-
Notifications
You must be signed in to change notification settings - Fork 109
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Lints for CABF SMIME BRs 7.1.2.3.f - EKUs #747
Changes from all commits
b273865
5d64dff
ad6e46e
c84db13
9519487
6cba7d8
1018dcd
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,80 @@ | ||
package cabf_smime_br | ||
|
||
/* | ||
* ZLint Copyright 2023 Regents of the University of Michigan | ||
* | ||
* Licensed under the Apache License, Version 2.0 (the "License"); you may not | ||
* use this file except in compliance with the License. You may obtain a copy | ||
* of the License at http://www.apache.org/licenses/LICENSE-2.0 | ||
* | ||
* Unless required by applicable law or agreed to in writing, software | ||
* distributed under the License is distributed on an "AS IS" BASIS, | ||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or | ||
* implied. See the License for the specific language governing | ||
* permissions and limitations under the License. | ||
*/ | ||
|
||
import ( | ||
"github.com/zmap/zcrypto/x509" | ||
"github.com/zmap/zlint/v3/lint" | ||
"github.com/zmap/zlint/v3/util" | ||
) | ||
|
||
// shallHaveCrlDistributionPoints - linter to enforce requirement that SMIME certificates SHALL contain emailProtecton EKU | ||
type legacyMultipurposeEKUCheck struct { | ||
} | ||
|
||
func init() { | ||
lint.RegisterCertificateLint(&lint.CertificateLint{ | ||
LintMetadata: lint.LintMetadata{ | ||
Name: "e_smime_legacy_multipurpose_eku_check", | ||
Description: "Strict/Multipurpose and Legacy: id-kp-emailProtection SHALL be present. Other values MAY be present. The values id-kp-serverAuth, id-kp-codeSigning, id-kp-timeStamping, and anyExtendedKeyUsage values SHALL NOT be present.", | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. In general, it's preferred if there is only one That's not a blocker for this particular lint, I think, but just a consideration for others. |
||
Citation: "SMIME BRs: 7.1.2.3.f", | ||
Source: lint.CABFSMIMEBaselineRequirements, | ||
EffectiveDate: util.CABF_SMIME_BRs_1_0_0_Date, | ||
}, | ||
Lint: NewLegacyMultipurposeEKUCheck, | ||
}) | ||
} | ||
|
||
// NewShallHaveCrlDistributionPoints creates a new linter to enforce MAY/SHALL NOT field requirements for mailbox validated SMIME certs | ||
func NewLegacyMultipurposeEKUCheck() lint.CertificateLintInterface { | ||
return &legacyMultipurposeEKUCheck{} | ||
} | ||
|
||
// CheckApplies returns true if the provided certificate contains one-or-more of the following SMIME BR policy identifiers: | ||
// - Mailbox Validated Legacy | ||
// - Mailbox Validated Multipurpose | ||
// - Organization Validated Legacy | ||
// - Organization Validated Multipurpose | ||
// - Sponsor Validated Legacy | ||
// - Sponsor Validated Multipurpose | ||
// - Individual Validated Legacy | ||
// - Individual Validated Multipurpose | ||
func (l *legacyMultipurposeEKUCheck) CheckApplies(c *x509.Certificate) bool { | ||
return (util.IsLegacySMIMECertificate(c) || util.IsMultipurposeSMIMECertificate(c)) && util.IsSubscriberCert(c) | ||
} | ||
|
||
// Execute applies the requirements on what fields are allowed for mailbox validated SMIME certificates | ||
func (l *legacyMultipurposeEKUCheck) Execute(c *x509.Certificate) *lint.LintResult { | ||
hasEmailProtectionEKU := false | ||
ekusOK := true | ||
|
||
for _, eku := range c.ExtKeyUsage { | ||
if eku == x509.ExtKeyUsageEmailProtection { | ||
