diff --git a/h b/h new file mode 100644 index 000000000..f55a9eac8 --- /dev/null +++ b/h 
@@ -0,0 +1,8846 @@ +commit 9bd48d488919a55a0e2228677ef57b3e1f273ba9 (HEAD -> qc_type_web_also_smime) +Author: mtgag +Date: Thu Feb 27 09:35:06 2025 +0100 + + updated test config for new lint + +commit 1b69c403f1e1cde9bcb193d043f6da64706d1556 +Author: mtgag +Date: Thu Feb 27 09:26:39 2025 +0100 + + considering SMIME certificates + +commit d5aec9bd93fa361e4a276a4c0ece53d286303193 (origin/master, origin/HEAD, master) +Author: mtgag +Date: Tue Feb 18 15:33:26 2025 +0100 + + synchronised with project + +commit 6662edf0e1159a5c025e284c47ae58e123302e71 +Merge: f0991f98 04d863f7 +Author: mtgag +Date: Tue Jun 18 05:55:48 2024 +0200 + + Merge https://github.com/zmap/zlint + +commit 04d863f7660edfe0498162334524742397226fb2 +Author: Martijn Katerbarg +Date: Mon Jun 17 16:17:27 2024 +0200 + + cabfOrganizationIdentifier extension for VAT and PSD based organizationIdentifiers cannot have referenceStateOrProvince (#848) + + * cabfOrganizationIdentifier lint for PSD based QWAC certificates + + * cabfOrganizationIdentifier referenceStateOrProvince lint for PSD and VAT based QWAC certificates + + * Provide Bad Test Cert + + * Add "e_" to lint name + + * Also add "e_" to test case + + * Update lint_cabf_org_identifier_psd_vat_has_state.go + + * Reference v1.7.0 section 9.2.8 + + --------- + + Co-authored-by: Christopher Henderson + +commit e5da476b15be77968e50510f819a54ab1fa3b952 +Author: Adriano Santoni +Date: Sun Jun 16 21:23:03 2024 +0200 + + Improve the util.IsServerAuthCert() function (#856) + + * Add files via upload + + * Add files via upload + + * Add files via upload + + * Add files via upload + + * Update lint_invalid_subject_rdn_order_test.go + + Added //nolint:all to comment block to avoid golangci-lint to complain about duplicate words in comment + + * Update lint_invalid_subject_rdn_order.go + + Fixed import block + + * Update v3/lints/cabf_br/lint_invalid_subject_rdn_order.go + + Fine to me. 
+ + Co-authored-by: Christopher Henderson + + * Update lint_invalid_subject_rdn_order.go + + As per Chris Henderson's suggestion, to "improve readability". + + * Update lint_invalid_subject_rdn_order_test.go + + As per Chris Henderson's suggestion. + + * Update time.go + + Added CABFEV_Sec9_2_8_Date + + * Add files via upload + + * Add files via upload + + * Revised according to Chris and Corey suggestions + + * Add files via upload + + * Add files via upload + + * Delete v3/lints/cabf_br/lint_e_invalid_cps_uri.go + + * Delete v3/lints/cabf_br/lint_e_invalid_cps_uri_test.go + + * Delete v3/testdata/invalid_cps_uri_ko_01.pem + + * Delete v3/testdata/invalid_cps_uri_ko_02.pem + + * Delete v3/testdata/invalid_cps_uri_ko_03.pem + + * Delete v3/testdata/invalid_cps_uri_ok_01.pem + + * Delete v3/testdata/invalid_cps_uri_ok_02.pem + + * Delete v3/testdata/invalid_cps_uri_ok_03.pem + + * Update ca.go + + * Update config.json + + * Update config.json + + --------- + + Co-authored-by: Christopher Henderson + +commit 5b73e7b8fdcbabe138c745f1e6151fb18737f3c6 +Author: Mathew Hodson +Date: Sun Jun 16 15:12:28 2024 -0400 + + Fix ExpectedDetails of passing invalid subject test (#846) + + Co-authored-by: Christopher Henderson + +commit 899709e95046383a8f6bdd52bd61c45b9eab279e +Author: MTG <36234449+mtgag@users.noreply.github.com> +Date: Sun Jun 16 20:22:02 2024 +0200 + + Aia ca issuers must have http only (#852) + + * lint about the encoding of qcstatements for PSD2 + + * Revert "lint about the encoding of qcstatements for PSD2" + + This reverts commit 6c2367080d148f4b8c01f96a4c80e3ac55d1ef26. 
+ + * util: gtld_map autopull updates for 2021-10-21T07:25:20 UTC + + * always check and perform the operation in the execution + + * synchronised with project + + * synchronised with project + + * synchronised with project + + * synchronised with project + + * fixed merge error + + * synchronised with project + + * synchronised with project + + * Revert "synchronised with project" + + This reverts commit bad73ee2d5669394cde3053d300f285a91f75fd6. + + * Revert "synchronised with project" + + This reverts commit 2cd7d087f4a812d4ef3640560edf1d07cce2ea56. + + * new lint; The id-ad-caIssuers accessMethod must contain an HTTP URL of the Issuing CA’s certificate; removed unnecessary assertion from older lint. + + * update to consider HTTPS (not only HTTP) URLs also. + + * this is already covered by PR #846 + + * addressing issues in PR discussion + + --------- + + Co-authored-by: mtg + Co-authored-by: GitHub + Co-authored-by: Christopher Henderson + +commit ae8d59405f1926eb418d496cd0415b8a4fa88e04 +Author: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> +Date: Wed Jun 12 23:52:44 2024 -0400 + + util: gtld_map autopull updates for 2024-06-12T22:19:30 UTC (#854) + + Co-authored-by: GitHub + +commit b14a83bb192056a51b26cb9d66370fa7d978f373 +Author: Martijn Katerbarg +Date: Sun Jun 9 19:30:35 2024 +0200 + + fix: Only apply CN check for Subscriber certificates (#851) + + Co-authored-by: Christopher Henderson + +commit bf3764c2b225b5942bea7e96de3d429e1a4cb093 +Author: Phil Porada +Date: Sun Jun 9 13:21:44 2024 -0400 + + Cleanup some unnecessary allocations (#849) + + Co-authored-by: Christopher Henderson + +commit f0991f985f5ceb4797b7de39c236bdfe62c47ed3 +Merge: 4d467299 26ca0f3b +Author: mtgag +Date: Thu Jun 6 07:11:46 2024 +0200 + + Merge https://github.com/zmap/zlint + +commit 26ca0f3bed092ef6e6b34f546f68068ae9d808a1 +Author: Adriano Santoni +Date: Sun Jun 2 22:07:35 2024 +0200 + + Add lint to check for duplicate subject attributes (ATVs) (#850) + 
+ * Add files via upload + + * Add files via upload + + * Add files via upload + + * Add files via upload + + * Update lint_invalid_subject_rdn_order_test.go + + Added //nolint:all to comment block to avoid golangci-lint to complain about duplicate words in comment + + * Update lint_invalid_subject_rdn_order.go + + Fixed import block + + * Update v3/lints/cabf_br/lint_invalid_subject_rdn_order.go + + Fine to me. + + Co-authored-by: Christopher Henderson + + * Update lint_invalid_subject_rdn_order.go + + As per Chris Henderson's suggestion, to "improve readability". + + * Update lint_invalid_subject_rdn_order_test.go + + As per Chris Henderson's suggestion. + + * Update time.go + + Added CABFEV_Sec9_2_8_Date + + * Add files via upload + + * Add files via upload + + * Revised according to Chris and Corey suggestions + + * Add files via upload + + * Add files via upload + + * Delete v3/lints/cabf_br/lint_e_invalid_cps_uri.go + + * Delete v3/lints/cabf_br/lint_e_invalid_cps_uri_test.go + + * Delete v3/testdata/invalid_cps_uri_ko_01.pem + + * Delete v3/testdata/invalid_cps_uri_ko_02.pem + + * Delete v3/testdata/invalid_cps_uri_ko_03.pem + + * Delete v3/testdata/invalid_cps_uri_ok_01.pem + + * Delete v3/testdata/invalid_cps_uri_ok_02.pem + + * Delete v3/testdata/invalid_cps_uri_ok_03.pem + + * Add files via upload + + * Add files via upload + + --------- + + Co-authored-by: Christopher Henderson + +commit c8164d8a086ff6e3dd419b2ace95784d32f49c57 +Author: Adriano Santoni +Date: Sun May 26 18:32:55 2024 +0200 + + Add lint to check that SubCA certificates do not have illegal values in their EKU extension (#840) + + * Add files via upload + + * Add files via upload + + * Add files via upload + + * Add files via upload + + * Update lint_invalid_subject_rdn_order_test.go + + Added //nolint:all to comment block to avoid golangci-lint to complain about duplicate words in comment + + * Update lint_invalid_subject_rdn_order.go + + Fixed import block + + * Update 
v3/lints/cabf_br/lint_invalid_subject_rdn_order.go + + Fine to me. + + Co-authored-by: Christopher Henderson + + * Update lint_invalid_subject_rdn_order.go + + As per Chris Henderson's suggestion, to "improve readability". + + * Update lint_invalid_subject_rdn_order_test.go + + As per Chris Henderson's suggestion. + + * Update time.go + + Added CABFEV_Sec9_2_8_Date + + * Add files via upload + + * Add files via upload + + * Revised according to Chris and Corey suggestions + + * Add files via upload + + * Add files via upload + + * Delete v3/lints/cabf_br/lint_e_invalid_cps_uri.go + + * Delete v3/lints/cabf_br/lint_e_invalid_cps_uri_test.go + + * Delete v3/testdata/invalid_cps_uri_ko_01.pem + + * Delete v3/testdata/invalid_cps_uri_ko_02.pem + + * Delete v3/testdata/invalid_cps_uri_ko_03.pem + + * Delete v3/testdata/invalid_cps_uri_ok_01.pem + + * Delete v3/testdata/invalid_cps_uri_ok_02.pem + + * Delete v3/testdata/invalid_cps_uri_ok_03.pem + + * Add files via upload + + * Add files via upload + + * Update config.json + + * Update lint_ca_invalid_eku.go + + --------- + + Co-authored-by: Christopher Henderson + +commit 068ae82324696a6f484be9baa6085318e7851112 +Author: MTG <36234449+mtgag@users.noreply.github.com> +Date: Sat May 25 17:12:33 2024 +0200 + + Avoid warning dv cn (#843) + + * lint about the encoding of qcstatements for PSD2 + + * Revert "lint about the encoding of qcstatements for PSD2" + + This reverts commit 6c2367080d148f4b8c01f96a4c80e3ac55d1ef26. + + * util: gtld_map autopull updates for 2021-10-21T07:25:20 UTC + + * always check and perform the operation in the execution + + * synchronised with project + + * synchronised with project + + * synchronised with project + + * synchronised with project + + * fixed merge error + + * synchronised with project + + * synchronised with project + + * Revert "synchronised with project" + + This reverts commit bad73ee2d5669394cde3053d300f285a91f75fd6. 
+ + * Revert "synchronised with project" + + This reverts commit 2cd7d087f4a812d4ef3640560edf1d07cce2ea56. + + * avoiding warning when CN is present. + + --------- + + Co-authored-by: mtg + Co-authored-by: GitHub + Co-authored-by: Christopher Henderson + +commit 8523152e2c47c83321a145b1e777a9996bd714dd +Author: Rob Stradling +Date: Fri May 24 22:58:46 2024 +0100 + + Fix handling of Subject:commonName not present in lint for BR 7.1.4.2.2a mailbox-validated (#845) + + * Fix handling of Subject:commonName not present in lint for BR 7.1.4.2.2a mailbox-validated + + * Add test case for no commonName attribute present + +commit 456dc01dad591ddaaf005f6a955fbca032379c0f +Author: Adriano Santoni +Date: Sun May 19 20:09:35 2024 +0200 + + Add lint to check that an SCT list is not empty (#837) + + * Add files via upload + + * Add files via upload + + * Add files via upload + + * Add files via upload + + * Update lint_invalid_subject_rdn_order_test.go + + Added //nolint:all to comment block to avoid golangci-lint to complain about duplicate words in comment + + * Update lint_invalid_subject_rdn_order.go + + Fixed import block + + * Update v3/lints/cabf_br/lint_invalid_subject_rdn_order.go + + Fine to me. + + Co-authored-by: Christopher Henderson + + * Update lint_invalid_subject_rdn_order.go + + As per Chris Henderson's suggestion, to "improve readability". + + * Update lint_invalid_subject_rdn_order_test.go + + As per Chris Henderson's suggestion. 
+ + * Update time.go + + Added CABFEV_Sec9_2_8_Date + + * Add files via upload + + * Add files via upload + + * Revised according to Chris and Corey suggestions + + * Add files via upload + + * Add files via upload + + * Delete v3/lints/cabf_br/lint_e_invalid_cps_uri.go + + * Delete v3/lints/cabf_br/lint_e_invalid_cps_uri_test.go + + * Delete v3/testdata/invalid_cps_uri_ko_01.pem + + * Delete v3/testdata/invalid_cps_uri_ko_02.pem + + * Delete v3/testdata/invalid_cps_uri_ko_03.pem + + * Delete v3/testdata/invalid_cps_uri_ok_01.pem + + * Delete v3/testdata/invalid_cps_uri_ok_02.pem + + * Delete v3/testdata/invalid_cps_uri_ok_03.pem + + * Add files via upload + + * Add files via upload + + * Add files via upload + + * Add files via upload + + * Add files via upload + + * Add files via upload + + * Add files via upload + + --------- + + Co-authored-by: Christopher Henderson + +commit c73f78bfa648887dffe592f02fd6519b514fbb36 +Author: Adriano Santoni +Date: Sun May 19 19:09:17 2024 +0200 + + Add lint to check that precertificates do not contain an SCT list (#841) + + * Add files via upload + + * Add files via upload + + * Add files via upload + + * Add files via upload + + * Update lint_invalid_subject_rdn_order_test.go + + Added //nolint:all to comment block to avoid golangci-lint to complain about duplicate words in comment + + * Update lint_invalid_subject_rdn_order.go + + Fixed import block + + * Update v3/lints/cabf_br/lint_invalid_subject_rdn_order.go + + Fine to me. + + Co-authored-by: Christopher Henderson + + * Update lint_invalid_subject_rdn_order.go + + As per Chris Henderson's suggestion, to "improve readability". + + * Update lint_invalid_subject_rdn_order_test.go + + As per Chris Henderson's suggestion. 
+ + * Update time.go + + Added CABFEV_Sec9_2_8_Date + + * Add files via upload + + * Add files via upload + + * Revised according to Chris and Corey suggestions + + * Add files via upload + + * Add files via upload + + * Delete v3/lints/cabf_br/lint_e_invalid_cps_uri.go + + * Delete v3/lints/cabf_br/lint_e_invalid_cps_uri_test.go + + * Delete v3/testdata/invalid_cps_uri_ko_01.pem + + * Delete v3/testdata/invalid_cps_uri_ko_02.pem + + * Delete v3/testdata/invalid_cps_uri_ko_03.pem + + * Delete v3/testdata/invalid_cps_uri_ok_01.pem + + * Delete v3/testdata/invalid_cps_uri_ok_02.pem + + * Delete v3/testdata/invalid_cps_uri_ok_03.pem + + * Add files via upload + + * Add files via upload + + * Add files via upload + + * Add files via upload + + * Update lint_precert_with_sct_list.go + + * Update source.go + + As per Chris' request + + * Update source.go + + * Update registration_test.go + + * Update registration_test.go + + --------- + + Co-authored-by: Christopher Henderson + +commit 26ab5b0a05d2a70c1a5e98c38fc8a08794fcf950 +Author: Adriano Santoni +Date: Sat May 11 20:04:08 2024 +0200 + + Add lint for checking that the 'critical' field is properly DER-encoded in extensions (#839) + + * Add files via upload + + * Add files via upload + + * Add files via upload + + * Add files via upload + + * Update lint_invalid_subject_rdn_order_test.go + + Added //nolint:all to comment block to avoid golangci-lint to complain about duplicate words in comment + + * Update lint_invalid_subject_rdn_order.go + + Fixed import block + + * Update v3/lints/cabf_br/lint_invalid_subject_rdn_order.go + + Fine to me. + + Co-authored-by: Christopher Henderson + + * Update lint_invalid_subject_rdn_order.go + + As per Chris Henderson's suggestion, to "improve readability". + + * Update lint_invalid_subject_rdn_order_test.go + + As per Chris Henderson's suggestion. 
+ + * Update time.go + + Added CABFEV_Sec9_2_8_Date + + * Add files via upload + + * Add files via upload + + * Revised according to Chris and Corey suggestions + + * Add files via upload + + * Add files via upload + + * Delete v3/lints/cabf_br/lint_e_invalid_cps_uri.go + + * Delete v3/lints/cabf_br/lint_e_invalid_cps_uri_test.go + + * Delete v3/testdata/invalid_cps_uri_ko_01.pem + + * Delete v3/testdata/invalid_cps_uri_ko_02.pem + + * Delete v3/testdata/invalid_cps_uri_ko_03.pem + + * Delete v3/testdata/invalid_cps_uri_ok_01.pem + + * Delete v3/testdata/invalid_cps_uri_ok_02.pem + + * Delete v3/testdata/invalid_cps_uri_ok_03.pem + + * Add files via upload + + * Add files via upload + + * Add files via upload + + * Add files via upload + + * Add files via upload + + * Add files via upload + + * Add files via upload + + * Add files via upload + + * Add files via upload + + * Delete v3/lints/rfc/lint_empty_sct_list.go + + * Delete v3/lints/rfc/lint_empty_sct_list_test.go + + * Delete v3/testdata/empty_sct_list_ko_01.pem + + * Delete v3/testdata/empty_sct_list_na_01.pem + + * Delete v3/testdata/empty_sct_list_na_02.pem + + * Delete v3/testdata/empty_sct_list_ok_01.pem + + * Delete v3/testdata/empty_sct_list_ok_02.pem + + * Update source.go + + * Update time.go + + --------- + + Co-authored-by: Christopher Henderson + +commit 208af03b5346578ba252fed89c93ceda0d6dc62e +Author: Adriano Santoni +Date: Sun Apr 28 20:33:13 2024 +0200 + + Add lint for checking that a CRL contains the CRL Number extension (#834) + + * Add files via upload + + * Add files via upload + + * Add files via upload + + * Add files via upload + + * Update lint_invalid_subject_rdn_order_test.go + + Added //nolint:all to comment block to avoid golangci-lint to complain about duplicate words in comment + + * Update lint_invalid_subject_rdn_order.go + + Fixed import block + + * Update v3/lints/cabf_br/lint_invalid_subject_rdn_order.go + + Fine to me. 
+ + Co-authored-by: Christopher Henderson + + * Update lint_invalid_subject_rdn_order.go + + As per Chris Henderson's suggestion, to "improve readability". + + * Update lint_invalid_subject_rdn_order_test.go + + As per Chris Henderson's suggestion. + + * Update time.go + + Added CABFEV_Sec9_2_8_Date + + * Add files via upload + + * Add files via upload + + * Revised according to Chris and Corey suggestions + + * Add files via upload + + * Add files via upload + + * Delete v3/lints/cabf_br/lint_e_invalid_cps_uri.go + + * Delete v3/lints/cabf_br/lint_e_invalid_cps_uri_test.go + + * Delete v3/testdata/invalid_cps_uri_ko_01.pem + + * Delete v3/testdata/invalid_cps_uri_ko_02.pem + + * Delete v3/testdata/invalid_cps_uri_ko_03.pem + + * Delete v3/testdata/invalid_cps_uri_ok_01.pem + + * Delete v3/testdata/invalid_cps_uri_ok_02.pem + + * Delete v3/testdata/invalid_cps_uri_ok_03.pem + + * Add files via upload + + * Add files via upload + + * Add files via upload + + * Add files via upload + + * Update oid.go + + Add OID for CRL Number + + * Update v3/util/oid.go + + --------- + + Co-authored-by: Christopher Henderson + +commit d5a09f841725281fd65d0003dea004fd75e31d8c +Author: Paul van Brouwershaven +Date: Sun Apr 28 21:14:06 2024 +0300 + + Add lint to cover TLS BR v2 EKU checks (#833) + + * Add EV policy and Pre Certiicate Signing Certificate EKU + + * Apply serverAuth to certificates with CA/B TLS policy OID + + * lint subscriber EKU according to TLS BR v2 + + * Make lint ineffective since TLS BR v2 + + These lints are covered by the new `e_sub_cert_eku_check` lint that will lint according to the TLS BR v2 language. + + * Correct expected result + + * Correct numbers as result of CA/B policy inclusion in additon to serverAuth + + The `util.IsServerAuthCert` did not consider certificates that attest the CA/Browser Forum policy OIDs but do not include the `serverAuth` EKU. This has been addressed and caused some mintor changes in the test corpus. 
+ + * Check if subscriber certificate with EKU extension + + * Pass certificate in subscriber certificate check + + * Remove unnecessary len check + + * Format + + --------- + + Co-authored-by: Christopher Henderson + +commit 63e3f8654d742ba9e7b36881b1f8c003a426f201 +Author: Adriano Santoni +Date: Sun Apr 28 17:02:34 2024 +0200 + + Add lint to detect invalid cps uri (#828) + + * Add files via upload + + * Add files via upload + + * Add files via upload + + * Add files via upload + + * Update lint_invalid_subject_rdn_order_test.go + + Added //nolint:all to comment block to avoid golangci-lint to complain about duplicate words in comment + + * Update lint_invalid_subject_rdn_order.go + + Fixed import block + + * Update v3/lints/cabf_br/lint_invalid_subject_rdn_order.go + + Fine to me. + + Co-authored-by: Christopher Henderson + + * Update lint_invalid_subject_rdn_order.go + + As per Chris Henderson's suggestion, to "improve readability". + + * Update lint_invalid_subject_rdn_order_test.go + + As per Chris Henderson's suggestion. 
+ + * Update time.go + + Added CABFEV_Sec9_2_8_Date + + * Add files via upload + + * Add files via upload + + * Revised according to Chris and Corey suggestions + + * Add files via upload + + * Add files via upload + + * Delete v3/lints/cabf_ev/lint_ev_orgid_inconsistent_subj_and_ext.go + + * Delete v3/lints/cabf_ev/lint_ev_orgid_inconsistent_subj_and_ext_test.go + + * Delete v3/testdata/orgid_subj_and_ext_ko_01.pem + + * Delete v3/testdata/orgid_subj_and_ext_ko_02.pem + + * Delete v3/testdata/orgid_subj_and_ext_ko_03.pem + + * Delete v3/testdata/orgid_subj_and_ext_ok_01.pem + + * Delete v3/testdata/orgid_subj_and_ext_ok_02.pem + + * Delete v3/testdata/orgid_subj_and_ext_ok_03.pem + + * Delete v3/testdata/orgid_subj_and_ext_ok_04.pem + + * Delete v3/testdata/orgid_subj_and_ext_ok_05.pem + + * Update time.go + + --------- + + Co-authored-by: Christopher Henderson + +commit 2988620fc3db96938dbfb71ca2afe8f5b2010920 +Author: Adriano Santoni +Date: Sun Apr 28 16:09:22 2024 +0200 + + Add lint to check that a CRL does not contain an empty revokedCertificates element (#831) + + * Add files via upload + + * Add files via upload + + * Add files via upload + + * Add files via upload + + * Update lint_invalid_subject_rdn_order_test.go + + Added //nolint:all to comment block to avoid golangci-lint to complain about duplicate words in comment + + * Update lint_invalid_subject_rdn_order.go + + Fixed import block + + * Update v3/lints/cabf_br/lint_invalid_subject_rdn_order.go + + Fine to me. + + Co-authored-by: Christopher Henderson + + * Update lint_invalid_subject_rdn_order.go + + As per Chris Henderson's suggestion, to "improve readability". + + * Update lint_invalid_subject_rdn_order_test.go + + As per Chris Henderson's suggestion. 
+ + * Update time.go + + Added CABFEV_Sec9_2_8_Date + + * Add files via upload + + * Add files via upload + + * Revised according to Chris and Corey suggestions + + * Add files via upload + + * Add files via upload + + * Delete v3/lints/cabf_br/lint_e_invalid_cps_uri.go + + * Delete v3/lints/cabf_br/lint_e_invalid_cps_uri_test.go + + * Delete v3/testdata/invalid_cps_uri_ko_01.pem + + * Delete v3/testdata/invalid_cps_uri_ko_02.pem + + * Delete v3/testdata/invalid_cps_uri_ko_03.pem + + * Delete v3/testdata/invalid_cps_uri_ok_01.pem + + * Delete v3/testdata/invalid_cps_uri_ok_02.pem + + * Delete v3/testdata/invalid_cps_uri_ok_03.pem + + * Delete v3/lints/cabf_ev/lint_ev_orgid_inconsistent_subj_and_ext.go + + * Delete v3/lints/cabf_ev/lint_ev_orgid_inconsistent_subj_and_ext_test.go + + * Delete v3/testdata/orgid_subj_and_ext_ko_01.pem + + * Delete v3/testdata/orgid_subj_and_ext_ko_02.pem + + * Delete v3/testdata/orgid_subj_and_ext_ko_03.pem + + * Delete v3/testdata/orgid_subj_and_ext_ok_01.pem + + * Delete v3/testdata/orgid_subj_and_ext_ok_02.pem + + * Delete v3/testdata/orgid_subj_and_ext_ok_03.pem + + * Delete v3/testdata/orgid_subj_and_ext_ok_04.pem + + * Delete v3/testdata/orgid_subj_and_ext_ok_05.pem + + * Add files via upload + + * Add files via upload + + * Update time.go + + * Add files via upload + + * Add files via upload + + * Delete v3/lints/cabf_br/crl_empty_revoked_certificates_ko.pem + + * Delete v3/lints/cabf_br/crl_empty_revoked_certificates_ok.pem + + * Update lint_crl_revoked_certificates_field_empty.go + + --------- + + Co-authored-by: Christopher Henderson + Co-authored-by: Zakir Durumeric + +commit 61c73edc6b2a2cf3e6eae6a5fb5f67dd334829ee +Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> +Date: Sun Apr 21 10:10:35 2024 -0700 + + build(deps): bump golang.org/x/net from 0.17.0 to 0.23.0 in /v3 (#835) + + Bumps [golang.org/x/net](https://github.com/golang/net) from 0.17.0 to 0.23.0. 
+ - [Commits](https://github.com/golang/net/compare/v0.17.0...v0.23.0) + + --- + updated-dependencies: + - dependency-name: golang.org/x/net + dependency-type: direct:production + ... + + Signed-off-by: dependabot[bot] + Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> + Co-authored-by: Christopher Henderson + +commit a0112345dbd9d39f2f637edcecb2f313d56b7a35 +Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> +Date: Sun Apr 21 09:47:49 2024 -0700 + + build(deps): bump golang.org/x/net in /v3/cmd/genTestCerts (#836) + + Bumps [golang.org/x/net](https://github.com/golang/net) from 0.17.0 to 0.23.0. + - [Commits](https://github.com/golang/net/compare/v0.17.0...v0.23.0) + + --- + updated-dependencies: + - dependency-name: golang.org/x/net + dependency-type: indirect + ... + + 
Signed-off-by: dependabot[bot] + Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> + +commit 6c7d024812dfb2f25143f31e4655240d66e4058a +Author: Phil Porada +Date: Thu Apr 18 13:27:59 2024 -0400 + + Add lint to verify CRL TBSCertList.revokedCertificates field is absent when there are no revoked certificates (#832) + + * Working lint and tests + + * Add negative test + + * Rename test crl + + * DER, PEM, vim smuggled inside testdata just like xz, you pick + + * Add more negative test cases and run through all of the files + + --------- + + Co-authored-by: Zakir Durumeric + +commit 4b2f38b56132eda5017d637ed07ef9be59ab6976 +Author: Adriano Santoni +Date: Sun Apr 14 21:49:41 2024 +0200 + + Lint for checking that organizationIdentifier Subject attribute and CABFOrganizationIdentifier extension are consistent as per EVG 9.2.8 (#820) + + * Add files via upload + + * Add files via upload + + * Add files via upload + + * Add files via upload + + * Update lint_invalid_subject_rdn_order_test.go + + Added //nolint:all to comment block to avoid golangci-lint to complain about duplicate words in comment + + * Update lint_invalid_subject_rdn_order.go + + Fixed import block + + * Update v3/lints/cabf_br/lint_invalid_subject_rdn_order.go + + Fine to me. + + Co-authored-by: Christopher Henderson + + * Update lint_invalid_subject_rdn_order.go + + As per Chris Henderson's suggestion, to "improve readability". + + * Update lint_invalid_subject_rdn_order_test.go + + As per Chris Henderson's suggestion. 
