Add lint to check that EV certificates contain only allowed attribute…

…s in the Subject (#902) * Add files via upload * Add files via upload * Add files via upload * Add files via upload * Update lint_invalid_subject_rdn_order_test.go Added //nolint:all to comment block to avoid golangci-lint to complain about duplicate words in comment * Update lint_invalid_subject_rdn_order.go Fixed import block * Update v3/lints/cabf_br/lint_invalid_subject_rdn_order.go Fine to me. Co-authored-by: Christopher Henderson <[email protected]> * Update lint_invalid_subject_rdn_order.go As per Chris Henderson's suggestion, to "improve readability". * Update lint_invalid_subject_rdn_order_test.go As per Chris Henderson's suggestion. * Update time.go Added CABFEV_Sec9_2_8_Date * Add files via upload * Add files via upload * Revised according to Chris and Corey suggestions * Add files via upload * Add files via upload * Delete v3/lints/cabf_br/lint_e_invalid_cps_uri.go * Delete v3/lints/cabf_br/lint_e_invalid_cps_uri_test.go * Delete v3/testdata/invalid_cps_uri_ko_01.pem * Delete v3/testdata/invalid_cps_uri_ko_02.pem * Delete v3/testdata/invalid_cps_uri_ko_03.pem * Delete v3/testdata/invalid_cps_uri_ok_01.pem * Delete v3/testdata/invalid_cps_uri_ok_02.pem * Delete v3/testdata/invalid_cps_uri_ok_03.pem * Add files via upload * Add files via upload * Update config.json * Add files via upload * Update lint_extra_subject_attribs.go * Update time.go --------- Co-authored-by: Christopher Henderson <[email protected]>
zmap · Dec 8, 2024 · 82c722b · 82c722b
1 parent 529e5e5
commit 82c722b
Show file tree

Hide file tree

Showing 9 changed files with 723 additions and 0 deletions.
diff --git a/v3/integration/config.json b/v3/integration/config.json
@@ -976,6 +976,9 @@
     },
     "e_subj_country_not_uppercase": {
         "ErrCount": 1303
+    },
+    "e_ev_extra_subject_attribs": {
+        "ErrCount": 63
     }
   }
 }
diff --git a/v3/lints/cabf_ev/lint_extra_subject_attribs.go b/v3/lints/cabf_ev/lint_extra_subject_attribs.go
@@ -0,0 +1,100 @@
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+/*
+ * Contributed by Adriano Santoni <[email protected]>
+ */
+
+package cabf_ev
+
+import (
+	"github.com/zmap/zcrypto/x509"
+	"github.com/zmap/zlint/v3/lint"
+	"github.com/zmap/zlint/v3/util"
+
+	"crypto/x509/pkix"
+	"encoding/asn1"
+	"fmt"
+)
+
+func init() {
+	lint.RegisterCertificateLint(&lint.CertificateLint{
+		LintMetadata: lint.LintMetadata{
+			Name:          "e_ev_extra_subject_attribs",
+			Description:   "CAs SHALL NOT include any Subject Distinguished Name attributes except as specified...",
+			Citation:      "EVGs §7.1.4.2.9",
+			Source:        lint.CABFEVGuidelines,
+			EffectiveDate: util.SC16EffectiveDate,
+		},
+		Lint: NewExtraSubjectAttribs,
+	})
+}
+
+type extraSubjectAttribs struct{}
+
+func NewExtraSubjectAttribs() lint.LintInterface {
+	return &extraSubjectAttribs{}
+}
+
+func (l *extraSubjectAttribs) CheckApplies(c *x509.Certificate) bool {
+	return util.IsEV(c.PolicyIdentifiers) && util.IsSubscriberCert(c)
+}
+
+/*
+ * We also include the OU attribute here, even though it is now banned, because this lint
+ * deals with a more general requirement that came into force long before the OU ban,
+ * and there is already another lint that deals with the OU attribute specifically.
+ *
+ * The organizationIdentifier attribute is only permitted starting from 21-may-2019 (EVGL 1.7.0),
+ * which is slightly after SC16 came into force, however any certificates that contain this
+ * attribute and were issued before that date have long since expired, so it makes no difference.
