Merge https://github.com/zmap/zlint

mtgag · Jun 6, 2024 · f0991f9 · f0991f9
2 parents 4d46729 + 26ca0f3
commit f0991f9
Show file tree

Hide file tree

Showing 133 changed files with 8,766 additions and 60 deletions.
diff --git a/v3/cmd/genTestCerts/go.mod b/v3/cmd/genTestCerts/go.mod
@@ -11,7 +11,7 @@ require (
 
 require (
 	github.com/weppos/publicsuffix-go v0.30.0 // indirect
-	golang.org/x/crypto v0.17.0 // indirect
-	golang.org/x/net v0.17.0 // indirect
+	golang.org/x/crypto v0.21.0 // indirect
+	golang.org/x/net v0.23.0 // indirect
 	golang.org/x/text v0.14.0 // indirect
 )
diff --git a/v3/cmd/genTestCerts/go.sum b/v3/cmd/genTestCerts/go.sum
@@ -48,8 +48,9 @@ golang.org/x/crypto v0.0.0-20201208171446-5f87f3452ae9/go.mod h1:jdWPYTVW3xRLrWP
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.7.0/go.mod h1:pYwdfH91IfpZVANVyUOhSIPZaFoJGxTFbZhFTx+dXZU=
 golang.org/x/crypto v0.14.0/go.mod h1:MVFd36DqK4CsrnJYDkBA3VC4m2GkXAM0PvzMCn4JQf4=
-golang.org/x/crypto v0.17.0 h1:r8bRNjWL3GshPW3gkd+RpvzWrZAwPS49OmTGZ/uhM4k=
 golang.org/x/crypto v0.17.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4=
+golang.org/x/crypto v0.21.0 h1:X31++rzVUdKhX5sWmSOFZxx8UW/ldWx55cbf08iNAMA=
+golang.org/x/crypto v0.21.0/go.mod h1:0BP7YvVV9gBbVKyeTG0Gyn+gZm94bibOW5BjDEYAOMs=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
 golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
@@ -63,8 +64,9 @@ golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc=
 golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
-golang.org/x/net v0.17.0 h1:pVaXccu2ozPjCXewfr1S7xza/zcXTity9cCdXQYSjIM=
 golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE=
+golang.org/x/net v0.23.0 h1:7EYJ93RZ9vYSZAIb2x3lnuvqO5zneoD6IvWjuhfxjTs=
+golang.org/x/net v0.23.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=

diff --git a/v3/go.mod b/v3/go.mod
@@ -7,12 +7,12 @@ require (
 	github.com/pelletier/go-toml v1.9.3
 	github.com/sirupsen/logrus v1.9.0
 	github.com/zmap/zcrypto v0.0.0-20230310154051-c8b263fd8300
-	golang.org/x/crypto v0.17.0
-	golang.org/x/net v0.17.0
+	golang.org/x/crypto v0.21.0
+	golang.org/x/net v0.23.0
 	golang.org/x/text v0.14.0
 )
 
 require (
 	github.com/weppos/publicsuffix-go v0.30.0 // indirect
-	golang.org/x/sys v0.15.0 // indirect
+	golang.org/x/sys v0.18.0 // indirect
 )
diff --git a/v3/go.sum b/v3/go.sum
@@ -51,8 +51,8 @@ golang.org/x/crypto v0.0.0-20201124201722-c8d3bf9c5392/go.mod h1:jdWPYTVW3xRLrWP
 golang.org/x/crypto v0.0.0-20201208171446-5f87f3452ae9/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.7.0/go.mod h1:pYwdfH91IfpZVANVyUOhSIPZaFoJGxTFbZhFTx+dXZU=
-golang.org/x/crypto v0.17.0 h1:r8bRNjWL3GshPW3gkd+RpvzWrZAwPS49OmTGZ/uhM4k=
-golang.org/x/crypto v0.17.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4=
+golang.org/x/crypto v0.21.0 h1:X31++rzVUdKhX5sWmSOFZxx8UW/ldWx55cbf08iNAMA=
+golang.org/x/crypto v0.21.0/go.mod h1:0BP7YvVV9gBbVKyeTG0Gyn+gZm94bibOW5BjDEYAOMs=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
 golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
@@ -65,8 +65,8 @@ golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug
 golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc=
-golang.org/x/net v0.17.0 h1:pVaXccu2ozPjCXewfr1S7xza/zcXTity9cCdXQYSjIM=
-golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE=
+golang.org/x/net v0.23.0 h1:7EYJ93RZ9vYSZAIb2x3lnuvqO5zneoD6IvWjuhfxjTs=
+golang.org/x/net v0.23.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -83,8 +83,8 @@ golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.15.0 h1:h48lPFYpsTvQJZF4EKyI4aLHaev3CxivZmv7yZig9pc=
-golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.18.0 h1:DBdB3niSjOA/O0blCZBqDefyWNYveAYMNF1Wum0DYQ4=
+golang.org/x/sys v0.18.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=

