Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add lint enforcing the restrictions on subject DN fields for mailbox validated SMIME certificates #713

Merged
Merged
Show file tree
Hide file tree
Changes from 5 commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 3 additions & 0 deletions v3/lint/base.go
Original file line number Diff line number Diff line change
Expand Up @@ -221,6 +221,9 @@ func (l *CertificateLint) Execute(cert *x509.Certificate, config Configuration)
if l.Source == CABFBaselineRequirements && !util.IsServerAuthCert(cert) {
return &LintResult{Status: NA}
}
if l.Source == CABFSMIMEBaselineRequirements && !util.IsEmailProtectionCert(cert) {

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Opening salvo!

return &LintResult{Status: NA}
}
lint := l.Lint()
err := config.MaybeConfigure(lint, l.Name)
if err != nil {
Expand Down
25 changes: 13 additions & 12 deletions v3/lint/source.go
Original file line number Diff line number Diff line change
Expand Up @@ -27,18 +27,19 @@ import (
type LintSource string

const (
UnknownLintSource LintSource = "Unknown"
RFC3279 LintSource = "RFC3279"
RFC5280 LintSource = "RFC5280"
RFC5480 LintSource = "RFC5480"
RFC5891 LintSource = "RFC5891"
RFC8813 LintSource = "RFC8813"
CABFBaselineRequirements LintSource = "CABF_BR"
CABFEVGuidelines LintSource = "CABF_EV"
MozillaRootStorePolicy LintSource = "Mozilla"
AppleRootStorePolicy LintSource = "Apple"
Community LintSource = "Community"
EtsiEsi LintSource = "ETSI_ESI"
UnknownLintSource LintSource = "Unknown"
RFC3279 LintSource = "RFC3279"
RFC5280 LintSource = "RFC5280"
RFC5480 LintSource = "RFC5480"
RFC5891 LintSource = "RFC5891"
RFC8813 LintSource = "RFC8813"
CABFBaselineRequirements LintSource = "CABF_BR"
CABFSMIMEBaselineRequirements LintSource = "CABF_SMIME_BR"
CABFEVGuidelines LintSource = "CABF_EV"
MozillaRootStorePolicy LintSource = "Mozilla"
AppleRootStorePolicy LintSource = "Apple"
Community LintSource = "Community"
EtsiEsi LintSource = "ETSI_ESI"
)

// UnmarshalJSON implements the json.Unmarshaler interface. It ensures that the
Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,94 @@
package cabf_smime_br

/*
* ZLint Copyright 2021 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/

import (
"fmt"

"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v3/lint"
"github.com/zmap/zlint/v3/util"
)

// mailboxValidatedEnforceSubjectFieldRestrictions - linter to enforce MAY/SHALL NOT requirements for mailbox validated SMIME certificates
type mailboxValidatedEnforceSubjectFieldRestrictions struct {
robplee marked this conversation as resolved.
Show resolved Hide resolved
forbiddenSubjectFields map[string]string
allowedSubjectFields map[string]string
}

func init() {
lint.RegisterLint(&lint.Lint{
robplee marked this conversation as resolved.
Show resolved Hide resolved
Name: "e_mailbox_validated_enforce_subject_field_restrictions",
Description: "SMIME certificates complying to mailbox validated profiles MAY only contain commonName, serialNumber or emailAddress attributes in the Subject DN",
Citation: "SMIME BRs: 7.1.4.2.3",
Source: lint.CABFSMIMEBaselineRequirements,
EffectiveDate: util.CABF_SMIME_BRs_1_0_0_Date,
Lint: func() lint.LintInterface {
robplee marked this conversation as resolved.
Show resolved Hide resolved
return NewMailboxValidatedEnforceSubjectFieldRestrictions()
},
})
}

