Aia ca issuers must have http only

v3/lints/cabf_br/lint_aia_ca_issuers_must_have_http_only.go

@@ -0,0 +1,78 @@
+package cabf_br
+
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+import (
+	"fmt"
+	"net/url"
+
+	"github.com/zmap/zcrypto/x509"
+	"github.com/zmap/zlint/v3/lint"
+	"github.com/zmap/zlint/v3/util"
+)
+
+type bRAIACAIssuersHasHTTPOnly struct{}
+
+/************************************************************************
+7.1.2.7.7 Subscriber Certificate Authority Information Access
+The AuthorityInfoAccessSyntax MUST contain one or more AccessDescriptions. Each
+AccessDescription MUST only contain a permitted accessMethod, as detailed below, and
+each accessLocation MUST be encoded as the specified GeneralName type.
+The AuthorityInfoAccessSyntax MAY contain multiple AccessDescriptions with the
+same accessMethod, if permitted for that accessMethod. When multiple
+AccessDescriptions are present with the same accessMethod, each accessLocation
+MUST be unique, and each AccessDescription MUST be ordered in priority for that
+accessMethod, with the most‐preferred accessLocation being the first
+AccessDescription. No ordering requirements are given for AccessDescriptions that
+contain different accessMethods, provided that previous requirement is satisfied.
+
+id-ad-caIssuers
+1.3.6.1.5.5.7.48.2 uniformResourceIdentifier SHOULD  A HTTP URL of the
+Issuing CA’s certificate
+*************************************************************************/
+
+func init() {
+	lint.RegisterCertificateLint(&lint.CertificateLint{
+		LintMetadata: lint.LintMetadata{
+			Name:          "e_aia_ca_issuers_must_have_http_only",
+			Description:   "The id-ad-caIssuers accessMethod must contain an HTTP URL of the Issuing CA’s certificate. Other schemes are not allowed.",
+			Citation:      "BRs: 7.1.2.7.7",
+			Source:        lint.CABFBaselineRequirements,
+			EffectiveDate: util.SC62EffectiveDate,
+		},
+		Lint: NewBRAIACAIssuersHasHTTPOnly,
+	})
+}
+
+func NewBRAIACAIssuersHasHTTPOnly() lint.LintInterface {
+	return &bRAIACAIssuersHasHTTPOnly{}
+}
+
+func (l *bRAIACAIssuersHasHTTPOnly) CheckApplies(c *x509.Certificate) bool {
+	return len(c.IssuingCertificateURL) > 0 && util.IsSubscriberCert(c)
+}
+
+func (l *bRAIACAIssuersHasHTTPOnly) Execute(c *x509.Certificate) *lint.LintResult {
+	for _, u := range c.IssuingCertificateURL {
+		purl, err := url.Parse(u)
+		if err != nil {
+			return &lint.LintResult{Status: lint.Error, Details: "Could not parse caIssuers in AIA."}
+		}
+		if purl.Scheme != "http" {
+			return &lint.LintResult{Status: lint.Error, Details: fmt.Sprintf("Found scheme %s in caIssuers of AIA, which is not allowed.", purl.Scheme)}
+		}
+	}
+	return &lint.LintResult{Status: lint.Pass}
+}

