEGIN CERTIFICATE-----
+MIIB0zCCAXmgAwIBAgIMQTrP8CHGt06KUruPMAoGCCqGSM49BAMCMC4xEDAOBgNV
+BAMMB0xpbnQgQ0ExDTALBgNVBAoMBExpbnQxCzAJBgNVBAYTAkRFMB4XDTIzMDkw
+MTAwMDAwMFoXDTI0MDkwMTAwMDAwMFowMjEUMBIGA1UEAwwLQ2VydGlmaWNhdGUx
+DTALBgNVBAoMBExpbnQxCzAJBgNVBAYTAkRFMFkwEwYHKoZIzj0CAQYIKoZIzj0D
+AQcDQgAETkASVqnyuSRLkKGRvhE2FT7YWwOSG3MF91Lo2jYBrZ7iqqdE9hV33rii
+KKy0c8Y7L2F+TY+6ic+g+dzYyuqCmKN5MHcwHwYDVR0jBBgwFoAUqCV4biHEZxMs
+q0BPLR6lcq50AuQwHQYDVR0OBBYEFHzIhgVyC7Va7g5HzwLe2KTUuXv/MDUGCCsG
+AQUFBwEBBCkwJzAlBggrBgEFBQcwAYYZaHR0cDovLzE5OC41MS4xMDAuNDIvb2Nz
+cDAKBggqhkjOPQQDAgNIADBFAiEAiLy6TJ9wmJWQ27wWGBGAh9PudR2LX1cT02O1
+Nas4cK0CIAlidhtMH5LaVEt/+aRvbIW5B4CYEQIr/ELZV0qbw9qZ
+-----END CERTIFICATE-----