Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Lints for CABF SMIME BRs 7.1.2.3.f - EKUs #747

Merged
merged 7 commits into from
Oct 22, 2023
Original file line number Diff line number Diff line change
Expand Up @@ -72,12 +72,13 @@ func NewMailboxValidatedEnforceSubjectFieldRestrictions() lint.LintInterface {
}
}

// CheckApplies returns true if the provided certificate contains one-or-more of the following SMIME BR policy identifiers:
// CheckApplies returns true if the provided certificate is a subscriber certificate and contains one-or-more of the following
// SMIME BR policy identifiers:
// - Mailbox Validated Legacy
// - Mailbox Validated Multipurpose
// - Mailbox Validated Strict
func (l *mailboxValidatedEnforceSubjectFieldRestrictions) CheckApplies(c *x509.Certificate) bool {
return util.IsMailboxValidatedCertificate(c)
return util.IsMailboxValidatedCertificate(c) && util.IsSubscriberCert(c)
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

To address #713 (comment) raised by @mtgag

}

// Execute applies the requirements on what fields are allowed for mailbox validated SMIME certificates
Expand Down
80 changes: 80 additions & 0 deletions v3/lints/cabf_smime_br/smime_legacy_multipurpose_eku_check.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,80 @@
package cabf_smime_br

/*
* ZLint Copyright 2023 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/

import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v3/lint"
"github.com/zmap/zlint/v3/util"
)

// shallHaveCrlDistributionPoints - linter to enforce requirement that SMIME certificates SHALL contain emailProtecton EKU
type legacyMultipurposeEKUCheck struct {
}

func init() {
lint.RegisterCertificateLint(&lint.CertificateLint{
LintMetadata: lint.LintMetadata{
Name: "e_smime_legacy_multipurpose_eku_check",
Description: "Strict/Multipurpose and Legacy: id-kp-emailProtection SHALL be present. Other values MAY be present. The values id-kp-serverAuth, id-kp-codeSigning, id-kp-timeStamping, and anyExtendedKeyUsage values SHALL NOT be present.",

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In general, it's preferred if there is only one SHALL clause in a given lint. This is primarily due to the scenario of encountering both errors at the same time, which typically results in one error shadowing the other. Both errors will eventually be addressed, although the second one will only show up after the first one is resolved.

That's not a blocker for this particular lint, I think, but just a consideration for others.

Citation: "SMIME BRs: 7.1.2.3.f",
Source: lint.CABFSMIMEBaselineRequirements,
EffectiveDate: util.CABF_SMIME_BRs_1_0_0_Date,
},
Lint: NewLegacyMultipurposeEKUCheck,
})
}

// NewShallHaveCrlDistributionPoints creates a new linter to enforce MAY/SHALL NOT field requirements for mailbox validated SMIME certs
func NewLegacyMultipurposeEKUCheck() lint.CertificateLintInterface {
return &legacyMultipurposeEKUCheck{}
}

// CheckApplies returns true if the provided certificate contains one-or-more of the following SMIME BR policy identifiers:
// - Mailbox Validated Legacy
// - Mailbox Validated Multipurpose
// - Organization Validated Legacy
// - Organization Validated Multipurpose
// - Sponsor Validated Legacy
// - Sponsor Validated Multipurpose
// - Individual Validated Legacy
// - Individual Validated Multipurpose
func (l *legacyMultipurposeEKUCheck) CheckApplies(c *x509.Certificate) bool {
return (util.IsLegacySMIMECertificate(c) || util.IsMultipurposeSMIMECertificate(c)) && util.IsSubscriberCert(c)
}

// Execute applies the requirements on what fields are allowed for mailbox validated SMIME certificates
func (l *legacyMultipurposeEKUCheck) Execute(c *x509.Certificate) *lint.LintResult {
hasEmailProtectionEKU := false
ekusOK := true

for _, eku := range c.ExtKeyUsage {
if eku == x509.ExtKeyUsageEmailProtection {
hasEmailProtectionEKU = true
} else if eku == x509.ExtKeyUsageServerAuth || eku == x509.ExtKeyUsageCodeSigning || eku == x509.ExtKeyUsageTimeStamping || eku == x509.ExtKeyUsageAny {
ekusOK = false
}
}

if !hasEmailProtectionEKU {
return &lint.LintResult{Status: lint.Error, Details: "id-kp-emailProtection SHALL be present"}
}

if !ekusOK {
return &lint.LintResult{Status: lint.Error, Details: "id-kp-serverAuth, id-kp-codeSigning, id-kp-timeStamping, and anyExtendedKeyUsage values SHALL NOT be present"}
}

return &lint.LintResult{Status: lint.Pass}
}
73 changes: 73 additions & 0 deletions v3/lints/cabf_smime_br/smime_legacy_multipurpose_eku_check_test.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,73 @@
package cabf_smime_br