diff --git a/v3/integration/config.json b/v3/integration/config.json
@@ -383,7 +383,7 @@
     "e_cert_unique_identifier_version_not_2_or_3": {},
     "e_distribution_point_incomplete": {},
     "e_dnsname_bad_character_in_label": {
-      "ErrCount": 55927
+      "ErrCount": 55930
     },
     "e_dnsname_contains_bare_iana_suffix": {
       "ErrCount": 8
@@ -400,7 +400,7 @@
       "ErrCount": 17
     },
     "e_dnsname_not_valid_tld": {
-      "ErrCount": 86371
+      "ErrCount": 86374
     },
     "e_dnsname_underscore_in_sld": {
       "ErrCount": 5
@@ -491,7 +491,7 @@
       "ErrCount": 2
     },
     "e_ext_san_missing": {
-      "ErrCount": 52385
+      "ErrCount": 52388
     },
     "e_ext_san_no_entries": {
       "ErrCount": 3
@@ -576,7 +576,7 @@
       "ErrCount": 370
     },
     "e_ocsp_id_pkix_ocsp_nocheck_ext_not_included_server_auth": {
-      "ErrCount": 93
+      "ErrCount": 95
     },
     "e_old_root_ca_rsa_mod_less_than_2048_bits": {
       "ErrCount": 1
@@ -711,7 +711,7 @@
       "ErrCount": 81098
     },
     "e_sub_cert_eku_server_auth_client_auth_missing": {
-      "ErrCount": 4934
+      "ErrCount": 4943
     },
     "e_sub_cert_given_name_surname_contains_correct_policy": {
       "ErrCount": 1793
@@ -751,7 +751,7 @@
       "ErrCount": 2
     },
     "e_subject_common_name_not_from_san": {
-      "ErrCount": 94976
+      "ErrCount": 94979
     },
     "e_subject_contains_noninformational_value": {
       "ErrCount": 338
@@ -818,7 +818,7 @@
     },
     "e_cab_dv_subject_invalid_values": {},
     "n_ca_digital_signature_not_set": {
-      "NoticeCount": 1409
+      "NoticeCount": 1411
     },
     "n_contains_redacted_dnsname": {
       "NoticeCount": 464
@@ -845,10 +845,10 @@
       "NoticeCount": 1415
     },
     "n_sub_ca_eku_not_technically_constrained": {
-      "NoticeCount": 10
+      "NoticeCount": 12
     },
     "n_subject_common_name_included": {
-      "NoticeCount": 712639
+      "NoticeCount": 712866
     },
     "w_ct_sct_policy_count_unsatisfied": {
       "NoticeCount": 5003
@@ -935,17 +935,17 @@
       "WarnCount": 9
     },
     "w_sub_ca_name_constraints_not_critical": {
-      "WarnCount": 115
+      "WarnCount": 116
     },
     "w_sub_cert_aia_contains_internal_names": {
       "WarnCount": 210
     },
     "w_sub_cert_aia_does_not_contain_issuing_ca_url": {
-      "WarnCount": 48465
+      "WarnCount": 48469
     },
     "w_sub_cert_certificate_policies_marked_critical": {},
     "w_sub_cert_eku_extra_values": {
-      "WarnCount": 25405
+      "WarnCount": 25412
     },
     "w_sub_cert_sha1_expiration_too_long": {
       "WarnCount": 11058
@@ -964,6 +964,9 @@
     "w_subject_surname_recommended_max_length": {},
     "w_tls_server_cert_valid_time_longer_than_397_days": {
       "WarnCount": 223
-    }
+    },
+    "e_ca_invalid_eku": {
+        "ErrCount": 1
+    }    
   }
-}
+}
diff --git a/v3/integration/small.config.json b/v3/integration/small.config.json
@@ -349,7 +349,7 @@
     },
     "n_sub_ca_eku_not_technically_constrained": {},
     "n_subject_common_name_included": {
-      "NoticeCount": 19776
+      "NoticeCount": 19785
     },
     "w_ct_sct_policy_count_unsatisfied": {
       "NoticeCount": 176

diff --git a/v3/lint/registration_test.go b/v3/lint/registration_test.go
@@ -131,6 +131,17 @@ func TestRegister(t *testing.T) {
 			expectNames:   []string{"goodLint", egLint.Name},
 			expectSources: SourceList{egLint.Source, MozillaRootStorePolicy},
 		},
+		{
+			name: "new lint source category",
+			lint: &Lint{
+				Name:   "sct",
+				Lint:   func() LintInterface { return &mockLint{} },
+				Source: RFC6962,
+			},
+			registry:      dupeReg,
+			expectNames:   []string{"goodLint", egLint.Name, "sct"},
+			expectSources: SourceList{egLint.Source, MozillaRootStorePolicy, RFC6962},
+		},
 	}
 
