diff --git a/go.mod b/go.mod
index db76ddb5f..9b27da9a7 100644
--- a/go.mod
+++ b/go.mod
@@ -15,7 +15,7 @@ require (
 github.com/mattn/go-sqlite3 v1.14.22
 github.com/prometheus/client_golang v1.19.0
 github.com/zmap/zcrypto v0.0.0-20230310154051-c8b263fd8300
- github.com/zmap/zlint/v3 v3.5.0
+ github.com/zmap/zlint/v3 v3.6.2
 golang.org/x/crypto v0.21.0
 )
diff --git a/go.sum b/go.sum
index 40b8a5a3c..efcbca07f 100644
--- a/go.sum
+++ b/go.sum
@@ -364,8 +364,8 @@ github.com/zmap/zcrypto v0.0.0-20201211161100-e54a5822fb7e/go.mod h1:aPM7r+JOkfL
 github.com/zmap/zcrypto v0.0.0-20230310154051-c8b263fd8300 h1:DZH5n7L3L8RxKdSyJHZt7WePgwdhHnPhQFdQSJaHF+o=
 github.com/zmap/zcrypto v0.0.0-20230310154051-c8b263fd8300/go.mod h1:mOd4yUMgn2fe2nV9KXsa9AyQBFZGzygVPovsZR+Rl5w=
 github.com/zmap/zlint/v3 v3.0.0/go.mod h1:paGwFySdHIBEMJ61YjoqT4h7Ge+fdYG4sUQhnTb1lJ8=
-github.com/zmap/zlint/v3 v3.5.0 h1:Eh2B5t6VKgVH0DFmTwOqE50POvyDhUaU9T2mJOe1vfQ=
-github.com/zmap/zlint/v3 v3.5.0/go.mod h1:JkNSrsDJ8F4VRtBZcYUQSvnWFL7utcjDIn+FE64mlBI=
+github.com/zmap/zlint/v3 v3.6.2 h1:IK1Ida6HFLgBrczrCGZa8VVRpksO5iVhYw7WSDl+Irs=
+github.com/zmap/zlint/v3 v3.6.2/go.mod h1:NVgiIWssgzp0bNl8P4Gz94NHV2ep/4Jyj9V69uTmZyg=
 go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU=
 go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8=
 go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
diff --git a/vendor/github.com/zmap/zlint/v3/.goreleaser.yml b/vendor/github.com/zmap/zlint/v3/.goreleaser.yml
index 2b84be004..cdd316399 100644
--- a/vendor/github.com/zmap/zlint/v3/.goreleaser.yml
+++ b/vendor/github.com/zmap/zlint/v3/.goreleaser.yml
@@ -18,11 +18,14 @@ builds:
 archives:
 - wrap_in_directory: true
- replacements:
- darwin: Darwin
- linux: Linux
- windows: Windows
- amd64: x86_64
+ name_template: >-
+ {{- .ProjectName }}_
+ {{- .Version }}_
+ {{- title .Os }}_
+ {{- if eq .Arch "amd64" }}x86_64
+ {{- else if eq .Arch "386" }}i386
+ {{- else }}{{ .Arch }}{{ end }}
+ {{- if .Arm }}v{{ .Arm }}{{ end -}}
 snapshot:
 name_template: "{{ .Tag }}-next"
 release:
diff --git a/vendor/github.com/zmap/zlint/v3/LICENSE b/vendor/github.com/zmap/zlint/v3/LICENSE
index b209ae0fc..19a9b8a00 100644
--- a/vendor/github.com/zmap/zlint/v3/LICENSE
+++ b/vendor/github.com/zmap/zlint/v3/LICENSE
@@ -187,7 +187,7 @@ same "printed page" as the copyright notice for easier
 identification within third-party archives.
- Copyright 2020 Regents of the University of Michigan
+ Copyright 2024 Regents of the University of Michigan
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
diff --git a/vendor/github.com/zmap/zlint/v3/lint/base.go b/vendor/github.com/zmap/zlint/v3/lint/base.go
index 6c6e5f514..499810e74 100644
--- a/vendor/github.com/zmap/zlint/v3/lint/base.go
+++ b/vendor/github.com/zmap/zlint/v3/lint/base.go
@@ -1,7 +1,7 @@
 package lint
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
@@ -221,6 +221,9 @@ func (l *CertificateLint) Execute(cert *x509.Certificate, config Configuration)
 if l.Source == CABFBaselineRequirements && !util.IsServerAuthCert(cert) {
 return &LintResult{Status: NA}
 }
+ if l.Source == CABFSMIMEBaselineRequirements && !((util.IsEmailProtectionCert(cert) && util.HasEmailSAN(cert)) || util.IsSMIMEBRCertificate(cert)) {
+ return &LintResult{Status: NA}
+ }
 lint := l.Lint()
 err := config.MaybeConfigure(lint, l.Name)
 if err != nil {
diff --git a/vendor/github.com/zmap/zlint/v3/lint/configuration.go b/vendor/github.com/zmap/zlint/v3/lint/configuration.go
index 0ace959be..9c60a97cb 100644
--- a/vendor/github.com/zmap/zlint/v3/lint/configuration.go
+++ b/vendor/github.com/zmap/zlint/v3/lint/configuration.go
@@ -1,5 +1,5 @@
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lint/global_configurations.go b/vendor/github.com/zmap/zlint/v3/lint/global_configurations.go
index 0438fab33..4d7758441 100644
--- a/vendor/github.com/zmap/zlint/v3/lint/global_configurations.go
+++ b/vendor/github.com/zmap/zlint/v3/lint/global_configurations.go
@@ -1,5 +1,5 @@
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lint/lint_lookup.go b/vendor/github.com/zmap/zlint/v3/lint/lint_lookup.go
index 91d723606..273aaec9c 100644
--- a/vendor/github.com/zmap/zlint/v3/lint/lint_lookup.go
+++ b/vendor/github.com/zmap/zlint/v3/lint/lint_lookup.go
@@ -1,5 +1,5 @@
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lint/profile.go b/vendor/github.com/zmap/zlint/v3/lint/profile.go
index d94c94c03..20050b964 100644
--- a/vendor/github.com/zmap/zlint/v3/lint/profile.go
+++ b/vendor/github.com/zmap/zlint/v3/lint/profile.go
@@ -1,5 +1,5 @@
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lint/registration.go b/vendor/github.com/zmap/zlint/v3/lint/registration.go
index 9e77ebf8c..d380b2218 100644
--- a/vendor/github.com/zmap/zlint/v3/lint/registration.go
+++ b/vendor/github.com/zmap/zlint/v3/lint/registration.go
@@ -1,5 +1,5 @@
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lint/result.go b/vendor/github.com/zmap/zlint/v3/lint/result.go
index ca3d6db0e..5839fb0d3 100644
--- a/vendor/github.com/zmap/zlint/v3/lint/result.go
+++ b/vendor/github.com/zmap/zlint/v3/lint/result.go
@@ -1,7 +1,7 @@
 package lint
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
@@ -62,8 +62,9 @@ var (
 // LintResult contains a LintStatus, and an optional human-readable description.
 // The output of a lint is a LintResult.
 type LintResult struct {
- Status LintStatus `json:"result"`
- Details string `json:"details,omitempty"`
+ Status LintStatus `json:"result"`
+ Details string `json:"details,omitempty"`
+ LintMetadata LintMetadata `json:"-"`
 }
 // MarshalJSON implements the json.Marshaler interface.
diff --git a/vendor/github.com/zmap/zlint/v3/lint/source.go b/vendor/github.com/zmap/zlint/v3/lint/source.go
index c1808c063..2486cb0a9 100644
--- a/vendor/github.com/zmap/zlint/v3/lint/source.go
+++ b/vendor/github.com/zmap/zlint/v3/lint/source.go
@@ -7,7 +7,7 @@ import (
 )
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
@@ -27,18 +27,19 @@ import (
 type LintSource string
 const (
- UnknownLintSource LintSource = "Unknown"
- RFC3279 LintSource = "RFC3279"
- RFC5280 LintSource = "RFC5280"
- RFC5480 LintSource = "RFC5480"
- RFC5891 LintSource = "RFC5891"
- RFC8813 LintSource = "RFC8813"
- CABFBaselineRequirements LintSource = "CABF_BR"
- CABFEVGuidelines LintSource = "CABF_EV"
- MozillaRootStorePolicy LintSource = "Mozilla"
- AppleRootStorePolicy LintSource = "Apple"
- Community LintSource = "Community"
- EtsiEsi LintSource = "ETSI_ESI"
+ UnknownLintSource LintSource = "Unknown"
+ RFC3279 LintSource = "RFC3279"
+ RFC5280 LintSource = "RFC5280"
+ RFC5480 LintSource = "RFC5480"
+ RFC5891 LintSource = "RFC5891"
+ RFC8813 LintSource = "RFC8813"
+ CABFBaselineRequirements LintSource = "CABF_BR"
+ CABFSMIMEBaselineRequirements LintSource = "CABF_SMIME_BR"
+ CABFEVGuidelines LintSource = "CABF_EV"
+ MozillaRootStorePolicy LintSource = "Mozilla"
+ AppleRootStorePolicy LintSource = "Apple"
+ Community LintSource = "Community"
+ EtsiEsi LintSource = "ETSI_ESI"
 )
 // UnmarshalJSON implements the json.Unmarshaler interface. It ensures that the
@@ -50,7 +51,7 @@ func (s *LintSource) UnmarshalJSON(data []byte) error {
 }
 switch LintSource(throwAway) {
- case RFC5280, RFC5480, RFC5891, CABFBaselineRequirements, CABFEVGuidelines, MozillaRootStorePolicy, AppleRootStorePolicy, Community, EtsiEsi:
+ case RFC5280, RFC5480, RFC5891, CABFBaselineRequirements, CABFEVGuidelines, CABFSMIMEBaselineRequirements, MozillaRootStorePolicy, AppleRootStorePolicy, Community, EtsiEsi:
 *s = LintSource(throwAway)
 return nil
 default:
@@ -78,6 +79,8 @@ func (s *LintSource) FromString(src string) {
 *s = CABFBaselineRequirements
 case CABFEVGuidelines:
 *s = CABFEVGuidelines
+ case CABFSMIMEBaselineRequirements:
+ *s = CABFSMIMEBaselineRequirements
 case MozillaRootStorePolicy:
 *s = MozillaRootStorePolicy
 case AppleRootStorePolicy:
diff --git a/vendor/github.com/zmap/zlint/v3/lints/apple/lint_ct_sct_policy_count_unsatisfied.go b/vendor/github.com/zmap/zlint/v3/lints/apple/lint_ct_sct_policy_count_unsatisfied.go
index 0f2eb822b..eba5da4a9 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/apple/lint_ct_sct_policy_count_unsatisfied.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/apple/lint_ct_sct_policy_count_unsatisfied.go
@@ -1,5 +1,5 @@
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
@@ -27,13 +27,15 @@ import (
 type sctPolicyCount struct{}
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "w_ct_sct_policy_count_unsatisfied",
- Description: "Check if certificate has enough embedded SCTs to meet Apple CT Policy",
- Citation: "https://support.apple.com/en-us/HT205280",
- Source: lint.AppleRootStorePolicy,
- EffectiveDate: util.AppleCTPolicyDate,
- Lint: NewSctPolicyCount,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "w_ct_sct_policy_count_unsatisfied",
+ Description: "Check if certificate has enough embedded SCTs to meet Apple CT Policy",
+ Citation: "https://support.apple.com/en-us/HT205280",
+ Source: lint.AppleRootStorePolicy,
+ EffectiveDate: util.AppleCTPolicyDate,
+ },
+ Lint: NewSctPolicyCount,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/apple/lint_e_server_cert_valid_time_longer_than_398_days.go b/vendor/github.com/zmap/zlint/v3/lints/apple/lint_e_server_cert_valid_time_longer_than_398_days.go
index b953c1b74..f67985de9 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/apple/lint_e_server_cert_valid_time_longer_than_398_days.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/apple/lint_e_server_cert_valid_time_longer_than_398_days.go
@@ -1,5 +1,5 @@
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
@@ -25,14 +25,16 @@ import (
 type serverCertValidityTooLong struct{}
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_tls_server_cert_valid_time_longer_than_398_days",
- Description: "TLS server certificates issued on or after September 1, 2020 " +
- "00:00 GMT/UTC must not have a validity period greater than 398 days",
- Citation: "https://support.apple.com/en-us/HT211025",
- Source: lint.AppleRootStorePolicy,
- EffectiveDate: util.AppleReducedLifetimeDate,
- Lint: NewServerCertValidityTooLong,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_tls_server_cert_valid_time_longer_than_398_days",
+ Description: "TLS server certificates issued on or after September 1, 2020 " +
+ "00:00 GMT/UTC must not have a validity period greater than 398 days",
+ Citation: "https://support.apple.com/en-us/HT211025",
+ Source: lint.AppleRootStorePolicy,
+ EffectiveDate: util.AppleReducedLifetimeDate,
+ },
+ Lint: NewServerCertValidityTooLong,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/apple/lint_w_server_cert_valid_time_longer_than_397_days.go b/vendor/github.com/zmap/zlint/v3/lints/apple/lint_w_server_cert_valid_time_longer_than_397_days.go
index 532b84683..d1d6daa4b 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/apple/lint_w_server_cert_valid_time_longer_than_397_days.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/apple/lint_w_server_cert_valid_time_longer_than_397_days.go
@@ -1,5 +1,5 @@
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
@@ -25,14 +25,16 @@ import (
 type serverCertValidityAlmostTooLong struct{}
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "w_tls_server_cert_valid_time_longer_than_397_days",
- Description: "TLS server certificates issued on or after September 1, 2020 " +
- "00:00 GMT/UTC should not have a validity period greater than 397 days",
- Citation: "https://support.apple.com/en-us/HT211025",
- Source: lint.AppleRootStorePolicy,
- EffectiveDate: util.AppleReducedLifetimeDate,
- Lint: NewServerCertValidityAlmostTooLong,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "w_tls_server_cert_valid_time_longer_than_397_days",
+ Description: "TLS server certificates issued on or after September 1, 2020 " +
+ "00:00 GMT/UTC should not have a validity period greater than 397 days",
+ Citation: "https://support.apple.com/en-us/HT211025",
+ Source: lint.AppleRootStorePolicy,
+ EffectiveDate: util.AppleReducedLifetimeDate,
+ },
+ Lint: NewServerCertValidityAlmostTooLong,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_common_name_missing.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_common_name_missing.go
index 4a350a245..5e27380f9 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_common_name_missing.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_common_name_missing.go
@@ -1,7 +1,7 @@
 package cabf_br
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
@@ -23,13 +23,15 @@ import (
 type caCommonNameMissing struct{}
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_ca_common_name_missing",
- Description: "CA Certificates common name MUST be included.",
- Citation: "BRs: 7.1.4.3.1",
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.CABV148Date,
- Lint: NewCaCommonNameMissing,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_ca_common_name_missing",
+ Description: "CA Certificates common name MUST be included.",
+ Citation: "BRs: 7.1.4.3.1",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.CABV148Date,
+ },
+ Lint: NewCaCommonNameMissing,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_country_name_invalid.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_country_name_invalid.go
index 0c1ce0534..dae179d2d 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_country_name_invalid.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_country_name_invalid.go
@@ -1,7 +1,7 @@
 package cabf_br
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
@@ -31,13 +31,15 @@ in which the CA’s place of business is located.
 ************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_ca_country_name_invalid",
- Description: "Root and Subordinate CA certificates MUST have a two-letter country code specified in ISO 3166-1",
- Citation: "BRs: 7.1.2.1",
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
- Lint: NewCaCountryNameInvalid,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_ca_country_name_invalid",
+ Description: "Root and Subordinate CA certificates MUST have a two-letter country code specified in ISO 3166-1",
+ Citation: "BRs: 7.1.2.1",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.CABEffectiveDate,
+ },
+ Lint: NewCaCountryNameInvalid,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_country_name_missing.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_country_name_missing.go
index a5fdb48f2..fa97bd977 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_country_name_missing.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_country_name_missing.go
@@ -1,7 +1,7 @@
 package cabf_br
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
@@ -31,13 +31,15 @@ in which the CA’s place of business is located.
 ************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_ca_country_name_missing",
- Description: "Root and Subordinate CA certificates MUST have a countryName present in subject information",
- Citation: "BRs: 7.1.2.1",
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
- Lint: NewCaCountryNameMissing,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_ca_country_name_missing",
+ Description: "Root and Subordinate CA certificates MUST have a countryName present in subject information",
+ Citation: "BRs: 7.1.2.1",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.CABEffectiveDate,
+ },
+ Lint: NewCaCountryNameMissing,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_crl_sign_not_set.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_crl_sign_not_set.go
index fac3e3e90..8530f0941 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_crl_sign_not_set.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_crl_sign_not_set.go
@@ -1,7 +1,7 @@
 package cabf_br
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
@@ -30,13 +30,15 @@ signing OCSP responses, then the digitalSignature bit MUST be set.
 ************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_ca_crl_sign_not_set",
- Description: "Root and Subordinate CA certificate keyUsage extension's crlSign bit MUST be set",
- Citation: "BRs: 7.1.2.1",
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
- Lint: NewCaCRLSignNotSet,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_ca_crl_sign_not_set",
+ Description: "Root and Subordinate CA certificate keyUsage extension's crlSign bit MUST be set",
+ Citation: "BRs: 7.1.2.1",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.CABEffectiveDate,
+ },
+ Lint: NewCaCRLSignNotSet,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_digital_signature_not_set.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_digital_signature_not_set.go
index f76531643..1d1f84be2 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_digital_signature_not_set.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_digital_signature_not_set.go
@@ -1,7 +1,7 @@
 package cabf_br
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
@@ -33,13 +33,15 @@ If the Root CA Private Key is used for signing OCSP responses, then the digitalS
 ************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "n_ca_digital_signature_not_set",
- Description: "Root and Subordinate CA Certificates that wish to use their private key for signing OCSP responses will not be able to without their digital signature set",
- Citation: "BRs: 7.1.2.1",
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
- Lint: NewCaDigSignNotSet,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "n_ca_digital_signature_not_set",
+ Description: "Root and Subordinate CA Certificates that wish to use their private key for signing OCSP responses will not be able to without their digital signature set",
+ Citation: "BRs: 7.1.2.1",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.CABEffectiveDate,
+ },
+ Lint: NewCaDigSignNotSet,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_is_ca.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_is_ca.go
index 170beb261..eed504195 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_is_ca.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_is_ca.go
@@ -1,7 +1,7 @@
 package cabf_br
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
@@ -24,13 +24,15 @@ import (
 type caIsCA struct{}
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_ca_is_ca",
- Description: "Root and Sub CA Certificate: The CA field MUST be set to true.",
- Citation: "BRs: 7.1.2.1, BRs: 7.1.2.2",
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
- Lint: NewCaIsCA,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_ca_is_ca",
+ Description: "Root and Sub CA Certificate: The CA field MUST be set to true.",
+ Citation: "BRs: 7.1.2.1, BRs: 7.1.2.2",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.CABEffectiveDate,
+ },
+ Lint: NewCaIsCA,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_key_cert_sign_not_set.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_key_cert_sign_not_set.go
index 9fe92b638..481f08b66 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_key_cert_sign_not_set.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_key_cert_sign_not_set.go
@@ -1,7 +1,7 @@
 package cabf_br
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
@@ -29,13 +29,15 @@ If the Root CA Private Key is used for signing OCSP responses, then the digitalS
 ************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_ca_key_cert_sign_not_set",
- Description: "Root CA Certificate: Bit positions for keyCertSign and cRLSign MUST be set.",
- Citation: "BRs: 7.1.2.1",
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
- Lint: NewCaKeyCertSignNotSet,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_ca_key_cert_sign_not_set",
+ Description: "Root CA Certificate: Bit positions for keyCertSign and cRLSign MUST be set.",
+ Citation: "BRs: 7.1.2.1",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.CABEffectiveDate,
+ },
+ Lint: NewCaKeyCertSignNotSet,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_key_usage_missing.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_key_usage_missing.go
index 84e0a9db5..0467c1c6f 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_key_usage_missing.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_key_usage_missing.go
@@ -1,7 +1,7 @@
 package cabf_br
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
@@ -31,13 +31,15 @@ Conforming CAs MUST include this extension in certificates that
 ************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_ca_key_usage_missing",
- Description: "Root and Subordinate CA certificate keyUsage extension MUST be present",
- Citation: "BRs: 7.1.2.1, RFC 5280: 4.2.1.3",
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.RFC3280Date,
- Lint: NewCaKeyUsageMissing,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_ca_key_usage_missing",
+ Description: "Root and Subordinate CA certificate keyUsage extension MUST be present",
+ Citation: "BRs: 7.1.2.1, RFC 5280: 4.2.1.3",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.RFC3280Date,
+ },
+ Lint: NewCaKeyUsageMissing,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_key_usage_not_critical.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_key_usage_not_critical.go
index 11a03b78e..eb19f2233 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_key_usage_not_critical.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_key_usage_not_critical.go
@@ -1,7 +1,7 @@
 package cabf_br
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
@@ -29,13 +29,15 @@ If the Root CA Private Key is used for signing OCSP responses, then the digitalS
 ************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_ca_key_usage_not_critical",
- Description: "Root and Subordinate CA certificate keyUsage extension MUST be marked as critical",
- Citation: "BRs: 7.1.2.1",
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
- Lint: NewCaKeyUsageNotCrit,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_ca_key_usage_not_critical",
+ Description: "Root and Subordinate CA certificate keyUsage extension MUST be marked as critical",
+ Citation: "BRs: 7.1.2.1",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.CABEffectiveDate,
+ },
+ Lint: NewCaKeyUsageNotCrit,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_organization_name_missing.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_organization_name_missing.go
index e4a686c7d..e8041fe92 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_organization_name_missing.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_organization_name_missing.go
@@ -1,7 +1,7 @@
 package cabf_br
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
@@ -28,13 +28,15 @@ The Certificate Subject MUST contain the following: organizationName (OID 2.5.4.
 ************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_ca_organization_name_missing",
- Description: "Root and Subordinate CA certificates MUST have a organizationName present in subject information",
- Citation: "BRs: 7.1.2.1",
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
- Lint: NewCaOrganizationNameMissing,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_ca_organization_name_missing",
+ Description: "Root and Subordinate CA certificates MUST have a organizationName present in subject information",
+ Citation: "BRs: 7.1.2.1",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.CABEffectiveDate,
+ },
+ Lint: NewCaOrganizationNameMissing,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cab_dv_conflicts_with_locality.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cab_dv_conflicts_with_locality.go
index e4776b6b1..393f2306e 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cab_dv_conflicts_with_locality.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cab_dv_conflicts_with_locality.go
@@ -1,7 +1,7 @@
 package cabf_br
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
@@ -24,13 +24,15 @@ import (
 )
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_cab_dv_conflicts_with_locality",
- Description: "If certificate policy 2.23.140.1.2.1 (CA/B BR domain validated) is included, locality name MUST NOT be included in subject",
- Citation: "BRs: 7.1.6.1",
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
- Lint: NewCertPolicyConflictsWithLocality,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_cab_dv_conflicts_with_locality",
+ Description: "If certificate policy 2.23.140.1.2.1 (CA/B BR domain validated) is included, locality name MUST NOT be included in subject",
+ Citation: "BRs: 7.1.6.1",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.CABEffectiveDate,
+ },
+ Lint: NewCertPolicyConflictsWithLocality,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cab_dv_conflicts_with_org.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cab_dv_conflicts_with_org.go
index 648cb03a8..8f849cf92 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cab_dv_conflicts_with_org.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cab_dv_conflicts_with_org.go
@@ -1,7 +1,7 @@
 package cabf_br
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
@@ -33,13 +33,15 @@ field. ************************************************/ func init() { - lint.RegisterLint(&lint.Lint{ - Name: "e_cab_dv_conflicts_with_org", - Description: "If certificate policy 2.23.140.1.2.1 (CA/B BR domain validated) is included, organization name MUST NOT be included in subject", - Citation: "BRs: 7.1.6.4", - Source: lint.CABFBaselineRequirements, - EffectiveDate: util.CABEffectiveDate, - Lint: NewCertPolicyConflictsWithOrg, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_cab_dv_conflicts_with_org", + Description: "If certificate policy 2.23.140.1.2.1 (CA/B BR domain validated) is included, organization name MUST NOT be included in subject", + Citation: "BRs: 7.1.6.4", + Source: lint.CABFBaselineRequirements, + EffectiveDate: util.CABEffectiveDate, + }, + Lint: NewCertPolicyConflictsWithOrg, }) } diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cab_dv_conflicts_with_postal.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cab_dv_conflicts_with_postal.go index 27e1997e3..f982d5688 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cab_dv_conflicts_with_postal.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cab_dv_conflicts_with_postal.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy 
@@ -33,13 +33,15 @@ field. ************************************************/ func init() { - lint.RegisterLint(&lint.Lint{ - Name: "e_cab_dv_conflicts_with_postal", - Description: "If certificate policy 2.23.140.1.2.1 (CA/B BR domain validated) is included, postalCode MUST NOT be included in subject", - Citation: "BRs: 7.1.6.4", - Source: lint.CABFBaselineRequirements, - EffectiveDate: util.CABEffectiveDate, - Lint: NewCertPolicyConflictsWithPostal, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_cab_dv_conflicts_with_postal", + Description: "If certificate policy 2.23.140.1.2.1 (CA/B BR domain validated) is included, postalCode MUST NOT be included in subject", + Citation: "BRs: 7.1.6.4", + Source: lint.CABFBaselineRequirements, + EffectiveDate: util.CABEffectiveDate, + }, + Lint: NewCertPolicyConflictsWithPostal, }) } diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cab_dv_conflicts_with_province.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cab_dv_conflicts_with_province.go index f26fdbc49..b2a6f0c32 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cab_dv_conflicts_with_province.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cab_dv_conflicts_with_province.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy 
@@ -33,13 +33,15 @@ field. ************************************************/ func init() { - lint.RegisterLint(&lint.Lint{ - Name: "e_cab_dv_conflicts_with_province", - Description: "If certificate policy 2.23.140.1.2.1 (CA/B BR domain validated) is included, stateOrProvinceName MUST NOT be included in subject", - Citation: "BRs: 7.1.6.4", - Source: lint.CABFBaselineRequirements, - EffectiveDate: util.CABEffectiveDate, - Lint: NewCertPolicyConflictsWithProvince, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_cab_dv_conflicts_with_province", + Description: "If certificate policy 2.23.140.1.2.1 (CA/B BR domain validated) is included, stateOrProvinceName MUST NOT be included in subject", + Citation: "BRs: 7.1.6.4", + Source: lint.CABFBaselineRequirements, + EffectiveDate: util.CABEffectiveDate, + }, + Lint: NewCertPolicyConflictsWithProvince, }) } diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cab_dv_conflicts_with_street.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cab_dv_conflicts_with_street.go index e842d6d5d..0d9d87eff 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cab_dv_conflicts_with_street.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cab_dv_conflicts_with_street.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy 
@@ -33,13 +33,15 @@ field. ************************************************/ func init() { - lint.RegisterLint(&lint.Lint{ - Name: "e_cab_dv_conflicts_with_street", - Description: "If certificate policy 2.23.140.1.2.1 (CA/B BR domain validated) is included, streetAddress MUST NOT be included in subject", - Citation: "BRs: 7.1.6.4", - Source: lint.CABFBaselineRequirements, - EffectiveDate: util.CABEffectiveDate, - Lint: NewCertPolicyConflictsWithStreet, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_cab_dv_conflicts_with_street", + Description: "If certificate policy 2.23.140.1.2.1 (CA/B BR domain validated) is included, streetAddress MUST NOT be included in subject", + Citation: "BRs: 7.1.6.4", + Source: lint.CABFBaselineRequirements, + EffectiveDate: util.CABEffectiveDate, + }, + Lint: NewCertPolicyConflictsWithStreet, }) } diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cab_dv_subject_invalid_values.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cab_dv_subject_invalid_values.go new file mode 100644 index 000000000..ee768fe97 --- /dev/null +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cab_dv_subject_invalid_values.go 
@@ -0,0 +1,86 @@
+package cabf_br
+
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+import (
+ "fmt"
+
+ "github.com/zmap/zcrypto/x509"
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/util"
+)
+
+type dvSubjectInvalidValues struct{}
+
+/************************************************
+7.1.2.7.2 Domain Validated
+
+The following table details the acceptable AttributeTypes that may appear within the type
+field of an AttributeTypeAndValue, as well as the contents permitted within the value field.
+
+Table 35: Domain Validated subject Attributes
+
+countryName MAY The two‐letter ISO 3166‐1 country code for the country
+associated with the Subject. Section 3.2.2.3
+
+commonName NOT RECOMMENDED
+If present, MUST contain a value derived from the
+subjectAltName extension according to Section
+7.1.4.3.
+
+Any other attribute MUST NOT
+************************************************/
+
+func init() {
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_cab_dv_subject_invalid_values",
+ Description: "If certificate policy 2.23.140.1.2.1 (CA/B BR domain validated) is included, only country and/or common name is allowed in SubjectDN.",
+ Citation: "BRs: 7.1.2.7.2",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.SC62EffectiveDate,
+ },
+ Lint: NewDvSubjectInvalidValues,
+ })
+}
+
+func NewDvSubjectInvalidValues() lint.LintInterface {
+ return &dvSubjectInvalidValues{}
+}
+
+func (l *dvSubjectInvalidValues) CheckApplies(cert *x509.Certificate) bool {
+ return util.SliceContainsOID(cert.PolicyIdentifiers, util.BRDomainValidatedOID) && util.IsSubscriberCert(cert)
+}
+
+func (l *dvSubjectInvalidValues) Execute(cert *x509.Certificate) *lint.LintResult {
+ names := util.GetTypesInName(&cert.Subject)
+ var cnFound = false
+ for _, n := range names {
+ if n.Equal(util.CommonNameOID) {
+ cnFound = true
+ continue
+ }
+ if n.Equal(util.CountryNameOID) {
+ continue
+ }
+ return &lint.LintResult{Status: lint.Error, Details: fmt.Sprintf("DV certificate contains the invalid attribute type %s", n)}
+ }
+
+ if cnFound {
+ return &lint.LintResult{Status: lint.Warn, Details: "DV certificate contains a subject common name, this is not recommended."}
+ }
+
+ return &lint.LintResult{Status: lint.Pass}
+}
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cab_iv_requires_personal_name.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cab_iv_requires_personal_name.go
index 4c7a758d4..32c016175 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cab_iv_requires_personal_name.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cab_iv_requires_personal_name.go
@@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy @@ -34,13 +34,15 @@ the Subject field. ************************************************/ func init() { - lint.RegisterLint(&lint.Lint{ - Name: "e_cab_iv_requires_personal_name", - Description: "If certificate policy 2.23.140.1.2.3 is included, either organizationName or givenName and surname MUST be included in subject", - Citation: "BRs: 7.1.6.4", - Source: lint.CABFBaselineRequirements, - EffectiveDate: util.CABV131Date, - Lint: NewCertPolicyRequiresPersonalName, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_cab_iv_requires_personal_name", + Description: "If certificate policy 2.23.140.1.2.3 is included, either organizationName or givenName and surname MUST be included in subject", + Citation: "BRs: 7.1.6.4", + Source: lint.CABFBaselineRequirements, + EffectiveDate: util.CABV131Date, + }, + Lint: NewCertPolicyRequiresPersonalName, }) } diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cab_ov_requires_org.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cab_ov_requires_org.go index c73b7665b..7206ff712 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cab_ov_requires_org.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cab_ov_requires_org.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy 
@@ -33,13 +33,15 @@ required under Section 7.1.4.2.2), and countryName in the Subject field. ************************************************/ func init() { - lint.RegisterLint(&lint.Lint{ - Name: "e_cab_ov_requires_org", - Description: "If certificate policy 2.23.140.1.2.2 is included, organizationName MUST be included in subject", - Citation: "BRs: 7.1.6.4", - Source: lint.CABFBaselineRequirements, - EffectiveDate: util.CABEffectiveDate, - Lint: NewCertPolicyRequiresOrg, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_cab_ov_requires_org", + Description: "If certificate policy 2.23.140.1.2.2 is included, organizationName MUST be included in subject", + Citation: "BRs: 7.1.6.4", + Source: lint.CABFBaselineRequirements, + EffectiveDate: util.CABEffectiveDate, + }, + Lint: NewCertPolicyRequiresOrg, }) } diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cabf_crl_reason_code_not_critical.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cabf_crl_reason_code_not_critical.go new file mode 100644 index 000000000..a09416506 --- /dev/null +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cabf_crl_reason_code_not_critical.go 
@@ -0,0 +1,60 @@
+package cabf_br
+
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+import (
+ "github.com/zmap/zcrypto/x509"
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/util"
+)
+
+type crlReasonCodeNotCritical struct{}
+
+func init() {
+ lint.RegisterRevocationListLint(&lint.RevocationListLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_cab_crl_reason_code_not_critical",
+ Description: "If present, CRL Reason Code extension MUST NOT be marked critical.",
+ Citation: "BRs: 7.2.2",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.CABEffectiveDate,
+ },
+ Lint: NewCrlReasonCodeNotCritical,
+ })
+}
+
+func NewCrlReasonCodeNotCritical() lint.RevocationListLintInterface {
+ return &crlReasonCodeNotCritical{}
+}
+
+func (l *crlReasonCodeNotCritical) CheckApplies(c *x509.RevocationList) bool {
+ return len(c.RevokedCertificates) > 0
+}
+
+func (l *crlReasonCodeNotCritical) Execute(c *x509.RevocationList) *lint.LintResult {
+ for _, c := range c.RevokedCertificates {
+ if c.ReasonCode == nil {
+ continue
+ }
+ for _, ext := range c.Extensions {
+ if ext.Id.Equal(util.ReasonCodeOID) {
+ if ext.Critical {
+ return &lint.LintResult{Status: lint.Error, Details: "CRL Reason Code extension MUST NOT be marked as critical."}
+ }
+ }
+ }
+ }
+ return &lint.LintResult{Status: lint.Pass}
+}
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cabf_crl_valid_reason_codes.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cabf_crl_valid_reason_codes.go
new file mode 100644
index 000000000..470b1e125
--- /dev/null
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cabf_crl_valid_reason_codes.go
@@ -0,0 +1,68 @@
+package cabf_br
+
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+import (
+ "github.com/zmap/zcrypto/x509"
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/util"
+)
+
+type crlHasValidReasonCodes struct{}
+
+func init() {
+ lint.RegisterRevocationListLint(&lint.RevocationListLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_cab_crl_has_valid_reason_code",
+ Description: "Only the following CRLReasons MAY be present: 1, 3, 4, 5, 9.",
+ Citation: "BRs: 7.2.2",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.CABFBRs_1_8_7_Date,
+ },
+ Lint: NewCrlHasValidReasonCode,
+ })
+}
+
+func NewCrlHasValidReasonCode() lint.RevocationListLintInterface {
+ return &crlHasValidReasonCodes{}
+}
+
+func (l *crlHasValidReasonCodes) CheckApplies(c *x509.RevocationList) bool {
+ return len(c.RevokedCertificates) > 0
+}
+
+var validReasons = map[int]bool{
+ 1: true,
+ 3: true,
+ 4: true,
+ 5: true,
+ 9: true,
+}
+
+func (l *crlHasValidReasonCodes) Execute(c *x509.RevocationList) *lint.LintResult {
+ for _, c := range c.RevokedCertificates {
+ if c.ReasonCode == nil {
+ continue
+ }
+ code := *c.ReasonCode
+ if code == 0 {
+ return &lint.LintResult{Status: lint.Error, Details: "The reason code CRL entry extension SHOULD be absent instead of using the unspecified (0) reasonCode value."}
+ }
+ if _, ok := validReasons[code]; !ok {
+ return &lint.LintResult{Status: 
lint.Error, Details: "Reason code not included in BR: 7.2.2"}
+ }
+ }
+ return &lint.LintResult{Status: lint.Pass}
+}
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cert_policy_iv_requires_country.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cert_policy_iv_requires_country.go
index a33dcaa55..f05f8553e 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cert_policy_iv_requires_country.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cert_policy_iv_requires_country.go
@@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy
@@ -34,13 +34,15 @@ the Subject field. ************************************************/ func init() { - lint.RegisterLint(&lint.Lint{ - Name: "e_cert_policy_iv_requires_country", - Description: "If certificate policy 2.23.140.1.2.3 is included, countryName MUST be included in subject", - Citation: "BRs: 7.1.6.4", - Source: lint.CABFBaselineRequirements, - EffectiveDate: util.CABV131Date, - Lint: NewCertPolicyIVRequiresCountry, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_cert_policy_iv_requires_country", + Description: "If certificate policy 2.23.140.1.2.3 is included, countryName MUST be included in subject", + Citation: "BRs: 7.1.6.4", + Source: lint.CABFBaselineRequirements, + EffectiveDate: util.CABV131Date, + }, + Lint: NewCertPolicyIVRequiresCountry, }) }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cert_policy_iv_requires_province_or_locality.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cert_policy_iv_requires_province_or_locality.go
index 5e423bb0e..c146f90cd 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cert_policy_iv_requires_province_or_locality.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cert_policy_iv_requires_province_or_locality.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy @@ -35,13 +35,15 @@ the Subject field. // 7.1.4.2.2 applies only to subscriber certificates. func init() { - lint.RegisterLint(&lint.Lint{ - Name: "e_cert_policy_iv_requires_province_or_locality", - Description: "If certificate policy 2.23.140.1.2.3 is included, localityName or stateOrProvinceName MUST be included in subject", - Citation: "BRs: 7.1.6.4", - Source: lint.CABFBaselineRequirements, - EffectiveDate: util.CABV131Date, - Lint: NewCertPolicyIVRequiresProvinceOrLocal, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_cert_policy_iv_requires_province_or_locality", + Description: "If certificate policy 2.23.140.1.2.3 is included, localityName or stateOrProvinceName MUST be included in subject", + Citation: "BRs: 7.1.6.4", + Source: lint.CABFBaselineRequirements, + EffectiveDate: util.CABV131Date, + }, + Lint: NewCertPolicyIVRequiresProvinceOrLocal, }) } diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cert_policy_ov_requires_country.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cert_policy_ov_requires_country.go index 7ef68f93e..1cc761db0 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cert_policy_ov_requires_country.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cert_policy_ov_requires_country.go 
@@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy @@ -33,13 +33,15 @@ required under Section 7.1.4.2.2), and countryName in the Subject field. ************************************************/ func init() { - lint.RegisterLint(&lint.Lint{ - Name: "e_cert_policy_ov_requires_country", - Description: "If certificate policy 2.23.140.1.2.2 is included, countryName MUST be included in subject", - Citation: "BRs: 7.1.6.4", - Source: lint.CABFBaselineRequirements, - EffectiveDate: util.CABEffectiveDate, - Lint: NewCertPolicyOVRequiresCountry, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_cert_policy_ov_requires_country", + Description: "If certificate policy 2.23.140.1.2.2 is included, countryName MUST be included in subject", + Citation: "BRs: 7.1.6.4", + Source: lint.CABFBaselineRequirements, + EffectiveDate: util.CABEffectiveDate, + }, + Lint: NewCertPolicyOVRequiresCountry, }) } diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cert_policy_ov_requires_province_or_locality.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cert_policy_ov_requires_province_or_locality.go index 99cfb6d46..59dda9e4a 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cert_policy_ov_requires_province_or_locality.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cert_policy_ov_requires_province_or_locality.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy 
@@ -35,13 +35,15 @@ Note: 7.1.4.2.2 applies only to subscriber certificates. ************************************************/ func init() { - lint.RegisterLint(&lint.Lint{ - Name: "e_cert_policy_ov_requires_province_or_locality", - Description: "If certificate policy 2.23.140.1.2.2 is included, localityName or stateOrProvinceName MUST be included in subject", - Citation: "BRs: 7.1.6.4", - Source: lint.CABFBaselineRequirements, - EffectiveDate: util.CABEffectiveDate, - Lint: NewCertPolicyOVRequiresProvinceOrLocal, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_cert_policy_ov_requires_province_or_locality", + Description: "If certificate policy 2.23.140.1.2.2 is included, localityName or stateOrProvinceName MUST be included in subject", + Citation: "BRs: 7.1.6.4", + Source: lint.CABFBaselineRequirements, + EffectiveDate: util.CABEffectiveDate, + }, + Lint: NewCertPolicyOVRequiresProvinceOrLocal, }) } diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_crlissuer_must_not_be_present_in_cdp.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_crlissuer_must_not_be_present_in_cdp.go new file mode 100644 index 000000000..739ed233d --- /dev/null +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_crlissuer_must_not_be_present_in_cdp.go 
@@ -0,0 +1,79 @@
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+package cabf_br
+
+import (
+ "github.com/zmap/zcrypto/encoding/asn1"
+ "github.com/zmap/zcrypto/x509"
+ "github.com/zmap/zcrypto/x509/pkix"
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/util"
+)
+
+func init() {
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_crlissuer_must_not_be_present_in_cdp",
+ Description: "crlIssuer and/or Reason field MUST NOT be present in the CDP extension.",
+ Citation: "BR Section 7.1.2.11.2",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.SC62EffectiveDate,
+ },
+ Lint: NewCrlissuerMustNotBePresentInCdp,
+ })
+}
+
+type CrlissuerMustNotBePresentInCdp struct{}
+
+func NewCrlissuerMustNotBePresentInCdp() lint.LintInterface {
+ return &CrlissuerMustNotBePresentInCdp{}
+}
+
+func (l *CrlissuerMustNotBePresentInCdp) CheckApplies(c *x509.Certificate) bool {
+ return c.CRLDistributionPoints != nil
+}
+
+func (l *CrlissuerMustNotBePresentInCdp) Execute(c *x509.Certificate) *lint.LintResult {
+
+ for _, ext := range c.Extensions {
+ if ext.Id.Equal(util.CrlDistOID) {
+ var cdp []distributionPoint
+ _, err := asn1.Unmarshal(ext.Value, &cdp)
+ if err != nil {
+ return &lint.LintResult{Status: lint.Fatal}
+ }
+ for _, dp := range cdp {
+ if (len(dp.CRLIssuer.Bytes) > 0) || (len(dp.Reason.Bytes) > 0) {
+ return 
&lint.LintResult{Status: lint.Error}
+ }
+
+ }
+
+ }
+ }
+
+ return &lint.LintResult{Status: lint.Pass}
+}
+
+type distributionPoint struct {
+ DistributionPoint distributionPointName `asn1:"optional,tag:0"`
+ Reason asn1.BitString `asn1:"optional,tag:1"`
+ CRLIssuer asn1.RawValue `asn1:"optional,tag:2"`
+}
+
+type distributionPointName struct {
+ FullName asn1.RawValue `asn1:"optional,tag:0"`
+ RelativeName pkix.RDNSequence `asn1:"optional,tag:1"`
+}
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dh_params_missing.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dh_params_missing.go
index 244d2376c..db9546ebd 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dh_params_missing.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dh_params_missing.go
@@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy
@@ -25,14 +25,16 @@ import ( type dsaParamsMissing struct{} func init() { - lint.RegisterLint(&lint.Lint{ - Name: "e_dsa_params_missing", - Description: "DSA: Certificates MUST include all domain parameters", - Citation: "BRs v1.7.0: 6.1.6", - Source: lint.CABFBaselineRequirements, - EffectiveDate: util.CABEffectiveDate, - IneffectiveDate: util.CABFBRs_1_7_1_Date, - Lint: NewDsaParamsMissing, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_dsa_params_missing", + Description: "DSA: Certificates MUST include all domain parameters", + Citation: "BRs v1.7.0: 6.1.6", + Source: lint.CABFBaselineRequirements, + EffectiveDate: util.CABEffectiveDate, + IneffectiveDate: util.CABFBRs_1_7_1_Date, + }, + Lint: NewDsaParamsMissing, }) }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_bad_character_in_label.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_bad_character_in_label.go index ebf317840..4147d04ff 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_bad_character_in_label.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_bad_character_in_label.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy @@ -27,13 +27,15 @@ type DNSNameProperCharacters struct { } func init() { - lint.RegisterLint(&lint.Lint{ - Name: "e_dnsname_bad_character_in_label", - Description: "Characters in labels of DNSNames MUST be alphanumeric, - , _ or *", - Citation: "BRs: 7.1.4.2", - Source: lint.CABFBaselineRequirements, - EffectiveDate: util.CABEffectiveDate, - Lint: NewDNSNameProperCharacters, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_dnsname_bad_character_in_label", + Description: "Characters in labels of DNSNames MUST be alphanumeric, - , _ or *", + Citation: "BRs: 7.1.4.2", + Source: lint.CABFBaselineRequirements, + EffectiveDate: util.CABEffectiveDate, + }, + Lint: NewDNSNameProperCharacters, }) } diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_check_left_label_wildcard.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_check_left_label_wildcard.go index b829d19e0..ed3bcc871 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_check_left_label_wildcard.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_check_left_label_wildcard.go 
@@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy @@ -25,13 +25,15 @@ import ( type DNSNameLeftLabelWildcardCheck struct{} func init() { - lint.RegisterLint(&lint.Lint{ - Name: "e_dnsname_left_label_wildcard_correct", - Description: "Wildcards in the left label of DNSName should only be *", - Citation: "BRs: 1.6.1, Wildcard Certificate and Wildcard Domain Name", - Source: lint.CABFBaselineRequirements, - EffectiveDate: util.CABEffectiveDate, - Lint: NewDNSNameLeftLabelWildcardCheck, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_dnsname_left_label_wildcard_correct", + Description: "Wildcards in the left label of DNSName should only be *", + Citation: "BRs: 1.6.1, Wildcard Certificate and Wildcard Domain Name", + Source: lint.CABFBaselineRequirements, + EffectiveDate: util.CABEffectiveDate, + }, + Lint: NewDNSNameLeftLabelWildcardCheck, }) } diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_contains_bare_iana_suffix.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_contains_bare_iana_suffix.go index 57405f324..61d46b556 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_contains_bare_iana_suffix.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_contains_bare_iana_suffix.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy 
@@ -23,13 +23,15 @@ import ( type dnsNameContainsBareIANASuffix struct{} func init() { - lint.RegisterLint(&lint.Lint{ - Name: "e_dnsname_contains_bare_iana_suffix", - Description: "DNSNames should not contain a bare IANA suffix.", - Citation: "BRs: 1.6.1, Base Domain Name", - Source: lint.CABFBaselineRequirements, - EffectiveDate: util.CABEffectiveDate, - Lint: NewDnsNameContainsBareIANASuffix, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_dnsname_contains_bare_iana_suffix", + Description: "DNSNames should not contain a bare IANA suffix.", + Citation: "BRs: 1.6.1, Base Domain Name", + Source: lint.CABFBaselineRequirements, + EffectiveDate: util.CABEffectiveDate, + }, + Lint: NewDnsNameContainsBareIANASuffix, }) } diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_contains_empty_label.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_contains_empty_label.go index e5be883f9..d2b0a0ac9 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_contains_empty_label.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_contains_empty_label.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy 
@@ -25,13 +25,15 @@ import (
 type DNSNameEmptyLabel struct{}
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_dnsname_empty_label",
- Description: "DNSNames should not have an empty label.",
- Citation: "BRs: 7.1.4.2",
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
- Lint: NewDNSNameEmptyLabel,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_dnsname_empty_label",
+ Description: "DNSNames should not have an empty label.",
+ Citation: "BRs: 7.1.4.2",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.CABEffectiveDate,
+ },
+ Lint: NewDNSNameEmptyLabel,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_contains_prohibited_reserved_label.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_contains_prohibited_reserved_label.go
index ef9d4a191..aa6342c87 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_contains_prohibited_reserved_label.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_contains_prohibited_reserved_label.go
@@ -1,5 +1,5 @@
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
@@ -23,13 +23,15 @@ import (
 )
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_dnsname_contains_prohibited_reserved_label",
- Description: "FQDNs MUST consist solely of Domain Labels that are P‐Labels or Non‐Reserved LDH Labels",
- Citation: "BRs: 7.1.4.2.1",
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.NoReservedDomainLabelsDate,
- Lint: NewDNSNameContainsProhibitedReservedLabel,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_dnsname_contains_prohibited_reserved_label",
+ Description: "FQDNs MUST consist solely of Domain Labels that are P‐Labels or Non‐Reserved LDH Labels",
+ Citation: "BRs: 7.1.4.2.1",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.NoReservedDomainLabelsDate,
+ },
+ Lint: NewDNSNameContainsProhibitedReservedLabel,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_hyphen_in_sld.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_hyphen_in_sld.go
index 83c00642c..9a7474b3c 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_hyphen_in_sld.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_hyphen_in_sld.go
@@ -1,7 +1,7 @@
 package cabf_br
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
@@ -25,13 +25,15 @@ import (
 type DNSNameHyphenInSLD struct{}
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_dnsname_hyphen_in_sld",
- Description: "DNSName should not have a hyphen beginning or ending the SLD",
- Citation: "BRs 7.1.4.2",
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.RFC5280Date,
- Lint: NewDNSNameHyphenInSLD,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_dnsname_hyphen_in_sld",
+ Description: "DNSName should not have a hyphen beginning or ending the SLD",
+ Citation: "BRs 7.1.4.2",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.RFC5280Date,
+ },
+ Lint: NewDNSNameHyphenInSLD,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_label_too_long.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_label_too_long.go
index e103b7c4a..6d619e7b8 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_label_too_long.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_label_too_long.go
@@ -1,7 +1,7 @@
 package cabf_br
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
@@ -25,13 +25,15 @@ import (
 type DNSNameLabelLengthTooLong struct{}
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_dnsname_label_too_long",
- Description: "DNSName labels MUST be less than or equal to 63 characters",
- Citation: "RFC 1035",
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
- Lint: NewDNSNameLabelLengthTooLong,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_dnsname_label_too_long",
+ Description: "DNSName labels MUST be less than or equal to 63 characters",
+ Citation: "RFC 1035",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.CABEffectiveDate,
+ },
+ Lint: NewDNSNameLabelLengthTooLong,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_right_label_valid_tld.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_right_label_valid_tld.go
index 7d36e69d1..8bc682a9e 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_right_label_valid_tld.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_right_label_valid_tld.go
@@ -1,7 +1,7 @@
 package cabf_br
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
@@ -23,13 +23,15 @@ import (
 type DNSNameValidTLD struct{}
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_dnsname_not_valid_tld",
- Description: "DNSNames must have a valid TLD.",
- Citation: "BRs: 3.2.2.4",
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
- Lint: NewDNSNameValidTLD,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_dnsname_not_valid_tld",
+ Description: "DNSNames must have a valid TLD.",
+ Citation: "BRs: 3.2.2.4",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.CABEffectiveDate,
+ },
+ Lint: NewDNSNameValidTLD,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_underscore_in_sld.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_underscore_in_sld.go
index f024ace59..0a0f1de67 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_underscore_in_sld.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_underscore_in_sld.go
@@ -1,7 +1,7 @@
 package cabf_br
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
@@ -25,13 +25,15 @@ import (
 type DNSNameUnderscoreInSLD struct{}
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_dnsname_underscore_in_sld",
- Description: "DNSName MUST NOT contain underscore characters",
- Citation: "BRs: 7.1.4.2.1",
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.RFC5280Date,
- Lint: NewDNSNameUnderscoreInSLD,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_dnsname_underscore_in_sld",
+ Description: "DNSName MUST NOT contain underscore characters",
+ Citation: "BRs: 7.1.4.2.1",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.RFC5280Date,
+ },
+ Lint: NewDNSNameUnderscoreInSLD,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_underscore_in_trd.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_underscore_in_trd.go
index b6266573a..0384cf376 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_underscore_in_trd.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_underscore_in_trd.go
@@ -1,7 +1,7 @@
 package cabf_br
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
@@ -25,13 +25,15 @@ import (
 type DNSNameUnderscoreInTRD struct{}
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "w_dnsname_underscore_in_trd",
- Description: "DNSName MUST NOT contain underscore characters",
- Citation: "BRs: 7.1.4.2.1",
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.RFC5280Date,
- Lint: NewDNSNameUnderscoreInTRD,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "w_dnsname_underscore_in_trd",
+ Description: "DNSName MUST NOT contain underscore characters",
+ Citation: "BRs: 7.1.4.2.1",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.RFC5280Date,
+ },
+ Lint: NewDNSNameUnderscoreInTRD,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_wildcard_left_of_public_suffix.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_wildcard_left_of_public_suffix.go
index 3277e3e6d..30be62ff1 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_wildcard_left_of_public_suffix.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_wildcard_left_of_public_suffix.go
@@ -1,7 +1,7 @@
 package cabf_br
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
@@ -23,13 +23,15 @@ import (
 type DNSNameWildcardLeftofPublicSuffix struct{}
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "n_dnsname_wildcard_left_of_public_suffix",
- Description: "the CA MUST establish and follow a documented procedure[^pubsuffix] that determines if the wildcard character occurs in the first label position to the left of a “registry‐controlled” label or “public suffix”",
- Citation: "BRs: 3.2.2.6",
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
- Lint: NewDNSNameWildcardLeftofPublicSuffix,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "n_dnsname_wildcard_left_of_public_suffix",
+ Description: "the CA MUST establish and follow a documented procedure[^pubsuffix] that determines if the wildcard character occurs in the first label position to the left of a “registry‐controlled” label or “public suffix”",
+ Citation: "BRs: 3.2.2.6",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.CABEffectiveDate,
+ },
+ Lint: NewDNSNameWildcardLeftofPublicSuffix,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_wildcard_only_in_left_label.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_wildcard_only_in_left_label.go
index 4d6338d39..38a952117 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_wildcard_only_in_left_label.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_wildcard_only_in_left_label.go
@@ -1,7 +1,7 @@
 package cabf_br
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
@@ -25,13 +25,15 @@ import (
 type DNSNameWildcardOnlyInLeftlabel struct{}
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_dnsname_wildcard_only_in_left_label",
- Description: "DNSName should not have wildcards except in the left-most label",
- Citation: "BRs: 1.6.1, Wildcard Domain Name",
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
- Lint: NewDNSNameWildcardOnlyInLeftlabel,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_dnsname_wildcard_only_in_left_label",
+ Description: "DNSName should not have wildcards except in the left-most label",
+ Citation: "BRs: 1.6.1, Wildcard Domain Name",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.CABEffectiveDate,
+ },
+ Lint: NewDNSNameWildcardOnlyInLeftlabel,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dsa_correct_order_in_subgroup.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dsa_correct_order_in_subgroup.go
index 03183614f..6dc0a0dce 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dsa_correct_order_in_subgroup.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dsa_correct_order_in_subgroup.go
@@ -1,7 +1,7 @@
 package cabf_br
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
@@ -27,13 +27,16 @@ import (
 type dsaSubgroup struct{}
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_dsa_correct_order_in_subgroup",
- Description: "DSA: Public key value has the unique correct representation in the field, and that the key has the correct order in the subgroup",
- Citation: "BRs v1.7.0: 6.1.6",
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
- Lint: NewDsaSubgroup,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_dsa_correct_order_in_subgroup",
+ Description: "DSA: Public key value has the unique correct representation in the field, and that the key has the correct order in the subgroup",
+ Citation: "BRs v1.7.0: 6.1.6",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.CABEffectiveDate,
+ IneffectiveDate: util.CABFBRs_1_7_1_Date,
+ },
+ Lint: NewDsaSubgroup,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dsa_improper_modulus_or_divisor_size.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dsa_improper_modulus_or_divisor_size.go
index 149373cb3..83a497528 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dsa_improper_modulus_or_divisor_size.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dsa_improper_modulus_or_divisor_size.go
@@ -1,7 +1,7 @@
 package cabf_br
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
@@ -25,13 +25,15 @@ import (
 type dsaImproperSize struct{}
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_dsa_improper_modulus_or_divisor_size",
- Description: "Certificates MUST meet the following requirements for DSA algorithm type and key size: L=2048 and N=224,256 or L=3072 and N=256",
- Citation: "BRs v1.7.0: 6.1.5",
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.ZeroDate,
- Lint: NewDsaImproperSize,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_dsa_improper_modulus_or_divisor_size",
+ Description: "Certificates MUST meet the following requirements for DSA algorithm type and key size: L=2048 and N=224,256 or L=3072 and N=256",
+ Citation: "BRs v1.7.0: 6.1.5",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.ZeroDate,
+ },
+ Lint: NewDsaImproperSize,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dsa_shorter_than_2048_bits.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dsa_shorter_than_2048_bits.go
index f7084b79e..bde8f0ee4 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dsa_shorter_than_2048_bits.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dsa_shorter_than_2048_bits.go
@@ -1,7 +1,7 @@
 package cabf_br
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
@@ -25,14 +25,17 @@ import (
 type dsaTooShort struct{}
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_dsa_shorter_than_2048_bits",
- Description: "DSA modulus size must be at least 2048 bits",
- Citation: "BRs v1.7.0: 6.1.5",
- // Refer to BRs: 6.1.5, taking the statement "Before 31 Dec 2010" literally
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.ZeroDate,
- Lint: NewDsaTooShort,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_dsa_shorter_than_2048_bits",
+ Description: "DSA modulus size must be at least 2048 bits",
+ Citation: "BRs v1.7.0: 6.1.5",
+ // Refer to BRs: 6.1.5, taking the statement "Before 31 Dec 2010" literally
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.ZeroDate,
+ IneffectiveDate: util.CABFBRs_1_7_1_Date,
+ },
+ Lint: NewDsaTooShort,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dsa_unique_correct_representation.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dsa_unique_correct_representation.go
index 8ed63b848..cdb5019ff 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dsa_unique_correct_representation.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dsa_unique_correct_representation.go
@@ -1,7 +1,7 @@
 package cabf_br
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
@@ -27,13 +27,16 @@ import (
 type dsaUniqueCorrectRepresentation struct{}
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_dsa_unique_correct_representation",
- Description: "DSA: Public key value has the unique correct representation in the field, and that the key has the correct order in the subgroup",
- Citation: "BRs v1.7.0: 6.1.6",
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
- Lint: NewDsaUniqueCorrectRepresentation,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_dsa_unique_correct_representation",
+ Description: "DSA: Public key value has the unique correct representation in the field, and that the key has the correct order in the subgroup",
+ Citation: "BRs v1.7.0: 6.1.6",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.CABEffectiveDate,
+ IneffectiveDate: util.CABFBRs_1_7_1_Date,
+ },
+ Lint: NewDsaUniqueCorrectRepresentation,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_e_sub_ca_aia_missing.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_e_sub_ca_aia_missing.go
index 8d8e038b2..ac887fa1d 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_e_sub_ca_aia_missing.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_e_sub_ca_aia_missing.go
@@ -1,7 +1,7 @@
 package cabf_br
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
@@ -31,14 +31,16 @@ marked critical, and it MUST contain the HTTP URL of the Issuing CA’s OCSP res
 ************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_sub_ca_aia_missing",
- Description: "Subordinate CA Certificate: authorityInformationAccess MUST be present, with the exception of stapling.",
- Citation: "BRs: 7.1.2.2",
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
- IneffectiveDate: util.CABFBRs_1_7_1_Date,
- Lint: NewCaAiaMissing,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_sub_ca_aia_missing",
+ Description: "Subordinate CA Certificate: authorityInformationAccess MUST be present, with the exception of stapling.",
+ Citation: "BRs: 7.1.2.2",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.CABEffectiveDate,
+ IneffectiveDate: util.CABFBRs_1_7_1_Date,
+ },
+ Lint: NewCaAiaMissing,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ec_improper_curves.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ec_improper_curves.go
index 711c11a09..4309c979a 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ec_improper_curves.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ec_improper_curves.go
@@ -1,7 +1,7 @@
 package cabf_br
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
@@ -31,14 +31,16 @@ ECC Curve: NIST P-256, P-384, or P-521
 ************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_ec_improper_curves",
- Description: "Only one of NIST P‐256, P‐384, or P‐521 can be used",
- Citation: "BRs: 6.1.5",
- Source: lint.CABFBaselineRequirements,
- // Refer to BRs: 6.1.5, taking the statement "Before 31 Dec 2010" literally
- EffectiveDate: util.ZeroDate,
- Lint: NewEcImproperCurves,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_ec_improper_curves",
+ Description: "Only one of NIST P‐256, P‐384, or P‐521 can be used",
+ Citation: "BRs: 6.1.5",
+ Source: lint.CABFBaselineRequirements,
+ // Refer to BRs: 6.1.5, taking the statement "Before 31 Dec 2010" literally
+ EffectiveDate: util.ZeroDate,
+ },
+ Lint: NewEcImproperCurves,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_eku_critical.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_eku_critical.go
new file mode 100644
index 000000000..43a2f1394
--- /dev/null
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_eku_critical.go
@@ -0,0 +1,52 @@
+package cabf_br
+
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+import (
+ "github.com/zmap/zcrypto/x509"
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/util"
+)
+
+type eKUCrit struct{}
+
+func init() {
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_eku_critical",
+ Description: "Subscriber Certificate extkeyUsage extension MUST NOT be marked critical",
+ Citation: "BRs: 7.1.2.7.6",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.SC62EffectiveDate,
+ },
+ Lint: NewEKUCrit,
+ })
+}
+
+func NewEKUCrit() lint.LintInterface {
+ return &eKUCrit{}
+}
+
+func (l *eKUCrit) CheckApplies(c *x509.Certificate) bool {
+ return util.IsSubscriberCert(c) && util.IsExtInCert(c, util.EkuSynOid)
+}
+
+func (l *eKUCrit) Execute(c *x509.Certificate) *lint.LintResult {
+ if e := util.GetExtFromCert(c, util.EkuSynOid); e.Critical {
+ return &lint.LintResult{Status: lint.Error}
+ } else {
+ return &lint.LintResult{Status: lint.Pass}
+ }
+}
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_nc_intersects_reserved_ip.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_nc_intersects_reserved_ip.go
index 47b3e714a..7e7b2d198 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_nc_intersects_reserved_ip.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_nc_intersects_reserved_ip.go
@@ -1,7 +1,7 @@
 package cabf_br
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
@@ -34,13 +34,15 @@ Subject commonName field containing a Reserved IP Address or Internal Name.
 ************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_ext_nc_intersects_reserved_ip",
- Description: "iPAddress name constraint intersects an IANA reserved network",
- Citation: "BRs: 7.1.5 / 7.1.4.2.1",
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
- Lint: NewNCReservedIPNet,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_ext_nc_intersects_reserved_ip",
+ Description: "iPAddress name constraint intersects an IANA reserved network",
+ Citation: "BRs: 7.1.5 / 7.1.4.2.1",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.CABEffectiveDate,
+ },
+ Lint: NewNCReservedIPNet,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_san_contains_reserved_ip.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_san_contains_reserved_ip.go
index 74cf1ae16..875690c9d 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_san_contains_reserved_ip.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_san_contains_reserved_ip.go
@@ -1,7 +1,7 @@
 package cabf_br
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
@@ -23,13 +23,15 @@ import (
 type SANReservedIP struct{}
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_ext_san_contains_reserved_ip",
- Description: "CAs SHALL NOT issue certificates with a subjectAltName extension or subject:commonName field containing a Reserved IP Address or Internal Name.",
- Citation: "BRs: 7.1.4.2.1",
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
- Lint: NewSANReservedIP,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_ext_san_contains_reserved_ip",
+ Description: "CAs SHALL NOT issue certificates with a subjectAltName extension or subject:commonName field containing a Reserved IP Address or Internal Name.",
+ Citation: "BRs: 7.1.4.2.1",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.CABEffectiveDate,
+ },
+ Lint: NewSANReservedIP,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_san_critical_with_subject_dn.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_san_critical_with_subject_dn.go
index eb965fc95..d2ab41470 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_san_critical_with_subject_dn.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_san_critical_with_subject_dn.go
@@ -1,7 +1,7 @@
 package cabf_br
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
@@ -34,13 +34,15 @@ Further, if the only subject identity included in the certificate is an
 ************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "w_ext_san_critical_with_subject_dn",
- Description: "If the subject contains a distinguished name, subjectAlternateName SHOULD be non-critical",
- Citation: "RFC 5280: 4.2.1.6",
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.RFC5280Date,
- Lint: NewExtSANCriticalWithSubjectDN,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "w_ext_san_critical_with_subject_dn",
+ Description: "If the subject contains a distinguished name, subjectAlternateName SHOULD be non-critical",
+ Citation: "RFC 5280: 4.2.1.6",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.RFC5280Date,
+ },
+ Lint: NewExtSANCriticalWithSubjectDN,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_san_directory_name_present.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_san_directory_name_present.go
index 5f402c7c5..f299c4b74 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_san_directory_name_present.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_san_directory_name_present.go
@@ -1,7 +1,7 @@
 package cabf_br
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
@@ -34,13 +34,15 @@ Wildcard FQDNs are permitted.
 *************************************************************************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_ext_san_directory_name_present",
- Description: "The Subject Alternate Name extension MUST contain only 'dnsName' and 'ipaddress' name types",
- Citation: "BRs: 7.1.4.2.1",
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
- Lint: NewSANDirName,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_ext_san_directory_name_present",
+ Description: "The Subject Alternate Name extension MUST contain only 'dnsName' and 'ipaddress' name types",
+ Citation: "BRs: 7.1.4.2.1",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.CABEffectiveDate,
+ },
+ Lint: NewSANDirName,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_san_edi_party_name_present.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_san_edi_party_name_present.go
index 4c9196f3c..e883544a8 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_san_edi_party_name_present.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_san_edi_party_name_present.go
@@ -1,7 +1,7 @@
 package cabf_br
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
@@ -34,13 +34,15 @@ Wildcard FQDNs are permitted.
 *************************************************************************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_ext_san_edi_party_name_present",
- Description: "The Subject Alternate Name extension MUST contain only 'dnsName' and 'ipaddress' name types",
- Citation: "BRs: 7.1.4.2.1",
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
- Lint: NewSANEDI,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_ext_san_edi_party_name_present",
+ Description: "The Subject Alternate Name extension MUST contain only 'dnsName' and 'ipaddress' name types",
+ Citation: "BRs: 7.1.4.2.1",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.CABEffectiveDate,
+ },
+ Lint: NewSANEDI,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_san_missing.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_san_missing.go
index d97caf02a..17cecfac2 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_san_missing.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_san_missing.go
@@ -1,7 +1,7 @@
 package cabf_br
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
@@ -30,13 +30,15 @@ Required/Optional: Required ************************************************/ func init() { - lint.RegisterLint(&lint.Lint{ - Name: "e_ext_san_missing", - Description: "Subscriber certificates MUST contain the Subject Alternate Name extension", - Citation: "BRs: 7.1.4.2.1", - Source: lint.CABFBaselineRequirements, - EffectiveDate: util.CABEffectiveDate, - Lint: NewSANMissing, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_ext_san_missing", + Description: "Subscriber certificates MUST contain the Subject Alternate Name extension", + Citation: "BRs: 7.1.4.2.1", + Source: lint.CABFBaselineRequirements, + EffectiveDate: util.CABEffectiveDate, + }, + Lint: NewSANMissing, }) } diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_san_other_name_present.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_san_other_name_present.go index 7b792ded5..693ac5f91 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_san_other_name_present.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_san_other_name_present.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy 
@@ -34,13 +34,15 @@ Wildcard FQDNs are permitted. *************************************************************************************************************/ func init() { - lint.RegisterLint(&lint.Lint{ - Name: "e_ext_san_other_name_present", - Description: "The Subject Alternate Name extension MUST contain only 'dnsName' and 'ipaddress' name types.", - Citation: "BRs: 7.1.4.2.1", - Source: lint.CABFBaselineRequirements, - EffectiveDate: util.CABEffectiveDate, - Lint: NewSANOtherName, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_ext_san_other_name_present", + Description: "The Subject Alternate Name extension MUST contain only 'dnsName' and 'ipaddress' name types.", + Citation: "BRs: 7.1.4.2.1", + Source: lint.CABFBaselineRequirements, + EffectiveDate: util.CABEffectiveDate, + }, + Lint: NewSANOtherName, }) } diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_san_registered_id_present.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_san_registered_id_present.go index 37fcee954..1206b1fbd 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_san_registered_id_present.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_san_registered_id_present.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy 
@@ -34,13 +34,15 @@ Wildcard FQDNs are permitted. *************************************************************************************************************/ func init() { - lint.RegisterLint(&lint.Lint{ - Name: "e_ext_san_registered_id_present", - Description: "The Subject Alternate Name extension MUST contain only 'dnsName' and 'ipaddress' name types.", - Citation: "BRs: 7.1.4.2.1", - Source: lint.CABFBaselineRequirements, - EffectiveDate: util.CABEffectiveDate, - Lint: NewSANRegId, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_ext_san_registered_id_present", + Description: "The Subject Alternate Name extension MUST contain only 'dnsName' and 'ipaddress' name types.", + Citation: "BRs: 7.1.4.2.1", + Source: lint.CABFBaselineRequirements, + EffectiveDate: util.CABEffectiveDate, + }, + Lint: NewSANRegId, }) } diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_san_rfc822_name_present.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_san_rfc822_name_present.go index caf2ca23d..1e181c1f6 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_san_rfc822_name_present.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_san_rfc822_name_present.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy 
@@ -34,13 +34,15 @@ Wildcard FQDNs are permitted. *************************************************************************************************************/ func init() { - lint.RegisterLint(&lint.Lint{ - Name: "e_ext_san_rfc822_name_present", - Description: "The Subject Alternate Name extension MUST contain only 'dnsName' and 'ipaddress' name types.", - Citation: "BRs: 7.1.4.2.1", - Source: lint.CABFBaselineRequirements, - EffectiveDate: util.CABEffectiveDate, - Lint: NewSANRfc822, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_ext_san_rfc822_name_present", + Description: "The Subject Alternate Name extension MUST contain only 'dnsName' and 'ipaddress' name types.", + Citation: "BRs: 7.1.4.2.1", + Source: lint.CABFBaselineRequirements, + EffectiveDate: util.CABEffectiveDate, + }, + Lint: NewSANRfc822, }) } diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_san_uniform_resource_identifier_present.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_san_uniform_resource_identifier_present.go index 707ee7e00..daa6e0478 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_san_uniform_resource_identifier_present.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_san_uniform_resource_identifier_present.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy 
@@ -34,13 +34,15 @@ Wildcard FQDNs are permitted. *************************************************************************************************************/ func init() { - lint.RegisterLint(&lint.Lint{ - Name: "e_ext_san_uniform_resource_identifier_present", - Description: "The Subject Alternate Name extension MUST contain only 'dnsName' and 'ipaddress' name types", - Citation: "BRs: 7.1.4.2.1", - Source: lint.CABFBaselineRequirements, - EffectiveDate: util.CABEffectiveDate, - Lint: NewSANURI, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_ext_san_uniform_resource_identifier_present", + Description: "The Subject Alternate Name extension MUST contain only 'dnsName' and 'ipaddress' name types", + Citation: "BRs: 7.1.4.2.1", + Source: lint.CABFBaselineRequirements, + EffectiveDate: util.CABEffectiveDate, + }, + Lint: NewSANURI, }) } diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_subject_key_identifier_not_recommended_subscriber.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_subject_key_identifier_not_recommended_subscriber.go new file mode 100644 index 000000000..73d0d24c5 --- /dev/null +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_subject_key_identifier_not_recommended_subscriber.go 
@@ -0,0 +1,70 @@
+package cabf_br
+
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+import (
+ "github.com/zmap/zcrypto/x509"
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/util"
+)
+
+type subjectKeyIdNotRecommendedSubscriber struct{}
+
+/**********************************************************************
+RFC5280 suggested the addition of SKI extension, but CABF BR SC62
+marked the extension as NOT RECOMMENDED for subscriber certificates
+
+Warning:
+Users of zlint will trigger either
+`w_ext_subject_key_identifier_not_recommended_subscriber` (this lint)
+or `w_ext_subject_key_identifier_missing_sub_cert` the one enforcing
+RFC5280's behavior.
+
+Users are expected to specifically ignore one or the other lint
+depending on which one apply to them.
+
+See:
+ - https://github.com/zmap/zlint/issues/749
+ - https://github.com/zmap/zlint/issues/762
+**********************************************************************/
+
+func init() {
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "w_ext_subject_key_identifier_not_recommended_subscriber",
+ Description: "Subscriber certificates use of Subject Key Identifier is NOT RECOMMENDED",
+ Citation: "BRs v2: 7.1.2.7.6",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.SC62EffectiveDate,
+ },
+ Lint: NewSubjectKeyIdNotRecommendedSubscriber,
+ })
+}
+
+func NewSubjectKeyIdNotRecommendedSubscriber() lint.LintInterface {
+ return &subjectKeyIdNotRecommendedSubscriber{}
+}
+
+func (l *subjectKeyIdNotRecommendedSubscriber) CheckApplies(cert *x509.Certificate) bool {
+ return util.IsSubscriberCert(cert)
+}
+
+func (l *subjectKeyIdNotRecommendedSubscriber) Execute(cert *x509.Certificate) *lint.LintResult {
+ if util.IsExtInCert(cert, util.SubjectKeyIdentityOID) {
+ return &lint.LintResult{Status: lint.Warn}
+ } else {
+ return &lint.LintResult{Status: lint.Pass}
+ }
+}
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_tor_service_descriptor_hash_invalid.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_tor_service_descriptor_hash_invalid.go
index 4d63e7776..c4b5db833 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_tor_service_descriptor_hash_invalid.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_tor_service_descriptor_hash_invalid.go
@@ -1,5 +1,5 @@
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
@@ -27,13 +27,15 @@ import ( type torServiceDescHashInvalid struct{} func init() { - lint.RegisterLint(&lint.Lint{ - Name: "e_ext_tor_service_descriptor_hash_invalid", - Description: "certificates with v2 .onion names need valid TorServiceDescriptors in extension", - Citation: "BRs: Ballot 201, Ballot SC27", - Source: lint.CABFBaselineRequirements, - EffectiveDate: util.CABV201Date, - Lint: NewTorServiceDescHashInvalid, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_ext_tor_service_descriptor_hash_invalid", + Description: "certificates with v2 .onion names need valid TorServiceDescriptors in extension", + Citation: "BRs: Ballot 201, Ballot SC27", + Source: lint.CABFBaselineRequirements, + EffectiveDate: util.CABV201Date, + }, + Lint: NewTorServiceDescHashInvalid, }) } diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_extra_subject_common_names.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_extra_subject_common_names.go index 03cc2a2a6..95feb2b81 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_extra_subject_common_names.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_extra_subject_common_names.go @@ -1,5 +1,5 @@ /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy 
@@ -23,13 +23,15 @@ import ( type extraSubjectCommonNames struct{} func init() { - lint.RegisterLint(&lint.Lint{ - Name: "w_extra_subject_common_names", - Description: "if present the subject commonName field MUST contain a single IP address or Fully-Qualified Domain Name", - Citation: "BRs: 7.1.4.2.2", - Source: lint.CABFBaselineRequirements, - EffectiveDate: util.CABEffectiveDate, - Lint: NewExtraSubjectCommonNames, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "w_extra_subject_common_names", + Description: "if present the subject commonName field MUST contain a single IP address or Fully-Qualified Domain Name", + Citation: "BRs: 7.1.4.2.2", + Source: lint.CABFBaselineRequirements, + EffectiveDate: util.CABEffectiveDate, + }, + Lint: NewExtraSubjectCommonNames, }) } diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_invalid_certificate_version.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_invalid_certificate_version.go index f66f6b4de..b6bcd92a8 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_invalid_certificate_version.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_invalid_certificate_version.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy 
@@ -27,13 +27,15 @@ Certificates MUST be of type X.509 v3. ************************************************/ func init() { - lint.RegisterLint(&lint.Lint{ - Name: "e_invalid_certificate_version", - Description: "Certificates MUST be of type X.590 v3", - Citation: "BRs: 7.1.1", - Source: lint.CABFBaselineRequirements, - EffectiveDate: util.CABV130Date, - Lint: NewInvalidCertificateVersion, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_invalid_certificate_version", + Description: "Certificates MUST be of type X.590 v3", + Citation: "BRs: 7.1.1", + Source: lint.CABFBaselineRequirements, + EffectiveDate: util.CABV130Date, + }, + Lint: NewInvalidCertificateVersion, }) } diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_invalid_subject_rdn_order.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_invalid_subject_rdn_order.go new file mode 100644 index 000000000..b4710e205 --- /dev/null +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_invalid_subject_rdn_order.go 
@@ -0,0 +1,145 @@
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+/*
+ * Contributed by Adriano Santoni
+ * of ACTALIS S.p.A. (www.actalis.com).
+ */
+
+package cabf_br
+
+import (
+ "crypto/x509/pkix"
+ "encoding/asn1"
+
+ "github.com/zmap/zcrypto/x509"
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/util"
+)
+
+func init() {
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_invalid_subject_rdn_order",
+ Description: "Subject field attributes (RDNs) SHALL be encoded in a specific order",
+ Citation: "BRs: 7.1.4.2",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.CABFBRs_2_0_0_Date,
+ },
+ Lint: NewInvalidSubjectRDNOrder,
+ })
+}
+
+type invalidSubjectRDNOrder struct{}
+
+func NewInvalidSubjectRDNOrder() lint.LintInterface {
+ return &invalidSubjectRDNOrder{}
+}
+
+func (l *invalidSubjectRDNOrder) CheckApplies(c *x509.Certificate) bool {
+ return util.IsSubscriberCert(c)
+}
+
+func getShortOIDName(oid string) string {
+ switch oid {
+ case "0.9.2342.19200300.100.1.25":
+ return "DC"
+ case "2.5.4.6":
+ return "C"
+ case "2.5.4.8":
+ return "ST"
+ case "2.5.4.7":
+ return "L"
+ case "2.5.4.17":
+ return "postalCode"
+ case "2.5.4.9":
+ return "street"
+ case "2.5.4.10":
+ return "O"
+ case "2.5.4.4":
+ return "SN"
+ case "2.5.4.42":
+ return "givenName"
+ case "2.5.4.11":
+ return "OU"
+ case "2.5.4.3":
+ return "CN"
+ default:
+ return ""
+ }
+}
+
+func findElement(arr []string, target string) (int, bool) {
+ for i, value := range arr {
+ if value == target {
+ return i, true
+ }
+ }
+ return -1, false
+}
+
+func checkOrder(actualOrder []string, expectedOrder []string) bool {
+ var prevPosition int
+ prevPosition = 0
+
+ for _, targetElement := range actualOrder {
+ position, found := findElement(expectedOrder, targetElement)
+ if found {
+ if position < prevPosition {
+ return false
+ }
+ prevPosition = position
+ }
+ }
+ return true
+}
+
+func checkSubjectRDNOrder(cert *x509.Certificate) bool {
+
+ rawSubject := cert.RawSubject
+
+ var rdnSequence pkix.RDNSequence
+ _, err := asn1.Unmarshal(rawSubject, &rdnSequence)
+ if err != nil {
+ return false
+ }
+
+ var rdnOrder []string
+
+ for _, rdn := range rdnSequence {
+ for _, atv := range rdn {
+ rdnShortName := getShortOIDName(atv.Type.String())
+ if rdnShortName != "" {
+ rdnOrder = append(rdnOrder, rdnShortName)
+ }
+ }
+ }
+
+ // Expected order of RDNs as per CABF BR section 7.1.4.2
+ expectedRDNOrder := []string{"DC", "C", "ST", "L", "postalCode", "street", "O", "SN", "givenName", "OU", "CN"}
+
+ return checkOrder(rdnOrder, expectedRDNOrder)
+}
+
+func (l *invalidSubjectRDNOrder) Execute(c *x509.Certificate) *lint.LintResult {
+
+ var out lint.LintResult
+
+ if checkSubjectRDNOrder(c) {
+ out.Status = lint.Pass
+ } else {
+ out.Status = lint.Error
+ }
+ return &out
+}
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_no_underscores_before_1_6_2.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_no_underscores_before_1_6_2.go
index 316c835b4..47790642a 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_no_underscores_before_1_6_2.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_no_underscores_before_1_6_2.go
@@ -1,5 +1,5 @@ /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy @@ -24,14 +24,16 @@ import ( ) func init() { - lint.RegisterLint(&lint.Lint{ - Name: "e_no_underscores_before_1_6_2", - Description: "Before explicitly stating as such in CABF 1.6.2, the stance of RFC5280 is adopted that DNSNames MUST NOT contain an underscore character.", - Citation: "BR 7.1.4.2.1", - Source: lint.CABFBaselineRequirements, - EffectiveDate: util.ZeroDate, - IneffectiveDate: util.CABFBRs_1_6_2_Date, - Lint: func() lint.LintInterface { return &NoUnderscoreBefore1_6_2{} }, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_no_underscores_before_1_6_2", + Description: "Before explicitly stating as such in CABF 1.6.2, the stance of RFC5280 is adopted that DNSNames MUST NOT contain an underscore character.", + Citation: "BR 7.1.4.2.1", + Source: lint.CABFBaselineRequirements, + EffectiveDate: util.ZeroDate, + IneffectiveDate: util.CABFBRs_1_6_2_Date, + }, + Lint: func() lint.LintInterface { return &NoUnderscoreBefore1_6_2{} }, }) } diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ocsp_id_pkix_ocsp_nocheck_ext_not_included_server_auth.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ocsp_id_pkix_ocsp_nocheck_ext_not_included_server_auth.go index 8601321ee..ecc0d8cba 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ocsp_id_pkix_ocsp_nocheck_ext_not_included_server_auth.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ocsp_id_pkix_ocsp_nocheck_ext_not_included_server_auth.go 
@@ -1,5 +1,5 @@ /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy @@ -23,14 +23,16 @@ import ( type OCSPIDPKIXOCSPNocheckExtNotIncludedServerAuth struct{} func init() { - lint.RegisterLint(&lint.Lint{ - Name: "e_ocsp_id_pkix_ocsp_nocheck_ext_not_included_server_auth", - Description: "OCSP signing Certificate MUST contain an extension of type id-pkixocsp-nocheck, as" + - " defined by RFC6960", - Citation: "BRs: 4.9.9", - Source: lint.CABFBaselineRequirements, - EffectiveDate: util.CABEffectiveDate, - Lint: NewOCSPIDPKIXOCSPNocheckExtNotIncludedServerAuth, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_ocsp_id_pkix_ocsp_nocheck_ext_not_included_server_auth", + Description: "OCSP signing Certificate MUST contain an extension of type id-pkixocsp-nocheck, as" + + " defined by RFC6960", + Citation: "BRs: 4.9.9", + Source: lint.CABFBaselineRequirements, + EffectiveDate: util.CABEffectiveDate, + }, + Lint: NewOCSPIDPKIXOCSPNocheckExtNotIncludedServerAuth, }) } diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_old_root_ca_rsa_mod_less_than_2048_bits.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_old_root_ca_rsa_mod_less_than_2048_bits.go index 527f8c94c..e16c9a06c 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_old_root_ca_rsa_mod_less_than_2048_bits.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_old_root_ca_rsa_mod_less_than_2048_bits.go 
@@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy @@ -25,13 +25,15 @@ import ( type rootCaModSize struct{} func init() { - lint.RegisterLint(&lint.Lint{ - Name: "e_old_root_ca_rsa_mod_less_than_2048_bits", - Description: "In a validity period beginning on or before 31 Dec 2010, root CA certificates using RSA public key algorithm MUST use a 2048 bit modulus", - Citation: "BRs: 6.1.5", - Source: lint.CABFBaselineRequirements, - EffectiveDate: util.ZeroDate, - Lint: NewRootCaModSize, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_old_root_ca_rsa_mod_less_than_2048_bits", + Description: "In a validity period beginning on or before 31 Dec 2010, root CA certificates using RSA public key algorithm MUST use a 2048 bit modulus", + Citation: "BRs: 6.1.5", + Source: lint.CABFBaselineRequirements, + EffectiveDate: util.ZeroDate, + }, + Lint: NewRootCaModSize, }) } diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_old_sub_ca_rsa_mod_less_than_1024_bits.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_old_sub_ca_rsa_mod_less_than_1024_bits.go index dfe5c41de..527d8e3b4 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_old_sub_ca_rsa_mod_less_than_1024_bits.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_old_sub_ca_rsa_mod_less_than_1024_bits.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy 
@@ -27,14 +27,16 @@ import ( type subCaModSize struct{} func init() { - lint.RegisterLint(&lint.Lint{ - Name: "e_old_sub_ca_rsa_mod_less_than_1024_bits", - Description: "In a validity period beginning on or before 31 Dec 2010 and ending on or before 31 Dec 2013, subordinate CA certificates using RSA public key algorithm MUST use a 1024 bit modulus", - Citation: "BRs: 6.1.5", - Source: lint.CABFBaselineRequirements, - // since effective date should be checked against end date in this specific case, putting time check into checkApplies instead, ZeroDate here to automatically pass NE test - EffectiveDate: util.ZeroDate, - Lint: NewSubCaModSize, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_old_sub_ca_rsa_mod_less_than_1024_bits", + Description: "In a validity period beginning on or before 31 Dec 2010 and ending on or before 31 Dec 2013, subordinate CA certificates using RSA public key algorithm MUST use a 1024 bit modulus", + Citation: "BRs: 6.1.5", + Source: lint.CABFBaselineRequirements, + // since effective date should be checked against end date in this specific case, putting time check into checkApplies instead, ZeroDate here to automatically pass NE test + EffectiveDate: util.ZeroDate, + }, + Lint: NewSubCaModSize, }) } diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_old_sub_cert_rsa_mod_less_than_1024_bits.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_old_sub_cert_rsa_mod_less_than_1024_bits.go index 3d742fe19..03af21782 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_old_sub_cert_rsa_mod_less_than_1024_bits.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_old_sub_cert_rsa_mod_less_than_1024_bits.go 
@@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy @@ -25,14 +25,16 @@ import ( type subModSize struct{} func init() { - lint.RegisterLint(&lint.Lint{ - Name: "e_old_sub_cert_rsa_mod_less_than_1024_bits", - Description: "In a validity period ending on or before 31 Dec 2013, subscriber certificates using RSA public key algorithm MUST use a 1024 bit modulus", - Citation: "BRs: 6.1.5", - Source: lint.CABFBaselineRequirements, - // since effective date should be checked against end date in this specific case, putting time check into checkApplies instead, ZeroDate here to automatically pass NE test - EffectiveDate: util.ZeroDate, - Lint: NewSubModSize, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_old_sub_cert_rsa_mod_less_than_1024_bits", + Description: "In a validity period ending on or before 31 Dec 2013, subscriber certificates using RSA public key algorithm MUST use a 1024 bit modulus", + Citation: "BRs: 6.1.5", + Source: lint.CABFBaselineRequirements, + // since effective date should be checked against end date in this specific case, putting time check into checkApplies instead, ZeroDate here to automatically pass NE test + EffectiveDate: util.ZeroDate, + }, + Lint: NewSubModSize, }) } diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_organizational_unit_name_prohibited.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_organizational_unit_name_prohibited.go index e485adea5..bf8b1e094 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_organizational_unit_name_prohibited.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_organizational_unit_name_prohibited.go 
@@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy @@ -21,13 +21,15 @@ import ( ) func init() { - lint.RegisterLint(&lint.Lint{ - Name: "e_organizational_unit_name_prohibited", - Description: "OrganizationalUnitName is prohibited if...the certificate was issued on or after September 1, 2022", - Citation: "BRs: 7.1.4.2.2-i", - Source: lint.CABFBaselineRequirements, - EffectiveDate: util.CABFBRs_OU_Prohibited_Date, - Lint: NewOrganizationalUnitNameProhibited, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_organizational_unit_name_prohibited", + Description: "OrganizationalUnitName is prohibited if...the certificate was issued on or after September 1, 2022", + Citation: "BRs: 7.1.4.2.2-i", + Source: lint.CABFBaselineRequirements, + EffectiveDate: util.CABFBRs_OU_Prohibited_Date, + }, + Lint: NewOrganizationalUnitNameProhibited, }) } diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_policy_qualifiers_other_than_cps_not_permitted.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_policy_qualifiers_other_than_cps_not_permitted.go new file mode 100644 index 000000000..56177b66b --- /dev/null +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_policy_qualifiers_other_than_cps_not_permitted.go 
@@ -0,0 +1,58 @@
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+package cabf_br
+
+import (
+ "github.com/zmap/zcrypto/x509"
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/util"
+)
+
+func init() {
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_policy_qualifiers_other_than_cps_not_permitted",
+ Description: "Policy Qualifiers other than id-qt-cps MUST NOT be present for certificates issued on or after September 15, 2023",
+ Citation: "BRs: 7.1.2.7.9",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.SC62EffectiveDate,
+ },
+ Lint: NewPolicyQualifiersOtherThanCpsNotPermitted,
+ })
+}
+
+type PolicyQualifiersOtherThanCpsNotPermitted struct{}
+
+func NewPolicyQualifiersOtherThanCpsNotPermitted() lint.LintInterface {
+ return &PolicyQualifiersOtherThanCpsNotPermitted{}
+}
+
+func (l *PolicyQualifiersOtherThanCpsNotPermitted) CheckApplies(c *x509.Certificate) bool {
+
+ return util.IsExtInCert(c, util.CertPolicyOID)
+
+}
+
+func (l *PolicyQualifiersOtherThanCpsNotPermitted) Execute(c *x509.Certificate) *lint.LintResult {
+ for _, qualifiers := range c.QualifierId {
+ for _, qt := range qualifiers {
+ if !qt.Equal(util.CpsOID) {
+ return &lint.LintResult{Status: lint.Error}
+ }
+ }
+ }
+ return &lint.LintResult{Status: lint.Pass}
+
+}
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_prohibit_dsa_usage.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_prohibit_dsa_usage.go index 95c06d3ea..21c6076c3 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_prohibit_dsa_usage.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_prohibit_dsa_usage.go @@ -1,5 +1,5 @@ /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy @@ -23,13 +23,15 @@ import ( type prohibitDSAUsage struct{} func init() { - lint.RegisterLint(&lint.Lint{ - Name: "e_br_prohibit_dsa_usage", - Description: "DSA was removed from the Baseline Requirements as a valid signature algorithm in 1.7.1.", - Citation: "BRs: v1.7.1", - Source: lint.CABFBaselineRequirements, - EffectiveDate: util.CABFBRs_1_7_1_Date, - Lint: NewProhibitDSAUsage, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_br_prohibit_dsa_usage", + Description: "DSA was removed from the Baseline Requirements as a valid signature algorithm in 1.7.1.", + Citation: "BRs: v1.7.1", + Source: lint.CABFBaselineRequirements, + EffectiveDate: util.CABFBRs_1_7_1_Date, + }, + Lint: NewProhibitDSAUsage, }) } diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_public_key_type_not_allowed.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_public_key_type_not_allowed.go index 83146b83f..24096b46f 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_public_key_type_not_allowed.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_public_key_type_not_allowed.go 
@@ -1,7 +1,7 @@
 package cabf_br
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
@@ -23,13 +23,15 @@ import (
 type publicKeyAllowed struct{}
 