hasEmailProtectionEKU = true | ||
} else if eku == x509.ExtKeyUsageServerAuth || eku == x509.ExtKeyUsageCodeSigning || eku == x509.ExtKeyUsageTimeStamping || eku == x509.ExtKeyUsageAny { | ||
ekusOK = false | ||
} | ||
} | ||
|
||
if !hasEmailProtectionEKU { | ||
return &lint.LintResult{Status: lint.Error, Details: "id-kp-emailProtection SHALL be present"} | ||
} | ||
|
||
if !ekusOK { | ||
return &lint.LintResult{Status: lint.Error, Details: "id-kp-serverAuth, id-kp-codeSigning, id-kp-timeStamping, and anyExtendedKeyUsage values SHALL NOT be present"} | ||
} | ||
|
||
return &lint.LintResult{Status: lint.Pass} | ||
} |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,73 @@ | ||
package cabf_smime_br | ||
|
||
/* | ||
* ZLint Copyright 2021 Regents of the University of Michigan | ||
* | ||
* Licensed under the Apache License, Version 2.0 (the "License"); you may not | ||
* use this file except in compliance with the License. You may obtain a copy | ||
* of the License at http://www.apache.org/licenses/LICENSE-2.0 | ||
* | ||
* Unless required by applicable law or agreed to in writing, software | ||
* distributed under the License is distributed on an "AS IS" BASIS, | ||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or | ||
* implied. See the License for the specific language governing | ||
* permissions and limitations under the License. | ||
*/ | ||
|
||
import ( | ||
"testing" | ||
|
||
"github.com/zmap/zlint/v3/lint" | ||
"github.com/zmap/zlint/v3/test" | ||
) | ||
|
||
func TestLegacyMultipurposeEKUCheck(t *testing.T) { | ||
testCases := []struct { | ||
Name string | ||
InputFilename string | ||
|
||
ExpectedResult lint.LintStatus | ||
ExpectedDetails string | ||
}{ | ||
{ | ||
Name: "pass - mailbox validated, legacy with commonName", | ||
InputFilename: "smime/mailboxValidatedLegacyWithCommonName.pem", | ||
ExpectedResult: lint.Pass, | ||
}, | ||
{ | ||
Name: "na - certificate without mailbox validated policy", | ||
InputFilename: "smime/domainValidatedWithEmailCommonName.pem", | ||
ExpectedResult: lint.NA, | ||
}, | ||
{ | ||
Name: "ne - certificate with NotBefore before effective date of lint", | ||
InputFilename: "smime/mailboxValidatedLegacyWithCommonNameMay2023.pem", | ||
ExpectedResult: lint.NE, | ||
}, | ||
{ | ||
Name: "error - certificate without emailProtection EKU", | ||
InputFilename: "smime/mailboxValidatedLegacyWithoutEmailProtectionEKU.pem", | ||
ExpectedResult: lint.Error, | ||
ExpectedDetails: "id-kp-emailProtection SHALL be present", | ||
}, | ||
{ | ||
Name: "error - certificate containing serverAuthEKU", | ||
InputFilename: "smime/organizationValidatedMultipurposeWithServerAuthEKU.pem", | ||
ExpectedResult: lint.Error, | ||
ExpectedDetails: "id-kp-serverAuth, id-kp-codeSigning, id-kp-timeStamping, and anyExtendedKeyUsage values SHALL NOT be present", | ||
}, | ||
} | ||
|
||
for _, tc := range testCases { | ||
t.Run(tc.Name, func(t *testing.T) { | ||
result := test.TestLint("e_smime_legacy_multipurpose_eku_check", tc.InputFilename) | ||
if result.Status != tc.ExpectedResult { | ||
t.Errorf("expected result %v was %v - details: %v", tc.ExpectedResult, result.Status, result.Details) | ||
} | ||
|
||
if tc.ExpectedDetails != "" && tc.ExpectedDetails != result.Details { | ||
t.Errorf("expected details: %s, was %s", tc.ExpectedDetails, result.Details) | ||
} | ||
}) | ||
} | ||
} |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,71 @@ | ||
