synchronised with project

.github/workflows/release.yml

@@ -23,7 +23,7 @@ jobs:
         uses: goreleaser/goreleaser-action@v2
         with:
           version: latest
-          args: release --rm-dist
+          args: release --clean
           workdir: v3
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

README.md

@@ -251,7 +251,7 @@ Here are some projects/CAs known to integrate with ZLint in some fashion:
 * [Microsoft](https://www.microsoft.com)
 * [Nexus Certificate Manager](https://doc.nexusgroup.com/display/PUB/Smart+ID+Certificate+Manager)
 * [QuoVadis](https://www.quovadisglobal.com/)
-* [Sectigo](https://sectigo.com/) and [crt.sh](https://crt.sh)
+* [Sectigo](https://sectigo.com/), [crt.sh](https://crt.sh/), and [pkimetal](https://github.com/pkimetal/pkimetal)
 * [Siemens](https://siemens.com/pki)
 * [SSL.com](https://www.ssl.com/)
 * [PKI Insights](https://www.codegic.com/pki-insights-health-monitoring-for-microsoft-ca/)

v3/integration/config.json

@@ -426,6 +426,9 @@
       "ErrCount": 2
     },
     "e_ev_country_name_missing": {},
+    "e_ev_invalid_business_category": {
+      "ErrCount": 10957
+    },
     "e_ev_not_wildcard": {
       "ErrCount": 1
     },
@@ -839,6 +842,9 @@
       "ErrCount": 12
     },
     "e_cab_dv_subject_invalid_values": {},
+    "e_aia_must_contain_permitted_access_method": {},
+    "e_aia_ocsp_must_have_http_only": {},
+    "e_aia_unique_access_locations": {},
     "n_ca_digital_signature_not_set": {
       "NoticeCount": 1405
     },
@@ -986,8 +992,6 @@
     "w_subject_surname_recommended_max_length": {},
     "w_tls_server_cert_valid_time_longer_than_397_days": {
       "WarnCount": 223
-<<<<<<< HEAD
-<<<<<<< HEAD
     },
     "w_qcstatem_psd2_psd2statem_ncaid_eulist": {
       "WarnCount": 2
@@ -997,14 +1001,12 @@
     },
     "w_sub_cert_aia_contains_internal_names": {
       "WarnCount": 210
-=======
->>>>>>> 4b2f38b56132eda5017d637ed07ef9be59ab6976
-    }
-=======
     },
     "e_ca_invalid_eku": {
         "ErrCount": 1
-    }    
->>>>>>> 04d863f7660edfe0498162334524742397226fb2
+    },
+    "e_subj_country_not_uppercase": {
+        "ErrCount": 1303
+    }
   }
 }

v3/integration/small.config.json

@@ -329,6 +329,9 @@
     "n_ca_digital_signature_not_set": {
       "NoticeCount": 29
     },
+    "e_aia_must_contain_permitted_access_method": {},
+    "e_aia_ocsp_must_have_http_only": {},
+    "e_aia_unique_access_locations": {},
     "n_contains_redacted_dnsname": {
       "NoticeCount": 8
     },

v3/lint/base.go

@@ -221,7 +221,10 @@ func (l *CertificateLint) Execute(cert *x509.Certificate, config Configuration)
 	if l.Source == CABFBaselineRequirements && !util.IsServerAuthCert(cert) {
 		return &LintResult{Status: NA}
 	}
-	if l.Source == CABFSMIMEBaselineRequirements && !((util.IsEmailProtectionCert(cert) && util.HasEmailSAN(cert)) || util.IsSMIMEBRCertificate(cert)) {
+	if l.Source == CABFSMIMEBaselineRequirements && !util.IsEmailProtectionCert(cert) {
+		return &LintResult{Status: NA}
+	}
+	if l.Source == CABFCSBaselineRequirements && !util.IsCodeSigning(cert.PolicyIdentifiers) {
 		return &LintResult{Status: NA}
 	}
 	lint := l.Lint()

