Add lint for checking that a CRL contains the CRL Number extension #834
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Added //nolint:all to comment block to avoid golangci-lint to complain about duplicate words in comment
Fixed import block
Fine to me. Co-authored-by: Christopher Henderson <chris@chenderson.org>
As per Chris Henderson's suggestion, to "improve readability".
As per Chris Henderson's suggestion.
Added CABFEV_Sec9_2_8_Date
Add OID for CRL Number
christopher-henderson
approved these changes
Apr 21, 2024
| @@ -0,0 +1,12 @@ | |||
| -----BEGIN X509 CRL----- | |||
There was a problem hiding this comment.
Just to keep consistent with the rest of our test certs which print the human readable version.
Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = EU, O = Some CA, CN = Fake CA for zlint testing
Last Update: Apr 18 07:20:34 2024 GMT
Next Update: Apr 19 07:20:34 2024 GMT
CRL extensions:
X509v3 Authority Key Identifier:
01:02:03:04:05
No Revoked Certificates.
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
8b:46:da:b3:8b:ec:a9:e5:28:23:a7:13:06:61:d4:35:0c:19:
bd:51:f4:c1:9a:99:0b:1e:63:3f:97:2e:e3:fa:30:e0:15:95:
99:e8:ff:ad:49:8d:e6:b8:b8:a4:16:48:f7:53:5f:a8:c4:ec:
14:d6:eb:b0:85:16:59:c5:2d:02:ee:ec:f3:83:77:aa:52:be:
a4:68:86:fc:38:2e:b2:39:cb:ff:85:78:8a:a4:c0:63:71:40:
ac:b1:61:47:4b:7c:2f:32:6e:8b:8a:81:01:78:4b:49:77:d6:
80:1e:5b:ad:5f:43:84:15:87:66:cd:53:8c:bb:11:d8:0e:0e:
6c:27:b0:88:e1:68:23:92:56:1d:b9:0a:71:06:e1:5f:d7:75:
b6:50:85:08:e5:fd:2f:c2:e8:49:9d:da:d1:47:8f:24:5d:c4:
09:3e:74:47:49:84:02:55:e2:9e:8f:14:65:e5:6a:9c:84:8d:
bf:a5:4d:24:f2:fd:3b:9b:e2:1a:d5:10:98:90:b1:58:0b:5d:
2b:19:45:90:41:ae:d4:68:c3:af:12:4b:00:b2:13:32:c3:e8:
e6:6d:7e:35:65:e1:6d:d3:92:2a:3b:76:e7:53:10:7b:e5:2d:
29:a8:5c:1e:d2:15:52:11:67:bf:4a:0a:1a:f2:c8:fa:2b:ae:
38:a3:44:d0
-----BEGIN X509 CRL-----
MIIBojCBiwIBATANBgkqhkiG9w0BAQsFADBDMQswCQYDVQQGEwJFVTEQMA4GA1UE
ChMHU29tZSBDQTEiMCAGA1UEAxMZRmFrZSBDQSBmb3IgemxpbnQgdGVzdGluZxcN
MjQwNDE4MDcyMDM0WhcNMjQwNDE5MDcyMDM0WqAUMBIwEAYDVR0jBAkwB4AFAQID
BAUwDQYJKoZIhvcNAQELBQADggEBAItG2rOL7KnlKCOnEwZh1DUMGb1R9MGamQse
Yz+XLuP6MOAVlZno/61Jjea4uKQWSPdTX6jE7BTW67CFFlnFLQLu7PODd6pSvqRo
hvw4LrI5y/+FeIqkwGNxQKyxYUdLfC8ybouKgQF4S0l31oAeW61fQ4QVh2bNU4y7
EdgODmwnsIjhaCOSVh25CnEG4V/XdbZQhQjl/S/C6Emd2tFHjyRdxAk+dEdJhAJV
4p6PFGXlapyEjb+lTSTy/Tub4hrVEJiQsVgLXSsZRZBBrtRow68SSwCyEzLD6OZt
fjVl4W3Tkio7dudTEHvlLSmoXB7SFVIRZ79KChryyPorrjijRNA=
-----END X509 CRL-----
For reference, I got this via OpenSSL.
