Mailbox addresses from san for all br (#809)

* lint about the encoding of qcstatements for PSD2

* Revert "lint about the encoding of qcstatements for PSD2"

This reverts commit 6c23670.

* util: gtld_map autopull updates for 2021-10-21T07:25:20 UTC

* always check and perform the operation in the execution

* synchronised with project

* synchronised with project

* synchronised with project

* synchronised with project

* refactored lint to cover all SMIME BR certificates

* fixed git merge issue

---------

Co-authored-by: mtg <[email protected]>
Co-authored-by: GitHub <[email protected]>
Co-authored-by: Christopher Henderson <[email protected]>

v3/lints/cabf_br/lint_ext_subject_key_identifier_not_recommended_subscriber.go

@@ -44,7 +44,7 @@ func init() {
 	lint.RegisterCertificateLint(&lint.CertificateLint{
 		LintMetadata: lint.LintMetadata{
 			Name:          "w_ext_subject_key_identifier_not_recommended_subscriber",
-			Description:   "Subcriber certificates use of Subject Key Identifier is NOT RECOMMENDED",
+			Description:   "Subscriber certificates use of Subject Key Identifier is NOT RECOMMENDED",
 			Citation:      "BRs v2: 7.1.2.7.6",
 			Source:        lint.CABFBaselineRequirements,
 			EffectiveDate: util.SC62EffectiveDate,

v3/lints/cabf_smime_br/mailbox_address_from_san.go

@@ -44,11 +44,7 @@ func NewMailboxAddressFromSAN() lint.LintInterface {
 
 // CheckApplies is returns true if the certificate's policies assert that it conforms to the SMIME BRs
 func (l *MailboxAddressFromSAN) CheckApplies(c *x509.Certificate) bool {
-	if util.HasEKU(c, x509.ExtKeyUsageEmailProtection) || util.HasEKU(c, x509.ExtKeyUsageAny) {
-		return true
-	}
-
-	return util.IsMailboxValidatedCertificate(c) && util.IsSubscriberCert(c)
+	return util.IsSMIMEBRCertificate(c) && util.IsSubscriberCert(c)
 }
 
 // Execute checks all the places where Mailbox Addresses may be found in an SMIME certificate and confirms that they are present in the SAN rfc822Name or SAN otherName

v3/lints/cabf_smime_br/mailbox_address_from_san_test.go

@@ -86,6 +86,19 @@ func TestMailboxAddressFromSANLint(t *testing.T) {
 			ExpectedResult:  lint.Error,
 			ExpectedDetails: "all certificate mailbox addresses must be present in san:emailAddresses or san:otherNames in addition to any other field they may appear",
 		},
+		{
+			Name:          "fail - subject:commonName email address does not match san:emailAddress, certificate is sponsor validated",
+			InputFilename: "sponsorValidatedMultipurposeEmailInSubjectNotInSAN.pem",
+
+			ExpectedResult:  lint.Error,
+			ExpectedDetails: "all certificate mailbox addresses must be present in san:emailAddresses or san:otherNames in addition to any other field they may appear",
+		},
+		{
+			Name:          "pass - subject:commonName is personal name, san:emailAddress contains an email",
+			InputFilename: "sponsorValidatedMultipurposePersonalNameInCN.pem",
+
+			ExpectedResult: lint.Pass,
+		},
 	}
 
