-
Notifications
You must be signed in to change notification settings - Fork 109
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add lint enforcing the restrictions on subject DN fields for mailbox validated SMIME certificates #713
Merged
christopher-henderson
merged 13 commits into
zmap:master
from
robplee:mailbox_validated_fields_check
Aug 13, 2023
Merged
Add lint enforcing the restrictions on subject DN fields for mailbox validated SMIME certificates #713
Changes from 5 commits
Commits
Show all changes
13 commits
Select commit
Hold shift + click to select a range
f491844
Add lint enforcing the restrictions on subject DN fields for mailbox …
robplee cad8906
Add zlint copyright text to new files.
robplee 9dbd012
Add cabf_smime_br lint source to TestNotMissingAnyLintSources
robplee 10c5ef1
refactor lint to add lists of allowed and forbidden fields into the l…
robplee 745d87a
rename mailboxValidatedEnforceSubjectFieldRestrictions lint to no lon…
robplee 69d4a67
Update mailbox lint to use new certificatelint interface
robplee 1840f44
fix mailbox validated field lint unit tests, reorganise smime testdat…
robplee 01b00bb
Update v3/lints/cabf_smime_br/mailbox_validated_enforce_subject_field…
robplee 23ad0f5
attempt to address lint complaint with comment describing CheckApplie…
robplee a9fe5fb
Add explanatory comment to IsEmailProtectionCert
robplee 85ec757
Merge branch 'master' into mailbox_validated_fields_check
christopher-henderson 0b55900
Merge branch 'master' into mailbox_validated_fields_check
christopher-henderson 8634dce
Fix styling in time.go
christopher-henderson File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
94 changes: 94 additions & 0 deletions
94
v3/lints/cabf_smime_br/mailbox_validated_enforce_subject_field_restrictions.go
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,94 @@ | ||
package cabf_smime_br | ||
|
||
/* | ||
* ZLint Copyright 2021 Regents of the University of Michigan | ||
* | ||
* Licensed under the Apache License, Version 2.0 (the "License"); you may not | ||
* use this file except in compliance with the License. You may obtain a copy | ||
* of the License at http://www.apache.org/licenses/LICENSE-2.0 | ||
* | ||
* Unless required by applicable law or agreed to in writing, software | ||
* distributed under the License is distributed on an "AS IS" BASIS, | ||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or | ||
* implied. See the License for the specific language governing | ||
* permissions and limitations under the License. | ||
*/ | ||
|
||
import ( | ||
"fmt" | ||
|
||
"github.com/zmap/zcrypto/x509" | ||
"github.com/zmap/zlint/v3/lint" | ||
"github.com/zmap/zlint/v3/util" | ||
) | ||
|
||
// mailboxValidatedEnforceSubjectFieldRestrictions - linter to enforce MAY/SHALL NOT requirements for mailbox validated SMIME certificates | ||
type mailboxValidatedEnforceSubjectFieldRestrictions struct { | ||
robplee marked this conversation as resolved.
Show resolved
Hide resolved
|
||
forbiddenSubjectFields map[string]string | ||
allowedSubjectFields map[string]string | ||
} | ||
|
||
func init() { | ||
lint.RegisterLint(&lint.Lint{ | ||
robplee marked this conversation as resolved.
Show resolved
Hide resolved
|
||
Name: "e_mailbox_validated_enforce_subject_field_restrictions", | ||
Description: "SMIME certificates complying to mailbox validated profiles MAY only contain commonName, serialNumber or emailAddress attributes in the Subject DN", | ||
Citation: "SMIME BRs: 7.1.4.2.3", | ||
Source: lint.CABFSMIMEBaselineRequirements, | ||
EffectiveDate: util.CABF_SMIME_BRs_1_0_0_Date, | ||
Lint: func() lint.LintInterface { | ||
robplee marked this conversation as resolved.