/*
* ZLint Copyright 2021 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/

import (
"testing"

"github.com/zmap/zlint/v3/lint"
"github.com/zmap/zlint/v3/test"
)

func TestLegacyMultipurposeEKUCheck(t *testing.T) {
testCases := []struct {
Name string
InputFilename string

ExpectedResult lint.LintStatus
ExpectedDetails string
}{
{
Name: "pass - mailbox validated, legacy with commonName",
InputFilename: "smime/mailboxValidatedLegacyWithCommonName.pem",
ExpectedResult: lint.Pass,
},
{
Name: "na - certificate without mailbox validated policy",
InputFilename: "smime/domainValidatedWithEmailCommonName.pem",
ExpectedResult: lint.NA,
},
{
Name: "ne - certificate with NotBefore before effective date of lint",
InputFilename: "smime/mailboxValidatedLegacyWithCommonNameMay2023.pem",
ExpectedResult: lint.NE,
},
{
Name: "error - certificate without emailProtection EKU",
InputFilename: "smime/mailboxValidatedLegacyWithoutEmailProtectionEKU.pem",
ExpectedResult: lint.Error,
ExpectedDetails: "id-kp-emailProtection SHALL be present",
},
{
Name: "error - certificate containing serverAuthEKU",
InputFilename: "smime/organizationValidatedMultipurposeWithServerAuthEKU.pem",
ExpectedResult: lint.Error,
ExpectedDetails: "id-kp-serverAuth, id-kp-codeSigning, id-kp-timeStamping, and anyExtendedKeyUsage values SHALL NOT be present",
},
}

for _, tc := range testCases {
t.Run(tc.Name, func(t *testing.T) {
result := test.TestLint("e_smime_legacy_multipurpose_eku_check", tc.InputFilename)
if result.Status != tc.ExpectedResult {
t.Errorf("expected result %v was %v - details: %v", tc.ExpectedResult, result.Status, result.Details)
}

if tc.ExpectedDetails != "" && tc.ExpectedDetails != result.Details {
t.Errorf("expected details: %s, was %s", tc.ExpectedDetails, result.Details)
}
})
}
}
71 changes: 71 additions & 0 deletions v3/lints/cabf_smime_br/smime_strict_eku_check.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,71 @@
package cabf_smime_br

/*
* ZLint Copyright 2023 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/

import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v3/lint"
"github.com/zmap/zlint/v3/util"
)

// strictEKUCheck - linter to enforce requirement that SMIME certificates SHALL contain emailProtecton EKU
type strictEKUCheck struct {
}

func init() {
lint.RegisterCertificateLint(&lint.CertificateLint{
LintMetadata: lint.LintMetadata{
Name: "e_smime_strict_eku_check",
Description: "Strict: id-kp-emailProtection SHALL be present. Other values SHALL NOT be present",
Citation: "SMIME BRs: 7.1.2.3.f",
Source: lint.CABFSMIMEBaselineRequirements,
EffectiveDate: util.CABF_SMIME_BRs_1_0_0_Date,
},
Lint: NewStrictEKUCheck,
})
}

// NewShallHaveCrlDistributionPoints creates a new linter to enforce MAY/SHALL NOT field requirements for mailbox validated SMIME certs
func NewStrictEKUCheck() lint.CertificateLintInterface {
return &strictEKUCheck{}
}

// CheckApplies returns true if the provided certificate contains one-or-more of the following SMIME BR policy identifiers:
// - Mailbox Validated Strict
// - Organization Validated Strict
// - Sponsor Validated Strict
// - Individual Validated Strict
func (l *strictEKUCheck) CheckApplies(c *x509.Certificate) bool {
return util.IsStrictSMIMECertificate(c) && util.IsSubscriberCert(c)
}