 	for _, tc := range testCases {

v3/testdata/smime/MailboxAddressFromSAN/WithOnlySANEmail.pem

@@ -1,42 +1,43 @@
 Certificate:
     Data:
         Version: 3 (0x2)
-        Serial Number: 3 (0x3)
+        Serial Number:
+            cd:06:4c:49:cc:33:16:20:51:36:00:f5
         Signature Algorithm: ecdsa-with-SHA256
-        Issuer: 
+        Issuer: CN = Lint CA, O = Lint, C = DE
         Validity
             Not Before: Sep  1 00:00:00 2023 GMT
-            Not After : Nov 30 00:00:00 9998 GMT
+            Not After : Sep  1 00:00:00 2024 GMT
         Subject: 
         Subject Public Key Info:
             Public Key Algorithm: id-ecPublicKey
                 Public-Key: (256 bit)
                 pub:
-                    04:8e:4d:90:a7:a0:3f:15:e0:6a:de:89:e1:19:74:
-                    23:51:db:37:5d:9c:21:13:db:7a:65:96:10:43:e5:
-                    77:f6:dd:52:99:e1:5c:b9:08:81:07:71:cf:59:95:
-                    2c:13:6a:bc:34:15:8a:b7:17:99:4c:d4:0d:b0:54:
-                    8a:0a:6d:a7:60
+                    04:f3:ba:54:14:60:f2:4a:81:3a:fd:9e:e1:ca:aa:
+                    02:70:3a:f9:eb:cc:cb:09:aa:57:c1:f7:40:9b:8e:
+                    ac:ff:1e:5c:5e:cc:9e:b3:d6:7e:15:2d:35:3f:b4:
+                    04:05:60:e9:27:bc:7f:86:3d:23:66:cc:96:be:e7:
+                    4a:da:f2:90:3e
                 ASN1 OID: prime256v1
                 NIST CURVE: P-256
         X509v3 extensions:
-            X509v3 Extended Key Usage: 
-                E-mail Protection
-            X509v3 Subject Alternative Name: 
+            X509v3 Certificate Policies: 
+                Policy: 2.23.140.1.5.3.2
+            X509v3 Subject Alternative Name: critical
                 email:[email protected]
     Signature Algorithm: ecdsa-with-SHA256
     Signature Value:
-        30:44:02:20:63:fe:50:25:07:b3:7c:f1:cb:1a:3f:da:e4:17:
-        d8:ec:95:33:08:65:c5:da:d2:4d:af:9d:fb:34:05:80:cb:2b:
-        02:20:63:c7:3b:dd:13:d7:3a:60:86:7a:34:c7:a0:a4:35:2b:
-        fa:b9:03:37:14:75:cb:e9:8f:db:f9:85:ef:f9:4b:74
+        30:45:02:20:5b:48:5a:9e:f1:34:fb:bb:52:68:1e:2d:dc:32:
+        94:95:58:c4:66:b6:53:25:96:e7:91:30:b2:6d:61:bd:7a:da:
+        02:21:00:a4:78:63:87:01:7e:4a:ae:1b:7e:52:4c:0f:32:09:
+        86:fa:55:93:64:ec:13:22:cb:45:0c:80:2a:7e:b0:f8:e6
 -----BEGIN CERTIFICATE-----
-MIIBIzCBy6ADAgECAgEDMAoGCCqGSM49BAMCMAAwIBcNMjMwOTAxMDAwMDAwWhgP
-OTk5ODExMzAwMDAwMDBaMAAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASOTZCn
-oD8V4GreieEZdCNR2zddnCET23pllhBD5Xf23VKZ4Vy5CIEHcc9ZlSwTarw0FYq3
-F5lM1A2wVIoKbadgozQwMjATBgNVHSUEDDAKBggrBgEFBQcDBDAbBgNVHREEFDAS
-gRB0ZXN0QGV4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIGP+UCUHs3zxyxo/
-2uQX2OyVMwhlxdrSTa+d+zQFgMsrAiBjxzvdE9c6YIZ6NMegpDUr+rkDNxR1y+mP
-2/mF7/lLdA==
+MIIBYTCCAQegAwIBAgINAM0GTEnMMxYgUTYA9TAKBggqhkjOPQQDAjAuMRAwDgYD
+VQQDDAdMaW50IENBMQ0wCwYDVQQKDARMaW50MQswCQYDVQQGEwJERTAeFw0yMzA5
+MDEwMDAwMDBaFw0yNDA5MDEwMDAwMDBaMAAwWTATBgcqhkjOPQIBBggqhkjOPQMB
+BwNCAATzulQUYPJKgTr9nuHKqgJwOvnrzMsJqlfB90Cbjqz/HlxezJ6z1n4VLTU/
+tAQFYOknvH+GPSNmzJa+50ra8pA+ozgwNjAUBgNVHSAEDTALMAkGB2eBDAEFAwIw
+HgYDVR0RAQH/BBQwEoEQdGVzdEBleGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBF
+AiBbSFqe8TT7u1JoHi3cMpSVWMRmtlMllueRMLJtYb162gIhAKR4Y4cBfkquG35S
+TA8yCYb6VZNk7BMiy0UMgCp+sPjm
 -----END CERTIFICATE-----
-