v3/lints/cabf_br/lint_aia_ca_issuers_must_have_http_only_test.go

@@ -0,0 +1,92 @@
+package cabf_br
+
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+import (
+	"testing"
+
+	"github.com/zmap/zlint/v3/lint"
+	"github.com/zmap/zlint/v3/test"
+)
+
+func TestBRAIACAIssuersHasHTTPOnly(t *testing.T) {
+	testCases := []struct {
+		Name          string
+		InputFilename string
+
+		ExpectedResult  lint.LintStatus
+		ExpectedDetails string
+	}{
+		{
+			Name:          "error - AIA has an FTP URI for id-ad-caIssuers accessMethod.",
+			InputFilename: "aiaCaIssuersFTPOnly.pem",
+
+			ExpectedResult:  lint.Error,
+			ExpectedDetails: "Found scheme ftp in caIssuers of AIA, which is not allowed.",
+		},
+		{
+			Name:          "error - AIA has an HTTP and an LDAP URI for id-ad-caIssuers accessMethod.",
+			InputFilename: "aiaCaIssuersHTTPAndLDAP.pem",
+
+			ExpectedResult:  lint.Error,
+			ExpectedDetails: "Found scheme ldap in caIssuers of AIA, which is not allowed.",
+		},
+		{
+			Name:          "pass - AIA has only one HTTP URI for id-ad-caIssuers accessMethod.",
+			InputFilename: "aiaCaIssuersHTTPOnly.pem",
+
+			ExpectedResult: lint.Pass,
+		},
+		{
+			Name:          "error - AIA has only one HTTPS URI for id-ad-caIssuers accessMethod.",
+			InputFilename: "aiaCaIssuersHttpsOnly.pem",
+
+			ExpectedResult:  lint.Error,
+			ExpectedDetails: "Found scheme https in caIssuers of AIA, which is not allowed.",
+		},
+		{
+			Name:          "NE - AIA has only one HTTP URI for id-ad-caIssuers accessMethod and it is issued before September 15th 2023.",
+			InputFilename: "aiaCaIssuersHttpOnlyNE.pem",
+
+			ExpectedResult: lint.NE,
+		},
+		{
+			Name:          "NA - AIA has only an id-ad-ocsp accessMethod.",
+			InputFilename: "aiaCaIssuersHttpOnlyNoCAIssuers.pem",
+
+			ExpectedResult: lint.NA,
+		},
+		{
+			Name:          "error - AIA has an LDAP URI for id-ad-caIssuers accessMethod.",
+			InputFilename: "aiaCaIssuersLDAPOnly.pem",
+
+			ExpectedResult:  lint.Error,
+			ExpectedDetails: "Found scheme ldap in caIssuers of AIA, which is not allowed.",
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.Name, func(t *testing.T) {
+			result := test.TestLint("e_aia_ca_issuers_must_have_http_only", tc.InputFilename)
+			if result.Status != tc.ExpectedResult {
+				t.Errorf("expected result %v was %v", tc.ExpectedResult, result.Status)
+			}
+
+			if tc.ExpectedResult == lint.Error && tc.ExpectedDetails != result.Details {
+				t.Errorf("expected details: %q, was %q", tc.ExpectedDetails, result.Details)
+			}
+		})
+	}
+}

v3/testdata/aiaCaIssuersFTPOnly.pem

@@ -0,0 +1,44 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            a4:f4:6d:4f:10:ca:7e:ef:f9:e3:c0:85
+        Signature Algorithm: ecdsa-with-SHA256
+        Issuer: CN = Lint CA, O = Lint, C = DE
+        Validity
+            Not Before: Sep 15 00:00:00 2023 GMT
+            Not After : Sep 15 00:00:00 2024 GMT
+        Subject: 
+        Subject Public Key Info:
+            Public Key Algorithm: id-ecPublicKey
+                Public-Key: (256 bit)
+                pub:
+                    04:8f:74:a1:d5:84:f6:c9:04:2a:ef:8d:3a:91:9c:
+                    35:d7:17:7a:ac:99:09:31:97:93:42:41:d2:81:51:
+                    ff:59:82:62:7c:8e:30:b8:ec:52:a5:c3:6e:bf:73:
+                    22:b7:01:22:1b:da:cb:8b:0a:7c:ab:35:ab:6a:b6:
+                    81:8f:0c:33:de
+                ASN1 OID: prime256v1
+                NIST CURVE: P-256
+        X509v3 extensions:
+            X509v3 Certificate Policies: 
+                Policy: 2.23.140.1.2.1
+
+            Authority Information Access: 
+                CA Issuers - URI:ftp://issuers.example.com/
+
+    Signature Algorithm: ecdsa-with-SHA256
+         30:46:02:21:00:a5:9f:fc:9d:ed:7f:10:2d:5f:ea:c2:ee:f9:
+         92:62:56:52:63:fe:f3:12:27:5f:1d:81:e0:01:c3:dc:aa:bd:
+         2e:02:21:00:db:a7:aa:01:00:8d:53:c4:5f:d5:46:b2:42:31:
+         87:03:77:f5:ad:83:49:e2:31:38:58:7d:8e:d9:03:d0:11:34
+-----BEGIN CERTIFICATE-----
+MIIBeTCCAR6gAwIBAgINAKT0bU8Qyn7v+ePAhTAKBggqhkjOPQQDAjAuMRAwDgYD
+VQQDDAdMaW50IENBMQ0wCwYDVQQKDARMaW50MQswCQYDVQQGEwJERTAeFw0yMzA5
+MTUwMDAwMDBaFw0yNDA5MTUwMDAwMDBaMAAwWTATBgcqhkjOPQIBBggqhkjOPQMB
+BwNCAASPdKHVhPbJBCrvjTqRnDXXF3qsmQkxl5NCQdKBUf9ZgmJ8jjC47FKlw26/
+cyK3ASIb2suLCnyrNatqtoGPDDPeo08wTTATBgNVHSAEDDAKMAgGBmeBDAECATA2
+BggrBgEFBQcBAQQqMCgwJgYIKwYBBQUHMAKGGmZ0cDovL2lzc3VlcnMuZXhhbXBs
+ZS5jb20vMAoGCCqGSM49BAMCA0kAMEYCIQCln/yd7X8QLV/qwu75kmJWUmP+8xIn
+Xx2B4AHD3Kq9LgIhANunqgEAjVPEX9VGskIxhwN39a2DSeIxOFh9jtkD0BE0
+-----END CERTIFICATE-----

