Merge https://github.com/zmap/zlint

v3/integration/config.json

@@ -345,7 +345,7 @@
       "ErrCount": 1
     },
     "e_ca_key_usage_missing": {
-      "ErrCount": 13
+      "ErrCount": 9
     },
     "e_ca_key_usage_not_critical": {
       "ErrCount": 40
@@ -677,7 +677,7 @@
       "ErrCount": 292
     },
     "e_sub_ca_certificate_policies_missing": {
-      "ErrCount": 59
+      "ErrCount": 50
     },
     "e_sub_ca_crl_distribution_points_does_not_contain_url": {
       "ErrCount": 2
@@ -751,7 +751,7 @@
       "ErrCount": 2
     },
     "e_subject_common_name_not_from_san": {
-      "ErrCount": 94979
+      "ErrCount": 94978
     },
     "e_subject_contains_noninformational_value": {
       "ErrCount": 338
@@ -818,7 +818,7 @@
     },
     "e_cab_dv_subject_invalid_values": {},
     "n_ca_digital_signature_not_set": {
-      "NoticeCount": 1411
+      "NoticeCount": 1405
     },
     "n_contains_redacted_dnsname": {
       "NoticeCount": 464
@@ -845,10 +845,10 @@
       "NoticeCount": 1415
     },
     "n_sub_ca_eku_not_technically_constrained": {
-      "NoticeCount": 12
+      "NoticeCount": 2
     },
     "n_subject_common_name_included": {
-      "NoticeCount": 712866
+      "NoticeCount": 712865
     },
     "w_ct_sct_policy_count_unsatisfied": {
       "NoticeCount": 5003
@@ -925,14 +925,14 @@
     "w_san_should_not_be_critical": {},
     "w_smime_aia_contains_internal_names": {},
     "w_sub_ca_aia_does_not_contain_issuing_ca_url": {
-      "WarnCount": 990
+      "WarnCount": 989
     },
     "w_sub_ca_aia_missing": {
       "WarnCount": 4
     },
     "w_sub_ca_certificate_policies_marked_critical": {},
     "w_sub_ca_eku_critical": {
-      "WarnCount": 9
+      "WarnCount": 0
     },
     "w_sub_ca_name_constraints_not_critical": {
       "WarnCount": 116

v3/lints/cabf_br/lint_aia_ca_issuers_must_have_http_only.go

@@ -0,0 +1,78 @@
+package cabf_br
+
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+import (
+	"fmt"
+	"net/url"
+
+	"github.com/zmap/zcrypto/x509"
+	"github.com/zmap/zlint/v3/lint"
+	"github.com/zmap/zlint/v3/util"
+)
+
+type bRAIACAIssuersHasHTTPOnly struct{}
+
+/************************************************************************
+7.1.2.7.7 Subscriber Certificate Authority Information Access
+The AuthorityInfoAccessSyntax MUST contain one or more AccessDescriptions. Each
+AccessDescription MUST only contain a permitted accessMethod, as detailed below, and
+each accessLocation MUST be encoded as the specified GeneralName type.
+The AuthorityInfoAccessSyntax MAY contain multiple AccessDescriptions with the
+same accessMethod, if permitted for that accessMethod. When multiple
+AccessDescriptions are present with the same accessMethod, each accessLocation
+MUST be unique, and each AccessDescription MUST be ordered in priority for that
+accessMethod, with the most‐preferred accessLocation being the first
+AccessDescription. No ordering requirements are given for AccessDescriptions that
+contain different accessMethods, provided that previous requirement is satisfied.
+
+id-ad-caIssuers
+1.3.6.1.5.5.7.48.2 uniformResourceIdentifier SHOULD  A HTTP URL of the
+Issuing CA’s certificate
+*************************************************************************/
+
+func init() {
+	lint.RegisterCertificateLint(&lint.CertificateLint{
+		LintMetadata: lint.LintMetadata{
+			Name:          "e_aia_ca_issuers_must_have_http_only",
+			Description:   "The id-ad-caIssuers accessMethod must contain an HTTP URL of the Issuing CA’s certificate. Other schemes are not allowed.",
+			Citation:      "BRs: 7.1.2.7.7",
+			Source:        lint.CABFBaselineRequirements,
+			EffectiveDate: util.SC62EffectiveDate,
+		},
+		Lint: NewBRAIACAIssuersHasHTTPOnly,
+	})
+}
+
+func NewBRAIACAIssuersHasHTTPOnly() lint.LintInterface {
+	return &bRAIACAIssuersHasHTTPOnly{}
+}
+
+func (l *bRAIACAIssuersHasHTTPOnly) CheckApplies(c *x509.Certificate) bool {
+	return len(c.IssuingCertificateURL) > 0 && util.IsSubscriberCert(c)
+}
+
+func (l *bRAIACAIssuersHasHTTPOnly) Execute(c *x509.Certificate) *lint.LintResult {
+	for _, u := range c.IssuingCertificateURL {
+		purl, err := url.Parse(u)
+		if err != nil {
+			return &lint.LintResult{Status: lint.Error, Details: "Could not parse caIssuers in AIA."}
+		}
+		if purl.Scheme != "http" {
+			return &lint.LintResult{Status: lint.Error, Details: fmt.Sprintf("Found scheme %s in caIssuers of AIA, which is not allowed.", purl.Scheme)}
+		}
+	}
+	return &lint.LintResult{Status: lint.Pass}
+}