Show resolved
Hide resolved
|
||
return NewMailboxValidatedEnforceSubjectFieldRestrictions() | ||
}, | ||
}) | ||
} | ||
|
||
// NewMailboxValidatedEnforceSubjectFieldRestrictions creates a new linter to enforce MAY/SHALL NOT field requirements for mailbox validated SMIME certs | ||
func NewMailboxValidatedEnforceSubjectFieldRestrictions() lint.LintInterface { | ||
return &mailboxValidatedEnforceSubjectFieldRestrictions{ | ||
forbiddenSubjectFields: map[string]string{ | ||
"0.9.2342.19200300.100.1.25": "subject:domainComponent", | ||
"1.3.6.1.4.1.311.60.2.1.1": "subject:jurisdictionLocality", | ||
"1.3.6.1.4.1.311.60.2.1.2": "subject:jurisdictionProvince", | ||
"1.3.6.1.4.1.311.60.2.1.3": "subject:jurisdictionCountry", | ||
"2.5.4.4": "subject:surname", | ||
"2.5.4.6": "subject:countryName", | ||
"2.5.4.7": "subject:localityName", | ||
"2.5.4.8": "subject:stateOrProvinceName", | ||
"2.5.4.9": "subject:streetAddress", | ||
"2.5.4.10": "subject:organizationName", | ||
"2.5.4.11": "subject:organizationalUnitName", | ||
"2.5.4.12": "subject:title", | ||
"2.5.4.17": "subject:postalCode", | ||
"2.5.4.42": "subject:givenName", | ||
"2.5.4.65": "subject:pseudonym", | ||
"2.5.4.97": "subject:organizationIdentifier", | ||
}, | ||
allowedSubjectFields: map[string]string{ | ||
"1.2.840.113549.1.9.1": "subject:emailAddress", | ||
"2.5.4.3": "subject:commonName", | ||
"2.5.4.5": "subject:serialNumber", | ||
}, | ||
} | ||
} | ||
|
||
// CheckApplies is returns true if the certificate's policies assert that it conforms to the mailbox validated SMIME BRs | ||
robplee marked this conversation as resolved.
Show resolved
Hide resolved
|
||
func (l *mailboxValidatedEnforceSubjectFieldRestrictions) CheckApplies(c *x509.Certificate) bool { | ||
return util.IsMailboxValidatedCertificate(c) | ||
} | ||
|
||
// Execute applies the requirements on what fields are allowed for mailbox validated SMIME certificates | ||
func (l *mailboxValidatedEnforceSubjectFieldRestrictions) Execute(c *x509.Certificate) *lint.LintResult { | ||
for _, rdnSeq := range c.Subject.OriginalRDNS { | ||
for _, field := range rdnSeq { | ||
oidStr := field.Type.String() | ||
christopher-henderson marked this conversation as resolved.