// Execute applies the requirements on what fields are allowed for mailbox validated SMIME certificates
func (l *strictEKUCheck) Execute(c *x509.Certificate) *lint.LintResult {
hasEmailProtectionEKU := false

for _, eku := range c.ExtKeyUsage {
if eku == x509.ExtKeyUsageEmailProtection {
hasEmailProtectionEKU = true
} else {
return &lint.LintResult{Status: lint.Error}
}
}

if hasEmailProtectionEKU {
return &lint.LintResult{Status: lint.Pass}
}

return &lint.LintResult{Status: lint.Error}
}
66 changes: 66 additions & 0 deletions v3/lints/cabf_smime_br/smime_strict_eku_check_test.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,66 @@
package cabf_smime_br

/*
* ZLint Copyright 2021 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/

import (
"testing"

"github.com/zmap/zlint/v3/lint"
"github.com/zmap/zlint/v3/test"
)

func TestStrictEKUCheck(t *testing.T) {
testCases := []struct {
Name string
InputFilename string

ExpectedResult lint.LintStatus
}{
{
Name: "pass - mailbox validated, strict with EmailProtectionEKU",
InputFilename: "smime/mailboxValidatedStrictWithCommonName.pem",
ExpectedResult: lint.Pass,
},
{
Name: "na - certificate without mailbox validated policy",
InputFilename: "smime/domainValidatedWithEmailCommonName.pem",
ExpectedResult: lint.NA,
},
{
Name: "na - mailbox validated legacy certificate",
InputFilename: "smime/mailboxValidatedLegacyWithCommonName.pem",
ExpectedResult: lint.NA,
},
{
Name: "ne - certificate with NotBefore before effective date of lint",
InputFilename: "smime/mailboxValidatedStrictMay2023.pem",
ExpectedResult: lint.NE,
},
{
Name: "error - certificate with extra EKU",
InputFilename: "smime/individualValidatedStrictWithServerAuthEKU.pem",
ExpectedResult: lint.Error,
},
}

for _, tc := range testCases {
t.Run(tc.Name, func(t *testing.T) {
result := test.TestLint("e_smime_strict_eku_check", tc.InputFilename)
if result.Status != tc.ExpectedResult {
t.Errorf("expected result %v was %v - details: %v", tc.ExpectedResult, result.Status, result.Details)
}
})
}
}
41 changes: 41 additions & 0 deletions v3/testdata/smime/individualValidatedStrictWithServerAuthEKU.pem
Original file line number Diff line number Diff line change
@@ -0,0 +1,41 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 3 (0x3)
Signature Algorithm: ecdsa-with-SHA256
Issuer:
Validity
Not Before: Sep 2 00:00:00 2023 GMT
Not After : Nov 30 00:00:00 9998 GMT
Subject: CN = johnsmith@example.com
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:f3:96:63:02:f4:04:19:9b:03:3f:01:a4:78:80:
f3:fe:ca:fb:ea:54:d1:e0:5c:1d:f9:58:9e:38:9a:
3f:70:b4:b9:3e:41:6f:a5:4c:5f:c3:fc:d4:a6:a3:
e6:c2:34:31:31:f4:ef:7c:15:f4:0d:f3:c5:0d:5d:
36:08:d0:67:20
ASN1 OID: prime256v1
NIST CURVE: P-256
X509v3 extensions:
X509v3 Extended Key Usage:
E-mail Protection, TLS Web Server Authentication
X509v3 Certificate Policies:
Policy: 2.23.140.1.5.4.3