v3/testdata/aiaCaIssuersHTTPAndLDAP.pem

@@ -0,0 +1,46 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            cf:1d:3e:98:ec:3f:f1:df:cf:85:a6:75
+        Signature Algorithm: ecdsa-with-SHA256
+        Issuer: CN = Lint CA, O = Lint, C = DE
+        Validity
+            Not Before: Sep 15 00:00:00 2023 GMT
+            Not After : Sep 15 00:00:00 2024 GMT
+        Subject: 
+        Subject Public Key Info:
+            Public Key Algorithm: id-ecPublicKey
+                Public-Key: (256 bit)
+                pub:
+                    04:ae:5e:8e:a1:a7:00:e1:75:66:4f:b8:b0:35:70:
+                    2c:cb:6e:fb:83:fc:9c:f8:7b:67:cf:2d:71:e3:2d:
+                    f2:1f:30:ea:ef:63:09:8b:ee:df:f2:ae:54:2d:5f:
+                    9d:47:17:4d:09:2f:6e:bb:d2:5f:0a:f8:83:26:6c:
+                    df:4f:6e:f3:39
+                ASN1 OID: prime256v1
+                NIST CURVE: P-256
+        X509v3 extensions:
+            X509v3 Certificate Policies: 
+                Policy: 2.23.140.1.2.1
+
+            Authority Information Access: 
+                CA Issuers - URI:http://issuers.example.com/ca
+                CA Issuers - URI:ldap://issuers.example.com/
+
+    Signature Algorithm: ecdsa-with-SHA256
+         30:45:02:20:28:e6:e6:7c:c9:b7:6a:af:ba:ae:ab:d3:39:39:
+         48:2d:da:d4:a9:79:b0:e1:51:bf:10:70:6b:2b:90:4e:fd:db:
+         02:21:00:9e:0d:0e:42:a1:19:38:e9:b8:72:e5:c2:25:bc:fd:
+         ef:15:93:65:20:f9:75:3f:41:8f:2b:ad:77:52:70:e7:6d
+-----BEGIN CERTIFICATE-----
+MIIBpDCCAUqgAwIBAgINAM8dPpjsP/Hfz4WmdTAKBggqhkjOPQQDAjAuMRAwDgYD
+VQQDDAdMaW50IENBMQ0wCwYDVQQKDARMaW50MQswCQYDVQQGEwJERTAeFw0yMzA5
+MTUwMDAwMDBaFw0yNDA5MTUwMDAwMDBaMAAwWTATBgcqhkjOPQIBBggqhkjOPQMB
+BwNCAASuXo6hpwDhdWZPuLA1cCzLbvuD/Jz4e2fPLXHjLfIfMOrvYwmL7t/yrlQt
+X51HF00JL2670l8K+IMmbN9PbvM5o3sweTATBgNVHSAEDDAKMAgGBmeBDAECATBi
+BggrBgEFBQcBAQRWMFQwKQYIKwYBBQUHMAKGHWh0dHA6Ly9pc3N1ZXJzLmV4YW1w
+bGUuY29tL2NhMCcGCCsGAQUFBzAChhtsZGFwOi8vaXNzdWVycy5leGFtcGxlLmNv
+bS8wCgYIKoZIzj0EAwIDSAAwRQIgKObmfMm3aq+6rqvTOTlILdrUqXmw4VG/EHBr
+K5BO/dsCIQCeDQ5CoRk46bhy5cIlvP3vFZNlIPl1P0GPK613UnDnbQ==
+-----END CERTIFICATE-----

