-
Notifications
You must be signed in to change notification settings - Fork 107
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix .onion tests to only apply to EV certificates #449
Conversation
Before this change, ZLint would reject .onion names in non-EV certs via the `lint_san_dns_name_onion_not_ev_cert` lint, and if that was suppressed, then complain about the missing Tor Service Descriptor extension. As of CA/Browser Forum Ballot SC27, it's allowed for v3 onion names to appear in DV/OV/IV certificates, and the Tor Service Descriptor extension is neither required nor prohibited for these. This change corrects the Tor Service Descriptor tests to properly account for it being mandatory for EV, while optional for DV/OV/IV. This does not introduce new lints to ensure that the address is itself a well-formed V2 (if EV) or V3 (all types) address, which will come in a follow-up change. Closes zmap#440
Updated comment to reflect #440 still needs the new lint. I figured that would be more appropriate as a separate PR, but happy to fold it in here based on reviewer load. I thought this was already a big enough change to warrant separating as its own PR. |
@@ -57,6 +57,7 @@ var ( | |||
MozillaPolicy22Date = time.Date(2013, time.July, 26, 0, 0, 0, 0, time.UTC) | |||
MozillaPolicy24Date = time.Date(2017, time.February, 28, 0, 0, 0, 0, time.UTC) | |||
MozillaPolicy27Date = time.Date(2020, time.January, 1, 0, 0, 0, 0, time.UTC) | |||
CABFBRs_1_6_9_Date = time.Date(2020, time.March, 27, 0, 0, 0, 0, time.UTC) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
One thing I debated: What to name this. The naming here for CAB related things is a bit weird. Up until CABV201Date, it seems like the naming for CABV actually tied to the version of the document (in which case, this should be CABV169Date
Except 201 was a ballot number, not a version number, since the EV Guidelines and the BRs are separately versioned.
I opted here to be explicit about document-and-version, in line with the ETSI date, but I could also see an argument for a descriptive date, like OnionV3Date
, so that folks don't have to constantly figure out what changed in BRs 1.6.9 vs 1.7.0.
Alternatively, naming the Ballots, e.g. as CABFSC27
, at least makes it easier to quickly look up what the diff was (and across documents).
Naming is hard, but I wanted to draw attention to this to see where folks felt.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Except 201 was a ballot number, not a version number, since the EV Guidelines and the BRs are separately versioned.
I think this one was my fault 😓 In retrospect I agree it seems better to match to the document version number instead of referencing a ballot here.
I opted here to be explicit about document-and-version,
That feels right for this case to me too 👍
// TorServiceDescriptorHash, so check if any of the onion subjects in the | ||
// certificate don't have a TorServiceDescriptorHash for the eTLD+1 in the | ||
// descriptorMap. | ||
// See also https://github.com/cabforum/documents/issues/190 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We don't really have any normative guidance on what to do if this extension appears in a non-EV cert. My interpretation is that despite it being unnecessary for V3 certs, because it's optional, it should be legal to include this for some but not all v3 onion names.
Similarly, if/when we fix it for EV, I imagine that it'll be required for V2 names, but optional for V3 names. While prohibited-for-v3 makes the linting slightly easier, I suspect it makes CAs' lives harder, so I doubt that'll happen in the EVGs.
@@ -16,7 +16,7 @@ func TestTorDescHashInvalid(t *testing.T) { | |||
}{ | |||
{ | |||
Name: "Onion subject, no service descriptor extension, before util.CABV201Date", | |||
InputFilename: "dnsNameOnionTLD.pem", | |||
InputFilename: "onionSANEVBefore201.pem", | |||
ExpectedResult: lint.NE, | |||
}, | |||
{ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Note: onionSANMissingServDescHash.pem
is updated to be an EV certificate, which does mean that coverage for the optionality (for DV) certs is missed. I was torn on whether to add a DV cert (or, more aptly, restore the existing cert as a DV test and add a new cert as an EV test). I wasn't sure to what degree we wanted to cover this with testing.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm comfortable with the coverage you have in branch. Thanks for calling this out 👍
@@ -16,7 +16,7 @@ func TestTorDescHashInvalid(t *testing.T) { | |||
}{ | |||
{ | |||
Name: "Onion subject, no service descriptor extension, before util.CABV201Date", | |||
InputFilename: "dnsNameOnionTLD.pem", | |||
InputFilename: "onionSANEVBefore201.pem", | |||
ExpectedResult: lint.NE, | |||
}, | |||
{ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm comfortable with the coverage you have in branch. Thanks for calling this out 👍
@@ -57,6 +57,7 @@ var ( | |||
MozillaPolicy22Date = time.Date(2013, time.July, 26, 0, 0, 0, 0, time.UTC) | |||
MozillaPolicy24Date = time.Date(2017, time.February, 28, 0, 0, 0, 0, time.UTC) | |||
MozillaPolicy27Date = time.Date(2020, time.January, 1, 0, 0, 0, 0, time.UTC) | |||
CABFBRs_1_6_9_Date = time.Date(2020, time.March, 27, 0, 0, 0, 0, time.UTC) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Except 201 was a ballot number, not a version number, since the EV Guidelines and the BRs are separately versioned.
I think this one was my fault 😓 In retrospect I agree it seems better to match to the document version number instead of referencing a ballot here.
I opted here to be explicit about document-and-version,
That feels right for this case to me too 👍
Before this change, ZLint would reject .onion names in non-EV certs
via the
lint_san_dns_name_onion_not_ev_cert
lint, and if thatwas suppressed, then complain about the missing Tor Service
Descriptor extension. As of CA/Browser Forum Ballot SC27, it's
allowed for v3 onion names to appear in DV/OV/IV certificates, and
the Tor Service Descriptor extension is neither required nor
prohibited for these.
This change corrects the Tor Service Descriptor tests to properly
account for it being mandatory for EV, while optional for DV/OV/IV.
This does not introduce new lints to ensure that the address is
itself a well-formed V2 (if EV) or V3 (all types) address, which
will come in a follow-up change.