From ee42c94897261af9f4aa0dc7dc2348988fda77a2 Mon Sep 17 00:00:00 2001 From: Adam Bender Date: Wed, 13 Dec 2023 14:34:04 -0800 Subject: [PATCH 01/10] Add lints for S/MIME BR 7.1.2.3.b --- ...ribers_crl_distribution_points_are_http.go | 78 +++++++++++++++++++ ...s_crl_distribution_points_are_http_test.go | 35 +++++++++ ...riber_with_http_crl_distribution_point.pem | 44 +++++++++++ ...r_with_non_http_crl_distribution_point.pem | 44 +++++++++++ 4 files changed, 201 insertions(+) create mode 100644 v3/lints/cabf_smime_br/lint_subscribers_crl_distribution_points_are_http.go create mode 100644 v3/lints/cabf_smime_br/lint_subscribers_crl_distribution_points_are_http_test.go create mode 100644 v3/testdata/smime/subscriber_with_http_crl_distribution_point.pem create mode 100644 v3/testdata/smime/subscriber_with_non_http_crl_distribution_point.pem diff --git a/v3/lints/cabf_smime_br/lint_subscribers_crl_distribution_points_are_http.go b/v3/lints/cabf_smime_br/lint_subscribers_crl_distribution_points_are_http.go new file mode 100644 index 000000000..6ad80ca6c --- /dev/null +++ b/v3/lints/cabf_smime_br/lint_subscribers_crl_distribution_points_are_http.go 
@@ -0,0 +1,78 @@
+/*
+ * ZLint Copyright 2023 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+package cabf_smime_br
+
+import (
+ "fmt"
+ "net/url"
+
+ "github.com/zmap/zcrypto/x509"
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/util"
+)
+
+func init() {
+ lint.RegisterLint(&lint.Lint{
+ Name: "e_subscribers_crl_distribution_points_are_http",
+ Description: "cRLDistributionPoints SHALL have URL scheme HTTP.",
+ Citation: "7.1.2.3.b",
+ Source: lint.CABFSMIMEBaselineRequirements,
+ EffectiveDate: util.CABF_SMIME_BRs_1_0_0_Date,
+ Lint: NewSubscriberCrlDistributionPointsHTTP,
+ })
+}
+
+type subscriberCrlDistributionPointsHTTP struct{}
+
+func NewSubscriberCrlDistributionPointsHTTP() lint.LintInterface {
+ return &subscriberCrlDistributionPointsHTTP{}
+}
+
+func (l *subscriberCrlDistributionPointsHTTP) CheckApplies(c *x509.Certificate) bool {
+ fmt.Println(util.IsSubscriberCert(c))
+ fmt.Println(util.IsMultipurposeSMIMECertificate(c))
+ fmt.Println(util.IsStrictSMIMECertificate(c))
+
+ b := util.IsSubscriberCert(c) && (util.IsMultipurposeSMIMECertificate(c) || util.IsStrictSMIMECertificate(c))
+
+ fmt.Printf("b = %t\n", b)
+ return b
+
+}
+
+func (l *subscriberCrlDistributionPointsHTTP) Execute(c *x509.Certificate) *lint.LintResult {
+ fmt.Println("exeucintg")
+ for _, dp := range c.CRLDistributionPoints {
+ fmt.Println(dp)
+
+ parsed, err := url.Parse(dp)
+ if err != nil {
+ return &lint.LintResult{
+ Status: lint.Error,
+ Details: "SMIME certificate contains invalid CRL distribution point",
+ }
+ }
+
+ fmt.Printf("%+v\n", parsed.Scheme)
+
+ if parsed.Scheme != "http" {
+ return &lint.LintResult{
+ Status: lint.Error,
+ Details: "SMIME certificate contains invalid URL scheme in CRL distribution point",
+ }
+ }
+ }
+ return &lint.LintResult{Status: lint.Pass}
+}
diff --git a/v3/lints/cabf_smime_br/lint_subscribers_crl_distribution_points_are_http_test.go b/v3/lints/cabf_smime_br/lint_subscribers_crl_distribution_points_are_http_test.go
new file mode 100644
index 000000000..1c9340bfe
--- /dev/null
+++ b/v3/lints/cabf_smime_br/lint_subscribers_crl_distribution_points_are_http_test.go
@@ -0,0 +1,35 @@
+package cabf_smime_br
+
+import (
+ "testing"
+
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/test"
+)
+
+func TestSubscriberCrlDistributionPointsAreHTTP(t *testing.T) {
+ testCases := []struct {
+ Name string
+ InputFilename string
+ ExpectedResult lint.LintStatus
+ }{
+ {
+ Name: "pass - cert with HTTP CRL distribution point",
+ InputFilename: "smime/subscriber_with_http_crl_distribution_point.pem",
+ ExpectedResult: lint.Pass,
+ },
+ {
+ Name: "error - cert without a non-HTTP CRL distribution point",
+ InputFilename: "smime/subscriber_with_non_http_crl_distribution_point.pem",
+ ExpectedResult: lint.Error,
+ },
+ }
+ for _, tc := range testCases {
+ t.Run(tc.Name, func(t *testing.T) {
+ result := test.TestLint("e_subscribers_crl_distribution_points_are_http", tc.InputFilename)
+ if result.Status != tc.ExpectedResult {
+ t.Errorf("expected result %v was %v - details: %v", tc.ExpectedResult, result.Status, result.Details)
+ }
+ })
+ }
+}
diff --git a/v3/testdata/smime/subscriber_with_http_crl_distribution_point.pem b/v3/testdata/smime/subscriber_with_http_crl_distribution_point.pem
new file mode 100644
index 000000000..11834e698
--- /dev/null
+++ b/v3/testdata/smime/subscriber_with_http_crl_distribution_point.pem
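Review bot: Execute reports Pass for a certificate whose cRLDistributionPoints extension is absent or carries no URI, because the loop over `c.CRLDistributionPoints` never runs and the fall-through result is `lint.Pass`; the cited clause is about the scheme of a point that has to be there, so either assert presence here or gate `CheckApplies` on `len(c.CRLDistributionPoints) > 0` so the lint reports NA rather than a misleading Pass. The field this reads appears to surface only URI-form fullName entries, so a distributionPoint expressed as a directoryName or nameRelativeToCRLIssuer would presumably never be examined — worth saying in a comment above the loop, e.g. `// Only URI-form fullName entries are surfaced in CRLDistributionPoints; other GeneralName forms are not checked here.`. The comparison against the literal `"http"` is exact, so `https://` is rejected as the BR wording requires while `HTTP://` passes because net/url lowercases the scheme; a one-line comment stating that this is deliberate would spare the next reader a trip to the spec.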
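Review bot: The new test file carries no license header, while the lint file added in the same commit does; if the repository applies the header to test files as well, presumably it belongs here too. Neither case exercises the `url.Parse` error branch or a certificate with no cRLDistributionPoints, so the lint's behaviour on those inputs is not pinned by this test.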
@@ -0,0 +1,44 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 3 (0x3) + Signature Algorithm: ecdsa-with-SHA256 + Issuer: + Validity + Not Before: Dec 13 22:18:21 2023 GMT + Not After : Nov 30 00:00:00 9998 GMT + Subject: + Subject Public Key Info: + Public Key Algorithm: id-ecPublicKey + Public-Key: (256 bit) + pub: + 04:c8:dc:df:60:b9:e2:c3:90:c7:c6:03:32:04:e1: + 4a:de:08:08:24:4c:0c:97:ed:3a:31:0f:7b:ed:47: + a0:a9:af:df:04:9d:eb:7c:df:64:87:ab:2d:f2:60: + 42:2d:65:3e:18:4d:cb:12:2e:fb:74:ef:7f:3b:ae: + 0a:e3:f3:56:d3 + ASN1 OID: prime256v1 + NIST CURVE: P-256 + X509v3 extensions: + X509v3 Extended Key Usage: + E-mail Protection + X509v3 Certificate Policies: + Policy: 2.23.140.1.5.1.3 + X509v3 CRL Distribution Points: + Full Name: + URI:http://example.com + Signature Algorithm: ecdsa-with-SHA256 + Signature Value: + 30:45:02:20:0c:0b:81:2d:9c:12:c2:86:59:1a:cd:1f:46:3c: + b4:22:a0:91:0c:33:3f:ad:f4:4d:a7:64:34:d8:37:ab:53:eb: + 02:21:00:c7:d4:f1:98:29:55:db:fe:3e:21:1e:0e:db:58:57: + c1:04:20:2f:d8:6f:53:74:05:ce:ec:f0:c4:63:0e:4d:09 +-----BEGIN CERTIFICATE----- +MIIBQjCB6aADAgECAgEDMAoGCCqGSM49BAMCMAAwIBcNMjMxMjEzMjIxODIxWhgP +OTk5ODExMzAwMDAwMDBaMAAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATI3N9g +ueLDkMfGAzIE4UreCAgkTAyX7ToxD3vtR6Cpr98Enet832SHqy3yYEItZT4YTcsS +Lvt07387rgrj81bTo1IwUDATBgNVHSUEDDAKBggrBgEFBQcDBDAUBgNVHSAEDTAL +MAkGB2eBDAEFAQMwIwYDVR0fBBwwGjAYoBagFIYSaHR0cDovL2V4YW1wbGUuY29t +MAoGCCqGSM49BAMCA0gAMEUCIAwLgS2cEsKGWRrNH0Y8tCKgkQwzP630TadkNNg3 +q1PrAiEAx9TxmClV2/4+IR4O21hXwQQgL9hvU3QFzuzwxGMOTQk= +-----END CERTIFICATE----- diff --git a/v3/testdata/smime/subscriber_with_non_http_crl_distribution_point.pem b/v3/testdata/smime/subscriber_with_non_http_crl_distribution_point.pem new file mode 100644 index 000000000..dd401daa4 --- /dev/null +++ b/v3/testdata/smime/subscriber_with_non_http_crl_distribution_point.pem 
@@ -0,0 +1,44 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 3 (0x3) + Signature Algorithm: ecdsa-with-SHA256 + Issuer: + Validity + Not Before: Dec 13 22:06:27 2023 GMT + Not After : Nov 30 00:00:00 9998 GMT + Subject: + Subject Public Key Info: + Public Key Algorithm: id-ecPublicKey + Public-Key: (256 bit) + pub: + 04:55:ab:f1:eb:ba:b6:de:14:c5:9f:02:33:86:2d: + 85:61:4a:b1:21:cf:3f:7e:95:37:fc:98:8d:21:a5: + a5:26:df:51:f4:97:9d:ec:b5:d0:c4:2b:41:66:52: + e0:a6:c4:a6:3f:0a:f3:fd:90:6a:2e:0a:b9:33:27: + c2:56:df:ae:19 + ASN1 OID: prime256v1 + NIST CURVE: P-256 + X509v3 extensions: + X509v3 Extended Key Usage: + E-mail Protection + X509v3 Certificate Policies: + Policy: 2.23.140.1.5.1.3 + X509v3 CRL Distribution Points: + Full Name: + URI:ldap://example.com + Signature Algorithm: ecdsa-with-SHA256 + Signature Value: + 30:45:02:20:05:60:ca:c3:8c:12:a6:58:6f:d3:7f:e9:82:cc: + 38:ec:1e:dc:51:88:a1:45:f2:37:64:47:d4:96:1f:9c:1e:ef: + 02:21:00:93:d1:b3:6a:b5:32:69:e0:14:be:8f:70:d9:1c:54: + 7d:1a:cd:7f:5a:a5:d2:30:ad:a2:9c:fa:37:66:8a:31:61 +-----BEGIN CERTIFICATE----- +MIIBQjCB6aADAgECAgEDMAoGCCqGSM49BAMCMAAwIBcNMjMxMjEzMjIwNjI3WhgP +OTk5ODExMzAwMDAwMDBaMAAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARVq/Hr +urbeFMWfAjOGLYVhSrEhzz9+lTf8mI0hpaUm31H0l53stdDEK0FmUuCmxKY/CvP9 +kGouCrkzJ8JW364Zo1IwUDATBgNVHSUEDDAKBggrBgEFBQcDBDAUBgNVHSAEDTAL +MAkGB2eBDAEFAQMwIwYDVR0fBBwwGjAYoBagFIYSbGRhcDovL2V4YW1wbGUuY29t +MAoGCCqGSM49BAMCA0gAMEUCIAVgysOMEqZYb9N/6YLMOOwe3FGIoUXyN2RH1JYf +nB7vAiEAk9GzarUyaeAUvo9w2RxUfRrNf1ql0jCtopz6N2aKMWE= +-----END CERTIFICATE----- From 35506533f5aa21284ea817d7b2df22525ca2aaa3 Mon Sep 17 00:00:00 2001 From: Adam Bender Date: Wed, 13 Dec 2023 14:48:44 -0800 Subject: [PATCH 02/10] remove logging --- ...scribers_crl_distribution_points_are_http.go | 17 +---------------- 1 file changed, 1 insertion(+), 16 deletions(-) 
diff --git a/v3/lints/cabf_smime_br/lint_subscribers_crl_distribution_points_are_http.go b/v3/lints/cabf_smime_br/lint_subscribers_crl_distribution_points_are_http.go index 6ad80ca6c..669413544 100644 --- a/v3/lints/cabf_smime_br/lint_subscribers_crl_distribution_points_are_http.go +++ b/v3/lints/cabf_smime_br/lint_subscribers_crl_distribution_points_are_http.go @@ -15,7 +15,6 @@ package cabf_smime_br import ( - "fmt" "net/url" "github.com/zmap/zcrypto/x509" @@ -41,22 +40,11 @@ func NewSubscriberCrlDistributionPointsHTTP() lint.LintInterface { } func (l *subscriberCrlDistributionPointsHTTP) CheckApplies(c *x509.Certificate) bool { - fmt.Println(util.IsSubscriberCert(c)) - fmt.Println(util.IsMultipurposeSMIMECertificate(c)) - fmt.Println(util.IsStrictSMIMECertificate(c)) - - b := util.IsSubscriberCert(c) && (util.IsMultipurposeSMIMECertificate(c) || util.IsStrictSMIMECertificate(c)) - - fmt.Printf("b = %t\n", b) - return b - + return util.IsSubscriberCert(c) && (util.IsMultipurposeSMIMECertificate(c) || util.IsStrictSMIMECertificate(c)) } func (l *subscriberCrlDistributionPointsHTTP) Execute(c *x509.Certificate) *lint.LintResult { - fmt.Println("exeucintg") for _, dp := range c.CRLDistributionPoints { - fmt.Println(dp) - parsed, err := url.Parse(dp) if err != nil { return &lint.LintResult{ @@ -64,9 +52,6 @@ func (l *subscriberCrlDistributionPointsHTTP) Execute(c *x509.Certificate) *lint Details: "SMIME certificate contains invalid CRL distribution point", } } - - fmt.Printf("%+v\n", parsed.Scheme) - if parsed.Scheme != "http" { return &lint.LintResult{ Status: lint.Error, From be223b7cf5c65f43e00902a2b9d6419dcebe3fbd Mon Sep 17 00:00:00 2001 From: Adam Bender Date: Tue, 19 Dec 2023 09:19:02 -0800 Subject: [PATCH 03/10] Update logic to include legacy certs --- ...ribers_crl_distribution_points_are_http.go | 24 ++++++++++++++----- 1 file changed, 18 insertions(+), 6 deletions(-) 
diff --git a/v3/lints/cabf_smime_br/lint_subscribers_crl_distribution_points_are_http.go b/v3/lints/cabf_smime_br/lint_subscribers_crl_distribution_points_are_http.go
index 669413544..6f5549b81 100644
--- a/v3/lints/cabf_smime_br/lint_subscribers_crl_distribution_points_are_http.go
+++ b/v3/lints/cabf_smime_br/lint_subscribers_crl_distribution_points_are_http.go
@@ -40,10 +40,11 @@ func NewSubscriberCrlDistributionPointsHTTP() lint.LintInterface {
}
func (l *subscriberCrlDistributionPointsHTTP) CheckApplies(c *x509.Certificate) bool {
- return util.IsSubscriberCert(c) && (util.IsMultipurposeSMIMECertificate(c) || util.IsStrictSMIMECertificate(c))
+ return util.IsSubscriberCert(c) && util.IsSMIMEBRCertificate(c)
}
func (l *subscriberCrlDistributionPointsHTTP) Execute(c *x509.Certificate) *lint.LintResult {
+ httpCount := 0
for _, dp := range c.CRLDistributionPoints {
parsed, err := url.Parse(dp)
if err != nil {
@@ -52,12 +53,23 @@ func (l *subscriberCrlDistributionPointsHTTP) Execute(c *x509.Certificate) *lint
Details: "SMIME certificate contains invalid CRL distribution point",
}
}
- if parsed.Scheme != "http" {
- return &lint.LintResult{
- Status: lint.Error,
- Details: "SMIME certificate contains invalid URL scheme in CRL distribution point",
- }
+ if parsed.Scheme == "http" {
+ httpCount++
}
}
+
+ if (util.IsMultipurposeSMIMECertificate(c) || util.IsStrictSMIMECertificate(c)) && httpCount != len(c.CRLDistributionPoints) {
+ return &lint.LintResult{
+ Status: lint.Error,
+ Details: "SMIME certificate contains invalid URL scheme in CRL distribution point",
+ }
+ }
+ if util.IsLegacySMIMECertificate(c) && httpCount == 0 {
+ return &lint.LintResult{
+ Status: lint.Error,
+ Details: "SMIME certificate contains no HTTP URL schemes in CRL distribution points",
+ }
+ }
+
+ return &lint.LintResult{Status: lint.Pass}
}
From c5cfb81ff7e03a15ed38569be9129620b5212c7c Mon Sep 17 00:00:00 2001
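Review bot: The two profile branches disagree on a certificate with an empty `c.CRLDistributionPoints`: for Strict/Multipurpose `httpCount != len(c.CRLDistributionPoints)` is `0 != 0` and the lint passes, whereas for Legacy `httpCount == 0` fires and reports "contains no HTTP URL schemes", a message that describes a scheme problem rather than a missing extension. Decide where presence is enforced and make both branches agree — if another lint already covers the presence requirement of 7.1.2.3, add `&& len(c.CRLDistributionPoints) > 0` to `CheckApplies` so this lint reports NA; otherwise return a dedicated result before the loop, `if len(c.CRLDistributionPoints) == 0 { return &lint.LintResult{Status: lint.Error, Details: "SMIME certificate has no cRLDistributionPoints URI"} }`. The early `return` on a `url.Parse` failure also means a Legacy certificate with one malformed entry and one good HTTP entry is reported as malformed rather than counted; that is a defensible choice, but a comment on the error branch saying it is intentional would help. The `url.Parse` error branch begins in the first hunk and its `Details` line is only visible as context in the second.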
From: Adam Bender Date: Tue, 19 Dec 2023 09:28:01 -0800 Subject: [PATCH 04/10] Add test for legacy certs --- ...r_with_non_http_crl_distribution_point.pem | 44 +++++++++++++++++++ 1 file changed, 44 insertions(+) create mode 100644 v3/testdata/smime/legacy_subscriber_with_non_http_crl_distribution_point.pem diff --git a/v3/testdata/smime/legacy_subscriber_with_non_http_crl_distribution_point.pem b/v3/testdata/smime/legacy_subscriber_with_non_http_crl_distribution_point.pem new file mode 100644 index 000000000..433000e52 --- /dev/null +++ b/v3/testdata/smime/legacy_subscriber_with_non_http_crl_distribution_point.pem 
@@ -0,0 +1,44 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 3 (0x3) + Signature Algorithm: ecdsa-with-SHA256 + Issuer: + Validity + Not Before: Dec 19 17:22:50 2023 GMT + Not After : Nov 30 00:00:00 9998 GMT + Subject: + Subject Public Key Info: + Public Key Algorithm: id-ecPublicKey + Public-Key: (256 bit) + pub: + 04:4c:6f:d1:2b:55:07:e8:4c:93:9f:89:29:eb:c5: + 3f:e1:d5:61:14:43:39:5f:ac:f7:db:af:3c:68:37: + ca:b4:94:d9:b6:06:da:d8:39:4e:d3:58:19:29:60: + 5a:32:f3:9e:20:df:2a:51:e8:c1:ca:1d:d0:be:c5: + 77:06:b5:09:6c + ASN1 OID: prime256v1 + NIST CURVE: P-256 + X509v3 extensions: + X509v3 Extended Key Usage: + E-mail Protection + X509v3 Certificate Policies: + Policy: 2.23.140.1.5.1.1 + X509v3 CRL Distribution Points: + Full Name: + URI:ldap://example.com + Signature Algorithm: ecdsa-with-SHA256 + Signature Value: + 30:44:02:20:37:8f:bc:61:b8:09:d3:bb:6e:c0:b6:ae:2a:64: + 1e:8e:02:60:dc:28:4a:74:88:bd:fb:a9:6f:e2:a8:3d:a1:b4: + 02:20:4e:db:12:05:79:b3:09:17:9b:66:b3:a3:d6:6b:45:52: + 7f:df:9b:58:93:36:13:1c:73:fb:78:95:4e:7f:ee:56 +-----BEGIN CERTIFICATE----- +MIIBQTCB6aADAgECAgEDMAoGCCqGSM49BAMCMAAwIBcNMjMxMjE5MTcyMjUwWhgP +OTk5ODExMzAwMDAwMDBaMAAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARMb9Er +VQfoTJOfiSnrxT/h1WEUQzlfrPfbrzxoN8q0lNm2BtrYOU7TWBkpYFoy854g3ypR +6MHKHdC+xXcGtQlso1IwUDATBgNVHSUEDDAKBggrBgEFBQcDBDAUBgNVHSAEDTAL +MAkGB2eBDAEFAQEwIwYDVR0fBBwwGjAYoBagFIYSbGRhcDovL2V4YW1wbGUuY29t +MAoGCCqGSM49BAMCA0cAMEQCIDePvGG4CdO7bsC2ripkHo4CYNwoSnSIvfupb+Ko +PaG0AiBO2xIFebMJF5tms6PWa0VSf9+bWJM2Exxz+3iVTn/uVg== +-----END CERTIFICATE----- From 6209bc23d2a1ddf98339c213b0204e3a865ea7cc Mon Sep 17 00:00:00 2001 From: Adam Bender Date: Tue, 19 Dec 2023 10:24:00 -0800 Subject: [PATCH 05/10] add test --- .../lint_subscribers_crl_distribution_points_are_http.go | 2 +- ...lint_subscribers_crl_distribution_points_are_http_test.go | 5 +++++ 2 files changed, 6 insertions(+), 1 deletion(-) 
diff --git a/v3/lints/cabf_smime_br/lint_subscribers_crl_distribution_points_are_http.go b/v3/lints/cabf_smime_br/lint_subscribers_crl_distribution_points_are_http.go index 6f5549b81..76da5daef 100644 --- a/v3/lints/cabf_smime_br/lint_subscribers_crl_distribution_points_are_http.go +++ b/v3/lints/cabf_smime_br/lint_subscribers_crl_distribution_points_are_http.go @@ -67,7 +67,7 @@ func (l *subscriberCrlDistributionPointsHTTP) Execute(c *x509.Certificate) *lint if util.IsLegacySMIMECertificate(c) && httpCount == 0 { return &lint.LintResult{ Status: lint.Error, - Details: "SMIME certificate contains no HTTP URL schemes in CRL distribution points", + Details: "SMIME certificate contains no HTTP URL schemes as CRL distribution points", } } diff --git a/v3/lints/cabf_smime_br/lint_subscribers_crl_distribution_points_are_http_test.go b/v3/lints/cabf_smime_br/lint_subscribers_crl_distribution_points_are_http_test.go index 1c9340bfe..592dd34ba 100644 --- a/v3/lints/cabf_smime_br/lint_subscribers_crl_distribution_points_are_http_test.go +++ b/v3/lints/cabf_smime_br/lint_subscribers_crl_distribution_points_are_http_test.go @@ -23,6 +23,11 @@ func TestSubscriberCrlDistributionPointsAreHTTP(t *testing.T) { InputFilename: "smime/subscriber_with_non_http_crl_distribution_point.pem", ExpectedResult: lint.Error, }, + { + Name: "error - cert without no HTTP CRL distribution points", + InputFilename: "smime/legacy_subscriber_with_non_http_crl_distribution_point.pem", + ExpectedResult: lint.Error, + }, } for _, tc := range testCases { t.Run(tc.Name, func(t *testing.T) { From a5abd1bd26a908b8fcde4cd54c103b13bf72c34d Mon Sep 17 00:00:00 2001 
From: Adam Bender Date: Tue, 13 Feb 2024 12:11:06 -0800 Subject: [PATCH 06/10] Add tests with mixed HTTP and non-HTTP --- ...s_crl_distribution_points_are_http_test.go | 38 +++++++++++---- ...ber_with_mixed_crl_distribution_points.pem | 47 +++++++++++++++++++ ...ber_with_mixed_crl_distribution_points.pem | 47 +++++++++++++++++++ 3 files changed, 122 insertions(+), 10 deletions(-) create mode 100644 v3/testdata/smime/legacy_subscriber_with_mixed_crl_distribution_points.pem create mode 100644 v3/testdata/smime/subscriber_with_mixed_crl_distribution_points.pem diff --git a/v3/lints/cabf_smime_br/lint_subscribers_crl_distribution_points_are_http_test.go b/v3/lints/cabf_smime_br/lint_subscribers_crl_distribution_points_are_http_test.go index 592dd34ba..d7342761a 100644 --- a/v3/lints/cabf_smime_br/lint_subscribers_crl_distribution_points_are_http_test.go +++ b/v3/lints/cabf_smime_br/lint_subscribers_crl_distribution_points_are_http_test.go 
@@ -9,24 +9,38 @@ import (
func TestSubscriberCrlDistributionPointsAreHTTP(t *testing.T) {
testCases := []struct {
- Name string
- InputFilename string
- ExpectedResult lint.LintStatus
+ Name string
+ InputFilename string
+ ExpectedResult lint.LintStatus
+ ExpectedDetails string
}{
{
- Name: "pass - cert with HTTP CRL distribution point",
+ Name: "pass - cert with only HTTP CRL distribution points",
InputFilename: "smime/subscriber_with_http_crl_distribution_point.pem",
ExpectedResult: lint.Pass,
},
{
- Name: "error - cert without a non-HTTP CRL distribution point",
- InputFilename: "smime/subscriber_with_non_http_crl_distribution_point.pem",
- ExpectedResult: lint.Error,
+ Name: "error - cert with a non-HTTP CRL distribution point",
+ InputFilename: "smime/subscriber_with_non_http_crl_distribution_point.pem",
+ ExpectedResult: lint.Error,
+ ExpectedDetails: "SMIME certificate contains invalid URL scheme in CRL distribution point",
},
{
- Name: "error - cert without no HTTP CRL distribution points",
- InputFilename: "smime/legacy_subscriber_with_non_http_crl_distribution_point.pem",
- ExpectedResult: lint.Error,
+ Name: "error - legacy cert with no HTTP CRL distribution points",
+ InputFilename: "smime/legacy_subscriber_with_non_http_crl_distribution_point.pem",
+ ExpectedResult: lint.Error,
+ ExpectedDetails: "SMIME certificate contains no HTTP URL schemes as CRL distribution points",
+ },
+ {
+ Name: "pass - legacy cert with HTTP and non-HTTP CRL distribution points",
+ InputFilename: "smime/legacy_subscriber_with_mixed_crl_distribution_points.pem",
+ ExpectedResult: lint.Pass,
+ },
+ {
+ Name: "error - cert with HTTP and non-HTTP CRL distribution points",
+ InputFilename: "smime/subscriber_with_mixed_crl_distribution_points.pem",
+ ExpectedResult: lint.Error,
+ ExpectedDetails: "SMIME certificate contains invalid URL scheme in CRL distribution point",
},
}
for _, tc := range testCases {
@@ -35,6 +49,10 @@ func TestSubscriberCrlDistributionPointsAreHTTP(t *testing.T) {
if result.Status != tc.ExpectedResult {
t.Errorf("expected result %v was %v - details: %v", tc.ExpectedResult, result.Status, result.Details)
}
+
+ if tc.ExpectedDetails != "" && tc.ExpectedDetails != result.Details {
+ t.Errorf("expected details: %s, was %s", tc.ExpectedDetails, result.Details)
+ }
})
}
}
diff --git a/v3/testdata/smime/legacy_subscriber_with_mixed_crl_distribution_points.pem b/v3/testdata/smime/legacy_subscriber_with_mixed_crl_distribution_points.pem
new file mode 100644
index 000000000..d082d6ab9
--- /dev/null
+++ b/v3/testdata/smime/legacy_subscriber_with_mixed_crl_distribution_points.pem
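Review bot: None of the cases pins the boundary that matters most for this clause — an `https://` distribution point, which the lint rejects only because it compares `parsed.Scheme` with the literal `"http"`; a fixture for it would stop a future "https is more secure" edit from silently loosening the check. A case for a certificate with no cRLDistributionPoints at all would likewise document whether Pass, NA or Error is intended for each profile, since the two profile branches currently treat that input differently. Each is one more struct literal, e.g. `{Name: "error - cert with HTTPS CRL distribution point", InputFilename: "smime/subscriber_with_https_crl_distribution_point.pem", ExpectedResult: lint.Error}`, plus the PEM under testdata. The new `ExpectedDetails` check is exact string equality, so any later rewording of a Details message has to be mirrored here; that is fine, but worth a short comment so the coupling is not a surprise.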
@@ -0,0 +1,47 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 3 (0x3) + Signature Algorithm: ecdsa-with-SHA256 + Issuer: + Validity + Not Before: Feb 13 19:15:27 2024 GMT + Not After : Nov 30 00:00:00 9998 GMT + Subject: + Subject Public Key Info: + Public Key Algorithm: id-ecPublicKey + Public-Key: (256 bit) + pub: + 04:df:e4:01:1a:7b:25:62:45:ce:af:1a:0c:f6:34: + 35:ca:c6:25:a8:7a:b2:de:2e:13:6c:8e:82:96:57: + 1e:7b:a4:ab:b4:42:4b:25:8a:ec:13:2b:77:67:96: + fe:b4:c5:32:c4:e3:8f:9f:17:fd:3c:a4:e1:fb:2f: + f4:f5:b7:fe:99 + ASN1 OID: prime256v1 + NIST CURVE: P-256 + X509v3 extensions: + X509v3 Extended Key Usage: + E-mail Protection + X509v3 Certificate Policies: + Policy: 2.23.140.1.5.1.1 + X509v3 CRL Distribution Points: + Full Name: + URI:ldap://example.com + Full Name: + URI:http://example.com + Signature Algorithm: ecdsa-with-SHA256 + Signature Value: + 30:45:02:21:00:e1:7e:f6:31:49:1b:5d:ca:70:cc:b4:a7:3a: + 50:57:21:1f:77:ee:d1:49:c1:06:51:1d:a3:ce:fd:30:47:a8: + 5d:02:20:51:b7:49:53:5f:4d:2e:87:d3:0d:c0:ea:51:64:0e: + 7c:46:e2:30:18:1a:ac:80:4a:2a:9f:2d:3b:0f:7f:a5:67 +-----BEGIN CERTIFICATE----- +MIIBXTCCAQOgAwIBAgIBAzAKBggqhkjOPQQDAjAAMCAXDTI0MDIxMzE5MTUyN1oY +Dzk5OTgxMTMwMDAwMDAwWjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE3+QB +GnslYkXOrxoM9jQ1ysYlqHqy3i4TbI6Cllcee6SrtEJLJYrsEyt3Z5b+tMUyxOOP +nxf9PKTh+y/09bf+maNsMGowEwYDVR0lBAwwCgYIKwYBBQUHAwQwFAYDVR0gBA0w +CzAJBgdngQwBBQEBMD0GA1UdHwQ2MDQwGKAWoBSGEmxkYXA6Ly9leGFtcGxlLmNv +bTAYoBagFIYSaHR0cDovL2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDh +fvYxSRtdynDMtKc6UFchH3fu0UnBBlEdo879MEeoXQIgUbdJU19NLofTDcDqUWQO +fEbiMBgarIBKKp8tOw9/pWc= +-----END CERTIFICATE----- \ No newline at end of file diff --git a/v3/testdata/smime/subscriber_with_mixed_crl_distribution_points.pem b/v3/testdata/smime/subscriber_with_mixed_crl_distribution_points.pem new file mode 100644 index 000000000..94add5a01 --- /dev/null +++ b/v3/testdata/smime/subscriber_with_mixed_crl_distribution_points.pem 
@@ -0,0 +1,47 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 3 (0x3) + Signature Algorithm: ecdsa-with-SHA256 + Issuer: + Validity + Not Before: Feb 13 19:20:31 2024 GMT + Not After : Nov 30 00:00:00 9998 GMT + Subject: + Subject Public Key Info: + Public Key Algorithm: id-ecPublicKey + Public-Key: (256 bit) + pub: + 04:7d:26:16:25:1e:57:16:05:f0:e2:95:77:56:b8: + f6:66:c0:ba:1a:35:fd:6c:57:3d:07:16:c7:fc:44: + 67:32:41:b9:f6:1e:94:91:ad:37:90:28:34:45:70: + 32:c0:9e:64:e8:9a:14:55:41:ff:19:87:fb:43:0b: + 25:c2:8d:3d:f5 + ASN1 OID: prime256v1 + NIST CURVE: P-256 + X509v3 extensions: + X509v3 Extended Key Usage: + E-mail Protection + X509v3 Certificate Policies: + Policy: 2.23.140.1.5.1.3 + X509v3 CRL Distribution Points: + Full Name: + URI:ldap://example.com + Full Name: + URI:http://example.com + Signature Algorithm: ecdsa-with-SHA256 + Signature Value: + 30:45:02:21:00:eb:f3:1b:63:15:c8:38:41:05:24:c1:29:51: + 12:23:99:d6:aa:86:a2:5e:37:eb:48:13:8b:51:19:33:97:f4: + c1:02:20:7b:02:fd:c7:4f:7d:ff:fd:1b:b2:7e:66:f8:b9:d5: + e5:be:8b:18:8a:f2:3e:55:33:84:dd:cb:ae:19:ad:c8:c0 +-----BEGIN CERTIFICATE----- +MIIBXTCCAQOgAwIBAgIBAzAKBggqhkjOPQQDAjAAMCAXDTI0MDIxMzE5MjAzMVoY +Dzk5OTgxMTMwMDAwMDAwWjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEfSYW +JR5XFgXw4pV3Vrj2ZsC6GjX9bFc9BxbH/ERnMkG59h6Uka03kCg0RXAywJ5k6JoU +VUH/GYf7Qwslwo099aNsMGowEwYDVR0lBAwwCgYIKwYBBQUHAwQwFAYDVR0gBA0w +CzAJBgdngQwBBQEDMD0GA1UdHwQ2MDQwGKAWoBSGEmxkYXA6Ly9leGFtcGxlLmNv +bTAYoBagFIYSaHR0cDovL2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDr +8xtjFcg4QQUkwSlREiOZ1qqGol4360gTi1EZM5f0wQIgewL9x099//0bsn5m+LnV +5b6LGIryPlUzhN3LrhmtyMA= +-----END CERTIFICATE----- \ No newline at end of file From 46e01a7fa340c2f8286a8c282e5c58ffc913f6b5 Mon Sep 17 00:00:00 2001 From: Adam Bender Date: Tue, 20 Feb 2024 13:10:13 -0800 Subject: [PATCH 07/10] URL -> URI --- .../lint_subscribers_crl_distribution_points_are_http.go | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
diff --git a/v3/lints/cabf_smime_br/lint_subscribers_crl_distribution_points_are_http.go b/v3/lints/cabf_smime_br/lint_subscribers_crl_distribution_points_are_http.go index 76da5daef..b00067080 100644 --- a/v3/lints/cabf_smime_br/lint_subscribers_crl_distribution_points_are_http.go +++ b/v3/lints/cabf_smime_br/lint_subscribers_crl_distribution_points_are_http.go @@ -25,7 +25,7 @@ import ( func init() { lint.RegisterLint(&lint.Lint{ Name: "e_subscribers_crl_distribution_points_are_http", - Description: "cRLDistributionPoints SHALL have URL scheme HTTP.", + Description: "cRLDistributionPoints SHALL have URI scheme HTTP.", Citation: "7.1.2.3.b", Source: lint.CABFSMIMEBaselineRequirements, EffectiveDate: util.CABF_SMIME_BRs_1_0_0_Date, @@ -61,13 +61,13 @@ func (l *subscriberCrlDistributionPointsHTTP) Execute(c *x509.Certificate) *lint if (util.IsMultipurposeSMIMECertificate(c) || util.IsStrictSMIMECertificate(c)) && httpCount != len(c.CRLDistributionPoints) { return &lint.LintResult{ Status: lint.Error, - Details: "SMIME certificate contains invalid URL scheme in CRL distribution point", + Details: "SMIME certificate contains invalid URI scheme in CRL distribution point", } } if util.IsLegacySMIMECertificate(c) && httpCount == 0 { return &lint.LintResult{ Status: lint.Error, - Details: "SMIME certificate contains no HTTP URL schemes as CRL distribution points", + Details: "SMIME certificate contains no HTTP URI schemes as CRL distribution points", } } From 56e6648fb4ca2680a84dfe0e674ee033f2eaf066 Mon Sep 17 00:00:00 2001 From: Adam Bender Date: Tue, 20 Feb 2024 13:27:09 -0800 Subject: [PATCH 08/10] Fix text --- ...int_subscribers_crl_distribution_points_are_http_test.go | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/v3/lints/cabf_smime_br/lint_subscribers_crl_distribution_points_are_http_test.go b/v3/lints/cabf_smime_br/lint_subscribers_crl_distribution_points_are_http_test.go index d7342761a..2fb3d386b 100644 
--- a/v3/lints/cabf_smime_br/lint_subscribers_crl_distribution_points_are_http_test.go +++ b/v3/lints/cabf_smime_br/lint_subscribers_crl_distribution_points_are_http_test.go @@ -23,13 +23,13 @@ func TestSubscriberCrlDistributionPointsAreHTTP(t *testing.T) { Name: "error - cert with a non-HTTP CRL distribution point", InputFilename: "smime/subscriber_with_non_http_crl_distribution_point.pem", ExpectedResult: lint.Error, - ExpectedDetails: "SMIME certificate contains invalid URL scheme in CRL distribution point", + ExpectedDetails: "SMIME certificate contains invalid URI scheme in CRL distribution point", }, { Name: "error - legacy cert with no HTTP CRL distribution points", InputFilename: "smime/legacy_subscriber_with_non_http_crl_distribution_point.pem", ExpectedResult: lint.Error, - ExpectedDetails: "SMIME certificate contains no HTTP URL schemes as CRL distribution points", + ExpectedDetails: "SMIME certificate contains no HTTP URI schemes as CRL distribution points", }, { Name: "pass - legacy cert with HTTP and non-HTTP CRL distribution points", @@ -40,7 +40,7 @@ func TestSubscriberCrlDistributionPointsAreHTTP(t *testing.T) { Name: "error - cert with HTTP and non-HTTP CRL distribution points", InputFilename: "smime/subscriber_with_mixed_crl_distribution_points.pem", ExpectedResult: lint.Error, - ExpectedDetails: "SMIME certificate contains invalid URL scheme in CRL distribution point", + ExpectedDetails: "SMIME certificate contains invalid URI scheme in CRL distribution point", }, } for _, tc := range testCases { From 6b152fefd947916814c4e546e5a65b0af762a8eb Mon Sep 17 00:00:00 2001 From: Adam Bender Date: Tue, 20 Feb 2024 13:36:35 -0800 Subject: [PATCH 09/10] UseCertificateLint --- ...bscribers_crl_distribution_points_are_http.go | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) 
diff --git a/v3/lints/cabf_smime_br/lint_subscribers_crl_distribution_points_are_http.go b/v3/lints/cabf_smime_br/lint_subscribers_crl_distribution_points_are_http.go index b00067080..3333e36ba 100644 --- a/v3/lints/cabf_smime_br/lint_subscribers_crl_distribution_points_are_http.go +++ b/v3/lints/cabf_smime_br/lint_subscribers_crl_distribution_points_are_http.go @@ -23,13 +23,15 @@ import ( ) func init() { - lint.RegisterLint(&lint.Lint{ - Name: "e_subscribers_crl_distribution_points_are_http", - Description: "cRLDistributionPoints SHALL have URI scheme HTTP.", - Citation: "7.1.2.3.b", - Source: lint.CABFSMIMEBaselineRequirements, - EffectiveDate: util.CABF_SMIME_BRs_1_0_0_Date, - Lint: NewSubscriberCrlDistributionPointsHTTP, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_subscribers_crl_distribution_points_are_http", + Description: "cRLDistributionPoints SHALL have URI scheme HTTP.", + Citation: "7.1.2.3.b", + Source: lint.CABFSMIMEBaselineRequirements, + EffectiveDate: util.CABF_SMIME_BRs_1_0_0_Date, + }, + Lint: NewSubscriberCrlDistributionPointsHTTP, }) } From 5aa47f6e2a8b6418ee52a667f2ccc93f32046534 Mon Sep 17 00:00:00 2001 
From: Adam Bender Date: Mon, 4 Mar 2024 13:52:12 -0800 Subject: [PATCH 10/10] Rename testdata files to reflect their type --- ...scribers_crl_distribution_points_are_http_test.go | 12 ++++++------ ...subscriber_with_mixed_crl_distribution_points.pem | 2 +- ..._subscriber_with_http_crl_distribution_point.pem} | 0 ...ubscriber_with_mixed_crl_distribution_points.pem} | 2 +- ...scriber_with_non_http_crl_distribution_point.pem} | 0 5 files changed, 8 insertions(+), 8 deletions(-) rename v3/testdata/smime/{subscriber_with_http_crl_distribution_point.pem => strict_subscriber_with_http_crl_distribution_point.pem} (100%) rename v3/testdata/smime/{subscriber_with_mixed_crl_distribution_points.pem => strict_subscriber_with_mixed_crl_distribution_points.pem} (98%) rename v3/testdata/smime/{subscriber_with_non_http_crl_distribution_point.pem => strict_subscriber_with_non_http_crl_distribution_point.pem} (100%) diff --git a/v3/lints/cabf_smime_br/lint_subscribers_crl_distribution_points_are_http_test.go b/v3/lints/cabf_smime_br/lint_subscribers_crl_distribution_points_are_http_test.go index 2fb3d386b..15b133f7d 100644 --- a/v3/lints/cabf_smime_br/lint_subscribers_crl_distribution_points_are_http_test.go +++ b/v3/lints/cabf_smime_br/lint_subscribers_crl_distribution_points_are_http_test.go 
@@ -15,13 +15,13 @@ func TestSubscriberCrlDistributionPointsAreHTTP(t *testing.T) { ExpectedDetails string }{ { - Name: "pass - cert with only HTTP CRL distribution points", - InputFilename: "smime/subscriber_with_http_crl_distribution_point.pem", + Name: "pass - strict cert with only HTTP CRL distribution points", + InputFilename: "smime/strict_subscriber_with_http_crl_distribution_point.pem", ExpectedResult: lint.Pass, }, { - Name: "error - cert with a non-HTTP CRL distribution point", - InputFilename: "smime/subscriber_with_non_http_crl_distribution_point.pem", + Name: "error - strict cert with a non-HTTP CRL distribution point", + InputFilename: "smime/strict_subscriber_with_non_http_crl_distribution_point.pem", ExpectedResult: lint.Error, ExpectedDetails: "SMIME certificate contains invalid URI scheme in CRL distribution point", }, @@ -37,8 +37,8 @@ func TestSubscriberCrlDistributionPointsAreHTTP(t *testing.T) { ExpectedResult: lint.Pass, }, { - Name: "error - cert with HTTP and non-HTTP CRL distribution points", - InputFilename: "smime/subscriber_with_mixed_crl_distribution_points.pem", + Name: "error - strict cert with HTTP and non-HTTP CRL distribution points", + InputFilename: "smime/strict_subscriber_with_mixed_crl_distribution_points.pem", ExpectedResult: lint.Error, ExpectedDetails: "SMIME certificate contains invalid URI scheme in CRL distribution point", }, diff --git a/v3/testdata/smime/legacy_subscriber_with_mixed_crl_distribution_points.pem b/v3/testdata/smime/legacy_subscriber_with_mixed_crl_distribution_points.pem index d082d6ab9..f65ce5d29 100644 --- a/v3/testdata/smime/legacy_subscriber_with_mixed_crl_distribution_points.pem +++ b/v3/testdata/smime/legacy_subscriber_with_mixed_crl_distribution_points.pem 
@@ -44,4 +44,4 @@ CzAJBgdngQwBBQEBMD0GA1UdHwQ2MDQwGKAWoBSGEmxkYXA6Ly9leGFtcGxlLmNv bTAYoBagFIYSaHR0cDovL2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDh fvYxSRtdynDMtKc6UFchH3fu0UnBBlEdo879MEeoXQIgUbdJU19NLofTDcDqUWQO fEbiMBgarIBKKp8tOw9/pWc= ------END CERTIFICATE----- \ No newline at end of file +-----END CERTIFICATE----- diff --git a/v3/testdata/smime/subscriber_with_http_crl_distribution_point.pem b/v3/testdata/smime/strict_subscriber_with_http_crl_distribution_point.pem similarity index 100% rename from v3/testdata/smime/subscriber_with_http_crl_distribution_point.pem rename to v3/testdata/smime/strict_subscriber_with_http_crl_distribution_point.pem diff --git a/v3/testdata/smime/subscriber_with_mixed_crl_distribution_points.pem b/v3/testdata/smime/strict_subscriber_with_mixed_crl_distribution_points.pem similarity index 98% rename from v3/testdata/smime/subscriber_with_mixed_crl_distribution_points.pem rename to v3/testdata/smime/strict_subscriber_with_mixed_crl_distribution_points.pem index 94add5a01..b70d8b27e 100644 --- a/v3/testdata/smime/subscriber_with_mixed_crl_distribution_points.pem +++ b/v3/testdata/smime/strict_subscriber_with_mixed_crl_distribution_points.pem @@ -44,4 +44,4 @@ CzAJBgdngQwBBQEDMD0GA1UdHwQ2MDQwGKAWoBSGEmxkYXA6Ly9leGFtcGxlLmNv bTAYoBagFIYSaHR0cDovL2V4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIQDr 8xtjFcg4QQUkwSlREiOZ1qqGol4360gTi1EZM5f0wQIgewL9x099//0bsn5m+LnV 5b6LGIryPlUzhN3LrhmtyMA= ------END CERTIFICATE----- \ No newline at end of file +-----END CERTIFICATE----- diff --git a/v3/testdata/smime/subscriber_with_non_http_crl_distribution_point.pem b/v3/testdata/smime/strict_subscriber_with_non_http_crl_distribution_point.pem similarity index 100% rename from v3/testdata/smime/subscriber_with_non_http_crl_distribution_point.pem rename to v3/testdata/smime/strict_subscriber_with_non_http_crl_distribution_point.pem