Add lints for S/MIME BR 7.1.2.3.b

v3/lints/cabf_smime_br/lint_subscribers_crl_distribution_points_are_http.go

@@ -0,0 +1,75 @@
+/*
+ * ZLint Copyright 2023 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+package cabf_smime_br
+
+import (
+	"net/url"
+
+	"github.com/zmap/zcrypto/x509"
+	"github.com/zmap/zlint/v3/lint"
+	"github.com/zmap/zlint/v3/util"
+)
+
+func init() {
+	lint.RegisterLint(&lint.Lint{
+		Name:          "e_subscribers_crl_distribution_points_are_http",
+		Description:   "cRLDistributionPoints SHALL have URL scheme HTTP.",
+		Citation:      "7.1.2.3.b",
+		Source:        lint.CABFSMIMEBaselineRequirements,
+		EffectiveDate: util.CABF_SMIME_BRs_1_0_0_Date,
+		Lint:          NewSubscriberCrlDistributionPointsHTTP,
+	})
+}
+
+type subscriberCrlDistributionPointsHTTP struct{}
+
+func NewSubscriberCrlDistributionPointsHTTP() lint.LintInterface {
+	return &subscriberCrlDistributionPointsHTTP{}
+}
+
+func (l *subscriberCrlDistributionPointsHTTP) CheckApplies(c *x509.Certificate) bool {
+	return util.IsSubscriberCert(c) && util.IsSMIMEBRCertificate(c)
+}
+
+func (l *subscriberCrlDistributionPointsHTTP) Execute(c *x509.Certificate) *lint.LintResult {
+	httpCount := 0
+	for _, dp := range c.CRLDistributionPoints {
+		parsed, err := url.Parse(dp)
+		if err != nil {
+			return &lint.LintResult{
+				Status:  lint.Error,
+				Details: "SMIME certificate contains invalid CRL distribution point",
+			}
+		}
+		if parsed.Scheme == "http" {
+			httpCount++
+		}
+	}
+
+	if (util.IsMultipurposeSMIMECertificate(c) || util.IsStrictSMIMECertificate(c)) && httpCount != len(c.CRLDistributionPoints) {
+		return &lint.LintResult{
+			Status:  lint.Error,
+			Details: "SMIME certificate contains invalid URL scheme in CRL distribution point",
+		}
+	}
+	if util.IsLegacySMIMECertificate(c) && httpCount == 0 {
+		return &lint.LintResult{
+			Status:  lint.Error,
+			Details: "SMIME certificate contains no HTTP URL schemes as CRL distribution points",
+		}
+	}
+
+	return &lint.LintResult{Status: lint.Pass}
+}

v3/lints/cabf_smime_br/lint_subscribers_crl_distribution_points_are_http_test.go

@@ -0,0 +1,40 @@
+package cabf_smime_br
+
+import (
+	"testing"
+
+	"github.com/zmap/zlint/v3/lint"
+	"github.com/zmap/zlint/v3/test"
+)
+
+func TestSubscriberCrlDistributionPointsAreHTTP(t *testing.T) {
+	testCases := []struct {
+		Name           string
+		InputFilename  string
+		ExpectedResult lint.LintStatus
+	}{
+		{
+			Name:           "pass - cert with HTTP CRL distribution point",
+			InputFilename:  "smime/subscriber_with_http_crl_distribution_point.pem",
+			ExpectedResult: lint.Pass,
+		},
+		{
+			Name:           "error - cert without a non-HTTP CRL distribution point",
+			InputFilename:  "smime/subscriber_with_non_http_crl_distribution_point.pem",
+			ExpectedResult: lint.Error,
+		},
+		{
+			Name:           "error - cert without no HTTP CRL distribution points",
+			InputFilename:  "smime/legacy_subscriber_with_non_http_crl_distribution_point.pem",
+			ExpectedResult: lint.Error,
+		},
+	}
+	for _, tc := range testCases {
+		t.Run(tc.Name, func(t *testing.T) {
+			result := test.TestLint("e_subscribers_crl_distribution_points_are_http", tc.InputFilename)
+			if result.Status != tc.ExpectedResult {
+				t.Errorf("expected result %v was %v - details: %v", tc.ExpectedResult, result.Status, result.Details)
+			}
+		})
+	}
+}