Show resolved
Hide resolved
|
||
|
||
if _, ok := l.allowedSubjectFields[oidStr]; !ok { | ||
if fieldName, knownField := l.forbiddenSubjectFields[oidStr]; knownField { | ||
return &lint.LintResult{Status: lint.Error, Details: fmt.Sprintf("subject DN contains forbidden field: %s (%s)", fieldName, oidStr)} | ||
} | ||
return &lint.LintResult{Status: lint.Error, Details: fmt.Sprintf("subject DN contains forbidden field: %s", oidStr)} | ||
} | ||
} | ||
} | ||
|
||
return &lint.LintResult{Status: lint.Pass} | ||
} |
73 changes: 73 additions & 0 deletions
73
v3/lints/cabf_smime_br/mailbox_validated_enforce_subject_field_restrictions_test.go
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,73 @@ | ||
package cabf_smime_br | ||
|
||
/* | ||
* ZLint Copyright 2021 Regents of the University of Michigan | ||
* | ||
* Licensed under the Apache License, Version 2.0 (the "License"); you may not | ||
* use this file except in compliance with the License. You may obtain a copy | ||
* of the License at http://www.apache.org/licenses/LICENSE-2.0 | ||
* | ||
* Unless required by applicable law or agreed to in writing, software | ||
* distributed under the License is distributed on an "AS IS" BASIS, | ||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or | ||
* implied. See the License for the specific language governing | ||
* permissions and limitations under the License. | ||
*/ | ||
|
||
import ( | ||
"testing" | ||
|
||
"github.com/zmap/zlint/v3/lint" | ||
"github.com/zmap/zlint/v3/test" | ||
) | ||
|
||
func TestMailboxValidatedEnforceSubjectFieldRestrictions(t *testing.T) { | ||
testCases := []struct { | ||
Name string | ||
InputFilename string | ||
|
||
ExpectedResult lint.LintStatus | ||
ExpectedDetails string | ||
}{ | ||
{ | ||
Name: "ok - certificate with commonName", | ||
InputFilename: "mailboxValidatedLegacyWithCommonName.pem", | ||
ExpectedResult: lint.Pass, | ||
}, | ||
{ | ||
Name: "ok - certificate without mailbox validated policy", | ||
InputFilename: "domainValidatedWithEmailCommonName.pem", | ||
ExpectedResult: lint.NA, | ||
}, | ||
{ | ||
Name: "ok - certificate with NotBefore before effective date of lint", | ||
InputFilename: "mailboxValidatedLegacyWithCommonNameMay2023.pem", | ||
ExpectedResult: lint.NE, | ||
}, | ||
{ | ||
Name: "error - certificate with countryName", | ||
InputFilename: "mailboxValidatedLegacyWithCountryName.pem", | ||
ExpectedResult: lint.Error, | ||
ExpectedDetails: "subject DN contains forbidden field: subject:countryName (2.5.4.6)", | ||
}, | ||
{ | ||
Name: "error - certificate containing nonsense subject field (1.2.3.4.5.6.7.8.9.0)", | ||
InputFilename: "mailboxValidatedMultipurposeWithNonsenseSubjectField.pem", | ||
ExpectedResult: lint.Error, | ||
ExpectedDetails: "subject DN contains forbidden field: 1.2.3.4.5.6.7.8.9.0", | ||
