zmap · christopher-henderson · Oct 17, 2021 · Oct 16, 2021 · Oct 16, 2021 · Oct 16, 2021
diff --git a/v3/integration/config.json b/v3/integration/config.json
@@ -636,6 +636,9 @@
     "e_wrong_time_format_pre2050": {
       "ErrCount": 19
     },
+    "e_ev_not_wildcard": {
+      "ErrCount": 1
+    },
     "n_ca_digital_signature_not_set": {
       "NoticeCount": 724
     },

diff --git a/v3/lints/cabf_ev/lint_ev_not_wildcard.go b/v3/lints/cabf_ev/lint_ev_not_wildcard.go
@@ -0,0 +1,58 @@
+/*
+ * ZLint Copyright 2021 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+package cabf_ev
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/zmap/zcrypto/x509"
+	"github.com/zmap/zlint/v3/lint"
+	"github.com/zmap/zlint/v3/util"
+)
+
+func init() {
+	lint.RegisterLint(&lint.Lint{
+		Name:          "e_ev_not_wildcard",
+		Description:   "Wildcard certificates are not allowed for EV Certificates except for those with .onion as the TLD.",
+		Citation:      "CABF EV Guidelines 1.7.8 Section 9.8.1",
+		Source:        lint.CABFEVGuidelines,
+		EffectiveDate: util.OnionOnlyEVDate,
+		Lint:          NewEvNotWildCard,
+	})
+}
+
+type EvNotWildCard struct{}
+
+func NewEvNotWildCard() lint.LintInterface {
+	return &EvNotWildCard{}
+}
+
+func (l *EvNotWildCard) CheckApplies(c *x509.Certificate) bool {
+	return util.IsEV(c.PolicyIdentifiers)
+}
+
+func (l *EvNotWildCard) Execute(c *x509.Certificate) *lint.LintResult {
+	names := append(c.GetParsedDNSNames(false), c.GetParsedSubjectCommonName(false))
+	for _, name := range names {
+		if name.ParseError != nil {
+			continue
+		}
+		if strings.Contains(name.DomainString, "*") && !strings.HasSuffix(name.DomainString, util.OnionTLD) {
+			return &lint.LintResult{Status: lint.Error, Details: fmt.Sprintf("'%s' appears to be a wildcard domain", name.DomainString)}
+		}
+	}
+	return &lint.LintResult{Status: lint.Pass}
+}
diff --git a/v3/lints/cabf_ev/lint_ev_not_wildcard_test.go b/v3/lints/cabf_ev/lint_ev_not_wildcard_test.go
@@ -0,0 +1,39 @@
+/*
+ * ZLint Copyright 2021 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+package cabf_ev
+
+import (
+	"testing"
+
+	"github.com/zmap/zlint/v3/lint"
+	"github.com/zmap/zlint/v3/test"
+)
+
+func TestSmoke(t *testing.T) {
+	var tests = map[string]lint.LintStatus{
+		"evWildcard.pem":                lint.Error,
+		"evSubscriberNotWildCard.pem":   lint.Pass,
+		"evSubscriberWildcardOnion.pem": lint.Pass,
+	}
+	for file, want := range tests {
+		t.Run(file, func(t *testing.T) {
+			t.Parallel()
