zmap · christopher-henderson · Feb 25, 2024 · Feb 4, 2020 · Feb 4, 2020 · Aug 26, 2020
diff --git a/v3/lints/cabf_smime_br/lint_subject_dir_attr.go b/v3/lints/cabf_smime_br/lint_subject_dir_attr.go
@@ -26,7 +26,7 @@ func init() {
 	lint.RegisterCertificateLint(&lint.CertificateLint{
 		LintMetadata: lint.LintMetadata{
 			Name:          "e_strict_multipurpose_smime_ext_subject_directory_attr",
-			Description:   "SMIME Strict and Multipurpose certificates cannot have Subject Directory Attribute",
+			Description:   "SMIME Strict and Multipurpose certificates cannot have Subject Directory Attributes",
 			Citation:      "BRs: 7.1.2.3j",
 			Source:        lint.CABFSMIMEBaselineRequirements,
 			EffectiveDate: util.CABF_SMIME_BRs_1_0_0_Date,

diff --git a/v3/lints/cabf_smime_br/lint_subject_dir_attr_test.go b/v3/lints/cabf_smime_br/lint_subject_dir_attr_test.go
@@ -18,8 +18,16 @@ func TestSMIMESubjectDirAttributes(t *testing.T) {
 			InputFilename:  "smime/mailboxValidatedStrictWithCommonName.pem",
 			ExpectedResult: lint.Pass,
 		},
-		// A negative test case is hard to construct because neither the x509 package
-		// nor OpenSSL support writing the subject directory attributes extension.
+		{
+			Name:           "error - multipurpose with subject dir attributes extension",
+			InputFilename:  "smime/multipurposeWithSubjectDirectoryAttributes.pem",
+			ExpectedResult: lint.Error,
+		},
+		{
+			Name:           "error - legacy no subject dir attributes extension",
+			InputFilename:  "smime/ec_legacy_digital_signature_ku.pem",
+			ExpectedResult: lint.NA,
+		},
 	}
 	for _, tc := range testCases {
 		t.Run(tc.Name, func(t *testing.T) {

diff --git a/v3/testdata/smime/multipurposeWithSubjectDirectoryAttributes.pem b/v3/testdata/smime/multipurposeWithSubjectDirectoryAttributes.pem
@@ -0,0 +1,43 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            26:c1:67:41:26:dd:01:6c:a6:98:6b:51
+        Signature Algorithm: ecdsa-with-SHA256
+        Issuer: CN = Lint CA, O = Lint, C = DE
+        Validity
+            Not Before: Sep  1 00:00:00 2023 GMT
+            Not After : Sep  1 00:00:00 2024 GMT
+        Subject: CN = test@example.com
+        Subject Public Key Info:
+            Public Key Algorithm: id-ecPublicKey
+                Public-Key: (256 bit)
+                pub:
+                    04:27:9e:42:c6:b2:b3:d4:54:ff:33:36:a4:2a:5e:
+                    26:50:73:a5:ba:32:4d:5a:9a:a9:f5:93:9e:77:d3:
+                    35:82:81:25:2b:86:3e:3d:bd:e2:87:a4:79:a2:57:
+                    87:6c:48:71:2e:36:bb:9b:52:57:82:cf:3c:90:9d:
+                    c0:9a:8a:f6:5a
+                ASN1 OID: prime256v1
+                NIST CURVE: P-256
+        X509v3 extensions:
+            X509v3 Certificate Policies: 
+                Policy: 2.23.140.1.5.1.2
+
+            X509v3 Subject Directory Attributes: 
+                0.0...+.......1...DE
+    Signature Algorithm: ecdsa-with-SHA256
+         30:45:02:21:00:85:35:98:67:73:3e:d5:f3:e8:88:9a:08:50:
+         52:a8:b6:f0:39:77:aa:15:28:f0:30:7e:e7:9d:72:98:f9:b6:
+         68:02:20:05:63:ed:60:19:8d:5b:7d:ca:ca:f5:65:03:9c:60:
+         36:83:d6:db:ce:6f:c1:5f:b4:0f:ec:3b:a4:15:7f:07:b4
+-----BEGIN CERTIFICATE-----
+MIIBeDCCAR6gAwIBAgIMJsFnQSbdAWymmGtRMAoGCCqGSM49BAMCMC4xEDAOBgNV
+BAMMB0xpbnQgQ0ExDTALBgNVBAoMBExpbnQxCzAJBgNVBAYTAkRFMB4XDTIzMDkw
+MTAwMDAwMFoXDTI0MDkwMTAwMDAwMFowGzEZMBcGA1UEAwwQdGVzdEBleGFtcGxl
+LmNvbTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABCeeQsays9RU/zM2pCpeJlBz
+pboyTVqaqfWTnnfTNYKBJSuGPj294oekeaJXh2xIcS42u5tSV4LPPJCdwJqK9lqj
+NTAzMBQGA1UdIAQNMAswCQYHZ4EMAQUBAjAbBgNVHQkEFDASMBAGCCsGAQUFBwkF
+MQQTAkRFMAoGCCqGSM49BAMCA0gAMEUCIQCFNZhncz7V8+iImghQUqi28Dl3qhUo
+8DB+551ymPm2aAIgBWPtYBmNW33KyvVlA5xgNoPW285vwV+0D+w7pBV/B7Q=
+-----END CERTIFICATE-----