v3/lints/cabf_br/lint_aia_ca_issuers_must_have_http_only_test.go

@@ -0,0 +1,92 @@
+package cabf_br
+
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+import (
+	"testing"
+
+	"github.com/zmap/zlint/v3/lint"
+	"github.com/zmap/zlint/v3/test"
+)
+
+func TestBRAIACAIssuersHasHTTPOnly(t *testing.T) {
+	testCases := []struct {
+		Name          string
+		InputFilename string
+
+		ExpectedResult  lint.LintStatus
+		ExpectedDetails string
+	}{
+		{
+			Name:          "error - AIA has an FTP URI for id-ad-caIssuers accessMethod.",
+			InputFilename: "aiaCaIssuersFTPOnly.pem",
+
+			ExpectedResult:  lint.Error,
+			ExpectedDetails: "Found scheme ftp in caIssuers of AIA, which is not allowed.",
+		},
+		{
+			Name:          "error - AIA has an HTTP and an LDAP URI for id-ad-caIssuers accessMethod.",
+			InputFilename: "aiaCaIssuersHTTPAndLDAP.pem",
+
+			ExpectedResult:  lint.Error,
+			ExpectedDetails: "Found scheme ldap in caIssuers of AIA, which is not allowed.",
+		},
+		{
+			Name:          "pass - AIA has only one HTTP URI for id-ad-caIssuers accessMethod.",
+			InputFilename: "aiaCaIssuersHTTPOnly.pem",
+
+			ExpectedResult: lint.Pass,
+		},
+		{
+			Name:          "error - AIA has only one HTTPS URI for id-ad-caIssuers accessMethod.",
+			InputFilename: "aiaCaIssuersHttpsOnly.pem",
+
+			ExpectedResult:  lint.Error,
+			ExpectedDetails: "Found scheme https in caIssuers of AIA, which is not allowed.",
+		},
+		{
+			Name:          "NE - AIA has only one HTTP URI for id-ad-caIssuers accessMethod and it is issued before September 15th 2023.",
+			InputFilename: "aiaCaIssuersHttpOnlyNE.pem",
+
+			ExpectedResult: lint.NE,
+		},
+		{
+			Name:          "NA - AIA has only an id-ad-ocsp accessMethod.",
+			InputFilename: "aiaCaIssuersHttpOnlyNoCAIssuers.pem",
+
+			ExpectedResult: lint.NA,
+		},
+		{
+			Name:          "error - AIA has an LDAP URI for id-ad-caIssuers accessMethod.",
+			InputFilename: "aiaCaIssuersLDAPOnly.pem",
+
+			ExpectedResult:  lint.Error,
+			ExpectedDetails: "Found scheme ldap in caIssuers of AIA, which is not allowed.",
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.Name, func(t *testing.T) {
+			result := test.TestLint("e_aia_ca_issuers_must_have_http_only", tc.InputFilename)
+			if result.Status != tc.ExpectedResult {
+				t.Errorf("expected result %v was %v", tc.ExpectedResult, result.Status)
+			}
+
+			if tc.ExpectedResult == lint.Error && tc.ExpectedDetails != result.Details {
+				t.Errorf("expected details: %q, was %q", tc.ExpectedDetails, result.Details)
+			}
+		})
+	}
+}

v3/lints/cabf_br/lint_cab_dv_subject_invalid_values_test.go

@@ -46,10 +46,9 @@ func TestNewDvSubjectInvalidValues(t *testing.T) {
 			ExpectedDetails: "DV certificate contains the invalid attribute type 2.5.4.5",
 		},
 		{
-			Name:            "pass - DV with valid values in subjectDN, with CN, on SC62",
-			InputFilename:   "dvWithCNAndCountry.pem",
-			ExpectedResult:  lint.Pass,
-			ExpectedDetails: "DV certificate contains a subject common name, this is not recommended",
+			Name:           "pass - DV with valid values in subjectDN, with CN, on SC62",
+			InputFilename:  "dvWithCNAndCountry.pem",
+			ExpectedResult: lint.Pass,
 		},
 		{
 			Name:           "pass - DV with valid values in subjectDN, country only, on SC62",