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_public_key_type_not_allowed",
- Description: "Certificates MUST have RSA, DSA, or ECDSA public key type",
- Citation: "BRs: 6.1.5",
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
- Lint: NewPublicKeyAllowed,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_public_key_type_not_allowed",
+ Description: "Certificates MUST have RSA, DSA, or ECDSA public key type",
+ Citation: "BRs: 6.1.5",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.CABEffectiveDate,
+ },
+ Lint: NewPublicKeyAllowed,
 })
 }
 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_root_ca_basic_constraints_path_len_constraint_field_present.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_root_ca_basic_constraints_path_len_constraint_field_present.go
index 6360e6f0f..cf9da0bb4 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_root_ca_basic_constraints_path_len_constraint_field_present.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_root_ca_basic_constraints_path_len_constraint_field_present.go
@@ -1,7 +1,7 @@
 package cabf_br
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
@@ -30,13 +30,15 @@ This extension MUST appear as a critical extension. The cA field MUST be set tru
 ***********************************************************************************************************/
 
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "w_root_ca_basic_constraints_path_len_constraint_field_present",
- Description: "Root CA certificate basicConstraint extension pathLenConstraint field SHOULD NOT be present",
- Citation: "BRs: 7.1.2.1",
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
- Lint: NewRootCaPathLenPresent,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "w_root_ca_basic_constraints_path_len_constraint_field_present",
+ Description: "Root CA certificate basicConstraint extension pathLenConstraint field SHOULD NOT be present",
+ Citation: "BRs: 7.1.2.1",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.CABEffectiveDate,
+ },
+ Lint: NewRootCaPathLenPresent,
 })
 }
 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_root_ca_contains_cert_policy.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_root_ca_contains_cert_policy.go
index 655a190fa..aff346cbf 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_root_ca_contains_cert_policy.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_root_ca_contains_cert_policy.go
@@ -1,7 +1,7 @@
 package cabf_br
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
@@ -28,13 +28,15 @@ This extension SHOULD NOT be present.
 ************************************************/
 
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "w_root_ca_contains_cert_policy",
- Description: "Root CA Certificate: certificatePolicies SHOULD NOT be present.",
- Citation: "BRs: 7.1.2.1",
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
- Lint: NewRootCAContainsCertPolicy,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "w_root_ca_contains_cert_policy",
+ Description: "Root CA Certificate: certificatePolicies SHOULD NOT be present.",
+ Citation: "BRs: 7.1.2.1",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.CABEffectiveDate,
+ },
+ Lint: NewRootCAContainsCertPolicy,
 })
 }
 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_root_ca_extended_key_usage_present.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_root_ca_extended_key_usage_present.go
index adf06b02f..4be1f786f 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_root_ca_extended_key_usage_present.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_root_ca_extended_key_usage_present.go
@@ -1,7 +1,7 @@
 package cabf_br
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
@@ -28,13 +28,15 @@ This extension MUST NOT be present.
 ************************************************/
 
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_root_ca_extended_key_usage_present",
- Description: "Root CA Certificate: extendedKeyUsage MUST NOT be present.t",
- Citation: "BRs: 7.1.2.1",
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
- Lint: NewRootCAContainsEKU,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_root_ca_extended_key_usage_present",
+ Description: "Root CA Certificate: extendedKeyUsage MUST NOT be present.t",
+ Citation: "BRs: 7.1.2.1",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.CABEffectiveDate,
+ },
+ Lint: NewRootCAContainsEKU,
 })
 }
 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_root_ca_key_usage_must_be_critical.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_root_ca_key_usage_must_be_critical.go
index 89e181a3a..f7009eb2b 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_root_ca_key_usage_must_be_critical.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_root_ca_key_usage_must_be_critical.go
@@ -1,7 +1,7 @@
 package cabf_br
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
@@ -23,13 +23,15 @@ import (
 type rootCAKeyUsageMustBeCritical struct{}
 
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_root_ca_key_usage_must_be_critical",
- Description: "Root CA certificates MUST have Key Usage Extension marked critical",
- Citation: "BRs: 7.1.2.1",
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.RFC2459Date,
- Lint: NewRootCAKeyUsageMustBeCritical,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_root_ca_key_usage_must_be_critical",
+ Description: "Root CA certificates MUST have Key Usage Extension marked critical",
+ Citation: "BRs: 7.1.2.1",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.RFC2459Date,
+ },
+ Lint: NewRootCAKeyUsageMustBeCritical,
 })
 }
 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_root_ca_key_usage_present.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_root_ca_key_usage_present.go
index 7fdf2468d..463720b81 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_root_ca_key_usage_present.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_root_ca_key_usage_present.go
@@ -1,7 +1,7 @@
 package cabf_br
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
@@ -23,13 +23,15 @@ import (
 type rootCAKeyUsagePresent struct{}
 
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_root_ca_key_usage_present",
- Description: "Root CA certificates MUST have Key Usage Extension Present",
- Citation: "BRs: 7.1.2.1",
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.RFC2459Date,
- Lint: NewRootCAKeyUsagePresent,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_root_ca_key_usage_present",
+ Description: "Root CA certificates MUST have Key Usage Extension Present",
+ Citation: "BRs: 7.1.2.1",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.RFC2459Date,
+ },
+ Lint: NewRootCAKeyUsagePresent,
 })
 }
 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_rsa_mod_factors_smaller_than_752_bits.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_rsa_mod_factors_smaller_than_752_bits.go
index 7b6700839..81c0961d5 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_rsa_mod_factors_smaller_than_752_bits.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_rsa_mod_factors_smaller_than_752_bits.go
@@ -1,7 +1,7 @@
 package cabf_br
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
@@ -30,13 +30,15 @@ RSA: The CA SHALL confirm that the value of the public exponent is an odd number
 **************************************************************************************************/
 
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "w_rsa_mod_factors_smaller_than_752",
- Description: "RSA: Modulus SHOULD also have the following characteristics: no factors smaller than 752",
- Citation: "BRs: 6.1.6",
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.CABV113Date,
- Lint: NewRsaModSmallFactor,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "w_rsa_mod_factors_smaller_than_752",
+ Description: "RSA: Modulus SHOULD also have the following characteristics: no factors smaller than 752",
+ Citation: "BRs: 6.1.6",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.CABV113Date,
+ },
+ Lint: NewRsaModSmallFactor,
 })
 }
 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_rsa_mod_less_than_2048_bits.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_rsa_mod_less_than_2048_bits.go
index 9431e7a16..e2eb036a0 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_rsa_mod_less_than_2048_bits.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_rsa_mod_less_than_2048_bits.go
@@ -1,7 +1,7 @@
 package cabf_br
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
@@ -25,13 +25,15 @@ import (
 type rsaParsedTestsKeySize struct{}
 
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_rsa_mod_less_than_2048_bits",
- Description: "For certificates valid after 31 Dec 2013, all certificates using RSA public key algorithm MUST have 2048 bits of modulus",
- Citation: "BRs: 6.1.5",
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.ZeroDate,
- Lint: NewRsaParsedTestsKeySize,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_rsa_mod_less_than_2048_bits",
+ Description: "For certificates valid after 31 Dec 2013, all certificates using RSA public key algorithm MUST have 2048 bits of modulus",
+ Citation: "BRs: 6.1.5",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.ZeroDate,
+ },
+ Lint: NewRsaParsedTestsKeySize,
 })
 }
 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_rsa_mod_not_odd.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_rsa_mod_not_odd.go
index 6f71c19fc..0ab938329 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_rsa_mod_not_odd.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_rsa_mod_not_odd.go
@@ -1,7 +1,7 @@
 package cabf_br
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
@@ -31,13 +31,15 @@ RSA: The CA SHALL confirm that the value of the public exponent is an odd number
 *******************************************************************************************************/
 
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "w_rsa_mod_not_odd",
- Description: "RSA: Modulus SHOULD also have the following characteristics: an odd number",
- Citation: "BRs: 6.1.6",
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.CABV113Date,
- Lint: NewRsaParsedTestsKeyModOdd,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "w_rsa_mod_not_odd",
+ Description: "RSA: Modulus SHOULD also have the following characteristics: an odd number",
+ Citation: "BRs: 6.1.6",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.CABV113Date,
+ },
+ Lint: NewRsaParsedTestsKeyModOdd,
 })
 }
 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_rsa_public_exponent_not_in_range.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_rsa_public_exponent_not_in_range.go
index 79e1d3a3c..69a193944 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_rsa_public_exponent_not_in_range.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_rsa_public_exponent_not_in_range.go
@@ -1,7 +1,7 @@
 package cabf_br
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
@@ -33,13 +33,15 @@ RSA: The CA SHALL confirm that the value of the public exponent is an odd number
 *******************************************************************************************************/
 
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "w_rsa_public_exponent_not_in_range",
- Description: "RSA: Public exponent SHOULD be in the range between 2^16 + 1 and 2^256 - 1",
- Citation: "BRs: 6.1.6",
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.CABV113Date,
- Lint: NewRsaParsedTestsExpInRange,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "w_rsa_public_exponent_not_in_range",
+ Description: "RSA: Public exponent SHOULD be in the range between 2^16 + 1 and 2^256 - 1",
+ Citation: "BRs: 6.1.6",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.CABV113Date,
+ },
+ Lint: NewRsaParsedTestsExpInRange,
 })
 }
 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_rsa_public_exponent_not_odd.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_rsa_public_exponent_not_odd.go
index 597a3efd6..af71f1d23 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_rsa_public_exponent_not_odd.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_rsa_public_exponent_not_odd.go
@@ -1,7 +1,7 @@
 package cabf_br
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
@@ -30,13 +30,15 @@ RSA: The CA SHALL confirm that the value of the public exponent is an odd number
 *******************************************************************************************************/
 
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_rsa_public_exponent_not_odd",
- Description: "RSA: Value of public exponent is an odd number equal to 3 or more.",
- Citation: "BRs: 6.1.6",
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.CABV113Date,
- Lint: NewRsaParsedTestsKeyExpOdd,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_rsa_public_exponent_not_odd",
+ Description: "RSA: Value of public exponent is an odd number equal to 3 or more.",
+ Citation: "BRs: 6.1.6",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.CABV113Date,
+ },
+ Lint: NewRsaParsedTestsKeyExpOdd,
 })
 }
 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_rsa_public_exponent_too_small.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_rsa_public_exponent_too_small.go
index 7750879d5..351cbb67d 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_rsa_public_exponent_too_small.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_rsa_public_exponent_too_small.go
@@ -1,7 +1,7 @@
 package cabf_br
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
@@ -30,13 +30,15 @@ RSA: The CA SHALL confirm that the value of the public exponent is an odd number
 *******************************************************************************************************/
 
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_rsa_public_exponent_too_small",
- Description: "RSA: Value of public exponent is an odd number equal to 3 or more.",
- Citation: "BRs: 6.1.6",
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.CABV113Date,
- Lint: NewRsaParsedTestsExpBounds,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_rsa_public_exponent_too_small",
+ Description: "RSA: Value of public exponent is an odd number equal to 3 or more.",
+ Citation: "BRs: 6.1.6",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.CABV113Date,
+ },
+ Lint: NewRsaParsedTestsExpBounds,
 })
 }
 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_san_dns_name_onion_invalid.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_san_dns_name_onion_invalid.go
index c169e55a8..0751e9b8d 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_san_dns_name_onion_invalid.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_san_dns_name_onion_invalid.go
@@ -1,5 +1,5 @@
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
@@ -78,13 +78,15 @@ See also https://github.com/cabforum/documents/issues/191
 *******************************************************************/
 
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_san_dns_name_onion_invalid",
- Description: "certificates with a .onion subject name must be issued in accordance with the Tor address/rendezvous specification",
- Citation: "RFC 7686, EVGs v1.7.2: Appendix F, BRs v1.6.9: Appendix C",
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.OnionOnlyEVDate,
- Lint: NewOnionNotValid,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_san_dns_name_onion_invalid",
+ Description: "certificates with a .onion subject name must be issued in accordance with the Tor address/rendezvous specification",
+ Citation: "RFC 7686, EVGs v1.7.2: Appendix F, BRs v1.6.9: Appendix C",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.OnionOnlyEVDate,
+ },
+ Lint: NewOnionNotValid,
 })
 }
 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_san_dns_name_onion_not_ev_cert.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_san_dns_name_onion_not_ev_cert.go
index 806496396..fcbf64afd 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_san_dns_name_onion_not_ev_cert.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_san_dns_name_onion_not_ev_cert.go
@@ -1,5 +1,5 @@
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
@@ -25,13 +25,15 @@ import (
 type onionNotEV struct{}
 
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_san_dns_name_onion_not_ev_cert",
- Description: "certificates with a .onion subject name must be issued in accordance with EV Guidelines",
- Citation: "CABF Ballot 144",
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.OnionOnlyEVDate,
- Lint: NewOnionNotEV,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_san_dns_name_onion_not_ev_cert",
+ Description: "certificates with a .onion subject name must be issued in accordance with EV Guidelines",
+ Citation: "CABF Ballot 144",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.OnionOnlyEVDate,
+ },
+ Lint: NewOnionNotEV,
 })
 }
 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_signature_algorithm_not_supported.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_signature_algorithm_not_supported.go
index 045f6a06f..e80c303af 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_signature_algorithm_not_supported.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_signature_algorithm_not_supported.go
@@ -1,7 +1,7 @@
 package cabf_br
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
@@ -55,13 +55,15 @@ var (
 type signatureAlgorithmNotSupported struct{}
 
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_signature_algorithm_not_supported",
- Description: "Certificates MUST meet the following requirements for algorithm Source: SHA-1*, SHA-256, SHA-384, SHA-512",
- Citation: "BRs: 6.1.5",
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.ZeroDate,
- Lint: NewSignatureAlgorithmNotSupported,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_signature_algorithm_not_supported",
+ Description: "Certificates MUST meet the following requirements for algorithm Source: SHA-1*, SHA-256, SHA-384, SHA-512",
+ Citation: "BRs: 6.1.5",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.ZeroDate,
+ },
+ Lint: NewSignatureAlgorithmNotSupported,
 })
 }
 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_aia_does_not_contain_issuing_ca_url.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_aia_does_not_contain_issuing_ca_url.go
index 44a5569ed..c65bced54 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_aia_does_not_contain_issuing_ca_url.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_aia_does_not_contain_issuing_ca_url.go
@@ -1,7 +1,7 @@
 package cabf_br
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
@@ -33,13 +33,15 @@ It SHOULD contain the HTTP URL of the Issuing CA’s certificate (accessMethod =
 ************************************************/
 
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "w_sub_ca_aia_does_not_contain_issuing_ca_url",
- Description: "Subordinate CA Certificate: authorityInformationAccess SHOULD also contain the HTTP URL of the Issuing CA's certificate.",
- Citation: "BRs: 7.1.2.2",
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
- Lint: NewSubCaIssuerUrl,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "w_sub_ca_aia_does_not_contain_issuing_ca_url",
+ Description: "Subordinate CA Certificate: authorityInformationAccess SHOULD also contain the HTTP URL of the Issuing CA's certificate.",
+ Citation: "BRs: 7.1.2.2",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.CABEffectiveDate,
+ },
+ Lint: NewSubCaIssuerUrl,
 })
 }
 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_aia_marked_critical.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_aia_marked_critical.go
index 7cc7f0342..249ef4b2e 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_aia_marked_critical.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_aia_marked_critical.go
@@ -1,7 +1,7 @@
 package cabf_br
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
@@ -23,13 +23,15 @@ import (
 type subCaAIAMarkedCritical struct{}
 
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_sub_ca_aia_marked_critical",
- Description: "Subordinate CA Certificate: authorityInformationAccess MUST NOT be marked critical",
- Citation: "BRs: 7.1.2.2",
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.ZeroDate,
- Lint: NewSubCaAIAMarkedCritical,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_sub_ca_aia_marked_critical",
+ Description: "Subordinate CA Certificate: authorityInformationAccess MUST NOT be marked critical",
+ Citation: "BRs: 7.1.2.2",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.ZeroDate,
+ },
+ Lint: NewSubCaAIAMarkedCritical,
 })
 }
 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_certificate_policies_marked_critical.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_certificate_policies_marked_critical.go
index fab68b54a..858ed64b1 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_certificate_policies_marked_critical.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_certificate_policies_marked_critical.go
@@ -1,7 +1,7 @@
 package cabf_br
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
@@ -28,13 +28,15 @@ This extension MUST be present and SHOULD NOT be marked critical.
 ************************************************/
 
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "w_sub_ca_certificate_policies_marked_critical",
- Description: "Subordinate CA certificates certificatePolicies extension should not be marked as critical",
- Citation: "BRs: 7.1.2.2",
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
- Lint: NewSubCACertPolicyCrit,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "w_sub_ca_certificate_policies_marked_critical",
+ Description: "Subordinate CA certificates certificatePolicies extension should not be marked as critical",
+ Citation: "BRs: 7.1.2.2",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.CABEffectiveDate,
+ },
+ Lint: NewSubCACertPolicyCrit,
 })
 }
 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_certificate_policies_missing.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_certificate_policies_missing.go
index 74829dc41..8a4e8ebb2 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_certificate_policies_missing.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_certificate_policies_missing.go
@@ -1,7 +1,7 @@
 package cabf_br
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
@@ -28,13 +28,15 @@ This extension MUST be present and SHOULD NOT be marked critical.
 ************************************************/
 
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_sub_ca_certificate_policies_missing",
- Description: "Subordinate CA certificates must have a certificatePolicies extension",
- Citation: "BRs: 7.1.2.2",
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
- Lint: NewSubCACertPolicyMissing,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_sub_ca_certificate_policies_missing",
+ Description: "Subordinate CA certificates must have a certificatePolicies extension",
+ Citation: "BRs: 7.1.2.2",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.CABEffectiveDate,
+ },
+ Lint: NewSubCACertPolicyMissing,
 })
 }
 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_crl_distribution_points_does_not_contain_url.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_crl_distribution_points_does_not_contain_url.go
index 78a4e4ac7..8401a6833 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_crl_distribution_points_does_not_contain_url.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_crl_distribution_points_does_not_contain_url.go
@@ -1,7 +1,7 @@
 package cabf_br
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
@@ -31,13 +31,15 @@ It MUST contain the HTTP URL of the CA’s CRL service.
 ************************************************/
 