+ + * Update time.go + + Added CABFEV_Sec9_2_8_Date + + * Add files via upload + + * Add files via upload + + * Revised according to Chris and Corey suggestions + + * Add files via upload + + * Add files via upload + + * Delete v3/lints/cabf_br/lint_e_invalid_cps_uri.go + + * Delete v3/lints/cabf_br/lint_e_invalid_cps_uri_test.go + + * Delete v3/testdata/invalid_cps_uri_ko_01.pem + + * Delete v3/testdata/invalid_cps_uri_ko_02.pem + + * Delete v3/testdata/invalid_cps_uri_ko_03.pem + + * Delete v3/testdata/invalid_cps_uri_ok_01.pem + + * Delete v3/testdata/invalid_cps_uri_ok_02.pem + + * Delete v3/testdata/invalid_cps_uri_ok_03.pem + + --------- + + Co-authored-by: Christopher Henderson + +commit 5de620c50c0621fffce102d391475f78e0fe3e89 +Author: MTG <36234449+mtgag@users.noreply.github.com> +Date: Sun Apr 14 19:58:33 2024 +0200 + + Subject rdns correct encoding (#824) + + * lint about the encoding of qcstatements for PSD2 + + * Revert "lint about the encoding of qcstatements for PSD2" + + This reverts commit 6c2367080d148f4b8c01f96a4c80e3ac55d1ef26. + + * util: gtld_map autopull updates for 2021-10-21T07:25:20 UTC + + * always check and perform the operation in the execution + + * synchronised with project + + * synchronised with project + + * synchronised with project + + * synchronised with project + + * fixed merge error + + * synchronised with project + + * goimports + + * trying to decrease cyclomatic complexity + + --------- + + Co-authored-by: mtg + Co-authored-by: GitHub + Co-authored-by: Christopher Henderson + +commit ae3b1f32c23bdbb29998329b7e2fb13f0d00a015 +Author: MTG <36234449+mtgag@users.noreply.github.com> +Date: Tue Apr 9 21:24:34 2024 +0200 + + Correct test descriptions (#829) + + Mark lint.NA expected results as lint.NA, not pass. 
+ + https://github.com/zmap/zlint/pull/829 + +commit 4d4672997c53cdfe417d85a0abd6091d59deeb89 +Merge: b3a86b3c 308a138e +Author: mtgag +Date: Tue Apr 9 11:48:05 2024 +0200 + + Merge https://github.com/zmap/zlint + +commit b3a86b3c0f6658a402f3a81dfb32b534e1abba3e +Author: mtgag +Date: Tue Apr 9 11:45:06 2024 +0200 + + Revert "synchronised with project" + + This reverts commit 2cd7d087f4a812d4ef3640560edf1d07cce2ea56. + +commit 63cf8e862a490ebd8769ffbc516d882449d67741 +Author: mtgag +Date: Tue Apr 9 11:44:43 2024 +0200 + + Revert "synchronised with project" + + This reverts commit bad73ee2d5669394cde3053d300f285a91f75fd6. + +commit 2cd7d087f4a812d4ef3640560edf1d07cce2ea56 +Author: mtgag +Date: Tue Apr 9 11:40:00 2024 +0200 + + synchronised with project + +commit 308a138ee20193335072c10b9b6ce7dec3d950c9 +Author: MTG <36234449+mtgag@users.noreply.github.com> +Date: Sun Apr 7 15:04:05 2024 +0200 + + Limit scope for cn checking in SAN (#825) + + * lint about the encoding of qcstatements for PSD2 + + * Revert "lint about the encoding of qcstatements for PSD2" + + This reverts commit 6c2367080d148f4b8c01f96a4c80e3ac55d1ef26. + + * util: gtld_map autopull updates for 2021-10-21T07:25:20 UTC + + * always check and perform the operation in the execution + + * synchronised with project + + * synchronised with project + + * synchronised with project + + * synchronised with project + + * fixed merge error + + * synchronised with project + + * address comments of PR #809 + + * trying to decrease cyclomatic complexity + + * reverted commit in this branch + + --------- + + Co-authored-by: mtg + Co-authored-by: GitHub + Co-authored-by: Christopher Henderson + +commit 2980c72629aaf86b440644d13a9d7e2f36c0f350 +Author: David Adrian +Date: Sat Apr 6 18:16:01 2024 -0400 + + Add ineffective date to DSA lints. (#827) + + DSA is prohibited, so we can't maintain an up-to-date reference for how + a DSA key should be structured. 
Instead of checking prohibited DSA certs + against the old requirements, rely on lint_prohibit_dsa_usage.go + +commit bad73ee2d5669394cde3053d300f285a91f75fd6 +Author: mtgag +Date: Fri Apr 5 07:40:36 2024 +0200 + + synchronised with project + +commit 795d2068ca83cd2f08bb866ee4c367b09e444489 +Merge: f1a66db9 f9496fad +Author: mtgag +Date: Fri Apr 5 07:40:35 2024 +0200 + + Merge https://github.com/zmap/zlint + +commit f9496fada52af23e776f898362b4074cb082f44b +Author: MTG <36234449+mtgag@users.noreply.github.com> +Date: Thu Mar 28 18:17:32 2024 +0100 + + Use help Method beforeoron instead of (#717) + + * lint about the encoding of qcstatements for PSD2 + + * Revert "lint about the encoding of qcstatements for PSD2" + + This reverts commit 6c2367080d148f4b8c01f96a4c80e3ac55d1ef26. + + * util: gtld_map autopull updates for 2021-10-21T07:25:20 UTC + + * always check and perform the operation in the execution + + * using the help method BeforeOrOn instead of simple Before, added certificates that cover the edge cases + + * update in integration data + + * reverted commit, kept certificates, changed assertion, after discussion in the pull request + + --------- + + Co-authored-by: mtg + Co-authored-by: GitHub + Co-authored-by: Christopher Henderson + Co-authored-by: Zakir Durumeric + +commit 92917299fd81f3247a1bbc69643d31a3a3e1552c +Author: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> +Date: Thu Mar 28 09:55:29 2024 -0700 + + util: gtld_map autopull updates for 2024-03-27T22:19:31 UTC (#817) + + Co-authored-by: GitHub + +commit e99e725e9aff1a9e9af427a1bf288389f693751b +Author: Martijn Katerbarg +Date: Wed Mar 27 23:14:26 2024 +0100 + + feat: Test EKU Criticality (#816) + + * feat: Test EKU Criticality + + * Correct capitalization + + * Correct capitalization + +commit 38cfd72bd88b8688173ac63d408cfdfefb46801a +Author: Martijn Katerbarg +Date: Sun Mar 24 20:21:39 2024 +0100 + + cRLIssuer MUST NOT be present (#814) + + * cRLIssuer MUST NOT be 
present lint + + * Also cover Reason + + --------- + + Co-authored-by: Christopher Henderson + +commit 990a074c32c8899e935552724fc773de8765ceef +Author: Adam +Date: Sun Mar 24 08:44:09 2024 -0700 + + Add lints for S/MIME BR 7.1.2.3l (#805) + + * Add lints for S/MIME BR 7.1.2.3l + + * Save results of util functions as variables to make logic clearer. + + --------- + + Co-authored-by: Christopher Henderson + +commit 32bba7aeb74f82f604f99ee78d08aae1cb7e4985 +Author: MTG <36234449+mtgag@users.noreply.github.com> +Date: Sun Mar 17 18:10:55 2024 +0100 + + Update single email if present (#808) + + * lint about the encoding of qcstatements for PSD2 + + * Revert "lint about the encoding of qcstatements for PSD2" + + This reverts commit 6c2367080d148f4b8c01f96a4c80e3ac55d1ef26. + + * util: gtld_map autopull updates for 2021-10-21T07:25:20 UTC + + * always check and perform the operation in the execution + + * synchronised with project + + * synchronised with project + + * synchronised with project + + * synchronised with project + + * added same lint for subject values instead of SAN values + + * resolved conflict issue + + * addressed review comments and hint to citation from #795 + + * addressing issue #795 and review comments of PR #802 + + --------- + + Co-authored-by: mtg + Co-authored-by: GitHub + Co-authored-by: Christopher Henderson + +commit e33bae9c194cff0acf80026363f7f36c45d42fd7 +Author: MTG <36234449+mtgag@users.noreply.github.com> +Date: Sun Mar 17 18:02:26 2024 +0100 + + Update single email subject if present (#802) + + * lint about the encoding of qcstatements for PSD2 + + * Revert "lint about the encoding of qcstatements for PSD2" + + This reverts commit 6c2367080d148f4b8c01f96a4c80e3ac55d1ef26. 
+ + * util: gtld_map autopull updates for 2021-10-21T07:25:20 UTC + + * always check and perform the operation in the execution + + * synchronised with project + + * synchronised with project + + * synchronised with project + + * synchronised with project + + * added same lint for subject values instead of SAN values + + * resolved conflict issue + + * addressed review comments and hint to citation from #795 + + --------- + + Co-authored-by: mtg + Co-authored-by: GitHub + Co-authored-by: Christopher Henderson + Co-authored-by: Zakir Durumeric + +commit 7c899eaaaa534b10489f457ffbea808235d4fc71 +Author: Adam +Date: Mon Mar 11 15:04:47 2024 -0700 + + Add lint for BR 7.1.4.2.2a mailbox-validated (#806) + + * Add lint for BR 7.1.4.2.2a mailbox-validated + + * Remove test code + + * Update citation description + + --------- + + Co-authored-by: Christopher Henderson + +commit e6650ebd433bea8cbe73b96c9d0d66015c0cd7e2 +Author: Adam +Date: Mon Mar 11 14:39:27 2024 -0700 + + Add lints for S/MIME BR 7.1.4.2.2n country name (#807) + + Co-authored-by: Christopher Henderson + +commit 8d2c57948e697330fc81c865f449e6922b7bc0bb +Author: MTG <36234449+mtgag@users.noreply.github.com> +Date: Sun Mar 10 18:59:15 2024 +0100 + + Lint for 7.1.2.7.2 BR (#810) + + * lint about the encoding of qcstatements for PSD2 + + * Revert "lint about the encoding of qcstatements for PSD2" + + This reverts commit 6c2367080d148f4b8c01f96a4c80e3ac55d1ef26. 
+ + * util: gtld_map autopull updates for 2021-10-21T07:25:20 UTC + + * always check and perform the operation in the execution + + * synchronised with project + + * synchronised with project + + * synchronised with project + + * synchronised with project + + * added lint to check values of subjectDN in DV certificates + + * fixed errors + + * fixed merge error + + * addressing review comment + + --------- + + Co-authored-by: mtg + Co-authored-by: GitHub + Co-authored-by: Christopher Henderson + +commit e76cc77296612b97bb8df7a525b7cec68f77070f +Author: Adriano Santoni +Date: Sun Mar 10 18:36:37 2024 +0100 + + Add lint for checking that Subject attributes (RDNs) appear in the order prescribed by CABF BR 7.1.4.2 (#813) + + * Add files via upload + + * Add files via upload + + * Add files via upload + + * Add files via upload + + * Update lint_invalid_subject_rdn_order_test.go + + Added //nolint:all to comment block to avoid golangci-lint to complain about duplicate words in comment + + * Update lint_invalid_subject_rdn_order.go + + Fixed import block + + * Update v3/lints/cabf_br/lint_invalid_subject_rdn_order.go + + Fine to me. + + Co-authored-by: Christopher Henderson + + * Update lint_invalid_subject_rdn_order.go + + As per Chris Henderson's suggestion, to "improve readability". + + * Update lint_invalid_subject_rdn_order_test.go + + As per Chris Henderson's suggestion. 
+ + --------- + + Co-authored-by: Christopher Henderson + +commit f1a66db99213a6363d024c0108bb592d49094032 +Merge: 53b911ef a063d317 +Author: mtgag +Date: Sun Mar 10 10:17:34 2024 +0100 + + Merge https://github.com/zmap/zlint + +commit a063d317122dce598d26ac03b4975cbb6469f8e4 +Author: Adam +Date: Sat Mar 9 10:55:49 2024 -0800 + + Add lints for S/MIME BR 7.1.2.3.b (#779) + + * Add lints for S/MIME BR 7.1.2.3.b + + * remove logging + + * Update logic to include legacy certs + + * Add test for legacy certs + + * add test + + * Add tests with mixed HTTP and non-HTTP + + * URL -> URI + + * Fix text + + * UseCertificateLint + + * Rename testdata files to reflect their type + + --------- + + Co-authored-by: Christopher Henderson + +commit a72ff4ec44ebff74248e6631940c1b44f9bbffda +Author: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> +Date: Sat Mar 9 10:30:35 2024 -0800 + + util: gtld_map autopull updates for 2024-03-09T18:19:57 UTC (#811) + + Co-authored-by: GitHub + +commit 5501be19e0a5da8b260cc06474f09961d1423eb3 +Author: MTG <36234449+mtgag@users.noreply.github.com> +Date: Sat Mar 9 18:59:39 2024 +0100 + + Mailbox addresses from san for all br (#809) + + * lint about the encoding of qcstatements for PSD2 + + * Revert "lint about the encoding of qcstatements for PSD2" + + This reverts commit 6c2367080d148f4b8c01f96a4c80e3ac55d1ef26. 
+ + * util: gtld_map autopull updates for 2021-10-21T07:25:20 UTC + + * always check and perform the operation in the execution + + * synchronised with project + + * synchronised with project + + * synchronised with project + + * synchronised with project + + * refactored lint to cover all SMIME BR certificates + + * fixed git merge issue + + --------- + + Co-authored-by: mtg + Co-authored-by: GitHub + Co-authored-by: Christopher Henderson + +commit 9c67bdb4bde793753f7d98b78d089a49ddf83b7b +Author: Adam +Date: Sat Mar 9 08:58:05 2024 -0800 + + Fix typo (#804) + + Co-authored-by: Christopher Henderson + +commit 53b911ef750ff906e9749252b599e8253fa84594 +Author: mtgag +Date: Tue Mar 5 11:05:05 2024 +0100 + + fixed merge error + +commit d10444e4b15dcd252a2f18a583a7d4348e8ba659 +Merge: 31e18450 83b5f8d6 +Author: mtgag +Date: Mon Mar 4 07:51:14 2024 +0100 + + Merge https://github.com/zmap/zlint + +commit 83b5f8d6b7c243880a3dab6c95d954d681bf2e3f +Author: Adam +Date: Sun Mar 3 07:51:11 2024 -0800 + + Add lint for S/MIME BR 7.1.2.3 (k) (#799) + + * Add line for S/MIME BR 7.1.2.3.k. + + * Add tests generated by christopher-henderson + + --------- + + Co-authored-by: Christopher Henderson + +commit b9ff71f1ec90d82ee01aabf5272b40b6ce1cf154 +Author: toddgaunt-gs +Date: Sun Mar 3 10:32:24 2024 -0500 + + Add lint to enforce SMIME BRs: 7.1.4.2.1 requirement for mailbox addr… (#800) + + * Add lint to enforce SMIME BRs: 7.1.4.2.1 requirement for mailbox addresses + + All mailbox addresses appearing in subjectDN or dirName must be repeated + in san:rfc822Name or san:otherName. This lint does its best to detect + mailbox address values in the subjectDN or dirName and if any are + detected ensures they are repeated. + + * Add expected integration failures for new lint e_mailbox_address_shall_contain_an_rfc822_name + + The failures all have email addresses that don't have an **exact** match + in the SAN. 
+ + How the integration tests were run: + `make integration INT_FLAGS="-lintSummary -fingerprintSummary -lintFilter='e_mailbox_address_shall_contain_an_rfc822_name'"` + + Fingerprints of the relevant certificates: + 3087f97b6cff020b5320e18d3e326074cbaa128142660f2debe4564ab1ab0179 + 5f3fcccca91a7b39e8995f79c35cb5e604d4ee0487ea1a41993c84304c0a5c99 + 63d23132c2511f33bb947f27c398bb824109ccf2d6a2037e3713fe9f7a43b15d + b034fa1aa9e501dc14b43d43dfe2210de3e5551744494b55d5f0abd865c67efc + c6ac841c78191101725ca7d5ed499be47c15ebeece7d74e6d095e2925e7bb404 + e4dbfc94e616ffb59904e394d9dcdd3ab55c26c5586440f37c058eecb907a344 + + * Revert "Add expected integration failures for new lint e_mailbox_address_shall_contain_an_rfc822_name" + + This reverts commit 037b5ec8918805bdb989726750c00d7d74e0d66a. + + * Add expected integration failures for new lint e_mailbox_address_shall_contain_an_rfc822_name + + This commit is a proper version of the previously reverted one. It was + reverted because I accidently ran the script to update the config only + for the failing lint, rather than lints. + + The failures all have email addresses that don't have an **exact** match + in the SAN. 
+ + How the integration tests were run: + `make integration INT_FLAGS="-lintSummary -fingerprintSummary -lintFilter='e_mailbox_address_shall_contain_an_rfc822_name'"` + + Fingerprints of the relevant certificates: + 3087f97b6cff020b5320e18d3e326074cbaa128142660f2debe4564ab1ab0179 + 5f3fcccca91a7b39e8995f79c35cb5e604d4ee0487ea1a41993c84304c0a5c99 + 63d23132c2511f33bb947f27c398bb824109ccf2d6a2037e3713fe9f7a43b15d + b034fa1aa9e501dc14b43d43dfe2210de3e5551744494b55d5f0abd865c67efc + c6ac841c78191101725ca7d5ed499be47c15ebeece7d74e6d095e2925e7bb404 + e4dbfc94e616ffb59904e394d9dcdd3ab55c26c5586440f37c058eecb907a344 + + * Use effective date from SMIME BR for mailbox_address_from_san lint + + * Address code style to fit with established conventions + + * Revert accidental changes to genTestCerts + + * Apply DeMorgan's law to fix incorrect code simplification + + * Remove redundant function literal + + * Run gofmt + + --------- + + Co-authored-by: Christopher Henderson + +commit a23de3d51cddfc5e355bd6231f83103e86d936da +Author: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> +Date: Sun Feb 25 08:55:00 2024 -0800 + + util: gtld_map autopull updates for 2024-02-20T21:17:08 UTC (#794) + + Co-authored-by: GitHub + +commit bf84ed888ec0a3f0ac99220e14b12c31b53ccb94 +Author: MTG <36234449+mtgag@users.noreply.github.com> +Date: Sun Feb 25 17:24:52 2024 +0100 + + Add test case for smime ext subject directory attr (#801) + + * lint about the encoding of qcstatements for PSD2 + + * Revert "lint about the encoding of qcstatements for PSD2" + + This reverts commit 6c2367080d148f4b8c01f96a4c80e3ac55d1ef26. 
+ + * util: gtld_map autopull updates for 2021-10-21T07:25:20 UTC + + * always check and perform the operation in the execution + + * synchronised with project + + * synchronised with project + + * synchronised with project + + * synchronised with project + + * added test case + + * resolved conflict issue + + --------- + + Co-authored-by: mtg + Co-authored-by: GitHub + Co-authored-by: Christopher Henderson + +commit 31e18450ec45e7aaa559d20d470450957092fcd7 +Merge: 51d498f8 060b3850 +Author: mtgag +Date: Sun Feb 25 11:01:49 2024 +0100 + + Merge https://github.com/zmap/zlint + +commit 060b3850760d832415fc7b82113f1117ef93e285 +Author: Adam +Date: Tue Feb 20 12:58:54 2024 -0800 + + Lint for S/MIME BR 7.1.2.3.g (#797) + + * Lint for S/MIME BR 7.1.2.3.g + + * Remove printf + + * Addresss rewview comments. Check for presence of AuthkeyOID extension. Use error details. + + --------- + + Co-authored-by: Zakir Durumeric + Co-authored-by: Christopher Henderson + +commit a4b46ef6a8969ffbc0c41e72f8f2b21294a1cccd +Author: Adam +Date: Mon Feb 19 09:35:52 2024 -0800 + + Add lint for subject directory attributes extension (#798) + +commit 1baec6eef208984b13b55d0f9545afab9c2315e8 +Author: Adam +Date: Wed Feb 14 07:03:31 2024 -0800 + + Fix copy/paste error (#796) + + Co-authored-by: Zakir Durumeric + +commit 51d498f89ff4d5e8877465a6f43f85d6879d2529 +Merge: e77fae15 8deb02ba +Author: mtgag +Date: Tue Feb 13 08:05:33 2024 +0100 + + synchronised with project + +commit 8deb02ba189e5f89d7f1e8a5bf2f75e86f81690e +Author: Arthur Gautier +Date: Sun Feb 11 07:29:20 2024 -0800 + + Subject Key Identifier is not recommended by CABF BR v2 (#790) + + * Subject Key Identifier is not recommended by CABF BR v2 + + With SC62, the CABF BR now lists SKI as not recommended. + + Per discussion in #762, zlint should provide two lints, one for rfc5280 + behavior and one for CABF BR. + + Both lint will conflict with each other, users are expected to select + (or ignore) which behavior they mean to follow. 
+ + Fixes #749 + + * Test data for SKI not recommnended + + Co-Authored-By: Christopher Henderson + + --------- + + Co-authored-by: Christopher Henderson + +commit fa85598bd69a2c2aa0238a394cd74542bf3c6691 +Author: MTG <36234449+mtgag@users.noreply.github.com> +Date: Sat Feb 10 19:08:40 2024 +0100 + + Handle ips in aia internal names (#791) + + * lint about the encoding of qcstatements for PSD2 + + * Revert "lint about the encoding of qcstatements for PSD2" + + This reverts commit 6c2367080d148f4b8c01f96a4c80e3ac55d1ef26. + + * util: gtld_map autopull updates for 2021-10-21T07:25:20 UTC + + * always check and perform the operation in the execution + + * synchronised with project + + * synchronised with project + + * synchronised with project + + * synchronised with project + + * if the AIA contains an IP then pass instead of warn + + * fixed merge message + + * trying to resolve conflicts + + * enhancement; lint only if extension is present otherwise not applicable + + --------- + + Co-authored-by: mtg + Co-authored-by: GitHub + Co-authored-by: Christopher Henderson + +commit 82d733e4dceb5e69296c9ac9dd4d1747182ebe26 +Author: BJ Cardon +Date: Fri Feb 9 14:32:23 2024 -0700 + + Fix a bug in the check for 7.1.4.2.h - single email address in subject:emailAddress (#792) + + * fix bug in the email address checking in the smime package to allow multiple email address subject fields, but dsisallow multiple values in a single email address field + + fixes a comment on #753 + + * fix typo + +commit 5501b4fcf4f9891a1eaf463fb72b8d582d2684d2 +Author: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> +Date: Sat Jan 27 11:11:24 2024 -0800 + + util: gtld_map autopull updates for 2024-01-22T23:19:16 UTC (#789) + + Co-authored-by: GitHub + +commit e77fae15e50dcbfc6c214557cac40c94ddd465c1 +Author: mtgag +Date: Wed Jan 24 07:11:55 2024 +0100 + + synchronised with project + +commit ddd1a81ca77fbcb75a5c787d41b8b307762f7246 +Author: Christopher Henderson +Date: 
Sat Jan 20 09:57:02 2024 -0800 + + Update copyright notices to 2024 (#787) + + * Update copyright notices to 2024 + + * touched the gen test cert script and need to update the test file template + +commit 8a61dfa6b62eb8caee5daa9cab97b4c1e6757f21 +Author: Christopher Henderson +Date: Sat Jan 20 09:16:10 2024 -0800 + + Refactor and improve the new lint creation bash script (#786) + + * Improving the new lint creation bash scripts + + * fixed typo + +commit be8dd6a629e36c9a9a34aeb7b34ed06327151ce3 +Author: Rob <3725956+robplee@users.noreply.github.com> +Date: Mon Jan 1 18:15:24 2024 +0000 + + Limit e_registration_scheme_id_matches_subject_country to no longer apply to LEI or INT organizationIdentifiers (#781) + + * fix issue where e_registration_scheme_id_matches_subject_country was applying to LEI and INT certs where not required by the SMIME BRs + + * fix execution of e_registration_scheme_id_matches_subject_country lint in case where some organizationIdentifiers are subject to the check and others are not + + --------- + + Co-authored-by: Christopher Henderson + +commit dfb985b620b4fcdc536885fbb12a6d99b582604d +Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> +Date: Mon Jan 1 10:01:24 2024 -0800 + + build(deps): bump golang.org/x/crypto from 0.14.0 to 0.17.0 in /v3 (#784) + + Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.14.0 to 0.17.0. + - [Commits](https://github.com/golang/crypto/compare/v0.14.0...v0.17.0) + + --- + updated-dependencies: + - dependency-name: golang.org/x/crypto + dependency-type: direct:production + ... + + 
Signed-off-by: dependabot[bot] + Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> + Co-authored-by: Christopher Henderson + +commit 832a1eae0de3256f99472d85f752fdcc9a4f024f +Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> +Date: Mon Jan 1 09:44:24 2024 -0800 + + build(deps): bump golang.org/x/crypto in /v3/cmd/genTestCerts (#785) + + Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.14.0 to 0.17.0. + - [Commits](https://github.com/golang/crypto/compare/v0.14.0...v0.17.0) + + --- + updated-dependencies: + - dependency-name: golang.org/x/crypto + dependency-type: indirect + ... + + 
Signed-off-by: dependabot[bot] + Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> + +commit d4e2de02f88f8ce38b06f1835b8bcbda72bb2ca9 +Author: Christopher Henderson +Date: Sat Dec 16 06:49:58 2023 -0800 + + Fix goreleaser deprecation (#783) + + * Fix goreleaser deprecation + + * correction example syntax + +commit f830602323170ee78c35dee0c6fb5218a667a247 +Author: MTG <36234449+mtgag@users.noreply.github.com> +Date: Sat Dec 16 15:07:29 2023 +0100 + + Added IsSMIMEBRCertificate in checkApplies where missing (#780) + + * lint about the encoding of qcstatements for PSD2 + + * Revert "lint about the encoding of qcstatements for PSD2" + + This reverts commit 6c2367080d148f4b8c01f96a4c80e3ac55d1ef26. + + * util: gtld_map autopull updates for 2021-10-21T07:25:20 UTC + + * always check and perform the operation in the execution + + * synchronised with project + + * synchronised with project + + * synchronised with project + + * added util.IsSMIMEBRCertificate(c) where missing, updated test data + + * removed GIT merge hints + + --------- + + Co-authored-by: mtg + Co-authored-by: GitHub + Co-authored-by: Christopher Henderson + +commit c1aacb0afe4c5dd97d1542c27e9d4f2cfc21ecbf +Author: Christopher Henderson +Date: Sat Dec 16 05:56:03 2023 -0800 + + golangci-lint update and fixes (#782) + + * Code Linter Update + + * linter suggestions + + * fixing code lints + +commit f90a51ecb3d36a190d0ca90ed3e5c5d80203ac72 +Author: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> +Date: Sat Dec 16 04:54:37 2023 -0800 + + util: gtld_map autopull updates for 2023-12-16T12:21:31 UTC (#778) + + * util: gtld_map autopull updates for 2023-12-12T16:20:34 UTC + + * Triggering CICD + + --------- + + Co-authored-by: GitHub + Co-authored-by: christopher-henderson + +commit 67537e945e1e8008157589a05a03f94ec57f031b +Merge: 24085437 45de8804 +Author: mtgag +Date: Thu Dec 14 07:04:42 2023 +0100 + + synchronised with project + +commit 
24085437aa4e9a39b1f3ac86350774d68432055a +Author: mtgag +Date: Thu Dec 14 07:02:35 2023 +0100 + + synchronised with project + +commit 45de88040a22e2db4d962de9ec3847dcac59be92 +Author: MTG <36234449+mtgag@users.noreply.github.com> +Date: Tue Dec 12 17:10:21 2023 +0100 + + refactor of SMIME aia contains (#777) + + * lint about the encoding of qcstatements for PSD2 + + * Revert "lint about the encoding of qcstatements for PSD2" + + This reverts commit 6c2367080d148f4b8c01f96a4c80e3ac55d1ef26. + + * util: gtld_map autopull updates for 2021-10-21T07:25:20 UTC + + * always check and perform the operation in the execution + + * synchronised with project + + * synchronised with project + + * changed date, added check for existent extension + + * updates in config after tests + + * removed accidentally commited file + + * removed internal names part, kept only has http only + + * changes addressing discussion in PR. Internal names are checked, IP addresses are skipped. + + * the check for HTTP scheme is not needed here. 