package cabf_smime_br | ||
|
||
/* | ||
* ZLint Copyright 2023 Regents of the University of Michigan | ||
* | ||
* Licensed under the Apache License, Version 2.0 (the "License"); you may not | ||
* use this file except in compliance with the License. You may obtain a copy | ||
* of the License at http://www.apache.org/licenses/LICENSE-2.0 | ||
* | ||
* Unless required by applicable law or agreed to in writing, software | ||
* distributed under the License is distributed on an "AS IS" BASIS, | ||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or | ||
* implied. See the License for the specific language governing | ||
* permissions and limitations under the License. | ||
*/ | ||
|
||
import ( | ||
"github.com/zmap/zcrypto/x509" | ||
"github.com/zmap/zlint/v3/lint" | ||
"github.com/zmap/zlint/v3/util" | ||
) | ||
|
||
// strictEKUCheck - linter to enforce requirement that SMIME certificates SHALL contain emailProtecton EKU | ||
type strictEKUCheck struct { | ||
} | ||
|
||
func init() { | ||
lint.RegisterCertificateLint(&lint.CertificateLint{ | ||
LintMetadata: lint.LintMetadata{ | ||
Name: "e_smime_strict_eku_check", | ||
Description: "Strict: id-kp-emailProtection SHALL be present. Other values SHALL NOT be present", | ||
Citation: "SMIME BRs: 7.1.2.3.f", | ||
Source: lint.CABFSMIMEBaselineRequirements, | ||
EffectiveDate: util.CABF_SMIME_BRs_1_0_0_Date, | ||
}, | ||
Lint: NewStrictEKUCheck, | ||
}) | ||
} | ||
|
||
// NewShallHaveCrlDistributionPoints creates a new linter to enforce MAY/SHALL NOT field requirements for mailbox validated SMIME certs | ||
func NewStrictEKUCheck() lint.CertificateLintInterface { | ||
return &strictEKUCheck{} | ||
} | ||
|
||
// CheckApplies returns true if the provided certificate contains one-or-more of the following SMIME BR policy identifiers: | ||
// - Mailbox Validated Strict | ||
// - Organization Validated Strict | ||
// - Sponsor Validated Strict | ||
// - Individual Validated Strict | ||
func (l *strictEKUCheck) CheckApplies(c *x509.Certificate) bool { | ||
return util.IsStrictSMIMECertificate(c) && util.IsSubscriberCert(c) | ||
} | ||
|
||
// Execute applies the requirements on what fields are allowed for mailbox validated SMIME certificates | ||
func (l *strictEKUCheck) Execute(c *x509.Certificate) *lint.LintResult { | ||
hasEmailProtectionEKU := false | ||
|
||
for _, eku := range c.ExtKeyUsage { | ||
if eku == x509.ExtKeyUsageEmailProtection { | ||
hasEmailProtectionEKU = true | ||
} else { | ||
return &lint.LintResult{Status: lint.Error} | ||
} | ||
} | ||
|
||
if hasEmailProtectionEKU { | ||
return &lint.LintResult{Status: lint.Pass} | ||
} | ||
|
||
return &lint.LintResult{Status: lint.Error} | ||
} |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,66 @@ | ||
package cabf_smime_br | ||
|
||
/* | ||
* ZLint Copyright 2021 Regents of the University of Michigan | ||
* | ||
* Licensed under the Apache License, Version 2.0 (the "License"); you may not | ||
* use this file except in compliance with the License. You may obtain a copy | ||
* of the License at http://www.apache.org/licenses/LICENSE-2.0 | ||
* | ||
* Unless required by applicable law or agreed to in writing, software | ||
* distributed under the License is distributed on an "AS IS" BASIS, | ||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or | ||
* implied. See the License for the specific language governing | ||
