Add lint for checking that a CRL contains the CRL Number extension #834

Merged
merged 36 commits into from
Apr 28, 2024
0d4a7d5
Add files via upload
defacto64 Mar 8, 2024
9ae1760
Add files via upload
defacto64 Mar 8, 2024
c66f6f6
Add files via upload
defacto64 Mar 8, 2024
3bd2334
Add files via upload
defacto64 Mar 8, 2024
95e89c8
Update lint_invalid_subject_rdn_order_test.go
defacto64 Mar 9, 2024
7230486
Update lint_invalid_subject_rdn_order.go
defacto64 Mar 9, 2024
983a0df
Merge branch 'master' into master
christopher-henderson Mar 9, 2024
36682ed
Update v3/lints/cabf_br/lint_invalid_subject_rdn_order.go
defacto64 Mar 10, 2024
fc81ece
Update lint_invalid_subject_rdn_order.go
defacto64 Mar 10, 2024
9e54f08
Update lint_invalid_subject_rdn_order_test.go
defacto64 Mar 10, 2024
e61235c
Merge branch 'master' into master
defacto64 Mar 10, 2024
8ca486a
Update time.go
defacto64 Mar 30, 2024
1df8c9b
Add files via upload
defacto64 Mar 30, 2024
ae29a40
Add files via upload
defacto64 Mar 30, 2024
9f657b2
Merge branch 'zmap:master' into master
defacto64 Mar 30, 2024
faa938d
Revised according to Chris and Corey suggestions
defacto64 Apr 7, 2024
d2aa5b1
Add files via upload
defacto64 Apr 8, 2024
b827d18
Add files via upload
defacto64 Apr 8, 2024
89e0ed1
Merge branch 'zmap:master' into master
defacto64 Apr 8, 2024
e2f2f0e
Delete v3/lints/cabf_br/lint_e_invalid_cps_uri.go
defacto64 Apr 8, 2024
126e1ac
Delete v3/lints/cabf_br/lint_e_invalid_cps_uri_test.go
defacto64 Apr 8, 2024
a7fbe52
Delete v3/testdata/invalid_cps_uri_ko_01.pem
defacto64 Apr 8, 2024
b289660
Delete v3/testdata/invalid_cps_uri_ko_02.pem
defacto64 Apr 8, 2024
b5af6be
Delete v3/testdata/invalid_cps_uri_ko_03.pem
defacto64 Apr 8, 2024
d9fea03
Delete v3/testdata/invalid_cps_uri_ok_01.pem
defacto64 Apr 8, 2024
a324160
Delete v3/testdata/invalid_cps_uri_ok_02.pem
defacto64 Apr 8, 2024
9ef6f60
Delete v3/testdata/invalid_cps_uri_ok_03.pem
defacto64 Apr 8, 2024
949d3ca
Merge branch 'master' into master
christopher-henderson Apr 14, 2024
c827e99
Merge branch 'zmap:master' into master
defacto64 Apr 18, 2024
e0e1bdf
Add files via upload
defacto64 Apr 18, 2024
86ef81d
Add files via upload
defacto64 Apr 18, 2024
2c70763
Add files via upload
defacto64 Apr 18, 2024
782ea66
Add files via upload
defacto64 Apr 18, 2024
14203a3
Update oid.go
defacto64 Apr 18, 2024
9366be3
Merge branch 'master' into e_crl_missing_crl_number
christopher-henderson Apr 28, 2024
281aeba
Update v3/util/oid.go
christopher-henderson Apr 28, 2024
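--- a/v3/lints/rfc/lint_crl_missing_crl_number.go
+++ b/v3/lints/rfc/lint_crl_missing_crl_number.go
@@ -0,0 +1,62 @@
+/*
+* ZLint Copyright 2024 Regents of the University of Michigan
+*
+* Licensed under the Apache License, Version 2.0 (the "License"); you may not
+* use this file except in compliance with the License. You may obtain a copy
+* of the License at http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+* implied. See the License for the specific language governing
+* permissions and limitations under the License.
+*/
+
+/*
+* Contributed by Adriano Santoni <adriano.santoni@staff.aruba.it>
+* of ACTALIS S.p.A. (www.actalis.com).
+*/
+
+package rfc
+
+import (
+"github.com/zmap/zcrypto/x509"
+"github.com/zmap/zlint/v3/lint"
+"github.com/zmap/zlint/v3/util"
+)
+
+func init() {
+lint.RegisterRevocationListLint(&lint.RevocationListLint{
+LintMetadata: lint.LintMetadata{
+Name: "e_crl_missing_crl_number",
+Description: "CRL issuers conforming to this profile MUST include this extension in all CRLs",
+Citation: "RFC5280 §5.2.3",
+Source: lint.RFC5280,
+EffectiveDate: util.RFC5280Date,
+},
+Lint: NewMissingCRLNumber,
+})
+}
+
+type missingCRLNumber struct{}
+
+func NewMissingCRLNumber() lint.RevocationListLintInterface {
+return &missingCRLNumber{}
+}
+
+func (l *missingCRLNumber) CheckApplies(c *x509.RevocationList) bool {
+return true
+}
+
+func (l *missingCRLNumber) Execute(c *x509.RevocationList) *lint.LintResult {
+for _, e := range c.Extensions {
+if e.Id.Equal(util.CRLNumberOID) {
+return &lint.LintResult{Status: lint.Pass}
+}
+}
+
+return &lint.LintResult{
+Status: lint.Error,
+Details: "This CRL lacks the mandatory CRL Number extension",
+}
+}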
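Review bot: Execute only tests that some extension with the CRL Number OID is present, so a CRL whose CRL Number is present but malformed or non-conforming still gets Pass; that scope should be stated on the method so nobody reads a Pass as a value check. A comment above Execute such as `// Execute reports an error when no extension with the CRL Number OID is present. It does not validate the extension's value or criticality (RFC 5280 §5.2.3 also bounds the number to a non-negative INTEGER of at most 20 octets); those checks are out of scope here.` makes that explicit. The exported NewMissingCRLNumber and the missingCRLNumber type also lack doc comments; `// NewMissingCRLNumber returns the lint that checks a CRL for the mandatory CRL Number extension (RFC 5280 §5.2.3).` covers the exported name.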
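--- a/v3/lints/rfc/lint_crl_missing_crl_number_test.go
+++ b/v3/lints/rfc/lint_crl_missing_crl_number_test.go
@@ -0,0 +1,40 @@
+/*
+* ZLint Copyright 2024 Regents of the University of Michigan
+*
+* Licensed under the Apache License, Version 2.0 (the "License"); you may not
+* use this file except in compliance with the License. You may obtain a copy
+* of the License at http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+* implied. See the License for the specific language governing
+* permissions and limitations under the License.
+*/
+
+package rfc
+
+import (
+"testing"
+
+"github.com/zmap/zlint/v3/lint"
+"github.com/zmap/zlint/v3/test"
+)
+
+func TestMissingCRLNumberOK(t *testing.T) {
+inputPath := "crl_missing_crl_number_ok.pem"
+expected := lint.Pass
+out := test.TestRevocationListLint(t, "e_crl_missing_crl_number", inputPath)
+if out.Status != expected {
+t.Errorf("%s: expected %s, got %s", inputPath, expected, out.Status)
+}
+}
+
+func TestMissingCRLNumberKO(t *testing.T) {
+inputPath := "crl_missing_crl_number_ko.pem"
+expected := lint.Error
+out := test.TestRevocationListLint(t, "e_crl_missing_crl_number", inputPath)
+if out.Status != expected {
+t.Errorf("%s: expected %s, got %s", inputPath, expected, out.Status)
+}
+}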
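Review bot: TestMissingCRLNumberOK and TestMissingCRLNumberKO have the same body with only the fixture and expected status swapped; a single table-driven test keeps the two cases side by side and makes adding a third fixture (for example a CRL with a malformed CRL Number, should the lint ever grow to check the value) a one-line change. The t.Errorf reporting is kept so a failing case still names the fixture and both statuses, and t.Run gives each fixture its own subtest name in the output.
```go
func TestMissingCRLNumber(t *testing.T) {
	cases := []struct {
		inputPath string
		expected  lint.LintStatus
	}{
		{"crl_missing_crl_number_ok.pem", lint.Pass},
		{"crl_missing_crl_number_ko.pem", lint.Error},
	}
	for _, tc := range cases {
		t.Run(tc.inputPath, func(t *testing.T) {
			out := test.TestRevocationListLint(t, "e_crl_missing_crl_number", tc.inputPath)
			if out.Status != tc.expected {
				t.Errorf("%s: expected %s, got %s", tc.inputPath, tc.expected, out.Status)
			}
		})
	}
}
```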
12 changes: 12 additions & 0 deletions v3/testdata/crl_missing_crl_number_ko.pem
@@ -0,0 +1,12 @@
-----BEGIN X509 CRL-----


Just to keep consistent with the rest of our test certs which print the human readable version.

Certificate Revocation List (CRL):
        Version 2 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = EU, O = Some CA, CN = Fake CA for zlint testing
        Last Update: Apr 18 07:20:34 2024 GMT
        Next Update: Apr 19 07:20:34 2024 GMT
        CRL extensions:
            X509v3 Authority Key Identifier: 
                01:02:03:04:05
No Revoked Certificates.
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        8b:46:da:b3:8b:ec:a9:e5:28:23:a7:13:06:61:d4:35:0c:19:
        bd:51:f4:c1:9a:99:0b:1e:63:3f:97:2e:e3:fa:30:e0:15:95:
        99:e8:ff:ad:49:8d:e6:b8:b8:a4:16:48:f7:53:5f:a8:c4:ec:
        14:d6:eb:b0:85:16:59:c5:2d:02:ee:ec:f3:83:77:aa:52:be:
        a4:68:86:fc:38:2e:b2:39:cb:ff:85:78:8a:a4:c0:63:71:40:
        ac:b1:61:47:4b:7c:2f:32:6e:8b:8a:81:01:78:4b:49:77:d6:
        80:1e:5b:ad:5f:43:84:15:87:66:cd:53:8c:bb:11:d8:0e:0e:
        6c:27:b0:88:e1:68:23:92:56:1d:b9:0a:71:06:e1:5f:d7:75:
        b6:50:85:08:e5:fd:2f:c2:e8:49:9d:da:d1:47:8f:24:5d:c4:
        09:3e:74:47:49:84:02:55:e2:9e:8f:14:65:e5:6a:9c:84:8d:
        bf:a5:4d:24:f2:fd:3b:9b:e2:1a:d5:10:98:90:b1:58:0b:5d:
        2b:19:45:90:41:ae:d4:68:c3:af:12:4b:00:b2:13:32:c3:e8:
        e6:6d:7e:35:65:e1:6d:d3:92:2a:3b:76:e7:53:10:7b:e5:2d:
        29:a8:5c:1e:d2:15:52:11:67:bf:4a:0a:1a:f2:c8:fa:2b:ae:
        38:a3:44:d0
-----BEGIN X509 CRL-----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-----END X509 CRL-----

For reference, I got this via OpenSSL.

openssl crl -text <<EOF
-----BEGIN X509 CRL-----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-----END X509 CRL-----
EOF
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-----END X509 CRL-----

13 changes: 13 additions & 0 deletions v3/testdata/crl_missing_crl_number_ok.pem
@@ -0,0 +1,13 @@
-----BEGIN X509 CRL-----


Certificate Revocation List (CRL):
        Version 2 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = EU, O = Some CA, CN = Fake CA for zlint testing
        Last Update: Apr 18 07:19:09 2024 GMT
        Next Update: Apr 19 07:19:09 2024 GMT
        CRL extensions:
            X509v3 Authority Key Identifier: 
                01:02:03:04:05
            X509v3 CRL Number: 
                4660
No Revoked Certificates.
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        4a:78:7b:5c:73:8b:61:9c:42:ec:e8:48:90:0a:6f:c1:bc:39:
        9b:cf:a9:38:17:48:c1:11:5f:ef:31:b4:a8:9a:9d:3e:96:b3:
        3c:98:90:e9:ca:8b:3f:71:4f:94:83:c1:16:81:2d:bf:ef:cf:
        6e:8e:6f:9a:1c:f1:09:f3:80:3a:eb:f9:66:83:be:ff:88:96:
        45:c1:3b:60:39:44:52:05:b3:26:68:47:85:2e:96:72:d5:92:
        51:6c:63:a0:9f:67:35:4b:11:dc:77:b9:b8:1d:bd:41:7d:37:
        b5:c8:21:5a:9e:3c:17:e9:a0:7b:45:60:d7:14:a9:69:67:be:
        d5:1a:f2:d3:a9:7d:fa:31:b1:16:6a:28:9f:31:d9:ab:1f:ec:
        10:db:69:e3:0e:2f:4f:4f:4a:8c:49:c3:6f:da:f6:78:b3:87:
        fd:b6:34:0b:c5:69:eb:fa:6a:9e:79:98:54:e3:06:b4:ba:ff:
        7c:49:6c:e8:4b:3c:7e:d2:07:4b:b0:f7:98:cb:0e:de:b6:16:
        28:9c:fb:bd:90:db:0c:e8:31:01:67:a8:b5:42:3c:e2:95:1f:
        1a:21:82:99:dc:93:81:e0:f6:3b:31:c3:23:23:d8:89:20:9a:
        7b:d6:1a:17:01:9b:22:15:b8:4a:7b:27:6a:f9:5a:69:07:3c:
        5f:06:ab:8d
-----BEGIN X509 CRL-----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-----END X509 CRL-----
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-----END X509 CRL-----

1 change: 1 addition & 0 deletions v3/util/oid.go
Expand Up @@ -53,6 +53,7 @@ var (
SubjectInfoAccessOID = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 11} // Subject Info Access Syntax
SubjectKeyIdentityOID = asn1.ObjectIdentifier{2, 5, 29, 14} // Subject Key Identifier
ReasonCodeOID = asn1.ObjectIdentifier{2, 5, 29, 21} // CRL Reason Code
CRLNumberOID = asn1.ObjectIdentifier{2, 5, 29, 20} // CRL Number
// Extended Key Usage OIDs
PreCertificateSigningCertificateEKU = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 11129, 2, 4, 4}
// CA/B Reserved Certificate Policy Identifiers
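Review bot: CRLNumberOID (2.5.29.20) is inserted after ReasonCodeOID (2.5.29.21), which appears to break the ascending OID order the neighbouring entries follow (2.5.29.14, then 2.5.29.21); moving it to the line before ReasonCodeOID keeps the block sorted, i.e. `CRLNumberOID = asn1.ObjectIdentifier{2, 5, 29, 20} // CRL Number` followed by the existing `ReasonCodeOID = asn1.ObjectIdentifier{2, 5, 29, 21} // CRL Reason Code`. The value itself matches id-ce-cRLNumber. The enclosing `var (` block starts and ends outside this hunk, so the ordering of the rest of it cannot be confirmed from here.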