v3/lint/source.go

@@ -35,6 +35,7 @@ const (
 	RFC6962                       LintSource = "RFC6962"
 	RFC8813                       LintSource = "RFC8813"
 	CABFBaselineRequirements      LintSource = "CABF_BR"
+	CABFCSBaselineRequirements    LintSource = "CABF_CS_BR"
 	CABFSMIMEBaselineRequirements LintSource = "CABF_SMIME_BR"
 	CABFEVGuidelines              LintSource = "CABF_EV"
 	MozillaRootStorePolicy        LintSource = "Mozilla"

v3/lints/cabf_br/lint_aia_must_contain_permitted_access_method.go

@@ -0,0 +1,113 @@
+package cabf_br
+
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+import (
+	"fmt"
+
+	"github.com/zmap/zcrypto/encoding/asn1"
+	"github.com/zmap/zcrypto/x509"
+	"github.com/zmap/zlint/v3/lint"
+	"github.com/zmap/zlint/v3/util"
+)
+
+type bRAIAAccessMethodAllowed struct{}
+
+/************************************************************************
+7.1.2.7.7 Subscriber Certificate Authority Information Access
+The AuthorityInfoAccessSyntax MUST contain one or more AccessDescriptions. Each
+AccessDescription MUST only contain a permitted accessMethod, as detailed below, and
+each accessLocation MUST be encoded as the specified GeneralName type.
+The AuthorityInfoAccessSyntax MAY contain multiple AccessDescriptions with the
+same accessMethod, if permitted for that accessMethod. When multiple
+AccessDescriptions are present with the same accessMethod, each accessLocation
+MUST be unique, and each AccessDescription MUST be ordered in priority for that
+accessMethod, with the most‐preferred accessLocation being the first
+AccessDescription. No ordering requirements are given for AccessDescriptions that
+contain different accessMethods, provided that previous requirement is satisfied.
+
+Each AccessDescription MUST only contain a permitted accessMethod, as detailed below,
+and each accessLocation MUST be encoded as the specified GeneralName type.
+
+This lint checks that only the id-ad-ocsp or id-ad-caIssuers accessMethod is present
+and that the value is a uniformResourceIdentifier GeneralName.
+
+GeneralName ::= CHOICE {
+     otherName                 [0]  AnotherName,
+     rfc822Name                [1]  IA5String,
+     dNSName                   [2]  IA5String,
+     x400Address               [3]  ORAddress,
+     directoryName             [4]  Name,
+     ediPartyName              [5]  EDIPartyName,
+     uniformResourceIdentifier [6]  IA5String,
+     iPAddress                 [7]  OCTET STRING,
+     registeredID              [8]  OBJECT IDENTIFIER }
+*************************************************************************/
+
+func init() {
+	lint.RegisterCertificateLint(&lint.CertificateLint{
+		LintMetadata: lint.LintMetadata{
+			Name:          "e_aia_must_contain_permitted_access_method",
+			Description:   "The AIA must contain only the id-ad-ocsp or id-ad-caIssuers accessMethod. Others are not allowed. Also, each accessLocation MUST be encoded as uniformResourceIdentifier GeneralName.",
+			Citation:      "BRs: 7.1.2.7.7",
+			Source:        lint.CABFBaselineRequirements,
+			EffectiveDate: util.SC62EffectiveDate,
+		},
+		Lint: NewBRAIAAccessMethodAllowed,
+	})
+}
+
+func NewBRAIAAccessMethodAllowed() lint.LintInterface {
+	return &bRAIAAccessMethodAllowed{}
+}
+
+func (l *bRAIAAccessMethodAllowed) CheckApplies(c *x509.Certificate) bool {
+	return util.IsSubscriberCert(c) && util.IsExtInCert(c, util.AiaOID)
+}
+
+func (l *bRAIAAccessMethodAllowed) Execute(c *x509.Certificate) *lint.LintResult {
+
+	// see x509.go
+	for _, ext := range c.Extensions {
+		if ext.Id.Equal(util.AiaOID) {
+			var aia []authorityInfoAccess
+			_, err := asn1.Unmarshal(ext.Value, &aia)
+			if err != nil {
+				return &lint.LintResult{Status: lint.Fatal}
+			}
+			for _, v := range aia {
+				if v.Location.Tag != 6 {
+					return &lint.LintResult{Status: lint.Error, Details: fmt.Sprintf("Certificate has an invalid GeneralName with tag %d in an accessLocation.", v.Location.Tag)}
+				}
+
+				if !(v.Method.Equal(idAdCaIssuers) || v.Method.Equal(idAdOCSP)) {
+					return &lint.LintResult{Status: lint.Error, Details: fmt.Sprintf("Certificate has an invalid accessMethod with OID %s.", v.Method)}
+				}
+			}
+		}
+	}
+
+	return &lint.LintResult{Status: lint.Pass}
+}
+
+type authorityInfoAccess struct {
+	Method   asn1.ObjectIdentifier
+	Location asn1.RawValue
+}
+
+var (
+	idAdOCSP      = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 48, 1}
+	idAdCaIssuers = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 48, 2}
+)