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_sub_ca_crl_distribution_points_does_not_contain_url",
- Description: "Subordinate CA Certificate: cRLDistributionPoints MUST contain the HTTP URL of the CA's CRL service.",
- Citation: "BRs: 7.1.2.2",
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
- Lint: NewSubCACRLDistNoUrl,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_sub_ca_crl_distribution_points_does_not_contain_url",
+ Description: "Subordinate CA Certificate: cRLDistributionPoints MUST contain the HTTP URL of the CA's CRL service.",
+ Citation: "BRs: 7.1.2.2",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.CABEffectiveDate,
+ },
+ Lint: NewSubCACRLDistNoUrl,
 })
 }
 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_crl_distribution_points_marked_critical.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_crl_distribution_points_marked_critical.go
index 5c7314565..65f266c37 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_crl_distribution_points_marked_critical.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_crl_distribution_points_marked_critical.go
@@ -1,7 +1,7 @@
 package cabf_br
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
@@ -29,13 +29,15 @@ It MUST contain the HTTP URL of the CA’s CRL service. ************************************************/ func init() { - lint.RegisterLint(&lint.Lint{ - Name: "e_sub_ca_crl_distribution_points_marked_critical", - Description: "Subordinate CA Certificate: cRLDistributionPoints MUST be present and MUST NOT be marked critical.", - Citation: "BRs: 7.1.2.2", - Source: lint.CABFBaselineRequirements, - EffectiveDate: util.CABEffectiveDate, - Lint: NewSubCACRLDistCrit, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_sub_ca_crl_distribution_points_marked_critical", + Description: "Subordinate CA Certificate: cRLDistributionPoints MUST be present and MUST NOT be marked critical.", + Citation: "BRs: 7.1.2.2", + Source: lint.CABFBaselineRequirements, + EffectiveDate: util.CABEffectiveDate, + }, + Lint: NewSubCACRLDistCrit, }) } diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_crl_distribution_points_missing.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_crl_distribution_points_missing.go index f6d58a77f..4dda8d6b0 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_crl_distribution_points_missing.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_crl_distribution_points_missing.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy 
@@ -29,13 +29,15 @@ It MUST contain the HTTP URL of the CA’s CRL service. ************************************************/ func init() { - lint.RegisterLint(&lint.Lint{ - Name: "e_sub_ca_crl_distribution_points_missing", - Description: "Subordinate CA Certificate: cRLDistributionPoints MUST be present and MUST NOT be marked critical.", - Citation: "BRs: 7.1.2.2", - Source: lint.CABFBaselineRequirements, - EffectiveDate: util.CABEffectiveDate, - Lint: NewSubCACRLDistMissing, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_sub_ca_crl_distribution_points_missing", + Description: "Subordinate CA Certificate: cRLDistributionPoints MUST be present and MUST NOT be marked critical.", + Citation: "BRs: 7.1.2.2", + Source: lint.CABFBaselineRequirements, + EffectiveDate: util.CABEffectiveDate, + }, + Lint: NewSubCACRLDistMissing, }) } diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_eku_critical.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_eku_critical.go index 8210ee8be..7d80cc5b0 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_eku_critical.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_eku_critical.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy 
@@ -31,13 +31,15 @@ If present, this extension SHOULD be marked non‐critical. ************************************************/ func init() { - lint.RegisterLint(&lint.Lint{ - Name: "w_sub_ca_eku_critical", - Description: "Subordinate CA certificate extkeyUsage extension should be marked non-critical if present", - Citation: "BRs: 7.1.2.2", - Source: lint.CABFBaselineRequirements, - EffectiveDate: util.CABV116Date, - Lint: NewSubCAEKUCrit, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "w_sub_ca_eku_critical", + Description: "Subordinate CA certificate extkeyUsage extension should be marked non-critical if present", + Citation: "BRs: 7.1.2.2", + Source: lint.CABFBaselineRequirements, + EffectiveDate: util.CABV116Date, + }, + Lint: NewSubCAEKUCrit, }) } diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_eku_missing.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_eku_missing.go index 913005eda..444023ac3 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_eku_missing.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_eku_missing.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy 
@@ -23,13 +23,15 @@ import ( type subCAEKUMissing struct{} func init() { - lint.RegisterLint(&lint.Lint{ - Name: "n_sub_ca_eku_missing", - Description: "To be considered Technically Constrained, the Subordinate CA certificate MUST have extkeyUsage extension", - Citation: "BRs: 7.1.5", - Source: lint.CABFBaselineRequirements, - EffectiveDate: util.CABEffectiveDate, - Lint: NewSubCAEKUMissing, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "n_sub_ca_eku_missing", + Description: "To be considered Technically Constrained, the Subordinate CA certificate MUST have extkeyUsage extension", + Citation: "BRs: 7.1.5", + Source: lint.CABFBaselineRequirements, + EffectiveDate: util.CABEffectiveDate, + }, + Lint: NewSubCAEKUMissing, }) } diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_eku_valid_fields.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_eku_valid_fields.go index 6cecabb37..999458fa8 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_eku_valid_fields.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_eku_valid_fields.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy 
@@ -23,13 +23,15 @@ import ( type subCAEKUValidFields struct{} func init() { - lint.RegisterLint(&lint.Lint{ - Name: "n_sub_ca_eku_not_technically_constrained", - Description: "Subordinate CA extkeyUsage, either id-kp-serverAuth or id-kp-clientAuth or both values MUST be present to be technically constrained.", - Citation: "BRs: 7.1.2.2", - Source: lint.CABFBaselineRequirements, - EffectiveDate: util.CABV116Date, - Lint: NewSubCAEKUValidFields, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "n_sub_ca_eku_not_technically_constrained", + Description: "Subordinate CA extkeyUsage, either id-kp-serverAuth or id-kp-clientAuth or both values MUST be present to be technically constrained.", + Citation: "BRs: 7.1.2.2", + Source: lint.CABFBaselineRequirements, + EffectiveDate: util.CABV116Date, + }, + Lint: NewSubCAEKUValidFields, }) } diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_name_constraints_not_critical.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_name_constraints_not_critical.go index 9df044f06..bbdebdc70 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_name_constraints_not_critical.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_name_constraints_not_critical.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy 
@@ -34,13 +34,15 @@ substantial portion of Relying Parties worldwide ************************************************/ func init() { - lint.RegisterLint(&lint.Lint{ - Name: "w_sub_ca_name_constraints_not_critical", - Description: "Subordinate CA Certificate: NameConstraints if present, SHOULD be marked critical.", - Citation: "BRs: 7.1.2.2", - Source: lint.CABFBaselineRequirements, - EffectiveDate: util.CABV102Date, - Lint: NewSubCANameConstraintsNotCritical, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "w_sub_ca_name_constraints_not_critical", + Description: "Subordinate CA Certificate: NameConstraints if present, SHOULD be marked critical.", + Citation: "BRs: 7.1.2.2", + Source: lint.CABFBaselineRequirements, + EffectiveDate: util.CABV102Date, + }, + Lint: NewSubCANameConstraintsNotCritical, }) } diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_aia_contains_internal_names.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_aia_contains_internal_names.go new file mode 100644 index 000000000..837f925d9 --- /dev/null +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_aia_contains_internal_names.go 
@@ -0,0 +1,90 @@
+package cabf_br
+
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+import (
+ "net"
+ "net/url"
+ "time"
+
+ "github.com/zmap/zcrypto/x509"
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/util"
+)
+
+type subCertAIAInternalName struct{}
+
+/************************************************************************
+BRs: 7.1.2.10.3
+CA Certificate Authority Information Access
+This extension MAY be present. If present, it MUST NOT be marked critical, and it MUST contain the
+HTTP URL of the CA’s CRL service.
+
+id-ad-ocsp A HTTP URL of the Issuing CA's OCSP responder.
+id-ad-caIssuers A HTTP URL of the Issuing CA's Certificate.
+*************************************************************************/
+
+func init() {
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "w_sub_cert_aia_contains_internal_names",
+ Description: "Subscriber certificates authorityInformationAccess extension should contain the HTTP URL of the issuing CA’s certificate, for public certificates this should not be an internal name",
+ Citation: "BRs: 7.1.2.10.3",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.CABEffectiveDate,
+ },
+ Lint: NewSubCertAIAInternalName,
+ })
+}
+
+func NewSubCertAIAInternalName() lint.LintInterface {
+ return &subCertAIAInternalName{}
+}
+
+func (l *subCertAIAInternalName) CheckApplies(c *x509.Certificate) bool {
+ return util.IsSubscriberCert(c) && util.IsExtInCert(c, util.AiaOID)
+}
+
+func (l *subCertAIAInternalName) Execute(c *x509.Certificate) *lint.LintResult {
+ for _, u := range c.OCSPServer {
+ purl, err := url.Parse(u)
+ if err != nil {
+ return &lint.LintResult{Status: lint.Error}
+ }
+
+ if net.ParseIP(purl.Host) != nil {
+ continue
+ }
+
+ if !util.HasValidTLD(purl.Hostname(), time.Now()) {
+ return &lint.LintResult{Status: lint.Warn}
+ }
+ }
+ for _, u := range c.IssuingCertificateURL {
+ purl, err := url.Parse(u)
+ if err != nil {
+ return &lint.LintResult{Status: lint.Error}
+ }
+
+ if net.ParseIP(purl.Host) != nil {
+ continue
+ }
+
+ if !util.HasValidTLD(purl.Hostname(), time.Now()) {
+ return &lint.LintResult{Status: lint.Warn}
+ }
+ }
+ return &lint.LintResult{Status: lint.Pass}
+}
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_aia_does_not_contain_issuing_ca_url.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_aia_does_not_contain_issuing_ca_url.go
index 3c1b6de60..9447ab920 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_aia_does_not_contain_issuing_ca_url.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_aia_does_not_contain_issuing_ca_url.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy @@ -32,13 +32,15 @@ HTTP URL of the CA’s CRL service. *************************************************************************/ func init() { - lint.RegisterLint(&lint.Lint{ - Name: "w_sub_cert_aia_does_not_contain_issuing_ca_url", - Description: "Subscriber certificates authorityInformationAccess extension should contain the HTTP URL of the issuing CA’s certificate", - Citation: "BRs: 7.1.2.3", - Source: lint.CABFBaselineRequirements, - EffectiveDate: util.CABEffectiveDate, - Lint: NewSubCertIssuerUrl, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "w_sub_cert_aia_does_not_contain_issuing_ca_url", + Description: "Subscriber certificates authorityInformationAccess extension should contain the HTTP URL of the issuing CA’s certificate", + Citation: "BRs: 7.1.2.3", + Source: lint.CABFBaselineRequirements, + EffectiveDate: util.CABEffectiveDate, + }, + Lint: NewSubCertIssuerUrl, }) } diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_aia_does_not_contain_ocsp_url.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_aia_does_not_contain_ocsp_url.go index 6c7812c8e..d007651de 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_aia_does_not_contain_ocsp_url.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_aia_does_not_contain_ocsp_url.go 
@@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy @@ -34,13 +34,15 @@ It SHOULD also contain the HTTP URL of the Issuing CA’s certificate (accessMet ***************************************************************************************************/ func init() { - lint.RegisterLint(&lint.Lint{ - Name: "e_sub_cert_aia_does_not_contain_ocsp_url", - Description: "Subscriber Certificate: authorityInformationAccess MUST contain the HTTP URL of the Issuing CA's OSCP responder.", - Citation: "BRs: 7.1.2.3", - Source: lint.CABFBaselineRequirements, - EffectiveDate: util.CABEffectiveDate, - Lint: NewSubCertOcspUrl, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_sub_cert_aia_does_not_contain_ocsp_url", + Description: "Subscriber Certificate: authorityInformationAccess MUST contain the HTTP URL of the Issuing CA's OSCP responder.", + Citation: "BRs: 7.1.2.3", + Source: lint.CABFBaselineRequirements, + EffectiveDate: util.CABEffectiveDate, + }, + Lint: NewSubCertOcspUrl, }) } diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_aia_marked_critical.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_aia_marked_critical.go index 2b626eb7f..67fee7305 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_aia_marked_critical.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_aia_marked_critical.go 
@@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy @@ -23,13 +23,15 @@ import ( type subCertAiaMarkedCritical struct{} func init() { - lint.RegisterLint(&lint.Lint{ - Name: "e_sub_cert_aia_marked_critical", - Description: "Subscriber Certificate: authorityInformationAccess MUST NOT be marked critical", - Citation: "BRs: 7.1.2.3", - Source: lint.CABFBaselineRequirements, - EffectiveDate: util.CABEffectiveDate, - Lint: NewSubCertAiaMarkedCritical, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_sub_cert_aia_marked_critical", + Description: "Subscriber Certificate: authorityInformationAccess MUST NOT be marked critical", + Citation: "BRs: 7.1.2.3", + Source: lint.CABFBaselineRequirements, + EffectiveDate: util.CABEffectiveDate, + }, + Lint: NewSubCertAiaMarkedCritical, }) } diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_aia_missing.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_aia_missing.go index 86303f65a..894009790 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_aia_missing.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_aia_missing.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy 
@@ -32,13 +32,15 @@ marked critical, and it MUST contain the HTTP URL of the Issuing CA’s OCSP res ***************************************************************************************************/ func init() { - lint.RegisterLint(&lint.Lint{ - Name: "e_sub_cert_aia_missing", - Description: "Subscriber Certificate: authorityInformationAccess MUST be present.", - Citation: "BRs: 7.1.2.3", - Source: lint.CABFBaselineRequirements, - EffectiveDate: util.CABEffectiveDate, - Lint: NewSubCertAiaMissing, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_sub_cert_aia_missing", + Description: "Subscriber Certificate: authorityInformationAccess MUST be present.", + Citation: "BRs: 7.1.2.3", + Source: lint.CABFBaselineRequirements, + EffectiveDate: util.CABEffectiveDate, + }, + Lint: NewSubCertAiaMissing, }) } diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_basic_constraints_not_critical.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_basic_constraints_not_critical.go new file mode 100644 index 000000000..0c76a10b2 --- /dev/null +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_basic_constraints_not_critical.go 
@@ -0,0 +1,65 @@
+package cabf_br
+
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+import (
+ "fmt"
+
+ "github.com/zmap/zcrypto/x509"
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/util"
+)
+
+type subCertBasicConstCrit struct{}
+
+/************************************************
+CA/Browser Forum BRs: 7.1.2.7.6 Subscriber Certificate Extensions
+
+| __Extension__ | __Presence__ | __Critical__ | __Description__ |
+| ---- | - | - | ----- |
+| `basicConstraints` | MAY | Y | See [Section 7.1.2.7.8](#71278-subscriber-certificate-basic-constraints) |
+************************************************/
+
+func init() {
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_sub_cert_basic_constraints_not_critical",
+ Description: "basicConstraints MAY appear in the certificate, and when it is included MUST be marked as critical",
+ Citation: "CA/Browser Forum BRs: 7.1.2.7.6",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.SC62EffectiveDate,
+ },
+ Lint: NewSubCertBasicConstCrit,
+ })
+}
+
+func NewSubCertBasicConstCrit() lint.LintInterface {
+ return &subCertBasicConstCrit{}
+}
+
+func (l *subCertBasicConstCrit) CheckApplies(c *x509.Certificate) bool {
+ return util.IsSubscriberCert(c) && util.IsExtInCert(c, util.BasicConstOID)
+}
+
+func (l *subCertBasicConstCrit) Execute(c *x509.Certificate) *lint.LintResult {
+ if e := util.GetExtFromCert(c, util.BasicConstOID); e != nil {
+ if e.Critical {
+ return &lint.LintResult{Status: lint.Pass}
+ } else {
+ return &lint.LintResult{Status: lint.Error, Details: fmt.Sprintf("Basic Constraints extension is present (%v) and marked as non-critical", e.Id)}
+ }
+ }
+ return &lint.LintResult{Status: lint.Fatal, Details: "Error processing Basic Constraints extension"}
+}
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_cert_policy_empty.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_cert_policy_empty.go
index 740d96b16..198ec4f66 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_cert_policy_empty.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_cert_policy_empty.go
@@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy
@@ -23,13 +23,15 @@ import ( type subCertPolicyEmpty struct{} func init() { - lint.RegisterLint(&lint.Lint{ - Name: "e_sub_cert_cert_policy_empty", - Description: "Subscriber certificates must contain at least one policy identifier that indicates adherence to CAB standards", - Citation: "BRs: 7.1.2.3", - Source: lint.CABFBaselineRequirements, - EffectiveDate: util.CABEffectiveDate, - Lint: NewSubCertPolicyEmpty, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_sub_cert_cert_policy_empty", + Description: "Subscriber certificates must contain at least one policy identifier that indicates adherence to CAB standards", + Citation: "BRs: 7.1.2.3", + Source: lint.CABFBaselineRequirements, + EffectiveDate: util.CABEffectiveDate, + }, + Lint: NewSubCertPolicyEmpty, }) }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_certificate_policies_marked_critical.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_certificate_policies_marked_critical.go index b89fb0c60..33c968117 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_certificate_policies_marked_critical.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_certificate_policies_marked_critical.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy @@ -29,13 +29,15 @@ This extension MUST be present and SHOULD NOT be marked critical. ******************************************************************************/ func init() { - lint.RegisterLint(&lint.Lint{ - Name: "w_sub_cert_certificate_policies_marked_critical", - Description: "Subscriber Certificate: certificatePolicies MUST be present and SHOULD NOT be marked critical.", - Citation: "BRs: 7.1.2.3", - Source: lint.CABFBaselineRequirements, - EffectiveDate: util.CABEffectiveDate, - Lint: NewSubCertPolicyCrit, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "w_sub_cert_certificate_policies_marked_critical", + Description: "Subscriber Certificate: certificatePolicies MUST be present and SHOULD NOT be marked critical.", + Citation: "BRs: 7.1.2.3", + Source: lint.CABFBaselineRequirements, + EffectiveDate: util.CABEffectiveDate, + }, + Lint: NewSubCertPolicyCrit, }) } diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_certificate_policies_missing.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_certificate_policies_missing.go index 012a32d57..54bfeb4a8 100644 
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_certificate_policies_missing.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_certificate_policies_missing.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy @@ -29,13 +29,15 @@ This extension MUST be present and SHOULD NOT be marked critical. ******************************************************************************/ func init() { - lint.RegisterLint(&lint.Lint{ - Name: "e_sub_cert_certificate_policies_missing", - Description: "Subscriber Certificate: certificatePolicies MUST be present and SHOULD NOT be marked critical.", - Citation: "BRs: 7.1.2.3", - Source: lint.CABFBaselineRequirements, - EffectiveDate: util.CABEffectiveDate, - Lint: NewSubCertPolicy, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_sub_cert_certificate_policies_missing", + Description: "Subscriber Certificate: certificatePolicies MUST be present and SHOULD NOT be marked critical.", + Citation: "BRs: 7.1.2.3", + Source: lint.CABFBaselineRequirements, + EffectiveDate: util.CABEffectiveDate, + }, + Lint: NewSubCertPolicy, }) } diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_country_name_must_appear.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_country_name_must_appear.go index 1b6a6499d..ffae34b0b 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_country_name_must_appear.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_country_name_must_appear.go 
@@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy @@ -23,13 +23,15 @@ import ( type subCertCountryNameMustAppear struct{} func init() { - lint.RegisterLint(&lint.Lint{ - Name: "e_sub_cert_country_name_must_appear", - Description: "Subscriber Certificate: subject:countryName MUST appear if the subject:organizationName field, subject:givenName field, or subject:surname fields are present.", - Citation: "BRs: 7.1.4.2.2", - Source: lint.CABFBaselineRequirements, - EffectiveDate: util.CABGivenNameDate, - Lint: NewSubCertCountryNameMustAppear, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_sub_cert_country_name_must_appear", + Description: "Subscriber Certificate: subject:countryName MUST appear if the subject:organizationName field, subject:givenName field, or subject:surname fields are present.", + Citation: "BRs: 7.1.4.2.2", + Source: lint.CABFBaselineRequirements, + EffectiveDate: util.CABGivenNameDate, + }, + Lint: NewSubCertCountryNameMustAppear, }) } diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_crl_distribution_points_does_not_contain_url.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_crl_distribution_points_does_not_contain_url.go index d81ae5fb6..3cd2333b7 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_crl_distribution_points_does_not_contain_url.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_crl_distribution_points_does_not_contain_url.go 
@@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy @@ -32,13 +32,15 @@ URL of the CA’s CRL service. *******************************************************************************************************/ func init() { - lint.RegisterLint(&lint.Lint{ - Name: "e_sub_cert_crl_distribution_points_does_not_contain_url", - Description: "Subscriber certificate cRLDistributionPoints extension must contain the HTTP URL of the CA’s CRL service", - Citation: "BRs: 7.1.2.3", - Source: lint.CABFBaselineRequirements, - EffectiveDate: util.CABEffectiveDate, - Lint: NewSubCRLDistNoURL, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_sub_cert_crl_distribution_points_does_not_contain_url", + Description: "Subscriber certificate cRLDistributionPoints extension must contain the HTTP URL of the CA’s CRL service", + Citation: "BRs: 7.1.2.3", + Source: lint.CABFBaselineRequirements, + EffectiveDate: util.CABEffectiveDate, + }, + Lint: NewSubCRLDistNoURL, }) } diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_crl_distribution_points_marked_critical.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_crl_distribution_points_marked_critical.go index 074472a94..eef345c16 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_crl_distribution_points_marked_critical.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_crl_distribution_points_marked_critical.go 
@@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy @@ -30,13 +30,15 @@ URL of the CA’s CRL service. *******************************************************************************************************/ func init() { - lint.RegisterLint(&lint.Lint{ - Name: "e_sub_cert_crl_distribution_points_marked_critical", - Description: "Subscriber Certificate: cRLDistributionPoints MUST NOT be marked critical, and MUST contain the HTTP URL of the CA's CRL service.", - Citation: "BRs: 7.1.2.3", - Source: lint.CABFBaselineRequirements, - EffectiveDate: util.CABEffectiveDate, - Lint: NewSubCrlDistCrit, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_sub_cert_crl_distribution_points_marked_critical", + Description: "Subscriber Certificate: cRLDistributionPoints MUST NOT be marked critical, and MUST contain the HTTP URL of the CA's CRL service.", + Citation: "BRs: 7.1.2.3", + Source: lint.CABFBaselineRequirements, + EffectiveDate: util.CABEffectiveDate, + }, + Lint: NewSubCrlDistCrit, }) } diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_eku_extra_values.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_eku_extra_values.go index 5c13ca7ff..2febde6fe 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_eku_extra_values.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_eku_extra_values.go 
@@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy @@ -32,13 +32,15 @@ present. *******************************************************************************************************/ func init() { - lint.RegisterLint(&lint.Lint{ - Name: "w_sub_cert_eku_extra_values", - Description: "Subscriber Certificate: extKeyUsage values other than id-kp-serverAuth, id-kp-clientAuth, and id-kp-emailProtection SHOULD NOT be present.", - Citation: "BRs: 7.1.2.3", - Source: lint.CABFBaselineRequirements, - EffectiveDate: util.CABEffectiveDate, - Lint: NewSubExtKeyUsageLegalUsage, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "w_sub_cert_eku_extra_values", + Description: "Subscriber Certificate: extKeyUsage values other than id-kp-serverAuth, id-kp-clientAuth, and id-kp-emailProtection SHOULD NOT be present.", + Citation: "BRs: 7.1.2.3", + Source: lint.CABFBaselineRequirements, + EffectiveDate: util.CABEffectiveDate, + }, + Lint: NewSubExtKeyUsageLegalUsage, }) } diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_eku_missing.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_eku_missing.go index b3ac8a7e9..3781ef226 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_eku_missing.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_eku_missing.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy 
@@ -31,13 +31,15 @@ present. *******************************************************************************************************/ func init() { - lint.RegisterLint(&lint.Lint{ - Name: "e_sub_cert_eku_missing", - Description: "Subscriber certificates MUST have the extended key usage extension present", - Citation: "BRs: 7.1.2.3", - Source: lint.CABFBaselineRequirements, - EffectiveDate: util.CABEffectiveDate, - Lint: NewSubExtKeyUsage, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_sub_cert_eku_missing", + Description: "Subscriber certificates MUST have the extended key usage extension present", + Citation: "BRs: 7.1.2.3", + Source: lint.CABFBaselineRequirements, + EffectiveDate: util.CABEffectiveDate, + }, + Lint: NewSubExtKeyUsage, }) } diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_eku_server_auth_client_auth_missing.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_eku_server_auth_client_auth_missing.go index 1173e594a..3ef75c2b0 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_eku_server_auth_client_auth_missing.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_eku_server_auth_client_auth_missing.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy 
@@ -32,13 +32,15 @@ present. *******************************************************************************************************/ func init() { - lint.RegisterLint(&lint.Lint{ - Name: "e_sub_cert_eku_server_auth_client_auth_missing", - Description: "Subscriber certificates MUST have either id-kp-serverAuth or id-kp-clientAuth or both present in extKeyUsage", - Citation: "BRs: 7.1.2.3", - Source: lint.CABFBaselineRequirements, - EffectiveDate: util.CABEffectiveDate, - Lint: NewSubExtKeyUsageClientOrServer, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_sub_cert_eku_server_auth_client_auth_missing", + Description: "Subscriber certificates MUST have either id-kp-serverAuth or id-kp-clientAuth or both present in extKeyUsage", + Citation: "BRs: 7.1.2.3", + Source: lint.CABFBaselineRequirements, + EffectiveDate: util.CABEffectiveDate, + }, + Lint: NewSubExtKeyUsageClientOrServer, }) } diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_gn_sn_contains_policy.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_gn_sn_contains_policy.go index 2bb02bcc8..dfc2c1933 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_gn_sn_contains_policy.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_gn_sn_contains_policy.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy 
@@ -23,13 +23,15 @@ import ( type subCertSubjectGnOrSnContainsPolicy struct{} func init() { - lint.RegisterLint(&lint.Lint{ - Name: "e_sub_cert_given_name_surname_contains_correct_policy", - Description: "Subscriber Certificate: A certificate containing a subject:givenName field or subject:surname field MUST contain the (2.23.140.1.2.3) certPolicy OID.", - Citation: "BRs: 7.1.4.2.2", - Source: lint.CABFBaselineRequirements, - EffectiveDate: util.CABGivenNameDate, - Lint: NewSubCertSubjectGnOrSnContainsPolicy, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_sub_cert_given_name_surname_contains_correct_policy", + Description: "Subscriber Certificate: A certificate containing a subject:givenName field or subject:surname field MUST contain the (2.23.140.1.2.3) certPolicy OID.", + Citation: "BRs: 7.1.4.2.2", + Source: lint.CABFBaselineRequirements, + EffectiveDate: util.CABGivenNameDate, + }, + Lint: NewSubCertSubjectGnOrSnContainsPolicy, }) } diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_is_ca.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_is_ca.go index 67359e5a0..940c12be2 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_is_ca.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_is_ca.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy 
@@ -24,13 +24,15 @@ import ( type subCertNotCA struct{} func init() { - lint.RegisterLint(&lint.Lint{ - Name: "e_sub_cert_not_is_ca", - Description: "Subscriber Certificate: basicContrainsts cA field MUST NOT be true.", - Citation: "BRs: 7.1.2.3", - Source: lint.CABFBaselineRequirements, - EffectiveDate: util.CABEffectiveDate, - Lint: NewSubCertNotCA, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_sub_cert_not_is_ca", + Description: "Subscriber Certificate: basicContrainsts cA field MUST NOT be true.", + Citation: "BRs: 7.1.2.3", + Source: lint.CABFBaselineRequirements, + EffectiveDate: util.CABEffectiveDate, + }, + Lint: NewSubCertNotCA, }) } diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_key_usage_cert_sign_bit_set.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_key_usage_cert_sign_bit_set.go index 499c7b084..bc7d912ff 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_key_usage_cert_sign_bit_set.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_key_usage_cert_sign_bit_set.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy 
@@ -29,13 +29,15 @@ If present, bit positions for keyCertSign and cRLSign MUST NOT be set. ***************************************************************************/ func init() { - lint.RegisterLint(&lint.Lint{ - Name: "e_sub_cert_key_usage_cert_sign_bit_set", - Description: "Subscriber Certificate: keyUsage if present, bit positions for keyCertSign and cRLSign MUST NOT be set.", - Citation: "BRs: 7.1.2.3", - Source: lint.CABFBaselineRequirements, - EffectiveDate: util.CABEffectiveDate, - Lint: NewSubCertKeyUsageBitSet, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_sub_cert_key_usage_cert_sign_bit_set", + Description: "Subscriber Certificate: keyUsage if present, bit positions for keyCertSign and cRLSign MUST NOT be set.", + Citation: "BRs: 7.1.2.3", + Source: lint.CABFBaselineRequirements, + EffectiveDate: util.CABEffectiveDate, + }, + Lint: NewSubCertKeyUsageBitSet, }) } diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_key_usage_crl_sign_bit_set.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_key_usage_crl_sign_bit_set.go index dc67297b8..c154ef033 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_key_usage_crl_sign_bit_set.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_key_usage_crl_sign_bit_set.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy 
@@ -29,13 +29,15 @@ If present, bit positions for keyCertSign and cRLSign MUST NOT be set. ***************************************************************************/ func init() { - lint.RegisterLint(&lint.Lint{ - Name: "e_sub_cert_key_usage_crl_sign_bit_set", - Description: "Subscriber Certificate: keyUsage if present, bit positions for keyCertSign and cRLSign MUST NOT be set.", - Citation: "BRs: 7.1.2.3", - Source: lint.CABFBaselineRequirements, - EffectiveDate: util.CABEffectiveDate, - Lint: NewSubCrlSignAllowed, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_sub_cert_key_usage_crl_sign_bit_set", + Description: "Subscriber Certificate: keyUsage if present, bit positions for keyCertSign and cRLSign MUST NOT be set.", + Citation: "BRs: 7.1.2.3", + Source: lint.CABFBaselineRequirements, + EffectiveDate: util.CABEffectiveDate, + }, + Lint: NewSubCrlSignAllowed, }) } diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_locality_name_must_appear.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_locality_name_must_appear.go index 8744f1855..090d8797a 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_locality_name_must_appear.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_locality_name_must_appear.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy 
@@ -23,13 +23,15 @@ import ( type subCertLocalityNameMustAppear struct{} func init() { - lint.RegisterLint(&lint.Lint{ - Name: "e_sub_cert_locality_name_must_appear", - Description: "Subscriber Certificate: subject:localityName MUST appear if subject:organizationName, subject:givenName, or subject:surname fields are present but the subject:stateOrProvinceName field is absent.", - Citation: "BRs: 7.1.4.2.2", - Source: lint.CABFBaselineRequirements, - EffectiveDate: util.CABGivenNameDate, - Lint: NewSubCertLocalityNameMustAppear, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_sub_cert_locality_name_must_appear", + Description: "Subscriber Certificate: subject:localityName MUST appear if subject:organizationName, subject:givenName, or subject:surname fields are present but the subject:stateOrProvinceName field is absent.", + Citation: "BRs: 7.1.4.2.2", + Source: lint.CABFBaselineRequirements, + EffectiveDate: util.CABGivenNameDate, + }, + Lint: NewSubCertLocalityNameMustAppear, }) } diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_locality_name_must_not_appear.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_locality_name_must_not_appear.go index ea2f96f57..c2578e5c5 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_locality_name_must_not_appear.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_locality_name_must_not_appear.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy 
@@ -23,13 +23,15 @@ import ( type subCertLocalityNameMustNotAppear struct{} func init() { - lint.RegisterLint(&lint.Lint{ - Name: "e_sub_cert_locality_name_must_not_appear", - Description: "Subscriber Certificate: subject:localityName MUST NOT appear if subject:organizationName, subject:givenName, and subject:surname fields are absent.", - Citation: "BRs: 7.1.4.2.2", - Source: lint.CABFBaselineRequirements, - EffectiveDate: util.CABGivenNameDate, - Lint: NewSubCertLocalityNameMustNotAppear, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_sub_cert_locality_name_must_not_appear", + Description: "Subscriber Certificate: subject:localityName MUST NOT appear if subject:organizationName, subject:givenName, and subject:surname fields are absent.", + Citation: "BRs: 7.1.4.2.2", + Source: lint.CABFBaselineRequirements, + EffectiveDate: util.CABGivenNameDate, + }, + Lint: NewSubCertLocalityNameMustNotAppear, }) } diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_or_sub_ca_using_sha1.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_or_sub_ca_using_sha1.go index df6e4774a..37da133d4 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_or_sub_ca_using_sha1.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_or_sub_ca_using_sha1.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy 
@@ -28,13 +28,15 @@ SHA‐1 MAY be used with RSA keys in accordance with the criteria defined in Sec **************************************************************************************************/ func init() { - lint.RegisterLint(&lint.Lint{ - Name: "e_sub_cert_or_sub_ca_using_sha1", - Description: "CAs MUST NOT issue any new Subscriber certificates or Subordinate CA certificates using SHA-1 after 1 January 2016", - Citation: "BRs: 7.1.3", - Source: lint.CABFBaselineRequirements, - EffectiveDate: util.NO_SHA1, - Lint: NewSigAlgTestsSHA1, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_sub_cert_or_sub_ca_using_sha1", + Description: "CAs MUST NOT issue any new Subscriber certificates or Subordinate CA certificates using SHA-1 after 1 January 2016", + Citation: "BRs: 7.1.3", + Source: lint.CABFBaselineRequirements, + EffectiveDate: util.NO_SHA1, + }, + Lint: NewSigAlgTestsSHA1, }) } diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_postal_code_prohibited.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_postal_code_prohibited.go index aae8d28e7..bfc7a29e5 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_postal_code_prohibited.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_postal_code_prohibited.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy 
@@ -23,13 +23,15 @@ import ( type subCertPostalCodeMustNotAppear struct{} func init() { - lint.RegisterLint(&lint.Lint{ - Name: "e_sub_cert_postal_code_must_not_appear", - Description: "Subscriber Certificate: subject:postalCode MUST NOT appear if the subject:organizationName field, subject:givenName field, or subject:surname fields are absent.", - Citation: "BRs: 7.1.4.2.2", - Source: lint.CABFBaselineRequirements, - EffectiveDate: util.CABGivenNameDate, - Lint: NewSubCertPostalCodeMustNotAppear, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_sub_cert_postal_code_must_not_appear", + Description: "Subscriber Certificate: subject:postalCode MUST NOT appear if the subject:organizationName field, subject:givenName field, or subject:surname fields are absent.", + Citation: "BRs: 7.1.4.2.2", + Source: lint.CABFBaselineRequirements, + EffectiveDate: util.CABGivenNameDate, + }, + Lint: NewSubCertPostalCodeMustNotAppear, }) } diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_province_must_appear.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_province_must_appear.go index 0dd5a7076..480804d6a 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_province_must_appear.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_province_must_appear.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy 
@@ -23,13 +23,15 @@ import ( type subCertProvinceMustAppear struct{} func init() { - lint.RegisterLint(&lint.Lint{ - Name: "e_sub_cert_province_must_appear", - Description: "Subscriber Certificate: subject:stateOrProvinceName MUST appear if the subject:organizationName, subject:givenName, or subject:surname fields are present and subject:localityName is absent.", - Citation: "BRs: 7.1.4.2.2", - Source: lint.CABFBaselineRequirements, - EffectiveDate: util.CABGivenNameDate, - Lint: NewSubCertProvinceMustAppear, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_sub_cert_province_must_appear", + Description: "Subscriber Certificate: subject:stateOrProvinceName MUST appear if the subject:organizationName, subject:givenName, or subject:surname fields are present and subject:localityName is absent.", + Citation: "BRs: 7.1.4.2.2", + Source: lint.CABFBaselineRequirements, + EffectiveDate: util.CABGivenNameDate, + }, + Lint: NewSubCertProvinceMustAppear, }) } diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_province_must_not_appear.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_province_must_not_appear.go index d33d85644..2b3e50346 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_province_must_not_appear.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_province_must_not_appear.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy 
@@ -23,13 +23,15 @@ import ( type subCertProvinceMustNotAppear struct{} func init() { - lint.RegisterLint(&lint.Lint{ - Name: "e_sub_cert_province_must_not_appear", - Description: "Subscriber Certificate: subject:stateOrProvinceName MUST NOT appear if the subject:organizationName, subject:givenName, and subject:surname fields are absent.", - Citation: "BRs: 7.1.4.2.2", - Source: lint.CABFBaselineRequirements, - EffectiveDate: util.CABGivenNameDate, - Lint: NewSubCertProvinceMustNotAppear, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_sub_cert_province_must_not_appear", + Description: "Subscriber Certificate: subject:stateOrProvinceName MUST NOT appear if the subject:organizationName, subject:givenName, and subject:surname fields are absent.", + Citation: "BRs: 7.1.4.2.2", + Source: lint.CABFBaselineRequirements, + EffectiveDate: util.CABGivenNameDate, + }, + Lint: NewSubCertProvinceMustNotAppear, }) } diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_sha1_expiration_too_long.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_sha1_expiration_too_long.go index 5f4a59f2a..14d33bcbe 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_sha1_expiration_too_long.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_sha1_expiration_too_long.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy 
@@ -32,13 +32,15 @@ CAs and Subscribers using such certificates do so at their own risk. ****************************************************************************************************************/ func init() { - lint.RegisterLint(&lint.Lint{ - Name: "w_sub_cert_sha1_expiration_too_long", - Description: "Subscriber certificates using the SHA-1 algorithm SHOULD NOT have an expiration date later than 1 Jan 2017", - Citation: "BRs: 7.1.3", - Source: lint.CABFBaselineRequirements, - EffectiveDate: util.CABFBRs_1_2_1_Date, - Lint: NewSha1ExpireLong, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "w_sub_cert_sha1_expiration_too_long", + Description: "Subscriber certificates using the SHA-1 algorithm SHOULD NOT have an expiration date later than 1 Jan 2017", + Citation: "BRs: 7.1.3", + Source: lint.CABFBaselineRequirements, + EffectiveDate: util.CABFBRs_1_2_1_Date, + }, + Lint: NewSha1ExpireLong, }) } diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_street_address_should_not_exist.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_street_address_should_not_exist.go index 4c09cd1a6..831c607b8 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_street_address_should_not_exist.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_street_address_should_not_exist.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy 
@@ -23,13 +23,15 @@ import ( type subCertStreetAddressShouldNotExist struct{} func init() { - lint.RegisterLint(&lint.Lint{ - Name: "e_sub_cert_street_address_should_not_exist", - Description: "Subscriber Certificate: subject:streetAddress MUST NOT appear if subject:organizationName, subject:givenName, and subject:surname fields are absent.", - Citation: "BRs: 7.1.4.2.2", - Source: lint.CABFBaselineRequirements, - EffectiveDate: util.CABGivenNameDate, - Lint: NewSubCertStreetAddressShouldNotExist, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_sub_cert_street_address_should_not_exist", + Description: "Subscriber Certificate: subject:streetAddress MUST NOT appear if subject:organizationName, subject:givenName, and subject:surname fields are absent.", + Citation: "BRs: 7.1.4.2.2", + Source: lint.CABFBaselineRequirements, + EffectiveDate: util.CABGivenNameDate, + }, + Lint: NewSubCertStreetAddressShouldNotExist, }) } diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_valid_time_longer_than_39_months.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_valid_time_longer_than_39_months.go index fbba31e95..71e9d36b6 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_valid_time_longer_than_39_months.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_valid_time_longer_than_39_months.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy 
@@ -23,13 +23,15 @@ import ( type subCertValidTimeLongerThan39Months struct{} func init() { - lint.RegisterLint(&lint.Lint{ - Name: "e_sub_cert_valid_time_longer_than_39_months", - Description: "Subscriber Certificates issued after 1 July 2016 but prior to 1 March 2018 MUST have a Validity Period no greater than 39 months.", - Citation: "BRs: 6.3.2", - Source: lint.CABFBaselineRequirements, - EffectiveDate: util.SubCert39Month, - Lint: NewSubCertValidTimeLongerThan39Months, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_sub_cert_valid_time_longer_than_39_months", + Description: "Subscriber Certificates issued after 1 July 2016 but prior to 1 March 2018 MUST have a Validity Period no greater than 39 months.", + Citation: "BRs: 6.3.2", + Source: lint.CABFBaselineRequirements, + EffectiveDate: util.SubCert39Month, + }, + Lint: NewSubCertValidTimeLongerThan39Months, }) } diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_valid_time_longer_than_825_days.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_valid_time_longer_than_825_days.go index eb8ae16a3..7290fbcc3 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_valid_time_longer_than_825_days.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_valid_time_longer_than_825_days.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy 
@@ -23,13 +23,15 @@ import ( type subCertValidTimeLongerThan825Days struct{} func init() { - lint.RegisterLint(&lint.Lint{ - Name: "e_sub_cert_valid_time_longer_than_825_days", - Description: "Subscriber Certificates issued after 1 March 2018, but prior to 1 September 2020, MUST NOT have a Validity Period greater than 825 days.", - Citation: "BRs: 6.3.2", - Source: lint.CABFBaselineRequirements, - EffectiveDate: util.SubCert825Days, - Lint: NewSubCertValidTimeLongerThan825Days, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_sub_cert_valid_time_longer_than_825_days", + Description: "Subscriber Certificates issued after 1 March 2018, but prior to 1 September 2020, MUST NOT have a Validity Period greater than 825 days.", + Citation: "BRs: 6.3.2", + Source: lint.CABFBaselineRequirements, + EffectiveDate: util.SubCert825Days, + }, + Lint: NewSubCertValidTimeLongerThan825Days, }) } diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_common_name_included.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_common_name_included.go index bf7f1d04d..e34635957 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_common_name_included.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_common_name_included.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy 
@@ -28,13 +28,16 @@ Required/Optional: Deprecated (Discouraged, but not prohibited) ***************************************************************/ func init() { - lint.RegisterLint(&lint.Lint{ - Name: "n_subject_common_name_included", - Description: "Subscriber Certificate: commonName is deprecated.", - Citation: "BRs: 7.1.4.2.2", - Source: lint.CABFBaselineRequirements, - EffectiveDate: util.CABEffectiveDate, - Lint: NewCommonNames, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "n_subject_common_name_included", + Description: "Subscriber Certificate: commonName is deprecated.", + Citation: "BRs: 7.1.4.2.2", + Source: lint.CABFBaselineRequirements, + EffectiveDate: util.CABEffectiveDate, + IneffectiveDate: util.SC62EffectiveDate, + }, + Lint: NewCommonNames, }) } diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_common_name_included_sc62.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_common_name_included_sc62.go new file mode 100644 index 000000000..6eb502563 --- /dev/null +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_common_name_included_sc62.go 
@@ -0,0 +1,57 @@ +package cabf_br + +/* + * ZLint Copyright 2024 Regents of the University of Michigan + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may not + * use this file except in compliance with the License. You may obtain a copy + * of the License at http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + * implied. See the License for the specific language governing + * permissions and limitations under the License. + */ + +import ( + "github.com/zmap/zcrypto/x509" + "github.com/zmap/zlint/v3/lint" + "github.com/zmap/zlint/v3/util" +) + +type commonNamesSC62 struct{} + +/*************************************************************** +BRs: 7.1.2.7.1 +Required/Optional: NOT RECOMMENDED +***************************************************************/ + +func init() { + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "w_subject_common_name_included", + Description: "Subscriber Certificate: commonName is NOT RECOMMENDED.", + Citation: "BRs: 7.1.2.7.1", + Source: lint.CABFBaselineRequirements, + EffectiveDate: util.SC62EffectiveDate, + }, + Lint: NewCommonNamesSC62, + }) +} + +func NewCommonNamesSC62() lint.LintInterface { + return &commonNamesSC62{} +} + +func (l *commonNamesSC62) CheckApplies(c *x509.Certificate) bool { + return util.IsSubscriberCert(c) +} + +func (l *commonNamesSC62) Execute(c *x509.Certificate) *lint.LintResult { + if c.Subject.CommonName == "" { + return &lint.LintResult{Status: lint.Pass} + } else { + return &lint.LintResult{Status: lint.Warn} + } +} 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_common_name_not_exactly_from_san.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_common_name_not_exactly_from_san.go index ceb77fe71..b73b38d58 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_common_name_not_exactly_from_san.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_common_name_not_exactly_from_san.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy @@ -34,13 +34,15 @@ the subjectAltName extension. ************************************************/ func init() { - lint.RegisterLint(&lint.Lint{ - Name: "e_subject_common_name_not_exactly_from_san", - Description: "The common name field in subscriber certificates must include only names from the SAN extension", - Citation: "BRs: 7.1.4.2.2", - Source: lint.CABFBaselineRequirements, - EffectiveDate: util.CABFBRs_1_8_0_Date, - Lint: NewSubjectCommonNameNotExactlyFromSAN, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_subject_common_name_not_exactly_from_san", + Description: "The common name field in subscriber certificates must include only names from the SAN extension", + Citation: "BRs: 7.1.4.2.2", + Source: lint.CABFBaselineRequirements, + EffectiveDate: util.CABFBRs_1_8_0_Date, + }, + Lint: NewSubjectCommonNameNotExactlyFromSAN, }) } diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_common_name_not_from_san.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_common_name_not_from_san.go index 4f6fe3fde..a394e95ce 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_common_name_not_from_san.go 
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_common_name_not_from_san.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy @@ -32,14 +32,16 @@ contained in the Certificate’s subjectAltName extension (see Section 7.1.4.2.1 ************************************************/ func init() { - lint.RegisterLint(&lint.Lint{ - Name: "e_subject_common_name_not_from_san", - Description: "The common name field in subscriber certificates must include only names from the SAN extension", - Citation: "BRs: 7.1.4.2.2", - Source: lint.CABFBaselineRequirements, - EffectiveDate: util.CABEffectiveDate, - IneffectiveDate: util.CABFBRs_1_8_0_Date, - Lint: NewSubjectCommonNameNotFromSAN, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_subject_common_name_not_from_san", + Description: "The common name field in subscriber certificates must include only names from the SAN extension", + Citation: "BRs: 7.1.4.2.2", + Source: lint.CABFBaselineRequirements, + EffectiveDate: util.CABEffectiveDate, + IneffectiveDate: util.CABFBRs_1_8_0_Date, + }, + Lint: NewSubjectCommonNameNotFromSAN, }) } diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_contains_malformed_arpa_ip.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_contains_malformed_arpa_ip.go index d2f6a2752..209b46f5b 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_contains_malformed_arpa_ip.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_contains_malformed_arpa_ip.go 
@@ -1,5 +1,5 @@ /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy 
@@ -32,23 +32,25 @@ import ( type arpaMalformedIP struct{} func init() { - lint.RegisterLint(&lint.Lint{ - Name: "w_subject_contains_malformed_arpa_ip", - Description: "Checks no subject domain name contains a rDNS entry in the " + - "registry-controlled .arpa zone with the wrong number of labels, or " + - "an invalid IP address (RFC 3596, BCP49)", - // NOTE(@cpu): 3.2.2.6 is particular to wildcard domain validation for names - // in a registry controlled zone (like .arpa), which would be an appropriate - // citation for when this lint finds a rDNS entry with the wrong - // number of labels/invalid IP because of the presence of a wildcard - // character. There is a larger on-going discussion[0] on the BRs stance on - // the .arpa zone entries that may produce a better citation to use here. - // - // [0]: https://github.com/cabforum/documents/issues/153 - Citation: "BRs: 3.2.2.6", - Source: lint.CABFBaselineRequirements, - EffectiveDate: util.CABEffectiveDate, - Lint: NewArpaMalformedIP, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "w_subject_contains_malformed_arpa_ip", + Description: "Checks no subject domain name contains a rDNS entry in the " + + "registry-controlled .arpa zone with the wrong number of labels, or " + + "an invalid IP address (RFC 3596, BCP49)", + // NOTE(@cpu): 3.2.2.6 is particular to wildcard domain validation for names + // in a registry controlled zone (like .arpa), which would be an appropriate + // citation for when this lint finds a rDNS entry with the wrong + // number of labels/invalid IP because of the presence of a wildcard + // character. There is a larger on-going discussion[0] on the BRs stance on + // the .arpa zone entries that may produce a better citation to use here. + // + // [0]: https://github.com/cabforum/documents/issues/153 + Citation: "BRs: 3.2.2.6", + Source: lint.CABFBaselineRequirements, + EffectiveDate: util.CABEffectiveDate, + }, + Lint: NewArpaMalformedIP, }) } 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_contains_noninformational_value.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_contains_noninformational_value.go index 00ae9daa7..933411021 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_contains_noninformational_value.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_contains_noninformational_value.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy @@ -34,13 +34,15 @@ be used. **********************************************************************************************************************/ func init() { - lint.RegisterLint(&lint.Lint{ - Name: "e_subject_contains_noninformational_value", - Description: "Subject name fields must not contain '.','-',' ' or any other indication that the field has been omitted", - Citation: "BRs: 7.1.4.2.2", - Source: lint.CABFBaselineRequirements, - EffectiveDate: util.CABEffectiveDate, - Lint: NewIllegalChar, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_subject_contains_noninformational_value", + Description: "Subject name fields must not contain '.','-',' ' or any other indication that the field has been omitted", + Citation: "BRs: 7.1.4.2.2", + Source: lint.CABFBaselineRequirements, + EffectiveDate: util.CABEffectiveDate, + }, + Lint: NewIllegalChar, }) } diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_contains_organizational_unit_name_and_no_organization_name.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_contains_organizational_unit_name_and_no_organization_name.go index b5aced626..ac694a5f0 100644 
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_contains_organizational_unit_name_and_no_organization_name.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_contains_organizational_unit_name_and_no_organization_name.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy @@ -32,13 +32,15 @@ This lint check the first requirement, i.e.: Prohibited if the subject:organizat ************************************************/ func init() { - lint.RegisterLint(&lint.Lint{ - Name: "e_subject_contains_organizational_unit_name_and_no_organization_name", - Description: "If a subject organization name is absent then an organizational unit name MUST NOT be included in subject", - Citation: "BRs: 7.1.4.2.2", - Source: lint.CABFBaselineRequirements, - EffectiveDate: util.CABFBRs_1_7_9_Date, - Lint: NewSubjectContainsOrganizationalUnitNameButNoOrganizationName, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_subject_contains_organizational_unit_name_and_no_organization_name", + Description: "If a subject organization name is absent then an organizational unit name MUST NOT be included in subject", + Citation: "BRs: 7.1.4.2.2", + Source: lint.CABFBaselineRequirements, + EffectiveDate: util.CABFBRs_1_7_9_Date, + }, + Lint: NewSubjectContainsOrganizationalUnitNameButNoOrganizationName, }) } diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_contains_reserved_arpa_ip.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_contains_reserved_arpa_ip.go index df93f9c26..b1f0fc452 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_contains_reserved_arpa_ip.go 
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_contains_reserved_arpa_ip.go @@ -1,5 +1,5 @@ /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy @@ -55,13 +55,15 @@ const ( type arpaReservedIP struct{} func init() { - lint.RegisterLint(&lint.Lint{ - Name: "e_subject_contains_reserved_arpa_ip", - Description: "Checks no subject domain name contains a rDNS entry in an .arpa zone specifying a reserved IP address", - Citation: "BRs: 7.1.4.2.1", - Source: lint.CABFBaselineRequirements, - EffectiveDate: util.CABEffectiveDate, - Lint: NewArpaReservedIP, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_subject_contains_reserved_arpa_ip", + Description: "Checks no subject domain name contains a rDNS entry in an .arpa zone specifying a reserved IP address", + Citation: "BRs: 7.1.4.2.1", + Source: lint.CABFBaselineRequirements, + EffectiveDate: util.CABEffectiveDate, + }, + Lint: NewArpaReservedIP, }) } diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_contains_reserved_ip.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_contains_reserved_ip.go index 39cba99e7..188a11bf1 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_contains_reserved_ip.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_contains_reserved_ip.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy 
@@ -34,13 +34,15 @@ Address or Internal Name. ************************************************/ func init() { - lint.RegisterLint(&lint.Lint{ - Name: "e_subject_contains_reserved_ip", - Description: "Certificates expiring later than 11 Jan 2015 MUST NOT contain a reserved IP address in the common name field", - Citation: "BRs: 7.1.4.2.1", - Source: lint.CABFBaselineRequirements, - EffectiveDate: util.CABEffectiveDate, - Lint: NewSubjectReservedIP, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_subject_contains_reserved_ip", + Description: "Certificates expiring later than 11 Jan 2015 MUST NOT contain a reserved IP address in the common name field", + Citation: "BRs: 7.1.4.2.1", + Source: lint.CABFBaselineRequirements, + EffectiveDate: util.CABEffectiveDate, + }, + Lint: NewSubjectReservedIP, }) } diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_country_not_iso.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_country_not_iso.go index 8d1aff75f..2ef0a9e5e 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_country_not_iso.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_country_not_iso.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy 
@@ -33,13 +33,15 @@ place of business is located. **************************************************************************************************************/ func init() { - lint.RegisterLint(&lint.Lint{ - Name: "e_subject_country_not_iso", - Description: "The country name field MUST contain the two-letter ISO code for the country or XX", - Citation: "BRs: 7.1.4.2.2", - Source: lint.CABFBaselineRequirements, - EffectiveDate: util.CABEffectiveDate, - Lint: NewCountryNotIso, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_subject_country_not_iso", + Description: "The country name field MUST contain the two-letter ISO code for the country or XX", + Citation: "BRs: 7.1.4.2.2", + Source: lint.CABFBaselineRequirements, + EffectiveDate: util.CABEffectiveDate, + }, + Lint: NewCountryNotIso, }) } diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_public_key_info_improper_algorithm_object_identifier_encoding.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_public_key_info_improper_algorithm_object_identifier_encoding.go index a8c017581..d27a61ad0 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_public_key_info_improper_algorithm_object_identifier_encoding.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_public_key_info_improper_algorithm_object_identifier_encoding.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy 
@@ -42,14 +42,16 @@ For P‐521 keys: 301006072a8648ce3d020106052b81040023 *********************************************** */ func init() { - lint.RegisterLint(&lint.Lint{ - Name: "e_algorithm_identifier_improper_encoding", - Description: "Encoded AlgorithmObjectIdentifier objects inside a SubjectPublicKeyInfo field " + - "MUST comply with specified byte sequences.", - Citation: "BRs: 7.1.3.1", - Source: lint.CABFBaselineRequirements, - EffectiveDate: util.CABFBRs_1_7_1_Date, - Lint: NewAlgorithmObjectIdentifierEncoding, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_algorithm_identifier_improper_encoding", + Description: "Encoded AlgorithmObjectIdentifier objects inside a SubjectPublicKeyInfo field " + + "MUST comply with specified byte sequences.", + Citation: "BRs: 7.1.3.1", + Source: lint.CABFBaselineRequirements, + EffectiveDate: util.CABFBRs_1_7_1_Date, + }, + Lint: NewAlgorithmObjectIdentifierEncoding, }) } diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_underscore_not_permissible_in_dnsname.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_underscore_not_permissible_in_dnsname.go index 525fff4a6..183d55100 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_underscore_not_permissible_in_dnsname.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_underscore_not_permissible_in_dnsname.go @@ -1,5 +1,5 @@ /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy 
@@ -25,13 +25,15 @@ import ( ) func init() { - lint.RegisterLint(&lint.Lint{ - Name: "e_underscore_not_permissible_in_dnsname", - Description: "DNSNames MUST NOT contain underscore characters", - Citation: "BR 7.1.4.2.1", - Source: lint.CABFBaselineRequirements, - EffectiveDate: util.CABFBRs_1_6_2_UnderscorePermissibilitySunsetDate, - Lint: func() lint.LintInterface { return &UnderscoreNotPermissibleInDNSName{} }, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_underscore_not_permissible_in_dnsname", + Description: "DNSNames MUST NOT contain underscore characters", + Citation: "BR 7.1.4.2.1", + Source: lint.CABFBaselineRequirements, + EffectiveDate: util.CABFBRs_1_6_2_UnderscorePermissibilitySunsetDate, + }, + Lint: func() lint.LintInterface { return &UnderscoreNotPermissibleInDNSName{} }, }) } diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_underscore_permissible_in_dnsname_if_valid_when_replaced.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_underscore_permissible_in_dnsname_if_valid_when_replaced.go new file mode 100644 index 000000000..422218b76 --- /dev/null +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_underscore_permissible_in_dnsname_if_valid_when_replaced.go 
@@ -0,0 +1,59 @@
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+package cabf_br
+
+import (
+ "fmt"
+ "strings"
+
+ "github.com/zmap/zcrypto/x509"
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/util"
+)
+
+func init() {
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_underscore_permissible_in_dnsname_if_valid_when_replaced",
+ Description: "From December 10th 2018 to April 1st 2019 DNSNames may contain underscores if-and-only-if every label within each DNS name is a valid LDH label after replacing all underscores with hyphens",
+ Citation: "BR 7.1.4.2.1",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.CABFBRs_1_6_2_Date,
+ IneffectiveDate: util.CABFBRs_1_6_2_UnderscorePermissibilitySunsetDate,
+ },
+ Lint: func() lint.LintInterface { return &UnderscorePermissibleInDNSNameIfValidWhenReplaced{} },
+ })
+}
+
+type UnderscorePermissibleInDNSNameIfValidWhenReplaced struct{}
+
+func (l *UnderscorePermissibleInDNSNameIfValidWhenReplaced) CheckApplies(c *x509.Certificate) bool {
+ return util.IsSubscriberCert(c) && util.DNSNamesExist(c)
+}
+
+func (l *UnderscorePermissibleInDNSNameIfValidWhenReplaced) Execute(c *x509.Certificate) *lint.LintResult {
+ for _, dns := range c.DNSNames {
+ for _, label := range strings.Split(dns, ".") {
+ if !strings.Contains(label, "_") || label == "*" {
+ continue
+ }
+ replaced := strings.ReplaceAll(label, "_", "-")
+ if !util.IsLDHLabel(replaced) {
+ return &lint.LintResult{Status: lint.Error, Details: fmt.Sprintf("When all underscores (_) in %q are replaced with hypens (-) the result is %q which not a valid LDH label", label, replaced)}
+ }
+ }
+ }
+ return &lint.LintResult{Status: lint.Pass}
+}
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_underscore_present_with_too_long_validity.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_underscore_present_with_too_long_validity.go
new file mode 100644
index 000000000..3460cdc3b
--- /dev/null
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_underscore_present_with_too_long_validity.go
@@ -0,0 +1,61 @@
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+package cabf_br
+
+import (
+ "fmt"
+ "strings"
+
+ "github.com/zmap/zcrypto/x509"
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/util"
+)
+
+func init() {
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_underscore_present_with_too_long_validity",
+ Description: "From 2018-12-10 to 2019-04-01, DNSNames may contain underscores if-and-only-if the certificate is valid for less than thirty days.",
+ Citation: "BR 7.1.4.2.1",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.CABFBRs_1_6_2_Date,
+ IneffectiveDate: util.CABFBRs_1_6_2_UnderscorePermissibilitySunsetDate,
+ },
+ Lint: func() lint.LintInterface { return &UnderscorePresentWithTooLongValidity{} },
+ })
+}
+
+type UnderscorePresentWithTooLongValidity struct{}
+
+func (l *UnderscorePresentWithTooLongValidity) CheckApplies(c *x509.Certificate) bool {
+ longValidity := util.BeforeOrOn(c.NotBefore.AddDate(0, 0, 30), c.NotAfter)
+ return util.IsSubscriberCert(c) && util.DNSNamesExist(c) && longValidity
+}
+
+func (l *UnderscorePresentWithTooLongValidity) Execute(c *x509.Certificate) *lint.LintResult {
+ for _, dns := range c.DNSNames {
+ if strings.Contains(dns, "_") {
+ return &lint.LintResult{
+ Status: lint.Error,
+ Details: fmt.Sprintf(
+ "The DNSName '%s' contains an underscore character which is 
only permissible if the certiticate is valid for less than 30 days (this certificate is valid for %d days)", + dns, + c.NotAfter.Sub(c.NotBefore)/util.DurationDay, + ), + } + } + } + return &lint.LintResult{Status: lint.Pass} +} diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_w_sub_ca_aia_missing.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_w_sub_ca_aia_missing.go index c366a815e..2b1c3db9e 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_w_sub_ca_aia_missing.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_w_sub_ca_aia_missing.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy @@ -31,13 +31,15 @@ It SHOULD contain the HTTP URL of the Issuing CA’s certificate (accessMethod = ************************************************/ func init() { - lint.RegisterLint(&lint.Lint{ - Name: "w_sub_ca_aia_missing", - Description: "Subordinate CA Certificate: authorityInformationAccess SHOULD be present.", - Citation: "BRs: 7.1.2.2", - Source: lint.CABFBaselineRequirements, - EffectiveDate: util.CABFBRs_1_7_1_Date, - Lint: NewCaAiaShouldNotBeMissing, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "w_sub_ca_aia_missing", + Description: "Subordinate CA Certificate: authorityInformationAccess SHOULD be present.", + Citation: "BRs: 7.1.2.2", + Source: lint.CABFBaselineRequirements, + EffectiveDate: util.CABFBRs_1_7_1_Date, + }, + Lint: NewCaAiaShouldNotBeMissing, }) } diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_ev_business_category_missing.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_ev_business_category_missing.go index ece50bfac..445ccff3c 100644 
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_ev_business_category_missing.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_ev_business_category_missing.go @@ -1,7 +1,7 @@ package cabf_ev /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy @@ -23,13 +23,15 @@ import ( type evNoBiz struct{} func init() { - lint.RegisterLint(&lint.Lint{ - Name: "e_ev_business_category_missing", - Description: "EV certificates must include businessCategory in subject", - Citation: "EVGs: 9.2.3", - Source: lint.CABFEVGuidelines, - EffectiveDate: util.ZeroDate, - Lint: NewEvNoBiz, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_ev_business_category_missing", + Description: "EV certificates must include businessCategory in subject", + Citation: "EVGs: 9.2.3", + Source: lint.CABFEVGuidelines, + EffectiveDate: util.ZeroDate, + }, + Lint: NewEvNoBiz, }) } diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_ev_country_name_missing.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_ev_country_name_missing.go index 869089954..80eadfd4f 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_ev_country_name_missing.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_ev_country_name_missing.go @@ -1,7 +1,7 @@ package cabf_ev /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy 
@@ -23,13 +23,15 @@ import ( type evCountryMissing struct{} func init() { - lint.RegisterLint(&lint.Lint{ - Name: "e_ev_country_name_missing", - Description: "EV certificates must include countryName in subject", - Citation: "EVGs: 9.2.4", - Source: lint.CABFEVGuidelines, - EffectiveDate: util.ZeroDate, - Lint: NewEvCountryMissing, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_ev_country_name_missing", + Description: "EV certificates must include countryName in subject", + Citation: "EVGs: 9.2.4", + Source: lint.CABFEVGuidelines, + EffectiveDate: util.ZeroDate, + }, + Lint: NewEvCountryMissing, }) } diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_ev_not_wildcard.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_ev_not_wildcard.go index da1e8c845..f0ed4bcc5 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_ev_not_wildcard.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_ev_not_wildcard.go @@ -1,5 +1,5 @@ /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy 
@@ -24,13 +24,15 @@ import ( ) func init() { - lint.RegisterLint(&lint.Lint{ - Name: "e_ev_not_wildcard", - Description: "Wildcard certificates are not allowed for EV Certificates except for those with .onion as the TLD.", - Citation: "CABF EV Guidelines 1.7.8 Section 9.8.1", - Source: lint.CABFEVGuidelines, - EffectiveDate: util.OnionOnlyEVDate, - Lint: NewEvNotWildCard, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_ev_not_wildcard", + Description: "Wildcard certificates are not allowed for EV Certificates except for those with .onion as the TLD.", + Citation: "CABF EV Guidelines 1.7.8 Section 9.8.1", + Source: lint.CABFEVGuidelines, + EffectiveDate: util.OnionOnlyEVDate, + }, + Lint: NewEvNotWildCard, }) } diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_ev_organization_id_missing.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_ev_organization_id_missing.go index 50ed6dab8..695b909c6 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_ev_organization_id_missing.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_ev_organization_id_missing.go @@ -1,5 +1,5 @@ /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy 
@@ -23,14 +23,16 @@ import ( type evOrgIdExtMissing struct{} func init() { - lint.RegisterLint(&lint.Lint{ - Name: "e_ev_organization_id_missing", - Description: "Effective January 31, 2020, if the subject:organizationIdentifier field is " + - "present, this [cabfOrganizationIdentifier] field MUST be present.", - Citation: "CA/Browser Forum EV Guidelines v1.7.0, Sec. 9.8.2", - Source: lint.CABFEVGuidelines, - EffectiveDate: util.CABFEV_9_8_2, - Lint: NewEvOrgIdExtMissing, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_ev_organization_id_missing", + Description: "Effective January 31, 2020, if the subject:organizationIdentifier field is " + + "present, this [cabfOrganizationIdentifier] field MUST be present.", + Citation: "CA/Browser Forum EV Guidelines v1.7.0, Sec. 9.8.2", + Source: lint.CABFEVGuidelines, + EffectiveDate: util.CABFEV_9_8_2, + }, + Lint: NewEvOrgIdExtMissing, }) } diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_ev_organization_name_missing.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_ev_organization_name_missing.go index c3d877acc..8250c3c2c 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_ev_organization_name_missing.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_ev_organization_name_missing.go @@ -1,7 +1,7 @@ package cabf_ev /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy 
@@ -23,13 +23,15 @@ import ( type evOrgMissing struct{} func init() { - lint.RegisterLint(&lint.Lint{ - Name: "e_ev_organization_name_missing", - Description: "EV certificates must include organizationName in subject", - Citation: "EVGs: 9.2.1", - Source: lint.CABFEVGuidelines, - EffectiveDate: util.ZeroDate, - Lint: NewEvOrgMissing, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_ev_organization_name_missing", + Description: "EV certificates must include organizationName in subject", + Citation: "EVGs: 9.2.1", + Source: lint.CABFEVGuidelines, + EffectiveDate: util.ZeroDate, + }, + Lint: NewEvOrgMissing, }) } diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_ev_san_ip_address_present.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_ev_san_ip_address_present.go index 591715f15..cb5d41c45 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_ev_san_ip_address_present.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_ev_san_ip_address_present.go @@ -1,5 +1,5 @@ /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy 
@@ -21,13 +21,15 @@ import ( ) func init() { - lint.RegisterLint(&lint.Lint{ - Name: "e_ev_san_ip_address_present", - Description: "The Subject Alternate Name extension MUST contain only 'dnsName' name types.", - Citation: "CABF EV Guidelines 1.7.8 Section 9.8.1", - Source: lint.CABFEVGuidelines, - EffectiveDate: util.ZeroDate, - Lint: NewEvSanIpAddressPresent, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_ev_san_ip_address_present", + Description: "The Subject Alternate Name extension MUST contain only 'dnsName' name types.", + Citation: "CABF EV Guidelines 1.7.8 Section 9.8.1", + Source: lint.CABFEVGuidelines, + EffectiveDate: util.ZeroDate, + }, + Lint: NewEvSanIpAddressPresent, }) } diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_ev_serial_number_missing.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_ev_serial_number_missing.go index f9938da7d..aff09c831 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_ev_serial_number_missing.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_ev_serial_number_missing.go @@ -1,7 +1,7 @@ package cabf_ev /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy 
@@ -23,13 +23,15 @@ import ( type evSNMissing struct{} func init() { - lint.RegisterLint(&lint.Lint{ - Name: "e_ev_serial_number_missing", - Description: "EV certificates must include serialNumber in subject", - Citation: "EVGs: 9.2.6", - Source: lint.CABFEVGuidelines, - EffectiveDate: util.ZeroDate, - Lint: NewEvSNMissing, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_ev_serial_number_missing", + Description: "EV certificates must include serialNumber in subject", + Citation: "EVGs: 9.2.6", + Source: lint.CABFEVGuidelines, + EffectiveDate: util.ZeroDate, + }, + Lint: NewEvSNMissing, }) } diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_ev_valid_time_too_long.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_ev_valid_time_too_long.go index b207d027c..ab8be5f8a 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_ev_valid_time_too_long.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_ev_valid_time_too_long.go @@ -1,7 +1,7 @@ package cabf_ev /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy 
