Ecdsa ee invalid ku check applies (#731)

* lint about the encoding of qcstatements for PSD2 * Revert "lint about the encoding of qcstatements for PSD2" This reverts commit 6c23670. * util: gtld_map autopull updates for 2021-10-21T07:25:20 UTC * always check and perform the operation in the execution * check applies could also check if the extension is present --------- Co-authored-by: mtg <git@mtg.de> Co-authored-by: GitHub <noreply@github.com> Co-authored-by: Christopher Henderson <chris@chenderson.org>
zmap · Jul 9, 2023 · 3f1605e · 3f1605e
1 parent 8c46bdf
commit 3f1605e
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 1 deletion.
diff --git a/v3/lints/rfc/lint_ecdsa_ee_invalid_ku.go b/v3/lints/rfc/lint_ecdsa_ee_invalid_ku.go
@@ -46,7 +46,7 @@ func NewEcdsaInvalidKU() lint.LintInterface {
 // CheckApplies returns true when the certificate is a subscriber cert using an
 // ECDSA public key algorithm.
 func (l *ecdsaInvalidKU) CheckApplies(c *x509.Certificate) bool {
-	return util.IsSubscriberCert(c) && c.PublicKeyAlgorithm == x509.ECDSA
+	return util.IsSubscriberCert(c) && c.PublicKeyAlgorithm == x509.ECDSA && util.HasKeyUsageOID(c)
 }
 
 // Execute returns a Notice level lint.LintResult if the ECDSA end entity certificate

diff --git a/v3/lints/rfc/lint_ecdsa_ee_invalid_ku_test.go b/v3/lints/rfc/lint_ecdsa_ee_invalid_ku_test.go
@@ -36,6 +36,11 @@ func TestECDSAInvalidKU(t *testing.T) {
 			expectedStatus:  lint.Notice,
 			expectedDetails: "Certificate had unexpected key usage(s): KeyUsageCRLSign, KeyUsageCertSign",
 		},
+		{
+			name:           "ecdsa ee cert, without key usage",
+			filename:       "CNWithoutSANSeptember2021.pem",
+			expectedStatus: lint.NA,
+		},
 	}
 
 	for _, tc := range testCases {