+			got := test.TestLint("e_ev_not_wildcard", file).Status
+			if got != want {
+				t.Errorf("want %s, got %s", want, got)
+			}
+		})
+	}
+}
diff --git a/v3/testdata/evSubscriberNotWildCard.pem b/v3/testdata/evSubscriberNotWildCard.pem
@@ -0,0 +1,39 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 3 (0x3)
+        Signature Algorithm: ecdsa-with-SHA256
+        Issuer:
+        Validity
+            Not Before: Oct 16 19:59:29 2021 GMT
+            Not After : Nov 30 00:00:00 9998 GMT
+        Subject: CN = not.a.wildcard
+        Subject Public Key Info:
+            Public Key Algorithm: id-ecPublicKey
+                Public-Key: (256 bit)
+                pub:
+                    04:6a:cb:59:95:26:97:c2:2b:dd:d1:41:f0:f0:7c:
+                    d5:b2:1d:35:87:76:e6:c2:43:cd:11:e0:e8:78:b4:
+                    7f:3d:45:32:81:78:5f:bd:5d:f5:f2:0b:ed:fb:41:
+                    e8:af:ce:8f:b7:65:06:e0:08:ac:98:1c:16:f7:90:
+                    14:79:f3:48:59
+                ASN1 OID: prime256v1
+                NIST CURVE: P-256
+        X509v3 extensions:
+            X509v3 Certificate Policies:
+                Policy: 2.16.840.1.114413.1.7.23.3
+
+    Signature Algorithm: ecdsa-with-SHA256
+         30:46:02:21:00:f3:1c:29:5e:77:e8:34:2e:08:2b:a9:16:15:
+         3c:e3:bb:68:13:4d:67:49:3b:44:8d:14:fa:ad:de:c3:7f:81:
+         0f:02:21:00:ff:b1:8b:39:e7:83:a7:76:ed:0f:93:43:6d:06:
+         cf:fc:91:92:9f:b2:8c:eb:70:33:f2:6c:16:b1:51:94:68:53
+-----BEGIN CERTIFICATE-----
+MIIBJjCBzKADAgECAgEDMAoGCCqGSM49BAMCMAAwIBcNMjExMDE2MTk1OTI5WhgP
+OTk5ODExMzAwMDAwMDBaMBkxFzAVBgNVBAMTDm5vdC5hLndpbGRjYXJkMFkwEwYH
+KoZIzj0CAQYIKoZIzj0DAQcDQgAEastZlSaXwivd0UHw8HzVsh01h3bmwkPNEeDo
+eLR/PUUygXhfvV318gvt+0Hor86Pt2UG4AismBwW95AUefNIWaMcMBowGAYDVR0g
+BBEwDzANBgtghkgBhv1tAQcXAzAKBggqhkjOPQQDAgNJADBGAiEA8xwpXnfoNC4I
+K6kWFTzju2gTTWdJO0SNFPqt3sN/gQ8CIQD/sYs554Ondu0Pk0NtBs/8kZKfsozr
+cDPybBaxUZRoUw==
+-----END CERTIFICATE-----
diff --git a/v3/testdata/evSubscriberWildcardOnion.pem b/v3/testdata/evSubscriberWildcardOnion.pem
@@ -0,0 +1,39 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 3 (0x3)
+        Signature Algorithm: ecdsa-with-SHA256
+        Issuer:
+        Validity
+            Not Before: Oct 16 20:00:12 2021 GMT
+            Not After : Nov 30 00:00:00 9998 GMT
+        Subject: CN = a.wildcard.but.with.onion
+        Subject Public Key Info:
+            Public Key Algorithm: id-ecPublicKey
+                Public-Key: (256 bit)
+                pub:
+                    04:ce:05:6b:c9:18:a9:42:22:ee:91:e7:49:05:01:
+                    89:96:6e:49:c8:79:05:4a:6e:67:9e:98:e7:2f:6c:
+                    ba:73:cf:f4:1b:60:9a:2b:c7:93:a7:6d:6a:10:51:
+                    23:b3:b1:ce:49:a5:12:04:fe:f6:06:f6:3e:d3:46:
+                    c3:9a:b1:b3:b0
+                ASN1 OID: prime256v1
+                NIST CURVE: P-256
+        X509v3 extensions:
+            X509v3 Certificate Policies:
+                Policy: 2.16.840.1.114413.1.7.23.3
+
+    Signature Algorithm: ecdsa-with-SHA256
+         30:45:02:20:00:ce:97:c9:9b:50:f9:a8:bc:ac:04:dc:a6:1b:
+         cb:f3:64:70:a9:0e:0a:e8:6e:72:57:6a:2b:e2:e4:56:f3:69:
+         02:21:00:ff:e3:d2:4b:07:58:58:7a:45:79:f6:06:a8:70:6f:
+         0d:7c:62:92:94:8a:7a:ca:c7:76:62:fc:7a:7f:b9:b0:84
+-----BEGIN CERTIFICATE-----
+MIIBMDCB16ADAgECAgEDMAoGCCqGSM49BAMCMAAwIBcNMjExMDE2MjAwMDEyWhgP
+OTk5ODExMzAwMDAwMDBaMCQxIjAgBgNVBAMTGWEud2lsZGNhcmQuYnV0LndpdGgu
+b25pb24wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATOBWvJGKlCIu6R50kFAYmW
+bknIeQVKbmeemOcvbLpzz/QbYJorx5OnbWoQUSOzsc5JpRIE/vYG9j7TRsOasbOw
+oxwwGjAYBgNVHSAEETAPMA0GC2CGSAGG/W0BBxcDMAoGCCqGSM49BAMCA0gAMEUC
+IADOl8mbUPmovKwE3KYby/NkcKkOCuhucldqK+LkVvNpAiEA/+PSSwdYWHpFefYG
+qHBvDXxikpSKesrHdmL8en+5sIQ=
+-----END CERTIFICATE-----
diff --git a/v3/testdata/evWildcard.pem b/v3/testdata/evWildcard.pem
@@ -0,0 +1,113 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 4960815646032428674 (0x44d85b8be9f67e82)
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certs.godaddy.com/repository/, CN = Go Daddy Secure Certificate Authority - G2
+        Validity
+            Not Before: Sep 17 01:07:16 2021 GMT
+            Not After : Oct 19 01:07:16 2022 GMT
+        Subject: jurisdictionC = US, jurisdictionST = Arizona, businessCategory = Private Organization, serialNumber = F20244620, C = US, ST = Arizona, L = Tempe, O = GoDaddy Inc., CN = *.backup.velia.net
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                RSA Public-Key: (2048 bit)
+                Modulus:
+                    00:ae:75:fe:d2:8d:3e:41:b5:ec:17:ac:8e:73:c6:
+                    86:e4:85:5d:49:99:23:70:aa:4f:b0:e7:ad:c7:51:
+                    ba:c4:b1:f7:cf:bf:30:2a:00:89:fb:86:1c:47:61:
+                    67:69:83:41:f7:5d:85:4b:b6:e0:5d:eb:b0:b8:98:
+                    bc:13:24:02:32:a4:d9:db:9b:30:b7:d2:86:5a:ac:
+                    a2:de:af:77:87:0a:2b:1d:f5:cc:00:7d:04:c1:45:
+                    ec:19:cd:0a:f5:d7:75:ee:92:9b:a5:fa:e3:74:64:
+                    1e:9f:87:60:ec:55:61:83:9e:73:d4:11:1a:bd:85:
+                    27:5d:fe:a2:5d:a1:cd:c8:b0:ea:76:16:fc:fc:c0:
+                    0d:46:1a:6d:ad:00:37:30:c3:52:69:fd:68:3e:51:
+                    22:8e:b8:53:8e:e4:21:6b:49:06:5e:e3:81:7e:c4:
+                    ab:c0:58:f5:16:bb:aa:74:68:d0:cc:3b:56:12:34:
+                    dc:47:0c:43:76:7b:06:a2:b5:eb:ec:a4:de:e9:38:
+                    2d:8e:43:0b:15:30:db:eb:57:0c:52:26:40:63:23:
+                    08:8e:fd:88:9e:61:56:17:99:2b:1f:12:c4:95:63:
+                    14:18:e5:33:78:6c:c1:49:d3:53:15:89:aa:61:10:
+                    4f:01:f2:fa:15:fb:1b:2e:7e:a7:6c:f3:d0:70:25:
+                    b4:bb
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: critical
+                CA:FALSE
+            X509v3 Extended Key Usage:
+                TLS Web Server Authentication, TLS Web Client Authentication
+            X509v3 Key Usage: critical
+                Digital Signature, Key Encipherment
+            X509v3 CRL Distribution Points:
+
+                Full Name:
+                  URI:http://crl.godaddy.com/gdig2s3-18.crl
+
+            X509v3 Certificate Policies:
+                Policy: 2.16.840.1.114413.1.7.23.3
+                  CPS: http://certificates.godaddy.com/repository/
+                Policy: 2.23.140.1.1
+
+            Authority Information Access:
+                OCSP - URI:http://ocsp.godaddy.com/
+                CA Issuers - URI:http://certificates.godaddy.com/repository/gdig2.crt
+
+            X509v3 Authority Key Identifier:
+                keyid:40:C2:BD:27:8E:CC:34:83:30:A2:33:D7:FB:6C:B3:F0:B4:2C:80:CE
+
+            X509v3 Subject Alternative Name:
+                DNS:*.backup.velia.net, DNS:backup.velia.net
+            X509v3 Subject Key Identifier:
+                2D:3A:0E:93:44:E6:A1:D1:07:E6:F0:32:9F:CC:91:24:1C:E5:03:37
+            CT Precertificate Poison: critical
+                NULL
+    Signature Algorithm: sha256WithRSAEncryption
+         83:07:02:2d:2f:7c:fa:95:a0:04:3c:bb:57:e1:d7:08:68:a7:
+         aa:6c:30:ba:6f:5c:97:57:85:c9:21:68:b5:09:b5:92:12:b3:
+         77:92:df:58:61:32:58:d0:29:ca:0f:7e:5d:eb:b6:3e:5b:8b:
+         28:68:67:0b:3c:54:56:2b:73:f0:d6:c9:2e:32:0b:8a:26:8c:
+         9c:8a:a7:9d:1c:43:f4:00:7f:b2:db:f9:ed:d0:de:2b:ec:0d:
+         ee:08:94:56:1f:60:a5:3c:ba:5b:79:aa:41:42:6a:b1:60:53:
+         62:be:0c:b5:0a:90:99:42:6f:04:60:97:51:cb:d1:f3:28:0e:
+         cf:00:6c:fc:a1:b9:07:33:1a:ae:a2:d1:d9:5b:a8:26:17:03:
+         3d:19:99:66:dc:39:44:05:1d:f9:e4:f8:51:93:49:30:3f:3a:
