From f4918444c7b46bfc94b6ae254d6ef5f3b1bab0b5 Mon Sep 17 00:00:00 2001 
From: robplee Date: Tue, 2 May 2023 11:49:56 +0100 Subject: [PATCH 01/11] Add lint enforcing the restrictions on subject DN fields for mailbox validated SMIME certificates --- v3/lint/base.go | 3 + v3/lint/source.go | 25 +++--- ...ated_enforce_subject_field_restrictions.go | 78 +++++++++++++++++++ ...enforce_subject_field_restrictions_test.go | 59 ++++++++++++++ .../domainValidatedWithEmailCommonName.pem | 39 ++++++++++ .../mailboxValidatedLegacyWithCommonName.pem | 39 ++++++++++ ...oxValidatedLegacyWithCommonNameMay2023.pem | 39 ++++++++++ .../mailboxValidatedLegacyWithCountryName.pem | 39 ++++++++++ ...datedMultipurposeWithEmptyEmailAddress.pem | 38 +++++++++ ...lboxValidatedMultipurposeWithNoSubject.pem | 38 +++++++++ ...edMultipurposeWithNonsenseSubjectField.pem | 39 ++++++++++ ...mailboxValidatedStrictWithEmailAddress.pem | 39 ++++++++++ ...mailboxValidatedStrictWithSerialNumber.pem | 38 +++++++++ v3/util/ca.go | 12 +++ v3/util/oid.go | 13 ++-- v3/util/smime_policies.go | 13 ++++ v3/util/time.go | 1 + 17 files changed, 535 insertions(+), 17 deletions(-) create mode 100644 v3/lints/cabf_smime_br/mailbox_validated_enforce_subject_field_restrictions.go create mode 100644 v3/lints/cabf_smime_br/mailbox_validated_enforce_subject_field_restrictions_test.go create mode 100644 v3/testdata/domainValidatedWithEmailCommonName.pem create mode 100644 v3/testdata/mailboxValidatedLegacyWithCommonName.pem create mode 100644 v3/testdata/mailboxValidatedLegacyWithCommonNameMay2023.pem create mode 100644 v3/testdata/mailboxValidatedLegacyWithCountryName.pem create mode 100644 v3/testdata/mailboxValidatedMultipurposeWithEmptyEmailAddress.pem create mode 100644 v3/testdata/mailboxValidatedMultipurposeWithNoSubject.pem create mode 100644 v3/testdata/mailboxValidatedMultipurposeWithNonsenseSubjectField.pem create mode 100644 v3/testdata/mailboxValidatedStrictWithEmailAddress.pem create mode 100644 v3/testdata/mailboxValidatedStrictWithSerialNumber.pem create mode 100644 
v3/util/smime_policies.go
diff --git a/v3/lint/base.go b/v3/lint/base.go
index 72c38c907..bc705bba9 100644
--- a/v3/lint/base.go
+++ b/v3/lint/base.go
@@ -221,6 +221,9 @@ func (l *CertificateLint) Execute(cert *x509.Certificate, config Configuration)
 if l.Source == CABFBaselineRequirements && !util.IsServerAuthCert(cert) {
 return &LintResult{Status: NA}
 }
+ if l.Source == CABFSMIMEBaselineRequirements && !util.IsEmailProtectionCert(cert) {
+ return &LintResult{Status: NA}
+ }
 lint := l.Lint()
 err := config.MaybeConfigure(lint, l.Name)
 if err != nil {
diff --git a/v3/lint/source.go b/v3/lint/source.go
index 2af67d4f8..f83ded1f8 100644
--- a/v3/lint/source.go
+++ b/v3/lint/source.go
@@ -27,18 +27,19 @@ import (
 type LintSource string
 
 const (
- UnknownLintSource LintSource = "Unknown"
- RFC3279 LintSource = "RFC3279"
- RFC5280 LintSource = "RFC5280"
- RFC5480 LintSource = "RFC5480"
- RFC5891 LintSource = "RFC5891"
- RFC8813 LintSource = "RFC8813"
- CABFBaselineRequirements LintSource = "CABF_BR"
- CABFEVGuidelines LintSource = "CABF_EV"
- MozillaRootStorePolicy LintSource = "Mozilla"
- AppleRootStorePolicy LintSource = "Apple"
- Community LintSource = "Community"
- EtsiEsi LintSource = "ETSI_ESI"
+ UnknownLintSource LintSource = "Unknown"
+ RFC3279 LintSource = "RFC3279"
+ RFC5280 LintSource = "RFC5280"
+ RFC5480 LintSource = "RFC5480"
+ RFC5891 LintSource = "RFC5891"
+ RFC8813 LintSource = "RFC8813"
+ CABFBaselineRequirements LintSource = "CABF_BR"
+ CABFSMIMEBaselineRequirements LintSource = "CABF_SMIME_BR"
+ CABFEVGuidelines LintSource = "CABF_EV"
+ MozillaRootStorePolicy LintSource = "Mozilla"
+ AppleRootStorePolicy LintSource = "Apple"
+ Community LintSource = "Community"
+ EtsiEsi LintSource = "ETSI_ESI"
 )
 
 // UnmarshalJSON implements the json.Unmarshaler interface. It ensures that the
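Review bot: The new `CABFSMIMEBaselineRequirements` constant is added only to the const block; the source.go hunk ends at the `UnmarshalJSON` comment and the diffstat shows no other change in that file, so if the string-to-LintSource mapping below it is an explicit switch over the known values (the `UnknownLintSource` fallback suggests it is), `"CABF_SMIME_BR"` in a JSON config or profile would still decode as `UnknownLintSource`. Worth adding the matching case there, something like `case string(CABFSMIMEBaselineRequirements): *s = CABFSMIMEBaselineRequirements`, plus a test that round-trips every constant through UnmarshalJSON so the next source added cannot be missed. The UnmarshalJSON body itself is outside this hunk, so this is inferred from the diffstat rather than seen.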
diff --git a/v3/lints/cabf_smime_br/mailbox_validated_enforce_subject_field_restrictions.go b/v3/lints/cabf_smime_br/mailbox_validated_enforce_subject_field_restrictions.go new file mode 100644 index 000000000..a6c9327fe --- /dev/null +++ b/v3/lints/cabf_smime_br/mailbox_validated_enforce_subject_field_restrictions.go 
@@ -0,0 +1,78 @@
+package cabf_smime_br
+
+import (
+ "fmt"
+
+ "github.com/zmap/zcrypto/x509"
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/util"
+)
+
+// MailboxValidatedEnforceSubjectFieldRestrictions - linter to enforce MAY/SHALL NOT requirements for mailbox validated SMIME certificates
+type MailboxValidatedEnforceSubjectFieldRestrictions struct{}
+
+var forbiddenSubjectFields = map[string]string{
+ "0.9.2342.19200300.100.1.25": "subject:domainComponent",
+ "1.3.6.1.4.1.311.60.2.1.1": "subject:jurisdictionLocality",
+ "1.3.6.1.4.1.311.60.2.1.2": "subject:jurisdictionProvince",
+ "1.3.6.1.4.1.311.60.2.1.3": "subject:jurisdictionCountry",
+ "2.5.4.4": "subject:surname",
+ "2.5.4.6": "subject:countryName",
+ "2.5.4.7": "subject:localityName",
+ "2.5.4.8": "subject:stateOrProvinceName",
+ "2.5.4.9": "subject:streetAddress",
+ "2.5.4.10": "subject:organizationName",
+ "2.5.4.11": "subject:organizationalUnitName",
+ "2.5.4.12": "subject:title",
+ "2.5.4.17": "subject:postalCode",
+ "2.5.4.42": "subject:givenName",
+ "2.5.4.65": "subject:pseudonym",
+ "2.5.4.97": "subject:organizationIdentifier",
+}
+
+var acceptableSubjectFields = map[string]string{
+ "1.2.840.113549.1.9.1": "subject:emailAddress",
+ "2.5.4.3": "subject:commonName",
+ "2.5.4.5": "subject:serialNumber",
+}
+
+func init() {
+ lint.RegisterLint(&lint.Lint{
+ Name: "e_mailbox_validated_enforce_subject_field_restrictions",
+ Description: "SMIME certificates complying to mailbox validated profiles MAY only contain commonName, serialNumber or emailAddress attributes in the Subject DN",
+ Citation: "SMIME BRs: 7.1.4.2.3",
+ Source: lint.CABFSMIMEBaselineRequirements,
+ EffectiveDate: util.CABF_SMIME_BRs_1_0_0_Date,
+ Lint: func() lint.LintInterface {
+ return &MailboxValidatedEnforceSubjectFieldRestrictions{}
+ },
+ })
+}
+
+// NewMailboxValidatedEnforceSubjectFieldRestrictions creates a new linter to enforce MAY/SHALL NOT field requirements for mailbox validated SMIME certs
+func NewMailboxValidatedEnforceSubjectFieldRestrictions() lint.LintInterface {
+ return &MailboxValidatedEnforceSubjectFieldRestrictions{}
+}
+
+// CheckApplies is returns true if the certificate's policies assert that it conforms to the mailbox validated SMIME BRs
+func (l *MailboxValidatedEnforceSubjectFieldRestrictions) CheckApplies(c *x509.Certificate) bool {
+ return util.IsMailboxValidatedCertificate(c)
+}
+
+// Execute applies the requirements on what fields are allowed for mailbox validated SMIME certificates
+func (l *MailboxValidatedEnforceSubjectFieldRestrictions) Execute(c *x509.Certificate) *lint.LintResult {
+ for _, rdnSeq := range c.Subject.OriginalRDNS {
+ for _, field := range rdnSeq {
+ oidStr := field.Type.String()
+
+ if _, ok := acceptableSubjectFields[oidStr]; !ok {
+ if fieldName, knownField := forbiddenSubjectFields[oidStr]; knownField {
+ return &lint.LintResult{Status: lint.Error, Details: fmt.Sprintf("subject DN contains forbidden field: %s (%s)", fieldName, oidStr)}
+ }
+ return &lint.LintResult{Status: lint.Error, Details: fmt.Sprintf("subject DN contains forbidden field: %s", oidStr)}
+ }
+ }
+ }
+
+ return &lint.LintResult{Status: lint.Pass}
+}
diff --git a/v3/lints/cabf_smime_br/mailbox_validated_enforce_subject_field_restrictions_test.go b/v3/lints/cabf_smime_br/mailbox_validated_enforce_subject_field_restrictions_test.go
new file mode 100644
index 000000000..1b0176bd4
--- /dev/null
+++ b/v3/lints/cabf_smime_br/mailbox_validated_enforce_subject_field_restrictions_test.go
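Review bot: `forbiddenSubjectFields` is consulted only to name the attribute in the error Details; enforcement comes entirely from the allow-list test `if _, ok := acceptableSubjectFields[oidStr]; !ok` in Execute, so an OID that is in neither map is rejected just the same (the nonsense-OID test case relies on this). A comment above the map should say so, e.g. `// forbiddenSubjectFields maps attributes the BRs list as SHALL NOT to a readable name; it only improves the error message — any OID absent from acceptableSubjectFields is rejected.`, otherwise a later maintainer may add an OID to the forbidden list expecting that to be what blocks it. Execute also returns on the first offending attribute, so a subject with several violations reports only one; worth stating in the Execute comment. The CheckApplies comment has a typo: `// CheckApplies returns true if the certificate's policies assert that it conforms to the mailbox validated SMIME BRs`. The same two maps become struct fields in the PATCH 04 refactor hunk below and want the same explanatory comment there.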
@@ -0,0 +1,59 @@
+package cabf_smime_br
+
+import (
+ "testing"
+
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/test"
+)
+
+func TestMailboxValidatedEnforceSubjectFieldRestrictions(t *testing.T) {
+ testCases := []struct {
+ Name string
+ InputFilename string
+
+ ExpectedResult lint.LintStatus
+ ExpectedDetails string
+ }{
+ {
+ Name: "ok - certificate with commonName",
+ InputFilename: "mailboxValidatedLegacyWithCommonName.pem",
+ ExpectedResult: lint.Pass,
+ },
+ {
+ Name: "ok - certificate without mailbox validated policy",
+ InputFilename: "domainValidatedWithEmailCommonName.pem",
+ ExpectedResult: lint.NA,
+ },
+ {
+ Name: "ok - certificate with NotBefore before effective date of lint",
+ InputFilename: "mailboxValidatedLegacyWithCommonNameMay2023.pem",
+ ExpectedResult: lint.NE,
+ },
+ {
+ Name: "error - certificate with countryName",
+ InputFilename: "mailboxValidatedLegacyWithCountryName.pem",
+ ExpectedResult: lint.Error,
+ ExpectedDetails: "subject DN contains forbidden field: subject:countryName (2.5.4.6)",
+ },
+ {
+ Name: "error - certificate containing nonsense subject field (1.2.3.4.5.6.7.8.9.0)",
+ InputFilename: "mailboxValidatedMultipurposeWithNonsenseSubjectField.pem",
+ ExpectedResult: lint.Error,
+ ExpectedDetails: "subject DN contains forbidden field: 1.2.3.4.5.6.7.8.9.0",
+ },
+ }
+
+ for _, tc := range testCases {
+ t.Run(tc.Name, func(t *testing.T) {
+ result := test.TestLint("e_mailbox_validated_enforce_subject_field_restrictions", tc.InputFilename)
+ if result.Status != tc.ExpectedResult {
+ t.Errorf("expected result %v was %v", tc.ExpectedResult, result.Status)
+ }
+
+ if tc.ExpectedDetails != "" && tc.ExpectedDetails != result.Details {
+ t.Errorf("expected details: %s, was %s", tc.ExpectedDetails, result.Details)
+ }
+ })
+ }
+}
diff --git a/v3/testdata/domainValidatedWithEmailCommonName.pem b/v3/testdata/domainValidatedWithEmailCommonName.pem
new file mode 100644
index 000000000..2149ae0df
--- /dev/null
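Review bot: Four of the fixtures this commit adds — mailboxValidatedStrictWithEmailAddress.pem, mailboxValidatedStrictWithSerialNumber.pem, mailboxValidatedMultipurposeWithEmptyEmailAddress.pem and mailboxValidatedMultipurposeWithNoSubject.pem — are not referenced by the table, so the Strict and Multipurpose policy OIDs and the empty-subject path (which yields Pass, because the loop in Execute never runs) are untested. Entries such as `{Name: "ok - strict certificate with emailAddress", InputFilename: "mailboxValidatedStrictWithEmailAddress.pem", ExpectedResult: lint.Pass},` and `{Name: "ok - multipurpose certificate with empty subject", InputFilename: "mailboxValidatedMultipurposeWithNoSubject.pem", ExpectedResult: lint.Pass},` would pin the current behaviour; whether an empty Subject or an empty emailAddress is acceptable for a mailbox-validated profile is a BR question this lint does not decide, but the expected status should at least be explicit. The `tc` loop variable is captured by the t.Run closure, which is fine here because the subtests are not parallel.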
+++ b/v3/testdata/domainValidatedWithEmailCommonName.pem @@ -0,0 +1,39 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 3 (0x3) + Signature Algorithm: ecdsa-with-SHA256 + Issuer: + Validity + Not Before: Sep 2 00:00:00 2023 GMT + Not After : Nov 30 00:00:00 9998 GMT + Subject: CN = brains@tracyisland.com + Subject Public Key Info: + Public Key Algorithm: id-ecPublicKey + Public-Key: (256 bit) + pub: + 04:0d:74:25:fa:6f:5f:3a:2f:ff:16:bf:a3:be:f1: + 02:ac:59:ed:e9:22:4e:5e:31:11:31:89:d1:2e:7c: + c6:df:e0:43:65:8a:24:aa:67:83:ae:82:46:16:e8: + 66:1a:ce:b2:e7:55:ef:63:7c:d7:13:ac:ca:27:dc: + c8:3e:cf:1f:bd + ASN1 OID: prime256v1 + NIST CURVE: P-256 + X509v3 extensions: + X509v3 Certificate Policies: + Policy: 2.23.140.1.2.1 + + Signature Algorithm: ecdsa-with-SHA256 + 30:44:02:20:66:73:1c:1f:93:6b:bb:2c:3a:80:49:42:3d:28: + be:18:ab:87:71:8c:60:b5:17:c6:07:3d:e0:bc:0d:5c:d4:1c: + 02:20:71:11:4a:e7:31:97:c3:27:e6:ed:52:2e:60:cc:86:89: + c1:1e:47:c0:9b:ac:cf:65:31:a8:f4:a4:15:6e:a6:32 +-----BEGIN CERTIFICATE----- +MIIBJzCBz6ADAgECAgEDMAoGCCqGSM49BAMCMAAwIBcNMjMwOTAyMDAwMDAwWhgP +OTk5ODExMzAwMDAwMDBaMCExHzAdBgNVBAMMFmJyYWluc0B0cmFjeWlzbGFuZC5j +b20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQNdCX6b186L/8Wv6O+8QKsWe3p +Ik5eMRExidEufMbf4ENliiSqZ4OugkYW6GYazrLnVe9jfNcTrMon3Mg+zx+9oxcw +FTATBgNVHSAEDDAKMAgGBmeBDAECATAKBggqhkjOPQQDAgNHADBEAiBmcxwfk2u7 +LDqASUI9KL4Yq4dxjGC1F8YHPeC8DVzUHAIgcRFK5zGXwyfm7VIuYMyGicEeR8Cb +rM9lMaj0pBVupjI= +-----END CERTIFICATE----- \ No newline at end of file diff --git a/v3/testdata/mailboxValidatedLegacyWithCommonName.pem b/v3/testdata/mailboxValidatedLegacyWithCommonName.pem new file mode 100644 index 000000000..76cffea7e --- /dev/null +++ b/v3/testdata/mailboxValidatedLegacyWithCommonName.pem 
@@ -0,0 +1,39 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 3 (0x3) + Signature Algorithm: ecdsa-with-SHA256 + Issuer: + Validity + Not Before: Sep 2 00:00:00 2023 GMT + Not After : Nov 30 00:00:00 9998 GMT + Subject: CN = brains@tracyisland.com + Subject Public Key Info: + Public Key Algorithm: id-ecPublicKey + Public-Key: (256 bit) + pub: + 04:8c:b9:d4:53:05:fc:2d:f5:4b:77:63:d7:2c:bf: + fc:d9:a0:d7:68:6f:ce:3c:6a:5a:1a:bb:f1:a4:3a: + ea:ad:e6:bc:90:ea:a4:70:b8:1f:3c:da:02:c6:7d: + 6e:b2:93:8b:8f:4b:b2:ed:20:94:6e:6e:59:35:fc: + bc:31:7f:75:bc + ASN1 OID: prime256v1 + NIST CURVE: P-256 + X509v3 extensions: + X509v3 Certificate Policies: + Policy: 2.23.140.1.5.1.1 + + Signature Algorithm: ecdsa-with-SHA256 + 30:45:02:21:00:e4:9b:da:66:53:b2:f0:52:71:69:da:16:79: + 09:04:12:dc:79:5b:0c:35:b6:df:46:2a:37:0b:c3:1b:15:8c: + e2:02:20:61:6e:98:a7:3a:b5:bd:32:05:aa:ee:df:fb:20:3a: + 5e:a0:67:4f:6f:fe:ad:f8:2c:b2:53:05:9a:e7:c2:21:62 +-----BEGIN CERTIFICATE----- +MIIBKTCB0KADAgECAgEDMAoGCCqGSM49BAMCMAAwIBcNMjMwOTAyMDAwMDAwWhgP +OTk5ODExMzAwMDAwMDBaMCExHzAdBgNVBAMMFmJyYWluc0B0cmFjeWlzbGFuZC5j +b20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASMudRTBfwt9Ut3Y9csv/zZoNdo +b848aloau/GkOuqt5ryQ6qRwuB882gLGfW6yk4uPS7LtIJRublk1/Lwxf3W8oxgw +FjAUBgNVHSAEDTALMAkGB2eBDAEFAQEwCgYIKoZIzj0EAwIDSAAwRQIhAOSb2mZT +svBScWnaFnkJBBLceVsMNbbfRio3C8MbFYziAiBhbpinOrW9MgWq7t/7IDpeoGdP +b/6t+CyyUwWa58IhYg== +-----END CERTIFICATE----- \ No newline at end of file diff --git a/v3/testdata/mailboxValidatedLegacyWithCommonNameMay2023.pem b/v3/testdata/mailboxValidatedLegacyWithCommonNameMay2023.pem new file mode 100644 index 000000000..793168552 --- /dev/null +++ b/v3/testdata/mailboxValidatedLegacyWithCommonNameMay2023.pem 
@@ -0,0 +1,39 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 3 (0x3) + Signature Algorithm: ecdsa-with-SHA256 + Issuer: + Validity + Not Before: May 2 00:00:00 2023 GMT + Not After : Nov 30 00:00:00 9998 GMT + Subject: CN = brains@tracyisland.com + Subject Public Key Info: + Public Key Algorithm: id-ecPublicKey + Public-Key: (256 bit) + pub: + 04:ae:c3:b8:71:e1:ea:7f:8e:e7:0f:9a:f5:e0:98: + cd:a8:f3:d9:13:4d:fb:1d:1b:37:2b:56:83:5c:5c: + de:77:60:f4:f7:05:59:59:38:d3:ff:64:17:e5:da: + ef:51:03:20:81:b9:32:00:b2:6f:b6:34:6d:f8:00: + a0:ff:0f:eb:03 + ASN1 OID: prime256v1 + NIST CURVE: P-256 + X509v3 extensions: + X509v3 Certificate Policies: + Policy: 2.23.140.1.5.1.1 + + Signature Algorithm: ecdsa-with-SHA256 + 30:46:02:21:00:d4:34:07:e7:93:dc:44:6b:45:cd:8e:33:fa: + 6b:68:8c:76:ff:bf:f0:69:ca:26:e3:a2:a8:4f:fd:d2:29:4a: + 13:02:21:00:ad:28:cf:d7:ca:7f:a4:91:7c:ca:c3:c9:2d:fe: + 7f:cc:6d:27:c5:3d:31:f6:26:70:69:da:67:bc:9a:98:c6:24 +-----BEGIN CERTIFICATE----- +MIIBKjCB0KADAgECAgEDMAoGCCqGSM49BAMCMAAwIBcNMjMwNTAyMDAwMDAwWhgP +OTk5ODExMzAwMDAwMDBaMCExHzAdBgNVBAMMFmJyYWluc0B0cmFjeWlzbGFuZC5j +b20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASuw7hx4ep/jucPmvXgmM2o89kT +TfsdGzcrVoNcXN53YPT3BVlZONP/ZBfl2u9RAyCBuTIAsm+2NG34AKD/D+sDoxgw +FjAUBgNVHSAEDTALMAkGB2eBDAEFAQEwCgYIKoZIzj0EAwIDSQAwRgIhANQ0B+eT +3ERrRc2OM/praIx2/7/wacom46KoT/3SKUoTAiEArSjP18p/pJF8ysPJLf5/zG0n +xT0x9iZwadpnvJqYxiQ= +-----END CERTIFICATE----- \ No newline at end of file diff --git a/v3/testdata/mailboxValidatedLegacyWithCountryName.pem b/v3/testdata/mailboxValidatedLegacyWithCountryName.pem new file mode 100644 index 000000000..086acd8d1 --- /dev/null +++ b/v3/testdata/mailboxValidatedLegacyWithCountryName.pem 
@@ -0,0 +1,39 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 3 (0x3) + Signature Algorithm: ecdsa-with-SHA256 + Issuer: + Validity + Not Before: Sep 2 00:00:00 2023 GMT + Not After : Nov 30 00:00:00 9998 GMT + Subject: CN = brains@tracyisland.com, C = GB + Subject Public Key Info: + Public Key Algorithm: id-ecPublicKey + Public-Key: (256 bit) + pub: + 04:99:f1:eb:ed:36:18:ff:2e:50:10:94:be:88:77: + a6:a9:7b:f9:86:36:24:89:df:88:98:ac:ff:87:75: + c7:af:8e:92:8d:7e:50:54:be:52:f1:48:fc:14:74: + e3:3b:16:0f:0b:28:47:55:cd:86:15:33:8e:52:ec: + 17:1b:38:89:ae + ASN1 OID: prime256v1 + NIST CURVE: P-256 + X509v3 extensions: + X509v3 Certificate Policies: + Policy: 2.23.140.1.5.1.1 + + Signature Algorithm: ecdsa-with-SHA256 + 30:46:02:21:00:ef:63:18:62:1f:82:9e:09:92:fb:62:9f:ef: + 00:57:62:9a:6f:c7:4b:4b:f5:af:3b:e5:a7:71:83:88:3b:7f: + 2f:02:21:00:8d:5e:bb:f2:92:15:8d:55:82:89:c2:1d:c9:48: + 97:54:69:af:05:84:cc:f5:54:c3:09:90:1b:b7:97:47:b6:84 +-----BEGIN CERTIFICATE----- +MIIBNzCB3aADAgECAgEDMAoGCCqGSM49BAMCMAAwIBcNMjMwOTAyMDAwMDAwWhgP +OTk5ODExMzAwMDAwMDBaMC4xHzAdBgNVBAMMFmJyYWluc0B0cmFjeWlzbGFuZC5j +b20xCzAJBgNVBAYTAkdCMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEmfHr7TYY +/y5QEJS+iHemqXv5hjYkid+ImKz/h3XHr46SjX5QVL5S8Uj8FHTjOxYPCyhHVc2G +FTOOUuwXGziJrqMYMBYwFAYDVR0gBA0wCzAJBgdngQwBBQEBMAoGCCqGSM49BAMC +A0kAMEYCIQDvYxhiH4KeCZL7Yp/vAFdimm/HS0v1rzvlp3GDiDt/LwIhAI1eu/KS +FY1VgonCHclIl1RprwWEzPVUwwmQG7eXR7aE +-----END CERTIFICATE----- \ No newline at end of file diff --git a/v3/testdata/mailboxValidatedMultipurposeWithEmptyEmailAddress.pem b/v3/testdata/mailboxValidatedMultipurposeWithEmptyEmailAddress.pem new file mode 100644 index 000000000..14e5b9e7d --- /dev/null +++ b/v3/testdata/mailboxValidatedMultipurposeWithEmptyEmailAddress.pem 
@@ -0,0 +1,38 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 3 (0x3) + Signature Algorithm: ecdsa-with-SHA256 + Issuer: + Validity + Not Before: Sep 2 00:00:00 2023 GMT + Not After : Nov 30 00:00:00 9998 GMT + Subject: emailAddress = + Subject Public Key Info: + Public Key Algorithm: id-ecPublicKey + Public-Key: (256 bit) + pub: + 04:e1:e8:dd:0e:89:86:c5:31:ed:7a:55:81:b8:30: + 2d:cb:13:88:ff:6b:00:74:56:41:6d:a9:54:bf:fa: + 8a:24:6d:a8:45:80:14:04:e9:29:c4:aa:62:9c:4d: + 06:73:3c:77:29:bc:09:d4:3a:ef:9b:47:4b:23:23: + 61:b4:bc:7e:94 + ASN1 OID: prime256v1 + NIST CURVE: P-256 + X509v3 extensions: + X509v3 Certificate Policies: + Policy: 2.23.140.1.5.1.2 + + Signature Algorithm: ecdsa-with-SHA256 + 30:45:02:20:4c:03:07:aa:61:61:3e:a7:43:5d:60:f2:e1:99: + 49:24:43:42:80:d6:32:bc:17:cf:86:60:63:26:89:93:85:00: + 02:21:00:9d:4e:d4:37:71:bd:8e:ae:95:7c:60:42:64:b1:73: + ba:67:8d:56:0f:2c:d3:ca:52:ac:59:77:e4:40:04:71:53 +-----BEGIN CERTIFICATE----- +MIIBGTCBwKADAgECAgEDMAoGCCqGSM49BAMCMAAwIBcNMjMwOTAyMDAwMDAwWhgP +OTk5ODExMzAwMDAwMDBaMBExDzANBgkqhkiG9w0BCQETADBZMBMGByqGSM49AgEG +CCqGSM49AwEHA0IABOHo3Q6JhsUx7XpVgbgwLcsTiP9rAHRWQW2pVL/6iiRtqEWA +FATpKcSqYpxNBnM8dym8CdQ675tHSyMjYbS8fpSjGDAWMBQGA1UdIAQNMAswCQYH +Z4EMAQUBAjAKBggqhkjOPQQDAgNIADBFAiBMAweqYWE+p0NdYPLhmUkkQ0KA1jK8 +F8+GYGMmiZOFAAIhAJ1O1DdxvY6ulXxgQmSxc7pnjVYPLNPKUqxZd+RABHFT +-----END CERTIFICATE----- \ No newline at end of file diff --git a/v3/testdata/mailboxValidatedMultipurposeWithNoSubject.pem b/v3/testdata/mailboxValidatedMultipurposeWithNoSubject.pem new file mode 100644 index 000000000..8025fe970 --- /dev/null +++ b/v3/testdata/mailboxValidatedMultipurposeWithNoSubject.pem 
@@ -0,0 +1,38 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 3 (0x3) + Signature Algorithm: ecdsa-with-SHA256 + Issuer: + Validity + Not Before: Sep 2 00:00:00 2023 GMT + Not After : Nov 30 00:00:00 9998 GMT + Subject: + Subject Public Key Info: + Public Key Algorithm: id-ecPublicKey + Public-Key: (256 bit) + pub: + 04:a1:f6:b3:a1:64:29:f0:ea:65:65:bd:7d:aa:4d: + e0:d2:5b:d1:2e:7b:4d:7c:54:d9:15:5c:20:f8:3b: + 08:9e:cd:dd:fc:74:06:c0:88:fe:07:79:32:f4:92: + 80:80:dd:9a:f3:80:e6:7b:97:41:56:22:23:05:17: + 85:5f:9b:be:17 + ASN1 OID: prime256v1 + NIST CURVE: P-256 + X509v3 extensions: + X509v3 Certificate Policies: + Policy: 2.23.140.1.5.1.2 + + Signature Algorithm: ecdsa-with-SHA256 + 30:45:02:21:00:a0:87:b2:b3:b1:16:18:66:eb:2b:ad:e1:7d: + b9:8d:d8:b0:e1:99:3b:89:72:de:58:0b:c6:85:2c:3e:33:d9: + 40:02:20:65:6c:60:33:aa:2e:cf:8c:73:2f:5a:3d:10:68:01: + 1e:5e:bd:6a:34:9b:46:cc:53:b9:46:5a:8a:80:ae:b4:d1 +-----BEGIN CERTIFICATE----- +MIIBCDCBr6ADAgECAgEDMAoGCCqGSM49BAMCMAAwIBcNMjMwOTAyMDAwMDAwWhgP +OTk5ODExMzAwMDAwMDBaMAAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASh9rOh +ZCnw6mVlvX2qTeDSW9Eue018VNkVXCD4Owiezd38dAbAiP4HeTL0koCA3ZrzgOZ7 +l0FWIiMFF4Vfm74XoxgwFjAUBgNVHSAEDTALMAkGB2eBDAEFAQIwCgYIKoZIzj0E +AwIDSAAwRQIhAKCHsrOxFhhm6yut4X25jdiw4Zk7iXLeWAvGhSw+M9lAAiBlbGAz +qi7PjHMvWj0QaAEeXr1qNJtGzFO5RlqKgK600Q== +-----END CERTIFICATE----- \ No newline at end of file diff --git a/v3/testdata/mailboxValidatedMultipurposeWithNonsenseSubjectField.pem b/v3/testdata/mailboxValidatedMultipurposeWithNonsenseSubjectField.pem new file mode 100644 index 000000000..dcfbda03b --- /dev/null +++ b/v3/testdata/mailboxValidatedMultipurposeWithNonsenseSubjectField.pem 
@@ -0,0 +1,39 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 3 (0x3) + Signature Algorithm: ecdsa-with-SHA256 + Issuer: + Validity + Not Before: Sep 2 00:00:00 2023 GMT + Not After : Nov 30 00:00:00 9998 GMT + Subject: 1.2.3.4.5.6.7.8.9.0 = any old rubbish + Subject Public Key Info: + Public Key Algorithm: id-ecPublicKey + Public-Key: (256 bit) + pub: + 04:e7:21:34:a8:97:83:75:62:ff:6d:8f:dc:95:69: + 24:08:76:19:c4:7a:83:f4:93:ba:10:05:dd:a8:e4: + c4:20:69:22:19:f2:96:ed:d9:9b:1a:cc:78:6b:bf: + ce:1b:21:7c:c2:6e:d1:40:dc:d9:66:a8:cc:24:f2: + 6b:18:d9:59:2f + ASN1 OID: prime256v1 + NIST CURVE: P-256 + X509v3 extensions: + X509v3 Certificate Policies: + Policy: 2.23.140.1.5.1.2 + + Signature Algorithm: ecdsa-with-SHA256 + 30:45:02:20:38:f1:af:88:ec:b2:fc:81:9b:bb:73:a1:9c:4f: + c9:79:e8:7f:ff:a7:c4:71:45:8f:9a:1d:67:54:54:57:8a:cb: + 02:21:00:9e:4e:c7:2f:0b:54:d8:6e:5f:43:1c:e8:79:c2:c1: + 7a:46:1b:ec:da:91:d9:42:03:b5:5a:64:e0:86:95:ed:c4 +-----BEGIN CERTIFICATE----- +MIIBKDCBz6ADAgECAgEDMAoGCCqGSM49BAMCMAAwIBcNMjMwOTAyMDAwMDAwWhgP +OTk5ODExMzAwMDAwMDBaMCAxHjAcBgkqAwQFBgcICQATD2FueSBvbGQgcnViYmlz +aDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABOchNKiXg3Vi/22P3JVpJAh2GcR6 +g/STuhAF3ajkxCBpIhnylu3ZmxrMeGu/zhshfMJu0UDc2WaozCTyaxjZWS+jGDAW +MBQGA1UdIAQNMAswCQYHZ4EMAQUBAjAKBggqhkjOPQQDAgNIADBFAiA48a+I7LL8 +gZu7c6GcT8l56H//p8RxRY+aHWdUVFeKywIhAJ5Oxy8LVNhuX0Mc6HnCwXpGG+za +kdlCA7VaZOCGle3E +-----END CERTIFICATE----- \ No newline at end of file diff --git a/v3/testdata/mailboxValidatedStrictWithEmailAddress.pem b/v3/testdata/mailboxValidatedStrictWithEmailAddress.pem new file mode 100644 index 000000000..8e7e67493 --- /dev/null +++ b/v3/testdata/mailboxValidatedStrictWithEmailAddress.pem 
@@ -0,0 +1,39 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 3 (0x3) + Signature Algorithm: ecdsa-with-SHA256 + Issuer: + Validity + Not Before: Sep 2 00:00:00 2023 GMT + Not After : Nov 30 00:00:00 9998 GMT + Subject: emailAddress = brains@tracyisland.com + Subject Public Key Info: + Public Key Algorithm: id-ecPublicKey + Public-Key: (256 bit) + pub: + 04:16:fd:e0:d9:5f:ee:fc:ba:4c:45:1c:d3:b8:fb: + 60:e5:44:d2:8a:ca:f4:6d:9d:61:b3:d4:37:8c:c9: + 06:1e:fb:b8:5a:7c:1a:2e:99:2f:18:4f:34:9f:0c: + 51:87:21:91:b7:e7:e3:16:cf:fc:10:2e:66:d0:6d: + 32:68:d5:e3:92 + ASN1 OID: prime256v1 + NIST CURVE: P-256 + X509v3 extensions: + X509v3 Certificate Policies: + Policy: 2.23.140.1.5.1.3 + + Signature Algorithm: ecdsa-with-SHA256 + 30:46:02:21:00:eb:7f:0f:95:3b:70:ab:0b:7f:de:c5:cf:01: + 4e:2f:71:1c:2d:a0:d8:66:9d:80:9b:41:3e:82:cd:1f:a4:15: + a0:02:21:00:f2:31:1e:39:16:24:b5:a8:67:a9:5a:3a:c0:b3: + 22:07:ff:99:47:7e:d9:89:5e:0b:db:ba:72:29:f0:a7:7d:ad +-----BEGIN CERTIFICATE----- +MIIBMDCB1qADAgECAgEDMAoGCCqGSM49BAMCMAAwIBcNMjMwOTAyMDAwMDAwWhgP +OTk5ODExMzAwMDAwMDBaMCcxJTAjBgkqhkiG9w0BCQEMFmJyYWluc0B0cmFjeWlz +bGFuZC5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQW/eDZX+78ukxFHNO4 ++2DlRNKKyvRtnWGz1DeMyQYe+7hafBoumS8YTzSfDFGHIZG35+MWz/wQLmbQbTJo +1eOSoxgwFjAUBgNVHSAEDTALMAkGB2eBDAEFAQMwCgYIKoZIzj0EAwIDSQAwRgIh +AOt/D5U7cKsLf97FzwFOL3EcLaDYZp2Am0E+gs0fpBWgAiEA8jEeORYktahnqVo6 +wLMiB/+ZR37ZiV4L27pyKfCnfa0= +-----END CERTIFICATE----- \ No newline at end of file diff --git a/v3/testdata/mailboxValidatedStrictWithSerialNumber.pem b/v3/testdata/mailboxValidatedStrictWithSerialNumber.pem new file mode 100644 index 000000000..2079bf942 --- /dev/null +++ b/v3/testdata/mailboxValidatedStrictWithSerialNumber.pem 
@@ -0,0 +1,38 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 3 (0x3) + Signature Algorithm: ecdsa-with-SHA256 + Issuer: + Validity + Not Before: Sep 2 00:00:00 2023 GMT + Not After : Nov 30 00:00:00 9998 GMT + Subject: serialNumber = TB1 + Subject Public Key Info: + Public Key Algorithm: id-ecPublicKey + Public-Key: (256 bit) + pub: + 04:bf:44:7a:aa:50:08:e6:c7:62:a4:49:91:a7:8b: + d8:1b:9a:4d:66:97:e4:04:4a:7b:21:e9:17:37:b8: + 7b:02:14:49:1b:c1:18:3c:00:43:96:e6:51:91:fd: + 97:d2:48:6b:fe:f7:12:05:c6:ab:cc:1e:20:69:4b: + 33:e8:e0:a7:5b + ASN1 OID: prime256v1 + NIST CURVE: P-256 + X509v3 extensions: + X509v3 Certificate Policies: + Policy: 2.23.140.1.5.1.3 + + Signature Algorithm: ecdsa-with-SHA256 + 30:46:02:21:00:ad:cc:61:50:2c:cc:ce:bd:48:32:ec:ad:77: + 77:40:22:4d:c5:4f:5d:e0:ac:67:61:db:08:a5:85:69:b9:9a: + ad:02:21:00:bb:9e:84:6c:d3:61:01:b8:b4:55:96:74:b1:54: + 37:29:c3:51:17:bb:e5:e8:90:4a:5f:6c:82:77:56:4f:e4:ea +-----BEGIN CERTIFICATE----- +MIIBFzCBvaADAgECAgEDMAoGCCqGSM49BAMCMAAwIBcNMjMwOTAyMDAwMDAwWhgP +OTk5ODExMzAwMDAwMDBaMA4xDDAKBgNVBAUTA1RCMTBZMBMGByqGSM49AgEGCCqG +SM49AwEHA0IABL9EeqpQCObHYqRJkaeL2BuaTWaX5ARKeyHpFze4ewIUSRvBGDwA +Q5bmUZH9l9JIa/73EgXGq8weIGlLM+jgp1ujGDAWMBQGA1UdIAQNMAswCQYHZ4EM +AQUBAzAKBggqhkjOPQQDAgNJADBGAiEArcxhUCzMzr1IMuytd3dAIk3FT13grGdh +2wilhWm5mq0CIQC7noRs02EBuLRVlnSxVDcpw1EXu+XokEpfbIJ3Vk/k6g== +-----END CERTIFICATE----- \ No newline at end of file diff --git a/v3/util/ca.go b/v3/util/ca.go index 43e2755b0..eeb31e13b 100644 --- a/v3/util/ca.go +++ b/v3/util/ca.go @@ -62,3 +62,15 @@ func IsServerAuthCert(cert *x509.Certificate) bool { } return false } + +func IsEmailProtectionCert(cert *x509.Certificate) bool { + if len(cert.ExtKeyUsage) == 0 { + return true + } + for _, eku := range cert.ExtKeyUsage { + if eku == x509.ExtKeyUsageAny || eku == x509.ExtKeyUsageEmailProtection { + return true + } + } + return false +} diff --git a/v3/util/oid.go b/v3/util/oid.go index 0141ab37d..b4116c2f1 100644 
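Review bot: `IsEmailProtectionCert` returns true when `cert.ExtKeyUsage` is empty, so a certificate with no EKU extension at all — a CA certificate, for instance — passes the gate added in base.go and is run through every CABF_SMIME_BR lint; that is presumably intended so that EKU-less subscriber certificates are still linted (and is consistent with `IsServerAuthCert` just above if it takes the same approach, which the hunk does not show), but nothing says so. The exported function also lacks a doc comment; I would add `// IsEmailProtectionCert returns true if the certificate has no EKU extension, or if its EKU includes anyExtendedKeyUsage or emailProtection. Certificates without an EKU are kept in scope so the S/MIME BR lints still run on them.` The same permissive gate means a TLS certificate that merely lacks an EKU is judged against both BR rule sets; if that is not wanted, the gate could additionally require an S/MIME policy OID, as `IsMailboxValidatedCertificate` does for the new lint.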
--- a/v3/util/oid.go +++ b/v3/util/oid.go @@ -49,11 +49,14 @@ var ( SubjectInfoAccessOID = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 11} // Subject Info Access Syntax SubjectKeyIdentityOID = asn1.ObjectIdentifier{2, 5, 29, 14} // Subject Key Identifier // CA/B reserved policies - BRDomainValidatedOID = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 1} // CA/B BR Domain-Validated - BROrganizationValidatedOID = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 2} // CA/B BR Organization-Validated - BRIndividualValidatedOID = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 3} // CA/B BR Individual-Validated - BRTorServiceDescriptor = asn1.ObjectIdentifier{2, 23, 140, 1, 31} // CA/B BR Tor Service Descriptor - CabfExtensionOrganizationIdentifier = asn1.ObjectIdentifier{2, 23, 140, 3, 1} // CA/B EV 9.8.2 cabfOrganizationIdentifier + BRDomainValidatedOID = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 1} // CA/B BR Domain-Validated + BROrganizationValidatedOID = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 2} // CA/B BR Organization-Validated + BRIndividualValidatedOID = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 3} // CA/B BR Individual-Validated + BRTorServiceDescriptor = asn1.ObjectIdentifier{2, 23, 140, 1, 31} // CA/B BR Tor Service Descriptor + CabfExtensionOrganizationIdentifier = asn1.ObjectIdentifier{2, 23, 140, 3, 1} // CA/B EV 9.8.2 cabfOrganizationIdentifier + SMIMEBRMailboxValidatedLegacyOID = asn1.ObjectIdentifier{2, 23, 140, 1, 5, 1, 1} // CA/B SMIME BR Mailbox Validated, Legacy + SMIMEBRMailboxValidatedMultipurposeOID = asn1.ObjectIdentifier{2, 23, 140, 1, 5, 1, 2} // CA/B SMIME BR Mailbox Validated, Multipurpose + SMIMEBRMailboxValidatedStrictOID = asn1.ObjectIdentifier{2, 23, 140, 1, 5, 1, 3} // CA/B SMIME BR Mailbox Validated, Strict //X.500 attribute types CommonNameOID = asn1.ObjectIdentifier{2, 5, 4, 3} SurnameOID = asn1.ObjectIdentifier{2, 5, 4, 4} diff --git a/v3/util/smime_policies.go b/v3/util/smime_policies.go new file mode 100644 index 000000000..76b3e9575 --- /dev/null 
+++ b/v3/util/smime_policies.go @@ -0,0 +1,13 @@ +package util + +import "github.com/zmap/zcrypto/x509" + +func IsMailboxValidatedCertificate(c *x509.Certificate) bool { + for _, oid := range c.PolicyIdentifiers { + if oid.Equal(SMIMEBRMailboxValidatedLegacyOID) || oid.Equal(SMIMEBRMailboxValidatedMultipurposeOID) || oid.Equal(SMIMEBRMailboxValidatedStrictOID) { + return true + } + } + + return false +} diff --git a/v3/util/time.go b/v3/util/time.go index e3313970e..5d6d8efbb 100644 --- a/v3/util/time.go +++ b/v3/util/time.go @@ -72,6 +72,7 @@ var ( CABFBRs_1_8_0_Date = time.Date(2021, time.August, 25, 0, 0, 0, 0, time.UTC) NoReservedDomainLabelsDate = time.Date(2021, time.October, 1, 0, 0, 0, 0, time.UTC) CABFBRs_OU_Prohibited_Date = time.Date(2022, time.September, 1, 0, 0, 0, 0, time.UTC) + CABF_SMIME_BRs_1_0_0_Date = time.Date(2023, time.September, 1, 0, 0, 0, 0, time.UTC) ) var ( From cad890662bca2cf8a40bf03808ce94f85d2a7a64 Mon Sep 17 00:00:00 2001 From: robplee Date: Tue, 2 May 2023 11:58:13 +0100 Subject: [PATCH 02/11] Add zlint copyright text to new files. --- ...validated_enforce_subject_field_restrictions.go | 14 ++++++++++++++ ...ated_enforce_subject_field_restrictions_test.go | 14 ++++++++++++++ v3/util/smime_policies.go | 14 ++++++++++++++ 3 files changed, 42 insertions(+) diff --git a/v3/lints/cabf_smime_br/mailbox_validated_enforce_subject_field_restrictions.go b/v3/lints/cabf_smime_br/mailbox_validated_enforce_subject_field_restrictions.go index a6c9327fe..2ae563cb0 100644 --- a/v3/lints/cabf_smime_br/mailbox_validated_enforce_subject_field_restrictions.go +++ b/v3/lints/cabf_smime_br/mailbox_validated_enforce_subject_field_restrictions.go 
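Review bot: `IsMailboxValidatedCertificate` is exported without a doc comment; `// IsMailboxValidatedCertificate returns true if the certificate asserts one of the CA/B S/MIME BR mailbox-validated policy OIDs (legacy, multipurpose or strict).` would do. The three chained `oid.Equal` calls on one line are hard to read; a package-level slice of the three OIDs iterated inside the loop reads better and is easier to extend if further S/MIME profiles are added later. The `CABF_SMIME_BRs_1_0_0_Date` constant added in the time.go hunk (2023-09-01) is what the lint's EffectiveDate and the May-2023 fixture's NE expectation hinge on, so a comment next to it naming the BR version and clause that date comes from would help the next reader.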
@@ -1,5 +1,19 @@ package cabf_smime_br +/* + * ZLint Copyright 2021 Regents of the University of Michigan + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may not + * use this file except in compliance with the License. You may obtain a copy + * of the License at http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + * implied. See the License for the specific language governing + * permissions and limitations under the License. + */ + import ( "fmt" diff --git a/v3/lints/cabf_smime_br/mailbox_validated_enforce_subject_field_restrictions_test.go b/v3/lints/cabf_smime_br/mailbox_validated_enforce_subject_field_restrictions_test.go index 1b0176bd4..429bd9e21 100644 --- a/v3/lints/cabf_smime_br/mailbox_validated_enforce_subject_field_restrictions_test.go +++ b/v3/lints/cabf_smime_br/mailbox_validated_enforce_subject_field_restrictions_test.go @@ -1,5 +1,19 @@ package cabf_smime_br +/* + * ZLint Copyright 2021 Regents of the University of Michigan + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may not + * use this file except in compliance with the License. You may obtain a copy + * of the License at http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + * implied. See the License for the specific language governing + * permissions and limitations under the License. + */ + import ( "testing" diff --git a/v3/util/smime_policies.go b/v3/util/smime_policies.go index 76b3e9575..051e483ba 100644 --- a/v3/util/smime_policies.go +++ b/v3/util/smime_policies.go 
@@ -1,5 +1,19 @@ package util +/* + * ZLint Copyright 2021 Regents of the University of Michigan + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may not + * use this file except in compliance with the License. You may obtain a copy + * of the License at http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + * implied. See the License for the specific language governing + * permissions and limitations under the License. + */ + import "github.com/zmap/zcrypto/x509" func IsMailboxValidatedCertificate(c *x509.Certificate) bool { From 9dbd012bc6d587e14c30f832ebe822d6117e68e1 Mon Sep 17 00:00:00 2001 From: robplee Date: Tue, 2 May 2023 16:26:39 +0100 Subject: [PATCH 03/11] Add cabf_smime_br lint source to TestNotMissingAnyLintSources --- v3/profiles/profiles_test.go | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/v3/profiles/profiles_test.go b/v3/profiles/profiles_test.go index 57f7cbe77..49f0ad085 100644 --- a/v3/profiles/profiles_test.go +++ b/v3/profiles/profiles_test.go @@ -22,6 +22,7 @@ import ( _ "github.com/zmap/zlint/v3/lints/apple" _ "github.com/zmap/zlint/v3/lints/cabf_br" _ "github.com/zmap/zlint/v3/lints/cabf_ev" + _ "github.com/zmap/zlint/v3/lints/cabf_smime_br" _ "github.com/zmap/zlint/v3/lints/community" _ "github.com/zmap/zlint/v3/lints/etsi" _ "github.com/zmap/zlint/v3/lints/mozilla" 
@@ -45,13 +46,14 @@ func TestLintsInAllProfilesExist(t *testing.T) {
 // lint source in the future that we don't miss importing it into this test file.
 func TestNotMissingAnyLintSources(t *testing.T) {
 	expected := map[string]bool{
-		"apple": true,
-		"cabf_br": true,
-		"cabf_ev": true,
-		"community": true,
-		"etsi": true,
-		"mozilla": true,
-		"rfc": true,
+		"apple": true,
+		"cabf_br": true,
+		"cabf_ev": true,
+		"cabf_smime_br": true,
+		"community": true,
+		"etsi": true,
+		"mozilla": true,
+		"rfc": true,
 	}
 	dir, err := ioutil.ReadDir("../lints")
 	if err != nil {
From 10c5ef1e328c3576888b44c73629d57dba788dd9 Mon Sep 17 00:00:00 2001
From: robplee
Date: Thu, 4 May 2023 15:11:01 +0100
Subject: [PATCH 04/11] refactor lint to add lists of allowed and forbidden fields into the lint struct

---
 ...ated_enforce_subject_field_restrictions.go | 60 ++++++++++---------
 ...enforce_subject_field_restrictions_test.go | 2 +-
 2 files changed, 32 insertions(+), 30 deletions(-)

diff --git a/v3/lints/cabf_smime_br/mailbox_validated_enforce_subject_field_restrictions.go b/v3/lints/cabf_smime_br/mailbox_validated_enforce_subject_field_restrictions.go
index 2ae563cb0..9177b6af6 100644
--- a/v3/lints/cabf_smime_br/mailbox_validated_enforce_subject_field_restrictions.go
+++ b/v3/lints/cabf_smime_br/mailbox_validated_enforce_subject_field_restrictions.go
@@ -23,31 +23,9 @@ import (
 )
 
 // MailboxValidatedEnforceSubjectFieldRestrictions - linter to enforce MAY/SHALL NOT requirements for mailbox validated SMIME certificates
-type MailboxValidatedEnforceSubjectFieldRestrictions struct{}
-
-var forbiddenSubjectFields = map[string]string{
-	"0.9.2342.19200300.100.1.25": "subject:domainComponent",
-	"1.3.6.1.4.1.311.60.2.1.1": "subject:jurisdictionLocality",
-	"1.3.6.1.4.1.311.60.2.1.2": "subject:jurisdictionProvince",
-	"1.3.6.1.4.1.311.60.2.1.3": "subject:jurisdictionCountry",
-	"2.5.4.4": "subject:surname",
-	"2.5.4.6": "subject:countryName",
-	"2.5.4.7": "subject:localityName",
-	"2.5.4.8": "subject:stateOrProvinceName",
-	"2.5.4.9": "subject:streetAddress",
-	"2.5.4.10": "subject:organizationName",
-	"2.5.4.11": "subject:organizationalUnitName",
-	"2.5.4.12": "subject:title",
-	"2.5.4.17": "subject:postalCode",
-	"2.5.4.42": "subject:givenName",
-	"2.5.4.65": "subject:pseudonym",
-	"2.5.4.97": "subject:organizationIdentifier",
-}
-
-var acceptableSubjectFields = map[string]string{
-	"1.2.840.113549.1.9.1": "subject:emailAddress",
-	"2.5.4.3": "subject:commonName",
-	"2.5.4.5": "subject:serialNumber",
+type MailboxValidatedEnforceSubjectFieldRestrictions struct {
+	forbiddenSubjectFields map[string]string
+	allowedSubjectFields map[string]string
 }
 
 func init() {
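Review bot: The two new struct fields are undocumented, and their names suggest symmetrical roles they do not have: in Execute (a later hunk of this commit) any OID missing from allowedSubjectFields is an error, and forbiddenSubjectFields only supplies a readable name for the Details string. A field comment along the lines of `// allowedSubjectFields is the gate: only these attribute types may appear in the subject DN (SMIME BRs 7.1.4.2.3).` and `// forbiddenSubjectFields maps attributes the BRs explicitly list as SHALL NOT to a readable name; it is consulted only when building error details.` would stop a maintainer from assuming a new OID has to be added to both maps. The struct declaration itself is complete within the hunk.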
@@ -58,14 +36,38 @@ func init() {
 		Source: lint.CABFSMIMEBaselineRequirements,
 		EffectiveDate: util.CABF_SMIME_BRs_1_0_0_Date,
 		Lint: func() lint.LintInterface {
-			return &MailboxValidatedEnforceSubjectFieldRestrictions{}
+			return NewMailboxValidatedEnforceSubjectFieldRestrictions()
 		},
 	})
 }
 
 // NewMailboxValidatedEnforceSubjectFieldRestrictions creates a new linter to enforce MAY/SHALL NOT field requirements for mailbox validated SMIME certs
 func NewMailboxValidatedEnforceSubjectFieldRestrictions() lint.LintInterface {
-	return &MailboxValidatedEnforceSubjectFieldRestrictions{}
+	return &MailboxValidatedEnforceSubjectFieldRestrictions{
+		forbiddenSubjectFields: map[string]string{
+			"0.9.2342.19200300.100.1.25": "subject:domainComponent",
+			"1.3.6.1.4.1.311.60.2.1.1": "subject:jurisdictionLocality",
+			"1.3.6.1.4.1.311.60.2.1.2": "subject:jurisdictionProvince",
+			"1.3.6.1.4.1.311.60.2.1.3": "subject:jurisdictionCountry",
+			"2.5.4.4": "subject:surname",
+			"2.5.4.6": "subject:countryName",
+			"2.5.4.7": "subject:localityName",
+			"2.5.4.8": "subject:stateOrProvinceName",
+			"2.5.4.9": "subject:streetAddress",
+			"2.5.4.10": "subject:organizationName",
+			"2.5.4.11": "subject:organizationalUnitName",
+			"2.5.4.12": "subject:title",
+			"2.5.4.17": "subject:postalCode",
+			"2.5.4.42": "subject:givenName",
+			"2.5.4.65": "subject:pseudonym",
+			"2.5.4.97": "subject:organizationIdentifier",
+		},
+		allowedSubjectFields: map[string]string{
+			"1.2.840.113549.1.9.1": "subject:emailAddress",
+			"2.5.4.3": "subject:commonName",
+			"2.5.4.5": "subject:serialNumber",
+		},
+	}
 }
 
 // CheckApplies is returns true if the certificate's policies assert that it conforms to the mailbox validated SMIME BRs
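Review bot: NewMailboxValidatedEnforceSubjectFieldRestrictions now builds both map literals on every call, and the Lint factory in init calls it, so each instantiation of the lint allocates and fills nineteen map entries that never change; before this commit they were package-level and built once. Unless the aim is to let callers supply different field sets (the constructor takes no arguments, so nothing can yet), I would keep the literals at package scope and have the constructor point the struct fields at them, e.g. `forbiddenSubjectFields: forbiddenSubjectFields,` and `allowedSubjectFields: allowedSubjectFields,`. How often the framework invokes the factory is not visible here, so the size of the cost is an inference; the duplication of the constant tables is not.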
@@ -79,8 +81,8 @@ func (l *MailboxValidatedEnforceSubjectFieldRestrictions) Execute(c *x509.Certif
 		for _, field := range rdnSeq {
 			oidStr := field.Type.String()
 
-			if _, ok := acceptableSubjectFields[oidStr]; !ok {
-				if fieldName, knownField := forbiddenSubjectFields[oidStr]; knownField {
+			if _, ok := l.allowedSubjectFields[oidStr]; !ok {
+				if fieldName, knownField := l.forbiddenSubjectFields[oidStr]; knownField {
 					return &lint.LintResult{Status: lint.Error, Details: fmt.Sprintf("subject DN contains forbidden field: %s (%s)", fieldName, oidStr)}
 				}
 				return &lint.LintResult{Status: lint.Error, Details: fmt.Sprintf("subject DN contains forbidden field: %s", oidStr)}
diff --git a/v3/lints/cabf_smime_br/mailbox_validated_enforce_subject_field_restrictions_test.go b/v3/lints/cabf_smime_br/mailbox_validated_enforce_subject_field_restrictions_test.go
index 429bd9e21..625604f49 100644
--- a/v3/lints/cabf_smime_br/mailbox_validated_enforce_subject_field_restrictions_test.go
+++ b/v3/lints/cabf_smime_br/mailbox_validated_enforce_subject_field_restrictions_test.go
@@ -62,7 +62,7 @@ func TestMailboxValidatedEnforceSubjectFieldRestrictions(t *testing.T) {
 		t.Run(tc.Name, func(t *testing.T) {
 			result := test.TestLint("e_mailbox_validated_enforce_subject_field_restrictions", tc.InputFilename)
 			if result.Status != tc.ExpectedResult {
-				t.Errorf("expected result %v was %v", tc.ExpectedResult, result.Status)
+				t.Errorf("expected result %v was %v - details: %v", tc.ExpectedResult, result.Status, result.Details)
 			}
 
 			if tc.ExpectedDetails != "" && tc.ExpectedDetails != result.Details {
From 745d87a8a7ee1926421edc72ab5948a238925b8a Mon Sep 17 00:00:00 2001
From: robplee
Date: Thu, 4 May 2023 15:12:22 +0100
Subject: [PATCH 05/11] rename mailboxValidatedEnforceSubjectFieldRestrictions lint to no longer export the underlying struct as per other lints in zlint

---
 ...box_validated_enforce_subject_field_restrictions.go | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
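Review bot: Execute returns on the first attribute that is not in l.allowedSubjectFields, so a subject DN carrying several disallowed attributes surfaces only one of them per run, and nothing in the hunk says whether that is intended. If it is, a comment such as `// Stop at the first disallowed attribute; allowedSubjectFields is the gate, forbiddenSubjectFields only names attributes the BRs list as SHALL NOT.` above the if would make it explicit; otherwise collect every offending OID and join them into a single Details string so a CA operator sees the whole problem at once. Execute's signature and its closing return lie outside the hunk.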
diff --git a/v3/lints/cabf_smime_br/mailbox_validated_enforce_subject_field_restrictions.go b/v3/lints/cabf_smime_br/mailbox_validated_enforce_subject_field_restrictions.go
index 9177b6af6..dba191582 100644
--- a/v3/lints/cabf_smime_br/mailbox_validated_enforce_subject_field_restrictions.go
+++ b/v3/lints/cabf_smime_br/mailbox_validated_enforce_subject_field_restrictions.go
@@ -22,8 +22,8 @@ import (
 	"github.com/zmap/zlint/v3/util"
 )
 
-// MailboxValidatedEnforceSubjectFieldRestrictions - linter to enforce MAY/SHALL NOT requirements for mailbox validated SMIME certificates
-type MailboxValidatedEnforceSubjectFieldRestrictions struct {
+// mailboxValidatedEnforceSubjectFieldRestrictions - linter to enforce MAY/SHALL NOT requirements for mailbox validated SMIME certificates
+type mailboxValidatedEnforceSubjectFieldRestrictions struct {
 	forbiddenSubjectFields map[string]string
 	allowedSubjectFields map[string]string
 }
@@ -43,7 +43,7 @@ func init() {
 
 // NewMailboxValidatedEnforceSubjectFieldRestrictions creates a new linter to enforce MAY/SHALL NOT field requirements for mailbox validated SMIME certs
 func NewMailboxValidatedEnforceSubjectFieldRestrictions() lint.LintInterface {
-	return &MailboxValidatedEnforceSubjectFieldRestrictions{
+	return &mailboxValidatedEnforceSubjectFieldRestrictions{
 		forbiddenSubjectFields: map[string]string{
 			"0.9.2342.19200300.100.1.25": "subject:domainComponent",
 			"1.3.6.1.4.1.311.60.2.1.1": "subject:jurisdictionLocality",
@@ -71,12 +71,12 @@ func NewMailboxValidatedEnforceSubjectFieldRestrictions() lint.LintInterface {
 }
 
 // CheckApplies is returns true if the certificate's policies assert that it conforms to the mailbox validated SMIME BRs
-func (l *MailboxValidatedEnforceSubjectFieldRestrictions) CheckApplies(c *x509.Certificate) bool {
+func (l *mailboxValidatedEnforceSubjectFieldRestrictions) CheckApplies(c *x509.Certificate) bool {
 	return util.IsMailboxValidatedCertificate(c)
 }
 
 // Execute applies the requirements on what fields are allowed for mailbox validated SMIME certificates
-func (l *MailboxValidatedEnforceSubjectFieldRestrictions) Execute(c *x509.Certificate) *lint.LintResult {
+func (l *mailboxValidatedEnforceSubjectFieldRestrictions) Execute(c *x509.Certificate) *lint.LintResult {
 	for _, rdnSeq := range c.Subject.OriginalRDNS {
 		for _, field := range rdnSeq {
 			oidStr := field.Type.String()
From 69d4a678a3d38a7f999efd9dc9f344499ce57c78 Mon Sep 17 00:00:00 2001
From: robplee
Date: Wed, 10 May 2023 10:56:05 +0100
Subject: [PATCH 06/11] Update mailbox lint to use new certificatelint interface

---
 ...lidated_enforce_subject_field_restrictions.go | 16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)

diff --git a/v3/lints/cabf_smime_br/mailbox_validated_enforce_subject_field_restrictions.go b/v3/lints/cabf_smime_br/mailbox_validated_enforce_subject_field_restrictions.go
index dba191582..a7323c9c3 100644
--- a/v3/lints/cabf_smime_br/mailbox_validated_enforce_subject_field_restrictions.go
+++ b/v3/lints/cabf_smime_br/mailbox_validated_enforce_subject_field_restrictions.go
@@ -29,13 +29,15 @@ type mailboxValidatedEnforceSubjectFieldRestrictions struct {
 }
 
 func init() {
-	lint.RegisterLint(&lint.Lint{
-		Name: "e_mailbox_validated_enforce_subject_field_restrictions",
-		Description: "SMIME certificates complying to mailbox validated profiles MAY only contain commonName, serialNumber or emailAddress attributes in the Subject DN",
-		Citation: "SMIME BRs: 7.1.4.2.3",
-		Source: lint.CABFSMIMEBaselineRequirements,
-		EffectiveDate: util.CABF_SMIME_BRs_1_0_0_Date,
-		Lint: func() lint.LintInterface {
+	lint.RegisterCertificateLint(&lint.CertificateLint{
+		LintMetadata: lint.LintMetadata{
+			Name: "e_mailbox_validated_enforce_subject_field_restrictions",
+			Description: "SMIME certificates complying to mailbox validated profiles MAY only contain commonName, serialNumber or emailAddress attributes in the Subject DN",
+			Citation: "SMIME BRs: 7.1.4.2.3",
+			Source: lint.CABFSMIMEBaselineRequirements,
+			EffectiveDate: util.CABF_SMIME_BRs_1_0_0_Date,
+		},
+		Lint: func() lint.CertificateLintInterface {
 			return NewMailboxValidatedEnforceSubjectFieldRestrictions()
 		},
 	})
From 1840f44df5aa1385d86598d214c1529e3cd0716d Mon Sep 17 00:00:00 2001
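Review bot: The registration now declares `Lint: func() lint.CertificateLintInterface`, but the constructor it calls is still declared, outside this hunk and unchanged since the previous commit, as returning `lint.LintInterface`; that only compiles if LintInterface is an alias of CertificateLintInterface, which I cannot confirm from this page, and even then the two names should agree: `func NewMailboxValidatedEnforceSubjectFieldRestrictions() lint.CertificateLintInterface {`. Separately, the user-visible Description reads "complying to mailbox validated profiles"; "complying with" is the idiom. init's closing brace lies outside the hunk.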
From: robplee
Date: Wed, 10 May 2023 11:29:06 +0100
Subject: [PATCH 07/11] fix mailbox validated field lint unit tests, reorganise smime testdata, remove unused test certificates

---
 ...enforce_subject_field_restrictions_test.go | 26 +++++++++----
 .../domainValidatedWithEmailCommonName.pem | 39 -------------------
 .../mailboxValidatedLegacyWithCommonName.pem | 39 -------------------
 ...oxValidatedLegacyWithCommonNameMay2023.pem | 39 -------------------
 .../mailboxValidatedLegacyWithCountryName.pem | 39 -------------------
 ...datedMultipurposeWithEmptyEmailAddress.pem | 38 ------------------
 ...lboxValidatedMultipurposeWithNoSubject.pem | 38 ------------------
 ...mailboxValidatedStrictWithEmailAddress.pem | 39 -------------------
 ...mailboxValidatedStrictWithSerialNumber.pem | 38 ------------------
 .../domainValidatedWithEmailCommonName.pem | 39 +++++++++++++++++++
 .../mailboxValidatedLegacyWithCommonName.pem | 39 +++++++++++++++++++
 ...oxValidatedLegacyWithCommonNameMay2023.pem | 39 +++++++++++++++++++
 .../mailboxValidatedLegacyWithCountryName.pem | 39 +++++++++++++++++++
 ...boxValidatedMultipurposeWithCommonName.pem | 39 +++++++++++++++++++
 ...edMultipurposeWithNonsenseSubjectField.pem | 0
 .../mailboxValidatedStrictWithCommonName.pem | 39 +++++++++++++++++++
 16 files changed, 252 insertions(+), 317 deletions(-)
 delete mode 100644 v3/testdata/domainValidatedWithEmailCommonName.pem
 delete mode 100644 v3/testdata/mailboxValidatedLegacyWithCommonName.pem
 delete mode 100644 v3/testdata/mailboxValidatedLegacyWithCommonNameMay2023.pem
 delete mode 100644 v3/testdata/mailboxValidatedLegacyWithCountryName.pem
 delete mode 100644 v3/testdata/mailboxValidatedMultipurposeWithEmptyEmailAddress.pem
 delete mode 100644 v3/testdata/mailboxValidatedMultipurposeWithNoSubject.pem
 delete mode 100644 v3/testdata/mailboxValidatedStrictWithEmailAddress.pem
 delete mode 100644 v3/testdata/mailboxValidatedStrictWithSerialNumber.pem
 create mode 100644 v3/testdata/smime/domainValidatedWithEmailCommonName.pem
 create mode 100644 v3/testdata/smime/mailboxValidatedLegacyWithCommonName.pem
 create mode 100644 v3/testdata/smime/mailboxValidatedLegacyWithCommonNameMay2023.pem
 create mode 100644 v3/testdata/smime/mailboxValidatedLegacyWithCountryName.pem
 create mode 100644 v3/testdata/smime/mailboxValidatedMultipurposeWithCommonName.pem
 rename v3/testdata/{ => smime}/mailboxValidatedMultipurposeWithNonsenseSubjectField.pem (100%)
 create mode 100644 v3/testdata/smime/mailboxValidatedStrictWithCommonName.pem

diff --git a/v3/lints/cabf_smime_br/mailbox_validated_enforce_subject_field_restrictions_test.go b/v3/lints/cabf_smime_br/mailbox_validated_enforce_subject_field_restrictions_test.go
index 625604f49..fd1560dc8 100644
--- a/v3/lints/cabf_smime_br/mailbox_validated_enforce_subject_field_restrictions_test.go
+++ b/v3/lints/cabf_smime_br/mailbox_validated_enforce_subject_field_restrictions_test.go
@@ -30,29 +30,39 @@ func TestMailboxValidatedEnforceSubjectFieldRestrictions(t *testing.T) {
 		ExpectedDetails string
 	}{
 		{
-			Name: "ok - certificate with commonName",
-			InputFilename: "mailboxValidatedLegacyWithCommonName.pem",
+			Name: "pass - mailbox validated, legacy with commonName",
+			InputFilename: "smime/mailboxValidatedLegacyWithCommonName.pem",
 			ExpectedResult: lint.Pass,
 		},
 		{
-			Name: "ok - certificate without mailbox validated policy",
-			InputFilename: "domainValidatedWithEmailCommonName.pem",
+			Name: "pass - mailbox validated, multipurpose with commonName",
+			InputFilename: "smime/mailboxValidatedMultipurposeWithCommonName.pem",
+			ExpectedResult: lint.Pass,
+		},
+		{
+			Name: "pass - mailbox validated, strict with commonName",
+			InputFilename: "smime/mailboxValidatedStrictWithCommonName.pem",
+			ExpectedResult: lint.Pass,
+		},
+		{
+			Name: "na - certificate without mailbox validated policy",
+			InputFilename: "smime/domainValidatedWithEmailCommonName.pem",
 			ExpectedResult: lint.NA,
 		},
 		{
-			Name: "ok - certificate with NotBefore before effective date of lint",
-			InputFilename: "mailboxValidatedLegacyWithCommonNameMay2023.pem",
+			Name: "ne - certificate with NotBefore before effective date of lint",
+			InputFilename: "smime/mailboxValidatedLegacyWithCommonNameMay2023.pem",
 			ExpectedResult: lint.NE,
 		},
 		{
 			Name: "error - certificate with countryName",
-			InputFilename: "mailboxValidatedLegacyWithCountryName.pem",
+			InputFilename: "smime/mailboxValidatedLegacyWithCountryName.pem",
 			ExpectedResult: lint.Error,
 			ExpectedDetails: "subject DN contains forbidden field: subject:countryName (2.5.4.6)",
 		},
 		{
 			Name: "error - certificate containing nonsense subject field (1.2.3.4.5.6.7.8.9.0)",
-			InputFilename: "mailboxValidatedMultipurposeWithNonsenseSubjectField.pem",
+			InputFilename: "smime/mailboxValidatedMultipurposeWithNonsenseSubjectField.pem",
 			ExpectedResult: lint.Error,
 			ExpectedDetails: "subject DN contains forbidden field: 1.2.3.4.5.6.7.8.9.0",
 		},
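Review bot: After this change every Pass case uses a subject containing only commonName, so the other two attribute types the lint allows, emailAddress (1.2.840.113549.1.9.1) and serialNumber (2.5.4.5), and any subject with more than one attribute are no longer exercised; the fixtures that would have covered them, mailboxValidatedStrictWithEmailAddress.pem and mailboxValidatedStrictWithSerialNumber.pem, are deleted in this same commit. I would keep (or regenerate under smime/) one Pass fixture per allowed attribute plus one combining all three, so that a typo in the allowed map is caught by the table rather than by a CA in production; the deleted empty-subject fixture is also worth pinning once its expected result is settled. The table's closing lines and the loop that runs it are outside the hunk.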
diff --git a/v3/testdata/domainValidatedWithEmailCommonName.pem b/v3/testdata/domainValidatedWithEmailCommonName.pem deleted file mode 100644 index 2149ae0df..000000000 --- a/v3/testdata/domainValidatedWithEmailCommonName.pem +++ /dev/null @@ -1,39 +0,0 @@ -Certificate: - Data: - Version: 3 (0x2) - Serial Number: 3 (0x3) - Signature Algorithm: ecdsa-with-SHA256 - Issuer: - Validity - Not Before: Sep 2 00:00:00 2023 GMT - Not After : Nov 30 00:00:00 9998 GMT - Subject: CN = brains@tracyisland.com - Subject Public Key Info: - Public Key Algorithm: id-ecPublicKey - Public-Key: (256 bit) - pub: - 04:0d:74:25:fa:6f:5f:3a:2f:ff:16:bf:a3:be:f1: - 02:ac:59:ed:e9:22:4e:5e:31:11:31:89:d1:2e:7c: - c6:df:e0:43:65:8a:24:aa:67:83:ae:82:46:16:e8: - 66:1a:ce:b2:e7:55:ef:63:7c:d7:13:ac:ca:27:dc: - c8:3e:cf:1f:bd - ASN1 OID: prime256v1 - NIST CURVE: P-256 - X509v3 extensions: - X509v3 Certificate Policies: - Policy: 2.23.140.1.2.1 - - Signature Algorithm: ecdsa-with-SHA256 - 30:44:02:20:66:73:1c:1f:93:6b:bb:2c:3a:80:49:42:3d:28: - be:18:ab:87:71:8c:60:b5:17:c6:07:3d:e0:bc:0d:5c:d4:1c: - 02:20:71:11:4a:e7:31:97:c3:27:e6:ed:52:2e:60:cc:86:89: - c1:1e:47:c0:9b:ac:cf:65:31:a8:f4:a4:15:6e:a6:32 ------BEGIN CERTIFICATE----- -MIIBJzCBz6ADAgECAgEDMAoGCCqGSM49BAMCMAAwIBcNMjMwOTAyMDAwMDAwWhgP -OTk5ODExMzAwMDAwMDBaMCExHzAdBgNVBAMMFmJyYWluc0B0cmFjeWlzbGFuZC5j -b20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQNdCX6b186L/8Wv6O+8QKsWe3p -Ik5eMRExidEufMbf4ENliiSqZ4OugkYW6GYazrLnVe9jfNcTrMon3Mg+zx+9oxcw -FTATBgNVHSAEDDAKMAgGBmeBDAECATAKBggqhkjOPQQDAgNHADBEAiBmcxwfk2u7 -LDqASUI9KL4Yq4dxjGC1F8YHPeC8DVzUHAIgcRFK5zGXwyfm7VIuYMyGicEeR8Cb -rM9lMaj0pBVupjI= ------END CERTIFICATE----- \ No newline at end of file diff --git a/v3/testdata/mailboxValidatedLegacyWithCommonName.pem b/v3/testdata/mailboxValidatedLegacyWithCommonName.pem deleted file mode 100644 index 76cffea7e..000000000 --- a/v3/testdata/mailboxValidatedLegacyWithCommonName.pem +++ /dev/null 
@@ -1,39 +0,0 @@ -Certificate: - Data: - Version: 3 (0x2) - Serial Number: 3 (0x3) - Signature Algorithm: ecdsa-with-SHA256 - Issuer: - Validity - Not Before: Sep 2 00:00:00 2023 GMT - Not After : Nov 30 00:00:00 9998 GMT - Subject: CN = brains@tracyisland.com - Subject Public Key Info: - Public Key Algorithm: id-ecPublicKey - Public-Key: (256 bit) - pub: - 04:8c:b9:d4:53:05:fc:2d:f5:4b:77:63:d7:2c:bf: - fc:d9:a0:d7:68:6f:ce:3c:6a:5a:1a:bb:f1:a4:3a: - ea:ad:e6:bc:90:ea:a4:70:b8:1f:3c:da:02:c6:7d: - 6e:b2:93:8b:8f:4b:b2:ed:20:94:6e:6e:59:35:fc: - bc:31:7f:75:bc - ASN1 OID: prime256v1 - NIST CURVE: P-256 - X509v3 extensions: - X509v3 Certificate Policies: - Policy: 2.23.140.1.5.1.1 - - Signature Algorithm: ecdsa-with-SHA256 - 30:45:02:21:00:e4:9b:da:66:53:b2:f0:52:71:69:da:16:79: - 09:04:12:dc:79:5b:0c:35:b6:df:46:2a:37:0b:c3:1b:15:8c: - e2:02:20:61:6e:98:a7:3a:b5:bd:32:05:aa:ee:df:fb:20:3a: - 5e:a0:67:4f:6f:fe:ad:f8:2c:b2:53:05:9a:e7:c2:21:62 ------BEGIN CERTIFICATE----- -MIIBKTCB0KADAgECAgEDMAoGCCqGSM49BAMCMAAwIBcNMjMwOTAyMDAwMDAwWhgP -OTk5ODExMzAwMDAwMDBaMCExHzAdBgNVBAMMFmJyYWluc0B0cmFjeWlzbGFuZC5j -b20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASMudRTBfwt9Ut3Y9csv/zZoNdo -b848aloau/GkOuqt5ryQ6qRwuB882gLGfW6yk4uPS7LtIJRublk1/Lwxf3W8oxgw -FjAUBgNVHSAEDTALMAkGB2eBDAEFAQEwCgYIKoZIzj0EAwIDSAAwRQIhAOSb2mZT -svBScWnaFnkJBBLceVsMNbbfRio3C8MbFYziAiBhbpinOrW9MgWq7t/7IDpeoGdP -b/6t+CyyUwWa58IhYg== ------END CERTIFICATE----- \ No newline at end of file diff --git a/v3/testdata/mailboxValidatedLegacyWithCommonNameMay2023.pem b/v3/testdata/mailboxValidatedLegacyWithCommonNameMay2023.pem deleted file mode 100644 index 793168552..000000000 --- a/v3/testdata/mailboxValidatedLegacyWithCommonNameMay2023.pem +++ /dev/null 
@@ -1,39 +0,0 @@ -Certificate: - Data: - Version: 3 (0x2) - Serial Number: 3 (0x3) - Signature Algorithm: ecdsa-with-SHA256 - Issuer: - Validity - Not Before: May 2 00:00:00 2023 GMT - Not After : Nov 30 00:00:00 9998 GMT - Subject: CN = brains@tracyisland.com - Subject Public Key Info: - Public Key Algorithm: id-ecPublicKey - Public-Key: (256 bit) - pub: - 04:ae:c3:b8:71:e1:ea:7f:8e:e7:0f:9a:f5:e0:98: - cd:a8:f3:d9:13:4d:fb:1d:1b:37:2b:56:83:5c:5c: - de:77:60:f4:f7:05:59:59:38:d3:ff:64:17:e5:da: - ef:51:03:20:81:b9:32:00:b2:6f:b6:34:6d:f8:00: - a0:ff:0f:eb:03 - ASN1 OID: prime256v1 - NIST CURVE: P-256 - X509v3 extensions: - X509v3 Certificate Policies: - Policy: 2.23.140.1.5.1.1 - - Signature Algorithm: ecdsa-with-SHA256 - 30:46:02:21:00:d4:34:07:e7:93:dc:44:6b:45:cd:8e:33:fa: - 6b:68:8c:76:ff:bf:f0:69:ca:26:e3:a2:a8:4f:fd:d2:29:4a: - 13:02:21:00:ad:28:cf:d7:ca:7f:a4:91:7c:ca:c3:c9:2d:fe: - 7f:cc:6d:27:c5:3d:31:f6:26:70:69:da:67:bc:9a:98:c6:24 ------BEGIN CERTIFICATE----- -MIIBKjCB0KADAgECAgEDMAoGCCqGSM49BAMCMAAwIBcNMjMwNTAyMDAwMDAwWhgP -OTk5ODExMzAwMDAwMDBaMCExHzAdBgNVBAMMFmJyYWluc0B0cmFjeWlzbGFuZC5j -b20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASuw7hx4ep/jucPmvXgmM2o89kT -TfsdGzcrVoNcXN53YPT3BVlZONP/ZBfl2u9RAyCBuTIAsm+2NG34AKD/D+sDoxgw -FjAUBgNVHSAEDTALMAkGB2eBDAEFAQEwCgYIKoZIzj0EAwIDSQAwRgIhANQ0B+eT -3ERrRc2OM/praIx2/7/wacom46KoT/3SKUoTAiEArSjP18p/pJF8ysPJLf5/zG0n -xT0x9iZwadpnvJqYxiQ= ------END CERTIFICATE----- \ No newline at end of file diff --git a/v3/testdata/mailboxValidatedLegacyWithCountryName.pem b/v3/testdata/mailboxValidatedLegacyWithCountryName.pem deleted file mode 100644 index 086acd8d1..000000000 --- a/v3/testdata/mailboxValidatedLegacyWithCountryName.pem +++ /dev/null 
@@ -1,39 +0,0 @@ -Certificate: - Data: - Version: 3 (0x2) - Serial Number: 3 (0x3) - Signature Algorithm: ecdsa-with-SHA256 - Issuer: - Validity - Not Before: Sep 2 00:00:00 2023 GMT - Not After : Nov 30 00:00:00 9998 GMT - Subject: CN = brains@tracyisland.com, C = GB - Subject Public Key Info: - Public Key Algorithm: id-ecPublicKey - Public-Key: (256 bit) - pub: - 04:99:f1:eb:ed:36:18:ff:2e:50:10:94:be:88:77: - a6:a9:7b:f9:86:36:24:89:df:88:98:ac:ff:87:75: - c7:af:8e:92:8d:7e:50:54:be:52:f1:48:fc:14:74: - e3:3b:16:0f:0b:28:47:55:cd:86:15:33:8e:52:ec: - 17:1b:38:89:ae - ASN1 OID: prime256v1 - NIST CURVE: P-256 - X509v3 extensions: - X509v3 Certificate Policies: - Policy: 2.23.140.1.5.1.1 - - Signature Algorithm: ecdsa-with-SHA256 - 30:46:02:21:00:ef:63:18:62:1f:82:9e:09:92:fb:62:9f:ef: - 00:57:62:9a:6f:c7:4b:4b:f5:af:3b:e5:a7:71:83:88:3b:7f: - 2f:02:21:00:8d:5e:bb:f2:92:15:8d:55:82:89:c2:1d:c9:48: - 97:54:69:af:05:84:cc:f5:54:c3:09:90:1b:b7:97:47:b6:84 ------BEGIN CERTIFICATE----- -MIIBNzCB3aADAgECAgEDMAoGCCqGSM49BAMCMAAwIBcNMjMwOTAyMDAwMDAwWhgP -OTk5ODExMzAwMDAwMDBaMC4xHzAdBgNVBAMMFmJyYWluc0B0cmFjeWlzbGFuZC5j -b20xCzAJBgNVBAYTAkdCMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEmfHr7TYY -/y5QEJS+iHemqXv5hjYkid+ImKz/h3XHr46SjX5QVL5S8Uj8FHTjOxYPCyhHVc2G -FTOOUuwXGziJrqMYMBYwFAYDVR0gBA0wCzAJBgdngQwBBQEBMAoGCCqGSM49BAMC -A0kAMEYCIQDvYxhiH4KeCZL7Yp/vAFdimm/HS0v1rzvlp3GDiDt/LwIhAI1eu/KS -FY1VgonCHclIl1RprwWEzPVUwwmQG7eXR7aE ------END CERTIFICATE----- \ No newline at end of file diff --git a/v3/testdata/mailboxValidatedMultipurposeWithEmptyEmailAddress.pem b/v3/testdata/mailboxValidatedMultipurposeWithEmptyEmailAddress.pem deleted file mode 100644 index 14e5b9e7d..000000000 --- a/v3/testdata/mailboxValidatedMultipurposeWithEmptyEmailAddress.pem +++ /dev/null 
@@ -1,38 +0,0 @@ -Certificate: - Data: - Version: 3 (0x2) - Serial Number: 3 (0x3) - Signature Algorithm: ecdsa-with-SHA256 - Issuer: - Validity - Not Before: Sep 2 00:00:00 2023 GMT - Not After : Nov 30 00:00:00 9998 GMT - Subject: emailAddress = - Subject Public Key Info: - Public Key Algorithm: id-ecPublicKey - Public-Key: (256 bit) - pub: - 04:e1:e8:dd:0e:89:86:c5:31:ed:7a:55:81:b8:30: - 2d:cb:13:88:ff:6b:00:74:56:41:6d:a9:54:bf:fa: - 8a:24:6d:a8:45:80:14:04:e9:29:c4:aa:62:9c:4d: - 06:73:3c:77:29:bc:09:d4:3a:ef:9b:47:4b:23:23: - 61:b4:bc:7e:94 - ASN1 OID: prime256v1 - NIST CURVE: P-256 - X509v3 extensions: - X509v3 Certificate Policies: - Policy: 2.23.140.1.5.1.2 - - Signature Algorithm: ecdsa-with-SHA256 - 30:45:02:20:4c:03:07:aa:61:61:3e:a7:43:5d:60:f2:e1:99: - 49:24:43:42:80:d6:32:bc:17:cf:86:60:63:26:89:93:85:00: - 02:21:00:9d:4e:d4:37:71:bd:8e:ae:95:7c:60:42:64:b1:73: - ba:67:8d:56:0f:2c:d3:ca:52:ac:59:77:e4:40:04:71:53 ------BEGIN CERTIFICATE----- -MIIBGTCBwKADAgECAgEDMAoGCCqGSM49BAMCMAAwIBcNMjMwOTAyMDAwMDAwWhgP -OTk5ODExMzAwMDAwMDBaMBExDzANBgkqhkiG9w0BCQETADBZMBMGByqGSM49AgEG -CCqGSM49AwEHA0IABOHo3Q6JhsUx7XpVgbgwLcsTiP9rAHRWQW2pVL/6iiRtqEWA -FATpKcSqYpxNBnM8dym8CdQ675tHSyMjYbS8fpSjGDAWMBQGA1UdIAQNMAswCQYH -Z4EMAQUBAjAKBggqhkjOPQQDAgNIADBFAiBMAweqYWE+p0NdYPLhmUkkQ0KA1jK8 -F8+GYGMmiZOFAAIhAJ1O1DdxvY6ulXxgQmSxc7pnjVYPLNPKUqxZd+RABHFT ------END CERTIFICATE----- \ No newline at end of file diff --git a/v3/testdata/mailboxValidatedMultipurposeWithNoSubject.pem b/v3/testdata/mailboxValidatedMultipurposeWithNoSubject.pem deleted file mode 100644 index 8025fe970..000000000 --- a/v3/testdata/mailboxValidatedMultipurposeWithNoSubject.pem +++ /dev/null 
@@ -1,38 +0,0 @@ -Certificate: - Data: - Version: 3 (0x2) - Serial Number: 3 (0x3) - Signature Algorithm: ecdsa-with-SHA256 - Issuer: - Validity - Not Before: Sep 2 00:00:00 2023 GMT - Not After : Nov 30 00:00:00 9998 GMT - Subject: - Subject Public Key Info: - Public Key Algorithm: id-ecPublicKey - Public-Key: (256 bit) - pub: - 04:a1:f6:b3:a1:64:29:f0:ea:65:65:bd:7d:aa:4d: - e0:d2:5b:d1:2e:7b:4d:7c:54:d9:15:5c:20:f8:3b: - 08:9e:cd:dd:fc:74:06:c0:88:fe:07:79:32:f4:92: - 80:80:dd:9a:f3:80:e6:7b:97:41:56:22:23:05:17: - 85:5f:9b:be:17 - ASN1 OID: prime256v1 - NIST CURVE: P-256 - X509v3 extensions: - X509v3 Certificate Policies: - Policy: 2.23.140.1.5.1.2 - - Signature Algorithm: ecdsa-with-SHA256 - 30:45:02:21:00:a0:87:b2:b3:b1:16:18:66:eb:2b:ad:e1:7d: - b9:8d:d8:b0:e1:99:3b:89:72:de:58:0b:c6:85:2c:3e:33:d9: - 40:02:20:65:6c:60:33:aa:2e:cf:8c:73:2f:5a:3d:10:68:01: - 1e:5e:bd:6a:34:9b:46:cc:53:b9:46:5a:8a:80:ae:b4:d1 ------BEGIN CERTIFICATE----- -MIIBCDCBr6ADAgECAgEDMAoGCCqGSM49BAMCMAAwIBcNMjMwOTAyMDAwMDAwWhgP -OTk5ODExMzAwMDAwMDBaMAAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASh9rOh -ZCnw6mVlvX2qTeDSW9Eue018VNkVXCD4Owiezd38dAbAiP4HeTL0koCA3ZrzgOZ7 -l0FWIiMFF4Vfm74XoxgwFjAUBgNVHSAEDTALMAkGB2eBDAEFAQIwCgYIKoZIzj0E -AwIDSAAwRQIhAKCHsrOxFhhm6yut4X25jdiw4Zk7iXLeWAvGhSw+M9lAAiBlbGAz -qi7PjHMvWj0QaAEeXr1qNJtGzFO5RlqKgK600Q== ------END CERTIFICATE----- \ No newline at end of file diff --git a/v3/testdata/mailboxValidatedStrictWithEmailAddress.pem b/v3/testdata/mailboxValidatedStrictWithEmailAddress.pem deleted file mode 100644 index 8e7e67493..000000000 --- a/v3/testdata/mailboxValidatedStrictWithEmailAddress.pem +++ /dev/null 
@@ -1,39 +0,0 @@ -Certificate: - Data: - Version: 3 (0x2) - Serial Number: 3 (0x3) - Signature Algorithm: ecdsa-with-SHA256 - Issuer: - Validity - Not Before: Sep 2 00:00:00 2023 GMT - Not After : Nov 30 00:00:00 9998 GMT - Subject: emailAddress = brains@tracyisland.com - Subject Public Key Info: - Public Key Algorithm: id-ecPublicKey - Public-Key: (256 bit) - pub: - 04:16:fd:e0:d9:5f:ee:fc:ba:4c:45:1c:d3:b8:fb: - 60:e5:44:d2:8a:ca:f4:6d:9d:61:b3:d4:37:8c:c9: - 06:1e:fb:b8:5a:7c:1a:2e:99:2f:18:4f:34:9f:0c: - 51:87:21:91:b7:e7:e3:16:cf:fc:10:2e:66:d0:6d: - 32:68:d5:e3:92 - ASN1 OID: prime256v1 - NIST CURVE: P-256 - X509v3 extensions: - X509v3 Certificate Policies: - Policy: 2.23.140.1.5.1.3 - - Signature Algorithm: ecdsa-with-SHA256 - 30:46:02:21:00:eb:7f:0f:95:3b:70:ab:0b:7f:de:c5:cf:01: - 4e:2f:71:1c:2d:a0:d8:66:9d:80:9b:41:3e:82:cd:1f:a4:15: - a0:02:21:00:f2:31:1e:39:16:24:b5:a8:67:a9:5a:3a:c0:b3: - 22:07:ff:99:47:7e:d9:89:5e:0b:db:ba:72:29:f0:a7:7d:ad ------BEGIN CERTIFICATE----- -MIIBMDCB1qADAgECAgEDMAoGCCqGSM49BAMCMAAwIBcNMjMwOTAyMDAwMDAwWhgP -OTk5ODExMzAwMDAwMDBaMCcxJTAjBgkqhkiG9w0BCQEMFmJyYWluc0B0cmFjeWlz -bGFuZC5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQW/eDZX+78ukxFHNO4 -+2DlRNKKyvRtnWGz1DeMyQYe+7hafBoumS8YTzSfDFGHIZG35+MWz/wQLmbQbTJo -1eOSoxgwFjAUBgNVHSAEDTALMAkGB2eBDAEFAQMwCgYIKoZIzj0EAwIDSQAwRgIh -AOt/D5U7cKsLf97FzwFOL3EcLaDYZp2Am0E+gs0fpBWgAiEA8jEeORYktahnqVo6 -wLMiB/+ZR37ZiV4L27pyKfCnfa0= ------END CERTIFICATE----- \ No newline at end of file diff --git a/v3/testdata/mailboxValidatedStrictWithSerialNumber.pem b/v3/testdata/mailboxValidatedStrictWithSerialNumber.pem deleted file mode 100644 index 2079bf942..000000000 --- a/v3/testdata/mailboxValidatedStrictWithSerialNumber.pem +++ /dev/null 
@@ -1,38 +0,0 @@ -Certificate: - Data: - Version: 3 (0x2) - Serial Number: 3 (0x3) - Signature Algorithm: ecdsa-with-SHA256 - Issuer: - Validity - Not Before: Sep 2 00:00:00 2023 GMT - Not After : Nov 30 00:00:00 9998 GMT - Subject: serialNumber = TB1 - Subject Public Key Info: - Public Key Algorithm: id-ecPublicKey - Public-Key: (256 bit) - pub: - 04:bf:44:7a:aa:50:08:e6:c7:62:a4:49:91:a7:8b: - d8:1b:9a:4d:66:97:e4:04:4a:7b:21:e9:17:37:b8: - 7b:02:14:49:1b:c1:18:3c:00:43:96:e6:51:91:fd: - 97:d2:48:6b:fe:f7:12:05:c6:ab:cc:1e:20:69:4b: - 33:e8:e0:a7:5b - ASN1 OID: prime256v1 - NIST CURVE: P-256 - X509v3 extensions: - X509v3 Certificate Policies: - Policy: 2.23.140.1.5.1.3 - - Signature Algorithm: ecdsa-with-SHA256 - 30:46:02:21:00:ad:cc:61:50:2c:cc:ce:bd:48:32:ec:ad:77: - 77:40:22:4d:c5:4f:5d:e0:ac:67:61:db:08:a5:85:69:b9:9a: - ad:02:21:00:bb:9e:84:6c:d3:61:01:b8:b4:55:96:74:b1:54: - 37:29:c3:51:17:bb:e5:e8:90:4a:5f:6c:82:77:56:4f:e4:ea ------BEGIN CERTIFICATE----- -MIIBFzCBvaADAgECAgEDMAoGCCqGSM49BAMCMAAwIBcNMjMwOTAyMDAwMDAwWhgP -OTk5ODExMzAwMDAwMDBaMA4xDDAKBgNVBAUTA1RCMTBZMBMGByqGSM49AgEGCCqG -SM49AwEHA0IABL9EeqpQCObHYqRJkaeL2BuaTWaX5ARKeyHpFze4ewIUSRvBGDwA -Q5bmUZH9l9JIa/73EgXGq8weIGlLM+jgp1ujGDAWMBQGA1UdIAQNMAswCQYHZ4EM -AQUBAzAKBggqhkjOPQQDAgNJADBGAiEArcxhUCzMzr1IMuytd3dAIk3FT13grGdh -2wilhWm5mq0CIQC7noRs02EBuLRVlnSxVDcpw1EXu+XokEpfbIJ3Vk/k6g== ------END CERTIFICATE----- \ No newline at end of file diff --git a/v3/testdata/smime/domainValidatedWithEmailCommonName.pem b/v3/testdata/smime/domainValidatedWithEmailCommonName.pem new file mode 100644 index 000000000..79b007920 --- /dev/null +++ b/v3/testdata/smime/domainValidatedWithEmailCommonName.pem 
@@ -0,0 +1,39 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 3 (0x3) + Signature Algorithm: ecdsa-with-SHA256 + Issuer: + Validity + Not Before: Sep 2 00:00:00 2023 GMT + Not After : Nov 30 00:00:00 9998 GMT + Subject: CN = johnsmith@example.com + Subject Public Key Info: + Public Key Algorithm: id-ecPublicKey + Public-Key: (256 bit) + pub: + 04:30:eb:57:97:dc:90:9a:27:8f:7f:39:80:fa:21: + aa:3d:48:b1:35:6d:39:97:cf:9e:a4:ca:42:22:0c: + b2:71:67:42:bb:f4:a3:56:4a:51:fc:5e:0f:ec:ed: + 98:9e:11:cf:f0:8a:68:62:c4:bf:8f:7b:65:ec:30: + 69:d5:64:41:76 + ASN1 OID: prime256v1 + NIST CURVE: P-256 + X509v3 extensions: + X509v3 Certificate Policies: + Policy: 2.23.140.1.2.1 + + Signature Algorithm: ecdsa-with-SHA256 + 30:46:02:21:00:ab:fa:9a:25:c9:b9:5f:c3:7c:bf:c1:dd:d2: + dc:4f:00:ad:1d:b7:18:94:0f:a2:37:9d:34:13:b7:cf:7d:a1: + da:02:21:00:f3:20:3b:d8:74:0e:b9:8d:6e:7a:74:d1:00:c8: + 72:fb:2c:34:6d:c0:c4:7e:5b:25:ef:04:27:5c:88:22:47:6f +-----BEGIN CERTIFICATE----- +MIIBKDCBzqADAgECAgEDMAoGCCqGSM49BAMCMAAwIBcNMjMwOTAyMDAwMDAwWhgP +OTk5ODExMzAwMDAwMDBaMCAxHjAcBgNVBAMMFWpvaG5zbWl0aEBleGFtcGxlLmNv +bTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABDDrV5fckJonj385gPohqj1IsTVt +OZfPnqTKQiIMsnFnQrv0o1ZKUfxeD+ztmJ4Rz/CKaGLEv497ZewwadVkQXajFzAV +MBMGA1UdIAQMMAowCAYGZ4EMAQIBMAoGCCqGSM49BAMCA0kAMEYCIQCr+polyblf +w3y/wd3S3E8ArR23GJQPojedNBO3z32h2gIhAPMgO9h0DrmNbnp00QDIcvssNG3A +xH5bJe8EJ1yIIkdv +-----END CERTIFICATE----- \ No newline at end of file diff --git a/v3/testdata/smime/mailboxValidatedLegacyWithCommonName.pem b/v3/testdata/smime/mailboxValidatedLegacyWithCommonName.pem new file mode 100644 index 000000000..7cc031221 --- /dev/null +++ b/v3/testdata/smime/mailboxValidatedLegacyWithCommonName.pem 
@@ -0,0 +1,39 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 3 (0x3) + Signature Algorithm: ecdsa-with-SHA256 + Issuer: + Validity + Not Before: Sep 2 00:00:00 2023 GMT + Not After : Nov 30 00:00:00 9998 GMT + Subject: CN = johnsmith@example.com + Subject Public Key Info: + Public Key Algorithm: id-ecPublicKey + Public-Key: (256 bit) + pub: + 04:a1:ed:8b:dd:62:fc:cc:2d:f4:28:cd:8c:8d:5a: + 1d:1f:6c:36:c3:03:81:b4:9f:6e:6d:2d:90:b1:7d: + fa:2f:eb:d6:3c:83:7c:9f:2c:5a:b4:37:3e:ae:56: + 57:6b:db:df:6a:1c:db:73:e6:d4:25:b1:15:d6:47: + f2:71:de:51:d0 + ASN1 OID: prime256v1 + NIST CURVE: P-256 + X509v3 extensions: + X509v3 Certificate Policies: + Policy: 2.23.140.1.5.1.1 + + Signature Algorithm: ecdsa-with-SHA256 + 30:45:02:20:41:fa:93:51:d2:80:69:a5:5e:4a:cb:85:6a:1e: + 47:eb:cb:9b:b3:7b:2b:94:a7:be:a4:b2:55:cc:4a:15:16:f7: + 02:21:00:81:0c:18:bd:55:7a:16:6a:0c:84:a9:3b:bf:29:e2: + 21:d0:fd:b6:9b:99:14:5b:0b:55:a8:43:b9:64:b6:8e:dc +-----BEGIN CERTIFICATE----- +MIIBKDCBz6ADAgECAgEDMAoGCCqGSM49BAMCMAAwIBcNMjMwOTAyMDAwMDAwWhgP +OTk5ODExMzAwMDAwMDBaMCAxHjAcBgNVBAMMFWpvaG5zbWl0aEBleGFtcGxlLmNv +bTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABKHti91i/Mwt9CjNjI1aHR9sNsMD +gbSfbm0tkLF9+i/r1jyDfJ8sWrQ3Pq5WV2vb32oc23Pm1CWxFdZH8nHeUdCjGDAW +MBQGA1UdIAQNMAswCQYHZ4EMAQUBATAKBggqhkjOPQQDAgNIADBFAiBB+pNR0oBp +pV5Ky4VqHkfry5uzeyuUp76kslXMShUW9wIhAIEMGL1VehZqDISpO78p4iHQ/bab +mRRbC1WoQ7lkto7c +-----END CERTIFICATE----- \ No newline at end of file diff --git a/v3/testdata/smime/mailboxValidatedLegacyWithCommonNameMay2023.pem b/v3/testdata/smime/mailboxValidatedLegacyWithCommonNameMay2023.pem new file mode 100644 index 000000000..d6b8b2053 --- /dev/null +++ b/v3/testdata/smime/mailboxValidatedLegacyWithCommonNameMay2023.pem 
@@ -0,0 +1,39 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 3 (0x3) + Signature Algorithm: ecdsa-with-SHA256 + Issuer: + Validity + Not Before: May 2 00:00:00 2023 GMT + Not After : Nov 30 00:00:00 9998 GMT + Subject: CN = johnsmith@example.com + Subject Public Key Info: + Public Key Algorithm: id-ecPublicKey + Public-Key: (256 bit) + pub: + 04:60:a6:a1:36:40:de:33:5a:09:73:86:a9:30:2c: + cb:43:aa:d7:77:f4:77:37:d7:bf:4c:f5:48:24:39: + 1b:8f:fc:51:0a:77:81:3a:6e:34:c2:1c:ef:a8:03: + 39:42:21:16:2e:1a:f7:ed:8d:0e:38:e0:9f:23:52: + 04:3c:9e:9d:c4 + ASN1 OID: prime256v1 + NIST CURVE: P-256 + X509v3 extensions: + X509v3 Certificate Policies: + Policy: 2.23.140.1.5.1.1 + + Signature Algorithm: ecdsa-with-SHA256 + 30:46:02:21:00:c8:88:94:49:ba:b0:73:0f:f0:c9:26:0c:5a: + 99:a0:36:b4:6b:e0:cf:c1:2f:49:9b:cb:bc:d7:ac:52:97:f0: + ca:02:21:00:a5:14:41:7c:46:dc:dd:af:02:89:0e:3b:79:17: + 16:c0:b1:3c:4a:c2:e3:e8:e5:51:9e:e9:9b:a1:69:01:c5:a0 +-----BEGIN CERTIFICATE----- +MIIBKTCBz6ADAgECAgEDMAoGCCqGSM49BAMCMAAwIBcNMjMwNTAyMDAwMDAwWhgP +OTk5ODExMzAwMDAwMDBaMCAxHjAcBgNVBAMMFWpvaG5zbWl0aEBleGFtcGxlLmNv +bTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABGCmoTZA3jNaCXOGqTAsy0Oq13f0 +dzfXv0z1SCQ5G4/8UQp3gTpuNMIc76gDOUIhFi4a9+2NDjjgnyNSBDyencSjGDAW +MBQGA1UdIAQNMAswCQYHZ4EMAQUBATAKBggqhkjOPQQDAgNJADBGAiEAyIiUSbqw +cw/wySYMWpmgNrRr4M/BL0mby7zXrFKX8MoCIQClFEF8RtzdrwKJDjt5FxbAsTxK +wuPo5VGe6ZuhaQHFoA== +-----END CERTIFICATE----- \ No newline at end of file diff --git a/v3/testdata/smime/mailboxValidatedLegacyWithCountryName.pem b/v3/testdata/smime/mailboxValidatedLegacyWithCountryName.pem new file mode 100644 index 000000000..909b19fc6 --- /dev/null +++ b/v3/testdata/smime/mailboxValidatedLegacyWithCountryName.pem 
@@ -0,0 +1,39 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 3 (0x3) + Signature Algorithm: ecdsa-with-SHA256 + Issuer: + Validity + Not Before: Sep 2 00:00:00 2023 GMT + Not After : Nov 30 00:00:00 9998 GMT + Subject: CN = johnsmith@example.com, C = US + Subject Public Key Info: + Public Key Algorithm: id-ecPublicKey + Public-Key: (256 bit) + pub: + 04:1d:18:18:38:d0:29:57:63:f6:1e:e6:be:c1:5e: + c6:45:65:5a:94:c4:68:6c:95:2e:47:7b:fd:d3:1b: + d8:6b:18:d1:82:88:71:46:3a:8f:c2:6f:55:a8:a1: + 4c:1e:85:fd:76:f1:a7:69:49:2e:dd:51:19:fd:b7: + e4:6c:87:b4:0e + ASN1 OID: prime256v1 + NIST CURVE: P-256 + X509v3 extensions: + X509v3 Certificate Policies: + Policy: 2.23.140.1.5.1.1 + + Signature Algorithm: ecdsa-with-SHA256 + 30:45:02:20:7f:b7:d1:00:a3:3e:98:dc:fb:65:b9:af:e4:2b: + 11:9a:33:bf:a6:0c:15:6d:6b:44:f1:eb:49:1b:7b:56:a2:e4: + 02:21:00:d7:07:19:62:05:db:65:41:f4:58:36:e8:81:81:6d: + fe:00:b4:83:37:ef:e7:ae:3c:85:cb:76:2e:fe:b7:47:6a +-----BEGIN CERTIFICATE----- +MIIBNTCB3KADAgECAgEDMAoGCCqGSM49BAMCMAAwIBcNMjMwOTAyMDAwMDAwWhgP +OTk5ODExMzAwMDAwMDBaMC0xHjAcBgNVBAMMFWpvaG5zbWl0aEBleGFtcGxlLmNv +bTELMAkGA1UEBhMCVVMwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQdGBg40ClX +Y/Ye5r7BXsZFZVqUxGhslS5He/3TG9hrGNGCiHFGOo/Cb1WooUwehf128adpSS7d +URn9t+Rsh7QOoxgwFjAUBgNVHSAEDTALMAkGB2eBDAEFAQEwCgYIKoZIzj0EAwID +SAAwRQIgf7fRAKM+mNz7Zbmv5CsRmjO/pgwVbWtE8etJG3tWouQCIQDXBxliBdtl +QfRYNuiBgW3+ALSDN+/nrjyFy3Yu/rdHag== +-----END CERTIFICATE----- \ No newline at end of file diff --git a/v3/testdata/smime/mailboxValidatedMultipurposeWithCommonName.pem b/v3/testdata/smime/mailboxValidatedMultipurposeWithCommonName.pem new file mode 100644 index 000000000..a3033aab9 --- /dev/null +++ b/v3/testdata/smime/mailboxValidatedMultipurposeWithCommonName.pem 
@@ -0,0 +1,39 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 3 (0x3) + Signature Algorithm: ecdsa-with-SHA256 + Issuer: + Validity + Not Before: Sep 2 00:00:00 2023 GMT + Not After : Nov 30 00:00:00 9998 GMT + Subject: CN = johnsmith@example.com + Subject Public Key Info: + Public Key Algorithm: id-ecPublicKey + Public-Key: (256 bit) + pub: + 04:23:7b:69:18:e3:f9:a1:37:a7:15:52:3a:93:26: + 4a:16:57:35:f9:2a:d5:63:ba:51:a5:84:27:71:db: + e8:87:cb:aa:bc:e1:37:39:0b:dc:6a:9f:c9:02:61: + a9:60:ae:e6:01:a4:c7:84:ee:65:f1:08:ba:fa:51: + 35:bf:5c:2e:27 + ASN1 OID: prime256v1 + NIST CURVE: P-256 + X509v3 extensions: + X509v3 Certificate Policies: + Policy: 2.23.140.1.5.1.2 + + Signature Algorithm: ecdsa-with-SHA256 + 30:45:02:21:00:df:00:d5:9c:b2:9c:af:09:35:3e:fb:09:18: + 98:05:1d:83:3b:7f:56:24:68:d3:0c:aa:11:ca:b2:1d:82:6a: + 93:02:20:6b:da:55:22:5d:84:59:c2:a0:c8:22:f6:3b:ef:34: + ac:3a:67:6e:c6:b0:c2:29:db:4f:fe:68:36:c7:39:b1:02 +-----BEGIN CERTIFICATE----- +MIIBKDCBz6ADAgECAgEDMAoGCCqGSM49BAMCMAAwIBcNMjMwOTAyMDAwMDAwWhgP +OTk5ODExMzAwMDAwMDBaMCAxHjAcBgNVBAMMFWpvaG5zbWl0aEBleGFtcGxlLmNv +bTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABCN7aRjj+aE3pxVSOpMmShZXNfkq +1WO6UaWEJ3Hb6IfLqrzhNzkL3GqfyQJhqWCu5gGkx4TuZfEIuvpRNb9cLiejGDAW +MBQGA1UdIAQNMAswCQYHZ4EMAQUBAjAKBggqhkjOPQQDAgNIADBFAiEA3wDVnLKc +rwk1PvsJGJgFHYM7f1YkaNMMqhHKsh2CapMCIGvaVSJdhFnCoMgi9jvvNKw6Z27G +sMIp20/+aDbHObEC +-----END CERTIFICATE----- \ No newline at end of file diff --git a/v3/testdata/mailboxValidatedMultipurposeWithNonsenseSubjectField.pem b/v3/testdata/smime/mailboxValidatedMultipurposeWithNonsenseSubjectField.pem similarity index 100% rename from v3/testdata/mailboxValidatedMultipurposeWithNonsenseSubjectField.pem rename to v3/testdata/smime/mailboxValidatedMultipurposeWithNonsenseSubjectField.pem diff --git a/v3/testdata/smime/mailboxValidatedStrictWithCommonName.pem b/v3/testdata/smime/mailboxValidatedStrictWithCommonName.pem new file mode 100644 index 000000000..9c546e380 --- /dev/null 
+++ b/v3/testdata/smime/mailboxValidatedStrictWithCommonName.pem @@ -0,0 +1,39 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 3 (0x3) + Signature Algorithm: ecdsa-with-SHA256 + Issuer: + Validity + Not Before: Sep 2 00:00:00 2023 GMT + Not After : Nov 30 00:00:00 9998 GMT + Subject: CN = johnsmith@example.com + Subject Public Key Info: + Public Key Algorithm: id-ecPublicKey + Public-Key: (256 bit) + pub: + 04:40:42:9c:5b:49:e2:31:38:01:3d:07:42:a1:4c: + c8:43:2b:0a:cd:62:3d:5b:40:4a:e1:f6:ed:df:06: + a8:d3:cc:fd:bf:21:c1:4a:48:41:bb:3f:c1:66:a8: + 12:b3:84:40:97:18:a3:b9:ce:3e:31:cb:d4:48:84: + 81:12:52:93:df + ASN1 OID: prime256v1 + NIST CURVE: P-256 + X509v3 extensions: + X509v3 Certificate Policies: + Policy: 2.23.140.1.5.1.3 + + Signature Algorithm: ecdsa-with-SHA256 + 30:45:02:20:09:34:af:8d:f7:20:90:a3:2e:de:44:12:8c:92: + c7:cf:02:73:b7:c3:e1:fb:fd:32:2a:19:65:7f:37:b8:f0:25: + 02:21:00:d0:50:43:27:a6:91:f0:52:7d:73:9d:ca:7c:6f:9d: + 7e:00:84:c9:3f:3f:2f:02:91:da:11:a1:6f:09:6f:a0:7a +-----BEGIN CERTIFICATE----- +MIIBKDCBz6ADAgECAgEDMAoGCCqGSM49BAMCMAAwIBcNMjMwOTAyMDAwMDAwWhgP +OTk5ODExMzAwMDAwMDBaMCAxHjAcBgNVBAMMFWpvaG5zbWl0aEBleGFtcGxlLmNv +bTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABEBCnFtJ4jE4AT0HQqFMyEMrCs1i +PVtASuH27d8GqNPM/b8hwUpIQbs/wWaoErOEQJcYo7nOPjHL1EiEgRJSk9+jGDAW +MBQGA1UdIAQNMAswCQYHZ4EMAQUBAzAKBggqhkjOPQQDAgNIADBFAiAJNK+N9yCQ +oy7eRBKMksfPAnO3w+H7/TIqGWV/N7jwJQIhANBQQyemkfBSfXOdynxvnX4AhMk/ +Py8CkdoRoW8Jb6B6 +-----END CERTIFICATE----- \ No newline at end of file From 01b00bb2f9ca731eeb52af77f9176bc97647409f Mon Sep 17 00:00:00 2001 From: Rob <3725956+robplee@users.noreply.github.com> Date: Mon, 15 May 2023 13:57:11 +0100 Subject: [PATCH 08/11] Update v3/lints/cabf_smime_br/mailbox_validated_enforce_subject_field_restrictions.go comment to list relevant policy OIDs Co-authored-by: Christopher Henderson --- .../mailbox_validated_enforce_subject_field_restrictions.go | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) 
diff --git a/v3/lints/cabf_smime_br/mailbox_validated_enforce_subject_field_restrictions.go b/v3/lints/cabf_smime_br/mailbox_validated_enforce_subject_field_restrictions.go
index a7323c9c3..89241b1c7 100644
--- a/v3/lints/cabf_smime_br/mailbox_validated_enforce_subject_field_restrictions.go
+++ b/v3/lints/cabf_smime_br/mailbox_validated_enforce_subject_field_restrictions.go
@@ -72,7 +72,10 @@ func NewMailboxValidatedEnforceSubjectFieldRestrictions() lint.LintInterface {
 }
 }
-// CheckApplies is returns true if the certificate's policies assert that it conforms to the mailbox validated SMIME BRs
+// CheckApplies returns true if the provided certificate contains on-or-more of the following SMIME BR policy identifiers:
+// Mailbox Validated Legacy
+// Mailbox Validated Multipurpose
+// Mailbox Validated Strict
 func (l *mailboxValidatedEnforceSubjectFieldRestrictions) CheckApplies(c *x509.Certificate) bool {
 return util.IsMailboxValidatedCertificate(c)
 }
From 23ad0f5edaba7af0ac1de73c79796f522a07efbc Mon Sep 17 00:00:00 2001
From: robplee
Date: Tue, 16 May 2023 13:17:05 +0100
Subject: [PATCH 09/11] attempt to address lint complaint with comment describing CheckApplies of mailbox field presence lint
---
 ...ailbox_validated_enforce_subject_field_restrictions.go | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/v3/lints/cabf_smime_br/mailbox_validated_enforce_subject_field_restrictions.go b/v3/lints/cabf_smime_br/mailbox_validated_enforce_subject_field_restrictions.go
index 89241b1c7..fdb366fb9 100644
--- a/v3/lints/cabf_smime_br/mailbox_validated_enforce_subject_field_restrictions.go
+++ b/v3/lints/cabf_smime_br/mailbox_validated_enforce_subject_field_restrictions.go
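Review bot: The rewritten CheckApplies comment names the three mailbox-validated policies but not their OIDs, even though the commit subject says the comment should list the relevant policy OIDs; because the method only delegates to util.IsMailboxValidatedCertificate, a reader of this file still cannot tell which identifiers are actually matched. The fixtures added earlier in this series carry 2.23.140.1.5.1.1, 2.23.140.1.5.1.2 and 2.23.140.1.5.1.3 for the Legacy, Multipurpose and Strict variants respectively, so each list entry could carry its OID, e.g. `// Mailbox Validated Legacy (2.23.140.1.5.1.1)`. The same comment is rewritten again in the PATCH 09/11 hunk below, which would need the identical addition. The enclosing NewMailboxValidatedEnforceSubjectFieldRestrictions body named in the hunk header starts outside the hunk.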
@@ -72,10 +72,10 @@ func NewMailboxValidatedEnforceSubjectFieldRestrictions() lint.LintInterface {
 }
 }
-// CheckApplies returns true if the provided certificate contains on-or-more of the following SMIME BR policy identifiers:
-// Mailbox Validated Legacy
-// Mailbox Validated Multipurpose
-// Mailbox Validated Strict
+// CheckApplies returns true if the provided certificate contains one-or-more of the following SMIME BR policy identifiers:
+// - Mailbox Validated Legacy
+// - Mailbox Validated Multipurpose
+// - Mailbox Validated Strict
 func (l *mailboxValidatedEnforceSubjectFieldRestrictions) CheckApplies(c *x509.Certificate) bool {
 return util.IsMailboxValidatedCertificate(c)
 }
From a9fe5fb67081fdae61fa3a43904747b722eb5eff Mon Sep 17 00:00:00 2001
From: robplee
Date: Tue, 16 May 2023 15:58:44 +0100
Subject: [PATCH 10/11] Add explanatory comment to IsEmailProtectionCert
---
 v3/util/ca.go | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/v3/util/ca.go b/v3/util/ca.go
index eeb31e13b..df086df0e 100644
--- a/v3/util/ca.go
+++ b/v3/util/ca.go
@@ -63,6 +63,10 @@ func IsServerAuthCert(cert *x509.Certificate) bool {
 return false
 }
+// IsEmailProtectionCert returns true if the certificate presented is for use protecting emails.
+// A certificate is for use protecting emails if it contains the Any Purpose or emailProtection
+// EKUs or if the certificate contains no EKUs. This last point is a way of being overly cautious
+// and choosing to prefer false positives over false negatives.
 func IsEmailProtectionCert(cert *x509.Certificate) bool {
 if len(cert.ExtKeyUsage) == 0 {
 return true
From 8634dce640407299aec1a1e6f28f52b9009bacbe Mon Sep 17 00:00:00 2001
From: Christopher Henderson
Date: Sun, 13 Aug 2023 08:15:51 -0700
Subject: [PATCH 11/11] Fix styling in time.go
---
 v3/util/time.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/v3/util/time.go b/v3/util/time.go
index bca7fc6dc..c075b7eec 100644
--- a/v3/util/time.go
+++ b/v3/util/time.go
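Review bot: The new doc comment on IsEmailProtectionCert (the v3/util/ca.go hunk) describes the "Any Purpose or emailProtection" EKU matching, but only the `len(cert.ExtKeyUsage) == 0` fallback is inside the hunk; the rest of the body runs past the hunk's end, so the EKU claim should be checked against it (presumably a scan for ExtKeyUsageAny and ExtKeyUsageEmailProtection) and the comment would be clearer using the RFC 5280 names anyExtendedKeyUsage and id-kp-emailProtection. Because a missing EKU extension is accepted as "email protection", the comment should also say that this widening exists only to decide whether the S/MIME lints apply, e.g. `// This is a lint-applicability heuristic only; it does not assert that an EKU-less certificate is suitable for S/MIME use.`, so that callers do not treat a true result as a suitability judgement.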
@@ -74,7 +74,7 @@ var (
 CABFBRs_OU_Prohibited_Date = time.Date(2022, time.September, 1, 0, 0, 0, 0, time.UTC)
 CABF_SMIME_BRs_1_0_0_Date = time.Date(2023, time.September, 1, 0, 0, 0, 0, time.UTC)
 // Enforcement date of CRL reason codes from Ballot SC 061
- CABFBRs_1_8_7_Date = time.Date(2023, time.July, 15, 0, 0, 0, 0, time.UTC)
+ CABFBRs_1_8_7_Date = time.Date(2023, time.July, 15, 0, 0, 0, 0, time.UTC)
 )
 var (