 	for _, tc := range testCases {

diff --git a/v3/lint/source.go b/v3/lint/source.go
@@ -32,6 +32,7 @@ const (
 	RFC5280                       LintSource = "RFC5280"
 	RFC5480                       LintSource = "RFC5480"
 	RFC5891                       LintSource = "RFC5891"
+	RFC6962                       LintSource = "RFC6962"
 	RFC8813                       LintSource = "RFC8813"
 	CABFBaselineRequirements      LintSource = "CABF_BR"
 	CABFSMIMEBaselineRequirements LintSource = "CABF_SMIME_BR"
@@ -51,7 +52,7 @@ func (s *LintSource) UnmarshalJSON(data []byte) error {
 	}
 
 	switch LintSource(throwAway) {
-	case RFC5280, RFC5480, RFC5891, CABFBaselineRequirements, CABFEVGuidelines, CABFSMIMEBaselineRequirements, MozillaRootStorePolicy, AppleRootStorePolicy, Community, EtsiEsi:
+	case RFC5280, RFC5480, RFC5891, CABFBaselineRequirements, CABFEVGuidelines, CABFSMIMEBaselineRequirements, MozillaRootStorePolicy, AppleRootStorePolicy, Community, EtsiEsi, RFC6962:
 		*s = LintSource(throwAway)
 		return nil
 	default:
@@ -87,6 +88,8 @@ func (s *LintSource) FromString(src string) {
 		*s = AppleRootStorePolicy
 	case Community:
 		*s = Community
+	case RFC6962:
+		*s = RFC6962
 	case EtsiEsi:
 		*s = EtsiEsi
 	}

diff --git a/v3/lints/cabf_br/lint_ca_invalid_eku.go b/v3/lints/cabf_br/lint_ca_invalid_eku.go
@@ -0,0 +1,81 @@
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+/*
+ * Contributed by Adriano Santoni <asantoni64@gmail.com>
+ */
+
+package cabf_br
+
+import (
+	"github.com/zmap/zcrypto/x509"
+	"github.com/zmap/zlint/v3/lint"
+	"github.com/zmap/zlint/v3/util"
+
+	"fmt"
+)
+
+func init() {
+	lint.RegisterCertificateLint(&lint.CertificateLint{
+		LintMetadata: lint.LintMetadata{
+			Name:          "e_ca_invalid_eku",
+			Description:   "Checks that SubCA certificates do not contain forbidden values in their EKU extension.",
+			Citation:      "CABF BRs §7.1.2",
+			Source:        lint.CABFBaselineRequirements,
+			EffectiveDate: util.CABFBRs_1_7_1_Date,
+		},
+		Lint: NewCaInvalidEKU,
+	})
+}
+
+type caInvalidEKU struct{}
+
+func NewCaInvalidEKU() lint.LintInterface {
+	return &caInvalidEKU{}
+}
+
+// This lint applies to any SubCA certificate to which the CABF BRs are applicable and which contains
+// the EKU extension. Given that the lint source is lint.CABFBaselineRequirements, if we arrive here
+// it's been already checked that the certificate falls within the purview of the CABF BRs.
+func (l *caInvalidEKU) CheckApplies(c *x509.Certificate) bool {
+	return util.IsSubCA(c) && len(c.ExtKeyUsage) != 0
+}
+
+func (l *caInvalidEKU) Execute(c *x509.Certificate) *lint.LintResult {
+
+	// If the EKU contains anyExtendedKeyUsage, it's probably a cross-certicate
+	// In this case, the EKU must not contain any other value
+	if util.HasEKU(c, x509.ExtKeyUsageAny) && len(c.ExtKeyUsage) > 1 {
+		return &lint.LintResult{
+			Status:  lint.Error,
+			Details: "anyExtendedKeyUsage MUST NOT be accompanied by any other value in the EKU extension",
+		}
+	}
+
+	// If we get here, it is necessarily a SubCA with serverAuth in the EKU
+	for _, eku := range c.ExtKeyUsage {
+		if eku == x509.ExtKeyUsageEmailProtection ||
+			eku == x509.ExtKeyUsageCodeSigning ||
+			eku == x509.ExtKeyUsageTimeStamping ||
+			eku == x509.ExtKeyUsageOcspSigning {
+
+			return &lint.LintResult{
+				Status:  lint.Error,
+				Details: fmt.Sprintf("%s MUST not be present together with serverAuth in the EKU extension", util.GetEKUString(eku)),
+			}
+		}
+	}
+
+	return &lint.LintResult{Status: lint.Pass}
+}