This is covered by the other lint + + * fixed test + + * renamed file + + * one lint for internal names in AIA covers all S/MIME generations, legacy AIA has one HTTP moved to a new lint, added isSubscriberCert for all checkApplies + + --------- + + Co-authored-by: mtg + Co-authored-by: GitHub + Co-authored-by: Christopher Henderson + +commit bc2c0fda0533178d96e8be0c73b01168a47e6304 +Author: Eliot <145681652+eliot-gs@users.noreply.github.com> +Date: Mon Dec 4 15:01:51 2023 +0000 + + CABF SMIME BR Appendix A.1 - countryName matches registration scheme id (#768) + + * lint and unit test subject country in organization id + + * add lints and unit test for matching country in format id + + * deletes accidential workflow additions + + * updates according to PR comments + + * fixes indentation + + * updates following PR comments + + * updates comment and formatting + + --------- + + Co-authored-by: Christopher Henderson + +commit 7f6ef92e44f595d537ca8f0df6a7770090c11a50 +Author: Christopher Henderson +Date: Sun Dec 3 10:58:28 2023 -0800 + + Metalint for checking against the deprecaetd lint.RegisterLint function (#775) + + * Metalint for checking against the deprecaetd lint.RegisterLint function + + * go imports + +commit ebf2071ba0d7adb820a50b52fce8ea42df6b8e0b +Author: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> +Date: Sun Dec 3 07:47:25 2023 -0800 + + util: gtld_map autopull updates for 2023-11-27T16:20:42 UTC (#773) + + Co-authored-by: GitHub + +commit cee805f2b497508dfbf118a3d654072273b62bdb +Merge: 88c933e1 c35c9b9a +Author: mtgag +Date: Sun Dec 3 10:25:36 2023 +0100 + + Merge https://github.com/zmap/zlint + +commit c35c9b9a6aefebe6dcc4b1f003820776637561be +Author: Martijn Katerbarg +Date: Mon Nov 27 17:04:44 2023 +0100 + + Policy Qualifiers other than id-qt-cps are no longer allowed as per CABF BRs (#774) + + * feat: User Notice is no longer allowed as per CABF BRs + + * fix: Set proper title and description + + * fix: Rename files 
and align function names + +commit 1bb58f0cc7b6b31cda2e93b6ffdbd038866ea136 +Author: Christopher Henderson +Date: Sun Nov 19 13:10:22 2023 -0800 + + Updating certificate lint template to use the new certificate specific interface (#772) + + * Updating certificate lint template to use new interface + + * use tabs instead of space + +commit 96a479935c3e90699e3f5e1f96a3386488af856b +Author: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> +Date: Sun Nov 19 12:48:38 2023 -0800 + + util: gtld_map autopull updates for 2023-11-17T20:19:40 UTC (#771) + + Co-authored-by: GitHub + Co-authored-by: Christopher Henderson + +commit a08efa8121dc8e72c23bed0cf9dc473b9dfa32b7 +Author: mara-soldan <87363716+mara-soldan@users.noreply.github.com> +Date: Sun Nov 19 20:40:15 2023 +0000 + + CABF SMIME BR 7.1.2.3.m - Adobe Extensions (#763) + + * add lints for adobe extensions presence and criticality in smime certs + + * move adobe extensions to preserve alphabetical order + + * update timestamp references and use new CertificateLint type + + * Update v3/lints/cabf_smime_br/lint_adobe_extensions_legacy_multipurpose_criticality.go + + Co-authored-by: Rob <3725956+robplee@users.noreply.github.com> + + * Update v3/lints/cabf_smime_br/lint_adobe_extensions_strict_presence.go + + Co-authored-by: Rob <3725956+robplee@users.noreply.github.com> + + * Update v3/lints/cabf_smime_br/lint_adobe_extensions_legacy_multipurpose_criticality.go + + Co-authored-by: Rob <3725956+robplee@users.noreply.github.com> + + * update comments + + --------- + + Co-authored-by: marahrehorciuc + Co-authored-by: Rob <3725956+robplee@users.noreply.github.com> + Co-authored-by: Christopher Henderson + +commit 45e62047222f1ac864c5ad5c2afbb8d0c1bcd10e +Author: Amir Omidi +Date: Sun Nov 19 15:20:10 2023 -0500 + + Convert all Lints to CertificateLints (#767) + +commit 43b6954c46a5e9475c827a837d67932a31ed0b0e +Author: Rob <3725956+robplee@users.noreply.github.com> +Date: Sun Nov 12 22:41:06 2023 
+0000 + + address smime lint applicability issue. regenerate test certificates to fix unit tests broken by change (#764) + + Co-authored-by: Christopher Henderson + +commit e8c0c248cc6815a9b69b2c5cfe8eb7377392d57c +Author: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> +Date: Fri Nov 10 06:23:02 2023 -0500 + + util: gtld_map autopull updates for 2023-11-06T23:18:29 UTC (#756) + + Co-authored-by: GitHub + +commit 64533b5c98de1b52db665bbaee9cd4992d4c3519 +Author: BJ Cardon +Date: Mon Nov 6 15:49:28 2023 -0700 + + Ensure AIA URLs point to public paths (#760) + + * added lints to check if the aia has likely internal names + + * add tests for all aia path combinations + + * use Hostname instead of Host to account for ports, triage integration test results and update integration config + + * address code review feedback (Fatal->Error, handling for http schemes) + + * handle https as well + + * enforce http scheme, fix test data + + * don't require any OCSPServer to exist + + * also don't require IssuingCertificateURLs + +commit 89231704f987ed5002618333c59d8004882aa1d6 +Author: Rob <3725956+robplee@users.noreply.github.com> +Date: Sun Nov 5 15:40:31 2023 +0000 + + CABF SMIME BR 7.1.2.3.e - KeyUsages (#757) + + * add lints for smime ku presence and criticality, rsa KUs and ECC KUs + + * Finish lint for ECDSA key usages. Add lint for edwards curve key usages + + * strict rsa ku lint unit tests + + * rename rsa strict ku lint test data to reflect strictness of SMIME policy oid + + * add unit tests to smime rsa legacy/multipurpose ku lint + + * add unit tests to key usage presence lint. Fix present/presence typos + + * rename key usage critical lint to key usage criticality. unit tests for same + + * add unit tests to smime ecdsa key usage lint. 
Fix issue in check applies + + * add unit tests for smime ed25519 ku lint + + * use iota constants for signing, key management and dual use to make rsa and ec ku lints clearer to read + + * replace bit mask checks with util.HasKeyUsage calls in smime KU lints + + * Refactor RSA and EC SMIME KU lints to cover other KUs without digitalSignature and/or keyAgreement/Encipherment with separate lints. + + --------- + + Co-authored-by: Christopher Henderson + +commit f9f30bcd3fe1718c3022c7c6e45709ef7f9f0b60 +Author: Christopher Henderson +Date: Sun Nov 5 01:10:00 2023 -0700 + + Fixing lint registration for CABF SMIME (#761) + +commit 1c307f4b9ef04348f621ce0a03e2bf0d5e471fbc +Author: Rob <3725956+robplee@users.noreply.github.com> +Date: Sun Oct 22 19:36:04 2023 +0100 + + Lints for CABF SMIME BRs 7.1.2.3.f - EKUs (#747) + + * Add lints to enforce SMIME BR EKU restrictions + + * Tidy up smime_policies util file by removing some unused code. + + * Address issue raised with mailbox validated field restrictions lint checkApplies + + * Add subscriber certificate requirement to EKU lint CheckApplies functions + + --------- + + Co-authored-by: Christopher Henderson + +commit 553276dabd988e4c1645c0bed62bed516e480cd8 +Author: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> +Date: Thu Oct 19 10:39:48 2023 -0700 + + util: gtld_map autopull updates for 2023-10-19T17:18:28 UTC (#755) + + Co-authored-by: GitHub + +commit 2f544868a7a6d13a2dcc0b9dc42db7290dfaff7d +Author: Christopher Henderson +Date: Sun Oct 15 18:14:19 2023 -0700 + + CABF SMIME 7.1.4.2.h If present, the subject:emailAddress SHALL contain a single Mailbox Address (#752) + + * CABF SMIMS 4.1.4.2.h If present, the subject:emailAddress SHALL contain a single Mailbox Address + + * go imports the files + +commit 2f0f4b8a071d4fb0699aba6e5f255336567f73c0 +Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> +Date: Sun Oct 15 09:30:12 2023 -0700 + + build(deps): bump 
golang.org/x/net in /v3/cmd/genTestCerts (#751) + + Bumps [golang.org/x/net](https://github.com/golang/net) from 0.7.0 to 0.17.0. + - [Commits](https://github.com/golang/net/compare/v0.7.0...v0.17.0) + + --- + updated-dependencies: + - dependency-name: golang.org/x/net + dependency-type: indirect + ... + + Signed-off-by: dependabot[bot] + Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> + +commit 378c09f71e33d16f8d0d87b6bd78911902444817 +Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> +Date: Sun Oct 15 09:14:13 2023 -0700 + + build(deps): bump golang.org/x/net from 0.8.0 to 0.17.0 in /v3 (#750) + + Bumps [golang.org/x/net](https://github.com/golang/net) from 0.8.0 to 0.17.0. + - [Commits](https://github.com/golang/net/compare/v0.8.0...v0.17.0) + + --- + updated-dependencies: + - dependency-name: golang.org/x/net + dependency-type: direct:production + ... + + 
Signed-off-by: dependabot[bot] + Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> + Co-authored-by: Christopher Henderson + +commit 88e01adce26bde53086eff8b3ec14f7207e18e62 +Author: Christopher Henderson +Date: Sun Oct 15 08:56:47 2023 -0700 + + Lint for CABF SMIME 7.1.2.3.h - subjectAlternativeName SHOULD NOT be marked critical unless the subject field is an empty sequence (#746) + + * Lint for CABF SMIME 7.1.2.3.h - subjectAlternativeName SHOULD NOT be marked critical unless the subject field is an empty sequence. + + * removing implied warning interpretation + +commit 08a9354f3002c9eb0b8823d663cd71e7d5a14aa3 +Author: Christopher Henderson +Date: Sun Oct 15 08:28:31 2023 -0700 + + Lint for CABF SMIME 7.1.2.3.h - subjectAlternativeName, all: SHALL be present (7.1.2.3.h) (#744) + + * Lint for CABF SMIME 7.1.2.3.h - subjectAlternativeName, all: SHALL be present (7.1.2.3.h) + + * not exporting + +commit 386a8dc413add9bb92d80badbb4d86f833f6a4e5 +Author: Christopher Henderson +Date: Sun Oct 8 08:33:38 2023 -0700 + + Lint for CABF SMIME 7.1.2.3b - cRLDistributionPoints SHALL be present (#742) + + * Lint for CABF SMIME 7.1.2.3b - cRLDistributionPoints SHALL be present + + * adressing linter + + * correcting copying error + + * fixing typo in filename + +commit 48baa89c49e477e223ac2c4644046530869d8af7 +Author: Christopher Henderson +Date: Wed Sep 27 16:16:51 2023 -0700 + + Permit underscores in DNSNames if-and-only-if replacing all underscores results in valid LDH labels during BR 1.6.2's permissibility period (#661) + + Co-authored-by: David Adrian + +commit ba30b3b851aa56363f426ec4dc2377c0e43314b3 +Author: Christopher Henderson +Date: Wed Sep 27 14:11:50 2023 -0700 + + Permit underscores in DNSNames if-and-only-if those certificates are valid for less than 30 days and during BR 1.6.2's permissibility period (#660) + + Co-authored-by: Ryan Sleevi + Co-authored-by: Zakir Durumeric + Co-authored-by: David Adrian + +commit 
1fd1c0d6964020e389955fb582c32ab603ceed28 +Author: BJ Cardon +Date: Sun Sep 17 17:53:44 2023 -0600 + + Part 1 of SC-62 related updates to zlint (#739) + + * Updated lint for common name handling. The definition for the CN field has switched from deprecated to NOT RECOMMENDED (essentially SHOULD NOT). An IneffectiveDate was added to the original lint. + + Added a new lint for subscriber cert basic constraints checking. Post-SC62, basicConstraint MAY be included but MUST be critical if present. + + Added a date for SC62 Effective + + * fix CheckApplies + + * edited the wrong file, reverted and edited the right file. + + * add PEMs that exercise the tests properly + + * Update v3/lints/cabf_br/lint_sub_cert_basic_constraints_not_critical.go + + Co-authored-by: Christopher Henderson + + * Update v3/lints/cabf_br/lint_sub_cert_basic_constraints_not_critical.go + + Co-authored-by: Christopher Henderson + + * fix missing import + + --------- + + Co-authored-by: Christopher Henderson + +commit 5c4e05fe5f30e1e0b68434c077009c3f15974f77 +Author: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> +Date: Sun Sep 17 09:40:14 2023 -0700 + + util: gtld_map autopull updates for 2023-08-27T22:18:12 UTC (#737) + + Co-authored-by: GitHub + +commit 88c933e135487a4f39a75767e9207e880d4c040b +Merge: d4f2f9f2 71d5e4b1 +Author: mtgag +Date: Wed Aug 30 10:04:10 2023 +0200 + + Merge https://github.com/zmap/zlint + +commit d4f2f9f20715c9d7f4c617254749917cce4834be +Author: mtgag +Date: Wed Aug 30 09:58:56 2023 +0200 + + synchronised with project + +commit 71d5e4b1cbf7636331bbf1c839d24abb4a945633 +Author: Paul van Brouwershaven +Date: Sun Aug 27 23:26:07 2023 +0200 + + Reintroduce lint for inconsistent KU and EKU (#708) + + * Add function to get human friendly KeyUsage names + + * Add lint to check for KU and EKU inconsistency + + * Add func to get EKU strings + + * Sort KeyUsage strings for consistency in messages + + * Consider multiple purposes + + * Update result for 
integration test + + * Fix formatting + + * Add KU/EKU inconsistent test cases + + * No error on undefined extended key usage + + * Move sort from util to lint and include comment + + * Add some comments around the cyclomatic complexity + + * Update count for test corpus incl email certs + +commit 59d4dd332041087118bbbe86f7c5870c8bad980d +Author: Christopher Henderson +Date: Sun Aug 20 09:11:06 2023 -0700 + + Inclusion of approximately 190000 email protection certificates into the test corpus (#738) + +commit d959c8318c817be31cf3e9823bfd146d7c218675 +Author: Rob <3725956+robplee@users.noreply.github.com> +Date: Sun Aug 13 16:27:31 2023 +0100 + + Add lint enforcing the restrictions on subject DN fields for mailbox validated SMIME certificates (#713) + + * Add lint enforcing the restrictions on subject DN fields for mailbox validated SMIME certificates + + * Add zlint copyright text to new files. + + * Add cabf_smime_br lint source to TestNotMissingAnyLintSources + + * refactor lint to add lists of allowed and forbidden fields into the lint struct + + * rename mailboxValidatedEnforceSubjectFieldRestrictions lint to no longer export the underlying struct as per other lints in zlint + + * Update mailbox lint to use new certificatelint interface + + * fix mailbox validated field lint unit tests, reorganise smime testdata, remove unused test certificates + + * Update v3/lints/cabf_smime_br/mailbox_validated_enforce_subject_field_restrictions.go comment to list relevant policy OIDs + + Co-authored-by: Christopher Henderson + + * attempt to address lint complaint with comment describing CheckApplies of mailbox field presence lint + + * Add explanatory comment to IsEmailProtectionCert + + * Fix styling in time.go + + --------- + + Co-authored-by: Christopher Henderson + +commit 624744d33e68fb899766d58299f84cd1df2d680a +Author: Amir Omidi +Date: Tue Aug 1 18:58:56 2023 -0400 + + Include LintMetadata in the LintResult (#729) + + * Include LintMetadata in the LintResult + + * 
Don't include LintMetadata in LintResult's JSON output + +commit 38b74849c31c105e7d8469b6efa2d9f9f45281f5 +Author: Amir Omidi +Date: Tue Aug 1 16:31:49 2023 -0400 + + Add CRL Lints for the ReasonCode extension from the baseline requirements and RFC 5280 (#715) + + Add CRL Lints for the ReasonCode extension from the baseline requirements and RFC 5280. + + https://github.com/zmap/zlint/pull/715 + + Co-authored-by: Rob <3725956+robplee@users.noreply.github.com> + Co-authored-by: David Adrian + +commit 1e3cf0111c7f97688d9037d9e58423883aeb9723 +Author: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> +Date: Sat Jul 29 09:50:44 2023 -0700 + + util: gtld_map autopull updates for 2023-07-25T22:18:37 UTC (#736) + + Co-authored-by: GitHub + +commit b492fe7cd7618e7c1bf81217f3a9b42a6c391652 +Author: Daniel McCarney +Date: Thu Jul 20 13:09:40 2023 -0400 + + tidy: delete 'h' gitlog fragment from proj. root. (#735) + + In 4d38bfea a hunk of ANSI decorated `git log` output was committed to + the root of the repository. This commit deletes it. + +commit 4d38bfea8756d7b4fd4ebfb36aee8675a9eeeed4 +Author: MTG <36234449+mtgag@users.noreply.github.com> +Date: Sun Jul 9 20:50:43 2023 +0200 + + E ext cert policy disallowed any policy qualifier refactor (#732) + + * lint about the encoding of qcstatements for PSD2 + + * Revert "lint about the encoding of qcstatements for PSD2" + + This reverts commit 6c2367080d148f4b8c01f96a4c80e3ac55d1ef26. 
+ + * util: gtld_map autopull updates for 2021-10-21T07:25:20 UTC + + * always check and perform the operation in the execution + + * synchronised with project + + * refactored implementation, tests, and testdata + + * refactored implementation + + * addressing high cyclomatic complexity + + * code format + + * code format + + --------- + + Co-authored-by: mtg + Co-authored-by: GitHub + Co-authored-by: Christopher Henderson + +commit 7602109a26ca74845409fd61c18f698fe01930b0 +Author: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> +Date: Sun Jul 9 11:20:36 2023 -0700 + + util: gtld_map autopull updates for 2023-07-08T13:20:31 UTC (#733) + + Co-authored-by: GitHub + Co-authored-by: Christopher Henderson + +commit 40f2b32c4a866076818267d9ffbf4b9baa925e74 +Author: Christopher Henderson +Date: Sun Jul 9 11:18:59 2023 -0700 + + Duplicate lints about keyIdentifier in certificates (#726) + + * Duplicate lints about keyIdentifier in certificates + + * fixed go imports styling + + * breaking up code comments to match conditional blocks + + * typo + + * simplifying check + + * Triggering GHA with empty commit + + * adding one more error cert to the corpus + + --------- + + Co-authored-by: Zakir Durumeric + +commit 3f1605e8704ade3a3f95c4b9a1392cdcf88fe3f9 +Author: MTG <36234449+mtgag@users.noreply.github.com> +Date: Sun Jul 9 20:05:31 2023 +0200 + + Ecdsa ee invalid ku check applies (#731) + + * lint about the encoding of qcstatements for PSD2 + + * Revert "lint about the encoding of qcstatements for PSD2" + + This reverts commit 6c2367080d148f4b8c01f96a4c80e3ac55d1ef26. 
+ + * util: gtld_map autopull updates for 2021-10-21T07:25:20 UTC + + * always check and perform the operation in the execution + + * check applies could also check if the extension is present + + --------- + + Co-authored-by: mtg + Co-authored-by: GitHub + Co-authored-by: Christopher Henderson + +commit 1652cfa597d7c4c37991484d35e4a6da57a06580 +Author: mtgag +Date: Wed Jul 5 07:03:20 2023 +0200 + + synchronised with project + +commit 92902fc7d9ae7ad9f221235c74b992be6f101812 +Merge: 526f9be2 8c46bdf0 +Author: mtgag +Date: Sat Jul 1 09:28:04 2023 +0200 + + Merge https://github.com/zmap/zlint + +commit 8c46bdf0e6c8f3ccab7d3101cbf56eea9b7a856a +Author: Aaron Gable +Date: Fri Jun 30 12:56:49 2023 -0700 + + Fix typo in LintRevocationListEx comment (#730) + +commit 7ef1f8451ba9894bb27645321618de2bf9a158be +Author: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> +Date: Sun Jun 25 16:11:22 2023 -0700 + + util: gtld_map autopull updates for 2023-06-14T22:18:50 UTC (#727) + + Co-authored-by: GitHub + Co-authored-by: Christopher Henderson + +commit 5e0219d2a818f0d8c71f20191d79e010890c2269 +Author: MTG <36234449+mtgag@users.noreply.github.com> +Date: Mon Jun 26 01:02:29 2023 +0200 + + Bc critical (#722) + + * lint about the encoding of qcstatements for PSD2 + + * Revert "lint about the encoding of qcstatements for PSD2" + + This reverts commit 6c2367080d148f4b8c01f96a4c80e3ac55d1ef26. + + * util: gtld_map autopull updates for 2021-10-21T07:25:20 UTC + + * always check and perform the operation in the execution + + * returning fatal rather than na + + * Update v3/lints/rfc/lint_basic_constraints_not_critical.go + + Error instead of fatal + + Co-authored-by: Christopher Henderson + + * adding error description. 
+ + --------- + + Co-authored-by: mtg + Co-authored-by: GitHub + Co-authored-by: Christopher Henderson + +commit 3746088f87cde72a751b8f8a68c9b0a9e9a6a8b0 +Author: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> +Date: Sun Jun 11 12:21:00 2023 -0700 + + util: gtld_map autopull updates for 2023-06-06T18:20:14 UTC (#698) + + Co-authored-by: GitHub + Co-authored-by: Zakir Durumeric + +commit 9b18bdcd8fedb5013bda10ba13de27e3bf4ed908 +Author: MTG <36234449+mtgag@users.noreply.github.com> +Date: Sun Jun 11 21:13:48 2023 +0200 + + Ca field empty description (#723) + + * lint about the encoding of qcstatements for PSD2 + + * Revert "lint about the encoding of qcstatements for PSD2" + + This reverts commit 6c2367080d148f4b8c01f96a4c80e3ac55d1ef26. + + * util: gtld_map autopull updates for 2021-10-21T07:25:20 UTC + + * always check and perform the operation in the execution + + * simply must not have a non-empty distinguished name should suffice. The field is always present, the lints tests if the Sequence is empty. + + --------- + + Co-authored-by: mtg + Co-authored-by: GitHub + Co-authored-by: Christopher Henderson + +commit 59a91a2b1b7562e80894103cf8f8e03319b82a92 +Author: MTG <36234449+mtgag@users.noreply.github.com> +Date: Sun Jun 11 21:02:42 2023 +0200 + + Max length check applies (#724) + + * lint about the encoding of qcstatements for PSD2 + + * Revert "lint about the encoding of qcstatements for PSD2" + + This reverts commit 6c2367080d148f4b8c01f96a4c80e3ac55d1ef26. + + * util: gtld_map autopull updates for 2021-10-21T07:25:20 UTC + + * always check and perform the operation in the execution + + * max length check only if component is present. 
+ + --------- + + Co-authored-by: mtg + Co-authored-by: GitHub + Co-authored-by: Christopher Henderson + +commit 526f9be2c26b63477a2d03d8a6a2736e2fe89b72 +Merge: b52111ba 45e8dff6 +Author: mtgag +Date: Fri Jun 9 06:52:40 2023 +0200 + + Merge https://github.com/zmap/zlint + +commit 45e8dff6fe0d2a6989366a3dbd44713c360afc8f +Author: mwahaj +Date: Sun Jun 4 23:13:06 2023 +0500 + + Update README.md (#719) + + Added PKI Insights which also used zlint for X.509 Certificate verification against the PKI and Industry standards + + Co-authored-by: Christopher Henderson + +commit af903824a31385208566fa640cc13036a0e4d8e4 +Author: Christopher Henderson +Date: Sun Jun 4 11:02:45 2023 -0700 + + Enable accepting a PEM encoded CRL via the command line interface (#721) + + * dispatching CRLs to the CRL linting infra + + * fixing typo in README + +commit 1d8591cffbd9513c7302ef8187297e7463358291 +Author: toddgaunt-gs <107932811+toddgaunt-gs@users.noreply.github.com> +Date: Mon May 29 12:05:30 2023 -0400 + + Remove references in comments to Initialize() method of lints (#718) + + Some comments still refer to lints having an Initialize method. This + appears to no longer be the case but a warning in the comments for + RegisterLint, RegisterCertificateLint, and RegisterRevocationListLint + was still referencing lints having such a method. + +commit b52111baec7700cadeafd21ca74e448cec162483 +Merge: 351a3798 24385962 +Author: mtgag +Date: Tue May 16 08:44:04 2023 +0200 + + Merge https://github.com/zmap/zlint + +commit 24385962110d84a33e403ae611169297e8d205c1 +Author: MTG <36234449+mtgag@users.noreply.github.com> +Date: Sun May 14 20:16:08 2023 +0200 + + Always perform e_cert_unique_identifier_version_not_2_or_3 (#711) + + * lint about the encoding of qcstatements for PSD2 + + * Revert "lint about the encoding of qcstatements for PSD2" + + This reverts commit 6c2367080d148f4b8c01f96a4c80e3ac55d1ef26. 