// NewMailboxValidatedEnforceSubjectFieldRestrictions creates a new linter to enforce MAY/SHALL NOT field requirements for mailbox validated SMIME certs
func NewMailboxValidatedEnforceSubjectFieldRestrictions() lint.LintInterface {
return &mailboxValidatedEnforceSubjectFieldRestrictions{
forbiddenSubjectFields: map[string]string{
"0.9.2342.19200300.100.1.25": "subject:domainComponent",
"1.3.6.1.4.1.311.60.2.1.1": "subject:jurisdictionLocality",
"1.3.6.1.4.1.311.60.2.1.2": "subject:jurisdictionProvince",
"1.3.6.1.4.1.311.60.2.1.3": "subject:jurisdictionCountry",
"2.5.4.4": "subject:surname",
"2.5.4.6": "subject:countryName",
"2.5.4.7": "subject:localityName",
"2.5.4.8": "subject:stateOrProvinceName",
"2.5.4.9": "subject:streetAddress",
"2.5.4.10": "subject:organizationName",
"2.5.4.11": "subject:organizationalUnitName",
"2.5.4.12": "subject:title",
"2.5.4.17": "subject:postalCode",
"2.5.4.42": "subject:givenName",
"2.5.4.65": "subject:pseudonym",
"2.5.4.97": "subject:organizationIdentifier",
},
allowedSubjectFields: map[string]string{
"1.2.840.113549.1.9.1": "subject:emailAddress",
"2.5.4.3": "subject:commonName",
"2.5.4.5": "subject:serialNumber",
},
}
}

// CheckApplies is returns true if the certificate's policies assert that it conforms to the mailbox validated SMIME BRs
robplee marked this conversation as resolved.
Show resolved Hide resolved
func (l *mailboxValidatedEnforceSubjectFieldRestrictions) CheckApplies(c *x509.Certificate) bool {
return util.IsMailboxValidatedCertificate(c)
}

// Execute applies the requirements on what fields are allowed for mailbox validated SMIME certificates
func (l *mailboxValidatedEnforceSubjectFieldRestrictions) Execute(c *x509.Certificate) *lint.LintResult {
for _, rdnSeq := range c.Subject.OriginalRDNS {
for _, field := range rdnSeq {
oidStr := field.Type.String()
christopher-henderson marked this conversation as resolved.
Show resolved Hide resolved

if _, ok := l.allowedSubjectFields[oidStr]; !ok {
if fieldName, knownField := l.forbiddenSubjectFields[oidStr]; knownField {
return &lint.LintResult{Status: lint.Error, Details: fmt.Sprintf("subject DN contains forbidden field: %s (%s)", fieldName, oidStr)}
}
return &lint.LintResult{Status: lint.Error, Details: fmt.Sprintf("subject DN contains forbidden field: %s", oidStr)}
}
}
}

return &lint.LintResult{Status: lint.Pass}
}
Original file line number Diff line number Diff line change
@@ -0,0 +1,73 @@
package cabf_smime_br

/*
* ZLint Copyright 2021 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/

import (
"testing"

"github.com/zmap/zlint/v3/lint"
"github.com/zmap/zlint/v3/test"
)

func TestMailboxValidatedEnforceSubjectFieldRestrictions(t *testing.T) {
testCases := []struct {
Name string
InputFilename string

ExpectedResult lint.LintStatus
ExpectedDetails string
}{
{
Name: "ok - certificate with commonName",
InputFilename: "mailboxValidatedLegacyWithCommonName.pem",
ExpectedResult: lint.Pass,
},
{
Name: "ok - certificate without mailbox validated policy",
InputFilename: "domainValidatedWithEmailCommonName.pem",
ExpectedResult: lint.NA,
},
{
Name: "ok - certificate with NotBefore before effective date of lint",
InputFilename: "mailboxValidatedLegacyWithCommonNameMay2023.pem",
ExpectedResult: lint.NE,
},
{
Name: "error - certificate with countryName",
InputFilename: "mailboxValidatedLegacyWithCountryName.pem",
ExpectedResult: lint.Error,
ExpectedDetails: "subject DN contains forbidden field: subject:countryName (2.5.4.6)",
},
{
Name: "error - certificate containing nonsense subject field (1.2.3.4.5.6.7.8.9.0)",
InputFilename: "mailboxValidatedMultipurposeWithNonsenseSubjectField.pem",
ExpectedResult: lint.Error,
ExpectedDetails: "subject DN contains forbidden field: 1.2.3.4.5.6.7.8.9.0",
},
}

for _, tc := range testCases {
t.Run(tc.Name, func(t *testing.T) {
result := test.TestLint("e_mailbox_validated_enforce_subject_field_restrictions", tc.InputFilename)
if result.Status != tc.ExpectedResult {
t.Errorf("expected result %v was %v - details: %v", tc.ExpectedResult, result.Status, result.Details)
}

