Lint for CABF SMIME 7.1.2.3b - cRLDistributionPoints SHALL be present (…

…#742) * Lint for CABF SMIME 7.1.2.3b - cRLDistributionPoints SHALL be present * adressing linter * correcting copying error * fixing typo in filename
zmap · Oct 8, 2023 · 386a8dc · 386a8dc
1 parent 48baa89
commit 386a8dc
Show file tree

Hide file tree

Showing 4 changed files with 168 additions and 0 deletions.
diff --git a/v3/lints/cabf_smime_br/lint_subscribers_shall_have_crl_distribution_points.go b/v3/lints/cabf_smime_br/lint_subscribers_shall_have_crl_distribution_points.go
@@ -0,0 +1,53 @@
+/*
+ * ZLint Copyright 2023 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+package cabf_smime_br
+
+import (
+	"github.com/zmap/zcrypto/x509"
+	"github.com/zmap/zlint/v3/lint"
+	"github.com/zmap/zlint/v3/util"
+)
+
+func init() {
+	lint.RegisterLint(&lint.Lint{
+		Name:          "e_subscribers_shall_have_crl_distribution_points",
+		Description:   "cRLDistributionPoints SHALL be present.",
+		Citation:      "7.1.2.3.b",
+		Source:        lint.CABFSMIMEBaselineRequirements,
+		EffectiveDate: util.CABF_SMIME_BRs_1_0_0_Date,
+		Lint:          NewSubscriberCrlDistributionPoints,
+	})
+}
+
+type SubscriberCrlDistributionPoints struct{}
+
+func NewSubscriberCrlDistributionPoints() lint.LintInterface {
+	return &SubscriberCrlDistributionPoints{}
+}
+
+func (l *SubscriberCrlDistributionPoints) CheckApplies(c *x509.Certificate) bool {
+	return util.IsSubscriberCert(c)
+}
+
+func (l *SubscriberCrlDistributionPoints) Execute(c *x509.Certificate) *lint.LintResult {
+	if len(c.CRLDistributionPoints) == 0 {
+		return &lint.LintResult{
+			Status:  lint.Error,
+			Details: "SMIME certificate contains zero CRL distribution points",
+		}
+	} else {
+		return &lint.LintResult{Status: lint.Pass}
+	}
+}
diff --git a/v3/lints/cabf_smime_br/lint_subscribers_shall_have_crl_distribution_points_test.go b/v3/lints/cabf_smime_br/lint_subscribers_shall_have_crl_distribution_points_test.go
@@ -0,0 +1,35 @@
+package cabf_smime_br
+
+import (
+	"testing"
+
+	"github.com/zmap/zlint/v3/lint"
+	"github.com/zmap/zlint/v3/test"
+)
+
+func TestSubscriberCrlDistributionPoints(t *testing.T) {
+	testCases := []struct {
+		Name           string
+		InputFilename  string
+		ExpectedResult lint.LintStatus
+	}{
+		{
+			Name:           "pass - cert with a CRL distribution point",
+			InputFilename:  "smime/subscriber_with_crl_distribution_points.pem",
+			ExpectedResult: lint.Pass,
+		},
+		{
+			Name:           "error - cert without a CRL distribution point",
+			InputFilename:  "smime/subscriber_no_crl_distribution_points.pem",
+			ExpectedResult: lint.Error,
+		},
+	}
+	for _, tc := range testCases {
+		t.Run(tc.Name, func(t *testing.T) {
+			result := test.TestLint("e_subscribers_shall_have_crl_distribution_points", tc.InputFilename)
+			if result.Status != tc.ExpectedResult {
+				t.Errorf("expected result %v was %v - details: %v", tc.ExpectedResult, result.Status, result.Details)
+			}
+		})
+	}
+}
diff --git a/v3/testdata/smime/subscriber_no_crl_distribution_points.pem b/v3/testdata/smime/subscriber_no_crl_distribution_points.pem
@@ -0,0 +1,38 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 3 (0x3)
+        Signature Algorithm: ecdsa-with-SHA256
+        Issuer: 
+        Validity
+            Not Before: Sep 30 15:02:57 2023 GMT
+            Not After : Nov 30 00:00:00 9998 GMT