}, | ||
} | ||
|
||
for _, tc := range testCases { | ||
t.Run(tc.Name, func(t *testing.T) { | ||
result := test.TestLint("e_mailbox_validated_enforce_subject_field_restrictions", tc.InputFilename) | ||
if result.Status != tc.ExpectedResult { | ||
t.Errorf("expected result %v was %v - details: %v", tc.ExpectedResult, result.Status, result.Details) | ||
} | ||
|
||
if tc.ExpectedDetails != "" && tc.ExpectedDetails != result.Details { | ||
t.Errorf("expected details: %s, was %s", tc.ExpectedDetails, result.Details) | ||
} | ||
}) | ||
} | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,39 @@ | ||
Certificate: | ||
Data: | ||
Version: 3 (0x2) | ||
Serial Number: 3 (0x3) | ||
Signature Algorithm: ecdsa-with-SHA256 | ||
Issuer: | ||
Validity | ||
Not Before: Sep 2 00:00:00 2023 GMT | ||
Not After : Nov 30 00:00:00 9998 GMT | ||
Subject: CN = [email protected] | ||
Subject Public Key Info: | ||
Public Key Algorithm: id-ecPublicKey | ||
Public-Key: (256 bit) | ||
pub: | ||
04:0d:74:25:fa:6f:5f:3a:2f:ff:16:bf:a3:be:f1: | ||
02:ac:59:ed:e9:22:4e:5e:31:11:31:89:d1:2e:7c: | ||
c6:df:e0:43:65:8a:24:aa:67:83:ae:82:46:16:e8: | ||
66:1a:ce:b2:e7:55:ef:63:7c:d7:13:ac:ca:27:dc: | ||
c8:3e:cf:1f:bd | ||
ASN1 OID: prime256v1 | ||
NIST CURVE: P-256 | ||
X509v3 extensions: | ||
X509v3 Certificate Policies: | ||
Policy: 2.23.140.1.2.1 | ||
|
||
Signature Algorithm: ecdsa-with-SHA256 | ||
30:44:02:20:66:73:1c:1f:93:6b:bb:2c:3a:80:49:42:3d:28: | ||
be:18:ab:87:71:8c:60:b5:17:c6:07:3d:e0:bc:0d:5c:d4:1c: | ||
02:20:71:11:4a:e7:31:97:c3:27:e6:ed:52:2e:60:cc:86:89: | ||
c1:1e:47:c0:9b:ac:cf:65:31:a8:f4:a4:15:6e:a6:32 | ||
-----BEGIN CERTIFICATE----- | ||
MIIBJzCBz6ADAgECAgEDMAoGCCqGSM49BAMCMAAwIBcNMjMwOTAyMDAwMDAwWhgP | ||
OTk5ODExMzAwMDAwMDBaMCExHzAdBgNVBAMMFmJyYWluc0B0cmFjeWlzbGFuZC5j | ||
b20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQNdCX6b186L/8Wv6O+8QKsWe3p | ||
Ik5eMRExidEufMbf4ENliiSqZ4OugkYW6GYazrLnVe9jfNcTrMon3Mg+zx+9oxcw | ||
FTATBgNVHSAEDDAKMAgGBmeBDAECATAKBggqhkjOPQQDAgNHADBEAiBmcxwfk2u7 | ||
LDqASUI9KL4Yq4dxjGC1F8YHPeC8DVzUHAIgcRFK5zGXwyfm7VIuYMyGicEeR8Cb | ||
rM9lMaj0pBVupjI= | ||
-----END CERTIFICATE----- |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,39 @@ | ||
Certificate: | ||
Data: | ||
Version: 3 (0x2) | ||
Serial Number: 3 (0x3) | ||
Signature Algorithm: ecdsa-with-SHA256 | ||
Issuer: | ||
Validity | ||
Not Before: Sep 2 00:00:00 2023 GMT | ||
Not After : Nov 30 00:00:00 9998 GMT | ||
Subject: CN = [email protected] | ||
Subject Public Key Info: | ||
Public Key Algorithm: id-ecPublicKey | ||
Public-Key: (256 bit) | ||
pub: | ||
04:8c:b9:d4:53:05:fc:2d:f5:4b:77:63:d7:2c:bf: | ||
fc:d9:a0:d7:68:6f:ce:3c:6a:5a:1a:bb:f1:a4:3a: | ||
ea:ad:e6:bc:90:ea:a4:70:b8:1f:3c:da:02:c6:7d: | ||