if tc.ExpectedDetails != "" && tc.ExpectedDetails != result.Details {
t.Errorf("expected details: %s, was %s", tc.ExpectedDetails, result.Details)
}
})
}
}
16 changes: 9 additions & 7 deletions v3/profiles/profiles_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -22,6 +22,7 @@ import (
_ "github.com/zmap/zlint/v3/lints/apple"
_ "github.com/zmap/zlint/v3/lints/cabf_br"
_ "github.com/zmap/zlint/v3/lints/cabf_ev"
_ "github.com/zmap/zlint/v3/lints/cabf_smime_br"
_ "github.com/zmap/zlint/v3/lints/community"
_ "github.com/zmap/zlint/v3/lints/etsi"
_ "github.com/zmap/zlint/v3/lints/mozilla"
Expand All @@ -45,13 +46,14 @@ func TestLintsInAllProfilesExist(t *testing.T) {
// lint source in the future that we don't miss importing it into this test file.
func TestNotMissingAnyLintSources(t *testing.T) {
expected := map[string]bool{
"apple": true,
"cabf_br": true,
"cabf_ev": true,
"community": true,
"etsi": true,
"mozilla": true,
"rfc": true,
"apple": true,
"cabf_br": true,
"cabf_ev": true,
"cabf_smime_br": true,
"community": true,
"etsi": true,
"mozilla": true,
"rfc": true,
}
dir, err := ioutil.ReadDir("../lints")
if err != nil {
Expand Down
39 changes: 39 additions & 0 deletions v3/testdata/domainValidatedWithEmailCommonName.pem
Original file line number Diff line number Diff line change
@@ -0,0 +1,39 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 3 (0x3)
Signature Algorithm: ecdsa-with-SHA256
Issuer:
Validity
Not Before: Sep 2 00:00:00 2023 GMT
Not After : Nov 30 00:00:00 9998 GMT
Subject: CN = [email protected]
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:0d:74:25:fa:6f:5f:3a:2f:ff:16:bf:a3:be:f1:
02:ac:59:ed:e9:22:4e:5e:31:11:31:89:d1:2e:7c:
c6:df:e0:43:65:8a:24:aa:67:83:ae:82:46:16:e8:
66:1a:ce:b2:e7:55:ef:63:7c:d7:13:ac:ca:27:dc:
c8:3e:cf:1f:bd
ASN1 OID: prime256v1
NIST CURVE: P-256
X509v3 extensions:
X509v3 Certificate Policies:
Policy: 2.23.140.1.2.1

Signature Algorithm: ecdsa-with-SHA256
30:44:02:20:66:73:1c:1f:93:6b:bb:2c:3a:80:49:42:3d:28:
be:18:ab:87:71:8c:60:b5:17:c6:07:3d:e0:bc:0d:5c:d4:1c:
02:20:71:11:4a:e7:31:97:c3:27:e6:ed:52:2e:60:cc:86:89:
c1:1e:47:c0:9b:ac:cf:65:31:a8:f4:a4:15:6e:a6:32
-----BEGIN CERTIFICATE-----
MIIBJzCBz6ADAgECAgEDMAoGCCqGSM49BAMCMAAwIBcNMjMwOTAyMDAwMDAwWhgP
OTk5ODExMzAwMDAwMDBaMCExHzAdBgNVBAMMFmJyYWluc0B0cmFjeWlzbGFuZC5j
b20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQNdCX6b186L/8Wv6O+8QKsWe3p
Ik5eMRExidEufMbf4ENliiSqZ4OugkYW6GYazrLnVe9jfNcTrMon3Mg+zx+9oxcw
FTATBgNVHSAEDDAKMAgGBmeBDAECATAKBggqhkjOPQQDAgNHADBEAiBmcxwfk2u7
LDqASUI9KL4Yq4dxjGC1F8YHPeC8DVzUHAIgcRFK5zGXwyfm7VIuYMyGicEeR8Cb
rM9lMaj0pBVupjI=
-----END CERTIFICATE-----
39 changes: 39 additions & 0 deletions v3/testdata/mailboxValidatedLegacyWithCommonName.pem
Original file line number Diff line number Diff line change
@@ -0,0 +1,39 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 3 (0x3)
Signature Algorithm: ecdsa-with-SHA256
Issuer:
Validity
Not Before: Sep 2 00:00:00 2023 GMT
Not After : Nov 30 00:00:00 9998 GMT
Subject: CN = [email protected]
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:8c:b9:d4:53:05:fc:2d:f5:4b:77:63:d7:2c:bf:
fc:d9:a0:d7:68:6f:ce:3c:6a:5a:1a:bb:f1:a4:3a:
ea:ad:e6:bc:90:ea:a4:70:b8:1f:3c:da:02:c6:7d:
6e:b2:93:8b:8f:4b:b2:ed:20:94:6e:6e:59:35:fc:
bc:31:7f:75:bc
ASN1 OID: prime256v1
NIST CURVE: P-256
X509v3 extensions:
X509v3 Certificate Policies:
Policy: 2.23.140.1.5.1.1