v3/testdata/smime/MailboxAddressFromSAN/WithOnlySANOtherName.pem

@@ -1,42 +1,43 @@
 Certificate:
     Data:
         Version: 3 (0x2)
-        Serial Number: 3 (0x3)
+        Serial Number:
+            6e:77:64:8f:2d:ca:f7:67:b9:66:ea:33
         Signature Algorithm: ecdsa-with-SHA256
-        Issuer: 
+        Issuer: CN = Lint CA, O = Lint, C = DE
         Validity
             Not Before: Sep  1 00:00:00 2023 GMT
-            Not After : Nov 30 00:00:00 9998 GMT
+            Not After : Sep  1 00:00:00 2024 GMT
         Subject: 
         Subject Public Key Info:
             Public Key Algorithm: id-ecPublicKey
                 Public-Key: (256 bit)
                 pub:
-                    04:a5:21:3a:ef:c4:e4:dd:5d:ad:17:c4:b5:1a:6e:
-                    43:72:02:a0:f5:a2:85:e6:56:1e:c7:fe:07:6b:c0:
-                    0d:89:14:8e:8c:45:f4:32:24:22:62:d2:48:cc:b7:
-                    3e:14:7f:10:d5:95:7f:45:b6:b6:93:40:a9:f6:8a:
-                    d6:07:64:0b:c6
+                    04:bc:08:e7:53:65:a4:14:04:48:b0:2c:35:bb:59:
+                    62:b5:4e:86:2b:d6:a5:0e:33:37:0f:83:a4:a2:8f:
+                    4d:63:70:19:1c:a0:4b:1d:45:b1:f4:12:b8:9f:27:
+                    56:71:0f:d1:af:02:bb:a2:9f:35:c3:14:cd:13:68:
+                    04:40:ec:89:b6
                 ASN1 OID: prime256v1
                 NIST CURVE: P-256
         X509v3 extensions:
-            X509v3 Extended Key Usage: 
-                E-mail Protection
+            X509v3 Certificate Policies: 
+                Policy: 2.23.140.1.5.3.2
             X509v3 Subject Alternative Name: critical
                 othername: SmtpUTF8Mailbox::[email protected]
     Signature Algorithm: ecdsa-with-SHA256
     Signature Value:
-        30:45:02:21:00:b1:e6:48:b7:2d:ef:dc:ec:ca:ae:bb:4a:39:
-        61:d0:32:9e:e5:1f:6f:e0:64:bb:75:dd:50:27:ca:6e:f7:75:
-        cf:02:20:77:33:c7:f4:79:96:99:5d:be:6b:e4:45:7b:11:18:
-        82:05:df:db:29:8d:83:5c:d1:91:81:cf:15:0b:2f:4f:8f
+        30:45:02:20:20:d3:d2:af:09:14:23:91:a6:2a:10:ce:9b:9f:
+        32:d8:f9:43:7c:a0:7e:b4:1a:c8:5e:0a:90:6f:d6:d5:ba:c8:
+        02:21:00:f4:d7:50:77:27:12:3e:31:d7:4a:60:44:c6:8b:f7:
+        0d:5d:a0:d6:e2:12:02:a5:ce:21:92:e4:ef:19:c9:86:c8
 -----BEGIN CERTIFICATE-----
-MIIBNTCB3KADAgECAgEDMAoGCCqGSM49BAMCMAAwIBcNMjMwOTAxMDAwMDAwWhgP
-OTk5ODExMzAwMDAwMDBaMAAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASlITrv
-xOTdXa0XxLUabkNyAqD1ooXmVh7H/gdrwA2JFI6MRfQyJCJi0kjMtz4UfxDVlX9F
-traTQKn2itYHZAvGo0UwQzATBgNVHSUEDDAKBggrBgEFBQcDBDAsBgNVHREBAf8E
-IjAgoB4GCCsGAQUFBwgJoBIMEHRlc3RAZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID
-SAAwRQIhALHmSLct79zsyq67Sjlh0DKe5R9v4GS7dd1QJ8pu93XPAiB3M8f0eZaZ
-Xb5r5EV7ERiCBd/bKY2DXNGRgc8VCy9Pjw==
+MIIBbjCCARSgAwIBAgIMbndkjy3K92e5ZuozMAoGCCqGSM49BAMCMC4xEDAOBgNV
+BAMMB0xpbnQgQ0ExDTALBgNVBAoMBExpbnQxCzAJBgNVBAYTAkRFMB4XDTIzMDkw
+MTAwMDAwMFoXDTI0MDkwMTAwMDAwMFowADBZMBMGByqGSM49AgEGCCqGSM49AwEH
+A0IABLwI51NlpBQESLAsNbtZYrVOhivWpQ4zNw+DpKKPTWNwGRygSx1FsfQSuJ8n
+VnEP0a8Cu6KfNcMUzRNoBEDsibajRjBEMBQGA1UdIAQNMAswCQYHZ4EMAQUDAjAs
+BgNVHREBAf8EIjAgoB4GCCsGAQUFBwgJoBIMEHRlc3RAZXhhbXBsZS5jb20wCgYI
+KoZIzj0EAwIDSAAwRQIgINPSrwkUI5GmKhDOm58y2PlDfKB+tBrIXgqQb9bVusgC
+IQD011B3JxI+MddKYETGi/cNXaDW4hICpc4hkuTvGcmGyA==
 -----END CERTIFICATE-----
-

