diff --git a/go.mod b/go.mod
index 20f7bd7ee..00cac72e3 100644
--- a/go.mod
+++ b/go.mod
@@ -15,7 +15,7 @@ require (
 github.com/mattn/go-sqlite3 v1.14.20
 github.com/prometheus/client_golang v1.18.0
 github.com/zmap/zcrypto v0.0.0-20230310154051-c8b263fd8300
- github.com/zmap/zlint/v3 v3.5.0
+ github.com/zmap/zlint/v3 v3.6.0
 golang.org/x/crypto v0.18.0
 )
diff --git a/go.sum b/go.sum
index 520edb4da..553257bf3 100644
--- a/go.sum
+++ b/go.sum
@@ -365,8 +365,8 @@ github.com/zmap/zcrypto v0.0.0-20201211161100-e54a5822fb7e/go.mod h1:aPM7r+JOkfL
 github.com/zmap/zcrypto v0.0.0-20230310154051-c8b263fd8300 h1:DZH5n7L3L8RxKdSyJHZt7WePgwdhHnPhQFdQSJaHF+o=
 github.com/zmap/zcrypto v0.0.0-20230310154051-c8b263fd8300/go.mod h1:mOd4yUMgn2fe2nV9KXsa9AyQBFZGzygVPovsZR+Rl5w=
 github.com/zmap/zlint/v3 v3.0.0/go.mod h1:paGwFySdHIBEMJ61YjoqT4h7Ge+fdYG4sUQhnTb1lJ8=
-github.com/zmap/zlint/v3 v3.5.0 h1:Eh2B5t6VKgVH0DFmTwOqE50POvyDhUaU9T2mJOe1vfQ=
-github.com/zmap/zlint/v3 v3.5.0/go.mod h1:JkNSrsDJ8F4VRtBZcYUQSvnWFL7utcjDIn+FE64mlBI=
+github.com/zmap/zlint/v3 v3.6.0 h1:vTEaDRtYN0d/1Ax60T+ypvbLQUHwHxbvYRnUMVr35ug=
+github.com/zmap/zlint/v3 v3.6.0/go.mod h1:NVgiIWssgzp0bNl8P4Gz94NHV2ep/4Jyj9V69uTmZyg=
 go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU=
 go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8=
 go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
diff --git a/vendor/github.com/zmap/zlint/v3/.goreleaser.yml b/vendor/github.com/zmap/zlint/v3/.goreleaser.yml
index 2b84be004..cdd316399 100644
--- a/vendor/github.com/zmap/zlint/v3/.goreleaser.yml
+++ b/vendor/github.com/zmap/zlint/v3/.goreleaser.yml
@@ -18,11 +18,14 @@ builds:
 archives:
 - wrap_in_directory: true
- replacements:
- darwin: Darwin
- linux: Linux
- windows: Windows
- amd64: x86_64
+ name_template: >-
+ {{- .ProjectName }}_
+ {{- .Version }}_
+ {{- title .Os }}_
+ {{- if eq .Arch "amd64" }}x86_64
+ {{- else if eq .Arch "386" }}i386
+ {{- else }}{{ .Arch }}{{ end }}
+ {{- if .Arm }}v{{ .Arm }}{{ end -}}
 snapshot:
 name_template: "{{ .Tag }}-next"
 release:
diff --git a/vendor/github.com/zmap/zlint/v3/lint/base.go b/vendor/github.com/zmap/zlint/v3/lint/base.go
index 6c6e5f514..9753d9bea 100644
--- a/vendor/github.com/zmap/zlint/v3/lint/base.go
+++ b/vendor/github.com/zmap/zlint/v3/lint/base.go
@@ -221,6 +221,9 @@ func (l *CertificateLint) Execute(cert *x509.Certificate, config Configuration)
 if l.Source == CABFBaselineRequirements && !util.IsServerAuthCert(cert) {
 return &LintResult{Status: NA}
 }
+ if l.Source == CABFSMIMEBaselineRequirements && !((util.IsEmailProtectionCert(cert) && util.HasEmailSAN(cert)) || util.IsSMIMEBRCertificate(cert)) {
+ return &LintResult{Status: NA}
+ }
 lint := l.Lint()
 err := config.MaybeConfigure(lint, l.Name)
 if err != nil {
diff --git a/vendor/github.com/zmap/zlint/v3/lint/result.go b/vendor/github.com/zmap/zlint/v3/lint/result.go
index ca3d6db0e..fe2a89d5c 100644
--- a/vendor/github.com/zmap/zlint/v3/lint/result.go
+++ b/vendor/github.com/zmap/zlint/v3/lint/result.go
@@ -62,8 +62,9 @@ var (
 // LintResult contains a LintStatus, and an optional human-readable description.
 // The output of a lint is a LintResult.
 type LintResult struct {
- Status LintStatus `json:"result"`
- Details string `json:"details,omitempty"`
+ Status LintStatus `json:"result"`
+ Details string `json:"details,omitempty"`
+ LintMetadata LintMetadata `json:"-"`
 }
 // MarshalJSON implements the json.Marshaler interface.
diff --git a/vendor/github.com/zmap/zlint/v3/lint/source.go b/vendor/github.com/zmap/zlint/v3/lint/source.go
index c1808c063..e0b19d941 100644
--- a/vendor/github.com/zmap/zlint/v3/lint/source.go
+++ b/vendor/github.com/zmap/zlint/v3/lint/source.go
@@ -27,18 +27,19 @@ import (
 type LintSource string
 const (
- UnknownLintSource LintSource = "Unknown"
- RFC3279 LintSource = "RFC3279"
- RFC5280 LintSource = "RFC5280"
- RFC5480 LintSource = "RFC5480"
- RFC5891 LintSource = "RFC5891"
- RFC8813 LintSource = "RFC8813"
- CABFBaselineRequirements LintSource = "CABF_BR"
- CABFEVGuidelines LintSource = "CABF_EV"
- MozillaRootStorePolicy LintSource = "Mozilla"
- AppleRootStorePolicy LintSource = "Apple"
- Community LintSource = "Community"
- EtsiEsi LintSource = "ETSI_ESI"
+ UnknownLintSource LintSource = "Unknown"
+ RFC3279 LintSource = "RFC3279"
+ RFC5280 LintSource = "RFC5280"
+ RFC5480 LintSource = "RFC5480"
+ RFC5891 LintSource = "RFC5891"
+ RFC8813 LintSource = "RFC8813"
+ CABFBaselineRequirements LintSource = "CABF_BR"
+ CABFSMIMEBaselineRequirements LintSource = "CABF_SMIME_BR"
+ CABFEVGuidelines LintSource = "CABF_EV"
+ MozillaRootStorePolicy LintSource = "Mozilla"
+ AppleRootStorePolicy LintSource = "Apple"
+ Community LintSource = "Community"
+ EtsiEsi LintSource = "ETSI_ESI"
 )
 // UnmarshalJSON implements the json.Unmarshaler interface. It ensures that the
@@ -50,7 +51,7 @@ func (s *LintSource) UnmarshalJSON(data []byte) error {
 }
 switch LintSource(throwAway) {
- case RFC5280, RFC5480, RFC5891, CABFBaselineRequirements, CABFEVGuidelines, MozillaRootStorePolicy, AppleRootStorePolicy, Community, EtsiEsi:
+ case RFC5280, RFC5480, RFC5891, CABFBaselineRequirements, CABFEVGuidelines, CABFSMIMEBaselineRequirements, MozillaRootStorePolicy, AppleRootStorePolicy, Community, EtsiEsi:
 *s = LintSource(throwAway)
 return nil
 default:
@@ -78,6 +79,8 @@ func (s *LintSource) FromString(src string) {
 *s = CABFBaselineRequirements
 case CABFEVGuidelines:
 *s = CABFEVGuidelines
+ case CABFSMIMEBaselineRequirements:
+ *s = CABFSMIMEBaselineRequirements
 case MozillaRootStorePolicy:
 *s = MozillaRootStorePolicy
 case AppleRootStorePolicy:
diff --git a/vendor/github.com/zmap/zlint/v3/lints/apple/lint_ct_sct_policy_count_unsatisfied.go b/vendor/github.com/zmap/zlint/v3/lints/apple/lint_ct_sct_policy_count_unsatisfied.go
index 0f2eb822b..0849f22bd 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/apple/lint_ct_sct_policy_count_unsatisfied.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/apple/lint_ct_sct_policy_count_unsatisfied.go
@@ -27,13 +27,15 @@ import (
 type sctPolicyCount struct{}
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "w_ct_sct_policy_count_unsatisfied",
- Description: "Check if certificate has enough embedded SCTs to meet Apple CT Policy",
- Citation: "https://support.apple.com/en-us/HT205280",
- Source: lint.AppleRootStorePolicy,
- EffectiveDate: util.AppleCTPolicyDate,
- Lint: NewSctPolicyCount,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "w_ct_sct_policy_count_unsatisfied",
+ Description: "Check if certificate has enough embedded SCTs to meet Apple CT Policy",
+ Citation: "https://support.apple.com/en-us/HT205280",
+ Source: lint.AppleRootStorePolicy,
+ EffectiveDate: util.AppleCTPolicyDate,
+ },
+ Lint: NewSctPolicyCount,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/apple/lint_e_server_cert_valid_time_longer_than_398_days.go b/vendor/github.com/zmap/zlint/v3/lints/apple/lint_e_server_cert_valid_time_longer_than_398_days.go
index b953c1b74..307b6f153 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/apple/lint_e_server_cert_valid_time_longer_than_398_days.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/apple/lint_e_server_cert_valid_time_longer_than_398_days.go
@@ -25,14 +25,16 @@ import (
 type serverCertValidityTooLong struct{}
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_tls_server_cert_valid_time_longer_than_398_days",
- Description: "TLS server certificates issued on or after September 1, 2020 " +
- "00:00 GMT/UTC must not have a validity period greater than 398 days",
- Citation: "https://support.apple.com/en-us/HT211025",
- Source: lint.AppleRootStorePolicy,
- EffectiveDate: util.AppleReducedLifetimeDate,
- Lint: NewServerCertValidityTooLong,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_tls_server_cert_valid_time_longer_than_398_days",
+ Description: "TLS server certificates issued on or after September 1, 2020 " +
+ "00:00 GMT/UTC must not have a validity period greater than 398 days",
+ Citation: "https://support.apple.com/en-us/HT211025",
+ Source: lint.AppleRootStorePolicy,
+ EffectiveDate: util.AppleReducedLifetimeDate,
+ },
+ Lint: NewServerCertValidityTooLong,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/apple/lint_w_server_cert_valid_time_longer_than_397_days.go b/vendor/github.com/zmap/zlint/v3/lints/apple/lint_w_server_cert_valid_time_longer_than_397_days.go
index 532b84683..eb0a22c8c 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/apple/lint_w_server_cert_valid_time_longer_than_397_days.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/apple/lint_w_server_cert_valid_time_longer_than_397_days.go
@@ -25,14 +25,16 @@ import (
 type serverCertValidityAlmostTooLong struct{}
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "w_tls_server_cert_valid_time_longer_than_397_days",
- Description: "TLS server certificates issued on or after September 1, 2020 " +
- "00:00 GMT/UTC should not have a validity period greater than 397 days",
- Citation: "https://support.apple.com/en-us/HT211025",
- Source: lint.AppleRootStorePolicy,
- EffectiveDate: util.AppleReducedLifetimeDate,
- Lint: NewServerCertValidityAlmostTooLong,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "w_tls_server_cert_valid_time_longer_than_397_days",
+ Description: "TLS server certificates issued on or after September 1, 2020 " +
+ "00:00 GMT/UTC should not have a validity period greater than 397 days",
+ Citation: "https://support.apple.com/en-us/HT211025",
+ Source: lint.AppleRootStorePolicy,
+ EffectiveDate: util.AppleReducedLifetimeDate,
+ },
+ Lint: NewServerCertValidityAlmostTooLong,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_common_name_missing.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_common_name_missing.go
index 4a350a245..e72bb4d72 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_common_name_missing.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_common_name_missing.go
@@ -23,13 +23,15 @@ import (
 type caCommonNameMissing struct{}
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_ca_common_name_missing",
- Description: "CA Certificates common name MUST be included.",
- Citation: "BRs: 7.1.4.3.1",
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.CABV148Date,
- Lint: NewCaCommonNameMissing,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_ca_common_name_missing",
+ Description: "CA Certificates common name MUST be included.",
+ Citation: "BRs: 7.1.4.3.1",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.CABV148Date,
+ },
+ Lint: NewCaCommonNameMissing,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_country_name_invalid.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_country_name_invalid.go
index 0c1ce0534..55d193329 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_country_name_invalid.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_country_name_invalid.go
@@ -31,13 +31,15 @@ in which the CA’s place of business is located.
 ************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_ca_country_name_invalid",
- Description: "Root and Subordinate CA certificates MUST have a two-letter country code specified in ISO 3166-1",
- Citation: "BRs: 7.1.2.1",
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
- Lint: NewCaCountryNameInvalid,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_ca_country_name_invalid",
+ Description: "Root and Subordinate CA certificates MUST have a two-letter country code specified in ISO 3166-1",
+ Citation: "BRs: 7.1.2.1",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.CABEffectiveDate,
+ },
+ Lint: NewCaCountryNameInvalid,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_country_name_missing.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_country_name_missing.go
index a5fdb48f2..5ed709a9e 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_country_name_missing.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_country_name_missing.go
@@ -31,13 +31,15 @@ in which the CA’s place of business is located.
 ************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_ca_country_name_missing",
- Description: "Root and Subordinate CA certificates MUST have a countryName present in subject information",
- Citation: "BRs: 7.1.2.1",
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
- Lint: NewCaCountryNameMissing,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_ca_country_name_missing",
+ Description: "Root and Subordinate CA certificates MUST have a countryName present in subject information",
+ Citation: "BRs: 7.1.2.1",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.CABEffectiveDate,
+ },
+ Lint: NewCaCountryNameMissing,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_crl_sign_not_set.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_crl_sign_not_set.go
index fac3e3e90..ac68b3f07 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_crl_sign_not_set.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_crl_sign_not_set.go
@@ -30,13 +30,15 @@ signing OCSP responses, then the digitalSignature bit MUST be set.
 ************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_ca_crl_sign_not_set",
- Description: "Root and Subordinate CA certificate keyUsage extension's crlSign bit MUST be set",
- Citation: "BRs: 7.1.2.1",
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
- Lint: NewCaCRLSignNotSet,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_ca_crl_sign_not_set",
+ Description: "Root and Subordinate CA certificate keyUsage extension's crlSign bit MUST be set",
+ Citation: "BRs: 7.1.2.1",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.CABEffectiveDate,
+ },
+ Lint: NewCaCRLSignNotSet,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_digital_signature_not_set.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_digital_signature_not_set.go
index f76531643..d525423c6 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_digital_signature_not_set.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_digital_signature_not_set.go
@@ -33,13 +33,15 @@ If the Root CA Private Key is used for signing OCSP responses, then the digitalS
 ************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "n_ca_digital_signature_not_set",
- Description: "Root and Subordinate CA Certificates that wish to use their private key for signing OCSP responses will not be able to without their digital signature set",
- Citation: "BRs: 7.1.2.1",
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
- Lint: NewCaDigSignNotSet,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "n_ca_digital_signature_not_set",
+ Description: "Root and Subordinate CA Certificates that wish to use their private key for signing OCSP responses will not be able to without their digital signature set",
+ Citation: "BRs: 7.1.2.1",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.CABEffectiveDate,
+ },
+ Lint: NewCaDigSignNotSet,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_is_ca.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_is_ca.go
index 170beb261..3cd27d26f 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_is_ca.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_is_ca.go
@@ -24,13 +24,15 @@ import (
 type caIsCA struct{}
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_ca_is_ca",
- Description: "Root and Sub CA Certificate: The CA field MUST be set to true.",
- Citation: "BRs: 7.1.2.1, BRs: 7.1.2.2",
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
- Lint: NewCaIsCA,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_ca_is_ca",
+ Description: "Root and Sub CA Certificate: The CA field MUST be set to true.",
+ Citation: "BRs: 7.1.2.1, BRs: 7.1.2.2",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.CABEffectiveDate,
+ },
+ Lint: NewCaIsCA,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_key_cert_sign_not_set.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_key_cert_sign_not_set.go
index 9fe92b638..a1a94db28 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_key_cert_sign_not_set.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_key_cert_sign_not_set.go
@@ -29,13 +29,15 @@ If the Root CA Private Key is used for signing OCSP responses, then the digitalS
 ************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_ca_key_cert_sign_not_set",
- Description: "Root CA Certificate: Bit positions for keyCertSign and cRLSign MUST be set.",
- Citation: "BRs: 7.1.2.1",
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
- Lint: NewCaKeyCertSignNotSet,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_ca_key_cert_sign_not_set",
+ Description: "Root CA Certificate: Bit positions for keyCertSign and cRLSign MUST be set.",
+ Citation: "BRs: 7.1.2.1",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.CABEffectiveDate,
+ },
+ Lint: NewCaKeyCertSignNotSet,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_key_usage_missing.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_key_usage_missing.go
index 84e0a9db5..2b7665061 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_key_usage_missing.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_key_usage_missing.go
@@ -31,13 +31,15 @@ Conforming CAs MUST include this extension in certificates that
 ************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_ca_key_usage_missing",
- Description: "Root and Subordinate CA certificate keyUsage extension MUST be present",
- Citation: "BRs: 7.1.2.1, RFC 5280: 4.2.1.3",
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.RFC3280Date,
- Lint: NewCaKeyUsageMissing,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_ca_key_usage_missing",
+ Description: "Root and Subordinate CA certificate keyUsage extension MUST be present",
+ Citation: "BRs: 7.1.2.1, RFC 5280: 4.2.1.3",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.RFC3280Date,
+ },
+ Lint: NewCaKeyUsageMissing,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_key_usage_not_critical.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_key_usage_not_critical.go
index 11a03b78e..c7e5226f4 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_key_usage_not_critical.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_key_usage_not_critical.go
@@ -29,13 +29,15 @@ If the Root CA Private Key is used for signing OCSP responses, then the digitalS
 ************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_ca_key_usage_not_critical",
- Description: "Root and Subordinate CA certificate keyUsage extension MUST be marked as critical",
- Citation: "BRs: 7.1.2.1",
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
- Lint: NewCaKeyUsageNotCrit,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_ca_key_usage_not_critical",
+ Description: "Root and Subordinate CA certificate keyUsage extension MUST be marked as critical",
+ Citation: "BRs: 7.1.2.1",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.CABEffectiveDate,
+ },
+ Lint: NewCaKeyUsageNotCrit,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_organization_name_missing.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_organization_name_missing.go
index e4a686c7d..123ccad25 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_organization_name_missing.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_organization_name_missing.go
@@ -28,13 +28,15 @@ The Certificate Subject MUST contain the following: organizationName (OID 2.5.4.
 ************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_ca_organization_name_missing",
- Description: "Root and Subordinate CA certificates MUST have a organizationName present in subject information",
- Citation: "BRs: 7.1.2.1",
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
- Lint: NewCaOrganizationNameMissing,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_ca_organization_name_missing",
+ Description: "Root and Subordinate CA certificates MUST have a organizationName present in subject information",
+ Citation: "BRs: 7.1.2.1",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.CABEffectiveDate,
+ },
+ Lint: NewCaOrganizationNameMissing,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cab_dv_conflicts_with_locality.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cab_dv_conflicts_with_locality.go
index e4776b6b1..62564f1da 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cab_dv_conflicts_with_locality.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cab_dv_conflicts_with_locality.go
@@ -24,13 +24,15 @@ import (
 )
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_cab_dv_conflicts_with_locality",
- Description: "If certificate policy 2.23.140.1.2.1 (CA/B BR domain validated) is included, locality name MUST NOT be included in subject",
- Citation: "BRs: 7.1.6.1",
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
- Lint: NewCertPolicyConflictsWithLocality,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_cab_dv_conflicts_with_locality",
+ Description: "If certificate policy 2.23.140.1.2.1 (CA/B BR domain validated) is included, locality name MUST NOT be included in subject",
+ Citation: "BRs: 7.1.6.1",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.CABEffectiveDate,
+ },
+ Lint: NewCertPolicyConflictsWithLocality,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cab_dv_conflicts_with_org.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cab_dv_conflicts_with_org.go
index 648cb03a8..189f3edd9 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cab_dv_conflicts_with_org.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cab_dv_conflicts_with_org.go
@@ -33,13 +33,15 @@ field.
 ************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_cab_dv_conflicts_with_org",
- Description: "If certificate policy 2.23.140.1.2.1 (CA/B BR domain validated) is included, organization name MUST NOT be included in subject",
- Citation: "BRs: 7.1.6.4",
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
- Lint: NewCertPolicyConflictsWithOrg,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_cab_dv_conflicts_with_org",
+ Description: "If certificate policy 2.23.140.1.2.1 (CA/B BR domain validated) is included, organization name MUST NOT be included in subject",
+ Citation: "BRs: 7.1.6.4",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.CABEffectiveDate,
+ },
+ Lint: NewCertPolicyConflictsWithOrg,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cab_dv_conflicts_with_postal.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cab_dv_conflicts_with_postal.go
index 27e1997e3..d41ec7909 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cab_dv_conflicts_with_postal.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cab_dv_conflicts_with_postal.go
@@ -33,13 +33,15 @@ field.
 ************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_cab_dv_conflicts_with_postal",
- Description: "If certificate policy 2.23.140.1.2.1 (CA/B BR domain validated) is included, postalCode MUST NOT be included in subject",
- Citation: "BRs: 7.1.6.4",
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
- Lint: NewCertPolicyConflictsWithPostal,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_cab_dv_conflicts_with_postal",
+ Description: "If certificate policy 2.23.140.1.2.1 (CA/B BR domain validated) is included, postalCode MUST NOT be included in subject",
+ Citation: "BRs: 7.1.6.4",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.CABEffectiveDate,
+ },
+ Lint: NewCertPolicyConflictsWithPostal,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cab_dv_conflicts_with_province.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cab_dv_conflicts_with_province.go
index f26fdbc49..23a5377e8 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cab_dv_conflicts_with_province.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cab_dv_conflicts_with_province.go
@@ -33,13 +33,15 @@ field.
 ************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_cab_dv_conflicts_with_province",
- Description: "If certificate policy 2.23.140.1.2.1 (CA/B BR domain validated) is included, stateOrProvinceName MUST NOT be included in subject",
- Citation: "BRs: 7.1.6.4",
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
- Lint: NewCertPolicyConflictsWithProvince,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_cab_dv_conflicts_with_province",
+ Description: "If certificate policy 2.23.140.1.2.1 (CA/B BR domain validated) is included, stateOrProvinceName MUST NOT be included in subject",
+ Citation: "BRs: 7.1.6.4",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.CABEffectiveDate,
+ },
+ Lint: NewCertPolicyConflictsWithProvince,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cab_dv_conflicts_with_street.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cab_dv_conflicts_with_street.go
index e842d6d5d..a7ab3eb8f 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cab_dv_conflicts_with_street.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cab_dv_conflicts_with_street.go
@@ -33,13 +33,15 @@ field.
 ************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_cab_dv_conflicts_with_street",
- Description: "If certificate policy 2.23.140.1.2.1 (CA/B BR domain validated) is included, streetAddress MUST NOT be included in subject",
- Citation: "BRs: 7.1.6.4",
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
- Lint: NewCertPolicyConflictsWithStreet,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_cab_dv_conflicts_with_street",
+ Description: "If certificate policy 2.23.140.1.2.1 (CA/B BR domain validated) is included, streetAddress MUST NOT be included in subject",
+ Citation: "BRs: 7.1.6.4",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.CABEffectiveDate,
+ },
+ Lint: NewCertPolicyConflictsWithStreet,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cab_iv_requires_personal_name.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cab_iv_requires_personal_name.go
index 4c7a758d4..5ccfb1297 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cab_iv_requires_personal_name.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cab_iv_requires_personal_name.go
@@ -34,13 +34,15 @@ the Subject field.
 ************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_cab_iv_requires_personal_name",
- Description: "If certificate policy 2.23.140.1.2.3 is included, either organizationName or givenName and surname MUST be included in subject",
- Citation: "BRs: 7.1.6.4",
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.CABV131Date,
- Lint: NewCertPolicyRequiresPersonalName,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_cab_iv_requires_personal_name",
+ Description: "If certificate policy 2.23.140.1.2.3 is included, either organizationName or givenName and surname MUST be included in subject",
+ Citation: "BRs: 7.1.6.4",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.CABV131Date,
+ },
+ Lint: NewCertPolicyRequiresPersonalName,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cab_ov_requires_org.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cab_ov_requires_org.go
index c73b7665b..a3f1035bc 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cab_ov_requires_org.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cab_ov_requires_org.go
@@ -33,13 +33,15 @@ required under Section 7.1.4.2.2), and countryName in the Subject field.
 ************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_cab_ov_requires_org",
- Description: "If certificate policy 2.23.140.1.2.2 is included, organizationName MUST be included in subject",
- Citation: "BRs: 7.1.6.4",
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
- Lint: NewCertPolicyRequiresOrg,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_cab_ov_requires_org",
+ Description: "If certificate policy 2.23.140.1.2.2 is included, organizationName MUST be included in subject",
+ Citation: "BRs: 7.1.6.4",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.CABEffectiveDate,
+ },
+ Lint: NewCertPolicyRequiresOrg,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cabf_crl_reason_code_not_critical.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cabf_crl_reason_code_not_critical.go
new file mode 100644
index 000000000..2147fc446
--- /dev/null
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cabf_crl_reason_code_not_critical.go
@@ -0,0 +1,60 @@
+package cabf_br
+
+/*
+ * ZLint Copyright 2023 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+import (
+	"github.com/zmap/zcrypto/x509"
+	"github.com/zmap/zlint/v3/lint"
+	"github.com/zmap/zlint/v3/util"
+)
+
+type crlReasonCodeNotCritical struct{}
+
+func init() {
+	lint.RegisterRevocationListLint(&lint.RevocationListLint{
+		LintMetadata: lint.LintMetadata{
+			Name:          "e_cab_crl_reason_code_not_critical",
+			Description:   "If present, CRL Reason Code extension MUST NOT be marked critical.",
+			Citation:      "BRs: 7.2.2",
+			Source:        lint.CABFBaselineRequirements,
+			EffectiveDate: util.CABEffectiveDate,
+		},
+		Lint: NewCrlReasonCodeNotCritical,
+	})
+}
+
+func NewCrlReasonCodeNotCritical() lint.RevocationListLintInterface {
+	return &crlReasonCodeNotCritical{}
+}
+
+func (l *crlReasonCodeNotCritical) CheckApplies(c *x509.RevocationList) bool {
+	return len(c.RevokedCertificates) > 0
+}
+
+func (l *crlReasonCodeNotCritical) Execute(c *x509.RevocationList) *lint.LintResult {
+	for _, c := range c.RevokedCertificates {
+		if c.ReasonCode == nil {
+			continue
+		}
+		for _, ext := range c.Extensions {
+			if ext.Id.Equal(util.ReasonCodeOID) {
+				if ext.Critical {
+					return &lint.LintResult{Status: lint.Error, Details: "CRL Reason Code extension MUST NOT be marked as critical."}
+				}
+			}
+		}
+	}
+	return &lint.LintResult{Status: lint.Pass}
+}
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cabf_crl_valid_reason_codes.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cabf_crl_valid_reason_codes.go
new file mode 100644
index 000000000..70aea45eb
--- /dev/null
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cabf_crl_valid_reason_codes.go
@@ -0,0 +1,68 @@
+package cabf_br
+
+/*
+ * ZLint Copyright 2023 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+import (
+	"github.com/zmap/zcrypto/x509"
+	"github.com/zmap/zlint/v3/lint"
+	"github.com/zmap/zlint/v3/util"
+)
+
+type crlHasValidReasonCodes struct{}
+
+func init() {
+	lint.RegisterRevocationListLint(&lint.RevocationListLint{
+		LintMetadata: lint.LintMetadata{
+			Name:          "e_cab_crl_has_valid_reason_code",
+			Description:   "Only the following CRLReasons MAY be present: 1, 3, 4, 5, 9.",
+			Citation:      "BRs: 7.2.2",
+			Source:        lint.CABFBaselineRequirements,
+			EffectiveDate: util.CABFBRs_1_8_7_Date,
+		},
+		Lint: NewCrlHasValidReasonCode,
+	})
+}
+
+func NewCrlHasValidReasonCode() lint.RevocationListLintInterface {
+	return &crlHasValidReasonCodes{}
+}
+
+func (l *crlHasValidReasonCodes) CheckApplies(c *x509.RevocationList) bool {
+	return len(c.RevokedCertificates) > 0
+}
+
+var validReasons = map[int]bool{
+	1: true,
+	3: true,
+	4: true,
+	5: true,
+	9: true,
+}
+
+func (l *crlHasValidReasonCodes) Execute(c *x509.RevocationList) *lint.LintResult {
+	for _, c := range c.RevokedCertificates {
+		if c.ReasonCode == nil {
+			continue
+		}
+		code := *c.ReasonCode
+		if code == 0 {
+			return &lint.LintResult{Status: lint.Error, Details: "The reason code CRL entry extension SHOULD be absent instead of using the unspecified (0) reasonCode value."}
+		}
+		if _, ok := validReasons[code]; !ok {
+			return &lint.LintResult{Status: lint.Error, Details: "Reason code not included in BR: 7.2.2"}
+		}
+	}
+	return &lint.LintResult{Status: lint.Pass}
+}
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cert_policy_iv_requires_country.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cert_policy_iv_requires_country.go
index a33dcaa55..f851b8971 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cert_policy_iv_requires_country.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cert_policy_iv_requires_country.go
@@ -34,13 +34,15 @@ the Subject field. ************************************************/ func init() { - lint.RegisterLint(&lint.Lint{ - Name: "e_cert_policy_iv_requires_country", - Description: "If certificate policy 2.23.140.1.2.3 is included, countryName MUST be included in subject", - Citation: "BRs: 7.1.6.4", - Source: lint.CABFBaselineRequirements, - EffectiveDate: util.CABV131Date, - Lint: NewCertPolicyIVRequiresCountry, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_cert_policy_iv_requires_country", + Description: "If certificate policy 2.23.140.1.2.3 is included, countryName MUST be included in subject", + Citation: "BRs: 7.1.6.4", + Source: lint.CABFBaselineRequirements, + EffectiveDate: util.CABV131Date, + }, + Lint: NewCertPolicyIVRequiresCountry, }) }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cert_policy_iv_requires_province_or_locality.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cert_policy_iv_requires_province_or_locality.go
index 5e423bb0e..cef1df45b 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cert_policy_iv_requires_province_or_locality.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cert_policy_iv_requires_province_or_locality.go
@@ -35,13 +35,15 @@ the Subject field. // 7.1.4.2.2 applies only to subscriber certificates. func init() { - lint.RegisterLint(&lint.Lint{ - Name: "e_cert_policy_iv_requires_province_or_locality", - Description: "If certificate policy 2.23.140.1.2.3 is included, localityName or stateOrProvinceName MUST be included in subject", - Citation: "BRs: 7.1.6.4", - Source: lint.CABFBaselineRequirements, - EffectiveDate: util.CABV131Date, - Lint: NewCertPolicyIVRequiresProvinceOrLocal, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_cert_policy_iv_requires_province_or_locality", + Description: "If certificate policy 2.23.140.1.2.3 is included, localityName or stateOrProvinceName MUST be included in subject", + Citation: "BRs: 7.1.6.4", + Source: lint.CABFBaselineRequirements, + EffectiveDate: util.CABV131Date, + }, + Lint: NewCertPolicyIVRequiresProvinceOrLocal, }) } diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cert_policy_ov_requires_country.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cert_policy_ov_requires_country.go index 7ef68f93e..7c3562e8f 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cert_policy_ov_requires_country.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cert_policy_ov_requires_country.go 
@@ -33,13 +33,15 @@ required under Section 7.1.4.2.2), and countryName in the Subject field. ************************************************/ func init() { - lint.RegisterLint(&lint.Lint{ - Name: "e_cert_policy_ov_requires_country", - Description: "If certificate policy 2.23.140.1.2.2 is included, countryName MUST be included in subject", - Citation: "BRs: 7.1.6.4", - Source: lint.CABFBaselineRequirements, - EffectiveDate: util.CABEffectiveDate, - Lint: NewCertPolicyOVRequiresCountry, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_cert_policy_ov_requires_country", + Description: "If certificate policy 2.23.140.1.2.2 is included, countryName MUST be included in subject", + Citation: "BRs: 7.1.6.4", + Source: lint.CABFBaselineRequirements, + EffectiveDate: util.CABEffectiveDate, + }, + Lint: NewCertPolicyOVRequiresCountry, }) } diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cert_policy_ov_requires_province_or_locality.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cert_policy_ov_requires_province_or_locality.go index 99cfb6d46..85d9bc961 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cert_policy_ov_requires_province_or_locality.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cert_policy_ov_requires_province_or_locality.go 
@@ -35,13 +35,15 @@ Note: 7.1.4.2.2 applies only to subscriber certificates. ************************************************/ func init() { - lint.RegisterLint(&lint.Lint{ - Name: "e_cert_policy_ov_requires_province_or_locality", - Description: "If certificate policy 2.23.140.1.2.2 is included, localityName or stateOrProvinceName MUST be included in subject", - Citation: "BRs: 7.1.6.4", - Source: lint.CABFBaselineRequirements, - EffectiveDate: util.CABEffectiveDate, - Lint: NewCertPolicyOVRequiresProvinceOrLocal, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_cert_policy_ov_requires_province_or_locality", + Description: "If certificate policy 2.23.140.1.2.2 is included, localityName or stateOrProvinceName MUST be included in subject", + Citation: "BRs: 7.1.6.4", + Source: lint.CABFBaselineRequirements, + EffectiveDate: util.CABEffectiveDate, + }, + Lint: NewCertPolicyOVRequiresProvinceOrLocal, }) } diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dh_params_missing.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dh_params_missing.go index 244d2376c..ea6472e59 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dh_params_missing.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dh_params_missing.go 
@@ -25,14 +25,16 @@ import ( type dsaParamsMissing struct{} func init() { - lint.RegisterLint(&lint.Lint{ - Name: "e_dsa_params_missing", - Description: "DSA: Certificates MUST include all domain parameters", - Citation: "BRs v1.7.0: 6.1.6", - Source: lint.CABFBaselineRequirements, - EffectiveDate: util.CABEffectiveDate, - IneffectiveDate: util.CABFBRs_1_7_1_Date, - Lint: NewDsaParamsMissing, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_dsa_params_missing", + Description: "DSA: Certificates MUST include all domain parameters", + Citation: "BRs v1.7.0: 6.1.6", + Source: lint.CABFBaselineRequirements, + EffectiveDate: util.CABEffectiveDate, + IneffectiveDate: util.CABFBRs_1_7_1_Date, + }, + Lint: NewDsaParamsMissing, }) } diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_bad_character_in_label.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_bad_character_in_label.go index ebf317840..7f4d6d3b0 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_bad_character_in_label.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_bad_character_in_label.go @@ -27,13 +27,15 @@ type DNSNameProperCharacters struct { } func init() { - lint.RegisterLint(&lint.Lint{ - Name: "e_dnsname_bad_character_in_label", - Description: "Characters in labels of DNSNames MUST be alphanumeric, - , _ or *", - Citation: "BRs: 7.1.4.2", - Source: lint.CABFBaselineRequirements, - EffectiveDate: util.CABEffectiveDate, - Lint: NewDNSNameProperCharacters, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_dnsname_bad_character_in_label", + Description: "Characters in labels of DNSNames MUST be alphanumeric, - , _ or *", + Citation: "BRs: 7.1.4.2", + Source: lint.CABFBaselineRequirements, + EffectiveDate: util.CABEffectiveDate, + }, + Lint: NewDNSNameProperCharacters, }) } 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_check_left_label_wildcard.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_check_left_label_wildcard.go index b829d19e0..1169cbec1 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_check_left_label_wildcard.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_check_left_label_wildcard.go @@ -25,13 +25,15 @@ import ( type DNSNameLeftLabelWildcardCheck struct{} func init() { - lint.RegisterLint(&lint.Lint{ - Name: "e_dnsname_left_label_wildcard_correct", - Description: "Wildcards in the left label of DNSName should only be *", - Citation: "BRs: 1.6.1, Wildcard Certificate and Wildcard Domain Name", - Source: lint.CABFBaselineRequirements, - EffectiveDate: util.CABEffectiveDate, - Lint: NewDNSNameLeftLabelWildcardCheck, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_dnsname_left_label_wildcard_correct", + Description: "Wildcards in the left label of DNSName should only be *", + Citation: "BRs: 1.6.1, Wildcard Certificate and Wildcard Domain Name", + Source: lint.CABFBaselineRequirements, + EffectiveDate: util.CABEffectiveDate, + }, + Lint: NewDNSNameLeftLabelWildcardCheck, }) } diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_contains_bare_iana_suffix.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_contains_bare_iana_suffix.go index 57405f324..d60b6160e 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_contains_bare_iana_suffix.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_contains_bare_iana_suffix.go 
@@ -23,13 +23,15 @@ import ( type dnsNameContainsBareIANASuffix struct{} func init() { - lint.RegisterLint(&lint.Lint{ - Name: "e_dnsname_contains_bare_iana_suffix", - Description: "DNSNames should not contain a bare IANA suffix.", - Citation: "BRs: 1.6.1, Base Domain Name", - Source: lint.CABFBaselineRequirements, - EffectiveDate: util.CABEffectiveDate, - Lint: NewDnsNameContainsBareIANASuffix, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_dnsname_contains_bare_iana_suffix", + Description: "DNSNames should not contain a bare IANA suffix.", + Citation: "BRs: 1.6.1, Base Domain Name", + Source: lint.CABFBaselineRequirements, + EffectiveDate: util.CABEffectiveDate, + }, + Lint: NewDnsNameContainsBareIANASuffix, }) } diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_contains_empty_label.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_contains_empty_label.go index e5be883f9..834235f32 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_contains_empty_label.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_contains_empty_label.go @@ -25,13 +25,15 @@ import ( type DNSNameEmptyLabel struct{} func init() { - lint.RegisterLint(&lint.Lint{ - Name: "e_dnsname_empty_label", - Description: "DNSNames should not have an empty label.", - Citation: "BRs: 7.1.4.2", - Source: lint.CABFBaselineRequirements, - EffectiveDate: util.CABEffectiveDate, - Lint: NewDNSNameEmptyLabel, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_dnsname_empty_label", + Description: "DNSNames should not have an empty label.", + Citation: "BRs: 7.1.4.2", + Source: lint.CABFBaselineRequirements, + EffectiveDate: util.CABEffectiveDate, + }, + Lint: NewDNSNameEmptyLabel, }) } 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_contains_prohibited_reserved_label.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_contains_prohibited_reserved_label.go index ef9d4a191..dc2ddd5f3 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_contains_prohibited_reserved_label.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_contains_prohibited_reserved_label.go @@ -23,13 +23,15 @@ import ( ) func init() { - lint.RegisterLint(&lint.Lint{ - Name: "e_dnsname_contains_prohibited_reserved_label", - Description: "FQDNs MUST consist solely of Domain Labels that are P‐Labels or Non‐Reserved LDH Labels", - Citation: "BRs: 7.1.4.2.1", - Source: lint.CABFBaselineRequirements, - EffectiveDate: util.NoReservedDomainLabelsDate, - Lint: NewDNSNameContainsProhibitedReservedLabel, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_dnsname_contains_prohibited_reserved_label", + Description: "FQDNs MUST consist solely of Domain Labels that are P‐Labels or Non‐Reserved LDH Labels", + Citation: "BRs: 7.1.4.2.1", + Source: lint.CABFBaselineRequirements, + EffectiveDate: util.NoReservedDomainLabelsDate, + }, + Lint: NewDNSNameContainsProhibitedReservedLabel, }) } diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_hyphen_in_sld.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_hyphen_in_sld.go index 83c00642c..c64677e99 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_hyphen_in_sld.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_hyphen_in_sld.go 
@@ -25,13 +25,15 @@ import ( type DNSNameHyphenInSLD struct{} func init() { - lint.RegisterLint(&lint.Lint{ - Name: "e_dnsname_hyphen_in_sld", - Description: "DNSName should not have a hyphen beginning or ending the SLD", - Citation: "BRs 7.1.4.2", - Source: lint.CABFBaselineRequirements, - EffectiveDate: util.RFC5280Date, - Lint: NewDNSNameHyphenInSLD, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_dnsname_hyphen_in_sld", + Description: "DNSName should not have a hyphen beginning or ending the SLD", + Citation: "BRs 7.1.4.2", + Source: lint.CABFBaselineRequirements, + EffectiveDate: util.RFC5280Date, + }, + Lint: NewDNSNameHyphenInSLD, }) } diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_label_too_long.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_label_too_long.go index e103b7c4a..f129b64a1 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_label_too_long.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_label_too_long.go @@ -25,13 +25,15 @@ import ( type DNSNameLabelLengthTooLong struct{} func init() { - lint.RegisterLint(&lint.Lint{ - Name: "e_dnsname_label_too_long", - Description: "DNSName labels MUST be less than or equal to 63 characters", - Citation: "RFC 1035", - Source: lint.CABFBaselineRequirements, - EffectiveDate: util.CABEffectiveDate, - Lint: NewDNSNameLabelLengthTooLong, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_dnsname_label_too_long", + Description: "DNSName labels MUST be less than or equal to 63 characters", + Citation: "RFC 1035", + Source: lint.CABFBaselineRequirements, + EffectiveDate: util.CABEffectiveDate, + }, + Lint: NewDNSNameLabelLengthTooLong, }) } 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_right_label_valid_tld.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_right_label_valid_tld.go index 7d36e69d1..e8e29a642 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_right_label_valid_tld.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_right_label_valid_tld.go @@ -23,13 +23,15 @@ import ( type DNSNameValidTLD struct{} func init() { - lint.RegisterLint(&lint.Lint{ - Name: "e_dnsname_not_valid_tld", - Description: "DNSNames must have a valid TLD.", - Citation: "BRs: 3.2.2.4", - Source: lint.CABFBaselineRequirements, - EffectiveDate: util.CABEffectiveDate, - Lint: NewDNSNameValidTLD, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_dnsname_not_valid_tld", + Description: "DNSNames must have a valid TLD.", + Citation: "BRs: 3.2.2.4", + Source: lint.CABFBaselineRequirements, + EffectiveDate: util.CABEffectiveDate, + }, + Lint: NewDNSNameValidTLD, }) } diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_underscore_in_sld.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_underscore_in_sld.go index f024ace59..fdb69a6a6 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_underscore_in_sld.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_underscore_in_sld.go 
@@ -25,13 +25,15 @@ import ( type DNSNameUnderscoreInSLD struct{} func init() { - lint.RegisterLint(&lint.Lint{ - Name: "e_dnsname_underscore_in_sld", - Description: "DNSName MUST NOT contain underscore characters", - Citation: "BRs: 7.1.4.2.1", - Source: lint.CABFBaselineRequirements, - EffectiveDate: util.RFC5280Date, - Lint: NewDNSNameUnderscoreInSLD, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_dnsname_underscore_in_sld", + Description: "DNSName MUST NOT contain underscore characters", + Citation: "BRs: 7.1.4.2.1", + Source: lint.CABFBaselineRequirements, + EffectiveDate: util.RFC5280Date, + }, + Lint: NewDNSNameUnderscoreInSLD, }) } diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_underscore_in_trd.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_underscore_in_trd.go index b6266573a..03a7c4ab0 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_underscore_in_trd.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_underscore_in_trd.go @@ -25,13 +25,15 @@ import ( type DNSNameUnderscoreInTRD struct{} func init() { - lint.RegisterLint(&lint.Lint{ - Name: "w_dnsname_underscore_in_trd", - Description: "DNSName MUST NOT contain underscore characters", - Citation: "BRs: 7.1.4.2.1", - Source: lint.CABFBaselineRequirements, - EffectiveDate: util.RFC5280Date, - Lint: NewDNSNameUnderscoreInTRD, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "w_dnsname_underscore_in_trd", + Description: "DNSName MUST NOT contain underscore characters", + Citation: "BRs: 7.1.4.2.1", + Source: lint.CABFBaselineRequirements, + EffectiveDate: util.RFC5280Date, + }, + Lint: NewDNSNameUnderscoreInTRD, }) } 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_wildcard_left_of_public_suffix.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_wildcard_left_of_public_suffix.go index 3277e3e6d..5d12c5779 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_wildcard_left_of_public_suffix.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_wildcard_left_of_public_suffix.go @@ -23,13 +23,15 @@ import ( type DNSNameWildcardLeftofPublicSuffix struct{} func init() { - lint.RegisterLint(&lint.Lint{ - Name: "n_dnsname_wildcard_left_of_public_suffix", - Description: "the CA MUST establish and follow a documented procedure[^pubsuffix] that determines if the wildcard character occurs in the first label position to the left of a “registry‐controlled” label or “public suffix”", - Citation: "BRs: 3.2.2.6", - Source: lint.CABFBaselineRequirements, - EffectiveDate: util.CABEffectiveDate, - Lint: NewDNSNameWildcardLeftofPublicSuffix, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "n_dnsname_wildcard_left_of_public_suffix", + Description: "the CA MUST establish and follow a documented procedure[^pubsuffix] that determines if the wildcard character occurs in the first label position to the left of a “registry‐controlled” label or “public suffix”", + Citation: "BRs: 3.2.2.6", + Source: lint.CABFBaselineRequirements, + EffectiveDate: util.CABEffectiveDate, + }, + Lint: NewDNSNameWildcardLeftofPublicSuffix, }) } diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_wildcard_only_in_left_label.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_wildcard_only_in_left_label.go index 4d6338d39..e8b09ea45 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_wildcard_only_in_left_label.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_wildcard_only_in_left_label.go 
@@ -25,13 +25,15 @@ import ( type DNSNameWildcardOnlyInLeftlabel struct{} func init() { - lint.RegisterLint(&lint.Lint{ - Name: "e_dnsname_wildcard_only_in_left_label", - Description: "DNSName should not have wildcards except in the left-most label", - Citation: "BRs: 1.6.1, Wildcard Domain Name", - Source: lint.CABFBaselineRequirements, - EffectiveDate: util.CABEffectiveDate, - Lint: NewDNSNameWildcardOnlyInLeftlabel, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_dnsname_wildcard_only_in_left_label", + Description: "DNSName should not have wildcards except in the left-most label", + Citation: "BRs: 1.6.1, Wildcard Domain Name", + Source: lint.CABFBaselineRequirements, + EffectiveDate: util.CABEffectiveDate, + }, + Lint: NewDNSNameWildcardOnlyInLeftlabel, }) } diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dsa_correct_order_in_subgroup.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dsa_correct_order_in_subgroup.go index 03183614f..f0e28050f 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dsa_correct_order_in_subgroup.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dsa_correct_order_in_subgroup.go 
@@ -27,13 +27,15 @@ import ( type dsaSubgroup struct{} func init() { - lint.RegisterLint(&lint.Lint{ - Name: "e_dsa_correct_order_in_subgroup", - Description: "DSA: Public key value has the unique correct representation in the field, and that the key has the correct order in the subgroup", - Citation: "BRs v1.7.0: 6.1.6", - Source: lint.CABFBaselineRequirements, - EffectiveDate: util.CABEffectiveDate, - Lint: NewDsaSubgroup, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_dsa_correct_order_in_subgroup", + Description: "DSA: Public key value has the unique correct representation in the field, and that the key has the correct order in the subgroup", + Citation: "BRs v1.7.0: 6.1.6", + Source: lint.CABFBaselineRequirements, + EffectiveDate: util.CABEffectiveDate, + }, + Lint: NewDsaSubgroup, }) } diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dsa_improper_modulus_or_divisor_size.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dsa_improper_modulus_or_divisor_size.go index 149373cb3..d979b6dd1 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dsa_improper_modulus_or_divisor_size.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dsa_improper_modulus_or_divisor_size.go 
@@ -25,13 +25,15 @@ import ( type dsaImproperSize struct{} func init() { - lint.RegisterLint(&lint.Lint{ - Name: "e_dsa_improper_modulus_or_divisor_size", - Description: "Certificates MUST meet the following requirements for DSA algorithm type and key size: L=2048 and N=224,256 or L=3072 and N=256", - Citation: "BRs v1.7.0: 6.1.5", - Source: lint.CABFBaselineRequirements, - EffectiveDate: util.ZeroDate, - Lint: NewDsaImproperSize, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_dsa_improper_modulus_or_divisor_size", + Description: "Certificates MUST meet the following requirements for DSA algorithm type and key size: L=2048 and N=224,256 or L=3072 and N=256", + Citation: "BRs v1.7.0: 6.1.5", + Source: lint.CABFBaselineRequirements, + EffectiveDate: util.ZeroDate, + }, + Lint: NewDsaImproperSize, }) } diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dsa_shorter_than_2048_bits.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dsa_shorter_than_2048_bits.go index f7084b79e..690a96039 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dsa_shorter_than_2048_bits.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dsa_shorter_than_2048_bits.go 
@@ -25,14 +25,16 @@ import ( type dsaTooShort struct{} func init() { - lint.RegisterLint(&lint.Lint{ - Name: "e_dsa_shorter_than_2048_bits", - Description: "DSA modulus size must be at least 2048 bits", - Citation: "BRs v1.7.0: 6.1.5", - // Refer to BRs: 6.1.5, taking the statement "Before 31 Dec 2010" literally - Source: lint.CABFBaselineRequirements, - EffectiveDate: util.ZeroDate, - Lint: NewDsaTooShort, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_dsa_shorter_than_2048_bits", + Description: "DSA modulus size must be at least 2048 bits", + Citation: "BRs v1.7.0: 6.1.5", + // Refer to BRs: 6.1.5, taking the statement "Before 31 Dec 2010" literally + Source: lint.CABFBaselineRequirements, + EffectiveDate: util.ZeroDate, + }, + Lint: NewDsaTooShort, }) } diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dsa_unique_correct_representation.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dsa_unique_correct_representation.go index 8ed63b848..5016a83fc 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dsa_unique_correct_representation.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dsa_unique_correct_representation.go 
@@ -27,13 +27,15 @@ import ( type dsaUniqueCorrectRepresentation struct{} func init() { - lint.RegisterLint(&lint.Lint{ - Name: "e_dsa_unique_correct_representation", - Description: "DSA: Public key value has the unique correct representation in the field, and that the key has the correct order in the subgroup", - Citation: "BRs v1.7.0: 6.1.6", - Source: lint.CABFBaselineRequirements, - EffectiveDate: util.CABEffectiveDate, - Lint: NewDsaUniqueCorrectRepresentation, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_dsa_unique_correct_representation", + Description: "DSA: Public key value has the unique correct representation in the field, and that the key has the correct order in the subgroup", + Citation: "BRs v1.7.0: 6.1.6", + Source: lint.CABFBaselineRequirements, + EffectiveDate: util.CABEffectiveDate, + }, + Lint: NewDsaUniqueCorrectRepresentation, }) } diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_e_sub_ca_aia_missing.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_e_sub_ca_aia_missing.go index 8d8e038b2..2e6373828 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_e_sub_ca_aia_missing.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_e_sub_ca_aia_missing.go 
@@ -31,14 +31,16 @@ marked critical, and it MUST contain the HTTP URL of the Issuing CA’s OCSP res ************************************************/ func init() { - lint.RegisterLint(&lint.Lint{ - Name: "e_sub_ca_aia_missing", - Description: "Subordinate CA Certificate: authorityInformationAccess MUST be present, with the exception of stapling.", - Citation: "BRs: 7.1.2.2", - Source: lint.CABFBaselineRequirements, - EffectiveDate: util.CABEffectiveDate, - IneffectiveDate: util.CABFBRs_1_7_1_Date, - Lint: NewCaAiaMissing, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_sub_ca_aia_missing", + Description: "Subordinate CA Certificate: authorityInformationAccess MUST be present, with the exception of stapling.", + Citation: "BRs: 7.1.2.2", + Source: lint.CABFBaselineRequirements, + EffectiveDate: util.CABEffectiveDate, + IneffectiveDate: util.CABFBRs_1_7_1_Date, + }, + Lint: NewCaAiaMissing, }) } diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ec_improper_curves.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ec_improper_curves.go index 711c11a09..5c6c78012 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ec_improper_curves.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ec_improper_curves.go 
@@ -31,14 +31,16 @@ ECC Curve: NIST P-256, P-384, or P-521 ************************************************/ func init() { - lint.RegisterLint(&lint.Lint{ - Name: "e_ec_improper_curves", - Description: "Only one of NIST P‐256, P‐384, or P‐521 can be used", - Citation: "BRs: 6.1.5", - Source: lint.CABFBaselineRequirements, - // Refer to BRs: 6.1.5, taking the statement "Before 31 Dec 2010" literally - EffectiveDate: util.ZeroDate, - Lint: NewEcImproperCurves, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_ec_improper_curves", + Description: "Only one of NIST P‐256, P‐384, or P‐521 can be used", + Citation: "BRs: 6.1.5", + Source: lint.CABFBaselineRequirements, + // Refer to BRs: 6.1.5, taking the statement "Before 31 Dec 2010" literally + EffectiveDate: util.ZeroDate, + }, + Lint: NewEcImproperCurves, }) } diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_nc_intersects_reserved_ip.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_nc_intersects_reserved_ip.go index 47b3e714a..838c6eedb 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_nc_intersects_reserved_ip.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_nc_intersects_reserved_ip.go 
@@ -34,13 +34,15 @@ Subject commonName field containing a Reserved IP Address or Internal Name.
 ************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_ext_nc_intersects_reserved_ip",
- Description: "iPAddress name constraint intersects an IANA reserved network",
- Citation: "BRs: 7.1.5 / 7.1.4.2.1",
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
- Lint: NewNCReservedIPNet,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_ext_nc_intersects_reserved_ip",
+ Description: "iPAddress name constraint intersects an IANA reserved network",
+ Citation: "BRs: 7.1.5 / 7.1.4.2.1",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.CABEffectiveDate,
+ },
+ Lint: NewNCReservedIPNet,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_san_contains_reserved_ip.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_san_contains_reserved_ip.go
index 74cf1ae16..e65f71552 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_san_contains_reserved_ip.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_san_contains_reserved_ip.go
@@ -23,13 +23,15 @@ import (
 type SANReservedIP struct{}
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_ext_san_contains_reserved_ip",
- Description: "CAs SHALL NOT issue certificates with a subjectAltName extension or subject:commonName field containing a Reserved IP Address or Internal Name.",
- Citation: "BRs: 7.1.4.2.1",
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
- Lint: NewSANReservedIP,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_ext_san_contains_reserved_ip",
+ Description: "CAs SHALL NOT issue certificates with a subjectAltName extension or subject:commonName field containing a Reserved IP Address or Internal Name.",
+ Citation: "BRs: 7.1.4.2.1",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.CABEffectiveDate,
+ },
+ Lint: NewSANReservedIP,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_san_critical_with_subject_dn.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_san_critical_with_subject_dn.go
index eb965fc95..90d2dcf0f 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_san_critical_with_subject_dn.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_san_critical_with_subject_dn.go
@@ -34,13 +34,15 @@ Further, if the only subject identity included in the certificate is an
 ************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "w_ext_san_critical_with_subject_dn",
- Description: "If the subject contains a distinguished name, subjectAlternateName SHOULD be non-critical",
- Citation: "RFC 5280: 4.2.1.6",
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.RFC5280Date,
- Lint: NewExtSANCriticalWithSubjectDN,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "w_ext_san_critical_with_subject_dn",
+ Description: "If the subject contains a distinguished name, subjectAlternateName SHOULD be non-critical",
+ Citation: "RFC 5280: 4.2.1.6",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.RFC5280Date,
+ },
+ Lint: NewExtSANCriticalWithSubjectDN,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_san_directory_name_present.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_san_directory_name_present.go
index 5f402c7c5..57d048375 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_san_directory_name_present.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_san_directory_name_present.go
@@ -34,13 +34,15 @@ Wildcard FQDNs are permitted.
 *************************************************************************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_ext_san_directory_name_present",
- Description: "The Subject Alternate Name extension MUST contain only 'dnsName' and 'ipaddress' name types",
- Citation: "BRs: 7.1.4.2.1",
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
- Lint: NewSANDirName,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_ext_san_directory_name_present",
+ Description: "The Subject Alternate Name extension MUST contain only 'dnsName' and 'ipaddress' name types",
+ Citation: "BRs: 7.1.4.2.1",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.CABEffectiveDate,
+ },
+ Lint: NewSANDirName,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_san_edi_party_name_present.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_san_edi_party_name_present.go
index 4c9196f3c..ace3eb211 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_san_edi_party_name_present.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_san_edi_party_name_present.go
@@ -34,13 +34,15 @@ Wildcard FQDNs are permitted.
 *************************************************************************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_ext_san_edi_party_name_present",
- Description: "The Subject Alternate Name extension MUST contain only 'dnsName' and 'ipaddress' name types",
- Citation: "BRs: 7.1.4.2.1",
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
- Lint: NewSANEDI,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_ext_san_edi_party_name_present",
+ Description: "The Subject Alternate Name extension MUST contain only 'dnsName' and 'ipaddress' name types",
+ Citation: "BRs: 7.1.4.2.1",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.CABEffectiveDate,
+ },
+ Lint: NewSANEDI,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_san_missing.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_san_missing.go
index d97caf02a..70f2c4e82 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_san_missing.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_san_missing.go
@@ -30,13 +30,15 @@ Required/Optional: Required
 ************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_ext_san_missing",
- Description: "Subscriber certificates MUST contain the Subject Alternate Name extension",
- Citation: "BRs: 7.1.4.2.1",
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
- Lint: NewSANMissing,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_ext_san_missing",
+ Description: "Subscriber certificates MUST contain the Subject Alternate Name extension",
+ Citation: "BRs: 7.1.4.2.1",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.CABEffectiveDate,
+ },
+ Lint: NewSANMissing,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_san_other_name_present.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_san_other_name_present.go
index 7b792ded5..a54cff296 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_san_other_name_present.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_san_other_name_present.go
@@ -34,13 +34,15 @@ Wildcard FQDNs are permitted.
 *************************************************************************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_ext_san_other_name_present",
- Description: "The Subject Alternate Name extension MUST contain only 'dnsName' and 'ipaddress' name types.",
- Citation: "BRs: 7.1.4.2.1",
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
- Lint: NewSANOtherName,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_ext_san_other_name_present",
+ Description: "The Subject Alternate Name extension MUST contain only 'dnsName' and 'ipaddress' name types.",
+ Citation: "BRs: 7.1.4.2.1",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.CABEffectiveDate,
+ },
+ Lint: NewSANOtherName,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_san_registered_id_present.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_san_registered_id_present.go
index 37fcee954..ad9e44edd 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_san_registered_id_present.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_san_registered_id_present.go
@@ -34,13 +34,15 @@ Wildcard FQDNs are permitted.
 *************************************************************************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_ext_san_registered_id_present",
- Description: "The Subject Alternate Name extension MUST contain only 'dnsName' and 'ipaddress' name types.",
- Citation: "BRs: 7.1.4.2.1",
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
- Lint: NewSANRegId,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_ext_san_registered_id_present",
+ Description: "The Subject Alternate Name extension MUST contain only 'dnsName' and 'ipaddress' name types.",
+ Citation: "BRs: 7.1.4.2.1",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.CABEffectiveDate,
+ },
+ Lint: NewSANRegId,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_san_rfc822_name_present.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_san_rfc822_name_present.go
index caf2ca23d..62da4b795 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_san_rfc822_name_present.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_san_rfc822_name_present.go
@@ -34,13 +34,15 @@ Wildcard FQDNs are permitted.
 *************************************************************************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_ext_san_rfc822_name_present",
- Description: "The Subject Alternate Name extension MUST contain only 'dnsName' and 'ipaddress' name types.",
- Citation: "BRs: 7.1.4.2.1",
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
- Lint: NewSANRfc822,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_ext_san_rfc822_name_present",
+ Description: "The Subject Alternate Name extension MUST contain only 'dnsName' and 'ipaddress' name types.",
+ Citation: "BRs: 7.1.4.2.1",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.CABEffectiveDate,
+ },
+ Lint: NewSANRfc822,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_san_uniform_resource_identifier_present.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_san_uniform_resource_identifier_present.go
index 707ee7e00..8a070caf0 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_san_uniform_resource_identifier_present.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_san_uniform_resource_identifier_present.go
@@ -34,13 +34,15 @@ Wildcard FQDNs are permitted.
 *************************************************************************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_ext_san_uniform_resource_identifier_present",
- Description: "The Subject Alternate Name extension MUST contain only 'dnsName' and 'ipaddress' name types",
- Citation: "BRs: 7.1.4.2.1",
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
- Lint: NewSANURI,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_ext_san_uniform_resource_identifier_present",
+ Description: "The Subject Alternate Name extension MUST contain only 'dnsName' and 'ipaddress' name types",
+ Citation: "BRs: 7.1.4.2.1",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.CABEffectiveDate,
+ },
+ Lint: NewSANURI,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_tor_service_descriptor_hash_invalid.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_tor_service_descriptor_hash_invalid.go
index 4d63e7776..f288831b9 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_tor_service_descriptor_hash_invalid.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_tor_service_descriptor_hash_invalid.go
@@ -27,13 +27,15 @@ import (
 type torServiceDescHashInvalid struct{}
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_ext_tor_service_descriptor_hash_invalid",
- Description: "certificates with v2 .onion names need valid TorServiceDescriptors in extension",
- Citation: "BRs: Ballot 201, Ballot SC27",
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.CABV201Date,
- Lint: NewTorServiceDescHashInvalid,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_ext_tor_service_descriptor_hash_invalid",
+ Description: "certificates with v2 .onion names need valid TorServiceDescriptors in extension",
+ Citation: "BRs: Ballot 201, Ballot SC27",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.CABV201Date,
+ },
+ Lint: NewTorServiceDescHashInvalid,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_extra_subject_common_names.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_extra_subject_common_names.go
index 03cc2a2a6..824ceed4a 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_extra_subject_common_names.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_extra_subject_common_names.go
@@ -23,13 +23,15 @@ import (
 type extraSubjectCommonNames struct{}
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "w_extra_subject_common_names",
- Description: "if present the subject commonName field MUST contain a single IP address or Fully-Qualified Domain Name",
- Citation: "BRs: 7.1.4.2.2",
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
- Lint: NewExtraSubjectCommonNames,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "w_extra_subject_common_names",
+ Description: "if present the subject commonName field MUST contain a single IP address or Fully-Qualified Domain Name",
+ Citation: "BRs: 7.1.4.2.2",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.CABEffectiveDate,
+ },
+ Lint: NewExtraSubjectCommonNames,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_invalid_certificate_version.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_invalid_certificate_version.go
index f66f6b4de..aeaf8a55d 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_invalid_certificate_version.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_invalid_certificate_version.go
@@ -27,13 +27,15 @@ Certificates MUST be of type X.509 v3.
 ************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_invalid_certificate_version",
- Description: "Certificates MUST be of type X.590 v3",
- Citation: "BRs: 7.1.1",
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.CABV130Date,
- Lint: NewInvalidCertificateVersion,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_invalid_certificate_version",
+ Description: "Certificates MUST be of type X.590 v3",
+ Citation: "BRs: 7.1.1",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.CABV130Date,
+ },
+ Lint: NewInvalidCertificateVersion,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_no_underscores_before_1_6_2.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_no_underscores_before_1_6_2.go
index 316c835b4..8ce71e649 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_no_underscores_before_1_6_2.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_no_underscores_before_1_6_2.go
@@ -24,14 +24,16 @@ import (
 )
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_no_underscores_before_1_6_2",
- Description: "Before explicitly stating as such in CABF 1.6.2, the stance of RFC5280 is adopted that DNSNames MUST NOT contain an underscore character.",
- Citation: "BR 7.1.4.2.1",
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.ZeroDate,
- IneffectiveDate: util.CABFBRs_1_6_2_Date,
- Lint: func() lint.LintInterface { return &NoUnderscoreBefore1_6_2{} },
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_no_underscores_before_1_6_2",
+ Description: "Before explicitly stating as such in CABF 1.6.2, the stance of RFC5280 is adopted that DNSNames MUST NOT contain an underscore character.",
+ Citation: "BR 7.1.4.2.1",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.ZeroDate,
+ IneffectiveDate: util.CABFBRs_1_6_2_Date,
+ },
+ Lint: func() lint.LintInterface { return &NoUnderscoreBefore1_6_2{} },
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ocsp_id_pkix_ocsp_nocheck_ext_not_included_server_auth.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ocsp_id_pkix_ocsp_nocheck_ext_not_included_server_auth.go
index 8601321ee..2539f590b 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ocsp_id_pkix_ocsp_nocheck_ext_not_included_server_auth.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ocsp_id_pkix_ocsp_nocheck_ext_not_included_server_auth.go
@@ -23,14 +23,16 @@ import (
 type OCSPIDPKIXOCSPNocheckExtNotIncludedServerAuth struct{}
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_ocsp_id_pkix_ocsp_nocheck_ext_not_included_server_auth",
- Description: "OCSP signing Certificate MUST contain an extension of type id-pkixocsp-nocheck, as" +
- " defined by RFC6960",
- Citation: "BRs: 4.9.9",
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
- Lint: NewOCSPIDPKIXOCSPNocheckExtNotIncludedServerAuth,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_ocsp_id_pkix_ocsp_nocheck_ext_not_included_server_auth",
+ Description: "OCSP signing Certificate MUST contain an extension of type id-pkixocsp-nocheck, as" +
+ " defined by RFC6960",
+ Citation: "BRs: 4.9.9",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.CABEffectiveDate,
+ },
+ Lint: NewOCSPIDPKIXOCSPNocheckExtNotIncludedServerAuth,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_old_root_ca_rsa_mod_less_than_2048_bits.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_old_root_ca_rsa_mod_less_than_2048_bits.go
index 527f8c94c..a1637a5f7 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_old_root_ca_rsa_mod_less_than_2048_bits.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_old_root_ca_rsa_mod_less_than_2048_bits.go
@@ -25,13 +25,15 @@ import (
 type rootCaModSize struct{}
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_old_root_ca_rsa_mod_less_than_2048_bits",
- Description: "In a validity period beginning on or before 31 Dec 2010, root CA certificates using RSA public key algorithm MUST use a 2048 bit modulus",
- Citation: "BRs: 6.1.5",
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.ZeroDate,
- Lint: NewRootCaModSize,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_old_root_ca_rsa_mod_less_than_2048_bits",
+ Description: "In a validity period beginning on or before 31 Dec 2010, root CA certificates using RSA public key algorithm MUST use a 2048 bit modulus",
+ Citation: "BRs: 6.1.5",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.ZeroDate,
+ },
+ Lint: NewRootCaModSize,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_old_sub_ca_rsa_mod_less_than_1024_bits.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_old_sub_ca_rsa_mod_less_than_1024_bits.go
index dfe5c41de..8cd670ddf 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_old_sub_ca_rsa_mod_less_than_1024_bits.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_old_sub_ca_rsa_mod_less_than_1024_bits.go
@@ -27,14 +27,16 @@ import (
 type subCaModSize struct{}
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_old_sub_ca_rsa_mod_less_than_1024_bits",
- Description: "In a validity period beginning on or before 31 Dec 2010 and ending on or before 31 Dec 2013, subordinate CA certificates using RSA public key algorithm MUST use a 1024 bit modulus",
- Citation: "BRs: 6.1.5",
- Source: lint.CABFBaselineRequirements,
- // since effective date should be checked against end date in this specific case, putting time check into checkApplies instead, ZeroDate here to automatically pass NE test
- EffectiveDate: util.ZeroDate,
- Lint: NewSubCaModSize,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_old_sub_ca_rsa_mod_less_than_1024_bits",
+ Description: "In a validity period beginning on or before 31 Dec 2010 and ending on or before 31 Dec 2013, subordinate CA certificates using RSA public key algorithm MUST use a 1024 bit modulus",
+ Citation: "BRs: 6.1.5",
+ Source: lint.CABFBaselineRequirements,
+ // since effective date should be checked against end date in this specific case, putting time check into checkApplies instead, ZeroDate here to automatically pass NE test
+ EffectiveDate: util.ZeroDate,
+ },
+ Lint: NewSubCaModSize,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_old_sub_cert_rsa_mod_less_than_1024_bits.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_old_sub_cert_rsa_mod_less_than_1024_bits.go
index 3d742fe19..d27c4c0ad 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_old_sub_cert_rsa_mod_less_than_1024_bits.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_old_sub_cert_rsa_mod_less_than_1024_bits.go
@@ -25,14 +25,16 @@ import (
 type subModSize struct{}
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_old_sub_cert_rsa_mod_less_than_1024_bits",
- Description: "In a validity period ending on or before 31 Dec 2013, subscriber certificates using RSA public key algorithm MUST use a 1024 bit modulus",
- Citation: "BRs: 6.1.5",
- Source: lint.CABFBaselineRequirements,
- // since effective date should be checked against end date in this specific case, putting time check into checkApplies instead, ZeroDate here to automatically pass NE test
- EffectiveDate: util.ZeroDate,
- Lint: NewSubModSize,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_old_sub_cert_rsa_mod_less_than_1024_bits",
+ Description: "In a validity period ending on or before 31 Dec 2013, subscriber certificates using RSA public key algorithm MUST use a 1024 bit modulus",
+ Citation: "BRs: 6.1.5",
+ Source: lint.CABFBaselineRequirements,
+ // since effective date should be checked against end date in this specific case, putting time check into checkApplies instead, ZeroDate here to automatically pass NE test
+ EffectiveDate: util.ZeroDate,
+ },
+ Lint: NewSubModSize,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_organizational_unit_name_prohibited.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_organizational_unit_name_prohibited.go
index e485adea5..62a666dc6 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_organizational_unit_name_prohibited.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_organizational_unit_name_prohibited.go
@@ -21,13 +21,15 @@ import (
 )
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_organizational_unit_name_prohibited",
- Description: "OrganizationalUnitName is prohibited if...the certificate was issued on or after September 1, 2022",
- Citation: "BRs: 7.1.4.2.2-i",
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.CABFBRs_OU_Prohibited_Date,
- Lint: NewOrganizationalUnitNameProhibited,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_organizational_unit_name_prohibited",
+ Description: "OrganizationalUnitName is prohibited if...the certificate was issued on or after September 1, 2022",
+ Citation: "BRs: 7.1.4.2.2-i",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.CABFBRs_OU_Prohibited_Date,
+ },
+ Lint: NewOrganizationalUnitNameProhibited,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_policy_qualifiers_other_than_cps_not_permitted.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_policy_qualifiers_other_than_cps_not_permitted.go
new file mode 100644
index 000000000..29e4585ac
--- /dev/null
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_policy_qualifiers_other_than_cps_not_permitted.go
@@ -0,0 +1,58 @@
+/*
+ * ZLint Copyright 2023 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+package cabf_br
+
+import (
+ "github.com/zmap/zcrypto/x509"
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/util"
+)
+
+func init() {
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_policy_qualifiers_other_than_cps_not_permitted",
+ Description: "Policy Qualifiers other than id-qt-cps MUST NOT be present for certificates issued on or after September 15, 2023",
+ Citation: "BRs: 7.1.2.7.9",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.SC62EffectiveDate,
+ },
+ Lint: NewPolicyQualifiersOtherThanCpsNotPermitted,
+ })
+}
+
+type PolicyQualifiersOtherThanCpsNotPermitted struct{}
+
+func NewPolicyQualifiersOtherThanCpsNotPermitted() lint.LintInterface {
+ return &PolicyQualifiersOtherThanCpsNotPermitted{}
+}
+
+func (l *PolicyQualifiersOtherThanCpsNotPermitted) CheckApplies(c *x509.Certificate) bool {
+
+ return util.IsExtInCert(c, util.CertPolicyOID)
+
+}
+
+func (l *PolicyQualifiersOtherThanCpsNotPermitted) Execute(c *x509.Certificate) *lint.LintResult {
+ for _, qualifiers := range c.QualifierId {
+ for _, qt := range qualifiers {
+ if !qt.Equal(util.CpsOID) {
+ return &lint.LintResult{Status: lint.Error}
+ }
+ }
+ }
+ return &lint.LintResult{Status: lint.Pass}
+
+}
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_prohibit_dsa_usage.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_prohibit_dsa_usage.go
index 95c06d3ea..6263e6cc6 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_prohibit_dsa_usage.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_prohibit_dsa_usage.go
@@ -23,13 +23,15 @@ import (
 type prohibitDSAUsage struct{}
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_br_prohibit_dsa_usage",
- Description: "DSA was removed from the Baseline Requirements as a valid signature algorithm in 1.7.1.",
- Citation: "BRs: v1.7.1",
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.CABFBRs_1_7_1_Date,
- Lint: NewProhibitDSAUsage,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_br_prohibit_dsa_usage",
+ Description: "DSA was removed from the Baseline Requirements as a valid signature algorithm in 1.7.1.",
+ Citation: "BRs: v1.7.1",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.CABFBRs_1_7_1_Date,
+ },
+ Lint: NewProhibitDSAUsage,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_public_key_type_not_allowed.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_public_key_type_not_allowed.go
index 83146b83f..7fce2e798 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_public_key_type_not_allowed.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_public_key_type_not_allowed.go
@@ -23,13 +23,15 @@ import (
 type publicKeyAllowed struct{}
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_public_key_type_not_allowed",
- Description: "Certificates MUST have RSA, DSA, or ECDSA public key type",
- Citation: "BRs: 6.1.5",
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
- Lint: NewPublicKeyAllowed,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_public_key_type_not_allowed",
+ Description: "Certificates MUST have RSA, DSA, or ECDSA public key type",
+ Citation: "BRs: 6.1.5",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.CABEffectiveDate,
+ },
+ Lint: NewPublicKeyAllowed,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_root_ca_basic_constraints_path_len_constraint_field_present.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_root_ca_basic_constraints_path_len_constraint_field_present.go
index 6360e6f0f..e00bec696 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_root_ca_basic_constraints_path_len_constraint_field_present.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_root_ca_basic_constraints_path_len_constraint_field_present.go
@@ -30,13 +30,15 @@ This extension MUST appear as a critical extension. The cA field MUST be set tru
 ***********************************************************************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "w_root_ca_basic_constraints_path_len_constraint_field_present",
- Description: "Root CA certificate basicConstraint extension pathLenConstraint field SHOULD NOT be present",
- Citation: "BRs: 7.1.2.1",
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
- Lint: NewRootCaPathLenPresent,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "w_root_ca_basic_constraints_path_len_constraint_field_present",
+ Description: "Root CA certificate basicConstraint extension pathLenConstraint field SHOULD NOT be present",
+ Citation: "BRs: 7.1.2.1",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.CABEffectiveDate,
+ },
+ Lint: NewRootCaPathLenPresent,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_root_ca_contains_cert_policy.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_root_ca_contains_cert_policy.go
index 655a190fa..91a1692c3 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_root_ca_contains_cert_policy.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_root_ca_contains_cert_policy.go
@@ -28,13 +28,15 @@ This extension SHOULD NOT be present.
 ************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "w_root_ca_contains_cert_policy",
- Description: "Root CA Certificate: certificatePolicies SHOULD NOT be present.",
- Citation: "BRs: 7.1.2.1",
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
- Lint: NewRootCAContainsCertPolicy,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "w_root_ca_contains_cert_policy",
+ Description: "Root CA Certificate: certificatePolicies SHOULD NOT be present.",
+ Citation: "BRs: 7.1.2.1",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.CABEffectiveDate,
+ },
+ Lint: NewRootCAContainsCertPolicy,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_root_ca_extended_key_usage_present.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_root_ca_extended_key_usage_present.go
index adf06b02f..14ba991af 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_root_ca_extended_key_usage_present.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_root_ca_extended_key_usage_present.go
@@ -28,13 +28,15 @@ This extension MUST NOT be present.
 ************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_root_ca_extended_key_usage_present",
- Description: "Root CA Certificate: extendedKeyUsage MUST NOT be present.t",
- Citation: "BRs: 7.1.2.1",
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
- Lint: NewRootCAContainsEKU,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_root_ca_extended_key_usage_present",
+ Description: "Root CA Certificate: extendedKeyUsage MUST NOT be present.t",
+ Citation: "BRs: 7.1.2.1",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.CABEffectiveDate,
+ },
+ Lint: NewRootCAContainsEKU,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_root_ca_key_usage_must_be_critical.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_root_ca_key_usage_must_be_critical.go
index 89e181a3a..3768d0801 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_root_ca_key_usage_must_be_critical.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_root_ca_key_usage_must_be_critical.go
@@ -23,13 +23,15 @@ import (
 type rootCAKeyUsageMustBeCritical struct{}
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_root_ca_key_usage_must_be_critical",
- Description: "Root CA certificates MUST have Key Usage Extension marked critical",
- Citation: "BRs: 7.1.2.1",
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.RFC2459Date,
- Lint: NewRootCAKeyUsageMustBeCritical,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_root_ca_key_usage_must_be_critical",
+ Description: "Root CA certificates MUST have Key Usage Extension marked critical",
+ Citation: "BRs: 7.1.2.1",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.RFC2459Date,
+ },
+ Lint: NewRootCAKeyUsageMustBeCritical,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_root_ca_key_usage_present.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_root_ca_key_usage_present.go
index 7fdf2468d..65ec01fcd 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_root_ca_key_usage_present.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_root_ca_key_usage_present.go
@@ -23,13 +23,15 @@ import (
 type rootCAKeyUsagePresent struct{}
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_root_ca_key_usage_present",
- Description: "Root CA certificates MUST have Key Usage Extension Present",
- Citation: "BRs: 7.1.2.1",
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.RFC2459Date,
- Lint: NewRootCAKeyUsagePresent,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_root_ca_key_usage_present",
+ Description: "Root CA certificates MUST have Key Usage Extension Present",
+ Citation: "BRs: 7.1.2.1",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.RFC2459Date,
+ },
+ Lint: NewRootCAKeyUsagePresent,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_rsa_mod_factors_smaller_than_752_bits.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_rsa_mod_factors_smaller_than_752_bits.go
index 7b6700839..1c983ba6b 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_rsa_mod_factors_smaller_than_752_bits.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_rsa_mod_factors_smaller_than_752_bits.go
@@ -30,13 +30,15 @@ RSA: The CA SHALL confirm that the value of the public exponent is an odd number
 **************************************************************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "w_rsa_mod_factors_smaller_than_752",
- Description: "RSA: Modulus SHOULD also have the following characteristics: no factors smaller than 752",
- Citation: "BRs: 6.1.6",
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.CABV113Date,
- Lint: NewRsaModSmallFactor,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "w_rsa_mod_factors_smaller_than_752",
+ Description: "RSA: Modulus SHOULD also have the following characteristics: no factors smaller than 752",
+ Citation: "BRs: 6.1.6",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.CABV113Date,
+ },
+ Lint: NewRsaModSmallFactor,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_rsa_mod_less_than_2048_bits.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_rsa_mod_less_than_2048_bits.go
index 9431e7a16..66745bdb9 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_rsa_mod_less_than_2048_bits.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_rsa_mod_less_than_2048_bits.go
@@ -25,13 +25,15 @@ import (
 type rsaParsedTestsKeySize struct{}
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_rsa_mod_less_than_2048_bits",
- Description: "For certificates valid after 31 Dec 2013, all certificates using RSA public key algorithm MUST have 2048 bits of modulus",
- Citation: "BRs: 6.1.5",
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.ZeroDate,
- Lint: NewRsaParsedTestsKeySize,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_rsa_mod_less_than_2048_bits",
+ Description: "For certificates valid after 31 Dec 2013, all certificates using RSA public key algorithm MUST have 2048 bits of modulus",
+ Citation: "BRs: 6.1.5",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.ZeroDate,
+ },
+ Lint: NewRsaParsedTestsKeySize,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_rsa_mod_not_odd.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_rsa_mod_not_odd.go
index 6f71c19fc..e18e9baa3 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_rsa_mod_not_odd.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_rsa_mod_not_odd.go
@@ -31,13 +31,15 @@ RSA: The CA SHALL confirm that the value of the public exponent is an odd number
 *******************************************************************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "w_rsa_mod_not_odd",
- Description: "RSA: Modulus SHOULD also have the following characteristics: an odd number",
- Citation: "BRs: 6.1.6",
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.CABV113Date,
- Lint: NewRsaParsedTestsKeyModOdd,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "w_rsa_mod_not_odd",
+ Description: "RSA: Modulus SHOULD also have the following characteristics: an odd number",
+ Citation: "BRs: 6.1.6",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.CABV113Date,
+ },
+ Lint: NewRsaParsedTestsKeyModOdd,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_rsa_public_exponent_not_in_range.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_rsa_public_exponent_not_in_range.go
index 79e1d3a3c..e95f173b3 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_rsa_public_exponent_not_in_range.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_rsa_public_exponent_not_in_range.go
@@ -33,13 +33,15 @@ RSA: The CA SHALL confirm that the value of the public exponent is an odd number
 *******************************************************************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "w_rsa_public_exponent_not_in_range",
- Description: "RSA: Public exponent SHOULD be in the range between 2^16 + 1 and 2^256 - 1",
- Citation: "BRs: 6.1.6",
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.CABV113Date,
- Lint: NewRsaParsedTestsExpInRange,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "w_rsa_public_exponent_not_in_range",
+ Description: "RSA: Public exponent SHOULD be in the range between 2^16 + 1 and 2^256 - 1",
+ Citation: "BRs: 6.1.6",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.CABV113Date,
+ },
+ Lint: NewRsaParsedTestsExpInRange,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_rsa_public_exponent_not_odd.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_rsa_public_exponent_not_odd.go
index 597a3efd6..19aab90e8 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_rsa_public_exponent_not_odd.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_rsa_public_exponent_not_odd.go
@@ -30,13 +30,15 @@ RSA: The CA SHALL confirm that the value of the public exponent is an odd number
 *******************************************************************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_rsa_public_exponent_not_odd",
- Description: "RSA: Value of public exponent is an odd number equal to 3 or more.",
- Citation: "BRs: 6.1.6",
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.CABV113Date,
- Lint: NewRsaParsedTestsKeyExpOdd,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_rsa_public_exponent_not_odd",
+ Description: "RSA: Value of public exponent is an odd number equal to 3 or more.",
+ Citation: "BRs: 6.1.6",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.CABV113Date,
+ },
+ Lint: NewRsaParsedTestsKeyExpOdd,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_rsa_public_exponent_too_small.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_rsa_public_exponent_too_small.go
index 7750879d5..41c33f156 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_rsa_public_exponent_too_small.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_rsa_public_exponent_too_small.go
@@ -30,13 +30,15 @@ RSA: The CA SHALL confirm that the value of the public exponent is an odd number
 *******************************************************************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_rsa_public_exponent_too_small",
- Description: "RSA: Value of public exponent is an odd number equal to 3 or more.",
- Citation: "BRs: 6.1.6",
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.CABV113Date,
- Lint: NewRsaParsedTestsExpBounds,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_rsa_public_exponent_too_small",
+ Description: "RSA: Value of public exponent is an odd number equal to 3 or more.",
+ Citation: "BRs: 6.1.6",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.CABV113Date,
+ },
+ Lint: NewRsaParsedTestsExpBounds,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_san_dns_name_onion_invalid.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_san_dns_name_onion_invalid.go
index c169e55a8..7455bfa6f 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_san_dns_name_onion_invalid.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_san_dns_name_onion_invalid.go
@@ -78,13 +78,15 @@ See also https://github.com/cabforum/documents/issues/191
 *******************************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_san_dns_name_onion_invalid",
- Description: "certificates with a .onion subject name must be issued in accordance with the Tor address/rendezvous specification",
- Citation: "RFC 7686, EVGs v1.7.2: Appendix F, BRs v1.6.9: Appendix C",
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.OnionOnlyEVDate,
- Lint: NewOnionNotValid,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_san_dns_name_onion_invalid",
+ Description: "certificates with a .onion subject name must be issued in accordance with the Tor address/rendezvous specification",
+ Citation: "RFC 7686, EVGs v1.7.2: Appendix F, BRs v1.6.9: Appendix C",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.OnionOnlyEVDate,
+ },
+ Lint: NewOnionNotValid,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_san_dns_name_onion_not_ev_cert.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_san_dns_name_onion_not_ev_cert.go
index 806496396..0376d4dcf 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_san_dns_name_onion_not_ev_cert.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_san_dns_name_onion_not_ev_cert.go
@@ -25,13 +25,15 @@ import (
 type onionNotEV struct{}
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_san_dns_name_onion_not_ev_cert",
- Description: "certificates with a .onion subject name must be issued in accordance with EV Guidelines",
- Citation: "CABF Ballot 144",
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.OnionOnlyEVDate,
- Lint: NewOnionNotEV,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_san_dns_name_onion_not_ev_cert",
+ Description: "certificates with a .onion subject name must be issued in accordance with EV Guidelines",
+ Citation: "CABF Ballot 144",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.OnionOnlyEVDate,
+ },
+ Lint: NewOnionNotEV,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_signature_algorithm_not_supported.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_signature_algorithm_not_supported.go
index 045f6a06f..87c82c686 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_signature_algorithm_not_supported.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_signature_algorithm_not_supported.go
@@ -55,13 +55,15 @@ var (
 type signatureAlgorithmNotSupported struct{}
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_signature_algorithm_not_supported",
- Description: "Certificates MUST meet the following requirements for algorithm Source: SHA-1*, SHA-256, SHA-384, SHA-512",
- Citation: "BRs: 6.1.5",
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.ZeroDate,
- Lint: NewSignatureAlgorithmNotSupported,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_signature_algorithm_not_supported",
+ Description: "Certificates MUST meet the following requirements for algorithm Source: SHA-1*, SHA-256, SHA-384, SHA-512",
+ Citation: "BRs: 6.1.5",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.ZeroDate,
+ },
+ Lint: NewSignatureAlgorithmNotSupported,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_aia_does_not_contain_issuing_ca_url.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_aia_does_not_contain_issuing_ca_url.go
index 44a5569ed..d10c2efde 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_aia_does_not_contain_issuing_ca_url.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_aia_does_not_contain_issuing_ca_url.go
@@ -33,13 +33,15 @@ It SHOULD contain the HTTP URL of the Issuing CA’s certificate (accessMethod =
 ************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "w_sub_ca_aia_does_not_contain_issuing_ca_url",
- Description: "Subordinate CA Certificate: authorityInformationAccess SHOULD also contain the HTTP URL of the Issuing CA's certificate.",
- Citation: "BRs: 7.1.2.2",
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
- Lint: NewSubCaIssuerUrl,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "w_sub_ca_aia_does_not_contain_issuing_ca_url",
+ Description: "Subordinate CA Certificate: authorityInformationAccess SHOULD also contain the HTTP URL of the Issuing CA's certificate.",
+ Citation: "BRs: 7.1.2.2",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.CABEffectiveDate,
+ },
+ Lint: NewSubCaIssuerUrl,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_aia_marked_critical.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_aia_marked_critical.go
index 7cc7f0342..1dec74e97 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_aia_marked_critical.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_aia_marked_critical.go
@@ -23,13 +23,15 @@ import (
 type subCaAIAMarkedCritical struct{}
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_sub_ca_aia_marked_critical",
- Description: "Subordinate CA Certificate: authorityInformationAccess MUST NOT be marked critical",
- Citation: "BRs: 7.1.2.2",
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.ZeroDate,
- Lint: NewSubCaAIAMarkedCritical,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_sub_ca_aia_marked_critical",
+ Description: "Subordinate CA Certificate: authorityInformationAccess MUST NOT be marked critical",
+ Citation: "BRs: 7.1.2.2",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.ZeroDate,
+ },
+ Lint: NewSubCaAIAMarkedCritical,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_certificate_policies_marked_critical.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_certificate_policies_marked_critical.go
index fab68b54a..9bf3bac2b 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_certificate_policies_marked_critical.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_certificate_policies_marked_critical.go
@@ -28,13 +28,15 @@ This extension MUST be present and SHOULD NOT be marked critical.
 ************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "w_sub_ca_certificate_policies_marked_critical",
- Description: "Subordinate CA certificates certificatePolicies extension should not be marked as critical",
- Citation: "BRs: 7.1.2.2",
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
- Lint: NewSubCACertPolicyCrit,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "w_sub_ca_certificate_policies_marked_critical",
+ Description: "Subordinate CA certificates certificatePolicies extension should not be marked as critical",
+ Citation: "BRs: 7.1.2.2",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.CABEffectiveDate,
+ },
+ Lint: NewSubCACertPolicyCrit,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_certificate_policies_missing.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_certificate_policies_missing.go
index 74829dc41..68742d27b 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_certificate_policies_missing.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_certificate_policies_missing.go
@@ -28,13 +28,15 @@ This extension MUST be present and SHOULD NOT be marked critical.
 ************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_sub_ca_certificate_policies_missing",
- Description: "Subordinate CA certificates must have a certificatePolicies extension",
- Citation: "BRs: 7.1.2.2",
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
- Lint: NewSubCACertPolicyMissing,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_sub_ca_certificate_policies_missing",
+ Description: "Subordinate CA certificates must have a certificatePolicies extension",
+ Citation: "BRs: 7.1.2.2",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.CABEffectiveDate,
+ },
+ Lint: NewSubCACertPolicyMissing,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_crl_distribution_points_does_not_contain_url.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_crl_distribution_points_does_not_contain_url.go
index 78a4e4ac7..7d0cf98cb 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_crl_distribution_points_does_not_contain_url.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_crl_distribution_points_does_not_contain_url.go
@@ -31,13 +31,15 @@ It MUST contain the HTTP URL of the CA’s CRL service.
 ************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_sub_ca_crl_distribution_points_does_not_contain_url",
- Description: "Subordinate CA Certificate: cRLDistributionPoints MUST contain the HTTP URL of the CA's CRL service.",
- Citation: "BRs: 7.1.2.2",
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
- Lint: NewSubCACRLDistNoUrl,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_sub_ca_crl_distribution_points_does_not_contain_url",
+ Description: "Subordinate CA Certificate: cRLDistributionPoints MUST contain the HTTP URL of the CA's CRL service.",
+ Citation: "BRs: 7.1.2.2",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.CABEffectiveDate,
+ },
+ Lint: NewSubCACRLDistNoUrl,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_crl_distribution_points_marked_critical.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_crl_distribution_points_marked_critical.go
index 5c7314565..332745ea9 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_crl_distribution_points_marked_critical.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_crl_distribution_points_marked_critical.go
@@ -29,13 +29,15 @@ It MUST contain the HTTP URL of the CA’s CRL service.
 ************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_sub_ca_crl_distribution_points_marked_critical",
- Description: "Subordinate CA Certificate: cRLDistributionPoints MUST be present and MUST NOT be marked critical.",
- Citation: "BRs: 7.1.2.2",
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
- Lint: NewSubCACRLDistCrit,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_sub_ca_crl_distribution_points_marked_critical",
+ Description: "Subordinate CA Certificate: cRLDistributionPoints MUST be present and MUST NOT be marked critical.",
+ Citation: "BRs: 7.1.2.2",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.CABEffectiveDate,
+ },
+ Lint: NewSubCACRLDistCrit,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_crl_distribution_points_missing.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_crl_distribution_points_missing.go
index f6d58a77f..6e94546b6 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_crl_distribution_points_missing.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_crl_distribution_points_missing.go
@@ -29,13 +29,15 @@ It MUST contain the HTTP URL of the CA’s CRL service.
 ************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_sub_ca_crl_distribution_points_missing",
- Description: "Subordinate CA Certificate: cRLDistributionPoints MUST be present and MUST NOT be marked critical.",
- Citation: "BRs: 7.1.2.2",
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
- Lint: NewSubCACRLDistMissing,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_sub_ca_crl_distribution_points_missing",
+ Description: "Subordinate CA Certificate: cRLDistributionPoints MUST be present and MUST NOT be marked critical.",
+ Citation: "BRs: 7.1.2.2",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.CABEffectiveDate,
+ },
+ Lint: NewSubCACRLDistMissing,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_eku_critical.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_eku_critical.go
index 8210ee8be..5b03cce46 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_eku_critical.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_eku_critical.go
@@ -31,13 +31,15 @@ If present, this extension SHOULD be marked non‐critical.
 ************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "w_sub_ca_eku_critical",
- Description: "Subordinate CA certificate extkeyUsage extension should be marked non-critical if present",
- Citation: "BRs: 7.1.2.2",
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.CABV116Date,
- Lint: NewSubCAEKUCrit,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "w_sub_ca_eku_critical",
+ Description: "Subordinate CA certificate extkeyUsage extension should be marked non-critical if present",
+ Citation: "BRs: 7.1.2.2",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.CABV116Date,
+ },
+ Lint: NewSubCAEKUCrit,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_eku_missing.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_eku_missing.go
index 913005eda..b641ac719 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_eku_missing.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_eku_missing.go
@@ -23,13 +23,15 @@ import (
 type subCAEKUMissing struct{}
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "n_sub_ca_eku_missing",
- Description: "To be considered Technically Constrained, the Subordinate CA certificate MUST have extkeyUsage extension",
- Citation: "BRs: 7.1.5",
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
- Lint: NewSubCAEKUMissing,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "n_sub_ca_eku_missing",
+ Description: "To be considered Technically Constrained, the Subordinate CA certificate MUST have extkeyUsage extension",
+ Citation: "BRs: 7.1.5",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.CABEffectiveDate,
+ },
+ Lint: NewSubCAEKUMissing,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_eku_valid_fields.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_eku_valid_fields.go
index 6cecabb37..d4f72bf21 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_eku_valid_fields.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_eku_valid_fields.go
@@ -23,13 +23,15 @@ import (
 type subCAEKUValidFields struct{}
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "n_sub_ca_eku_not_technically_constrained",
- Description: "Subordinate CA extkeyUsage, either id-kp-serverAuth or id-kp-clientAuth or both values MUST be present to be technically constrained.",
- Citation: "BRs: 7.1.2.2",
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.CABV116Date,
- Lint: NewSubCAEKUValidFields,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "n_sub_ca_eku_not_technically_constrained",
+ Description: "Subordinate CA extkeyUsage, either id-kp-serverAuth or id-kp-clientAuth or both values MUST be present to be technically constrained.",
+ Citation: "BRs: 7.1.2.2",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.CABV116Date,
+ },
+ Lint: NewSubCAEKUValidFields,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_name_constraints_not_critical.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_name_constraints_not_critical.go
index 9df044f06..9b1623458 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_name_constraints_not_critical.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_name_constraints_not_critical.go
@@ -34,13 +34,15 @@ substantial portion of Relying Parties worldwide
 ************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "w_sub_ca_name_constraints_not_critical",
- Description: "Subordinate CA Certificate: NameConstraints if present, SHOULD be marked critical.",
- Citation: "BRs: 7.1.2.2",
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.CABV102Date,
- Lint: NewSubCANameConstraintsNotCritical,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "w_sub_ca_name_constraints_not_critical",
+ Description: "Subordinate CA Certificate: NameConstraints if present, SHOULD be marked critical.",
+ Citation: "BRs: 7.1.2.2",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.CABV102Date,
+ },
+ Lint: NewSubCANameConstraintsNotCritical,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_aia_contains_internal_names.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_aia_contains_internal_names.go
new file mode 100644
index 000000000..049c22edb
--- /dev/null
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_aia_contains_internal_names.go
@@ -0,0 +1,79 @@
+package cabf_br
+
+/*
+ * ZLint Copyright 2023 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+import (
+ "net/url"
+ "time"
+
+ "github.com/zmap/zcrypto/x509"
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/util"
+)
+
+type subCertAIAInternalName struct{}
+
+/************************************************************************
+BRs: 7.1.2.10.3
+CA Certificate Authority Information Access
+This extension MAY be present. If present, it MUST NOT be marked critical, and it MUST contain the
+HTTP URL of the CA’s CRL service.
+
+id-ad-ocsp A HTTP URL of the Issuing CA's OCSP responder.
+id-ad-caIssuers A HTTP URL of the Issuing CA's Certificate.
+*************************************************************************/
+
+func init() {
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "w_sub_cert_aia_contains_internal_names",
+ Description: "Subscriber certificates authorityInformationAccess extension should contain the HTTP URL of the issuing CA’s certificate, for public certificates this should not be an internal name",
+ Citation: "BRs: 7.1.2.10.3",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.CABEffectiveDate,
+ },
+ Lint: NewSubCertAIAInternalName,
+ })
+}
+
+func NewSubCertAIAInternalName() lint.LintInterface {
+ return &subCertAIAInternalName{}
+}
+
+func (l *subCertAIAInternalName) CheckApplies(c *x509.Certificate) bool {
+ return util.IsSubscriberCert(c)
+}
+
+func (l *subCertAIAInternalName) Execute(c *x509.Certificate) *lint.LintResult {
+ for _, u := range c.OCSPServer {
+ purl, err := url.Parse(u)
+ if err != nil {
+ return &lint.LintResult{Status: lint.Error}
+ }
+ if !util.HasValidTLD(purl.Hostname(), time.Now()) {
+ return &lint.LintResult{Status: lint.Warn}
+ }
+ }
+ for _, u := range c.IssuingCertificateURL {
+ purl, err := url.Parse(u)
+ if err != nil {
+ return &lint.LintResult{Status: lint.Error}
+ }
+ if !util.HasValidTLD(purl.Hostname(), time.Now()) {
+ return &lint.LintResult{Status: lint.Warn}
+ }
+ }
+ return &lint.LintResult{Status: lint.Pass}
+}
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_aia_does_not_contain_issuing_ca_url.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_aia_does_not_contain_issuing_ca_url.go
index 3c1b6de60..c7d6b8fad 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_aia_does_not_contain_issuing_ca_url.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_aia_does_not_contain_issuing_ca_url.go
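Review bot: `Execute` in the new `w_sub_cert_aia_contains_internal_names` lint evaluates `util.HasValidTLD(purl.Hostname(), time.Now())` against wall-clock time rather than a date taken from the certificate, so the verdict for the same certificate can drift as the TLD list changes and a re-run is not reproducible; if the intent is to judge the name as of issuance, `c.NotBefore` would be the deterministic choice (the lint package's convention is not visible in this chunk, so confirm before changing). Both the `Error` returned on a `url.Parse` failure and the `Warn` are emitted without `Details`, which leaves the consumer unable to tell which AIA URL triggered the finding; e.g. `return &lint.LintResult{Status: lint.Warn, Details: "AIA URL host has no valid TLD: " + purl.Hostname()}`. The `OCSPServer` and `IssuingCertificateURL` loops are byte-for-byte identical and could share one helper taking a `[]string`. A scheme-less AIA value parses with an empty host, so `Hostname()` is empty and the lint warns — presumably intended, since the BR text requires HTTP URLs, but a one-line comment saying so would help.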
@@ -32,13 +32,15 @@ HTTP URL of the CA’s CRL service.
 *************************************************************************/
 
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "w_sub_cert_aia_does_not_contain_issuing_ca_url",
- Description: "Subscriber certificates authorityInformationAccess extension should contain the HTTP URL of the issuing CA’s certificate",
- Citation: "BRs: 7.1.2.3",
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
- Lint: NewSubCertIssuerUrl,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "w_sub_cert_aia_does_not_contain_issuing_ca_url",
+ Description: "Subscriber certificates authorityInformationAccess extension should contain the HTTP URL of the issuing CA’s certificate",
+ Citation: "BRs: 7.1.2.3",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.CABEffectiveDate,
+ },
+ Lint: NewSubCertIssuerUrl,
 })
 }
 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_aia_does_not_contain_ocsp_url.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_aia_does_not_contain_ocsp_url.go
index 6c7812c8e..6c3a73559 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_aia_does_not_contain_ocsp_url.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_aia_does_not_contain_ocsp_url.go
@@ -34,13 +34,15 @@ It SHOULD also contain the HTTP URL of the Issuing CA’s certificate (accessMet
 ***************************************************************************************************/
 
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_sub_cert_aia_does_not_contain_ocsp_url",
- Description: "Subscriber Certificate: authorityInformationAccess MUST contain the HTTP URL of the Issuing CA's OSCP responder.",
- Citation: "BRs: 7.1.2.3",
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
- Lint: NewSubCertOcspUrl,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_sub_cert_aia_does_not_contain_ocsp_url",
+ Description: "Subscriber Certificate: authorityInformationAccess MUST contain the HTTP URL of the Issuing CA's OSCP responder.",
+ Citation: "BRs: 7.1.2.3",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.CABEffectiveDate,
+ },
+ Lint: NewSubCertOcspUrl,
 })
 }
 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_aia_marked_critical.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_aia_marked_critical.go
index 2b626eb7f..de6eb1550 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_aia_marked_critical.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_aia_marked_critical.go
@@ -23,13 +23,15 @@ import (
 type subCertAiaMarkedCritical struct{}
 
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_sub_cert_aia_marked_critical",
- Description: "Subscriber Certificate: authorityInformationAccess MUST NOT be marked critical",
- Citation: "BRs: 7.1.2.3",
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
- Lint: NewSubCertAiaMarkedCritical,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_sub_cert_aia_marked_critical",
+ Description: "Subscriber Certificate: authorityInformationAccess MUST NOT be marked critical",
+ Citation: "BRs: 7.1.2.3",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.CABEffectiveDate,
+ },
+ Lint: NewSubCertAiaMarkedCritical,
 })
 }
 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_aia_missing.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_aia_missing.go
index 86303f65a..43f813356 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_aia_missing.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_aia_missing.go
@@ -32,13 +32,15 @@ marked critical, and it MUST contain the HTTP URL of the Issuing CA’s OCSP res
 ***************************************************************************************************/
 
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_sub_cert_aia_missing",
- Description: "Subscriber Certificate: authorityInformationAccess MUST be present.",
- Citation: "BRs: 7.1.2.3",
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
- Lint: NewSubCertAiaMissing,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_sub_cert_aia_missing",
+ Description: "Subscriber Certificate: authorityInformationAccess MUST be present.",
+ Citation: "BRs: 7.1.2.3",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.CABEffectiveDate,
+ },
+ Lint: NewSubCertAiaMissing,
 })
 }
 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_basic_constraints_not_critical.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_basic_constraints_not_critical.go
new file mode 100644
index 000000000..fc67dfd34
--- /dev/null
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_basic_constraints_not_critical.go
@@ -0,0 +1,65 @@
+package cabf_br
+
+/*
+ * ZLint Copyright 2023 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+import (
+ "fmt"
+
+ "github.com/zmap/zcrypto/x509"
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/util"
+)
+
+type subCertBasicConstCrit struct{}
+
+/************************************************
+CA/Browser Forum BRs: 7.1.2.7.6 Subscriber Certificate Extensions
+
+| __Extension__ | __Presence__ | __Critical__ | __Description__ |
+| ---- | - | - | ----- |
+| `basicConstraints` | MAY | Y | See [Section 7.1.2.7.8](#71278-subscriber-certificate-basic-constraints) |
+************************************************/
+
+func init() {
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_sub_cert_basic_constraints_not_critical",
+ Description: "basicConstraints MAY appear in the certificate, and when it is included MUST be marked as critical",
+ Citation: "CA/Browser Forum BRs: 7.1.2.7.6",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.SC62EffectiveDate,
+ },
+ Lint: NewSubCertBasicConstCrit,
+ })
+}
+
+func NewSubCertBasicConstCrit() lint.LintInterface {
+ return &subCertBasicConstCrit{}
+}
+
+func (l *subCertBasicConstCrit) CheckApplies(c *x509.Certificate) bool {
+ return util.IsSubscriberCert(c) && util.IsExtInCert(c, util.BasicConstOID)
+}
+
+func (l *subCertBasicConstCrit) Execute(c *x509.Certificate) *lint.LintResult {
+ if e := util.GetExtFromCert(c, util.BasicConstOID); e != nil {
+ if e.Critical {
+ return &lint.LintResult{Status: lint.Pass}
+ } else {
+ return &lint.LintResult{Status: lint.Error, Details: fmt.Sprintf("Basic Constraints extension is present (%v) and marked as non-critical", e.Id)}
+ }
+ }
+ return &lint.LintResult{Status: lint.Fatal, Details: "Error processing Basic Constraints extension"}
+}
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_cert_policy_empty.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_cert_policy_empty.go
index 740d96b16..18ad66830 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_cert_policy_empty.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_cert_policy_empty.go
@@ -23,13 +23,15 @@ import (
 type subCertPolicyEmpty struct{}
 
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_sub_cert_cert_policy_empty",
- Description: "Subscriber certificates must contain at least one policy identifier that indicates adherence to CAB standards",
- Citation: "BRs: 7.1.2.3",
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
- Lint: NewSubCertPolicyEmpty,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_sub_cert_cert_policy_empty",
+ Description: "Subscriber certificates must contain at least one policy identifier that indicates adherence to CAB standards",
+ Citation: "BRs: 7.1.2.3",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.CABEffectiveDate,
+ },
+ Lint: NewSubCertPolicyEmpty,
 })
 }
 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_certificate_policies_marked_critical.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_certificate_policies_marked_critical.go
index b89fb0c60..59c1e5c00 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_certificate_policies_marked_critical.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_certificate_policies_marked_critical.go
@@ -29,13 +29,15 @@ This extension MUST be present and SHOULD NOT be marked critical.
 ******************************************************************************/
 
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "w_sub_cert_certificate_policies_marked_critical",
- Description: "Subscriber Certificate: certificatePolicies MUST be present and SHOULD NOT be marked critical.",
- Citation: "BRs: 7.1.2.3",
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
- Lint: NewSubCertPolicyCrit,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "w_sub_cert_certificate_policies_marked_critical",
+ Description: "Subscriber Certificate: certificatePolicies MUST be present and SHOULD NOT be marked critical.",
+ Citation: "BRs: 7.1.2.3",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.CABEffectiveDate,
+ },
+ Lint: NewSubCertPolicyCrit,
 })
 }
 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_certificate_policies_missing.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_certificate_policies_missing.go
index 012a32d57..d97365c6e 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_certificate_policies_missing.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_certificate_policies_missing.go
@@ -29,13 +29,15 @@ This extension MUST be present and SHOULD NOT be marked critical.
 ******************************************************************************/
 
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_sub_cert_certificate_policies_missing",
- Description: "Subscriber Certificate: certificatePolicies MUST be present and SHOULD NOT be marked critical.",
- Citation: "BRs: 7.1.2.3",
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
- Lint: NewSubCertPolicy,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_sub_cert_certificate_policies_missing",
+ Description: "Subscriber Certificate: certificatePolicies MUST be present and SHOULD NOT be marked critical.",
+ Citation: "BRs: 7.1.2.3",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.CABEffectiveDate,
+ },
+ Lint: NewSubCertPolicy,
 })
 }
 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_country_name_must_appear.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_country_name_must_appear.go
index 1b6a6499d..db0ddb057 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_country_name_must_appear.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_country_name_must_appear.go
@@ -23,13 +23,15 @@ import (
 type subCertCountryNameMustAppear struct{}
 
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_sub_cert_country_name_must_appear",
- Description: "Subscriber Certificate: subject:countryName MUST appear if the subject:organizationName field, subject:givenName field, or subject:surname fields are present.",
- Citation: "BRs: 7.1.4.2.2",
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.CABGivenNameDate,
- Lint: NewSubCertCountryNameMustAppear,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_sub_cert_country_name_must_appear",
+ Description: "Subscriber Certificate: subject:countryName MUST appear if the subject:organizationName field, subject:givenName field, or subject:surname fields are present.",
+ Citation: "BRs: 7.1.4.2.2",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.CABGivenNameDate,
+ },
+ Lint: NewSubCertCountryNameMustAppear,
 })
 }
 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_crl_distribution_points_does_not_contain_url.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_crl_distribution_points_does_not_contain_url.go
index d81ae5fb6..facab3aaf 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_crl_distribution_points_does_not_contain_url.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_crl_distribution_points_does_not_contain_url.go
@@ -32,13 +32,15 @@ URL of the CA’s CRL service.
 *******************************************************************************************************/
 
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_sub_cert_crl_distribution_points_does_not_contain_url",
- Description: "Subscriber certificate cRLDistributionPoints extension must contain the HTTP URL of the CA’s CRL service",
- Citation: "BRs: 7.1.2.3",
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
- Lint: NewSubCRLDistNoURL,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_sub_cert_crl_distribution_points_does_not_contain_url",
+ Description: "Subscriber certificate cRLDistributionPoints extension must contain the HTTP URL of the CA’s CRL service",
+ Citation: "BRs: 7.1.2.3",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.CABEffectiveDate,
+ },
+ Lint: NewSubCRLDistNoURL,
 })
 }
 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_crl_distribution_points_marked_critical.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_crl_distribution_points_marked_critical.go
index 074472a94..763ed5694 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_crl_distribution_points_marked_critical.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_crl_distribution_points_marked_critical.go
@@ -30,13 +30,15 @@ URL of the CA’s CRL service.
 *******************************************************************************************************/
 
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_sub_cert_crl_distribution_points_marked_critical",
- Description: "Subscriber Certificate: cRLDistributionPoints MUST NOT be marked critical, and MUST contain the HTTP URL of the CA's CRL service.",
- Citation: "BRs: 7.1.2.3",
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
- Lint: NewSubCrlDistCrit,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_sub_cert_crl_distribution_points_marked_critical",
+ Description: "Subscriber Certificate: cRLDistributionPoints MUST NOT be marked critical, and MUST contain the HTTP URL of the CA's CRL service.",
+ Citation: "BRs: 7.1.2.3",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.CABEffectiveDate,
+ },
+ Lint: NewSubCrlDistCrit,
 })
 }
 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_eku_extra_values.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_eku_extra_values.go
index 5c13ca7ff..8e324a457 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_eku_extra_values.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_eku_extra_values.go
@@ -32,13 +32,15 @@ present.
 *******************************************************************************************************/
 
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "w_sub_cert_eku_extra_values",
- Description: "Subscriber Certificate: extKeyUsage values other than id-kp-serverAuth, id-kp-clientAuth, and id-kp-emailProtection SHOULD NOT be present.",
- Citation: "BRs: 7.1.2.3",
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
- Lint: NewSubExtKeyUsageLegalUsage,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "w_sub_cert_eku_extra_values",
+ Description: "Subscriber Certificate: extKeyUsage values other than id-kp-serverAuth, id-kp-clientAuth, and id-kp-emailProtection SHOULD NOT be present.",
+ Citation: "BRs: 7.1.2.3",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.CABEffectiveDate,
+ },
+ Lint: NewSubExtKeyUsageLegalUsage,
 })
 }
 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_eku_missing.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_eku_missing.go
index b3ac8a7e9..7efd18e4a 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_eku_missing.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_eku_missing.go
@@ -31,13 +31,15 @@ present.
 *******************************************************************************************************/
 
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_sub_cert_eku_missing",
- Description: "Subscriber certificates MUST have the extended key usage extension present",
- Citation: "BRs: 7.1.2.3",
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
- Lint: NewSubExtKeyUsage,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_sub_cert_eku_missing",
+ Description: "Subscriber certificates MUST have the extended key usage extension present",
+ Citation: "BRs: 7.1.2.3",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.CABEffectiveDate,
+ },
+ Lint: NewSubExtKeyUsage,
 })
 }
 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_eku_server_auth_client_auth_missing.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_eku_server_auth_client_auth_missing.go
index 1173e594a..050418891 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_eku_server_auth_client_auth_missing.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_eku_server_auth_client_auth_missing.go
@@ -32,13 +32,15 @@ present.
 *******************************************************************************************************/
 
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_sub_cert_eku_server_auth_client_auth_missing",
- Description: "Subscriber certificates MUST have either id-kp-serverAuth or id-kp-clientAuth or both present in extKeyUsage",
- Citation: "BRs: 7.1.2.3",
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
- Lint: NewSubExtKeyUsageClientOrServer,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_sub_cert_eku_server_auth_client_auth_missing",
+ Description: "Subscriber certificates MUST have either id-kp-serverAuth or id-kp-clientAuth or both present in extKeyUsage",
+ Citation: "BRs: 7.1.2.3",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.CABEffectiveDate,
+ },
+ Lint: NewSubExtKeyUsageClientOrServer,
 })
 }
 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_gn_sn_contains_policy.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_gn_sn_contains_policy.go
index 2bb02bcc8..b408defe2 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_gn_sn_contains_policy.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_gn_sn_contains_policy.go
@@ -23,13 +23,15 @@ import (
 type subCertSubjectGnOrSnContainsPolicy struct{}
 
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_sub_cert_given_name_surname_contains_correct_policy",
- Description: "Subscriber Certificate: A certificate containing a subject:givenName field or subject:surname field MUST contain the (2.23.140.1.2.3) certPolicy OID.",
- Citation: "BRs: 7.1.4.2.2",
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.CABGivenNameDate,
- Lint: NewSubCertSubjectGnOrSnContainsPolicy,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_sub_cert_given_name_surname_contains_correct_policy",
+ Description: "Subscriber Certificate: A certificate containing a subject:givenName field or subject:surname field MUST contain the (2.23.140.1.2.3) certPolicy OID.",
+ Citation: "BRs: 7.1.4.2.2",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.CABGivenNameDate,
+ },
+ Lint: NewSubCertSubjectGnOrSnContainsPolicy,
 })
 }
 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_is_ca.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_is_ca.go
index 67359e5a0..401a83ab2 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_is_ca.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_is_ca.go
@@ -24,13 +24,15 @@ import (
 type subCertNotCA struct{}
 
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_sub_cert_not_is_ca",
- Description: "Subscriber Certificate: basicContrainsts cA field MUST NOT be true.",
- Citation: "BRs: 7.1.2.3",
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
- Lint: NewSubCertNotCA,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_sub_cert_not_is_ca",
+ Description: "Subscriber Certificate: basicContrainsts cA field MUST NOT be true.",
+ Citation: "BRs: 7.1.2.3",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.CABEffectiveDate,
+ },
+ Lint: NewSubCertNotCA,
 })
 }
 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_key_usage_cert_sign_bit_set.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_key_usage_cert_sign_bit_set.go
index 499c7b084..c3834393c 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_key_usage_cert_sign_bit_set.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_key_usage_cert_sign_bit_set.go
@@ -29,13 +29,15 @@ If present, bit positions for keyCertSign and cRLSign MUST NOT be set.
 ***************************************************************************/
 
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_sub_cert_key_usage_cert_sign_bit_set",
- Description: "Subscriber Certificate: keyUsage if present, bit positions for keyCertSign and cRLSign MUST NOT be set.",
- Citation: "BRs: 7.1.2.3",
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
- Lint: NewSubCertKeyUsageBitSet,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_sub_cert_key_usage_cert_sign_bit_set",
+ Description: "Subscriber Certificate: keyUsage if present, bit positions for keyCertSign and cRLSign MUST NOT be set.",
+ Citation: "BRs: 7.1.2.3",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.CABEffectiveDate,
+ },
+ Lint: NewSubCertKeyUsageBitSet,
 })
 }
 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_key_usage_crl_sign_bit_set.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_key_usage_crl_sign_bit_set.go
index dc67297b8..fa71a4128 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_key_usage_crl_sign_bit_set.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_key_usage_crl_sign_bit_set.go
@@ -29,13 +29,15 @@ If present, bit positions for keyCertSign and cRLSign MUST NOT be set.
 ***************************************************************************/
 
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_sub_cert_key_usage_crl_sign_bit_set",
- Description: "Subscriber Certificate: keyUsage if present, bit positions for keyCertSign and cRLSign MUST NOT be set.",
- Citation: "BRs: 7.1.2.3",
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
- Lint: NewSubCrlSignAllowed,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_sub_cert_key_usage_crl_sign_bit_set",
+ Description: "Subscriber Certificate: keyUsage if present, bit positions for keyCertSign and cRLSign MUST NOT be set.",
+ Citation: "BRs: 7.1.2.3",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.CABEffectiveDate,
+ },
+ Lint: NewSubCrlSignAllowed,
 })
 }
 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_locality_name_must_appear.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_locality_name_must_appear.go
index 8744f1855..9e239dd9e 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_locality_name_must_appear.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_locality_name_must_appear.go
@@ -23,13 +23,15 @@ import (
 type subCertLocalityNameMustAppear struct{}
 
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_sub_cert_locality_name_must_appear",
- Description: "Subscriber Certificate: subject:localityName MUST appear if subject:organizationName, subject:givenName, or subject:surname fields are present but the subject:stateOrProvinceName field is absent.",
- Citation: "BRs: 7.1.4.2.2",
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.CABGivenNameDate,
- Lint: NewSubCertLocalityNameMustAppear,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_sub_cert_locality_name_must_appear",
+ Description: "Subscriber Certificate: subject:localityName MUST appear if subject:organizationName, subject:givenName, or subject:surname fields are present but the subject:stateOrProvinceName field is absent.",
+ Citation: "BRs: 7.1.4.2.2",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.CABGivenNameDate,
+ },
+ Lint: NewSubCertLocalityNameMustAppear,
 })
 }
 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_locality_name_must_not_appear.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_locality_name_must_not_appear.go
index ea2f96f57..fb46a5a20 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_locality_name_must_not_appear.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_locality_name_must_not_appear.go
@@ -23,13 +23,15 @@ import (
 type subCertLocalityNameMustNotAppear struct{}
 
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_sub_cert_locality_name_must_not_appear",
- Description: "Subscriber Certificate: subject:localityName MUST NOT appear if subject:organizationName, subject:givenName, and subject:surname fields are absent.",
- Citation: "BRs: 7.1.4.2.2",
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.CABGivenNameDate,
- Lint: NewSubCertLocalityNameMustNotAppear,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_sub_cert_locality_name_must_not_appear",
+ Description: "Subscriber Certificate: subject:localityName MUST NOT appear if subject:organizationName, subject:givenName, and subject:surname fields are absent.",
+ Citation: "BRs: 7.1.4.2.2",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.CABGivenNameDate,
+ },
+ Lint: NewSubCertLocalityNameMustNotAppear,
 })
 }
 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_or_sub_ca_using_sha1.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_or_sub_ca_using_sha1.go
index df6e4774a..f0a5f2fe9 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_or_sub_ca_using_sha1.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_or_sub_ca_using_sha1.go
@@ -28,13 +28,15 @@ SHA‐1 MAY be used with RSA keys in accordance with the criteria defined in Sec
 **************************************************************************************************/
 
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_sub_cert_or_sub_ca_using_sha1",
- Description: "CAs MUST NOT issue any new Subscriber certificates or Subordinate CA certificates using SHA-1 after 1 January 2016",
- Citation: "BRs: 7.1.3",
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.NO_SHA1,
- Lint: NewSigAlgTestsSHA1,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_sub_cert_or_sub_ca_using_sha1",
+ Description: "CAs MUST NOT issue any new Subscriber certificates or Subordinate CA certificates using SHA-1 after 1 January 2016",
+ Citation: "BRs: 7.1.3",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.NO_SHA1,
+ },
+ Lint: NewSigAlgTestsSHA1,
 })
 }
 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_postal_code_prohibited.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_postal_code_prohibited.go
index aae8d28e7..98b843c75 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_postal_code_prohibited.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_postal_code_prohibited.go
@@ -23,13 +23,15 @@ import (
 type subCertPostalCodeMustNotAppear struct{}
 
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_sub_cert_postal_code_must_not_appear",
- Description: "Subscriber Certificate: subject:postalCode MUST NOT appear if the subject:organizationName field, subject:givenName field, or subject:surname fields are absent.",
- Citation: "BRs: 7.1.4.2.2",
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.CABGivenNameDate,
- Lint: NewSubCertPostalCodeMustNotAppear,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_sub_cert_postal_code_must_not_appear",
+ Description: "Subscriber Certificate: subject:postalCode MUST NOT appear if the subject:organizationName field, subject:givenName field, or subject:surname fields are absent.",
+ Citation: "BRs: 7.1.4.2.2",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.CABGivenNameDate,
+ },
+ Lint: NewSubCertPostalCodeMustNotAppear,
 })
 }
 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_province_must_appear.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_province_must_appear.go
index 0dd5a7076..b4acd756e 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_province_must_appear.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_province_must_appear.go
@@ -23,13 +23,15 @@ import (
 type subCertProvinceMustAppear struct{}
 
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_sub_cert_province_must_appear",
- Description: "Subscriber Certificate: subject:stateOrProvinceName MUST appear if the subject:organizationName, subject:givenName, or subject:surname fields are present and subject:localityName is absent.",
- Citation: "BRs: 7.1.4.2.2",
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.CABGivenNameDate,
- Lint: NewSubCertProvinceMustAppear,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_sub_cert_province_must_appear",
+ Description: "Subscriber Certificate: subject:stateOrProvinceName MUST appear if the subject:organizationName, subject:givenName, or subject:surname fields are present and subject:localityName is absent.",
+ Citation: "BRs: 7.1.4.2.2",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.CABGivenNameDate,
+ },
+ Lint: NewSubCertProvinceMustAppear,
 })
 }
 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_province_must_not_appear.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_province_must_not_appear.go
index d33d85644..0413acacc 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_province_must_not_appear.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_province_must_not_appear.go
@@ -23,13 +23,15 @@ import (
 type subCertProvinceMustNotAppear struct{}
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_sub_cert_province_must_not_appear",
- Description: "Subscriber Certificate: subject:stateOrProvinceName MUST NOT appear if the subject:organizationName, subject:givenName, and subject:surname fields are absent.",
- Citation: "BRs: 7.1.4.2.2",
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.CABGivenNameDate,
- Lint: NewSubCertProvinceMustNotAppear,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_sub_cert_province_must_not_appear",
+ Description: "Subscriber Certificate: subject:stateOrProvinceName MUST NOT appear if the subject:organizationName, subject:givenName, and subject:surname fields are absent.",
+ Citation: "BRs: 7.1.4.2.2",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.CABGivenNameDate,
+ },
+ Lint: NewSubCertProvinceMustNotAppear,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_sha1_expiration_too_long.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_sha1_expiration_too_long.go
index 5f4a59f2a..931c4a09c 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_sha1_expiration_too_long.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_sha1_expiration_too_long.go
@@ -32,13 +32,15 @@ CAs and Subscribers using such certificates do so at their own risk.
 ****************************************************************************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "w_sub_cert_sha1_expiration_too_long",
- Description: "Subscriber certificates using the SHA-1 algorithm SHOULD NOT have an expiration date later than 1 Jan 2017",
- Citation: "BRs: 7.1.3",
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.CABFBRs_1_2_1_Date,
- Lint: NewSha1ExpireLong,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "w_sub_cert_sha1_expiration_too_long",
+ Description: "Subscriber certificates using the SHA-1 algorithm SHOULD NOT have an expiration date later than 1 Jan 2017",
+ Citation: "BRs: 7.1.3",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.CABFBRs_1_2_1_Date,
+ },
+ Lint: NewSha1ExpireLong,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_street_address_should_not_exist.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_street_address_should_not_exist.go
index 4c09cd1a6..508ebe18a 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_street_address_should_not_exist.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_street_address_should_not_exist.go
@@ -23,13 +23,15 @@ import (
 type subCertStreetAddressShouldNotExist struct{}
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_sub_cert_street_address_should_not_exist",
- Description: "Subscriber Certificate: subject:streetAddress MUST NOT appear if subject:organizationName, subject:givenName, and subject:surname fields are absent.",
- Citation: "BRs: 7.1.4.2.2",
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.CABGivenNameDate,
- Lint: NewSubCertStreetAddressShouldNotExist,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_sub_cert_street_address_should_not_exist",
+ Description: "Subscriber Certificate: subject:streetAddress MUST NOT appear if subject:organizationName, subject:givenName, and subject:surname fields are absent.",
+ Citation: "BRs: 7.1.4.2.2",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.CABGivenNameDate,
+ },
+ Lint: NewSubCertStreetAddressShouldNotExist,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_valid_time_longer_than_39_months.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_valid_time_longer_than_39_months.go
index fbba31e95..6d508b143 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_valid_time_longer_than_39_months.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_valid_time_longer_than_39_months.go
@@ -23,13 +23,15 @@ import (
 type subCertValidTimeLongerThan39Months struct{}
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_sub_cert_valid_time_longer_than_39_months",
- Description: "Subscriber Certificates issued after 1 July 2016 but prior to 1 March 2018 MUST have a Validity Period no greater than 39 months.",
- Citation: "BRs: 6.3.2",
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.SubCert39Month,
- Lint: NewSubCertValidTimeLongerThan39Months,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_sub_cert_valid_time_longer_than_39_months",
+ Description: "Subscriber Certificates issued after 1 July 2016 but prior to 1 March 2018 MUST have a Validity Period no greater than 39 months.",
+ Citation: "BRs: 6.3.2",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.SubCert39Month,
+ },
+ Lint: NewSubCertValidTimeLongerThan39Months,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_valid_time_longer_than_825_days.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_valid_time_longer_than_825_days.go
index eb8ae16a3..289f99278 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_valid_time_longer_than_825_days.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_valid_time_longer_than_825_days.go
@@ -23,13 +23,15 @@ import (
 type subCertValidTimeLongerThan825Days struct{}
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_sub_cert_valid_time_longer_than_825_days",
- Description: "Subscriber Certificates issued after 1 March 2018, but prior to 1 September 2020, MUST NOT have a Validity Period greater than 825 days.",
- Citation: "BRs: 6.3.2",
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.SubCert825Days,
- Lint: NewSubCertValidTimeLongerThan825Days,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_sub_cert_valid_time_longer_than_825_days",
+ Description: "Subscriber Certificates issued after 1 March 2018, but prior to 1 September 2020, MUST NOT have a Validity Period greater than 825 days.",
+ Citation: "BRs: 6.3.2",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.SubCert825Days,
+ },
+ Lint: NewSubCertValidTimeLongerThan825Days,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_common_name_included.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_common_name_included.go
index bf7f1d04d..4b2b0fd81 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_common_name_included.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_common_name_included.go
@@ -28,13 +28,16 @@ Required/Optional: Deprecated (Discouraged, but not prohibited)
 ***************************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "n_subject_common_name_included",
- Description: "Subscriber Certificate: commonName is deprecated.",
- Citation: "BRs: 7.1.4.2.2",
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
- Lint: NewCommonNames,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "n_subject_common_name_included",
+ Description: "Subscriber Certificate: commonName is deprecated.",
+ Citation: "BRs: 7.1.4.2.2",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.CABEffectiveDate,
+ IneffectiveDate: util.SC62EffectiveDate,
+ },
+ Lint: NewCommonNames,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_common_name_included_sc62.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_common_name_included_sc62.go
new file mode 100644
index 000000000..999ba86ce
--- /dev/null
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_common_name_included_sc62.go
@@ -0,0 +1,57 @@
+package cabf_br
+
+/*
+ * ZLint Copyright 2023 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+import (
+ "github.com/zmap/zcrypto/x509"
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/util"
+)
+
+type commonNamesSC62 struct{}
+
+/***************************************************************
+BRs: 7.1.2.7.1
+Required/Optional: NOT RECOMMENDED
+***************************************************************/
+
+func init() {
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "w_subject_common_name_included",
+ Description: "Subscriber Certificate: commonName is NOT RECOMMENDED.",
+ Citation: "BRs: 7.1.2.7.1",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.SC62EffectiveDate,
+ },
+ Lint: NewCommonNamesSC62,
+ })
+}
+
+func NewCommonNamesSC62() lint.LintInterface {
+ return &commonNamesSC62{}
+}
+
+func (l *commonNamesSC62) CheckApplies(c *x509.Certificate) bool {
+ return util.IsSubscriberCert(c)
+}
+
+func (l *commonNamesSC62) Execute(c *x509.Certificate) *lint.LintResult {
+ if c.Subject.CommonName == "" {
+ return &lint.LintResult{Status: lint.Pass}
+ } else {
+ return &lint.LintResult{Status: lint.Warn}
+ }
+}
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_common_name_not_exactly_from_san.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_common_name_not_exactly_from_san.go
index ceb77fe71..f30852edf 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_common_name_not_exactly_from_san.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_common_name_not_exactly_from_san.go
@@ -34,13 +34,15 @@ the subjectAltName extension.
 ************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_subject_common_name_not_exactly_from_san",
- Description: "The common name field in subscriber certificates must include only names from the SAN extension",
- Citation: "BRs: 7.1.4.2.2",
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.CABFBRs_1_8_0_Date,
- Lint: NewSubjectCommonNameNotExactlyFromSAN,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_subject_common_name_not_exactly_from_san",
+ Description: "The common name field in subscriber certificates must include only names from the SAN extension",
+ Citation: "BRs: 7.1.4.2.2",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.CABFBRs_1_8_0_Date,
+ },
+ Lint: NewSubjectCommonNameNotExactlyFromSAN,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_common_name_not_from_san.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_common_name_not_from_san.go
index 4f6fe3fde..24dc16c44 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_common_name_not_from_san.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_common_name_not_from_san.go
@@ -32,14 +32,16 @@ contained in the Certificate’s subjectAltName extension (see Section 7.1.4.2.1
 ************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_subject_common_name_not_from_san",
- Description: "The common name field in subscriber certificates must include only names from the SAN extension",
- Citation: "BRs: 7.1.4.2.2",
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
- IneffectiveDate: util.CABFBRs_1_8_0_Date,
- Lint: NewSubjectCommonNameNotFromSAN,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_subject_common_name_not_from_san",
+ Description: "The common name field in subscriber certificates must include only names from the SAN extension",
+ Citation: "BRs: 7.1.4.2.2",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.CABEffectiveDate,
+ IneffectiveDate: util.CABFBRs_1_8_0_Date,
+ },
+ Lint: NewSubjectCommonNameNotFromSAN,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_contains_malformed_arpa_ip.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_contains_malformed_arpa_ip.go
index d2f6a2752..894d09126 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_contains_malformed_arpa_ip.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_contains_malformed_arpa_ip.go
@@ -32,23 +32,25 @@ import (
 type arpaMalformedIP struct{}
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "w_subject_contains_malformed_arpa_ip",
- Description: "Checks no subject domain name contains a rDNS entry in the " +
- "registry-controlled .arpa zone with the wrong number of labels, or " +
- "an invalid IP address (RFC 3596, BCP49)",
- // NOTE(@cpu): 3.2.2.6 is particular to wildcard domain validation for names
- // in a registry controlled zone (like .arpa), which would be an appropriate
- // citation for when this lint finds a rDNS entry with the wrong
- // number of labels/invalid IP because of the presence of a wildcard
- // character. There is a larger on-going discussion[0] on the BRs stance on
- // the .arpa zone entries that may produce a better citation to use here.
- //
- // [0]: https://github.com/cabforum/documents/issues/153
- Citation: "BRs: 3.2.2.6",
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
- Lint: NewArpaMalformedIP,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "w_subject_contains_malformed_arpa_ip",
+ Description: "Checks no subject domain name contains a rDNS entry in the " +
+ "registry-controlled .arpa zone with the wrong number of labels, or " +
+ "an invalid IP address (RFC 3596, BCP49)",
+ // NOTE(@cpu): 3.2.2.6 is particular to wildcard domain validation for names
+ // in a registry controlled zone (like .arpa), which would be an appropriate
+ // citation for when this lint finds a rDNS entry with the wrong
+ // number of labels/invalid IP because of the presence of a wildcard
+ // character. There is a larger on-going discussion[0] on the BRs stance on
+ // the .arpa zone entries that may produce a better citation to use here.
+ //
+ // [0]: https://github.com/cabforum/documents/issues/153
+ Citation: "BRs: 3.2.2.6",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.CABEffectiveDate,
+ },
+ Lint: NewArpaMalformedIP,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_contains_noninformational_value.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_contains_noninformational_value.go
index 00ae9daa7..15cd0578a 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_contains_noninformational_value.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_contains_noninformational_value.go
@@ -34,13 +34,15 @@ be used.
 **********************************************************************************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_subject_contains_noninformational_value",
- Description: "Subject name fields must not contain '.','-',' ' or any other indication that the field has been omitted",
- Citation: "BRs: 7.1.4.2.2",
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
- Lint: NewIllegalChar,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_subject_contains_noninformational_value",
+ Description: "Subject name fields must not contain '.','-',' ' or any other indication that the field has been omitted",
+ Citation: "BRs: 7.1.4.2.2",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.CABEffectiveDate,
+ },
+ Lint: NewIllegalChar,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_contains_organizational_unit_name_and_no_organization_name.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_contains_organizational_unit_name_and_no_organization_name.go
index b5aced626..f44d1fa8a 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_contains_organizational_unit_name_and_no_organization_name.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_contains_organizational_unit_name_and_no_organization_name.go
@@ -32,13 +32,15 @@ This lint check the first requirement, i.e.: Prohibited if the subject:organizat
 ************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_subject_contains_organizational_unit_name_and_no_organization_name",
- Description: "If a subject organization name is absent then an organizational unit name MUST NOT be included in subject",
- Citation: "BRs: 7.1.4.2.2",
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.CABFBRs_1_7_9_Date,
- Lint: NewSubjectContainsOrganizationalUnitNameButNoOrganizationName,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_subject_contains_organizational_unit_name_and_no_organization_name",
+ Description: "If a subject organization name is absent then an organizational unit name MUST NOT be included in subject",
+ Citation: "BRs: 7.1.4.2.2",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.CABFBRs_1_7_9_Date,
+ },
+ Lint: NewSubjectContainsOrganizationalUnitNameButNoOrganizationName,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_contains_reserved_arpa_ip.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_contains_reserved_arpa_ip.go
index df93f9c26..590352cae 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_contains_reserved_arpa_ip.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_contains_reserved_arpa_ip.go
@@ -55,13 +55,15 @@ const (
 type arpaReservedIP struct{}
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_subject_contains_reserved_arpa_ip",
- Description: "Checks no subject domain name contains a rDNS entry in an .arpa zone specifying a reserved IP address",
- Citation: "BRs: 7.1.4.2.1",
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
- Lint: NewArpaReservedIP,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_subject_contains_reserved_arpa_ip",
+ Description: "Checks no subject domain name contains a rDNS entry in an .arpa zone specifying a reserved IP address",
+ Citation: "BRs: 7.1.4.2.1",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.CABEffectiveDate,
+ },
+ Lint: NewArpaReservedIP,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_contains_reserved_ip.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_contains_reserved_ip.go
index 39cba99e7..a9b84ca18 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_contains_reserved_ip.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_contains_reserved_ip.go
@@ -34,13 +34,15 @@ Address or Internal Name.
 ************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_subject_contains_reserved_ip",
- Description: "Certificates expiring later than 11 Jan 2015 MUST NOT contain a reserved IP address in the common name field",
- Citation: "BRs: 7.1.4.2.1",
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
- Lint: NewSubjectReservedIP,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_subject_contains_reserved_ip",
+ Description: "Certificates expiring later than 11 Jan 2015 MUST NOT contain a reserved IP address in the common name field",
+ Citation: "BRs: 7.1.4.2.1",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.CABEffectiveDate,
+ },
+ Lint: NewSubjectReservedIP,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_country_not_iso.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_country_not_iso.go
index 8d1aff75f..097f743f3 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_country_not_iso.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_country_not_iso.go
@@ -33,13 +33,15 @@ place of business is located.
 **************************************************************************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_subject_country_not_iso",
- Description: "The country name field MUST contain the two-letter ISO code for the country or XX",
- Citation: "BRs: 7.1.4.2.2",
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
- Lint: NewCountryNotIso,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_subject_country_not_iso",
+ Description: "The country name field MUST contain the two-letter ISO code for the country or XX",
+ Citation: "BRs: 7.1.4.2.2",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.CABEffectiveDate,
+ },
+ Lint: NewCountryNotIso,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_public_key_info_improper_algorithm_object_identifier_encoding.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_public_key_info_improper_algorithm_object_identifier_encoding.go
index a8c017581..62cb64c17 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_public_key_info_improper_algorithm_object_identifier_encoding.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_public_key_info_improper_algorithm_object_identifier_encoding.go
@@ -42,14 +42,16 @@ For P‐521 keys: 301006072a8648ce3d020106052b81040023
 *********************************************** */
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_algorithm_identifier_improper_encoding",
- Description: "Encoded AlgorithmObjectIdentifier objects inside a SubjectPublicKeyInfo field " +
- "MUST comply with specified byte sequences.",
- Citation: "BRs: 7.1.3.1",
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.CABFBRs_1_7_1_Date,
- Lint: NewAlgorithmObjectIdentifierEncoding,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_algorithm_identifier_improper_encoding",
+ Description: "Encoded AlgorithmObjectIdentifier objects inside a SubjectPublicKeyInfo field " +
+ "MUST comply with specified byte sequences.",
+ Citation: "BRs: 7.1.3.1",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.CABFBRs_1_7_1_Date,
+ },
+ Lint: NewAlgorithmObjectIdentifierEncoding,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_underscore_not_permissible_in_dnsname.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_underscore_not_permissible_in_dnsname.go
index 525fff4a6..bd861da8a 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_underscore_not_permissible_in_dnsname.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_underscore_not_permissible_in_dnsname.go
@@ -25,13 +25,15 @@ import (
 )
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_underscore_not_permissible_in_dnsname",
- Description: "DNSNames MUST NOT contain underscore characters",
- Citation: "BR 7.1.4.2.1",
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.CABFBRs_1_6_2_UnderscorePermissibilitySunsetDate,
- Lint: func() lint.LintInterface { return &UnderscoreNotPermissibleInDNSName{} },
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_underscore_not_permissible_in_dnsname",
+ Description: "DNSNames MUST NOT contain underscore characters",
+ Citation: "BR 7.1.4.2.1",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.CABFBRs_1_6_2_UnderscorePermissibilitySunsetDate,
+ },
+ Lint: func() lint.LintInterface { return &UnderscoreNotPermissibleInDNSName{} },
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_underscore_permissible_in_dnsname_if_valid_when_replaced.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_underscore_permissible_in_dnsname_if_valid_when_replaced.go
new file mode 100644
index 000000000..269cd07bb
--- /dev/null
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_underscore_permissible_in_dnsname_if_valid_when_replaced.go
@@ -0,0 +1,59 @@
+/*
+ * ZLint Copyright 2021 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+package cabf_br
+
+import (
+ "fmt"
+ "strings"
+
+ "github.com/zmap/zcrypto/x509"
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/util"
+)
+
+func init() {
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_underscore_permissible_in_dnsname_if_valid_when_replaced",
+ Description: "From December 10th 2018 to April 1st 2019 DNSNames may contain underscores if-and-only-if every label within each DNS name is a valid LDH label after replacing all underscores with hyphens",
+ Citation: "BR 7.1.4.2.1",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.CABFBRs_1_6_2_Date,
+ IneffectiveDate: util.CABFBRs_1_6_2_UnderscorePermissibilitySunsetDate,
+ },
+ Lint: func() lint.LintInterface { return &UnderscorePermissibleInDNSNameIfValidWhenReplaced{} },
+ })
+}
+
+type UnderscorePermissibleInDNSNameIfValidWhenReplaced struct{}
+
+func (l *UnderscorePermissibleInDNSNameIfValidWhenReplaced) CheckApplies(c *x509.Certificate) bool {
+ return util.IsSubscriberCert(c) && util.DNSNamesExist(c)
+}
+
+func (l *UnderscorePermissibleInDNSNameIfValidWhenReplaced) Execute(c *x509.Certificate) *lint.LintResult {
+ for _, dns := range c.DNSNames {
+ for _, label := range strings.Split(dns, ".") {
+ if !strings.Contains(label, "_") || label == "*" {
+ continue
+ }
+ replaced := strings.ReplaceAll(label, "_", "-")
+ if !util.IsLDHLabel(replaced) {
+ return &lint.LintResult{Status: lint.Error, Details: fmt.Sprintf("When all underscores (_) in %q are replaced with hypens (-) the result is %q which not a valid LDH label", label, replaced)}
+ }
+ }
+ }
+ return &lint.LintResult{Status: lint.Pass}
+}
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_underscore_present_with_too_long_validity.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_underscore_present_with_too_long_validity.go
new file mode 100644
index 000000000..71c010ec0
--- /dev/null
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_underscore_present_with_too_long_validity.go
@@ -0,0 +1,61 @@
+/*
+ * ZLint Copyright 2021 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+package cabf_br
+
+import (
+ "fmt"
+ "strings"
+
+ "github.com/zmap/zcrypto/x509"
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/util"
+)
+
+func init() {
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_underscore_present_with_too_long_validity",
+ Description: "From 2018-12-10 to 2019-04-01, DNSNames may contain underscores if-and-only-if the certificate is valid for less than thirty days.",
+ Citation: "BR 7.1.4.2.1",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.CABFBRs_1_6_2_Date,
+ IneffectiveDate: util.CABFBRs_1_6_2_UnderscorePermissibilitySunsetDate,
+ },
+ Lint: func() lint.LintInterface { return &UnderscorePresentWithTooLongValidity{} },
+ })
+}
+
+type UnderscorePresentWithTooLongValidity struct{}
+
+func (l *UnderscorePresentWithTooLongValidity) CheckApplies(c *x509.Certificate) bool {
+ longValidity := util.BeforeOrOn(c.NotBefore.AddDate(0, 0, 30), c.NotAfter)
+ return util.IsSubscriberCert(c) && util.DNSNamesExist(c) && longValidity
+}
+
+func (l *UnderscorePresentWithTooLongValidity) Execute(c *x509.Certificate) *lint.LintResult {
+ for _, dns := range c.DNSNames {
+ if strings.Contains(dns, "_") {
+ return &lint.LintResult{
+ Status: lint.Error,
+ Details: fmt.Sprintf(
+ "The DNSName '%s' contains an underscore character which is only permissible if the certiticate is valid for less than 30 days (this certificate is valid for %d days)",
+ dns,
+ c.NotAfter.Sub(c.NotBefore)/util.DurationDay,
+ ),
+ }
+ }
+ }
+ return &lint.LintResult{Status: lint.Pass}
+}
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_w_sub_ca_aia_missing.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_w_sub_ca_aia_missing.go
index c366a815e..d257039b9 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_w_sub_ca_aia_missing.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_w_sub_ca_aia_missing.go
@@ -31,13 +31,15 @@ It SHOULD contain the HTTP URL of the Issuing CA’s certificate (accessMethod =
 ************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "w_sub_ca_aia_missing",
- Description: "Subordinate CA Certificate: authorityInformationAccess SHOULD be present.",
- Citation: "BRs: 7.1.2.2",
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.CABFBRs_1_7_1_Date,
- Lint: NewCaAiaShouldNotBeMissing,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "w_sub_ca_aia_missing",
+ Description: "Subordinate CA Certificate: authorityInformationAccess SHOULD be present.",
+ Citation: "BRs: 7.1.2.2",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.CABFBRs_1_7_1_Date,
+ },
+ Lint: NewCaAiaShouldNotBeMissing,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_ev_business_category_missing.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_ev_business_category_missing.go
index ece50bfac..5eadf688c 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_ev_business_category_missing.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_ev_business_category_missing.go
@@ -23,13 +23,15 @@ import ( type evNoBiz struct{} func init() { - lint.RegisterLint(&lint.Lint{ - Name: "e_ev_business_category_missing", - Description: "EV certificates must include businessCategory in subject", - Citation: "EVGs: 9.2.3", - Source: lint.CABFEVGuidelines, - EffectiveDate: util.ZeroDate, - Lint: NewEvNoBiz, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_ev_business_category_missing", + Description: "EV certificates must include businessCategory in subject", + Citation: "EVGs: 9.2.3", + Source: lint.CABFEVGuidelines, + EffectiveDate: util.ZeroDate, + }, + Lint: NewEvNoBiz, }) } diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_ev_country_name_missing.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_ev_country_name_missing.go index 869089954..94ac320a1 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_ev_country_name_missing.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_ev_country_name_missing.go @@ -23,13 +23,15 @@ import ( type evCountryMissing struct{} func init() { - lint.RegisterLint(&lint.Lint{ - Name: "e_ev_country_name_missing", - Description: "EV certificates must include countryName in subject", - Citation: "EVGs: 9.2.4", - Source: lint.CABFEVGuidelines, - EffectiveDate: util.ZeroDate, - Lint: NewEvCountryMissing, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_ev_country_name_missing", + Description: "EV certificates must include countryName in subject", + Citation: "EVGs: 9.2.4", + Source: lint.CABFEVGuidelines, + EffectiveDate: util.ZeroDate, + }, + Lint: NewEvCountryMissing, }) } diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_ev_not_wildcard.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_ev_not_wildcard.go index da1e8c845..ce982fb61 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_ev_not_wildcard.go 
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_ev_not_wildcard.go @@ -24,13 +24,15 @@ import ( ) func init() { - lint.RegisterLint(&lint.Lint{ - Name: "e_ev_not_wildcard", - Description: "Wildcard certificates are not allowed for EV Certificates except for those with .onion as the TLD.", - Citation: "CABF EV Guidelines 1.7.8 Section 9.8.1", - Source: lint.CABFEVGuidelines, - EffectiveDate: util.OnionOnlyEVDate, - Lint: NewEvNotWildCard, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_ev_not_wildcard", + Description: "Wildcard certificates are not allowed for EV Certificates except for those with .onion as the TLD.", + Citation: "CABF EV Guidelines 1.7.8 Section 9.8.1", + Source: lint.CABFEVGuidelines, + EffectiveDate: util.OnionOnlyEVDate, + }, + Lint: NewEvNotWildCard, }) } diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_ev_organization_id_missing.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_ev_organization_id_missing.go index 50ed6dab8..c10274e77 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_ev_organization_id_missing.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_ev_organization_id_missing.go 
@@ -23,14 +23,16 @@ import ( type evOrgIdExtMissing struct{} func init() { - lint.RegisterLint(&lint.Lint{ - Name: "e_ev_organization_id_missing", - Description: "Effective January 31, 2020, if the subject:organizationIdentifier field is " + - "present, this [cabfOrganizationIdentifier] field MUST be present.", - Citation: "CA/Browser Forum EV Guidelines v1.7.0, Sec. 9.8.2", - Source: lint.CABFEVGuidelines, - EffectiveDate: util.CABFEV_9_8_2, - Lint: NewEvOrgIdExtMissing, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_ev_organization_id_missing", + Description: "Effective January 31, 2020, if the subject:organizationIdentifier field is " + + "present, this [cabfOrganizationIdentifier] field MUST be present.", + Citation: "CA/Browser Forum EV Guidelines v1.7.0, Sec. 9.8.2", + Source: lint.CABFEVGuidelines, + EffectiveDate: util.CABFEV_9_8_2, + }, + Lint: NewEvOrgIdExtMissing, }) } diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_ev_organization_name_missing.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_ev_organization_name_missing.go index c3d877acc..d4c202f28 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_ev_organization_name_missing.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_ev_organization_name_missing.go 
@@ -23,13 +23,15 @@ import ( type evOrgMissing struct{} func init() { - lint.RegisterLint(&lint.Lint{ - Name: "e_ev_organization_name_missing", - Description: "EV certificates must include organizationName in subject", - Citation: "EVGs: 9.2.1", - Source: lint.CABFEVGuidelines, - EffectiveDate: util.ZeroDate, - Lint: NewEvOrgMissing, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_ev_organization_name_missing", + Description: "EV certificates must include organizationName in subject", + Citation: "EVGs: 9.2.1", + Source: lint.CABFEVGuidelines, + EffectiveDate: util.ZeroDate, + }, + Lint: NewEvOrgMissing, }) } diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_ev_san_ip_address_present.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_ev_san_ip_address_present.go index 591715f15..3123bce5f 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_ev_san_ip_address_present.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_ev_san_ip_address_present.go @@ -21,13 +21,15 @@ import ( ) func init() { - lint.RegisterLint(&lint.Lint{ - Name: "e_ev_san_ip_address_present", - Description: "The Subject Alternate Name extension MUST contain only 'dnsName' name types.", - Citation: "CABF EV Guidelines 1.7.8 Section 9.8.1", - Source: lint.CABFEVGuidelines, - EffectiveDate: util.ZeroDate, - Lint: NewEvSanIpAddressPresent, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_ev_san_ip_address_present", + Description: "The Subject Alternate Name extension MUST contain only 'dnsName' name types.", + Citation: "CABF EV Guidelines 1.7.8 Section 9.8.1", + Source: lint.CABFEVGuidelines, + EffectiveDate: util.ZeroDate, + }, + Lint: NewEvSanIpAddressPresent, }) } 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_ev_serial_number_missing.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_ev_serial_number_missing.go index f9938da7d..f65114edb 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_ev_serial_number_missing.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_ev_serial_number_missing.go @@ -23,13 +23,15 @@ import ( type evSNMissing struct{} func init() { - lint.RegisterLint(&lint.Lint{ - Name: "e_ev_serial_number_missing", - Description: "EV certificates must include serialNumber in subject", - Citation: "EVGs: 9.2.6", - Source: lint.CABFEVGuidelines, - EffectiveDate: util.ZeroDate, - Lint: NewEvSNMissing, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_ev_serial_number_missing", + Description: "EV certificates must include serialNumber in subject", + Citation: "EVGs: 9.2.6", + Source: lint.CABFEVGuidelines, + EffectiveDate: util.ZeroDate, + }, + Lint: NewEvSNMissing, }) } diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_ev_valid_time_too_long.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_ev_valid_time_too_long.go index b207d027c..a66203177 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_ev_valid_time_too_long.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_ev_valid_time_too_long.go 
@@ -23,13 +23,15 @@ import ( type evValidTooLong struct{} func init() { - lint.RegisterLint(&lint.Lint{ - Name: "e_ev_valid_time_too_long", - Description: "EV certificates must be 27 months in validity or less", - Citation: "EVGs 1.0: 8(a), EVGs 1.6.1: 9.4", - Source: lint.CABFEVGuidelines, - EffectiveDate: util.ZeroDate, - Lint: NewEvValidTooLong, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_ev_valid_time_too_long", + Description: "EV certificates must be 27 months in validity or less", + Citation: "EVGs 1.0: 8(a), EVGs 1.6.1: 9.4", + Source: lint.CABFEVGuidelines, + EffectiveDate: util.ZeroDate, + }, + Lint: NewEvValidTooLong, }) } diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_onion_subject_validity_time_too_large.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_onion_subject_validity_time_too_large.go index 40f619616..2a7a74c10 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_onion_subject_validity_time_too_large.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_onion_subject_validity_time_too_large.go @@ -33,15 +33,17 @@ const ( type torValidityTooLarge struct{} func init() { - lint.RegisterLint(&lint.Lint{ - Name: "e_onion_subject_validity_time_too_large", - Description: fmt.Sprintf( - "certificates with .onion names can not be valid for more than %d months", - maxOnionValidityMonths), - Citation: "EVGs: Appendix F", - Source: lint.CABFEVGuidelines, - EffectiveDate: util.OnionOnlyEVDate, - Lint: NewTorValidityTooLarge, + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_onion_subject_validity_time_too_large", + Description: fmt.Sprintf( + "certificates with .onion names can not be valid for more than %d months", + maxOnionValidityMonths), + Citation: "EVGs: Appendix F", + Source: lint.CABFEVGuidelines, + EffectiveDate: util.OnionOnlyEVDate, + }, + Lint: NewTorValidityTooLarge, }) } 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_adobe_extensions_legacy_multipurpose_criticality.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_adobe_extensions_legacy_multipurpose_criticality.go new file mode 100644 index 000000000..bbcc56f51 --- /dev/null +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_adobe_extensions_legacy_multipurpose_criticality.go 
@@ -0,0 +1,63 @@ +/* + * ZLint Copyright 2023 Regents of the University of Michigan + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may not + * use this file except in compliance with the License. You may obtain a copy + * of the License at http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + * implied. See the License for the specific language governing + * permissions and limitations under the License. + */ + +package cabf_smime_br + +import ( + "github.com/zmap/zcrypto/x509" + + "github.com/zmap/zlint/v3/lint" + "github.com/zmap/zlint/v3/util" +) + +func init() { + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_adobe_extensions_legacy_multipurpose_criticality", + Description: "If present, Adobe Time‐stamp X509 extension (1.2.840.113583.1.1.9.1) or the Adobe ArchiveRevInfo extension (1.2.840.113583.1.1.9.2) SHALL NOT be marked as critical for multipurpose/legacy SMIME certificates", + Citation: "7.1.2.3.m", + Source: lint.CABFSMIMEBaselineRequirements, + EffectiveDate: util.CABF_SMIME_BRs_1_0_0_Date, + }, + Lint: NewAdobeExtensionsLegacyMultipurposeCriticality, + }) +} + +type adobeExtensionsLegacyMultipurposeCriticality struct{} + +// NewAdobeExtensionsLegacyMultipurposeCriticality creates a new linter to enforce adobe x509 extensions requirements for multipurpose or legacy SMIME certs +func NewAdobeExtensionsLegacyMultipurposeCriticality() lint.CertificateLintInterface { + return &adobeExtensionsLegacyMultipurposeCriticality{} +} + +// CheckApplies returns true if for any subscriber certificate the certificate's policies assert that it conforms to the multipurpose or legacy policy requirements defined in the SMIME BRs +// and the certificate contains one of the adobe x509 
extensions +func (l *adobeExtensionsLegacyMultipurposeCriticality) CheckApplies(c *x509.Certificate) bool { + return util.IsSubscriberCert(c) && (util.IsLegacySMIMECertificate(c) || util.IsMultipurposeSMIMECertificate(c)) && hasAdobeX509Extensions(c) +} + +// Execute applies the requirements of adobe x509 extensions not being marked as critical, if present, for multipurpose or legacy SMIME certificates +func (l *adobeExtensionsLegacyMultipurposeCriticality) Execute(c *x509.Certificate) *lint.LintResult { + adobeTimeStampExt := util.GetExtFromCert(c, util.AdobeTimeStampOID) + if adobeTimeStampExt != nil && adobeTimeStampExt.Critical { + return &lint.LintResult{Status: lint.Error} + } + + adobeArchRevInfoExt := util.GetExtFromCert(c, util.AdobeArchiveRevInfoOID) + if adobeArchRevInfoExt != nil && adobeArchRevInfoExt.Critical { + return &lint.LintResult{Status: lint.Error} + } + + return &lint.LintResult{Status: lint.Pass} +} diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_adobe_extensions_strict_presence.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_adobe_extensions_strict_presence.go new file mode 100644 index 000000000..85b45c239 --- /dev/null +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_adobe_extensions_strict_presence.go 
@@ -0,0 +1,60 @@ +/* + * ZLint Copyright 2023 Regents of the University of Michigan + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may not + * use this file except in compliance with the License. You may obtain a copy + * of the License at http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + * implied. See the License for the specific language governing + * permissions and limitations under the License. + */ + +package cabf_smime_br + +import ( + "github.com/zmap/zcrypto/x509" + + "github.com/zmap/zlint/v3/lint" + "github.com/zmap/zlint/v3/util" +) + +func init() { + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_adobe_extensions_strict_presence", + Description: "Adobe Time‐stamp X509 extension (1.2.840.113583.1.1.9.1) and the Adobe ArchiveRevInfo extension (1.2.840.113583.1.1.9.2) are prohibited for strict SMIME certificates", + Citation: "7.1.2.3.m", + Source: lint.CABFSMIMEBaselineRequirements, + EffectiveDate: util.CABF_SMIME_BRs_1_0_0_Date, + }, + Lint: NewAdobeExtensionsStrictPresence, + }) +} + +type adobeExtensionsStrictPresence struct{} + +// NewAdobeExtensionsStrictPresence creates a new linter to enforce adobe x509 extensions requirements for strict SMIME certs +func NewAdobeExtensionsStrictPresence() lint.CertificateLintInterface { + return &adobeExtensionsStrictPresence{} +} + +// CheckApplies returns true if for any subscriber certificate the certificate's policies assert that it conforms to the strict policy requirements defined in the SMIME BRs +func (l *adobeExtensionsStrictPresence) CheckApplies(c *x509.Certificate) bool { + return util.IsSubscriberCert(c) && util.IsStrictSMIMECertificate(c) +} + +// Execute applies the requirements of adobe x509 extensions not being 
allowed for strict SMIME certificates +func (l *adobeExtensionsStrictPresence) Execute(c *x509.Certificate) *lint.LintResult { + if hasAdobeX509Extensions(c) { + return &lint.LintResult{Status: lint.Error} + } + + return &lint.LintResult{Status: lint.Pass} +} + +func hasAdobeX509Extensions(c *x509.Certificate) bool { + return util.IsExtInCert(c, util.AdobeTimeStampOID) || util.IsExtInCert(c, util.AdobeArchiveRevInfoOID) +} diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_aia_contains_internal_names.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_aia_contains_internal_names.go new file mode 100644 index 000000000..987871fe9 --- /dev/null +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_aia_contains_internal_names.go 
@@ -0,0 +1,91 @@ +package cabf_smime_br + +/* + * ZLint Copyright 2023 Regents of the University of Michigan + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may not + * use this file except in compliance with the License. You may obtain a copy + * of the License at http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + * implied. See the License for the specific language governing + * permissions and limitations under the License. + */ + +import ( + "net" + "net/url" + "time" + + "github.com/zmap/zcrypto/x509" + "github.com/zmap/zlint/v3/lint" + "github.com/zmap/zlint/v3/util" +) + +type smimeAIAContainsInternalNames struct{} + +/************************************************************************ +BRs: 7.1.2.3c +CA Certificate Authority Information Access +The authorityInformationAccess extension MAY contain one or more accessMethod +values for each of the following types: + +id-ad-ocsp specifies the URI of the Issuing CA's OCSP responder. +id-ad-caIssuers specifies the URI of the Issuing CA's Certificate. + +*************************************************************************/ + +func init() { + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "w_smime_aia_contains_internal_names", + Description: "SMIME certificates authorityInformationAccess. 
Internal domain names should not be included.", + Citation: "BRs: 7.1.2.3c", + Source: lint.CABFSMIMEBaselineRequirements, + EffectiveDate: util.CABF_SMIME_BRs_1_0_0_Date, + }, + Lint: NewSMIMEAIAInternalName, + }) +} + +func NewSMIMEAIAInternalName() lint.LintInterface { + return &smimeAIAContainsInternalNames{} +} + +func (l *smimeAIAContainsInternalNames) CheckApplies(c *x509.Certificate) bool { + return util.IsExtInCert(c, util.AiaOID) && util.IsSubscriberCert(c) && util.IsSMIMEBRCertificate(c) +} + +func (l *smimeAIAContainsInternalNames) Execute(c *x509.Certificate) *lint.LintResult { + for _, u := range c.OCSPServer { + purl, err := url.Parse(u) + if err != nil { + return &lint.LintResult{Status: lint.Error} + } + + if net.ParseIP(purl.Host) != nil { + continue + } + + if !util.HasValidTLD(purl.Hostname(), time.Now()) { + return &lint.LintResult{Status: lint.Warn} + } + } + for _, u := range c.IssuingCertificateURL { + purl, err := url.Parse(u) + if err != nil { + return &lint.LintResult{Status: lint.Error} + } + + if net.ParseIP(purl.Host) != nil { + continue + } + + if !util.HasValidTLD(purl.Hostname(), time.Now()) { + return &lint.LintResult{Status: lint.Warn} + } + } + return &lint.LintResult{Status: lint.Pass} +} diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_ecpublickey_key_usages.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_ecpublickey_key_usages.go new file mode 100644 index 000000000..bfe8e45d0 --- /dev/null +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_ecpublickey_key_usages.go 
@@ -0,0 +1,85 @@ +/* + * ZLint Copyright 2023 Regents of the University of Michigan + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may not + * use this file except in compliance with the License. You may obtain a copy + * of the License at http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + * implied. See the License for the specific language governing + * permissions and limitations under the License. + */ + +package cabf_smime_br + +import ( + "github.com/zmap/zcrypto/x509" + "github.com/zmap/zlint/v3/lint" + "github.com/zmap/zlint/v3/util" +) + +func init() { + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_ecpublickey_key_usages", + Description: "For signing only, bit positions SHALL be set for digitalSignature and MAY be set for nonRepudiation. 
For key management only, bit positions SHALL be set for keyEncipherment.For dual use, bit positions SHALL be set for digitalSignature and keyEncipherment and MAY be set for nonRepudiation.", + Citation: "7.1.2.3.e", + Source: lint.CABFSMIMEBaselineRequirements, + EffectiveDate: util.CABF_SMIME_BRs_1_0_0_Date, + }, + Lint: NewECPublicKeyKeyUsages, + }) +} + +type ecPublicKeyKeyUsages struct{} + +func NewECPublicKeyKeyUsages() lint.LintInterface { + return &ecPublicKeyKeyUsages{} +} + +func (l *ecPublicKeyKeyUsages) CheckApplies(c *x509.Certificate) bool { + return util.IsSubscriberCert(c) && util.IsSMIMEBRCertificate(c) && util.IsExtInCert(c, util.KeyUsageOID) && c.PublicKeyAlgorithm == x509.ECDSA +} + +func (l *ecPublicKeyKeyUsages) Execute(c *x509.Certificate) *lint.LintResult { + const ( + signing = iota + 1 + keyManagement + dualUsage + ) + + certType := 0 + if util.HasKeyUsage(c, x509.KeyUsageDigitalSignature) { + certType |= signing + } + if util.HasKeyUsage(c, x509.KeyUsageKeyAgreement) { + certType |= keyManagement + } + + switch certType { + case signing: + mask := 0x1FF ^ (x509.KeyUsageDigitalSignature | x509.KeyUsageContentCommitment) + if c.KeyUsage&mask != 0 { + return &lint.LintResult{Status: lint.Error} + } + + case keyManagement: + mask := 0x1FF ^ (x509.KeyUsageKeyAgreement | x509.KeyUsageEncipherOnly | x509.KeyUsageDecipherOnly) + if c.KeyUsage&mask != 0 { + return &lint.LintResult{Status: lint.Error} + } + + case dualUsage: + mask := 0x1FF ^ (x509.KeyUsageDigitalSignature | x509.KeyUsageContentCommitment | x509.KeyUsageKeyAgreement | x509.KeyUsageEncipherOnly | x509.KeyUsageDecipherOnly) + if c.KeyUsage&mask != 0 { + return &lint.LintResult{Status: lint.Error} + } + + default: + return &lint.LintResult{Status: lint.NA} + } + + return &lint.LintResult{Status: lint.Pass} +} 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_ecpublickey_other_key_usages.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_ecpublickey_other_key_usages.go new file mode 100644 index 000000000..79efb32ce --- /dev/null +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_ecpublickey_other_key_usages.go 
@@ -0,0 +1,56 @@ +/* + * ZLint Copyright 2023 Regents of the University of Michigan + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may not + * use this file except in compliance with the License. You may obtain a copy + * of the License at http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + * implied. See the License for the specific language governing + * permissions and limitations under the License. + */ + +package cabf_smime_br + +import ( + "github.com/zmap/zcrypto/x509" + "github.com/zmap/zlint/v3/lint" + "github.com/zmap/zlint/v3/util" +) + +func init() { + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_ec_other_key_usages", + Description: "Other bit positions SHALL NOT be set.", + Citation: "7.1.2.3.e", + Source: lint.CABFSMIMEBaselineRequirements, + EffectiveDate: util.CABF_SMIME_BRs_1_0_0_Date, + }, + Lint: NewECOtherKeyUsages, + }) +} + +type ecOtherKeyUsages struct{} + +func NewECOtherKeyUsages() lint.LintInterface { + return &ecOtherKeyUsages{} +} + +func (l *ecOtherKeyUsages) CheckApplies(c *x509.Certificate) bool { + return util.IsSubscriberCert(c) && util.IsSMIMEBRCertificate(c) && util.IsExtInCert(c, util.KeyUsageOID) && c.PublicKeyAlgorithm == x509.ECDSA +} + +func (l *ecOtherKeyUsages) Execute(c *x509.Certificate) *lint.LintResult { + if !(util.HasKeyUsage(c, x509.KeyUsageDigitalSignature) || util.HasKeyUsage(c, x509.KeyUsageKeyAgreement)) { + if c.KeyUsage != 0 { + return &lint.LintResult{Status: lint.Error} + } + + return &lint.LintResult{Status: lint.NA} + } + + return &lint.LintResult{Status: lint.Pass} +} 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_edwardspublickey_key_usages.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_edwardspublickey_key_usages.go new file mode 100644 index 000000000..cd277034c --- /dev/null +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_edwardspublickey_key_usages.go 
@@ -0,0 +1,58 @@ +/* + * ZLint Copyright 2023 Regents of the University of Michigan + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may not + * use this file except in compliance with the License. You may obtain a copy + * of the License at http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + * implied. See the License for the specific language governing + * permissions and limitations under the License. + */ + +package cabf_smime_br + +import ( + "github.com/zmap/zcrypto/x509" + "github.com/zmap/zlint/v3/lint" + "github.com/zmap/zlint/v3/util" +) + +func init() { + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_edwardspublickey_key_usages", + Description: "Bit positions SHALL be set for digitalSignature and MAY be set for nonRepudiation.", + Citation: "7.1.2.3.e", + Source: lint.CABFSMIMEBaselineRequirements, + EffectiveDate: util.CABF_SMIME_BRs_1_0_0_Date, + }, + Lint: NewEdwardsPublicKeyKeyUsages, + }) +} + +type edwardsPublicKeyKeyUsages struct{} + +func NewEdwardsPublicKeyKeyUsages() lint.LintInterface { + return &edwardsPublicKeyKeyUsages{} +} + +func (l *edwardsPublicKeyKeyUsages) CheckApplies(c *x509.Certificate) bool { + // TODO add support for curve448 certificate linting + return util.IsSubscriberCert(c) && util.IsSMIMEBRCertificate(c) && util.IsExtInCert(c, util.KeyUsageOID) && c.PublicKeyAlgorithm == x509.Ed25519 +} + +func (l *edwardsPublicKeyKeyUsages) Execute(c *x509.Certificate) *lint.LintResult { + if !util.HasKeyUsage(c, x509.KeyUsageDigitalSignature) { + return &lint.LintResult{Status: lint.Error} + } + + mask := 0x1FF ^ (x509.KeyUsageDigitalSignature | x509.KeyUsageContentCommitment) + if c.KeyUsage&mask != 0 { + return &lint.LintResult{Status: lint.Error} + } + + 
return &lint.LintResult{Status: lint.Pass} +} diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_key_usage_criticality.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_key_usage_criticality.go new file mode 100644 index 000000000..49552916b --- /dev/null +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_key_usage_criticality.go 
@@ -0,0 +1,54 @@ +/* + * ZLint Copyright 2023 Regents of the University of Michigan + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may not + * use this file except in compliance with the License. You may obtain a copy + * of the License at http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + * implied. See the License for the specific language governing + * permissions and limitations under the License. + */ + +package cabf_smime_br + +import ( + "github.com/zmap/zcrypto/x509" + "github.com/zmap/zlint/v3/lint" + "github.com/zmap/zlint/v3/util" +) + +func init() { + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "w_key_usage_criticality", + Description: "keyUsage... This extension SHOULD be marked critical", + Citation: "7.1.2.3.e", + Source: lint.CABFSMIMEBaselineRequirements, + EffectiveDate: util.CABF_SMIME_BRs_1_0_0_Date, + }, + Lint: NewKeyUsageCriticality, + }) +} + +type keyUsageCriticality struct{} + +func NewKeyUsageCriticality() lint.LintInterface { + return &keyUsageCriticality{} +} + +func (l *keyUsageCriticality) CheckApplies(c *x509.Certificate) bool { + return util.IsSubscriberCert(c) && util.IsSMIMEBRCertificate(c) && util.IsExtInCert(c, util.KeyUsageOID) + +} + +func (l *keyUsageCriticality) Execute(c *x509.Certificate) *lint.LintResult { + kuExt := util.GetExtFromCert(c, util.KeyUsageOID) + if !kuExt.Critical { + return &lint.LintResult{Status: lint.Warn} + } + + return &lint.LintResult{Status: lint.Pass} +} diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_key_usage_presence.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_key_usage_presence.go new file mode 100644 index 000000000..da996722d --- /dev/null 
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_key_usage_presence.go @@ -0,0 +1,52 @@ +/* + * ZLint Copyright 2023 Regents of the University of Michigan + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may not + * use this file except in compliance with the License. You may obtain a copy + * of the License at http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + * implied. See the License for the specific language governing + * permissions and limitations under the License. + */ + +package cabf_smime_br + +import ( + "github.com/zmap/zcrypto/x509" + "github.com/zmap/zlint/v3/lint" + "github.com/zmap/zlint/v3/util" +) + +func init() { + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_key_usage_presence", + Description: "keyUsage (SHALL be present)", + Citation: "7.1.2.3.e", + Source: lint.CABFSMIMEBaselineRequirements, + EffectiveDate: util.CABF_SMIME_BRs_1_0_0_Date, + }, + Lint: NewKeyUsagePresence, + }) +} + +type keyUsagePresence struct{} + +func NewKeyUsagePresence() lint.LintInterface { + return &keyUsagePresence{} +} + +func (l *keyUsagePresence) CheckApplies(c *x509.Certificate) bool { + return util.IsSubscriberCert(c) && util.IsSMIMEBRCertificate(c) +} + +func (l *keyUsagePresence) Execute(c *x509.Certificate) *lint.LintResult { + if util.HasKeyUsageOID(c) { + return &lint.LintResult{Status: lint.Pass} + } + + return &lint.LintResult{Status: lint.Error} +} diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_legacy_aia_has_one_http.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_legacy_aia_has_one_http.go new file mode 100644 index 000000000..cb741ae1c --- /dev/null 
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_legacy_aia_has_one_http.go 
@@ -0,0 +1,90 @@
+package cabf_smime_br
+
+/*
+ * ZLint Copyright 2023 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+import (
+ "net/url"
+
+ "github.com/zmap/zcrypto/x509"
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/util"
+)
+
+type smimeLegacyAIAHasOneHTTP struct{}
+
+/************************************************************************
+BRs: 7.1.2.3c
+CA Certificate Authority Information Access
+The authorityInformationAccess extension MAY contain one or more accessMethod
+values for each of the following types:
+
+id-ad-ocsp specifies the URI of the Issuing CA's OCSP responder.
+id-ad-caIssuers specifies the URI of the Issuing CA's Certificate.
+
+For Legacy: When provided, at least one accessMethod SHALL have the URI scheme HTTP. Other schemes (LDAP, FTP, ...) MAY be present.
+*************************************************************************/
+
+func init() {
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_smime_legacy_aia_shall_have_one_http",
+ Description: "SMIME Legacy certificates authorityInformationAccess When provided, at least one accessMethod SHALL have the URI scheme HTTP. Other schemes (LDAP, FTP, ...) 
MAY be present.",
+ Citation: "BRs: 7.1.2.3c",
+ Source: lint.CABFSMIMEBaselineRequirements,
+ EffectiveDate: util.CABF_SMIME_BRs_1_0_0_Date,
+ },
+ Lint: NewSMIMELegacyAIAHasOneHTTP,
+ })
+}
+
+func NewSMIMELegacyAIAHasOneHTTP() lint.LintInterface {
+ return &smimeLegacyAIAHasOneHTTP{}
+}
+
+func (l *smimeLegacyAIAHasOneHTTP) CheckApplies(c *x509.Certificate) bool {
+ return util.IsSubscriberCert(c) && util.IsExtInCert(c, util.AiaOID) && util.IsLegacySMIMECertificate(c)
+}
+
+func (l *smimeLegacyAIAHasOneHTTP) Execute(c *x509.Certificate) *lint.LintResult {
+ atLeastOneHttp := false
+ for _, u := range c.OCSPServer {
+ purl, err := url.Parse(u)
+ if err != nil {
+ return &lint.LintResult{Status: lint.Error}
+ }
+ if purl.Scheme == "http" {
+ atLeastOneHttp = true
+ }
+ }
+ if !atLeastOneHttp && len(c.OCSPServer) != 0 {
+ return &lint.LintResult{Status: lint.Error, Details: "at least one id-ad-ocsp accessMethod MUST have the URI scheme HTTP"}
+ }
+
+ atLeastOneHttp = false
+ for _, u := range c.IssuingCertificateURL {
+ purl, err := url.Parse(u)
+ if err != nil {
+ return &lint.LintResult{Status: lint.Error}
+ }
+ if purl.Scheme == "http" {
+ atLeastOneHttp = true
+ }
+ }
+ if !atLeastOneHttp && len(c.IssuingCertificateURL) != 0 {
+ return &lint.LintResult{Status: lint.Error, Details: "at least one id-ad-caIssuers accessMethod MUST have the URI scheme HTTP"}
+ }
+
+ return &lint.LintResult{Status: lint.Pass}
+}
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_registration_scheme_id_matches_subject_country.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_registration_scheme_id_matches_subject_country.go
new file mode 100644
index 000000000..2d421c785
--- /dev/null
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_registration_scheme_id_matches_subject_country.go
@@ -0,0 +1,106 @@
+/*
+ * ZLint Copyright 2023 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+package cabf_smime_br
+
+import (
+ "fmt"
+ "regexp"
+
+ "github.com/zmap/zcrypto/x509"
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/util"
+)
+
+// Regex to match the start of an organization identifier: 3 character registration scheme identifier and 2 character ISO 3166 country code
+var countryRegex = regexp.MustCompile(`^([A-Z]{3})([A-Z]{2})`)
+
+func init() {
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_registration_scheme_id_matches_subject_country",
+ Description: "The country code used in the Registration Scheme identifier SHALL match that of the subject:countryName in the Certificate as specified in Section 7.1.4.2.2",
+ Citation: "Appendix A.1",
+ Source: lint.CABFSMIMEBaselineRequirements,
+ EffectiveDate: util.CABF_SMIME_BRs_1_0_0_Date,
+ },
+ Lint: NewRegistrationSchemeIDMatchesSubjectCountry,
+ })
+}
+
+type registrationSchemeIDMatchesSubjectCountry struct{}
+
+// NewRegistrationSchemeIDMatchesSubjectCountry creates a new linter to enforce SHALL requirements for registration scheme identifiers matching subject:countryName
+func NewRegistrationSchemeIDMatchesSubjectCountry() lint.CertificateLintInterface {
+ return ®istrationSchemeIDMatchesSubjectCountry{}
+}
+
+// CheckApplies returns true if the provided certificate contains 
subject:countryName 2 characters in length, a partially valid subject.organizationID and an Organization or Sponsor Validated policy OID
+func (l *registrationSchemeIDMatchesSubjectCountry) CheckApplies(c *x509.Certificate) bool {
+ if c.Subject.Country == nil {
+ return false
+ }
+
+ if len(c.Subject.Country[0]) != 2 {
+ return false
+ }
+
+ orgIDsAreInternational := true
+ for _, id := range c.Subject.OrganizationIDs {
+ submatches := countryRegex.FindStringSubmatch(id)
+ if len(submatches) < 3 {
+ return false
+ }
+
+ orgIDsAreInternational = orgIDsAreInternational && (submatches[1] == "INT" || submatches[1] == "LEI")
+ }
+
+ if orgIDsAreInternational {
+ return false
+ }
+
+ return util.IsOrganizationValidatedCertificate(c) || util.IsSponsorValidatedCertificate(c)
+}
+
+// Execute applies the requirements on matching subject:countryName with registration scheme identifiers
+func (l *registrationSchemeIDMatchesSubjectCountry) Execute(c *x509.Certificate) *lint.LintResult {
+ country := c.Subject.Country[0]
+
+ for _, id := range c.Subject.OrganizationIDs {
+ if err := verifySMIMEOrganizationIdentifierContainsSubjectNameCountry(id, country); err != nil {
+ return &lint.LintResult{Status: lint.Error, Details: err.Error()}
+ }
+ }
+ return &lint.LintResult{Status: lint.Pass}
+}
+
+// verifySMIMEOrganizationIdentifierContainSubjectNameCountry verifies that the country code used in the subject:organizationIdentifier matches subject:countryName
+func verifySMIMEOrganizationIdentifierContainsSubjectNameCountry(id string, country string) error {
+ submatches := countryRegex.FindStringSubmatch(id)
+
+ if submatches[1] == "INT" || submatches[1] == "LEI" {
+ return nil
+ }
+
+ // Captures the country code from the organization identifier
+ // Note that this raw indexing into the second position is only safe
+ // due to a length check done in CheckApplies
+ identifierCountry := submatches[2]
+
+ if identifierCountry != country {
+ return fmt.Errorf("the country code used in 
the Registration Scheme identifier SHALL match that of the subject:countryName")
+ }
+
+ return nil
+}
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_rsa_key_usage_legacy_multipurpose.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_rsa_key_usage_legacy_multipurpose.go
new file mode 100644
index 000000000..cf17470a1
--- /dev/null
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_rsa_key_usage_legacy_multipurpose.go
@@ -0,0 +1,92 @@
+/*
+ * ZLint Copyright 2023 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+package cabf_smime_br
+
+import (
+ "crypto/rsa"
+
+ "github.com/zmap/zcrypto/x509"
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/util"
+)
+
+func init() {
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_rsa_key_usage_legacy_multipurpose",
+ Description: "For signing only, bit positions SHALL be set for digitalSignature and MAY be set for nonRepudiation. For key management only, bit positions SHALL be set for keyEncipherment and MAY be set for dataEncipherment. 
For dual use, bit positions SHALL be set for digitalSignature and keyEncipherment and MAY be set for nonRepudiation and dataEncipherment.",
+ Citation: "7.1.2.3.e",
+ Source: lint.CABFSMIMEBaselineRequirements,
+ EffectiveDate: util.CABF_SMIME_BRs_1_0_0_Date,
+ },
+ Lint: NewRSAKeyUsageLegacyMultipurpose,
+ })
+}
+
+type rsaKeyUsageLegacyMultipurpose struct{}
+
+func NewRSAKeyUsageLegacyMultipurpose() lint.LintInterface {
+ return &rsaKeyUsageLegacyMultipurpose{}
+}
+
+func (l *rsaKeyUsageLegacyMultipurpose) CheckApplies(c *x509.Certificate) bool {
+ if !(util.IsSubscriberCert(c) && (util.IsLegacySMIMECertificate(c) || util.IsMultipurposeSMIMECertificate(c)) && util.IsExtInCert(c, util.KeyUsageOID)) {
+ return false
+ }
+
+ _, ok := c.PublicKey.(*rsa.PublicKey)
+ return ok && c.PublicKeyAlgorithm == x509.RSA
+}
+
+func (l *rsaKeyUsageLegacyMultipurpose) Execute(c *x509.Certificate) *lint.LintResult {
+ const (
+ signing = iota + 1
+ keyManagement
+ dualUsage
+ )
+
+ certType := 0
+ if util.HasKeyUsage(c, x509.KeyUsageDigitalSignature) {
+ certType |= signing
+ }
+ if util.HasKeyUsage(c, x509.KeyUsageKeyEncipherment) {
+ certType |= keyManagement
+ }
+
+ switch certType {
+ case signing:
+ mask := 0x1FF ^ (x509.KeyUsageDigitalSignature | x509.KeyUsageContentCommitment)
+ if c.KeyUsage&mask != 0 {
+ return &lint.LintResult{Status: lint.Error}
+ }
+
+ case keyManagement:
+ mask := 0x1FF ^ (x509.KeyUsageKeyEncipherment | x509.KeyUsageDataEncipherment)
+ if c.KeyUsage&mask != 0 {
+ return &lint.LintResult{Status: lint.Error}
+ }
+
+ case dualUsage:
+ mask := 0x1FF ^ (x509.KeyUsageDigitalSignature | x509.KeyUsageContentCommitment | x509.KeyUsageKeyEncipherment | x509.KeyUsageDataEncipherment)
+ if c.KeyUsage&mask != 0 {
+ return &lint.LintResult{Status: lint.Error}
+ }
+
+ default:
+ return &lint.LintResult{Status: lint.NA}
+ }
+
+ return &lint.LintResult{Status: lint.Pass}
+}
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_rsa_key_usage_strict.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_rsa_key_usage_strict.go
new file mode 100644
index 000000000..8815b5b9f
--- /dev/null
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_rsa_key_usage_strict.go
@@ -0,0 +1,92 @@
+/*
+ * ZLint Copyright 2023 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+package cabf_smime_br
+
+import (
+ "crypto/rsa"
+
+ "github.com/zmap/zcrypto/x509"
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/util"
+)
+
+func init() {
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_rsa_key_usage_strict",
+ Description: "For signing only, bit positions SHALL be set for digitalSignature and MAY be set for nonRepudiation. For key management only, bit positions SHALL be set for keyEncipherment. 
For dual use, bit positions SHALL be set for digitalSignature and keyEncipherment and MAY be set for nonRepudiation.",
+ Citation: "7.1.2.3.e",
+ Source: lint.CABFSMIMEBaselineRequirements,
+ EffectiveDate: util.CABF_SMIME_BRs_1_0_0_Date,
+ },
+ Lint: NewRSAKeyUsageStrict,
+ })
+}
+
+type rsaKeyUsageStrict struct{}
+
+func NewRSAKeyUsageStrict() lint.LintInterface {
+ return &rsaKeyUsageStrict{}
+}
+
+func (l *rsaKeyUsageStrict) CheckApplies(c *x509.Certificate) bool {
+ if !(util.IsSubscriberCert(c) && util.IsStrictSMIMECertificate(c) && util.IsExtInCert(c, util.KeyUsageOID)) {
+ return false
+ }
+
+ _, ok := c.PublicKey.(*rsa.PublicKey)
+ return ok && c.PublicKeyAlgorithm == x509.RSA
+}
+
+func (l *rsaKeyUsageStrict) Execute(c *x509.Certificate) *lint.LintResult {
+ const (
+ signing = iota + 1
+ keyManagement
+ dualUsage
+ )
+
+ certType := 0
+ if util.HasKeyUsage(c, x509.KeyUsageDigitalSignature) {
+ certType |= signing
+ }
+ if util.HasKeyUsage(c, x509.KeyUsageKeyEncipherment) {
+ certType |= keyManagement
+ }
+
+ switch certType {
+ case signing:
+ mask := 0x1FF ^ (x509.KeyUsageDigitalSignature | x509.KeyUsageContentCommitment)
+ if c.KeyUsage&mask != 0 {
+ return &lint.LintResult{Status: lint.Error}
+ }
+
+ case keyManagement:
+ mask := 0x1FF ^ (x509.KeyUsageKeyEncipherment)
+ if c.KeyUsage&mask != 0 {
+ return &lint.LintResult{Status: lint.Error}
+ }
+
+ case dualUsage:
+ mask := 0x1FF ^ (x509.KeyUsageDigitalSignature | x509.KeyUsageContentCommitment | x509.KeyUsageKeyEncipherment)
+ if c.KeyUsage&mask != 0 {
+ return &lint.LintResult{Status: lint.Error}
+ }
+
+ default:
+ return &lint.LintResult{Status: lint.NA}
+ }
+
+ return &lint.LintResult{Status: lint.Pass}
+}
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_rsa_other_key_usages.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_rsa_other_key_usages.go
new file mode 100644
index 000000000..8182cc533
--- /dev/null
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_rsa_other_key_usages.go 
@@ -0,0 +1,63 @@
+/*
+ * ZLint Copyright 2023 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+package cabf_smime_br
+
+import (
+ "crypto/rsa"
+
+ "github.com/zmap/zcrypto/x509"
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/util"
+)
+
+func init() {
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_rsa_other_key_usages",
+ Description: "Other bit positions SHALL NOT be set.",
+ Citation: "7.1.2.3.e",
+ Source: lint.CABFSMIMEBaselineRequirements,
+ EffectiveDate: util.CABF_SMIME_BRs_1_0_0_Date,
+ },
+ Lint: NewRSAOtherKeyUsages,
+ })
+}
+
+type rsaOtherKeyUsages struct{}
+
+func NewRSAOtherKeyUsages() lint.LintInterface {
+ return &rsaOtherKeyUsages{}
+}
+
+func (l *rsaOtherKeyUsages) CheckApplies(c *x509.Certificate) bool {
+ if !(util.IsSubscriberCert(c) && util.IsSMIMEBRCertificate(c) && util.IsExtInCert(c, util.KeyUsageOID)) {
+ return false
+ }
+
+ _, ok := c.PublicKey.(*rsa.PublicKey)
+ return ok && c.PublicKeyAlgorithm == x509.RSA
+}
+
+func (l *rsaOtherKeyUsages) Execute(c *x509.Certificate) *lint.LintResult {
+ if !(util.HasKeyUsage(c, x509.KeyUsageDigitalSignature) || util.HasKeyUsage(c, x509.KeyUsageKeyEncipherment)) {
+ if c.KeyUsage != 0 {
+ return &lint.LintResult{Status: lint.Error}
+ }
+
+ return &lint.LintResult{Status: lint.NA}
+ }
+
+ return &lint.LintResult{Status: lint.Pass}
+}
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_san_shall_be_present.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_san_shall_be_present.go
new file mode 100644
index 000000000..bbd5aa91b
--- /dev/null
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_san_shall_be_present.go
@@ -0,0 +1,55 @@
+/*
+ * ZLint Copyright 2023 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+package cabf_smime_br
+
+import (
+ "github.com/zmap/zcrypto/x509"
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/util"
+)
+
+func init() {
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_san_shall_be_present",
+ Description: "Subject alternative name SHALL be present",
+ Citation: "7.1.2.3.h",
+ Source: lint.CABFSMIMEBaselineRequirements,
+ EffectiveDate: util.CABF_SMIME_BRs_1_0_0_Date,
+ },
+ Lint: NewSubjectAlternativeNameShallBePresent,
+ })
+}
+
+type subjectAlternativeNameShallBePresent struct{}
+
+func NewSubjectAlternativeNameShallBePresent() lint.LintInterface {
+ return &subjectAlternativeNameShallBePresent{}
+}
+
+func (l *subjectAlternativeNameShallBePresent) CheckApplies(c *x509.Certificate) bool {
+ return util.IsSubscriberCert(c) && util.IsSMIMEBRCertificate(c)
+}
+
+func (l *subjectAlternativeNameShallBePresent) Execute(c *x509.Certificate) *lint.LintResult {
+ if !util.IsExtInCert(c, util.SubjectAlternateNameOID) {
+ return &lint.LintResult{
+ Status: lint.Error,
+ Details: "SMIME certificate does not have a subject alternative name extension",
+ }
+ } else {
+ return &lint.LintResult{Status: lint.Pass}
+ }
+}
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_san_should_not_be_critical.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_san_should_not_be_critical.go
new file mode 100644
index 000000000..6d8a00964
--- /dev/null
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_san_should_not_be_critical.go
@@ -0,0 +1,66 @@
+/*
+ * ZLint Copyright 2023 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+package cabf_smime_br
+
+import (
+ "reflect"
+
+ "github.com/zmap/zcrypto/x509"
+ "github.com/zmap/zcrypto/x509/pkix"
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/util"
+)
+
+func init() {
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "w_san_should_not_be_critical",
+ Description: "subjectAlternativeName SHOULD NOT be marked critical unless the subject field is an empty sequence.",
+ Citation: "7.1.2.3.h",
+ Source: lint.CABFSMIMEBaselineRequirements,
+ EffectiveDate: util.CABF_SMIME_BRs_1_0_0_Date,
+ },
+ Lint: NewSubjectAlternativeNameNotCritical,
+ })
+}
+
+type SubjectAlternativeNameNotCritical struct{}
+
+func NewSubjectAlternativeNameNotCritical() lint.LintInterface {
+ return &SubjectAlternativeNameNotCritical{}
+}
+
+func (l *SubjectAlternativeNameNotCritical) CheckApplies(c *x509.Certificate) bool {
+ return util.IsSubscriberCert(c) && util.IsExtInCert(c, util.SubjectAlternateNameOID) && util.IsSMIMEBRCertificate(c)
+}
+
+func (l *SubjectAlternativeNameNotCritical) Execute(c *x509.Certificate) *lint.LintResult {
+ san := util.GetExtFromCert(c, util.SubjectAlternateNameOID)
+ isCritical := san.Critical
+ emptySubject := reflect.DeepEqual(c.Subject, pkix.Name{OriginalRDNS: pkix.RDNSequence{}})
+ if isCritical && emptySubject {
+ // "...unless the 
subject field is an empty sequence"
+ return &lint.LintResult{Status: lint.Pass}
+ } else if isCritical && !emptySubject {
+ // Critical, but there's a non-empty SAN.
+ return &lint.LintResult{
+ Status: lint.Warn,
+ Details: "subject is not empty, but subjectAlternativeName is marked critical",
+ }
+ } else {
+ // Not critical, not empty SAN.
+ return &lint.LintResult{Status: lint.Pass}
+ }
+}
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_single_email_if_present.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_single_email_if_present.go
new file mode 100644
index 000000000..82b6b5c70
--- /dev/null
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_single_email_if_present.go
@@ -0,0 +1,60 @@
+/*
+ * ZLint Copyright 2023 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+package cabf_smime_br
+
+import (
+ "fmt"
+
+ "github.com/zmap/zcrypto/x509"
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/util"
+)
+
+func init() {
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_single_email_if_present",
+ Description: "If present, the subject:emailAddress SHALL contain a single Mailbox Address",
+ Citation: "7.1.4.2.h",
+ Source: lint.CABFSMIMEBaselineRequirements,
+ EffectiveDate: util.CABF_SMIME_BRs_1_0_0_Date,
+ },
+ Lint: func() lint.LintInterface { return &singleEmailIfPresent{} },
+ })
+}
+
+type singleEmailIfPresent struct{}
+
+func NewSingleEmailIfPresent() lint.LintInterface {
+ return &singleEmailIfPresent{}
+}
+
+func (l *singleEmailIfPresent) CheckApplies(c *x509.Certificate) bool {
+ return util.IsSubscriberCert(c) && c.EmailAddresses != nil && len(c.EmailAddresses) != 0 && util.IsSMIMEBRCertificate(c)
+}
+
+func (l *singleEmailIfPresent) Execute(c *x509.Certificate) *lint.LintResult {
+ if len(c.EmailAddresses) == 1 {
+ return &lint.LintResult{
+ Status: lint.Pass,
+ }
+ } else {
+ return &lint.LintResult{
+ Status: lint.Error,
+ Details: fmt.Sprintf("subject:emailAddress was present and contained %d names (%s)", len(c.EmailAddresses), c.EmailAddresses),
+ LintMetadata: lint.LintMetadata{},
+ }
+ }
+}
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_strict_aia_has_http_only.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_strict_aia_has_http_only.go
new file mode 100644
index 000000000..e47da6a31
--- /dev/null
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_strict_aia_has_http_only.go
@@ -0,0 +1,80 @@
+package cabf_smime_br
+
+/*
+ * ZLint Copyright 2023 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+import (
+ "net/url"
+
+ "github.com/zmap/zcrypto/x509"
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/util"
+)
+
+type smimeStrictAIAHasHTTPOnly struct{}
+
+/************************************************************************
+BRs: 7.1.2.3c
+CA Certificate Authority Information Access
+The authorityInformationAccess extension MAY contain one or more accessMethod
+values for each of the following types:
+
+id-ad-ocsp specifies the URI of the Issuing CA's OCSP responder.
+id-ad-caIssuers specifies the URI of the Issuing CA's Certificate.
+
+For Strict and Multipurpose: When provided, every accessMethod SHALL have the URI scheme HTTP. Other schemes SHALL NOT be present.
+*************************************************************************/
+
+func init() {
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_smime_strict_aia_shall_have_http_only",
+ Description: "SMIME Strict certificates authorityInformationAccess. When provided, every accessMethod SHALL have the URI scheme HTTP. 
Other schemes SHALL NOT be present.",
+ Citation: "BRs: 7.1.2.3c",
+ Source: lint.CABFSMIMEBaselineRequirements,
+ EffectiveDate: util.CABF_SMIME_BRs_1_0_0_Date,
+ },
+ Lint: NewSMIMEStrictAIAHasHTTPOnly,
+ })
+}
+
+func NewSMIMEStrictAIAHasHTTPOnly() lint.LintInterface {
+ return &smimeStrictAIAHasHTTPOnly{}
+}
+
+func (l *smimeStrictAIAHasHTTPOnly) CheckApplies(c *x509.Certificate) bool {
+ return util.IsExtInCert(c, util.AiaOID) && util.IsSubscriberCert(c) && (util.IsStrictSMIMECertificate(c) || util.IsMultipurposeSMIMECertificate(c))
+}
+
+func (l *smimeStrictAIAHasHTTPOnly) Execute(c *x509.Certificate) *lint.LintResult {
+ for _, u := range c.OCSPServer {
+ purl, err := url.Parse(u)
+ if err != nil {
+ return &lint.LintResult{Status: lint.Error}
+ }
+ if purl.Scheme != "http" {
+ return &lint.LintResult{Status: lint.Error}
+ }
+ }
+ for _, u := range c.IssuingCertificateURL {
+ purl, err := url.Parse(u)
+ if err != nil {
+ return &lint.LintResult{Status: lint.Error}
+ }
+ if purl.Scheme != "http" {
+ return &lint.LintResult{Status: lint.Error}
+ }
+ }
+ return &lint.LintResult{Status: lint.Pass}
+}
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_subscribers_shall_have_crl_distribution_points.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_subscribers_shall_have_crl_distribution_points.go
new file mode 100644
index 000000000..67e7dedcf
--- /dev/null
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_subscribers_shall_have_crl_distribution_points.go
@@ -0,0 +1,55 @@
+/*
+ * ZLint Copyright 2023 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+package cabf_smime_br
+
+import (
+ "github.com/zmap/zcrypto/x509"
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/util"
+)
+
+func init() {
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_subscribers_shall_have_crl_distribution_points",
+ Description: "cRLDistributionPoints SHALL be present.",
+ Citation: "7.1.2.3.b",
+ Source: lint.CABFSMIMEBaselineRequirements,
+ EffectiveDate: util.CABF_SMIME_BRs_1_0_0_Date,
+ },
+ Lint: NewSubscriberCrlDistributionPoints,
+ })
+}
+
+type SubscriberCrlDistributionPoints struct{}
+
+func NewSubscriberCrlDistributionPoints() lint.LintInterface {
+ return &SubscriberCrlDistributionPoints{}
+}
+
+func (l *SubscriberCrlDistributionPoints) CheckApplies(c *x509.Certificate) bool {
+ return util.IsSubscriberCert(c) && util.IsSMIMEBRCertificate(c)
+}
+
+func (l *SubscriberCrlDistributionPoints) Execute(c *x509.Certificate) *lint.LintResult {
+ if len(c.CRLDistributionPoints) == 0 {
+ return &lint.LintResult{
+ Status: lint.Error,
+ Details: "SMIME certificate contains zero CRL distribution points",
+ }
+ } else {
+ return &lint.LintResult{Status: lint.Pass}
+ }
+}
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/mailbox_validated_enforce_subject_field_restrictions.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/mailbox_validated_enforce_subject_field_restrictions.go
new file mode 100644
index 000000000..782d35ef6
--- /dev/null
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/mailbox_validated_enforce_subject_field_restrictions.go
@@ -0,0 +1,100 @@
+package cabf_smime_br
+
+/*
+ * ZLint Copyright 2021 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+import (
+ "fmt"
+
+ "github.com/zmap/zcrypto/x509"
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/util"
+)
+
+// mailboxValidatedEnforceSubjectFieldRestrictions - linter to enforce MAY/SHALL NOT requirements for mailbox validated SMIME certificates
+type mailboxValidatedEnforceSubjectFieldRestrictions struct {
+ forbiddenSubjectFields map[string]string
+ allowedSubjectFields map[string]string
+}
+
+func init() {
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_mailbox_validated_enforce_subject_field_restrictions",
+ Description: "SMIME certificates complying to mailbox validated profiles MAY only contain commonName, serialNumber or emailAddress attributes in the Subject DN",
+ Citation: "SMIME BRs: 7.1.4.2.3",
+ Source: lint.CABFSMIMEBaselineRequirements,
+ EffectiveDate: util.CABF_SMIME_BRs_1_0_0_Date,
+ },
+ Lint: func() lint.CertificateLintInterface {
+ return NewMailboxValidatedEnforceSubjectFieldRestrictions()
+ },
+ })
+}
+
+// NewMailboxValidatedEnforceSubjectFieldRestrictions creates a new linter to enforce MAY/SHALL NOT field requirements for mailbox validated SMIME certs
+func NewMailboxValidatedEnforceSubjectFieldRestrictions() lint.LintInterface {
+ return &mailboxValidatedEnforceSubjectFieldRestrictions{
+ 
forbiddenSubjectFields: map[string]string{
+ "0.9.2342.19200300.100.1.25": "subject:domainComponent",
+ "1.3.6.1.4.1.311.60.2.1.1": "subject:jurisdictionLocality",
+ "1.3.6.1.4.1.311.60.2.1.2": "subject:jurisdictionProvince",
+ "1.3.6.1.4.1.311.60.2.1.3": "subject:jurisdictionCountry",
+ "2.5.4.4": "subject:surname",
+ "2.5.4.6": "subject:countryName",
+ "2.5.4.7": "subject:localityName",
+ "2.5.4.8": "subject:stateOrProvinceName",
+ "2.5.4.9": "subject:streetAddress",
+ "2.5.4.10": "subject:organizationName",
+ "2.5.4.11": "subject:organizationalUnitName",
+ "2.5.4.12": "subject:title",
+ "2.5.4.17": "subject:postalCode",
+ "2.5.4.42": "subject:givenName",
+ "2.5.4.65": "subject:pseudonym",
+ "2.5.4.97": "subject:organizationIdentifier",
+ },
+ allowedSubjectFields: map[string]string{
+ "1.2.840.113549.1.9.1": "subject:emailAddress",
+ "2.5.4.3": "subject:commonName",
+ "2.5.4.5": "subject:serialNumber",
+ },
+ }
+}
+
+// CheckApplies returns true if the provided certificate is a subscriber certificate and contains one-or-more of the following
+// SMIME BR policy identifiers:
+// - Mailbox Validated Legacy
+// - Mailbox Validated Multipurpose
+// - Mailbox Validated Strict
+func (l *mailboxValidatedEnforceSubjectFieldRestrictions) CheckApplies(c *x509.Certificate) bool {
+ return util.IsMailboxValidatedCertificate(c) && util.IsSubscriberCert(c)
+}
+
+// Execute applies the requirements on what fields are allowed for mailbox validated SMIME certificates
+func (l *mailboxValidatedEnforceSubjectFieldRestrictions) Execute(c *x509.Certificate) *lint.LintResult {
+ for _, rdnSeq := range c.Subject.OriginalRDNS {
+ for _, field := range rdnSeq {
+ oidStr := field.Type.String()
+
+ if _, ok := l.allowedSubjectFields[oidStr]; !ok {
+ if fieldName, knownField := l.forbiddenSubjectFields[oidStr]; knownField {
+ return &lint.LintResult{Status: lint.Error, Details: fmt.Sprintf("subject DN contains forbidden field: %s (%s)", fieldName, oidStr)}
+ }
+ return 
&lint.LintResult{Status: lint.Error, Details: fmt.Sprintf("subject DN contains forbidden field: %s", oidStr)}
+ }
+ }
+ }
+
+ return &lint.LintResult{Status: lint.Pass}
+}
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/smime_legacy_multipurpose_eku_check.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/smime_legacy_multipurpose_eku_check.go
new file mode 100644
index 000000000..a3257ca55
--- /dev/null
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/smime_legacy_multipurpose_eku_check.go
@@ -0,0 +1,80 @@
+package cabf_smime_br
+
+/*
+ * ZLint Copyright 2023 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+import (
+ "github.com/zmap/zcrypto/x509"
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/util"
+)
+
+// shallHaveCrlDistributionPoints - linter to enforce requirement that SMIME certificates SHALL contain emailProtecton EKU
+type legacyMultipurposeEKUCheck struct {
+}
+
+func init() {
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_smime_legacy_multipurpose_eku_check",
+ Description: "Strict/Multipurpose and Legacy: id-kp-emailProtection SHALL be present. Other values MAY be present. 
The values id-kp-serverAuth, id-kp-codeSigning, id-kp-timeStamping, and anyExtendedKeyUsage values SHALL NOT be present.",
+ Citation: "SMIME BRs: 7.1.2.3.f",
+ Source: lint.CABFSMIMEBaselineRequirements,
+ EffectiveDate: util.CABF_SMIME_BRs_1_0_0_Date,
+ },
+ Lint: NewLegacyMultipurposeEKUCheck,
+ })
+}
+
+// NewShallHaveCrlDistributionPoints creates a new linter to enforce MAY/SHALL NOT field requirements for mailbox validated SMIME certs
+func NewLegacyMultipurposeEKUCheck() lint.CertificateLintInterface {
+ return &legacyMultipurposeEKUCheck{}
+}
+
+// CheckApplies returns true if the provided certificate contains one-or-more of the following SMIME BR policy identifiers:
+// - Mailbox Validated Legacy
+// - Mailbox Validated Multipurpose
+// - Organization Validated Legacy
+// - Organization Validated Multipurpose
+// - Sponsor Validated Legacy
+// - Sponsor Validated Multipurpose
+// - Individual Validated Legacy
+// - Individual Validated Multipurpose
+func (l *legacyMultipurposeEKUCheck) CheckApplies(c *x509.Certificate) bool {
+ return (util.IsLegacySMIMECertificate(c) || util.IsMultipurposeSMIMECertificate(c)) && util.IsSubscriberCert(c)
+}
+
+// Execute applies the requirements on what fields are allowed for mailbox validated SMIME certificates
+func (l *legacyMultipurposeEKUCheck) Execute(c *x509.Certificate) *lint.LintResult {
+ hasEmailProtectionEKU := false
+ ekusOK := true
+
+ for _, eku := range c.ExtKeyUsage {
+ if eku == x509.ExtKeyUsageEmailProtection {
+ hasEmailProtectionEKU = true
+ } else if eku == x509.ExtKeyUsageServerAuth || eku == x509.ExtKeyUsageCodeSigning || eku == x509.ExtKeyUsageTimeStamping || eku == x509.ExtKeyUsageAny {
+ ekusOK = false
+ }
+ }
+
+ if !hasEmailProtectionEKU {
+ return &lint.LintResult{Status: lint.Error, Details: "id-kp-emailProtection SHALL be present"}
+ }
+
+ if !ekusOK {
+ return &lint.LintResult{Status: lint.Error, Details: "id-kp-serverAuth, id-kp-codeSigning, id-kp-timeStamping, and anyExtendedKeyUsage 
values SHALL NOT be present"}
+ }
+
+ return &lint.LintResult{Status: lint.Pass}
+}
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/smime_strict_eku_check.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/smime_strict_eku_check.go
new file mode 100644
index 000000000..a7bc1a9af
--- /dev/null
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/smime_strict_eku_check.go
@@ -0,0 +1,71 @@
+package cabf_smime_br
+
+/*
+ * ZLint Copyright 2023 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+import (
+ "github.com/zmap/zcrypto/x509"
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/util"
+)
+
+// strictEKUCheck - linter to enforce requirement that SMIME certificates SHALL contain emailProtecton EKU
+type strictEKUCheck struct {
+}
+
+func init() {
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_smime_strict_eku_check",
+ Description: "Strict: id-kp-emailProtection SHALL be present. 
Other values SHALL NOT be present",
+ Citation: "SMIME BRs: 7.1.2.3.f",
+ Source: lint.CABFSMIMEBaselineRequirements,
+ EffectiveDate: util.CABF_SMIME_BRs_1_0_0_Date,
+ },
+ Lint: NewStrictEKUCheck,
+ })
+}
+
+// NewShallHaveCrlDistributionPoints creates a new linter to enforce MAY/SHALL NOT field requirements for mailbox validated SMIME certs
+func NewStrictEKUCheck() lint.CertificateLintInterface {
+ return &strictEKUCheck{}
+}
+
+// CheckApplies returns true if the provided certificate contains one-or-more of the following SMIME BR policy identifiers:
+// - Mailbox Validated Strict
+// - Organization Validated Strict
+// - Sponsor Validated Strict
+// - Individual Validated Strict
+func (l *strictEKUCheck) CheckApplies(c *x509.Certificate) bool {
+ return util.IsStrictSMIMECertificate(c) && util.IsSubscriberCert(c)
+}
+
+// Execute applies the requirements on what fields are allowed for mailbox validated SMIME certificates
+func (l *strictEKUCheck) Execute(c *x509.Certificate) *lint.LintResult {
+ hasEmailProtectionEKU := false
+
+ for _, eku := range c.ExtKeyUsage {
+ if eku == x509.ExtKeyUsageEmailProtection {
+ hasEmailProtectionEKU = true
+ } else {
+ return &lint.LintResult{Status: lint.Error}
+ }
+ }
+
+ if hasEmailProtectionEKU {
+ return &lint.LintResult{Status: lint.Pass}
+ }
+
+ return &lint.LintResult{Status: lint.Error}
+}
diff --git a/vendor/github.com/zmap/zlint/v3/lints/community/lint_ian_bare_wildcard.go b/vendor/github.com/zmap/zlint/v3/lints/community/lint_ian_bare_wildcard.go
index 5a25d8d9a..3e0ed613f 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/community/lint_ian_bare_wildcard.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/community/lint_ian_bare_wildcard.go
@@ -25,13 +25,15 @@ import (
 type brIANBareWildcard struct{}
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_ian_bare_wildcard",
- Description: "A wildcard MUST be accompanied by other data to its right (Only checks IANDNSNames)",
- Citation: "awslabs certlint",
- Source: lint.Community,
- EffectiveDate: util.ZeroDate,
- Lint: NewBrIANBareWildcard,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_ian_bare_wildcard",
+ Description: "A wildcard MUST be accompanied by other data to its right (Only checks IANDNSNames)",
+ Citation: "awslabs certlint",
+ Source: lint.Community,
+ EffectiveDate: util.ZeroDate,
+ },
+ Lint: NewBrIANBareWildcard,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/community/lint_ian_dns_name_includes_null_char.go b/vendor/github.com/zmap/zlint/v3/lints/community/lint_ian_dns_name_includes_null_char.go
index d6f10fca3..bc6c46681 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/community/lint_ian_dns_name_includes_null_char.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/community/lint_ian_dns_name_includes_null_char.go
@@ -23,13 +23,15 @@ import (
 type IANDNSNull struct{}
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_ian_dns_name_includes_null_char",
- Description: "DNSName MUST NOT include a null character",
- Citation: "awslabs certlint",
- Source: lint.Community,
- EffectiveDate: util.ZeroDate,
- Lint: NewIANDNSNull,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_ian_dns_name_includes_null_char",
+ Description: "DNSName MUST NOT include a null character",
+ Citation: "awslabs certlint",
+ Source: lint.Community,
+ EffectiveDate: util.ZeroDate,
+ },
+ Lint: NewIANDNSNull,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/community/lint_ian_dns_name_starts_with_period.go b/vendor/github.com/zmap/zlint/v3/lints/community/lint_ian_dns_name_starts_with_period.go
index afa9085de..7e816446e 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/community/lint_ian_dns_name_starts_with_period.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/community/lint_ian_dns_name_starts_with_period.go
@@ -25,13 +25,15 @@ import (
 type IANDNSPeriod struct{}
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_ian_dns_name_starts_with_period",
- Description: "DNSName MUST NOT start with a period",
- Citation: "awslabs certlint",
- Source: lint.Community,
- EffectiveDate: util.ZeroDate,
- Lint: NewIANDNSPeriod,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_ian_dns_name_starts_with_period",
+ Description: "DNSName MUST NOT start with a period",
+ Citation: "awslabs certlint",
+ Source: lint.Community,
+ EffectiveDate: util.ZeroDate,
+ },
+ Lint: NewIANDNSPeriod,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/community/lint_ian_iana_pub_suffix_empty.go b/vendor/github.com/zmap/zlint/v3/lints/community/lint_ian_iana_pub_suffix_empty.go
index cfbcd04d4..1b3df4a85 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/community/lint_ian_iana_pub_suffix_empty.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/community/lint_ian_iana_pub_suffix_empty.go
@@ -25,13 +25,15 @@ import (
 type IANPubSuffix struct{}
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "w_ian_iana_pub_suffix_empty",
- Description: "Domain SHOULD NOT have a bare public suffix",
- Citation: "awslabs certlint",
- Source: lint.Community,
- EffectiveDate: util.ZeroDate,
- Lint: NewIANPubSuffix,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "w_ian_iana_pub_suffix_empty",
+ Description: "Domain SHOULD NOT have a bare public suffix",
+ Citation: "awslabs certlint",
+ Source: lint.Community,
+ EffectiveDate: util.ZeroDate,
+ },
+ Lint: NewIANPubSuffix,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/community/lint_ian_wildcard_not_first.go b/vendor/github.com/zmap/zlint/v3/lints/community/lint_ian_wildcard_not_first.go
index 807c20ef5..9cf2197a6 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/community/lint_ian_wildcard_not_first.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/community/lint_ian_wildcard_not_first.go
@@ -23,13 +23,15 @@ import (
 type brIANWildcardFirst struct{}
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_ian_wildcard_not_first",
- Description: "A wildcard MUST be in the first label of FQDN (ie not: www.*.com) (Only checks IANDNSNames)",
- Citation: "awslabs certlint",
- Source: lint.Community,
- EffectiveDate: util.ZeroDate,
- Lint: NewBrIANWildcardFirst,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_ian_wildcard_not_first",
+ Description: "A wildcard MUST be in the first label of FQDN (ie not: www.*.com) (Only checks IANDNSNames)",
+ Citation: "awslabs certlint",
+ Source: lint.Community,
+ EffectiveDate: util.ZeroDate,
+ },
+ Lint: NewBrIANWildcardFirst,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/community/lint_is_redacted_cert.go b/vendor/github.com/zmap/zlint/v3/lints/community/lint_is_redacted_cert.go
index 686f08a62..9c326d7e7 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/community/lint_is_redacted_cert.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/community/lint_is_redacted_cert.go
@@ -25,13 +25,15 @@ import (
 type DNSNameRedacted struct{}
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "n_contains_redacted_dnsname",
- Description: "Some precerts are redacted and of the form ?.?.a.com or *.?.a.com",
- Source: lint.Community,
- Citation: "IETF Draft: https://tools.ietf.org/id/draft-strad-trans-redaction-00.html",
- EffectiveDate: util.ZeroDate,
- Lint: NewDNSNameRedacted,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "n_contains_redacted_dnsname",
+ Description: "Some precerts are redacted and of the form ?.?.a.com or *.?.a.com",
+ Source: lint.Community,
+ Citation: "IETF Draft: https://tools.ietf.org/id/draft-strad-trans-redaction-00.html",
+ EffectiveDate: util.ZeroDate,
+ },
+ Lint: NewDNSNameRedacted,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/community/lint_issuer_dn_leading_whitespace.go b/vendor/github.com/zmap/zlint/v3/lints/community/lint_issuer_dn_leading_whitespace.go
index aa99a67a2..b7c71ecbb 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/community/lint_issuer_dn_leading_whitespace.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/community/lint_issuer_dn_leading_whitespace.go
@@ -23,13 +23,15 @@ import (
 type IssuerDNLeadingSpace struct{}
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "w_issuer_dn_leading_whitespace",
- Description: "AttributeValue in issuer RelativeDistinguishedName sequence SHOULD NOT have leading whitespace",
- Citation: "lint.AWSLabs certlint",
- Source: lint.Community,
- EffectiveDate: util.ZeroDate,
- Lint: NewIssuerDNLeadingSpace,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "w_issuer_dn_leading_whitespace",
+ Description: "AttributeValue in issuer RelativeDistinguishedName sequence SHOULD NOT have leading whitespace",
+ Citation: "lint.AWSLabs certlint",
+ Source: lint.Community,
+ EffectiveDate: util.ZeroDate,
+ },
+ Lint: NewIssuerDNLeadingSpace,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/community/lint_issuer_dn_trailing_whitespace.go b/vendor/github.com/zmap/zlint/v3/lints/community/lint_issuer_dn_trailing_whitespace.go
index 39122541f..1a4928a75 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/community/lint_issuer_dn_trailing_whitespace.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/community/lint_issuer_dn_trailing_whitespace.go
@@ -23,13 +23,15 @@ import (
 type IssuerDNTrailingSpace struct{}
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "w_issuer_dn_trailing_whitespace",
- Description: "AttributeValue in issuer RelativeDistinguishedName sequence SHOULD NOT have trailing whitespace",
- Citation: "lint.AWSLabs certlint",
- Source: lint.Community,
- EffectiveDate: util.ZeroDate,
- Lint: NewIssuerDNTrailingSpace,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "w_issuer_dn_trailing_whitespace",
+ Description: "AttributeValue in issuer RelativeDistinguishedName sequence SHOULD NOT have trailing whitespace",
+ Citation: "lint.AWSLabs certlint",
+ Source: lint.Community,
+ EffectiveDate: util.ZeroDate,
+ },
+ Lint: NewIssuerDNTrailingSpace,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/community/lint_issuer_multiple_rdn.go b/vendor/github.com/zmap/zlint/v3/lints/community/lint_issuer_multiple_rdn.go
index 9affa1473..cfa69fcfe 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/community/lint_issuer_multiple_rdn.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/community/lint_issuer_multiple_rdn.go
@@ -25,13 +25,15 @@ import (
 type IssuerRDNHasMultipleAttribute struct{}
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "w_multiple_issuer_rdn",
- Description: "Certificates should not have multiple attributes in a single RDN (issuer)",
- Citation: "awslabs certlint",
- Source: lint.Community,
- EffectiveDate: util.ZeroDate,
- Lint: NewIssuerRDNHasMultipleAttribute,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "w_multiple_issuer_rdn",
+ Description: "Certificates should not have multiple attributes in a single RDN (issuer)",
+ Citation: "awslabs certlint",
+ Source: lint.Community,
+ EffectiveDate: util.ZeroDate,
+ },
+ Lint: NewIssuerRDNHasMultipleAttribute,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/community/lint_rsa_exp_negative.go b/vendor/github.com/zmap/zlint/v3/lints/community/lint_rsa_exp_negative.go
index f4ff1f236..c22626e6f 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/community/lint_rsa_exp_negative.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/community/lint_rsa_exp_negative.go
@@ -25,13 +25,15 @@ import (
 type rsaExpNegative struct{}
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_rsa_exp_negative",
- Description: "RSA public key exponent MUST be positive",
- Citation: "awslabs certlint",
- Source: lint.Community,
- EffectiveDate: util.ZeroDate,
- Lint: NewRsaExpNegative,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_rsa_exp_negative",
+ Description: "RSA public key exponent MUST be positive",
+ Citation: "awslabs certlint",
+ Source: lint.Community,
+ EffectiveDate: util.ZeroDate,
+ },
+ Lint: NewRsaExpNegative,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/community/lint_rsa_fermat_factorization.go b/vendor/github.com/zmap/zlint/v3/lints/community/lint_rsa_fermat_factorization.go
index 3a9be265b..0238c26a4 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/community/lint_rsa_fermat_factorization.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/community/lint_rsa_fermat_factorization.go
@@ -29,15 +29,17 @@ type fermatFactorization struct {
 }
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_rsa_fermat_factorization",
- Description: "RSA key pairs that are too close to each other are susceptible to the Fermat Factorization " +
- "Method (for more information please see https://en.wikipedia.org/wiki/Fermat%27s_factorization_method " +
- "and https://fermatattack.secvuln.info/)",
- Citation: "Pierre de Fermat",
- Source: lint.Community,
- EffectiveDate: util.ZeroDate,
- Lint: NewFermatFactorization,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_rsa_fermat_factorization",
+ Description: "RSA key pairs that are too close to each other are susceptible to the Fermat Factorization " +
+ "Method (for more information please see https://en.wikipedia.org/wiki/Fermat%27s_factorization_method " +
+ "and https://fermatattack.secvuln.info/)",
+ Citation: "Pierre de Fermat",
+ Source: lint.Community,
+ EffectiveDate: util.ZeroDate,
+ },
+ Lint: NewFermatFactorization,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/community/lint_rsa_no_public_key.go b/vendor/github.com/zmap/zlint/v3/lints/community/lint_rsa_no_public_key.go
index 255114773..c56df61d8 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/community/lint_rsa_no_public_key.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/community/lint_rsa_no_public_key.go
@@ -25,13 +25,15 @@ import (
 type rsaParsedPubKeyExist struct{}
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_rsa_no_public_key",
- Description: "The RSA public key should be present",
- Citation: "awslabs certlint",
- Source: lint.Community,
- EffectiveDate: util.ZeroDate,
- Lint: NewRsaParsedPubKeyExist,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_rsa_no_public_key",
+ Description: "The RSA public key should be present",
+ Citation: "awslabs certlint",
+ Source: lint.Community,
+ EffectiveDate: util.ZeroDate,
+ },
+ Lint: NewRsaParsedPubKeyExist,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/community/lint_san_bare_wildcard.go b/vendor/github.com/zmap/zlint/v3/lints/community/lint_san_bare_wildcard.go
index 5bc95ff57..645b672c7 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/community/lint_san_bare_wildcard.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/community/lint_san_bare_wildcard.go
@@ -25,13 +25,15 @@ import (
 type brSANBareWildcard struct{}
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_san_bare_wildcard",
- Description: "A wildcard MUST be accompanied by other data to its right (Only checks DNSName)",
- Citation: "awslabs certlint",
- Source: lint.Community,
- EffectiveDate: util.ZeroDate,
- Lint: NewBrSANBareWildcard,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_san_bare_wildcard",
+ Description: "A wildcard MUST be accompanied by other data to its right (Only checks DNSName)",
+ Citation: "awslabs certlint",
+ Source: lint.Community,
+ EffectiveDate: util.ZeroDate,
+ },
+ Lint: NewBrSANBareWildcard,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/community/lint_san_dns_name_duplicate.go b/vendor/github.com/zmap/zlint/v3/lints/community/lint_san_dns_name_duplicate.go
index bc3205e91..f120bbcd1 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/community/lint_san_dns_name_duplicate.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/community/lint_san_dns_name_duplicate.go
@@ -25,13 +25,15 @@ import (
 type SANDNSDuplicate struct{}
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "n_san_dns_name_duplicate",
- Description: "SAN DNSName contains duplicate values",
- Citation: "awslabs certlint",
- Source: lint.Community,
- EffectiveDate: util.ZeroDate,
- Lint: NewSANDNSDuplicate,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "n_san_dns_name_duplicate",
+ Description: "SAN DNSName contains duplicate values",
+ Citation: "awslabs certlint",
+ Source: lint.Community,
+ EffectiveDate: util.ZeroDate,
+ },
+ Lint: NewSANDNSDuplicate,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/community/lint_san_dns_name_includes_null_char.go b/vendor/github.com/zmap/zlint/v3/lints/community/lint_san_dns_name_includes_null_char.go
index a1a35a11f..3e0c55251 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/community/lint_san_dns_name_includes_null_char.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/community/lint_san_dns_name_includes_null_char.go
@@ -23,13 +23,15 @@ import (
 type SANDNSNull struct{}
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_san_dns_name_includes_null_char",
- Description: "DNSName MUST NOT include a null character",
- Citation: "awslabs certlint",
- Source: lint.Community,
- EffectiveDate: util.ZeroDate,
- Lint: NewSANDNSNull,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_san_dns_name_includes_null_char",
+ Description: "DNSName MUST NOT include a null character",
+ Citation: "awslabs certlint",
+ Source: lint.Community,
+ EffectiveDate: util.ZeroDate,
+ },
+ Lint: NewSANDNSNull,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/community/lint_san_dns_name_starts_with_period.go b/vendor/github.com/zmap/zlint/v3/lints/community/lint_san_dns_name_starts_with_period.go
index 9e0388804..ef5739f7b 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/community/lint_san_dns_name_starts_with_period.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/community/lint_san_dns_name_starts_with_period.go
@@ -25,13 +25,15 @@ import (
 type SANDNSPeriod struct{}
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_san_dns_name_starts_with_period",
- Description: "DNSName MUST NOT start with a period",
- Citation: "awslabs certlint",
- Source: lint.Community,
- EffectiveDate: util.ZeroDate,
- Lint: NewSANDNSPeriod,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_san_dns_name_starts_with_period",
+ Description: "DNSName MUST NOT start with a period",
+ Citation: "awslabs certlint",
+ Source: lint.Community,
+ EffectiveDate: util.ZeroDate,
+ },
+ Lint: NewSANDNSPeriod,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/community/lint_san_iana_pub_suffix_empty.go b/vendor/github.com/zmap/zlint/v3/lints/community/lint_san_iana_pub_suffix_empty.go
index 5749c4987..9c84d970e 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/community/lint_san_iana_pub_suffix_empty.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/community/lint_san_iana_pub_suffix_empty.go
@@ -26,13 +26,15 @@ import (
 type pubSuffix struct{}
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "n_san_iana_pub_suffix_empty",
- Description: "The domain SHOULD NOT have a bare public suffix",
- Citation: "awslabs certlint",
- Source: lint.Community,
- EffectiveDate: util.ZeroDate,
- Lint: NewPubSuffix,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "n_san_iana_pub_suffix_empty",
+ Description: "The domain SHOULD NOT have a bare public suffix",
+ Citation: "awslabs certlint",
+ Source: lint.Community,
+ EffectiveDate: util.ZeroDate,
+ },
+ Lint: NewPubSuffix,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/community/lint_san_wildcard_not_first.go b/vendor/github.com/zmap/zlint/v3/lints/community/lint_san_wildcard_not_first.go
index 49a2c6f0a..0c1f0ba05 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/community/lint_san_wildcard_not_first.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/community/lint_san_wildcard_not_first.go
@@ -23,13 +23,15 @@ import (
 type SANWildCardFirst struct{}
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_san_wildcard_not_first",
- Description: "A wildcard MUST be in the first label of FQDN (ie not: www.*.com) (Only checks DNSName)",
- Citation: "awslabs certlint",
- Source: lint.Community,
- EffectiveDate: util.ZeroDate,
- Lint: NewSANWildCardFirst,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_san_wildcard_not_first",
+ Description: "A wildcard MUST be in the first label of FQDN (ie not: www.*.com) (Only checks DNSName)",
+ Citation: "awslabs certlint",
+ Source: lint.Community,
+ EffectiveDate: util.ZeroDate,
+ },
+ Lint: NewSANWildCardFirst,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/community/lint_subject_dn_leading_whitespace.go b/vendor/github.com/zmap/zlint/v3/lints/community/lint_subject_dn_leading_whitespace.go
index 57683e517..4f1e44c36 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/community/lint_subject_dn_leading_whitespace.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/community/lint_subject_dn_leading_whitespace.go
@@ -23,13 +23,15 @@ import (
 type SubjectDNLeadingSpace struct{}
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "w_subject_dn_leading_whitespace",
- Description: "AttributeValue in subject RelativeDistinguishedName sequence SHOULD NOT have leading whitespace",
- Citation: "lint.AWSLabs certlint",
- Source: lint.Community,
- EffectiveDate: util.ZeroDate,
- Lint: NewSubjectDNLeadingSpace,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "w_subject_dn_leading_whitespace",
+ Description: "AttributeValue in subject RelativeDistinguishedName sequence SHOULD NOT have leading whitespace",
+ Citation: "lint.AWSLabs certlint",
+ Source: lint.Community,
+ EffectiveDate: util.ZeroDate,
+ },
+ Lint: NewSubjectDNLeadingSpace,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/community/lint_subject_dn_trailing_whitespace.go b/vendor/github.com/zmap/zlint/v3/lints/community/lint_subject_dn_trailing_whitespace.go
index 1aadefe28..7fe70c988 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/community/lint_subject_dn_trailing_whitespace.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/community/lint_subject_dn_trailing_whitespace.go
@@ -23,13 +23,15 @@ import (
 type SubjectDNTrailingSpace struct{}
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "w_subject_dn_trailing_whitespace",
- Description: "AttributeValue in subject RelativeDistinguishedName sequence SHOULD NOT have trailing whitespace",
- Citation: "lint.AWSLabs certlint",
- Source: lint.Community,
- EffectiveDate: util.ZeroDate,
- Lint: NewSubjectDNTrailingSpace,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "w_subject_dn_trailing_whitespace",
+ Description: "AttributeValue in subject RelativeDistinguishedName sequence SHOULD NOT have trailing whitespace",
+ Citation: "lint.AWSLabs certlint",
+ Source: lint.Community,
+ EffectiveDate: util.ZeroDate,
+ },
+ Lint: NewSubjectDNTrailingSpace,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/community/lint_subject_multiple_rdn.go b/vendor/github.com/zmap/zlint/v3/lints/community/lint_subject_multiple_rdn.go
index 32b255042..3794ee3c8 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/community/lint_subject_multiple_rdn.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/community/lint_subject_multiple_rdn.go
@@ -25,13 +25,15 @@ import (
 type SubjectRDNHasMultipleAttribute struct{}
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "n_multiple_subject_rdn",
- Description: "Certificates typically do not have multiple attributes in a single RDN (subject). This may be an error.",
- Citation: "lint.AWSLabs certlint",
- Source: lint.Community,
- EffectiveDate: util.ZeroDate,
- Lint: NewSubjectRDNHasMultipleAttribute,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "n_multiple_subject_rdn",
+ Description: "Certificates typically do not have multiple attributes in a single RDN (subject). This may be an error.",
+ Citation: "lint.AWSLabs certlint",
+ Source: lint.Community,
+ EffectiveDate: util.ZeroDate,
+ },
+ Lint: NewSubjectRDNHasMultipleAttribute,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/community/lint_validity_time_not_positive.go b/vendor/github.com/zmap/zlint/v3/lints/community/lint_validity_time_not_positive.go
index 02c61ff7d..79e6ccf19 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/community/lint_validity_time_not_positive.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/community/lint_validity_time_not_positive.go
@@ -23,13 +23,15 @@ import (
 type validityNegative struct{}
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_validity_time_not_positive",
- Description: "Certificates MUST have a positive time for which they are valid",
- Citation: "lint.AWSLabs certlint",
- Source: lint.Community,
- EffectiveDate: util.ZeroDate,
- Lint: NewValidityNegative,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_validity_time_not_positive",
+ Description: "Certificates MUST have a positive time for which they are valid",
+ Citation: "lint.AWSLabs certlint",
+ Source: lint.Community,
+ EffectiveDate: util.ZeroDate,
+ },
+ Lint: NewValidityNegative,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_etsi_present_qcs_critical.go b/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_etsi_present_qcs_critical.go
index 1e465a8a9..3c2bb02ea 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_etsi_present_qcs_critical.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_etsi_present_qcs_critical.go
@@ -23,13 +23,15 @@ import (
 type qcStatemQcEtsiPresentQcsCritical struct{}
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_qcstatem_etsi_present_qcs_critical",
- Description: "Checks that a QC Statement which contains any of the id-etsi-qcs-... QC Statements is not marked critical",
- Citation: "ETSI EN 319 412 - 5 V2.2.1 (2017 - 11) / Section 4.1",
- Source: lint.EtsiEsi,
- EffectiveDate: util.EtsiEn319_412_5_V2_2_1_Date,
- Lint: NewQcStatemQcEtsiPresentQcsCritical,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_qcstatem_etsi_present_qcs_critical",
+ Description: "Checks that a QC Statement which contains any of the id-etsi-qcs-... QC Statements is not marked critical",
+ Citation: "ETSI EN 319 412 - 5 V2.2.1 (2017 - 11) / Section 4.1",
+ Source: lint.EtsiEsi,
+ EffectiveDate: util.EtsiEn319_412_5_V2_2_1_Date,
+ },
+ Lint: NewQcStatemQcEtsiPresentQcsCritical,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_etsi_type_as_statem.go b/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_etsi_type_as_statem.go
index 2952aa72b..b7df51635 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_etsi_type_as_statem.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_etsi_type_as_statem.go
@@ -26,13 +26,15 @@ import (
 type qcStatemEtsiTypeAsStatem struct{}
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_qcstatem_etsi_type_as_statem",
- Description: "Checks for erroneous QC Statement OID that actually are represented by ETSI ESI QC type OID.",
- Citation: "ETSI EN 319 412 - 5 V2.2.1 (2017 - 11) / Section 4.2.3",
- Source: lint.EtsiEsi,
- EffectiveDate: util.EtsiEn319_412_5_V2_2_1_Date,
- Lint: NewQcStatemEtsiTypeAsStatem,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_qcstatem_etsi_type_as_statem",
+ Description: "Checks for erroneous QC Statement OID that actually are represented by ETSI ESI QC type OID.",
+ Citation: "ETSI EN 319 412 - 5 V2.2.1 (2017 - 11) / Section 4.2.3",
+ Source: lint.EtsiEsi,
+ EffectiveDate: util.EtsiEn319_412_5_V2_2_1_Date,
+ },
+ Lint: NewQcStatemEtsiTypeAsStatem,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_mandatory_etsi_statems.go b/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_mandatory_etsi_statems.go
index 099f244d6..abed3568e 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_mandatory_etsi_statems.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_mandatory_etsi_statems.go
@@ -24,13 +24,15 @@ import (
 type qcStatemQcmandatoryEtsiStatems struct{}
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_qcstatem_mandatory_etsi_statems",
- Description: "Checks that a QC Statement that contains at least one of the ETSI ESI statements, also features the set of mandatory ETSI ESI QC statements.",
- Citation: "ETSI EN 319 412 - 5 V2.2.1 (2017 - 11) / Section 5",
- Source: lint.EtsiEsi,
- EffectiveDate: util.EtsiEn319_412_5_V2_2_1_Date,
- Lint: NewQcStatemQcmandatoryEtsiStatems,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_qcstatem_mandatory_etsi_statems",
+ Description: "Checks that a QC Statement that contains at least one of the ETSI ESI statements, also features the set of mandatory ETSI ESI QC statements.",
+ Citation: "ETSI EN 319 412 - 5 V2.2.1 (2017 - 11) / Section 5",
+ Source: lint.EtsiEsi,
+ EffectiveDate: util.EtsiEn319_412_5_V2_2_1_Date,
+ },
+ Lint: NewQcStatemQcmandatoryEtsiStatems,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_qccompliance_valid.go b/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_qccompliance_valid.go
index 61a3fae1a..67440ae3a 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_qccompliance_valid.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_qccompliance_valid.go
@@ -24,13 +24,15 @@ import (
 type qcStatemQcComplianceValid struct{}
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_qcstatem_qccompliance_valid",
- Description: "Checks that a QC Statement of the type id-etsi-qcs-QcCompliance has the correct form",
- Citation: "ETSI EN 319 412 - 5 V2.2.1 (2017 - 11) / Section 4.2.1",
- Source: lint.EtsiEsi,
- EffectiveDate: util.EtsiEn319_412_5_V2_2_1_Date,
- Lint: NewQcStatemQcComplianceValid,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_qcstatem_qccompliance_valid",
+ Description: "Checks that a QC Statement of the type id-etsi-qcs-QcCompliance has the correct form",
+ Citation: "ETSI EN 319 412 - 5 V2.2.1 (2017 - 11) / Section 4.2.1",
+ Source: lint.EtsiEsi,
+ EffectiveDate: util.EtsiEn319_412_5_V2_2_1_Date,
+ },
+ Lint: NewQcStatemQcComplianceValid,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_qclimitvalue_valid.go b/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_qclimitvalue_valid.go
index a589ed6bf..aaa8e1fbd 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_qclimitvalue_valid.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_qclimitvalue_valid.go
@@ -26,13 +26,15 @@ import (
 type qcStatemQcLimitValueValid struct{}
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_qcstatem_qclimitvalue_valid",
- Description: "Checks that a QC Statement of the type id-etsi-qcs-QcLimitValue has the correct form",
- Citation: "ETSI EN 319 412 - 5 V2.2.1 (2017 - 11) / Section 4.3.2",
- Source: lint.EtsiEsi,
- EffectiveDate: util.EtsiEn319_412_5_V2_2_1_Date,
- Lint: NewQcStatemQcLimitValueValid,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_qcstatem_qclimitvalue_valid",
+ Description: "Checks that a QC Statement of the type id-etsi-qcs-QcLimitValue has the correct form",
+ Citation: "ETSI EN 319 412 - 5 V2.2.1 (2017 - 11) / Section 4.3.2",
+ Source: lint.EtsiEsi,
+ EffectiveDate: util.EtsiEn319_412_5_V2_2_1_Date,
+ },
+ Lint: NewQcStatemQcLimitValueValid,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_qcpds_lang_case.go b/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_qcpds_lang_case.go
index 63111891e..83aa604f1 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_qcpds_lang_case.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_qcpds_lang_case.go
@@ -27,13 +27,15 @@ import (
 type qcStatemQcPdsLangCase struct{}
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "w_qcstatem_qcpds_lang_case",
- Description: "Checks that a QC Statement of the type id-etsi-qcs-QcPDS features a language code comprised of only lower case letters",
- Citation: "ETSI EN 319 412 - 5 V2.2.1 (2017 - 11) / Section 4.3.4",
- Source: lint.EtsiEsi,
- EffectiveDate: util.EtsiEn319_412_5_V2_2_1_Date,
- Lint: NewQcStatemQcPdsLangCase,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "w_qcstatem_qcpds_lang_case",
+ Description: "Checks that a QC Statement of the type id-etsi-qcs-QcPDS features a language code comprised of only lower case letters",
+ Citation: "ETSI EN 319 412 - 5 V2.2.1 (2017 - 11) / Section 4.3.4",
+ Source: lint.EtsiEsi,
+ EffectiveDate: util.EtsiEn319_412_5_V2_2_1_Date,
+ },
+ Lint: NewQcStatemQcPdsLangCase,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_qcpds_valid.go b/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_qcpds_valid.go
index b10d75e2d..70ac2d9a3 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_qcpds_valid.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_qcpds_valid.go
@@ -27,13 +27,15 @@ import (
 type qcStatemQcPdsValid struct{}
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_qcstatem_qcpds_valid",
- Description: "Checks that a QC Statement of the type id-etsi-qcs-QcPDS has the correct form",
- Citation: "ETSI EN 319 412 - 5 V2.2.1 (2017 - 11) / Section 4.3.4",
- Source: lint.EtsiEsi,
- EffectiveDate: util.EtsiEn319_412_5_V2_2_1_Date,
- Lint: NewQcStatemQcPdsValid,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_qcstatem_qcpds_valid",
+ Description: "Checks that a QC Statement of the type id-etsi-qcs-QcPDS has the correct form",
+ Citation: "ETSI EN 319 412 - 5 V2.2.1 (2017 - 11) / Section 4.3.4",
+ Source: lint.EtsiEsi,
+ EffectiveDate: util.EtsiEn319_412_5_V2_2_1_Date,
+ },
+ Lint: NewQcStatemQcPdsValid,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_qcretentionperiod_valid.go b/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_qcretentionperiod_valid.go
index 27700805a..ef3f8d3bb 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_qcretentionperiod_valid.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_qcretentionperiod_valid.go
@@ -24,13 +24,15 @@ import (
 type qcStatemQcRetentionPeriodValid struct{}
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_qcstatem_qcretentionperiod_valid",
- Description: "Checks that a QC Statement of the type id-etsi-qcs-QcRetentionPeriod has the correct form",
- Citation: "ETSI EN 319 412 - 5 V2.2.1 (2017 - 11)/ Section 4.3.3",
- Source: lint.EtsiEsi,
- EffectiveDate: util.EtsiEn319_412_5_V2_2_1_Date,
- Lint: NewQcStatemQcRetentionPeriodValid,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_qcstatem_qcretentionperiod_valid",
+ Description: "Checks that a QC Statement of the type id-etsi-qcs-QcRetentionPeriod has the correct form",
+ Citation: "ETSI EN 319 412 - 5 V2.2.1 (2017 - 11)/ Section 4.3.3",
+ Source: lint.EtsiEsi,
+ EffectiveDate: util.EtsiEn319_412_5_V2_2_1_Date,
+ },
+ Lint: NewQcStatemQcRetentionPeriodValid,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_qcsscd_valid.go b/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_qcsscd_valid.go
index 70efac551..0951efdc3 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_qcsscd_valid.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_qcsscd_valid.go
@@ -24,13 +24,15 @@ import (
 type qcStatemQcSscdValid struct{}
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_qcstatem_qcsscd_valid",
- Description: "Checks that a QC Statement of the type id-etsi-qcs-QcSSCD has the correct form",
- Citation: "ETSI EN 319 412 - 5 V2.2.1 (2017 - 11) / Section 4.2.2",
- Source: lint.EtsiEsi,
- EffectiveDate: util.EtsiEn319_412_5_V2_2_1_Date,
- Lint: NewQcStatemQcSscdValid,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_qcstatem_qcsscd_valid",
+ Description: "Checks that a QC Statement of the type id-etsi-qcs-QcSSCD has the correct form",
+ Citation: "ETSI EN 319 412 - 5 V2.2.1 (2017 - 11) / Section 4.2.2",
+ Source: lint.EtsiEsi,
+ EffectiveDate: util.EtsiEn319_412_5_V2_2_1_Date,
+ },
+ Lint: NewQcStatemQcSscdValid,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_qctype_valid.go b/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_qctype_valid.go
index 5e63b86c4..6338f6dc8 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_qctype_valid.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_qctype_valid.go
@@ -26,13 +26,15 @@ import (
 type qcStatemQctypeValid struct{}
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_qcstatem_qctype_valid",
- Description: "Checks that a QC Statement of the type Id-etsi-qcs-QcType features a non-empty list of only the allowed QcType OIDs",
- Citation: "ETSI EN 319 412 - 5 V2.2.1 (2017 - 11) / Section 4.2.3",
- Source: lint.EtsiEsi,
- EffectiveDate: util.EtsiEn319_412_5_V2_2_1_Date,
- Lint: NewQcStatemQctypeValid,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_qcstatem_qctype_valid",
+ Description: "Checks that a QC Statement of the type Id-etsi-qcs-QcType features a non-empty list of only the allowed QcType OIDs",
+ Citation: "ETSI EN 319 412 - 5 V2.2.1 (2017 - 11) / Section 4.2.3",
+ Source: lint.EtsiEsi,
+ EffectiveDate: util.EtsiEn319_412_5_V2_2_1_Date,
+ },
+ Lint: NewQcStatemQctypeValid,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_qctype_web.go b/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_qctype_web.go
index d6969a5fd..a3a5f4a0d 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_qctype_web.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_qctype_web.go
@@ -26,13 +26,15 @@ import (
 type qcStatemQctypeWeb struct{}
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "w_qcstatem_qctype_web",
- Description: "Checks that a QC Statement of the type Id-etsi-qcs-QcType features at least the type IdEtsiQcsQctWeb",
- Citation: "ETSI EN 319 412 - 5 V2.2.1 (2017 - 11) / Section 4.2.3",
- Source: lint.EtsiEsi,
- EffectiveDate: util.EtsiEn319_412_5_V2_2_1_Date,
- Lint: NewQcStatemQctypeWeb,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "w_qcstatem_qctype_web",
+ Description: "Checks that a QC Statement of the type Id-etsi-qcs-QcType features at least the type IdEtsiQcsQctWeb",
+ Citation: "ETSI EN 319 412 - 5 V2.2.1 (2017 - 11) / Section 4.2.3",
+ Source: lint.EtsiEsi,
+ EffectiveDate: util.EtsiEn319_412_5_V2_2_1_Date,
+ },
+ Lint: NewQcStatemQctypeWeb,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_e_prohibit_dsa_usage.go b/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_e_prohibit_dsa_usage.go
index 3382f92b7..50f0c3469 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_e_prohibit_dsa_usage.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_e_prohibit_dsa_usage.go
@@ -35,13 +35,15 @@ Root certificates in our root program, and any certificate which chains up to th
 ************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_prohibit_dsa_usage",
- Description: "DSA is not an explicitly allowed signature algorithm, therefore it is forbidden.",
- Citation: "Mozilla Root Store Policy / Section 5.1",
- Source: lint.MozillaRootStorePolicy,
- EffectiveDate: util.MozillaPolicy241Date,
- Lint: NewProhibitDSAUsage,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_prohibit_dsa_usage",
+ Description: "DSA is not an explicitly allowed signature algorithm, therefore it is forbidden.",
+ Citation: "Mozilla Root Store Policy / Section 5.1",
+ Source: lint.MozillaRootStorePolicy,
+ EffectiveDate: util.MozillaPolicy241Date,
+ },
+ Lint: NewProhibitDSAUsage,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_mp_allowed_eku.go b/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_mp_allowed_eku.go
index fe586cb02..9e578da86 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_mp_allowed_eku.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_mp_allowed_eku.go
@@ -37,13 +37,15 @@ intermediates.
 ********************************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "n_mp_allowed_eku",
- Description: "A SubCA certificate must not have key usage that allows for both server auth and email protection, and must not use anyExtendedKeyUsage",
- Citation: "Mozilla Root Store Policy / Section 5.3",
- Source: lint.MozillaRootStorePolicy,
- EffectiveDate: time.Date(2019, time.January, 1, 0, 0, 0, 0, time.UTC),
- Lint: NewAllowedEKU,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "n_mp_allowed_eku",
+ Description: "A SubCA certificate must not have key usage that allows for both server auth and email protection, and must not use anyExtendedKeyUsage",
+ Citation: "Mozilla Root Store Policy / Section 5.3",
+ Source: lint.MozillaRootStorePolicy,
+ EffectiveDate: time.Date(2019, time.January, 1, 0, 0, 0, 0, time.UTC),
+ },
+ Lint: NewAllowedEKU,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_mp_authority_key_identifier_correct.go b/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_mp_authority_key_identifier_correct.go
index 1e2ae7eb6..6bf0f20f4 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_mp_authority_key_identifier_correct.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_mp_authority_key_identifier_correct.go
@@ -39,13 +39,15 @@ CAs MUST NOT issue certificates that have:
 ********************************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_mp_authority_key_identifier_correct",
- Description: "CAs MUST NOT issue certificates that have authority key IDs that include both the key ID and the issuer's issuer name and serial number",
- Citation: "Mozilla Root Store Policy / Section 5.2",
- Source: lint.MozillaRootStorePolicy,
- EffectiveDate: util.MozillaPolicy22Date,
- Lint: NewAuthorityKeyIdentifierCorrect,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_mp_authority_key_identifier_correct",
+ Description: "CAs MUST NOT issue certificates that have authority key IDs that include both the key ID and the issuer's issuer name and serial number",
+ Citation: "Mozilla Root Store Policy / Section 5.2",
+ Source: lint.MozillaRootStorePolicy,
+ EffectiveDate: util.MozillaPolicy22Date,
+ },
+ Lint: NewAuthorityKeyIdentifierCorrect,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_mp_ecdsa_pub_key_encoding_correct.go b/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_mp_ecdsa_pub_key_encoding_correct.go
index 9dc5f2505..e9dab7b8d 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_mp_ecdsa_pub_key_encoding_correct.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_mp_ecdsa_pub_key_encoding_correct.go
@@ -44,13 +44,15 @@ curve OID. Certificates MUST NOT use the implicit or specified curve forms.
 ************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_mp_ecdsa_pub_key_encoding_correct",
- Description: "The encoded algorithm identifiers for ECDSA public keys MUST match specific bytes",
- Citation: "Mozilla Root Store Policy / Section 5.1.2",
- Source: lint.MozillaRootStorePolicy,
- EffectiveDate: util.MozillaPolicy27Date,
- Lint: NewEcdsaPubKeyAidEncoding,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_mp_ecdsa_pub_key_encoding_correct",
+ Description: "The encoded algorithm identifiers for ECDSA public keys MUST match specific bytes",
+ Citation: "Mozilla Root Store Policy / Section 5.1.2",
+ Source: lint.MozillaRootStorePolicy,
+ EffectiveDate: util.MozillaPolicy27Date,
+ },
+ Lint: NewEcdsaPubKeyAidEncoding,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_mp_ecdsa_signature_encoding_correct.go b/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_mp_ecdsa_signature_encoding_correct.go
index 9c97622b7..c3c11f0ab 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_mp_ecdsa_signature_encoding_correct.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_mp_ecdsa_signature_encoding_correct.go
@@ -45,13 +45,15 @@ an explicit NULL.
 ************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_mp_ecdsa_signature_encoding_correct",
- Description: "The encoded algorithm identifiers for ECDSA signatures MUST match specific hex-encoded bytes",
- Citation: "Mozilla Root Store Policy / Section 5.1.2",
- Source: lint.MozillaRootStorePolicy,
- EffectiveDate: util.MozillaPolicy27Date,
- Lint: NewEcdsaSignatureAidEncoding,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_mp_ecdsa_signature_encoding_correct",
+ Description: "The encoded algorithm identifiers for ECDSA signatures MUST match specific hex-encoded bytes",
+ Citation: "Mozilla Root Store Policy / Section 5.1.2",
+ Source: lint.MozillaRootStorePolicy,
+ EffectiveDate: util.MozillaPolicy27Date,
+ },
+ Lint: NewEcdsaSignatureAidEncoding,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_mp_exponent_cannot_be_one.go b/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_mp_exponent_cannot_be_one.go
index 010741499..105a9b8c0 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_mp_exponent_cannot_be_one.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_mp_exponent_cannot_be_one.go
@@ -31,13 +31,15 @@ CAs MUST NOT issue certificates that have:
 ********************************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_mp_exponent_cannot_be_one",
- Description: "CAs MUST NOT issue certificates that have invalid public keys (e.g., RSA certificates with public exponent equal to 1)",
- Citation: "Mozilla Root Store Policy / Section 5.2",
- Source: lint.MozillaRootStorePolicy,
- EffectiveDate: util.MozillaPolicy24Date,
- Lint: NewExponentCannotBeOne,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_mp_exponent_cannot_be_one",
+ Description: "CAs MUST NOT issue certificates that have invalid public keys (e.g., RSA certificates with public exponent equal to 1)",
+ Citation: "Mozilla Root Store Policy / Section 5.2",
+ Source: lint.MozillaRootStorePolicy,
+ EffectiveDate: util.MozillaPolicy24Date,
+ },
+ Lint: NewExponentCannotBeOne,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_mp_modulus_must_be_2048_bits_or_more.go b/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_mp_modulus_must_be_2048_bits_or_more.go
index bd0da2470..632494f9f 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_mp_modulus_must_be_2048_bits_or_more.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_mp_modulus_must_be_2048_bits_or_more.go
@@ -30,13 +30,15 @@ RSA keys whose modulus size in bits is divisible by 8, and is at least 2048.
 ********************************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_mp_modulus_must_be_2048_bits_or_more",
- Description: "RSA keys must have modulus size of at least 2048 bits",
- Citation: "Mozilla Root Store Policy / Section 5.1",
- Source: lint.MozillaRootStorePolicy,
- EffectiveDate: util.MozillaPolicy24Date,
- Lint: NewModulus2048OrMore,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_mp_modulus_must_be_2048_bits_or_more",
+ Description: "RSA keys must have modulus size of at least 2048 bits",
+ Citation: "Mozilla Root Store Policy / Section 5.1",
+ Source: lint.MozillaRootStorePolicy,
+ EffectiveDate: util.MozillaPolicy24Date,
+ },
+ Lint: NewModulus2048OrMore,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_mp_modulus_must_be_divisible_by_8.go b/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_mp_modulus_must_be_divisible_by_8.go
index aed4a8d50..ba3111565 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_mp_modulus_must_be_divisible_by_8.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_mp_modulus_must_be_divisible_by_8.go
@@ -30,13 +30,15 @@ RSA keys whose modulus size in bits is divisible by 8, and is at least 2048.
 ********************************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_mp_modulus_must_be_divisible_by_8",
- Description: "RSA keys must have a modulus size divisible by 8",
- Citation: "Mozilla Root Store Policy / Section 5.1",
- Source: lint.MozillaRootStorePolicy,
- EffectiveDate: util.MozillaPolicy24Date,
- Lint: NewModulusDivisibleBy8,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_mp_modulus_must_be_divisible_by_8",
+ Description: "RSA keys must have a modulus size divisible by 8",
+ Citation: "Mozilla Root Store Policy / Section 5.1",
+ Source: lint.MozillaRootStorePolicy,
+ EffectiveDate: util.MozillaPolicy24Date,
+ },
+ Lint: NewModulusDivisibleBy8,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_mp_pss_parameters_encoding_correct.go b/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_mp_pss_parameters_encoding_correct.go
index 03ba32b00..e9e784169 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_mp_pss_parameters_encoding_correct.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_mp_pss_parameters_encoding_correct.go
@@ -58,13 +58,15 @@ The encoded AlgorithmIdentifier MUST match the following hex-encoded bytes:
 ************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_mp_rsassa-pss_parameters_encoding_in_signature_algorithm_correct",
- Description: "The encoded AlgorithmIdentifier for RSASSA-PSS in the signature algorithm MUST match specific bytes",
- Citation: "Mozilla Root Store Policy / Section 5.1.1",
- Source: lint.MozillaRootStorePolicy,
- EffectiveDate: util.MozillaPolicy27Date,
- Lint: NewRsaPssAidEncoding,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_mp_rsassa-pss_parameters_encoding_in_signature_algorithm_correct",
+ Description: "The encoded AlgorithmIdentifier for RSASSA-PSS in the signature algorithm MUST match specific bytes",
+ Citation: "Mozilla Root Store Policy / Section 5.1.1",
+ Source: lint.MozillaRootStorePolicy,
+ EffectiveDate: util.MozillaPolicy27Date,
+ },
+ Lint: NewRsaPssAidEncoding,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_mp_rsassa-pss_in_spki.go b/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_mp_rsassa-pss_in_spki.go
index 9a4e842c6..6d580c243 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_mp_rsassa-pss_in_spki.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_mp_rsassa-pss_in_spki.go
@@ -33,13 +33,15 @@ CAs MUST NOT use the id-RSASSA-PSS OID (1.2.840.113549.1.1.10) within a SubjectP
 ************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_mp_rsassa-pss_in_spki",
- Description: "CAs MUST NOT use the id-RSASSA-PSS OID (1.2.840.113549.1.1.10) within a SubjectPublicKeyInfo to represent a RSA key.",
- Citation: "Mozilla Root Store Policy / Section 5.1.1",
- Source: lint.MozillaRootStorePolicy,
- EffectiveDate: util.MozillaPolicy27Date,
- Lint: NewRsaPssInSPKI,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_mp_rsassa-pss_in_spki",
+ Description: "CAs MUST NOT use the id-RSASSA-PSS OID (1.2.840.113549.1.1.10) within a SubjectPublicKeyInfo to represent a RSA key.",
+ Citation: "Mozilla Root Store Policy / Section 5.1.1",
+ Source: lint.MozillaRootStorePolicy,
+ EffectiveDate: util.MozillaPolicy27Date,
+ },
+ Lint: NewRsaPssInSPKI,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_basic_constraints_not_critical.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_basic_constraints_not_critical.go
index 4d6b8dabf..276f20e61 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_basic_constraints_not_critical.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_basic_constraints_not_critical.go
@@ -35,13 +35,15 @@ management public keys used with certificate.
 ************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_basic_constraints_not_critical",
- Description: "basicConstraints MUST appear as a critical extension",
- Citation: "RFC 5280: 4.2.1.9",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC2459Date,
- Lint: NewBasicConstCrit,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_basic_constraints_not_critical",
+ Description: "basicConstraints MUST appear as a critical extension",
+ Citation: "RFC 5280: 4.2.1.9",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC2459Date,
+ },
+ Lint: NewBasicConstCrit,
 })
 }
@@ -58,9 +60,8 @@ func (l *basicConstCrit) Execute(c *x509.Certificate) *lint.LintResult {
 if e.Critical {
 return &lint.LintResult{Status: lint.Pass}
 } else {
- return &lint.LintResult{Status: lint.Error}
+ return &lint.LintResult{Status: lint.Error, Details: "Basic Constraints extension is marked as non-critical"}
 }
- } else {
- return &lint.LintResult{Status: lint.NA}
 }
+ return &lint.LintResult{Status: lint.Error, Details: "Error processing Basic Constraints extension"}
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ca_subject_field_empty.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ca_subject_field_empty.go
index 55ddd8833..d43e75400 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ca_subject_field_empty.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ca_subject_field_empty.go
@@ -35,13 +35,15 @@ The subject field identifies the entity associated with the public
 ************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_ca_subject_field_empty",
- Description: "CA Certificates subject field MUST not be empty and MUST have a non-empty distinguished name",
- Citation: "RFC 5280: 4.1.2.6",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC2459Date,
- Lint: NewCaSubjectEmpty,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_ca_subject_field_empty",
+ Description: "The subject field of a CA certificate MUST have a non-empty distinguished name",
+ Citation: "RFC 5280: 4.1.2.6",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC2459Date,
+ },
+ Lint: NewCaSubjectEmpty,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_cert_contains_unique_identifier.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_cert_contains_unique_identifier.go
index 0184d4496..840ce8bba 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_cert_contains_unique_identifier.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_cert_contains_unique_identifier.go
@@ -36,13 +36,15 @@ type CertContainsUniqueIdentifier struct{}
 ************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_cert_contains_unique_identifier",
- Description: "CAs MUST NOT generate certificate with unique identifiers",
- Source: lint.RFC5280,
- Citation: "RFC 5280: 4.1.2.8",
- EffectiveDate: util.RFC5280Date,
- Lint: NewCertContainsUniqueIdentifier,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_cert_contains_unique_identifier",
+ Description: "CAs MUST NOT generate certificate with unique identifiers",
+ Source: lint.RFC5280,
+ Citation: "RFC 5280: 4.1.2.8",
+ EffectiveDate: util.RFC5280Date,
+ },
+ Lint: NewCertContainsUniqueIdentifier,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_cert_extensions_version_not_3.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_cert_extensions_version_not_3.go
index 48ada489a..5e2491f14 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_cert_extensions_version_not_3.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_cert_extensions_version_not_3.go
@@ -42,13 +42,15 @@ type CertExtensionsVersonNot3 struct{}
 ************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_cert_extensions_version_not_3",
- Description: "The extensions field MUST only appear in version 3 certificates",
- Citation: "RFC 5280: 4.1.2.9",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC2459Date,
- Lint: NewCertExtensionsVersonNot3,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_cert_extensions_version_not_3",
+ Description: "The extensions field MUST only appear in version 3 certificates",
+ Citation: "RFC 5280: 4.1.2.9",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC2459Date,
+ },
+ Lint: NewCertExtensionsVersonNot3,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_cert_unique_identifier_version_not_2_or_3.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_cert_unique_identifier_version_not_2_or_3.go
index 01bbef59b..d03b4c8a1 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_cert_unique_identifier_version_not_2_or_3.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_cert_unique_identifier_version_not_2_or_3.go
@@ -37,13 +37,15 @@ RFC 5280: 4.1.2.8
 ****************************************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_cert_unique_identifier_version_not_2_or_3",
- Description: "Unique identifiers MUST only appear if the X.509 version is 2 or 3",
- Citation: "RFC 5280: 4.1.2.8",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC5280Date,
- Lint: NewCertUniqueIdVersion,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_cert_unique_identifier_version_not_2_or_3",
+ Description: "Unique identifiers MUST only appear if the X.509 version is 2 or 3",
+ Citation: "RFC 5280: 4.1.2.8",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC5280Date,
+ },
+ Lint: NewCertUniqueIdVersion,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_crl_valid_reason_codes.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_crl_valid_reason_codes.go
new file mode 100644
index 000000000..602ec1823
--- /dev/null
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_crl_valid_reason_codes.go
@@ -0,0 +1,73 @@
+package rfc
+
+/*
+ * ZLint Copyright 2023 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+import (
+ "fmt"
+
+ "github.com/zmap/zcrypto/x509"
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/util"
+)
+
+type crlHasValidReasonCode struct{}
+
+/*
+***********************************************
+RFC 5280: 5.3.1
+
+ CRL issuers are strongly
+ encouraged to include meaningful reason codes in CRL entries;
+ however, the reason code CRL entry extension SHOULD be absent instead
+ of using the unspecified (0) reasonCode value. 
+
+***********************************************
+*/
+func init() {
+ lint.RegisterRevocationListLint(&lint.RevocationListLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_crl_has_valid_reason_code",
+ Description: "If a CRL entry has a reason code, it MUST be in RFC5280 section 5.3.1 and SHOULD be absent instead of using unspecified (0)",
+ Citation: "RFC 5280: 5.3.1",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC5280Date,
+ },
+ Lint: NewCrlHasValidReasonCode,
+ })
+}
+
+func NewCrlHasValidReasonCode() lint.RevocationListLintInterface {
+ return &crlHasValidReasonCode{}
+}
+
+func (l *crlHasValidReasonCode) CheckApplies(c *x509.RevocationList) bool {
+ return len(c.RevokedCertificates) > 0
+}
+
+func (l *crlHasValidReasonCode) Execute(c *x509.RevocationList) *lint.LintResult {
+ for _, c := range c.RevokedCertificates {
+ if c.ReasonCode == nil {
+ continue
+ }
+ code := *c.ReasonCode
+ if code == 0 {
+ return &lint.LintResult{Status: lint.Warn, Details: "The reason code CRL entry extension SHOULD be absent instead of using the unspecified (0) reasonCode value."}
+ }
+ if code == 7 || code > 10 {
+ return &lint.LintResult{Status: lint.Error, Details: fmt.Sprintf("Reason code, %v, not included in RFC 5280 section 5.3.1", code)}
+ }
+ }
+ return &lint.LintResult{Status: lint.Pass}
+}
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_distribution_point_incomplete.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_distribution_point_incomplete.go
index 5a7324919..e14577c79 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_distribution_point_incomplete.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_distribution_point_incomplete.go
@@ -49,13 +49,15 @@ the distributionPoint field.
 ********************************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_distribution_point_incomplete",
- Description: "A DistributionPoint from the CRLDistributionPoints extension MUST NOT consist of only the reasons field; either distributionPoint or CRLIssuer must be present",
- Citation: "RFC 5280: 4.2.1.13",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC3280Date,
- Lint: NewDpIncomplete,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_distribution_point_incomplete",
+ Description: "A DistributionPoint from the CRLDistributionPoints extension MUST NOT consist of only the reasons field; either distributionPoint or CRLIssuer must be present",
+ Citation: "RFC 5280: 4.2.1.13",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC3280Date,
+ },
+ Lint: NewDpIncomplete,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_distribution_point_missing_ldap_or_uri.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_distribution_point_missing_ldap_or_uri.go
index f381a1fe9..7629b249b 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_distribution_point_missing_ldap_or_uri.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_distribution_point_missing_ldap_or_uri.go
@@ -30,13 +30,15 @@ When present, DistributionPointName SHOULD include at least one LDAP or HTTP URI
 ************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "w_distribution_point_missing_ldap_or_uri",
- Description: "When present in the CRLDistributionPoints extension, DistributionPointName SHOULD include at least one LDAP or HTTP URI",
- Citation: "RFC 5280: 4.2.1.13",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC5280Date,
- Lint: NewDistribNoLDAPorURI,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "w_distribution_point_missing_ldap_or_uri",
+ Description: "When present in the CRLDistributionPoints extension, DistributionPointName SHOULD include at least one LDAP or HTTP URI",
+ Citation: "RFC 5280: 4.2.1.13",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC5280Date,
+ },
+ Lint: NewDistribNoLDAPorURI,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_dnsname_contains_empty_label.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_dnsname_contains_empty_label.go
index 4e094e45f..a26991cc4 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_dnsname_contains_empty_label.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_dnsname_contains_empty_label.go
@@ -25,13 +25,15 @@ import (
 type DNSNameEmptyLabel struct{}
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_rfc_dnsname_empty_label",
- Description: "DNSNames should not have an empty label.",
- Citation: "RFC5280: 4.2.1.6",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC5280Date,
- Lint: NewDNSNameEmptyLabel,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_rfc_dnsname_empty_label",
+ Description: "DNSNames should not have an empty label.",
+ Citation: "RFC5280: 4.2.1.6",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC5280Date,
+ },
+ Lint: NewDNSNameEmptyLabel,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_dnsname_hyphen_in_sld.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_dnsname_hyphen_in_sld.go
index 11e8db068..26b47ecd4 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_dnsname_hyphen_in_sld.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_dnsname_hyphen_in_sld.go
@@ -25,13 +25,15 @@ import (
 type DNSNameHyphenInSLD struct{}
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_rfc_dnsname_hyphen_in_sld",
- Description: "DNSName should not have a hyphen beginning or ending the SLD",
- Citation: "RFC5280: 4.2.1.6",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC5280Date,
- Lint: NewDNSNameHyphenInSLD,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_rfc_dnsname_hyphen_in_sld",
+ Description: "DNSName should not have a hyphen beginning or ending the SLD",
+ Citation: "RFC5280: 4.2.1.6",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC5280Date,
+ },
+ Lint: NewDNSNameHyphenInSLD,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_dnsname_label_too_long.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_dnsname_label_too_long.go
index 23d33441b..d1f97f933 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_dnsname_label_too_long.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_dnsname_label_too_long.go
@@ -25,13 +25,15 @@ import (
 type DNSNameLabelLengthTooLong struct{}
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_rfc_dnsname_label_too_long",
- Description: "DNSName labels MUST be less than or equal to 63 characters",
- Citation: "RFC 5280: 4.2.1.6, citing RFC 1035",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC5280Date,
- Lint: NewDNSNameLabelLengthTooLong,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_rfc_dnsname_label_too_long",
+ Description: "DNSName labels MUST be less than or equal to 63 characters",
+ Citation: "RFC 5280: 4.2.1.6, citing RFC 1035",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC5280Date,
+ },
+ Lint: NewDNSNameLabelLengthTooLong,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_dnsname_underscore_in_sld.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_dnsname_underscore_in_sld.go
index 1c2686167..b213b416f 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_dnsname_underscore_in_sld.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_dnsname_underscore_in_sld.go
@@ -25,13 +25,15 @@ import (
 type DNSNameUnderscoreInSLD struct{}
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_rfc_dnsname_underscore_in_sld",
- Description: "DNSName MUST NOT contain underscore characters",
- Citation: "RFC5280: 4.2.1.6",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC5280Date,
- Lint: NewDNSNameUnderscoreInSLD,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_rfc_dnsname_underscore_in_sld",
+ Description: "DNSName MUST NOT contain underscore characters",
+ Citation: "RFC5280: 4.2.1.6",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC5280Date,
+ },
+ Lint: NewDNSNameUnderscoreInSLD,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_dnsname_underscore_in_trd.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_dnsname_underscore_in_trd.go
index c5e404206..a7849fff4 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_dnsname_underscore_in_trd.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_dnsname_underscore_in_trd.go
@@ -25,13 +25,15 @@ import (
 type DNSNameUnderscoreInTRD struct{}
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "w_rfc_dnsname_underscore_in_trd",
- Description: "DNSName MUST NOT contain underscore characters",
- Citation: "RFC5280: 4.1.2.6",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC5280Date,
- Lint: NewDNSNameUnderscoreInTRD,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "w_rfc_dnsname_underscore_in_trd",
+ Description: "DNSName MUST NOT contain underscore characters",
+ Citation: "RFC5280: 4.1.2.6",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC5280Date,
+ },
+ Lint: NewDNSNameUnderscoreInTRD,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ecdsa_allowed_ku.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ecdsa_allowed_ku.go
index 46e5f5c9d..61653c929 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ecdsa_allowed_ku.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ecdsa_allowed_ku.go
@@ -40,13 +40,15 @@ If the keyUsage extension is present in a certificate that indicates
 ***********************************************
 */
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_ecdsa_allowed_ku",
- Description: "Key usage values keyEncipherment or dataEncipherment MUST NOT be present in certificates with ECDSA public keys",
- Citation: "RFC 8813 Section 3",
- Source: lint.RFC8813,
- EffectiveDate: util.RFC8813Date,
- Lint: NewEcdsaAllowedKU,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_ecdsa_allowed_ku",
+ Description: "Key usage values keyEncipherment or dataEncipherment MUST NOT be present in certificates with ECDSA public keys",
+ Citation: "RFC 8813 Section 3",
+ Source: lint.RFC8813,
+ EffectiveDate: util.RFC8813Date,
+ },
+ Lint: NewEcdsaAllowedKU,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ecdsa_ee_invalid_ku.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ecdsa_ee_invalid_ku.go
index 05811eb28..c7b263ac0 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ecdsa_ee_invalid_ku.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ecdsa_ee_invalid_ku.go
@@ -27,13 +27,15 @@ import (
 type ecdsaInvalidKU struct{}
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "n_ecdsa_ee_invalid_ku",
- Description: "ECDSA end-entity certificates MAY have key usages: digitalSignature, nonRepudiation and keyAgreement",
- Citation: "RFC 5480 Section 3",
- Source: lint.RFC5480,
- EffectiveDate: util.CABEffectiveDate,
- Lint: NewEcdsaInvalidKU,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "n_ecdsa_ee_invalid_ku",
+ Description: "ECDSA end-entity certificates MAY have key usages: digitalSignature, nonRepudiation and keyAgreement",
+ Citation: "RFC 5480 Section 3",
+ Source: lint.RFC5480,
+ EffectiveDate: util.CABEffectiveDate,
+ },
+ Lint: NewEcdsaInvalidKU,
 })
 }
@@ -46,7 +48,7 @@ func NewEcdsaInvalidKU() lint.LintInterface {
 // CheckApplies returns true when the certificate is a subscriber cert using an
 // ECDSA public key algorithm.
 func (l *ecdsaInvalidKU) CheckApplies(c *x509.Certificate) bool {
- return util.IsSubscriberCert(c) && c.PublicKeyAlgorithm == x509.ECDSA
+ return util.IsSubscriberCert(c) && c.PublicKeyAlgorithm == x509.ECDSA && util.HasKeyUsageOID(c)
 }
 // Execute returns a Notice level lint.LintResult if the ECDSA end entity certificate
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_eku_critical_improperly.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_eku_critical_improperly.go
index 4d4536092..4969fd2d9 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_eku_critical_improperly.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_eku_critical_improperly.go
@@ -36,13 +36,15 @@ If a CA includes extended key usages to satisfy such applications,
 ************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "w_eku_critical_improperly",
- Description: "Conforming CAs SHOULD NOT mark extended key usage extension as critical if the anyExtendedKeyUsage KeyPurposedID is present",
- Citation: "RFC 5280: 4.2.1.12",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC3280Date,
- Lint: NewEkuBadCritical,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "w_eku_critical_improperly",
+ Description: "Conforming CAs SHOULD NOT mark extended key usage extension as critical if the anyExtendedKeyUsage KeyPurposedID is present",
+ Citation: "RFC 5280: 4.2.1.12",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC3280Date,
+ },
+ Lint: NewEkuBadCritical,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_aia_access_location_missing.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_aia_access_location_missing.go
index fd39686cd..6a1f321b6 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_aia_access_location_missing.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_aia_access_location_missing.go
@@ -36,13 +36,15 @@ An authorityInfoAccess extension may include multiple instances of
 ************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "w_ext_aia_access_location_missing",
- Description: "When the id-ad-caIssuers accessMethod is used, at least one instance SHOULD specify an accessLocation that is an HTTP or LDAP URI",
- Citation: "RFC 5280: 4.2.2.1",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC5280Date,
- Lint: NewAiaNoHTTPorLDAP,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "w_ext_aia_access_location_missing",
+ Description: "When the id-ad-caIssuers accessMethod is used, at least one instance SHOULD specify an accessLocation that is an HTTP or LDAP URI",
+ Citation: "RFC 5280: 4.2.2.1",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC5280Date,
+ },
+ Lint: NewAiaNoHTTPorLDAP,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_aia_marked_critical.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_aia_marked_critical.go
index df491a346..c8d221f93 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_aia_marked_critical.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_aia_marked_critical.go
@@ -29,13 +29,15 @@ Authority Information Access
 //See also: BRs: 7.1.2.3 & CAB: 7.1.2.2
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_ext_aia_marked_critical",
- Description: "Conforming CAs must mark the Authority Information Access extension as non-critical",
- Citation: "RFC 5280: 4.2.2.1",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC2459Date,
- Lint: NewExtAiaMarkedCritical,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_ext_aia_marked_critical",
+ Description: "Conforming CAs must mark the Authority Information Access extension as non-critical",
+ Citation: "RFC 5280: 4.2.2.1",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC2459Date,
+ },
+ Lint: NewExtAiaMarkedCritical,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_authority_key_identifier_critical.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_authority_key_identifier_critical.go
index a15092077..04703e518 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_authority_key_identifier_critical.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_authority_key_identifier_critical.go
@@ -28,13 +28,15 @@ Conforming CAs MUST mark this extension as non-critical.
 **********************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_ext_authority_key_identifier_critical",
- Description: "The authority key identifier extension must be non-critical",
- Citation: "RFC 5280: 4.2.1.1",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC2459Date,
- Lint: NewAuthorityKeyIdCritical,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_ext_authority_key_identifier_critical",
+ Description: "The authority key identifier extension must be non-critical",
+ Citation: "RFC 5280: 4.2.1.1",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC2459Date,
+ },
+ Lint: NewAuthorityKeyIdCritical,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_authority_key_identifier_missing.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_authority_key_identifier_missing.go
deleted file mode 100644
index 663c23b15..000000000
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_authority_key_identifier_missing.go
+++ /dev/null
@@ -1,65 +0,0 @@
-package rfc
-
-/*
- * ZLint Copyright 2023 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * permissions and limitations under the License.
- */
-
-import (
- "github.com/zmap/zcrypto/x509"
- "github.com/zmap/zlint/v3/lint"
- "github.com/zmap/zlint/v3/util"
-)
-
-type authorityKeyIdMissing struct{}
-
-/***********************************************************************
-RFC 5280: 4.2.1.1
-The keyIdentifier field of the authorityKeyIdentifier extension MUST
- be included in all certificates generated by conforming CAs to
- facilitate certification path construction. There is one exception;
- where a CA distributes its public key in the form of a "self-signed"
- certificate, the authority key identifier MAY be omitted. The
- signature on a self-signed certificate is generated with the private
- key associated with the certificate's subject public key. (This
- proves that the issuer possesses both the public and private keys.)
- In this case, the subject and authority key identifiers would be
- identical, but only the subject key identifier is needed for
- certification path building. 
-***********************************************************************/
-
-func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_ext_authority_key_identifier_missing",
- Description: "CAs must support key identifiers and include them in all certificates",
- Citation: "RFC 5280: 4.2 & 4.2.1.1",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC2459Date,
- Lint: NewAuthorityKeyIdMissing,
- })
-}
-
-func NewAuthorityKeyIdMissing() lint.LintInterface {
- return &authorityKeyIdMissing{}
-}
-
-func (l *authorityKeyIdMissing) CheckApplies(c *x509.Certificate) bool {
- return !util.IsRootCA(c)
-}
-
-func (l *authorityKeyIdMissing) Execute(c *x509.Certificate) *lint.LintResult {
- if !util.IsExtInCert(c, util.AuthkeyOID) && !util.IsSelfSigned(c) {
- return &lint.LintResult{Status: lint.Error}
- } else {
- return &lint.LintResult{Status: lint.Pass}
- }
-}
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_authority_key_identifier_no_key_identifier.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_authority_key_identifier_no_key_identifier.go
index 115287660..da91e5667 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_authority_key_identifier_no_key_identifier.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_authority_key_identifier_no_key_identifier.go
@@ -38,13 +38,15 @@ The keyIdentifier field of the authorityKeyIdentifier extension MUST
 ***********************************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_ext_authority_key_identifier_no_key_identifier",
- Description: "CAs must include keyIdentifer field of AKI in all non-self-issued certificates",
- Citation: "RFC 5280: 4.2.1.1",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC2459Date,
- Lint: NewAuthorityKeyIdNoKeyIdField,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_ext_authority_key_identifier_no_key_identifier",
+ Description: "CAs must include keyIdentifer field of AKI in all non-self-issued certificates",
+ Citation: "RFC 5280: 4.2.1.1",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC2459Date,
+ },
+ Lint: NewAuthorityKeyIdNoKeyIdField,
 })
 }
@@ -57,9 +59,9 @@ func (l *authorityKeyIdNoKeyIdField) CheckApplies(c *x509.Certificate) bool {
 }
 func (l *authorityKeyIdNoKeyIdField) Execute(c *x509.Certificate) *lint.LintResult {
- if c.AuthorityKeyId == nil && !util.IsSelfSigned(c) { //will be nil by default if not found in x509.parseCert
- return &lint.LintResult{Status: lint.Error}
- } else {
+ if c.AuthorityKeyId != nil || util.IsCACert(c) && util.IsSelfSigned(c) {
 return &lint.LintResult{Status: lint.Pass}
+ } else {
+ return &lint.LintResult{Status: lint.Error}
 }
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_cert_policy_contains_noticeref.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_cert_policy_contains_noticeref.go
index 79e4b468b..0f954f130 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_cert_policy_contains_noticeref.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_cert_policy_contains_noticeref.go
@@ -29,13 +29,15 @@ option.
 ********************************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "w_ext_cert_policy_contains_noticeref",
- Description: "Compliant certificates SHOULD NOT use the noticeRef option",
- Citation: "RFC 5280: 4.2.1.4",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC5280Date,
- Lint: NewNoticeRefPres,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "w_ext_cert_policy_contains_noticeref",
+ Description: "Compliant certificates SHOULD NOT use the noticeRef option",
+ Citation: "RFC 5280: 4.2.1.4",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC5280Date,
+ },
+ Lint: NewNoticeRefPres,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_cert_policy_disallowed_any_policy_qualifier.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_cert_policy_disallowed_any_policy_qualifier.go
index d67cd3ebd..4ab2ece9a 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_cert_policy_disallowed_any_policy_qualifier.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_cert_policy_disallowed_any_policy_qualifier.go
@@ -15,6 +15,9 @@ package rfc
 */
 import (
+ "errors"
+
+ "github.com/zmap/zcrypto/encoding/asn1"
 "github.com/zmap/zcrypto/x509"
 "github.com/zmap/zlint/v3/lint"
 "github.com/zmap/zlint/v3/util"
@@ -22,6 +25,11 @@ import (
 type unrecommendedQualifier struct{}
+type policyInformation struct {
+ policyIdentifier asn1.ObjectIdentifier
+ policyQualifiersBytes asn1.RawValue
+}
+
 /*******************************************************************
 RFC 5280: 4.2.1.4
 To promote interoperability, this profile RECOMMENDS that policy 
@@ -34,13 +42,15 @@ qualifiers returned as a result of path validation are considered.
 ********************************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_ext_cert_policy_disallowed_any_policy_qualifier",
- Description: "When qualifiers are used with the special policy anyPolicy, they must be limited to qualifiers identified in this section: (4.2.1.4)",
- Citation: "RFC 5280: 4.2.1.4",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC3280Date,
- Lint: NewUnrecommendedQualifier,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_ext_cert_policy_disallowed_any_policy_qualifier",
+ Description: "When qualifiers are used with the special policy anyPolicy, they must be limited to qualifiers identified in this section: (4.2.1.4)",
+ Citation: "RFC 5280: 4.2.1.4",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC3280Date,
+ },
+ Lint: NewUnrecommendedQualifier,
 })
 }
@@ -49,16 +59,113 @@ func NewUnrecommendedQualifier() lint.LintInterface {
 }
 func (l *unrecommendedQualifier) CheckApplies(c *x509.Certificate) bool {
- return util.IsExtInCert(c, util.CertPolicyOID)
+
+ // TODO? extract to util method: HasAnyPolicyOID(c)
+ if !util.IsExtInCert(c, util.CertPolicyOID) {
+ return false
+ }
+
+ for _, policyIds := range c.PolicyIdentifiers {
+ if policyIds.Equal(util.AnyPolicyOID) {
+ return true
+ }
+ }
+ return false
 }
 func (l *unrecommendedQualifier) Execute(c *x509.Certificate) *lint.LintResult {
- for _, firstLvl := range c.QualifierId {
- for _, qualifierId := range firstLvl {
- if !qualifierId.Equal(util.CpsOID) && !qualifierId.Equal(util.UserNoticeOID) {
+
+ var err, certificatePolicies = getCertificatePolicies(c)
+
+ if err != nil {
+ return &lint.LintResult{Status: lint.Fatal, Details: err.Error()}
+ }
+
+ for _, policyInformation := range certificatePolicies {
+
+ if !policyInformation.policyIdentifier.Equal(util.AnyPolicyOID) { // if the policyIdentifier is not anyPolicy do not examine further
+ continue
+ }
+
+ if len(policyInformation.policyQualifiersBytes.Bytes) == 0 { // this policy information does not have any policyQualifiers
+ continue
+ }
+
+ var policyQualifiersSeq, policyQualifierInfoSeq asn1.RawValue
+
+ empty, err := asn1.Unmarshal(policyInformation.policyQualifiersBytes.Bytes, &policyQualifiersSeq)
+
+ if err != nil || len(empty) != 0 || policyQualifiersSeq.Class != 0 || policyQualifiersSeq.Tag != 16 || !policyQualifiersSeq.IsCompound {
+ return &lint.LintResult{Status: lint.Fatal, Details: "policyExtensions: Could not unmarshal policyQualifiers sequence."}
+ }
+
+ //iterate over policyQualifiers ... 
SEQUENCE SIZE (1..MAX) OF PolicyQualifierInfo OPTIONAL
+ for policyQualifierInfoSeqProcessed := false; !policyQualifierInfoSeqProcessed; {
+ // these bytes belong to the next PolicyQualifierInfo
+ policyQualifiersSeq.Bytes, err = asn1.Unmarshal(policyQualifiersSeq.Bytes, &policyQualifierInfoSeq)
+ if err != nil || policyQualifierInfoSeq.Class != 0 || policyQualifierInfoSeq.Tag != 16 || !policyQualifierInfoSeq.IsCompound {
+ return &lint.LintResult{Status: lint.Fatal, Details: "policyExtensions: Could not unmarshal policy qualifiers"}
+ }
+ if len(policyQualifiersSeq.Bytes) == 0 { // no further PolicyQualifierInfo exists
+ policyQualifierInfoSeqProcessed = true
+ }
+
+ var policyQualifierId asn1.ObjectIdentifier
+ _, err = asn1.Unmarshal(policyQualifierInfoSeq.Bytes, &policyQualifierId)
+ if err != nil {
+ return &lint.LintResult{Status: lint.Fatal, Details: "policyExtensions: Could not unmarshal policyQualifierId."}
+ }
+
+ if !policyQualifierId.Equal(util.CpsOID) && !policyQualifierId.Equal(util.UserNoticeOID) {
 return &lint.LintResult{Status: lint.Error}
 }
 }
 }
+
 return &lint.LintResult{Status: lint.Pass}
 }
+
+func getCertificatePolicies(c *x509.Certificate) (error, []policyInformation) {
+
+ extVal := util.GetExtFromCert(c, util.CertPolicyOID).Value
+
+ // adjusted code taken from v3/util/oid.go GetMappedPolicies, see comments there
+ var certificatePoliciesSeq, policyInformationSeq asn1.RawValue
+
+ empty, err := asn1.Unmarshal(extVal, &certificatePoliciesSeq)
+
+ if err != nil || len(empty) != 0 || certificatePoliciesSeq.Class != 0 || certificatePoliciesSeq.Tag != 16 || !certificatePoliciesSeq.IsCompound {
+ return errors.New("policyExtensions: Could not unmarshal certificatePolicies sequence."), nil
+ }
+
+ var certificatePolicies []policyInformation
+
+ // iterate over certificatePolicies ::= SEQUENCE SIZE (1..MAX) OF PolicyInformation
+ for policyInformationSeqProcessed := false; !policyInformationSeqProcessed; {
+
+ // these bytes belong to the next 
PolicyInformation
+ certificatePoliciesSeq.Bytes, err = asn1.Unmarshal(certificatePoliciesSeq.Bytes, &policyInformationSeq)
+ if err != nil || policyInformationSeq.Class != 0 || policyInformationSeq.Tag != 16 || !policyInformationSeq.IsCompound {
+ return errors.New("policyExtensions: Could not unmarshal policyInformation sequence."), nil
+ }
+
+ if len(certificatePoliciesSeq.Bytes) == 0 { // no further PolicyInformation exists
+ policyInformationSeqProcessed = true
+ }
+
+ //PolicyInformation ::= SEQUENCE {
+ // policyIdentifier CertPolicyId,
+ // policyQualifiers SEQUENCE SIZE (1..MAX) OF PolicyQualifierInfo OPTIONAL }
+
+ var certPolicyId asn1.ObjectIdentifier
+ var policyQualifiers asn1.RawValue
+ policyQualifiers.Bytes, err = asn1.Unmarshal(policyInformationSeq.Bytes, &certPolicyId)
+ if err != nil {
+ return errors.New("policyExtensions: Could not unmarshal certPolicyId."), nil
+ }
+
+ information := policyInformation{certPolicyId, policyQualifiers}
+ certificatePolicies = append(certificatePolicies, information)
+ }
+ return nil, certificatePolicies
+}
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_cert_policy_duplicate.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_cert_policy_duplicate.go
index e1da6d26a..9c2e0a5ab 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_cert_policy_duplicate.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_cert_policy_duplicate.go
@@ -31,13 +31,15 @@ type ExtCertPolicyDuplicate struct{}
************************************************/
func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_ext_cert_policy_duplicate",
- Description: "A certificate policy OID must not appear more than once in the extension",
- Citation: "RFC 5280: 4.2.1.4",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC5280Date,
- Lint: NewExtCertPolicyDuplicate,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_ext_cert_policy_duplicate",
+ Description: "A certificate policy OID must not appear more than once in the extension",
+ Citation: "RFC 5280: 4.2.1.4",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC5280Date,
+ },
+ Lint: NewExtCertPolicyDuplicate,
})
}
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_cert_policy_explicit_text_ia5_string.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_cert_policy_explicit_text_ia5_string.go
index 08e28247d..4919a7098 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_cert_policy_explicit_text_ia5_string.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_cert_policy_explicit_text_ia5_string.go
@@ -37,13 +37,15 @@ to Unicode normalization form C (NFC) [NFC].
********************************************************************/
func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_ext_cert_policy_explicit_text_ia5_string",
- Description: "Compliant certificates must not encode explicitTest as an IA5String",
- Citation: "RFC 6818: 3",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC6818Date,
- Lint: NewExplicitTextIA5String,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_ext_cert_policy_explicit_text_ia5_string",
+ Description: "Compliant certificates must not encode explicitTest as an IA5String",
+ Citation: "RFC 6818: 3",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC6818Date,
+ },
+ Lint: NewExplicitTextIA5String,
})
}
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_cert_policy_explicit_text_includes_control.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_cert_policy_explicit_text_includes_control.go
index 89316938c..60d260d5f 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_cert_policy_explicit_text_includes_control.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_cert_policy_explicit_text_includes_control.go
@@ -35,13 +35,15 @@ normalized according to Unicode normalization form C (NFC) [NFC].
*********************************************************************/
func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "w_ext_cert_policy_explicit_text_includes_control",
- Description: "Explicit text should not include any control characters",
- Citation: "RFC 6818: 3",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC6818Date,
- Lint: NewControlChar,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "w_ext_cert_policy_explicit_text_includes_control",
+ Description: "Explicit text should not include any control characters",
+ Citation: "RFC 6818: 3",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC6818Date,
+ },
+ Lint: NewControlChar,
})
}
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_cert_policy_explicit_text_not_nfc.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_cert_policy_explicit_text_not_nfc.go
index 9b22a8fc7..976cde025 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_cert_policy_explicit_text_not_nfc.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_cert_policy_explicit_text_not_nfc.go
@@ -29,13 +29,15 @@ type ExtCertPolicyExplicitTextNotNFC struct{}
************************************************/
func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "w_ext_cert_policy_explicit_text_not_nfc",
- Description: "When utf8string or bmpstring encoding is used for explicitText field in certificate policy, it SHOULD be normalized by NFC format",
- Citation: "RFC6181 3",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC6818Date,
- Lint: NewExtCertPolicyExplicitTextNotNFC,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "w_ext_cert_policy_explicit_text_not_nfc",
+ Description: "When utf8string or bmpstring encoding is used for explicitText field in certificate policy, it SHOULD be normalized by NFC format",
+ Citation: "RFC6181 3",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC6818Date,
+ },
+ Lint: NewExtCertPolicyExplicitTextNotNFC,
})
}
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_cert_policy_explicit_text_not_utf8.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_cert_policy_explicit_text_not_utf8.go
index e7334c520..26ed42561 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_cert_policy_explicit_text_not_utf8.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_cert_policy_explicit_text_not_utf8.go
@@ -38,13 +38,15 @@ to Unicode normalization form C (NFC) [NFC].
*******************************************************************/
func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "w_ext_cert_policy_explicit_text_not_utf8",
- Description: "Compliant certificates should use the utf8string encoding for explicitText",
- Citation: "RFC 6818: 3",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC6818Date,
- Lint: NewExplicitTextUtf8,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "w_ext_cert_policy_explicit_text_not_utf8",
+ Description: "Compliant certificates should use the utf8string encoding for explicitText",
+ Citation: "RFC 6818: 3",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC6818Date,
+ },
+ Lint: NewExplicitTextUtf8,
})
}
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_cert_policy_explicit_text_too_long.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_cert_policy_explicit_text_too_long.go
index bbea96b3d..a5b12b137 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_cert_policy_explicit_text_too_long.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_cert_policy_explicit_text_too_long.go
@@ -36,13 +36,15 @@ to Unicode normalization form C (NFC) [NFC].
*******************************************************************/
func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_ext_cert_policy_explicit_text_too_long",
- Description: "Explicit text has a maximum size of 200 characters",
- Citation: "RFC 6818: 3",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC6818Date,
- Lint: NewExplicitTextTooLong,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_ext_cert_policy_explicit_text_too_long",
+ Description: "Explicit text has a maximum size of 200 characters",
+ Citation: "RFC 6818: 3",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC6818Date,
+ },
+ Lint: NewExplicitTextTooLong,
})
}
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_crl_distribution_marked_critical.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_crl_distribution_marked_critical.go
index 7b56a22a5..7e827bfd3 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_crl_distribution_marked_critical.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_crl_distribution_marked_critical.go
@@ -27,13 +27,15 @@ The CRL distribution points extension identifies how CRL information is obtained
************************************************/
func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "w_ext_crl_distribution_marked_critical",
- Description: "If included, the CRL Distribution Points extension SHOULD NOT be marked critical",
- Citation: "RFC 5280: 4.2.1.13",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC2459Date,
- Lint: NewExtCrlDistributionMarkedCritical,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "w_ext_crl_distribution_marked_critical",
+ Description: "If included, the CRL Distribution Points extension SHOULD NOT be marked critical",
+ Citation: "RFC 5280: 4.2.1.13",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC2459Date,
+ },
+ Lint: NewExtCrlDistributionMarkedCritical,
})
}
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_duplicate_extension.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_duplicate_extension.go
index 8f036eec8..e76f47fd9 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_duplicate_extension.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_duplicate_extension.go
@@ -30,13 +30,15 @@ type extDuplicateExtension struct{}
************************************************/
func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_ext_duplicate_extension",
- Description: "A certificate MUST NOT include more than one instance of a particular extension",
- Citation: "RFC 5280: 4.2",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC2459Date,
- Lint: NewExtDuplicateExtension,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_ext_duplicate_extension",
+ Description: "A certificate MUST NOT include more than one instance of a particular extension",
+ Citation: "RFC 5280: 4.2",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC2459Date,
+ },
+ Lint: NewExtDuplicateExtension,
})
}
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_freshest_crl_marked_critical.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_freshest_crl_marked_critical.go
index a6d34ae68..d710b9a17 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_freshest_crl_marked_critical.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_freshest_crl_marked_critical.go
@@ -28,13 +28,15 @@ The freshest CRL extension identifies how delta CRL information is obtained. The
************************************************/
func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_ext_freshest_crl_marked_critical",
- Description: "Freshest CRL MUST be marked as non-critical by conforming CAs",
- Citation: "RFC 5280: 4.2.1.15",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC3280Date,
- Lint: NewExtFreshestCrlMarkedCritical,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_ext_freshest_crl_marked_critical",
+ Description: "Freshest CRL MUST be marked as non-critical by conforming CAs",
+ Citation: "RFC 5280: 4.2.1.15",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC3280Date,
+ },
+ Lint: NewExtFreshestCrlMarkedCritical,
})
}
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_critical.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_critical.go
index 6479d5722..5a79abda3 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_critical.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_critical.go
@@ -29,13 +29,15 @@ Issuer Alternative Name
************************************************/
func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "w_ext_ian_critical",
- Description: "Issuer alternate name should be marked as non-critical",
- Citation: "RFC 5280: 4.2.1.7",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC2459Date,
- Lint: NewExtIANCritical,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "w_ext_ian_critical",
+ Description: "Issuer alternate name should be marked as non-critical",
+ Citation: "RFC 5280: 4.2.1.7",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC2459Date,
+ },
+ Lint: NewExtIANCritical,
})
}
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_dns_not_ia5_string.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_dns_not_ia5_string.go
index f1d31d876..ff4ab8170 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_dns_not_ia5_string.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_dns_not_ia5_string.go
@@ -39,13 +39,15 @@ encoding internationalized domain names are specified in Section 7.2.
********************************************************************/
func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_ext_ian_dns_not_ia5_string",
- Description: "DNSNames MUST be IA5 strings",
- Citation: "RFC 5280: 4.2.1.7",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC2459Date,
- Lint: NewIANDNSNotIA5String,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_ext_ian_dns_not_ia5_string",
+ Description: "DNSNames MUST be IA5 strings",
+ Citation: "RFC 5280: 4.2.1.7",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC2459Date,
+ },
+ Lint: NewIANDNSNotIA5String,
})
}
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_empty_name.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_empty_name.go
index 2d812a843..ffcd291e1 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_empty_name.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_empty_name.go
@@ -36,13 +36,15 @@ path is not defined by this profile.
******************************************************************/
func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_ext_ian_empty_name",
- Description: "General name fields must not be empty in IAN",
- Citation: "RFC 5280: 4.2.1.7",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC2459Date,
- Lint: NewIANEmptyName,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_ext_ian_empty_name",
+ Description: "General name fields must not be empty in IAN",
+ Citation: "RFC 5280: 4.2.1.7",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC2459Date,
+ },
+ Lint: NewIANEmptyName,
})
}
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_no_entries.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_no_entries.go
index 63995b387..473d9bf2f 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_no_entries.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_no_entries.go
@@ -35,13 +35,15 @@ If the issuerAltName extension is present, the sequence MUST contain
***********************************************************************/
func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_ext_ian_no_entries",
- Description: "If present, the IAN extension must contain at least one entry",
- Citation: "RFC 5280: 4.2.1.7",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC2459Date,
- Lint: NewIANNoEntry,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_ext_ian_no_entries",
+ Description: "If present, the IAN extension must contain at least one entry",
+ Citation: "RFC 5280: 4.2.1.7",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC2459Date,
+ },
+ Lint: NewIANNoEntry,
})
}
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_rfc822_format_invalid.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_rfc822_format_invalid.go
index 7266a8ac1..1bb41766b 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_rfc822_format_invalid.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_rfc822_format_invalid.go
@@ -37,13 +37,15 @@ RFC 5280: 4.2.1.6
************************************************************************/
func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_ext_ian_rfc822_format_invalid",
- Description: "Email must not be surrounded with `<>`, and there MUST NOT be trailing comments in `()`",
- Citation: "RFC 5280: 4.2.1.7",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC2459Date,
- Lint: NewIANEmail,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_ext_ian_rfc822_format_invalid",
+ Description: "Email must not be surrounded with `<>`, and there MUST NOT be trailing comments in `()`",
+ Citation: "RFC 5280: 4.2.1.7",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC2459Date,
+ },
+ Lint: NewIANEmail,
})
}
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_space_dns_name.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_space_dns_name.go
index 3f7f88a1f..369008d1d 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_space_dns_name.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_space_dns_name.go
@@ -39,13 +39,15 @@ encoding internationalized domain names are specified in Section 7.2.
**********************************************************************/
func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_ext_ian_space_dns_name",
- Description: "dNSName ' ' MUST NOT be used",
- Citation: "RFC 5280: 4.2.1.6",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC2459Date,
- Lint: NewIANSpace,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_ext_ian_space_dns_name",
+ Description: "dNSName ' ' MUST NOT be used",
+ Citation: "RFC 5280: 4.2.1.6",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC2459Date,
+ },
+ Lint: NewIANSpace,
})
}
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_uri_format_invalid.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_uri_format_invalid.go
index c5afd3745..4843bb6b9 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_uri_format_invalid.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_uri_format_invalid.go
@@ -30,13 +30,15 @@ scheme (e.g., "http" or "ftp") and a scheme-specific-part.
************************************************/
func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_ext_ian_uri_format_invalid",
- Description: "URIs in the subjectAltName extension MUST have a scheme and scheme specific part",
- Citation: "RFC5280: 4.2.1.6",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC5280Date,
- Lint: NewIANURIFormat,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_ext_ian_uri_format_invalid",
+ Description: "URIs in the subjectAltName extension MUST have a scheme and scheme specific part",
+ Citation: "RFC5280: 4.2.1.6",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC5280Date,
+ },
+ Lint: NewIANURIFormat,
})
}
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_uri_host_not_fqdn_or_ip.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_uri_host_not_fqdn_or_ip.go
index 2ee7450ca..fd6977aea 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_uri_host_not_fqdn_or_ip.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_uri_host_not_fqdn_or_ip.go
@@ -37,13 +37,15 @@ Section 7.4.
*********************************************************************/
func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_ext_ian_uri_host_not_fqdn_or_ip",
- Description: "URIs that include an authority ([RFC3986], Section 3.2) MUST include a fully qualified domain name or IP address as the host",
- Citation: "RFC 5280: 4.2.1.6",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC5280Date,
- Lint: NewIANURIFQDNOrIP,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_ext_ian_uri_host_not_fqdn_or_ip",
+ Description: "URIs that include an authority ([RFC3986], Section 3.2) MUST include a fully qualified domain name or IP address as the host",
+ Citation: "RFC 5280: 4.2.1.6",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC5280Date,
+ },
+ Lint: NewIANURIFQDNOrIP,
})
}
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_uri_not_ia5.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_uri_not_ia5.go
index 4d4602b8e..b459bf3f9 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_uri_not_ia5.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_uri_not_ia5.go
@@ -30,13 +30,15 @@ stored in the uniformResourceIdentifier (an IA5String).
************************************************/
func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_ext_ian_uri_not_ia5",
- Description: "When issuer alternative name contains a URI, the name MUST be an IA5 string",
- Citation: "RFC5280: 4.2.1.7",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC5280Date,
- Lint: NewIANURIIA5String,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_ext_ian_uri_not_ia5",
+ Description: "When issuer alternative name contains a URI, the name MUST be an IA5 string",
+ Citation: "RFC5280: 4.2.1.7",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC5280Date,
+ },
+ Lint: NewIANURIIA5String,
})
}
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_uri_relative.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_uri_relative.go
index bf5e2d7c7..c4e61b09d 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_uri_relative.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_uri_relative.go
@@ -37,13 +37,15 @@ Section 7.4.
*************************************************************************/
func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_ext_ian_uri_relative",
- Description: "When issuerAltName extension is present and the URI is used, the name MUST NOT be a relative URI",
- Citation: "RFC 5280: 4.2.1.7",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC5280Date,
- Lint: NewUriRelative,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_ext_ian_uri_relative",
+ Description: "When issuerAltName extension is present and the URI is used, the name MUST NOT be a relative URI",
+ Citation: "RFC 5280: 4.2.1.7",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC5280Date,
+ },
+ Lint: NewUriRelative,
})
}
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_key_usage_cert_sign_without_ca.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_key_usage_cert_sign_without_ca.go
index 226da4f46..f8dfcb4b0 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_key_usage_cert_sign_without_ca.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_key_usage_cert_sign_without_ca.go
@@ -34,13 +34,15 @@ The cA boolean indicates whether the certified public key may be used
************************************************************************/
func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_ext_key_usage_cert_sign_without_ca",
- Description: "if the keyCertSign bit is asserted, then the cA bit in the basic constraints extension MUST also be asserted",
- Citation: "RFC 5280: 4.2.1.3 & 4.2.1.9",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC3280Date,
- Lint: NewKeyUsageCertSignNoCa,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_ext_key_usage_cert_sign_without_ca",
+ Description: "if the keyCertSign bit is asserted, then the cA bit in the basic constraints extension MUST also be asserted",
+ Citation: "RFC 5280: 4.2.1.3 & 4.2.1.9",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC3280Date,
+ },
+ Lint: NewKeyUsageCertSignNoCa,
})
}
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_key_usage_not_critical.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_key_usage_not_critical.go
index 0b11d39d5..74067d6b0 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_key_usage_not_critical.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_key_usage_not_critical.go
@@ -25,13 +25,15 @@ type checkKeyUsageCritical struct{}
// "When present, conforming CAs SHOULD mark this extension as critical."
func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "w_ext_key_usage_not_critical",
- Description: "The keyUsage extension SHOULD be critical",
- Citation: "RFC 5280: 4.2.1.3",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC2459Date,
- Lint: NewCheckKeyUsageCritical,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "w_ext_key_usage_not_critical",
+ Description: "The keyUsage extension SHOULD be critical",
+ Citation: "RFC 5280: 4.2.1.3",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC2459Date,
+ },
+ Lint: NewCheckKeyUsageCritical,
})
}
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_key_usage_without_bits.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_key_usage_without_bits.go
index dc93976a7..fe30ad81c 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_key_usage_without_bits.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_key_usage_without_bits.go
@@ -32,13 +32,15 @@ type keyUsageBitsSet struct{}
***********************************************************************/
func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_ext_key_usage_without_bits",
- Description: "When the keyUsage extension is included, at least one bit MUST be set to 1",
- Citation: "RFC 5280: 4.2.1.3",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC5280Date,
- Lint: NewKeyUsageBitsSet,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_ext_key_usage_without_bits",
+ Description: "When the keyUsage extension is included, at least one bit MUST be set to 1",
+ Citation: "RFC 5280: 4.2.1.3",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC5280Date,
+ },
+ Lint: NewKeyUsageBitsSet,
})
}
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_name_constraints_not_critical.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_name_constraints_not_critical.go
index ea5e456a7..2a6c5120b 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_name_constraints_not_critical.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_name_constraints_not_critical.go
@@ -35,13 +35,15 @@ Restrictions are defined in terms of permitted or excluded name
************************************************************************/
func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_ext_name_constraints_not_critical",
- Description: "If it is included, conforming CAs MUST mark the name constraints extension as critical",
- Citation: "RFC 5280: 4.2.1.10",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC2459Date,
- Lint: NewNameConstraintCrit,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_ext_name_constraints_not_critical",
+ Description: "If it is included, conforming CAs MUST mark the name constraints extension as critical",
+ Citation: "RFC 5280: 4.2.1.10",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC2459Date,
+ },
+ Lint: NewNameConstraintCrit,
})
}
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_name_constraints_not_in_ca.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_name_constraints_not_in_ca.go
index 1f1ba618d..edc5ae098 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_name_constraints_not_in_ca.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_name_constraints_not_in_ca.go
@@ -34,13 +34,15 @@ The name constraints extension, which MUST be used only in a CA
***********************************************************************/
func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_ext_name_constraints_not_in_ca",
- Description: "The name constraints extension MUST only be used in CA certificates",
- Citation: "RFC 5280: 4.2.1.10",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC2459Date,
- Lint: NewNameConstraintNotCa,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_ext_name_constraints_not_in_ca",
+ Description: "The name constraints extension MUST only be used in CA certificates",
+ Citation: "RFC 5280: 4.2.1.10",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC2459Date,
+ },
+ Lint: NewNameConstraintNotCa,
})
}
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_policy_constraints_empty.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_policy_constraints_empty.go
index e9d0d2096..30f9577c9 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_policy_constraints_empty.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_policy_constraints_empty.go
@@ -33,13 +33,15 @@ Conforming CAs MUST NOT issue certificates where policy constraints
*************************************************************************/
func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_ext_policy_constraints_empty",
- Description: "Conforming CAs MUST NOT issue certificates where policy constraints is an empty sequence. That is, either the inhibitPolicyMapping field or the requireExplicityPolicy field MUST be present",
- Citation: "RFC 5280: 4.2.1.11",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC2459Date,
- Lint: NewPolicyConstraintsContents,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_ext_policy_constraints_empty",
+ Description: "Conforming CAs MUST NOT issue certificates where policy constraints is an empty sequence. That is, either the inhibitPolicyMapping field or the requireExplicityPolicy field MUST be present",
+ Citation: "RFC 5280: 4.2.1.11",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC2459Date,
+ },
+ Lint: NewPolicyConstraintsContents,
})
}
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_policy_constraints_not_critical.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_policy_constraints_not_critical.go
index df3a03508..f3e680bd3 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_policy_constraints_not_critical.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_policy_constraints_not_critical.go
@@ -28,13 +28,15 @@ Conforming CAs MUST mark this extension as critical.
************************************************/
func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_ext_policy_constraints_not_critical",
- Description: "Conforming CAs MUST mark the policy constraints extension as critical",
- Citation: "RFC 5280: 4.2.1.11",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC5280Date,
- Lint: NewPolicyConstraintsCritical,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_ext_policy_constraints_not_critical",
+ Description: "Conforming CAs MUST mark the policy constraints extension as critical",
+ Citation: "RFC 5280: 4.2.1.11",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC5280Date,
+ },
+ Lint: NewPolicyConstraintsCritical,
})
}
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_policy_map_any_policy.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_policy_map_any_policy.go
index 9d009bbb7..64fed3d7f 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_policy_map_any_policy.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_policy_map_any_policy.go
@@ -31,13 +31,15 @@ Each issuerDomainPolicy named in the policy mappings extension SHOULD
********************************************************************/
func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_ext_policy_map_any_policy",
- Description: "Policies must not be mapped to or from the anyPolicy value",
- Citation: "RFC 5280: 4.2.1.5",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC3280Date,
- Lint: NewPolicyMapAnyPolicy,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_ext_policy_map_any_policy",
+ Description: "Policies must not be mapped to or from the anyPolicy value",
+ Citation: "RFC 5280: 4.2.1.5",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC3280Date,
+ },
+ Lint: NewPolicyMapAnyPolicy,
})
}
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_policy_map_not_critical.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_policy_map_not_critical.go
index ce9e87e2e..08b307116 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_policy_map_not_critical.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_policy_map_not_critical.go
@@ -29,13 +29,15 @@ This extension MAY be supported by CAs and/or applications.
**********************************************************/
func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "w_ext_policy_map_not_critical",
- Description: "Policy mappings should be marked as critical",
- Citation: "RFC 5280: 4.2.1.5",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC2459Date,
- Lint: NewPolicyMapCritical,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "w_ext_policy_map_not_critical",
+ Description: "Policy mappings should be marked as critical",
+ Citation: "RFC 5280: 4.2.1.5",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC2459Date,
+ },
+ Lint: NewPolicyMapCritical,
})
}
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_policy_map_not_in_cert_policy.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_policy_map_not_in_cert_policy.go
index c9efdc466..c0b46d83b 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_policy_map_not_in_cert_policy.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_policy_map_not_in_cert_policy.go
@@ -31,13 +31,15 @@ Each issuerDomainPolicy named in the policy mapping extension SHOULD
 *********************************************************************/
 
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "w_ext_policy_map_not_in_cert_policy",
- Description: "Each issuerDomainPolicy named in the policy mappings extension should also be asserted in a certificate policies extension",
- Citation: "RFC 5280: 4.2.1.5",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC3280Date,
- Lint: NewPolicyMapMatchesCertPolicy,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "w_ext_policy_map_not_in_cert_policy",
+ Description: "Each issuerDomainPolicy named in the policy mappings extension should also be asserted in a certificate policies extension",
+ Citation: "RFC 5280: 4.2.1.5",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC3280Date,
+ },
+ Lint: NewPolicyMapMatchesCertPolicy,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_dns_name_too_long.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_dns_name_too_long.go
index 612c3de33..34228b648 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_dns_name_too_long.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_dns_name_too_long.go
@@ -23,13 +23,15 @@ import (
 type SANDNSTooLong struct{}
 
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_ext_san_dns_name_too_long",
- Description: "DNSName must be less than or equal to 253 bytes",
- Citation: "RFC 5280",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC5280Date,
- Lint: NewSANDNSTooLong,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_ext_san_dns_name_too_long",
+ Description: "DNSName must be less than or equal to 253 bytes",
+ Citation: "RFC 5280",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC5280Date,
+ },
+ Lint: NewSANDNSTooLong,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_dns_not_ia5_string.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_dns_not_ia5_string.go
index 31fa30470..de3953e2c 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_dns_not_ia5_string.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_dns_not_ia5_string.go
@@ -39,13 +39,15 @@ encoding internationalized domain names are specified in Section 7.2.
 ********************************************************************/
 
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_ext_san_dns_not_ia5_string",
- Description: "dNSNames MUST be IA5 strings",
- Citation: "RFC 5280: 4.2.1.6",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC2459Date,
- Lint: NewSANDNSNotIA5String,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_ext_san_dns_not_ia5_string",
+ Description: "dNSNames MUST be IA5 strings",
+ Citation: "RFC 5280: 4.2.1.6",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC2459Date,
+ },
+ Lint: NewSANDNSNotIA5String,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_empty_name.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_empty_name.go
index 0c4911466..86db09f40 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_empty_name.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_empty_name.go
@@ -36,13 +36,15 @@ path is not defined by this profile.
 ******************************************************************/
 
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_ext_san_empty_name",
- Description: "General name fields MUST NOT be empty in subjectAlternateNames",
- Citation: "RFC 5280: 4.2.1.6",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC2459Date,
- Lint: NewSANEmptyName,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_ext_san_empty_name",
+ Description: "General name fields MUST NOT be empty in subjectAlternateNames",
+ Citation: "RFC 5280: 4.2.1.6",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC2459Date,
+ },
+ Lint: NewSANEmptyName,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_no_entries.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_no_entries.go
index 25495715b..5f51e09ac 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_no_entries.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_no_entries.go
@@ -35,13 +35,15 @@ If the subjectAltName extension is present, the sequence MUST contain
 ***********************************************************************/
 
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_ext_san_no_entries",
- Description: "If present, the SAN extension MUST contain at least one entry",
- Citation: "RFC 5280: 4.2.1.6",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC2459Date,
- Lint: NewSANNoEntry,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_ext_san_no_entries",
+ Description: "If present, the SAN extension MUST contain at least one entry",
+ Citation: "RFC 5280: 4.2.1.6",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC2459Date,
+ },
+ Lint: NewSANNoEntry,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_not_critical_without_subject.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_not_critical_without_subject.go
index cd2686727..034d52f53 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_not_critical_without_subject.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_not_critical_without_subject.go
@@ -36,13 +36,15 @@ Further, if the only subject identity included in the certificate is
 ************************************************/
 
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_ext_san_not_critical_without_subject",
- Description: "If there is an empty subject field, then the SAN extension MUST be critical",
- Citation: "RFC 5280: 4.2.1.6",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC2459Date,
- Lint: NewExtSANNotCritNoSubject,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_ext_san_not_critical_without_subject",
+ Description: "If there is an empty subject field, then the SAN extension MUST be critical",
+ Citation: "RFC 5280: 4.2.1.6",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC2459Date,
+ },
+ Lint: NewExtSANNotCritNoSubject,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_rfc822_format_invalid.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_rfc822_format_invalid.go
index 0a09cd560..a6d179335 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_rfc822_format_invalid.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_rfc822_format_invalid.go
@@ -37,13 +37,15 @@ RFC 5280: 4.2.1.6
 ************************************************************************/
 
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_ext_san_rfc822_format_invalid",
- Description: "Email MUST NOT be surrounded with `<>`, and there must be no trailing comments in `()`",
- Citation: "RFC 5280: 4.2.1.6",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC2459Date,
- Lint: NewInvalidEmail,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_ext_san_rfc822_format_invalid",
+ Description: "Email MUST NOT be surrounded with `<>`, and there must be no trailing comments in `()`",
+ Citation: "RFC 5280: 4.2.1.6",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC2459Date,
+ },
+ Lint: NewInvalidEmail,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_space_dns_name.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_space_dns_name.go
index b58d5c835..3fa4a3040 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_space_dns_name.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_space_dns_name.go
@@ -39,13 +39,15 @@ When the subjectAltName extension contains a domain name system
 ************************************************************************/
 
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_ext_san_space_dns_name",
- Description: "The dNSName ` ` MUST NOT be used",
- Citation: "RFC 5280: 4.2.1.6",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC2459Date,
- Lint: NewSANIsSpaceDNS,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_ext_san_space_dns_name",
+ Description: "The dNSName ` ` MUST NOT be used",
+ Citation: "RFC 5280: 4.2.1.6",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC2459Date,
+ },
+ Lint: NewSANIsSpaceDNS,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_uri_format_invalid.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_uri_format_invalid.go
index dac113af8..60c556534 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_uri_format_invalid.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_uri_format_invalid.go
@@ -30,13 +30,15 @@ scheme (e.g., "http" or "ftp") and a scheme-specific-part.
 ************************************************/
 
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_ext_san_uri_format_invalid",
- Description: "URIs in SAN extension must have a scheme and scheme specific part",
- Citation: "RFC5280: 4.2.1.6",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC5280Date,
- Lint: NewExtSANURIFormatInvalid,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_ext_san_uri_format_invalid",
+ Description: "URIs in SAN extension must have a scheme and scheme specific part",
+ Citation: "RFC5280: 4.2.1.6",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC5280Date,
+ },
+ Lint: NewExtSANURIFormatInvalid,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_uri_host_not_fqdn_or_ip.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_uri_host_not_fqdn_or_ip.go
index b1a72bab9..6eb42763b 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_uri_host_not_fqdn_or_ip.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_uri_host_not_fqdn_or_ip.go
@@ -37,13 +37,15 @@ Section 7.4.
 *********************************************************************/
 
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_ext_san_uri_host_not_fqdn_or_ip",
- Description: "URIs that include an authority ([RFC3986], Section 3.2) MUST include a fully qualified domain name or IP address as the host",
- Citation: "RFC 5280: 4.2.1.7",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC5280Date,
- Lint: NewSANURIHost,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_ext_san_uri_host_not_fqdn_or_ip",
+ Description: "URIs that include an authority ([RFC3986], Section 3.2) MUST include a fully qualified domain name or IP address as the host",
+ Citation: "RFC 5280: 4.2.1.7",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC5280Date,
+ },
+ Lint: NewSANURIHost,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_uri_not_ia5.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_uri_not_ia5.go
index d91812421..d0cad9208 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_uri_not_ia5.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_uri_not_ia5.go
@@ -30,13 +30,15 @@ stored in the uniformResourceIdentifier (an IA5String).
 ************************************************/
 
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_ext_san_uri_not_ia5",
- Description: "When subjectAlternateName contains a URI, the name MUST be an IA5 string",
- Citation: "RFC5280: 4.2.1.6",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC5280Date,
- Lint: NewExtSANURINotIA5,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_ext_san_uri_not_ia5",
+ Description: "When subjectAlternateName contains a URI, the name MUST be an IA5 string",
+ Citation: "RFC5280: 4.2.1.6",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC5280Date,
+ },
+ Lint: NewExtSANURINotIA5,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_uri_relative.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_uri_relative.go
index 0e9db95f6..6d0f66e95 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_uri_relative.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_uri_relative.go
@@ -37,13 +37,15 @@ Section 7.4.
 *************************************************************************/
 
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_ext_san_uri_relative",
- Description: "When the subjectAlternateName extension is present and a URI is used, the name MUST NOT be a relative URI",
- Citation: "RFC 5280: 4.2.1.6",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC5280Date,
- Lint: NewExtSANURIRelative,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_ext_san_uri_relative",
+ Description: "When the subjectAlternateName extension is present and a URI is used, the name MUST NOT be a relative URI",
+ Citation: "RFC 5280: 4.2.1.6",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC5280Date,
+ },
+ Lint: NewExtSANURIRelative,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_subject_directory_attr_critical.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_subject_directory_attr_critical.go
index 82925fde0..75edd8bda 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_subject_directory_attr_critical.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_subject_directory_attr_critical.go
@@ -31,13 +31,15 @@ The subject directory attributes extension is used to convey
 ************************************************/
 
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_ext_subject_directory_attr_critical",
- Description: "Conforming CAs MUST mark the Subject Directory Attributes extension as not critical",
- Citation: "RFC 5280: 4.2.1.8",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC2459Date,
- Lint: NewSubDirAttrCrit,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_ext_subject_directory_attr_critical",
+ Description: "Conforming CAs MUST mark the Subject Directory Attributes extension as not critical",
+ Citation: "RFC 5280: 4.2.1.8",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC2459Date,
+ },
+ Lint: NewSubDirAttrCrit,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_subject_key_identifier_critical.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_subject_key_identifier_critical.go
index 15cd21839..495777f50 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_subject_key_identifier_critical.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_subject_key_identifier_critical.go
@@ -28,13 +28,15 @@ RFC 5280: 4.2.1.2
 **********************************************************/
 
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_ext_subject_key_identifier_critical",
- Description: "The subject key identifier extension MUST be non-critical",
- Citation: "RFC 5280: 4.2.1.2",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC2459Date,
- Lint: NewSubjectKeyIdCritical,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_ext_subject_key_identifier_critical",
+ Description: "The subject key identifier extension MUST be non-critical",
+ Citation: "RFC 5280: 4.2.1.2",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC2459Date,
+ },
+ Lint: NewSubjectKeyIdCritical,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_subject_key_identifier_missing_ca.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_subject_key_identifier_missing_ca.go
index 7adae089e..6c4e2a8e5 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_subject_key_identifier_missing_ca.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_subject_key_identifier_missing_ca.go
@@ -43,13 +43,15 @@ type subjectKeyIdMissingCA struct{}
 ************************************************/
 
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_ext_subject_key_identifier_missing_ca",
- Description: "CAs MUST include a Subject Key Identifier in all CA certificates",
- Citation: "RFC 5280: 4.2 & 4.2.1.2",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC2459Date,
- Lint: NewSubjectKeyIdMissingCA,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_ext_subject_key_identifier_missing_ca",
+ Description: "CAs MUST include a Subject Key Identifier in all CA certificates",
+ Citation: "RFC 5280: 4.2 & 4.2.1.2",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC2459Date,
+ },
+ Lint: NewSubjectKeyIdMissingCA,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_subject_key_identifier_missing_sub_cert.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_subject_key_identifier_missing_sub_cert.go
index c8ba38a12..fc66e1b39 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_subject_key_identifier_missing_sub_cert.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_subject_key_identifier_missing_sub_cert.go
@@ -43,13 +43,15 @@ type subjectKeyIdMissingSubscriber struct{}
 **********************************************************************/
 
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "w_ext_subject_key_identifier_missing_sub_cert",
- Description: "Sub certificates SHOULD include Subject Key Identifier in end entity certs",
- Citation: "RFC 5280: 4.2 & 4.2.1.2",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC2459Date,
- Lint: NewSubjectKeyIdMissingSubscriber,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "w_ext_subject_key_identifier_missing_sub_cert",
+ Description: "Sub certificates SHOULD include Subject Key Identifier in end entity certs",
+ Citation: "RFC 5280: 4.2 & 4.2.1.2",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC2459Date,
+ },
+ Lint: NewSubjectKeyIdMissingSubscriber,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_generalized_time_does_not_include_seconds.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_generalized_time_does_not_include_seconds.go
index c3496008a..312dc9dda 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_generalized_time_does_not_include_seconds.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_generalized_time_does_not_include_seconds.go
@@ -38,13 +38,15 @@ is zero. GeneralizedTime values MUST NOT include fractional seconds.
 ********************************************************************/
 
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_generalized_time_does_not_include_seconds",
- Description: "Generalized time values MUST include seconds",
- Citation: "RFC 5280: 4.1.2.5.2",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC2459Date,
- Lint: NewGeneralizedNoSeconds,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_generalized_time_does_not_include_seconds",
+ Description: "Generalized time values MUST include seconds",
+ Citation: "RFC 5280: 4.1.2.5.2",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC2459Date,
+ },
+ Lint: NewGeneralizedNoSeconds,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_generalized_time_includes_fraction_seconds.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_generalized_time_includes_fraction_seconds.go
index 57221f928..c6c4ed992 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_generalized_time_includes_fraction_seconds.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_generalized_time_includes_fraction_seconds.go
@@ -38,13 +38,15 @@ is zero. GeneralizedTime values MUST NOT include fractional seconds.
 ********************************************************************/
 
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_generalized_time_includes_fraction_seconds",
- Description: "Generalized time values MUST NOT include fractional seconds",
- Citation: "RFC 5280: 4.1.2.5.2",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC2459Date,
- Lint: NewGeneralizedTimeFraction,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_generalized_time_includes_fraction_seconds",
+ Description: "Generalized time values MUST NOT include fractional seconds",
+ Citation: "RFC 5280: 4.1.2.5.2",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC2459Date,
+ },
+ Lint: NewGeneralizedTimeFraction,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_generalized_time_not_in_zulu.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_generalized_time_not_in_zulu.go
index 289ee4ae0..492513dc0 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_generalized_time_not_in_zulu.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_generalized_time_not_in_zulu.go
@@ -37,13 +37,15 @@ is zero. GeneralizedTime values MUST NOT include fractional seconds.
 ********************************************************************/
 
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_generalized_time_not_in_zulu",
- Description: "Generalized time values MUST be expressed in Greenwich Mean Time (Zulu)",
- Citation: "RFC 5280: 4.1.2.5.2",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC2459Date,
- Lint: NewGeneralizedNotZulu,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_generalized_time_not_in_zulu",
+ Description: "Generalized time values MUST be expressed in Greenwich Mean Time (Zulu)",
+ Citation: "RFC 5280: 4.1.2.5.2",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC2459Date,
+ },
+ Lint: NewGeneralizedNotZulu,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_idn_dnsname_malformed_unicode.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_idn_dnsname_malformed_unicode.go
index daaf1e473..3b7b19472 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_idn_dnsname_malformed_unicode.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_idn_dnsname_malformed_unicode.go
@@ -25,13 +25,15 @@ import (
 type IDNMalformedUnicode struct{}
 
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_international_dns_name_not_unicode",
- Description: "Internationalized DNSNames punycode not valid Unicode",
- Citation: "RFC 3490",
- EffectiveDate: util.RFC3490Date,
- Source: lint.RFC5280,
- Lint: NewIDNMalformedUnicode,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_international_dns_name_not_unicode",
+ Description: "Internationalized DNSNames punycode not valid Unicode",
+ Citation: "RFC 3490",
+ EffectiveDate: util.RFC3490Date,
+ Source: lint.RFC5280,
+ },
+ Lint: NewIDNMalformedUnicode,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_idn_dnsname_must_be_nfc.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_idn_dnsname_must_be_nfc.go
index 74c64f33c..8b3917df6 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_idn_dnsname_must_be_nfc.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_idn_dnsname_must_be_nfc.go
@@ -26,13 +26,15 @@ import (
 type IDNNotNFC struct{}
 
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_international_dns_name_not_nfc",
- Description: "Internationalized DNSNames must be normalized by Unicode normalization form C",
- Citation: "RFC 8399",
- Source: lint.RFC5891,
- EffectiveDate: util.RFC8399Date,
- Lint: NewIDNNotNFC,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_international_dns_name_not_nfc",
+ Description: "Internationalized DNSNames must be normalized by Unicode normalization form C",
+ Citation: "RFC 8399",
+ Source: lint.RFC5891,
+ EffectiveDate: util.RFC8399Date,
+ },
+ Lint: NewIDNNotNFC,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_incorrect_ku_encoding.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_incorrect_ku_encoding.go
index 6c0342261..55ed709c1 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_incorrect_ku_encoding.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_incorrect_ku_encoding.go
@@ -25,13 +25,15 @@ import (
 )
 
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_incorrect_ku_encoding",
- Description: "RFC 5280 Section 4.2.1.3 describes the value of a KeyUsage to be a DER encoded BitString, which itself defines that all trailing 0 bits be counted as being \"unused\".",
- Citation: "Where ITU-T Rec. X.680 | ISO/IEC 8824-1, 21.7, applies, the bitstring shall have all trailing 0 bits removed before it is encoded.",
- Source: lint.RFC5280,
- EffectiveDate: util.ZeroDate,
- Lint: func() lint.LintInterface { return &incorrectKuEncoding{} },
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_incorrect_ku_encoding",
+ Description: "RFC 5280 Section 4.2.1.3 describes the value of a KeyUsage to be a DER encoded BitString, which itself defines that all trailing 0 bits be counted as being \"unused\".",
+ Citation: "Where ITU-T Rec. X.680 | ISO/IEC 8824-1, 21.7, applies, the bitstring shall have all trailing 0 bits removed before it is encoded.",
+ Source: lint.RFC5280,
+ EffectiveDate: util.ZeroDate,
+ },
+ Lint: func() lint.LintInterface { return &incorrectKuEncoding{} },
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_inhibit_any_policy_not_critical.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_inhibit_any_policy_not_critical.go
index 4bd5a23e0..e7e81dbfe 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_inhibit_any_policy_not_critical.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_inhibit_any_policy_not_critical.go
@@ -38,13 +38,15 @@ type InhibitAnyPolicyNotCritical struct{}
 ************************************************/
 
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_inhibit_any_policy_not_critical",
- Description: "CAs MUST mark the inhibitAnyPolicy extension as critical",
- Citation: "RFC 5280: 4.2.1.14",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC3280Date,
- Lint: NewInhibitAnyPolicyNotCritical,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_inhibit_any_policy_not_critical",
+ Description: "CAs MUST mark the inhibitAnyPolicy extension as critical",
+ Citation: "RFC 5280: 4.2.1.14",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC3280Date,
+ },
+ Lint: NewInhibitAnyPolicyNotCritical,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_issuer_dn_country_not_printable_string.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_issuer_dn_country_not_printable_string.go
index 5a85d5923..ed442e47d 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_issuer_dn_country_not_printable_string.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_issuer_dn_country_not_printable_string.go
@@ -24,13 +24,15 @@ import (
 type IssuerDNCountryNotPrintableString struct{}
 
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_issuer_dn_country_not_printable_string",
- Description: "X520 Distinguished Name Country MUST BE encoded as PrintableString",
- Citation: "RFC 5280: Appendix A",
- Source: lint.RFC5280,
- EffectiveDate: util.ZeroDate,
- Lint: NewIssuerDNCountryNotPrintableString,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_issuer_dn_country_not_printable_string",
+ Description: "X520 Distinguished Name Country MUST BE encoded as PrintableString",
+ Citation: "RFC 5280: Appendix A",
+ Source: lint.RFC5280,
+ EffectiveDate: util.ZeroDate,
+ },
+ Lint: NewIssuerDNCountryNotPrintableString,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_issuer_field_empty.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_issuer_field_empty.go
index 9429101ac..5041e88cc 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_issuer_field_empty.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_issuer_field_empty.go
@@ -31,13 +31,15 @@ The issuer field identifies the entity that has signed and issued the
 ************************************************/
 
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_issuer_field_empty",
- Description: "Certificate issuer field MUST NOT be empty and must have a non-empty distinguished name",
- Citation: "RFC 5280: 4.1.2.4",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC2459Date,
- Lint: NewIssuerFieldEmpty,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_issuer_field_empty",
+ Description: "Certificate issuer field MUST NOT be empty and must have a non-empty distinguished name",
+ Citation: "RFC 5280: 4.1.2.4",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC2459Date,
+ },
+ Lint: NewIssuerFieldEmpty,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_key_usage_and_extended_key_usage_inconsistent.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_key_usage_and_extended_key_usage_inconsistent.go
new file mode 100644
index 000000000..df017fc6c
--- /dev/null
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_key_usage_and_extended_key_usage_inconsistent.go
@@ -0,0 +1,215 @@
+package rfc
+
+/*
+ * ZLint Copyright 2021 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+import (
+ "fmt"
+ "sort"
+
+ "github.com/zmap/zcrypto/x509"
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/util"
+)
+
+type KUAndEKUInconsistent struct{}
+
+func init() {
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_key_usage_and_extended_key_usage_inconsistent",
+ Description: "The certificate MUST only be used for a purpose consistent with both key usage extension and extended key usage extension.",
+ Citation: "RFC 5280, Section 4.2.1.12.",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC5280Date,
+ },
+ Lint: NewKUAndEKUInconsistent,
+ })
+}
+
+func NewKUAndEKUInconsistent() lint.LintInterface {
+ return &KUAndEKUInconsistent{}
+}
+
+func (l *KUAndEKUInconsistent) Initialize() error {
+ return nil
+}
+
+// CheckApplies returns true when the certificate contains both a key usage
+// extension and an extended key usage extension.
+func (l *KUAndEKUInconsistent) CheckApplies(c *x509.Certificate) bool {
+ return util.IsSubscriberCert(c) && util.IsExtInCert(c, util.EkuSynOid) && util.IsExtInCert(c, util.KeyUsageOID)
+}
+
+// Execute returns an Error level lint.LintResult if the purposes of the certificate
+// being linted is not consistent with both extensions.
+func (l *KUAndEKUInconsistent) Execute(c *x509.Certificate) *lint.LintResult {
+ if len(c.ExtKeyUsage) > 1 {
+ return l.multiPurpose(c)
+ }
+ return l.strictPurpose(c)
+}
+
+// RFC 5280 4.2.1.12 on multiple purposes:
+
+ If multiple purposes are indicated the application need not recognize all purposes
+ indicated, as long as the intended purpose is present.
+func (l *KUAndEKUInconsistent) multiPurpose(c *x509.Certificate) *lint.LintResult {
+ // Create a map with each KeyUsage combination that is authorized for the
+ // included extKeyUsage(es).
+ var mp = map[x509.KeyUsage]bool{}
+ for _, extKeyUsage := range c.ExtKeyUsage {
+ var i int
+ if _, ok := eku[extKeyUsage]; !ok {
+ return &lint.LintResult{Status: lint.Pass}
+ }
+ for ku := range eku[extKeyUsage] {
+ // There is nothing to merge for the first EKU.
+ if i > 0 {
+ // We could see this EKU combined with any other EKU so
+ // create that possibility.
+ for mpku := range mp {
+ mp[mpku|ku] = true
+ }
+ }
+
+ mp[ku] = true
+ i++
+ }
+ }
+ if !mp[c.KeyUsage] {
+ // Sort the included KeyUsage strings for consistent error messages
+ // The order does not matter for this lint, but the consistency makes
+ // it easier to identify common errors.
+ keyUsage := util.GetKeyUsageStrings(c.KeyUsage)
+ sort.Strings(keyUsage)
+
+ return &lint.LintResult{
+ Status: lint.Error,
+ Details: fmt.Sprintf("KeyUsage %v (%08b) inconsistent with multiple purpose ExtKeyUsage %v", keyUsage, c.KeyUsage, util.GetEKUStrings(c.ExtKeyUsage)),
+ }
+ }
+ return &lint.LintResult{Status: lint.Pass}
+}
+
+// strictPurpose checks if the Key Usages (KU) included are permitted for each
+// indicated Extended Key Usage (EKU)
+func (l *KUAndEKUInconsistent) strictPurpose(c *x509.Certificate) *lint.LintResult {
+ for _, extKeyUsage := range c.ExtKeyUsage {
+ if _, ok := eku[extKeyUsage]; !ok {
+ continue
+ }
+ if !eku[extKeyUsage][c.KeyUsage] {
+ return &lint.LintResult{
+ Status: lint.Error,
+ Details: fmt.Sprintf("KeyUsage %v (%08b) inconsistent with ExtKeyUsage %s", util.GetKeyUsageStrings(c.KeyUsage), c.KeyUsage, util.GetEKUString(extKeyUsage)),
+ }
+ }
+ }
+ return &lint.LintResult{Status: lint.Pass}
+}
+
+var eku = map[x509.ExtKeyUsage]map[x509.KeyUsage]bool{
+
+ // KU combinations with Server Authentication EKU:
+ // RFC 5280 4.2.1.12 on KU consistency with Server Authentication EKU:
+ // -- TLS WWW server authentication
+ // -- Key usage bits that may be consistent: digitalSignature,
+ // -- keyEncipherment or keyAgreement
+
+ // (digitalSignature OR (keyEncipherment XOR keyAgreement))
+ x509.ExtKeyUsageServerAuth: {
+ x509.KeyUsageDigitalSignature: true,
+ x509.KeyUsageKeyEncipherment: true,
+ x509.KeyUsageKeyAgreement: true,
+ x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment: true,
+ x509.KeyUsageDigitalSignature | x509.KeyUsageKeyAgreement: true,
+ },
+
+ // KU combinations with Client Authentication EKU:
+ // RFC 5280 4.2.1.12 on KU consistency with Client Authentication EKU:
+ // -- TLS WWW client authentication
+ // -- Key usage bits that may be consistent: digitalSignature
+ // -- and/or keyAgreement
+
+ // (digitalSignature OR keyAgreement)
+ x509.ExtKeyUsageClientAuth: {
+ x509.KeyUsageDigitalSignature: true,
+ x509.KeyUsageKeyAgreement: true,
+ x509.KeyUsageDigitalSignature | x509.KeyUsageKeyAgreement: true,
+ },
+
+ // KU combinations with Code Signing EKU:
+ // RFC 5280 4.2.1.12 on KU consistency with Code Signing EKU:
+ // -- Signing of downloadable executable code
+ // -- Key usage bits that may be consistent: digitalSignature
+
+ // (digitalSignature)
+ x509.ExtKeyUsageCodeSigning: {
+ x509.KeyUsageDigitalSignature: true,
+ },
+
+ // KU combinations with Email Protection EKU:
+ // RFC 5280 4.2.1.12 on KU consistency with Email Protection EKU:
+ // -- Email protection
+ // -- Key usage bits that may be consistent: digitalSignature,
+ // -- nonRepudiation, and/or (keyEncipherment or keyAgreement)
+ // Note: Recent editions of X.509 have renamed nonRepudiation bit to contentCommitment
+
+ // (digitalSignature OR nonRepudiation OR (keyEncipherment XOR keyAgreement))
+ x509.ExtKeyUsageEmailProtection: {
+ x509.KeyUsageDigitalSignature: true,
+ x509.KeyUsageContentCommitment: true,
+ x509.KeyUsageKeyEncipherment: true,
+ x509.KeyUsageKeyAgreement: true,
+
+ x509.KeyUsageDigitalSignature | x509.KeyUsageContentCommitment: true,
+ x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment: true,
+ x509.KeyUsageDigitalSignature | x509.KeyUsageKeyAgreement: true,
+
+ x509.KeyUsageDigitalSignature | x509.KeyUsageContentCommitment | x509.KeyUsageKeyEncipherment: true,
+ x509.KeyUsageDigitalSignature | x509.KeyUsageContentCommitment | x509.KeyUsageKeyAgreement: true,
+
+ x509.KeyUsageContentCommitment | x509.KeyUsageKeyEncipherment: true,
+ x509.KeyUsageContentCommitment | x509.KeyUsageKeyAgreement: true,
+ },
+
+ // KU combinations with Time Stamping EKU:
+ // RFC 5280 4.2.1.12 on KU consistency with Time Stamping EKU:
+ // -- Binding the hash of an object to a time
+ // -- Key usage bits that may be consistent: digitalSignature
+ // -- and/or nonRepudiation
+ // Note: Recent editions of X.509 have renamed nonRepudiation bit to contentCommitment
+
+ // (digitalSignature OR nonRepudiation)
+ x509.ExtKeyUsageTimeStamping: {
+ x509.KeyUsageDigitalSignature: true,
+ x509.KeyUsageContentCommitment: true,
+ x509.KeyUsageDigitalSignature | x509.KeyUsageContentCommitment: true,
+ },
+
+ // KU combinations with Ocsp Signing EKU:
+ // RFC 5280 4.2.1.12 on KU consistency with Ocsp Signing EKU:
+ // -- Signing OCSP responses
+ // -- Key usage bits that may be consistent: digitalSignature
+ // -- and/or nonRepudiation
+ // Note: Recent editions of X.509 have renamed nonRepudiation bit to contentCommitment
+
+ // (digitalSignature OR nonRepudiation)
+ x509.ExtKeyUsageOcspSigning: {
+ x509.KeyUsageDigitalSignature: true,
+ x509.KeyUsageContentCommitment: true,
+ x509.KeyUsageDigitalSignature | x509.KeyUsageContentCommitment: true,
+ },
+}
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_key_usage_incorrect_length.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_key_usage_incorrect_length.go
index 1f85c1a82..1a875568d 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_key_usage_incorrect_length.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_key_usage_incorrect_length.go
@@ -29,13 +29,15 @@ import (
 type keyUsageIncorrectLength struct{}
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_key_usage_incorrect_length",
- Description: "The key usage is a bit string with exactly nine possible flags",
- Citation: "RFC 5280: 4.2.1.3",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC5280Date,
- Lint: NewKeyUsageIncorrectLength,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_key_usage_incorrect_length",
+ Description: "The key usage is a bit string with exactly nine possible flags",
+ Citation: "RFC 5280: 4.2.1.3",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC5280Date,
+ },
+ Lint: NewKeyUsageIncorrectLength,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_name_constraint_empty.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_name_constraint_empty.go
index a82cce491..8fcc372bb 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_name_constraint_empty.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_name_constraint_empty.go
@@ -36,13 +36,15 @@ type nameConstraintEmpty struct{}
 ************************************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_name_constraint_empty",
- Description: "Conforming CAs MUST NOT issue certificates where name constraints is an empty sequence. That is, either the permittedSubtree or excludedSubtree fields must be present",
- Citation: "RFC 5280: 4.2.1.10",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC5280Date,
- Lint: NewNameConstraintEmpty,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_name_constraint_empty",
+ Description: "Conforming CAs MUST NOT issue certificates where name constraints is an empty sequence. That is, either the permittedSubtree or excludedSubtree fields must be present",
+ Citation: "RFC 5280: 4.2.1.10",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC5280Date,
+ },
+ Lint: NewNameConstraintEmpty,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_name_constraint_maximum_not_absent.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_name_constraint_maximum_not_absent.go
index b24ec5f9f..78b0029d5 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_name_constraint_maximum_not_absent.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_name_constraint_maximum_not_absent.go
@@ -34,13 +34,15 @@ certificate.
 ************************************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_name_constraint_maximum_not_absent",
- Description: "Within the name constraints name form, the maximum field is not used and therefore MUST be absent",
- Citation: "RFC 5280: 4.2.1.10",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC2459Date,
- Lint: NewNameConstraintMax,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_name_constraint_maximum_not_absent",
+ Description: "Within the name constraints name form, the maximum field is not used and therefore MUST be absent",
+ Citation: "RFC 5280: 4.2.1.10",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC2459Date,
+ },
+ Lint: NewNameConstraintMax,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_name_constraint_minimum_non_zero.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_name_constraint_minimum_non_zero.go
index c52467411..113ce13ec 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_name_constraint_minimum_non_zero.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_name_constraint_minimum_non_zero.go
@@ -34,13 +34,15 @@ certificate.
 ************************************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_name_constraint_minimum_non_zero",
- Description: "Within the name constraints name forms, the minimum field is not used and therefore MUST be zero",
- Citation: "RFC 5280: 4.2.1.10",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC2459Date,
- Lint: NewNameConstMin,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_name_constraint_minimum_non_zero",
+ Description: "Within the name constraints name forms, the minimum field is not used and therefore MUST be zero",
+ Citation: "RFC 5280: 4.2.1.10",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC2459Date,
+ },
+ Lint: NewNameConstMin,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_name_constraint_not_fqdn.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_name_constraint_not_fqdn.go
index d9ca2cd71..38a352d19 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_name_constraint_not_fqdn.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_name_constraint_not_fqdn.go
@@ -37,13 +37,15 @@ type nameConstraintNotFQDN struct{}
 ************************************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_name_constraint_not_fqdn",
- Description: "For URIs, the constraint MUST be specified as a fully qualified domain name [...] When the constraint begins with a period, it MAY be expanded with one or more labels.",
- Citation: "RFC 5280: 4.2.1.10",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC5280Date,
- Lint: NewNameConstraintNotFQDN,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_name_constraint_not_fqdn",
+ Description: "For URIs, the constraint MUST be specified as a fully qualified domain name [...] When the constraint begins with a period, it MAY be expanded with one or more labels.",
+ Citation: "RFC 5280: 4.2.1.10",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC5280Date,
+ },
+ Lint: NewNameConstraintNotFQDN,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_name_constraint_on_edi_party_name.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_name_constraint_on_edi_party_name.go
index b1111aae4..ed34a08f9 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_name_constraint_on_edi_party_name.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_name_constraint_on_edi_party_name.go
@@ -36,13 +36,15 @@ be present.
 *******************************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "w_name_constraint_on_edi_party_name",
- Description: "The name constraints extension SHOULD NOT impose constraints on the ediPartyName name form",
- Citation: "RFC 5280: 4.2.1.10",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC5280Date,
- Lint: NewNameConstraintOnEDI,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "w_name_constraint_on_edi_party_name",
+ Description: "The name constraints extension SHOULD NOT impose constraints on the ediPartyName name form",
+ Citation: "RFC 5280: 4.2.1.10",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC5280Date,
+ },
+ Lint: NewNameConstraintOnEDI,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_name_constraint_on_registered_id.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_name_constraint_on_registered_id.go
index 0e2912a80..16371bd80 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_name_constraint_on_registered_id.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_name_constraint_on_registered_id.go
@@ -36,13 +36,15 @@ be present.
 *******************************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "w_name_constraint_on_registered_id",
- Description: "The name constraints extension SHOULD NOT impose constraints on the registeredID name form",
- Citation: "RFC 5280: 4.2.1.10",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC5280Date,
- Lint: NewNameConstraintOnRegisteredId,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "w_name_constraint_on_registered_id",
+ Description: "The name constraints extension SHOULD NOT impose constraints on the registeredID name form",
+ Citation: "RFC 5280: 4.2.1.10",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC5280Date,
+ },
+ Lint: NewNameConstraintOnRegisteredId,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_name_constraint_on_x400.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_name_constraint_on_x400.go
index b9d2dae56..dcd2b5d3a 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_name_constraint_on_x400.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_name_constraint_on_x400.go
@@ -36,13 +36,15 @@ be present.
 *******************************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "w_name_constraint_on_x400",
- Description: "The name constraints extension SHOULD NOT impose constraints on the x400Address name form",
- Citation: "RFC 5280: 4.2.1.10",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC5280Date,
- Lint: NewNameConstraintOnX400,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "w_name_constraint_on_x400",
+ Description: "The name constraints extension SHOULD NOT impose constraints on the x400Address name form",
+ Citation: "RFC 5280: 4.2.1.10",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC5280Date,
+ },
+ Lint: NewNameConstraintOnX400,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_path_len_constraint_improperly_included.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_path_len_constraint_improperly_included.go
index 465c967ca..a229cfcca 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_path_len_constraint_improperly_included.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_path_len_constraint_improperly_included.go
@@ -31,13 +31,15 @@ keyCertSign bit.
 ******************************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_path_len_constraint_improperly_included",
- Description: "CAs MUST NOT include the pathLenConstraint field unless the CA boolean is asserted and the keyCertSign bit is set",
- Citation: "RFC 5280: 4.2.1.9",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC3280Date,
- Lint: NewPathLenIncluded,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_path_len_constraint_improperly_included",
+ Description: "CAs MUST NOT include the pathLenConstraint field unless the CA boolean is asserted and the keyCertSign bit is set",
+ Citation: "RFC 5280: 4.2.1.9",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC3280Date,
+ },
+ Lint: NewPathLenIncluded,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_path_len_constraint_zero_or_less.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_path_len_constraint_zero_or_less.go
index 51a613890..c2441ea85 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_path_len_constraint_zero_or_less.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_path_len_constraint_zero_or_less.go
@@ -46,13 +46,15 @@ not appear, no limit is imposed.
 ********************************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_path_len_constraint_zero_or_less",
- Description: "Where it appears, the pathLenConstraint field MUST be greater than or equal to zero",
- Citation: "RFC 5280: 4.2.1.9",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC2459Date,
- Lint: NewPathLenNonPositive,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_path_len_constraint_zero_or_less",
+ Description: "Where it appears, the pathLenConstraint field MUST be greater than or equal to zero",
+ Citation: "RFC 5280: 4.2.1.9",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC2459Date,
+ },
+ Lint: NewPathLenNonPositive,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_rsa_allowed_ku_ca.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_rsa_allowed_ku_ca.go
index 931620bfc..aff892a3c 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_rsa_allowed_ku_ca.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_rsa_allowed_ku_ca.go
@@ -41,13 +41,15 @@ RFC 3279: 2.3.1 RSA Keys
 ************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_rsa_allowed_ku_ca",
- Description: "Key usage values digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyCertSign, and cRLSign may only be present in a CA certificate with an RSA key",
- Citation: "RFC 3279: 2.3.1",
- Source: lint.RFC3279,
- EffectiveDate: util.RFC3279Date,
- Lint: NewRsaAllowedKUCa,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_rsa_allowed_ku_ca",
+ Description: "Key usage values digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyCertSign, and cRLSign may only be present in a CA certificate with an RSA key",
+ Citation: "RFC 3279: 2.3.1",
+ Source: lint.RFC3279,
+ EffectiveDate: util.RFC3279Date,
+ },
+ Lint: NewRsaAllowedKUCa,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_rsa_allowed_ku_ee.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_rsa_allowed_ku_ee.go
index 85e9e3269..d15134a47 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_rsa_allowed_ku_ee.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_rsa_allowed_ku_ee.go
@@ -39,13 +39,15 @@ RFC 3279: 2.3.1 RSA Keys
 ************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_rsa_allowed_ku_ee",
- Description: "Key usage values digitalSignature, nonRepudiation, keyEncipherment, and dataEncipherment may only be present in an end entity certificate with an RSA key",
- Citation: "RFC 3279: 2.3.1",
- Source: lint.RFC3279,
- EffectiveDate: util.RFC3279Date,
- Lint: NewRsaAllowedKUEe,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_rsa_allowed_ku_ee",
+ Description: "Key usage values digitalSignature, nonRepudiation, keyEncipherment, and dataEncipherment may only be present in an end entity certificate with an RSA key",
+ Citation: "RFC 3279: 2.3.1",
+ Source: lint.RFC3279,
+ EffectiveDate: util.RFC3279Date,
+ },
+ Lint: NewRsaAllowedKUEe,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_rsa_allowed_ku_no_encipherment_ca.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_rsa_allowed_ku_no_encipherment_ca.go
index 7df5b2020..f35f25955 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_rsa_allowed_ku_no_encipherment_ca.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_rsa_allowed_ku_no_encipherment_ca.go
@@ -41,13 +41,15 @@ RFC 3279: 2.3.1 RSA Keys
 ************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_rsa_allowed_ku_no_encipherment_ca",
- Description: "If Key usage value keyCertSign or cRLSign is present in a CA certificate both keyEncipherment and dataEncipherment SHOULD NOT be present",
- Citation: "RFC 3279: 2.3.1",
- Source: lint.RFC3279,
- EffectiveDate: util.RFC3279Date,
- Lint: NewRsaAllowedKUCaNoEncipherment,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_rsa_allowed_ku_no_encipherment_ca",
+ Description: "If Key usage value keyCertSign or cRLSign is present in a CA certificate both keyEncipherment and dataEncipherment SHOULD NOT be present",
+ Citation: "RFC 3279: 2.3.1",
+ Source: lint.RFC3279,
+ EffectiveDate: util.RFC3279Date,
+ },
+ Lint: NewRsaAllowedKUCaNoEncipherment,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_serial_number_longer_than_20_octets.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_serial_number_longer_than_20_octets.go
index 2c86528fa..20114ae1f 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_serial_number_longer_than_20_octets.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_serial_number_longer_than_20_octets.go
@@ -43,13 +43,15 @@ RFC 5280: 4.1.2.2. Serial Number
 ************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_serial_number_longer_than_20_octets",
- Description: "Certificates must not have a DER encoded serial number longer than 20 octets",
- Citation: "RFC 5280: 4.1.2.2",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC3280Date,
- Lint: NewSerialNumberTooLong,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_serial_number_longer_than_20_octets",
+ Description: "Certificates must not have a DER encoded serial number longer than 20 octets",
+ Citation: "RFC 5280: 4.1.2.2",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC3280Date,
+ },
+ Lint: NewSerialNumberTooLong,
 })
 }
@@ -68,12 +70,12 @@ func (l *serialNumberTooLong) Execute(c *x509.Certificate) *lint.LintResult {
 // DER encoded lengths are without having to guess.
 encoding, err := asn1.Marshal(c.SerialNumber)
 if err != nil {
- return &lint.LintResult{Status: lint.Fatal, Details: fmt.Sprint(err)}
+ return &lint.LintResult{Status: lint.Fatal, Details: err.Error()}
 }
 serial := new(asn1.RawValue)
 _, err = asn1.Unmarshal(encoding, serial)
 if err != nil {
- return &lint.LintResult{Status: lint.Fatal, Details: fmt.Sprint(err)}
+ return &lint.LintResult{Status: lint.Fatal, Details: err.Error()}
 }
 length := len(serial.Bytes)
 if length > 20 {
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_serial_number_not_positive.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_serial_number_not_positive.go
index 4493b4bd5..0efb8f078 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_serial_number_not_positive.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_serial_number_not_positive.go
@@ -40,13 +40,15 @@ type SerialNumberNotPositive struct{}
 ************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_serial_number_not_positive",
- Description: "Certificates must have a positive serial number",
- Citation: "RFC 5280: 4.1.2.2",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC3280Date,
- Lint: NewSerialNumberNotPositive,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_serial_number_not_positive",
+ Description: "Certificates must have a positive serial number",
+ Citation: "RFC 5280: 4.1.2.2",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC3280Date,
+ },
+ Lint: NewSerialNumberNotPositive,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_spki_rsa_encryption_parameter_not_null.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_spki_rsa_encryption_parameter_not_null.go
index 0aff82047..b5bf7317b 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_spki_rsa_encryption_parameter_not_null.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_spki_rsa_encryption_parameter_not_null.go
@@ -30,13 +30,15 @@ RSA: Encoded algorithm identifier MUST have NULL parameters.
 *******************************************************************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_spki_rsa_encryption_parameter_not_null",
- Description: "RSA: Encoded public key algorithm identifier MUST have NULL parameters",
- Citation: "RFC 4055, Section 1.2",
- Source: lint.RFC5280, // RFC4055 is referenced in lint.RFC5280, Section 1
- EffectiveDate: util.RFC5280Date,
- Lint: NewRsaSPKIEncryptionParamNotNULL,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_spki_rsa_encryption_parameter_not_null",
+ Description: "RSA: Encoded public key algorithm identifier MUST have NULL parameters",
+ Citation: "RFC 4055, Section 1.2",
+ Source: lint.RFC5280, // RFC4055 is referenced in lint.RFC5280, Section 1
+ EffectiveDate: util.RFC5280Date,
+ },
+ Lint: NewRsaSPKIEncryptionParamNotNULL,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_common_name_max_length.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_common_name_max_length.go
index 49cc4eded..1d8e4f147 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_common_name_max_length.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_common_name_max_length.go
@@ -32,13 +32,15 @@ RFC 5280: A.1
 ************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_subject_common_name_max_length",
- Description: "The commonName field of the subject MUST be less than 65 characters",
- Citation: "RFC 5280: A.1",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC2459Date,
- Lint: NewSubjectCommonNameMaxLength,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_subject_common_name_max_length",
+ Description: "The commonName field of the subject MUST be less than 65 characters",
+ Citation: "RFC 5280: A.1",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC2459Date,
+ },
+ Lint: NewSubjectCommonNameMaxLength,
 })
 }
@@ -47,7 +49,7 @@ func NewSubjectCommonNameMaxLength() lint.LintInterface {
 }
 func (l *subjectCommonNameMaxLength) CheckApplies(c *x509.Certificate) bool {
- return true
+ return len(c.Subject.CommonName) > 0
 }
 func (l *subjectCommonNameMaxLength) Execute(c *x509.Certificate) *lint.LintResult {
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_dn_country_not_printable_string.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_dn_country_not_printable_string.go
index bf7b2e3bd..e996906f4 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_dn_country_not_printable_string.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_dn_country_not_printable_string.go
@@ -24,13 +24,15 @@ import (
 type SubjectDNCountryNotPrintableString struct{}
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_subject_dn_country_not_printable_string",
- Description: "X520 Distinguished Name Country MUST be encoded as PrintableString",
- Citation: "RFC 5280: Appendix A",
- Source: lint.RFC5280,
- EffectiveDate: util.ZeroDate,
- Lint: NewSubjectDNCountryNotPrintableString,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_subject_dn_country_not_printable_string",
+ Description: "X520 Distinguished Name Country MUST be encoded as PrintableString",
+ Citation: "RFC 5280: Appendix A",
+ Source: lint.RFC5280,
+ EffectiveDate: util.ZeroDate,
+ },
+ Lint: NewSubjectDNCountryNotPrintableString,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_dn_not_printable_characters.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_dn_not_printable_characters.go
index 5e75ae9e0..347f51402 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_dn_not_printable_characters.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_dn_not_printable_characters.go
@@ -26,13 +26,15 @@ import (
 type subjectDNNotPrintableCharacters struct{}
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_subject_dn_not_printable_characters",
- Description: "X520 Subject fields MUST only contain printable control characters",
- Citation: "RFC 5280: Appendix A",
- Source: lint.RFC5280,
- EffectiveDate: util.ZeroDate,
- Lint: NewSubjectDNNotPrintableCharacters,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_subject_dn_not_printable_characters",
+ Description: "X520 Subject fields MUST only contain printable control characters",
+ Citation: "RFC 5280: Appendix A",
+ Source: lint.RFC5280,
+ EffectiveDate: util.ZeroDate,
+ },
+ Lint: NewSubjectDNNotPrintableCharacters,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_dn_serial_number_max_length.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_dn_serial_number_max_length.go
index 0095cdbc3..c448d1d02 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_dn_serial_number_max_length.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_dn_serial_number_max_length.go
@@ -25,13 +25,15 @@ import (
 type SubjectDNSerialNumberMaxLength struct{}
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_subject_dn_serial_number_max_length",
- Description: "The 'Serial Number' field of the subject MUST be less than 65 characters",
- Citation: "RFC 5280: Appendix A",
- Source: lint.RFC5280,
- EffectiveDate: util.ZeroDate,
- Lint: NewSubjectDNSerialNumberMaxLength,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_subject_dn_serial_number_max_length",
+ Description: "The 'Serial Number' field of the subject MUST be less than 65 characters",
+ Citation: "RFC 5280: Appendix A",
+ Source: lint.RFC5280,
+ EffectiveDate: util.ZeroDate,
+ },
+ Lint: NewSubjectDNSerialNumberMaxLength,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_dn_serial_number_not_printable_string.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_dn_serial_number_not_printable_string.go
index 4f1bf6e42..a0595a868 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_dn_serial_number_not_printable_string.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_dn_serial_number_not_printable_string.go
@@ -24,13 +24,15 @@ import (
 type SubjectDNSerialNumberNotPrintableString struct{}
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_subject_dn_serial_number_not_printable_string",
- Description: "X520 Distinguished Name SerialNumber MUST be encoded as PrintableString",
- Citation: "RFC 5280: Appendix A",
- Source: lint.RFC5280,
- EffectiveDate: util.ZeroDate,
- Lint: NewSubjectDNSerialNumberNotPrintableString,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_subject_dn_serial_number_not_printable_string",
+ Description: "X520 Distinguished Name SerialNumber MUST be encoded as PrintableString",
+ Citation: "RFC 5280: Appendix A",
+ Source: lint.RFC5280,
+ EffectiveDate: util.ZeroDate,
+ },
+ Lint: NewSubjectDNSerialNumberNotPrintableString,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_email_max_length.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_email_max_length.go
index 351951782..6c57dd073 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_email_max_length.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_email_max_length.go
@@ -39,13 +39,15 @@ ub-emailaddress-length INTEGER ::= 255
 ************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_subject_email_max_length",
- Description: "The 'Email' field of the subject MUST be less than 256 characters",
- Citation: "RFC 5280: A.1",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC2459Date,
- Lint: NewSubjectEmailMaxLength,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_subject_email_max_length",
+ Description: "The 'Email' field of the subject MUST be less than 256 characters",
+ Citation: "RFC 5280: A.1",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC2459Date,
+ },
+ Lint: NewSubjectEmailMaxLength,
 })
 }
@@ -54,7 +56,7 @@ func NewSubjectEmailMaxLength() lint.LintInterface {
 }
 func (l *subjectEmailMaxLength) CheckApplies(c *x509.Certificate) bool {
- return true
+ return len(c.Subject.EmailAddress) > 0
 }
 func (l *subjectEmailMaxLength) Execute(c *x509.Certificate) *lint.LintResult {
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_empty_without_san.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_empty_without_san.go
index c8b92ef20..62d578f1d 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_empty_without_san.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_empty_without_san.go
@@ -36,13 +36,15 @@ subjectAltName extension as non-critical.
 *************************************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_subject_empty_without_san",
- Description: "CAs MUST support subject alternative name if the subject field is an empty sequence",
- Citation: "RFC 5280: 4.2 & 4.2.1.6",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC2459Date,
- Lint: NewEmptyWithoutSAN,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_subject_empty_without_san",
+ Description: "CAs MUST support subject alternative name if the subject field is an empty sequence",
+ Citation: "RFC 5280: 4.2 & 4.2.1.6",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC2459Date,
+ },
+ Lint: NewEmptyWithoutSAN,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_given_name_max_length.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_given_name_max_length.go
index 96f21dd00..f2321dfd5 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_given_name_max_length.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_given_name_max_length.go
@@ -50,13 +50,15 @@ ub-name INTEGER ::= 32768
 ************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_subject_given_name_max_length",
- Description: "The 'GivenName' field of the subject MUST be less than 32769 characters",
- Citation: "RFC 5280: A.1",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC2459Date,
- Lint: NewSubjectGivenNameMaxLength,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_subject_given_name_max_length",
+ Description: "The 'GivenName' field of the subject MUST be less than 32769 characters",
+ Citation: "RFC 5280: A.1",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC2459Date,
+ },
+ Lint: NewSubjectGivenNameMaxLength,
 })
 }
@@ -65,7 +67,7 @@ func NewSubjectGivenNameMaxLength() lint.LintInterface {
 }
 func (l *subjectGivenNameMaxLength) CheckApplies(c *x509.Certificate) bool {
- return true
+ return len(c.Subject.GivenName) > 0
 }
 func (l *subjectGivenNameMaxLength) Execute(c *x509.Certificate) *lint.LintResult {
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_given_name_recommended_max_length.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_given_name_recommended_max_length.go
index 8fa32c78e..95d0d9e58 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_given_name_recommended_max_length.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_given_name_recommended_max_length.go
@@ -30,14 +30,16 @@ RFC 5280: A.1
 ************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "w_subject_given_name_recommended_max_length",
- Description: "X.411 (1988) describes ub-common-name-length to be 64 bytes long. As systems may have " +
- "targeted this length, for compatibility purposes it may be prudent to limit given names to this length.",
- Citation: "ITU-T Rec. X.411 (11/1988), Annex B Reference Definition of MTS Parameter Upper Bounds",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC2459Date,
- Lint: NewSubjectGivenNameRecommendedMaxLength,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "w_subject_given_name_recommended_max_length",
+ Description: "X.411 (1988) describes ub-common-name-length to be 64 bytes long. As systems may have " +
+ "targeted this length, for compatibility purposes it may be prudent to limit given names to this length.",
+ Citation: "ITU-T Rec. X.411 (11/1988), Annex B Reference Definition of MTS Parameter Upper Bounds",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC2459Date,
+ },
+ Lint: NewSubjectGivenNameRecommendedMaxLength,
 })
 }
@@ -48,7 +50,7 @@ func NewSubjectGivenNameRecommendedMaxLength() lint.LintInterface {
 type SubjectGivenNameRecommendedMaxLength struct{}
 func (l *SubjectGivenNameRecommendedMaxLength) CheckApplies(c *x509.Certificate) bool {
- return true
+ return len(c.Subject.GivenName) > 0
 }
 func (l *SubjectGivenNameRecommendedMaxLength) Execute(c *x509.Certificate) *lint.LintResult {
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_info_access_marked_critical.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_info_access_marked_critical.go
index 52d3b5ccb..50e3baad8 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_info_access_marked_critical.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_info_access_marked_critical.go
@@ -27,13 +27,15 @@ The subject information access extension indicates how to access information and
 ************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_subject_info_access_marked_critical",
- Description: "Conforming CAs MUST mark the Subject Info Access extension as non-critical",
- Citation: "RFC 5280: 4.2.2.2",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC3280Date,
- Lint: NewSiaCrit,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_subject_info_access_marked_critical",
+ Description: "Conforming CAs MUST mark the Subject Info Access extension as non-critical",
+ Citation: "RFC 5280: 4.2.2.2",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC3280Date,
+ },
+ Lint: NewSiaCrit,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_locality_name_max_length.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_locality_name_max_length.go
index a317fc4ec..677e5d9bb 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_locality_name_max_length.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_locality_name_max_length.go
@@ -32,13 +32,15 @@ RFC 5280: A.1
 ************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_subject_locality_name_max_length",
- Description: "The 'Locality Name' field of the subject MUST be less than 129 characters",
- Citation: "RFC 5280: A.1",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC2459Date,
- Lint: NewSubjectLocalityNameMaxLength,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_subject_locality_name_max_length",
+ Description: "The 'Locality Name' field of the subject MUST be less than 129 characters",
+ Citation: "RFC 5280: A.1",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC2459Date,
+ },
+ Lint: NewSubjectLocalityNameMaxLength,
 })
 }
@@ -47,7 +49,7 @@ func NewSubjectLocalityNameMaxLength() lint.LintInterface {
 }
 func (l *subjectLocalityNameMaxLength) CheckApplies(c *x509.Certificate) bool {
- return true
+ return len(c.Subject.Locality) > 0
 }
 func (l *subjectLocalityNameMaxLength) Execute(c *x509.Certificate) *lint.LintResult {
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_not_dn.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_not_dn.go
index 43be8a466..e78026396 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_not_dn.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_not_dn.go
@@ -35,13 +35,15 @@ type subjectDN struct{}
 *************************************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_subject_not_dn",
- Description: "When not empty, the subject field MUST be a distinguished name",
- Citation: "RFC 5280: 4.1.2.6",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC2459Date,
- Lint: NewSubjectDN,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_subject_not_dn",
+ Description: "When not empty, the subject field MUST be a distinguished name",
+ Citation: "RFC 5280: 4.1.2.6",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC2459Date,
+ },
+ Lint: NewSubjectDN,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_organization_name_max_length.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_organization_name_max_length.go
index 9e77e3cfd..a1b35e26d 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_organization_name_max_length.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_organization_name_max_length.go
@@ -32,13 +32,15 @@ RFC 5280: A.1
 ************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_subject_organization_name_max_length",
- Description: "The 'Organization Name' field of the subject MUST be less than 65 characters",
- Citation: "RFC 5280: A.1",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC2459Date,
- Lint: NewSubjectOrganizationNameMaxLength,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_subject_organization_name_max_length",
+ Description: "The 'Organization Name' field of the subject MUST be less than 65 characters",
+ Citation: "RFC 5280: A.1",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC2459Date,
+ },
+ Lint: NewSubjectOrganizationNameMaxLength,
 })
 }
@@ -47,7 +49,7 @@ func NewSubjectOrganizationNameMaxLength() lint.LintInterface {
 }
 func (l *subjectOrganizationNameMaxLength) CheckApplies(c *x509.Certificate) bool {
- return true
+ return len(c.Subject.Organization) > 0
 }
 func (l *subjectOrganizationNameMaxLength) Execute(c *x509.Certificate) *lint.LintResult {
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_organizational_unit_name_max_length.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_organizational_unit_name_max_length.go
index ef3a9e428..a29f7677b 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_organizational_unit_name_max_length.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_organizational_unit_name_max_length.go
@@ -32,13 +32,15 @@ RFC 5280: A.1
 ************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_subject_organizational_unit_name_max_length",
- Description: "The 'Organizational Unit Name' field of the subject MUST be less than 65 characters",
- Citation: "RFC 5280: A.1",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC2459Date,
- Lint: NewSubjectOrganizationalUnitNameMaxLength,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_subject_organizational_unit_name_max_length",
+ Description: "The 'Organizational Unit Name' field of the subject MUST be less than 65 characters",
+ Citation: "RFC 5280: A.1",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC2459Date,
+ },
+ Lint: NewSubjectOrganizationalUnitNameMaxLength,
 })
 }
@@ -47,7 +49,7 @@ func NewSubjectOrganizationalUnitNameMaxLength() lint.LintInterface {
 }
 func (l *subjectOrganizationalUnitNameMaxLength) CheckApplies(c *x509.Certificate) bool {
- return true
+ return len(c.Subject.OrganizationalUnit) > 0
 }
 func (l *subjectOrganizationalUnitNameMaxLength) Execute(c *x509.Certificate) *lint.LintResult {
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_postal_code_max_length.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_postal_code_max_length.go
index 26ee9e910..8495c3179 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_postal_code_max_length.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_postal_code_max_length.go
@@ -33,13 +33,15 @@ RFC 5280: A.1
 ************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_subject_postal_code_max_length",
- Description: "The 'PostalCode' field of the subject MUST be less than 17 characters",
- Citation: "RFC 5280: A.1",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC2459Date,
- Lint: NewSubjectPostalCodeMaxLength,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_subject_postal_code_max_length",
+ Description: "The 'PostalCode' field of the subject MUST be less than 17 characters",
+ Citation: "RFC 5280: A.1",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC2459Date,
+ },
+ Lint: NewSubjectPostalCodeMaxLength,
 })
 }
@@ -48,7 +50,7 @@ func NewSubjectPostalCodeMaxLength() lint.LintInterface {
 }
 func (l *subjectPostalCodeMaxLength) CheckApplies(c *x509.Certificate) bool {
- return true
+ return len(c.Subject.PostalCode) > 0
 }
 func (l *subjectPostalCodeMaxLength) Execute(c *x509.Certificate) *lint.LintResult {
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_printable_string_badalpha.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_printable_string_badalpha.go
index b52a9ef5f..f43a9401c 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_printable_string_badalpha.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_printable_string_badalpha.go
@@ -26,13 +26,15 @@ import (
 )
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_subject_printable_string_badalpha",
- Description: "PrintableString type's alphabet only includes a-z, A-Z, 0-9, and 11 special characters",
- Citation: "RFC 5280: Appendix B. ASN.1 Notes",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC2459Date,
- Lint: NewSubjectPrintableStringBadAlpha,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_subject_printable_string_badalpha",
+ Description: "PrintableString type's alphabet only includes a-z, A-Z, 0-9, and 11 special characters",
+ Citation: "RFC 5280: Appendix B. ASN.1 Notes",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC2459Date,
+ },
+ Lint: NewSubjectPrintableStringBadAlpha,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_state_name_max_length.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_state_name_max_length.go
index 616ee8b92..8a56d940c 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_state_name_max_length.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_state_name_max_length.go
@@ -32,13 +32,15 @@ RFC 5280: A.1
 ************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_subject_state_name_max_length",
- Description: "The 'State Name' field of the subject MUST be less than 129 characters",
- Citation: "RFC 5280: A.1",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC2459Date,
- Lint: NewSubjectStateNameMaxLength,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_subject_state_name_max_length",
+ Description: "The 'State Name' field of the subject MUST be less than 129 characters",
+ Citation: "RFC 5280: A.1",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC2459Date,
+ },
+ Lint: NewSubjectStateNameMaxLength,
 })
 }
@@ -47,7 +49,7 @@ func NewSubjectStateNameMaxLength() lint.LintInterface {
 }
 func (l *subjectStateNameMaxLength) CheckApplies(c *x509.Certificate) bool {
- return true
+ return len(c.Subject.Province) > 0
 }
 func (l *subjectStateNameMaxLength) Execute(c *x509.Certificate) *lint.LintResult {
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_street_address_max_length.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_street_address_max_length.go
index a65340699..c3fea203d 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_street_address_max_length.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_street_address_max_length.go
@@ -31,13 +31,15 @@ ub-street-address INTEGER ::= 128
 ************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_subject_street_address_max_length",
- Description: "The 'StreetAddress' field of the subject MUST be less than 129 characters",
- Citation: "ITU-T X.520 (02/2001) UpperBounds",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC2459Date,
- Lint: NewSubjectStreetAddressMaxLength,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_subject_street_address_max_length",
+ Description: "The 'StreetAddress' field of the subject MUST be less than 129 characters",
+ Citation: "ITU-T X.520 (02/2001) UpperBounds",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC2459Date,
+ },
+ Lint: NewSubjectStreetAddressMaxLength,
 })
 }
@@ -46,7 +48,7 @@ func NewSubjectStreetAddressMaxLength() lint.LintInterface {
 }
 func (l *subjectStreetAddressMaxLength) CheckApplies(c *x509.Certificate) bool {
- return true
+ return len(c.Subject.StreetAddress) > 0
 }
 func (l *subjectStreetAddressMaxLength) Execute(c *x509.Certificate) *lint.LintResult {
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_surname_max_length.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_surname_max_length.go
index a27fd9b37..3053f0d47 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_surname_max_length.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_surname_max_length.go
@@ -50,13 +50,15 @@ ub-name INTEGER ::= 32768
 ************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_subject_surname_max_length",
- Description: "The 'Surname' field of the subject MUST be less than 32769 characters",
- Citation: "RFC 5280: A.1",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC2459Date,
- Lint: NewSubjectSurnameMaxLength,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_subject_surname_max_length",
+ Description: "The 'Surname' field of the subject MUST be less than 32769 characters",
+ Citation: "RFC 5280: A.1",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC2459Date,
+ },
+ Lint: NewSubjectSurnameMaxLength,
 })
 }
@@ -65,7 +67,7 @@ func NewSubjectSurnameMaxLength() lint.LintInterface {
 }
 func (l *subjectSurnameMaxLength) CheckApplies(c *x509.Certificate) bool {
- return true
+ return len(c.Subject.Surname) > 0
 }
 func (l *subjectSurnameMaxLength) Execute(c *x509.Certificate) *lint.LintResult {
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_surname_recommended_max_length.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_surname_recommended_max_length.go
index 537cd3f0a..dec500954 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_surname_recommended_max_length.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_surname_recommended_max_length.go
@@ -30,14 +30,16 @@ RFC 5280: A.1
 ************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "w_subject_surname_recommended_max_length",
- Description: "X.411 (1988) describes ub-common-name-length to be 64 bytes long. As systems may have " +
- "targeted this length, for compatibility purposes it may be prudent to limit surnames to this length.",
- Citation: "ITU-T Rec. X.411 (11/1988), Annex B Reference Definition of MTS Parameter Upper Bounds",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC2459Date,
- Lint: NewSubjectSurnameRecommendedMaxLength,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "w_subject_surname_recommended_max_length",
+ Description: "X.411 (1988) describes ub-common-name-length to be 64 bytes long. As systems may have " +
+ "targeted this length, for compatibility purposes it may be prudent to limit surnames to this length.",
+ Citation: "ITU-T Rec. X.411 (11/1988), Annex B Reference Definition of MTS Parameter Upper Bounds",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC2459Date,
+ },
+ Lint: NewSubjectSurnameRecommendedMaxLength,
 })
 }
@@ -48,7 +50,7 @@ func NewSubjectSurnameRecommendedMaxLength() lint.LintInterface {
 type SubjectSurnameRecommendedMaxLength struct{}
 func (l *SubjectSurnameRecommendedMaxLength) CheckApplies(c *x509.Certificate) bool {
- return true
+ return len(c.Subject.Surname) > 0
 }
 func (l *SubjectSurnameRecommendedMaxLength) Execute(c *x509.Certificate) *lint.LintResult {
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_superfluous_ku_encoding.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_superfluous_ku_encoding.go
index e8f9f50ff..050247551 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_superfluous_ku_encoding.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_superfluous_ku_encoding.go
@@ -24,13 +24,15 @@ import (
 )
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_superfluous_ku_encoding",
- Description: "RFC 5280 Section 4.2.1.3 describes the value of a KeyUsage to be a DER encoded BitString, which itself must not have unnecessary trailing 00 bytes.",
- Citation: "1.2.2 Where Rec. ITU-T X.680 | ISO/IEC 8824-1, 22.7, applies, the bitstring shall have all trailing 0 bits removed before it is encoded.",
- Source: lint.RFC5280,
- EffectiveDate: util.ZeroDate,
- Lint: func() lint.LintInterface { return &superfluousKuEncoding{} },
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_superfluous_ku_encoding",
+ Description: "RFC 5280 Section 4.2.1.3 describes the value of a KeyUsage to be a DER encoded BitString, which itself must not have unnecessary trailing 00 bytes.",
+ Citation: "1.2.2 Where Rec. ITU-T X.680 | ISO/IEC 8824-1, 22.7, applies, the bitstring shall have all trailing 0 bits removed before it is encoded.",
+ Source: lint.RFC5280,
+ EffectiveDate: util.ZeroDate,
+ },
+ Lint: func() lint.LintInterface { return &superfluousKuEncoding{} },
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_tbs_signature_alg_matches_cert_signature_alg.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_tbs_signature_alg_matches_cert_signature_alg.go
index 2bbd0b2a8..a8ebeb0d6 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_tbs_signature_alg_matches_cert_signature_alg.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_tbs_signature_alg_matches_cert_signature_alg.go
@@ -34,13 +34,15 @@ tbsCertificate
 ********************************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_cert_sig_alg_not_match_tbs_sig_alg",
- Description: "Certificate signature field must match TBSCertificate signature field",
- Citation: "RFC 5280, Section 4.1.1.2",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC5280Date,
- Lint: NewMismatchingSigAlg,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_cert_sig_alg_not_match_tbs_sig_alg",
+ Description: "Certificate signature field must match TBSCertificate signature field",
+ Citation: "RFC 5280, Section 4.1.1.2",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC5280Date,
+ },
+ Lint: NewMismatchingSigAlg,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_tbs_signature_rsa_encryption_parameter_not_null.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_tbs_signature_rsa_encryption_parameter_not_null.go
index 0d79731f5..7b22fa75a 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_tbs_signature_rsa_encryption_parameter_not_null.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_tbs_signature_rsa_encryption_parameter_not_null.go
@@ -32,13 +32,15 @@ RSA: Encoded algorithm identifier MUST have NULL parameters.
 *******************************************************************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_tbs_signature_rsa_encryption_parameter_not_null",
- Description: "RSA: Encoded signature algorithm identifier MUST have NULL parameters",
- Citation: "RFC 4055, Section 5",
- Source: lint.RFC5280, // RFC4055 is referenced in RFC5280, Section 1
- EffectiveDate: util.RFC5280Date,
- Lint: NewRsaTBSSignatureEncryptionParamNotNULL,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_tbs_signature_rsa_encryption_parameter_not_null",
+ Description: "RSA: Encoded signature algorithm identifier MUST have NULL parameters",
+ Citation: "RFC 4055, Section 5",
+ Source: lint.RFC5280, // RFC4055 is referenced in RFC5280, Section 1
+ EffectiveDate: util.RFC5280Date,
+ },
+ Lint: NewRsaTBSSignatureEncryptionParamNotNULL,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_utc_time_does_not_include_seconds.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_utc_time_does_not_include_seconds.go
index 913c329b6..5502b2a60 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_utc_time_does_not_include_seconds.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_utc_time_does_not_include_seconds.go
@@ -41,13 +41,15 @@ systems MUST interpret the year field (YY) as follows:
 ************************************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_utc_time_does_not_include_seconds",
- Description: "UTCTime values MUST include seconds",
- Citation: "RFC 5280: 4.1.2.5.1",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC2459Date,
- Lint: NewUtcNoSecond,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_utc_time_does_not_include_seconds",
+ Description: "UTCTime values MUST include seconds",
+ Citation: "RFC 5280: 4.1.2.5.1",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC2459Date,
+ },
+ Lint: NewUtcNoSecond,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_utc_time_not_in_zulu.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_utc_time_not_in_zulu.go
index 4db76b0da..f2d31ffe9 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_utc_time_not_in_zulu.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_utc_time_not_in_zulu.go
@@ -44,13 +44,15 @@ type utcTimeGMT struct{}
 ***********************************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_utc_time_not_in_zulu",
- Description: "UTCTime values MUST be expressed in Greenwich Mean Time (Zulu)",
- Citation: "RFC 5280: 4.1.2.5.1",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC2459Date,
- Lint: NewUtcTimeGMT,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_utc_time_not_in_zulu",
+ Description: "UTCTime values MUST be expressed in Greenwich Mean Time (Zulu)",
+ Citation: "RFC 5280: 4.1.2.5.1",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC2459Date,
+ },
+ Lint: NewUtcTimeGMT,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_wrong_time_format_pre2050.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_wrong_time_format_pre2050.go
index 7ecc63158..b7ff29cae 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_wrong_time_format_pre2050.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_wrong_time_format_pre2050.go
@@ -34,13 +34,15 @@ are encoded in either UTCTime or GeneralizedTime.
 *********************************************************************/
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "e_wrong_time_format_pre2050",
- Description: "Certificates valid through the year 2049 MUST be encoded in UTC time",
- Citation: "RFC 5280: 4.1.2.5",
- Source: lint.RFC5280,
- EffectiveDate: util.RFC2459Date,
- Lint: NewGeneralizedPre2050,
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_wrong_time_format_pre2050",
+ Description: "Certificates valid through the year 2049 MUST be encoded in UTC time",
+ Citation: "RFC 5280: 4.1.2.5",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC2459Date,
+ },
+ Lint: NewGeneralizedPre2050,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/resultset.go b/vendor/github.com/zmap/zlint/v3/resultset.go
index 9701e146c..343a00d9e 100644
--- a/vendor/github.com/zmap/zlint/v3/resultset.go
+++ b/vendor/github.com/zmap/zlint/v3/resultset.go
@@ -39,6 +39,7 @@ func (z *ResultSet) executeCertificate(o *x509.Certificate, registry lint.Regist
 // Run each lint from the registry.
 for _, lint := range registry.CertificateLints().Lints() {
 res := lint.Execute(o, registry.GetConfiguration())
+ res.LintMetadata = lint.LintMetadata
 z.Results[lint.Name] = res
 z.updateErrorStatePresent(res)
 }
@@ -52,6 +53,7 @@ func (z *ResultSet) executeRevocationList(o *x509.RevocationList, registry lint.
 // Run each lints from the registry.
 for _, lint := range registry.RevocationListLints().Lints() {
 res := lint.Execute(o, registry.GetConfiguration())
+ res.LintMetadata = lint.LintMetadata
 z.Results[lint.Name] = res
 z.updateErrorStatePresent(res)
 }
diff --git a/vendor/github.com/zmap/zlint/v3/template b/vendor/github.com/zmap/zlint/v3/template
index c474cc41e..f3780cdf4 100644
--- a/vendor/github.com/zmap/zlint/v3/template
+++ b/vendor/github.com/zmap/zlint/v3/template
@@ -20,13 +20,15 @@ import (
 )
 func init() {
- lint.RegisterLint(&lint.Lint{
- Name: "SUBTEST",
- Description: "Fill this in...",
- Citation: "Fill this in...",
- Source: UnknownLintSource,
- EffectiveDate: "Change this...",
- Lint: func() lint.LintInterface { return &SUBST{} },
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "SUBTEST",
+ Description: "Fill this in...",
+ Citation: "Fill this in...",
+ Source: UnknownLintSource,
+ EffectiveDate: "Change this...",
+ },
+ Lint: NewPASCAL_CASE_SUBST,
 })
 }
diff --git a/vendor/github.com/zmap/zlint/v3/util/ca.go b/vendor/github.com/zmap/zlint/v3/util/ca.go
index c24634811..8a1bb5504 100644
--- a/vendor/github.com/zmap/zlint/v3/util/ca.go
+++ b/vendor/github.com/zmap/zlint/v3/util/ca.go
@@ -62,3 +62,19 @@ func IsServerAuthCert(cert *x509.Certificate) bool {
 }
 return false
 }
+
+// IsEmailProtectionCert returns true if the certificate presented is for use protecting emails.
+// A certificate is for use protecting emails if it contains the Any Purpose or emailProtection
+// EKUs or if the certificate contains no EKUs. This last point is a way of being overly cautious
+// and choosing to prefer false positives over false negatives.
+func IsEmailProtectionCert(cert *x509.Certificate) bool {
+ if len(cert.ExtKeyUsage) == 0 {
+ return true
+ }
+ for _, eku := range cert.ExtKeyUsage {
+ if eku == x509.ExtKeyUsageAny || eku == x509.ExtKeyUsageEmailProtection {
+ return true
+ }
+ }
+ return false
+}
diff --git a/vendor/github.com/zmap/zlint/v3/util/eku.go b/vendor/github.com/zmap/zlint/v3/util/eku.go
index 9b2b53695..cd745da7d 100644
--- a/vendor/github.com/zmap/zlint/v3/util/eku.go
+++ b/vendor/github.com/zmap/zlint/v3/util/eku.go
@@ -1,6 +1,11 @@
 package util
 
-import "github.com/zmap/zcrypto/x509"
+import (
+ "fmt"
+ "sort"
+
+ "github.com/zmap/zcrypto/x509"
+)
 
 // HasEKU tests whether an Extended Key Usage (EKU) is present in a certificate.
 func HasEKU(cert *x509.Certificate, eku x509.ExtKeyUsage) bool {
@@ -12,3 +17,40 @@ func HasEKU(cert *x509.Certificate, eku x509.ExtKeyUsage) bool {
 return false
 }
 
+
+// GetEKUString returns a human friendly Extended Key Usage (EKU) string.
+func GetEKUString(eku x509.ExtKeyUsage) string {
+ switch eku {
+ case x509.ExtKeyUsageAny:
+ return "any"
+ case x509.ExtKeyUsageServerAuth:
+ return "serverAuth"
+ case x509.ExtKeyUsageClientAuth:
+ return "clientAuth"
+ case x509.ExtKeyUsageCodeSigning:
+ return "codeSigning"
+ case x509.ExtKeyUsageEmailProtection:
+ return "emailProtection"
+ case x509.ExtKeyUsageIpsecUser:
+ return "ipSecUser"
+ case x509.ExtKeyUsageIpsecTunnel:
+ return "ipSecTunnel"
+ case x509.ExtKeyUsageOcspSigning:
+ return "ocspSigning"
+ case x509.ExtKeyUsageMicrosoftServerGatedCrypto:
+ return "microsoftServerGatedCrypto"
+ case x509.ExtKeyUsageNetscapeServerGatedCrypto:
+ return "netscapeServerGatedCrypto"
+ }
+ return fmt.Sprintf("unknown EKU %d", eku)
+}
+
+// GetEKUStrings returns a list of human friendly Extended Key Usage (EKU) strings.
+func GetEKUStrings(eku []x509.ExtKeyUsage) []string {
+ var ekuStrings []string
+ for _, currentEku := range eku {
+ ekuStrings = append(ekuStrings, GetEKUString(currentEku))
+ }
+ sort.Strings(ekuStrings)
+ return ekuStrings
+}
diff --git a/vendor/github.com/zmap/zlint/v3/util/fqdn.go b/vendor/github.com/zmap/zlint/v3/util/fqdn.go
index 4be2ffb9f..bcf3f8e23 100644
--- a/vendor/github.com/zmap/zlint/v3/util/fqdn.go
+++ b/vendor/github.com/zmap/zlint/v3/util/fqdn.go
@@ -17,6 +17,7 @@ package util
 import (
 "net"
 "net/url"
+ "regexp"
 "strings"
 
 zcutil "github.com/zmap/zcrypto/util"
@@ -117,3 +118,14 @@ func CommonNameIsIP(cert *x509.Certificate) bool {
 return true
 }
 }
+
+var nonLDHCharacterRegex = regexp.MustCompile(`[^a-zA-Z0-9\-]`)
+
+func IsLDHLabel(label string) bool {
+ return len(label) > 0 &&
+ len(label) <= 63 &&
+ !nonLDHCharacterRegex.MatchString(label) &&
+ !strings.HasPrefix(label, "-") &&
+ !strings.HasSuffix(label, "-") &&
+ !(HasReservedLabelPrefix(label) && !HasXNLabelPrefix(label))
+}
diff --git a/vendor/github.com/zmap/zlint/v3/util/gtld_map.go b/vendor/github.com/zmap/zlint/v3/util/gtld_map.go
index 22613c3b2..6fb589b45 100644
--- a/vendor/github.com/zmap/zlint/v3/util/gtld_map.go
+++ b/vendor/github.com/zmap/zlint/v3/util/gtld_map.go
@@ -31,7 +31,7 @@ var tldMap = map[string]GTLDPeriod{
 "abarth": {
 GTLD: "abarth",
 DelegationDate: "2016-08-04",
- RemovalDate: "",
+ RemovalDate: "2023-06-05",
 },
 "abb": {
 GTLD: "abb",
@@ -116,7 +116,7 @@ var tldMap = map[string]GTLDPeriod{
 "adac": {
 GTLD: "adac",
 DelegationDate: "2016-01-26",
- RemovalDate: "",
+ RemovalDate: "2022-11-26",
 },
 "ads": {
 GTLD: "ads",
@@ -226,7 +226,7 @@ var tldMap = map[string]GTLDPeriod{
 "alfaromeo": {
 GTLD: "alfaromeo",
 DelegationDate: "2016-08-02",
- RemovalDate: "",
+ RemovalDate: "2023-06-05",
 },
 "alibaba": {
 GTLD: "alibaba",
@@ -1161,7 +1161,7 @@ var tldMap = map[string]GTLDPeriod{
 "cbs": {
 GTLD: "cbs",
 DelegationDate: "2016-08-04",
- RemovalDate: "",
+ RemovalDate: "2023-10-25",
 },
 "cc": {
 GTLD: "cc",
@@ -1321,7 +1321,7 @@ var tldMap = map[string]GTLDPeriod{
 "cityeats": {
 GTLD: "cityeats",
 DelegationDate: "2015-11-10",
- RemovalDate: "",
+ RemovalDate: "2023-10-18",
 },
 "ck": {
 GTLD: "ck",
@@ -1491,7 +1491,7 @@ var tldMap = map[string]GTLDPeriod{
 "cookingchannel": {
 GTLD: "cookingchannel",
 DelegationDate: "2016-06-23",
- RemovalDate: "",
+ RemovalDate: "2023-06-14",
 },
 "cool": {
 GTLD: "cool",
@@ -2061,7 +2061,7 @@ var tldMap = map[string]GTLDPeriod{
 "etisalat": {
 GTLD: "etisalat",
 DelegationDate: "2017-06-01",
- RemovalDate: "",
+ RemovalDate: "2023-11-17",
 },
 "eu": {
 GTLD: "eu",
@@ -2196,7 +2196,7 @@ var tldMap = map[string]GTLDPeriod{
 "fiat": {
 GTLD: "fiat",
 DelegationDate: "2016-08-02",
- RemovalDate: "",
+ RemovalDate: "2023-06-05",
 },
 "fidelity": {
 GTLD: "fidelity",
@@ -2331,7 +2331,7 @@ var tldMap = map[string]GTLDPeriod{
 "foodnetwork": {
 GTLD: "foodnetwork",
 DelegationDate: "2016-06-23",
- RemovalDate: "",
+ RemovalDate: "2023-06-14",
 },
 "football": {
 GTLD: "football",
@@ -2396,7 +2396,7 @@ var tldMap = map[string]GTLDPeriod{
 "frontdoor": {
 GTLD: "frontdoor",
 DelegationDate: "2016-06-23",
- RemovalDate: "",
+ RemovalDate: "2023-10-18",
 },
 "frontier": {
 GTLD: "frontier",
@@ -2876,7 +2876,7 @@ var tldMap = map[string]GTLDPeriod{
 "hgtv": {
 GTLD: "hgtv",
 DelegationDate: "2016-06-23",
- RemovalDate: "",
+ RemovalDate: "2023-06-14",
 },
 "hiphop": {
 GTLD: "hiphop",
@@ -2991,7 +2991,7 @@ var tldMap = map[string]GTLDPeriod{
 "hoteles": {
 GTLD: "hoteles",
 DelegationDate: "2015-06-26",
- RemovalDate: "",
+ RemovalDate: "2023-07-07",
 },
 "hotels": {
 GTLD: "hotels",
@@ -3471,7 +3471,7 @@ var tldMap = map[string]GTLDPeriod{
 "kinder": {
 GTLD: "kinder",
 DelegationDate: "2015-10-09",
- RemovalDate: "",
+ RemovalDate: "2023-11-02",
 },
 "kindle": {
 GTLD: "kindle",
@@ -3601,7 +3601,7 @@ var tldMap = map[string]GTLDPeriod{
 "lancia": {
 GTLD: "lancia",
 DelegationDate: "2016-08-04",
- RemovalDate: "",
+ RemovalDate: "2023-06-05",
 },
 "lancome": {
 GTLD: "lancome",
@@ -3766,7 +3766,7 @@ var tldMap = map[string]GTLDPeriod{
 "linde": {
 GTLD: "linde",
 DelegationDate: "2015-09-16",
- RemovalDate: "",
+ RemovalDate: "2023-03-17",
 },
 "link": {
 GTLD: "link",
@@ -3831,7 +3831,7 @@ var tldMap = map[string]GTLDPeriod{
 "loft": {
 GTLD: "loft",
 DelegationDate: "2016-08-04",
- RemovalDate: "",
+ RemovalDate: "2022-12-17",
 },
 "lol": {
 GTLD: "lol",
@@ -3936,7 +3936,7 @@ var tldMap = map[string]GTLDPeriod{
 "macys": {
 GTLD: "macys",
 DelegationDate: "2016-07-12",
- RemovalDate: "",
+ RemovalDate: "2023-03-07",
 },
 "madrid": {
 GTLD: "madrid",
@@ -4006,7 +4006,7 @@ var tldMap = map[string]GTLDPeriod{
 "maserati": {
 GTLD: "maserati",
 DelegationDate: "2016-08-04",
- RemovalDate: "",
+ RemovalDate: "2023-06-05",
 },
 "mattel": {
 GTLD: "mattel",
@@ -4351,7 +4351,7 @@ var tldMap = map[string]GTLDPeriod{
 "mutual": {
 GTLD: "mutual",
 DelegationDate: "2016-04-05",
- RemovalDate: "",
+ RemovalDate: "2023-08-01",
 },
 "mutuelle": {
 GTLD: "mutuelle",
@@ -4576,7 +4576,7 @@ var tldMap = map[string]GTLDPeriod{
 "northwesternmutual": {
 GTLD: "northwesternmutual",
 DelegationDate: "2016-04-06",
- RemovalDate: "",
+ RemovalDate: "2023-08-08",
 },
 "norton": {
 GTLD: "norton",
@@ -4831,7 +4831,7 @@ var tldMap = map[string]GTLDPeriod{
 "passagens": {
 GTLD: "passagens",
 DelegationDate: "2016-03-02",
- RemovalDate: "",
+ RemovalDate: "2023-07-07",
 },
 "pay": {
 GTLD: "pay",
@@ -5361,7 +5361,7 @@ var tldMap = map[string]GTLDPeriod{
 "rocher": {
 GTLD: "rocher",
 DelegationDate: "2015-11-07",
- RemovalDate: "",
+ RemovalDate: "2023-11-02",
 },
 "rocks": {
 GTLD: "rocks",
@@ -5541,7 +5541,7 @@ var tldMap = map[string]GTLDPeriod{
 "sca": {
 GTLD: "sca",
 DelegationDate: "2014-08-14",
- RemovalDate: "",
+ RemovalDate: "2023-12-11",
 },
 "scb": {
 GTLD: "scb",
@@ -5651,7 +5651,7 @@ var tldMap = map[string]GTLDPeriod{
 "ses": {
 GTLD: "ses",
 DelegationDate: "2016-07-09",
- RemovalDate: "",
+ RemovalDate: "2022-12-16",
 },
 "seven": {
 GTLD: "seven",
@@ -5746,7 +5746,7 @@ var tldMap = map[string]GTLDPeriod{
 "showtime": {
 GTLD: "showtime",
 DelegationDate: "2016-08-04",
- RemovalDate: "",
+ RemovalDate: "2023-10-25",
 },
 "shriram": {
 GTLD: "shriram",
@@ -6286,7 +6286,7 @@ var tldMap = map[string]GTLDPeriod{
 "tiffany": {
 GTLD: "tiffany",
 DelegationDate: "2016-01-21",
- RemovalDate: "",
+ RemovalDate: "2023-07-25",
 },
 "tips": {
 GTLD: "tips",
@@ -6436,7 +6436,7 @@ var tldMap = map[string]GTLDPeriod{
 "travelchannel": {
 GTLD: "travelchannel",
 DelegationDate: "2016-06-23",
- RemovalDate: "",
+ RemovalDate: "2023-06-14",
 },
 "travelers": {
 GTLD: "travelers",
@@ -6726,7 +6726,7 @@ var tldMap = map[string]GTLDPeriod{
 "volkswagen": {
 GTLD: "volkswagen",
 DelegationDate: "2016-01-09",
- RemovalDate: "",
+ RemovalDate: "2023-11-20",
 },
 "volvo": {
 GTLD: "volvo",
@@ -6761,7 +6761,7 @@ var tldMap = map[string]GTLDPeriod{
 "vuelos": {
 GTLD: "vuelos",
 DelegationDate: "2016-03-02",
- RemovalDate: "",
+ RemovalDate: "2023-07-07",
 },
 "wales": {
 GTLD: "wales",
@@ -7366,7 +7366,7 @@ var tldMap = map[string]GTLDPeriod{
 "xn--jlq61u9w7b": {
 GTLD: "xn--jlq61u9w7b",
 DelegationDate: "2015-12-18",
- RemovalDate: "",
+ RemovalDate: "2022-12-06",
 },
 "xn--jvr189m": {
 GTLD: "xn--jvr189m",
@@ -7431,7 +7431,7 @@ var tldMap = map[string]GTLDPeriod{
 "xn--mgbaakc7dvf": {
 GTLD: "xn--mgbaakc7dvf",
 DelegationDate: "2017-06-10",
- RemovalDate: "",
+ RemovalDate: "2023-11-17",
 },
 "xn--mgbaam7a8h": {
 GTLD: "xn--mgbaam7a8h",
diff --git a/vendor/github.com/zmap/zlint/v3/util/ku.go b/vendor/github.com/zmap/zlint/v3/util/ku.go
index 529e4c355..0d5e1eaa2 100644
--- a/vendor/github.com/zmap/zlint/v3/util/ku.go
+++ b/vendor/github.com/zmap/zlint/v3/util/ku.go
@@ -1,6 +1,10 @@
 package util
 
-import "github.com/zmap/zcrypto/x509"
+import (
+ "strings"
+
+ "github.com/zmap/zcrypto/x509"
+)
 
 var (
 // KeyUsageToString maps an x509.KeyUsage bitmask to its name.
@@ -34,3 +38,14 @@ func HasKeyUsage(c *x509.Certificate, usage x509.KeyUsage) bool {
 func KeyUsageIsPresent(keyUsages x509.KeyUsage, usage x509.KeyUsage) bool {
 return keyUsages&usage != 0
 }
+
+// GetKeyUsageStrings returns a list of included key usages
+func GetKeyUsageStrings(keyUsages x509.KeyUsage) []string {
+ var keyUsageStrings []string
+ for ku, name := range KeyUsageToString {
+ if KeyUsageIsPresent(keyUsages, ku) {
+ keyUsageStrings = append(keyUsageStrings, strings.TrimPrefix(name, "KeyUsage"))
+ }
+ }
+ return keyUsageStrings
+}
diff --git a/vendor/github.com/zmap/zlint/v3/util/oid.go b/vendor/github.com/zmap/zlint/v3/util/oid.go
index a8f976538..fd037e0a1 100644
--- a/vendor/github.com/zmap/zlint/v3/util/oid.go
+++ b/vendor/github.com/zmap/zlint/v3/util/oid.go
@@ -24,6 +24,8 @@ import (
 
 var (
 //extension OIDs
+ AdobeTimeStampOID = asn1.ObjectIdentifier{1, 2, 840, 113583, 1, 1, 9, 1} // Adobe Time-stamp x509 extension
+ AdobeArchiveRevInfoOID = asn1.ObjectIdentifier{1, 2, 840, 113583, 1, 1, 9, 2} // Adobe Archive Revocation Info x509 extension
 AiaOID = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 1} // Authority Information Access
 AuthkeyOID = asn1.ObjectIdentifier{2, 5, 29, 35} // Authority Key Identifier
 BasicConstOID = asn1.ObjectIdentifier{2, 5, 29, 19} // Basic Constraints
@@ -48,12 +50,25 @@ var (
 SubjectDirAttrOID = asn1.ObjectIdentifier{2, 5, 29, 9} // Subject Directory Attributes
 SubjectInfoAccessOID = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 11} // Subject Info Access Syntax
 SubjectKeyIdentityOID = asn1.ObjectIdentifier{2, 5, 29, 14} // Subject Key Identifier
+ ReasonCodeOID = asn1.ObjectIdentifier{2, 5, 29, 21} // CRL Reason Code
 // CA/B reserved policies
- BRDomainValidatedOID = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 1} // CA/B BR Domain-Validated
- BROrganizationValidatedOID = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 2} // CA/B BR Organization-Validated
- BRIndividualValidatedOID = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 3} // CA/B BR Individual-Validated
- BRTorServiceDescriptor = asn1.ObjectIdentifier{2, 23, 140, 1, 31} // CA/B BR Tor Service Descriptor
- CabfExtensionOrganizationIdentifier = asn1.ObjectIdentifier{2, 23, 140, 3, 1} // CA/B EV 9.8.2 cabfOrganizationIdentifier
+ BRDomainValidatedOID = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 1} // CA/B BR Domain-Validated
+ BROrganizationValidatedOID = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 2} // CA/B BR Organization-Validated
+ BRIndividualValidatedOID = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 3} // CA/B BR Individual-Validated
+ BRTorServiceDescriptor = asn1.ObjectIdentifier{2, 23, 140, 1, 31} // CA/B BR Tor Service Descriptor
+ CabfExtensionOrganizationIdentifier = asn1.ObjectIdentifier{2, 23, 140, 3, 1} // CA/B EV 9.8.2 cabfOrganizationIdentifier
+ SMIMEBRMailboxValidatedLegacyOID = asn1.ObjectIdentifier{2, 23, 140, 1, 5, 1, 1} // CA/B SMIME BR Mailbox Validated, Legacy
+ SMIMEBRMailboxValidatedMultipurposeOID = asn1.ObjectIdentifier{2, 23, 140, 1, 5, 1, 2} // CA/B SMIME BR Mailbox Validated, Multipurpose
+ SMIMEBRMailboxValidatedStrictOID = asn1.ObjectIdentifier{2, 23, 140, 1, 5, 1, 3} // CA/B SMIME BR Mailbox Validated, Strict
+ SMIMEBROrganizationValidatedLegacyOID = asn1.ObjectIdentifier{2, 23, 140, 1, 5, 2, 1} // CA/B SMIME BR Organization Validated, Legacy
+ SMIMEBROrganizationValidatedMultipurposeOID = asn1.ObjectIdentifier{2, 23, 140, 1, 5, 2, 2} // CA/B SMIME BR Organization Validated, Multipurpose
+ SMIMEBROrganizationValidatedStrictOID = asn1.ObjectIdentifier{2, 23, 140, 1, 5, 2, 3} // CA/B SMIME BR Organization Validated, Strict
+ SMIMEBRSponsorValidatedLegacyOID = asn1.ObjectIdentifier{2, 23, 140, 1, 5, 3, 1} // CA/B SMIME BR Sponsor Validated, Legacy
+ SMIMEBRSponsorValidatedMultipurposeOID = asn1.ObjectIdentifier{2, 23, 140, 1, 5, 3, 2} // CA/B SMIME BR Sponsor Validated, Multipurpose
+ SMIMEBRSponsorValidatedStrictOID = asn1.ObjectIdentifier{2, 23, 140, 1, 5, 3, 3} // CA/B SMIME BR Sponsor Validated, Strict
+ SMIMEBRIndividualValidatedLegacyOID = asn1.ObjectIdentifier{2, 23, 140, 1, 5, 4, 1} // CA/B SMIME BR Individual Validated, Legacy
+ SMIMEBRIndividualValidatedMultipurposeOID = asn1.ObjectIdentifier{2, 23, 140, 1, 5, 4, 2} // CA/B SMIME BR Individual Validated, Multipurpose
+ SMIMEBRIndividualValidatedStrictOID = asn1.ObjectIdentifier{2, 23, 140, 1, 5, 4, 3} // CA/B SMIME BR Individual Validated, Strict
 //X.500 attribute types
 CommonNameOID = asn1.ObjectIdentifier{2, 5, 4, 3}
 SurnameOID = asn1.ObjectIdentifier{2, 5, 4, 4}
@@ -67,6 +82,8 @@ var (
 BusinessOID = asn1.ObjectIdentifier{2, 5, 4, 15}
 PostalCodeOID = asn1.ObjectIdentifier{2, 5, 4, 17}
 GivenNameOID = asn1.ObjectIdentifier{2, 5, 4, 42}
+ // SAN otherNames
+ OidIdOnSmtpUtf8Mailbox = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 8, 9}
 // Hash algorithms - see https://golang.org/src/crypto/x509/x509.go
 SHA256OID = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 4, 2, 1}
 SHA384OID = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 4, 2, 2}
diff --git a/vendor/github.com/zmap/zlint/v3/util/san.go b/vendor/github.com/zmap/zlint/v3/util/san.go
new file mode 100644
index 000000000..d1f2f551a
--- /dev/null
+++ b/vendor/github.com/zmap/zlint/v3/util/san.go
@@ -0,0 +1,19 @@
+package util
+
+import "github.com/zmap/zcrypto/x509"
+
+func HasEmailSAN(c *x509.Certificate) bool {
+ for _, san := range c.EmailAddresses {
+ if san != "" {
+ return true
+ }
+ }
+
+ for _, name := range c.OtherNames {
+ if name.TypeID.Equal(OidIdOnSmtpUtf8Mailbox) && len(name.Value.Bytes) != 0 {
+ return true
+ }
+ }
+
+ return false
+}
diff --git a/vendor/github.com/zmap/zlint/v3/util/smime_policies.go b/vendor/github.com/zmap/zlint/v3/util/smime_policies.go
new file mode 100644
index 000000000..afee1e234
--- /dev/null
+++ b/vendor/github.com/zmap/zlint/v3/util/smime_policies.go
@@ -0,0 +1,83 @@
+package util
+
+/*
+ * ZLint Copyright 2021 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+import (
+ "github.com/zmap/zcrypto/x509"
+)
+
+func IsMailboxValidatedCertificate(c *x509.Certificate) bool {
+ for _, oid := range c.PolicyIdentifiers {
+ if oid.Equal(SMIMEBRMailboxValidatedLegacyOID) || oid.Equal(SMIMEBRMailboxValidatedMultipurposeOID) || oid.Equal(SMIMEBRMailboxValidatedStrictOID) {
+ return true
+ }
+ }
+
+ return false
+}
+
+func IsSMIMEBRCertificate(c *x509.Certificate) bool {
+ return IsLegacySMIMECertificate(c) || IsMultipurposeSMIMECertificate(c) || IsStrictSMIMECertificate(c)
+}
+
+func IsLegacySMIMECertificate(c *x509.Certificate) bool {
+ for _, oid := range c.PolicyIdentifiers {
+ if oid.Equal(SMIMEBRMailboxValidatedLegacyOID) || oid.Equal(SMIMEBROrganizationValidatedLegacyOID) || oid.Equal(SMIMEBRSponsorValidatedLegacyOID) || oid.Equal(SMIMEBRIndividualValidatedLegacyOID) {
+ return true
+ }
+ }
+
+ return false
+}
+
+func IsOrganizationValidatedCertificate(c *x509.Certificate) bool {
+ for _, oid := range c.PolicyIdentifiers {
+ if oid.Equal(SMIMEBROrganizationValidatedLegacyOID) || oid.Equal(SMIMEBROrganizationValidatedMultipurposeOID) || oid.Equal(SMIMEBROrganizationValidatedStrictOID) {
+ return true
+ }
+ }
+
+ return false
+}
+
+func IsSponsorValidatedCertificate(c *x509.Certificate) bool {
+ for _, oid := range c.PolicyIdentifiers {
+ if oid.Equal(SMIMEBRSponsorValidatedLegacyOID) || oid.Equal(SMIMEBRSponsorValidatedMultipurposeOID) || oid.Equal(SMIMEBRSponsorValidatedStrictOID) {
+ return true
+ }
+ }
+
+ return false
+}
+
+func IsMultipurposeSMIMECertificate(c *x509.Certificate) bool {
+ for _, oid := range c.PolicyIdentifiers {
+ if oid.Equal(SMIMEBRMailboxValidatedMultipurposeOID) || oid.Equal(SMIMEBROrganizationValidatedMultipurposeOID) || oid.Equal(SMIMEBRSponsorValidatedMultipurposeOID) || oid.Equal(SMIMEBRIndividualValidatedMultipurposeOID) {
+ return true
+ }
+ }
+
+ return false
+}
+
+func IsStrictSMIMECertificate(c *x509.Certificate) bool {
+ for _, oid := range c.PolicyIdentifiers {
+ if oid.Equal(SMIMEBRMailboxValidatedStrictOID) || oid.Equal(SMIMEBROrganizationValidatedStrictOID) || oid.Equal(SMIMEBRSponsorValidatedStrictOID) || oid.Equal(SMIMEBRIndividualValidatedStrictOID) {
+ return true
+ }
+ }
+
+ return false
+}
diff --git a/vendor/github.com/zmap/zlint/v3/util/time.go b/vendor/github.com/zmap/zlint/v3/util/time.go
index 04dfeddb6..2db1b9a33 100644
--- a/vendor/github.com/zmap/zlint/v3/util/time.go
+++ b/vendor/github.com/zmap/zlint/v3/util/time.go
@@ -21,6 +21,10 @@ import (
 "github.com/zmap/zcrypto/x509"
 )
 
+const (
+ DurationDay = 24 * time.Hour
+)
+
 var (
 ZeroDate = time.Date(0000, time.January, 1, 0, 0, 0, 0, time.UTC)
 RFC1035Date = time.Date(1987, time.January, 1, 0, 0, 0, 0, time.UTC)
@@ -72,6 +76,11 @@ var (
 CABFBRs_1_8_0_Date = time.Date(2021, time.August, 25, 0, 0, 0, 0, time.UTC)
 NoReservedDomainLabelsDate = time.Date(2021, time.October, 1, 0, 0, 0, 0, time.UTC)
 CABFBRs_OU_Prohibited_Date = time.Date(2022, time.September, 1, 0, 0, 0, 0, time.UTC)
+ CABF_SMIME_BRs_1_0_0_Date = time.Date(2023, time.September, 1, 0, 0, 0, 0, time.UTC)
+ // Enforcement date of CRL reason codes from Ballot SC 061
+ CABFBRs_1_8_7_Date = time.Date(2023, time.July, 15, 0, 0, 0, 0, time.UTC)
+ // Updates to the CABF BRs and EVGLs from Ballot SC 062 https://cabforum.org/2023/03/17/ballot-sc62v2-certificate-profiles-update/
+ SC62EffectiveDate = time.Date(2023, time.September, 15, 0, 0, 0, 0, time.UTC)
 )
 
 var (
diff --git a/vendor/github.com/zmap/zlint/v3/zlint.go b/vendor/github.com/zmap/zlint/v3/zlint.go
index 18119340f..7cb773f88 100644
--- a/vendor/github.com/zmap/zlint/v3/zlint.go
+++ b/vendor/github.com/zmap/zlint/v3/zlint.go
@@ -24,6 +24,7 @@ import (
 _ "github.com/zmap/zlint/v3/lints/apple"
 _ "github.com/zmap/zlint/v3/lints/cabf_br"
 _ "github.com/zmap/zlint/v3/lints/cabf_ev"
+ _ "github.com/zmap/zlint/v3/lints/cabf_smime_br"
 _ "github.com/zmap/zlint/v3/lints/community"
 _ "github.com/zmap/zlint/v3/lints/etsi"
 _ "github.com/zmap/zlint/v3/lints/mozilla"
@@ -74,7 +75,7 @@ func LintRevocationList(r *x509.RevocationList) *ResultSet {
 // lints that will be run. (See lint.Registry.Filter())
 //
 // If registry is nil then the global registry of all lints is used and this
-// function is equivalent to calling LintRevocationListEx(r).
+// function is equivalent to calling LintRevocationList(r).
 func LintRevocationListEx(r *x509.RevocationList, registry lint.Registry) *ResultSet {
 if r == nil {
 return nil
diff --git a/vendor/modules.txt b/vendor/modules.txt
index b5f0c6816..869097001 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -118,13 +118,14 @@ github.com/zmap/zcrypto/util
 github.com/zmap/zcrypto/x509
 github.com/zmap/zcrypto/x509/ct
 github.com/zmap/zcrypto/x509/pkix
-# github.com/zmap/zlint/v3 v3.5.0
+# github.com/zmap/zlint/v3 v3.6.0
 ## explicit; go 1.18
 github.com/zmap/zlint/v3
 github.com/zmap/zlint/v3/lint
 github.com/zmap/zlint/v3/lints/apple
 github.com/zmap/zlint/v3/lints/cabf_br
 github.com/zmap/zlint/v3/lints/cabf_ev
+github.com/zmap/zlint/v3/lints/cabf_smime_br
 github.com/zmap/zlint/v3/lints/community
 github.com/zmap/zlint/v3/lints/etsi
 github.com/zmap/zlint/v3/lints/mozilla