diff --git a/v3/lints/cabf_br/lint_ext_subject_key_identifier_not_recommended_subscriber.go b/v3/lints/cabf_br/lint_ext_subject_key_identifier_not_recommended_subscriber.go
index 6c50ab612..73d0d24c5 100644
--- a/v3/lints/cabf_br/lint_ext_subject_key_identifier_not_recommended_subscriber.go
+++ b/v3/lints/cabf_br/lint_ext_subject_key_identifier_not_recommended_subscriber.go
@@ -44,7 +44,7 @@ func init() {
 lint.RegisterCertificateLint(&lint.CertificateLint{
 LintMetadata: lint.LintMetadata{
 Name: "w_ext_subject_key_identifier_not_recommended_subscriber",
- Description: "Subcriber certificates use of Subject Key Identifier is NOT RECOMMENDED",
+ Description: "Subscriber certificates use of Subject Key Identifier is NOT RECOMMENDED",
 Citation: "BRs v2: 7.1.2.7.6",
 Source: lint.CABFBaselineRequirements,
 EffectiveDate: util.SC62EffectiveDate,
diff --git a/v3/lints/cabf_smime_br/mailbox_address_from_san.go b/v3/lints/cabf_smime_br/mailbox_address_from_san.go
index 0374003a4..9e2c75c2b 100644
--- a/v3/lints/cabf_smime_br/mailbox_address_from_san.go
+++ b/v3/lints/cabf_smime_br/mailbox_address_from_san.go
@@ -44,11 +44,7 @@ func NewMailboxAddressFromSAN() lint.LintInterface {
 // CheckApplies is returns true if the certificate's policies assert that it conforms to the SMIME BRs
 func (l *MailboxAddressFromSAN) CheckApplies(c *x509.Certificate) bool {
- if util.HasEKU(c, x509.ExtKeyUsageEmailProtection) || util.HasEKU(c, x509.ExtKeyUsageAny) {
- return true
- }
-
- return util.IsMailboxValidatedCertificate(c) && util.IsSubscriberCert(c)
+ return util.IsSMIMEBRCertificate(c) && util.IsSubscriberCert(c)
 }
 // Execute checks all the places where Mailbox Addresses may be found in an SMIME certificate and confirms that they are present in the SAN rfc822Name or SAN otherName
diff --git a/v3/lints/cabf_smime_br/mailbox_address_from_san_test.go b/v3/lints/cabf_smime_br/mailbox_address_from_san_test.go
index f8a80270d..3d3d23542 100644
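Review bot: The rewritten CheckApplies drops the EKU-based path, so a certificate that carries id-kp-emailProtection or anyExtendedKeyUsage but asserts no S/MIME BR policy OID is no longer linted at all, and the rewritten fixtures in this same diff (WithOnlySANEmail.pem, WithOnlySANOtherName.pem) remove the EKU and add policy 2.23.140.1.5.3.2, so nothing in the suite pins that NA result. If the narrowing is intended — IsSMIMEBRCertificate presumably keys on the CABF S/MIME policy OIDs, though its body is not in this diff — add a table entry such as `{Name: "NA - emailProtection EKU without SMIME BR policy OID", InputFilename: "...", ExpectedResult: lint.NA}` backed by an EKU-only fixture, so a later edit cannot silently widen or shrink applicability again. While here, the doc comment on the context line reads `// CheckApplies is returns true ...`; `// CheckApplies returns true if the certificate asserts an S/MIME BR policy OID and is a subscriber certificate.` states the new contract.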
--- a/v3/lints/cabf_smime_br/mailbox_address_from_san_test.go
+++ b/v3/lints/cabf_smime_br/mailbox_address_from_san_test.go
@@ -86,6 +86,19 @@ func TestMailboxAddressFromSANLint(t *testing.T) {
 ExpectedResult: lint.Error,
 ExpectedDetails: "all certificate mailbox addresses must be present in san:emailAddresses or san:otherNames in addition to any other field they may appear",
 },
+ {
+ Name: "fail - subject:commonName email address does not match san:emailAddress, certificate is sponsor validated",
+ InputFilename: "sponsorValidatedMultipurposeEmailInSubjectNotInSAN.pem",
+
+ ExpectedResult: lint.Error,
+ ExpectedDetails: "all certificate mailbox addresses must be present in san:emailAddresses or san:otherNames in addition to any other field they may appear",
+ },
+ {
+ Name: "pass - subject:commonName is personal name, san:emailAddress contains an email",
+ InputFilename: "sponsorValidatedMultipurposePersonalNameInCN.pem",
+
+ ExpectedResult: lint.Pass,
+ },
 }
 for _, tc := range testCases {
diff --git a/v3/testdata/smime/MailboxAddressFromSAN/WithOnlySANEmail.pem b/v3/testdata/smime/MailboxAddressFromSAN/WithOnlySANEmail.pem
index 8994e8986..7d86210d4 100644
--- a/v3/testdata/smime/MailboxAddressFromSAN/WithOnlySANEmail.pem
+++ b/v3/testdata/smime/MailboxAddressFromSAN/WithOnlySANEmail.pem
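Review bot: The first added case is named `fail - subject:commonName email address does not match san:emailAddress`, but its fixture sponsorValidatedMultipurposeEmailInSubjectNotInSAN.pem (further down in this diff) carries the mailbox in the subject `emailAddress` attribute and has no commonName at all, so the test does not exercise the CN path its name claims. Either rename it, e.g. `Name: "fail - subject:emailAddress does not match san:emailAddress, certificate is sponsor validated",` or add a second fixture whose CN holds the mailbox so both subject locations are covered. The `ExpectedDetails` string is duplicated verbatim from the preceding case; a package-level constant would keep the copies from drifting. TestMailboxAddressFromSANLint starts and ends outside this hunk.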
@@ -1,42 +1,43 @@
 Certificate:
 Data:
 Version: 3 (0x2)
- Serial Number: 3 (0x3)
+ Serial Number:
+ cd:06:4c:49:cc:33:16:20:51:36:00:f5
 Signature Algorithm: ecdsa-with-SHA256
- Issuer:
+ Issuer: CN = Lint CA, O = Lint, C = DE
 Validity
 Not Before: Sep 1 00:00:00 2023 GMT
- Not After : Nov 30 00:00:00 9998 GMT
+ Not After : Sep 1 00:00:00 2024 GMT
 Subject:
 Subject Public Key Info:
 Public Key Algorithm: id-ecPublicKey
 Public-Key: (256 bit)
 pub:
- 04:8e:4d:90:a7:a0:3f:15:e0:6a:de:89:e1:19:74:
- 23:51:db:37:5d:9c:21:13:db:7a:65:96:10:43:e5:
- 77:f6:dd:52:99:e1:5c:b9:08:81:07:71:cf:59:95:
- 2c:13:6a:bc:34:15:8a:b7:17:99:4c:d4:0d:b0:54:
- 8a:0a:6d:a7:60
+ 04:f3:ba:54:14:60:f2:4a:81:3a:fd:9e:e1:ca:aa:
+ 02:70:3a:f9:eb:cc:cb:09:aa:57:c1:f7:40:9b:8e:
+ ac:ff:1e:5c:5e:cc:9e:b3:d6:7e:15:2d:35:3f:b4:
+ 04:05:60:e9:27:bc:7f:86:3d:23:66:cc:96:be:e7:
+ 4a:da:f2:90:3e
 ASN1 OID: prime256v1
 NIST CURVE: P-256
 X509v3 extensions:
- X509v3 Extended Key Usage:
- E-mail Protection
- X509v3 Subject Alternative Name:
+ X509v3 Certificate Policies:
+ Policy: 2.23.140.1.5.3.2
+ X509v3 Subject Alternative Name: critical
 email:test@example.com
 Signature Algorithm: ecdsa-with-SHA256
 Signature Value:
- 30:44:02:20:63:fe:50:25:07:b3:7c:f1:cb:1a:3f:da:e4:17:
- d8:ec:95:33:08:65:c5:da:d2:4d:af:9d:fb:34:05:80:cb:2b:
- 02:20:63:c7:3b:dd:13:d7:3a:60:86:7a:34:c7:a0:a4:35:2b:
- fa:b9:03:37:14:75:cb:e9:8f:db:f9:85:ef:f9:4b:74
+ 30:45:02:20:5b:48:5a:9e:f1:34:fb:bb:52:68:1e:2d:dc:32:
+ 94:95:58:c4:66:b6:53:25:96:e7:91:30:b2:6d:61:bd:7a:da:
+ 02:21:00:a4:78:63:87:01:7e:4a:ae:1b:7e:52:4c:0f:32:09:
+ 86:fa:55:93:64:ec:13:22:cb:45:0c:80:2a:7e:b0:f8:e6
 -----BEGIN CERTIFICATE-----
-MIIBIzCBy6ADAgECAgEDMAoGCCqGSM49BAMCMAAwIBcNMjMwOTAxMDAwMDAwWhgP
-OTk5ODExMzAwMDAwMDBaMAAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASOTZCn
-oD8V4GreieEZdCNR2zddnCET23pllhBD5Xf23VKZ4Vy5CIEHcc9ZlSwTarw0FYq3
-F5lM1A2wVIoKbadgozQwMjATBgNVHSUEDDAKBggrBgEFBQcDBDAbBgNVHREEFDAS
-gRB0ZXN0QGV4YW1wbGUuY29tMAoGCCqGSM49BAMCA0cAMEQCIGP+UCUHs3zxyxo/
-2uQX2OyVMwhlxdrSTa+d+zQFgMsrAiBjxzvdE9c6YIZ6NMegpDUr+rkDNxR1y+mP
-2/mF7/lLdA==
+MIIBYTCCAQegAwIBAgINAM0GTEnMMxYgUTYA9TAKBggqhkjOPQQDAjAuMRAwDgYD
+VQQDDAdMaW50IENBMQ0wCwYDVQQKDARMaW50MQswCQYDVQQGEwJERTAeFw0yMzA5
+MDEwMDAwMDBaFw0yNDA5MDEwMDAwMDBaMAAwWTATBgcqhkjOPQIBBggqhkjOPQMB
+BwNCAATzulQUYPJKgTr9nuHKqgJwOvnrzMsJqlfB90Cbjqz/HlxezJ6z1n4VLTU/
+tAQFYOknvH+GPSNmzJa+50ra8pA+ozgwNjAUBgNVHSAEDTALMAkGB2eBDAEFAwIw
+HgYDVR0RAQH/BBQwEoEQdGVzdEBleGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBF
+AiBbSFqe8TT7u1JoHi3cMpSVWMRmtlMllueRMLJtYb162gIhAKR4Y4cBfkquG35S
+TA8yCYb6VZNk7BMiy0UMgCp+sPjm
 -----END CERTIFICATE-----
-
diff --git a/v3/testdata/smime/MailboxAddressFromSAN/WithOnlySANOtherName.pem b/v3/testdata/smime/MailboxAddressFromSAN/WithOnlySANOtherName.pem
index 091f41946..a6bb46a29 100644
--- a/v3/testdata/smime/MailboxAddressFromSAN/WithOnlySANOtherName.pem
+++ b/v3/testdata/smime/MailboxAddressFromSAN/WithOnlySANOtherName.pem
@@ -1,42 +1,43 @@
 Certificate:
 Data:
 Version: 3 (0x2)
- Serial Number: 3 (0x3)
+ Serial Number:
+ 6e:77:64:8f:2d:ca:f7:67:b9:66:ea:33
 Signature Algorithm: ecdsa-with-SHA256
- Issuer:
+ Issuer: CN = Lint CA, O = Lint, C = DE
 Validity
 Not Before: Sep 1 00:00:00 2023 GMT
- Not After : Nov 30 00:00:00 9998 GMT
+ Not After : Sep 1 00:00:00 2024 GMT
 Subject:
 Subject Public Key Info:
 Public Key Algorithm: id-ecPublicKey
 Public-Key: (256 bit)
 pub:
- 04:a5:21:3a:ef:c4:e4:dd:5d:ad:17:c4:b5:1a:6e:
- 43:72:02:a0:f5:a2:85:e6:56:1e:c7:fe:07:6b:c0:
- 0d:89:14:8e:8c:45:f4:32:24:22:62:d2:48:cc:b7:
- 3e:14:7f:10:d5:95:7f:45:b6:b6:93:40:a9:f6:8a:
- d6:07:64:0b:c6
+ 04:bc:08:e7:53:65:a4:14:04:48:b0:2c:35:bb:59:
+ 62:b5:4e:86:2b:d6:a5:0e:33:37:0f:83:a4:a2:8f:
+ 4d:63:70:19:1c:a0:4b:1d:45:b1:f4:12:b8:9f:27:
+ 56:71:0f:d1:af:02:bb:a2:9f:35:c3:14:cd:13:68:
+ 04:40:ec:89:b6
 ASN1 OID: prime256v1
 NIST CURVE: P-256
 X509v3 extensions:
- X509v3 Extended Key Usage:
- E-mail Protection
+ X509v3 Certificate Policies:
+ Policy: 2.23.140.1.5.3.2
 X509v3 Subject Alternative Name: critical
 othername: SmtpUTF8Mailbox::test@example.com
 Signature Algorithm: ecdsa-with-SHA256
 Signature Value:
- 30:45:02:21:00:b1:e6:48:b7:2d:ef:dc:ec:ca:ae:bb:4a:39:
- 61:d0:32:9e:e5:1f:6f:e0:64:bb:75:dd:50:27:ca:6e:f7:75:
- cf:02:20:77:33:c7:f4:79:96:99:5d:be:6b:e4:45:7b:11:18:
- 82:05:df:db:29:8d:83:5c:d1:91:81:cf:15:0b:2f:4f:8f
+ 30:45:02:20:20:d3:d2:af:09:14:23:91:a6:2a:10:ce:9b:9f:
+ 32:d8:f9:43:7c:a0:7e:b4:1a:c8:5e:0a:90:6f:d6:d5:ba:c8:
+ 02:21:00:f4:d7:50:77:27:12:3e:31:d7:4a:60:44:c6:8b:f7:
+ 0d:5d:a0:d6:e2:12:02:a5:ce:21:92:e4:ef:19:c9:86:c8
 -----BEGIN CERTIFICATE-----
-MIIBNTCB3KADAgECAgEDMAoGCCqGSM49BAMCMAAwIBcNMjMwOTAxMDAwMDAwWhgP
-OTk5ODExMzAwMDAwMDBaMAAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASlITrv
-xOTdXa0XxLUabkNyAqD1ooXmVh7H/gdrwA2JFI6MRfQyJCJi0kjMtz4UfxDVlX9F
-traTQKn2itYHZAvGo0UwQzATBgNVHSUEDDAKBggrBgEFBQcDBDAsBgNVHREBAf8E
-IjAgoB4GCCsGAQUFBwgJoBIMEHRlc3RAZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID
-SAAwRQIhALHmSLct79zsyq67Sjlh0DKe5R9v4GS7dd1QJ8pu93XPAiB3M8f0eZaZ
-Xb5r5EV7ERiCBd/bKY2DXNGRgc8VCy9Pjw==
+MIIBbjCCARSgAwIBAgIMbndkjy3K92e5ZuozMAoGCCqGSM49BAMCMC4xEDAOBgNV
+BAMMB0xpbnQgQ0ExDTALBgNVBAoMBExpbnQxCzAJBgNVBAYTAkRFMB4XDTIzMDkw
+MTAwMDAwMFoXDTI0MDkwMTAwMDAwMFowADBZMBMGByqGSM49AgEGCCqGSM49AwEH
+A0IABLwI51NlpBQESLAsNbtZYrVOhivWpQ4zNw+DpKKPTWNwGRygSx1FsfQSuJ8n
+VnEP0a8Cu6KfNcMUzRNoBEDsibajRjBEMBQGA1UdIAQNMAswCQYHZ4EMAQUDAjAs
+BgNVHREBAf8EIjAgoB4GCCsGAQUFBwgJoBIMEHRlc3RAZXhhbXBsZS5jb20wCgYI
+KoZIzj0EAwIDSAAwRQIgINPSrwkUI5GmKhDOm58y2PlDfKB+tBrIXgqQb9bVusgC
+IQD011B3JxI+MddKYETGi/cNXaDW4hICpc4hkuTvGcmGyA==
 -----END CERTIFICATE-----
-
diff --git a/v3/testdata/smime/MailboxAddressFromSAN/sponsorValidatedMultipurposeEmailInSubjectNotInSAN.pem b/v3/testdata/smime/MailboxAddressFromSAN/sponsorValidatedMultipurposeEmailInSubjectNotInSAN.pem
new file mode 100644
index 000000000..abc66a5c9
--- /dev/null
+++ b/v3/testdata/smime/MailboxAddressFromSAN/sponsorValidatedMultipurposeEmailInSubjectNotInSAN.pem
@@ -0,0 +1,44 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number:
+ e7:55:11:47:5d:8f:22:0b:ef:3b:81:c3
+ Signature Algorithm: ecdsa-with-SHA256
+ Issuer: CN = Lint CA, O = Lint, C = DE
+ Validity
+ Not Before: Sep 1 00:00:00 2023 GMT
+ Not After : Sep 1 00:00:00 2024 GMT
+ Subject: emailAddress = zlint@example.com, O = Lint, C = DE
+ Subject Public Key Info:
+ Public Key Algorithm: id-ecPublicKey
+ Public-Key: (256 bit)
+ pub:
+ 04:04:fe:3e:21:f9:28:32:5b:1b:dd:01:ef:44:43:
+ fa:0d:40:a0:44:36:14:52:a8:2b:93:c8:b0:5f:5f:
+ 16:49:b6:dc:84:29:ec:2a:cd:8f:d8:6e:21:1c:d0:
+ ca:df:fb:a5:48:7a:da:1f:84:97:5d:99:1e:5c:ef:
+ 18:8e:90:94:c6
+ ASN1 OID: prime256v1
+ NIST CURVE: P-256
+ X509v3 extensions:
+ X509v3 Certificate Policies:
+ Policy: 2.23.140.1.5.3.2
+ X509v3 Subject Alternative Name:
+ email:diff@example.com
+ Signature Algorithm: ecdsa-with-SHA256
+ Signature Value:
+ 30:44:02:20:2d:bd:d5:2d:dc:d9:ad:7d:8d:29:52:83:56:f0:
+ f5:1e:6d:ec:51:55:c8:93:1e:13:19:4d:66:c3:a6:74:23:19:
+ 02:20:43:30:15:b7:e8:69:6c:cf:4e:20:c6:18:45:f2:32:5a:
+ 80:68:fb:b1:27:43:83:5c:f8:e3:1f:3c:10:cf:68:40
+-----BEGIN CERTIFICATE-----
+MIIBmzCCAUKgAwIBAgINAOdVEUddjyIL7zuBwzAKBggqhkjOPQQDAjAuMRAwDgYD
+VQQDDAdMaW50IENBMQ0wCwYDVQQKDARMaW50MQswCQYDVQQGEwJERTAeFw0yMzA5
+MDEwMDAwMDBaFw0yNDA5MDEwMDAwMDBaMD4xIDAeBgkqhkiG9w0BCQEWEXpsaW50
+QGV4YW1wbGUuY29tMQ0wCwYDVQQKDARMaW50MQswCQYDVQQGEwJERTBZMBMGByqG
+SM49AgEGCCqGSM49AwEHA0IABAT+PiH5KDJbG90B70RD+g1AoEQ2FFKoK5PIsF9f
+Fkm23IQp7CrNj9huIRzQyt/7pUh62h+El12ZHlzvGI6QlMajNTAzMBQGA1UdIAQN
+MAswCQYHZ4EMAQUDAjAbBgNVHREEFDASgRBkaWZmQGV4YW1wbGUuY29tMAoGCCqG
+SM49BAMCA0cAMEQCIC291S3c2a19jSlSg1bw9R5t7FFVyJMeExlNZsOmdCMZAiBD
+MBW36Glsz04gxhhF8jJagGj7sSdDg1z44x88EM9oQA==
+-----END CERTIFICATE-----
diff --git a/v3/testdata/smime/MailboxAddressFromSAN/sponsorValidatedMultipurposePersonalNameInCN.pem b/v3/testdata/smime/MailboxAddressFromSAN/sponsorValidatedMultipurposePersonalNameInCN.pem
new file mode 100644
index 000000000..9a3c6473e
--- /dev/null
+++ b/v3/testdata/smime/MailboxAddressFromSAN/sponsorValidatedMultipurposePersonalNameInCN.pem
@@ -0,0 +1,44 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number:
+ aa:18:43:0a:7d:61:0d:76:55:87:b4:e2
+ Signature Algorithm: ecdsa-with-SHA256
+ Issuer: CN = Lint CA, O = Lint, C = DE
+ Validity
+ Not Before: Sep 1 00:00:00 2023 GMT
+ Not After : Sep 1 00:00:00 2024 GMT
+ Subject: CN = Personal Name, O = Lint, C = DE
+ Subject Public Key Info:
+ Public Key Algorithm: id-ecPublicKey
+ Public-Key: (256 bit)
+ pub:
+ 04:47:d8:e7:1c:93:d7:42:b2:b1:ce:36:0b:68:c1:
+ b7:78:c8:12:37:12:35:9a:c9:05:b8:f5:2e:d9:c1:
+ fe:4f:11:07:b7:21:11:14:a4:66:29:bc:47:7a:44:
+ 98:1a:13:88:45:1c:46:80:0d:75:75:32:2f:4d:5d:
+ 3d:0f:b4:2b:04
+ ASN1 OID: prime256v1
+ NIST CURVE: P-256
+ X509v3 extensions:
+ X509v3 Certificate Policies:
+ Policy: 2.23.140.1.5.3.2
+ X509v3 Subject Alternative Name:
+ email:sanonly@example.com
+ Signature Algorithm: ecdsa-with-SHA256
+ Signature Value:
+ 30:45:02:20:62:8f:48:b0:70:38:0c:a9:f1:5a:59:ab:6b:a5:
+ 54:75:24:1f:4b:14:5e:c6:27:dc:b1:48:b5:cb:77:51:04:2d:
+ 02:21:00:dd:bd:d3:5b:1d:0e:47:15:34:45:4c:a2:43:bb:0b:
+ de:58:39:d2:ee:75:10:c5:5e:59:19:05:85:b4:43:cd:9f
+-----BEGIN CERTIFICATE-----
+MIIBlTCCATugAwIBAgINAKoYQwp9YQ12VYe04jAKBggqhkjOPQQDAjAuMRAwDgYD
+VQQDDAdMaW50IENBMQ0wCwYDVQQKDARMaW50MQswCQYDVQQGEwJERTAeFw0yMzA5
+MDEwMDAwMDBaFw0yNDA5MDEwMDAwMDBaMDQxFjAUBgNVBAMMDVBlcnNvbmFsIE5h
+bWUxDTALBgNVBAoMBExpbnQxCzAJBgNVBAYTAkRFMFkwEwYHKoZIzj0CAQYIKoZI
+zj0DAQcDQgAER9jnHJPXQrKxzjYLaMG3eMgSNxI1mskFuPUu2cH+TxEHtyERFKRm
+KbxHekSYGhOIRRxGgA11dTIvTV09D7QrBKM4MDYwFAYDVR0gBA0wCzAJBgdngQwB
+BQMCMB4GA1UdEQQXMBWBE3Nhbm9ubHlAZXhhbXBsZS5jb20wCgYIKoZIzj0EAwID
+SAAwRQIgYo9IsHA4DKnxWlmra6VUdSQfSxRexifcsUi1y3dRBC0CIQDdvdNbHQ5H
+FTRFTKJDuwveWDnS7nUQxV5ZGQWFtEPNnw==
+-----END CERTIFICATE-----