v3/testdata/smime/MailboxAddressFromSAN/sponsorValidatedMultipurposeEmailInSubjectNotInSAN.pem

@@ -0,0 +1,44 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            e7:55:11:47:5d:8f:22:0b:ef:3b:81:c3
+        Signature Algorithm: ecdsa-with-SHA256
+        Issuer: CN = Lint CA, O = Lint, C = DE
+        Validity
+            Not Before: Sep  1 00:00:00 2023 GMT
+            Not After : Sep  1 00:00:00 2024 GMT
+        Subject: emailAddress = [email protected], O = Lint, C = DE
+        Subject Public Key Info:
+            Public Key Algorithm: id-ecPublicKey
+                Public-Key: (256 bit)
+                pub:
+                    04:04:fe:3e:21:f9:28:32:5b:1b:dd:01:ef:44:43:
+                    fa:0d:40:a0:44:36:14:52:a8:2b:93:c8:b0:5f:5f:
+                    16:49:b6:dc:84:29:ec:2a:cd:8f:d8:6e:21:1c:d0:
+                    ca:df:fb:a5:48:7a:da:1f:84:97:5d:99:1e:5c:ef:
+                    18:8e:90:94:c6
+                ASN1 OID: prime256v1
+                NIST CURVE: P-256
+        X509v3 extensions:
+            X509v3 Certificate Policies: 
+                Policy: 2.23.140.1.5.3.2
+            X509v3 Subject Alternative Name: 
+                email:[email protected]
+    Signature Algorithm: ecdsa-with-SHA256
+    Signature Value:
+        30:44:02:20:2d:bd:d5:2d:dc:d9:ad:7d:8d:29:52:83:56:f0:
+        f5:1e:6d:ec:51:55:c8:93:1e:13:19:4d:66:c3:a6:74:23:19:
+        02:20:43:30:15:b7:e8:69:6c:cf:4e:20:c6:18:45:f2:32:5a:
+        80:68:fb:b1:27:43:83:5c:f8:e3:1f:3c:10:cf:68:40
+-----BEGIN CERTIFICATE-----
+MIIBmzCCAUKgAwIBAgINAOdVEUddjyIL7zuBwzAKBggqhkjOPQQDAjAuMRAwDgYD
+VQQDDAdMaW50IENBMQ0wCwYDVQQKDARMaW50MQswCQYDVQQGEwJERTAeFw0yMzA5
+MDEwMDAwMDBaFw0yNDA5MDEwMDAwMDBaMD4xIDAeBgkqhkiG9w0BCQEWEXpsaW50
+QGV4YW1wbGUuY29tMQ0wCwYDVQQKDARMaW50MQswCQYDVQQGEwJERTBZMBMGByqG
+SM49AgEGCCqGSM49AwEHA0IABAT+PiH5KDJbG90B70RD+g1AoEQ2FFKoK5PIsF9f
+Fkm23IQp7CrNj9huIRzQyt/7pUh62h+El12ZHlzvGI6QlMajNTAzMBQGA1UdIAQN
+MAswCQYHZ4EMAQUDAjAbBgNVHREEFDASgRBkaWZmQGV4YW1wbGUuY29tMAoGCCqG
+SM49BAMCA0cAMEQCIC291S3c2a19jSlSg1bw9R5t7FFVyJMeExlNZsOmdCMZAiBD
+MBW36Glsz04gxhhF8jJagGj7sSdDg1z44x88EM9oQA==
+-----END CERTIFICATE-----