+ + * util: gtld_map autopull updates for 2021-10-21T07:25:20 UTC + + * always check and perform the operation in the execution + + --------- + + Co-authored-by: mtg + Co-authored-by: GitHub + Co-authored-by: Christopher Henderson + +commit 351a37987e16c681f69725836a73dc888179d2be +Merge: 92e659c5 a5c869f8 +Author: Christopher Henderson +Date: Sun May 14 11:06:52 2023 -0700 + + Merge branch 'master' into master + +commit a5c869f807cbfce8a689aeba5682eb8f326845ea +Author: Christopher Henderson +Date: Sat May 13 09:23:45 2023 -0700 + + Update copyright text to 2023 (#716) + + * Updating copyright headers to 2023 + +commit 92e659c5aefeeea3afd8a32cc768b112a9355218 +Author: mtgag +Date: Thu Apr 27 08:55:54 2023 +0200 + + always check and perform the operation in the execution + +commit 30b096ee5b613af5eff751d9c5b878e8d07f529e +Merge: 8600050f 997ad514 +Author: mtgag +Date: Wed Apr 19 08:41:37 2023 +0200 + + Merge https://github.com/zmap/zlint + +commit 997ad5143216f4a3f461545f277be7e20bdcb557 +Author: Amir Omidi +Date: Sun Mar 26 14:02:27 2023 -0400 + + Add CRL linting infrastructure (#699) + + * Add the skeleton around linting CRLs + + * Change the entrypoint of zlint + + * Add tests for the new skeleton + + * Address reviews + + * starting my own suggestions to work coopertaively on he change + + * Take out generics from the registration struct (#3) + + * Update to use Zcrypto instead of stdlib crypto for RevocationList (#4) + + * Take out generics from the registration struct (#3) + + * updating to use zcrypto + + * pointing zcrypto back to master + + * go tidy up + + --------- + + Co-authored-by: Amir Omidi + + * Tidy go mod + + * Update zcrypto + + * go mod tidy one more time + + * Bypass lint for Registry + + * Add NextUpdate CRL lint (#5) + + --------- + + Co-authored-by: christopher-henderson + +commit 64ae4e500e020b535a475a6c99007f77b917e1e9 +Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> +Date: Sun Mar 12 13:06:18 2023 -0700 + + 
build(deps): bump golang.org/x/net in /v3/cmd/genTestCerts (#704) + + Bumps [golang.org/x/net](https://github.com/golang/net) from 0.0.0-20220412020605-290c469a71a5 to 0.7.0. + - [Release notes](https://github.com/golang/net/releases) + - [Commits](https://github.com/golang/net/commits/v0.7.0) + + --- + updated-dependencies: + - dependency-name: golang.org/x/net + dependency-type: indirect + ... + + Signed-off-by: dependabot[bot] + Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> + Co-authored-by: Christopher Henderson + +commit 68901ea435cd9be1c5f37765ed178120c3f570f9 +Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> +Date: Sun Mar 12 12:58:25 2023 -0700 + + build(deps): bump golang.org/x/net in /v3 (#702) + + Bumps [golang.org/x/net](https://github.com/golang/net) from 0.0.0-20220412020605-290c469a71a5 to 0.7.0. + - [Release notes](https://github.com/golang/net/releases) + - [Commits](https://github.com/golang/net/commits/v0.7.0) + + --- + updated-dependencies: + - dependency-name: golang.org/x/net + dependency-type: direct:production + ... + + 
Signed-off-by: dependabot[bot] + Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> + Co-authored-by: Christopher Henderson + +commit 5ed8e34fe97edb3fedd7f1fb5cbc48a1444ea195 +Author: Christopher Henderson +Date: Sun Mar 12 12:48:34 2023 -0700 + + asserting human readable strings is error prone (#707) + +commit c7740fad1793b30df07212f9297066363efb19ce +Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> +Date: Sun Mar 12 12:32:52 2023 -0700 + + build(deps): bump golang.org/x/text in /v3/cmd/genTestCerts (#701) + + Bumps [golang.org/x/text](https://github.com/golang/text) from 0.3.7 to 0.3.8. + - [Release notes](https://github.com/golang/text/releases) + - [Commits](https://github.com/golang/text/compare/v0.3.7...v0.3.8) + + --- + updated-dependencies: + - dependency-name: golang.org/x/text + dependency-type: indirect + ... + + Signed-off-by: dependabot[bot] + Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> + Co-authored-by: Christopher Henderson + +commit a476724019152fa17e7ebb3c0bba6b896aecf89d +Author: Christopher Henderson +Date: Sun Mar 12 10:55:47 2023 -0700 + + Upgrading golangci-lint to v1.51.2 (#705) + +commit 46f7185e35ed0a7af55db60004a66ac4f15520fa +Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> +Date: Sun Mar 5 09:18:23 2023 -0800 + + build(deps): bump golang.org/x/text from 0.3.7 to 0.3.8 in /v3 (#700) + + Bumps [golang.org/x/text](https://github.com/golang/text) from 0.3.7 to 0.3.8. + - [Release notes](https://github.com/golang/text/releases) + - [Commits](https://github.com/golang/text/compare/v0.3.7...v0.3.8) + + --- + updated-dependencies: + - dependency-name: golang.org/x/text + dependency-type: direct:production + ... + + 
Signed-off-by: dependabot[bot] + Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> + +commit 8a9f61eb9d9b2ee4b14519573ee2f0d09474c316 +Author: Christopher Henderson +Date: Thu Nov 3 09:18:18 2022 -0700 + + test.ReadTestCert breaks for downstream consumers dependent on the previous relative certificate path building behavior (#695) + + * util: gtld_map autopull updates for 2022-10-06T19:22:06 UTC + + * Trigger GHA + + * revert change + + * fixing our own tests + + Co-authored-by: GitHub + +commit 6292ca4c07afed0c9e4f43470126901161fd0c2c +Author: Christopher Henderson +Date: Sun Oct 16 11:41:20 2022 -0700 + + Adding support for linting profiles (#595) + + * adding support for linting profiles + + * at least tests running + + * Update v3/lint/profile.go + + Absolutely + + Co-authored-by: Daniel McCarney + + * Update v3/newProfile.sh + + * adding godoc to AllProfiles + + * util: gtld_map autopull updates for 2022-10-06T19:22:06 UTC + + * Trigger GHA + + * fixing linter + + Co-authored-by: Daniel McCarney + Co-authored-by: GitHub + +commit c6273337f37bce57a42c61f61566465ba81a8f4d +Author: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> +Date: Sun Oct 16 10:20:03 2022 -0700 + + util: gtld_map autopull updates for 2022-10-10T19:22:35 UTC (#694) + + Co-authored-by: GitHub + +commit 13fcc6ff15096c615205e0073681d571227522f9 +Author: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> +Date: Sun Oct 9 07:06:19 2022 -0700 + + util: gtld_map autopull updates for 2022-10-06T19:22:06 UTC (#693) + + Co-authored-by: GitHub + +commit 137e46e0ca400af8c38465773a9d9ef8dc044b62 +Author: Christopher Henderson +Date: Sun Sep 18 11:18:06 2022 -0700 + + Lint to check for invalid KU lengths (#686) + + * lint for incorrecty KU length + + * better code comment + + * correcting linter + + * fixing lint to check for combinations with nine possible flags + + * fixing comments + + * using cryptobyte + + * 
accounting for jumbo sized KUs + +commit 1209017ea441820ff41f4ef6b05e946ed53efcda +Author: Rob <3725956+robplee@users.noreply.github.com> +Date: Sun Sep 18 19:08:44 2022 +0100 + + Prevent OU lint from applying to CA certificates. Add unit test to confirm change of behaviour (#691) + +commit 44e12c12ca43a4af86f0dc2da4a71493ac9f8345 +Author: Christopher Henderson +Date: Sun Aug 28 07:33:00 2022 -0700 + + Add lint to check for incorrect 'unused' bit encoding in KeyUsages (#684) + + * Add lint to check for incorrect 'unused' bit encoding + + * using real life test data as a failure case + +commit 3f5e40d69c7dd1ed2049051f00dba88e97794ef0 +Author: Christopher Henderson +Date: Sun Jul 31 11:02:44 2022 -0700 + + Lint for RSA close prime Fermat factorization susceptibility (#674) + + * lint for close prime factorization with a default round setting of 100 + +commit e5ee614b989dca0615c7fdb9cb6d621f281c5a20 +Author: Christopher Henderson +Date: Sat Jul 23 11:55:36 2022 -0700 + + Support for Configurable Lints (#648) + + * Support for configurable lints + +commit ed9a20f851f487d6d280b72dc9db232779fc11e3 +Author: Christopher Henderson +Date: Sun Jul 17 13:06:32 2022 -0700 + + Added lint to check for superfluous zero byte on KU (#682) + +commit d8b86f771ea068173826b2088f0c502c17eaaa8d +Author: MTG <36234449+mtgag@users.noreply.github.com> +Date: Sun Jun 19 19:58:35 2022 +0200 + + Lints for allowable key usages as per RFC 8813 Section 3 and RFC 3279 Section 2.3.1 (#678) + + * lint about the encoding of qcstatements for PSD2 + + * Revert "lint about the encoding of qcstatements for PSD2" + + This reverts commit 6c2367080d148f4b8c01f96a4c80e3ac55d1ef26. 
+ + * util: gtld_map autopull updates for 2021-10-21T07:25:20 UTC + + * added lints that adress issues about correct key usage values for a certain public key type + + * adjustments in config.json + + * adjustments after code review + + * adjustments after code review + + * warnings are turned to errors + + * fixed error count + + Co-authored-by: mtg + Co-authored-by: GitHub + +commit c7955ed482857439faa68dfdfb67b94a1510bce1 +Author: MTG <36234449+mtgag@users.noreply.github.com> +Date: Mon Jun 13 16:19:30 2022 +0200 + + Sunset subject:organizationalUnitName (Section 7.1.4.2.2.i, CAB-Forum BR) (#643) + + * lint about the encoding of qcstatements for PSD2 + + * Revert "lint about the encoding of qcstatements for PSD2" + + This reverts commit 6c2367080d148f4b8c01f96a4c80e3ac55d1ef26. + + * util: gtld_map autopull updates for 2021-10-21T07:25:20 UTC + + * added lint for presence of OU in subject + + * Update v3/lints/cabf_br/lint_subject_contains_organizational_unit_name.go + + Co-authored-by: Ryan Sleevi + + * separated lints to adress two requirements + + * separated lints to adress two requirements + + * reverted change proposed by IDE + + * aligning to #644 + + * Update v3/util/time.go + + * Update v3/util/time.go + + * Update v3/util/time.go + + * addressed requested changes, removing lint that is implemented in 675 + + Co-authored-by: mtg + Co-authored-by: GitHub + Co-authored-by: Ryan Sleevi + Co-authored-by: Christopher Henderson + +commit b7abf25bdffae0b85a5c1058ac0dbf9775675803 +Author: Rob <3725956+robplee@users.noreply.github.com> +Date: Sun Jun 12 19:53:47 2022 +0100 + + Add new lint to block organisational unit names as of 1st September 2022 (#675) + + * Add new lint to block organisational unit names as of 1st September 2022 + + * update copyright year in all files changed by this PR + + * update name of date variable for ou prohibition + + Co-authored-by: Christopher Henderson + +commit c32f6d3f7bdfa4d6773b1bc6bc60c36c93d6843e +Author: James Kasten 
+Date: Thu Jun 9 21:50:05 2022 -0700 + + Fix SPKI Encoding Lint's RSA BR Section (#679) + + The RSA AlgorithmIdentifier is specified in 7.1.3.1.1. ECDSA is referenced in 7.1.3.1.2 + https://github.com/cabforum/servercert/blob/main/docs/BR.md#71311-rsa + +commit ed6287a54ce1e6297e2576730e65b5c2f4faddcb +Author: Christopher Henderson +Date: Sun Jun 5 11:16:44 2022 -0700 + + Zlint incorrectly requires TorServiceDescriptors if V3 onion and DNS name (#677) + + * Correct false negative in the presence of a DNS name + +commit 74f454196357f798ca087df6d43e80d9a7a4debd +Author: Christopher Henderson +Date: Sat Apr 16 11:28:06 2022 -0700 + + Update to Go 1.18 and update GolangCI Linter (#672) + + * upgrading the repo to Go 1.18 + +commit a34c016cb0f6d4e79fe584939e2a52fc68fd68a7 +Author: Christopher Henderson +Date: Fri Apr 15 10:38:52 2022 -0700 + + QoL changes to genTestCert.go (#664) + + Co-authored-by: Zakir Durumeric + +commit 20aeab4d82749f573c3a85dc48ad862f8a2c111c +Author: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> +Date: Fri Apr 15 09:47:47 2022 -0700 + + util: gtld_map autopull updates for 2022-04-15T16:45:51 UTC (#671) + + Co-authored-by: GitHub + Co-authored-by: Zakir Durumeric + +commit 6d874e67f06bf5e62ad2471c3d9627094e67fd2d +Author: Christopher Henderson +Date: Fri Apr 15 09:45:38 2022 -0700 + + updating to zcrypto 599ec18ecbac (#670) + +commit b3be71cf576a4f17272f675f5ee9cda66ccbabd5 +Author: Christopher Henderson +Date: Sun Mar 27 10:06:05 2022 -0700 + + Skip checking for a Tor Descriptor Hash if the provided cert contains a V3 Onion address. (#669) + + * check for v3 addresses before asserting presence of tor descriptor hash + + * fixing linter + +commit 3be391b56b004fbc501f4fc0c1edfb53b71a2937 +Author: Pablo Díaz <59196303+Pabloanf@users.noreply.github.com> +Date: Fri Mar 4 17:57:47 2022 +0100 + + Update README.md (#666) + + * Update README.md + + Added ANF AC to the bullet list of CAs that integrate with this linter. 
+ + * Alphabetizing. + + * Update README.md + + Co-authored-by: Zakir Durumeric + +commit b1bd967fe787933fdbb3be70377ab2508045c401 +Author: Christopher Henderson +Date: Sun Feb 20 10:22:25 2022 -0800 + + No underscores are allowed in DNSNames before BR 1.6.2's permissibility period (#659) + + * no underscores before BR 1.6.2 + + Co-authored-by: Ryan Sleevi + +commit 6badb89602ca1102e34a0c1fe8b2c7b96ead639d +Author: Christopher Henderson +Date: Sun Feb 20 10:10:57 2022 -0800 + + No underscores are allowed in DNSNames after BR 1.6.2's permissibility period (#662) + + * underscores not permissible after hard enforcement + +commit 4ab856795cdd8185c273ae873c52e37bea8535c4 +Author: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> +Date: Thu Feb 17 18:09:19 2022 -0500 + + util: gtld_map autopull updates for 2022-02-17T22:26:31 UTC (#658) + + Co-authored-by: GitHub + +commit 7fc9fbd55c2f6bdca4cd5dee825da903b00844db +Author: Ryan Sleevi +Date: Tue Jan 25 21:09:47 2022 -0500 + + Add Microsoft to the known-ZLint users (#655) + +commit b4a225e88a0a05bd9aed3bde83725a5168331b82 +Author: MTG <36234449+mtgag@users.noreply.github.com> +Date: Sat Jan 15 21:37:08 2022 +0100 + + AlgorithmIdentifier encoding (Section 7.1.3.1, CAB-Forum BR) (#642) + + * lint about the encoding of qcstatements for PSD2 + + * Revert "lint about the encoding of qcstatements for PSD2" + + This reverts commit 6c2367080d148f4b8c01f96a4c80e3ac55d1ef26. 
+ + * util: gtld_map autopull updates for 2021-10-21T07:25:20 UTC + + * added lint for proper encoding of public key accoring to cab_br + + * fixed prefix error + + * Update v3/lints/cabf_br/lint_subject_public_key_info_improper_algorithm_object_identifier_encoding.go + + Co-authored-by: Ryan Sleevi + + * refactored lint after review + + * solving review issue + + Co-authored-by: mtg + Co-authored-by: GitHub + Co-authored-by: Ryan Sleevi + Co-authored-by: Christopher Henderson + +commit da67a2330fc2d880b0c751b55d2de5dddd8c6b86 +Author: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> +Date: Sun Jan 9 10:57:07 2022 -0800 + + util: gtld_map autopull updates for 2021-12-30T02:43:35 UTC (#654) + + Co-authored-by: GitHub + +commit 3f7cf6cbc2f56d3fc1e06437b6d0fc69089abdc0 +Author: Leo Grove +Date: Sun Dec 12 21:47:56 2021 -0600 + + Update README.md (#653) + + * Update README.md + + Adding SSL.com to the list of CAs that integrate with this linter. + + * Alphabetizing + + Co-authored-by: Zakir Durumeric + +commit 9199b6d9326f7be600458d3ac7de892ade1467db +Author: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> +Date: Sat Dec 11 10:00:37 2021 -0800 + + util: gtld_map autopull updates for 2021-12-09T20:29:24 UTC (#649) + + Co-authored-by: GitHub + Co-authored-by: Christopher Henderson + +commit 0d7125864bc4f6baa17426aff2f884e8901fde50 +Author: Paul van Brouwershaven +Date: Sat Dec 11 18:52:05 2021 +0100 + + Entrust Datacard rebranded to Entrust (#652) + +commit bbc7e360e6f8ae223ddd4b1f3e4c460294f2e7f2 +Author: Paul van Brouwershaven +Date: Thu Dec 9 20:21:51 2021 +0100 + + Add lint to detect IP addresses in EV certs (#650) + +commit cb3e7e86e1cf73c82622de4768f15e69599d0751 +Author: Paul van Brouwershaven +Date: Thu Dec 9 20:05:53 2021 +0100 + + Mark CA/Browser Forum EV Policy OID as EV (#651) + + CAs are required to use this OID after 2020-09-30 (per CA/B Forum Ballot SC31 - 
https://cabforum.org/2020/07/16/ballot-sc31-browser-alignment/ ), so all new EV certs since then can be detected just by looking for this OID. + +commit da4e374e427291aa8d3acaf860623ea83b14d915 +Author: Eng Zer Jun +Date: Sun Nov 14 06:00:35 2021 +0800 + + refactor: move from io/ioutil to io and os packages (#647) + + The io/ioutil package has been deprecated as of Go 1.16, see + https://golang.org/doc/go1.16#ioutil. This commit replaces the existing + io/ioutil functions with their new definitions in io and os packages. + + 
Signed-off-by: Eng Zer Jun + +commit 3a3de3c3cc9d3b1d9c1c191f395777dd7a4d5d0d +Author: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> +Date: Sat Nov 13 10:12:36 2021 -0800 + + util: gtld_map autopull updates for 2021-10-30T04:36:00 UTC (#637) + + Co-authored-by: GitHub + Co-authored-by: Zakir Durumeric + +commit 2ff21301bb5f5f5d41a9999705e2bf60b88ebb6b +Author: Christopher Henderson +Date: Sat Nov 13 09:49:53 2021 -0800 + + cleaning up some datetime logic (#644) + +commit 8600050f905393376bd091ded9da59a205fde045 +Merge: 749d8960 e56e2a09 +Author: MTG <36234449+mtgag@users.noreply.github.com> +Date: Thu Oct 21 09:42:15 2021 +0200 + + Merge pull request #1 from mtgag/zlint-gtld-update + + util: gtld_map autopull updates for 2021-10-21T07:25:20 UTC + +commit e56e2a09361056ae4f3d9ed9e03624bfbe2fb0cb +Author: GitHub +Date: Thu Oct 21 07:26:00 2021 +0000 + + util: gtld_map autopull updates for 2021-10-21T07:25:20 UTC + +commit 749d89604a42279f37efdc7f65a16a8814fc532a +Merge: 28481cc7 cb17369b +Author: mtg +Date: Thu Oct 21 09:13:49 2021 +0200 + + Merge https://github.com/zmap/zlint + +commit cb17369b4628c684ac68c1fc169ff2a38c00cfdf +Author: Corey Bonnell +Date: Tue Oct 19 13:35:30 2021 -0400 + + Lint for Non-XN Reserved Labels (#635) + + * Lint for Non-XN Reserved Labels + + * Refactor to use idna functions + + Co-authored-by: Corey Bonnell + Co-authored-by: Zakir Durumeric + Co-authored-by: Christopher Henderson + +commit 9113ed8c1f1dd14ca6e19e2d6096fdda8885dd09 +Author: Christopher Henderson +Date: Sun Oct 17 10:50:24 2021 -0700 + + Forbid wildcard certs for non .onion EVs (#641) + + * adding lint to forbid wildcard certs for non .onion EVs + +commit 0508b86cf4c558ad17daf7d4d3438dadaaf33376 +Author: Corey Bonnell +Date: Sat Oct 16 13:18:59 2021 -0400 + + Detect XN-Labels case-insensitively (#636) + + * Detect XN-Labels case-insensitively + + * Incorporate Chris's refactoring suggestion to create idna functions + + Co-authored-by: Corey 
Bonnell + Co-authored-by: Christopher Henderson + +commit b6ec3270b8ff9c141e335a41e414beaaee0f1485 +Author: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> +Date: Tue Oct 5 18:42:05 2021 -0400 + + util: gtld_map autopull updates for 2021-10-05T22:26:49 UTC (#633) + + Co-authored-by: GitHub + +commit b4060ec70d7ec1d6203a837dafa859710e3e3a9c +Author: Christopher Henderson +Date: Sun Sep 26 11:04:29 2021 -0700 + + Correct lint attribution for dnsname_etc lints and limit scope to just DNS SAN entries (#609) + + Adding an RFC5280 specific version that does not check for CommonName of the dnsname lints that are already present in CABF lints + +commit 74dfff29b023931eed2372d248035c2d2e62d394 +Author: Attila Rozgonyi <81579568+attilarozgonyi@users.noreply.github.com> +Date: Wed Sep 8 16:43:59 2021 +0200 + + Update README.md (#631) + + Added Microsec to the bullet list "Zlint Users/Integrations". + +commit 0944e91628ccd5b175f4468ab0cde0b7753c1fcd +Author: Rob <3725956+robplee@users.noreply.github.com> +Date: Mon Sep 6 19:35:20 2021 +0100 + + e_subject_common_name_not_from_san is no longer sufficient for enforcing CABF BRs (#627) + + * Add new subject common name not exactly from san lint. Ineffective from the previous subject common name not from san lint. Tests for both + + * Fix typo in subject_common + _name_not_from_san_test + + * Update integration test config.json + + * Update CABF SC48 deffective date to CABF_1_8_0_Date + + * Add test cases covering IP address common name and SAN IP Addresses + + * Add tests for extra IPv6 scenarios + + * Remove commented out experimental code + + * Rename SANWithoutCNSeptember2021 to CNWithoutSANSeptember2021 test certificate to describe its contents correctly + + * Extend common name in SAN check to verify all provided CNs are present in SAN fields. Add tests + + * Update v3/lints/cabf_br/lint_subject_common_name_not_exactly_from_san.go + + Additional detail information about which CN was missing. 
+ + * Update v3/lints/cabf_br/lint_subject_common_name_not_exactly_from_san.go + + Adding fmt as import + + Co-authored-by: Zakir Durumeric + Co-authored-by: Christopher Henderson + +commit 1b894052a035ea9cca7c82326e0d07cef61bcae4 +Author: Christopher Henderson +Date: Sat Sep 4 13:16:42 2021 -0700 + + bump zcrypto to v0.0.0-20210811211718-6f9bc4aff20f (#629) + +commit 28481cc7ccdd1381f4917ab6094fbf4b3f3bf493 +Merge: 01996c6f 9da3c9fa +Author: mtg +Date: Wed Sep 1 12:30:17 2021 +0200 + + Merge https://github.com/zmap/zlint + +commit 9da3c9fa110527f4b11902970a4c11f3a4d80d3d +Author: Christopher Henderson +Date: Sat Jul 24 11:33:34 2021 -0700 + + disallow duplicate entries in config.json (#616) + +commit 4940d55870f19d5c2ca9447cc2ee0af3cba84138 +Author: Christopher Henderson +Date: Sat Jul 24 11:18:31 2021 -0700 + + Test certificate generator doesn't create a certificate chain (#622) + + * making generated certs chain correctly with correct attributes + +commit e2742152692085cf1c4c6898774c938b7775c9db +Author: Rob <3725956+robplee@users.noreply.github.com> +Date: Sun Jul 18 15:45:37 2021 +0100 + + split lint_sub_ca_aia_missing lint into an error lint for before CABF_BR 1.7.1 and a warning for after. Add test data (#613) + +commit 7bba3627145fc5b3f4618862f9868bef0af0d718 +Author: Jaime Hablutzel +Date: Sun Jul 18 09:33:05 2021 -0500 + + Code clarification to match BRs wording. 
(#621) + +commit 48b300e877f2ed3e6b7e75426a273f84455f17a6 +Author: Adriano Santoni +Date: Sat Jun 26 14:39:47 2021 +0200 + + Update README.md (#614) + +commit 8e8930ee04b5a10052ae29f8b37e8344f0be1d34 +Author: Christopher Henderson +Date: Sun Jun 20 14:01:34 2021 -0700 + + subsitute the initialize method for a constructor in the Lint struct (#607) + + Co-authored-by: Zakir Durumeric + +commit dbd9bfd21e5cb6c78c4ba16c87da21492a999c93 +Author: Denis Issoupov +Date: Sun Jun 20 12:56:09 2021 -0700 + + dep: upgrade to latest ZCrypto with permissive asn1 parsing (#611) + + * upgrade to ZCrypto with permissive asn1 parsing (#596) + + * Merge from master (#610) + + * cmd: add `-version` to `zlint`, `zlint-gtld-update`. (#598) + + Our GoReleaser configuration already populates a `version` variable in + LDFLAGS at build time. Prior to this commit we only included the dynamic + version var in the usage output from `--help`. This made it easy to + overlook. We also didn't set the dynamic var from the makefile, leaving + all src builds as the static version "dev". + + In this commit we add a `--version` flag to the `zlint` and + `zlint-gtld-update` commands that prints the dynamic version and + exits. We also update the `makefile` so that both binaries get built + with a version that includes the latest tag, and the SHA of the local + git checkout, e.g. `v3.1.0-19-g0807bf95`. This should better match user + expectation for CLI tools. + + * lints: fix anyKeyUsage typo in `n_mp_allowed_eku`. 
(#600) + + * deps: update zcrypto to ea3fdbd (#604) + + * upgrade to ZCrypto with permissive asn1 parsing + + Co-authored-by: Daniel McCarney + Co-authored-by: Rob Stradling + + * deps: update zcrypto to ea3fdbd (#604) + + * upgrade to ZCrypto with permissive asn1 parsing + + Co-authored-by: Daniel McCarney + Co-authored-by: Rob Stradling + +commit 7e75dc35e04f682f0d0eb3de6d4af49ccd5db5af +Author: Daniel McCarney +Date: Mon May 17 21:59:59 2021 -0400 + + deps: update zcrypto to ea3fdbd (#604) + +commit d5d0ed9565c2b2284d0f4eddf8aa83ca7a735bf1 +Author: Rob Stradling +Date: Thu May 13 13:32:40 2021 +0100 + + lints: fix anyKeyUsage typo in `n_mp_allowed_eku`. (#600) + +commit c47eab4fe42cda40cc4c56117869bac4c3850037 +Author: Daniel McCarney +Date: Wed May 12 08:43:29 2021 -0400 + + cmd: add `-version` to `zlint`, `zlint-gtld-update`. (#598) + + Our GoReleaser configuration already populates a `version` variable in + LDFLAGS at build time. Prior to this commit we only included the dynamic + version var in the usage output from `--help`. This made it easy to + overlook. We also didn't set the dynamic var from the makefile, leaving + all src builds as the static version "dev". + + In this commit we add a `--version` flag to the `zlint` and + `zlint-gtld-update` commands that prints the dynamic version and + exits. We also update the `makefile` so that both binaries get built + with a version that includes the latest tag, and the SHA of the local + git checkout, e.g. `v3.1.0-19-g0807bf95`. This should better match user + expectation for CLI tools. 
+ +commit 0807bf95d58b4f0c35831674caf02d40a6972303 +Author: Christopher Henderson +Date: Sat Apr 24 11:18:45 2021 -0700 + + Updating RFC surname and givenname character limits (#586) + + * updating RFC surname and givenname character limits + +commit 3de0a7c3319280bd56a9230f07c70c1526cfda60 +Author: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> +Date: Thu Apr 22 08:21:00 2021 -0400 + + util: gtld_map autopull updates for 2021-04-22T03:40:32 UTC (#590) + + Co-authored-by: GitHub + +commit 5ca3470ab97282d85196552dd0872ea57ed84e16 +Author: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> +Date: Wed Apr 21 17:50:42 2021 -0400 + + util: gtld_map autopull updates for 2021-04-21T21:31:31 UTC (#589) + + Co-authored-by: GitHub + +commit 740b212a296bc321966cfbffd2b58868edcfc217 +Author: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> +Date: Sat Apr 17 11:37:47 2021 -0400 + + util: gtld_map autopull updates for 2021-04-17T02:48:14 UTC (#588) + + Co-authored-by: GitHub + +commit d5ab97e9ca1cef2c7b594672c0265cef3b703637 +Author: Christopher Henderson +Date: Thu Apr 1 07:53:26 2021 -0700 + + Make zero an invalid serial number for RFC lints (#584) + + * making zero an invalid serial number + +commit 2cac1fd10fa9ad71e692c2ca9aea0f341c64055a +Author: Christopher Henderson +Date: Sun Mar 28 10:02:41 2021 -0700 + + Lint that DSA is not used - BR (#577) + + * prohibit DSA in BR and sunset dh_params_missing + +commit 30c55c549f8ea880b958888c8eeb7ea62577b28a +Author: Mathew Hodson +Date: Sun Mar 28 10:52:38 2021 -0400 + + lints: fix typo in e_ext_name_constraints_not_critical description (#579) + +commit a6348f94131181245c3cb33f6d06bbe7a6adef85 +Author: Christopher Henderson +Date: Sun Mar 28 07:34:19 2021 -0700 + + Update zcrypto for vendored crypto/dsa package (#578) + + * update to zcrypto@6b615bf2dd2e for vendored crypto/dsa package + +commit 35273f10a0b56408d64b783d07b4a97d11bc1e7d +Author: 
github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> +Date: Fri Mar 26 21:09:00 2021 -0400 + + util: gtld_map autopull updates for 2021-03-26T21:30:44 UTC (#580) + + Co-authored-by: GitHub + +commit b313d9f438043ac53924afb3e27d38ef17be7780 +Author: Christopher Henderson +Date: Sun Mar 14 12:59:50 2021 -0700 + + Introduce an upper bounds to effective dates (#576) + + * adding a field for declaring a lint's ineffective date + +commit 3223b2a6047ecf0a9883bd3bc7a40d6418de3ade +Author: Rob <3725956+robplee@users.noreply.github.com> +Date: Wed Mar 3 22:15:03 2021 +0000 + + Add a new lint to prohibit using DSA (#572) + + * Create a lint to prevent DSA usage + +commit 3615e0fedae577abb7b8cf7837eeac5c29009057 +Author: Christopher Henderson +Date: Wed Mar 3 08:35:14 2021 -0800 + + Include a playground script for generating one off certificates and certificate chains (#569) + + *Add a playground script for generating test data certificates + +commit 7fcf0da63f3e7467d818c66cd99d54fc1189ba1b +Author: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> +Date: Fri Feb 19 17:43:09 2021 -0500 + + util: gtld_map autopull updates for 2021-02-19T22:31:45 UTC (#571) + + Co-authored-by: GitHub + +commit 2aa588fc12da8f02a5f0fdb7f6971ba83030a2c5 +Author: Daniel McCarney +Date: Wed Feb 17 11:26:01 2021 -0500 + + project: switch to go 1.16. (#570) + + Go 1.16 is the latest stable release[0]. This commit switches the + `go.mod` go version, as well as the version used in Github workflows for + CI. 