+         7f:d4:a6:b4:1c:a4:59:8f:a8:87:08:25:43:b8:22:ce:31:f8:
+         dd:b5:ce:fc:ff:91:2e:4d:f3:49:9e:63:89:3d:3a:8d:3f:f1:
+         f8:8d:73:05:73:a0:75:2c:44:d3:49:a8:9e:f1:52:7f:36:66:
+         a2:57:7e:a2:98:88:8c:e5:eb:d8:3f:54:97:99:b3:d6:57:50:
+         64:c1:e3:2c:3a:5b:db:fd:5f:a5:7f:72:38:64:56:35:95:3a:
+         73:d6:4f:ac
+-----BEGIN CERTIFICATE-----
+MIIF1DCCBLygAwIBAgIIRNhbi+n2foIwDQYJKoZIhvcNAQELBQAwgbQxCzAJBgNV
+BAYTAlVTMRAwDgYDVQQIEwdBcml6b25hMRMwEQYDVQQHEwpTY290dHNkYWxlMRow
+GAYDVQQKExFHb0RhZGR5LmNvbSwgSW5jLjEtMCsGA1UECxMkaHR0cDovL2NlcnRz
+LmdvZGFkZHkuY29tL3JlcG9zaXRvcnkvMTMwMQYDVQQDEypHbyBEYWRkeSBTZWN1
+cmUgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IC0gRzIwHhcNMjEwOTE3MDEwNzE2WhcN
+MjIxMDE5MDEwNzE2WjCBxTETMBEGCysGAQQBgjc8AgEDEwJVUzEYMBYGCysGAQQB
+gjc8AgECEwdBcml6b25hMR0wGwYDVQQPExRQcml2YXRlIE9yZ2FuaXphdGlvbjES
+MBAGA1UEBRMJRjIwMjQ0NjIwMQswCQYDVQQGEwJVUzEQMA4GA1UECBMHQXJpem9u
+YTEOMAwGA1UEBxMFVGVtcGUxFTATBgNVBAoTDEdvRGFkZHkgSW5jLjEbMBkGA1UE
+AwwSKi5iYWNrdXAudmVsaWEubmV0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
+CgKCAQEArnX+0o0+QbXsF6yOc8aG5IVdSZkjcKpPsOetx1G6xLH3z78wKgCJ+4Yc
+R2FnaYNB912FS7bgXeuwuJi8EyQCMqTZ25swt9KGWqyi3q93hworHfXMAH0EwUXs
+Gc0K9dd17pKbpfrjdGQen4dg7FVhg55z1BEavYUnXf6iXaHNyLDqdhb8/MANRhpt
+rQA3MMNSaf1oPlEijrhTjuQha0kGXuOBfsSrwFj1FruqdGjQzDtWEjTcRwxDdnsG
+orXr7KTe6TgtjkMLFTDb61cMUiZAYyMIjv2InmFWF5krHxLElWMUGOUzeGzBSdNT
+FYmqYRBPAfL6FfsbLn6nbPPQcCW0uwIDAQABo4IB1TCCAdEwDAYDVR0TAQH/BAIw
+ADAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDgYDVR0PAQH/BAQDAgWg
+MDYGA1UdHwQvMC0wK6ApoCeGJWh0dHA6Ly9jcmwuZ29kYWRkeS5jb20vZ2RpZzJz
+My0xOC5jcmwwXAYDVR0gBFUwUzBIBgtghkgBhv1tAQcXAzA5MDcGCCsGAQUFBwIB
+FitodHRwOi8vY2VydGlmaWNhdGVzLmdvZGFkZHkuY29tL3JlcG9zaXRvcnkvMAcG
+BWeBDAEBMHYGCCsGAQUFBwEBBGowaDAkBggrBgEFBQcwAYYYaHR0cDovL29jc3Au
+Z29kYWRkeS5jb20vMEAGCCsGAQUFBzAChjRodHRwOi8vY2VydGlmaWNhdGVzLmdv
+ZGFkZHkuY29tL3JlcG9zaXRvcnkvZ2RpZzIuY3J0MB8GA1UdIwQYMBaAFEDCvSeO
+zDSDMKIz1/tss/C0LIDOMC8GA1UdEQQoMCaCEiouYmFja3VwLnZlbGlhLm5ldIIQ
+YmFja3VwLnZlbGlhLm5ldDAdBgNVHQ4EFgQULToOk0TmodEH5vAyn8yRJBzlAzcw
+EwYKKwYBBAHWeQIEAwEB/wQCBQAwDQYJKoZIhvcNAQELBQADggEBAIMHAi0vfPqV
+oAQ8u1fh1whop6psMLpvXJdXhckhaLUJtZISs3eS31hhMljQKcoPfl3rtj5biyho
+Zws8VFYrc/DWyS4yC4omjJyKp50cQ/QAf7Lb+e3Q3ivsDe4IlFYfYKU8ult5qkFC
+arFgU2K+DLUKkJlCbwRgl1HL0fMoDs8AbPyhuQczGq6i0dlbqCYXAz0ZmWbcOUQF
+Hfnk+FGTSTA/On/UprQcpFmPqIcIJUO4Is4x+N21zvz/kS5N80meY4k9Oo0/8fiN
+cwVzoHUsRNNJqJ7xUn82ZqJXfqKYiIzl69g/VJeZs9ZXUGTB4yw6W9v9X6V/cjhk
+VjWVOnPWT6w=
+-----END CERTIFICATE-----