v3/lints/cabf_br/lint_aia_must_contain_permitted_access_method_test.go

@@ -0,0 +1,102 @@
+package cabf_br
+
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+import (
+	"testing"
+
+	"github.com/zmap/zlint/v3/lint"
+	"github.com/zmap/zlint/v3/test"
+)
+
+func TestBRAIAAccessMethodAllowed(t *testing.T) {
+	testCases := []struct {
+		Name          string
+		InputFilename string
+
+		ExpectedResult  lint.LintStatus
+		ExpectedDetails string
+	}{
+		{
+			Name:          "pass - AIA has only one HTTP URI for id-ad-caIssuers accessMethod.",
+			InputFilename: "aiaCaIssuersHTTPOnly.pem",
+
+			ExpectedResult: lint.Pass,
+		},
+		{
+			Name:          "NA - AIA is missing.",
+			InputFilename: "subjectOCorrectEncoding.pem",
+
+			ExpectedResult: lint.NA,
+		},
+		{
+			Name:          "pass - AIA has one HTTP URL for id-ad-ocsp accessMethod.",
+			InputFilename: "aiaCaIssuersHttpOnlyNoCAIssuers.pem",
+
+			ExpectedResult: lint.Pass,
+		},
+		{
+			Name:          "pass - AIA has two HTTP URLs for id-ad-ocsp accessMethod, one is HTTP the other is LDAP.",
+			InputFilename: "aiaOCSPOneHTTPOneLDAP.pem",
+
+			ExpectedResult: lint.Pass,
+		},
+		{
+			Name:          "pass - AIA has one HTTPS URL for id-ad-ocsp accessMethod.",
+			InputFilename: "aiaOCSPWithHTTPSURL.pem",
+
+			ExpectedResult: lint.Pass,
+		},
+		{
+			Name:          "error - AIA has one unsupported access method (OID is the DV policy OID).",
+			InputFilename: "unsupportedAccessMethod.pem",
+
+			ExpectedResult:  lint.Error,
+			ExpectedDetails: "Certificate has an invalid accessMethod with OID 2.23.140.1.2.1.",
+		},
+		{
+			Name:          "error - AIA has the id-ad-ocsp accessMethod with an rfc822Name as value.",
+			InputFilename: "aiaWrongGeneralName.pem",
+
+			ExpectedResult:  lint.Error,
+			ExpectedDetails: "Certificate has an invalid GeneralName with tag 1 in an accessLocation.",
+		},
+		{
+			Name:          "NE - AIA has only one HTTP URI for id-ad-ocsp accessMethod and it is issued before September 15th 2023.",
+			InputFilename: "aiaOCSPHttpOnlyNE.pem",
+
+			ExpectedResult: lint.NE,
+		},
+		{
+			Name:          "NA - CA certificate issued on September 15th 2023.",
+			InputFilename: "caCertificateAfter15092023.pem",
+
+			ExpectedResult: lint.NA,
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.Name, func(t *testing.T) {
+			result := test.TestLint("e_aia_must_contain_permitted_access_method", tc.InputFilename)
+			if result.Status != tc.ExpectedResult {
+				t.Errorf("expected result %v was %v", tc.ExpectedResult, result.Status)
+			}
+
+			if tc.ExpectedResult == lint.Error && tc.ExpectedDetails != result.Details {
+				t.Errorf("expected details: %q, was %q", tc.ExpectedDetails, result.Details)
+			}
+		})
+	}
+}