+ + [0]: https://golang.org/doc/go1.16 + +commit 1f157ab6c8ab2a591daefeaad74bd061b13b4d3f +Author: Christopher Henderson +Date: Mon Feb 15 11:00:41 2021 -0800 + + Lint template produces a file with an `init` function that is not at the top of the new lint (#565) + + * update template + + * and v2 to v3 + + Co-authored-by: Zakir Durumeric + +commit 835500b231bc6214ae534cd8e703ca54e8ead959 +Author: Christopher Henderson +Date: Mon Feb 15 10:58:49 2021 -0800 + + Custom static analysis tooling for CI/CD (#551) + + * adding custom linters to the code base for static analysis + + * renaming main test directory to make more consistent + + * Update v3/integration/lints/main.go + + Co-authored-by: Daniel McCarney + + * Update v3/integration/lints/lint/lint.go + + Co-authored-by: Daniel McCarney + + * Update v3/integration/lints/lint/lint.go + + Co-authored-by: Daniel McCarney + + * Update v3/integration/lints/lint/lint.go + + Co-authored-by: Daniel McCarney + + * Update v3/integration/lints/main.go + + * Update v3/integration/lints/filters/nodes.go + + Co-authored-by: Daniel McCarney + + * Update v3/integration/lints/filters/nodes.go + + Co-authored-by: Daniel McCarney + + * Update makefile + + * Update makefile + + * Update v3/integration/lints/lint/lint.go + + Co-authored-by: Daniel McCarney + + Co-authored-by: Daniel McCarney + +commit 1cbdd0cc99a976580a3e7968e4abe079ee5c5fa3 +Author: Rufus Buschart +Date: Fri Feb 12 01:43:15 2021 +0100 + + docs: update CONTRIBUTING.md with cert generation resources (#560) + +commit 59e0d7802dcc38059ed17e961800b74c06b97806 +Author: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> +Date: Thu Feb 11 08:53:50 2021 -0500 + + util: gtld_map autopull updates for 2021-02-11T11:26:01 UTC (#563) + + Co-authored-by: GitHub + +commit f091dd34980fda129fadf2b4a4a0fc9104e11a85 +Author: Daniel McCarney +Date: Mon Feb 8 17:44:59 2021 -0500 + + deps: update zcrypto to 2a2d9c3 (#562) + +commit 
848c50b07013a773f2d98620400a6be900c88d2c +Author: Daniel McCarney +Date: Fri Jan 29 08:47:25 2021 -0500 + + integration: fix resultCount types to not overflow, update expected vals. (#557) + + * integration: fix resultCount types to not overflow. + + Using `uint8` as the type for the count fields in the `resultCount` type + produces overflows if more than 255 certificates with a given result + level are linted. + + Our integration test corpus is just shy of 600,000 certificates so + `uint32` should be more than sufficient. + + * integration: update expected values to correct overflows. + + Any lints that had more than 255 results at a given level will have + overflowed, meaning expected counts were not correct. + +commit 12bb0ed27a9859a48a91831fdb6a5f49bd9ef88b +Author: Daniel McCarney +Date: Thu Jan 28 20:09:24 2021 -0500 + + lints: revert e_key_usage_and_extended_key_usage_inconsistent. (#556) + + The `e_key_usage_and_extended_key_usage_inconsistent` lint's + interpretation of RFC 5280 is under question (see zmap#553). + + We also had an integration test bug that resulted in massively + under-estimating it's impact on our integration test corpus (see zmap#555). + + Let's remove this lint while we sort out the correct logic. + +commit c1c6681339ef2247dca5ff81162ab80c4811b154 +Author: Mathew Hodson +Date: Wed Jan 27 19:54:49 2021 -0500 + + lints: fix description of e_ext_ian_uri_not_ia5 (#554) + +commit 2549ed3615faeef82f2c3a297da65f605260aea0 +Author: Daniel McCarney +Date: Sun Jan 24 13:21:15 2021 -0500 + + lints: return detail for e_ext_duplicate_extension. (#550) + + Previously the `e_ext_duplicate_extension` lint from the `lint.RFC5280` + source only returned a `lint.Error` result as soon as one duplicate + extension was found in a certificate. It did not indicate which + extension OID was duplicated, or if there was more than one duplicated + extensions. + + This commit reworks the lint to do both of these things. 
The detail + string now indicates all of the extension OIDs that were present more + than once. + +commit 6dde095f6f92a1a58b0cb4abee9a4dfe8cde1bb7 +Author: Daniel McCarney +Date: Sat Jan 23 14:16:32 2021 -0500 + + deps: update zcrypto to 9cf5bea (#548) + +commit 30943995122c332fa0c505d8e6f7e3802543a7c3 +Author: Zsófia Tomicskó <72446712+ZsofiaTomicsko@users.noreply.github.com> +Date: Wed Jan 20 18:02:32 2021 +0100 + + tests: coverage for e_name_constraint_not_fqdn detail msgs (#547) + + This is a follow-up PR to #533 that adds test coverage for the details + msg constructed for a non-pass result. + +commit ea233116759a73b38900d929e89427cf8f3a9413 +Author: Daniel McCarney +Date: Mon Jan 18 12:03:02 2021 -0500 + + lints: move init to start of lint_name_constraint_not_fqdn.go (#544) + + This matches the work done in https://github.com/zmap/zlint/pull/536 + +commit 6d643b9bddd500d5585876859efa09403a1f0f42 +Author: Rob <3725956+robplee@users.noreply.github.com> +Date: Mon Jan 18 16:43:46 2021 +0000 + + project: re-order lint init functions (#536) + +commit edd0d0c0474304375e7a783784fdcde720dc7c13 +Author: Zsófia Tomicskó <72446712+ZsofiaTomicsko@users.noreply.github.com> +Date: Mon Jan 18 17:34:40 2021 +0100 + + lints: adds `e_name_constraint_not_fqdn` lint (RFC5280 4.2.1.10) (#533) + + This commit adds a new `e_name_constraint_not_fqdn` lint to the + lint.RFC5280 source that enforces RFC 5280, Section 4.2.1.10 + requirement that name constraints are fully qualified domain names. 
+ +commit 186e2c116bfb533babda67e1033ac6831f6dcf53 +Author: Christopher Henderson +Date: Sat Jan 9 13:20:44 2021 -0800 + + project: update copyright year to 2021 (#543) + +commit 5316fa5a79e7c3be7cf3a1032396fe52d24a51b0 +Author: Christopher Henderson +Date: Sat Jan 9 12:51:16 2021 -0800 + + lints: adds e_ev_organization_id_missing lint (CABF EVG 1.7.0 Section 9.8.2) (#532) + + This commit adds a new `e_ev_organization_id_missing` lint to the + lint.CABFEVGuidelines source that enforces + CA-Browser-Forum-EV-Guidelines-v1.7.0 Section 9.8.2 and the + presence of the CabfExtensionOrganizationIdentifier: + + > Effective January 31, 2020, if the subject:organizationIdentifier + > field is present, this field MUST be present. + +commit b0e20c85df2f646252d3bf568fad98bb87166139 +Author: Daniel McCarney +Date: Thu Jan 7 17:43:45 2021 -0500 + + docs: CONTRIBUTING.md updates, couple copyright year tweaks. (#535) + + * docs: update CONTRIBUTING.md to fix typo & rec. test-driven subtests. + * docs: update copyright year in template and README + +commit 747b41fe8a541f5dd39e5a323a81729ccfe8629e +Author: Christopher Henderson +Date: Wed Jan 6 11:36:12 2021 -0800 + + lints: fix boundary condition in `e_serial_number_longer_than_20_octets` lint (#527) + + Previously the `e_serial_number_longer_than_20_octets` lint would mistakenly + pass certificates that had a DER encoded serial number that was exactly 21 + octets long. This case typically arises when a serial number is 20 octets long + with an MSB of 1 since the encoded form will be prefixed with 0x00 to remain + a positive DER encoded integer, thus bumping the encoded length to 21 octets. + This commit fixes the calculation to correctly return an error finding + for this class of certificates/encoded serial numbers. 
+ +commit 30424383782f921d502e8aa388e0cc9901195c3e +Author: Zsófia Tomicskó <72446712+ZsofiaTomicsko@users.noreply.github.com> +Date: Sat Jan 2 20:45:07 2021 +0100 + + KU and EKU Inconsistent lint correction (#528) + + * Added lint and tests for KU&EKU consistency check + + * Added errors to config.json + + * update to v3 + + * removal of merge artifacts + + * corrected name of eku bits inside comments + + * no need for helper function anymore + + * replaced function with mapping + + * Changed comments + + * Added truth table tests + + * removed empty lines + + Co-authored-by: Rufus Buschart + Co-authored-by: Zakir Durumeric + +commit 4d0ac7ae1afc5f04e5111cb0b8eb7ebf536de550 +Author: Daniel McCarney +Date: Sat Jan 2 14:31:26 2021 -0500 + + deps: update zmap/zcrypto to 1eef276 (#529) + +commit b691fe912db35cf719005041a5c24ba69096ce27 +Author: Zsófia Tomicskó <72446712+ZsofiaTomicsko@users.noreply.github.com> +Date: Wed Dec 23 22:24:01 2020 +0100 + + Added a new lint and tests for correlation between KU&EKU (#497) + + * Added lint and tests for KU&EKU consistency check + + * Added errors to config.json + + * update to v3 + + * removal of merge artifacts + + * corrected name of eku bits inside comments + + * no need for helper function anymore + + * replaced function with mapping + + Co-authored-by: Rufus Buschart + Co-authored-by: Zakir Durumeric + Co-authored-by: Christopher Henderson + +commit a1b837ad58380c74b25c4c92f856fe2ebc4dce90 +Author: Daniel McCarney +Date: Mon Dec 21 20:51:54 2020 -0500 + + deps: update zmap/zcrypto to deeac00. (#526) + + Most notably this includes an updated publicsuffix-go dependency with + fresher PSL data. + +commit 9e16bfc62c32ffa8f29d6ad671780334a31901f5 +Author: Daniel McCarney +Date: Mon Dec 21 12:30:42 2020 -0500 + + util: remove unused `ICANNPublicSuffixParse` helper. (#525) + + The `util.ICANNPublicSuffixParse` helper function is the only place in + ZLint that directly impots `publicsuffix-go`, and it isn't called + anywhere. 
+ + By removing this unused helper we can remove the direct dependency on + `weppos/publicsuffix-go` from ZLint. It remains a transitive dependency + via ZCrypto. + +commit f47c9d6ebeb7e2ea62b63c34b39fc03638f1d36c +Author: Daniel McCarney +Date: Mon Dec 21 12:12:50 2020 -0500 + + CI: Cleanup hacky tld-update workflow env var use. (#524) + + The `tld-update.yml` workflow needs the current date in a human readable + form to include in commit messages, PR titles, and the PR body. + Previously this was achieved in a clunky way with an env var echoed into + `$GITHUB_ENV`. + + This commit replaces that logic with a cleaner way to achieve the same + thing: setting the date string as the output of a step and then + referencing it later in the workflow. + +commit d8314a3cab4a3b971016681608f217b9a2655126 +Author: Daniel McCarney +Date: Sat Dec 12 20:30:51 2020 -0500 + + CI: Have tld-update workflow build & test pre-PR. (#521) + + Once the `tld-update.yml` github workflow job has run `go generate + ./...` and potentially created a local diff with updated gTLD data it + should also build & test. This helps ensure that if something goes + haywire and the local diff won't build/run it won't have a PR opened. 
+ +commit 83f15ca06fc8224d088fd2ffccb8e89db9735045 +Author: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> +Date: Thu Dec 10 21:34:14 2020 -0800 + + util: gtld_map autopull updates for 2020-12-11T05:27:56 UTC (#520) + + Co-authored-by: GitHub + +commit b6e5ba7064ae73cf9aa561b8dba59bd171fda062 +Author: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> +Date: Tue Dec 8 13:35:51 2020 -0500 + + util: gtld_map autopull updates for 2020-12-08T18:31:14 UTC (#518) + + Co-authored-by: GitHub + +commit 1eb11ce3552704904404d56a65f4be3511828dbf +Author: Rufus Buschart +Date: Mon Dec 7 17:33:25 2020 +0100 + + Ocsp eku check for tls certificates (#490) + + * included error overview + + * fix: see https://github.com/zmap/zlint/pull/488#discussion_r508524594 + + * add a check for OCSP responder certs + + * add lint, test and update integration config + + * added test data + + * fixes for v3 + + Co-authored-by: Daniel McCarney + +commit 662504d527366b54ce9dd58a9fb96bec1b6c8f98 +Author: Zakir Durumeric +Date: Mon Nov 30 16:15:17 2020 -0800 + + change tld updator to not be me (#516) + +commit 931c5d4d22f946f33d19a64e7d9c3668196abef1 +Author: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> +Date: Mon Nov 30 18:47:34 2020 -0500 + + util: gtld_map autopull updates for 2020-11-30T23:23:57 UTC (#514) + + Co-authored-by: zakird + +commit 12dfc1846136a481fa889340d591701a3dfaa516 +Author: Daniel McCarney +Date: Mon Nov 30 18:05:31 2020 -0500 + + CI: Add cron workflow for gTLD update PRs. (#513) + + Previously we used a separate repo with a bash script[0] hooked up to + a bot github user[1] in a Travis CI cron build to automatically create + PRs updating ZLint TLD data on a periodic basis. + + Now that we're using Github Actions we can make things much simpler and + self-contained. 
+ + This commit adds a `tld-update.yml` workflow that uses + a create-pull-request Github action to replace the separate repo/bash + script/bot user approach. + + Not only does this let us delete the bot user's write access to the + ZLint repo but it's also a smarter integration overall and won't + recreate the same PR over and over if it isn't merged right away. Lastly + the Github Actions cron schedule is more flexible so we can run the new + action once every hour instead of just once a day like the Travis + version. + + [0]: https://github.com/cpu/zlint-autopull/blob/master/autopull + [1]: https://github.com/tld-update-bot + [2]: https://github.com/peter-evans/create-pull-request + +commit fe65bae28cbc112082e21449a373f7ccf059422f +Author: Daniel McCarney +Date: Sun Nov 29 15:34:33 2020 -0500 + + project: bump major version to 3.0.0 (#510) + + * project: move v2 subdir to v3 + * project: update references from v2 to v3 + * project: bump module version + +commit 0d48ea15507cb16a08f694b8d9b64f91b601d3e7 +Author: Daniel McCarney +Date: Sun Nov 29 14:59:18 2020 -0500 + + lint: combine ZLint and AWSLabs Sources into Community. (#509) + + This commit is a breaking API change that combines the `lint.ZLint` and + `lint.AWSLabs` `lint.LintSource`'s into one: `lint.Community`. This + better matches the directory structure we store the lints under and is + more indicative of the fact that we don't intend to have perfect + matching coverage of all awslabs certlint lints. + +commit 8dc66d05deb6ef92eb21c815e151a5c805730018 +Author: Daniel McCarney +Date: Sun Nov 29 13:49:50 2020 -0500 + + Update to Go 1.15, latest , fix n_san_iana_pub_suffix_empty. (#508) + + * CI: Switch from Travis to Github Actions. + + This commit replaces the existing Travis CI integration with Github + Actions equivalents. + + Notable changes: + + * Golanci-lint had to be updated to a newer version to support the + action. I fixed a few of the new linter findings and added ignores for + others. 
+ + * Integration tests - The Github Action cache support is much more + generous (5GB!). This lets us cache the integration test corpus data + between runs saving ~1-2m each run. + + * chore: update to Go 1.15 + + This switches CI and `go.mod` to use the latest major Go release stream, + 1.15.x. + + * lints: drop one ETSI test case. + + Updates in Go 1.15 mean that an error test case that was used by + `v2/lints/etsi/lint_qcstatem_qccompliance_valid_test.go` now panics + during parse. + + Since we expect the standard library to throw an error for this case now + instead of the ZLint lint we can remove the test case. + + * deps: update ZCrypto to latest. + + * lints: rewrite n_san_iana_pub_suffix_empty. + + Reworked `n_san_iana_pub_suffix_empty`: + + While looking at this lint I noticed it has some weird behaviour: + + * It could only flag at most one info result per cert. + * It didn't include the name that tripped the result in the details. + * It would return NA for a whole cert if one name failed to parse but + with a different error than the one used to determine it's a suffix. + + I've updated the implementation to address all of the above. It collects + up a list of bad names per-cert, includes them in a details message, and + doesn't return NA for parse errors unrelated to suffixes. The unit tests + were also not table driven so I rewrote those quickly and included + a test case based on my integration test update and a test case with + multiple bare public suffixes. + + Updated integration test data: + + Here's the story about the expected integration test data change for + `n_san_iana_pub_suffix_empty` with lots of detail on the debugging process. + + First to find out what certificate changed from an info result to a pass result + I ran the integration tests with `-fingerprintSummary` for just that one lint + with both the ZCrypto version in this branch and the one on master. 
+ + ``` + make integration INT_FLAGS="-fingerprintSummary -lintFilter='n_san_iana_pub_suffix_empty'" + ``` + + I cut out the fingerprint summary and diff'd the output between versions to spot + the one certificate FP that disappeared with the updated ZCrypto. It was + `d570517b96eb7e3db7c6986f421e988fdae8f417295baade0dfc9e6edf8d12cc`. + + Next I ran the `certByFP.sh` script to pull out that cert from the corpus and + get a link to it on Censys. + + ``` + ./integration/certByFP.sh d570517b96eb7e3db7c6986f421e988fdae8f417295baade0dfc9e6edf8d12cc + + https://censys.io/certificates/d570517b96eb7e3db7c6986f421e988fdae8f417295baade0dfc9e6edf8d12cc + ``` + + Then I ran the lint with the old ZCrypto in dlv and set a breakpoint in the + lint. + + ``` + dlv debug ./cmd/zlint -- -includeNames='n_san_iana_pub_suffix_empty' -pretty ~/Downloads/UnsortedChrome/d570517b96eb7e3db7c6986f421e988fdae8f417295baade0dfc9e6edf8d12cc.pem + break pubsuffix.Execute + ``` + + I stepped through until there was a parse error and printed it: + + ``` + (dlv) p parsedName + github.com/zmap/zcrypto/x509.ParsedDomainName { + DomainString: "www.theaterpreise.ch\n\n", + ParsedDomain: *github.com/weppos/publicsuffix-go/publicsuffix.DomainName nil, + ParseError: error(*errors.errorString) *{ + s: "www.theaterpreise.ch\n\n is a suffix",},} + ``` + + A borked DNS SAN with two trailing newlines was incorrectly deemed a suffix by publicsuffix-go. + + Repeating the process with the updated ZCrypto/publicsuffix-go: + + ``` + (dlv) p parsedName + github.com/zmap/zcrypto/x509.ParsedDomainName { + DomainString: "www.theaterpreise.ch\n\n", + ParsedDomain: *github.com/weppos/publicsuffix-go/publicsuffix.DomainName { + TLD: "ch\n\n", + SLD: "theaterpreise", + TRD: "www", + Rule: *(*"github.com/weppos/publicsuffix-go/publicsuffix.Rule")(0xc000108e40),}, + ParseError: error nil,} + ``` + + No more parse error, just a whacky TLD with two newlines. 
This shouldn't return + an info result for `n_san_iana_pub_suffix_empty` and now with updated deps it + doesn't. TL;DR - old behaviour was a bug we accidentally fixed. + +commit da00f3f052ac0c0b9362486d89908755d18c748f +Author: Daniel McCarney +Date: Sat Nov 28 17:01:32 2020 -0500 + + CI: Switch from Travis to Github Actions. (#505) + + This commit replaces the existing Travis CI integration with Github + Actions equivalents. + + Notable changes: + + * Golanci-lint had to be updated to a newer version to support the + action. I fixed a few of the new linter findings and added ignores for + others. + + * Integration tests - The Github Action cache support is much more + generous (5GB!). This lets us cache the integration test corpus data + between runs saving ~1-2m each run. + +commit 7f7ef1f90617b717b1e0c80ff5c8ca588c6f84c0 +Author: Daniel McCarney +Date: Sat Nov 28 16:47:02 2020 -0500 + + lints: split Apple cert lifetime lint per-result. (#506) + + Previously the `e_tls_server_cert_valid_time_longer_than_398_days` lint + could return either an error result or a warning result. We prefer + having lints return one status level only. + + This commit breaks the lint up so that + `e_tls_server_cert_valid_time_longer_than_398_days` only handles the + error case and a new `w_tls_server_cert_valid_time_longer_than_397_days` + lint handles the warning case. 
+ +commit c42a35826efbac5643ab1b93709380efc6b08a5f +Author: Daniel McCarney +Date: Mon Nov 23 15:01:34 2020 -0500 + + lint: rename Source AppleCTPolicy -> AppleRootProgramPolicy (#501) + +commit 71e2966bbbbd8a3ae6e7ff5f07502f6f59926757 +Author: TLD Update Robot <47792085+tld-update-bot@users.noreply.github.com> +Date: Sun Nov 22 17:36:53 2020 -0500 + + gTLD autopull: 2020-11-21T16:05:09Z (#498) + + Co-authored-by: tld-update-bot + +commit 29b3fa90013c35c61f635f58f0d306a23a169a86 +Author: Zakir Durumeric +Date: Tue Nov 10 13:22:33 2020 -0800 + + Update Contributing Guidelines (#495) + + * contributing guidelines + + * Update CONTRIBUTING.md + + * Update CONTRIBUTING.md + + * Update CONTRIBUTING.md + + * Update CONTRIBUTING.md + + Co-authored-by: Daniel McCarney + + * Update CONTRIBUTING.md + + * Update CONTRIBUTING.md + + Co-authored-by: Daniel McCarney + +commit e2b36583cd24a86a63ac4d7bcd3da204b42428b8 +Author: BJ Cardon +Date: Tue Nov 10 13:08:45 2020 -0700 + + make two lints notice instead of warn, (#493) + + * make two lints notice instead of warn, closes #492 + + * update lint results in tests + + Co-authored-by: Zakir Durumeric + +commit 7b54a38ec9d5701d3d65294605c0eaa6299bf213 +Author: Rufus Buschart +Date: Mon Nov 9 21:55:08 2020 +0100 + + Improve readability of "EKU" abbreviation (#489) + + * included error overview + + * fix: see https://github.com/zmap/zlint/pull/488#discussion_r508524594 + + * improve readability + +commit f46d09c4ec0f3e1036731915a4d61938004b2d76 +Author: Rufus Buschart +Date: Tue Oct 20 23:44:45 2020 +0200 + + tests: include error/warning/info overview for integration test failures (#488) + + This commit introduces an overview of how many lints fail when the complete + integration test is being executed. This is information can be helpful when making + a change that affected multiple lints. 
+ +commit cca4a6b67f9e32a0659b60f44378660c7cd2a1f5 +Author: TLD Update Robot <47792085+tld-update-bot@users.noreply.github.com> +Date: Mon Oct 19 12:25:28 2020 -0400 + + gTLD autopull: 2020-10-19T15:48:38Z (#487) + + Co-authored-by: tld-update-bot + +commit def029d0380875e92d4dbb518875a195fad76509 +Author: Rufus Buschart +Date: Fri Oct 9 15:40:23 2020 +0200 + + misc: gitignore Visual Studio Code configuration files (#485) + +commit 1fd478276e8f96630ed888780cbbf1ac58e5a97d +Author: Rufus Buschart +Date: Fri Oct 9 15:39:26 2020 +0200 + + README: Correction of link to Siemens PKI (#486) + + Correction of the generic link to Siemens into the link to the Siemens PKI web site + +commit 5ed7e1316baa5eb001b0222645c90b76c140b195 +Author: TLD Update Robot <47792085+tld-update-bot@users.noreply.github.com> +Date: Thu Oct 8 14:03:39 2020 -0400 + + gTLD autopull: 2020-10-08T15:44:26Z (#484) + + Co-authored-by: tld-update-bot + +commit 6b73243356213d5ff575a547a6131c4d6cc05646 +Author: Hugo Stijns +Date: Tue Oct 6 19:08:57 2020 +0200 + + deps: bump golang.org/x/text to 0.3.3 to fix CVE-2020-14040 (#481) + + Package golang.org/x/text has a vulnerability which is fixed in 0.3.3. + + See: https://nvd.nist.gov/vuln/detail/CVE-2020-14040 + +commit f7543c75b181fe680a544549ad5dacf151060966 +Author: James Kasten +Date: Fri Sep 25 16:55:16 2020 -0400 + + Improve error message of ReadTestCert panic (#478) + + The error from x509.ParseCertificate was not being included within the panic.Debugging is easier if this information is retained. 
+ + Co-authored-by: Zakir Durumeric + +commit c16b5bd64d638ed745f1be545bf3e2ee16989eb6 +Author: Simon Edänge <70440015+OathMeadow@users.noreply.github.com> +Date: Thu Sep 24 21:26:09 2020 +0200 + + README: Add Nexus CM to list of users/integrations (#477) + + * README: Add Nexus CM to list of users/integrations + + * Update README.md + + Co-authored-by: Simon Edänge + Co-authored-by: Zakir Durumeric + +commit aa4e2619db00dbdea768e9afa70262f0d6af3417 +Author: TLD Update Robot <47792085+tld-update-bot@users.noreply.github.com> +Date: Tue Sep 8 11:55:19 2020 -0400 + + autopull: 2020-09-08T15:28:12Z (#470) + + Co-authored-by: tld-update-bot + +commit 2b994a741bfde638a648a759c16644724d07e708 +Author: Corey Bonnell +Date: Mon Sep 7 20:37:09 2020 -0400 + + Align Validity Period definition with RFC 5280 (#469) + + Co-authored-by: Corey Bonnell + +commit f20a717a628edc3181b9802b0879951808e02803 +Author: Daniel McCarney +Date: Wed Sep 2 20:15:53 2020 -0400 + + CONTRIBUTING: Add notes on publishing a release. (#468) + + The `CONTRIBUTING.md` docs now describe the ZLint release process. The + steps involved are roughly based on the process I've been following and + should be considered a starting point, not an immutable set of laws. + +commit e1a9412ec5b778fd39de5a475b928da88cd68433 +Author: Aaron Gable +Date: Tue Sep 1 10:28:24 2020 -0700 + + Add citation for sub-CAs to ca_digital_signature_not_set (#464) + +commit 01996c6fbb8372cdae2f4b2a82b121e69b789132 +Merge: 4666bb74 9ab0643d +Author: mtg +Date: Wed Aug 26 08:56:33 2020 +0200 + + Merge https://github.com/zmap/zlint + +commit 9ab0643df8f6ad6bac722e72851a0fd3ac7f350c +Author: Jacob Hoffman-Andrews +Date: Thu Aug 20 19:31:25 2020 -0700 + + Ballot SC31 makes OCSP optional for intermediate certificates. (#463) + + Do not merge until Ballot SC31 successfully passes its review period. + + Fixes #462. 
