Handle ips in aia internal names #791

Merged

26 commits
6c23670
lint about the encoding of qcstatements for PSD2
Feb 4, 2020
4666bb7
Revert "lint about the encoding of qcstatements for PSD2"
Feb 4, 2020
01996c6
Merge https://github.com/zmap/zlint
Aug 26, 2020
28481cc
Merge https://github.com/zmap/zlint
Sep 1, 2021
749d896
Merge https://github.com/zmap/zlint
Oct 21, 2021
e56e2a0
util: gtld_map autopull updates for 2021-10-21T07:25:20 UTC
web-flow Oct 21, 2021
8600050
Merge pull request #1 from mtgag/zlint-gtld-update
mtgag Oct 21, 2021
30b096e
Merge https://github.com/zmap/zlint
mtgag Apr 19, 2023
92e659c
always check and perform the operation in the execution
mtgag Apr 27, 2023
351a379
Merge branch 'master' into master
christopher-henderson May 14, 2023
b52111b
Merge https://github.com/zmap/zlint
mtgag May 16, 2023
526f9be
Merge https://github.com/zmap/zlint
mtgag Jun 9, 2023
92902fc
Merge https://github.com/zmap/zlint
mtgag Jul 1, 2023
1652cfa
synchronised with project
mtgag Jul 5, 2023
d4f2f9f
synchronised with project
mtgag Aug 30, 2023
88c933e
Merge https://github.com/zmap/zlint
mtgag Aug 30, 2023
cee805f
Merge https://github.com/zmap/zlint
mtgag Dec 3, 2023
2408543
synchronised with project
mtgag Dec 14, 2023
67537e9
synchronised with project
mtgag Dec 14, 2023
e77fae1
synchronised with project
mtgag Jan 24, 2024
69caf00
if the AIA contains an IP then pass instead of warn
mtgag Jan 24, 2024
c068359
fixed merge message
mtgag Jan 24, 2024
d2a928b
trying to resolve conflicts
mtgag Feb 1, 2024
379b7b7
Merge branch 'master' into handle_ips_in_aia_internal_names
mtgag Feb 1, 2024
acd0140
enhancement; lint only if extension is present otherwise not applicable
mtgag Feb 1, 2024
4d2e309
Merge branch 'handle_ips_in_aia_internal_names' of https://github.com…
mtgag Feb 1, 2024
13 changes: 12 additions & 1 deletion v3/lints/cabf_br/lint_sub_cert_aia_contains_internal_names.go
@@ -15,6 +15,7 @@ package cabf_br
*/

import (
"net"
"net/url"
"time"

@@ -53,7 +54,7 @@ func NewSubCertAIAInternalName() lint.LintInterface {
}

func (l *subCertAIAInternalName) CheckApplies(c *x509.Certificate) bool {
return util.IsSubscriberCert(c)
return util.IsSubscriberCert(c) && util.IsExtInCert(c, util.AiaOID)
}

func (l *subCertAIAInternalName) Execute(c *x509.Certificate) *lint.LintResult {
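Review bot: the added `util.IsExtInCert(c, util.AiaOID)` condition in `CheckApplies` changes the result for subscriber certificates that carry no AIA extension from Pass to NA (the new "na - aia is not present" test case confirms this). That is the right scope for a lint about names inside the AIA, but the lint's registered description should state that it only applies when the extension is present, since a missing AIA is no longer observable through this lint's result.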
@@ -62,6 +63,11 @@ func (l *subCertAIAInternalName) Execute(c *x509.Certificate) *lint.LintResult {
if err != nil {
return &lint.LintResult{Status: lint.Error}
}

if net.ParseIP(purl.Host) != nil {
continue
}

if !util.HasValidTLD(purl.Hostname(), time.Now()) {
return &lint.LintResult{Status: lint.Warn}
}
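Review bot: `net.ParseIP(purl.Host)` misses IP hosts that carry a port or are IPv6 literals, because `url.URL.Host` keeps the `:port` suffix and the square brackets around an IPv6 address (for example `http://198.51.100.42:8080/ocsp` or `http://[2001:db8::1]/ocsp`), so `ParseIP` returns nil for those and the URL falls through to `util.HasValidTLD`, which would almost certainly yield a Warn for a bare address. The line below already uses `purl.Hostname()`, which strips both the port and the brackets; the IP check should do the same:
`if net.ParseIP(purl.Hostname()) != nil {`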
@@ -71,6 +77,11 @@ func (l *subCertAIAInternalName) Execute(c *x509.Certificate) *lint.LintResult {
if err != nil {
return &lint.LintResult{Status: lint.Error}
}

if net.ParseIP(purl.Host) != nil {
continue
}

if !util.HasValidTLD(purl.Hostname(), time.Now()) {
return &lint.LintResult{Status: lint.Warn}
}
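Review bot: this block is a verbatim copy of the check added in the previous hunk, including the `purl.Host` versus `purl.Hostname()` issue, so any fix has to be applied twice. Factoring the parse, skip-if-IP, then `HasValidTLD` sequence into a single helper that both loops call would keep the two access-method paths from drifting apart.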
10 changes: 10 additions & 0 deletions v3/lints/cabf_br/lint_sub_cert_aia_contains_internal_names_test.go
@@ -23,6 +23,16 @@ func TestAIAInternalName(t *testing.T) {
InputFilename: "aiaWithInternalNames.pem",
ExpectedResult: lint.Warn,
},
{
Name: "pass - aia with an IP address",
InputFilename: "aiaWithIP.pem",
ExpectedResult: lint.Pass,
},
{
Name: "na - aia is not present",
InputFilename: "akiCritical.pem",
ExpectedResult: lint.NA,
},
}
for _, tc := range testCases {
t.Run(tc.Name, func(t *testing.T) {
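Review bot: the new cases cover a plain IPv4 host and a missing extension, but not an IPv4 host with a port or an IPv6 literal, which is exactly where `net.ParseIP` on `purl.Host` behaves differently from `purl.Hostname()`; a fixture for at least one of those with `ExpectedResult: lint.Pass` would pin the intended behaviour. Also, the NA case reuses `akiCritical.pem`, which works as long as that fixture has no AIA, but a fixture whose name says so (for example a hypothetical `aiaAbsent.pem`) would make the intent of the test obvious.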
48 changes: 48 additions & 0 deletions v3/testdata/aiaWithIP.pem
@@ -0,0 +1,48 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
41:3a:cf:f0:21:c6:b7:4e:8a:52:bb:8f
Signature Algorithm: ecdsa-with-SHA256
Issuer: CN = Lint CA, O = Lint, C = DE
Validity
Not Before: Sep 1 00:00:00 2023 GMT
Not After : Sep 1 00:00:00 2024 GMT
Subject: CN = Certificate, O = Lint, C = DE
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:4e:40:12:56:a9:f2:b9:24:4b:90:a1:91:be:11:
36:15:3e:d8:5b:03:92:1b:73:05:f7:52:e8:da:36:
01:ad:9e:e2:aa:a7:44:f6:15:77:de:b8:a2:28:ac:
b4:73:c6:3b:2f:61:7e:4d:8f:ba:89:cf:a0:f9:dc:
d8:ca:ea:82:98
ASN1 OID: prime256v1
NIST CURVE: P-256
X509v3 extensions:
X509v3 Authority Key Identifier:
keyid:A8:25:78:6E:21:C4:67:13:2C:AB:40:4F:2D:1E:A5:72:AE:74:02:E4

X509v3 Subject Key Identifier:
7C:C8:86:05:72:0B:B5:5A:EE:0E:47:CF:02:DE:D8:A4:D4:B9:7B:FF
Authority Information Access:
OCSP - URI:http://198.51.100.42/ocsp

Signature Algorithm: ecdsa-with-SHA256
30:45:02:21:00:88:bc:ba:4c:9f:70:98:95:90:db:bc:16:18:
11:80:87:d3:ee:75:1d:8b:5f:57:13:d3:63:b5:35:ab:38:70:
ad:02:20:09:62:76:1b:4c:1f:92:da:54:4b:7f:f9:a4:6f:6c:
85:b9:07:80:98:11:02:2b:fc:42:d9:57:4a:9b:c3:da:99
-----BEGIN CERTIFICATE-----
MIIB0zCCAXmgAwIBAgIMQTrP8CHGt06KUruPMAoGCCqGSM49BAMCMC4xEDAOBgNV
BAMMB0xpbnQgQ0ExDTALBgNVBAoMBExpbnQxCzAJBgNVBAYTAkRFMB4XDTIzMDkw
MTAwMDAwMFoXDTI0MDkwMTAwMDAwMFowMjEUMBIGA1UEAwwLQ2VydGlmaWNhdGUx
DTALBgNVBAoMBExpbnQxCzAJBgNVBAYTAkRFMFkwEwYHKoZIzj0CAQYIKoZIzj0D
AQcDQgAETkASVqnyuSRLkKGRvhE2FT7YWwOSG3MF91Lo2jYBrZ7iqqdE9hV33rii
KKy0c8Y7L2F+TY+6ic+g+dzYyuqCmKN5MHcwHwYDVR0jBBgwFoAUqCV4biHEZxMs
q0BPLR6lcq50AuQwHQYDVR0OBBYEFHzIhgVyC7Va7g5HzwLe2KTUuXv/MDUGCCsG
AQUFBwEBBCkwJzAlBggrBgEFBQcwAYYZaHR0cDovLzE5OC41MS4xMDAuNDIvb2Nz
cDAKBggqhkjOPQQDAgNIADBFAiEAiLy6TJ9wmJWQ27wWGBGAh9PudR2LX1cT02O1
Nas4cK0CIAlidhtMH5LaVEt/+aRvbIW5B4CYEQIr/ELZV0qbw9qZ
-----END CERTIFICATE-----
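Review bot: this fixture's AIA contains only an OCSP access description (`OCSP - URI:http://198.51.100.42/ocsp`), so only one of the two loops in `Execute` that received an IP check is exercised by `aiaWithIP.pem`; adding a second fixture, or a second access description in this one, with an IP-based caIssuers URI would cover the other loop. Using an address from the documentation range 198.51.100.0/24 is a good choice for test data and should be kept for any added fixture.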