From c5bdfc594dd2c1779c6494cf8478d1e45da31dea Mon Sep 17 00:00:00 2001
From: christopher-henderson
Date: Sat, 30 Sep 2023 08:07:26 -0700
Subject: [PATCH 1/4] Lint for CABF SMIME 7.1.2.3b - cRLDistributionPoints SHALL be present
---
...ers_shall_have_crl_ddistribution_points.go | 53 +++++++++++++++++++
...hall_have_crl_ddistribution_points_test.go | 34 ++++++++++++
.../subscriber_no_crl_distribution_points.pem | 38 +++++++++++++
...ubscriber_with_crl_distribution_points.pem | 42 +++++++++++++++
4 files changed, 167 insertions(+)
create mode 100644 v3/lints/cabf_smime_br/lint_subscribers_shall_have_crl_ddistribution_points.go
create mode 100644 v3/lints/cabf_smime_br/lint_subscribers_shall_have_crl_ddistribution_points_test.go
create mode 100644 v3/testdata/smime/subscriber_no_crl_distribution_points.pem
create mode 100644 v3/testdata/smime/subscriber_with_crl_distribution_points.pem
diff --git a/v3/lints/cabf_smime_br/lint_subscribers_shall_have_crl_ddistribution_points.go b/v3/lints/cabf_smime_br/lint_subscribers_shall_have_crl_ddistribution_points.go
new file mode 100644
index 000000000..699935f0c
--- /dev/null
+++ b/v3/lints/cabf_smime_br/lint_subscribers_shall_have_crl_ddistribution_points.go
@@ -0,0 +1,53 @@
+/*
+ * ZLint Copyright 2023 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+package cabf_smime_br
+
+import (
+ "github.com/zmap/zcrypto/x509"
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/util"
+)
+
+func init() {
+ lint.RegisterLint(&lint.Lint{
+ Name: "e_subscribers_shall_have_crl_distribution_points",
+ Description: "cRLDistributionPoints SHALL be present.",
+ Citation: "7.1.2.3.b",
+ Source: lint.CABFSMIMEBaselineRequirements,
+ EffectiveDate: util.CABF_SMIME_BRs_1_0_0_Date,
+ Lint: NewSubscriberCrlDistributionPoints,
+ })
+}
+
+type SubscriberCrlDistributionPoints struct{}
+
+func NewSubscriberCrlDistributionPoints() lint.LintInterface {
+ return &SubscriberCrlDistributionPoints{}
+}
+
+func (l *SubscriberCrlDistributionPoints) CheckApplies(c *x509.Certificate) bool {
+ return util.IsSubscriberCert(c)
+}
+
+func (l *SubscriberCrlDistributionPoints) Execute(c *x509.Certificate) *lint.LintResult {
+ if len(c.CRLDistributionPoints) == 0 {
+ return &lint.LintResult{
+ Status: lint.Error,
+ Details: "SMIME certificate contains zero CRL distribution points",
+ }
+ } else {
+ return &lint.LintResult{Status: lint.Pass}
+ }
+}
diff --git a/v3/lints/cabf_smime_br/lint_subscribers_shall_have_crl_ddistribution_points_test.go b/v3/lints/cabf_smime_br/lint_subscribers_shall_have_crl_ddistribution_points_test.go
new file mode 100644
index 000000000..2b5562687
--- /dev/null
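Review bot: `CheckApplies` returns `util.IsSubscriberCert(c)` alone, so this Error-level lint fires on every non-CA certificate zlint is handed, including TLS leaf certificates that are entitled to omit cRLDistributionPoints; applicability should be narrowed to S/MIME certificates, e.g. `return util.IsSubscriberCert(c) && util.IsSMIMEBRCertificate(c)`, assuming the S/MIME-policy helper the sibling lints in this package use is available (the fixtures would then need an S/MIME policy OID so the Pass/Error cases do not become NA). Separately, `len(c.CRLDistributionPoints) == 0` inspects the parsed URI list rather than extension presence, so an extension that is present but carries only non-URI names would be reported with the misleading Details `"contains zero CRL distribution points"`, while a scheme-less URI such as the fixture's `atleastone.com` passes; if 7.1.2.3(b) also demands an HTTP URI, as I recall it does, a follow-up should check the scheme, and an OID-based presence check would separate "absent" from "present but unusable". Finally, the `else` after the terminating `return` in `Execute` is non-idiomatic Go; drop it and `return &lint.LintResult{Status: lint.Pass}` unconditionally after the `if`.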
+++ b/v3/lints/cabf_smime_br/lint_subscribers_shall_have_crl_ddistribution_points_test.go
@@ -0,0 +1,34 @@
+package cabf_smime_br
+
+import (
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/test"
+ "testing"
+)
+
+func TestSubscriberCrlDistributionPoints(t *testing.T) {
+ testCases := []struct {
+ Name string
+ InputFilename string
+ ExpectedResult lint.LintStatus
+ }{
+ {
+ Name: "pass - mailbox validated, legacy with commonName",
+ InputFilename: "smime/subscriber_with_crl_distribution_points.pem",
+ ExpectedResult: lint.Pass,
+ },
+ {
+ Name: "pass - mailbox validated, multipurpose with commonName",
+ InputFilename: "smime/subscriber_no_crl_distribution_points.pem",
+ ExpectedResult: lint.Error,
+ },
+ }
+ for _, tc := range testCases {
+ t.Run(tc.Name, func(t *testing.T) {
+ result := test.TestLint("e_subscribers_shall_have_crl_distribution_points", tc.InputFilename)
+ if result.Status != tc.ExpectedResult {
+ t.Errorf("expected result %v was %v - details: %v", tc.ExpectedResult, result.Status, result.Details)
+ }
+ })
+ }
+}
diff --git a/v3/testdata/smime/subscriber_no_crl_distribution_points.pem b/v3/testdata/smime/subscriber_no_crl_distribution_points.pem
new file mode 100644
index 000000000..164f0f33b
--- /dev/null
+++ b/v3/testdata/smime/subscriber_no_crl_distribution_points.pem
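Review bot: The test table exercises only the Pass and Error outcomes; nothing checks that `CheckApplies` excludes non-subscriber certificates, so a regression that made the lint fire on CA certificates would pass this test unnoticed. Add a third row with a CA-certificate fixture and `ExpectedResult: lint.NA`, and ideally a fourth whose cRLDistributionPoints extension is present but holds only a non-URI name, which would pin down whether the lint is meant to test extension presence or the parsed URI list. The shared testdata tree outside this patch may already contain a usable CA certificate, so the NA case should not need a new fixture.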
@@ -0,0 +1,38 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 3 (0x3)
+ Signature Algorithm: ecdsa-with-SHA256
+ Issuer:
+ Validity
+ Not Before: Sep 30 15:02:57 2023 GMT
+ Not After : Nov 30 00:00:00 9998 GMT
+ Subject:
+ Subject Public Key Info:
+ Public Key Algorithm: id-ecPublicKey
+ Public-Key: (256 bit)
+ pub:
+ 04:b0:ea:1e:f1:18:fe:47:2c:63:90:84:55:31:84:
+ a9:7d:05:a9:53:01:21:6f:cf:c4:b3:08:33:d2:4c:
+ 0a:e0:39:40:d2:c8:05:e0:7a:a2:cf:14:04:9e:75:
+ c9:8a:41:b1:ce:6f:ea:6e:f2:5f:f7:0c:58:39:d5:
+ b3:b6:83:fc:79
+ ASN1 OID: prime256v1
+ NIST CURVE: P-256
+ X509v3 extensions:
+ X509v3 Extended Key Usage:
+ E-mail Protection
+ Signature Algorithm: ecdsa-with-SHA256
+ Signature Value:
+ 30:45:02:21:00:9f:89:3b:b4:a6:ca:2f:d3:24:cf:5c:0f:d2:
+ b4:0c:a5:23:e2:77:ae:dc:4e:60:f9:fb:a5:d7:17:b6:eb:d7:
+ be:02:20:60:21:54:e0:ef:0c:eb:d7:7d:c0:f6:28:29:86:d2:
+ be:b1:3e:c7:a6:f5:23:84:37:18:68:af:cd:6d:fe:4d:b0
+-----BEGIN CERTIFICATE-----
+MIIBBzCBrqADAgECAgEDMAoGCCqGSM49BAMCMAAwIBcNMjMwOTMwMTUwMjU3WhgP
+OTk5ODExMzAwMDAwMDBaMAAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASw6h7x
+GP5HLGOQhFUxhKl9BalTASFvz8SzCDPSTArgOUDSyAXgeqLPFASedcmKQbHOb+pu
+8l/3DFg51bO2g/x5oxcwFTATBgNVHSUEDDAKBggrBgEFBQcDBDAKBggqhkjOPQQD
+AgNIADBFAiEAn4k7tKbKL9Mkz1wP0rQMpSPid67cTmD5+6XXF7br174CIGAhVODv
+DOvXfcD2KCmG0r6xPsem9SOENxhor81t/k2w
+-----END CERTIFICATE-----
diff --git a/v3/testdata/smime/subscriber_with_crl_distribution_points.pem b/v3/testdata/smime/subscriber_with_crl_distribution_points.pem
new file mode 100644
index 000000000..138da9ae7
--- /dev/null
+++ b/v3/testdata/smime/subscriber_with_crl_distribution_points.pem
@@ -0,0 +1,42 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 3 (0x3)
+ Signature Algorithm: ecdsa-with-SHA256
+ Issuer:
+ Validity
+ Not Before: Sep 30 15:03:33 2023 GMT
+ Not After : Nov 30 00:00:00 9998 GMT
+ Subject:
+ Subject Public Key Info:
+ Public Key Algorithm: id-ecPublicKey
+ Public-Key: (256 bit)
+ pub:
+ 04:77:fb:36:f7:93:14:be:12:85:91:d5:e5:ac:69:
+ d8:3e:53:62:67:69:31:da:d8:cb:b1:31:26:4a:c3:
+ 50:75:fa:8c:3b:a4:3c:28:f3:a9:b7:2f:6d:bb:92:
+ 9b:17:11:b0:f3:40:5f:07:d6:57:f6:ae:0a:42:1b:
+ a9:02:9e:d7:7c
+ ASN1 OID: prime256v1
+ NIST CURVE: P-256
+ X509v3 extensions:
+ X509v3 Extended Key Usage:
+ E-mail Protection
+ X509v3 CRL Distribution Points:
+ Full Name:
+ URI:atleastone.com
+ Signature Algorithm: ecdsa-with-SHA256
+ Signature Value:
+ 30:45:02:21:00:aa:1a:66:ac:5b:22:a9:e3:2d:b8:33:54:49:
+ fa:28:22:24:b1:11:49:44:46:6e:7d:55:13:fb:25:56:96:e1:
+ e1:02:20:60:b3:d6:eb:ff:34:2a:e7:0a:aa:0b:4b:4b:b3:32:
+ ba:96:7a:44:f5:f8:07:ff:86:86:89:ae:65:f0:6d:1b:00
+-----BEGIN CERTIFICATE-----
+MIIBKDCBz6ADAgECAgEDMAoGCCqGSM49BAMCMAAwIBcNMjMwOTMwMTUwMzMzWhgP
+OTk5ODExMzAwMDAwMDBaMAAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAR3+zb3
+kxS+EoWR1eWsadg+U2JnaTHa2MuxMSZKw1B1+ow7pDwo86m3L227kpsXEbDzQF8H
+1lf2rgpCG6kCntd8ozgwNjATBgNVHSUEDDAKBggrBgEFBQcDBDAfBgNVHR8EGDAW
+MBSgEqAQhg5hdGxlYXN0b25lLmNvbTAKBggqhkjOPQQDAgNIADBFAiEAqhpmrFsi
+qeMtuDNUSfooIiSxEUlERm59VRP7JVaW4eECIGCz1uv/NCrnCqoLS0uzMrqWekT1
++Af/hoaJrmXwbRsA
+-----END CERTIFICATE-----
From 7fa089a5c5cbc421c49f55a20b546e8f43a88a33 Mon Sep 17 00:00:00 2001
From: christopher-henderson
Date: Sat, 30 Sep 2023 08:11:21 -0700
Subject: [PATCH 2/4] adressing linter
---
...int_subscribers_shall_have_crl_ddistribution_points_test.go | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/v3/lints/cabf_smime_br/lint_subscribers_shall_have_crl_ddistribution_points_test.go b/v3/lints/cabf_smime_br/lint_subscribers_shall_have_crl_ddistribution_points_test.go
index 2b5562687..ee0afd6a5 100644
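Review bot: The only distributionPoint in this Pass fixture is `URI:atleastone.com`, a bare host with no scheme rather than an `http://` URL, so the fixture demonstrates that the extension is present but nothing about whether a relying party could fetch a CRL from it; if, as I recall, 7.1.2.3(b) requires an HTTP URI, this "pass" case would turn into a false failure the moment the lint is tightened to check the scheme. Regenerate it with a scheme-bearing URI such as `http://crl.example.com/smime.crl` so the positive case stays valid under the stricter reading. The fixture also carries no certificatePolicies extension, which will matter if applicability is later keyed on an S/MIME policy OID.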
--- a/v3/lints/cabf_smime_br/lint_subscribers_shall_have_crl_ddistribution_points_test.go
+++ b/v3/lints/cabf_smime_br/lint_subscribers_shall_have_crl_ddistribution_points_test.go
@@ -1,9 +1,10 @@
package cabf_smime_br
import (
+ "testing" + + "github.com/zmap/zlint/v3/lint" + "github.com/zmap/zlint/v3/test" - "testing"
)
func TestSubscriberCrlDistributionPoints(t *testing.T) {
From cc0d58d43f09c759f41683479ca9ce2a93ba03bf Mon Sep 17 00:00:00 2001
From: christopher-henderson
Date: Sat, 30 Sep 2023 09:01:36 -0700
Subject: [PATCH 3/4] correcting copying error
---
...nt_subscribers_shall_have_crl_ddistribution_points_test.go | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/v3/lints/cabf_smime_br/lint_subscribers_shall_have_crl_ddistribution_points_test.go b/v3/lints/cabf_smime_br/lint_subscribers_shall_have_crl_ddistribution_points_test.go
index ee0afd6a5..4b2bccba3 100644
--- a/v3/lints/cabf_smime_br/lint_subscribers_shall_have_crl_ddistribution_points_test.go
+++ b/v3/lints/cabf_smime_br/lint_subscribers_shall_have_crl_ddistribution_points_test.go
@@ -14,12 +14,12 @@ func TestSubscriberCrlDistributionPoints(t *testing.T) {
ExpectedResult lint.LintStatus
}{
{
- Name: "pass - mailbox validated, legacy with commonName",
+ Name: "pass - cert with a CRL distribution point",
InputFilename: "smime/subscriber_with_crl_distribution_points.pem",
ExpectedResult: lint.Pass,
},
{
- Name: "pass - mailbox validated, multipurpose with commonName",
+ Name: "error - cert without a CRL distribution point",
InputFilename: "smime/subscriber_no_crl_distribution_points.pem",
ExpectedResult: lint.Error,
},
From 18a35d960fcd5c611c2bbfe4ba8a32fc33a5fcd3 Mon Sep 17 00:00:00 2001
From: christopher-henderson
Date: Sun, 8 Oct 2023 08:18:12 -0700
Subject: [PATCH 4/4] fixing typo in filename
---
....go => lint_subscribers_shall_have_crl_distribution_points.go} | 0
...> lint_subscribers_shall_have_crl_distribution_points_test.go} | 0
2 files changed, 0 insertions(+), 0 deletions(-)
rename v3/lints/cabf_smime_br/{lint_subscribers_shall_have_crl_ddistribution_points.go => lint_subscribers_shall_have_crl_distribution_points.go} (100%)
rename v3/lints/cabf_smime_br/{lint_subscribers_shall_have_crl_ddistribution_points_test.go => lint_subscribers_shall_have_crl_distribution_points_test.go} (100%)
diff --git a/v3/lints/cabf_smime_br/lint_subscribers_shall_have_crl_ddistribution_points.go b/v3/lints/cabf_smime_br/lint_subscribers_shall_have_crl_distribution_points.go
similarity index 100%
rename from v3/lints/cabf_smime_br/lint_subscribers_shall_have_crl_ddistribution_points.go
rename to v3/lints/cabf_smime_br/lint_subscribers_shall_have_crl_distribution_points.go
diff --git a/v3/lints/cabf_smime_br/lint_subscribers_shall_have_crl_ddistribution_points_test.go b/v3/lints/cabf_smime_br/lint_subscribers_shall_have_crl_distribution_points_test.go
similarity index 100%
rename from v3/lints/cabf_smime_br/lint_subscribers_shall_have_crl_ddistribution_points_test.go
rename to v3/lints/cabf_smime_br/lint_subscribers_shall_have_crl_distribution_points_test.go