@@ -23,13 +23,15 @@ import ( type evValidTooLong struct{} func init() { - lint.RegisterLint(&lint.Lint{ - Name: "e_ev_valid_time_too_long", - Description: "EV certificates must be 27 months in validity or less", - Citation: "EVGs 1.0: 8(a), EVGs 1.6.1: 9.4", - Source: lint.CABFEVGuidelines, - EffectiveDate: util.ZeroDate, - Lint: NewEvValidTooLong, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_ev_valid_time_too_long", + Description: "EV certificates must be 27 months in validity or less", + Citation: "EVGs 1.0: 8(a), EVGs 1.6.1: 9.4", + Source: lint.CABFEVGuidelines, + EffectiveDate: util.ZeroDate, + }, + Lint: NewEvValidTooLong, }) } diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_onion_subject_validity_time_too_large.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_onion_subject_validity_time_too_large.go index 40f619616..699565071 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_onion_subject_validity_time_too_large.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_onion_subject_validity_time_too_large.go @@ -1,5 +1,5 @@ /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy 
@@ -33,15 +33,17 @@ const (
 type torValidityTooLarge struct{}
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_onion_subject_validity_time_too_large",
- Description: fmt.Sprintf(
- "certificates with .onion names can not be valid for more than %d months",
- maxOnionValidityMonths),
- Citation: "EVGs: Appendix F",
- Source: lint.CABFEVGuidelines,
- EffectiveDate: util.OnionOnlyEVDate,
- Lint: NewTorValidityTooLarge,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_onion_subject_validity_time_too_large",
+ Description: fmt.Sprintf(
+ "certificates with .onion names can not be valid for more than %d months",
+ maxOnionValidityMonths),
+ Citation: "EVGs: Appendix F",
+ Source: lint.CABFEVGuidelines,
+ EffectiveDate: util.OnionOnlyEVDate,
+ },
+ Lint: NewTorValidityTooLarge,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_adobe_extensions_legacy_multipurpose_criticality.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_adobe_extensions_legacy_multipurpose_criticality.go
new file mode 100644
index 000000000..e37074d3a
--- /dev/null
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_adobe_extensions_legacy_multipurpose_criticality.go
@@ -0,0 +1,63 @@
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+package cabf_smime_br
+
+import (
+ "github.com/zmap/zcrypto/x509"
+
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/util"
+)
+
+func init() {
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_adobe_extensions_legacy_multipurpose_criticality",
+ Description: "If present, Adobe Time‐stamp X509 extension (1.2.840.113583.1.1.9.1) or the Adobe ArchiveRevInfo extension (1.2.840.113583.1.1.9.2) SHALL NOT be marked as critical for multipurpose/legacy SMIME certificates",
+ Citation: "7.1.2.3.m",
+ Source: lint.CABFSMIMEBaselineRequirements,
+ EffectiveDate: util.CABF_SMIME_BRs_1_0_0_Date,
+ },
+ Lint: NewAdobeExtensionsLegacyMultipurposeCriticality,
+ })
+}
+
+type adobeExtensionsLegacyMultipurposeCriticality struct{}
+
+// NewAdobeExtensionsLegacyMultipurposeCriticality creates a new linter to enforce adobe x509 extensions requirements for multipurpose or legacy SMIME certs
+func NewAdobeExtensionsLegacyMultipurposeCriticality() lint.CertificateLintInterface {
+ return &adobeExtensionsLegacyMultipurposeCriticality{}
+}
+
+// CheckApplies returns true if for any subscriber certificate the certificate's policies assert that it conforms to the multipurpose or legacy policy requirements defined in the SMIME BRs
+// and the certificate contains one of the adobe x509 
extensions
+func (l *adobeExtensionsLegacyMultipurposeCriticality) CheckApplies(c *x509.Certificate) bool {
+ return util.IsSubscriberCert(c) && (util.IsLegacySMIMECertificate(c) || util.IsMultipurposeSMIMECertificate(c)) && hasAdobeX509Extensions(c)
+}
+
+// Execute applies the requirements of adobe x509 extensions not being marked as critical, if present, for multipurpose or legacy SMIME certificates
+func (l *adobeExtensionsLegacyMultipurposeCriticality) Execute(c *x509.Certificate) *lint.LintResult {
+ adobeTimeStampExt := util.GetExtFromCert(c, util.AdobeTimeStampOID)
+ if adobeTimeStampExt != nil && adobeTimeStampExt.Critical {
+ return &lint.LintResult{Status: lint.Error}
+ }
+
+ adobeArchRevInfoExt := util.GetExtFromCert(c, util.AdobeArchiveRevInfoOID)
+ if adobeArchRevInfoExt != nil && adobeArchRevInfoExt.Critical {
+ return &lint.LintResult{Status: lint.Error}
+ }
+
+ return &lint.LintResult{Status: lint.Pass}
+}
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_adobe_extensions_strict_presence.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_adobe_extensions_strict_presence.go
new file mode 100644
index 000000000..73603ea91
--- /dev/null
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_adobe_extensions_strict_presence.go
@@ -0,0 +1,60 @@
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+package cabf_smime_br
+
+import (
+ "github.com/zmap/zcrypto/x509"
+
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/util"
+)
+
+func init() {
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_adobe_extensions_strict_presence",
+ Description: "Adobe Time‐stamp X509 extension (1.2.840.113583.1.1.9.1) and the Adobe ArchiveRevInfo extension (1.2.840.113583.1.1.9.2) are prohibited for strict SMIME certificates",
+ Citation: "7.1.2.3.m",
+ Source: lint.CABFSMIMEBaselineRequirements,
+ EffectiveDate: util.CABF_SMIME_BRs_1_0_0_Date,
+ },
+ Lint: NewAdobeExtensionsStrictPresence,
+ })
+}
+
+type adobeExtensionsStrictPresence struct{}
+
+// NewAdobeExtensionsStrictPresence creates a new linter to enforce adobe x509 extensions requirements for strict SMIME certs
+func NewAdobeExtensionsStrictPresence() lint.CertificateLintInterface {
+ return &adobeExtensionsStrictPresence{}
+}
+
+// CheckApplies returns true if for any subscriber certificate the certificate's policies assert that it conforms to the strict policy requirements defined in the SMIME BRs
+func (l *adobeExtensionsStrictPresence) CheckApplies(c *x509.Certificate) bool {
+ return util.IsSubscriberCert(c) && util.IsStrictSMIMECertificate(c)
+}
+
+// Execute applies the requirements of adobe x509 extensions not being 
allowed for strict SMIME certificates
+func (l *adobeExtensionsStrictPresence) Execute(c *x509.Certificate) *lint.LintResult {
+ if hasAdobeX509Extensions(c) {
+ return &lint.LintResult{Status: lint.Error}
+ }
+
+ return &lint.LintResult{Status: lint.Pass}
+}
+
+func hasAdobeX509Extensions(c *x509.Certificate) bool {
+ return util.IsExtInCert(c, util.AdobeTimeStampOID) || util.IsExtInCert(c, util.AdobeArchiveRevInfoOID)
+}
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_aia_contains_internal_names.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_aia_contains_internal_names.go
new file mode 100644
index 000000000..f22551fd4
--- /dev/null
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_aia_contains_internal_names.go
@@ -0,0 +1,91 @@
+package cabf_smime_br
+
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+import (
+ "net"
+ "net/url"
+ "time"
+
+ "github.com/zmap/zcrypto/x509"
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/util"
+)
+
+type smimeAIAContainsInternalNames struct{}
+
+/************************************************************************
+BRs: 7.1.2.3c
+CA Certificate Authority Information Access
+The authorityInformationAccess extension MAY contain one or more accessMethod
+values for each of the following types:
+
+id-ad-ocsp specifies the URI of the Issuing CA's OCSP responder.
+id-ad-caIssuers specifies the URI of the Issuing CA's Certificate.
+
+*************************************************************************/
+
+func init() {
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "w_smime_aia_contains_internal_names",
+ Description: "SMIME certificates authorityInformationAccess. 
Internal domain names should not be included.",
+ Citation: "BRs: 7.1.2.3c",
+ Source: lint.CABFSMIMEBaselineRequirements,
+ EffectiveDate: util.CABF_SMIME_BRs_1_0_0_Date,
+ },
+ Lint: NewSMIMEAIAInternalName,
+ })
+}
+
+func NewSMIMEAIAInternalName() lint.LintInterface {
+ return &smimeAIAContainsInternalNames{}
+}
+
+func (l *smimeAIAContainsInternalNames) CheckApplies(c *x509.Certificate) bool {
+ return util.IsExtInCert(c, util.AiaOID) && util.IsSubscriberCert(c) && util.IsSMIMEBRCertificate(c)
+}
+
+func (l *smimeAIAContainsInternalNames) Execute(c *x509.Certificate) *lint.LintResult {
+ for _, u := range c.OCSPServer {
+ purl, err := url.Parse(u)
+ if err != nil {
+ return &lint.LintResult{Status: lint.Error}
+ }
+
+ if net.ParseIP(purl.Host) != nil {
+ continue
+ }
+
+ if !util.HasValidTLD(purl.Hostname(), time.Now()) {
+ return &lint.LintResult{Status: lint.Warn}
+ }
+ }
+ for _, u := range c.IssuingCertificateURL {
+ purl, err := url.Parse(u)
+ if err != nil {
+ return &lint.LintResult{Status: lint.Error}
+ }
+
+ if net.ParseIP(purl.Host) != nil {
+ continue
+ }
+
+ if !util.HasValidTLD(purl.Hostname(), time.Now()) {
+ return &lint.LintResult{Status: lint.Warn}
+ }
+ }
+ return &lint.LintResult{Status: lint.Pass}
+}
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_authority_key_identifier.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_authority_key_identifier.go
new file mode 100644
index 000000000..a8c3835b5
--- /dev/null
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_authority_key_identifier.go
@@ -0,0 +1,85 @@
+package cabf_smime_br
+
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+import (
+ "fmt"
+
+ "github.com/zmap/zcrypto/encoding/asn1"
+ "github.com/zmap/zcrypto/x509"
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/util"
+)
+
+type keyIdentifier struct {
+ KeyIdentifier asn1.RawValue `asn1:"optional,tag:0"`
+ AuthorityCertIssuer asn1.RawValue `asn1:"optional,tag:1"`
+ AuthorityCertSerialNumber asn1.RawValue `asn1:"optional,tag:2"`
+}
+
+type authorityKeyIdentifierCorrect struct{}
+
+func init() {
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_authority_key_identifier_correct",
+ Description: "authorityKeyIdentifier SHALL be present. This extension SHALL NOT be marked critical. The keyIdentifier field SHALL be present. 
authorityCertIssuer and authorityCertSerialNumber fields SHALL NOT be present.",
+ Citation: "7.1.2.3.g",
+ Source: lint.CABFSMIMEBaselineRequirements,
+ EffectiveDate: util.CABF_SMIME_BRs_1_0_0_Date,
+ },
+ Lint: NewAuthorityKeyIdentifierCorrect,
+ })
+}
+
+func NewAuthorityKeyIdentifierCorrect() lint.LintInterface {
+ return &authorityKeyIdentifierCorrect{}
+}
+
+func (l *authorityKeyIdentifierCorrect) CheckApplies(c *x509.Certificate) bool {
+ return util.IsSubscriberCert(c) && util.IsSMIMEBRCertificate(c)
+}
+
+func (l *authorityKeyIdentifierCorrect) Execute(c *x509.Certificate) *lint.LintResult {
+ ext := util.GetExtFromCert(c, util.AuthkeyOID)
+ if ext == nil {
+ return &lint.LintResult{Status: lint.Error, Details: "missing authorityKeyIdentifier"}
+ }
+ if ext.Critical {
+ return &lint.LintResult{Status: lint.Error, Details: "authorityKeyIdentifier is critical"}
+ }
+
+ var keyID keyIdentifier
+ if _, err := asn1.Unmarshal(ext.Value, &keyID); err != nil {
+ return &lint.LintResult{
+ Status: lint.Fatal,
+ Details: fmt.Sprintf("error unmarshalling authority key identifier extension: %v", err),
+ }
+ }
+
+ hasKeyID := len(keyID.KeyIdentifier.Bytes) > 0
+ hasCertIssuer := len(keyID.AuthorityCertIssuer.Bytes) > 0
+ hasCertSerial := len(keyID.AuthorityCertSerialNumber.Bytes) > 0
+ if !hasKeyID {
+ return &lint.LintResult{Status: lint.Error, Details: "keyIdentifier not present"}
+ }
+ if hasCertIssuer {
+ return &lint.LintResult{Status: lint.Error, Details: "authorityCertIssuer is present"}
+ }
+ if hasCertSerial {
+ return &lint.LintResult{Status: lint.Error, Details: "authorityCertSerialNumber is present"}
+ }
+ return &lint.LintResult{Status: lint.Pass}
+}
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_commonname_mailbox_validated.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_commonname_mailbox_validated.go
new file mode 100644
index 000000000..06df676fd
--- /dev/null
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_commonname_mailbox_validated.go
@@ -0,0 +1,55 @@
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+package cabf_smime_br
+
+import (
+ "github.com/zmap/zcrypto/x509"
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/util"
+)
+
+func init() {
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_commonname_mailbox_validated",
+ Description: "If present, the commonName attribute of a mailbox-validated certificate SHALL contain a mailbox address",
+ Citation: "S/MIME BRs: 7.1.4.2.2a",
+ Source: lint.CABFSMIMEBaselineRequirements,
+ EffectiveDate: util.CABF_SMIME_BRs_1_0_0_Date,
+ },
+ Lint: NewCommonNameMailboxValidated,
+ })
+}
+
+type commonNameMailboxValidated struct{}
+
+func NewCommonNameMailboxValidated() lint.LintInterface {
+ return &commonNameMailboxValidated{}
+}
+
+func (l *commonNameMailboxValidated) CheckApplies(c *x509.Certificate) bool {
+ return util.IsMailboxValidatedCertificate(c)
+}
+
+func (l *commonNameMailboxValidated) Execute(c *x509.Certificate) *lint.LintResult {
+ commonNames := []string{c.Subject.CommonName}
+ commonNames = append(commonNames, c.Subject.CommonNames...)
+ for _, cn := range commonNames {
+ if !util.IsMailboxAddress(cn) {
+ return &lint.LintResult{Status: lint.Error}
+ }
+ }
+ return &lint.LintResult{Status: lint.Pass}
+}
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_ecpublickey_key_usages.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_ecpublickey_key_usages.go
new file mode 100644
index 000000000..664b4fc36
--- /dev/null
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_ecpublickey_key_usages.go
@@ -0,0 +1,85 @@
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+package cabf_smime_br
+
+import (
+ "github.com/zmap/zcrypto/x509"
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/util"
+)
+
+func init() {
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_ecpublickey_key_usages",
+ Description: "For signing only, bit positions SHALL be set for digitalSignature and MAY be set for nonRepudiation. 
For key management only, bit positions SHALL be set for keyEncipherment.For dual use, bit positions SHALL be set for digitalSignature and keyEncipherment and MAY be set for nonRepudiation.",
+ Citation: "7.1.2.3.e",
+ Source: lint.CABFSMIMEBaselineRequirements,
+ EffectiveDate: util.CABF_SMIME_BRs_1_0_0_Date,
+ },
+ Lint: NewECPublicKeyKeyUsages,
+ })
+}
+
+type ecPublicKeyKeyUsages struct{}
+
+func NewECPublicKeyKeyUsages() lint.LintInterface {
+ return &ecPublicKeyKeyUsages{}
+}
+
+func (l *ecPublicKeyKeyUsages) CheckApplies(c *x509.Certificate) bool {
+ return util.IsSubscriberCert(c) && util.IsSMIMEBRCertificate(c) && util.IsExtInCert(c, util.KeyUsageOID) && c.PublicKeyAlgorithm == x509.ECDSA
+}
+
+func (l *ecPublicKeyKeyUsages) Execute(c *x509.Certificate) *lint.LintResult {
+ const (
+ signing = iota + 1
+ keyManagement
+ dualUsage
+ )
+
+ certType := 0
+ if util.HasKeyUsage(c, x509.KeyUsageDigitalSignature) {
+ certType |= signing
+ }
+ if util.HasKeyUsage(c, x509.KeyUsageKeyAgreement) {
+ certType |= keyManagement
+ }
+
+ switch certType {
+ case signing:
+ mask := 0x1FF ^ (x509.KeyUsageDigitalSignature | x509.KeyUsageContentCommitment)
+ if c.KeyUsage&mask != 0 {
+ return &lint.LintResult{Status: lint.Error}
+ }
+
+ case keyManagement:
+ mask := 0x1FF ^ (x509.KeyUsageKeyAgreement | x509.KeyUsageEncipherOnly | x509.KeyUsageDecipherOnly)
+ if c.KeyUsage&mask != 0 {
+ return &lint.LintResult{Status: lint.Error}
+ }
+
+ case dualUsage:
+ mask := 0x1FF ^ (x509.KeyUsageDigitalSignature | x509.KeyUsageContentCommitment | x509.KeyUsageKeyAgreement | x509.KeyUsageEncipherOnly | x509.KeyUsageDecipherOnly)
+ if c.KeyUsage&mask != 0 {
+ return &lint.LintResult{Status: lint.Error}
+ }
+
+ default:
+ return &lint.LintResult{Status: lint.NA}
+ }
+
+ return &lint.LintResult{Status: lint.Pass}
+}
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_ecpublickey_other_key_usages.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_ecpublickey_other_key_usages.go
new file mode 100644
index 000000000..659288ac7
--- /dev/null
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_ecpublickey_other_key_usages.go
@@ -0,0 +1,56 @@
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+package cabf_smime_br
+
+import (
+ "github.com/zmap/zcrypto/x509"
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/util"
+)
+
+func init() {
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_ec_other_key_usages",
+ Description: "Other bit positions SHALL NOT be set.",
+ Citation: "7.1.2.3.e",
+ Source: lint.CABFSMIMEBaselineRequirements,
+ EffectiveDate: util.CABF_SMIME_BRs_1_0_0_Date,
+ },
+ Lint: NewECOtherKeyUsages,
+ })
+}
+
+type ecOtherKeyUsages struct{}
+
+func NewECOtherKeyUsages() lint.LintInterface {
+ return &ecOtherKeyUsages{}
+}
+
+func (l *ecOtherKeyUsages) CheckApplies(c *x509.Certificate) bool {
+ return util.IsSubscriberCert(c) && util.IsSMIMEBRCertificate(c) && util.IsExtInCert(c, util.KeyUsageOID) && c.PublicKeyAlgorithm == x509.ECDSA
+}
+
+func (l *ecOtherKeyUsages) Execute(c *x509.Certificate) *lint.LintResult {
+ if !(util.HasKeyUsage(c, x509.KeyUsageDigitalSignature) || util.HasKeyUsage(c, x509.KeyUsageKeyAgreement)) {
+ if c.KeyUsage != 0 {
+ return &lint.LintResult{Status: lint.Error}
+ }
+
+ return &lint.LintResult{Status: lint.NA}
+ }
+
+ return &lint.LintResult{Status: lint.Pass}
+}
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_edwardspublickey_key_usages.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_edwardspublickey_key_usages.go
new file mode 100644
index 000000000..d89c18d7a
--- /dev/null
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_edwardspublickey_key_usages.go
@@ -0,0 +1,58 @@
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+package cabf_smime_br
+
+import (
+ "github.com/zmap/zcrypto/x509"
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/util"
+)
+
+func init() {
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_edwardspublickey_key_usages",
+ Description: "Bit positions SHALL be set for digitalSignature and MAY be set for nonRepudiation.",
+ Citation: "7.1.2.3.e",
+ Source: lint.CABFSMIMEBaselineRequirements,
+ EffectiveDate: util.CABF_SMIME_BRs_1_0_0_Date,
+ },
+ Lint: NewEdwardsPublicKeyKeyUsages,
+ })
+}
+
+type edwardsPublicKeyKeyUsages struct{}
+
+func NewEdwardsPublicKeyKeyUsages() lint.LintInterface {
+ return &edwardsPublicKeyKeyUsages{}
+}
+
+func (l *edwardsPublicKeyKeyUsages) CheckApplies(c *x509.Certificate) bool {
+ // TODO add support for curve448 certificate linting
+ return util.IsSubscriberCert(c) && util.IsSMIMEBRCertificate(c) && util.IsExtInCert(c, util.KeyUsageOID) && c.PublicKeyAlgorithm == x509.Ed25519
+}
+
+func (l *edwardsPublicKeyKeyUsages) Execute(c *x509.Certificate) *lint.LintResult {
+ if !util.HasKeyUsage(c, x509.KeyUsageDigitalSignature) {
+ return &lint.LintResult{Status: lint.Error}
+ }
+
+ mask := 0x1FF ^ (x509.KeyUsageDigitalSignature | x509.KeyUsageContentCommitment)
+ if c.KeyUsage&mask != 0 {
+ return &lint.LintResult{Status: lint.Error}
+ }
+
+ 
 return &lint.LintResult{Status: lint.Pass}
+}
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_key_usage_criticality.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_key_usage_criticality.go
new file mode 100644
index 000000000..5e1fb0bb1
--- /dev/null
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_key_usage_criticality.go
@@ -0,0 +1,54 @@
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+package cabf_smime_br
+
+import (
+ "github.com/zmap/zcrypto/x509"
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/util"
+)
+
+func init() {
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "w_key_usage_criticality",
+ Description: "keyUsage... This extension SHOULD be marked critical",
+ Citation: "7.1.2.3.e",
+ Source: lint.CABFSMIMEBaselineRequirements,
+ EffectiveDate: util.CABF_SMIME_BRs_1_0_0_Date,
+ },
+ Lint: NewKeyUsageCriticality,
+ })
+}
+
+type keyUsageCriticality struct{}
+
+func NewKeyUsageCriticality() lint.LintInterface {
+ return &keyUsageCriticality{}
+}
+
+func (l *keyUsageCriticality) CheckApplies(c *x509.Certificate) bool {
+ return util.IsSubscriberCert(c) && util.IsSMIMEBRCertificate(c) && util.IsExtInCert(c, util.KeyUsageOID)
+
+}
+
+func (l *keyUsageCriticality) Execute(c *x509.Certificate) *lint.LintResult {
+ kuExt := util.GetExtFromCert(c, util.KeyUsageOID)
+ if !kuExt.Critical {
+ return &lint.LintResult{Status: lint.Warn}
+ }
+
+ return &lint.LintResult{Status: lint.Pass}
+}
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_key_usage_presence.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_key_usage_presence.go
new file mode 100644
index 000000000..994b5ee07
--- /dev/null
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_key_usage_presence.go
@@ -0,0 +1,52 @@
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+package cabf_smime_br
+
+import (
+ "github.com/zmap/zcrypto/x509"
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/util"
+)
+
+func init() {
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_key_usage_presence",
+ Description: "keyUsage (SHALL be present)",
+ Citation: "7.1.2.3.e",
+ Source: lint.CABFSMIMEBaselineRequirements,
+ EffectiveDate: util.CABF_SMIME_BRs_1_0_0_Date,
+ },
+ Lint: NewKeyUsagePresence,
+ })
+}
+
+type keyUsagePresence struct{}
+
+func NewKeyUsagePresence() lint.LintInterface {
+ return &keyUsagePresence{}
+}
+
+func (l *keyUsagePresence) CheckApplies(c *x509.Certificate) bool {
+ return util.IsSubscriberCert(c) && util.IsSMIMEBRCertificate(c)
+}
+
+func (l *keyUsagePresence) Execute(c *x509.Certificate) *lint.LintResult {
+ if util.HasKeyUsageOID(c) {
+ return &lint.LintResult{Status: lint.Pass}
+ }
+
+ return &lint.LintResult{Status: lint.Error}
+}
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_legacy_aia_has_one_http.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_legacy_aia_has_one_http.go
new file mode 100644
index 000000000..8aa198fd2
--- /dev/null
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_legacy_aia_has_one_http.go 
@@ -0,0 +1,90 @@
+package cabf_smime_br
+
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+import (
+ "net/url"
+
+ "github.com/zmap/zcrypto/x509"
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/util"
+)
+
+type smimeLegacyAIAHasOneHTTP struct{}
+
+/************************************************************************
+BRs: 7.1.2.3c
+CA Certificate Authority Information Access
+The authorityInformationAccess extension MAY contain one or more accessMethod
+values for each of the following types:
+
+id-ad-ocsp specifies the URI of the Issuing CA's OCSP responder.
+id-ad-caIssuers specifies the URI of the Issuing CA's Certificate.
+
+For Legacy: When provided, at least one accessMethod SHALL have the URI scheme HTTP. Other schemes (LDAP, FTP, ...) MAY be present.
+*************************************************************************/
+
+func init() {
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_smime_legacy_aia_shall_have_one_http",
+ Description: "SMIME Legacy certificates authorityInformationAccess When provided, at least one accessMethod SHALL have the URI scheme HTTP. Other schemes (LDAP, FTP, ...) 
MAY be present.",
+ Citation: "BRs: 7.1.2.3c",
+ Source: lint.CABFSMIMEBaselineRequirements,
+ EffectiveDate: util.CABF_SMIME_BRs_1_0_0_Date,
+ },
+ Lint: NewSMIMELegacyAIAHasOneHTTP,
+ })
+}
+
+func NewSMIMELegacyAIAHasOneHTTP() lint.LintInterface {
+ return &smimeLegacyAIAHasOneHTTP{}
+}
+
+func (l *smimeLegacyAIAHasOneHTTP) CheckApplies(c *x509.Certificate) bool {
+ return util.IsSubscriberCert(c) && util.IsExtInCert(c, util.AiaOID) && util.IsLegacySMIMECertificate(c)
+}
+
+func (l *smimeLegacyAIAHasOneHTTP) Execute(c *x509.Certificate) *lint.LintResult {
+ atLeastOneHttp := false
+ for _, u := range c.OCSPServer {
+ purl, err := url.Parse(u)
+ if err != nil {
+ return &lint.LintResult{Status: lint.Error}
+ }
+ if purl.Scheme == "http" {
+ atLeastOneHttp = true
+ }
+ }
+ if !atLeastOneHttp && len(c.OCSPServer) != 0 {
+ return &lint.LintResult{Status: lint.Error, Details: "at least one id-ad-ocsp accessMethod MUST have the URI scheme HTTP"}
+ }
+
+ atLeastOneHttp = false
+ for _, u := range c.IssuingCertificateURL {
+ purl, err := url.Parse(u)
+ if err != nil {
+ return &lint.LintResult{Status: lint.Error}
+ }
+ if purl.Scheme == "http" {
+ atLeastOneHttp = true
+ }
+ }
+ if !atLeastOneHttp && len(c.IssuingCertificateURL) != 0 {
+ return &lint.LintResult{Status: lint.Error, Details: "at least one id-ad-caIssuers accessMethod MUST have the URI scheme HTTP"}
+ }
+
+ return &lint.LintResult{Status: lint.Pass}
+}
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_legal_entity_identifier.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_legal_entity_identifier.go
new file mode 100644
index 000000000..0cd6b6bbe
--- /dev/null
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_legal_entity_identifier.go
@@ -0,0 +1,83 @@ +/* + * ZLint Copyright 2024 Regents of the University of Michigan + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may not + * use this file except in compliance with the License. You may obtain a copy + * of the License at http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + * implied. See the License for the specific language governing + * permissions and limitations under the License. + */ + +package cabf_smime_br + +import ( + "github.com/zmap/zcrypto/x509" + "github.com/zmap/zlint/v3/lint" + "github.com/zmap/zlint/v3/util" +) + +func init() { + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_legal_entity_identifier", + Description: "Mailbox/individual: prohibited. Organization/sponsor: may be present", + Citation: "7.1.2.3.l", + Source: lint.CABFSMIMEBaselineRequirements, + EffectiveDate: util.CABF_SMIME_BRs_1_0_0_Date, + }, + Lint: NewLegalEntityIdentifier, + }) +} + +type legalEntityIdentifier struct{} + +func NewLegalEntityIdentifier() lint.LintInterface { + return &legalEntityIdentifier{} +} + +func (l *legalEntityIdentifier) CheckApplies(c *x509.Certificate) bool { + return util.IsSubscriberCert(c) && util.IsSMIMEBRCertificate(c) +} + +func (l *legalEntityIdentifier) Execute(c *x509.Certificate) *lint.LintResult { + leiPresent := util.IsExtInCert(c, util.LegalEntityIdentifierOID) + leiExt := util.GetExtFromCert(c, util.LegalEntityIdentifierOID) + leiRolePresent := util.IsExtInCert(c, util.LegalEntityIdentifierRoleOID) + leiRoleExt := util.GetExtFromCert(c, util.LegalEntityIdentifierRoleOID) + + switch { + case util.IsMailboxValidatedCertificate(c), util.IsIndividualValidatedCertificate(c): + if leiPresent { + // Mailbox-validated and Individual-validated 
prohibited. + return &lint.LintResult{Status: lint.Error, Details: "Legal Entity Identifier extension present"} + } + case util.IsOrganizationValidatedCertificate(c): + if leiPresent && leiExt.Critical { + // LEI (1.3.6.1.4.1.52266.1) MAY be present and SHALL NOT be marked critical. + return &lint.LintResult{Status: lint.Error, Details: "Legal Entity Identifier extension present and critical"} + } + if leiRolePresent { + // This is affirming the negative. Sponsor validated certificates MAY have an LEI Role, so + // it is being taken here that not explicitly as such for organization validated certificates + // implies that they are not allowed. + return &lint.LintResult{Status: lint.Error, Details: "Legal Entity Identifier Role extension present"} + } + case util.IsSponsorValidatedCertificate(c): + if leiPresent && leiExt.Critical { + // LEI (1.3.6.1.4.1.52266.1) MAY be present and SHALL NOT be marked critical. + return &lint.LintResult{Status: lint.Error, Details: "Legal Entity Identifier extension present and critical"} + } + if leiRolePresent && leiRoleExt.Critical { + // LEI Role (1.3.6.1.4.1.52266.2) MAY be present and SHALL NOT be marked critical. + return &lint.LintResult{Status: lint.Error, Details: "Legal Entity Identifier Role extension present and critical"} + } + default: + return &lint.LintResult{Status: lint.Error, Details: "Unknown validation type"} + } + + return &lint.LintResult{Status: lint.Pass} +} diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_qc_statements_not_critical.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_qc_statements_not_critical.go new file mode 100644 index 000000000..da37a90be --- /dev/null +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_qc_statements_not_critical.go 
@@ -0,0 +1,55 @@
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+package cabf_smime_br
+
+import (
+ "github.com/zmap/zcrypto/x509"
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/util"
+)
+
+func init() {
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_smime_qc_statements_must_not_be_critical",
+ Description: "This extension MAY be present and SHALL NOT be marked critical.",
+ Citation: "7.1.2.3.k",
+ Source: lint.CABFSMIMEBaselineRequirements,
+ EffectiveDate: util.CABF_SMIME_BRs_1_0_0_Date,
+ },
+ Lint: NewQCStatementNotCritical,
+ })
+}
+
+type qcStatementNotCritical struct{}
+
+func NewQCStatementNotCritical() lint.LintInterface {
+ return &qcStatementNotCritical{}
+}
+
+func (l *qcStatementNotCritical) CheckApplies(c *x509.Certificate) bool {
+ return util.IsSubscriberCert(c) && util.IsExtInCert(c, util.QcStateOid) && util.IsSMIMEBRCertificate(c)
+}
+
+func (l *qcStatementNotCritical) Execute(c *x509.Certificate) *lint.LintResult {
+ san := util.GetExtFromCert(c, util.QcStateOid)
+ if san.Critical {
+ return &lint.LintResult{
+ Status: lint.Error,
+ Details: "qc statements extension is marked critical",
+ }
+ }
+ return &lint.LintResult{Status: lint.Pass}
+}
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_registration_scheme_id_matches_subject_country.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_registration_scheme_id_matches_subject_country.go
new file mode 100644
index 000000000..b5a2d24d3
--- /dev/null
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_registration_scheme_id_matches_subject_country.go
@@ -0,0 +1,106 @@ +/* + * ZLint Copyright 2024 Regents of the University of Michigan + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may not + * use this file except in compliance with the License. You may obtain a copy + * of the License at http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + * implied. See the License for the specific language governing + * permissions and limitations under the License. + */ + +package cabf_smime_br + +import ( + "fmt" + "regexp" + + "github.com/zmap/zcrypto/x509" + "github.com/zmap/zlint/v3/lint" + "github.com/zmap/zlint/v3/util" +) + +// Regex to match the start of an organization identifier: 3 character registration scheme identifier and 2 character ISO 3166 country code +var countryRegex = regexp.MustCompile(`^([A-Z]{3})([A-Z]{2})`) + +func init() { + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_registration_scheme_id_matches_subject_country", + Description: "The country code used in the Registration Scheme identifier SHALL match that of the subject:countryName in the Certificate as specified in Section 7.1.4.2.2", + Citation: "Appendix A.1", + Source: lint.CABFSMIMEBaselineRequirements, + EffectiveDate: util.CABF_SMIME_BRs_1_0_0_Date, + }, + Lint: NewRegistrationSchemeIDMatchesSubjectCountry, + }) +} + +type registrationSchemeIDMatchesSubjectCountry struct{} + +// NewRegistrationSchemeIDMatchesSubjectCountry creates a new linter to enforce SHALL requirements for registration scheme identifiers matching subject:countryName +func NewRegistrationSchemeIDMatchesSubjectCountry() lint.CertificateLintInterface { + return ®istrationSchemeIDMatchesSubjectCountry{} +} + +// CheckApplies returns true if the provided certificate contains 
subject:countryName 2 characters in length, a partially valid subject.organizationID and an Organization or Sponsor Validated policy OID +func (l *registrationSchemeIDMatchesSubjectCountry) CheckApplies(c *x509.Certificate) bool { + if c.Subject.Country == nil { + return false + } + + if len(c.Subject.Country[0]) != 2 { + return false + } + + orgIDsAreInternational := true + for _, id := range c.Subject.OrganizationIDs { + submatches := countryRegex.FindStringSubmatch(id) + if len(submatches) < 3 { + return false + } + + orgIDsAreInternational = orgIDsAreInternational && (submatches[1] == "INT" || submatches[1] == "LEI") + } + + if orgIDsAreInternational { + return false + } + + return util.IsOrganizationValidatedCertificate(c) || util.IsSponsorValidatedCertificate(c) +} + +// Execute applies the requirements on matching subject:countryName with registration scheme identifiers +func (l *registrationSchemeIDMatchesSubjectCountry) Execute(c *x509.Certificate) *lint.LintResult { + country := c.Subject.Country[0] + + for _, id := range c.Subject.OrganizationIDs { + if err := verifySMIMEOrganizationIdentifierContainsSubjectNameCountry(id, country); err != nil { + return &lint.LintResult{Status: lint.Error, Details: err.Error()} + } + } + return &lint.LintResult{Status: lint.Pass} +} + +// verifySMIMEOrganizationIdentifierContainSubjectNameCountry verifies that the country code used in the subject:organizationIdentifier matches subject:countryName +func verifySMIMEOrganizationIdentifierContainsSubjectNameCountry(id string, country string) error { + submatches := countryRegex.FindStringSubmatch(id) + + if submatches[1] == "INT" || submatches[1] == "LEI" { + return nil + } + + // Captures the country code from the organization identifier + // Note that this raw indexing into the second position is only safe + // due to a length check done in CheckApplies + identifierCountry := submatches[2] + + if identifierCountry != country { + return fmt.Errorf("the country code used in 
the Registration Scheme identifier SHALL match that of the subject:countryName") + } + + return nil +} diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_rsa_key_usage_legacy_multipurpose.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_rsa_key_usage_legacy_multipurpose.go new file mode 100644 index 000000000..eb318106a --- /dev/null +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_rsa_key_usage_legacy_multipurpose.go 
@@ -0,0 +1,92 @@ +/* + * ZLint Copyright 2024 Regents of the University of Michigan + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may not + * use this file except in compliance with the License. You may obtain a copy + * of the License at http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + * implied. See the License for the specific language governing + * permissions and limitations under the License. + */ + +package cabf_smime_br + +import ( + "crypto/rsa" + + "github.com/zmap/zcrypto/x509" + "github.com/zmap/zlint/v3/lint" + "github.com/zmap/zlint/v3/util" +) + +func init() { + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_rsa_key_usage_legacy_multipurpose", + Description: "For signing only, bit positions SHALL be set for digitalSignature and MAY be set for nonRepudiation. For key management only, bit positions SHALL be set for keyEncipherment and MAY be set for dataEncipherment. 
For dual use, bit positions SHALL be set for digitalSignature and keyEncipherment and MAY be set for nonRepudiation and dataEncipherment.", + Citation: "7.1.2.3.e", + Source: lint.CABFSMIMEBaselineRequirements, + EffectiveDate: util.CABF_SMIME_BRs_1_0_0_Date, + }, + Lint: NewRSAKeyUsageLegacyMultipurpose, + }) +} + +type rsaKeyUsageLegacyMultipurpose struct{} + +func NewRSAKeyUsageLegacyMultipurpose() lint.LintInterface { + return &rsaKeyUsageLegacyMultipurpose{} +} + +func (l *rsaKeyUsageLegacyMultipurpose) CheckApplies(c *x509.Certificate) bool { + if !(util.IsSubscriberCert(c) && (util.IsLegacySMIMECertificate(c) || util.IsMultipurposeSMIMECertificate(c)) && util.IsExtInCert(c, util.KeyUsageOID)) { + return false + } + + _, ok := c.PublicKey.(*rsa.PublicKey) + return ok && c.PublicKeyAlgorithm == x509.RSA +} + +func (l *rsaKeyUsageLegacyMultipurpose) Execute(c *x509.Certificate) *lint.LintResult { + const ( + signing = iota + 1 + keyManagement + dualUsage + ) + + certType := 0 + if util.HasKeyUsage(c, x509.KeyUsageDigitalSignature) { + certType |= signing + } + if util.HasKeyUsage(c, x509.KeyUsageKeyEncipherment) { + certType |= keyManagement + } + + switch certType { + case signing: + mask := 0x1FF ^ (x509.KeyUsageDigitalSignature | x509.KeyUsageContentCommitment) + if c.KeyUsage&mask != 0 { + return &lint.LintResult{Status: lint.Error} + } + + case keyManagement: + mask := 0x1FF ^ (x509.KeyUsageKeyEncipherment | x509.KeyUsageDataEncipherment) + if c.KeyUsage&mask != 0 { + return &lint.LintResult{Status: lint.Error} + } + + case dualUsage: + mask := 0x1FF ^ (x509.KeyUsageDigitalSignature | x509.KeyUsageContentCommitment | x509.KeyUsageKeyEncipherment | x509.KeyUsageDataEncipherment) + if c.KeyUsage&mask != 0 { + return &lint.LintResult{Status: lint.Error} + } + + default: + return &lint.LintResult{Status: lint.NA} + } + + return &lint.LintResult{Status: lint.Pass} +} 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_rsa_key_usage_strict.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_rsa_key_usage_strict.go
new file mode 100644
index 000000000..b61de15ee
--- /dev/null
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_rsa_key_usage_strict.go
@@ -0,0 +1,92 @@ +/* + * ZLint Copyright 2024 Regents of the University of Michigan + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may not + * use this file except in compliance with the License. You may obtain a copy + * of the License at http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + * implied. See the License for the specific language governing + * permissions and limitations under the License. + */ + +package cabf_smime_br + +import ( + "crypto/rsa" + + "github.com/zmap/zcrypto/x509" + "github.com/zmap/zlint/v3/lint" + "github.com/zmap/zlint/v3/util" +) + +func init() { + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_rsa_key_usage_strict", + Description: "For signing only, bit positions SHALL be set for digitalSignature and MAY be set for nonRepudiation. For key management only, bit positions SHALL be set for keyEncipherment. 
For dual use, bit positions SHALL be set for digitalSignature and keyEncipherment and MAY be set for nonRepudiation.", + Citation: "7.1.2.3.e", + Source: lint.CABFSMIMEBaselineRequirements, + EffectiveDate: util.CABF_SMIME_BRs_1_0_0_Date, + }, + Lint: NewRSAKeyUsageStrict, + }) +} + +type rsaKeyUsageStrict struct{} + +func NewRSAKeyUsageStrict() lint.LintInterface { + return &rsaKeyUsageStrict{} +} + +func (l *rsaKeyUsageStrict) CheckApplies(c *x509.Certificate) bool { + if !(util.IsSubscriberCert(c) && util.IsStrictSMIMECertificate(c) && util.IsExtInCert(c, util.KeyUsageOID)) { + return false + } + + _, ok := c.PublicKey.(*rsa.PublicKey) + return ok && c.PublicKeyAlgorithm == x509.RSA +} + +func (l *rsaKeyUsageStrict) Execute(c *x509.Certificate) *lint.LintResult { + const ( + signing = iota + 1 + keyManagement + dualUsage + ) + + certType := 0 + if util.HasKeyUsage(c, x509.KeyUsageDigitalSignature) { + certType |= signing + } + if util.HasKeyUsage(c, x509.KeyUsageKeyEncipherment) { + certType |= keyManagement + } + + switch certType { + case signing: + mask := 0x1FF ^ (x509.KeyUsageDigitalSignature | x509.KeyUsageContentCommitment) + if c.KeyUsage&mask != 0 { + return &lint.LintResult{Status: lint.Error} + } + + case keyManagement: + mask := 0x1FF ^ (x509.KeyUsageKeyEncipherment) + if c.KeyUsage&mask != 0 { + return &lint.LintResult{Status: lint.Error} + } + + case dualUsage: + mask := 0x1FF ^ (x509.KeyUsageDigitalSignature | x509.KeyUsageContentCommitment | x509.KeyUsageKeyEncipherment) + if c.KeyUsage&mask != 0 { + return &lint.LintResult{Status: lint.Error} + } + + default: + return &lint.LintResult{Status: lint.NA} + } + + return &lint.LintResult{Status: lint.Pass} +} diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_rsa_other_key_usages.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_rsa_other_key_usages.go new file mode 100644 index 000000000..b16d86780 --- /dev/null 
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_rsa_other_key_usages.go 
@@ -0,0 +1,63 @@
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+package cabf_smime_br
+
+import (
+ "crypto/rsa"
+
+ "github.com/zmap/zcrypto/x509"
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/util"
+)
+
+func init() {
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_rsa_other_key_usages",
+ Description: "Other bit positions SHALL NOT be set.",
+ Citation: "7.1.2.3.e",
+ Source: lint.CABFSMIMEBaselineRequirements,
+ EffectiveDate: util.CABF_SMIME_BRs_1_0_0_Date,
+ },
+ Lint: NewRSAOtherKeyUsages,
+ })
+}
+
+type rsaOtherKeyUsages struct{}
+
+func NewRSAOtherKeyUsages() lint.LintInterface {
+ return &rsaOtherKeyUsages{}
+}
+
+func (l *rsaOtherKeyUsages) CheckApplies(c *x509.Certificate) bool {
+ if !(util.IsSubscriberCert(c) && util.IsSMIMEBRCertificate(c) && util.IsExtInCert(c, util.KeyUsageOID)) {
+ return false
+ }
+
+ _, ok := c.PublicKey.(*rsa.PublicKey)
+ return ok && c.PublicKeyAlgorithm == x509.RSA
+}
+
+func (l *rsaOtherKeyUsages) Execute(c *x509.Certificate) *lint.LintResult {
+ if !(util.HasKeyUsage(c, x509.KeyUsageDigitalSignature) || util.HasKeyUsage(c, x509.KeyUsageKeyEncipherment)) {
+ if c.KeyUsage != 0 {
+ return &lint.LintResult{Status: lint.Error}
+ }
+
+ return &lint.LintResult{Status: lint.NA}
+ }
+
+ return &lint.LintResult{Status: lint.Pass}
+}
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_san_shall_be_present.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_san_shall_be_present.go
new file mode 100644
index 000000000..60b2d5e3d
--- /dev/null
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_san_shall_be_present.go
@@ -0,0 +1,55 @@
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+package cabf_smime_br
+
+import (
+ "github.com/zmap/zcrypto/x509"
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/util"
+)
+
+func init() {
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_san_shall_be_present",
+ Description: "Subject alternative name SHALL be present",
+ Citation: "7.1.2.3.h",
+ Source: lint.CABFSMIMEBaselineRequirements,
+ EffectiveDate: util.CABF_SMIME_BRs_1_0_0_Date,
+ },
+ Lint: NewSubjectAlternativeNameShallBePresent,
+ })
+}
+
+type subjectAlternativeNameShallBePresent struct{}
+
+func NewSubjectAlternativeNameShallBePresent() lint.LintInterface {
+ return &subjectAlternativeNameShallBePresent{}
+}
+
+func (l *subjectAlternativeNameShallBePresent) CheckApplies(c *x509.Certificate) bool {
+ return util.IsSubscriberCert(c) && util.IsSMIMEBRCertificate(c)
+}
+
+func (l *subjectAlternativeNameShallBePresent) Execute(c *x509.Certificate) *lint.LintResult {
+ if !util.IsExtInCert(c, util.SubjectAlternateNameOID) {
+ return &lint.LintResult{
+ Status: lint.Error,
+ Details: "SMIME certificate does not have a subject alternative name extension",
+ }
+ } else {
+ return &lint.LintResult{Status: lint.Pass}
+ }
+}
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_san_should_not_be_critical.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_san_should_not_be_critical.go
new file mode 100644
index 000000000..a963d2675
--- /dev/null
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_san_should_not_be_critical.go
@@ -0,0 +1,66 @@
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+package cabf_smime_br
+
+import (
+ "reflect"
+
+ "github.com/zmap/zcrypto/x509"
+ "github.com/zmap/zcrypto/x509/pkix"
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/util"
+)
+
+func init() {
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "w_san_should_not_be_critical",
+ Description: "subjectAlternativeName SHOULD NOT be marked critical unless the subject field is an empty sequence.",
+ Citation: "7.1.2.3.h",
+ Source: lint.CABFSMIMEBaselineRequirements,
+ EffectiveDate: util.CABF_SMIME_BRs_1_0_0_Date,
+ },
+ Lint: NewSubjectAlternativeNameNotCritical,
+ })
+}
+
+type SubjectAlternativeNameNotCritical struct{}
+
+func NewSubjectAlternativeNameNotCritical() lint.LintInterface {
+ return &SubjectAlternativeNameNotCritical{}
+}
+
+func (l *SubjectAlternativeNameNotCritical) CheckApplies(c *x509.Certificate) bool {
+ return util.IsSubscriberCert(c) && util.IsExtInCert(c, util.SubjectAlternateNameOID) && util.IsSMIMEBRCertificate(c)
+}
+
+func (l *SubjectAlternativeNameNotCritical) Execute(c *x509.Certificate) *lint.LintResult {
+ san := util.GetExtFromCert(c, util.SubjectAlternateNameOID)
+ isCritical := san.Critical
+ emptySubject := reflect.DeepEqual(c.Subject, pkix.Name{OriginalRDNS: pkix.RDNSequence{}})
+ if isCritical && emptySubject {
+ // "...unless the subject field is an empty sequence"
+ return &lint.LintResult{Status: lint.Pass}
+ } else if isCritical && !emptySubject {
+ // Critical, but there's a non-empty SAN.
+ return &lint.LintResult{
+ Status: lint.Warn,
+ Details: "subject is not empty, but subjectAlternativeName is marked critical",
+ }
+ } else {
+ // Not critical, not empty SAN.
+ return &lint.LintResult{Status: lint.Pass}
+ }
+}
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_single_email_if_present.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_single_email_if_present.go
new file mode 100644
index 000000000..d9731d559
--- /dev/null
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_single_email_if_present.go
@@ -0,0 +1,77 @@ +/* + * ZLint Copyright 2024 Regents of the University of Michigan + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may not + * use this file except in compliance with the License. You may obtain a copy + * of the License at http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + * implied. See the License for the specific language governing + * permissions and limitations under the License. + */ + +package cabf_smime_br + +import ( + "fmt" + "net/mail" + + "github.com/zmap/zcrypto/x509" + "github.com/zmap/zlint/v3/lint" + "github.com/zmap/zlint/v3/util" +) + +/************************************************************************* +7.1.4.2.1 Subject alternative name extension + +All Mailbox Addresses in the subject field or entries of type dirName of this extension SHALL be +repeated as rfc822Name or otherName values of type id-on-SmtpUTF8Mailbox in this +extension. + +7.1.4.2.2 Subject distinguished name fields + +h. Certificate Field: subject:emailAddress (1.2.840.113549.1.9.1) Contents: If present, the +subject:emailAddress SHALL contain a single Mailbox Address as verified under +Section 3.2.2. + +Combining these requirements, this lint checks for malformed email addresses in SAN entries +covering the case of a non-single Mailbox Address. +*************************************************************************/ + +func init() { + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_single_email_if_present", + Description: "If present, the subject:emailAddress SHALL contain a single Mailbox Address. 
All Mailbox Addresses in the subject field SHALL be repeated as rfc822Name or otherName values of type id-on-SmtpUTF8Mailbox in SAN extension.", + Citation: "7.1.4.2.1 and 7.1.4.2.2.h", + Source: lint.CABFSMIMEBaselineRequirements, + EffectiveDate: util.CABF_SMIME_BRs_1_0_0_Date, + }, + Lint: NewSingleEmailIfPresent, + }) +} + +type singleEmailIfPresent struct{} + +func NewSingleEmailIfPresent() lint.LintInterface { + return &singleEmailIfPresent{} +} + +func (l *singleEmailIfPresent) CheckApplies(c *x509.Certificate) bool { + addresses := c.EmailAddresses + return util.IsSubscriberCert(c) && addresses != nil && len(addresses) != 0 && util.IsSMIMEBRCertificate(c) +} + +func (l *singleEmailIfPresent) Execute(c *x509.Certificate) *lint.LintResult { + for _, email := range c.EmailAddresses { + if _, err := mail.ParseAddress(email); err != nil { + return &lint.LintResult{ + Status: lint.Error, + Details: fmt.Sprintf("san:emailAddress was present and contained an invalid email address (%s)", email), + } + } + } + return &lint.LintResult{Status: lint.Pass} +} diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_single_email_subject_if_present.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_single_email_subject_if_present.go new file mode 100644 index 000000000..1958a95d5 --- /dev/null +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_single_email_subject_if_present.go 
@@ -0,0 +1,60 @@ +/* + * ZLint Copyright 2024 Regents of the University of Michigan + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may not + * use this file except in compliance with the License. You may obtain a copy + * of the License at http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + * implied. See the License for the specific language governing + * permissions and limitations under the License. + */ + +package cabf_smime_br + +import ( + "fmt" + "net/mail" + + "github.com/zmap/zcrypto/x509" + "github.com/zmap/zlint/v3/lint" + "github.com/zmap/zlint/v3/util" +) + +func init() { + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_single_email_subject_if_present", + Description: "If present, the subject:emailAddress SHALL contain a single Mailbox Address", + Citation: "7.1.4.2.2.h", + Source: lint.CABFSMIMEBaselineRequirements, + EffectiveDate: util.CABF_SMIME_BRs_1_0_0_Date, + }, + Lint: NewSingleEmailSubjectIfPresent, + }) +} + +type singleEmailSubjectIfPresent struct{} + +func NewSingleEmailSubjectIfPresent() lint.LintInterface { + return &singleEmailSubjectIfPresent{} +} + +func (l *singleEmailSubjectIfPresent) CheckApplies(c *x509.Certificate) bool { + emailAddress := c.Subject.EmailAddress + return util.IsSubscriberCert(c) && emailAddress != nil && len(emailAddress) != 0 && util.IsSMIMEBRCertificate(c) +} + +func (l *singleEmailSubjectIfPresent) Execute(c *x509.Certificate) *lint.LintResult { + for _, email := range c.Subject.EmailAddress { + if _, err := mail.ParseAddress(email); err != nil { + return &lint.LintResult{ + Status: lint.Error, + Details: fmt.Sprintf("subject:emailAddress was present and contained an invalid email address (%s)", email), + } + } + } + return 
&lint.LintResult{Status: lint.Pass} +} diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_strict_aia_has_http_only.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_strict_aia_has_http_only.go new file mode 100644 index 000000000..61bd8666a --- /dev/null +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_strict_aia_has_http_only.go 
@@ -0,0 +1,80 @@ +package cabf_smime_br + +/* + * ZLint Copyright 2024 Regents of the University of Michigan + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may not + * use this file except in compliance with the License. You may obtain a copy + * of the License at http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + * implied. See the License for the specific language governing + * permissions and limitations under the License. + */ + +import ( + "net/url" + + "github.com/zmap/zcrypto/x509" + "github.com/zmap/zlint/v3/lint" + "github.com/zmap/zlint/v3/util" +) + +type smimeStrictAIAHasHTTPOnly struct{} + +/************************************************************************ +BRs: 7.1.2.3c +CA Certificate Authority Information Access +The authorityInformationAccess extension MAY contain one or more accessMethod +values for each of the following types: + +id-ad-ocsp specifies the URI of the Issuing CA's OCSP responder. +id-ad-caIssuers specifies the URI of the Issuing CA's Certificate. + +For Strict and Multipurpose: When provided, every accessMethod SHALL have the URI scheme HTTP. Other schemes SHALL NOT be present. +*************************************************************************/ + +func init() { + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_smime_strict_aia_shall_have_http_only", + Description: "SMIME Strict certificates authorityInformationAccess. When provided, every accessMethod SHALL have the URI scheme HTTP. 
Other schemes SHALL NOT be present.", + Citation: "BRs: 7.1.2.3c", + Source: lint.CABFSMIMEBaselineRequirements, + EffectiveDate: util.CABF_SMIME_BRs_1_0_0_Date, + }, + Lint: NewSMIMEStrictAIAHasHTTPOnly, + }) +} + +func NewSMIMEStrictAIAHasHTTPOnly() lint.LintInterface { + return &smimeStrictAIAHasHTTPOnly{} +} + +func (l *smimeStrictAIAHasHTTPOnly) CheckApplies(c *x509.Certificate) bool { + return util.IsExtInCert(c, util.AiaOID) && util.IsSubscriberCert(c) && (util.IsStrictSMIMECertificate(c) || util.IsMultipurposeSMIMECertificate(c)) +} + +func (l *smimeStrictAIAHasHTTPOnly) Execute(c *x509.Certificate) *lint.LintResult { + for _, u := range c.OCSPServer { + purl, err := url.Parse(u) + if err != nil { + return &lint.LintResult{Status: lint.Error} + } + if purl.Scheme != "http" { + return &lint.LintResult{Status: lint.Error} + } + } + for _, u := range c.IssuingCertificateURL { + purl, err := url.Parse(u) + if err != nil { + return &lint.LintResult{Status: lint.Error} + } + if purl.Scheme != "http" { + return &lint.LintResult{Status: lint.Error} + } + } + return &lint.LintResult{Status: lint.Pass} +} diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_subject_country_name.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_subject_country_name.go new file mode 100644 index 000000000..07a7dfd02 --- /dev/null +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_subject_country_name.go 
@@ -0,0 +1,55 @@
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+package cabf_smime_br
+
+import (
+ "strings"
+
+ "github.com/zmap/zcrypto/x509"
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/util"
+)
+
+func init() {
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_subject_country_name",
+ Description: "If present, the subject:countryName SHALL contain the two‐letter ISO 3166‐1 country code associated with the location of the Subject",
+ Citation: "S/MIME BRs: 7.1.4.2.2n",
+ Source: lint.CABFSMIMEBaselineRequirements,
+ EffectiveDate: util.CABF_SMIME_BRs_1_0_0_Date,
+ },
+ Lint: NewSubjectCountryName,
+ })
+}
+
+type subjectCountryName struct{}
+
+func NewSubjectCountryName() lint.LintInterface {
+ return &subjectCountryName{}
+}
+
+func (l *subjectCountryName) CheckApplies(c *x509.Certificate) bool {
+ return util.IsMailboxValidatedCertificate(c)
+}
+
+func (l *subjectCountryName) Execute(c *x509.Certificate) *lint.LintResult {
+ for _, cc := range c.Subject.Country {
+ if !util.IsISOCountryCode(cc) && strings.ToUpper(cc) != "XX" {
+ return &lint.LintResult{Status: lint.Error}
+ }
+ }
+ return &lint.LintResult{Status: lint.Pass}
+}
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_subject_dir_attr.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_subject_dir_attr.go
new file mode 100644
index 000000000..13215469b
--- /dev/null
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_subject_dir_attr.go
@@ -0,0 +1,52 @@
+package cabf_smime_br
+
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+import (
+ "github.com/zmap/zcrypto/x509"
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/util"
+)
+
+type subDirAttr struct{}
+
+func init() {
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_strict_multipurpose_smime_ext_subject_directory_attr",
+ Description: "SMIME Strict and Multipurpose certificates cannot have Subject Directory Attributes",
+ Citation: "BRs: 7.1.2.3j",
+ Source: lint.CABFSMIMEBaselineRequirements,
+ EffectiveDate: util.CABF_SMIME_BRs_1_0_0_Date,
+ },
+ Lint: NewSubDirAttr,
+ })
+}
+
+func NewSubDirAttr() lint.LintInterface {
+ return &subDirAttr{}
+}
+
+func (l *subDirAttr) CheckApplies(c *x509.Certificate) bool {
+ return util.IsSubscriberCert(c) && (util.IsStrictSMIMECertificate(c) || util.IsMultipurposeSMIMECertificate(c))
+}
+
+func (l *subDirAttr) Execute(c *x509.Certificate) *lint.LintResult {
+ if util.IsExtInCert(c, util.SubjectDirAttrOID) {
+ return &lint.LintResult{Status: lint.Error}
+ } else {
+ return &lint.LintResult{Status: lint.Pass}
+ }
+}
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_subscribers_crl_distribution_points_are_http.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_subscribers_crl_distribution_points_are_http.go
new file mode 100644
index 000000000..3333e36ba
--- /dev/null
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_subscribers_crl_distribution_points_are_http.go
@@ -0,0 +1,77 @@
+/*
+ * ZLint Copyright 2023 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+package cabf_smime_br
+
+import (
+ "net/url"
+
+ "github.com/zmap/zcrypto/x509"
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/util"
+)
+
+func init() {
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_subscribers_crl_distribution_points_are_http",
+ Description: "cRLDistributionPoints SHALL have URI scheme HTTP.",
+ Citation: "7.1.2.3.b",
+ Source: lint.CABFSMIMEBaselineRequirements,
+ EffectiveDate: util.CABF_SMIME_BRs_1_0_0_Date,
+ },
+ Lint: NewSubscriberCrlDistributionPointsHTTP,
+ })
+}
+
+type subscriberCrlDistributionPointsHTTP struct{}
+
+func NewSubscriberCrlDistributionPointsHTTP() lint.LintInterface {
+ return &subscriberCrlDistributionPointsHTTP{}
+}
+
+func (l *subscriberCrlDistributionPointsHTTP) CheckApplies(c *x509.Certificate) bool {
+ return util.IsSubscriberCert(c) && util.IsSMIMEBRCertificate(c)
+}
+
+func (l *subscriberCrlDistributionPointsHTTP) Execute(c *x509.Certificate) *lint.LintResult {
+ httpCount := 0
+ for _, dp := range c.CRLDistributionPoints {
+ parsed, err := url.Parse(dp)
+ if err != nil {
+ return &lint.LintResult{
+ Status: lint.Error,
+ Details: "SMIME certificate contains invalid CRL distribution point",
+ }
+ }
+ if parsed.Scheme == "http" {
+ httpCount++
+ }
+ }
+
+ if (util.IsMultipurposeSMIMECertificate(c) || util.IsStrictSMIMECertificate(c)) && httpCount != len(c.CRLDistributionPoints) {
+ return &lint.LintResult{
+ Status: lint.Error,
+ Details: "SMIME certificate contains invalid URI scheme in CRL distribution point",
+ }
+ }
+ if util.IsLegacySMIMECertificate(c) && httpCount == 0 {
+ return &lint.LintResult{
+ Status: lint.Error,
+ Details: "SMIME certificate contains no HTTP URI schemes as CRL distribution points",
+ }
+ }
+
+ return &lint.LintResult{Status: lint.Pass}
+}
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_subscribers_shall_have_crl_distribution_points.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_subscribers_shall_have_crl_distribution_points.go
new file mode 100644
index 000000000..2fe604360
--- /dev/null
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_subscribers_shall_have_crl_distribution_points.go
@@ -0,0 +1,55 @@
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+package cabf_smime_br
+
+import (
+ "github.com/zmap/zcrypto/x509"
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/util"
+)
+
+func init() {
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_subscribers_shall_have_crl_distribution_points",
+ Description: "cRLDistributionPoints SHALL be present.",
+ Citation: "7.1.2.3.b",
+ Source: lint.CABFSMIMEBaselineRequirements,
+ EffectiveDate: util.CABF_SMIME_BRs_1_0_0_Date,
+ },
+ Lint: NewSubscriberCrlDistributionPoints,
+ })
+}
+
+type SubscriberCrlDistributionPoints struct{}
+
+func NewSubscriberCrlDistributionPoints() lint.LintInterface {
+ return &SubscriberCrlDistributionPoints{}
+}
+
+func (l *SubscriberCrlDistributionPoints) CheckApplies(c *x509.Certificate) bool {
+ return util.IsSubscriberCert(c) && util.IsSMIMEBRCertificate(c)
+}
+
+func (l *SubscriberCrlDistributionPoints) Execute(c *x509.Certificate) *lint.LintResult {
+ if len(c.CRLDistributionPoints) == 0 {
+ return &lint.LintResult{
+ Status: lint.Error,
+ Details: "SMIME certificate contains zero CRL distribution points",
+ }
+ } else {
+ return &lint.LintResult{Status: lint.Pass}
+ }
+}
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/mailbox_address_from_san.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/mailbox_address_from_san.go
new file mode 100644
index 000000000..139b051d6
--- /dev/null
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/mailbox_address_from_san.go
@@ -0,0 +1,124 @@
+package cabf_smime_br
+
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+import (
+ "github.com/zmap/zcrypto/encoding/asn1"
+ "github.com/zmap/zcrypto/x509"
+ "github.com/zmap/zcrypto/x509/pkix"
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/util"
+)
+
+// MailboxAddressFromSAN - linter to enforce MAY/SHALL NOT requirements for SMIME certificates
+type MailboxAddressFromSAN struct {
+}
+
+func init() {
+ lint.RegisterLint(&lint.Lint{
+ Name: "e_mailbox_address_shall_contain_an_rfc822_name",
+ Description: "All Mailbox Addresses in the subject field or entries of type dirName of this extension SHALL be repeated as rfc822Name or otherName values of type id-on-SmtpUTF8Mailbox in this extension",
+ Citation: "SMIME BRs: 7.1.4.2.1",
+ Source: lint.CABFSMIMEBaselineRequirements,
+ EffectiveDate: util.CABF_SMIME_BRs_1_0_0_Date,
+ Lint: NewMailboxAddressFromSAN,
+ })
+}
+
+// NewMailboxAddressFromSAN creates a new linter to enforce the requirement that all Mailbox Addresses in SMIME BR certificates must be copied from the SAN
+func NewMailboxAddressFromSAN() lint.LintInterface {
+ return &MailboxAddressFromSAN{}
+}
+
+// CheckApplies is returns true if the certificate's policies assert that it conforms to the SMIME BRs
+func (l *MailboxAddressFromSAN) CheckApplies(c *x509.Certificate) bool {
+
+ if !(util.IsSMIMEBRCertificate(c) && util.IsSubscriberCert(c)) {
+ return false
+ }
+
+ toFindMailboxAddresses := getMailboxAddressesFromDistinguishedName(c.Subject, util.IsMailboxValidatedCertificate(c))
+
+ for _, dirName := range c.DirectoryNames {
+ toFindMailboxAddresses = append(toFindMailboxAddresses, getMailboxAddressesFromDistinguishedName(dirName, false)...)
+ }
+
+ return len(toFindMailboxAddresses) > 0
+
+}
+
+// Execute checks all the places where Mailbox Addresses may be found in an SMIME certificate and confirms that they are present in the SAN rfc822Name or SAN otherName
+func (l *MailboxAddressFromSAN) Execute(c *x509.Certificate) *lint.LintResult {
+ lintErr := &lint.LintResult{
+ Status: lint.Error,
+ Details: "all certificate mailbox addresses must be present in san:emailAddresses or san:otherNames in addition to any other field they may appear",
+ }
+
+ // build list of Mailbox addresses from subject:commonName, subject:emailAddress, dirName
+
+ toFindMailboxAddresses := getMailboxAddressesFromDistinguishedName(c.Subject, util.IsMailboxValidatedCertificate(c))
+
+ for _, dirName := range c.DirectoryNames {
+ toFindMailboxAddresses = append(toFindMailboxAddresses, getMailboxAddressesFromDistinguishedName(dirName, false)...)
+ }
+
+ sanNames := map[string]bool{}
+ for _, rfc822Name := range c.EmailAddresses {
+ sanNames[rfc822Name] = true
+ }
+
+ for _, otherName := range c.OtherNames {
+ if otherName.TypeID.Equal(util.OidIdOnSmtpUtf8Mailbox) {
+ // The otherName needs to be specially unmarshalled since it is
+ // stored as a UTF-8 string rather than what the asn1 package
+ // describes as a PrintableString.
+ var otherNameValue string
+ rest, err := asn1.UnmarshalWithParams(otherName.Value.Bytes, &otherNameValue, "utf8")
+ if len(rest) > 0 || err != nil {
+ return lintErr
+ }
+
+ sanNames[otherNameValue] = true
+ }
+ }
+
+ for _, mailboxAddress := range toFindMailboxAddresses {
+ if _, found := sanNames[mailboxAddress]; !found {
+ return lintErr
+ }
+ }
+
+ return &lint.LintResult{Status: lint.Pass}
+}
+
+func getMailboxAddressesFromDistinguishedName(name pkix.Name, includeCN bool) []string {
+ mailboxAddresses := []string{}
+
+ if includeCN {
+ for _, commonName := range name.CommonNames {
+ if util.IsMailboxAddress(commonName) {
+ mailboxAddresses = append(mailboxAddresses, commonName)
+ }
+ }
+ }
+
+ for _, emailAddress := range name.EmailAddress {
+ if util.IsMailboxAddress(emailAddress) {
+ mailboxAddresses = append(mailboxAddresses, emailAddress)
+ }
+ }
+
+ return mailboxAddresses
+}
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/mailbox_validated_enforce_subject_field_restrictions.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/mailbox_validated_enforce_subject_field_restrictions.go
new file mode 100644
index 000000000..64ce52bd7
--- /dev/null
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/mailbox_validated_enforce_subject_field_restrictions.go
@@ -0,0 +1,100 @@
+package cabf_smime_br
+
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+import (
+ "fmt"
+
+ "github.com/zmap/zcrypto/x509"
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/util"
+)
+
+// mailboxValidatedEnforceSubjectFieldRestrictions - linter to enforce MAY/SHALL NOT requirements for mailbox validated SMIME certificates
+type mailboxValidatedEnforceSubjectFieldRestrictions struct {
+ forbiddenSubjectFields map[string]string
+ allowedSubjectFields map[string]string
+}
+
+func init() {
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_mailbox_validated_enforce_subject_field_restrictions",
+ Description: "SMIME certificates complying to mailbox validated profiles MAY only contain commonName, serialNumber or emailAddress attributes in the Subject DN",
+ Citation: "SMIME BRs: 7.1.4.2.3",
+ Source: lint.CABFSMIMEBaselineRequirements,
+ EffectiveDate: util.CABF_SMIME_BRs_1_0_0_Date,
+ },
+ Lint: func() lint.CertificateLintInterface {
+ return NewMailboxValidatedEnforceSubjectFieldRestrictions()
+ },
+ })
+}
+
+// NewMailboxValidatedEnforceSubjectFieldRestrictions creates a new linter to enforce MAY/SHALL NOT field requirements for mailbox validated SMIME certs
+func NewMailboxValidatedEnforceSubjectFieldRestrictions() lint.LintInterface {
+ return &mailboxValidatedEnforceSubjectFieldRestrictions{
+ forbiddenSubjectFields: map[string]string{
+ "0.9.2342.19200300.100.1.25": "subject:domainComponent",
+ "1.3.6.1.4.1.311.60.2.1.1": "subject:jurisdictionLocality",
+ "1.3.6.1.4.1.311.60.2.1.2": "subject:jurisdictionProvince",
+ "1.3.6.1.4.1.311.60.2.1.3": "subject:jurisdictionCountry",
+ "2.5.4.4": "subject:surname",
+ "2.5.4.6": "subject:countryName",
+ "2.5.4.7": "subject:localityName",
+ "2.5.4.8": "subject:stateOrProvinceName",
+ "2.5.4.9": "subject:streetAddress",
+ "2.5.4.10": "subject:organizationName",
+ "2.5.4.11": "subject:organizationalUnitName",
+ "2.5.4.12": "subject:title",
+ "2.5.4.17": "subject:postalCode",
+ "2.5.4.42": "subject:givenName",
+ "2.5.4.65": "subject:pseudonym",
+ "2.5.4.97": "subject:organizationIdentifier",
+ },
+ allowedSubjectFields: map[string]string{
+ "1.2.840.113549.1.9.1": "subject:emailAddress",
+ "2.5.4.3": "subject:commonName",
+ "2.5.4.5": "subject:serialNumber",
+ },
+ }
+}
+
+// CheckApplies returns true if the provided certificate is a subscriber certificate and contains one-or-more of the following
+// SMIME BR policy identifiers:
+// - Mailbox Validated Legacy
+// - Mailbox Validated Multipurpose
+// - Mailbox Validated Strict
+func (l *mailboxValidatedEnforceSubjectFieldRestrictions) CheckApplies(c *x509.Certificate) bool {
+ return util.IsMailboxValidatedCertificate(c) && util.IsSubscriberCert(c)
+}
+
+// Execute applies the requirements on what fields are allowed for mailbox validated SMIME certificates
+func (l *mailboxValidatedEnforceSubjectFieldRestrictions) Execute(c *x509.Certificate) *lint.LintResult {
+ for _, rdnSeq := range c.Subject.OriginalRDNS {
+ for _, field := range rdnSeq {
+ oidStr := field.Type.String()
+
+ if _, ok := l.allowedSubjectFields[oidStr]; !ok {
+ if fieldName, knownField := l.forbiddenSubjectFields[oidStr]; knownField {
+ return &lint.LintResult{Status: lint.Error, Details: fmt.Sprintf("subject DN contains forbidden field: %s (%s)", fieldName, oidStr)}
+ }
+ return &lint.LintResult{Status: lint.Error, Details: fmt.Sprintf("subject DN contains forbidden field: %s", oidStr)}
+ }
+ }
+ }
+
+ return &lint.LintResult{Status: lint.Pass}
+}
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/smime_legacy_multipurpose_eku_check.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/smime_legacy_multipurpose_eku_check.go
new file mode 100644
index 000000000..8f3ac35e1
--- /dev/null
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/smime_legacy_multipurpose_eku_check.go
@@ -0,0 +1,80 @@
+package cabf_smime_br
+
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+import (
+ "github.com/zmap/zcrypto/x509"
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/util"
+)
+
+// legacyMultipurposeEKUCheck - linter to enforce requirement that SMIME certificates SHALL contain emailProtecton EKU
+type legacyMultipurposeEKUCheck struct {
+}
+
+func init() {
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_smime_legacy_multipurpose_eku_check",
+ Description: "Strict/Multipurpose and Legacy: id-kp-emailProtection SHALL be present. Other values MAY be present. The values id-kp-serverAuth, id-kp-codeSigning, id-kp-timeStamping, and anyExtendedKeyUsage values SHALL NOT be present.",
+ Citation: "SMIME BRs: 7.1.2.3.f",
+ Source: lint.CABFSMIMEBaselineRequirements,
+ EffectiveDate: util.CABF_SMIME_BRs_1_0_0_Date,
+ },
+ Lint: NewLegacyMultipurposeEKUCheck,
+ })
+}
+
+// NewLegacyMultipurposeEKUCheck creates a new linter to enforce MAY/SHALL NOT field requirements for mailbox validated SMIME certs
+func NewLegacyMultipurposeEKUCheck() lint.CertificateLintInterface {
+ return &legacyMultipurposeEKUCheck{}
+}
+
+// CheckApplies returns true if the provided certificate contains one-or-more of the following SMIME BR policy identifiers:
+// - Mailbox Validated Legacy
+// - Mailbox Validated Multipurpose
+// - Organization Validated Legacy
+// - Organization Validated Multipurpose
+// - Sponsor Validated Legacy
+// - Sponsor Validated Multipurpose
+// - Individual Validated Legacy
+// - Individual Validated Multipurpose
+func (l *legacyMultipurposeEKUCheck) CheckApplies(c *x509.Certificate) bool {
+ return (util.IsLegacySMIMECertificate(c) || util.IsMultipurposeSMIMECertificate(c)) && util.IsSubscriberCert(c)
+}
+
+// Execute applies the requirements on what fields are allowed for mailbox validated SMIME certificates
+func (l *legacyMultipurposeEKUCheck) Execute(c *x509.Certificate) *lint.LintResult {
+ hasEmailProtectionEKU := false
+ ekusOK := true
+
+ for _, eku := range c.ExtKeyUsage {
+ if eku == x509.ExtKeyUsageEmailProtection {
+ hasEmailProtectionEKU = true
+ } else if eku == x509.ExtKeyUsageServerAuth || eku == x509.ExtKeyUsageCodeSigning || eku == x509.ExtKeyUsageTimeStamping || eku == x509.ExtKeyUsageAny {
+ ekusOK = false
+ }
+ }
+
+ if !hasEmailProtectionEKU {
+ return &lint.LintResult{Status: lint.Error, Details: "id-kp-emailProtection SHALL be present"}
+ }
+
+ if !ekusOK {
+ return &lint.LintResult{Status: lint.Error, Details: "id-kp-serverAuth, id-kp-codeSigning, id-kp-timeStamping, and anyExtendedKeyUsage values SHALL NOT be present"}
+ }
+
+ return &lint.LintResult{Status: lint.Pass}
+}
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/smime_strict_eku_check.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/smime_strict_eku_check.go
new file mode 100644
index 000000000..491540012
--- /dev/null
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/smime_strict_eku_check.go
@@ -0,0 +1,71 @@
+package cabf_smime_br
+
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+import (
+ "github.com/zmap/zcrypto/x509"
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/util"
+)
+
+// strictEKUCheck - linter to enforce requirement that SMIME certificates SHALL contain emailProtecton EKU
+type strictEKUCheck struct {
+}
+
+func init() {
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_smime_strict_eku_check",
+ Description: "Strict: id-kp-emailProtection SHALL be present. Other values SHALL NOT be present",
+ Citation: "SMIME BRs: 7.1.2.3.f",
+ Source: lint.CABFSMIMEBaselineRequirements,
+ EffectiveDate: util.CABF_SMIME_BRs_1_0_0_Date,
+ },
+ Lint: NewStrictEKUCheck,
+ })
+}
+
+// NewShallHaveCrlDistributionPoints creates a new linter to enforce MAY/SHALL NOT field requirements for mailbox validated SMIME certs
+func NewStrictEKUCheck() lint.CertificateLintInterface {
+ return &strictEKUCheck{}
+}
+
+// CheckApplies returns true if the provided certificate contains one-or-more of the following SMIME BR policy identifiers:
+// - Mailbox Validated Strict
+// - Organization Validated Strict
+// - Sponsor Validated Strict
+// - Individual Validated Strict
+func (l *strictEKUCheck) CheckApplies(c *x509.Certificate) bool {
+ return util.IsStrictSMIMECertificate(c) && util.IsSubscriberCert(c)
+}
+
+// Execute applies the requirements on what fields are allowed for mailbox validated SMIME certificates
+func (l *strictEKUCheck) Execute(c *x509.Certificate) *lint.LintResult {
+ hasEmailProtectionEKU := false
+
+ for _, eku := range c.ExtKeyUsage {
+ if eku == x509.ExtKeyUsageEmailProtection {
+ hasEmailProtectionEKU = true
+ } else {
+ return &lint.LintResult{Status: lint.Error}
+ }
+ }
+
+ if hasEmailProtectionEKU {
+ return &lint.LintResult{Status: lint.Pass}
+ }
+
+ return &lint.LintResult{Status: lint.Error}
+}
diff --git a/vendor/github.com/zmap/zlint/v3/lints/community/lint_ian_bare_wildcard.go b/vendor/github.com/zmap/zlint/v3/lints/community/lint_ian_bare_wildcard.go
index 5a25d8d9a..7b31c3171 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/community/lint_ian_bare_wildcard.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/community/lint_ian_bare_wildcard.go
@@ -1,7 +1,7 @@ package community /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy @@ -25,13 +25,15 @@ import ( type brIANBareWildcard struct{} func init() { - lint.RegisterLint(&lint.Lint{ - Name: "e_ian_bare_wildcard", - Description: "A wildcard MUST be accompanied by other data to its right (Only checks IANDNSNames)", - Citation: "awslabs certlint", - Source: lint.Community, - EffectiveDate: util.ZeroDate, - Lint: NewBrIANBareWildcard, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_ian_bare_wildcard", + Description: "A wildcard MUST be accompanied by other data to its right (Only checks IANDNSNames)", + Citation: "awslabs certlint", + Source: lint.Community, + EffectiveDate: util.ZeroDate, + }, + Lint: NewBrIANBareWildcard, }) } diff --git a/vendor/github.com/zmap/zlint/v3/lints/community/lint_ian_dns_name_includes_null_char.go b/vendor/github.com/zmap/zlint/v3/lints/community/lint_ian_dns_name_includes_null_char.go index d6f10fca3..4dfa36eb1 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/community/lint_ian_dns_name_includes_null_char.go +++ b/vendor/github.com/zmap/zlint/v3/lints/community/lint_ian_dns_name_includes_null_char.go @@ -1,7 +1,7 @@ package community /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy 
@@ -23,13 +23,15 @@ import ( type IANDNSNull struct{} func init() { - lint.RegisterLint(&lint.Lint{ - Name: "e_ian_dns_name_includes_null_char", - Description: "DNSName MUST NOT include a null character", - Citation: "awslabs certlint", - Source: lint.Community, - EffectiveDate: util.ZeroDate, - Lint: NewIANDNSNull, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_ian_dns_name_includes_null_char", + Description: "DNSName MUST NOT include a null character", + Citation: "awslabs certlint", + Source: lint.Community, + EffectiveDate: util.ZeroDate, + }, + Lint: NewIANDNSNull, }) } diff --git a/vendor/github.com/zmap/zlint/v3/lints/community/lint_ian_dns_name_starts_with_period.go b/vendor/github.com/zmap/zlint/v3/lints/community/lint_ian_dns_name_starts_with_period.go index afa9085de..0207e5d8f 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/community/lint_ian_dns_name_starts_with_period.go +++ b/vendor/github.com/zmap/zlint/v3/lints/community/lint_ian_dns_name_starts_with_period.go @@ -1,7 +1,7 @@ package community /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy @@ -25,13 +25,15 @@ import ( type IANDNSPeriod struct{} func init() { - lint.RegisterLint(&lint.Lint{ - Name: "e_ian_dns_name_starts_with_period", - Description: "DNSName MUST NOT start with a period", - Citation: "awslabs certlint", - Source: lint.Community, - EffectiveDate: util.ZeroDate, - Lint: NewIANDNSPeriod, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_ian_dns_name_starts_with_period", + Description: "DNSName MUST NOT start with a period", + Citation: "awslabs certlint", + Source: lint.Community, + EffectiveDate: util.ZeroDate, + }, + Lint: NewIANDNSPeriod, }) } 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/community/lint_ian_iana_pub_suffix_empty.go b/vendor/github.com/zmap/zlint/v3/lints/community/lint_ian_iana_pub_suffix_empty.go index cfbcd04d4..a62cf458f 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/community/lint_ian_iana_pub_suffix_empty.go +++ b/vendor/github.com/zmap/zlint/v3/lints/community/lint_ian_iana_pub_suffix_empty.go @@ -1,7 +1,7 @@ package community /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy @@ -25,13 +25,15 @@ import ( type IANPubSuffix struct{} func init() { - lint.RegisterLint(&lint.Lint{ - Name: "w_ian_iana_pub_suffix_empty", - Description: "Domain SHOULD NOT have a bare public suffix", - Citation: "awslabs certlint", - Source: lint.Community, - EffectiveDate: util.ZeroDate, - Lint: NewIANPubSuffix, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "w_ian_iana_pub_suffix_empty", + Description: "Domain SHOULD NOT have a bare public suffix", + Citation: "awslabs certlint", + Source: lint.Community, + EffectiveDate: util.ZeroDate, + }, + Lint: NewIANPubSuffix, }) } diff --git a/vendor/github.com/zmap/zlint/v3/lints/community/lint_ian_wildcard_not_first.go b/vendor/github.com/zmap/zlint/v3/lints/community/lint_ian_wildcard_not_first.go index 807c20ef5..56e4210e5 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/community/lint_ian_wildcard_not_first.go +++ b/vendor/github.com/zmap/zlint/v3/lints/community/lint_ian_wildcard_not_first.go 
@@ -1,7 +1,7 @@ package community /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy @@ -23,13 +23,15 @@ import ( type brIANWildcardFirst struct{} func init() { - lint.RegisterLint(&lint.Lint{ - Name: "e_ian_wildcard_not_first", - Description: "A wildcard MUST be in the first label of FQDN (ie not: www.*.com) (Only checks IANDNSNames)", - Citation: "awslabs certlint", - Source: lint.Community, - EffectiveDate: util.ZeroDate, - Lint: NewBrIANWildcardFirst, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_ian_wildcard_not_first", + Description: "A wildcard MUST be in the first label of FQDN (ie not: www.*.com) (Only checks IANDNSNames)", + Citation: "awslabs certlint", + Source: lint.Community, + EffectiveDate: util.ZeroDate, + }, + Lint: NewBrIANWildcardFirst, }) } diff --git a/vendor/github.com/zmap/zlint/v3/lints/community/lint_is_redacted_cert.go b/vendor/github.com/zmap/zlint/v3/lints/community/lint_is_redacted_cert.go index 686f08a62..7c374dfc6 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/community/lint_is_redacted_cert.go +++ b/vendor/github.com/zmap/zlint/v3/lints/community/lint_is_redacted_cert.go @@ -1,7 +1,7 @@ package community /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy 
@@ -25,13 +25,15 @@ import (
 type DNSNameRedacted struct{}
 