v3/testdata/smime/MailboxAddressFromSAN/sponsorValidatedMultipurposePersonalNameInCN.pem

@@ -0,0 +1,44 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            aa:18:43:0a:7d:61:0d:76:55:87:b4:e2
+        Signature Algorithm: ecdsa-with-SHA256
+        Issuer: CN = Lint CA, O = Lint, C = DE
+        Validity
+            Not Before: Sep  1 00:00:00 2023 GMT
+            Not After : Sep  1 00:00:00 2024 GMT
+        Subject: CN = Personal Name, O = Lint, C = DE
+        Subject Public Key Info:
+            Public Key Algorithm: id-ecPublicKey
+                Public-Key: (256 bit)
+                pub:
+                    04:47:d8:e7:1c:93:d7:42:b2:b1:ce:36:0b:68:c1:
+                    b7:78:c8:12:37:12:35:9a:c9:05:b8:f5:2e:d9:c1:
+                    fe:4f:11:07:b7:21:11:14:a4:66:29:bc:47:7a:44:
+                    98:1a:13:88:45:1c:46:80:0d:75:75:32:2f:4d:5d:
+                    3d:0f:b4:2b:04
+                ASN1 OID: prime256v1
+                NIST CURVE: P-256
+        X509v3 extensions:
+            X509v3 Certificate Policies: 
+                Policy: 2.23.140.1.5.3.2
+            X509v3 Subject Alternative Name: 
+                email:[email protected]
+    Signature Algorithm: ecdsa-with-SHA256
+    Signature Value:
+        30:45:02:20:62:8f:48:b0:70:38:0c:a9:f1:5a:59:ab:6b:a5:
+        54:75:24:1f:4b:14:5e:c6:27:dc:b1:48:b5:cb:77:51:04:2d:
+        02:21:00:dd:bd:d3:5b:1d:0e:47:15:34:45:4c:a2:43:bb:0b:
+        de:58:39:d2:ee:75:10:c5:5e:59:19:05:85:b4:43:cd:9f
+-----BEGIN CERTIFICATE-----
+MIIBlTCCATugAwIBAgINAKoYQwp9YQ12VYe04jAKBggqhkjOPQQDAjAuMRAwDgYD
+VQQDDAdMaW50IENBMQ0wCwYDVQQKDARMaW50MQswCQYDVQQGEwJERTAeFw0yMzA5
+MDEwMDAwMDBaFw0yNDA5MDEwMDAwMDBaMDQxFjAUBgNVBAMMDVBlcnNvbmFsIE5h
+bWUxDTALBgNVBAoMBExpbnQxCzAJBgNVBAYTAkRFMFkwEwYHKoZIzj0CAQYIKoZI
+zj0DAQcDQgAER9jnHJPXQrKxzjYLaMG3eMgSNxI1mskFuPUu2cH+TxEHtyERFKRm
+KbxHekSYGhOIRRxGgA11dTIvTV09D7QrBKM4MDYwFAYDVR0gBA0wCzAJBgdngQwB
+BQMCMB4GA1UdEQQXMBWBE3Nhbm9ubHlAZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID
+SAAwRQIgYo9IsHA4DKnxWlmra6VUdSQfSxRexifcsUi1y3dRBC0CIQDdvdNbHQ5H
+FTRFTKJDuwveWDnS7nUQxV5ZGQWFtEPNnw==
+-----END CERTIFICATE-----