6e:b2:93:8b:8f:4b:b2:ed:20:94:6e:6e:59:35:fc: | ||
bc:31:7f:75:bc | ||
ASN1 OID: prime256v1 | ||
NIST CURVE: P-256 | ||
X509v3 extensions: | ||
X509v3 Certificate Policies: | ||
Policy: 2.23.140.1.5.1.1 | ||
|
||
Signature Algorithm: ecdsa-with-SHA256 | ||
30:45:02:21:00:e4:9b:da:66:53:b2:f0:52:71:69:da:16:79: | ||
09:04:12:dc:79:5b:0c:35:b6:df:46:2a:37:0b:c3:1b:15:8c: | ||
e2:02:20:61:6e:98:a7:3a:b5:bd:32:05:aa:ee:df:fb:20:3a: | ||
5e:a0:67:4f:6f:fe:ad:f8:2c:b2:53:05:9a:e7:c2:21:62 | ||
-----BEGIN CERTIFICATE----- | ||
MIIBKTCB0KADAgECAgEDMAoGCCqGSM49BAMCMAAwIBcNMjMwOTAyMDAwMDAwWhgP | ||
OTk5ODExMzAwMDAwMDBaMCExHzAdBgNVBAMMFmJyYWluc0B0cmFjeWlzbGFuZC5j | ||
b20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASMudRTBfwt9Ut3Y9csv/zZoNdo | ||
b848aloau/GkOuqt5ryQ6qRwuB882gLGfW6yk4uPS7LtIJRublk1/Lwxf3W8oxgw | ||
FjAUBgNVHSAEDTALMAkGB2eBDAEFAQEwCgYIKoZIzj0EAwIDSAAwRQIhAOSb2mZT | ||
svBScWnaFnkJBBLceVsMNbbfRio3C8MbFYziAiBhbpinOrW9MgWq7t/7IDpeoGdP | ||
b/6t+CyyUwWa58IhYg== | ||
-----END CERTIFICATE----- |
39 changes: 39 additions & 0 deletions
39
v3/testdata/mailboxValidatedLegacyWithCommonNameMay2023.pem
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,39 @@ | ||
Certificate: | ||
Data: | ||
Version: 3 (0x2) | ||
Serial Number: 3 (0x3) | ||
Signature Algorithm: ecdsa-with-SHA256 | ||
Issuer: | ||
Validity | ||
Not Before: May 2 00:00:00 2023 GMT | ||
Not After : Nov 30 00:00:00 9998 GMT | ||
Subject: CN = [email protected] | ||
Subject Public Key Info: | ||
Public Key Algorithm: id-ecPublicKey | ||
Public-Key: (256 bit) | ||
pub: | ||
04:ae:c3:b8:71:e1:ea:7f:8e:e7:0f:9a:f5:e0:98: | ||
cd:a8:f3:d9:13:4d:fb:1d:1b:37:2b:56:83:5c:5c: | ||
de:77:60:f4:f7:05:59:59:38:d3:ff:64:17:e5:da: | ||
ef:51:03:20:81:b9:32:00:b2:6f:b6:34:6d:f8:00: | ||
a0:ff:0f:eb:03 | ||
ASN1 OID: prime256v1 | ||
NIST CURVE: P-256 | ||
X509v3 extensions: | ||
X509v3 Certificate Policies: | ||
Policy: 2.23.140.1.5.1.1 | ||
|
||
Signature Algorithm: ecdsa-with-SHA256 | ||
30:46:02:21:00:d4:34:07:e7:93:dc:44:6b:45:cd:8e:33:fa: | ||
6b:68:8c:76:ff:bf:f0:69:ca:26:e3:a2:a8:4f:fd:d2:29:4a: | ||
13:02:21:00:ad:28:cf:d7:ca:7f:a4:91:7c:ca:c3:c9:2d:fe: | ||
7f:cc:6d:27:c5:3d:31:f6:26:70:69:da:67:bc:9a:98:c6:24 | ||
-----BEGIN CERTIFICATE----- | ||
MIIBKjCB0KADAgECAgEDMAoGCCqGSM49BAMCMAAwIBcNMjMwNTAyMDAwMDAwWhgP | ||
OTk5ODExMzAwMDAwMDBaMCExHzAdBgNVBAMMFmJyYWluc0B0cmFjeWlzbGFuZC5j | ||
b20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASuw7hx4ep/jucPmvXgmM2o89kT | ||
TfsdGzcrVoNcXN53YPT3BVlZONP/ZBfl2u9RAyCBuTIAsm+2NG34AKD/D+sDoxgw | ||
FjAUBgNVHSAEDTALMAkGB2eBDAEFAQEwCgYIKoZIzj0EAwIDSQAwRgIhANQ0B+eT | ||
3ERrRc2OM/praIx2/7/wacom46KoT/3SKUoTAiEArSjP18p/pJF8ysPJLf5/zG0n | ||
xT0x9iZwadpnvJqYxiQ= | ||
-----END CERTIFICATE----- |
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Opening salvo!