v3/lints/cabf_br/lint_aia_ocsp_must_have_http_only.go

@@ -0,0 +1,78 @@
+package cabf_br
+
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+import (
+	"fmt"
+	"net/url"
+
+	"github.com/zmap/zcrypto/x509"
+	"github.com/zmap/zlint/v3/lint"
+	"github.com/zmap/zlint/v3/util"
+)
+
+type bRAIAOCSPHasHTTPOnly struct{}
+
+/************************************************************************
+7.1.2.7.7 Subscriber Certificate Authority Information Access
+The AuthorityInfoAccessSyntax MUST contain one or more AccessDescriptions. Each
+AccessDescription MUST only contain a permitted accessMethod, as detailed below, and
+each accessLocation MUST be encoded as the specified GeneralName type.
+The AuthorityInfoAccessSyntax MAY contain multiple AccessDescriptions with the
+same accessMethod, if permitted for that accessMethod. When multiple
+AccessDescriptions are present with the same accessMethod, each accessLocation
+MUST be unique, and each AccessDescription MUST be ordered in priority for that
+accessMethod, with the most‐preferred accessLocation being the first
+AccessDescription. No ordering requirements are given for AccessDescriptions that
+contain different accessMethods, provided that previous requirement is satisfied.
+
+id-ad-ocsp
+1.3.6.1.5.5.7.48.1 uniformResourceIdentifier MUST  A HTTP URL of the
+Issuing CA’s OCSP  responder.
+*************************************************************************/
+
+func init() {
+	lint.RegisterCertificateLint(&lint.CertificateLint{
+		LintMetadata: lint.LintMetadata{
+			Name:          "e_aia_ocsp_must_have_http_only",
+			Description:   "The id-ad-ocsp accessMethod must contain an HTTP URL of the of the Issuing CA’s OCSP responder. Other schemes are not allowed.",
+			Citation:      "BRs: 7.1.2.7.7",
+			Source:        lint.CABFBaselineRequirements,
+			EffectiveDate: util.SC62EffectiveDate,
+		},
+		Lint: NewBRAIAOCSPHasHTTPOnly,
+	})
+}
+
+func NewBRAIAOCSPHasHTTPOnly() lint.LintInterface {
+	return &bRAIAOCSPHasHTTPOnly{}
+}
+
+func (l *bRAIAOCSPHasHTTPOnly) CheckApplies(c *x509.Certificate) bool {
+	return len(c.OCSPServer) > 0 && util.IsSubscriberCert(c)
+}
+
+func (l *bRAIAOCSPHasHTTPOnly) Execute(c *x509.Certificate) *lint.LintResult {
+	for _, u := range c.OCSPServer {
+		purl, err := url.Parse(u)
+		if err != nil {
+			return &lint.LintResult{Status: lint.Error, Details: "Could not parse OCSP URL in AIA."}
+		}
+		if purl.Scheme != "http" {
+			return &lint.LintResult{Status: lint.Error, Details: fmt.Sprintf("Found scheme %s in OCSP URL of AIA, which is not allowed.", purl.Scheme)}
+		}
+	}
+	return &lint.LintResult{Status: lint.Pass}
+}