v3/testdata/smime/legacy_subscriber_with_non_http_crl_distribution_point.pem

@@ -0,0 +1,44 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 3 (0x3)
+        Signature Algorithm: ecdsa-with-SHA256
+        Issuer: 
+        Validity
+            Not Before: Dec 19 17:22:50 2023 GMT
+            Not After : Nov 30 00:00:00 9998 GMT
+        Subject: 
+        Subject Public Key Info:
+            Public Key Algorithm: id-ecPublicKey
+                Public-Key: (256 bit)
+                pub:
+                    04:4c:6f:d1:2b:55:07:e8:4c:93:9f:89:29:eb:c5:
+                    3f:e1:d5:61:14:43:39:5f:ac:f7:db:af:3c:68:37:
+                    ca:b4:94:d9:b6:06:da:d8:39:4e:d3:58:19:29:60:
+                    5a:32:f3:9e:20:df:2a:51:e8:c1:ca:1d:d0:be:c5:
+                    77:06:b5:09:6c
+                ASN1 OID: prime256v1
+                NIST CURVE: P-256
+        X509v3 extensions:
+            X509v3 Extended Key Usage: 
+                E-mail Protection
+            X509v3 Certificate Policies: 
+                Policy: 2.23.140.1.5.1.1
+            X509v3 CRL Distribution Points: 
+                Full Name:
+                  URI:ldap://example.com
+    Signature Algorithm: ecdsa-with-SHA256
+    Signature Value:
+        30:44:02:20:37:8f:bc:61:b8:09:d3:bb:6e:c0:b6:ae:2a:64:
+        1e:8e:02:60:dc:28:4a:74:88:bd:fb:a9:6f:e2:a8:3d:a1:b4:
+        02:20:4e:db:12:05:79:b3:09:17:9b:66:b3:a3:d6:6b:45:52:
+        7f:df:9b:58:93:36:13:1c:73:fb:78:95:4e:7f:ee:56
+-----BEGIN CERTIFICATE-----
+MIIBQTCB6aADAgECAgEDMAoGCCqGSM49BAMCMAAwIBcNMjMxMjE5MTcyMjUwWhgP
+OTk5ODExMzAwMDAwMDBaMAAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARMb9Er
+VQfoTJOfiSnrxT/h1WEUQzlfrPfbrzxoN8q0lNm2BtrYOU7TWBkpYFoy854g3ypR
+6MHKHdC+xXcGtQlso1IwUDATBgNVHSUEDDAKBggrBgEFBQcDBDAUBgNVHSAEDTAL
+MAkGB2eBDAEFAQEwIwYDVR0fBBwwGjAYoBagFIYSbGRhcDovL2V4YW1wbGUuY29t
+MAoGCCqGSM49BAMCA0cAMEQCIDePvGG4CdO7bsC2ripkHo4CYNwoSnSIvfupb+Ko
+PaG0AiBO2xIFebMJF5tms6PWa0VSf9+bWJM2Exxz+3iVTn/uVg==
+-----END CERTIFICATE-----

v3/testdata/smime/subscriber_with_http_crl_distribution_point.pem

@@ -0,0 +1,44 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 3 (0x3)
+        Signature Algorithm: ecdsa-with-SHA256
+        Issuer: 
+        Validity
+            Not Before: Dec 13 22:18:21 2023 GMT
+            Not After : Nov 30 00:00:00 9998 GMT
+        Subject: 
+        Subject Public Key Info:
+            Public Key Algorithm: id-ecPublicKey
+                Public-Key: (256 bit)
+                pub:
+                    04:c8:dc:df:60:b9:e2:c3:90:c7:c6:03:32:04:e1:
+                    4a:de:08:08:24:4c:0c:97:ed:3a:31:0f:7b:ed:47:
+                    a0:a9:af:df:04:9d:eb:7c:df:64:87:ab:2d:f2:60:
+                    42:2d:65:3e:18:4d:cb:12:2e:fb:74:ef:7f:3b:ae:
+                    0a:e3:f3:56:d3
+                ASN1 OID: prime256v1
+                NIST CURVE: P-256
+        X509v3 extensions:
+            X509v3 Extended Key Usage: 
+                E-mail Protection
+            X509v3 Certificate Policies: 
+                Policy: 2.23.140.1.5.1.3
+            X509v3 CRL Distribution Points: 
+                Full Name:
+                  URI:http://example.com
+    Signature Algorithm: ecdsa-with-SHA256
+    Signature Value:
+        30:45:02:20:0c:0b:81:2d:9c:12:c2:86:59:1a:cd:1f:46:3c:
+        b4:22:a0:91:0c:33:3f:ad:f4:4d:a7:64:34:d8:37:ab:53:eb:
+        02:21:00:c7:d4:f1:98:29:55:db:fe:3e:21:1e:0e:db:58:57:
+        c1:04:20:2f:d8:6f:53:74:05:ce:ec:f0:c4:63:0e:4d:09
+-----BEGIN CERTIFICATE-----
+MIIBQjCB6aADAgECAgEDMAoGCCqGSM49BAMCMAAwIBcNMjMxMjEzMjIxODIxWhgP
+OTk5ODExMzAwMDAwMDBaMAAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATI3N9g
+ueLDkMfGAzIE4UreCAgkTAyX7ToxD3vtR6Cpr98Enet832SHqy3yYEItZT4YTcsS
+Lvt07387rgrj81bTo1IwUDATBgNVHSUEDDAKBggrBgEFBQcDBDAUBgNVHSAEDTAL
+MAkGB2eBDAEFAQMwIwYDVR0fBBwwGjAYoBagFIYSaHR0cDovL2V4YW1wbGUuY29t
+MAoGCCqGSM49BAMCA0gAMEUCIAwLgS2cEsKGWRrNH0Y8tCKgkQwzP630TadkNNg3
+q1PrAiEAx9TxmClV2/4+IR4O21hXwQQgL9hvU3QFzuzwxGMOTQk=
+-----END CERTIFICATE-----