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "n_contains_redacted_dnsname",
- Description: "Some precerts are redacted and of the form ?.?.a.com or *.?.a.com",
- Source: lint.Community,
- Citation: "IETF Draft: https://tools.ietf.org/id/draft-strad-trans-redaction-00.html",
- EffectiveDate: util.ZeroDate,
- Lint: NewDNSNameRedacted,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "n_contains_redacted_dnsname",
+ Description: "Some precerts are redacted and of the form ?.?.a.com or *.?.a.com",
+ Source: lint.Community,
+ Citation: "IETF Draft: https://tools.ietf.org/id/draft-strad-trans-redaction-00.html",
+ EffectiveDate: util.ZeroDate,
+ },
+ Lint: NewDNSNameRedacted,
 })
 }
 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/community/lint_issuer_dn_leading_whitespace.go b/vendor/github.com/zmap/zlint/v3/lints/community/lint_issuer_dn_leading_whitespace.go
index aa99a67a2..dbb159744 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/community/lint_issuer_dn_leading_whitespace.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/community/lint_issuer_dn_leading_whitespace.go
@@ -1,7 +1,7 @@
 package community
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
@@ -23,13 +23,15 @@ import (
 type IssuerDNLeadingSpace struct{}
 
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "w_issuer_dn_leading_whitespace",
- Description: "AttributeValue in issuer RelativeDistinguishedName sequence SHOULD NOT have leading whitespace",
- Citation: "lint.AWSLabs certlint",
- Source: lint.Community,
- EffectiveDate: util.ZeroDate,
- Lint: NewIssuerDNLeadingSpace,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "w_issuer_dn_leading_whitespace",
+ Description: "AttributeValue in issuer RelativeDistinguishedName sequence SHOULD NOT have leading whitespace",
+ Citation: "lint.AWSLabs certlint",
+ Source: lint.Community,
+ EffectiveDate: util.ZeroDate,
+ },
+ Lint: NewIssuerDNLeadingSpace,
 })
 }
 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/community/lint_issuer_dn_trailing_whitespace.go b/vendor/github.com/zmap/zlint/v3/lints/community/lint_issuer_dn_trailing_whitespace.go
index 39122541f..5372a207b 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/community/lint_issuer_dn_trailing_whitespace.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/community/lint_issuer_dn_trailing_whitespace.go
@@ -1,7 +1,7 @@
 package community
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
@@ -23,13 +23,15 @@ import (
 type IssuerDNTrailingSpace struct{}
 
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "w_issuer_dn_trailing_whitespace",
- Description: "AttributeValue in issuer RelativeDistinguishedName sequence SHOULD NOT have trailing whitespace",
- Citation: "lint.AWSLabs certlint",
- Source: lint.Community,
- EffectiveDate: util.ZeroDate,
- Lint: NewIssuerDNTrailingSpace,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "w_issuer_dn_trailing_whitespace",
+ Description: "AttributeValue in issuer RelativeDistinguishedName sequence SHOULD NOT have trailing whitespace",
+ Citation: "lint.AWSLabs certlint",
+ Source: lint.Community,
+ EffectiveDate: util.ZeroDate,
+ },
+ Lint: NewIssuerDNTrailingSpace,
 })
 }
 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/community/lint_issuer_multiple_rdn.go b/vendor/github.com/zmap/zlint/v3/lints/community/lint_issuer_multiple_rdn.go
index 9affa1473..fa81020b2 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/community/lint_issuer_multiple_rdn.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/community/lint_issuer_multiple_rdn.go
@@ -1,7 +1,7 @@
 package community
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
@@ -25,13 +25,15 @@ import (
 type IssuerRDNHasMultipleAttribute struct{}
 
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "w_multiple_issuer_rdn",
- Description: "Certificates should not have multiple attributes in a single RDN (issuer)",
- Citation: "awslabs certlint",
- Source: lint.Community,
- EffectiveDate: util.ZeroDate,
- Lint: NewIssuerRDNHasMultipleAttribute,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "w_multiple_issuer_rdn",
+ Description: "Certificates should not have multiple attributes in a single RDN (issuer)",
+ Citation: "awslabs certlint",
+ Source: lint.Community,
+ EffectiveDate: util.ZeroDate,
+ },
+ Lint: NewIssuerRDNHasMultipleAttribute,
 })
 }
 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/community/lint_rsa_exp_negative.go b/vendor/github.com/zmap/zlint/v3/lints/community/lint_rsa_exp_negative.go
index f4ff1f236..dc0b4a0a8 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/community/lint_rsa_exp_negative.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/community/lint_rsa_exp_negative.go
@@ -1,7 +1,7 @@
 package community
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
@@ -25,13 +25,15 @@ import (
 type rsaExpNegative struct{}
 
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_rsa_exp_negative",
- Description: "RSA public key exponent MUST be positive",
- Citation: "awslabs certlint",
- Source: lint.Community,
- EffectiveDate: util.ZeroDate,
- Lint: NewRsaExpNegative,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_rsa_exp_negative",
+ Description: "RSA public key exponent MUST be positive",
+ Citation: "awslabs certlint",
+ Source: lint.Community,
+ EffectiveDate: util.ZeroDate,
+ },
+ Lint: NewRsaExpNegative,
 })
 }
 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/community/lint_rsa_fermat_factorization.go b/vendor/github.com/zmap/zlint/v3/lints/community/lint_rsa_fermat_factorization.go
index 3a9be265b..1bca73c21 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/community/lint_rsa_fermat_factorization.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/community/lint_rsa_fermat_factorization.go
@@ -1,7 +1,7 @@
 package community
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
@@ -29,15 +29,17 @@ type fermatFactorization struct {
 }
 
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_rsa_fermat_factorization",
- Description: "RSA key pairs that are too close to each other are susceptible to the Fermat Factorization " +
- "Method (for more information please see https://en.wikipedia.org/wiki/Fermat%27s_factorization_method " +
- "and https://fermatattack.secvuln.info/)",
- Citation: "Pierre de Fermat",
- Source: lint.Community,
- EffectiveDate: util.ZeroDate,
- Lint: NewFermatFactorization,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_rsa_fermat_factorization",
+ Description: "RSA key pairs that are too close to each other are susceptible to the Fermat Factorization " +
+ "Method (for more information please see https://en.wikipedia.org/wiki/Fermat%27s_factorization_method " +
+ "and https://fermatattack.secvuln.info/)",
+ Citation: "Pierre de Fermat",
+ Source: lint.Community,
+ EffectiveDate: util.ZeroDate,
+ },
+ Lint: NewFermatFactorization,
 })
 }
 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/community/lint_rsa_no_public_key.go b/vendor/github.com/zmap/zlint/v3/lints/community/lint_rsa_no_public_key.go
index 255114773..0539a19d5 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/community/lint_rsa_no_public_key.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/community/lint_rsa_no_public_key.go
@@ -1,7 +1,7 @@
 package community
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
@@ -25,13 +25,15 @@ import (
 type rsaParsedPubKeyExist struct{}
 
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_rsa_no_public_key",
- Description: "The RSA public key should be present",
- Citation: "awslabs certlint",
- Source: lint.Community,
- EffectiveDate: util.ZeroDate,
- Lint: NewRsaParsedPubKeyExist,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_rsa_no_public_key",
+ Description: "The RSA public key should be present",
+ Citation: "awslabs certlint",
+ Source: lint.Community,
+ EffectiveDate: util.ZeroDate,
+ },
+ Lint: NewRsaParsedPubKeyExist,
 })
 }
 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/community/lint_san_bare_wildcard.go b/vendor/github.com/zmap/zlint/v3/lints/community/lint_san_bare_wildcard.go
index 5bc95ff57..437b8146d 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/community/lint_san_bare_wildcard.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/community/lint_san_bare_wildcard.go
@@ -1,7 +1,7 @@
 package community
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
@@ -25,13 +25,15 @@ import (
 type brSANBareWildcard struct{}
 
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_san_bare_wildcard",
- Description: "A wildcard MUST be accompanied by other data to its right (Only checks DNSName)",
- Citation: "awslabs certlint",
- Source: lint.Community,
- EffectiveDate: util.ZeroDate,
- Lint: NewBrSANBareWildcard,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_san_bare_wildcard",
+ Description: "A wildcard MUST be accompanied by other data to its right (Only checks DNSName)",
+ Citation: "awslabs certlint",
+ Source: lint.Community,
+ EffectiveDate: util.ZeroDate,
+ },
+ Lint: NewBrSANBareWildcard,
 })
 }
 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/community/lint_san_dns_name_duplicate.go b/vendor/github.com/zmap/zlint/v3/lints/community/lint_san_dns_name_duplicate.go
index bc3205e91..f4aa71a70 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/community/lint_san_dns_name_duplicate.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/community/lint_san_dns_name_duplicate.go
@@ -1,5 +1,5 @@
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
@@ -25,13 +25,15 @@ import (
 type SANDNSDuplicate struct{}
 
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "n_san_dns_name_duplicate",
- Description: "SAN DNSName contains duplicate values",
- Citation: "awslabs certlint",
- Source: lint.Community,
- EffectiveDate: util.ZeroDate,
- Lint: NewSANDNSDuplicate,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "n_san_dns_name_duplicate",
+ Description: "SAN DNSName contains duplicate values",
+ Citation: "awslabs certlint",
+ Source: lint.Community,
+ EffectiveDate: util.ZeroDate,
+ },
+ Lint: NewSANDNSDuplicate,
 })
 }
 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/community/lint_san_dns_name_includes_null_char.go b/vendor/github.com/zmap/zlint/v3/lints/community/lint_san_dns_name_includes_null_char.go
index a1a35a11f..32fa169a4 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/community/lint_san_dns_name_includes_null_char.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/community/lint_san_dns_name_includes_null_char.go
@@ -1,7 +1,7 @@
 package community
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
@@ -23,13 +23,15 @@ import (
 type SANDNSNull struct{}
 
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_san_dns_name_includes_null_char",
- Description: "DNSName MUST NOT include a null character",
- Citation: "awslabs certlint",
- Source: lint.Community,
- EffectiveDate: util.ZeroDate,
- Lint: NewSANDNSNull,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_san_dns_name_includes_null_char",
+ Description: "DNSName MUST NOT include a null character",
+ Citation: "awslabs certlint",
+ Source: lint.Community,
+ EffectiveDate: util.ZeroDate,
+ },
+ Lint: NewSANDNSNull,
 })
 }
 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/community/lint_san_dns_name_starts_with_period.go b/vendor/github.com/zmap/zlint/v3/lints/community/lint_san_dns_name_starts_with_period.go
index 9e0388804..9a08549ae 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/community/lint_san_dns_name_starts_with_period.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/community/lint_san_dns_name_starts_with_period.go
@@ -1,7 +1,7 @@
 package community
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
@@ -25,13 +25,15 @@ import (
 type SANDNSPeriod struct{}
 
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_san_dns_name_starts_with_period",
- Description: "DNSName MUST NOT start with a period",
- Citation: "awslabs certlint",
- Source: lint.Community,
- EffectiveDate: util.ZeroDate,
- Lint: NewSANDNSPeriod,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_san_dns_name_starts_with_period",
+ Description: "DNSName MUST NOT start with a period",
+ Citation: "awslabs certlint",
+ Source: lint.Community,
+ EffectiveDate: util.ZeroDate,
+ },
+ Lint: NewSANDNSPeriod,
 })
 }
 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/community/lint_san_iana_pub_suffix_empty.go b/vendor/github.com/zmap/zlint/v3/lints/community/lint_san_iana_pub_suffix_empty.go
index 5749c4987..ba0de82ee 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/community/lint_san_iana_pub_suffix_empty.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/community/lint_san_iana_pub_suffix_empty.go
@@ -1,7 +1,7 @@
 package community
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
@@ -26,13 +26,15 @@ import (
 type pubSuffix struct{}
 
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "n_san_iana_pub_suffix_empty",
- Description: "The domain SHOULD NOT have a bare public suffix",
- Citation: "awslabs certlint",
- Source: lint.Community,
- EffectiveDate: util.ZeroDate,
- Lint: NewPubSuffix,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "n_san_iana_pub_suffix_empty",
+ Description: "The domain SHOULD NOT have a bare public suffix",
+ Citation: "awslabs certlint",
+ Source: lint.Community,
+ EffectiveDate: util.ZeroDate,
+ },
+ Lint: NewPubSuffix,
 })
 }
 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/community/lint_san_wildcard_not_first.go b/vendor/github.com/zmap/zlint/v3/lints/community/lint_san_wildcard_not_first.go
index 49a2c6f0a..a31e90edb 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/community/lint_san_wildcard_not_first.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/community/lint_san_wildcard_not_first.go
@@ -1,7 +1,7 @@
 package community
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
@@ -23,13 +23,15 @@ import (
 type SANWildCardFirst struct{}
 
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_san_wildcard_not_first",
- Description: "A wildcard MUST be in the first label of FQDN (ie not: www.*.com) (Only checks DNSName)",
- Citation: "awslabs certlint",
- Source: lint.Community,
- EffectiveDate: util.ZeroDate,
- Lint: NewSANWildCardFirst,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_san_wildcard_not_first",
+ Description: "A wildcard MUST be in the first label of FQDN (ie not: www.*.com) (Only checks DNSName)",
+ Citation: "awslabs certlint",
+ Source: lint.Community,
+ EffectiveDate: util.ZeroDate,
+ },
+ Lint: NewSANWildCardFirst,
 })
 }
 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/community/lint_subject_dn_leading_whitespace.go b/vendor/github.com/zmap/zlint/v3/lints/community/lint_subject_dn_leading_whitespace.go
index 57683e517..e4b51d04e 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/community/lint_subject_dn_leading_whitespace.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/community/lint_subject_dn_leading_whitespace.go
@@ -1,7 +1,7 @@
 package community
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
@@ -23,13 +23,15 @@ import (
 type SubjectDNLeadingSpace struct{}
 
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "w_subject_dn_leading_whitespace",
- Description: "AttributeValue in subject RelativeDistinguishedName sequence SHOULD NOT have leading whitespace",
- Citation: "lint.AWSLabs certlint",
- Source: lint.Community,
- EffectiveDate: util.ZeroDate,
- Lint: NewSubjectDNLeadingSpace,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "w_subject_dn_leading_whitespace",
+ Description: "AttributeValue in subject RelativeDistinguishedName sequence SHOULD NOT have leading whitespace",
+ Citation: "lint.AWSLabs certlint",
+ Source: lint.Community,
+ EffectiveDate: util.ZeroDate,
+ },
+ Lint: NewSubjectDNLeadingSpace,
 })
 }
 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/community/lint_subject_dn_trailing_whitespace.go b/vendor/github.com/zmap/zlint/v3/lints/community/lint_subject_dn_trailing_whitespace.go
index 1aadefe28..50c471a40 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/community/lint_subject_dn_trailing_whitespace.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/community/lint_subject_dn_trailing_whitespace.go
@@ -1,7 +1,7 @@
 package community
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
@@ -23,13 +23,15 @@ import (
 type SubjectDNTrailingSpace struct{}
 
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "w_subject_dn_trailing_whitespace",
- Description: "AttributeValue in subject RelativeDistinguishedName sequence SHOULD NOT have trailing whitespace",
- Citation: "lint.AWSLabs certlint",
- Source: lint.Community,
- EffectiveDate: util.ZeroDate,
- Lint: NewSubjectDNTrailingSpace,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "w_subject_dn_trailing_whitespace",
+ Description: "AttributeValue in subject RelativeDistinguishedName sequence SHOULD NOT have trailing whitespace",
+ Citation: "lint.AWSLabs certlint",
+ Source: lint.Community,
+ EffectiveDate: util.ZeroDate,
+ },
+ Lint: NewSubjectDNTrailingSpace,
 })
 }
 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/community/lint_subject_multiple_rdn.go b/vendor/github.com/zmap/zlint/v3/lints/community/lint_subject_multiple_rdn.go
index 32b255042..a19821f69 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/community/lint_subject_multiple_rdn.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/community/lint_subject_multiple_rdn.go
@@ -1,7 +1,7 @@
 package community
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
@@ -25,13 +25,15 @@ import (
 type SubjectRDNHasMultipleAttribute struct{}
 
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "n_multiple_subject_rdn",
- Description: "Certificates typically do not have multiple attributes in a single RDN (subject). This may be an error.",
- Citation: "lint.AWSLabs certlint",
- Source: lint.Community,
- EffectiveDate: util.ZeroDate,
- Lint: NewSubjectRDNHasMultipleAttribute,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "n_multiple_subject_rdn",
+ Description: "Certificates typically do not have multiple attributes in a single RDN (subject). This may be an error.",
+ Citation: "lint.AWSLabs certlint",
+ Source: lint.Community,
+ EffectiveDate: util.ZeroDate,
+ },
+ Lint: NewSubjectRDNHasMultipleAttribute,
 })
 }
 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/community/lint_validity_time_not_positive.go b/vendor/github.com/zmap/zlint/v3/lints/community/lint_validity_time_not_positive.go
index 02c61ff7d..aa610ba79 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/community/lint_validity_time_not_positive.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/community/lint_validity_time_not_positive.go
@@ -1,7 +1,7 @@
 package community
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
@@ -23,13 +23,15 @@ import (
 type validityNegative struct{}
 
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_validity_time_not_positive",
- Description: "Certificates MUST have a positive time for which they are valid",
- Citation: "lint.AWSLabs certlint",
- Source: lint.Community,
- EffectiveDate: util.ZeroDate,
- Lint: NewValidityNegative,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_validity_time_not_positive",
+ Description: "Certificates MUST have a positive time for which they are valid",
+ Citation: "lint.AWSLabs certlint",
+ Source: lint.Community,
+ EffectiveDate: util.ZeroDate,
+ },
+ Lint: NewValidityNegative,
 })
 }
 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_etsi_present_qcs_critical.go b/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_etsi_present_qcs_critical.go
index 1e465a8a9..88126e401 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_etsi_present_qcs_critical.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_etsi_present_qcs_critical.go
@@ -1,5 +1,5 @@
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
@@ -23,13 +23,15 @@ import (
 type qcStatemQcEtsiPresentQcsCritical struct{}
 
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_qcstatem_etsi_present_qcs_critical",
- Description: "Checks that a QC Statement which contains any of the id-etsi-qcs-... QC Statements is not marked critical",
- Citation: "ETSI EN 319 412 - 5 V2.2.1 (2017 - 11) / Section 4.1",
- Source: lint.EtsiEsi,
- EffectiveDate: util.EtsiEn319_412_5_V2_2_1_Date,
- Lint: NewQcStatemQcEtsiPresentQcsCritical,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_qcstatem_etsi_present_qcs_critical",
+ Description: "Checks that a QC Statement which contains any of the id-etsi-qcs-... QC Statements is not marked critical",
+ Citation: "ETSI EN 319 412 - 5 V2.2.1 (2017 - 11) / Section 4.1",
+ Source: lint.EtsiEsi,
+ EffectiveDate: util.EtsiEn319_412_5_V2_2_1_Date,
+ },
+ Lint: NewQcStatemQcEtsiPresentQcsCritical,
 })
 }
 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_etsi_type_as_statem.go b/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_etsi_type_as_statem.go
index 2952aa72b..52c2e1362 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_etsi_type_as_statem.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_etsi_type_as_statem.go
@@ -1,5 +1,5 @@
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
@@ -26,13 +26,15 @@ import (
 type qcStatemEtsiTypeAsStatem struct{}
 
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_qcstatem_etsi_type_as_statem",
- Description: "Checks for erroneous QC Statement OID that actually are represented by ETSI ESI QC type OID.",
- Citation: "ETSI EN 319 412 - 5 V2.2.1 (2017 - 11) / Section 4.2.3",
- Source: lint.EtsiEsi,
- EffectiveDate: util.EtsiEn319_412_5_V2_2_1_Date,
- Lint: NewQcStatemEtsiTypeAsStatem,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_qcstatem_etsi_type_as_statem",
+ Description: "Checks for erroneous QC Statement OID that actually are represented by ETSI ESI QC type OID.",
+ Citation: "ETSI EN 319 412 - 5 V2.2.1 (2017 - 11) / Section 4.2.3",
+ Source: lint.EtsiEsi,
+ EffectiveDate: util.EtsiEn319_412_5_V2_2_1_Date,
+ },
+ Lint: NewQcStatemEtsiTypeAsStatem,
 })
 }
 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_mandatory_etsi_statems.go b/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_mandatory_etsi_statems.go
index 099f244d6..a32fe53a0 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_mandatory_etsi_statems.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_mandatory_etsi_statems.go
@@ -1,5 +1,5 @@
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
@@ -24,13 +24,15 @@ import (
 type qcStatemQcmandatoryEtsiStatems struct{}
 
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_qcstatem_mandatory_etsi_statems",
- Description: "Checks that a QC Statement that contains at least one of the ETSI ESI statements, also features the set of mandatory ETSI ESI QC statements.",
- Citation: "ETSI EN 319 412 - 5 V2.2.1 (2017 - 11) / Section 5",
- Source: lint.EtsiEsi,
- EffectiveDate: util.EtsiEn319_412_5_V2_2_1_Date,
- Lint: NewQcStatemQcmandatoryEtsiStatems,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_qcstatem_mandatory_etsi_statems",
+ Description: "Checks that a QC Statement that contains at least one of the ETSI ESI statements, also features the set of mandatory ETSI ESI QC statements.",
+ Citation: "ETSI EN 319 412 - 5 V2.2.1 (2017 - 11) / Section 5",
+ Source: lint.EtsiEsi,
+ EffectiveDate: util.EtsiEn319_412_5_V2_2_1_Date,
+ },
+ Lint: NewQcStatemQcmandatoryEtsiStatems,
 })
 }
 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_qccompliance_valid.go b/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_qccompliance_valid.go
index 61a3fae1a..0cd439673 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_qccompliance_valid.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_qccompliance_valid.go
@@ -1,5 +1,5 @@
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
@@ -24,13 +24,15 @@ import (
 type qcStatemQcComplianceValid struct{}
 
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_qcstatem_qccompliance_valid",
- Description: "Checks that a QC Statement of the type id-etsi-qcs-QcCompliance has the correct form",
- Citation: "ETSI EN 319 412 - 5 V2.2.1 (2017 - 11) / Section 4.2.1",
- Source: lint.EtsiEsi,
- EffectiveDate: util.EtsiEn319_412_5_V2_2_1_Date,
- Lint: NewQcStatemQcComplianceValid,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_qcstatem_qccompliance_valid",
+ Description: "Checks that a QC Statement of the type id-etsi-qcs-QcCompliance has the correct form",
+ Citation: "ETSI EN 319 412 - 5 V2.2.1 (2017 - 11) / Section 4.2.1",
+ Source: lint.EtsiEsi,
+ EffectiveDate: util.EtsiEn319_412_5_V2_2_1_Date,
+ },
+ Lint: NewQcStatemQcComplianceValid,
 })
 }
 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_qclimitvalue_valid.go b/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_qclimitvalue_valid.go
index a589ed6bf..2ed1db224 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_qclimitvalue_valid.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_qclimitvalue_valid.go
@@ -1,5 +1,5 @@
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
@@ -26,13 +26,15 @@ import (
 type qcStatemQcLimitValueValid struct{}
 
