From f0455f6cdbf1e9fd7669b6ad533d5c8f16389f83 Mon Sep 17 00:00:00 2001
From: Christopher Henderson
Date: Sun, 26 May 2024 09:40:31 -0700
Subject: [PATCH 1/5] simpler

---
 v3/lint/base.go | 14 +++++++++-----
 ...ix_ocsp_nocheck_ext_not_included_server_auth.go | 7 ++++---
 2 files changed, 13 insertions(+), 8 deletions(-)

diff --git a/v3/lint/base.go b/v3/lint/base.go
index 499810e74..f1df4bbac 100644
--- a/v3/lint/base.go
+++ b/v3/lint/base.go
@@ -89,6 +89,8 @@ type LintMetadata struct {
 	// true but with NotBefore >= IneffectiveDate. This check is bypassed if
 	// IneffectiveDate is zero. Please see CheckEffective for more information.
 	IneffectiveDate time.Time `json:"-"`
+
+	OverrideFrameworkFilter bool
 }
 
 // A Lint struct represents a single lint, e.g.
@@ -218,11 +220,13 @@ func (l *CertificateLint) CheckEffective(c *x509.Certificate) bool {
 // CheckEffective()
 // Execute()
 func (l *CertificateLint) Execute(cert *x509.Certificate, config Configuration) *LintResult {
-	if l.Source == CABFBaselineRequirements && !util.IsServerAuthCert(cert) {
-		return &LintResult{Status: NA}
-	}
-	if l.Source == CABFSMIMEBaselineRequirements && !((util.IsEmailProtectionCert(cert) && util.HasEmailSAN(cert)) || util.IsSMIMEBRCertificate(cert)) {
-		return &LintResult{Status: NA}
+	if !l.OverrideFrameworkFilter {
+		if l.Source == CABFBaselineRequirements && !util.IsServerAuthCert(cert) {
+			return &LintResult{Status: NA}
+		}
+		if l.Source == CABFSMIMEBaselineRequirements && !((util.IsEmailProtectionCert(cert) && util.HasEmailSAN(cert)) || util.IsSMIMEBRCertificate(cert)) {
+			return &LintResult{Status: NA}
+		}
 	}
 	lint := l.Lint()
 	err := config.MaybeConfigure(lint, l.Name)
diff --git a/v3/lints/cabf_br/lint_ocsp_id_pkix_ocsp_nocheck_ext_not_included_server_auth.go b/v3/lints/cabf_br/lint_ocsp_id_pkix_ocsp_nocheck_ext_not_included_server_auth.go
index ecc0d8cba..b5b2995c3 100644
--- a/v3/lints/cabf_br/lint_ocsp_id_pkix_ocsp_nocheck_ext_not_included_server_auth.go
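Review bot: Execute's header comment (the `// CheckApplies()` / `// CheckEffective()` / `// Execute()` ordering visible in the context lines) does not mention that the Source-based NA short-circuit is now conditional, so a reader of Execute alone cannot tell why a CABFBaselineRequirements-sourced lint may run against a certificate that is not serverAuth. I would add, directly above the new `if !l.OverrideFrameworkFilter {`, the comment `// A lint that sets OverrideFrameworkFilter opts out of this Source-based scoping; its own CheckApplies is then the only applicability gate.` Because the skip applies to any registered lint that sets the flag, a lint can widen its scope with no framework check that its CheckApplies is actually restrictive; a small registry-level test that enumerates lints with the flag set would make each such addition visible in review. Execute's body continues past the end of the hunk.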
+++ b/v3/lints/cabf_br/lint_ocsp_id_pkix_ocsp_nocheck_ext_not_included_server_auth.go
@@ -28,9 +28,10 @@ func init() {
 			Name: "e_ocsp_id_pkix_ocsp_nocheck_ext_not_included_server_auth",
 			Description: "OCSP signing Certificate MUST contain an extension of type id-pkixocsp-nocheck, as" +
 				" defined by RFC6960",
-			Citation: "BRs: 4.9.9",
-			Source: lint.CABFBaselineRequirements,
-			EffectiveDate: util.CABEffectiveDate,
+			Citation: "BRs: 4.9.9",
+			Source: lint.CABFBaselineRequirements,
+			EffectiveDate: util.CABEffectiveDate,
+			OverrideFrameworkFilter: true,
 		},
 		Lint: NewOCSPIDPKIXOCSPNocheckExtNotIncludedServerAuth,
 	})

From 13a26793a362d904784ac8d9cd2d9b338aeaf96f Mon Sep 17 00:00:00 2001
From: Christopher Henderson
Date: Sun, 26 May 2024 09:45:12 -0700
Subject: [PATCH 2/5] linting the linter

---
 v3/lint/base.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/v3/lint/base.go b/v3/lint/base.go
index f1df4bbac..995f5b12a 100644
--- a/v3/lint/base.go
+++ b/v3/lint/base.go
@@ -90,7 +90,7 @@ type LintMetadata struct {
 	// IneffectiveDate is zero. Please see CheckEffective for more information.
 	IneffectiveDate time.Time `json:"-"`
 
-	OverrideFrameworkFilter bool
+	OverrideFrameworkFilter bool `json:"overrideFrameworkFilter,omitempty"`
 }
 
 // A Lint struct represents a single lint, e.g.

From 98873bdc47690e025b812ca90df2ecbd3d5707c2 Mon Sep 17 00:00:00 2001
From: Christopher Henderson
Date: Sun, 26 May 2024 11:04:03 -0700
Subject: [PATCH 3/5] fix tests and lint

---
 v3/lint/base.go | 18 ++++++++++++++++++
 ...csp_nocheck_ext_not_included_server_auth.go | 2 +-
 ...ocheck_ext_not_included_server_auth_test.go | 8 ++++----
 3 files changed, 23 insertions(+), 5 deletions(-)

diff --git a/v3/lint/base.go b/v3/lint/base.go
index 995f5b12a..8e4bfb673 100644
--- a/v3/lint/base.go
+++ b/v3/lint/base.go
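Review bot: The lint's `Name` keeps its `_server_auth` suffix while the new `OverrideFrameworkFilter: true` is there precisely so the lint runs on OCSP responder certificates that are not serverAuth, so the identifier now misdescribes the lint's scope; lint names are stable keys referenced from consumer configuration (the integration config later in this series is one example), so rather than renaming I would add above the metadata `// Name predates the framework filter override; this lint applies to delegated OCSP responder certificates whether or not they carry serverAuth.` The `Description` context line also reads `id-pkixocsp-nocheck`, where RFC 6960 spells the extension `id-pkix-ocsp-nocheck`; that string is emitted to users, so the fix is a visible change worth its own commit. At this commit the override appears inert, because the lint's CheckApplies still requires `util.IsServerAuthCert(c)` until a later patch removes it; squashing that removal into this commit would keep each commit self-consistent.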
@@ -90,6 +90,24 @@ type LintMetadata struct {
 	// IneffectiveDate is zero. Please see CheckEffective for more information.
 	IneffectiveDate time.Time `json:"-"`
 
+	// The ZLint linting framework performs a kind of pre-flight "CheckApplies"
+	// for every lint that gets ran. For example, if that lint in question
+	// is targeting a CABF baseline requirement, then the framework will
+	// assert that the certificate in question is a server auth certificate.
+	// Doing so allows for nearly universal "CheckApplies" logic to be hoisted
+	// out of each individual lint and into the framework itself.
+	//
+	// However, there are rare occasions wherein a lint disagrees with the
+	// framework's pre-flight "CheckApplies" logic. For example, CABF 4.9.9
+	// places a constraint on OCSP signing certificates. However, since an
+	// OCSP signing certificate is not a server auth certificate, this lint
+	// never gets ran due to the framework filtering CABF lints to only
+	// apply to server auth certificates.
+	//
+	// If a lint declares OverrideFrameworkFilter to be true, then the framework
+	// will perform no pre-flight check. This means that the lint in question
+	// is entirely responsible for accurately encoding all applicability rules
+	// in its own CheckApplies method.
 	OverrideFrameworkFilter bool `json:"overrideFrameworkFilter,omitempty"`
 }
 
diff --git a/v3/lints/cabf_br/lint_ocsp_id_pkix_ocsp_nocheck_ext_not_included_server_auth.go b/v3/lints/cabf_br/lint_ocsp_id_pkix_ocsp_nocheck_ext_not_included_server_auth.go
index b5b2995c3..4a8091de3 100644
--- a/v3/lints/cabf_br/lint_ocsp_id_pkix_ocsp_nocheck_ext_not_included_server_auth.go
+++ b/v3/lints/cabf_br/lint_ocsp_id_pkix_ocsp_nocheck_ext_not_included_server_auth.go
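Review bot: The closing paragraph overstates the flag: `will perform no pre-flight check` reads as if every framework gate is skipped, but the only code the flag guards is the Source-based NA short-circuit in Execute, and the `CheckApplies()` / `CheckEffective()` / `Execute()` ordering documented on Execute suggests the EffectiveDate/IneffectiveDate gating in CheckEffective still runs regardless — worth confirming against the caller. I would reword it to `will skip its Source-based applicability filter (the serverAuth / S/MIME scoping in Execute); date-based gating via CheckEffective is unaffected.` Two grammatical fixes as well: `gets ran` should be `gets run` in both places. It would also help to state the contract the flag imposes, namely that a lint setting it must make CheckApplies return false for every certificate outside the cited requirement's scope, since nothing else will.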
@@ -42,7 +42,7 @@ func NewOCSPIDPKIXOCSPNocheckExtNotIncludedServerAuth() lint.LintInterface {
 }
 
 func (l *OCSPIDPKIXOCSPNocheckExtNotIncludedServerAuth) CheckApplies(c *x509.Certificate) bool {
-	return util.IsDelegatedOCSPResponderCert(c) && util.IsServerAuthCert(c)
+	return util.IsDelegatedOCSPResponderCert(c)
 }
 
 func (l *OCSPIDPKIXOCSPNocheckExtNotIncludedServerAuth) Execute(c *x509.Certificate) *lint.LintResult {
diff --git a/v3/lints/cabf_br/lint_ocsp_id_pkix_ocsp_nocheck_ext_not_included_server_auth_test.go b/v3/lints/cabf_br/lint_ocsp_id_pkix_ocsp_nocheck_ext_not_included_server_auth_test.go
index b1a324080..b27c6b16f 100644
--- a/v3/lints/cabf_br/lint_ocsp_id_pkix_ocsp_nocheck_ext_not_included_server_auth_test.go
+++ b/v3/lints/cabf_br/lint_ocsp_id_pkix_ocsp_nocheck_ext_not_included_server_auth_test.go
@@ -74,11 +74,11 @@ func TestOCSPIDPKIXOCSPNocheckExtNotIncludedServerAuth(t *testing.T) {
 		}, {
 			Name: "o1s0ep0a0nc0",
 			Filename: "o1s0ep0a0nc0.pem",
-			ExpectedResult: lint.NA,
+			ExpectedResult: lint.Error,
 		}, {
 			Name: "o1s0ep0a0nc1",
 			Filename: "o1s0ep0a0nc1.pem",
-			ExpectedResult: lint.NA,
+			ExpectedResult: lint.Pass,
 		}, {
 			Name: "o1s0ep0a1nc0",
 			Filename: "o1s0ep0a1nc0.pem",
@@ -142,11 +142,11 @@ func TestOCSPIDPKIXOCSPNocheckExtNotIncludedServerAuth(t *testing.T) {
 		}, {
 			Name: "o1s0ep1a0nc0",
 			Filename: "o1s0ep1a0nc0.pem",
-			ExpectedResult: lint.NA,
+			ExpectedResult: lint.Error,
 		}, {
 			Name: "o1s0ep1a0nc1",
 			Filename: "o1s0ep1a0nc1.pem",
-			ExpectedResult: lint.NA,
+			ExpectedResult: lint.Pass,
 		}, {
 			Name: "o1s0ep1a1nc0",
 			Filename: "o1s0ep1a1nc0.pem",

From c9ced5c48182301f762db46596b4159a61ef2db7 Mon Sep 17 00:00:00 2001
From: Christopher Henderson
Date: Sun, 26 May 2024 12:00:06 -0700
Subject: [PATCH 4/5] more certs are being ran so more errors makes sense

---
 v3/integration/config.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/v3/integration/config.json b/v3/integration/config.json
index 11e9d0153..6f997dee7 100644
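Review bot: Dropping `util.IsServerAuthCert(c)` leaves responder-EKU detection as the sole gate, so this CABFBaselineRequirements-sourced lint will now also fire on delegated OCSP responder certificates issued by hierarchies the TLS BRs do not govern (S/MIME or private PKIs), which previously came back NA; whether that widening is intended should be stated in the code rather than left implicit. Since the framework now makes this lint solely responsible for its own applicability, I would add above the return `// The framework's serverAuth scoping is overridden for this lint: BR 4.9.9 targets OCSP responder certificates, which are not themselves serverAuth, so applicability rests entirely on the OCSPSigning EKU check here.` The integration count for this lint rising from 95 to 262 in the next patch is consistent with that widening; it is worth sampling the new errors to confirm they are responders from TLS-issuing CAs rather than out-of-scope PKIs, assuming the corpus mixes both.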
--- a/v3/integration/config.json
+++ b/v3/integration/config.json
@@ -576,7 +576,7 @@
     "ErrCount": 370
   },
   "e_ocsp_id_pkix_ocsp_nocheck_ext_not_included_server_auth": {
-    "ErrCount": 95
+    "ErrCount": 262
   },
   "e_old_root_ca_rsa_mod_less_than_2048_bits": {
     "ErrCount": 1

From 6759fba223ac209f75d324c49672f920a8268070 Mon Sep 17 00:00:00 2001
From: Christopher Henderson
Date: Sat, 29 Jun 2024 07:03:47 -0700
Subject: [PATCH 5/5] accidentally removed bracket

---
 v3/lint/base.go | 1 +
 1 file changed, 1 insertion(+)

diff --git a/v3/lint/base.go b/v3/lint/base.go
index 71e0477e9..c219cc7cb 100644
--- a/v3/lint/base.go
+++ b/v3/lint/base.go
@@ -244,6 +244,7 @@ func (l *CertificateLint) Execute(cert *x509.Certificate, config Configuration)
 		}
 		if l.Source == CABFSMIMEBaselineRequirements && !util.IsEmailProtectionCert(cert) {
 			return &LintResult{Status: NA}
+		}
 	}
 	lint := l.Lint()
 	err := config.MaybeConfigure(lint, l.Name)
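Review bot: The added `}` correctly closes the `if l.Source == CABFSMIMEBaselineRequirements` block, but landing it as a separate commit a month later, against a base.go blob (`71e0477e9`) that no earlier patch in this series produces, indicates the series was rebased and left base.go uncompilable in the intermediate commits; squashing this fix into the commit that introduced the break keeps `git bisect` and per-commit CI meaningful. The rebase also changed the S/MIME filter from patch 1's `!((util.IsEmailProtectionCert(cert) && util.HasEmailSAN(cert)) || util.IsSMIMEBRCertificate(cert))` to `!util.IsEmailProtectionCert(cert)` without any commit in the series saying so — presumably picked up from upstream, but worth confirming it was intended and not a conflict-resolution artifact like the missing brace. Execute's body continues beyond the hunk.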