+ +commit 3f689d276c06aad066b36967c4af3f75f6822247 +Author: Zakir Durumeric +Date: Tue Aug 4 12:32:17 2020 -0700 + + README to suggest checking x509.ParseCertificate error (#460) + + * example to check output + + * Spacing fix + + * Update README.md + + * filter error + +commit ada09919b3bc00cbe01accb9fcf8f3e423892b6a +Author: TLD Update Robot <47792085+tld-update-bot@users.noreply.github.com> +Date: Wed Jul 29 11:45:04 2020 -0400 + + autopull: 2020-07-29T15:10:15Z (#459) + + Co-authored-by: tld-update-bot + +commit 6d02ef7694200df4173dc7e6f5b2e5dfdcbd8ebf +Author: BJ Cardon +Date: Thu Jul 23 06:59:07 2020 -0600 + + tests: add NA test case for e_tls_server_cert_valid_time_longer_than_398_days (#457) + +commit 34310bdb6e20040c6ff901468f554b14c2f7b63f +Author: BJ Cardon +Date: Tue Jul 21 19:14:49 2020 -0600 + + this lint shouldn't apply to CA certs (#456) + +commit ca9532d1d3e99a3c9dd2b6fba3f70ef699e1afc9 +Author: Andrew Caird +Date: Mon Jul 20 17:56:59 2020 -0400 + + Create options for human-readable output formats (#437) + + * Add a -summary option to print a short summary of the linting + + Linting the test file `testdata/utf8ControlX88.pem` results in: + ``` + +-------+--------------+ + | LEVEL | # OCCURANCES | + +-------+--------------+ + | info | 0 | + | warn | 7 | + | error | 15 | + | fatal | 0 | + +-------+--------------+ + ``` + + * Added -longsummary option and output + + Running: + ```sh + testdata/indivValAllBad.pem | ./zlint -longsummary + ``` + the output is: + ``` + +-------+--------------+------------------------------------------+ + | LEVEL | # OCCURANCES | DETAILS | + +-------+--------------+------------------------------------------+ + | info | 0 | - | + | warn | 1 | w_ext_san_critical_with_subject_dn | + | error | 7 | e_ca_crl_sign_not_set | + | | | e_sub_ca_crl_distribution_points_missing | + | | | e_ca_country_name_missing | + | | | e_cert_policy_iv_requires_country | + | | | e_sub_cert_not_is_ca | + | | | e_ca_key_cert_sign_not_set | + | | | 
e_ca_organization_name_missing | + | fatal | 0 | - | + +-------+--------------+------------------------------------------+ + ``` + + * spelling fix + + * Remove tablewriter dependency and reimplement the good parts + + * spelling fix + + * Fixed a missed merge :( + + * switched longsummary to longSummary; fixed output bug + + - switched `-longsummary` option to `-longSummary` to be more consistent with + existing options + + - fixed an embarrassing output bug when two categories had the same number of + errors + + * Cleaned up typos, variable names, formatting + + * parent 99579098a16c10d1d704b8b8149dd8c35329107f + author Andrew Caird 1590420366 -0400 + committer Andrew Caird 1593372751 -0400 + + Add a -summary option to print a short summary of the linting + + Linting the test file `testdata/utf8ControlX88.pem` results in: + ``` + +-------+--------------+ + | LEVEL | # OCCURANCES | + +-------+--------------+ + | info | 0 | + | warn | 7 | + | error | 15 | + | fatal | 0 | + +-------+--------------+ + ``` + + and a -longSummary option and output + + Running: + ```sh + testdata/indivValAllBad.pem | ./zlint -longsummary + ``` + the output is: + ``` + +-------+--------------+------------------------------------------+ + | LEVEL | # OCCURANCES | DETAILS | + +-------+--------------+------------------------------------------+ + | info | 0 | - | + | warn | 1 | w_ext_san_critical_with_subject_dn | + | error | 7 | e_ca_crl_sign_not_set | + | | | e_sub_ca_crl_distribution_points_missing | + | | | e_ca_country_name_missing | + | | | e_cert_policy_iv_requires_country | + | | | e_sub_cert_not_is_ca | + | | | e_ca_key_cert_sign_not_set | + | | | e_ca_organization_name_missing | + | fatal | 0 | - | + +-------+--------------+------------------------------------------+ + ``` + + * autopull: 2020-05-27T14:34:02Z (#441) + + Co-authored-by: tld-update-bot + + * gTLD autopull: 2020-05-28T14:35:00Z (#442) + + Co-authored-by: tld-update-bot + + * Moved structure creation out of function 
into a method for reporting
+
+ * Moved the formatted output routines out of main
+
+ * Changed newRT to a pointer receiver
+
+ * Changed output options to all them all; newlines for nice output
+
+ * Changed output options to allow printing of them all; newlines for nice output
+
+ Co-authored-by: Zakir Durumeric
+ Co-authored-by: Daniel McCarney
+ Co-authored-by: TLD Update Robot <47792085+tld-update-bot@users.noreply.github.com>
+ Co-authored-by: tld-update-bot
+
+commit 5f05d1d1ce935f63136a071a7cdb103ba0a6e235
+Author: TLD Update Robot <47792085+tld-update-bot@users.noreply.github.com>
+Date: Sat Jul 18 11:35:26 2020 -0400
+
+ gTLD autopull: 2020-07-18T15:05:07Z (#455)
+
+ Co-authored-by: tld-update-bot
+
+commit a9b00321fcd4fddcbec3af6e7478b67dabfb7904
+Author: TLD Update Robot <47792085+tld-update-bot@users.noreply.github.com>
+Date: Sat Jun 27 14:37:17 2020 -0400
+
+ gTLD autopull: 2020-06-27T14:52:30Z (#452)
+
+ Co-authored-by: tld-update-bot
+
+commit f530e42915b345f3cff5333ec161221e1c3a3615
+Author: Daniel McCarney
+Date: Thu Jun 25 19:17:02 2020 -0400
+
+ docs: add Entrust Datacard to README ZLInt users. (#451)
+
+ Per Bugzilla[0] Entrust reports using ZLint:
+
+ > we are using both pre-issuance linting and post-issuance linting using
+ > zlint.
+
+ [0]: https://bugzilla.mozilla.org/show_bug.cgi?id=1648472
+
+commit d4acbba05c50b44ae34d60d9e1b0fd3b34a8619f
+Author: sleevi
+Date: Fri Jun 12 17:41:17 2020 -0400
+
+ lints: cabf_br lint to verify .onion addresses are well-formed (#450)
+
+ Adds a new lint, identified as `e_san_dns_name_onion_invalid`,
+ that makes sure that the `.onion` addresses present within a
+ certificate are well-formed v2 or v3 addresses, according to
+ the v2 or v3 Rendezvous specifications.
+ + Closes #440 + +commit 84a8a2047667f1d6bda3368204ff1e258f1b8b6e +Author: sleevi +Date: Wed Jun 10 12:24:48 2020 -0400 + + Fix .onion tests to only apply to EV certificates (#449) + + Before this change, ZLint would reject .onion names in non-EV certs + via the `lint_san_dns_name_onion_not_ev_cert` lint, and if that + was suppressed, then complain about the missing Tor Service + Descriptor extension. As of CA/Browser Forum Ballot SC27, it's + allowed for v3 onion names to appear in DV/OV/IV certificates, and + the Tor Service Descriptor extension is neither required nor + prohibited for these. + + This change corrects the Tor Service Descriptor tests to properly + account for it being mandatory for EV, while optional for DV/OV/IV. + This does not introduce new lints to ensure that the address is + itself a well-formed V2 (if EV) or V3 (all types) address, which + will come in a follow-up change. + + Closes #440 + +commit ecf8678e38d1e50a2e92cb3cd35eebe12f45cc11 +Author: sleevi +Date: Thu Jun 4 21:47:15 2020 -0400 + + Move EV-specific tests to cabf_ev (#445) + +commit c820d9566a0e295070ebe3954b5fe521862d6e34 +Author: sleevi +Date: Thu Jun 4 20:58:56 2020 -0400 + + Fix the EV validity check (#447) + + The lint lint_ev_valid_time_too_long has several issues: + * It set the maximum validity as 825-days, rather than 27 months + (which is 366 + 365 + 31 + 31 + 30 = 823 days) for certs issued + before the 825-day change + * It set the source of the requirements to the BRs, rather than + the EVGs + + Co-authored-by: Zakir Durumeric + +commit 37a03da912510fb5b4b89a07f12d1f715c247812 +Author: sleevi +Date: Thu Jun 4 08:14:26 2020 -0400 + + docs: correct link to integration test documentation (#446) + +commit ce1631b8b1c6fce0348724d37a0d0b4ad62c73fa +Author: TLD Update Robot <47792085+tld-update-bot@users.noreply.github.com> +Date: Wed Jun 3 10:55:58 2020 -0400 + + autopull: 2020-06-03T14:39:17Z (#444) + + Co-authored-by: tld-update-bot + +commit 
de9eafbe63b6e03da98c681fd1b916da97779f1f +Author: Roland Bracewell Shoemaker +Date: Mon Jun 1 13:19:04 2020 -0700 + + Check tbsCertificate signature algorithm matches certificate (#436) + + * Check tbsCertificate signature algorithm matches certificate + + Per RFC 5280 section 4.1.1.2, couldn't find an existing lint. + + * Add ignore to integration + reuse tbsCert + + Co-authored-by: Daniel McCarney + +commit 82e1f43dcbc2e6ef9aa89194c0a828487f218e9f +Author: TLD Update Robot <47792085+tld-update-bot@users.noreply.github.com> +Date: Thu May 28 14:51:09 2020 -0400 + + gTLD autopull: 2020-05-28T14:35:00Z (#442) + + Co-authored-by: tld-update-bot + +commit da06a3a1d029fe8b8bd6b50d7ce20ac3da0e7664 +Author: TLD Update Robot <47792085+tld-update-bot@users.noreply.github.com> +Date: Wed May 27 11:03:53 2020 -0400 + + autopull: 2020-05-27T14:34:02Z (#441) + + Co-authored-by: tld-update-bot + +commit 99579098a16c10d1d704b8b8149dd8c35329107f +Author: Daniel McCarney +Date: Thu May 14 12:27:47 2020 -0400 + + Deps: Update ZCrypto, fix assoc. test breakage. (#435) + + * deps: update zcrypto to tip of master. + + This pulls in ZCrypto at zmap/zcrypto@16679db + + * lints: remove invalid TestEtsiTypeAsQcStmt test case. + + The `testdata/QcStmtEtsiTaggedValueCert20.pem` test certificate has an + invalid QCStatements extension value[0] and ZCrypto with support for + parsing QC Statements panics reading the test cert. + + Since ZLint can't lint certificates that ZCrypto won't parse we must + remove this test case. + + [0]: https://github.com/zmap/zlint/issues/433#issuecomment-628698981 + + * lints: rm invalid `TestEtsiQcCompliance`, `TestEtsiQcType` certs. + + Similar to the prev. commit now that ZCrypto understands QCStatement + extensions it will error parsing these test cases and so they must be + removed. This test coverage should be handled by ZCrypto. + + * integration: updates for QCStatement lint expected results. 
+ + With an updated ZCrypto there is now 1 certificate[0] from the integration + test data that no longer parses. This in turn means that the + `e_qcstatem_qctype_valid`, `n_subject_common_name_included`, + `w_qcstatem_qcpds_lang_case` and `w_qcstatem_qctype_web` lints that + previously had findings for this certificate need to have their expected + result counts adjusted. + + [0]: https://censys.io/certificates/4712f1b2a94994b55626ecba2104bbf23d39c05e7a2751e5af8a923bac23fd8f + +commit a42b7782cdb2bff02d6a18691a34611580f4b7fa +Author: Daniel McCarney +Date: Wed May 13 17:00:59 2020 -0400 + + ci: remove vendor dir, Go 1.13.x -> 1.14.x, fix integration test data (#432) + + * chore: remove vendor dir. + + Vendoring has lost favour compared to relying on the Go 1.13+ + proxy/module checksum behaviour[0]. + + [0]: https://proxy.golang.org/ + + * ci: go 1.13.x -> go1.14.x + + Also remove setting GO111MODULE and GOFLAGS. The former is already the + default since Go 1.12.x and the latter isn't required because we removed + the vendor dir. + + * ci: update expected integration test data for Go 1.14. + + New lints without result cases in our integration test data are added + with the expected set `{}`. + + Four existing lints have their expected error result tallies updated: + + 1. "e_sub_cert_locality_name_must_not_appear" + old: fatals: 0 errs: 23 warns: 0 infos: 0 + new: fatals: 0 errs: 13 warns: 0 infos: 0 + + 2. "e_sub_cert_province_must_not_appear" + old: fatals: 0 errs: 16 warns: 0 infos: 0 + new: fatals: 0 errs: 8 warns: 0 infos: 0 + + 3. "e_sub_cert_street_address_should_not_exist" + old: fatals: 0 errs: 8 warns: 0 infos: 0 + new: fatals: 0 errs: 0 warns: 0 infos: 0 + + 4. "e_sub_cert_postal_code_must_not_appear" + old: fatals: 0 errs: 8 warns: 0 infos: 0 + new: fatals: 0 errs: 0 warns: 0 infos: 0 + + These four lints previously returned an error result for certificates + that had a Subject Organization/GivenName/Surname that were encoded as + a BMPString. 
Go < 1.14.x's ASN.1 package did not support this encoding + type and so the lints assumed the field was absent, resulting in a false + positive. In Go 1.14.x+ the field is correctly decoded and the error + result is no longer applicable. + +commit bb6c7a74f1901fecf545c51af97e9e874a0260d9 +Author: Daniel McCarney +Date: Wed May 13 12:46:42 2020 -0400 + + docs: add ZLint announcements mailing list to README (#431) + + Co-authored-by: Zakir Durumeric + +commit ee0c915cbde37dd2cbea362a30bd9bf1dfe53819 +Author: Zakir Durumeric +Date: Tue May 12 13:24:17 2020 -0500 + + Adding mailing list link to README. + +commit 1e160b10bc75c589461aa5036196f07f8f38fdcb +Author: Daniel McCarney +Date: Mon May 11 10:50:57 2020 -0400 + + ci: update goreleaser install URL. (#429) + + The upstream project README[0] is using a different URL now and in my + tests the old URL has an HTTPS subject common name mismatch preventing + installation from succeeding and breaking the `make code-lint` phase of + integration tests. + + [0]: https://github.com/golangci/golangci-lint#install + +commit 3bf4bbf127fa32da92ab89abc8554d4e7d46defb +Author: MTG <36234449+mtgag@users.noreply.github.com> +Date: Mon May 11 16:02:29 2020 +0200 + + lints: enforce Mozilla PKI policy for ECDSA pubkey/sig alg curves/encoding. (#378) + + `e_mp_ecdsa_pub_key_encoding_correct`, enforces certificate ECDSA public key + algorithm identifiers are a byte-for-byte match to the required values from + Section 5.1.2 of the Mozilla root store policy or a `lint.Error` level finding + is returned. The `e_mp_ecdsa_signature_encoding_correct` lint applies similar + checks to certificate ECDSA signature algorithm identifiers. Both lints + require that the ECDSA curve in use be one of P-256 or P-384, per Moz. + policy. + + To help implement the new lints (and to simplify one existing lint), a new + utility function `util.GetPublicKeyAidEncoded` is added. 
This function returns
+ the encoded tag/length ASN.1 bytes of a certificate's `SubjectPublicKeyInfo`
+ sequence's algorithm field (or an error if the field can not be extracted).
+
+ Resolves #355, #358
+
+commit 206df7d26e1ca081025a4314c98255c69404e7c7
+Author: TLD Update Robot <47792085+tld-update-bot@users.noreply.github.com>
+Date: Thu Apr 2 15:03:03 2020 -0400
+
+ gTLD autopull: 2020-04-02T17:35:25Z (#425)
+
+ Co-authored-by: tld-update-bot
+
+commit d933f03c8465fd904602c64a7ae82abbc86e8833
+Author: TLD Update Robot <47792085+tld-update-bot@users.noreply.github.com>
+Date: Sat Mar 28 13:48:42 2020 -0400
+
+ autopull: 2020-03-28T17:34:11Z (#423)
+
+ Co-authored-by: tld-update-bot
+
+commit 4ca06954c1c903a63a217ad21930947c648920a9
+Author: John Wood
+Date: Mon Mar 23 12:56:49 2020 -0700
+
+ Fix spelling of 'distinguished' in lint descriptions (#422)
+
+commit 94d7dde424d0e8ebaee5b1abc57da7979bda55f5
+Author: Daniel McCarney
+Date: Tue Mar 17 13:28:05 2020 -0400
+
+ util: rewrite test/prepend_testcerts_openssl.sh, update testdata (#421)
+
+ * util: rewrite test/prepend_testcerts_openssl.sh
+
+ The old version needed to be run from a specific directory, didn't pass
+ `shellcheck`, and would unconditionally prepend the OpenSSL text output
+ to all certs in the testdata dir (even if they already had it).
+
+ This version should be safer and suitable to be integrated with CI in
+ a later step. It also supports taking a glob as the first argument and
+ only prepending certs that need it and have a filename that matches
+ the glob.
+
+ * testdata: add openssl -text output where missed.
+
+ This catches up all of the test data to have prepended text.
+
+ * testdata: add note to subCertLocalityNameDoesNotNeedToAppear.pem.
+
+ This test file does not parse successfully with OpenSSL 1.1.1d on my dev
+ machine. Adding a small text note about this before the PEM content
+ avoids the `v2/test/prepend_testcerts_openssl.sh` script emitting
+ a warning.
+
+ * CI: require all testdata is prepended w/ text.
+
+ This updates CI to run the `test/prepend_testcerts_openssl.sh` script
+ and fail if there are any diffs to the `testdata/` directory. This would
+ indicate there was a `.pem` file that didn't have text prepended to it.
+
+commit 83d24bd1f73e7a4ba91091ed1aa894d00ab8d68b
+Author: Daniel McCarney
+Date: Tue Mar 17 12:17:42 2020 -0400
+
+ lints: lint for upcoming Apple max cert lifetime policy. (#417)
+
+ A new `e_tls_server_cert_valid_time_longer_than_398_days` lint is added for the
+ Apple source category (presently named `lint.AppleCTPolicy`, see
+ https://github.com/zmap/zlint/issues/418).
+
+ This lint returns an error lint result if a server-auth certificate issued after
+ Sept 1st, 2020 has a lifetime > 398 days. The lifetime is calculated as Apple
+ specifies, e.g. "398 days is measured with a day being equal to 86,400
+ seconds.".
+
+ A warning result is returned if a certificate issued after Sept 1st, 2020 has
+ a lifetime > 397 days and < 398 days. This matches Apple's SHOULD-equivalent
+ recommendation to use a validity period <= 397 days in length.
+
+ See https://support.apple.com/en-us/HT211025 for more information.
+
+ Resolves https://github.com/zmap/zlint/issues/407
+
+commit cfbfdeca3ae4c583b66a9c002275f48c478495d0
+Author: TLD Update Robot <47792085+tld-update-bot@users.noreply.github.com>
+Date: Sat Mar 14 14:15:17 2020 -0400
+
+ gTLD autopull: 2020-03-14T17:26:52Z (#420)
+
+ Co-authored-by: tld-update-bot
+
+commit c7c6a31fe3969214b3fbf417d52137fc8743c37b
+Author: MTG <36234449+mtgag@users.noreply.github.com>
+Date: Thu Mar 12 16:02:02 2020 +0100
+
+ lints: enforce Mozilla PKI policy RSASSA-PSS encoding requirements (#377)
+
+ This commit adds a new Mozilla source lint
+ (`e_mp_rsassa-pss_parameters_encoding_in_signature_algorithm_correct`) for
+ enforcing the RSASSA-PSS encoding requirements for TBSCertificate signature
+ algorithm fields based on version 2.7 of the Mozilla PKI policy.
+
+ It returns an `Error` result when the RSASSA-PSS parameters of
+ a TBSCertificate's Signature algorithm field do not match the exact encoded
+ bytes specified in the Mozilla policy.
+
+commit b28794baf37819442e98e28655a8d4536681b095
+Author: Daniel McCarney
+Date: Wed Mar 11 13:01:07 2020 -0400
+
+ docs: fix template to use v2 package import. (#416)
+
+ The `template` file used by `v2/newLint.sh` needs to use the ZLint 2.0.0
+ import path for the `lint` package or building a lint created with the
+ utility will fail.
+
+commit 19685159ea30c8546bdc0463e40dd07d01902034
+Author: Zakir Durumeric
+Date: Thu Mar 5 05:50:35 2020 -0800
+
+ lints: disallow reserved iPAddresses in NCs (#414)
+
+ Co-authored-by: Zakir Durumeric
+
+commit 48bf6ee88374e55cd233d713175690c0c241b24f
+Author: Zakir Durumeric
+Date: Wed Mar 4 11:29:45 2020 -0800
+
+ remove lisp reserved range since no longer IANA reserved (#415)
+
+ * remove lisp reserved range since no longer IANA reserved
+
+ * go way of deprecating const
+
+ * replacing README, bad change made it in. Will get corrected with squash
+
+commit 3329bb69d206198706abc7c84eccb59011bd9de5
+Author: BJ Cardon
+Date: Tue Feb 25 17:28:21 2020 -0500
+
+ README: fix a typo and fix the example for LintCertificateEx (#409)
+
+commit 5b2df5c915f1d73dbfcd4f2ac2a6241103fbc4a3
+Author: MTG <36234449+mtgag@users.noreply.github.com>
+Date: Wed Feb 19 15:24:42 2020 +0100
+
+ lints: enforce Mozilla PKI policy omission of id-RSASSA-PSS oid (#376)
+
+ Adds new Mozilla sourced lint, `e_mp_rsassa-pss_in_spki`, that enforces Section 5.1.1
+ of the v2.7 Mozilla PKI policy[0]:
+
+ CAs MUST NOT use the id-RSASSA-PSS OID (1.2.840.113549.1.1.10) within a SubjectPublicKeyInfo to represent a RSA key.
+
+ [0]: https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/
+
+commit 36d042eba350cc658fc10997693ce44eb8fa616d
+Author: Daniel McCarney
+Date: Fri Feb 14 14:01:39 2020 -0500
+
+ ci: try and fix goreleaser for v2 structure (round 2) (#406)
+
+commit a03f7226d0faf5b92aec5aaa4d6f7fd1d942a710
+Author: Daniel McCarney
+Date: Fri Feb 14 12:53:54 2020 -0500
+
+ ci: try and fix goreleaser for v2 structure (#405)
+
+ * ci: try moving .goreleaser.yml to v2/
+ * ci: update main path
+
+commit fd40f579253ea1ebfb18a585ab5cd8e7dcde61aa
+Author: David Adrian
+Date: Thu Feb 13 18:34:21 2020 -0500
+
+ Fix v2 with go.mod (#398)
+
+ https://github.com/zmap/zlint/pull/398
+
+ Adopt the **Major Subdirectory** approach from
+ https://github.com/golang/go/wiki/Modules#releasing-modules-v2-or-higher
+
+ ### Effects:
+
+ * Moves all code into a `v2` subdirectory. Consumers of ZLint v2 will need to change their imports in go to `github.com/zmap/zlint/v2` and update `go.mod` accordingly.
+ * Old versions of ZLint are still fetchable via `go.mod` and version pinning, e.g. `require github.com/zmap/zlint@1.1.0`
+ * People using `go get` without modules are going to have all their code break. However, this was going to happen regardless of what we do with our directories because we made breaking changes to our code.
+
+ ### Patching old versions
+
+ To patch an old version (pre-2.0), we would need to branch off of one of the old tags. To avoid this, we could attempt to maintain support for 1.1.0 by implementing another point release at the top-level directory on top of `v2`, and then exposing the old API's above the v2 directory (see https://github.com/rsc/quote/blob/master/quote.go as an example). However, I don't believe we plan on supporting old versions at all, so there's no reason to do this. On the off chance we do need to cut a point release for 1.1.0, we can use Git.
+
+ ### Why not use the Major Branch approach
+
+ When not maintaining support for v1 side-by-side with v2, the major branch approach is identical to the Major Subdirectory approach from a Git standpoint---point release for v1 would need to be done on branches. However, it does then have the side effect that the import path for your code no longer matches the directory structure of your code. Effectively, we could `mv` all of the `v2` directory back up to the top-level, claim the name `...v2/`, and use `v2` in all of our import paths. While this might look cleaner from a Git repo standpoint, my gut sense is that we may as well match the directories to the import path, since that's slightly easier to grok.
+
+commit 53441bdd36c98f9d85ece445effe95d9c283f1c8
+Author: Paschalis Korosoglou <824785+pkoro@users.noreply.github.com>
+Date: Thu Feb 13 22:38:04 2020 +0200
+
+ misc: update newLint.sh script and contributing guide. (#397)
+
+ * Minor changes in lint generator script
+ * Modifies package name per new lint
+ * Adds variable LINTNAME and seperates it from actual filename
+
+commit 24e7a0db2810c5364d9e42efbfdb6d6a6940aeca
+Author: Daniel McCarney
+Date: Tue Feb 11 15:38:46 2020 -0500
+
+ README: Update, split out a CONTRIBUTING.md (#386)
+
+commit 79424f2a127788b83b973b5279ac7bd873705677
+Author: Daniel McCarney
+Date: Tue Feb 11 15:10:50 2020 -0500
+
+ cmd/zlint: fix panic w/ deref of nil registry. (#385)
+
+ This fixes a panic that can occur when there are no filtering arguments
+ provided to the `zlint` command line tool.
+
+ This occurs because `setLints` returned a `nil` `Registry` when the intention
+ was to use the global registry.
+ + Before fix: + ``` + $ zlint -list-lints-source + panic: runtime error: invalid memory address or nil pointer dereference + [signal SIGSEGV: segmentation violation code=0x1 addr=0x38 pc=0x717bd0] + + goroutine 1 [running]: + main.main() + /home/daniel/go/src/github.com/zmap/zlint/cmd/zlint/main.go:85 +0xe0 + ``` + + After fix: + ``` + $ zlint -list-lints-source + AWSLabs + Apple + CABF_BR + CABF_EV + ETSI_ESI + Mozilla + RFC5280 + RFC5480 + RFC5891 + ZLint + ``` + +commit 7741587316b5f34b13c0f4849816dd33697f5f19 +Author: Daniel McCarney +Date: Tue Feb 11 13:43:45 2020 -0500 + + zlint: refactor lint reg., allow filtering lints used. (#372) + + This replaces the exported `lint.LintMap` field (`map[string]*Lint`) that was used by `RegisterLint` with a more robust solution based around a `Registry` interface. This allows ZLint users to include/exclude lints by name or source. + + ## Top Level API + + The `lint.RegisterLint` function remains the same, meaning individual lints are not changed. Lints that call this function are added to the global registry. Clients can access this registry with `lint.GlobalRegistry()`. Similarly the top level `zlint.LintCertificate` remains unchanged. It lints the provided cert with all lints in the global registry. + + The old `zlint.LintCertificateFiltered` function that accepted a lint name regex to filter the lints applied is replaced by a new function `zlint.LintCertificateEx` that allows specifying a `lint.Registry` explicitly. The same regex filtering can be done by pre-filtering the provided registry (See notes below). + + The `lint.Source` type was changed from an int enum to a string enum. This makes it easier to work with as a consumer (e.g. via command line flags, and JSON output) and since the number of lints (and sources) is small the benefits to using an int enum type are minimal. The serialized form of Lints now includes the `Source` field in the output as `"source"`. 
+ + ## Registry + + The `Registry` interface also allows finding all lint names with `Names()`, finding all lint sources with `Sources()`, finding a specific lint by name with `ByName()`, and finding all lints for a given source + with `BySource()`. + + The `zlint.EncodeLintDescriptionsToJSON` function is now implemented by the `Registry` interface as `WriteJSON`. This makes it easier to encode a subset of the Registry's lints by filtering the global registry. + + ~Like before (with the exported `map[string]*Lint`) the registry is not safe for concurrent updates. That's fine for the current ZLint codebase but is something we may want to consider addressing in the future.~ _Edit: I decided it made sense to add locking to future proof the implementation for thread safety, see 6072e24 The implementation in this branch is now safe for concurrent access/registration_ + + ## Registry Filtering + + Filtering of lints to be run is now done with the `lint.Registry.Filter` function and corresponding `lint.FilterOptions` type. This allows filtering a registry to include/exclude lints by name (or using a name regex), and to include/exclude lints by source. + + By filtering the global registry and then providing it explicitly to `zlint.LintCertificateEx` callers have control over exactly what lints will be applied. + + Filtering operations are applied with the following precedence: excludes by source > includes by source > excludes by name > includes by name. + + E.g. excluding a source and then trying to include a lint in that excluded source by name will not work. The source exclusion happens first. + + ## ZLint CMD Updates + + The `zlint` command (`cmd/zlint/main.go`) is updated to add four new command line flags: + + 1. `-list-lints-sources` - Prints a list of lint sources, one per line. + 2. `-excludeSources` - Comma-separated list of lint sources to exclude. + 3. `-includeSources` - Comma-separated list of lint sources to include. + 4. 