+ */
+var allowedAttribs = map[string]bool{
+	"1.3.6.1.4.1.311.60.2.1.1": true, // joiLocalityName
+	"1.3.6.1.4.1.311.60.2.1.2": true, // joiStateOrProvinceName
+	"1.3.6.1.4.1.311.60.2.1.3": true, // joiCountryName
+	"2.5.4.3":                  true, // commonName
+	"2.5.4.5":                  true, // serialNumber
+	"2.5.4.6":                  true, // countryName
+	"2.5.4.7":                  true, // localityName
+	"2.5.4.8":                  true, // stateOrProvinceName
+	"2.5.4.9":                  true, // streetAddress
+	"2.5.4.10":                 true, // organizationName
+	"2.5.4.11":                 true, // organizationalUnitName
+	"2.5.4.15":                 true, // businessCategory
+	"2.5.4.17":                 true, // postalCode
+	"2.5.4.97":                 true, // organizationIdentifier
+}
+
+func (l *extraSubjectAttribs) Execute(c *x509.Certificate) *lint.LintResult {
+
+	var rdnSequence pkix.RDNSequence
+	_, err := asn1.Unmarshal(c.RawSubject, &rdnSequence)
+	if err != nil {
+		return &lint.LintResult{Status: lint.Fatal}
+	}
+
+	for _, rdn := range rdnSequence {
+		for _, atv := range rdn {
+			if !allowedAttribs[atv.Type.String()] {
+				return &lint.LintResult{
+					Status:  lint.Error,
+					Details: fmt.Sprintf("Subject attribute %s is not allowed in EV certificates", atv.Type.String()),
+				}
+			}
+		}
+	}
+
+	return &lint.LintResult{Status: lint.Pass}
+}
diff --git a/v3/lints/cabf_ev/lint_extra_subject_attribs_test.go b/v3/lints/cabf_ev/lint_extra_subject_attribs_test.go
@@ -0,0 +1,73 @@
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+package cabf_ev
+
+import (
+	"testing"
+
+	"github.com/zmap/zlint/v3/lint"
+	"github.com/zmap/zlint/v3/test"
+)
+
+/*
+ * Test cases
+ *
+ *      File                         Description
+ *      ------------------------     -------------
+ *      extra_subj_attrs_na1.pem     CA certificate
+ *      extra_subj_attrs_na2.pem     OV Subscriber certificate
+ *      extra_subj_attrs_ok1.pem     EV Subscriber certificate with valid Subject
+ *      extra_subj_attrs_ne1.pem     EV Subscriber certificate with invalid Subject, issued before effective date
+ *      extra_subj_attrs_ko1.pem     EV Subscriber certificate with invalid Subject, issued after effective date
+ *
+ */
+
+func TestExtraSubjectAttribs(t *testing.T) {
+	type Data struct {
+		input string
+		want  lint.LintStatus
+	}
+	data := []Data{
+		{
+			input: "extra_subj_attrs_na1.pem",
+			want:  lint.NA,
+		},
+		{
+			input: "extra_subj_attrs_na2.pem",
+			want:  lint.NA,
+		},
+		{
+			input: "extra_subj_attrs_ok1.pem",
+			want:  lint.Pass,
+		},
+		{
+			input: "extra_subj_attrs_ne1.pem",
+			want:  lint.NE,
+		},
+		{
+			input: "extra_subj_attrs_ko1.pem",
+			want:  lint.Error,
+		},
+	}
+	for _, testData := range data {
+		testData := testData
+		t.Run(testData.input, func(t *testing.T) {
