Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Inclusion of approximately 190000 email protection certificates into the test corpus #738

Merged
merged 1 commit into from
Aug 20, 2023
Merged

Inclusion of approximately 190000 email protection certificates into the test corpus #738

merged 1 commit into from
Aug 20, 2023

Conversation

christopher-henderson
Copy link
Member

The ZLint project has begun writing lints for email protection certificates (#713) so it would appropriate to have a wide corpus for testing.

These certs were pulled from Censys using the following query.

SELECT fingerprint_sha256, raw FROM `censys-io.certificates_v2.certificates` 
WHERE (parsed.extensions.extended_key_usage.any = true 
or parsed.extensions.extended_key_usage.email_protection = true
or parsed.extensions.extended_key_usage is null)
and validation.nss.ever_valid = true

Aside from reformatting and sanitization, I have also gone through the task of deduplicating these certificates against the corpus because (as it turns out) there are about 1500 certs that are both email protection certs and server auth certs.

@zakird zakird merged commit 59d4dd3 into master Aug 20, 2023
8 checks passed
@zakird zakird deleted the email_certs_test_corpus branch August 20, 2023 16:11
@cardonator
Copy link
Contributor

cardonator commented Aug 20, 2023
edited
Loading

No concerns with this having been merged. I am curious if the corpus that was pulled from Censys is compatible with the SMIME BRs that go into effect on Sept 1. Is there a good way to determine that?

@christopher-henderson
Copy link
Member Author

@cardonator does this address the compatibility concerns you are referring to?

This query was constructed based off the boolean logic that was agreed upon in util.IsEmailProtectionCert

func IsEmailProtectionCert(cert *x509.Certificate) bool {
	if len(cert.ExtKeyUsage) == 0 {
		return true
	}
	for _, eku := range cert.ExtKeyUsage {
		if eku == x509.ExtKeyUsageAny || eku == x509.ExtKeyUsageEmailProtection {
			return true
		}
	}
	return false
}

That is..

  • No EKUs present at all, or...
  • The presence of EKU Any ({2, 5, 29, 37, 0}), or...
  • The presence of EKU Email Protection ({1, 3, 6, 1, 5, 5, 7, 3, 4})

@cardonator
Copy link
Contributor

cardonator commented Aug 22, 2023
edited
Loading

@christopher-henderson logically I think what you have done is sound. The concern I have is that a significant corpus of these additions probably would not be compliant once zlint has a full set of SMIME checks. Perhaps that is what we would expect, but newly generated SMIME certs posted to CT post-Sept 1 will need to conform to the BR profiles where they don't currently need to.

@christopher-henderson christopher-henderson mentioned this pull request Feb 19, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@zakird zakird zakird approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@christopher-henderson @cardonator @zakird