v3/testdata/aiaCaIssuersHTTPOnly.pem

@@ -0,0 +1,44 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            e6:d6:fc:e0:b2:b6:a4:38:42:83:b0:2c
+        Signature Algorithm: ecdsa-with-SHA256
+        Issuer: CN = Lint CA, O = Lint, C = DE
+        Validity
+            Not Before: Sep 15 00:00:00 2023 GMT
+            Not After : Sep 15 00:00:00 2024 GMT
+        Subject: 
+        Subject Public Key Info:
+            Public Key Algorithm: id-ecPublicKey
+                Public-Key: (256 bit)
+                pub:
+                    04:bf:30:2a:6f:9d:8c:bf:17:ce:e6:b5:6c:a6:2a:
+                    a0:44:c8:22:62:09:d2:0f:b3:48:70:e3:b8:8a:f3:
+                    75:78:4b:4f:b6:ae:31:13:3e:e3:27:3f:2b:7c:89:
+                    61:cb:07:eb:3d:99:30:15:36:e9:2f:ba:92:0b:ef:
+                    ee:07:d2:63:90
+                ASN1 OID: prime256v1
+                NIST CURVE: P-256
+        X509v3 extensions:
+            X509v3 Certificate Policies: 
+                Policy: 2.23.140.1.2.1
+
+            Authority Information Access: 
+                CA Issuers - URI:http://ocsp.example.com/ocsp
+
+    Signature Algorithm: ecdsa-with-SHA256
+         30:45:02:21:00:a0:69:ca:bb:32:bd:b4:49:4a:e1:81:93:25:
+         38:34:34:77:8a:bf:d8:5e:08:af:8a:f6:f3:66:b3:a9:e2:76:
+         fa:02:20:33:35:c3:07:ec:11:92:9a:02:a0:cb:7b:11:a0:84:
+         e6:28:1d:0d:6c:f7:09:d8:76:a5:e1:09:36:e9:48:de:b2
+-----BEGIN CERTIFICATE-----
+MIIBejCCASCgAwIBAgINAObW/OCytqQ4QoOwLDAKBggqhkjOPQQDAjAuMRAwDgYD
+VQQDDAdMaW50IENBMQ0wCwYDVQQKDARMaW50MQswCQYDVQQGEwJERTAeFw0yMzA5
+MTUwMDAwMDBaFw0yNDA5MTUwMDAwMDBaMAAwWTATBgcqhkjOPQIBBggqhkjOPQMB
+BwNCAAS/MCpvnYy/F87mtWymKqBEyCJiCdIPs0hw47iK83V4S0+2rjETPuMnPyt8
+iWHLB+s9mTAVNukvupIL7+4H0mOQo1EwTzATBgNVHSAEDDAKMAgGBmeBDAECATA4
+BggrBgEFBQcBAQQsMCowKAYIKwYBBQUHMAKGHGh0dHA6Ly9vY3NwLmV4YW1wbGUu
+Y29tL29jc3AwCgYIKoZIzj0EAwIDSAAwRQIhAKBpyrsyvbRJSuGBkyU4NDR3ir/Y
+XgivivbzZrOp4nb6AiAzNcMH7BGSmgKgy3sRoITmKB0NbPcJ2Hal4Qk26Ujesg==
+-----END CERTIFICATE-----

v3/testdata/aiaCaIssuersHttpOnlyNE.pem

@@ -0,0 +1,44 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            ba:05:bc:a4:0a:2a:63:34:48:e4:43:32
+        Signature Algorithm: ecdsa-with-SHA256
+        Issuer: CN = Lint CA, O = Lint, C = DE
+        Validity
+            Not Before: Sep 14 23:59:59 2023 GMT
+            Not After : Sep 14 23:59:59 2024 GMT
+        Subject: 
+        Subject Public Key Info:
+            Public Key Algorithm: id-ecPublicKey
+                Public-Key: (256 bit)
+                pub:
+                    04:b5:35:3a:dd:12:97:00:f4:d2:59:df:2f:8b:50:
+                    92:a2:b8:e8:1c:a7:0b:cb:c0:b1:fd:0b:28:af:9c:
+                    aa:a0:84:14:5a:b0:fb:d0:f2:19:ff:46:73:0d:48:
+                    a6:e8:c8:f0:11:f1:df:61:46:f6:e0:26:f9:c4:1a:
+                    d6:e7:82:2e:24
+                ASN1 OID: prime256v1
+                NIST CURVE: P-256
+        X509v3 extensions:
+            X509v3 Certificate Policies: 
+                Policy: 2.23.140.1.2.1
+
+            Authority Information Access: 
+                CA Issuers - URI:http://issuers.example.com/
+
+    Signature Algorithm: ecdsa-with-SHA256
+         30:44:02:20:1e:a4:c4:b3:68:4c:fd:e4:13:c2:c6:35:d0:49:
+         cd:9f:70:22:af:79:02:c5:58:a0:f1:fa:ba:e8:3b:4c:2d:09:
+         02:20:4c:52:61:be:dc:ad:61:f1:98:08:0f:d4:40:0a:9a:b3:
+         ba:80:c6:8d:4d:1d:0b:8e:39:79:a7:b9:b9:9d:c2:c6
+-----BEGIN CERTIFICATE-----
+MIIBeDCCAR+gAwIBAgINALoFvKQKKmM0SORDMjAKBggqhkjOPQQDAjAuMRAwDgYD
+VQQDDAdMaW50IENBMQ0wCwYDVQQKDARMaW50MQswCQYDVQQGEwJERTAeFw0yMzA5
+MTQyMzU5NTlaFw0yNDA5MTQyMzU5NTlaMAAwWTATBgcqhkjOPQIBBggqhkjOPQMB
+BwNCAAS1NTrdEpcA9NJZ3y+LUJKiuOgcpwvLwLH9CyivnKqghBRasPvQ8hn/RnMN
+SKboyPAR8d9hRvbgJvnEGtbngi4ko1AwTjATBgNVHSAEDDAKMAgGBmeBDAECATA3
+BggrBgEFBQcBAQQrMCkwJwYIKwYBBQUHMAKGG2h0dHA6Ly9pc3N1ZXJzLmV4YW1w
+bGUuY29tLzAKBggqhkjOPQQDAgNHADBEAiAepMSzaEz95BPCxjXQSc2fcCKveQLF
+WKDx+rroO0wtCQIgTFJhvtytYfGYCA/UQAqas7qAxo1NHQuOOXmnubmdwsY=
+-----END CERTIFICATE-----