+			out := test.TestLint("e_ev_extra_subject_attribs", testData.input)
+			if out.Status != testData.want {
+				t.Errorf("expected %s, got %s", testData.want, out.Status)
+			}
+		})
+	}
+}
diff --git a/v3/testdata/extra_subj_attrs_ko1.pem b/v3/testdata/extra_subj_attrs_ko1.pem
@@ -0,0 +1,101 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            2b:2a:cd:c0:f6:58:82:5b:9a:72:3c:9f:3b:39:6f:30
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = XX, O = Some CA, CN = Fake CA for zlint testing
+        Validity
+            Not Before: Jul  4 04:31:44 2024 GMT
+            Not After : Jul  4 04:31:44 2025 GMT
+        Subject: C = IT, ST = Some State or Province, L = Somewhere, O = Some Company Ltd., CN = example.org, serialNumber = 1234567890, postOfficeBox = 12345
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                RSA Public-Key: (2048 bit)
+                Modulus:
+                    00:a6:25:29:3d:58:9c:78:2b:98:c0:d0:b8:01:b6:
+                    4c:e7:1c:a4:9f:83:bb:91:1d:ad:48:08:6f:bd:23:
+                    19:ad:f8:ba:1b:16:bf:76:1e:07:78:d1:cd:8c:f5:
+                    84:ba:f5:94:fd:af:d3:cf:bf:3c:c6:4f:65:97:4a:
+                    e7:ed:04:bb:a0:6c:b4:2a:e9:8e:2b:b8:9c:41:cb:
+                    d2:b7:09:b6:0b:f4:2c:e1:cc:9a:38:0e:ba:47:59:
+                    94:28:fd:73:fc:1d:1b:f3:d8:ce:57:99:81:5b:9d:
+                    d2:4b:19:ac:d5:7e:7c:84:62:ba:68:00:1c:a8:be:
+                    f7:37:b0:61:ca:cc:a0:5f:52:15:b9:af:4e:e9:53:
+                    79:68:57:2c:cc:a2:ab:5d:8e:de:f9:4a:27:12:fe:
+                    d7:63:53:54:7b:69:02:47:7b:35:cf:1f:b3:d7:59:
+                    ab:54:48:48:f8:e9:c4:66:98:75:4a:1d:bb:47:66:
+                    93:e4:e7:28:b9:75:91:56:86:a1:ae:29:ca:92:72:
+                    96:4d:49:c0:43:ad:36:35:6d:db:4a:9f:8c:0f:de:
+                    bb:68:6e:38:00:a0:e6:5c:5c:c5:2a:ba:93:1a:31:
+                    98:d6:90:44:21:5a:7f:09:41:db:15:85:0b:ae:77:
+                    84:f2:60:73:21:09:d8:0c:88:d9:09:5a:02:d2:05:
+                    42:f1
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Key Usage: critical
+                Digital Signature, Key Encipherment
+            X509v3 Extended Key Usage: 
+                TLS Web Client Authentication, TLS Web Server Authentication
+            X509v3 Subject Key Identifier: 
+                0C:AC:27:F2:A5:94:5F:B4:9B:40:93:6B:79:E6:10:35:AE:F6:2D:CB
+            X509v3 Authority Key Identifier: 
+                keyid:E8:B6:F6:76:4B:D0:3B:E5:46:A5:F9:54:D4:7E:07:B3:DE:0D:60:3E
+
+            Authority Information Access: 
+                OCSP - URI:http://ca.someca-inc.com/ocsp
+                CA Issuers - URI:http://ca.someca-inc.com/root
+
+            X509v3 Subject Alternative Name: 
+                DNS:example.org
+            X509v3 Certificate Policies: 