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_qcstatem_qclimitvalue_valid",
- Description: "Checks that a QC Statement of the type id-etsi-qcs-QcLimitValue has the correct form",
- Citation: "ETSI EN 319 412 - 5 V2.2.1 (2017 - 11) / Section 4.3.2",
- Source: lint.EtsiEsi,
- EffectiveDate: util.EtsiEn319_412_5_V2_2_1_Date,
- Lint: NewQcStatemQcLimitValueValid,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_qcstatem_qclimitvalue_valid",
+ Description: "Checks that a QC Statement of the type id-etsi-qcs-QcLimitValue has the correct form",
+ Citation: "ETSI EN 319 412 - 5 V2.2.1 (2017 - 11) / Section 4.3.2",
+ Source: lint.EtsiEsi,
+ EffectiveDate: util.EtsiEn319_412_5_V2_2_1_Date,
+ },
+ Lint: NewQcStatemQcLimitValueValid,
 })
 }
 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_qcpds_lang_case.go b/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_qcpds_lang_case.go
index 63111891e..244286d2f 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_qcpds_lang_case.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_qcpds_lang_case.go
@@ -1,5 +1,5 @@
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
@@ -27,13 +27,15 @@ import ( type qcStatemQcPdsLangCase struct{} func init() { - lint.RegisterLint(&lint.Lint{ - Name: "w_qcstatem_qcpds_lang_case", - Description: "Checks that a QC Statement of the type id-etsi-qcs-QcPDS features a language code comprised of only lower case letters", - Citation: "ETSI EN 319 412 - 5 V2.2.1 (2017 - 11) / Section 4.3.4", - Source: lint.EtsiEsi, - EffectiveDate: util.EtsiEn319_412_5_V2_2_1_Date, - Lint: NewQcStatemQcPdsLangCase, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "w_qcstatem_qcpds_lang_case", + Description: "Checks that a QC Statement of the type id-etsi-qcs-QcPDS features a language code comprised of only lower case letters", + Citation: "ETSI EN 319 412 - 5 V2.2.1 (2017 - 11) / Section 4.3.4", + Source: lint.EtsiEsi, + EffectiveDate: util.EtsiEn319_412_5_V2_2_1_Date, + }, + Lint: NewQcStatemQcPdsLangCase, }) } diff --git a/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_qcpds_valid.go b/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_qcpds_valid.go index b10d75e2d..8dfd35230 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_qcpds_valid.go +++ b/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_qcpds_valid.go @@ -1,5 +1,5 @@ /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy 
@@ -27,13 +27,15 @@ import ( type qcStatemQcPdsValid struct{} func init() { - lint.RegisterLint(&lint.Lint{ - Name: "e_qcstatem_qcpds_valid", - Description: "Checks that a QC Statement of the type id-etsi-qcs-QcPDS has the correct form", - Citation: "ETSI EN 319 412 - 5 V2.2.1 (2017 - 11) / Section 4.3.4", - Source: lint.EtsiEsi, - EffectiveDate: util.EtsiEn319_412_5_V2_2_1_Date, - Lint: NewQcStatemQcPdsValid, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_qcstatem_qcpds_valid", + Description: "Checks that a QC Statement of the type id-etsi-qcs-QcPDS has the correct form", + Citation: "ETSI EN 319 412 - 5 V2.2.1 (2017 - 11) / Section 4.3.4", + Source: lint.EtsiEsi, + EffectiveDate: util.EtsiEn319_412_5_V2_2_1_Date, + }, + Lint: NewQcStatemQcPdsValid, }) } diff --git a/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_qcretentionperiod_valid.go b/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_qcretentionperiod_valid.go index 27700805a..ecece31df 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_qcretentionperiod_valid.go +++ b/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_qcretentionperiod_valid.go @@ -1,5 +1,5 @@ /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy 
@@ -24,13 +24,15 @@ import ( type qcStatemQcRetentionPeriodValid struct{} func init() { - lint.RegisterLint(&lint.Lint{ - Name: "e_qcstatem_qcretentionperiod_valid", - Description: "Checks that a QC Statement of the type id-etsi-qcs-QcRetentionPeriod has the correct form", - Citation: "ETSI EN 319 412 - 5 V2.2.1 (2017 - 11)/ Section 4.3.3", - Source: lint.EtsiEsi, - EffectiveDate: util.EtsiEn319_412_5_V2_2_1_Date, - Lint: NewQcStatemQcRetentionPeriodValid, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_qcstatem_qcretentionperiod_valid", + Description: "Checks that a QC Statement of the type id-etsi-qcs-QcRetentionPeriod has the correct form", + Citation: "ETSI EN 319 412 - 5 V2.2.1 (2017 - 11)/ Section 4.3.3", + Source: lint.EtsiEsi, + EffectiveDate: util.EtsiEn319_412_5_V2_2_1_Date, + }, + Lint: NewQcStatemQcRetentionPeriodValid, }) } diff --git a/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_qcsscd_valid.go b/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_qcsscd_valid.go index 70efac551..b4ba4d8c7 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_qcsscd_valid.go +++ b/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_qcsscd_valid.go @@ -1,5 +1,5 @@ /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy 
@@ -24,13 +24,15 @@ import ( type qcStatemQcSscdValid struct{} func init() { - lint.RegisterLint(&lint.Lint{ - Name: "e_qcstatem_qcsscd_valid", - Description: "Checks that a QC Statement of the type id-etsi-qcs-QcSSCD has the correct form", - Citation: "ETSI EN 319 412 - 5 V2.2.1 (2017 - 11) / Section 4.2.2", - Source: lint.EtsiEsi, - EffectiveDate: util.EtsiEn319_412_5_V2_2_1_Date, - Lint: NewQcStatemQcSscdValid, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_qcstatem_qcsscd_valid", + Description: "Checks that a QC Statement of the type id-etsi-qcs-QcSSCD has the correct form", + Citation: "ETSI EN 319 412 - 5 V2.2.1 (2017 - 11) / Section 4.2.2", + Source: lint.EtsiEsi, + EffectiveDate: util.EtsiEn319_412_5_V2_2_1_Date, + }, + Lint: NewQcStatemQcSscdValid, }) } diff --git a/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_qctype_valid.go b/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_qctype_valid.go index 5e63b86c4..0add14df4 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_qctype_valid.go +++ b/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_qctype_valid.go @@ -1,5 +1,5 @@ /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy 
@@ -26,13 +26,15 @@ import ( type qcStatemQctypeValid struct{} func init() { - lint.RegisterLint(&lint.Lint{ - Name: "e_qcstatem_qctype_valid", - Description: "Checks that a QC Statement of the type Id-etsi-qcs-QcType features a non-empty list of only the allowed QcType OIDs", - Citation: "ETSI EN 319 412 - 5 V2.2.1 (2017 - 11) / Section 4.2.3", - Source: lint.EtsiEsi, - EffectiveDate: util.EtsiEn319_412_5_V2_2_1_Date, - Lint: NewQcStatemQctypeValid, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_qcstatem_qctype_valid", + Description: "Checks that a QC Statement of the type Id-etsi-qcs-QcType features a non-empty list of only the allowed QcType OIDs", + Citation: "ETSI EN 319 412 - 5 V2.2.1 (2017 - 11) / Section 4.2.3", + Source: lint.EtsiEsi, + EffectiveDate: util.EtsiEn319_412_5_V2_2_1_Date, + }, + Lint: NewQcStatemQctypeValid, }) } diff --git a/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_qctype_web.go b/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_qctype_web.go index d6969a5fd..680820c9e 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_qctype_web.go +++ b/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_qctype_web.go @@ -1,5 +1,5 @@ /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy 
@@ -26,13 +26,15 @@ import ( type qcStatemQctypeWeb struct{} func init() { - lint.RegisterLint(&lint.Lint{ - Name: "w_qcstatem_qctype_web", - Description: "Checks that a QC Statement of the type Id-etsi-qcs-QcType features at least the type IdEtsiQcsQctWeb", - Citation: "ETSI EN 319 412 - 5 V2.2.1 (2017 - 11) / Section 4.2.3", - Source: lint.EtsiEsi, - EffectiveDate: util.EtsiEn319_412_5_V2_2_1_Date, - Lint: NewQcStatemQctypeWeb, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "w_qcstatem_qctype_web", + Description: "Checks that a QC Statement of the type Id-etsi-qcs-QcType features at least the type IdEtsiQcsQctWeb", + Citation: "ETSI EN 319 412 - 5 V2.2.1 (2017 - 11) / Section 4.2.3", + Source: lint.EtsiEsi, + EffectiveDate: util.EtsiEn319_412_5_V2_2_1_Date, + }, + Lint: NewQcStatemQctypeWeb, }) } diff --git a/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_e_prohibit_dsa_usage.go b/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_e_prohibit_dsa_usage.go index 3382f92b7..af8370c60 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_e_prohibit_dsa_usage.go +++ b/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_e_prohibit_dsa_usage.go @@ -1,5 +1,5 @@ /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy 
@@ -35,13 +35,15 @@ Root certificates in our root program, and any certificate which chains up to th ************************************************/ func init() { - lint.RegisterLint(&lint.Lint{ - Name: "e_prohibit_dsa_usage", - Description: "DSA is not an explicitly allowed signature algorithm, therefore it is forbidden.", - Citation: "Mozilla Root Store Policy / Section 5.1", - Source: lint.MozillaRootStorePolicy, - EffectiveDate: util.MozillaPolicy241Date, - Lint: NewProhibitDSAUsage, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_prohibit_dsa_usage", + Description: "DSA is not an explicitly allowed signature algorithm, therefore it is forbidden.", + Citation: "Mozilla Root Store Policy / Section 5.1", + Source: lint.MozillaRootStorePolicy, + EffectiveDate: util.MozillaPolicy241Date, + }, + Lint: NewProhibitDSAUsage, }) } diff --git a/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_mp_allowed_eku.go b/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_mp_allowed_eku.go index fe586cb02..4db414db7 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_mp_allowed_eku.go +++ b/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_mp_allowed_eku.go @@ -1,5 +1,5 @@ /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy 
@@ -37,13 +37,15 @@ intermediates. ********************************************************************/ func init() { - lint.RegisterLint(&lint.Lint{ - Name: "n_mp_allowed_eku", - Description: "A SubCA certificate must not have key usage that allows for both server auth and email protection, and must not use anyExtendedKeyUsage", - Citation: "Mozilla Root Store Policy / Section 5.3", - Source: lint.MozillaRootStorePolicy, - EffectiveDate: time.Date(2019, time.January, 1, 0, 0, 0, 0, time.UTC), - Lint: NewAllowedEKU, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "n_mp_allowed_eku", + Description: "A SubCA certificate must not have key usage that allows for both server auth and email protection, and must not use anyExtendedKeyUsage", + Citation: "Mozilla Root Store Policy / Section 5.3", + Source: lint.MozillaRootStorePolicy, + EffectiveDate: time.Date(2019, time.January, 1, 0, 0, 0, 0, time.UTC), + }, + Lint: NewAllowedEKU, }) } diff --git a/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_mp_authority_key_identifier_correct.go b/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_mp_authority_key_identifier_correct.go index 1e2ae7eb6..c18c41f87 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_mp_authority_key_identifier_correct.go +++ b/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_mp_authority_key_identifier_correct.go @@ -1,5 +1,5 @@ /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy 
@@ -39,13 +39,15 @@ CAs MUST NOT issue certificates that have: ********************************************************************/ func init() { - lint.RegisterLint(&lint.Lint{ - Name: "e_mp_authority_key_identifier_correct", - Description: "CAs MUST NOT issue certificates that have authority key IDs that include both the key ID and the issuer's issuer name and serial number", - Citation: "Mozilla Root Store Policy / Section 5.2", - Source: lint.MozillaRootStorePolicy, - EffectiveDate: util.MozillaPolicy22Date, - Lint: NewAuthorityKeyIdentifierCorrect, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_mp_authority_key_identifier_correct", + Description: "CAs MUST NOT issue certificates that have authority key IDs that include both the key ID and the issuer's issuer name and serial number", + Citation: "Mozilla Root Store Policy / Section 5.2", + Source: lint.MozillaRootStorePolicy, + EffectiveDate: util.MozillaPolicy22Date, + }, + Lint: NewAuthorityKeyIdentifierCorrect, }) } diff --git a/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_mp_ecdsa_pub_key_encoding_correct.go b/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_mp_ecdsa_pub_key_encoding_correct.go index 9dc5f2505..f170e2747 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_mp_ecdsa_pub_key_encoding_correct.go +++ b/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_mp_ecdsa_pub_key_encoding_correct.go @@ -1,7 +1,7 @@ package mozilla /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy 
@@ -44,13 +44,15 @@ curve OID. Certificates MUST NOT use the implicit or specified curve forms. ************************************************/ func init() { - lint.RegisterLint(&lint.Lint{ - Name: "e_mp_ecdsa_pub_key_encoding_correct", - Description: "The encoded algorithm identifiers for ECDSA public keys MUST match specific bytes", - Citation: "Mozilla Root Store Policy / Section 5.1.2", - Source: lint.MozillaRootStorePolicy, - EffectiveDate: util.MozillaPolicy27Date, - Lint: NewEcdsaPubKeyAidEncoding, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_mp_ecdsa_pub_key_encoding_correct", + Description: "The encoded algorithm identifiers for ECDSA public keys MUST match specific bytes", + Citation: "Mozilla Root Store Policy / Section 5.1.2", + Source: lint.MozillaRootStorePolicy, + EffectiveDate: util.MozillaPolicy27Date, + }, + Lint: NewEcdsaPubKeyAidEncoding, }) } diff --git a/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_mp_ecdsa_signature_encoding_correct.go b/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_mp_ecdsa_signature_encoding_correct.go index 9c97622b7..0a86abe87 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_mp_ecdsa_signature_encoding_correct.go +++ b/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_mp_ecdsa_signature_encoding_correct.go @@ -1,7 +1,7 @@ package mozilla /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy 
@@ -45,13 +45,15 @@ an explicit NULL. ************************************************/ func init() { - lint.RegisterLint(&lint.Lint{ - Name: "e_mp_ecdsa_signature_encoding_correct", - Description: "The encoded algorithm identifiers for ECDSA signatures MUST match specific hex-encoded bytes", - Citation: "Mozilla Root Store Policy / Section 5.1.2", - Source: lint.MozillaRootStorePolicy, - EffectiveDate: util.MozillaPolicy27Date, - Lint: NewEcdsaSignatureAidEncoding, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_mp_ecdsa_signature_encoding_correct", + Description: "The encoded algorithm identifiers for ECDSA signatures MUST match specific hex-encoded bytes", + Citation: "Mozilla Root Store Policy / Section 5.1.2", + Source: lint.MozillaRootStorePolicy, + EffectiveDate: util.MozillaPolicy27Date, + }, + Lint: NewEcdsaSignatureAidEncoding, }) } diff --git a/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_mp_exponent_cannot_be_one.go b/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_mp_exponent_cannot_be_one.go index 010741499..05e4fbc23 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_mp_exponent_cannot_be_one.go +++ b/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_mp_exponent_cannot_be_one.go @@ -1,5 +1,5 @@ /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy 
@@ -31,13 +31,15 @@ CAs MUST NOT issue certificates that have: ********************************************************************/ func init() { - lint.RegisterLint(&lint.Lint{ - Name: "e_mp_exponent_cannot_be_one", - Description: "CAs MUST NOT issue certificates that have invalid public keys (e.g., RSA certificates with public exponent equal to 1)", - Citation: "Mozilla Root Store Policy / Section 5.2", - Source: lint.MozillaRootStorePolicy, - EffectiveDate: util.MozillaPolicy24Date, - Lint: NewExponentCannotBeOne, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_mp_exponent_cannot_be_one", + Description: "CAs MUST NOT issue certificates that have invalid public keys (e.g., RSA certificates with public exponent equal to 1)", + Citation: "Mozilla Root Store Policy / Section 5.2", + Source: lint.MozillaRootStorePolicy, + EffectiveDate: util.MozillaPolicy24Date, + }, + Lint: NewExponentCannotBeOne, }) } diff --git a/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_mp_modulus_must_be_2048_bits_or_more.go b/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_mp_modulus_must_be_2048_bits_or_more.go index bd0da2470..2a15354d4 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_mp_modulus_must_be_2048_bits_or_more.go +++ b/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_mp_modulus_must_be_2048_bits_or_more.go @@ -1,5 +1,5 @@ /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy 
@@ -30,13 +30,15 @@ RSA keys whose modulus size in bits is divisible by 8, and is at least 2048. ********************************************************************/ func init() { - lint.RegisterLint(&lint.Lint{ - Name: "e_mp_modulus_must_be_2048_bits_or_more", - Description: "RSA keys must have modulus size of at least 2048 bits", - Citation: "Mozilla Root Store Policy / Section 5.1", - Source: lint.MozillaRootStorePolicy, - EffectiveDate: util.MozillaPolicy24Date, - Lint: NewModulus2048OrMore, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_mp_modulus_must_be_2048_bits_or_more", + Description: "RSA keys must have modulus size of at least 2048 bits", + Citation: "Mozilla Root Store Policy / Section 5.1", + Source: lint.MozillaRootStorePolicy, + EffectiveDate: util.MozillaPolicy24Date, + }, + Lint: NewModulus2048OrMore, }) } diff --git a/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_mp_modulus_must_be_divisible_by_8.go b/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_mp_modulus_must_be_divisible_by_8.go index aed4a8d50..fea9f4857 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_mp_modulus_must_be_divisible_by_8.go +++ b/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_mp_modulus_must_be_divisible_by_8.go @@ -1,5 +1,5 @@ /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy 
@@ -30,13 +30,15 @@ RSA keys whose modulus size in bits is divisible by 8, and is at least 2048. ********************************************************************/ func init() { - lint.RegisterLint(&lint.Lint{ - Name: "e_mp_modulus_must_be_divisible_by_8", - Description: "RSA keys must have a modulus size divisible by 8", - Citation: "Mozilla Root Store Policy / Section 5.1", - Source: lint.MozillaRootStorePolicy, - EffectiveDate: util.MozillaPolicy24Date, - Lint: NewModulusDivisibleBy8, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_mp_modulus_must_be_divisible_by_8", + Description: "RSA keys must have a modulus size divisible by 8", + Citation: "Mozilla Root Store Policy / Section 5.1", + Source: lint.MozillaRootStorePolicy, + EffectiveDate: util.MozillaPolicy24Date, + }, + Lint: NewModulusDivisibleBy8, }) } diff --git a/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_mp_pss_parameters_encoding_correct.go b/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_mp_pss_parameters_encoding_correct.go index 03ba32b00..122749bab 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_mp_pss_parameters_encoding_correct.go +++ b/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_mp_pss_parameters_encoding_correct.go @@ -1,7 +1,7 @@ package mozilla /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy 
@@ -58,13 +58,15 @@ The encoded AlgorithmIdentifier MUST match the following hex-encoded bytes: ************************************************/ func init() { - lint.RegisterLint(&lint.Lint{ - Name: "e_mp_rsassa-pss_parameters_encoding_in_signature_algorithm_correct", - Description: "The encoded AlgorithmIdentifier for RSASSA-PSS in the signature algorithm MUST match specific bytes", - Citation: "Mozilla Root Store Policy / Section 5.1.1", - Source: lint.MozillaRootStorePolicy, - EffectiveDate: util.MozillaPolicy27Date, - Lint: NewRsaPssAidEncoding, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_mp_rsassa-pss_parameters_encoding_in_signature_algorithm_correct", + Description: "The encoded AlgorithmIdentifier for RSASSA-PSS in the signature algorithm MUST match specific bytes", + Citation: "Mozilla Root Store Policy / Section 5.1.1", + Source: lint.MozillaRootStorePolicy, + EffectiveDate: util.MozillaPolicy27Date, + }, + Lint: NewRsaPssAidEncoding, }) } diff --git a/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_mp_rsassa-pss_in_spki.go b/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_mp_rsassa-pss_in_spki.go index 9a4e842c6..0a884d70f 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_mp_rsassa-pss_in_spki.go +++ b/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_mp_rsassa-pss_in_spki.go @@ -1,7 +1,7 @@ package mozilla /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy 
@@ -33,13 +33,15 @@ CAs MUST NOT use the id-RSASSA-PSS OID (1.2.840.113549.1.1.10) within a SubjectP ************************************************/ func init() { - lint.RegisterLint(&lint.Lint{ - Name: "e_mp_rsassa-pss_in_spki", - Description: "CAs MUST NOT use the id-RSASSA-PSS OID (1.2.840.113549.1.1.10) within a SubjectPublicKeyInfo to represent a RSA key.", - Citation: "Mozilla Root Store Policy / Section 5.1.1", - Source: lint.MozillaRootStorePolicy, - EffectiveDate: util.MozillaPolicy27Date, - Lint: NewRsaPssInSPKI, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_mp_rsassa-pss_in_spki", + Description: "CAs MUST NOT use the id-RSASSA-PSS OID (1.2.840.113549.1.1.10) within a SubjectPublicKeyInfo to represent a RSA key.", + Citation: "Mozilla Root Store Policy / Section 5.1.1", + Source: lint.MozillaRootStorePolicy, + EffectiveDate: util.MozillaPolicy27Date, + }, + Lint: NewRsaPssInSPKI, }) } diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_basic_constraints_not_critical.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_basic_constraints_not_critical.go index 4d6b8dabf..015517c3d 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_basic_constraints_not_critical.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_basic_constraints_not_critical.go @@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy 
@@ -35,13 +35,15 @@ management public keys used with certificate. ************************************************/ func init() { - lint.RegisterLint(&lint.Lint{ - Name: "e_basic_constraints_not_critical", - Description: "basicConstraints MUST appear as a critical extension", - Citation: "RFC 5280: 4.2.1.9", - Source: lint.RFC5280, - EffectiveDate: util.RFC2459Date, - Lint: NewBasicConstCrit, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_basic_constraints_not_critical", + Description: "basicConstraints MUST appear as a critical extension", + Citation: "RFC 5280: 4.2.1.9", + Source: lint.RFC5280, + EffectiveDate: util.RFC2459Date, + }, + Lint: NewBasicConstCrit, }) } @@ -58,9 +60,8 @@ func (l *basicConstCrit) Execute(c *x509.Certificate) *lint.LintResult { if e.Critical { return &lint.LintResult{Status: lint.Pass} } else { - return &lint.LintResult{Status: lint.Error} + return &lint.LintResult{Status: lint.Error, Details: "Basic Constraints extension is marked as non-critical"} } - } else { - return &lint.LintResult{Status: lint.NA} } + return &lint.LintResult{Status: lint.Error, Details: "Error processing Basic Constraints extension"} } diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ca_subject_field_empty.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ca_subject_field_empty.go index 55ddd8833..7befaa686 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ca_subject_field_empty.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ca_subject_field_empty.go @@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy 
@@ -35,13 +35,15 @@ The subject field identifies the entity associated with the public ************************************************/ func init() { - lint.RegisterLint(&lint.Lint{ - Name: "e_ca_subject_field_empty", - Description: "CA Certificates subject field MUST not be empty and MUST have a non-empty distinguished name", - Citation: "RFC 5280: 4.1.2.6", - Source: lint.RFC5280, - EffectiveDate: util.RFC2459Date, - Lint: NewCaSubjectEmpty, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_ca_subject_field_empty", + Description: "The subject field of a CA certificate MUST have a non-empty distinguished name", + Citation: "RFC 5280: 4.1.2.6", + Source: lint.RFC5280, + EffectiveDate: util.RFC2459Date, + }, + Lint: NewCaSubjectEmpty, }) } diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_cert_contains_unique_identifier.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_cert_contains_unique_identifier.go index 0184d4496..ba8462df3 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_cert_contains_unique_identifier.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_cert_contains_unique_identifier.go @@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy 
@@ -36,13 +36,15 @@ type CertContainsUniqueIdentifier struct{} ************************************************/ func init() { - lint.RegisterLint(&lint.Lint{ - Name: "e_cert_contains_unique_identifier", - Description: "CAs MUST NOT generate certificate with unique identifiers", - Source: lint.RFC5280, - Citation: "RFC 5280: 4.1.2.8", - EffectiveDate: util.RFC5280Date, - Lint: NewCertContainsUniqueIdentifier, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_cert_contains_unique_identifier", + Description: "CAs MUST NOT generate certificate with unique identifiers", + Source: lint.RFC5280, + Citation: "RFC 5280: 4.1.2.8", + EffectiveDate: util.RFC5280Date, + }, + Lint: NewCertContainsUniqueIdentifier, }) } diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_cert_extensions_version_not_3.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_cert_extensions_version_not_3.go index 48ada489a..c19282ffd 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_cert_extensions_version_not_3.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_cert_extensions_version_not_3.go @@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy 
@@ -42,13 +42,15 @@ type CertExtensionsVersonNot3 struct{} ************************************************/ func init() { - lint.RegisterLint(&lint.Lint{ - Name: "e_cert_extensions_version_not_3", - Description: "The extensions field MUST only appear in version 3 certificates", - Citation: "RFC 5280: 4.1.2.9", - Source: lint.RFC5280, - EffectiveDate: util.RFC2459Date, - Lint: NewCertExtensionsVersonNot3, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_cert_extensions_version_not_3", + Description: "The extensions field MUST only appear in version 3 certificates", + Citation: "RFC 5280: 4.1.2.9", + Source: lint.RFC5280, + EffectiveDate: util.RFC2459Date, + }, + Lint: NewCertExtensionsVersonNot3, }) } diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_cert_unique_identifier_version_not_2_or_3.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_cert_unique_identifier_version_not_2_or_3.go index 01bbef59b..6b250b612 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_cert_unique_identifier_version_not_2_or_3.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_cert_unique_identifier_version_not_2_or_3.go @@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy 
@@ -37,13 +37,15 @@ RFC 5280: 4.1.2.8 ****************************************************************************/ func init() { - lint.RegisterLint(&lint.Lint{ - Name: "e_cert_unique_identifier_version_not_2_or_3", - Description: "Unique identifiers MUST only appear if the X.509 version is 2 or 3", - Citation: "RFC 5280: 4.1.2.8", - Source: lint.RFC5280, - EffectiveDate: util.RFC5280Date, - Lint: NewCertUniqueIdVersion, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_cert_unique_identifier_version_not_2_or_3", + Description: "Unique identifiers MUST only appear if the X.509 version is 2 or 3", + Citation: "RFC 5280: 4.1.2.8", + Source: lint.RFC5280, + EffectiveDate: util.RFC5280Date, + }, + Lint: NewCertUniqueIdVersion, }) } diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_crl_has_next_update.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_crl_has_next_update.go index 70dd461dd..d881307e0 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_crl_has_next_update.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_crl_has_next_update.go @@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_crl_valid_reason_codes.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_crl_valid_reason_codes.go new file mode 100644 index 000000000..20bbb2303 --- /dev/null +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_crl_valid_reason_codes.go 
@@ -0,0 +1,73 @@
+package rfc
+
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+import (
+ "fmt"
+
+ "github.com/zmap/zcrypto/x509"
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/util"
+)
+
+type crlHasValidReasonCode struct{}
+
+/*
+***********************************************
+RFC 5280: 5.3.1
+
+ CRL issuers are strongly
+ encouraged to include meaningful reason codes in CRL entries;
+ however, the reason code CRL entry extension SHOULD be absent instead
+ of using the unspecified (0) reasonCode value.
+
+***********************************************
+*/
+func init() {
+ lint.RegisterRevocationListLint(&lint.RevocationListLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_crl_has_valid_reason_code",
+ Description: "If a CRL entry has a reason code, it MUST be in RFC5280 section 5.3.1 and SHOULD be absent instead of using unspecified (0)",
+ Citation: "RFC 5280: 5.3.1",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC5280Date,
+ },
+ Lint: NewCrlHasValidReasonCode,
+ })
+}
+
+func NewCrlHasValidReasonCode() lint.RevocationListLintInterface {
+ return &crlHasValidReasonCode{}
+}
+
+func (l *crlHasValidReasonCode) CheckApplies(c *x509.RevocationList) bool {
+ return len(c.RevokedCertificates) > 0
+}
+
+func (l *crlHasValidReasonCode) Execute(c *x509.RevocationList) *lint.LintResult {
+ for _, c := range c.RevokedCertificates {
+ if c.ReasonCode == nil {
+ continue
+ }
+ code := *c.ReasonCode
+ if code == 0 {
+ return &lint.LintResult{Status: lint.Warn, Details: "The reason code CRL entry extension SHOULD be absent instead of using the unspecified (0) reasonCode value."}
+ }
+ if code == 7 || code > 10 {
+ return &lint.LintResult{Status: lint.Error, Details: fmt.Sprintf("Reason code, %v, not included in RFC 5280 section 5.3.1", code)}
+ }
+ }
+ return &lint.LintResult{Status: lint.Pass}
+}
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_distribution_point_incomplete.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_distribution_point_incomplete.go
index 5a7324919..c3b53dbdf 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_distribution_point_incomplete.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_distribution_point_incomplete.go
@@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy @@ -49,13 +49,15 @@ the distributionPoint field. ********************************************************************/ func init() { - lint.RegisterLint(&lint.Lint{ - Name: "e_distribution_point_incomplete", - Description: "A DistributionPoint from the CRLDistributionPoints extension MUST NOT consist of only the reasons field; either distributionPoint or CRLIssuer must be present", - Citation: "RFC 5280: 4.2.1.13", - Source: lint.RFC5280, - EffectiveDate: util.RFC3280Date, - Lint: NewDpIncomplete, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_distribution_point_incomplete", + Description: "A DistributionPoint from the CRLDistributionPoints extension MUST NOT consist of only the reasons field; either distributionPoint or CRLIssuer must be present", + Citation: "RFC 5280: 4.2.1.13", + Source: lint.RFC5280, + EffectiveDate: util.RFC3280Date, + }, + Lint: NewDpIncomplete, }) } diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_distribution_point_missing_ldap_or_uri.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_distribution_point_missing_ldap_or_uri.go index f381a1fe9..4640f8877 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_distribution_point_missing_ldap_or_uri.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_distribution_point_missing_ldap_or_uri.go @@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy 
@@ -30,13 +30,15 @@ When present, DistributionPointName SHOULD include at least one LDAP or HTTP URI ************************************************/ func init() { - lint.RegisterLint(&lint.Lint{ - Name: "w_distribution_point_missing_ldap_or_uri", - Description: "When present in the CRLDistributionPoints extension, DistributionPointName SHOULD include at least one LDAP or HTTP URI", - Citation: "RFC 5280: 4.2.1.13", - Source: lint.RFC5280, - EffectiveDate: util.RFC5280Date, - Lint: NewDistribNoLDAPorURI, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "w_distribution_point_missing_ldap_or_uri", + Description: "When present in the CRLDistributionPoints extension, DistributionPointName SHOULD include at least one LDAP or HTTP URI", + Citation: "RFC 5280: 4.2.1.13", + Source: lint.RFC5280, + EffectiveDate: util.RFC5280Date, + }, + Lint: NewDistribNoLDAPorURI, }) } diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_dnsname_contains_empty_label.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_dnsname_contains_empty_label.go index 4e094e45f..0b9f7b70c 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_dnsname_contains_empty_label.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_dnsname_contains_empty_label.go @@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy 
@@ -25,13 +25,15 @@ import ( type DNSNameEmptyLabel struct{} func init() { - lint.RegisterLint(&lint.Lint{ - Name: "e_rfc_dnsname_empty_label", - Description: "DNSNames should not have an empty label.", - Citation: "RFC5280: 4.2.1.6", - Source: lint.RFC5280, - EffectiveDate: util.RFC5280Date, - Lint: NewDNSNameEmptyLabel, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_rfc_dnsname_empty_label", + Description: "DNSNames should not have an empty label.", + Citation: "RFC5280: 4.2.1.6", + Source: lint.RFC5280, + EffectiveDate: util.RFC5280Date, + }, + Lint: NewDNSNameEmptyLabel, }) } diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_dnsname_hyphen_in_sld.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_dnsname_hyphen_in_sld.go index 11e8db068..9ab2060f6 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_dnsname_hyphen_in_sld.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_dnsname_hyphen_in_sld.go @@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy @@ -25,13 +25,15 @@ import ( type DNSNameHyphenInSLD struct{} func init() { - lint.RegisterLint(&lint.Lint{ - Name: "e_rfc_dnsname_hyphen_in_sld", - Description: "DNSName should not have a hyphen beginning or ending the SLD", - Citation: "RFC5280: 4.2.1.6", - Source: lint.RFC5280, - EffectiveDate: util.RFC5280Date, - Lint: NewDNSNameHyphenInSLD, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_rfc_dnsname_hyphen_in_sld", + Description: "DNSName should not have a hyphen beginning or ending the SLD", + Citation: "RFC5280: 4.2.1.6", + Source: lint.RFC5280, + EffectiveDate: util.RFC5280Date, + }, + Lint: NewDNSNameHyphenInSLD, }) } 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_dnsname_label_too_long.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_dnsname_label_too_long.go index 23d33441b..5aad650d8 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_dnsname_label_too_long.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_dnsname_label_too_long.go @@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy @@ -25,13 +25,15 @@ import ( type DNSNameLabelLengthTooLong struct{} func init() { - lint.RegisterLint(&lint.Lint{ - Name: "e_rfc_dnsname_label_too_long", - Description: "DNSName labels MUST be less than or equal to 63 characters", - Citation: "RFC 5280: 4.2.1.6, citing RFC 1035", - Source: lint.RFC5280, - EffectiveDate: util.RFC5280Date, - Lint: NewDNSNameLabelLengthTooLong, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_rfc_dnsname_label_too_long", + Description: "DNSName labels MUST be less than or equal to 63 characters", + Citation: "RFC 5280: 4.2.1.6, citing RFC 1035", + Source: lint.RFC5280, + EffectiveDate: util.RFC5280Date, + }, + Lint: NewDNSNameLabelLengthTooLong, }) } diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_dnsname_underscore_in_sld.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_dnsname_underscore_in_sld.go index 1c2686167..ae2604d00 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_dnsname_underscore_in_sld.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_dnsname_underscore_in_sld.go 
@@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy @@ -25,13 +25,15 @@ import ( type DNSNameUnderscoreInSLD struct{} func init() { - lint.RegisterLint(&lint.Lint{ - Name: "e_rfc_dnsname_underscore_in_sld", - Description: "DNSName MUST NOT contain underscore characters", - Citation: "RFC5280: 4.2.1.6", - Source: lint.RFC5280, - EffectiveDate: util.RFC5280Date, - Lint: NewDNSNameUnderscoreInSLD, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_rfc_dnsname_underscore_in_sld", + Description: "DNSName MUST NOT contain underscore characters", + Citation: "RFC5280: 4.2.1.6", + Source: lint.RFC5280, + EffectiveDate: util.RFC5280Date, + }, + Lint: NewDNSNameUnderscoreInSLD, }) } diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_dnsname_underscore_in_trd.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_dnsname_underscore_in_trd.go index c5e404206..380d84cc7 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_dnsname_underscore_in_trd.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_dnsname_underscore_in_trd.go @@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy 
@@ -25,13 +25,15 @@ import ( type DNSNameUnderscoreInTRD struct{} func init() { - lint.RegisterLint(&lint.Lint{ - Name: "w_rfc_dnsname_underscore_in_trd", - Description: "DNSName MUST NOT contain underscore characters", - Citation: "RFC5280: 4.1.2.6", - Source: lint.RFC5280, - EffectiveDate: util.RFC5280Date, - Lint: NewDNSNameUnderscoreInTRD, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "w_rfc_dnsname_underscore_in_trd", + Description: "DNSName MUST NOT contain underscore characters", + Citation: "RFC5280: 4.1.2.6", + Source: lint.RFC5280, + EffectiveDate: util.RFC5280Date, + }, + Lint: NewDNSNameUnderscoreInTRD, }) } diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ecdsa_allowed_ku.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ecdsa_allowed_ku.go index 46e5f5c9d..a2e89f71f 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ecdsa_allowed_ku.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ecdsa_allowed_ku.go @@ -1,5 +1,5 @@ /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy 
@@ -40,13 +40,15 @@ If the keyUsage extension is present in a certificate that indicates *********************************************** */ func init() { - lint.RegisterLint(&lint.Lint{ - Name: "e_ecdsa_allowed_ku", - Description: "Key usage values keyEncipherment or dataEncipherment MUST NOT be present in certificates with ECDSA public keys", - Citation: "RFC 8813 Section 3", - Source: lint.RFC8813, - EffectiveDate: util.RFC8813Date, - Lint: NewEcdsaAllowedKU, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_ecdsa_allowed_ku", + Description: "Key usage values keyEncipherment or dataEncipherment MUST NOT be present in certificates with ECDSA public keys", + Citation: "RFC 8813 Section 3", + Source: lint.RFC8813, + EffectiveDate: util.RFC8813Date, + }, + Lint: NewEcdsaAllowedKU, }) } diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ecdsa_ee_invalid_ku.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ecdsa_ee_invalid_ku.go index 05811eb28..2400115e9 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ecdsa_ee_invalid_ku.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ecdsa_ee_invalid_ku.go @@ -1,5 +1,5 @@ /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy 
@@ -27,13 +27,15 @@ import ( type ecdsaInvalidKU struct{} func init() { - lint.RegisterLint(&lint.Lint{ - Name: "n_ecdsa_ee_invalid_ku", - Description: "ECDSA end-entity certificates MAY have key usages: digitalSignature, nonRepudiation and keyAgreement", - Citation: "RFC 5480 Section 3", - Source: lint.RFC5480, - EffectiveDate: util.CABEffectiveDate, - Lint: NewEcdsaInvalidKU, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "n_ecdsa_ee_invalid_ku", + Description: "ECDSA end-entity certificates MAY have key usages: digitalSignature, nonRepudiation and keyAgreement", + Citation: "RFC 5480 Section 3", + Source: lint.RFC5480, + EffectiveDate: util.CABEffectiveDate, + }, + Lint: NewEcdsaInvalidKU, }) } @@ -46,7 +48,7 @@ func NewEcdsaInvalidKU() lint.LintInterface { // CheckApplies returns true when the certificate is a subscriber cert using an // ECDSA public key algorithm. func (l *ecdsaInvalidKU) CheckApplies(c *x509.Certificate) bool { - return util.IsSubscriberCert(c) && c.PublicKeyAlgorithm == x509.ECDSA + return util.IsSubscriberCert(c) && c.PublicKeyAlgorithm == x509.ECDSA && util.HasKeyUsageOID(c) } // Execute returns a Notice level lint.LintResult if the ECDSA end entity certificate diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_eku_critical_improperly.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_eku_critical_improperly.go index 4d4536092..84d3403e7 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_eku_critical_improperly.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_eku_critical_improperly.go @@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy 
@@ -36,13 +36,15 @@ If a CA includes extended key usages to satisfy such applications, ************************************************/ func init() { - lint.RegisterLint(&lint.Lint{ - Name: "w_eku_critical_improperly", - Description: "Conforming CAs SHOULD NOT mark extended key usage extension as critical if the anyExtendedKeyUsage KeyPurposedID is present", - Citation: "RFC 5280: 4.2.1.12", - Source: lint.RFC5280, - EffectiveDate: util.RFC3280Date, - Lint: NewEkuBadCritical, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "w_eku_critical_improperly", + Description: "Conforming CAs SHOULD NOT mark extended key usage extension as critical if the anyExtendedKeyUsage KeyPurposedID is present", + Citation: "RFC 5280: 4.2.1.12", + Source: lint.RFC5280, + EffectiveDate: util.RFC3280Date, + }, + Lint: NewEkuBadCritical, }) } diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_aia_access_location_missing.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_aia_access_location_missing.go index fd39686cd..c57bad163 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_aia_access_location_missing.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_aia_access_location_missing.go @@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy 
@@ -36,13 +36,15 @@ An authorityInfoAccess extension may include multiple instances of ************************************************/ func init() { - lint.RegisterLint(&lint.Lint{ - Name: "w_ext_aia_access_location_missing", - Description: "When the id-ad-caIssuers accessMethod is used, at least one instance SHOULD specify an accessLocation that is an HTTP or LDAP URI", - Citation: "RFC 5280: 4.2.2.1", - Source: lint.RFC5280, - EffectiveDate: util.RFC5280Date, - Lint: NewAiaNoHTTPorLDAP, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "w_ext_aia_access_location_missing", + Description: "When the id-ad-caIssuers accessMethod is used, at least one instance SHOULD specify an accessLocation that is an HTTP or LDAP URI", + Citation: "RFC 5280: 4.2.2.1", + Source: lint.RFC5280, + EffectiveDate: util.RFC5280Date, + }, + Lint: NewAiaNoHTTPorLDAP, }) } diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_aia_marked_critical.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_aia_marked_critical.go index df491a346..2257957f7 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_aia_marked_critical.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_aia_marked_critical.go @@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy 
@@ -29,13 +29,15 @@ Authority Information Access //See also: BRs: 7.1.2.3 & CAB: 7.1.2.2 func init() { - lint.RegisterLint(&lint.Lint{ - Name: "e_ext_aia_marked_critical", - Description: "Conforming CAs must mark the Authority Information Access extension as non-critical", - Citation: "RFC 5280: 4.2.2.1", - Source: lint.RFC5280, - EffectiveDate: util.RFC2459Date, - Lint: NewExtAiaMarkedCritical, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_ext_aia_marked_critical", + Description: "Conforming CAs must mark the Authority Information Access extension as non-critical", + Citation: "RFC 5280: 4.2.2.1", + Source: lint.RFC5280, + EffectiveDate: util.RFC2459Date, + }, + Lint: NewExtAiaMarkedCritical, }) } diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_authority_key_identifier_critical.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_authority_key_identifier_critical.go index a15092077..51cea0cc8 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_authority_key_identifier_critical.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_authority_key_identifier_critical.go @@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy 
@@ -28,13 +28,15 @@ Conforming CAs MUST mark this extension as non-critical. **********************************************************/ func init() { - lint.RegisterLint(&lint.Lint{ - Name: "e_ext_authority_key_identifier_critical", - Description: "The authority key identifier extension must be non-critical", - Citation: "RFC 5280: 4.2.1.1", - Source: lint.RFC5280, - EffectiveDate: util.RFC2459Date, - Lint: NewAuthorityKeyIdCritical, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_ext_authority_key_identifier_critical", + Description: "The authority key identifier extension must be non-critical", + Citation: "RFC 5280: 4.2.1.1", + Source: lint.RFC5280, + EffectiveDate: util.RFC2459Date, + }, + Lint: NewAuthorityKeyIdCritical, }) } diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_authority_key_identifier_missing.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_authority_key_identifier_missing.go deleted file mode 100644 index 663c23b15..000000000 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_authority_key_identifier_missing.go +++ /dev/null 
@@ -1,65 +0,0 @@
-package rfc
-
-/*
- * ZLint Copyright 2023 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-import (
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/v3/lint"
- "github.com/zmap/zlint/v3/util"
-)
-
-type authorityKeyIdMissing struct{}
-
-/***********************************************************************
-RFC 5280: 4.2.1.1
-The keyIdentifier field of the authorityKeyIdentifier extension MUST
- be included in all certificates generated by conforming CAs to
- facilitate certification path construction. There is one exception;
- where a CA distributes its public key in the form of a "self-signed"
- certificate, the authority key identifier MAY be omitted. The
- signature on a self-signed certificate is generated with the private
- key associated with the certificate's subject public key. (This
- proves that the issuer possesses both the public and private keys.)
- In this case, the subject and authority key identifiers would be
- identical, but only the subject key identifier is needed for
- certification path building.
-***********************************************************************/
-
-func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_ext_authority_key_identifier_missing",
- Description: "CAs must support key identifiers and include them in all certificates",
- Citation: "RFC 5280: 4.2 & 4.2.1.1",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC2459Date,
- Lint: NewAuthorityKeyIdMissing,
- })
-}
-
-func NewAuthorityKeyIdMissing() lint.LintInterface {
- return &authorityKeyIdMissing{}
-}
-
-func (l *authorityKeyIdMissing) CheckApplies(c *x509.Certificate) bool {
- return !util.IsRootCA(c)
-}
-
-func (l *authorityKeyIdMissing) Execute(c *x509.Certificate) *lint.LintResult {
- if !util.IsExtInCert(c, util.AuthkeyOID) && !util.IsSelfSigned(c) {
- return &lint.LintResult{Status: lint.Error}
- } else {
- return &lint.LintResult{Status: lint.Pass}
- }
-}
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_authority_key_identifier_no_key_identifier.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_authority_key_identifier_no_key_identifier.go
index 115287660..81103b46f 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_authority_key_identifier_no_key_identifier.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_authority_key_identifier_no_key_identifier.go
@@ -1,7 +1,7 @@
 package rfc
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
@@ -38,13 +38,15 @@ The keyIdentifier field of the authorityKeyIdentifier extension MUST ***********************************************************************/ func init() { - lint.RegisterLint(&lint.Lint{ - Name: "e_ext_authority_key_identifier_no_key_identifier", - Description: "CAs must include keyIdentifer field of AKI in all non-self-issued certificates", - Citation: "RFC 5280: 4.2.1.1", - Source: lint.RFC5280, - EffectiveDate: util.RFC2459Date, - Lint: NewAuthorityKeyIdNoKeyIdField, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_ext_authority_key_identifier_no_key_identifier", + Description: "CAs must include keyIdentifer field of AKI in all non-self-issued certificates", + Citation: "RFC 5280: 4.2.1.1", + Source: lint.RFC5280, + EffectiveDate: util.RFC2459Date, + }, + Lint: NewAuthorityKeyIdNoKeyIdField, }) } @@ -57,9 +59,9 @@ func (l *authorityKeyIdNoKeyIdField) CheckApplies(c *x509.Certificate) bool { } func (l *authorityKeyIdNoKeyIdField) Execute(c *x509.Certificate) *lint.LintResult { - if c.AuthorityKeyId == nil && !util.IsSelfSigned(c) { //will be nil by default if not found in x509.parseCert - return &lint.LintResult{Status: lint.Error} - } else { + if c.AuthorityKeyId != nil || util.IsCACert(c) && util.IsSelfSigned(c) { return &lint.LintResult{Status: lint.Pass} + } else { + return &lint.LintResult{Status: lint.Error} } } diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_cert_policy_contains_noticeref.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_cert_policy_contains_noticeref.go index 79e4b468b..19944aa35 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_cert_policy_contains_noticeref.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_cert_policy_contains_noticeref.go 
@@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy @@ -29,13 +29,15 @@ option. ********************************************************************/ func init() { - lint.RegisterLint(&lint.Lint{ - Name: "w_ext_cert_policy_contains_noticeref", - Description: "Compliant certificates SHOULD NOT use the noticeRef option", - Citation: "RFC 5280: 4.2.1.4", - Source: lint.RFC5280, - EffectiveDate: util.RFC5280Date, - Lint: NewNoticeRefPres, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "w_ext_cert_policy_contains_noticeref", + Description: "Compliant certificates SHOULD NOT use the noticeRef option", + Citation: "RFC 5280: 4.2.1.4", + Source: lint.RFC5280, + EffectiveDate: util.RFC5280Date, + }, + Lint: NewNoticeRefPres, }) } diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_cert_policy_disallowed_any_policy_qualifier.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_cert_policy_disallowed_any_policy_qualifier.go index d67cd3ebd..002af303d 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_cert_policy_disallowed_any_policy_qualifier.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_cert_policy_disallowed_any_policy_qualifier.go @@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy 
@@ -15,6 +15,9 @@ package rfc */ import ( + "errors" + + "github.com/zmap/zcrypto/encoding/asn1" "github.com/zmap/zcrypto/x509" "github.com/zmap/zlint/v3/lint" "github.com/zmap/zlint/v3/util" @@ -22,6 +25,11 @@ import ( type unrecommendedQualifier struct{} +type policyInformation struct { + policyIdentifier asn1.ObjectIdentifier + policyQualifiersBytes asn1.RawValue +} + /******************************************************************* RFC 5280: 4.2.1.4 To promote interoperability, this profile RECOMMENDS that policy @@ -34,13 +42,15 @@ qualifiers returned as a result of path validation are considered. ********************************************************************/ func init() { - lint.RegisterLint(&lint.Lint{ - Name: "e_ext_cert_policy_disallowed_any_policy_qualifier", - Description: "When qualifiers are used with the special policy anyPolicy, they must be limited to qualifiers identified in this section: (4.2.1.4)", - Citation: "RFC 5280: 4.2.1.4", - Source: lint.RFC5280, - EffectiveDate: util.RFC3280Date, - Lint: NewUnrecommendedQualifier, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_ext_cert_policy_disallowed_any_policy_qualifier", + Description: "When qualifiers are used with the special policy anyPolicy, they must be limited to qualifiers identified in this section: (4.2.1.4)", + Citation: "RFC 5280: 4.2.1.4", + Source: lint.RFC5280, + EffectiveDate: util.RFC3280Date, + }, + Lint: NewUnrecommendedQualifier, }) } 
@@ -49,16 +59,113 @@ func NewUnrecommendedQualifier() lint.LintInterface {
 }
 
 func (l *unrecommendedQualifier) CheckApplies(c *x509.Certificate) bool {
-	return util.IsExtInCert(c, util.CertPolicyOID)
+
+	// TODO? extract to util method: HasAnyPolicyOID(c)
+	if !util.IsExtInCert(c, util.CertPolicyOID) {
+		return false
+	}
+
+	for _, policyIds := range c.PolicyIdentifiers {
+		if policyIds.Equal(util.AnyPolicyOID) {
+			return true
+		}
+	}
+	return false
 }
 
 func (l *unrecommendedQualifier) Execute(c *x509.Certificate) *lint.LintResult {
-	for _, firstLvl := range c.QualifierId {
-		for _, qualifierId := range firstLvl {
-			if !qualifierId.Equal(util.CpsOID) && !qualifierId.Equal(util.UserNoticeOID) {
+
+	var err, certificatePolicies = getCertificatePolicies(c)
+
+	if err != nil {
+		return &lint.LintResult{Status: lint.Fatal, Details: err.Error()}
+	}
+
+	for _, policyInformation := range certificatePolicies {
+
+		if !policyInformation.policyIdentifier.Equal(util.AnyPolicyOID) { // if the policyIdentifier is not anyPolicy do not examine further
+			continue
+		}
+
+		if len(policyInformation.policyQualifiersBytes.Bytes) == 0 { // this policy information does not have any policyQualifiers
+			continue
+		}
+
+		var policyQualifiersSeq, policyQualifierInfoSeq asn1.RawValue
+
+		empty, err := asn1.Unmarshal(policyInformation.policyQualifiersBytes.Bytes, &policyQualifiersSeq)
+
+		if err != nil || len(empty) != 0 || policyQualifiersSeq.Class != 0 || policyQualifiersSeq.Tag != 16 || !policyQualifiersSeq.IsCompound {
+			return &lint.LintResult{Status: lint.Fatal, Details: "policyExtensions: Could not unmarshal policyQualifiers sequence."}
+		}
+
+		//iterate over policyQualifiers ... SEQUENCE SIZE (1..MAX) OF PolicyQualifierInfo OPTIONAL
+		for policyQualifierInfoSeqProcessed := false; !policyQualifierInfoSeqProcessed; {
+			// these bytes belong to the next PolicyQualifierInfo
+			policyQualifiersSeq.Bytes, err = asn1.Unmarshal(policyQualifiersSeq.Bytes, &policyQualifierInfoSeq)
+			if err != nil || policyQualifierInfoSeq.Class != 0 || policyQualifierInfoSeq.Tag != 16 || !policyQualifierInfoSeq.IsCompound {
+				return &lint.LintResult{Status: lint.Fatal, Details: "policyExtensions: Could not unmarshal policy qualifiers"}
+			}
+			if len(policyQualifiersSeq.Bytes) == 0 { // no further PolicyQualifierInfo exists
+				policyQualifierInfoSeqProcessed = true
+			}
+
+			var policyQualifierId asn1.ObjectIdentifier
+			_, err = asn1.Unmarshal(policyQualifierInfoSeq.Bytes, &policyQualifierId)
+			if err != nil {
+				return &lint.LintResult{Status: lint.Fatal, Details: "policyExtensions: Could not unmarshal policyQualifierId."}
+			}
+
+			if !policyQualifierId.Equal(util.CpsOID) && !policyQualifierId.Equal(util.UserNoticeOID) {
 				return &lint.LintResult{Status: lint.Error}
 			}
 		}
 	}
+
 	return &lint.LintResult{Status: lint.Pass}
 }
+
+func getCertificatePolicies(c *x509.Certificate) (error, []policyInformation) {
+
+	extVal := util.GetExtFromCert(c, util.CertPolicyOID).Value
+
+	// adjusted code taken from v3/util/oid.go GetMappedPolicies, see comments there
+	var certificatePoliciesSeq, policyInformationSeq asn1.RawValue
+
+	empty, err := asn1.Unmarshal(extVal, &certificatePoliciesSeq)
+
+	if err != nil || len(empty) != 0 || certificatePoliciesSeq.Class != 0 || certificatePoliciesSeq.Tag != 16 || !certificatePoliciesSeq.IsCompound {
+		return errors.New("policyExtensions: Could not unmarshal certificatePolicies sequence."), nil
+	}
+
+	var certificatePolicies []policyInformation
+
+	// iterate over certificatePolicies ::= SEQUENCE SIZE (1..MAX) OF PolicyInformation
+	for policyInformationSeqProcessed := false; !policyInformationSeqProcessed; {
+
+		// these bytes belong to the next PolicyInformation
+		certificatePoliciesSeq.Bytes, err = asn1.Unmarshal(certificatePoliciesSeq.Bytes, &policyInformationSeq)
+		if err != nil || policyInformationSeq.Class != 0 || policyInformationSeq.Tag != 16 || !policyInformationSeq.IsCompound {
+			return errors.New("policyExtensions: Could not unmarshal policyInformation sequence."), nil
+		}
+
+		if len(certificatePoliciesSeq.Bytes) == 0 { // no further PolicyInformation exists
+			policyInformationSeqProcessed = true
+		}
+
+		//PolicyInformation ::= SEQUENCE {
+		// policyIdentifier CertPolicyId,
+		// policyQualifiers SEQUENCE SIZE (1..MAX) OF PolicyQualifierInfo OPTIONAL }
+
+		var certPolicyId asn1.ObjectIdentifier
+		var policyQualifiers asn1.RawValue
+		policyQualifiers.Bytes, err = asn1.Unmarshal(policyInformationSeq.Bytes, &certPolicyId)
+		if err != nil {
+			return errors.New("policyExtensions: Could not unmarshal certPolicyId."), nil
+		}
+
+		information := policyInformation{certPolicyId, policyQualifiers}
+		certificatePolicies = append(certificatePolicies, information)
+	}
+	return nil, certificatePolicies
+}
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_cert_policy_duplicate.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_cert_policy_duplicate.go
index e1da6d26a..d6b446029 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_cert_policy_duplicate.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_cert_policy_duplicate.go
@@ -1,7 +1,7 @@
 package rfc
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
@@ -31,13 +31,15 @@ type ExtCertPolicyDuplicate struct{}
 ************************************************/
 
 func init() {
-	lint.RegisterLint(&lint.Lint{
-		Name: "e_ext_cert_policy_duplicate",
-		Description: "A certificate policy OID must not appear more than once in the extension",
-		Citation: "RFC 5280: 4.2.1.4",
-		Source: lint.RFC5280,
-		EffectiveDate: util.RFC5280Date,
-		Lint: NewExtCertPolicyDuplicate,
+	lint.RegisterCertificateLint(&lint.CertificateLint{
+		LintMetadata: lint.LintMetadata{
+			Name: "e_ext_cert_policy_duplicate",
+			Description: "A certificate policy OID must not appear more than once in the extension",
+			Citation: "RFC 5280: 4.2.1.4",
+			Source: lint.RFC5280,
+			EffectiveDate: util.RFC5280Date,
+		},
+		Lint: NewExtCertPolicyDuplicate,
 	})
 }
 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_cert_policy_explicit_text_ia5_string.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_cert_policy_explicit_text_ia5_string.go
index 08e28247d..66d86b4ff 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_cert_policy_explicit_text_ia5_string.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_cert_policy_explicit_text_ia5_string.go
@@ -1,7 +1,7 @@
 package rfc
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
@@ -37,13 +37,15 @@ to Unicode normalization form C (NFC) [NFC].
 ********************************************************************/
 
 func init() {
-	lint.RegisterLint(&lint.Lint{
-		Name: "e_ext_cert_policy_explicit_text_ia5_string",
-		Description: "Compliant certificates must not encode explicitTest as an IA5String",
-		Citation: "RFC 6818: 3",
-		Source: lint.RFC5280,
-		EffectiveDate: util.RFC6818Date,
-		Lint: NewExplicitTextIA5String,
+	lint.RegisterCertificateLint(&lint.CertificateLint{
+		LintMetadata: lint.LintMetadata{
+			Name: "e_ext_cert_policy_explicit_text_ia5_string",
+			Description: "Compliant certificates must not encode explicitTest as an IA5String",
+			Citation: "RFC 6818: 3",
+			Source: lint.RFC5280,
+			EffectiveDate: util.RFC6818Date,
+		},
+		Lint: NewExplicitTextIA5String,
 	})
 }
 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_cert_policy_explicit_text_includes_control.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_cert_policy_explicit_text_includes_control.go
index 89316938c..3db9981bc 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_cert_policy_explicit_text_includes_control.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_cert_policy_explicit_text_includes_control.go
@@ -1,7 +1,7 @@
 package rfc
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
@@ -35,13 +35,15 @@ normalized according to Unicode normalization form C (NFC) [NFC].
 *********************************************************************/
 
 func init() {
-	lint.RegisterLint(&lint.Lint{
-		Name: "w_ext_cert_policy_explicit_text_includes_control",
-		Description: "Explicit text should not include any control characters",
-		Citation: "RFC 6818: 3",
-		Source: lint.RFC5280,
-		EffectiveDate: util.RFC6818Date,
-		Lint: NewControlChar,
+	lint.RegisterCertificateLint(&lint.CertificateLint{
+		LintMetadata: lint.LintMetadata{
+			Name: "w_ext_cert_policy_explicit_text_includes_control",
+			Description: "Explicit text should not include any control characters",
+			Citation: "RFC 6818: 3",
+			Source: lint.RFC5280,
+			EffectiveDate: util.RFC6818Date,
+		},
+		Lint: NewControlChar,
 	})
 }
 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_cert_policy_explicit_text_not_nfc.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_cert_policy_explicit_text_not_nfc.go
index 9b22a8fc7..bd9350234 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_cert_policy_explicit_text_not_nfc.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_cert_policy_explicit_text_not_nfc.go
@@ -1,7 +1,7 @@
 package rfc
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
@@ -29,13 +29,15 @@ type ExtCertPolicyExplicitTextNotNFC struct{}
 ************************************************/
 
 func init() {
-	lint.RegisterLint(&lint.Lint{
-		Name: "w_ext_cert_policy_explicit_text_not_nfc",
-		Description: "When utf8string or bmpstring encoding is used for explicitText field in certificate policy, it SHOULD be normalized by NFC format",
-		Citation: "RFC6181 3",
-		Source: lint.RFC5280,
-		EffectiveDate: util.RFC6818Date,
-		Lint: NewExtCertPolicyExplicitTextNotNFC,
+	lint.RegisterCertificateLint(&lint.CertificateLint{
+		LintMetadata: lint.LintMetadata{
+			Name: "w_ext_cert_policy_explicit_text_not_nfc",
+			Description: "When utf8string or bmpstring encoding is used for explicitText field in certificate policy, it SHOULD be normalized by NFC format",
+			Citation: "RFC6181 3",
+			Source: lint.RFC5280,
+			EffectiveDate: util.RFC6818Date,
+		},
+		Lint: NewExtCertPolicyExplicitTextNotNFC,
 	})
 }
 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_cert_policy_explicit_text_not_utf8.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_cert_policy_explicit_text_not_utf8.go
index e7334c520..ec7ec651e 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_cert_policy_explicit_text_not_utf8.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_cert_policy_explicit_text_not_utf8.go
@@ -1,7 +1,7 @@
 package rfc
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
@@ -38,13 +38,15 @@ to Unicode normalization form C (NFC) [NFC].
 *******************************************************************/
 
 func init() {
-	lint.RegisterLint(&lint.Lint{
-		Name: "w_ext_cert_policy_explicit_text_not_utf8",
-		Description: "Compliant certificates should use the utf8string encoding for explicitText",
-		Citation: "RFC 6818: 3",
-		Source: lint.RFC5280,
-		EffectiveDate: util.RFC6818Date,
-		Lint: NewExplicitTextUtf8,
+	lint.RegisterCertificateLint(&lint.CertificateLint{
+		LintMetadata: lint.LintMetadata{
+			Name: "w_ext_cert_policy_explicit_text_not_utf8",
+			Description: "Compliant certificates should use the utf8string encoding for explicitText",
+			Citation: "RFC 6818: 3",
+			Source: lint.RFC5280,
+			EffectiveDate: util.RFC6818Date,
+		},
+		Lint: NewExplicitTextUtf8,
 	})
 }
 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_cert_policy_explicit_text_too_long.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_cert_policy_explicit_text_too_long.go
index bbea96b3d..023b130fe 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_cert_policy_explicit_text_too_long.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_cert_policy_explicit_text_too_long.go
@@ -1,7 +1,7 @@
 package rfc
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
@@ -36,13 +36,15 @@ to Unicode normalization form C (NFC) [NFC].
 *******************************************************************/
 
 func init() {
-	lint.RegisterLint(&lint.Lint{
-		Name: "e_ext_cert_policy_explicit_text_too_long",
-		Description: "Explicit text has a maximum size of 200 characters",
-		Citation: "RFC 6818: 3",
-		Source: lint.RFC5280,
-		EffectiveDate: util.RFC6818Date,
-		Lint: NewExplicitTextTooLong,
+	lint.RegisterCertificateLint(&lint.CertificateLint{
+		LintMetadata: lint.LintMetadata{
+			Name: "e_ext_cert_policy_explicit_text_too_long",
+			Description: "Explicit text has a maximum size of 200 characters",
+			Citation: "RFC 6818: 3",
+			Source: lint.RFC5280,
+			EffectiveDate: util.RFC6818Date,
+		},
+		Lint: NewExplicitTextTooLong,
 	})
 }
 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_crl_distribution_marked_critical.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_crl_distribution_marked_critical.go
index 7b56a22a5..4d4e2a4a1 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_crl_distribution_marked_critical.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_crl_distribution_marked_critical.go
@@ -1,7 +1,7 @@
 package rfc
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
@@ -27,13 +27,15 @@ The CRL distribution points extension identifies how CRL information is obtained
 ************************************************/
 
 func init() {
-	lint.RegisterLint(&lint.Lint{
-		Name: "w_ext_crl_distribution_marked_critical",
-		Description: "If included, the CRL Distribution Points extension SHOULD NOT be marked critical",
-		Citation: "RFC 5280: 4.2.1.13",
-		Source: lint.RFC5280,
-		EffectiveDate: util.RFC2459Date,
-		Lint: NewExtCrlDistributionMarkedCritical,
+	lint.RegisterCertificateLint(&lint.CertificateLint{
+		LintMetadata: lint.LintMetadata{
+			Name: "w_ext_crl_distribution_marked_critical",
+			Description: "If included, the CRL Distribution Points extension SHOULD NOT be marked critical",
+			Citation: "RFC 5280: 4.2.1.13",
+			Source: lint.RFC5280,
+			EffectiveDate: util.RFC2459Date,
+		},
+		Lint: NewExtCrlDistributionMarkedCritical,
 	})
 }
 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_duplicate_extension.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_duplicate_extension.go
index 8f036eec8..431f19aad 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_duplicate_extension.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_duplicate_extension.go
@@ -1,7 +1,7 @@
 package rfc
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
@@ -30,13 +30,15 @@ type extDuplicateExtension struct{}
 ************************************************/
 
 func init() {
-	lint.RegisterLint(&lint.Lint{
-		Name: "e_ext_duplicate_extension",
-		Description: "A certificate MUST NOT include more than one instance of a particular extension",
-		Citation: "RFC 5280: 4.2",
-		Source: lint.RFC5280,
-		EffectiveDate: util.RFC2459Date,
-		Lint: NewExtDuplicateExtension,
+	lint.RegisterCertificateLint(&lint.CertificateLint{
+		LintMetadata: lint.LintMetadata{
+			Name: "e_ext_duplicate_extension",
+			Description: "A certificate MUST NOT include more than one instance of a particular extension",
+			Citation: "RFC 5280: 4.2",
+			Source: lint.RFC5280,
+			EffectiveDate: util.RFC2459Date,
+		},
+		Lint: NewExtDuplicateExtension,
 	})
 }
 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_freshest_crl_marked_critical.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_freshest_crl_marked_critical.go
index a6d34ae68..5f198ff8b 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_freshest_crl_marked_critical.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_freshest_crl_marked_critical.go
@@ -1,7 +1,7 @@
 package rfc
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
@@ -28,13 +28,15 @@ The freshest CRL extension identifies how delta CRL information is obtained. The
 ************************************************/
 
 func init() {
-	lint.RegisterLint(&lint.Lint{
-		Name: "e_ext_freshest_crl_marked_critical",
-		Description: "Freshest CRL MUST be marked as non-critical by conforming CAs",
-		Citation: "RFC 5280: 4.2.1.15",
-		Source: lint.RFC5280,
-		EffectiveDate: util.RFC3280Date,
-		Lint: NewExtFreshestCrlMarkedCritical,
+	lint.RegisterCertificateLint(&lint.CertificateLint{
+		LintMetadata: lint.LintMetadata{
+			Name: "e_ext_freshest_crl_marked_critical",
+			Description: "Freshest CRL MUST be marked as non-critical by conforming CAs",
+			Citation: "RFC 5280: 4.2.1.15",
+			Source: lint.RFC5280,
+			EffectiveDate: util.RFC3280Date,
+		},
+		Lint: NewExtFreshestCrlMarkedCritical,
 	})
 }
 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_critical.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_critical.go
index 6479d5722..5e6f4c319 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_critical.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_critical.go
@@ -1,7 +1,7 @@
 package rfc
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
@@ -29,13 +29,15 @@ Issuer Alternative Name
 ************************************************/
 
 func init() {
-	lint.RegisterLint(&lint.Lint{
-		Name: "w_ext_ian_critical",
-		Description: "Issuer alternate name should be marked as non-critical",
-		Citation: "RFC 5280: 4.2.1.7",
-		Source: lint.RFC5280,
-		EffectiveDate: util.RFC2459Date,
-		Lint: NewExtIANCritical,
+	lint.RegisterCertificateLint(&lint.CertificateLint{
+		LintMetadata: lint.LintMetadata{
+			Name: "w_ext_ian_critical",
+			Description: "Issuer alternate name should be marked as non-critical",
+			Citation: "RFC 5280: 4.2.1.7",
+			Source: lint.RFC5280,
+			EffectiveDate: util.RFC2459Date,
+		},
+		Lint: NewExtIANCritical,
 	})
 }
 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_dns_not_ia5_string.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_dns_not_ia5_string.go
index f1d31d876..49fa5f948 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_dns_not_ia5_string.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_dns_not_ia5_string.go
@@ -1,7 +1,7 @@
 package rfc
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
@@ -39,13 +39,15 @@ encoding internationalized domain names are specified in Section 7.2.
 ********************************************************************/
 
 func init() {
-	lint.RegisterLint(&lint.Lint{
-		Name: "e_ext_ian_dns_not_ia5_string",
-		Description: "DNSNames MUST be IA5 strings",
-		Citation: "RFC 5280: 4.2.1.7",
-		Source: lint.RFC5280,
-		EffectiveDate: util.RFC2459Date,
-		Lint: NewIANDNSNotIA5String,
+	lint.RegisterCertificateLint(&lint.CertificateLint{
+		LintMetadata: lint.LintMetadata{
+			Name: "e_ext_ian_dns_not_ia5_string",
+			Description: "DNSNames MUST be IA5 strings",
+			Citation: "RFC 5280: 4.2.1.7",
+			Source: lint.RFC5280,
+			EffectiveDate: util.RFC2459Date,
+		},
+		Lint: NewIANDNSNotIA5String,
 	})
 }
 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_empty_name.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_empty_name.go
index 2d812a843..75f657d21 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_empty_name.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_empty_name.go
@@ -1,7 +1,7 @@
 package rfc
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
@@ -36,13 +36,15 @@ path is not defined by this profile.
 ******************************************************************/
 
 func init() {
-	lint.RegisterLint(&lint.Lint{
-		Name: "e_ext_ian_empty_name",
-		Description: "General name fields must not be empty in IAN",
-		Citation: "RFC 5280: 4.2.1.7",
-		Source: lint.RFC5280,
-		EffectiveDate: util.RFC2459Date,
-		Lint: NewIANEmptyName,
+	lint.RegisterCertificateLint(&lint.CertificateLint{
+		LintMetadata: lint.LintMetadata{
+			Name: "e_ext_ian_empty_name",
+			Description: "General name fields must not be empty in IAN",
+			Citation: "RFC 5280: 4.2.1.7",
+			Source: lint.RFC5280,
+			EffectiveDate: util.RFC2459Date,
+		},
+		Lint: NewIANEmptyName,
 	})
 }
 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_no_entries.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_no_entries.go
index 63995b387..85191ea0d 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_no_entries.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_no_entries.go
@@ -1,7 +1,7 @@
 package rfc
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
@@ -35,13 +35,15 @@ If the issuerAltName extension is present, the sequence MUST contain
 ***********************************************************************/
 
 func init() {
-	lint.RegisterLint(&lint.Lint{
-		Name: "e_ext_ian_no_entries",
-		Description: "If present, the IAN extension must contain at least one entry",
-		Citation: "RFC 5280: 4.2.1.7",
-		Source: lint.RFC5280,
-		EffectiveDate: util.RFC2459Date,
-		Lint: NewIANNoEntry,
+	lint.RegisterCertificateLint(&lint.CertificateLint{
+		LintMetadata: lint.LintMetadata{
+			Name: "e_ext_ian_no_entries",
+			Description: "If present, the IAN extension must contain at least one entry",
+			Citation: "RFC 5280: 4.2.1.7",
+			Source: lint.RFC5280,
+			EffectiveDate: util.RFC2459Date,
+		},
+		Lint: NewIANNoEntry,
 	})
 }
 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_rfc822_format_invalid.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_rfc822_format_invalid.go
index 7266a8ac1..37f65e0cb 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_rfc822_format_invalid.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_rfc822_format_invalid.go
@@ -1,7 +1,7 @@
 package rfc
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
@@ -37,13 +37,15 @@ RFC 5280: 4.2.1.6
 ************************************************************************/
 
 func init() {
-	lint.RegisterLint(&lint.Lint{
-		Name: "e_ext_ian_rfc822_format_invalid",
-		Description: "Email must not be surrounded with `<>`, and there MUST NOT be trailing comments in `()`",
-		Citation: "RFC 5280: 4.2.1.7",
-		Source: lint.RFC5280,
-		EffectiveDate: util.RFC2459Date,
-		Lint: NewIANEmail,
+	lint.RegisterCertificateLint(&lint.CertificateLint{
+		LintMetadata: lint.LintMetadata{
+			Name: "e_ext_ian_rfc822_format_invalid",
+			Description: "Email must not be surrounded with `<>`, and there MUST NOT be trailing comments in `()`",
+			Citation: "RFC 5280: 4.2.1.7",
+			Source: lint.RFC5280,
+			EffectiveDate: util.RFC2459Date,
+		},
+		Lint: NewIANEmail,
 	})
 }
 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_space_dns_name.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_space_dns_name.go
index 3f7f88a1f..02177c033 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_space_dns_name.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_space_dns_name.go
@@ -1,7 +1,7 @@
 package rfc
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
@@ -39,13 +39,15 @@ encoding internationalized domain names are specified in Section 7.2.
 **********************************************************************/
 
 func init() {
-	lint.RegisterLint(&lint.Lint{
-		Name: "e_ext_ian_space_dns_name",
-		Description: "dNSName ' ' MUST NOT be used",
-		Citation: "RFC 5280: 4.2.1.6",
-		Source: lint.RFC5280,
-		EffectiveDate: util.RFC2459Date,
-		Lint: NewIANSpace,
+	lint.RegisterCertificateLint(&lint.CertificateLint{
+		LintMetadata: lint.LintMetadata{
+			Name: "e_ext_ian_space_dns_name",
+			Description: "dNSName ' ' MUST NOT be used",
+			Citation: "RFC 5280: 4.2.1.6",
+			Source: lint.RFC5280,
+			EffectiveDate: util.RFC2459Date,
+		},
+		Lint: NewIANSpace,
 	})
 }
 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_uri_format_invalid.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_uri_format_invalid.go
index c5afd3745..bb93397b3 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_uri_format_invalid.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_uri_format_invalid.go
@@ -1,7 +1,7 @@
 package rfc
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
@@ -30,13 +30,15 @@ scheme (e.g., "http" or "ftp") and a scheme-specific-part.
 ************************************************/
 
 func init() {
-	lint.RegisterLint(&lint.Lint{
-		Name: "e_ext_ian_uri_format_invalid",
-		Description: "URIs in the subjectAltName extension MUST have a scheme and scheme specific part",
-		Citation: "RFC5280: 4.2.1.6",
-		Source: lint.RFC5280,
-		EffectiveDate: util.RFC5280Date,
-		Lint: NewIANURIFormat,
+	lint.RegisterCertificateLint(&lint.CertificateLint{
+		LintMetadata: lint.LintMetadata{
+			Name: "e_ext_ian_uri_format_invalid",
+			Description: "URIs in the subjectAltName extension MUST have a scheme and scheme specific part",
+			Citation: "RFC5280: 4.2.1.6",
+			Source: lint.RFC5280,
+			EffectiveDate: util.RFC5280Date,
+		},
+		Lint: NewIANURIFormat,
 	})
 }
 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_uri_host_not_fqdn_or_ip.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_uri_host_not_fqdn_or_ip.go
index 2ee7450ca..6e344a9bb 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_uri_host_not_fqdn_or_ip.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_uri_host_not_fqdn_or_ip.go
@@ -1,7 +1,7 @@
 package rfc
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
@@ -37,13 +37,15 @@ Section 7.4.
 *********************************************************************/
 
 func init() {
-	lint.RegisterLint(&lint.Lint{
-		Name: "e_ext_ian_uri_host_not_fqdn_or_ip",
-		Description: "URIs that include an authority ([RFC3986], Section 3.2) MUST include a fully qualified domain name or IP address as the host",
-		Citation: "RFC 5280: 4.2.1.6",
-		Source: lint.RFC5280,
-		EffectiveDate: util.RFC5280Date,
-		Lint: NewIANURIFQDNOrIP,
+	lint.RegisterCertificateLint(&lint.CertificateLint{
+		LintMetadata: lint.LintMetadata{
+			Name: "e_ext_ian_uri_host_not_fqdn_or_ip",
+			Description: "URIs that include an authority ([RFC3986], Section 3.2) MUST include a fully qualified domain name or IP address as the host",
+			Citation: "RFC 5280: 4.2.1.6",
+			Source: lint.RFC5280,
+			EffectiveDate: util.RFC5280Date,
+		},
+		Lint: NewIANURIFQDNOrIP,
 	})
 }
 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_uri_not_ia5.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_uri_not_ia5.go
index 4d4602b8e..48f66868d 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_uri_not_ia5.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_uri_not_ia5.go
@@ -1,7 +1,7 @@
 package rfc
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
@@ -30,13 +30,15 @@ stored in the uniformResourceIdentifier (an IA5String).
 ************************************************/
 
 func init() {
-	lint.RegisterLint(&lint.Lint{
-		Name: "e_ext_ian_uri_not_ia5",
-		Description: "When issuer alternative name contains a URI, the name MUST be an IA5 string",
-		Citation: "RFC5280: 4.2.1.7",
-		Source: lint.RFC5280,
-		EffectiveDate: util.RFC5280Date,
-		Lint: NewIANURIIA5String,
+	lint.RegisterCertificateLint(&lint.CertificateLint{
+		LintMetadata: lint.LintMetadata{
+			Name: "e_ext_ian_uri_not_ia5",
+			Description: "When issuer alternative name contains a URI, the name MUST be an IA5 string",
+			Citation: "RFC5280: 4.2.1.7",
+			Source: lint.RFC5280,
+			EffectiveDate: util.RFC5280Date,
+		},
+		Lint: NewIANURIIA5String,
 	})
 }
 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_uri_relative.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_uri_relative.go
index bf5e2d7c7..ae489ada5 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_uri_relative.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_uri_relative.go
@@ -1,7 +1,7 @@
 package rfc
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
@@ -37,13 +37,15 @@ Section 7.4.
 *************************************************************************/
 