openssl crl -text <<EOF
-----BEGIN X509 CRL-----
MIIBojCBiwIBATANBgkqhkiG9w0BAQsFADBDMQswCQYDVQQGEwJFVTEQMA4GA1UE
ChMHU29tZSBDQTEiMCAGA1UEAxMZRmFrZSBDQSBmb3IgemxpbnQgdGVzdGluZxcN
MjQwNDE4MDcyMDM0WhcNMjQwNDE5MDcyMDM0WqAUMBIwEAYDVR0jBAkwB4AFAQID
BAUwDQYJKoZIhvcNAQELBQADggEBAItG2rOL7KnlKCOnEwZh1DUMGb1R9MGamQse
Yz+XLuP6MOAVlZno/61Jjea4uKQWSPdTX6jE7BTW67CFFlnFLQLu7PODd6pSvqRo
hvw4LrI5y/+FeIqkwGNxQKyxYUdLfC8ybouKgQF4S0l31oAeW61fQ4QVh2bNU4y7
EdgODmwnsIjhaCOSVh25CnEG4V/XdbZQhQjl/S/C6Emd2tFHjyRdxAk+dEdJhAJV
4p6PFGXlapyEjb+lTSTy/Tub4hrVEJiQsVgLXSsZRZBBrtRow68SSwCyEzLD6OZt
fjVl4W3Tkio7dudTEHvlLSmoXB7SFVIRZ79KChryyPorrjijRNA=
-----END X509 CRL-----
EOF
| @@ -0,0 +1,13 @@ | |||
| -----BEGIN X509 CRL----- | |||
There was a problem hiding this comment.
Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = EU, O = Some CA, CN = Fake CA for zlint testing
Last Update: Apr 18 07:19:09 2024 GMT
Next Update: Apr 19 07:19:09 2024 GMT
CRL extensions:
X509v3 Authority Key Identifier:
01:02:03:04:05
X509v3 CRL Number:
4660
No Revoked Certificates.
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
4a:78:7b:5c:73:8b:61:9c:42:ec:e8:48:90:0a:6f:c1:bc:39:
9b:cf:a9:38:17:48:c1:11:5f:ef:31:b4:a8:9a:9d:3e:96:b3:
3c:98:90:e9:ca:8b:3f:71:4f:94:83:c1:16:81:2d:bf:ef:cf:
6e:8e:6f:9a:1c:f1:09:f3:80:3a:eb:f9:66:83:be:ff:88:96:
45:c1:3b:60:39:44:52:05:b3:26:68:47:85:2e:96:72:d5:92:
51:6c:63:a0:9f:67:35:4b:11:dc:77:b9:b8:1d:bd:41:7d:37:
b5:c8:21:5a:9e:3c:17:e9:a0:7b:45:60:d7:14:a9:69:67:be:
d5:1a:f2:d3:a9:7d:fa:31:b1:16:6a:28:9f:31:d9:ab:1f:ec:
10:db:69:e3:0e:2f:4f:4f:4a:8c:49:c3:6f:da:f6:78:b3:87:
fd:b6:34:0b:c5:69:eb:fa:6a:9e:79:98:54:e3:06:b4:ba:ff:
7c:49:6c:e8:4b:3c:7e:d2:07:4b:b0:f7:98:cb:0e:de:b6:16:
28:9c:fb:bd:90:db:0c:e8:31:01:67:a8:b5:42:3c:e2:95:1f:
1a:21:82:99:dc:93:81:e0:f6:3b:31:c3:23:23:d8:89:20:9a:
7b:d6:1a:17:01:9b:22:15:b8:4a:7b:27:6a:f9:5a:69:07:3c:
5f:06:ab:8d
-----BEGIN X509 CRL-----
MIIBrzCBmAIBATANBgkqhkiG9w0BAQsFADBDMQswCQYDVQQGEwJFVTEQMA4GA1UE
ChMHU29tZSBDQTEiMCAGA1UEAxMZRmFrZSBDQSBmb3IgemxpbnQgdGVzdGluZxcN
MjQwNDE4MDcxOTA5WhcNMjQwNDE5MDcxOTA5WqAhMB8wEAYDVR0jBAkwB4AFAQID
BAUwCwYDVR0UBAQCAhI0MA0GCSqGSIb3DQEBCwUAA4IBAQBKeHtcc4thnELs6EiQ
Cm/BvDmbz6k4F0jBEV/vMbSomp0+lrM8mJDpyos/cU+Ug8EWgS2/789ujm+aHPEJ
84A66/lmg77/iJZFwTtgOURSBbMmaEeFLpZy1ZJRbGOgn2c1SxHcd7m4Hb1BfTe1
yCFanjwX6aB7RWDXFKlpZ77VGvLTqX36MbEWaiifMdmrH+wQ22njDi9PT0qMScNv
2vZ4s4f9tjQLxWnr+mqeeZhU4wa0uv98SWzoSzx+0gdLsPeYyw7ethYonPu9kNsM
6DEBZ6i1QjzilR8aIYKZ3JOB4PY7McMjI9iJIJp71hoXAZsiFbhKeydq+VppBzxf
BquN
-----END X509 CRL-----
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Add lint for checking that CRLs contain the CRL Number extension, which is mandatory per RFC5280 §5.2.3.