v3/testdata/aiaCaIssuersHttpOnlyNoCAIssuers.pem

@@ -0,0 +1,44 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            af:a9:43:14:a9:7a:a0:5d:2c:45:49:7b
+        Signature Algorithm: ecdsa-with-SHA256
+        Issuer: CN = Lint CA, O = Lint, C = DE
+        Validity
+            Not Before: Sep 15 00:00:00 2023 GMT
+            Not After : Sep 15 00:00:00 2024 GMT
+        Subject: 
+        Subject Public Key Info:
+            Public Key Algorithm: id-ecPublicKey
+                Public-Key: (256 bit)
+                pub:
+                    04:3c:16:95:eb:6d:bc:30:86:2f:16:32:94:43:d3:
+                    fc:44:d9:b9:29:83:d1:7c:e3:58:b4:4b:80:bf:98:
+                    79:e2:51:cc:3f:c0:55:c7:8b:da:d3:0d:a5:da:6e:
+                    42:75:12:aa:56:65:e9:d0:00:dc:f4:94:34:b4:33:
+                    ee:ef:3f:45:70
+                ASN1 OID: prime256v1
+                NIST CURVE: P-256
+        X509v3 extensions:
+            X509v3 Certificate Policies: 
+                Policy: 2.23.140.1.2.1
+
+            Authority Information Access: 
+                OCSP - URI:http://ocsp.example.com/ocsp
+
+    Signature Algorithm: ecdsa-with-SHA256
+         30:45:02:20:70:53:45:99:31:5a:4f:bd:2e:28:59:7e:6b:e5:
+         e0:a7:eb:bc:ef:ac:51:eb:e7:e9:c3:58:65:4b:42:14:a5:85:
+         02:21:00:fd:b4:78:6d:7f:05:6d:04:b4:ba:b9:53:5b:ef:74:
+         ea:4b:8e:75:56:fc:e0:fb:ec:59:fe:1e:7c:c5:43:2c:1c
+-----BEGIN CERTIFICATE-----
+MIIBejCCASCgAwIBAgINAK+pQxSpeqBdLEVJezAKBggqhkjOPQQDAjAuMRAwDgYD
+VQQDDAdMaW50IENBMQ0wCwYDVQQKDARMaW50MQswCQYDVQQGEwJERTAeFw0yMzA5
+MTUwMDAwMDBaFw0yNDA5MTUwMDAwMDBaMAAwWTATBgcqhkjOPQIBBggqhkjOPQMB
+BwNCAAQ8FpXrbbwwhi8WMpRD0/xE2bkpg9F841i0S4C/mHniUcw/wFXHi9rTDaXa
+bkJ1EqpWZenQANz0lDS0M+7vP0Vwo1EwTzATBgNVHSAEDDAKMAgGBmeBDAECATA4
+BggrBgEFBQcBAQQsMCowKAYIKwYBBQUHMAGGHGh0dHA6Ly9vY3NwLmV4YW1wbGUu
+Y29tL29jc3AwCgYIKoZIzj0EAwIDSAAwRQIgcFNFmTFaT70uKFl+a+Xgp+u876xR
+6+fpw1hlS0IUpYUCIQD9tHhtfwVtBLS6uVNb73TqS451Vvzg++xZ/h58xUMsHA==
+-----END CERTIFICATE-----