 func init() {
-	lint.RegisterLint(&lint.Lint{
-		Name: "e_ext_ian_uri_relative",
-		Description: "When issuerAltName extension is present and the URI is used, the name MUST NOT be a relative URI",
-		Citation: "RFC 5280: 4.2.1.7",
-		Source: lint.RFC5280,
-		EffectiveDate: util.RFC5280Date,
-		Lint: NewUriRelative,
+	lint.RegisterCertificateLint(&lint.CertificateLint{
+		LintMetadata: lint.LintMetadata{
+			Name: "e_ext_ian_uri_relative",
+			Description: "When issuerAltName extension is present and the URI is used, the name MUST NOT be a relative URI",
+			Citation: "RFC 5280: 4.2.1.7",
+			Source: lint.RFC5280,
+			EffectiveDate: util.RFC5280Date,
+		},
+		Lint: NewUriRelative,
 	})
 }
 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_key_usage_cert_sign_without_ca.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_key_usage_cert_sign_without_ca.go
index 226da4f46..1edac2988 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_key_usage_cert_sign_without_ca.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_key_usage_cert_sign_without_ca.go
@@ -1,7 +1,7 @@
 package rfc
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
@@ -34,13 +34,15 @@ The cA boolean indicates whether the certified public key may be used
 ************************************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_ext_key_usage_cert_sign_without_ca",
- Description: "if the keyCertSign bit is asserted, then the cA bit in the basic constraints extension MUST also be asserted",
- Citation: "RFC 5280: 4.2.1.3 & 4.2.1.9",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC3280Date,
- Lint: NewKeyUsageCertSignNoCa,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_ext_key_usage_cert_sign_without_ca",
+ Description: "if the keyCertSign bit is asserted, then the cA bit in the basic constraints extension MUST also be asserted",
+ Citation: "RFC 5280: 4.2.1.3 & 4.2.1.9",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC3280Date,
+ },
+ Lint: NewKeyUsageCertSignNoCa,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_key_usage_not_critical.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_key_usage_not_critical.go
index 0b11d39d5..fb35aafec 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_key_usage_not_critical.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_key_usage_not_critical.go
@@ -1,7 +1,7 @@
 package rfc
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
@@ -25,13 +25,15 @@ type checkKeyUsageCritical struct{}
 // "When present, conforming CAs SHOULD mark this extension as critical."
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "w_ext_key_usage_not_critical",
- Description: "The keyUsage extension SHOULD be critical",
- Citation: "RFC 5280: 4.2.1.3",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC2459Date,
- Lint: NewCheckKeyUsageCritical,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "w_ext_key_usage_not_critical",
+ Description: "The keyUsage extension SHOULD be critical",
+ Citation: "RFC 5280: 4.2.1.3",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC2459Date,
+ },
+ Lint: NewCheckKeyUsageCritical,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_key_usage_without_bits.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_key_usage_without_bits.go
index dc93976a7..6c2ab82f9 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_key_usage_without_bits.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_key_usage_without_bits.go
@@ -1,7 +1,7 @@
 package rfc
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
@@ -32,13 +32,15 @@ type keyUsageBitsSet struct{}
 ***********************************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_ext_key_usage_without_bits",
- Description: "When the keyUsage extension is included, at least one bit MUST be set to 1",
- Citation: "RFC 5280: 4.2.1.3",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC5280Date,
- Lint: NewKeyUsageBitsSet,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_ext_key_usage_without_bits",
+ Description: "When the keyUsage extension is included, at least one bit MUST be set to 1",
+ Citation: "RFC 5280: 4.2.1.3",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC5280Date,
+ },
+ Lint: NewKeyUsageBitsSet,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_name_constraints_not_critical.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_name_constraints_not_critical.go
index ea5e456a7..88f5086c4 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_name_constraints_not_critical.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_name_constraints_not_critical.go
@@ -1,7 +1,7 @@
 package rfc
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
@@ -35,13 +35,15 @@ Restrictions are defined in terms of permitted or excluded name
 ************************************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_ext_name_constraints_not_critical",
- Description: "If it is included, conforming CAs MUST mark the name constraints extension as critical",
- Citation: "RFC 5280: 4.2.1.10",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC2459Date,
- Lint: NewNameConstraintCrit,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_ext_name_constraints_not_critical",
+ Description: "If it is included, conforming CAs MUST mark the name constraints extension as critical",
+ Citation: "RFC 5280: 4.2.1.10",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC2459Date,
+ },
+ Lint: NewNameConstraintCrit,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_name_constraints_not_in_ca.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_name_constraints_not_in_ca.go
index 1f1ba618d..1f44017ee 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_name_constraints_not_in_ca.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_name_constraints_not_in_ca.go
@@ -1,7 +1,7 @@
 package rfc
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
@@ -34,13 +34,15 @@ The name constraints extension, which MUST be used only in a CA
 ***********************************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_ext_name_constraints_not_in_ca",
- Description: "The name constraints extension MUST only be used in CA certificates",
- Citation: "RFC 5280: 4.2.1.10",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC2459Date,
- Lint: NewNameConstraintNotCa,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_ext_name_constraints_not_in_ca",
+ Description: "The name constraints extension MUST only be used in CA certificates",
+ Citation: "RFC 5280: 4.2.1.10",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC2459Date,
+ },
+ Lint: NewNameConstraintNotCa,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_policy_constraints_empty.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_policy_constraints_empty.go
index e9d0d2096..54e612861 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_policy_constraints_empty.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_policy_constraints_empty.go
@@ -1,7 +1,7 @@
 package rfc
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
@@ -33,13 +33,15 @@ Conforming CAs MUST NOT issue certificates where policy constraints
 *************************************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_ext_policy_constraints_empty",
- Description: "Conforming CAs MUST NOT issue certificates where policy constraints is an empty sequence. That is, either the inhibitPolicyMapping field or the requireExplicityPolicy field MUST be present",
- Citation: "RFC 5280: 4.2.1.11",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC2459Date,
- Lint: NewPolicyConstraintsContents,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_ext_policy_constraints_empty",
+ Description: "Conforming CAs MUST NOT issue certificates where policy constraints is an empty sequence. That is, either the inhibitPolicyMapping field or the requireExplicityPolicy field MUST be present",
+ Citation: "RFC 5280: 4.2.1.11",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC2459Date,
+ },
+ Lint: NewPolicyConstraintsContents,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_policy_constraints_not_critical.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_policy_constraints_not_critical.go
index df3a03508..91873c9fa 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_policy_constraints_not_critical.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_policy_constraints_not_critical.go
@@ -1,7 +1,7 @@
 package rfc
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
@@ -28,13 +28,15 @@ Conforming CAs MUST mark this extension as critical.
 ************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_ext_policy_constraints_not_critical",
- Description: "Conforming CAs MUST mark the policy constraints extension as critical",
- Citation: "RFC 5280: 4.2.1.11",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC5280Date,
- Lint: NewPolicyConstraintsCritical,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_ext_policy_constraints_not_critical",
+ Description: "Conforming CAs MUST mark the policy constraints extension as critical",
+ Citation: "RFC 5280: 4.2.1.11",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC5280Date,
+ },
+ Lint: NewPolicyConstraintsCritical,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_policy_map_any_policy.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_policy_map_any_policy.go
index 9d009bbb7..2df3f9f0d 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_policy_map_any_policy.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_policy_map_any_policy.go
@@ -1,7 +1,7 @@
 package rfc
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
@@ -31,13 +31,15 @@ Each issuerDomainPolicy named in the policy mappings extension SHOULD
 ********************************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_ext_policy_map_any_policy",
- Description: "Policies must not be mapped to or from the anyPolicy value",
- Citation: "RFC 5280: 4.2.1.5",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC3280Date,
- Lint: NewPolicyMapAnyPolicy,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_ext_policy_map_any_policy",
+ Description: "Policies must not be mapped to or from the anyPolicy value",
+ Citation: "RFC 5280: 4.2.1.5",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC3280Date,
+ },
+ Lint: NewPolicyMapAnyPolicy,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_policy_map_not_critical.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_policy_map_not_critical.go
index ce9e87e2e..b0531ef0f 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_policy_map_not_critical.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_policy_map_not_critical.go
@@ -1,7 +1,7 @@
 package rfc
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
@@ -29,13 +29,15 @@ This extension MAY be supported by CAs and/or applications.
 **********************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "w_ext_policy_map_not_critical",
- Description: "Policy mappings should be marked as critical",
- Citation: "RFC 5280: 4.2.1.5",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC2459Date,
- Lint: NewPolicyMapCritical,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "w_ext_policy_map_not_critical",
+ Description: "Policy mappings should be marked as critical",
+ Citation: "RFC 5280: 4.2.1.5",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC2459Date,
+ },
+ Lint: NewPolicyMapCritical,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_policy_map_not_in_cert_policy.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_policy_map_not_in_cert_policy.go
index c9efdc466..dc8b8a059 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_policy_map_not_in_cert_policy.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_policy_map_not_in_cert_policy.go
@@ -1,7 +1,7 @@
 package rfc
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
@@ -31,13 +31,15 @@ Each issuerDomainPolicy named in the policy mapping extension SHOULD
 *********************************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "w_ext_policy_map_not_in_cert_policy",
- Description: "Each issuerDomainPolicy named in the policy mappings extension should also be asserted in a certificate policies extension",
- Citation: "RFC 5280: 4.2.1.5",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC3280Date,
- Lint: NewPolicyMapMatchesCertPolicy,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "w_ext_policy_map_not_in_cert_policy",
+ Description: "Each issuerDomainPolicy named in the policy mappings extension should also be asserted in a certificate policies extension",
+ Citation: "RFC 5280: 4.2.1.5",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC3280Date,
+ },
+ Lint: NewPolicyMapMatchesCertPolicy,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_dns_name_too_long.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_dns_name_too_long.go
index 612c3de33..5095558f5 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_dns_name_too_long.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_dns_name_too_long.go
@@ -1,7 +1,7 @@
 package rfc
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
@@ -23,13 +23,15 @@ import (
 type SANDNSTooLong struct{}
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_ext_san_dns_name_too_long",
- Description: "DNSName must be less than or equal to 253 bytes",
- Citation: "RFC 5280",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC5280Date,
- Lint: NewSANDNSTooLong,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_ext_san_dns_name_too_long",
+ Description: "DNSName must be less than or equal to 253 bytes",
+ Citation: "RFC 5280",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC5280Date,
+ },
+ Lint: NewSANDNSTooLong,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_dns_not_ia5_string.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_dns_not_ia5_string.go
index 31fa30470..7849fe6bb 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_dns_not_ia5_string.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_dns_not_ia5_string.go
@@ -1,7 +1,7 @@
 package rfc
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
@@ -39,13 +39,15 @@ encoding internationalized domain names are specified in Section 7.2.
 ********************************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_ext_san_dns_not_ia5_string",
- Description: "dNSNames MUST be IA5 strings",
- Citation: "RFC 5280: 4.2.1.6",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC2459Date,
- Lint: NewSANDNSNotIA5String,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_ext_san_dns_not_ia5_string",
+ Description: "dNSNames MUST be IA5 strings",
+ Citation: "RFC 5280: 4.2.1.6",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC2459Date,
+ },
+ Lint: NewSANDNSNotIA5String,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_empty_name.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_empty_name.go
index 0c4911466..8dd70b39b 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_empty_name.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_empty_name.go
@@ -1,7 +1,7 @@
 package rfc
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
@@ -36,13 +36,15 @@ path is not defined by this profile.
 ******************************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_ext_san_empty_name",
- Description: "General name fields MUST NOT be empty in subjectAlternateNames",
- Citation: "RFC 5280: 4.2.1.6",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC2459Date,
- Lint: NewSANEmptyName,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_ext_san_empty_name",
+ Description: "General name fields MUST NOT be empty in subjectAlternateNames",
+ Citation: "RFC 5280: 4.2.1.6",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC2459Date,
+ },
+ Lint: NewSANEmptyName,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_no_entries.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_no_entries.go
index 25495715b..02969f71e 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_no_entries.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_no_entries.go
@@ -1,7 +1,7 @@
 package rfc
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
@@ -35,13 +35,15 @@ If the subjectAltName extension is present, the sequence MUST contain
 ***********************************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_ext_san_no_entries",
- Description: "If present, the SAN extension MUST contain at least one entry",
- Citation: "RFC 5280: 4.2.1.6",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC2459Date,
- Lint: NewSANNoEntry,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_ext_san_no_entries",
+ Description: "If present, the SAN extension MUST contain at least one entry",
+ Citation: "RFC 5280: 4.2.1.6",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC2459Date,
+ },
+ Lint: NewSANNoEntry,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_not_critical_without_subject.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_not_critical_without_subject.go
index cd2686727..396169f40 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_not_critical_without_subject.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_not_critical_without_subject.go
@@ -1,7 +1,7 @@
 package rfc
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
@@ -36,13 +36,15 @@ Further, if the only subject identity included in the certificate is
 ************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_ext_san_not_critical_without_subject",
- Description: "If there is an empty subject field, then the SAN extension MUST be critical",
- Citation: "RFC 5280: 4.2.1.6",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC2459Date,
- Lint: NewExtSANNotCritNoSubject,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_ext_san_not_critical_without_subject",
+ Description: "If there is an empty subject field, then the SAN extension MUST be critical",
+ Citation: "RFC 5280: 4.2.1.6",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC2459Date,
+ },
+ Lint: NewExtSANNotCritNoSubject,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_rfc822_format_invalid.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_rfc822_format_invalid.go
index 0a09cd560..80c1cb72e 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_rfc822_format_invalid.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_rfc822_format_invalid.go
@@ -1,7 +1,7 @@
 package rfc
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
@@ -37,13 +37,15 @@ RFC 5280: 4.2.1.6
 ************************************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_ext_san_rfc822_format_invalid",
- Description: "Email MUST NOT be surrounded with `<>`, and there must be no trailing comments in `()`",
- Citation: "RFC 5280: 4.2.1.6",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC2459Date,
- Lint: NewInvalidEmail,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_ext_san_rfc822_format_invalid",
+ Description: "Email MUST NOT be surrounded with `<>`, and there must be no trailing comments in `()`",
+ Citation: "RFC 5280: 4.2.1.6",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC2459Date,
+ },
+ Lint: NewInvalidEmail,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_space_dns_name.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_space_dns_name.go
index b58d5c835..7f4bc1c3c 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_space_dns_name.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_space_dns_name.go
@@ -1,7 +1,7 @@
 package rfc
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
@@ -39,13 +39,15 @@ When the subjectAltName extension contains a domain name system
 ************************************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_ext_san_space_dns_name",
- Description: "The dNSName ` ` MUST NOT be used",
- Citation: "RFC 5280: 4.2.1.6",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC2459Date,
- Lint: NewSANIsSpaceDNS,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_ext_san_space_dns_name",
+ Description: "The dNSName ` ` MUST NOT be used",
+ Citation: "RFC 5280: 4.2.1.6",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC2459Date,
+ },
+ Lint: NewSANIsSpaceDNS,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_uri_format_invalid.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_uri_format_invalid.go
index dac113af8..783f9b47d 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_uri_format_invalid.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_uri_format_invalid.go
@@ -1,7 +1,7 @@
 package rfc
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
@@ -30,13 +30,15 @@ scheme (e.g., "http" or "ftp") and a scheme-specific-part.
 ************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_ext_san_uri_format_invalid",
- Description: "URIs in SAN extension must have a scheme and scheme specific part",
- Citation: "RFC5280: 4.2.1.6",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC5280Date,
- Lint: NewExtSANURIFormatInvalid,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_ext_san_uri_format_invalid",
+ Description: "URIs in SAN extension must have a scheme and scheme specific part",
+ Citation: "RFC5280: 4.2.1.6",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC5280Date,
+ },
+ Lint: NewExtSANURIFormatInvalid,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_uri_host_not_fqdn_or_ip.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_uri_host_not_fqdn_or_ip.go
index b1a72bab9..410c1fd00 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_uri_host_not_fqdn_or_ip.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_uri_host_not_fqdn_or_ip.go
@@ -1,7 +1,7 @@
 package rfc
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
@@ -37,13 +37,15 @@ Section 7.4.
 *********************************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_ext_san_uri_host_not_fqdn_or_ip",
- Description: "URIs that include an authority ([RFC3986], Section 3.2) MUST include a fully qualified domain name or IP address as the host",
- Citation: "RFC 5280: 4.2.1.7",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC5280Date,
- Lint: NewSANURIHost,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_ext_san_uri_host_not_fqdn_or_ip",
+ Description: "URIs that include an authority ([RFC3986], Section 3.2) MUST include a fully qualified domain name or IP address as the host",
+ Citation: "RFC 5280: 4.2.1.7",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC5280Date,
+ },
+ Lint: NewSANURIHost,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_uri_not_ia5.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_uri_not_ia5.go
index d91812421..243788956 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_uri_not_ia5.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_uri_not_ia5.go
@@ -1,7 +1,7 @@
 package rfc
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
@@ -30,13 +30,15 @@ stored in the uniformResourceIdentifier (an IA5String).
 ************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_ext_san_uri_not_ia5",
- Description: "When subjectAlternateName contains a URI, the name MUST be an IA5 string",
- Citation: "RFC5280: 4.2.1.6",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC5280Date,
- Lint: NewExtSANURINotIA5,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_ext_san_uri_not_ia5",
+ Description: "When subjectAlternateName contains a URI, the name MUST be an IA5 string",
+ Citation: "RFC5280: 4.2.1.6",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC5280Date,
+ },
+ Lint: NewExtSANURINotIA5,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_uri_relative.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_uri_relative.go
index 0e9db95f6..78cb772b0 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_uri_relative.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_uri_relative.go
@@ -1,7 +1,7 @@
 package rfc
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
@@ -37,13 +37,15 @@ Section 7.4.
 *************************************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_ext_san_uri_relative",
- Description: "When the subjectAlternateName extension is present and a URI is used, the name MUST NOT be a relative URI",
- Citation: "RFC 5280: 4.2.1.6",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC5280Date,
- Lint: NewExtSANURIRelative,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_ext_san_uri_relative",
+ Description: "When the subjectAlternateName extension is present and a URI is used, the name MUST NOT be a relative URI",
+ Citation: "RFC 5280: 4.2.1.6",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC5280Date,
+ },
+ Lint: NewExtSANURIRelative,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_subject_directory_attr_critical.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_subject_directory_attr_critical.go
index 82925fde0..ba54e83a4 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_subject_directory_attr_critical.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_subject_directory_attr_critical.go
@@ -1,7 +1,7 @@
 package rfc
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
@@ -31,13 +31,15 @@ The subject directory attributes extension is used to convey
 ************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_ext_subject_directory_attr_critical",
- Description: "Conforming CAs MUST mark the Subject Directory Attributes extension as not critical",
- Citation: "RFC 5280: 4.2.1.8",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC2459Date,
- Lint: NewSubDirAttrCrit,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_ext_subject_directory_attr_critical",
+ Description: "Conforming CAs MUST mark the Subject Directory Attributes extension as not critical",
+ Citation: "RFC 5280: 4.2.1.8",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC2459Date,
+ },
+ Lint: NewSubDirAttrCrit,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_subject_key_identifier_critical.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_subject_key_identifier_critical.go
index 15cd21839..5b589f4bf 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_subject_key_identifier_critical.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_subject_key_identifier_critical.go
@@ -1,7 +1,7 @@
 package rfc
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
@@ -28,13 +28,15 @@ RFC 5280: 4.2.1.2
 **********************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_ext_subject_key_identifier_critical",
- Description: "The subject key identifier extension MUST be non-critical",
- Citation: "RFC 5280: 4.2.1.2",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC2459Date,
- Lint: NewSubjectKeyIdCritical,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_ext_subject_key_identifier_critical",
+ Description: "The subject key identifier extension MUST be non-critical",
+ Citation: "RFC 5280: 4.2.1.2",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC2459Date,
+ },
+ Lint: NewSubjectKeyIdCritical,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_subject_key_identifier_missing_ca.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_subject_key_identifier_missing_ca.go
index 7adae089e..df6d46d27 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_subject_key_identifier_missing_ca.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_subject_key_identifier_missing_ca.go
@@ -1,7 +1,7 @@
 package rfc
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
@@ -43,13 +43,15 @@ type subjectKeyIdMissingCA struct{}
 ************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_ext_subject_key_identifier_missing_ca",
- Description: "CAs MUST include a Subject Key Identifier in all CA certificates",
- Citation: "RFC 5280: 4.2 & 4.2.1.2",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC2459Date,
- Lint: NewSubjectKeyIdMissingCA,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_ext_subject_key_identifier_missing_ca",
+ Description: "CAs MUST include a Subject Key Identifier in all CA certificates",
+ Citation: "RFC 5280: 4.2 & 4.2.1.2",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC2459Date,
+ },
+ Lint: NewSubjectKeyIdMissingCA,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_subject_key_identifier_missing_sub_cert.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_subject_key_identifier_missing_sub_cert.go
index c8ba38a12..948a00d43 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_subject_key_identifier_missing_sub_cert.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_subject_key_identifier_missing_sub_cert.go
@@ -1,7 +1,7 @@
 package rfc
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
@@ -43,13 +43,15 @@ type subjectKeyIdMissingSubscriber struct{}
 **********************************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "w_ext_subject_key_identifier_missing_sub_cert",
- Description: "Sub certificates SHOULD include Subject Key Identifier in end entity certs",
- Citation: "RFC 5280: 4.2 & 4.2.1.2",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC2459Date,
- Lint: NewSubjectKeyIdMissingSubscriber,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "w_ext_subject_key_identifier_missing_sub_cert",
+ Description: "Sub certificates SHOULD include Subject Key Identifier in end entity certs",
+ Citation: "RFC 5280: 4.2 & 4.2.1.2",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC2459Date,
+ },
+ Lint: NewSubjectKeyIdMissingSubscriber,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_generalized_time_does_not_include_seconds.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_generalized_time_does_not_include_seconds.go
index c3496008a..17928a960 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_generalized_time_does_not_include_seconds.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_generalized_time_does_not_include_seconds.go
@@ -1,7 +1,7 @@
 package rfc
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
@@ -38,13 +38,15 @@ is zero. GeneralizedTime values MUST NOT include fractional seconds.
 ********************************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_generalized_time_does_not_include_seconds",
- Description: "Generalized time values MUST include seconds",
- Citation: "RFC 5280: 4.1.2.5.2",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC2459Date,
- Lint: NewGeneralizedNoSeconds,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_generalized_time_does_not_include_seconds",
+ Description: "Generalized time values MUST include seconds",
+ Citation: "RFC 5280: 4.1.2.5.2",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC2459Date,
+ },
+ Lint: NewGeneralizedNoSeconds,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_generalized_time_includes_fraction_seconds.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_generalized_time_includes_fraction_seconds.go
index 57221f928..4b0e5be4e 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_generalized_time_includes_fraction_seconds.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_generalized_time_includes_fraction_seconds.go
@@ -1,7 +1,7 @@
 package rfc
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
@@ -38,13 +38,15 @@ is zero. GeneralizedTime values MUST NOT include fractional seconds.
 ********************************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_generalized_time_includes_fraction_seconds",
- Description: "Generalized time values MUST NOT include fractional seconds",
- Citation: "RFC 5280: 4.1.2.5.2",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC2459Date,
- Lint: NewGeneralizedTimeFraction,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_generalized_time_includes_fraction_seconds",
+ Description: "Generalized time values MUST NOT include fractional seconds",
+ Citation: "RFC 5280: 4.1.2.5.2",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC2459Date,
+ },
+ Lint: NewGeneralizedTimeFraction,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_generalized_time_not_in_zulu.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_generalized_time_not_in_zulu.go
index 289ee4ae0..415b4011c 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_generalized_time_not_in_zulu.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_generalized_time_not_in_zulu.go
@@ -1,7 +1,7 @@
 package rfc
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
@@ -37,13 +37,15 @@ is zero. GeneralizedTime values MUST NOT include fractional seconds.
 ********************************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_generalized_time_not_in_zulu",
- Description: "Generalized time values MUST be expressed in Greenwich Mean Time (Zulu)",
- Citation: "RFC 5280: 4.1.2.5.2",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC2459Date,
- Lint: NewGeneralizedNotZulu,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_generalized_time_not_in_zulu",
+ Description: "Generalized time values MUST be expressed in Greenwich Mean Time (Zulu)",
+ Citation: "RFC 5280: 4.1.2.5.2",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC2459Date,
+ },
+ Lint: NewGeneralizedNotZulu,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_idn_dnsname_malformed_unicode.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_idn_dnsname_malformed_unicode.go
index daaf1e473..ec9c01027 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_idn_dnsname_malformed_unicode.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_idn_dnsname_malformed_unicode.go
@@ -1,7 +1,7 @@
 package rfc
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
@@ -25,13 +25,15 @@ import (
 type IDNMalformedUnicode struct{}
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_international_dns_name_not_unicode",
- Description: "Internationalized DNSNames punycode not valid Unicode",
- Citation: "RFC 3490",
- EffectiveDate: util.RFC3490Date,
- Source: lint.RFC5280,
- Lint: NewIDNMalformedUnicode,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_international_dns_name_not_unicode",
+ Description: "Internationalized DNSNames punycode not valid Unicode",
+ Citation: "RFC 3490",
+ EffectiveDate: util.RFC3490Date,
+ Source: lint.RFC5280,
+ },
+ Lint: NewIDNMalformedUnicode,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_idn_dnsname_must_be_nfc.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_idn_dnsname_must_be_nfc.go
index 74c64f33c..970f5bb51 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_idn_dnsname_must_be_nfc.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_idn_dnsname_must_be_nfc.go
@@ -1,7 +1,7 @@
 package rfc
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
@@ -26,13 +26,15 @@ import (
 type IDNNotNFC struct{}
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_international_dns_name_not_nfc",
- Description: "Internationalized DNSNames must be normalized by Unicode normalization form C",
- Citation: "RFC 8399",
- Source: lint.RFC5891,
- EffectiveDate: util.RFC8399Date,
- Lint: NewIDNNotNFC,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_international_dns_name_not_nfc",
+ Description: "Internationalized DNSNames must be normalized by Unicode normalization form C",
+ Citation: "RFC 8399",
+ Source: lint.RFC5891,
+ EffectiveDate: util.RFC8399Date,
+ },
+ Lint: NewIDNNotNFC,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_incorrect_ku_encoding.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_incorrect_ku_encoding.go
index 6c0342261..51de2e854 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_incorrect_ku_encoding.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_incorrect_ku_encoding.go
@@ -1,5 +1,5 @@
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
@@ -25,13 +25,15 @@ import (
 )
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_incorrect_ku_encoding",
- Description: "RFC 5280 Section 4.2.1.3 describes the value of a KeyUsage to be a DER encoded BitString, which itself defines that all trailing 0 bits be counted as being \"unused\".",
- Citation: "Where ITU-T Rec. X.680 | ISO/IEC 8824-1, 21.7, applies, the bitstring shall have all trailing 0 bits removed before it is encoded.",
- Source: lint.RFC5280,
- EffectiveDate: util.ZeroDate,
- Lint: func() lint.LintInterface { return &incorrectKuEncoding{} },
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_incorrect_ku_encoding",
+ Description: "RFC 5280 Section 4.2.1.3 describes the value of a KeyUsage to be a DER encoded BitString, which itself defines that all trailing 0 bits be counted as being \"unused\".",
+ Citation: "Where ITU-T Rec. X.680 | ISO/IEC 8824-1, 21.7, applies, the bitstring shall have all trailing 0 bits removed before it is encoded.",
+ Source: lint.RFC5280,
+ EffectiveDate: util.ZeroDate,
+ },
+ Lint: func() lint.LintInterface { return &incorrectKuEncoding{} },
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_inhibit_any_policy_not_critical.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_inhibit_any_policy_not_critical.go
index 4bd5a23e0..4e22b9aa3 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_inhibit_any_policy_not_critical.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_inhibit_any_policy_not_critical.go
@@ -1,7 +1,7 @@
 package rfc
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
@@ -38,13 +38,15 @@ type InhibitAnyPolicyNotCritical struct{}
 ************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_inhibit_any_policy_not_critical",
- Description: "CAs MUST mark the inhibitAnyPolicy extension as critical",
- Citation: "RFC 5280: 4.2.1.14",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC3280Date,
- Lint: NewInhibitAnyPolicyNotCritical,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_inhibit_any_policy_not_critical",
+ Description: "CAs MUST mark the inhibitAnyPolicy extension as critical",
+ Citation: "RFC 5280: 4.2.1.14",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC3280Date,
+ },
+ Lint: NewInhibitAnyPolicyNotCritical,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_issuer_dn_country_not_printable_string.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_issuer_dn_country_not_printable_string.go
index 5a85d5923..956017a77 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_issuer_dn_country_not_printable_string.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_issuer_dn_country_not_printable_string.go
@@ -1,7 +1,7 @@
 package rfc
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
@@ -24,13 +24,15 @@ import (
 type IssuerDNCountryNotPrintableString struct{}
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_issuer_dn_country_not_printable_string",
- Description: "X520 Distinguished Name Country MUST BE encoded as PrintableString",
- Citation: "RFC 5280: Appendix A",
- Source: lint.RFC5280,
- EffectiveDate: util.ZeroDate,
- Lint: NewIssuerDNCountryNotPrintableString,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_issuer_dn_country_not_printable_string",
+ Description: "X520 Distinguished Name Country MUST BE encoded as PrintableString",
+ Citation: "RFC 5280: Appendix A",
+ Source: lint.RFC5280,
+ EffectiveDate: util.ZeroDate,
+ },
+ Lint: NewIssuerDNCountryNotPrintableString,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_issuer_field_empty.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_issuer_field_empty.go
index 9429101ac..1c5e2bae1 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_issuer_field_empty.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_issuer_field_empty.go
@@ -1,7 +1,7 @@
 package rfc
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
@@ -31,13 +31,15 @@ The issuer field identifies the entity that has signed and issued the
 ************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_issuer_field_empty",
- Description: "Certificate issuer field MUST NOT be empty and must have a non-empty distinguished name",
- Citation: "RFC 5280: 4.1.2.4",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC2459Date,
- Lint: NewIssuerFieldEmpty,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_issuer_field_empty",
+ Description: "Certificate issuer field MUST NOT be empty and must have a non-empty distinguished name",
+ Citation: "RFC 5280: 4.1.2.4",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC2459Date,
+ },
+ Lint: NewIssuerFieldEmpty,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_key_usage_and_extended_key_usage_inconsistent.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_key_usage_and_extended_key_usage_inconsistent.go
new file mode 100644
index 000000000..f49c5919f
--- /dev/null
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_key_usage_and_extended_key_usage_inconsistent.go
@@ -0,0 +1,215 @@
+package rfc
+
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+import (
+ "fmt"
+ "sort"
+
+ "github.com/zmap/zcrypto/x509"
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/util"
+)
+
+type KUAndEKUInconsistent struct{}
+
+func init() {
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_key_usage_and_extended_key_usage_inconsistent",
+ Description: "The certificate MUST only be used for a purpose consistent with both key usage extension and extended key usage extension.",
+ Citation: "RFC 5280, Section 4.2.1.12.",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC5280Date,
+ },
+ Lint: NewKUAndEKUInconsistent,
+ })
+}
+
+func NewKUAndEKUInconsistent() lint.LintInterface {
+ return &KUAndEKUInconsistent{}
+}
+
+func (l *KUAndEKUInconsistent) Initialize() error {
+ return nil
+}
+
+// CheckApplies returns true when the certificate contains both a key usage
+// extension and an extended key usage extension.
+func (l *KUAndEKUInconsistent) CheckApplies(c *x509.Certificate) bool {
+ return util.IsSubscriberCert(c) && util.IsExtInCert(c, util.EkuSynOid) && util.IsExtInCert(c, util.KeyUsageOID)
+}
+
+// Execute returns an Error level lint.LintResult if the purposes of the certificate
+// being linted is not consistent with both extensions.
+func (l *KUAndEKUInconsistent) Execute(c *x509.Certificate) *lint.LintResult {
+ if len(c.ExtKeyUsage) > 1 {
+ return l.multiPurpose(c)
+ }
+ return l.strictPurpose(c)
+}
+
+// RFC 5280 4.2.1.12 on multiple purposes:
+//
+// If multiple purposes are indicated the application need not recognize all purposes
+// indicated, as long as the intended purpose is present.
+func (l *KUAndEKUInconsistent) multiPurpose(c *x509.Certificate) *lint.LintResult {
+ // Create a map with each KeyUsage combination that is authorized for the
+ // included extKeyUsage(es).
+ var mp = map[x509.KeyUsage]bool{}
+ for _, extKeyUsage := range c.ExtKeyUsage {
+ var i int
+ if _, ok := eku[extKeyUsage]; !ok {
+ return &lint.LintResult{Status: lint.Pass}
+ }
+ for ku := range eku[extKeyUsage] {
+ // There is nothing to merge for the first EKU.
+ if i > 0 {
+ // We could see this EKU combined with any other EKU so
+ // create that possibility.
+ for mpku := range mp {
+ mp[mpku|ku] = true
+ }
+ }
+
+ mp[ku] = true
+ i++
+ }
+ }
+ if !mp[c.KeyUsage] {
+ // Sort the included KeyUsage strings for consistent error messages
+ // The order does not matter for this lint, but the consistency makes
+ // it easier to identify common errors.
+ keyUsage := util.GetKeyUsageStrings(c.KeyUsage)
+ sort.Strings(keyUsage)
+
+ return &lint.LintResult{
+ Status: lint.Error,
+ Details: fmt.Sprintf("KeyUsage %v (%08b) inconsistent with multiple purpose ExtKeyUsage %v", keyUsage, c.KeyUsage, util.GetEKUStrings(c.ExtKeyUsage)),
+ }
+ }
+ return &lint.LintResult{Status: lint.Pass}
+}
+
+// strictPurpose checks if the Key Usages (KU) included are permitted for each
+// indicated Extended Key Usage (EKU)
+func (l *KUAndEKUInconsistent) strictPurpose(c *x509.Certificate) *lint.LintResult {
+ for _, extKeyUsage := range c.ExtKeyUsage {
+ if _, ok := eku[extKeyUsage]; !ok {
+ continue
+ }
+ if !eku[extKeyUsage][c.KeyUsage] {
+ return &lint.LintResult{
+ Status: lint.Error,
+ Details: fmt.Sprintf("KeyUsage %v (%08b) inconsistent with ExtKeyUsage %s", util.GetKeyUsageStrings(c.KeyUsage), c.KeyUsage, util.GetEKUString(extKeyUsage)),
+ }
+ }
+ }
+ return &lint.LintResult{Status: lint.Pass}
+}
+
+var eku = map[x509.ExtKeyUsage]map[x509.KeyUsage]bool{
+
+ // KU combinations with Server Authentication EKU:
+ // RFC 5280 4.2.1.12 on KU consistency with Server Authentication EKU:
+ // -- TLS WWW server authentication
+ // -- Key usage bits that may be consistent: digitalSignature,
+ // -- keyEncipherment or keyAgreement
+
+ // (digitalSignature OR (keyEncipherment XOR keyAgreement))
+ x509.ExtKeyUsageServerAuth: {
+ x509.KeyUsageDigitalSignature: true,
+ x509.KeyUsageKeyEncipherment: true,
+ x509.KeyUsageKeyAgreement: true,
+ x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment: true,
+ x509.KeyUsageDigitalSignature | x509.KeyUsageKeyAgreement: true,
+ },
+
+ // KU combinations with Client Authentication EKU:
+ // RFC 5280 4.2.1.12 on KU consistency with Client Authentication EKU:
+ // -- TLS WWW client authentication
+ // -- Key usage bits that may be consistent: digitalSignature
+ // -- and/or keyAgreement
+
+ // (digitalSignature OR keyAgreement)
+ x509.ExtKeyUsageClientAuth: {
+ x509.KeyUsageDigitalSignature: true,
+ x509.KeyUsageKeyAgreement: true,
+ x509.KeyUsageDigitalSignature | x509.KeyUsageKeyAgreement: true,
+ },
+
+ // KU combinations with Code Signing EKU:
+ // RFC 5280 4.2.1.12 on KU consistency with Code Signing EKU:
+ // -- Signing of downloadable executable code
+ // -- Key usage bits that may be consistent: digitalSignature
+
+ // (digitalSignature)
+ x509.ExtKeyUsageCodeSigning: {
+ x509.KeyUsageDigitalSignature: true,
+ },
+
+ // KU combinations with Email Protection EKU:
+ // RFC 5280 4.2.1.12 on KU consistency with Email Protection EKU:
+ // -- Email protection
+ // -- Key usage bits that may be consistent: digitalSignature,
+ // -- nonRepudiation, and/or (keyEncipherment or keyAgreement)
+ // Note: Recent editions of X.509 have renamed nonRepudiation bit to contentCommitment
+
+ // (digitalSignature OR nonRepudiation OR (keyEncipherment XOR keyAgreement))
+ x509.ExtKeyUsageEmailProtection: {
+ x509.KeyUsageDigitalSignature: true,
+ x509.KeyUsageContentCommitment: true,
+ x509.KeyUsageKeyEncipherment: true,
+ x509.KeyUsageKeyAgreement: true,
+
+ x509.KeyUsageDigitalSignature | x509.KeyUsageContentCommitment: true,
+ x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment: true,
+ x509.KeyUsageDigitalSignature | x509.KeyUsageKeyAgreement: true,
+
+ x509.KeyUsageDigitalSignature | x509.KeyUsageContentCommitment | x509.KeyUsageKeyEncipherment: true,
+ x509.KeyUsageDigitalSignature | x509.KeyUsageContentCommitment | x509.KeyUsageKeyAgreement: true,
+
+ x509.KeyUsageContentCommitment | x509.KeyUsageKeyEncipherment: true,
+ x509.KeyUsageContentCommitment | x509.KeyUsageKeyAgreement: true,
+ },
+
+ // KU combinations with Time Stamping EKU:
+ // RFC 5280 4.2.1.12 on KU consistency with Time Stamping EKU:
+ // -- Binding the hash of an object to a time
+ // -- Key usage bits that may be consistent: digitalSignature
+ // -- and/or nonRepudiation
+ // Note: Recent editions of X.509 have renamed nonRepudiation bit to contentCommitment
+
+ // (digitalSignature OR nonRepudiation)
+ x509.ExtKeyUsageTimeStamping: {
+ x509.KeyUsageDigitalSignature: true,
+ x509.KeyUsageContentCommitment: true,
+ x509.KeyUsageDigitalSignature | x509.KeyUsageContentCommitment: true,
+ },
+
+ // KU combinations with Ocsp Signing EKU:
+ // RFC 5280 4.2.1.12 on KU consistency with Ocsp Signing EKU:
+ // -- Signing OCSP responses
+ // -- Key usage bits that may be consistent: digitalSignature
+ // -- and/or nonRepudiation
+ // Note: Recent editions of X.509 have renamed nonRepudiation bit to contentCommitment
+
+ // (digitalSignature OR nonRepudiation)
+ x509.ExtKeyUsageOcspSigning: {
+ x509.KeyUsageDigitalSignature: true,
+ x509.KeyUsageContentCommitment: true,
+ x509.KeyUsageDigitalSignature | x509.KeyUsageContentCommitment: true,
+ },
+}
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_key_usage_incorrect_length.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_key_usage_incorrect_length.go
index 1f85c1a82..d93669617 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_key_usage_incorrect_length.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_key_usage_incorrect_length.go
@@ -1,7 +1,7 @@
 package rfc
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
@@ -29,13 +29,15 @@ import (
 type keyUsageIncorrectLength struct{}
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_key_usage_incorrect_length",
- Description: "The key usage is a bit string with exactly nine possible flags",
- Citation: "RFC 5280: 4.2.1.3",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC5280Date,
- Lint: NewKeyUsageIncorrectLength,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_key_usage_incorrect_length",
+ Description: "The key usage is a bit string with exactly nine possible flags",
+ Citation: "RFC 5280: 4.2.1.3",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC5280Date,
+ },
+ Lint: NewKeyUsageIncorrectLength,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_name_constraint_empty.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_name_constraint_empty.go
index a82cce491..dcdb358fb 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_name_constraint_empty.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_name_constraint_empty.go
@@ -1,7 +1,7 @@
 package rfc
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
@@ -36,13 +36,15 @@ type nameConstraintEmpty struct{}
 ************************************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_name_constraint_empty",
- Description: "Conforming CAs MUST NOT issue certificates where name constraints is an empty sequence. That is, either the permittedSubtree or excludedSubtree fields must be present",
- Citation: "RFC 5280: 4.2.1.10",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC5280Date,
- Lint: NewNameConstraintEmpty,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_name_constraint_empty",
+ Description: "Conforming CAs MUST NOT issue certificates where name constraints is an empty sequence. That is, either the permittedSubtree or excludedSubtree fields must be present",
+ Citation: "RFC 5280: 4.2.1.10",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC5280Date,
+ },
+ Lint: NewNameConstraintEmpty,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_name_constraint_maximum_not_absent.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_name_constraint_maximum_not_absent.go
index b24ec5f9f..ff6ebd212 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_name_constraint_maximum_not_absent.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_name_constraint_maximum_not_absent.go
@@ -1,7 +1,7 @@
 package rfc
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
@@ -34,13 +34,15 @@ certificate.
 ************************************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_name_constraint_maximum_not_absent",
- Description: "Within the name constraints name form, the maximum field is not used and therefore MUST be absent",
- Citation: "RFC 5280: 4.2.1.10",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC2459Date,
- Lint: NewNameConstraintMax,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_name_constraint_maximum_not_absent",
+ Description: "Within the name constraints name form, the maximum field is not used and therefore MUST be absent",
+ Citation: "RFC 5280: 4.2.1.10",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC2459Date,
+ },
+ Lint: NewNameConstraintMax,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_name_constraint_minimum_non_zero.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_name_constraint_minimum_non_zero.go
index c52467411..ca05fc14b 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_name_constraint_minimum_non_zero.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_name_constraint_minimum_non_zero.go
@@ -1,7 +1,7 @@
 package rfc
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
@@ -34,13 +34,15 @@ certificate.
 ************************************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_name_constraint_minimum_non_zero",
- Description: "Within the name constraints name forms, the minimum field is not used and therefore MUST be zero",
- Citation: "RFC 5280: 4.2.1.10",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC2459Date,
- Lint: NewNameConstMin,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_name_constraint_minimum_non_zero",
+ Description: "Within the name constraints name forms, the minimum field is not used and therefore MUST be zero",
+ Citation: "RFC 5280: 4.2.1.10",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC2459Date,
+ },
+ Lint: NewNameConstMin,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_name_constraint_not_fqdn.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_name_constraint_not_fqdn.go
index d9ca2cd71..e359024ee 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_name_constraint_not_fqdn.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_name_constraint_not_fqdn.go
@@ -1,5 +1,5 @@
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
@@ -37,13 +37,15 @@ type nameConstraintNotFQDN struct{}
 ************************************************************************/
 
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_name_constraint_not_fqdn",
- Description: "For URIs, the constraint MUST be specified as a fully qualified domain name [...] When the constraint begins with a period, it MAY be expanded with one or more labels.",
- Citation: "RFC 5280: 4.2.1.10",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC5280Date,
- Lint: NewNameConstraintNotFQDN,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_name_constraint_not_fqdn",
+ Description: "For URIs, the constraint MUST be specified as a fully qualified domain name [...] When the constraint begins with a period, it MAY be expanded with one or more labels.",
+ Citation: "RFC 5280: 4.2.1.10",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC5280Date,
+ },
+ Lint: NewNameConstraintNotFQDN,
 })
 }
 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_name_constraint_on_edi_party_name.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_name_constraint_on_edi_party_name.go
index b1111aae4..42bc2a7f1 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_name_constraint_on_edi_party_name.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_name_constraint_on_edi_party_name.go
@@ -1,7 +1,7 @@
 package rfc
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
@@ -36,13 +36,15 @@ be present.
 *******************************************************************/
 
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "w_name_constraint_on_edi_party_name",
- Description: "The name constraints extension SHOULD NOT impose constraints on the ediPartyName name form",
- Citation: "RFC 5280: 4.2.1.10",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC5280Date,
- Lint: NewNameConstraintOnEDI,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "w_name_constraint_on_edi_party_name",
+ Description: "The name constraints extension SHOULD NOT impose constraints on the ediPartyName name form",
+ Citation: "RFC 5280: 4.2.1.10",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC5280Date,
+ },
+ Lint: NewNameConstraintOnEDI,
 })
 }
 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_name_constraint_on_registered_id.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_name_constraint_on_registered_id.go
index 0e2912a80..6ac32ff23 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_name_constraint_on_registered_id.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_name_constraint_on_registered_id.go
@@ -1,7 +1,7 @@
 package rfc
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
@@ -36,13 +36,15 @@ be present.
 *******************************************************************/
 
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "w_name_constraint_on_registered_id",
- Description: "The name constraints extension SHOULD NOT impose constraints on the registeredID name form",
- Citation: "RFC 5280: 4.2.1.10",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC5280Date,
- Lint: NewNameConstraintOnRegisteredId,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "w_name_constraint_on_registered_id",
+ Description: "The name constraints extension SHOULD NOT impose constraints on the registeredID name form",
+ Citation: "RFC 5280: 4.2.1.10",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC5280Date,
+ },
+ Lint: NewNameConstraintOnRegisteredId,
 })
 }
 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_name_constraint_on_x400.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_name_constraint_on_x400.go
index b9d2dae56..54cece228 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_name_constraint_on_x400.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_name_constraint_on_x400.go
@@ -1,7 +1,7 @@
 package rfc
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
@@ -36,13 +36,15 @@ be present.
 *******************************************************************/
 
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "w_name_constraint_on_x400",
- Description: "The name constraints extension SHOULD NOT impose constraints on the x400Address name form",
- Citation: "RFC 5280: 4.2.1.10",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC5280Date,
- Lint: NewNameConstraintOnX400,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "w_name_constraint_on_x400",
+ Description: "The name constraints extension SHOULD NOT impose constraints on the x400Address name form",
+ Citation: "RFC 5280: 4.2.1.10",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC5280Date,
+ },
+ Lint: NewNameConstraintOnX400,
 })
 }
 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_path_len_constraint_improperly_included.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_path_len_constraint_improperly_included.go
index 465c967ca..ddce296a6 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_path_len_constraint_improperly_included.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_path_len_constraint_improperly_included.go
@@ -1,7 +1,7 @@
 package rfc
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
@@ -31,13 +31,15 @@ keyCertSign bit.
 ******************************************************************/
 
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_path_len_constraint_improperly_included",
- Description: "CAs MUST NOT include the pathLenConstraint field unless the CA boolean is asserted and the keyCertSign bit is set",
- Citation: "RFC 5280: 4.2.1.9",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC3280Date,
- Lint: NewPathLenIncluded,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_path_len_constraint_improperly_included",
+ Description: "CAs MUST NOT include the pathLenConstraint field unless the CA boolean is asserted and the keyCertSign bit is set",
+ Citation: "RFC 5280: 4.2.1.9",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC3280Date,
+ },
+ Lint: NewPathLenIncluded,
 })
 }
 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_path_len_constraint_zero_or_less.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_path_len_constraint_zero_or_less.go
index 51a613890..ac8133a01 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_path_len_constraint_zero_or_less.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_path_len_constraint_zero_or_less.go
@@ -1,7 +1,7 @@
 package rfc
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
@@ -46,13 +46,15 @@ not appear, no limit is imposed.
 ********************************************************************/
 
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_path_len_constraint_zero_or_less",
- Description: "Where it appears, the pathLenConstraint field MUST be greater than or equal to zero",
- Citation: "RFC 5280: 4.2.1.9",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC2459Date,
- Lint: NewPathLenNonPositive,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_path_len_constraint_zero_or_less",
+ Description: "Where it appears, the pathLenConstraint field MUST be greater than or equal to zero",
+ Citation: "RFC 5280: 4.2.1.9",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC2459Date,
+ },
+ Lint: NewPathLenNonPositive,
 })
 }
 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_rsa_allowed_ku_ca.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_rsa_allowed_ku_ca.go
index 931620bfc..9e9677ad6 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_rsa_allowed_ku_ca.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_rsa_allowed_ku_ca.go
@@ -1,5 +1,5 @@
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
@@ -41,13 +41,15 @@ RFC 3279: 2.3.1 RSA Keys
 ************************************************/
 
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_rsa_allowed_ku_ca",
- Description: "Key usage values digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyCertSign, and cRLSign may only be present in a CA certificate with an RSA key",
- Citation: "RFC 3279: 2.3.1",
- Source: lint.RFC3279,
- EffectiveDate: util.RFC3279Date,
- Lint: NewRsaAllowedKUCa,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_rsa_allowed_ku_ca",
+ Description: "Key usage values digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyCertSign, and cRLSign may only be present in a CA certificate with an RSA key",
+ Citation: "RFC 3279: 2.3.1",
+ Source: lint.RFC3279,
+ EffectiveDate: util.RFC3279Date,
+ },
+ Lint: NewRsaAllowedKUCa,
 })
 }
 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_rsa_allowed_ku_ee.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_rsa_allowed_ku_ee.go
index 85e9e3269..45c9e137e 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_rsa_allowed_ku_ee.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_rsa_allowed_ku_ee.go
@@ -1,5 +1,5 @@
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
@@ -39,13 +39,15 @@ RFC 3279: 2.3.1 RSA Keys
 ************************************************/
 
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_rsa_allowed_ku_ee",
- Description: "Key usage values digitalSignature, nonRepudiation, keyEncipherment, and dataEncipherment may only be present in an end entity certificate with an RSA key",
- Citation: "RFC 3279: 2.3.1",
- Source: lint.RFC3279,
- EffectiveDate: util.RFC3279Date,
- Lint: NewRsaAllowedKUEe,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_rsa_allowed_ku_ee",
+ Description: "Key usage values digitalSignature, nonRepudiation, keyEncipherment, and dataEncipherment may only be present in an end entity certificate with an RSA key",
+ Citation: "RFC 3279: 2.3.1",
+ Source: lint.RFC3279,
+ EffectiveDate: util.RFC3279Date,
+ },
+ Lint: NewRsaAllowedKUEe,
 })
 }
 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_rsa_allowed_ku_no_encipherment_ca.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_rsa_allowed_ku_no_encipherment_ca.go
index 7df5b2020..8e234995b 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_rsa_allowed_ku_no_encipherment_ca.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_rsa_allowed_ku_no_encipherment_ca.go
@@ -1,5 +1,5 @@
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
@@ -41,13 +41,15 @@ RFC 3279: 2.3.1 RSA Keys
 ************************************************/
 
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_rsa_allowed_ku_no_encipherment_ca",
- Description: "If Key usage value keyCertSign or cRLSign is present in a CA certificate both keyEncipherment and dataEncipherment SHOULD NOT be present",
- Citation: "RFC 3279: 2.3.1",
- Source: lint.RFC3279,
- EffectiveDate: util.RFC3279Date,
- Lint: NewRsaAllowedKUCaNoEncipherment,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_rsa_allowed_ku_no_encipherment_ca",
+ Description: "If Key usage value keyCertSign or cRLSign is present in a CA certificate both keyEncipherment and dataEncipherment SHOULD NOT be present",
+ Citation: "RFC 3279: 2.3.1",
+ Source: lint.RFC3279,
+ EffectiveDate: util.RFC3279Date,
+ },
+ Lint: NewRsaAllowedKUCaNoEncipherment,
 })
 }
 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_serial_number_longer_than_20_octets.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_serial_number_longer_than_20_octets.go
index 2c86528fa..500bcefb4 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_serial_number_longer_than_20_octets.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_serial_number_longer_than_20_octets.go
@@ -1,7 +1,7 @@
 package rfc
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
@@ -43,13 +43,15 @@ RFC 5280: 4.1.2.2. Serial Number
 ************************************************/
 
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_serial_number_longer_than_20_octets",
- Description: "Certificates must not have a DER encoded serial number longer than 20 octets",
- Citation: "RFC 5280: 4.1.2.2",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC3280Date,
- Lint: NewSerialNumberTooLong,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_serial_number_longer_than_20_octets",
+ Description: "Certificates must not have a DER encoded serial number longer than 20 octets",
+ Citation: "RFC 5280: 4.1.2.2",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC3280Date,
+ },
+ Lint: NewSerialNumberTooLong,
 })
 }
 
@@ -68,12 +70,12 @@ func (l *serialNumberTooLong) Execute(c *x509.Certificate) *lint.LintResult {
 // DER encoded lengths are without having to guess.
 encoding, err := asn1.Marshal(c.SerialNumber)
 if err != nil {
- return &lint.LintResult{Status: lint.Fatal, Details: fmt.Sprint(err)}
+ return &lint.LintResult{Status: lint.Fatal, Details: err.Error()}
 }
 serial := new(asn1.RawValue)
 _, err = asn1.Unmarshal(encoding, serial)
 if err != nil {
- return &lint.LintResult{Status: lint.Fatal, Details: fmt.Sprint(err)}
+ return &lint.LintResult{Status: lint.Fatal, Details: err.Error()}
 }
 length := len(serial.Bytes)
 if length > 20 {
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_serial_number_not_positive.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_serial_number_not_positive.go
index 4493b4bd5..709872ea1 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_serial_number_not_positive.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_serial_number_not_positive.go
@@ -1,7 +1,7 @@
 package rfc
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
@@ -40,13 +40,15 @@ type SerialNumberNotPositive struct{}
 ************************************************/
 
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_serial_number_not_positive",
- Description: "Certificates must have a positive serial number",
- Citation: "RFC 5280: 4.1.2.2",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC3280Date,
- Lint: NewSerialNumberNotPositive,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_serial_number_not_positive",
+ Description: "Certificates must have a positive serial number",
+ Citation: "RFC 5280: 4.1.2.2",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC3280Date,
+ },
+ Lint: NewSerialNumberNotPositive,
 })
 }
 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_spki_rsa_encryption_parameter_not_null.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_spki_rsa_encryption_parameter_not_null.go
index 0aff82047..a55ada9d7 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_spki_rsa_encryption_parameter_not_null.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_spki_rsa_encryption_parameter_not_null.go
@@ -1,7 +1,7 @@
 package rfc
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
@@ -30,13 +30,15 @@ RSA: Encoded algorithm identifier MUST have NULL parameters.
 *******************************************************************************************************/
 
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_spki_rsa_encryption_parameter_not_null",
- Description: "RSA: Encoded public key algorithm identifier MUST have NULL parameters",
- Citation: "RFC 4055, Section 1.2",
- Source: lint.RFC5280, // RFC4055 is referenced in lint.RFC5280, Section 1
- EffectiveDate: util.RFC5280Date,
- Lint: NewRsaSPKIEncryptionParamNotNULL,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_spki_rsa_encryption_parameter_not_null",
+ Description: "RSA: Encoded public key algorithm identifier MUST have NULL parameters",
+ Citation: "RFC 4055, Section 1.2",
+ Source: lint.RFC5280, // RFC4055 is referenced in lint.RFC5280, Section 1
+ EffectiveDate: util.RFC5280Date,
+ },
+ Lint: NewRsaSPKIEncryptionParamNotNULL,
 })
 }
 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_common_name_max_length.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_common_name_max_length.go
index 49cc4eded..9126548ac 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_common_name_max_length.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_common_name_max_length.go
@@ -1,7 +1,7 @@
 package rfc
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
@@ -32,13 +32,15 @@ RFC 5280: A.1
 ************************************************/
 
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_subject_common_name_max_length",
- Description: "The commonName field of the subject MUST be less than 65 characters",
- Citation: "RFC 5280: A.1",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC2459Date,
- Lint: NewSubjectCommonNameMaxLength,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_subject_common_name_max_length",
+ Description: "The commonName field of the subject MUST be less than 65 characters",
+ Citation: "RFC 5280: A.1",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC2459Date,
+ },
+ Lint: NewSubjectCommonNameMaxLength,
 })
 }
 
@@ -47,7 +49,7 @@ func NewSubjectCommonNameMaxLength() lint.LintInterface {
 }
 
 func (l *subjectCommonNameMaxLength) CheckApplies(c *x509.Certificate) bool {
- return true
+ return len(c.Subject.CommonName) > 0
 }
 
 func (l *subjectCommonNameMaxLength) Execute(c *x509.Certificate) *lint.LintResult {
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_dn_country_not_printable_string.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_dn_country_not_printable_string.go
index bf7b2e3bd..7c1236ac8 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_dn_country_not_printable_string.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_dn_country_not_printable_string.go
@@ -1,7 +1,7 @@
 package rfc
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
@@ -24,13 +24,15 @@ import (
 type SubjectDNCountryNotPrintableString struct{}
 
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_subject_dn_country_not_printable_string",
- Description: "X520 Distinguished Name Country MUST be encoded as PrintableString",
- Citation: "RFC 5280: Appendix A",
- Source: lint.RFC5280,
- EffectiveDate: util.ZeroDate,
- Lint: NewSubjectDNCountryNotPrintableString,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_subject_dn_country_not_printable_string",
+ Description: "X520 Distinguished Name Country MUST be encoded as PrintableString",
+ Citation: "RFC 5280: Appendix A",
+ Source: lint.RFC5280,
+ EffectiveDate: util.ZeroDate,
+ },
+ Lint: NewSubjectDNCountryNotPrintableString,
 })
 }
 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_dn_not_printable_characters.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_dn_not_printable_characters.go
index 5e75ae9e0..d3a04187e 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_dn_not_printable_characters.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_dn_not_printable_characters.go
@@ -1,5 +1,5 @@
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
@@ -26,13 +26,15 @@ import (
 type subjectDNNotPrintableCharacters struct{}
 
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_subject_dn_not_printable_characters",
- Description: "X520 Subject fields MUST only contain printable control characters",
- Citation: "RFC 5280: Appendix A",
- Source: lint.RFC5280,
- EffectiveDate: util.ZeroDate,
- Lint: NewSubjectDNNotPrintableCharacters,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_subject_dn_not_printable_characters",
+ Description: "X520 Subject fields MUST only contain printable control characters",
+ Citation: "RFC 5280: Appendix A",
+ Source: lint.RFC5280,
+ EffectiveDate: util.ZeroDate,
+ },
+ Lint: NewSubjectDNNotPrintableCharacters,
 })
 }
 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_dn_serial_number_max_length.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_dn_serial_number_max_length.go
index 0095cdbc3..3a983c466 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_dn_serial_number_max_length.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_dn_serial_number_max_length.go
@@ -1,7 +1,7 @@
 package rfc
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
@@ -25,13 +25,15 @@ import (
 type SubjectDNSerialNumberMaxLength struct{}
 
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_subject_dn_serial_number_max_length",
- Description: "The 'Serial Number' field of the subject MUST be less than 65 characters",
- Citation: "RFC 5280: Appendix A",
- Source: lint.RFC5280,
- EffectiveDate: util.ZeroDate,
- Lint: NewSubjectDNSerialNumberMaxLength,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_subject_dn_serial_number_max_length",
+ Description: "The 'Serial Number' field of the subject MUST be less than 65 characters",
+ Citation: "RFC 5280: Appendix A",
+ Source: lint.RFC5280,
+ EffectiveDate: util.ZeroDate,
+ },
+ Lint: NewSubjectDNSerialNumberMaxLength,
 })
 }
 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_dn_serial_number_not_printable_string.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_dn_serial_number_not_printable_string.go
index 4f1bf6e42..b772635b0 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_dn_serial_number_not_printable_string.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_dn_serial_number_not_printable_string.go
@@ -1,7 +1,7 @@
 package rfc
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
@@ -24,13 +24,15 @@ import (
 type SubjectDNSerialNumberNotPrintableString struct{}
 
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_subject_dn_serial_number_not_printable_string",
- Description: "X520 Distinguished Name SerialNumber MUST be encoded as PrintableString",
- Citation: "RFC 5280: Appendix A",
- Source: lint.RFC5280,
- EffectiveDate: util.ZeroDate,
- Lint: NewSubjectDNSerialNumberNotPrintableString,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_subject_dn_serial_number_not_printable_string",
+ Description: "X520 Distinguished Name SerialNumber MUST be encoded as PrintableString",
+ Citation: "RFC 5280: Appendix A",
+ Source: lint.RFC5280,
+ EffectiveDate: util.ZeroDate,
+ },
+ Lint: NewSubjectDNSerialNumberNotPrintableString,
 })
 }
 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_email_max_length.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_email_max_length.go
index 351951782..e4ca16bc0 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_email_max_length.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_email_max_length.go
@@ -1,7 +1,7 @@
 package rfc
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
@@ -39,13 +39,15 @@ ub-emailaddress-length INTEGER ::= 255
 ************************************************/
 
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_subject_email_max_length",
- Description: "The 'Email' field of the subject MUST be less than 256 characters",
- Citation: "RFC 5280: A.1",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC2459Date,
- Lint: NewSubjectEmailMaxLength,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_subject_email_max_length",
+ Description: "The 'Email' field of the subject MUST be less than 256 characters",
+ Citation: "RFC 5280: A.1",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC2459Date,
+ },
+ Lint: NewSubjectEmailMaxLength,
 })
 }
 
@@ -54,7 +56,7 @@ func NewSubjectEmailMaxLength() lint.LintInterface {
 }
 
 func (l *subjectEmailMaxLength) CheckApplies(c *x509.Certificate) bool {
- return true
+ return len(c.Subject.EmailAddress) > 0
 }
 
 func (l *subjectEmailMaxLength) Execute(c *x509.Certificate) *lint.LintResult {
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_empty_without_san.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_empty_without_san.go
index c8b92ef20..d53d96305 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_empty_without_san.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_empty_without_san.go
@@ -1,7 +1,7 @@
 package rfc
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
@@ -36,13 +36,15 @@ subjectAltName extension as non-critical.
 *************************************************************************/
 
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_subject_empty_without_san",
- Description: "CAs MUST support subject alternative name if the subject field is an empty sequence",
- Citation: "RFC 5280: 4.2 & 4.2.1.6",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC2459Date,
- Lint: NewEmptyWithoutSAN,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_subject_empty_without_san",
+ Description: "CAs MUST support subject alternative name if the subject field is an empty sequence",
+ Citation: "RFC 5280: 4.2 & 4.2.1.6",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC2459Date,
+ },
+ Lint: NewEmptyWithoutSAN,
 })
 }
 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_given_name_max_length.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_given_name_max_length.go
index 96f21dd00..b86e8eec8 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_given_name_max_length.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_given_name_max_length.go
@@ -1,7 +1,7 @@
 package rfc
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
@@ -50,13 +50,15 @@ ub-name INTEGER ::= 32768
 ************************************************/
 
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_subject_given_name_max_length",
- Description: "The 'GivenName' field of the subject MUST be less than 32769 characters",
- Citation: "RFC 5280: A.1",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC2459Date,
- Lint: NewSubjectGivenNameMaxLength,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_subject_given_name_max_length",
+ Description: "The 'GivenName' field of the subject MUST be less than 32769 characters",
+ Citation: "RFC 5280: A.1",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC2459Date,
+ },
+ Lint: NewSubjectGivenNameMaxLength,
 })
 }
 
@@ -65,7 +67,7 @@ func NewSubjectGivenNameMaxLength() lint.LintInterface {
 }
 
 func (l *subjectGivenNameMaxLength) CheckApplies(c *x509.Certificate) bool {
- return true
+ return len(c.Subject.GivenName) > 0
 }
 
 func (l *subjectGivenNameMaxLength) Execute(c *x509.Certificate) *lint.LintResult {
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_given_name_recommended_max_length.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_given_name_recommended_max_length.go
index 8fa32c78e..fab70f3cc 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_given_name_recommended_max_length.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_given_name_recommended_max_length.go
@@ -1,5 +1,5 @@
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
@@ -30,14 +30,16 @@ RFC 5280: A.1
 ************************************************/
 
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "w_subject_given_name_recommended_max_length",
- Description: "X.411 (1988) describes ub-common-name-length to be 64 bytes long. As systems may have " +
- "targeted this length, for compatibility purposes it may be prudent to limit given names to this length.",
- Citation: "ITU-T Rec. X.411 (11/1988), Annex B Reference Definition of MTS Parameter Upper Bounds",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC2459Date,
- Lint: NewSubjectGivenNameRecommendedMaxLength,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "w_subject_given_name_recommended_max_length",
+ Description: "X.411 (1988) describes ub-common-name-length to be 64 bytes long. As systems may have " +
+ "targeted this length, for compatibility purposes it may be prudent to limit given names to this length.",
+ Citation: "ITU-T Rec. X.411 (11/1988), Annex B Reference Definition of MTS Parameter Upper Bounds",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC2459Date,
+ },
+ Lint: NewSubjectGivenNameRecommendedMaxLength,
 })
 }
 