* permissions and limitations under the License. | ||
*/ | ||
|
||
import ( | ||
"testing" | ||
|
||
"github.com/zmap/zlint/v3/lint" | ||
"github.com/zmap/zlint/v3/test" | ||
) | ||
|
||
func TestStrictEKUCheck(t *testing.T) { | ||
testCases := []struct { | ||
Name string | ||
InputFilename string | ||
|
||
ExpectedResult lint.LintStatus | ||
}{ | ||
{ | ||
Name: "pass - mailbox validated, strict with EmailProtectionEKU", | ||
InputFilename: "smime/mailboxValidatedStrictWithCommonName.pem", | ||
ExpectedResult: lint.Pass, | ||
}, | ||
{ | ||
Name: "na - certificate without mailbox validated policy", | ||
InputFilename: "smime/domainValidatedWithEmailCommonName.pem", | ||
ExpectedResult: lint.NA, | ||
}, | ||
{ | ||
Name: "na - mailbox validated legacy certificate", | ||
InputFilename: "smime/mailboxValidatedLegacyWithCommonName.pem", | ||
ExpectedResult: lint.NA, | ||
}, | ||
{ | ||
Name: "ne - certificate with NotBefore before effective date of lint", | ||
InputFilename: "smime/mailboxValidatedStrictMay2023.pem", | ||
ExpectedResult: lint.NE, | ||
}, | ||
{ | ||
Name: "error - certificate with extra EKU", | ||
InputFilename: "smime/individualValidatedStrictWithServerAuthEKU.pem", | ||
ExpectedResult: lint.Error, | ||
}, | ||
} | ||
|
||
for _, tc := range testCases { | ||
t.Run(tc.Name, func(t *testing.T) { | ||
result := test.TestLint("e_smime_strict_eku_check", tc.InputFilename) | ||
if result.Status != tc.ExpectedResult { | ||
t.Errorf("expected result %v was %v - details: %v", tc.ExpectedResult, result.Status, result.Details) | ||
} | ||
}) | ||
} | ||
} |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,41 @@ | ||
Certificate: | ||
Data: | ||
Version: 3 (0x2) | ||
Serial Number: 3 (0x3) | ||
Signature Algorithm: ecdsa-with-SHA256 | ||
Issuer: | ||
Validity | ||
Not Before: Sep 2 00:00:00 2023 GMT | ||
Not After : Nov 30 00:00:00 9998 GMT | ||
Subject: CN = johnsmith@example.com | ||
Subject Public Key Info: | ||
Public Key Algorithm: id-ecPublicKey | ||
Public-Key: (256 bit) | ||
pub: | ||
04:f3:96:63:02:f4:04:19:9b:03:3f:01:a4:78:80: | ||
f3:fe:ca:fb:ea:54:d1:e0:5c:1d:f9:58:9e:38:9a: | ||
3f:70:b4:b9:3e:41:6f:a5:4c:5f:c3:fc:d4:a6:a3: | ||
e6:c2:34:31:31:f4:ef:7c:15:f4:0d:f3:c5:0d:5d: | ||
36:08:d0:67:20 | ||
ASN1 OID: prime256v1 | ||
NIST CURVE: P-256 | ||
X509v3 extensions: | ||
X509v3 Extended Key Usage: | ||
E-mail Protection, TLS Web Server Authentication | ||
X509v3 Certificate Policies: | ||
Policy: 2.23.140.1.5.4.3 | ||
|
||
Signature Algorithm: ecdsa-with-SHA256 | ||
30:46:02:21:00:8e:9c:01:a7:ea:ea:5a:ba:1a:7a:a0:e8:34: | ||
ef:75:65:32:23:ed:db:6d:b6:f0:6a:c0:6d:f4:1c:6c:17:91: | ||
72:02:21:00:e5:1e:31:8b:4e:4f:7e:65:74:c0:75:1d:03:54: | ||
6b:c1:21:b7:93:10:81:bf:e2:8c:39:36:05:8d:fb:cf:5b:66 | ||
-----BEGIN CERTIFICATE----- | ||
MIIBSDCB7qADAgECAgEDMAoGCCqGSM49BAMCMAAwIBcNMjMwOTAyMDAwMDAwWhgP | ||
OTk5ODExMzAwMDAwMDBaMCAxHjAcBgNVBAMMFWpvaG5zbWl0aEBleGFtcGxlLmNv | ||
bTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABPOWYwL0BBmbAz8BpHiA8/7K++pU | ||
0eBcHflYnjiaP3C0uT5Bb6VMX8P81Kaj5sI0MTH073wV9A3zxQ1dNgjQZyCjNzA1 | ||
MB0GA1UdJQQWMBQGCCsGAQUFBwMEBggrBgEFBQcDATAUBgNVHSAEDTALMAkGB2eB | ||
DAEFBAMwCgYIKoZIzj0EAwIDSQAwRgIhAI6cAafq6lq6Gnqg6DTvdWUyI+3bbbbw | ||
asBt9BxsF5FyAiEA5R4xi05PfmV0wHUdA1RrwSG3kxCBv+KMOTYFjfvPW2Y= | ||
-----END CERTIFICATE----- |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
To address #713 (comment) raised by @mtgag