+        Subject: 
+        Subject Public Key Info:
+            Public Key Algorithm: id-ecPublicKey
+                Public-Key: (256 bit)
+                pub:
+                    04:b0:ea:1e:f1:18:fe:47:2c:63:90:84:55:31:84:
+                    a9:7d:05:a9:53:01:21:6f:cf:c4:b3:08:33:d2:4c:
+                    0a:e0:39:40:d2:c8:05:e0:7a:a2:cf:14:04:9e:75:
+                    c9:8a:41:b1:ce:6f:ea:6e:f2:5f:f7:0c:58:39:d5:
+                    b3:b6:83:fc:79
+                ASN1 OID: prime256v1
+                NIST CURVE: P-256
+        X509v3 extensions:
+            X509v3 Extended Key Usage: 
+                E-mail Protection
+    Signature Algorithm: ecdsa-with-SHA256
+    Signature Value:
+        30:45:02:21:00:9f:89:3b:b4:a6:ca:2f:d3:24:cf:5c:0f:d2:
+        b4:0c:a5:23:e2:77:ae:dc:4e:60:f9:fb:a5:d7:17:b6:eb:d7:
+        be:02:20:60:21:54:e0:ef:0c:eb:d7:7d:c0:f6:28:29:86:d2:
+        be:b1:3e:c7:a6:f5:23:84:37:18:68:af:cd:6d:fe:4d:b0
+-----BEGIN CERTIFICATE-----
+MIIBBzCBrqADAgECAgEDMAoGCCqGSM49BAMCMAAwIBcNMjMwOTMwMTUwMjU3WhgP
+OTk5ODExMzAwMDAwMDBaMAAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASw6h7x
+GP5HLGOQhFUxhKl9BalTASFvz8SzCDPSTArgOUDSyAXgeqLPFASedcmKQbHOb+pu
+8l/3DFg51bO2g/x5oxcwFTATBgNVHSUEDDAKBggrBgEFBQcDBDAKBggqhkjOPQQD
+AgNIADBFAiEAn4k7tKbKL9Mkz1wP0rQMpSPid67cTmD5+6XXF7br174CIGAhVODv
+DOvXfcD2KCmG0r6xPsem9SOENxhor81t/k2w
+-----END CERTIFICATE-----
diff --git a/v3/testdata/smime/subscriber_with_crl_distribution_points.pem b/v3/testdata/smime/subscriber_with_crl_distribution_points.pem
@@ -0,0 +1,42 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 3 (0x3)
+        Signature Algorithm: ecdsa-with-SHA256
+        Issuer: 
+        Validity
+            Not Before: Sep 30 15:03:33 2023 GMT
+            Not After : Nov 30 00:00:00 9998 GMT
+        Subject: 
+        Subject Public Key Info:
+            Public Key Algorithm: id-ecPublicKey
+                Public-Key: (256 bit)
+                pub:
+                    04:77:fb:36:f7:93:14:be:12:85:91:d5:e5:ac:69:
+                    d8:3e:53:62:67:69:31:da:d8:cb:b1:31:26:4a:c3:
+                    50:75:fa:8c:3b:a4:3c:28:f3:a9:b7:2f:6d:bb:92:
+                    9b:17:11:b0:f3:40:5f:07:d6:57:f6:ae:0a:42:1b:
+                    a9:02:9e:d7:7c
+                ASN1 OID: prime256v1
+                NIST CURVE: P-256
+        X509v3 extensions:
+            X509v3 Extended Key Usage: 
+                E-mail Protection
+            X509v3 CRL Distribution Points: 
+                Full Name:
+                  URI:atleastone.com
+    Signature Algorithm: ecdsa-with-SHA256
+    Signature Value:
+        30:45:02:21:00:aa:1a:66:ac:5b:22:a9:e3:2d:b8:33:54:49:
+        fa:28:22:24:b1:11:49:44:46:6e:7d:55:13:fb:25:56:96:e1:
+        e1:02:20:60:b3:d6:eb:ff:34:2a:e7:0a:aa:0b:4b:4b:b3:32:
+        ba:96:7a:44:f5:f8:07:ff:86:86:89:ae:65:f0:6d:1b:00
+-----BEGIN CERTIFICATE-----
+MIIBKDCBz6ADAgECAgEDMAoGCCqGSM49BAMCMAAwIBcNMjMwOTMwMTUwMzMzWhgP
+OTk5ODExMzAwMDAwMDBaMAAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAR3+zb3
+kxS+EoWR1eWsadg+U2JnaTHa2MuxMSZKw1B1+ow7pDwo86m3L227kpsXEbDzQF8H
+1lf2rgpCG6kCntd8ozgwNjATBgNVHSUEDDAKBggrBgEFBQcDBDAfBgNVHR8EGDAW
+MBSgEqAQhg5hdGxlYXN0b25lLmNvbTAKBggqhkjOPQQDAgNIADBFAiEAqhpmrFsi
+qeMtuDNUSfooIiSxEUlERm59VRP7JVaW4eECIGCz1uv/NCrnCqoLS0uzMrqWekT1
++Af/hoaJrmXwbRsA
+-----END CERTIFICATE-----