`-nameFilter` - Regex used to match lint names to include (cannot be used at the same time as `-excludeSources` or `-includeSources) + + Two existing flags are renamed: + + 1. `-include` becomes `-includeNames` + 2. `-exclude` becomes `-excludeNames`. + + Notably all three list flags (`-list-lints-json`, `-list-lints-schema` and `-list-lints-sources`) now operate **after** applying the include/exclude filters, allowing an easy way to find which lints/sources will be run with the filtered command line flags in use. + + ## Integration Test Updates + + Matching the `zlint` command the integration test (`integration/integration_test.go`) command line flags are updated to allow including/excluding lints by source. + + Resolves https://github.com/zmap/zlint/issues/344 + +commit 4666bb74318f221c77ca69616603d2e897d7cd3e +Author: mtg +Date: Tue Feb 4 17:58:04 2020 +0100 + + Revert "lint about the encoding of qcstatements for PSD2" + + This reverts commit 6c2367080d148f4b8c01f96a4c80e3ac55d1ef26. + +commit 6c2367080d148f4b8c01f96a4c80e3ac55d1ef26 +Author: mtg +Date: Tue Feb 4 17:45:58 2020 +0100 + + lint about the encoding of qcstatements for PSD2 + +commit 72fb7ad5f84659029286854606d828ead7ef38ef +Author: Daniel McCarney +Date: Mon Feb 3 14:01:15 2020 -0500 + + project: add goreleaser configuration. (#374) + + Adds configuration for GoReleaser to the project/CI. + + By default releases are added to the repository in draft status. This gives + maintainers a chance to write the release notes/changelog and verify the build + artifacts before publishing the release. Tags with "rc" in the name will be + marked as pre-release candidates automatically. 
+
+ Updates #351
+
+commit 8a37cc71af2ae1d62f62add5174f34626a3278d6
+Author: TLD Update Robot <47792085+tld-update-bot@users.noreply.github.com>
+Date: Thu Jan 30 12:28:05 2020 -0500
+
+ gTLD autopull: 2020-01-30T17:10:08Z (#375)
+
+commit 11071233ae3b140047b71612ea934e86b0bd2d66
+Author: Daniel McCarney
+Date: Wed Jan 29 11:51:51 2020 -0500
+
+ deps: update golang.org/crypto/cryptobyte to 8b5121be2f68. (#373)
+
+ This addresses CVE-2020-7919[0]:
+
+ > On 32-bit architectures, a malformed input to crypto/x509 or the ASN.1
+ parsing functions of golang.org/x/crypto/cryptobyte can lead to a panic.
+
+ [0]: https://groups.google.com/forum/?utm_medium=email&utm_source=footer#!msg/golang-announce/Hsw4mHYc470/WJeW5wguEgAJ
+
+commit 77026f684b414c0e84106407bf93f1cbfdba0ed8
+Author: Jacob Hoffman-Andrews
+Date: Wed Jan 22 15:24:26 2020 -0800
+
+ Add reference to RFC 6818 to clarify explicitText (#370)
+
+commit c0407b6a75c49ca02e2dcbc9e3aad1cee89596ba
+Author: Daniel McCarney
+Date: Tue Jan 21 11:24:44 2020 -0500
+
+ lints: improve template_test.go (#367)
+
+ Rather than hardcode a mapping of `LintSource` to package directory that
+ needs to be maintained the `template_test.go` logic should just walk the
+ filesystem under the `lints/` directory and check all `.go` files.
+
+ This makes a smaller `lint` API, removes two places that need to be kept
+ up to date with new `LintSource`s and results in a test that is robust
+ against further subdirectory modifications (e.g. a structure deeper than
+ 1 package below `lints`).
+
+commit dbb54ce28280eff52888ff9083ad3c4f26cbf214
+Author: Daniel McCarney
+Date: Sun Jan 19 15:28:31 2020 -0500
+
+ lints/mozilla: fix moz lint packages (#365)
+
+ * lints/mozilla: fix package names
+
+ * lint: add Moz source to list/Directory
+
+ Co-authored-by: Zakir Durumeric
+
+commit cc90ed6cceeb23e77e84277c6c99d82f365bedfc
+Author: Daniel McCarney
+Date: Sun Jan 19 15:10:33 2020 -0500
+
+ test: more comments in helpers.go (#366)
+
+ I had left this commit with some additional comments out of #364 by
+ mistake.
+
+commit 2cce20392ad0045f265595820b66914e2f844bd8
+Author: Daniel McCarney
+Date: Fri Jan 17 17:57:32 2020 -0500
+
+ lints: better test utils, avoid accessing lint.Lints directly (#364)
+
+ * testlint: remove unused testDef dir/json data
+
+ * testlint: move prepend_openssl.sh to test/
+
+ * test: update paths in prepend_testcerts_openssl.sh
+
+ * testlint: move all test certs to testdata/
+
+ * test: fix helpers.go package/paths
+
+ * lints: refactor all lints to use new test helpers.
+
+ This avoids needing to access `lint.Lints` (soon to be un-exported) and
+ also removes a lot of duplication (particularly of test data paths).
+
+commit 566701eb88d3c0987bec9b8d7fa8b91eaea6202a
+Author: Daniel McCarney
+Date: Thu Jan 16 12:18:29 2020 -0500
+
+ Lints: add new lints for Mozilla Root Store Policy (adopted) (#353)
+
+ * Lints: add new lints for Mozilla Root Store Policy.
+
+ * Split Mozilla Root Store Policy RSA key lint
+
+ Mozilla Root Store Policy contains multiple different requirements on
+ RSA keys. All these were tested in a single lint. These split into two
+ different lints based on the different requirement.
+
+ * Deleted old Mozilla Root Store Policy RSA key lint.
+
+ * Moved hasEKU() to util package.
+
+ * Added fetching Mozilla Trust Store SPKIs.
+
+ * Added cross-cert detection for MP EKU lint.
+
+ * Added fatal error details to MP AuthKeyID lint.
+
+ * Minor style change.
+
+ * Added error details to MP ECDSA lint.
+
+ * Renamed lint_mp_allowed_rsa_keys_exponent to e_mp_exponent_cannot_be_one.
+
+ * Split RSA modulus lints into two files.
+
+ * Minor fix in test function name.
+
+ * Update lints/lint_mp_modulus_must_be_divisible_by_8.go
+
+ Co-Authored-By: Daniel McCarney
+
+ * Update lints/lint_mp_modulus_must_be_divisible_by_8.go
+
+ Co-Authored-By: Daniel McCarney
+
+ * Update lints/lint_mp_modulus_must_be_divisible_by_8.go
+
+ Co-Authored-By: Daniel McCarney
+
+ * Update lints/lint_mp_modulus_must_be_2048_bits_or_more.go
+
+ Co-Authored-By: Daniel McCarney
+
+ * Update lints/lint_mp_exponent_cannot_be_one.go
+
+ Co-Authored-By: Daniel McCarney
+
+ * Update lints/lint_mp_modulus_must_be_2048_bits_or_more.go
+
+ Co-Authored-By: Daniel McCarney
+
+ * Update lints/lint_mp_modulus_must_be_2048_bits_or_more.go
+
+ Co-Authored-By: Daniel McCarney
+
+ * Fixed incorrect commits by github ui.
+
+ * Minor syntax change.
+
+ * Removed zlint-mozilla-trusted-roots-update.
+
+ * Renamed IsSPKIMozillaTrusted() to IsInMozillaRootStore().
+
+ * lints: move lint_mp_* to lints/mozilla
+
+ * lints: remove unneeded .gitinclude
+
+ * lints/mozilla: fix build breakages from refactoring in master
+
+ * lint: add src link for MozillaRootStorePolicy
+
+ * zlint: run Mozilla lints
+
+ * util: remove IsInMozillaRootStore and assoc. data.
+
+ We'll return to this requirement in a subsequent PR when the tooling to
+ generate the data can be reviewed and automated.
+
+ * lints/mozilla: demote lint_mp_allowed_eku to notice
+
+ * lints/mozilla; simplify lint_mp_ecdsa_allowed_algo CheckApplies.
+
+ * lints/mozilla: rename ecdsa_allowed_algorithm -> ecdsa_allowed_curve_hash_pair.
+
+ * lints/mozilla: add ecdsa curve/hash pair err detail.
+
+ * lints/mozilla: ref trusted roots data issue num
+
+ * lints/mozilla: fix mp_allowed_eku lint name
+
+ * lints/mozilla: clarify allowed_eku desc
+
+ * lints/mozilla: use 0 for err return from getSigningKeySize
+
+ * lints/mozilla: assume CheckApplies works
+
+ * lints/mozilla: remove `e_mp_ecdsa_allowed_curve_hash_pair`.
+
+ * integration: add vetted expected results for Moz. lints
+
+ Co-authored-by: Fotis Loukos
+ Co-authored-by: Zakir Durumeric
+
+commit ea19827801ed54974eb244b531d22ff4ca585eb9
+Author: Daniel McCarney
+Date: Mon Jan 13 15:21:56 2020 -0500
+
+ README: fix crt.sh link target. (#349)
+
+commit 4a01d2e8f105d7ff317aad339e98a5fe1e10b7d9
+Author: Daniel McCarney
+Date: Mon Jan 13 14:09:57 2020 -0500
+
+ README: Link to company sites, not bugzilla bugs. (#348)
+
+commit 2c5688ec6e9eec503e31523ac7324922a41fc84f
+Author: James Kasten
+Date: Mon Jan 13 10:43:35 2020 -0800
+
+ README: Add Google Trust Services to list of users/integrations (#347)
+
+ Self reporting. There are aren't any associated bugs or posts about this, hence the lack of a link.
+
+commit b7425cbf555a5a2b443aa1bdeea976e5e25f7065
+Author: Daniel McCarney
+Date: Tue Jan 7 15:19:56 2020 -0500
+
+ lints: add more context to `w_subject_contains_malformed_arpa_ip`. (#345)
+
+ Section 7.1.4.2.1 of the BRs is a good citation for
+ `e_subject_contains_reserved_arpa_ip` but isn't a great choice for
+ `w_subject_contains_malformed_arpa_ip`.
+
+ When the `.arpa` address doesn't have enough labels, or can't be parsed as an IP
+ address it's clear that it isn't an internal IP address and so 7.1.4.2.1 isn't
+ a good citation. Section 3.2.2.6 talks about wildcard domains for "registry
+ controlled" zones, and `.arpa` is one of those (based on BCP49). A wildcard
+ label is one way the `.arpa` domain wouldn't parse as an IP.
+
+ While the larger discussion on how `.arpa` domains that aren't formatted per RFC
+ 3596 unfolds we can ref 3.2.2.6 and add a bit more context to the lint and
+ description.
It isn't perfect, but I think less confusing than ref'ing + 7.1.4.2.1, which clearly doesn't apply. + + See also https://github.com/zmap/zlint/issues/343 + +commit 9bba7b7e572cd92a5b6d74ad0520522f45277ffc +Author: Daniel McCarney +Date: Mon Jan 6 13:56:08 2020 -0500 + + lints: warn for RSA-PSS sigalg in cabf lint, not err. (#342) + + The `e_signature_algorithm_not_supported` lint enforces Section 6.1.5 of + the baseline requirements by checking certificate signature algorithms + against a fixed set. Previously this set did not include the RSA-PSS + signature algorithms and would mistakenly flag certificates signed with + a RSA-PSS algorithm with an error result. + + The BRs do not forbid using RSA-PSS signature algorithms (provided the + associated digest algorithm is one of the three approved in 6.1.5). The + Mozilla root program requirements do forbid RSA-PSS in v2.7+ but that + should be checked in a separate Mozilla scoped lint. + + This commit adjusts the `e_signature_algorithm_not_supported` lint to + return `lint.Warn` for RSA-PSS with SHA256, SHA384 or SHA512. + + See #326 for more background. + +commit 359be75f66a8c0ee0ea2f7f8fcaed3df4095e32a +Author: TLD Update Robot <47792085+tld-update-bot@users.noreply.github.com> +Date: Mon Jan 6 12:11:54 2020 -0500 + + gTLD autopull: 2020-01-06T16:47:48Z (#341) + +commit 86bcc674785a38a8bc72dcc306ee5a9572c3c0fb +Author: Daniel McCarney +Date: Fri Jan 3 13:07:16 2020 -0500 + + Misc. cleanups, unit test for finding leftover template bits. (#340) + + * tests: remove gofmt_test.go + + The golangci-lint pass run in CI includes an equivalent test. If folks + want to test for unformatted code locally install the linter and run + `golangci-lint run` in the root directory. This will flag findings + above and beyond `gofmt` problems ahead of CI failing. + + * lints: remove commented out code. + + In three cases, remove a comment ahead of a return that added no + useful context. 
+ + In `lints/community/lint_rsa_exp_negative_test.go` remove a commented + out test case for a negative RSA exponent. The test code doesn't build + as-is and the referenced test cert (`rsaExpNegative.pem`) doesn't exist + in-tree. A TODO is left to indicate there's missing test coverage for + later follow-up. + + * lints: fix "certtificate" comment typo. + + * lints: fix tabs in ref text for lint_sub_cert_or_sub_ca_using_sha1. + + * lints: fix field name ref. in lint Descriptions. + + These two lints mistakenly said in their `Description` that they only + check the `DNSNames` field of the certificate when in fact they only + check the `IANDNSNames` field. There are two corresponding lints + (`lints/community/lint_san_wildcard_not_first.go` and + `lints/community/lint_san_bare_wildcard.go`) that check `DNSNames`. + + * lints: add slice of known LintSources, test for templating leftovers. + + There should never be finished lint source code that contains template + text intended to be replaced by the programmer. A new + `TestLeftoverTemplates` unit test is added to make sure we enforce this + during CI to lessen the burden on code reviewers to catch this problem. 
+ + * tests: use full path in TestLeftoverTemplates errs + + * lints: fix TestLeftoverTemplates findings + + Prior to these fixes all of the modified files had templating leftovers: + ``` + === RUN TestLeftoverTemplates + --- FAIL: TestLeftoverTemplates (0.01s) + template_test.go:49: Lint "cabf_br/lint_root_ca_extended_key_usage_present.go" contains template leftover "// Add actual lint here" + template_test.go:49: Lint "cabf_br/lint_root_ca_key_usage_present.go" contains template leftover "// Add actual lint here" + template_test.go:49: Lint "cabf_br/lint_sub_cert_cert_policy_empty.go" contains template leftover "// Add actual lint here" + template_test.go:49: Lint "cabf_br/lint_sub_cert_certificate_policies_missing.go" contains template leftover "// Add actual lint here" + template_test.go:49: Lint "cabf_br/lint_sub_cert_crl_distribution_points_does_not_contain_url.go" contains template leftover "// Add actual lint here" + template_test.go:49: Lint "cabf_br/lint_sub_cert_eku_extra_values.go" contains template leftover "// Add actual lint here" + template_test.go:49: Lint "cabf_br/lint_sub_cert_eku_missing.go" contains template leftover "// Add actual lint here" + template_test.go:49: Lint "cabf_br/lint_sub_cert_eku_server_auth_client_auth_missing.go" contains template leftover "// Add actual lint here" + template_test.go:49: Lint "cabf_br/lint_sub_cert_key_usage_cert_sign_bit_set.go" contains template leftover "// Add actual lint here" + template_test.go:49: Lint "cabf_br/lint_sub_cert_key_usage_crl_sign_bit_set.go" contains template leftover "// Add actual lint here" + template_test.go:49: Lint "rfc/lint_basic_constraints_not_critical.go" contains template leftover "// Add actual lint here" + template_test.go:49: Lint "rfc/lint_ext_key_usage_not_critical.go" contains template leftover "// Add actual lint here" + template_test.go:49: Lint "rfc/lint_basic_constraints_not_critical.go" contains template leftover "// Add actual lint here" + template_test.go:49: Lint 
"rfc/lint_ext_key_usage_not_critical.go" contains template leftover "// Add actual lint here" + template_test.go:49: Lint "rfc/lint_basic_constraints_not_critical.go" contains template leftover "// Add actual lint here" + template_test.go:49: Lint "rfc/lint_ext_key_usage_not_critical.go" contains template leftover "// Add actual lint here" + FAIL + FAIL command-line-arguments 0.017s + FAIL + ``` + + * lints: update template test with another string, fix occurrences. + + ``` + === RUN TestLeftoverTemplates + --- FAIL: TestLeftoverTemplates (0.01s) + template_test.go:50: Lint "cabf_br/lint_sub_ca_name_constraints_not_critical.go" contains template leftover "Change this to match source TEXT" + template_test.go:50: Lint "community/lint_validity_time_not_positive.go" contains template leftover "Change this to match source TEXT" + template_test.go:50: Lint "community/lint_validity_time_not_positive.go" contains template leftover "Change this to match source TEXT" + FAIL + FAIL command-line-arguments 0.017s + FAIL + ``` + + * lints: move lint_ian_bare_wildcard.go from RFC to community. + + It cites RFC 5280 but that RFC doesn't prescribe any semantics to the + use of wildcards in DNSNames or elsewhere. I suspect this lint actually + came from AWSLabs, similar to `lint_ian_wildcard_not_first.go` and + `lint_san_bare_wildcard.go`, both of which are already in + `lints/community/`. + + * lints: fix moved lint_ian_bare_wildcard.go source/category/package + + * lints: fix off-by-one in RFC max length lint Descs. + + The upper bounds being enforced against in the changed lints are + inclusive. The lint tests were doing the right thing but the + descriptions incorrectly described the boundary as if it were exclusive. 
+
+ For comparison the following lints already did the right thing already
+ and had the UB+1 in the desc:
+ ```
+ lints/rfc/lint_subject_given_name_max_length.go
+ lints/rfc/lint_subject_postal_code_max_length.go
+ lints/rfc/lint_subject_street_address_max_length.go
+ lints/rfc/lint_subject_surname_max_length.go
+ ```
+
+ * lint: revert accidental whitespace diff
+
+commit e3ad0f9eba10b1fa0ee70e6581a627cdfeaa590c
+Author: Zakir Durumeric
+Date: Thu Jan 2 17:15:59 2020 -0500
+
+ Split of lints into directories by source (#337)
+
+ * initial pass at a dissection
+
+ * moving in new lints
+
+ * second pass on directories for lints
+
+ * lints in better shape
+
+ * make zlint work again
+
+ * tests pass.
+
+ * updating copyright while I'm making large sweeping changes
+
+ * missing an important file
+
+ * apparently a random util file wasn't go'fmted?????
+
+ * integration tests fixes
+
+ Co-authored-by: Daniel McCarney
+
+commit 0ab41f2f58a96458f8311f3afbce35381d2addc1
+Author: Zakir Durumeric
+Date: Sat Dec 28 12:57:59 2019 -0600
+
+ README: add note about small PRs (#339)
+
+commit 257d49ddebf672fc0c581d7efdd3e62175b891e4
+Author: TLD Update Robot <47792085+tld-update-bot@users.noreply.github.com>
+Date: Wed Dec 25 11:56:00 2019 -0500
+
+ gTLD autopull: 2019-12-25T16:40:11Z (#338)
+
+commit c74b45bf8ea3d3ba26201c53582bc3d9b6e0de3a
+Author: Daniel McCarney
+Date: Mon Dec 9 16:40:10 2019 -0500
+
+ CI: Add golangci-lint, enforce Go best practices (#335)
+
+ * tidy: rename test functions so they are run.
+
+ Unit tests functions must be named with `Test` as a prefix or they won't
+ be run. This fixes an `unused` golangci-lint finding for this file.
+
+ * tidy: remove unused functions.
+
+ Neither of these functions are being used anywhere. Deleting them fixes
+ a `golangci-lint` finding from the `unused` linter.
+ + * tidy: cleanup errcheck finding + + * tidy: cleanup errcheck finding + + * tidy: fixup all gosimple golangci-lint findings + + * tidy: fix ineffassign golangci-lint findings + + * tidy: cleanup gocritic golangci-lint finding + + * tidy: fix golangci-lint goimports findings + + * tidy: fix golangci-lint nakedret finding + + * tidy: ignore golangci-lint interfacer for one func + + * tidy: fix golangci-lint misspell finding + + * tidy: add some gocyclo lint ignores + + * CI: enforce golangci-lint. + +commit 872e43139cd4269530ec2b237c5643e352a45fa3 +Author: TLD Update Robot <47792085+tld-update-bot@users.noreply.github.com> +Date: Fri Dec 6 11:47:41 2019 -0500 + + gTLD autopull: 2019-12-06T16:32:55Z (#334) + +commit 71201e7f6c374a07357066504a13577aed052cf6 (tag: v1.1.0) +Author: TLD Update Robot <47792085+tld-update-bot@users.noreply.github.com> +Date: Mon Dec 2 11:56:38 2019 -0500 + + gTLD autopull: 2019-12-02T16:31:54Z (#333) + +commit 9f4f7099a6efd817b6a8d9c67249b6c505cea27e +Author: Daniel McCarney +Date: Tue Nov 26 12:22:20 2019 -0500 + + README: Add Camerfirma to users list. (#331) + +commit 5b9959d6ee45ffa6d9368aea8c08897e9115dbea +Author: Daniel McCarney +Date: Tue Nov 26 12:19:44 2019 -0500 + + lints: add w_extra_subject_common_names lint (#330) + + The BRs don't expressly forbid having multiple subject common names but it + seems counter to the intentions of section 7.1.4.2.2 and generally weird enough + that ZLint should produce a Warn level finding (like cablint does already). + + To implement this lint `github.com/zmap/zcrypto` is updated to 7f2fe6f + the tip of master at the time of writing. Notably this brings in a change that + stores multiple subject CN values into the `Certificate.Subject` `pkix.Name` + field. + + Along the way, I bumped the Go mod version to 1.13 and updated the README to + reflect we expect Go 1.13+ to use zlint master (it's what our CI is using + already). + + Integration tests flagged 16 certificates tripping the new lint. 
Those + certificates are: + + https://censys.io/certificates/1cd00ff04092b4c2faa7becd76c44f0a7ca38fbb2269d1588d81756159ca6ec6 + https://censys.io/certificates/2242b07bb4393996a940a01eb08336849a5d199410715c0af3e8c6a5cd007932 + https://censys.io/certificates/225d57740aa0a824c164f7c5994cccbe8627310d573c793632005e170ee07699 + https://censys.io/certificates/22aa2d265a69c95792967a9c182928e01c8bfbcab1667e6e9e0259dd31041e7f + https://censys.io/certificates/2b09e53182a4ef6e440b3c39f90f3d91d8e98a6d973233d323956981e0674deb + https://censys.io/certificates/2cff4e44a9fb9563e55217300f4d5e49f73c20101aed5725e7b6b04d539cff9e + https://censys.io/certificates/6b1db534a22b2a3ce9eaa54b5ce8720391db6ca60014edd2ff4b78d7bffc2cb9 + https://censys.io/certificates/7d95620a0993673e289e0ae894566dd6c0b03e936d1c0a4d3484d8898d9296ae + https://censys.io/certificates/824c4c4f893962023dc256d48ce52ac667f7b504e9a46947c3207b57f64d7ad0 + https://censys.io/certificates/8795bcd44516c8643d2a41a6da735d556b989a4c2c96c974bb11c0811404f479 + https://censys.io/certificates/a04c2da1bccb1a97c6a882a4b8688941673adc715d8d2769eec345cb1c4e3b52 + https://censys.io/certificates/c289369fed510acf2653b8a8eb8bee949d3c18f8d8a2817c6373ad2ec7e789d9 + https://censys.io/certificates/c6bb0cb620135851db0eb8ca54d0e8b77c1565683e405a3177e460e8fd3cd9cc + https://censys.io/certificates/e18e4a9277e96542371436a1b78f1d3e09bf1095a44d2e7c02e049945a3dd66a + https://censys.io/certificates/f006baa460163b35cbc35d96ffb20aa1ec27f2a8edf5db99a8ad51ab7b5bb88b + https://censys.io/certificates/f658d49a2dc3332e2e0d893cbeb3d982d404bf5bf17d7e2e925e38ba7093e174 + + All of them were checked to ensure that they do in fact have multiple subject + common names and are being linted correctly. + + I also took this as a chance to describe the process of adding a new lint and + updating the golden data for `integration/README.md`. 
+
+commit 227314aaca984cd9137bdf34796b294566e8725f
+Author: Daniel McCarney
+Date: Sun Nov 24 16:51:13 2019 -0500
+
+ integration: restructure expected data to use lints vs. cert FPs (#329)
+
+ * integration: small TestMain tidy-up chore.
+
+ * integration: rename -summary flag to be more specific
+
+ * integration: rename -force to -forceDownload.
+
+ * integration: add -overwriteExpected flag
+
+ * integration: add -lintSummarize, results by lint name.
+
+ * integration: rename result type to resultCount
+
+ * integration: cleaner resultCount increment
+
+ * integration: sort summary output.
+
+ * integration: support filtering by fp/lint name
+
+ * integration: add small certByFP.sh util script
+
+ * makefile: add more integration examples.
+
+ * integration: track expected by lint instead of cert fp.
+
+ * README: first pass at integration test docs
+
+ * integration: show # of files left to download
+
+ * CI: remove data caching.
+
+ Per Travis docs the cache is fetched over the network from an
+ S3-like-service and isn't any faster than downloading the data directly
+ from Github for our use-case. Removing the caching saves us from
+ spending time at the end of builds uploading the new cache data back to
+ the cloud.
+
+ * integration: fix progress print format args
+
+ * integration: print loading progress
+
+ * integration: refine README
+
+ * integration: README clarifications.
+ +commit 6ba0b4dbc15bab5dd75635674bbe59e9b5c3ad59 +Author: TLD Update Robot <47792085+tld-update-bot@users.noreply.github.com> +Date: Wed Nov 20 11:59:22 2019 -0500 + + gTLD autopull: 2019-11-20T16:25:28Z (#327) + +commit eea5fe83935a0904234975899617923cd3a0e83e +Author: TLD Update Robot <47792085+tld-update-bot@users.noreply.github.com> +Date: Fri Nov 15 11:40:49 2019 -0500 + + gTLD autopull: 2019-11-15T16:23:46Z (#325) + +commit 7314deb0a2a11b829a1144d21ec75d16b587e8f4 +Author: Daniel McCarney +Date: Mon Sep 30 12:22:49 2019 -0400 + + tests: add large cert corpus based integration test. (#318) + + # Background + + The idea is to run `zlint` across a big corpus of certificates, ideally as + diverse a corpus as possible, and compare the results against expected values. + The hope is that this will catch regressions in lints that change lint results + for the corpus in an unexpected way. + + To start with 60 data files (each of ~5000 certificates) are used to lint + ~600,000 certificates during each CI run to verify lint results do not change + unexpectedly. The tooling was written such that it is easy to run against + larger corpuses before doing a big release, or on a less frequent schedule than + for day to day CI. + + The config in this branch adds ~10 minutes runtime to CI. I verified it would + help catch regressions by reverting the fix to the + `e_subject_printable_string_badalpha` lint + (`5dcecad773158b82b5e52064ee2782d1b8a79314`). The integration tests + successfully flagged a difference that would have focused attention on the new + lint: https://gist.github.com/cpu/3a80db08a14a9de7a56db4ff1fc821e9 + + ## Golden state + + In a perfect world we would record the full results from each lint for each + certificate and make sure they don't change unexpectedly. Recording that much + data in a "golden" state file in the repo for a large number of certs would + result in pretty significant bloat and slow clones. 
Putting it out-of-repo + would make PRs cumbersome and adds challenges for external contributors. + + As a compromise the current integration test only tracks a count of fatal, + error, warning, and notice lint results per-certificate but not details about + which lint produced each result at that level. + + With the one corpus file in this branch this adds ~60mb of golden state data to + the repo (see `integration/config.json`) which seems acceptable to me. If we + want to trim this down we could stop tracking notice level lint results or use + a more efficient serialized representation than JSON. One of the advantages of + the bloated JSON form is that it is human readable and easy to update in an + editor. + + To produce the golden state for the first time or for a large update you can + edit the `integration/config.json` to delete the `"Expected"` map. When the + test is run and there is no configured `Expected` map then the current results + are saved as the `Expected` map to be validated against in subsequent runs. + + ## Corpus + + The cert corpus data is quite large so the integration tests are written to + keep the data out of tree and only download it when needed. Support is included + to automatically decompress the downloaded data using bzip2 when the URL ends + in the `.bz2` file extension. + + The Travis CI config is updated to explicitly cache the downloaded corpus data + between builds to help avoid needing to download it every build. Similarly some + effort was made to process data in parallel to keep builds as fast as possible + while still linting as many certs as we can. Local testing on good hardware can + be done even faster by increasing the parallelism over what is used in CI where + the worker machines are weak and often under-provisioned. + + To start with 60 corpus files (each ~5000 certs) are configured for day to day + CI. These files (and more) live in the + https://github.com/zmap/zlint-test-corpus repository. 