Signature Algorithm: ecdsa-with-SHA256
30:46:02:21:00:8e:9c:01:a7:ea:ea:5a:ba:1a:7a:a0:e8:34:
ef:75:65:32:23:ed:db:6d:b6:f0:6a:c0:6d:f4:1c:6c:17:91:
72:02:21:00:e5:1e:31:8b:4e:4f:7e:65:74:c0:75:1d:03:54:
6b:c1:21:b7:93:10:81:bf:e2:8c:39:36:05:8d:fb:cf:5b:66
-----BEGIN CERTIFICATE-----
MIIBSDCB7qADAgECAgEDMAoGCCqGSM49BAMCMAAwIBcNMjMwOTAyMDAwMDAwWhgP
OTk5ODExMzAwMDAwMDBaMCAxHjAcBgNVBAMMFWpvaG5zbWl0aEBleGFtcGxlLmNv
bTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABPOWYwL0BBmbAz8BpHiA8/7K++pU
0eBcHflYnjiaP3C0uT5Bb6VMX8P81Kaj5sI0MTH073wV9A3zxQ1dNgjQZyCjNzA1
MB0GA1UdJQQWMBQGCCsGAQUFBwMEBggrBgEFBQcDATAUBgNVHSAEDTALMAkGB2eB
DAEFBAMwCgYIKoZIzj0EAwIDSQAwRgIhAI6cAafq6lq6Gnqg6DTvdWUyI+3bbbbw
asBt9BxsF5FyAiEA5R4xi05PfmV0wHUdA1RrwSG3kxCBv+KMOTYFjfvPW2Y=
-----END CERTIFICATE-----
32 changes: 17 additions & 15 deletions v3/testdata/smime/mailboxValidatedLegacyWithCommonName.pem
Original file line number Diff line number Diff line change
Expand Up @@ -12,28 +12,30 @@ Certificate:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:a1:ed:8b:dd:62:fc:cc:2d:f4:28:cd:8c:8d:5a:
1d:1f:6c:36:c3:03:81:b4:9f:6e:6d:2d:90:b1:7d:
fa:2f:eb:d6:3c:83:7c:9f:2c:5a:b4:37:3e:ae:56:
57:6b:db:df:6a:1c:db:73:e6:d4:25:b1:15:d6:47:
f2:71:de:51:d0
04:d7:dd:dd:da:90:73:84:98:a6:9c:29:96:f2:9f:
ae:33:b1:0c:f6:43:5d:78:7f:a7:4a:6b:d0:e4:bf:
9b:b0:13:cb:14:4c:da:79:5b:25:6c:f9:62:e1:fc:
f2:a7:22:6f:3b:98:97:76:08:6b:0e:e7:8b:11:4a:
24:64:e9:c1:bd
ASN1 OID: prime256v1
NIST CURVE: P-256
X509v3 extensions:
X509v3 Extended Key Usage:
E-mail Protection
X509v3 Certificate Policies:
Policy: 2.23.140.1.5.1.1

Signature Algorithm: ecdsa-with-SHA256
30:45:02:20:41:fa:93:51:d2:80:69:a5:5e:4a:cb:85:6a:1e:
47:eb:cb:9b:b3:7b:2b:94:a7:be:a4:b2:55:cc:4a:15:16:f7:
02:21:00:81:0c:18:bd:55:7a:16:6a:0c:84:a9:3b:bf:29:e2:
21:d0:fd:b6:9b:99:14:5b:0b:55:a8:43:b9:64:b6:8e:dc
30:45:02:20:5c:fe:57:a1:85:87:b9:ec:61:51:c0:8d:da:96:
d1:1a:09:bd:29:4a:8a:22:f7:c1:a3:93:45:f3:7e:a5:cd:cf:
02:21:00:c4:27:2c:38:2e:87:f0:d3:32:5f:82:d5:68:8c:bc:
c5:1f:db:c2:9b:ab:5f:07:cf:39:de:49:52:a1:f4:3c:4d
-----BEGIN CERTIFICATE-----
MIIBKDCBz6ADAgECAgEDMAoGCCqGSM49BAMCMAAwIBcNMjMwOTAyMDAwMDAwWhgP
MIIBPTCB5KADAgECAgEDMAoGCCqGSM49BAMCMAAwIBcNMjMwOTAyMDAwMDAwWhgP
OTk5ODExMzAwMDAwMDBaMCAxHjAcBgNVBAMMFWpvaG5zbWl0aEBleGFtcGxlLmNv
bTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABKHti91i/Mwt9CjNjI1aHR9sNsMD
gbSfbm0tkLF9+i/r1jyDfJ8sWrQ3Pq5WV2vb32oc23Pm1CWxFdZH8nHeUdCjGDAW
MBQGA1UdIAQNMAswCQYHZ4EMAQUBATAKBggqhkjOPQQDAgNIADBFAiBB+pNR0oBp
pV5Ky4VqHkfry5uzeyuUp76kslXMShUW9wIhAIEMGL1VehZqDISpO78p4iHQ/bab
mRRbC1WoQ7lkto7c
bTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABNfd3dqQc4SYppwplvKfrjOxDPZD
XXh/p0pr0OS/m7ATyxRM2nlbJWz5YuH88qcibzuYl3YIaw7nixFKJGTpwb2jLTAr
MBMGA1UdJQQMMAoGCCsGAQUFBwMEMBQGA1UdIAQNMAswCQYHZ4EMAQUBATAKBggq
hkjOPQQDAgNIADBFAiBc/lehhYe57GFRwI3altEaCb0pSooi98Gjk0XzfqXNzwIh
AMQnLDguh/DTMl+C1WiMvMUf28Kbq18HzzneSVKh9DxN
-----END CERTIFICATE-----
Loading
Loading