+                Policy: 2.23.140.1.1
+
+            X509v3 CRL Distribution Points: 
+
+                Full Name:
+                  URI:http://ca.someca-inc.com/crl
+
+    Signature Algorithm: sha256WithRSAEncryption
+         49:f5:b3:65:03:8b:cd:2b:25:83:7c:e3:9e:ed:47:fe:58:23:
+         5f:a6:78:2f:e7:89:2e:f3:d3:0b:ba:7d:76:a0:5c:83:92:56:
+         2c:9e:1b:80:c6:36:a8:90:5d:a7:99:f8:dd:d9:83:dc:dc:10:
+         bc:ca:a4:ed:c2:6d:8e:7f:35:63:0c:ba:37:cf:73:fc:44:d1:
+         43:e0:ee:df:12:21:a9:2e:a4:b9:08:83:f8:88:b2:50:ad:a2:
+         97:59:db:4f:64:79:70:c7:4b:3d:f4:bd:76:51:72:c4:91:28:
+         4f:79:38:74:95:21:16:bb:23:b6:13:01:72:5b:2c:21:b7:ec:
+         a3:15:90:87:cd:8d:c3:99:0a:8a:db:ec:bd:0d:78:26:64:da:
+         5b:94:b7:3e:f8:5c:52:3f:bd:94:ab:2a:9f:1d:9c:7e:d4:a5:
+         f7:99:56:81:c3:35:76:12:b1:8f:24:ff:73:75:b9:56:6e:17:
+         dc:db:4d:1d:d3:ed:3f:e6:70:2e:dd:a2:c6:cc:10:ed:5e:a1:
+         5e:4d:f0:72:48:8e:65:66:53:4d:66:43:c6:00:00:03:e3:e9:
+         57:9a:5a:dc:de:04:c0:c8:ee:19:75:ed:39:a7:ba:be:fc:fc:
+         d4:fd:2e:69:7c:df:a1:2f:31:3f:c3:2f:b4:c0:63:95:e6:b2:
+         c1:76:34:d2
+-----BEGIN CERTIFICATE-----
+MIIEnTCCA4WgAwIBAgIQKyrNwPZYgluacjyfOzlvMDANBgkqhkiG9w0BAQsFADBD
+MQswCQYDVQQGEwJYWDEQMA4GA1UEChMHU29tZSBDQTEiMCAGA1UEAxMZRmFrZSBD
+QSBmb3IgemxpbnQgdGVzdGluZzAeFw0yNDA3MDQwNDMxNDRaFw0yNTA3MDQwNDMx
+NDRaMIGZMQswCQYDVQQGEwJJVDEfMB0GA1UECBMWU29tZSBTdGF0ZSBvciBQcm92
+aW5jZTESMBAGA1UEBxMJU29tZXdoZXJlMRowGAYDVQQKExFTb21lIENvbXBhbnkg
+THRkLjEUMBIGA1UEAxMLZXhhbXBsZS5vcmcxEzARBgNVBAUTCjEyMzQ1Njc4OTAx
+DjAMBgNVBBITBTEyMzQ1MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
+piUpPViceCuYwNC4AbZM5xykn4O7kR2tSAhvvSMZrfi6Gxa/dh4HeNHNjPWEuvWU
+/a/Tz788xk9ll0rn7QS7oGy0KumOK7icQcvStwm2C/Qs4cyaOA66R1mUKP1z/B0b
+89jOV5mBW53SSxms1X58hGK6aAAcqL73N7BhysygX1IVua9O6VN5aFcszKKrXY7e
++UonEv7XY1NUe2kCR3s1zx+z11mrVEhI+OnEZph1Sh27R2aT5OcouXWRVoahrinK
+knKWTUnAQ602NW3bSp+MD967aG44AKDmXFzFKrqTGjGY1pBEIVp/CUHbFYULrneE
+8mBzIQnYDIjZCVoC0gVC8QIDAQABo4IBNDCCATAwDgYDVR0PAQH/BAQDAgWgMB0G
+A1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDATAdBgNVHQ4EFgQUDKwn8qWUX7Sb
+QJNreeYQNa72LcswHwYDVR0jBBgwFoAU6Lb2dkvQO+VGpflU1H4Hs94NYD4wZAYI
+KwYBBQUHAQEEWDBWMCkGCCsGAQUFBzABhh1odHRwOi8vY2Euc29tZWNhLWluYy5j
+b20vb2NzcDApBggrBgEFBQcwAoYdaHR0cDovL2NhLnNvbWVjYS1pbmMuY29tL3Jv
+b3QwFgYDVR0RBA8wDYILZXhhbXBsZS5vcmcwEgYDVR0gBAswCTAHBgVngQwBATAt
+BgNVHR8EJjAkMCKgIKAehhxodHRwOi8vY2Euc29tZWNhLWluYy5jb20vY3JsMA0G
+CSqGSIb3DQEBCwUAA4IBAQBJ9bNlA4vNKyWDfOOe7Uf+WCNfpngv54ku89MLun12
+oFyDklYsnhuAxjaokF2nmfjd2YPc3BC8yqTtwm2OfzVjDLo3z3P8RNFD4O7fEiGp
+LqS5CIP4iLJQraKXWdtPZHlwx0s99L12UXLEkShPeTh0lSEWuyO2EwFyWywht+yj
+FZCHzY3DmQqK2+y9DXgmZNpblLc++FxSP72UqyqfHZx+1KX3mVaBwzV2ErGPJP9z
+dblWbhfc200d0+0/5nAu3aLGzBDtXqFeTfBySI5lZlNNZkPGAAAD4+lXmlrc3gTA
+yO4Zde05p7q+/PzU/S5pfN+hLzE/wy+0wGOV5rLBdjTS
+-----END CERTIFICATE-----