Signature Algorithm: ecdsa-with-SHA256
30:45:02:21:00:e4:9b:da:66:53:b2:f0:52:71:69:da:16:79:
09:04:12:dc:79:5b:0c:35:b6:df:46:2a:37:0b:c3:1b:15:8c:
e2:02:20:61:6e:98:a7:3a:b5:bd:32:05:aa:ee:df:fb:20:3a:
5e:a0:67:4f:6f:fe:ad:f8:2c:b2:53:05:9a:e7:c2:21:62
-----BEGIN CERTIFICATE-----
MIIBKTCB0KADAgECAgEDMAoGCCqGSM49BAMCMAAwIBcNMjMwOTAyMDAwMDAwWhgP
OTk5ODExMzAwMDAwMDBaMCExHzAdBgNVBAMMFmJyYWluc0B0cmFjeWlzbGFuZC5j
b20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASMudRTBfwt9Ut3Y9csv/zZoNdo
b848aloau/GkOuqt5ryQ6qRwuB882gLGfW6yk4uPS7LtIJRublk1/Lwxf3W8oxgw
FjAUBgNVHSAEDTALMAkGB2eBDAEFAQEwCgYIKoZIzj0EAwIDSAAwRQIhAOSb2mZT
svBScWnaFnkJBBLceVsMNbbfRio3C8MbFYziAiBhbpinOrW9MgWq7t/7IDpeoGdP
b/6t+CyyUwWa58IhYg==
-----END CERTIFICATE-----
39 changes: 39 additions & 0 deletions v3/testdata/mailboxValidatedLegacyWithCommonNameMay2023.pem
Original file line number Diff line number Diff line change
@@ -0,0 +1,39 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 3 (0x3)
Signature Algorithm: ecdsa-with-SHA256
Issuer:
Validity
Not Before: May 2 00:00:00 2023 GMT
Not After : Nov 30 00:00:00 9998 GMT
Subject: CN = [email protected]
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:ae:c3:b8:71:e1:ea:7f:8e:e7:0f:9a:f5:e0:98:
cd:a8:f3:d9:13:4d:fb:1d:1b:37:2b:56:83:5c:5c:
de:77:60:f4:f7:05:59:59:38:d3:ff:64:17:e5:da:
ef:51:03:20:81:b9:32:00:b2:6f:b6:34:6d:f8:00:
a0:ff:0f:eb:03
ASN1 OID: prime256v1
NIST CURVE: P-256
X509v3 extensions:
X509v3 Certificate Policies:
Policy: 2.23.140.1.5.1.1

Signature Algorithm: ecdsa-with-SHA256
30:46:02:21:00:d4:34:07:e7:93:dc:44:6b:45:cd:8e:33:fa:
6b:68:8c:76:ff:bf:f0:69:ca:26:e3:a2:a8:4f:fd:d2:29:4a:
13:02:21:00:ad:28:cf:d7:ca:7f:a4:91:7c:ca:c3:c9:2d:fe:
7f:cc:6d:27:c5:3d:31:f6:26:70:69:da:67:bc:9a:98:c6:24
-----BEGIN CERTIFICATE-----
MIIBKjCB0KADAgECAgEDMAoGCCqGSM49BAMCMAAwIBcNMjMwNTAyMDAwMDAwWhgP
OTk5ODExMzAwMDAwMDBaMCExHzAdBgNVBAMMFmJyYWluc0B0cmFjeWlzbGFuZC5j
b20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASuw7hx4ep/jucPmvXgmM2o89kT
TfsdGzcrVoNcXN53YPT3BVlZONP/ZBfl2u9RAyCBuTIAsm+2NG34AKD/D+sDoxgw
FjAUBgNVHSAEDTALMAkGB2eBDAEFAQEwCgYIKoZIzj0EAwIDSQAwRgIhANQ0B+eT
3ERrRc2OM/praIx2/7/wacom46KoT/3SKUoTAiEArSjP18p/pJF8ysPJLf5/zG0n
xT0x9iZwadpnvJqYxiQ=
-----END CERTIFICATE-----
Loading