Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add lints for S/MIME BR 7.1.2.3.b #779

Merged
merged 13 commits into from
Mar 9, 2024
Merged

Conversation

bitlux
Copy link
Contributor

@bitlux bitlux commented Dec 13, 2023

This addresses the first open task of #712.

}
}
}
return &lint.LintResult{Status: lint.Pass}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks like it passes if a CRL distribution point is not present.

b. cRLDistributionPoints (SHALL be present

This extension SHOULD NOT be marked critical. It SHALL contain at least one distributionPoint...

I realize this requirement doesn't perfectly match the lint name, but it is part of 7.1.2.3.b. Is the intention to follow this up with another PR that finishes 7.1.2.3.b?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is covered separately in #742.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The rest of 7.1.2.3.b is handled by #742.

}

func (l *subscriberCrlDistributionPointsHTTP) CheckApplies(c *x509.Certificate) bool {
return util.IsSubscriberCert(c) && (util.IsMultipurposeSMIMECertificate(c) || util.IsStrictSMIMECertificate(c))
Copy link
Contributor

@jdkasten jdkasten Dec 18, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we need to handle Legacy certificates in this PR or acknowledge that the work has not yet been completed.

Edit: Requirement - "Legacy - At least one uniformResourceIdentifier SHALL have the URI scheme HTTP. Other schemes (LDAP, FTP, ...) MAY be present."
https://github.com/cabforum/smime/blob/main/SBR.md#7123-subscriber-certificates

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I see that the original bug (#712) did not mention the legacy requirement. I think that is a gap on the requirements, but presumably this could be left as a followup.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

IMO the challenge with that is that it leaves a gap in the requirement the lint is fulfilling. From purely a tracking perspective, we'd have to add another task to the checklist for handling the legacy version of the same lint.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I updated this PR to handle legacy certificates.

Copy link
Contributor

@robplee robplee left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Only minor complaints, I doubt it'll take you long at all to address them

Name: "error - cert without a non-HTTP CRL distribution point",
InputFilename: "smime/subscriber_with_non_http_crl_distribution_point.pem",
ExpectedResult: lint.Error,
},
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could you add an expected details check to ensure the lint is failing for the right reasons in your test cases?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done. Thanks for the review.

InputFilename: "smime/legacy_subscriber_with_non_http_crl_distribution_point.pem",
ExpectedResult: lint.Error,
},
}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you also add a test case for a legacy certificate with one http CRL distribution point and one non-HTTP distribution point? It wouldn't hurt to add a failing case on non-legacy with the same setup although it's not strictly required it would show that your lint is effectively covering it's multipurpose(s)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I commented "Done" on your other comment twice when I meant to comment it on both comments (including this one). I'm still kinda new to GitHub.

func init() {
lint.RegisterLint(&lint.Lint{
Name: "e_subscribers_crl_distribution_points_are_http",
Description: "cRLDistributionPoints SHALL have URL scheme HTTP.",
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Minor, but the BR uses 'URI' rather than 'URL' in this section.

Suggested change
Description: "cRLDistributionPoints SHALL have URL scheme HTTP.",
Description: "cRLDistributionPoints SHALL have URI scheme HTTP.",

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I suggest a similar change to the details of the error if you opt to make this change. Otherwise the PR looks good to me.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done. Thanks for the review.

@zakird
Copy link
Member

zakird commented Feb 25, 2024

It looks like changes have been made to address raised concerns. @robplee and @jdkasten , does this now look good to you?

Copy link
Contributor

@jdkasten jdkasten left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks, Adam! Just two nits.

@christopher-henderson christopher-henderson merged commit a063d31 into zmap:master Mar 9, 2024
4 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

7 participants