@@ -48,7 +50,7 @@ func NewSubjectGivenNameRecommendedMaxLength() lint.LintInterface {
 type SubjectGivenNameRecommendedMaxLength struct{}
 
 func (l *SubjectGivenNameRecommendedMaxLength) CheckApplies(c *x509.Certificate) bool {
- return true
+ return len(c.Subject.GivenName) > 0
 }
 
 func (l *SubjectGivenNameRecommendedMaxLength) Execute(c *x509.Certificate) *lint.LintResult {
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_info_access_marked_critical.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_info_access_marked_critical.go
index 52d3b5ccb..85b9ffdee 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_info_access_marked_critical.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_info_access_marked_critical.go
@@ -1,7 +1,7 @@
 package rfc
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
@@ -27,13 +27,15 @@ The subject information access extension indicates how to access information and
 ************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_subject_info_access_marked_critical",
- Description: "Conforming CAs MUST mark the Subject Info Access extension as non-critical",
- Citation: "RFC 5280: 4.2.2.2",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC3280Date,
- Lint: NewSiaCrit,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_subject_info_access_marked_critical",
+ Description: "Conforming CAs MUST mark the Subject Info Access extension as non-critical",
+ Citation: "RFC 5280: 4.2.2.2",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC3280Date,
+ },
+ Lint: NewSiaCrit,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_locality_name_max_length.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_locality_name_max_length.go
index a317fc4ec..643368bc2 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_locality_name_max_length.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_locality_name_max_length.go
@@ -1,7 +1,7 @@
 package rfc
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
@@ -32,13 +32,15 @@ RFC 5280: A.1
 ************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_subject_locality_name_max_length",
- Description: "The 'Locality Name' field of the subject MUST be less than 129 characters",
- Citation: "RFC 5280: A.1",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC2459Date,
- Lint: NewSubjectLocalityNameMaxLength,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_subject_locality_name_max_length",
+ Description: "The 'Locality Name' field of the subject MUST be less than 129 characters",
+ Citation: "RFC 5280: A.1",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC2459Date,
+ },
+ Lint: NewSubjectLocalityNameMaxLength,
 })
 }
@@ -47,7 +49,7 @@ func NewSubjectLocalityNameMaxLength() lint.LintInterface {
 }
 func (l *subjectLocalityNameMaxLength) CheckApplies(c *x509.Certificate) bool {
- return true
+ return len(c.Subject.Locality) > 0
 }
 func (l *subjectLocalityNameMaxLength) Execute(c *x509.Certificate) *lint.LintResult {
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_not_dn.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_not_dn.go
index 43be8a466..9256742f8 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_not_dn.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_not_dn.go
@@ -1,7 +1,7 @@
 package rfc
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
@@ -35,13 +35,15 @@ type subjectDN struct{}
 *************************************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_subject_not_dn",
- Description: "When not empty, the subject field MUST be a distinguished name",
- Citation: "RFC 5280: 4.1.2.6",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC2459Date,
- Lint: NewSubjectDN,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_subject_not_dn",
+ Description: "When not empty, the subject field MUST be a distinguished name",
+ Citation: "RFC 5280: 4.1.2.6",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC2459Date,
+ },
+ Lint: NewSubjectDN,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_organization_name_max_length.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_organization_name_max_length.go
index 9e77e3cfd..469968a6a 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_organization_name_max_length.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_organization_name_max_length.go
@@ -1,7 +1,7 @@
 package rfc
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
@@ -32,13 +32,15 @@ RFC 5280: A.1
 ************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_subject_organization_name_max_length",
- Description: "The 'Organization Name' field of the subject MUST be less than 65 characters",
- Citation: "RFC 5280: A.1",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC2459Date,
- Lint: NewSubjectOrganizationNameMaxLength,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_subject_organization_name_max_length",
+ Description: "The 'Organization Name' field of the subject MUST be less than 65 characters",
+ Citation: "RFC 5280: A.1",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC2459Date,
+ },
+ Lint: NewSubjectOrganizationNameMaxLength,
 })
 }
@@ -47,7 +49,7 @@ func NewSubjectOrganizationNameMaxLength() lint.LintInterface {
 }
 func (l *subjectOrganizationNameMaxLength) CheckApplies(c *x509.Certificate) bool {
- return true
+ return len(c.Subject.Organization) > 0
 }
 func (l *subjectOrganizationNameMaxLength) Execute(c *x509.Certificate) *lint.LintResult {
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_organizational_unit_name_max_length.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_organizational_unit_name_max_length.go
index ef3a9e428..15c2edcc8 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_organizational_unit_name_max_length.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_organizational_unit_name_max_length.go
@@ -1,7 +1,7 @@
 package rfc
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
@@ -32,13 +32,15 @@ RFC 5280: A.1
 ************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_subject_organizational_unit_name_max_length",
- Description: "The 'Organizational Unit Name' field of the subject MUST be less than 65 characters",
- Citation: "RFC 5280: A.1",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC2459Date,
- Lint: NewSubjectOrganizationalUnitNameMaxLength,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_subject_organizational_unit_name_max_length",
+ Description: "The 'Organizational Unit Name' field of the subject MUST be less than 65 characters",
+ Citation: "RFC 5280: A.1",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC2459Date,
+ },
+ Lint: NewSubjectOrganizationalUnitNameMaxLength,
 })
 }
@@ -47,7 +49,7 @@ func NewSubjectOrganizationalUnitNameMaxLength() lint.LintInterface {
 }
 func (l *subjectOrganizationalUnitNameMaxLength) CheckApplies(c *x509.Certificate) bool {
- return true
+ return len(c.Subject.OrganizationalUnit) > 0
 }
 func (l *subjectOrganizationalUnitNameMaxLength) Execute(c *x509.Certificate) *lint.LintResult {
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_postal_code_max_length.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_postal_code_max_length.go
index 26ee9e910..e812e7375 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_postal_code_max_length.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_postal_code_max_length.go
@@ -1,7 +1,7 @@
 package rfc
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
@@ -33,13 +33,15 @@ RFC 5280: A.1
 ************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_subject_postal_code_max_length",
- Description: "The 'PostalCode' field of the subject MUST be less than 17 characters",
- Citation: "RFC 5280: A.1",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC2459Date,
- Lint: NewSubjectPostalCodeMaxLength,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_subject_postal_code_max_length",
+ Description: "The 'PostalCode' field of the subject MUST be less than 17 characters",
+ Citation: "RFC 5280: A.1",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC2459Date,
+ },
+ Lint: NewSubjectPostalCodeMaxLength,
 })
 }
@@ -48,7 +50,7 @@ func NewSubjectPostalCodeMaxLength() lint.LintInterface {
 }
 func (l *subjectPostalCodeMaxLength) CheckApplies(c *x509.Certificate) bool {
- return true
+ return len(c.Subject.PostalCode) > 0
 }
 func (l *subjectPostalCodeMaxLength) Execute(c *x509.Certificate) *lint.LintResult {
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_printable_string_badalpha.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_printable_string_badalpha.go
index b52a9ef5f..a5da6ebc5 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_printable_string_badalpha.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_printable_string_badalpha.go
@@ -1,5 +1,5 @@
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
@@ -26,13 +26,15 @@ import (
 )
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_subject_printable_string_badalpha",
- Description: "PrintableString type's alphabet only includes a-z, A-Z, 0-9, and 11 special characters",
- Citation: "RFC 5280: Appendix B. ASN.1 Notes",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC2459Date,
- Lint: NewSubjectPrintableStringBadAlpha,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_subject_printable_string_badalpha",
+ Description: "PrintableString type's alphabet only includes a-z, A-Z, 0-9, and 11 special characters",
+ Citation: "RFC 5280: Appendix B. ASN.1 Notes",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC2459Date,
+ },
+ Lint: NewSubjectPrintableStringBadAlpha,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_state_name_max_length.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_state_name_max_length.go
index 616ee8b92..0b38c3f14 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_state_name_max_length.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_state_name_max_length.go
@@ -1,7 +1,7 @@
 package rfc
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
@@ -32,13 +32,15 @@ RFC 5280: A.1
 ************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_subject_state_name_max_length",
- Description: "The 'State Name' field of the subject MUST be less than 129 characters",
- Citation: "RFC 5280: A.1",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC2459Date,
- Lint: NewSubjectStateNameMaxLength,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_subject_state_name_max_length",
+ Description: "The 'State Name' field of the subject MUST be less than 129 characters",
+ Citation: "RFC 5280: A.1",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC2459Date,
+ },
+ Lint: NewSubjectStateNameMaxLength,
 })
 }
@@ -47,7 +49,7 @@ func NewSubjectStateNameMaxLength() lint.LintInterface {
 }
 func (l *subjectStateNameMaxLength) CheckApplies(c *x509.Certificate) bool {
- return true
+ return len(c.Subject.Province) > 0
 }
 func (l *subjectStateNameMaxLength) Execute(c *x509.Certificate) *lint.LintResult {
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_street_address_max_length.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_street_address_max_length.go
index a65340699..2359cff36 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_street_address_max_length.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_street_address_max_length.go
@@ -1,7 +1,7 @@
 package rfc
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
@@ -31,13 +31,15 @@ ub-street-address INTEGER ::= 128
 ************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_subject_street_address_max_length",
- Description: "The 'StreetAddress' field of the subject MUST be less than 129 characters",
- Citation: "ITU-T X.520 (02/2001) UpperBounds",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC2459Date,
- Lint: NewSubjectStreetAddressMaxLength,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_subject_street_address_max_length",
+ Description: "The 'StreetAddress' field of the subject MUST be less than 129 characters",
+ Citation: "ITU-T X.520 (02/2001) UpperBounds",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC2459Date,
+ },
+ Lint: NewSubjectStreetAddressMaxLength,
 })
 }
@@ -46,7 +48,7 @@ func NewSubjectStreetAddressMaxLength() lint.LintInterface {
 }
 func (l *subjectStreetAddressMaxLength) CheckApplies(c *x509.Certificate) bool {
- return true
+ return len(c.Subject.StreetAddress) > 0
 }
 func (l *subjectStreetAddressMaxLength) Execute(c *x509.Certificate) *lint.LintResult {
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_surname_max_length.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_surname_max_length.go
index a27fd9b37..5fc3d20d5 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_surname_max_length.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_surname_max_length.go
@@ -1,7 +1,7 @@
 package rfc
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
@@ -50,13 +50,15 @@ ub-name INTEGER ::= 32768
 ************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_subject_surname_max_length",
- Description: "The 'Surname' field of the subject MUST be less than 32769 characters",
- Citation: "RFC 5280: A.1",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC2459Date,
- Lint: NewSubjectSurnameMaxLength,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_subject_surname_max_length",
+ Description: "The 'Surname' field of the subject MUST be less than 32769 characters",
+ Citation: "RFC 5280: A.1",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC2459Date,
+ },
+ Lint: NewSubjectSurnameMaxLength,
 })
 }
@@ -65,7 +67,7 @@ func NewSubjectSurnameMaxLength() lint.LintInterface {
 }
 func (l *subjectSurnameMaxLength) CheckApplies(c *x509.Certificate) bool {
- return true
+ return len(c.Subject.Surname) > 0
 }
 func (l *subjectSurnameMaxLength) Execute(c *x509.Certificate) *lint.LintResult {
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_surname_recommended_max_length.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_surname_recommended_max_length.go
index 537cd3f0a..652b085f1 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_surname_recommended_max_length.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_surname_recommended_max_length.go
@@ -1,5 +1,5 @@
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
@@ -30,14 +30,16 @@ RFC 5280: A.1
 ************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "w_subject_surname_recommended_max_length",
- Description: "X.411 (1988) describes ub-common-name-length to be 64 bytes long. As systems may have " +
- "targeted this length, for compatibility purposes it may be prudent to limit surnames to this length.",
- Citation: "ITU-T Rec. X.411 (11/1988), Annex B Reference Definition of MTS Parameter Upper Bounds",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC2459Date,
- Lint: NewSubjectSurnameRecommendedMaxLength,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "w_subject_surname_recommended_max_length",
+ Description: "X.411 (1988) describes ub-common-name-length to be 64 bytes long. As systems may have " +
+ "targeted this length, for compatibility purposes it may be prudent to limit surnames to this length.",
+ Citation: "ITU-T Rec. X.411 (11/1988), Annex B Reference Definition of MTS Parameter Upper Bounds",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC2459Date,
+ },
+ Lint: NewSubjectSurnameRecommendedMaxLength,
 })
 }
@@ -48,7 +50,7 @@ func NewSubjectSurnameRecommendedMaxLength() lint.LintInterface {
 type SubjectSurnameRecommendedMaxLength struct{}
 func (l *SubjectSurnameRecommendedMaxLength) CheckApplies(c *x509.Certificate) bool {
- return true
+ return len(c.Subject.Surname) > 0
 }
 func (l *SubjectSurnameRecommendedMaxLength) Execute(c *x509.Certificate) *lint.LintResult {
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_superfluous_ku_encoding.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_superfluous_ku_encoding.go
index e8f9f50ff..54f44fe4a 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_superfluous_ku_encoding.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_superfluous_ku_encoding.go
@@ -1,5 +1,5 @@
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
@@ -24,13 +24,15 @@ import (
 )
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_superfluous_ku_encoding",
- Description: "RFC 5280 Section 4.2.1.3 describes the value of a KeyUsage to be a DER encoded BitString, which itself must not have unnecessary trailing 00 bytes.",
- Citation: "1.2.2 Where Rec. ITU-T X.680 | ISO/IEC 8824-1, 22.7, applies, the bitstring shall have all trailing 0 bits removed before it is encoded.",
- Source: lint.RFC5280,
- EffectiveDate: util.ZeroDate,
- Lint: func() lint.LintInterface { return &superfluousKuEncoding{} },
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_superfluous_ku_encoding",
+ Description: "RFC 5280 Section 4.2.1.3 describes the value of a KeyUsage to be a DER encoded BitString, which itself must not have unnecessary trailing 00 bytes.",
+ Citation: "1.2.2 Where Rec. ITU-T X.680 | ISO/IEC 8824-1, 22.7, applies, the bitstring shall have all trailing 0 bits removed before it is encoded.",
+ Source: lint.RFC5280,
+ EffectiveDate: util.ZeroDate,
+ },
+ Lint: func() lint.LintInterface { return &superfluousKuEncoding{} },
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_tbs_signature_alg_matches_cert_signature_alg.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_tbs_signature_alg_matches_cert_signature_alg.go
index 2bbd0b2a8..04b577aa2 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_tbs_signature_alg_matches_cert_signature_alg.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_tbs_signature_alg_matches_cert_signature_alg.go
@@ -1,5 +1,5 @@
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
@@ -34,13 +34,15 @@ tbsCertificate
 ********************************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_cert_sig_alg_not_match_tbs_sig_alg",
- Description: "Certificate signature field must match TBSCertificate signature field",
- Citation: "RFC 5280, Section 4.1.1.2",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC5280Date,
- Lint: NewMismatchingSigAlg,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_cert_sig_alg_not_match_tbs_sig_alg",
+ Description: "Certificate signature field must match TBSCertificate signature field",
+ Citation: "RFC 5280, Section 4.1.1.2",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC5280Date,
+ },
+ Lint: NewMismatchingSigAlg,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_tbs_signature_rsa_encryption_parameter_not_null.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_tbs_signature_rsa_encryption_parameter_not_null.go
index 0d79731f5..4731106e8 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_tbs_signature_rsa_encryption_parameter_not_null.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_tbs_signature_rsa_encryption_parameter_not_null.go
@@ -1,7 +1,7 @@
 package rfc
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
@@ -32,13 +32,15 @@ RSA: Encoded algorithm identifier MUST have NULL parameters.
 *******************************************************************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_tbs_signature_rsa_encryption_parameter_not_null",
- Description: "RSA: Encoded signature algorithm identifier MUST have NULL parameters",
- Citation: "RFC 4055, Section 5",
- Source: lint.RFC5280, // RFC4055 is referenced in RFC5280, Section 1
- EffectiveDate: util.RFC5280Date,
- Lint: NewRsaTBSSignatureEncryptionParamNotNULL,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_tbs_signature_rsa_encryption_parameter_not_null",
+ Description: "RSA: Encoded signature algorithm identifier MUST have NULL parameters",
+ Citation: "RFC 4055, Section 5",
+ Source: lint.RFC5280, // RFC4055 is referenced in RFC5280, Section 1
+ EffectiveDate: util.RFC5280Date,
+ },
+ Lint: NewRsaTBSSignatureEncryptionParamNotNULL,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_utc_time_does_not_include_seconds.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_utc_time_does_not_include_seconds.go
index 913c329b6..971b1e2d3 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_utc_time_does_not_include_seconds.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_utc_time_does_not_include_seconds.go
@@ -1,7 +1,7 @@
 package rfc
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
@@ -41,13 +41,15 @@ systems MUST interpret the year field (YY) as follows:
 ************************************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_utc_time_does_not_include_seconds",
- Description: "UTCTime values MUST include seconds",
- Citation: "RFC 5280: 4.1.2.5.1",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC2459Date,
- Lint: NewUtcNoSecond,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_utc_time_does_not_include_seconds",
+ Description: "UTCTime values MUST include seconds",
+ Citation: "RFC 5280: 4.1.2.5.1",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC2459Date,
+ },
+ Lint: NewUtcNoSecond,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_utc_time_not_in_zulu.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_utc_time_not_in_zulu.go
index 4db76b0da..f14c477cb 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_utc_time_not_in_zulu.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_utc_time_not_in_zulu.go
@@ -1,7 +1,7 @@
 package rfc
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
@@ -44,13 +44,15 @@ type utcTimeGMT struct{}
 ***********************************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_utc_time_not_in_zulu",
- Description: "UTCTime values MUST be expressed in Greenwich Mean Time (Zulu)",
- Citation: "RFC 5280: 4.1.2.5.1",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC2459Date,
- Lint: NewUtcTimeGMT,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_utc_time_not_in_zulu",
+ Description: "UTCTime values MUST be expressed in Greenwich Mean Time (Zulu)",
+ Citation: "RFC 5280: 4.1.2.5.1",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC2459Date,
+ },
+ Lint: NewUtcTimeGMT,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_wrong_time_format_pre2050.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_wrong_time_format_pre2050.go
index 7ecc63158..7cff58574 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_wrong_time_format_pre2050.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_wrong_time_format_pre2050.go
@@ -1,7 +1,7 @@
 package rfc
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
@@ -34,13 +34,15 @@ are encoded in either UTCTime or GeneralizedTime.
 *********************************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_wrong_time_format_pre2050",
- Description: "Certificates valid through the year 2049 MUST be encoded in UTC time",
- Citation: "RFC 5280: 4.1.2.5",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC2459Date,
- Lint: NewGeneralizedPre2050,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_wrong_time_format_pre2050",
+ Description: "Certificates valid through the year 2049 MUST be encoded in UTC time",
+ Citation: "RFC 5280: 4.1.2.5",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC2459Date,
+ },
+ Lint: NewGeneralizedPre2050,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/newLint.sh b/vendor/github.com/zmap/zlint/v3/newLint.sh
index fde173dc4..859d8e93f 100644
--- a/vendor/github.com/zmap/zlint/v3/newLint.sh
+++ b/vendor/github.com/zmap/zlint/v3/newLint.sh
@@ -1,51 +1,102 @@ -# Script to create new lint from template +#!/usr/bin/env bash -USAGE="Usage: $0 +function usage() { + echo "./newLint.sh [-h|--help] -r|--req -f|--file -s|--struct " + echo "" + echo "Options:" + echo " -h|--help Prints this help text." + echo " -r|--req The name of the requirements body governing this lint. Valid options are $(valid_requirement_names)." + echo " -f|--file The target filename for the given lint (no file extension is required)." + echo " -s|--struct The name of the Golang struct to create." + echo "" + echo "Example:" + echo " $ ./newLint.sh --req rfc --file crl_must_be_good --struct CrlMustBeGood " + echo " Created lint file /home/chris/projects/zlint/v3/lints/rfc/lint_crl_must_be_good.go with struct name CrlMustBeGood" + echo " Created test file /home/chris/projects/zlint/v3/lints/rfc/lint_crl_must_be_good_test.go" +} -ARG1: Path_name -ARG2: File_name/TestName (no 'lint_' prefix) -ARG3: Struct_name" +function git_root() { + git rev-parse --show-toplevel +} -if [ $# -eq 0 ]; then - echo "No arguments provided..." - echo "$USAGE" - exit 1 -fi +# Searches within the v3/lints directory for a subdirectory matching +# the name of the governing requirements body provided by the -r|--req flag. +# +# Exits with error code 1 if no such directory is found +function requirement_dir_exists() { + exists=$(find "$(git_root)/v3/lints/" -maxdepth 1 -type d -not -name lints -name "${1}") + if [ -z "${exists}" ]; then + echo "Unknown requirements body (${1}). Valid options are $(valid_requirement_names)." + usage + exit 1 + fi +} -if [ $# -eq 1 ]; then - echo "Not enough arguments provided..." - echo "$USAGE" - exit 1 -fi +# Echoes out a comma separated list of directories within v3/lints +function valid_requirement_names() { + names=$(find "$(git_root)/v3/lints/" -type d -not -name "lints" -exec basename {} \;) + echo -n "${names}" | tr '\n' ', ' +} -if [ $# -eq 2 ]; then - echo "Not enough arguments provided..." 
- echo "$USAGE" - exit 1 -fi +while [[ $# -gt 0 ]]; do + case "$1" in + -r | --req) + requirement_dir_exists "${2}" + REQUIREMENT="${2}" + shift 2 + ;; + -f | --file) + LINTNAME="${2}" + FILENAME="lint_${LINTNAME}.go" + TEST_FILENAME="lint_${LINTNAME}_test.go" + shift 2 + ;; + -s | --struct) + STRUCTNAME="$2" + shift 2 + ;; + -h | --help) + usage + exit 0 + ;; + *) + echo "Unknown option: $1" + usage + exit 1 + ;; + esac +done -if [ ! -d lints/$1 ] -then - echo "Directory 'lints/$1' does not exist. Can't make new file." - exit 1 +if [ -z "${REQUIREMENT}" ]; then + echo "The -r|--req flag is required. Valid options are $(valid_requirement_names)" + usage + exit 1 fi +if [ -z "${LINTNAME}" ]; then + echo "The -f|--file flag is required." + usage + exit 1 +fi -if [ -e lints/$1/lint_$2.go ] -then - echo "File already exists. Can't make new file." - exit 1 +if [ -z "${STRUCTNAME}" ]; then + echo "The -s|--strut flag is required." + usage + exit 1 fi -PATHNAME=$1 -LINTNAME=$2 -# Remove the first two characters from ${LINTNAME} and save the resulting string into FILENAME -FILENAME=${LINTNAME:2} -STRUCTNAME=$3 +PATHNAME="$(git_root)/v3/lints/${REQUIREMENT}/${FILENAME}" +TEST_PATHNAME="$(git_root)/v3/lints/${REQUIREMENT}/${TEST_FILENAME}" + +sed -e "s/PACKAGE/${REQUIREMENT}/" \ + -e "s/PASCAL_CASE_SUBST/${STRUCTNAME^}/g" \ + -e "s/SUBST/${STRUCTNAME}/g" \ + -e "s/SUBTEST/${LINTNAME}/g" "$(git_root)/v3/template" > "${PATHNAME}" -sed -e "s/PACKAGE/${PATHNAME}/" \ +sed -e "s/PACKAGE/${REQUIREMENT}/" \ -e "s/PASCAL_CASE_SUBST/${STRUCTNAME^}/g" \ -e "s/SUBST/${STRUCTNAME}/g" \ - -e "s/SUBTEST/${LINTNAME}/g" template > lints/${PATHNAME}/lint_${FILENAME}.go + -e "s/SUBTEST/${LINTNAME}/g" "$(git_root)/v3/test_template" > "${TEST_PATHNAME}" -echo "Created file lints/${PATHNAME}/lint_${FILENAME}.go with struct name ${STRUCTNAME}" +echo "Created lint file ${PATHNAME} with struct name ${STRUCTNAME}" +echo "Created test file ${TEST_PATHNAME}" 
diff --git a/vendor/github.com/zmap/zlint/v3/profileTemplate b/vendor/github.com/zmap/zlint/v3/profileTemplate
index 109dc7d25..a65f3443e 100644
--- a/vendor/github.com/zmap/zlint/v3/profileTemplate
+++ b/vendor/github.com/zmap/zlint/v3/profileTemplate
@@ -1,5 +1,5 @@
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/resultset.go b/vendor/github.com/zmap/zlint/v3/resultset.go
index 9701e146c..5fd34d814 100644
--- a/vendor/github.com/zmap/zlint/v3/resultset.go
+++ b/vendor/github.com/zmap/zlint/v3/resultset.go
@@ -1,5 +1,5 @@
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
@@ -39,6 +39,7 @@ func (z *ResultSet) executeCertificate(o *x509.Certificate, registry lint.Regist
 // Run each lint from the registry.
 for _, lint := range registry.CertificateLints().Lints() {
 res := lint.Execute(o, registry.GetConfiguration())
+ res.LintMetadata = lint.LintMetadata
 z.Results[lint.Name] = res
 z.updateErrorStatePresent(res)
 }
@@ -52,6 +53,7 @@ func (z *ResultSet) executeRevocationList(o *x509.RevocationList, registry lint.
 // Run each lints from the registry.
 for _, lint := range registry.RevocationListLints().Lints() {
 res := lint.Execute(o, registry.GetConfiguration())
+ res.LintMetadata = lint.LintMetadata
 z.Results[lint.Name] = res
 z.updateErrorStatePresent(res)
 }
diff --git a/vendor/github.com/zmap/zlint/v3/template b/vendor/github.com/zmap/zlint/v3/template
index c474cc41e..224791623 100644
--- a/vendor/github.com/zmap/zlint/v3/template
+++ b/vendor/github.com/zmap/zlint/v3/template
@@ -1,5 +1,5 @@
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
@@ -20,13 +20,15 @@ import (
 )
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "SUBTEST",
- Description: "Fill this in...",
- Citation: "Fill this in...",
- Source: UnknownLintSource,
- EffectiveDate: "Change this...",
- Lint: func() lint.LintInterface { return &SUBST{} },
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "SUBTEST",
+ Description: "Fill this in...",
+ Citation: "Fill this in...",
+ Source: UnknownLintSource,
+ EffectiveDate: "Change this...",
+ },
+ Lint: NewPASCAL_CASE_SUBST,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/test_template b/vendor/github.com/zmap/zlint/v3/test_template
new file mode 100644
index 000000000..fdc41ce91
--- /dev/null
+++ b/vendor/github.com/zmap/zlint/v3/test_template
@@ -0,0 +1,31 @@
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+package PACKAGE
+
+import (
+ "testing"
+
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/test"
+)
+
+func TestPASCAL_CASE_SUBST(t *testing.T) {
+ inputPath := "TEST_CERT.pem"
+ expected := lint.Error
+ out := test.TestLint("LINT_NAME", inputPath)
+ if out.Status != expected {
+ t.Errorf("%s: expected %s, got %s", inputPath, expected, out.Status)
+ }
+}
diff --git a/vendor/github.com/zmap/zlint/v3/util/ca.go b/vendor/github.com/zmap/zlint/v3/util/ca.go
index c24634811..c5cac2a54 100644
--- a/vendor/github.com/zmap/zlint/v3/util/ca.go
+++ b/vendor/github.com/zmap/zlint/v3/util/ca.go
@@ -1,5 +1,5 @@
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
@@ -62,3 +62,19 @@ func IsServerAuthCert(cert *x509.Certificate) bool {
 }
 return false
 }
+
+// IsEmailProtectionCert returns true if the certificate presented is for use protecting emails.
+// A certificate is for use protecting emails if it contains the Any Purpose or emailProtection
+// EKUs or if the certificate contains no EKUs. This last point is a way of being overly cautious
+// and choosing to prefer false positives over false negatives.
+func IsEmailProtectionCert(cert *x509.Certificate) bool {
+ if len(cert.ExtKeyUsage) == 0 {
+ return true
+ }
+ for _, eku := range cert.ExtKeyUsage {
+ if eku == x509.ExtKeyUsageAny || eku == x509.ExtKeyUsageEmailProtection {
+ return true
+ }
+ }
+ return false
+}
diff --git a/vendor/github.com/zmap/zlint/v3/util/countries.go b/vendor/github.com/zmap/zlint/v3/util/countries.go
index 2ec04aee9..01915433d 100644
--- a/vendor/github.com/zmap/zlint/v3/util/countries.go
+++ b/vendor/github.com/zmap/zlint/v3/util/countries.go
@@ -1,5 +1,5 @@
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/util/eku.go b/vendor/github.com/zmap/zlint/v3/util/eku.go
index 9b2b53695..cd745da7d 100644
--- a/vendor/github.com/zmap/zlint/v3/util/eku.go
+++ b/vendor/github.com/zmap/zlint/v3/util/eku.go
@@ -1,6 +1,11 @@
 package util
-import "github.com/zmap/zcrypto/x509"
+import (
+ "fmt"
+ "sort"
+
+ "github.com/zmap/zcrypto/x509"
+)
 // HasEKU tests whether an Extended Key Usage (EKU) is present in a certificate.
 func HasEKU(cert *x509.Certificate, eku x509.ExtKeyUsage) bool {
@@ -12,3 +17,40 @@ func HasEKU(cert *x509.Certificate, eku x509.ExtKeyUsage) bool {
 return false
 }
+
+// GetEKUString returns a human friendly Extended Key Usage (EKU) string.
+func GetEKUString(eku x509.ExtKeyUsage) string {
+ switch eku {
+ case x509.ExtKeyUsageAny:
+ return "any"
+ case x509.ExtKeyUsageServerAuth:
+ return "serverAuth"
+ case x509.ExtKeyUsageClientAuth:
+ return "clientAuth"
+ case x509.ExtKeyUsageCodeSigning:
+ return "codeSigning"
+ case x509.ExtKeyUsageEmailProtection:
+ return "emailProtection"
+ case x509.ExtKeyUsageIpsecUser:
+ return "ipSecUser"
+ case x509.ExtKeyUsageIpsecTunnel:
+ return "ipSecTunnel"
+ case x509.ExtKeyUsageOcspSigning:
+ return "ocspSigning"
+ case x509.ExtKeyUsageMicrosoftServerGatedCrypto:
+ return "microsoftServerGatedCrypto"
+ case x509.ExtKeyUsageNetscapeServerGatedCrypto:
+ return "netscapeServerGatedCrypto"
+ }
+ return fmt.Sprintf("unknown EKU %d", eku)
+}
+
+// GetEKUStrings returns a list of human friendly Extended Key Usage (EKU) strings.
+func GetEKUStrings(eku []x509.ExtKeyUsage) []string {
+ var ekuStrings []string
+ for _, currentEku := range eku {
+ ekuStrings = append(ekuStrings, GetEKUString(currentEku))
+ }
+ sort.Strings(ekuStrings)
+ return ekuStrings
+}
diff --git a/vendor/github.com/zmap/zlint/v3/util/encodings.go b/vendor/github.com/zmap/zlint/v3/util/encodings.go
index 316217440..ca192675f 100644
--- a/vendor/github.com/zmap/zlint/v3/util/encodings.go
+++ b/vendor/github.com/zmap/zlint/v3/util/encodings.go
@@ -1,5 +1,5 @@
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/util/ev.go b/vendor/github.com/zmap/zlint/v3/util/ev.go
index 54729f7dc..e3d3c1b32 100644
--- a/vendor/github.com/zmap/zlint/v3/util/ev.go
+++ b/vendor/github.com/zmap/zlint/v3/util/ev.go
@@ -1,5 +1,5 @@
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/util/fqdn.go b/vendor/github.com/zmap/zlint/v3/util/fqdn.go
index 4be2ffb9f..ff4859da3 100644
--- a/vendor/github.com/zmap/zlint/v3/util/fqdn.go
+++ b/vendor/github.com/zmap/zlint/v3/util/fqdn.go
@@ -1,5 +1,5 @@
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
@@ -17,6 +17,7 @@ package util
 import (
 "net"
 "net/url"
+ "regexp"
 "strings"
 zcutil "github.com/zmap/zcrypto/util"
@@ -117,3 +118,14 @@ func CommonNameIsIP(cert *x509.Certificate) bool {
 return true
 }
 }
+
+var nonLDHCharacterRegex = regexp.MustCompile(`[^a-zA-Z0-9\-]`)
+
+func IsLDHLabel(label string) bool {
+ return len(label) > 0 &&
+ len(label) <= 63 &&
+ !nonLDHCharacterRegex.MatchString(label) &&
+ !strings.HasPrefix(label, "-") &&
+ !strings.HasSuffix(label, "-") &&
+ !(HasReservedLabelPrefix(label) && !HasXNLabelPrefix(label))
+}
diff --git a/vendor/github.com/zmap/zlint/v3/util/gtld.go b/vendor/github.com/zmap/zlint/v3/util/gtld.go
index 6a7fb64f3..c39429e56 100644
--- a/vendor/github.com/zmap/zlint/v3/util/gtld.go
+++ b/vendor/github.com/zmap/zlint/v3/util/gtld.go
@@ -1,5 +1,5 @@
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/util/gtld_map.go b/vendor/github.com/zmap/zlint/v3/util/gtld_map.go index 22613c3b2..0dc054549 100644 --- a/vendor/github.com/zmap/zlint/v3/util/gtld_map.go +++ b/vendor/github.com/zmap/zlint/v3/util/gtld_map.go @@ -2,7 +2,7 @@ // This file was generated by zlint-gtld-update. /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy @@ -31,7 +31,7 @@ var tldMap = map[string]GTLDPeriod{ "abarth": { GTLD: "abarth", DelegationDate: "2016-08-04", - RemovalDate: "", + RemovalDate: "2023-06-05", }, "abb": { GTLD: "abb", @@ -116,7 +116,7 @@ var tldMap = map[string]GTLDPeriod{ "adac": { GTLD: "adac", DelegationDate: "2016-01-26", - RemovalDate: "", + RemovalDate: "2022-11-26", }, "ads": { GTLD: "ads", @@ -226,7 +226,7 @@ var tldMap = map[string]GTLDPeriod{ "alfaromeo": { GTLD: "alfaromeo", DelegationDate: "2016-08-02", - RemovalDate: "", + RemovalDate: "2023-06-05", }, "alibaba": { GTLD: "alibaba", @@ -481,7 +481,7 @@ var tldMap = map[string]GTLDPeriod{ "avianca": { GTLD: "avianca", DelegationDate: "2016-03-09", - RemovalDate: "", + RemovalDate: "2024-03-27", }, "aw": { GTLD: "aw", @@ -536,7 +536,7 @@ var tldMap = map[string]GTLDPeriod{ "bananarepublic": { GTLD: "bananarepublic", DelegationDate: "2016-08-04", - RemovalDate: "", + RemovalDate: "2024-01-22", }, "band": { GTLD: "band", @@ -1161,7 +1161,7 @@ var tldMap = map[string]GTLDPeriod{ "cbs": { GTLD: "cbs", DelegationDate: "2016-08-04", - RemovalDate: "", + RemovalDate: "2023-10-25", }, "cc": { GTLD: "cc", @@ -1321,7 +1321,7 @@ var tldMap = map[string]GTLDPeriod{ "cityeats": { GTLD: "cityeats", DelegationDate: "2015-11-10", - RemovalDate: "", + RemovalDate: "2023-10-18", }, "ck": { GTLD: "ck", 
@@ -1426,7 +1426,7 @@ var tldMap = map[string]GTLDPeriod{ "comcast": { GTLD: "comcast", DelegationDate: "2016-07-07", - RemovalDate: "", + RemovalDate: "2024-02-06", }, "commbank": { GTLD: "commbank", @@ -1491,7 +1491,7 @@ var tldMap = map[string]GTLDPeriod{ "cookingchannel": { GTLD: "cookingchannel", DelegationDate: "2016-06-23", - RemovalDate: "", + RemovalDate: "2023-06-14", }, "cool": { GTLD: "cool", @@ -2061,7 +2061,7 @@ var tldMap = map[string]GTLDPeriod{ "etisalat": { GTLD: "etisalat", DelegationDate: "2017-06-01", - RemovalDate: "", + RemovalDate: "2023-11-17", }, "eu": { GTLD: "eu", @@ -2196,7 +2196,7 @@ var tldMap = map[string]GTLDPeriod{ "fiat": { GTLD: "fiat", DelegationDate: "2016-08-02", - RemovalDate: "", + RemovalDate: "2023-06-05", }, "fidelity": { GTLD: "fidelity", @@ -2331,7 +2331,7 @@ var tldMap = map[string]GTLDPeriod{ "foodnetwork": { GTLD: "foodnetwork", DelegationDate: "2016-06-23", - RemovalDate: "", + RemovalDate: "2023-06-14", }, "football": { GTLD: "football", @@ -2396,7 +2396,7 @@ var tldMap = map[string]GTLDPeriod{ "frontdoor": { GTLD: "frontdoor", DelegationDate: "2016-06-23", - RemovalDate: "", + RemovalDate: "2023-10-18", }, "frontier": { GTLD: "frontier", @@ -2771,7 +2771,7 @@ var tldMap = map[string]GTLDPeriod{ "guardian": { GTLD: "guardian", DelegationDate: "2016-05-13", - RemovalDate: "", + RemovalDate: "2024-03-05", }, "gucci": { GTLD: "gucci", @@ -2876,7 +2876,7 @@ var tldMap = map[string]GTLDPeriod{ "hgtv": { GTLD: "hgtv", DelegationDate: "2016-06-23", - RemovalDate: "", + RemovalDate: "2023-06-14", }, "hiphop": { GTLD: "hiphop", @@ -2991,7 +2991,7 @@ var tldMap = map[string]GTLDPeriod{ "hoteles": { GTLD: "hoteles", DelegationDate: "2015-06-26", - RemovalDate: "", + RemovalDate: "2023-07-07", }, "hotels": { GTLD: "hotels", @@ -3471,7 +3471,7 @@ var tldMap = map[string]GTLDPeriod{ "kinder": { GTLD: "kinder", DelegationDate: "2015-10-09", - RemovalDate: "", + RemovalDate: "2023-11-02", }, "kindle": { GTLD: "kindle", 
@@ -3601,7 +3601,7 @@ var tldMap = map[string]GTLDPeriod{ "lancia": { GTLD: "lancia", DelegationDate: "2016-08-04", - RemovalDate: "", + RemovalDate: "2023-06-05", }, "lancome": { GTLD: "lancome", @@ -3766,7 +3766,7 @@ var tldMap = map[string]GTLDPeriod{ "linde": { GTLD: "linde", DelegationDate: "2015-09-16", - RemovalDate: "", + RemovalDate: "2023-03-17", }, "link": { GTLD: "link", @@ -3831,7 +3831,7 @@ var tldMap = map[string]GTLDPeriod{ "loft": { GTLD: "loft", DelegationDate: "2016-08-04", - RemovalDate: "", + RemovalDate: "2022-12-17", }, "lol": { GTLD: "lol", @@ -3936,7 +3936,7 @@ var tldMap = map[string]GTLDPeriod{ "macys": { GTLD: "macys", DelegationDate: "2016-07-12", - RemovalDate: "", + RemovalDate: "2023-03-07", }, "madrid": { GTLD: "madrid", @@ -4006,7 +4006,7 @@ var tldMap = map[string]GTLDPeriod{ "maserati": { GTLD: "maserati", DelegationDate: "2016-08-04", - RemovalDate: "", + RemovalDate: "2023-06-05", }, "mattel": { GTLD: "mattel", @@ -4351,7 +4351,7 @@ var tldMap = map[string]GTLDPeriod{ "mutual": { GTLD: "mutual", DelegationDate: "2016-04-05", - RemovalDate: "", + RemovalDate: "2023-08-01", }, "mutuelle": { GTLD: "mutuelle", @@ -4576,7 +4576,7 @@ var tldMap = map[string]GTLDPeriod{ "northwesternmutual": { GTLD: "northwesternmutual", DelegationDate: "2016-04-06", - RemovalDate: "", + RemovalDate: "2023-08-08", }, "norton": { GTLD: "norton", @@ -4676,7 +4676,7 @@ var tldMap = map[string]GTLDPeriod{ "oldnavy": { GTLD: "oldnavy", DelegationDate: "2016-08-04", - RemovalDate: "", + RemovalDate: "2024-01-22", }, "ollo": { GTLD: "ollo", @@ -4831,7 +4831,7 @@ var tldMap = map[string]GTLDPeriod{ "passagens": { GTLD: "passagens", DelegationDate: "2016-03-02", - RemovalDate: "", + RemovalDate: "2023-07-07", }, "pay": { GTLD: "pay", @@ -5361,7 +5361,7 @@ var tldMap = map[string]GTLDPeriod{ "rocher": { GTLD: "rocher", DelegationDate: "2015-11-07", - RemovalDate: "", + RemovalDate: "2023-11-02", }, "rocks": { GTLD: "rocks", 
@@ -5541,7 +5541,7 @@ var tldMap = map[string]GTLDPeriod{ "sca": { GTLD: "sca", DelegationDate: "2014-08-14", - RemovalDate: "", + RemovalDate: "2023-12-11", }, "scb": { GTLD: "scb", @@ -5651,7 +5651,7 @@ var tldMap = map[string]GTLDPeriod{ "ses": { GTLD: "ses", DelegationDate: "2016-07-09", - RemovalDate: "", + RemovalDate: "2022-12-16", }, "seven": { GTLD: "seven", @@ -5746,7 +5746,7 @@ var tldMap = map[string]GTLDPeriod{ "showtime": { GTLD: "showtime", DelegationDate: "2016-08-04", - RemovalDate: "", + RemovalDate: "2023-10-25", }, "shriram": { GTLD: "shriram", @@ -6286,7 +6286,7 @@ var tldMap = map[string]GTLDPeriod{ "tiffany": { GTLD: "tiffany", DelegationDate: "2016-01-21", - RemovalDate: "", + RemovalDate: "2023-07-25", }, "tips": { GTLD: "tips", @@ -6436,7 +6436,7 @@ var tldMap = map[string]GTLDPeriod{ "travelchannel": { GTLD: "travelchannel", DelegationDate: "2016-06-23", - RemovalDate: "", + RemovalDate: "2023-06-14", }, "travelers": { GTLD: "travelers", @@ -6726,7 +6726,7 @@ var tldMap = map[string]GTLDPeriod{ "volkswagen": { GTLD: "volkswagen", DelegationDate: "2016-01-09", - RemovalDate: "", + RemovalDate: "2023-11-20", }, "volvo": { GTLD: "volvo", @@ -6761,7 +6761,7 @@ var tldMap = map[string]GTLDPeriod{ "vuelos": { GTLD: "vuelos", DelegationDate: "2016-03-02", - RemovalDate: "", + RemovalDate: "2023-07-07", }, "wales": { GTLD: "wales", @@ -6956,7 +6956,7 @@ var tldMap = map[string]GTLDPeriod{ "xfinity": { GTLD: "xfinity", DelegationDate: "2016-07-07", - RemovalDate: "", + RemovalDate: "2024-02-06", }, "xihuan": { GTLD: "xihuan", @@ -7366,7 +7366,7 @@ var tldMap = map[string]GTLDPeriod{ "xn--jlq61u9w7b": { GTLD: "xn--jlq61u9w7b", DelegationDate: "2015-12-18", - RemovalDate: "", + RemovalDate: "2022-12-06", }, "xn--jvr189m": { GTLD: "xn--jvr189m", 
@@ -7431,7 +7431,7 @@ var tldMap = map[string]GTLDPeriod{ "xn--mgbaakc7dvf": { GTLD: "xn--mgbaakc7dvf", DelegationDate: "2017-06-10", - RemovalDate: "", + RemovalDate: "2023-11-17", }, "xn--mgbaam7a8h": { GTLD: "xn--mgbaam7a8h", diff --git a/vendor/github.com/zmap/zlint/v3/util/idna.go b/vendor/github.com/zmap/zlint/v3/util/idna.go index 45d14daab..c96f6ab04 100644 --- a/vendor/github.com/zmap/zlint/v3/util/idna.go +++ b/vendor/github.com/zmap/zlint/v3/util/idna.go @@ -1,5 +1,5 @@ /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/util/ip.go b/vendor/github.com/zmap/zlint/v3/util/ip.go index 7aefe6797..a61c77344 100644 --- a/vendor/github.com/zmap/zlint/v3/util/ip.go +++ b/vendor/github.com/zmap/zlint/v3/util/ip.go @@ -1,5 +1,5 @@ /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/util/ku.go b/vendor/github.com/zmap/zlint/v3/util/ku.go index 529e4c355..0d5e1eaa2 100644 --- a/vendor/github.com/zmap/zlint/v3/util/ku.go +++ b/vendor/github.com/zmap/zlint/v3/util/ku.go @@ -1,6 +1,10 @@ package util -import "github.com/zmap/zcrypto/x509" +import ( + "strings" + + "github.com/zmap/zcrypto/x509" +) var ( // KeyUsageToString maps an x509.KeyUsage bitmask to its name. 
@@ -34,3 +38,14 @@ func HasKeyUsage(c *x509.Certificate, usage x509.KeyUsage) bool {
 func KeyUsageIsPresent(keyUsages x509.KeyUsage, usage x509.KeyUsage) bool {
 return keyUsages&usage != 0
 }
+
+// GetKeyUsageStrings returns a list of included key usages
+func GetKeyUsageStrings(keyUsages x509.KeyUsage) []string {
+ var keyUsageStrings []string
+ for ku, name := range KeyUsageToString {
+ if KeyUsageIsPresent(keyUsages, ku) {
+ keyUsageStrings = append(keyUsageStrings, strings.TrimPrefix(name, "KeyUsage"))
+ }
+ }
+ return keyUsageStrings
+}
diff --git a/vendor/github.com/zmap/zlint/v3/util/names.go b/vendor/github.com/zmap/zlint/v3/util/names.go
index e8fc5c49e..abccb2b94 100644
--- a/vendor/github.com/zmap/zlint/v3/util/names.go
+++ b/vendor/github.com/zmap/zlint/v3/util/names.go
@@ -1,5 +1,5 @@
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/util/oid.go b/vendor/github.com/zmap/zlint/v3/util/oid.go
index a8f976538..5ded05d68 100644
--- a/vendor/github.com/zmap/zlint/v3/util/oid.go
+++ b/vendor/github.com/zmap/zlint/v3/util/oid.go
@@ -1,5 +1,5 @@
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
@@ -24,36 +24,53 @@ import ( var ( //extension OIDs - AiaOID = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 1} // Authority Information Access - AuthkeyOID = asn1.ObjectIdentifier{2, 5, 29, 35} // Authority Key Identifier - BasicConstOID = asn1.ObjectIdentifier{2, 5, 29, 19} // Basic Constraints - CertPolicyOID = asn1.ObjectIdentifier{2, 5, 29, 32} // Certificate Policies - CrlDistOID = asn1.ObjectIdentifier{2, 5, 29, 31} // CRL Distribution Points - CtPoisonOID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 11129, 2, 4, 3} // CT Poison - EkuSynOid = asn1.ObjectIdentifier{2, 5, 29, 37} // Extended Key Usage Syntax - FreshCRLOID = asn1.ObjectIdentifier{2, 5, 29, 46} // Freshest CRL - InhibitAnyPolicyOID = asn1.ObjectIdentifier{2, 5, 29, 54} // Inhibit Any Policy - IssuerAlternateNameOID = asn1.ObjectIdentifier{2, 5, 29, 18} // Issuer Alt Name - KeyUsageOID = asn1.ObjectIdentifier{2, 5, 29, 15} // Key Usage - LogoTypeOID = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 12} // Logo Type Ext - NameConstOID = asn1.ObjectIdentifier{2, 5, 29, 30} // Name Constraints - OscpNoCheckOID = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 48, 1, 5} // OSCP No Check - PolicyConstOID = asn1.ObjectIdentifier{2, 5, 29, 36} // Policy Constraints - PolicyMapOID = asn1.ObjectIdentifier{2, 5, 29, 33} // Policy Mappings - PrivKeyUsageOID = asn1.ObjectIdentifier{2, 5, 29, 16} // Private Key Usage Period - QcStateOid = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 3} // QC Statements - TimestampOID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 11129, 2, 4, 2} // Signed Certificate Timestamp List - SmimeOID = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 15} // Smime Capabilities - SubjectAlternateNameOID = asn1.ObjectIdentifier{2, 5, 29, 17} // Subject Alt Name - SubjectDirAttrOID = asn1.ObjectIdentifier{2, 5, 29, 9} // Subject Directory Attributes - SubjectInfoAccessOID = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 11} // Subject Info Access Syntax - SubjectKeyIdentityOID = asn1.ObjectIdentifier{2, 
5, 29, 14} // Subject Key Identifier + AdobeTimeStampOID = asn1.ObjectIdentifier{1, 2, 840, 113583, 1, 1, 9, 1} // Adobe Time-stamp x509 extension + AdobeArchiveRevInfoOID = asn1.ObjectIdentifier{1, 2, 840, 113583, 1, 1, 9, 2} // Adobe Archive Revocation Info x509 extension + AiaOID = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 1} // Authority Information Access + AuthkeyOID = asn1.ObjectIdentifier{2, 5, 29, 35} // Authority Key Identifier + BasicConstOID = asn1.ObjectIdentifier{2, 5, 29, 19} // Basic Constraints + CertPolicyOID = asn1.ObjectIdentifier{2, 5, 29, 32} // Certificate Policies + CrlDistOID = asn1.ObjectIdentifier{2, 5, 29, 31} // CRL Distribution Points + CtPoisonOID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 11129, 2, 4, 3} // CT Poison + EkuSynOid = asn1.ObjectIdentifier{2, 5, 29, 37} // Extended Key Usage Syntax + FreshCRLOID = asn1.ObjectIdentifier{2, 5, 29, 46} // Freshest CRL + InhibitAnyPolicyOID = asn1.ObjectIdentifier{2, 5, 29, 54} // Inhibit Any Policy + IssuerAlternateNameOID = asn1.ObjectIdentifier{2, 5, 29, 18} // Issuer Alt Name + KeyUsageOID = asn1.ObjectIdentifier{2, 5, 29, 15} // Key Usage + LegalEntityIdentifierOID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 52266, 1} // Legal Entity Identifier + LegalEntityIdentifierRoleOID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 52266, 2} // Legal Entity Identifier Role + LogoTypeOID = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 12} // Logo Type Ext + NameConstOID = asn1.ObjectIdentifier{2, 5, 29, 30} // Name Constraints + OscpNoCheckOID = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 48, 1, 5} // OSCP No Check + PolicyConstOID = asn1.ObjectIdentifier{2, 5, 29, 36} // Policy Constraints + PolicyMapOID = asn1.ObjectIdentifier{2, 5, 29, 33} // Policy Mappings + PrivKeyUsageOID = asn1.ObjectIdentifier{2, 5, 29, 16} // Private Key Usage Period + QcStateOid = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 3} // QC Statements + TimestampOID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 11129, 2, 4, 2} // 
Signed Certificate Timestamp List + SmimeOID = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 15} // Smime Capabilities + SubjectAlternateNameOID = asn1.ObjectIdentifier{2, 5, 29, 17} // Subject Alt Name + SubjectDirAttrOID = asn1.ObjectIdentifier{2, 5, 29, 9} // Subject Directory Attributes + SubjectInfoAccessOID = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 11} // Subject Info Access Syntax + SubjectKeyIdentityOID = asn1.ObjectIdentifier{2, 5, 29, 14} // Subject Key Identifier + ReasonCodeOID = asn1.ObjectIdentifier{2, 5, 29, 21} // CRL Reason Code // CA/B reserved policies - BRDomainValidatedOID = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 1} // CA/B BR Domain-Validated - BROrganizationValidatedOID = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 2} // CA/B BR Organization-Validated - BRIndividualValidatedOID = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 3} // CA/B BR Individual-Validated - BRTorServiceDescriptor = asn1.ObjectIdentifier{2, 23, 140, 1, 31} // CA/B BR Tor Service Descriptor - CabfExtensionOrganizationIdentifier = asn1.ObjectIdentifier{2, 23, 140, 3, 1} // CA/B EV 9.8.2 cabfOrganizationIdentifier + BRDomainValidatedOID = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 1} // CA/B BR Domain-Validated + BROrganizationValidatedOID = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 2} // CA/B BR Organization-Validated + BRIndividualValidatedOID = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 3} // CA/B BR Individual-Validated + BRTorServiceDescriptor = asn1.ObjectIdentifier{2, 23, 140, 1, 31} // CA/B BR Tor Service Descriptor + CabfExtensionOrganizationIdentifier = asn1.ObjectIdentifier{2, 23, 140, 3, 1} // CA/B EV 9.8.2 cabfOrganizationIdentifier + SMIMEBRMailboxValidatedLegacyOID = asn1.ObjectIdentifier{2, 23, 140, 1, 5, 1, 1} // CA/B SMIME BR Mailbox Validated, Legacy + SMIMEBRMailboxValidatedMultipurposeOID = asn1.ObjectIdentifier{2, 23, 140, 1, 5, 1, 2} // CA/B SMIME BR Mailbox Validated, Multipurpose + SMIMEBRMailboxValidatedStrictOID = asn1.ObjectIdentifier{2, 23, 140, 1, 5, 1, 3} 
// CA/B SMIME BR Mailbox Validated, Strict + SMIMEBROrganizationValidatedLegacyOID = asn1.ObjectIdentifier{2, 23, 140, 1, 5, 2, 1} // CA/B SMIME BR Organization Validated, Legacy + SMIMEBROrganizationValidatedMultipurposeOID = asn1.ObjectIdentifier{2, 23, 140, 1, 5, 2, 2} // CA/B SMIME BR Organization Validated, Multipurpose + SMIMEBROrganizationValidatedStrictOID = asn1.ObjectIdentifier{2, 23, 140, 1, 5, 2, 3} // CA/B SMIME BR Organization Validated, Strict + SMIMEBRSponsorValidatedLegacyOID = asn1.ObjectIdentifier{2, 23, 140, 1, 5, 3, 1} // CA/B SMIME BR Sponsor Validated, Legacy + SMIMEBRSponsorValidatedMultipurposeOID = asn1.ObjectIdentifier{2, 23, 140, 1, 5, 3, 2} // CA/B SMIME BR Sponsor Validated, Multipurpose + SMIMEBRSponsorValidatedStrictOID = asn1.ObjectIdentifier{2, 23, 140, 1, 5, 3, 3} // CA/B SMIME BR Sponsor Validated, Strict + SMIMEBRIndividualValidatedLegacyOID = asn1.ObjectIdentifier{2, 23, 140, 1, 5, 4, 1} // CA/B SMIME BR Individual Validated, Legacy + SMIMEBRIndividualValidatedMultipurposeOID = asn1.ObjectIdentifier{2, 23, 140, 1, 5, 4, 2} // CA/B SMIME BR Individual Validated, Multipurpose + SMIMEBRIndividualValidatedStrictOID = asn1.ObjectIdentifier{2, 23, 140, 1, 5, 4, 3} // CA/B SMIME BR Individual Validated, Strict //X.500 attribute types CommonNameOID = asn1.ObjectIdentifier{2, 5, 4, 3} SurnameOID = asn1.ObjectIdentifier{2, 5, 4, 4} @@ -67,6 +84,8 @@ var ( BusinessOID = asn1.ObjectIdentifier{2, 5, 4, 15} PostalCodeOID = asn1.ObjectIdentifier{2, 5, 4, 17} GivenNameOID = asn1.ObjectIdentifier{2, 5, 4, 42} + // SAN otherNames + OidIdOnSmtpUtf8Mailbox = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 8, 9} // Hash algorithms - see https://golang.org/src/crypto/x509/x509.go SHA256OID = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 4, 2, 1} SHA384OID = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 4, 2, 2} 
@@ -141,6 +160,14 @@ func TypeInName(name *pkix.Name, oid asn1.ObjectIdentifier) bool {
 return false
 }
 
+func GetTypesInName(name *pkix.Name) []asn1.ObjectIdentifier {
+ types := make([]asn1.ObjectIdentifier, 0)
+ for _, name := range name.Names {
+ types = append(types, name.Type)
+ }
+ return types
+}
+
 // helper function to parse policyMapping extensions, returns slices of CertPolicyIds separated by domain
 func GetMappedPolicies(polMap *pkix.Extension) ([][2]asn1.ObjectIdentifier, error) {
 if polMap == nil {
diff --git a/vendor/github.com/zmap/zlint/v3/util/primes.go b/vendor/github.com/zmap/zlint/v3/util/primes.go
index 20b04f8df..6520a5400 100644
--- a/vendor/github.com/zmap/zlint/v3/util/primes.go
+++ b/vendor/github.com/zmap/zlint/v3/util/primes.go
@@ -1,5 +1,5 @@
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/util/qc_stmt.go b/vendor/github.com/zmap/zlint/v3/util/qc_stmt.go
index a8f7c0a5e..b258053d7 100644
--- a/vendor/github.com/zmap/zlint/v3/util/qc_stmt.go
+++ b/vendor/github.com/zmap/zlint/v3/util/qc_stmt.go
@@ -1,5 +1,5 @@
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/util/rdn.go b/vendor/github.com/zmap/zlint/v3/util/rdn.go
index 3ce4dd989..6b94e923c 100644
--- a/vendor/github.com/zmap/zlint/v3/util/rdn.go
+++ b/vendor/github.com/zmap/zlint/v3/util/rdn.go
@@ -1,5 +1,5 @@
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/util/san.go b/vendor/github.com/zmap/zlint/v3/util/san.go
new file mode 100644
index 000000000..a22bda719
--- /dev/null
+++ b/vendor/github.com/zmap/zlint/v3/util/san.go
@@ -0,0 +1,30 @@
+package util
+
+import (
+ "net/mail"
+
+ "github.com/zmap/zcrypto/x509"
+)
+
+func HasEmailSAN(c *x509.Certificate) bool {
+ for _, san := range c.EmailAddresses {
+ if san != "" {
+ return true
+ }
+ }
+
+ for _, name := range c.OtherNames {
+ if name.TypeID.Equal(OidIdOnSmtpUtf8Mailbox) && len(name.Value.Bytes) != 0 {
+ return true
+ }
+ }
+
+ return false
+}
+
+// IsMailboxAddress returns true if the passed in string resembles an RFC 5322
+// mailbox address.
+func IsMailboxAddress(address string) bool {
+ validAddress, err := mail.ParseAddress(address)
+ return err == nil && validAddress.Address == address
+}
diff --git a/vendor/github.com/zmap/zlint/v3/util/smime_policies.go b/vendor/github.com/zmap/zlint/v3/util/smime_policies.go
new file mode 100644
index 000000000..f0f4eb3be
--- /dev/null
+++ b/vendor/github.com/zmap/zlint/v3/util/smime_policies.go
@@ -0,0 +1,93 @@
+package util
+
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+import (
+ "github.com/zmap/zcrypto/x509"
+)
+
+func IsSMIMEBRCertificate(c *x509.Certificate) bool {
+ return IsLegacySMIMECertificate(c) || IsMultipurposeSMIMECertificate(c) || IsStrictSMIMECertificate(c)
+}
+
+func IsIndividualValidatedCertificate(c *x509.Certificate) bool {
+ for _, oid := range c.PolicyIdentifiers {
+ if oid.Equal(SMIMEBRIndividualValidatedLegacyOID) || oid.Equal(SMIMEBRIndividualValidatedMultipurposeOID) || oid.Equal(SMIMEBRIndividualValidatedStrictOID) {
+ return true
+ }
+ }
+
+ return false
+}
+
+func IsMailboxValidatedCertificate(c *x509.Certificate) bool {
+ for _, oid := range c.PolicyIdentifiers {
+ if oid.Equal(SMIMEBRMailboxValidatedLegacyOID) || oid.Equal(SMIMEBRMailboxValidatedMultipurposeOID) || oid.Equal(SMIMEBRMailboxValidatedStrictOID) {
+ return true
+ }
+ }
+
+ return false
+}
+
+func IsOrganizationValidatedCertificate(c *x509.Certificate) bool {
+ for _, oid := range c.PolicyIdentifiers {
+ if oid.Equal(SMIMEBROrganizationValidatedLegacyOID) || oid.Equal(SMIMEBROrganizationValidatedMultipurposeOID) || oid.Equal(SMIMEBROrganizationValidatedStrictOID) {
+ return true
+ }
+ }
+
+ return false
+}
+
+func IsSponsorValidatedCertificate(c *x509.Certificate) bool {
+ for _, oid := range c.PolicyIdentifiers {
+ if oid.Equal(SMIMEBRSponsorValidatedLegacyOID) || oid.Equal(SMIMEBRSponsorValidatedMultipurposeOID) || oid.Equal(SMIMEBRSponsorValidatedStrictOID) {
+ return true
+ }
+ }
+
+ return false
+}
+
+func IsLegacySMIMECertificate(c *x509.Certificate) bool {
+ for _, oid := range c.PolicyIdentifiers {
+ if oid.Equal(SMIMEBRMailboxValidatedLegacyOID) || oid.Equal(SMIMEBROrganizationValidatedLegacyOID) || oid.Equal(SMIMEBRSponsorValidatedLegacyOID) || oid.Equal(SMIMEBRIndividualValidatedLegacyOID) {
+ return true
+ }
+ }
+
+ return false
+}
+
+func IsMultipurposeSMIMECertificate(c *x509.Certificate) bool {
+ for _, oid := range c.PolicyIdentifiers {
+ if oid.Equal(SMIMEBRMailboxValidatedMultipurposeOID) || oid.Equal(SMIMEBROrganizationValidatedMultipurposeOID) || oid.Equal(SMIMEBRSponsorValidatedMultipurposeOID) || oid.Equal(SMIMEBRIndividualValidatedMultipurposeOID) {
+ return true
+ }
+ }
+
+ return false
+}
+
+func IsStrictSMIMECertificate(c *x509.Certificate) bool {
+ for _, oid := range c.PolicyIdentifiers {
+ if oid.Equal(SMIMEBRMailboxValidatedStrictOID) || oid.Equal(SMIMEBROrganizationValidatedStrictOID) || oid.Equal(SMIMEBRSponsorValidatedStrictOID) || oid.Equal(SMIMEBRIndividualValidatedStrictOID) {
+ return true
+ }
+ }
+
+ return false
+}
diff --git a/vendor/github.com/zmap/zlint/v3/util/time.go b/vendor/github.com/zmap/zlint/v3/util/time.go
index 04dfeddb6..b702449ce 100644
--- a/vendor/github.com/zmap/zlint/v3/util/time.go
+++ b/vendor/github.com/zmap/zlint/v3/util/time.go
@@ -1,5 +1,5 @@
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
@@ -21,6 +21,10 @@ import (
 "github.com/zmap/zcrypto/x509"
 )
 
+const (
+ DurationDay = 24 * time.Hour
+)
+
 var (
 ZeroDate = time.Date(0000, time.January, 1, 0, 0, 0, 0, time.UTC)
 RFC1035Date = time.Date(1987, time.January, 1, 0, 0, 0, 0, time.UTC)
@@ -70,8 +74,14 @@ var (
 AppleReducedLifetimeDate = time.Date(2020, time.September, 1, 0, 0, 0, 0, time.UTC)
 CABFBRs_1_7_9_Date = time.Date(2021, time.August, 16, 0, 0, 0, 0, time.UTC)
 CABFBRs_1_8_0_Date = time.Date(2021, time.August, 25, 0, 0, 0, 0, time.UTC)
+ CABFBRs_2_0_0_Date = time.Date(2023, time.September, 15, 0, 0, 0, 0, time.UTC)
 NoReservedDomainLabelsDate = time.Date(2021, time.October, 1, 0, 0, 0, 0, time.UTC)
 CABFBRs_OU_Prohibited_Date = time.Date(2022, time.September, 1, 0, 0, 0, 0, time.UTC)
+ CABF_SMIME_BRs_1_0_0_Date = time.Date(2023, time.September, 1, 0, 0, 0, 0, time.UTC)
+ // Enforcement date of CRL reason codes from Ballot SC 061
+ CABFBRs_1_8_7_Date = time.Date(2023, time.July, 15, 0, 0, 0, 0, time.UTC)
+ // Updates to the CABF BRs and EVGLs from Ballot SC 062 https://cabforum.org/2023/03/17/ballot-sc62v2-certificate-profiles-update/
+ SC62EffectiveDate = time.Date(2023, time.September, 15, 0, 0, 0, 0, time.UTC)
 )
 
 var (
diff --git a/vendor/github.com/zmap/zlint/v3/zlint.go b/vendor/github.com/zmap/zlint/v3/zlint.go
index 18119340f..c94bcb6c7 100644
--- a/vendor/github.com/zmap/zlint/v3/zlint.go
+++ b/vendor/github.com/zmap/zlint/v3/zlint.go
@@ -1,5 +1,5 @@
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
@@ -24,6 +24,7 @@ import (
 _ "github.com/zmap/zlint/v3/lints/apple"
 _ "github.com/zmap/zlint/v3/lints/cabf_br"
 _ "github.com/zmap/zlint/v3/lints/cabf_ev"
+ _ "github.com/zmap/zlint/v3/lints/cabf_smime_br"
 _ "github.com/zmap/zlint/v3/lints/community"
 _ "github.com/zmap/zlint/v3/lints/etsi"
 _ "github.com/zmap/zlint/v3/lints/mozilla"
@@ -74,7 +75,7 @@ func LintRevocationList(r *x509.RevocationList) *ResultSet {
 // lints that will be run. (See lint.Registry.Filter())
 //
 // If registry is nil then the global registry of all lints is used and this
-// function is equivalent to calling LintRevocationListEx(r).
+// function is equivalent to calling LintRevocationList(r).
 func LintRevocationListEx(r *x509.RevocationList, registry lint.Registry) *ResultSet {
 if r == nil {
 return nil
diff --git a/vendor/modules.txt b/vendor/modules.txt
index cb8033fad..9ad6c63e8 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -119,13 +119,14 @@ github.com/zmap/zcrypto/util
 github.com/zmap/zcrypto/x509
 github.com/zmap/zcrypto/x509/ct
 github.com/zmap/zcrypto/x509/pkix
-# github.com/zmap/zlint/v3 v3.5.0
+# github.com/zmap/zlint/v3 v3.6.2
 ## explicit; go 1.18
 github.com/zmap/zlint/v3
 github.com/zmap/zlint/v3/lint
 github.com/zmap/zlint/v3/lints/apple
 github.com/zmap/zlint/v3/lints/cabf_br
 github.com/zmap/zlint/v3/lints/cabf_ev
+github.com/zmap/zlint/v3/lints/cabf_smime_br
 github.com/zmap/zlint/v3/lints/community
 github.com/zmap/zlint/v3/lints/etsi
 github.com/zmap/zlint/v3/lints/mozilla