v3/lints/cabf_ev/lint_cabf_org_identifier_psd_vat_has_state.go

@@ -0,0 +1,57 @@
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+package cabf_ev
+
+import (
+	"github.com/zmap/zcrypto/x509"
+	"github.com/zmap/zlint/v3/lint"
+	"github.com/zmap/zlint/v3/util"
+)
+
+func init() {
+	lint.RegisterCertificateLint(&lint.CertificateLint{
+		LintMetadata: lint.LintMetadata{
+			Name:          "e_cabf_org_identifier_psd_vat_has_state",
+			Description:   "The cabfOrganizationIdentifier field for PSD org VAT Registration Schemes cannot include the referenceStateOrProvince field.",
+			Citation:      "9.2.8",
+			Source:        lint.CABFEVGuidelines,
+			EffectiveDate: util.SC17EffectiveDate,
+		},
+		Lint: NewCabfOrgIdentifierPsdVatHasState,
+	})
+}
+
+type CabfOrgIdentifierPsdVatHasState struct{}
+
+func NewCabfOrgIdentifierPsdVatHasState() lint.LintInterface {
+	return &CabfOrgIdentifierPsdVatHasState{}
+}
+
+func (l *CabfOrgIdentifierPsdVatHasState) CheckApplies(c *x509.Certificate) bool {
+	for _, ext := range c.Extensions {
+		if ext.Id.Equal(util.CabfExtensionOrganizationIdentifier) && (c.CABFOrganizationIdentifier.Scheme == "PSD" || c.CABFOrganizationIdentifier.Scheme == "VAT") {
+			return true
+		}
+	}
+	return false
+}
+
+func (l *CabfOrgIdentifierPsdVatHasState) Execute(c *x509.Certificate) *lint.LintResult {
+	if c.CABFOrganizationIdentifier.State == "" {
+		return &lint.LintResult{Status: lint.Pass}
+	} else {
+		return &lint.LintResult{Status: lint.Error}
+	}
+}

v3/lints/cabf_ev/lint_cabf_org_identifier_psd_vat_has_state_test.go

@@ -0,0 +1,31 @@
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+package cabf_ev
+
+import (
+	"testing"
+
+	"github.com/zmap/zlint/v3/lint"
+	"github.com/zmap/zlint/v3/test"
+)
+
+func TestCabfOrgIdentifierPsdVatHasState(t *testing.T) {
+	inputPath := "cabfOrgIdentifierPSDState.pem"
+	expected := lint.Error
+	out := test.TestLint("e_cabf_org_identifier_psd_vat_has_state", inputPath)
+	if out.Status != expected {
+		t.Errorf("%s: expected %s, got %s", inputPath, expected, out.Status)
+	}
+}

v3/lints/cabf_smime_br/lint_commonname_mailbox_validated.go

@@ -40,7 +40,7 @@ func NewCommonNameMailboxValidated() lint.LintInterface {
 }
 
 func (l *commonNameMailboxValidated) CheckApplies(c *x509.Certificate) bool {
-	return util.IsMailboxValidatedCertificate(c)
+	return util.IsMailboxValidatedCertificate(c) && util.IsSubscriberCert(c)
 }
 
 func (l *commonNameMailboxValidated) Execute(c *x509.Certificate) *lint.LintResult {

v3/lints/rfc/lint_crl_revoked_certificates_field_empty.go

@@ -64,23 +64,14 @@ func (l *revokedCertificates) Execute(c *x509.RevocationList) *lint.LintResult {
 	// or confirmed to be missing from the ASN.1 data structure.
 	input := cryptobyte.String(c.Raw)
 
-	// From crypto/x509/parser.go: we read the SEQUENCE including length and tag
-	// bytes so that we can populate RevocationList.Raw, before unwrapping the
-	// SEQUENCE so it can be operated on
-	if !input.ReadASN1Element(&input, cryptobyte_asn1.SEQUENCE) {
-		return &lint.LintResult{Status: lint.Fatal, Details: "malformed CRL"}
-	}
+	// Extract the CertificateList
 	if !input.ReadASN1(&input, cryptobyte_asn1.SEQUENCE) {
 		return &lint.LintResult{Status: lint.Fatal, Details: "malformed CRL"}
 	}
 
 	var tbs cryptobyte.String
-	// From crypto/x509/parser.go: do the same trick again as above to extract
-	// the raw bytes for Certificate.RawTBSCertificate
-	if !input.ReadASN1Element(&tbs, cryptobyte_asn1.SEQUENCE) {
-		return &lint.LintResult{Status: lint.Fatal, Details: "malformed TBS CRL"}
-	}
-	if !tbs.ReadASN1(&tbs, cryptobyte_asn1.SEQUENCE) {
+	// Extract the TBSCertList from the CertificateList
+	if !input.ReadASN1(&tbs, cryptobyte_asn1.SEQUENCE) {
 		return &lint.LintResult{Status: lint.Fatal, Details: "malformed TBS CRL"}
 	}