v3/testdata/smime/subscriber_with_non_http_crl_distribution_point.pem

@@ -0,0 +1,44 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 3 (0x3)
+        Signature Algorithm: ecdsa-with-SHA256
+        Issuer: 
+        Validity
+            Not Before: Dec 13 22:06:27 2023 GMT
+            Not After : Nov 30 00:00:00 9998 GMT
+        Subject: 
+        Subject Public Key Info:
+            Public Key Algorithm: id-ecPublicKey
+                Public-Key: (256 bit)
+                pub:
+                    04:55:ab:f1:eb:ba:b6:de:14:c5:9f:02:33:86:2d:
+                    85:61:4a:b1:21:cf:3f:7e:95:37:fc:98:8d:21:a5:
+                    a5:26:df:51:f4:97:9d:ec:b5:d0:c4:2b:41:66:52:
+                    e0:a6:c4:a6:3f:0a:f3:fd:90:6a:2e:0a:b9:33:27:
+                    c2:56:df:ae:19
+                ASN1 OID: prime256v1
+                NIST CURVE: P-256
+        X509v3 extensions:
+            X509v3 Extended Key Usage: 
+                E-mail Protection
+            X509v3 Certificate Policies: 
+                Policy: 2.23.140.1.5.1.3
+            X509v3 CRL Distribution Points: 
+                Full Name:
+                  URI:ldap://example.com
+    Signature Algorithm: ecdsa-with-SHA256
+    Signature Value:
+        30:45:02:20:05:60:ca:c3:8c:12:a6:58:6f:d3:7f:e9:82:cc:
+        38:ec:1e:dc:51:88:a1:45:f2:37:64:47:d4:96:1f:9c:1e:ef:
+        02:21:00:93:d1:b3:6a:b5:32:69:e0:14:be:8f:70:d9:1c:54:
+        7d:1a:cd:7f:5a:a5:d2:30:ad:a2:9c:fa:37:66:8a:31:61
+-----BEGIN CERTIFICATE-----
+MIIBQjCB6aADAgECAgEDMAoGCCqGSM49BAMCMAAwIBcNMjMxMjEzMjIwNjI3WhgP
+OTk5ODExMzAwMDAwMDBaMAAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARVq/Hr
+urbeFMWfAjOGLYVhSrEhzz9+lTf8mI0hpaUm31H0l53stdDEK0FmUuCmxKY/CvP9
+kGouCrkzJ8JW364Zo1IwUDATBgNVHSUEDDAKBggrBgEFBQcDBDAUBgNVHSAEDTAL
+MAkGB2eBDAEFAQMwIwYDVR0fBBwwGjAYoBagFIYSbGRhcDovL2V4YW1wbGUuY29t
+MAoGCCqGSM49BAMCA0gAMEUCIAVgysOMEqZYb9N/6YLMOOwe3FGIoUXyN2RH1JYf
+nB7vAiEAk9GzarUyaeAUvo9w2RxUfRrNf1ql0jCtopz6N2aKMWE=
+-----END CERTIFICATE-----