+ + ## Running Integration Tests + + By default when running `go test` (or `make test`) the integration tests are + not built or run. You must provide `-tag=integration` to build/run these tests. + This should keep day to day development quick. + + The `makefile` is updated with a `make integration` target to run just the + integration tests and the Travis script uses that to run integration tests. The + `PARALLELISM` and `INT_FLAGS` makefile variables can be used to change the + number of Go routines and additional flags (see Extra Command Line Flags) + without modifying the Makefile. + + ## Extra Command Line Flags + + To use an alternative configuration specify the `-config` command line flag. By + default `integration/config.json` is used. + + To control the number of linting Go routines used by the `TestCorpus` + integration test change the `-parallelism` command line flag when running the + integration tests. By default 5 Go routines are used for local integration + tests and 3 for Travis CI. + + To force corpus data to be downloaded even when it exists on disk use the + `-force` command line flag when running the integration tests. By default + `-force` is disabled. + + To have a summary of certificate fingerprint and integration test results at + the end of the integration test provide the `-summary` command line flag. Note + that this is quite spammy and is disabled by default + + To change how many certificates are linted before a '.' character is printed to + the screen use the `-outputTick` flag. By default one period is printed per + 1000 certificates to keep Travis from deciding the CI job is dead. 
+
+commit 7db289cfd3689e9ecd04b8ab31681ab69c90bf29 (tag: v1.0.2)
+Author: bilalashraf123
+Date: Thu Sep 26 23:20:33 2019 +0500
+
+ Fixed two bugs in QcEuLimitValue - QC Statement (#315)
+
+ * Changed to IdEtsiQcsQcLimitValue
+
+ * Marked fields exportable for Unmarshal
+
+ * No QcEuLimitValue in test cert
+
+ * Added tests for QcStmtLimitValue
+
+commit 00156801166b89b8cbeb1f56bd6bd720120960bf
+Author: TLD Update Robot <47792085+tld-update-bot@users.noreply.github.com>
+Date: Sat Sep 21 17:40:57 2019 -0400
+
+ autopull: 2019-09-21T15:56:13Z (#321)
+
+commit 43843b085caa3465b5fe7ea4f53c62a06e67bd25
+Author: Daniel McCarney
+Date: Sun Sep 15 19:41:22 2019 -0400
+
+ README: Add a section on users/integrations. (#320)
+
+ * README: Add a section on users/integrations.
+
+ * README: update crt.sh link, also note it is used for Sectico.
+
+ * README: Add Izenpe to users list
+
+ * README: Add GoDaddy to users list.
+
+ * README: Add EJBCA integration.
+
+commit c67053f79915a9f9edf470b522977df16ac2c07c
+Author: Daniel McCarney
+Date: Sun Sep 15 19:37:42 2019 -0400
+
+ CI: Switch to Go 1.13. (#319)
+
+ The `makefile` could have the `GO_ENV` cleaned up to remove
+ `GO111MODULE="on"` but for now I've left it to aid with Go 1.12.x
+ compatibility.
+ +commit c6437affd66336f6a9bc50cc7213ec5a5e1deddd +Author: TLD Update Robot <47792085+tld-update-bot@users.noreply.github.com> +Date: Thu Sep 12 12:03:52 2019 -0400 + + tld autopull: 2019-09-12T15:51:26Z (#317) + +commit 0d4db4102b199c2c07467c3b048ef51583535b3c +Author: TLD Update Robot <47792085+tld-update-bot@users.noreply.github.com> +Date: Tue Sep 10 11:23:46 2019 -0400 + + gTLD autopull: 2019-09-10T15:21:16Z (#314) + +commit a0b3bc322455906a290ea52bd3064b94a403b03a +Author: TLD Update Robot <47792085+tld-update-bot@users.noreply.github.com> +Date: Fri Aug 30 15:09:06 2019 -0400 + + gTLD autopull: 2019-08-30T19:02:52Z (#313) + +commit 5dcecad773158b82b5e52064ee2782d1b8a79314 (tag: v1.0.1) +Author: Zakir Durumeric +Date: Sat Aug 24 09:30:31 2019 -0400 + + lints: fix e_subject_printable_string_badalpha for single quote (#311) + + #309 missed the single quote character in its regex of valid characters. This PR + fixes the regex and adds a test case. This PR addresses the comment here: + https://github.com/zmap/zlint/pull/309#discussion_r317297206 + +commit dc635f9345c00451bd06a5877e1ebacfb1b9b0f1 (tag: v1.0.0) +Author: Daniel McCarney +Date: Mon Aug 19 15:45:15 2019 -0400 + + README: add semver guidance (#310) + +commit 3307e6abe1904cf6f0573d7c9fb35a800385f02c +Author: Daniel McCarney +Date: Mon Aug 12 19:42:38 2019 -0400 + + lints: add e_subject_printable_string_badalpha lint. (#309) + + When the raw Subject RDNSequence of a Certificate includes + a PrintableString type DirectoryString attribute the value of the + attribute must adhere to the PrintableString character set defined in + RFC 5280 Appendix B: + + The character string type PrintableString supports a very basic Latin + character set: the lowercase letters 'a' through 'z', uppercase + letters 'A' through 'Z', the digits '0' through '9', eleven special + characters ' = ( ) + , - . / : ? and space. 
+ + If any of the PrintableString attributes in the linted Certificate's + raw subject do not match a regexp for this character set an Error level + lint result is returned by the `e_subject_printable_string_badalpha` lint. + +commit d18ad02ac400de715e688d59f315e53de1cfe18f +Author: Daniel McCarney +Date: Fri Aug 9 16:59:28 2019 -0400 + + README: Make Go version requirement explicit. (#306) + +commit 0dfef633f728201b05b16493f0b765da56469862 +Author: TLD Update Robot <47792085+tld-update-bot@users.noreply.github.com> +Date: Fri Aug 9 16:08:37 2019 -0400 + + gTLD autopull: 2019-08-09T20:03:29Z (#308) + +commit 88c3f6b6f2f5ebc573c4679e548d6f1823d89213 +Author: TLD Update Robot <47792085+tld-update-bot@users.noreply.github.com> +Date: Tue Aug 6 14:24:16 2019 -0400 + + gTLD autopull: 2019-08-06T18:19:07Z (#304) + +commit fd021b4cfbeb919cc763d1cafd1e604658a6bbe7 +Author: TLD Update Robot <47792085+tld-update-bot@users.noreply.github.com> +Date: Tue Aug 6 11:40:20 2019 -0400 + + gTLD autopull: 2019-08-06T15:35:36Z (#303) + +commit 1fdad3421775e34615dec50d234ac9cb73c9a6a1 +Author: TLD Update Robot <47792085+tld-update-bot@users.noreply.github.com> +Date: Sat Aug 3 11:32:02 2019 -0400 + + gTLD autopull: 2019-08-03T15:29:31Z (#302) + +commit 0e1f6d0520cf1137c74f40f80c44c7a1d75c38d1 +Author: Daniel McCarney +Date: Thu Aug 1 14:37:18 2019 -0400 + + README: add guidance on choosing a lint result level. (#301) + + Clarifying the historic context on the lint levels in the README will + help new lint contributors (and consumers of the lint results) + understand the rationale behind which lints return which result. + + The text is largely stolen from @zakird's comment[0] on an unrelated + issue. + + [0]: https://github.com/zmap/zlint/issues/291#issuecomment-514413055 + +commit 13a927f87ec7ccb59edbf529ba0a64d26621c6b0 +Author: Daniel McCarney +Date: Thu Aug 1 14:04:51 2019 -0400 + + lints: consistently name lints by lint status result. 
(#300)
+
+ * lints: subject_contains_malformed_arpa_ip -> w_subject_contains_malformed_arpa_ip
+
+ * lints: onion_subject_validity_time_too_large -> e_onion_subject_validity_time_too_large
+
+ * lints: ext_tor_service_descriptor_hash_invalid -> e_ext_tor_service_descriptor_hash_invalid
+
+ * lints: ct_sct_policy_count_unsatisfied -> w_ct_sct_policy_count_unsatisfied
+
+ * lints: san_dns_name_onion_not_ev_cert -> e_san_dns_name_onion_not_ev_cert
+
+ * lints: subject_contains_reserved_arpa_ip -> e_subject_contains_reserved_arpa_ip
+
+ * tests: add test to enforce lint name prefix convention.
+
+ * test: fix TestLintNames allowedPrefixes
+
+ * review: fix gofmt of new test file
+
+commit b126a9b258d55b1b9621e9a16525567317d86b6e
+Author: Daniel McCarney
+Date: Thu Aug 1 12:21:32 2019 -0400
+
+ lints: ct_sct_policy_count_unsatisfied NA for precerts. (#299)
+
+ The `ct_sct_policy_count_unsatisfied` lint should return NA when asked
+ to lint a precertificate (e.g. a "poisoned" cert containing the
+ `util.CtPoisonOID` defined in RFC 6962).
+
+commit 9971d62266e74547157ff95b5413227e21d8fe23
+Author: Daniel McCarney
+Date: Tue Jul 30 17:53:01 2019 -0400
+
+ lints: implement json.Unmarshaler for LintStatus. (#297)
+
+ The `lints.LintStatus` type implements `json.Marshaler` to marshal to
+ a human readable string (e.g. `"error"` instead of `6`). Without
+ providing a compatible `json.Unmarshaler` implementation downstream
+ users that marshal a `lints.LintStatus` to JSON will encounter an error
+ when they try to unmarshal it due to a mixmatch of types (`int` vs
+ `string`).
+
+commit 757a6bf54dd74342f378904af0265e01b26d975e
+Author: TLD Update Robot <47792085+tld-update-bot@users.noreply.github.com>
+Date: Tue Jul 30 11:30:40 2019 -0400
+
+ gtld autopull: 2019-07-30T15:27:51Z (#296)
+
+ Marks removal date of `.bnl`.
+ +commit d8d7761d228b61e7bd2227a7dfa9cd9b60652674 +Author: Daniel McCarney +Date: Mon Jul 29 16:14:22 2019 -0400 + + util: faster GetExtFromCert using ExtensionsMap. (#295) + + The `github.com/zmap/zcrypto` library that provides certificate parsing + for zlint has been updated to add a `ExtensionsMap` field on parsed + Certificates. + + The `util.GetExtFromCert` function is updated to use the `ExtensionsMap` + for O(1) extension access by OID instead of an O(n) search of the + `Extensions` slice. + + This change speeds up the function and removes `util.GetExtFromCert` + from the top10 cumulative CPU usage nodes in the zlint benchmarking. + + Before: + ``` + $ cd $GOPATH/src/github.com/zmap/zlint + $ go test --run=XXX -bench=. -cpuprofile all.profile + + $ go tool pprof all.profile + File: zlint.test + Type: cpu + Time: Jul 26, 2019 at 10:58am (EDT) + Duration: 4.13mins, Total samples = 4.79mins (115.90%) + Entering interactive mode (type "help" for commands, "o" for options) + (pprof) top10 + Showing nodes accounting for 146.71s, 51.07% of 287.25s total + Dropped 522 nodes (cum <= 1.44s) + Showing top 10 nodes out of 221 + flat flat% sum% cum cum% + 45.89s 15.98% 15.98% 142.36s 49.56% runtime.mallocgc + 31.59s 11.00% 26.97% 39.26s 13.67% runtime.heapBitsSetType + 18.20s 6.34% 33.31% 18.20s 6.34% runtime.nextFreeFast + 11.27s 3.92% 37.23% 20.05s 6.98% runtime.scanobject + 9.90s 3.45% 40.68% 9.90s 3.45% runtime.memclrNoHeapPointers + 8.31s 2.89% 43.57% 8.31s 2.89% encoding/asn1.ObjectIdentifier.Equal + 6.92s 2.41% 45.98% 13.52s 4.71% github.com/zmap/zlint/util.GetExtFromCert + 5.63s 1.96% 47.94% 7s 2.44% runtime.heapBitsForAddr + 4.60s 1.60% 49.54% 130.51s 45.43% runtime.newobject + 4.40s 1.53% 51.07% 245.67s 85.52% github.com/zmap/zlint.BenchmarkZlint.func4 + ``` + + After: + ``` + $ cd $GOPATH/src/github.com/zmap/zlint + $ go test --run=XXX -bench=. 
-cpuprofile all.new.profile + + $ go tool pprof all.new.profile + File: zlint.test + Type: cpu + Time: Jul 29, 2019 at 3:38pm (EDT) + Duration: 4.21mins, Total samples = 4.89mins (116.10%) + Entering interactive mode (type "help" for commands, "o" for options) + (pprof) top10 + Showing nodes accounting for 142.94s, 48.69% of 293.55s total + Dropped 513 nodes (cum <= 1.47s) + Showing top 10 nodes out of 233 + flat flat% sum% cum cum% + 48.05s 16.37% 16.37% 138.73s 47.26% runtime.mallocgc + 28.32s 9.65% 26.02% 37.09s 12.63% runtime.heapBitsSetType + 14.54s 4.95% 30.97% 14.54s 4.95% runtime.nextFreeFast + 12.19s 4.15% 35.12% 21.52s 7.33% runtime.scanobject + 10.59s 3.61% 38.73% 30.52s 10.40% runtime.concatstrings + 9.60s 3.27% 42.00% 9.60s 3.27% runtime.memclrNoHeapPointers + 5.60s 1.91% 43.91% 6.88s 2.34% runtime.heapBitsForAddr + 4.85s 1.65% 45.56% 252.74s 86.10% github.com/zmap/zlint.BenchmarkZlint.func4 + 4.73s 1.61% 47.17% 118.13s 40.24% runtime.newobject + 4.47s 1.52% 48.69% 4.47s 1.52% runtime.memmove + ``` + + :tada: + +commit 320c5961c17adf603bfceb77dca63752740f4527 +Author: Daniel McCarney +Date: Fri Jul 26 14:25:10 2019 -0400 + + deps: update zcrypto, remove govalidator. (#294) + + This commit updates the `github.com/zmap/zcrypto` dependency to the + tip of master. This allows removing the + `github.com/asakevich/govalidator` dependency by using the new + `zcrypto/util.IsURL` function relied on in `zlint` by `util/fqdn.go`. + +commit d9a29c3ddfb5b3b498dea53607b9c395267d3807 +Author: Daniel McCarney +Date: Fri Jul 26 09:29:56 2019 -0400 + + lints: add Notice level lint for EE ECDSA KeyUsages. (#293) + + RFC 5480 Section 3 "Key Usage Bits" indicates that end-entity certificates using + a EC public key MAY include the digitalSignature, nonRepudiation, and + keyAgreement Key Usages. 
+ + If such a certificate contains other Key Usages the new n_ecdsa_ee_invalid_ku + lint will return a Notice level LintResult indicating the unexpected Key Usage + bits that were included. Depending on the adoption of a clarification document + and respective CABF BR updates it may be possible to increase the severity of + this LintResult in the future. See #291 for more background discussion. + +commit a0632adea60b9c2f9068b07d2e0a9e0dc5039744 +Author: Daniel McCarney +Date: Fri Jul 19 21:53:09 2019 -0400 + + lints: remove w_serial_number_low_entropy lint. (#292) + + Per zlint #270: + + > I believe this check does more harm than good. + > + > + > A fully compliant CA which generates a random serial number from + > exactly 64 bits of entropy will produce a serial number less than + > 8 bytes long 1 in 256 times. That means that for every million certs + > issued, this check will cause about 4,000 false positives. + > + > ... + > + > The only sensible way to detect low entropy is to run an analysis + > across a large corpus of certificates. If you try to detect it on + > a cert-by-cert basis you should at least have a much smaller minimum + > length than 8 so there's a lower false positive rate than 1/256. + + This commit removes the `w_serial_number_low_entropy` lint and + associated tests/testdata. + +commit dfa3ce3b1d700fbdebe28026c67479da1cb3ef9f +Author: Daniel McCarney +Date: Thu Jul 11 14:46:53 2019 -0400 + + ci: use GOFLAGS, enforce gofmt -s. (#290) + + * ci: use GOFLAGS, enforce gofmt -s. + + This commit sets up a global `GOFLAGS` to avoid needing to repeat it for + each command. + + It also changes the script to exit on the first error, and to enforce + that all non-vendored `.go` files satisfy `gofmt -s` without diffs. This + will make sure all code is consistently formatted and help contributors + do the right thing by default. + + * ci: fix format enforcement to expect silence. 
+
+commit c65cea169ca143abb31093051f96d5fed68522e5
+Author: tadukurow
+Date: Mon Jun 10 16:42:22 2019 +0100
+
+ lints: update/expand e_subject_contains_noninformational_value
+
+ Expanded the check for no metadata only in subject DN to check for subject DN
+ fields containing no characters in a-Z0-9 or outside of ascii table. This
+ catches more than just checking for ".", "-", " ". Also remove separate checks
+ for serial and domainComponent as they are part of pkix.Names so separate
+ checking was redundant.
+
+ This will help zlint catch issues that CABLint catches today such as:
+
+ https://crt.sh/?id=106177929&opt=zlint,cablint,x509lint
+ https://crt.sh/?id=134328239&opt=cablint,zlint
+ https://crt.sh/?id=26408912&opt=cablint,zlint
+
+ The new check is still susceptible to UTF8 runes metadata only.
+
+commit 46c8a3a2f9838308e46a05b45a75b699fc264473
+Author: TLD Update Robot <47792085+tld-update-bot@users.noreply.github.com>
+Date: Thu Jun 6 16:08:37 2019 -0400
+
+ gtld autopull: 2019-06-06T20:03:56Z (#288)
+
+ Notes removal of `.honeywell` gTLD.
+
+commit b991e17a58f1447cb63ef87a9a113c0cafba7a89
+Author: tadukurow
+Date: Thu Jun 6 13:24:19 2019 +0100
+
+ lints: RFC4055 RSA SPKI AlgorithmIdentifier param and tbsCertificate.signature (#286)
+
+ Adds two new lints:
+
+ 1. `e_spki_rsa_encryption_parameter_not_null`
+ 2. `e_tbs_signature_rsa_encryption_parameter_not_null`
+
+ The first enforces that the RSA AlgorithmIdentifier in a certificate SPKI field is correctly encoded
+ (particularly with respect to the mandatory NULL parameters).
+
+ The second does similarly with the tbsCertificate.Signature field.
+
+commit 64ec0afbd7174756179985c660d7e47141528626
+Author: Daniel McCarney
+Date: Tue May 21 15:19:20 2019 -0400
+
+ CI: Update to Go 1.12. (#284)
+
+ Go 1.12.x is the latest stable release at the time of writing.
+
+commit 9047d02cf65ab5251641c4ef1568761cad06685e
+Author: MTG <36234449+mtgag@users.noreply.github.com>
+Date: Thu May 16 18:15:41 2019 +0200
+
+ Fix for #272 (#282)
+
+ * added support for qc statements according to ETSI 319 412-5
+
+ * updated date of ETSI specification
+
+ * go fmt
+
+ * Update util/qc_stmt.go
+
+ Co-Authored-By: mtgag <36234449+mtgag@users.noreply.github.com>
+
+ * Update lints/lint_qcstatem_qctype_web.go
+
+ Co-Authored-By: mtgag <36234449+mtgag@users.noreply.github.com>
+
+ * removed cryptosource GmbH copyright
+
+ * changed oi to oid and Wo to Without
+
+ * deleted
+
+ * fixes capitalization
+
+ * typo in last commit
+
+ * missing e
+
+ * added fix for #272
+
+ * merged changes
+
+commit 4d94f5800b73944b340e8266580538b136057aa6
+Author: Jaime Hablutzel
+Date: Thu May 2 10:16:24 2019 -0500
+
+ Making lint apply to subscriber certificates only. (#281)
+
+commit c46893cb03d22258e44d276d8f8ce59037df4cee
+Author: TLD Update Robot <47792085+tld-update-bot@users.noreply.github.com>
+Date: Wed Apr 10 12:54:01 2019 -0400
+
+ autopull: 2019-04-10T16:49:43Z (#280)
+
+commit f13105e53ee699f027a0751ea0d25964776948e7
+Author: Daniel McCarney
+Date: Tue Apr 9 13:15:24 2019 -0400
+
+ lints: count embedded SCTs for Apple CT policy. (#278)
+
+ A new `ct_sct_policy_count_unsatisfied` lint is added that checks if
+ subscriber certificates issued after October 15th 2018 have embedded
+ SCTs from a sufficient number of unique CT logs to meet Apple's CT log
+ policy[0].
+
+ The number of required SCTs from different logs is calculated based on the
+ Certificate's lifetime. If the number of required SCTs are not embedded in
+ the certificate a Notice level LintResult is returned.
+
+ | Certificate lifetime | # of SCTs from separate logs |
+ -------------------------------------------------------
+ | Less than 15 months | 2 |
+ | 15 to 27 months | 3 |
+ | 27 to 39 months | 4 |
+ | More than 39 months | 5 |
+ ------------------------------------------------------
+
+ Important note 1: We can't know whether additional SCTs were presented
+ alongside the certificate via OCSP stapling. The new linter assumes only
+ embedded SCTs are used and ignores the portion of the Apple policy
+ related to SCTs delivered via OCSP. This is one limitation that
+ restricts the linter's findings to Notice level. See more background
+ discussion in Issue 226[1].
+
+ Important note 2: The linter doesn't maintain a list of Apple's trusted
+ logs. The SCTs embedded in the certificate may not be from log's Apple
+ actually trusts. Similarly the embedded SCT signatures are not validated
+ in any way.
+
+ [0]: https://support.apple.com/en-us/HT205280
+ [1]: https://github.com/zmap/zlint/issues/226
+
+commit 48eabaf3670895c84fe36e90ebdb092db69669de
+Author: Daniel McCarney
+Date: Sun Mar 31 17:14:50 2019 -0400
+
+ lints: fix bug in lint_qcstatem_qclimitvalue_valid.go (#276)
+
+ * Revert "temporarily pulling qcstatement_crash_zlint.crt lint until we can troubleshoot why it's causing Zlint to crash (#273)"
+
+ This reverts commit 81c75536456cffe04d2af9c51ef0eaf3c6cd60d5.
+
+ * lints: fix bug in lint_qcstatem_qclimitvalue_valid.go
+
+ The `e_qcstatem_qclimitvalue_valid` linter was blinding performing
+ a type cast that could fail in some real-world conditions. This fix
+ checks if the type cast fails and returns an error lint result instead
+ of panicing.
+
+ A small test cases is added that lints the real-world certificate that
+ triggered the bug. Before applying the fix in this branch the test
+ fails as expected:
+ ```
+ $ go test -v --test.run TestQcStatemQcLimitValueValid ./lints/...
+ === RUN TestQcStatemQcLimitValueValid
+ --- FAIL: TestQcStatemQcLimitValueValid (0.00s)
+ panic: interface conversion: util.EtsiQcStmtIf is util.EtsiQcSscd, not util.EtsiQcLimitValue [recovered]
+ panic: interface conversion: util.EtsiQcStmtIf is util.EtsiQcSscd, not util.EtsiQcLimitValue
+
+ goroutine 5 [running]:
+ testing.tRunner.func1(0xc00012a600)
+ /usr/lib/go/src/testing/testing.go:830 +0x388
+ panic(0x7c9040, 0xc0002dea80)
+ /usr/lib/go/src/runtime/panic.go:522 +0x1b5
+ github.com/zmap/zlint/lints.(*qcStatemQcLimitValueValid).Execute(0xc3f450, 0xc000272a80, 0xc0002b0101)
+ /home/daniel/go/src/github.com/zmap/zlint/lints/lint_qcstatem_qclimitvalue_valid.go:60 +0x59a
+ github.com/zmap/zlint/lints.(*Lint).Execute(0xc0002aac00, 0xc000272a80, 0x85b992)
+ /home/daniel/go/src/github.com/zmap/zlint/lints/base.go:114 +0x94
+ github.com/zmap/zlint/lints.TestQcStatemQcLimitValueValid(0xc00012a600)
+ /home/daniel/go/src/github.com/zmap/zlint/lints/lint_qcstatem_qclimitvalue_valid_test.go:25 +0x1e8
+ testing.tRunner(0xc00012a600, 0x878ef0)
+ /usr/lib/go/src/testing/testing.go:865 +0xc0
+ created by testing.(*T).Run
+ /usr/lib/go/src/testing/testing.go:916 +0x357
+ FAIL github.com/zmap/zlint/lints 0.008s
+ ```
+
+ Afterwards, it passes :tada:
+
+ ```
+ $ go test -v --test.run TestQcStatemQcLimitValueValid ./lints/...
+ === RUN TestQcStatemQcLimitValueValid
+ --- PASS: TestQcStatemQcLimitValueValid (0.00s)
+ PASS
+ ok github.com/zmap/zlint/lints 0.005s
+ ```
+
+ * nit: fix shuffled import order
+
+commit 70de5ac71c59a75671bfc3ca3bb539b6be90e7b8
+Author: Daniel McCarney
+Date: Sun Mar 31 14:23:32 2019 -0400
+
+ lints: add lint for TorServiceDescriptorHash ext. (#275)
+
+ * lints: enforce .onion certs have valid cabf-TorServiceDescriptor ext.
+
+ Adds a lint (`lint_ext_tor_service_descriptor.go`) that validates
+ that `.onion` subjects have the correct `cabf-TorServiceDescriptor`
+ extension with a well formed `TorServiceDescriptorHash` object for each
+ `.onion` subject.
+
+ * lints: add lint for TorServiceDescriptorHash ext.
+
+ The new `lints/lint_ext_tor_service_descriptor_hash_invalid.go` lint
+ validates that certificates with `.onion` subjects include a well formed
+ `TorServiceDescriptor` extension with a `TorServiceDescriptorHash` for
+ each onion eTLD+1 subject as expected by CAB forum Ballot 201[0].
+
+ E.g. a certificate with three onion subjects (`a.example.onion`,
+ `b.example.onion`, `c.other-example.onion`) should have *two*
+ `TorServiceDescriptorHash` entries in the `TorServiceDescriptor`
+ extension:
+
+ * One with URI `https://example.onion`
+ * One with URI `https://other-example.onion`
+
+ Only the eTLD+1 is relevant for Onion sites. Subdomains are resolved by
+ the hidden server based on the HTTP layer `Host` header.
+
+ The new linter will return a fail result if:
+
+ * There is no `TorServiceDescriptor` extension present.
+ * There were no `TorServiceDescriptors` parsed by zcrypto
+ * There are `TorServiceDescriptorHash` entries with an invalid Onion
+ URL (unparseable, missing hostname, non-HTTPS protocol, etc).
+ * There are `TorServiceDescriptorHash` entries with an unknown hash
+ algorithm or incorrect hash bit length.
+ * There is a `TorServiceDescriptorHash` entry that doesn't correspond to
+ an onion subject in the cert.
+ * There is an onion subject in the cert that doesn't correspond to
+ a `TorServiceDescriptorHash`.
+
+ [0]: https://cabforum.org/2017/06/08/2427/
+
+ * lints: typo fix for onion service desc comment
+
+commit 81c75536456cffe04d2af9c51ef0eaf3c6cd60d5
+Author: Zakir Durumeric
+Date: Fri Mar 29 21:24:41 2019 -0400
+
+ temporarily pulling qcstatement_crash_zlint.crt lint until we can troubleshoot why it's causing Zlint to crash (#273)
+
+commit d326a8ac0b1def266078a292c87b581b11571f66
+Author: Daniel McCarney
+Date: Sat Mar 23 23:23:38 2019 -0400
+
+ lints: fix comment typos for IPv6 arpa zone. (#271)
+
+commit 50895a56a02b2e6e6f79768a2fa7a98b825e4366
+Author: Daniel McCarney
+Date: Tue Mar 12 12:35:14 2019 -0400
+
+ lints: clarify dsa_improper_modulus description (#269)
+
+commit 37704a2cd136bddc46feea6bd2b2ac70f6be4d45
+Author: Zakir Durumeric
+Date: Tue Mar 12 09:24:30 2019 -0400
+
+ test for bad DSA modulus (#268)
+
+ Adds a test case with an improper DSA modulus/divisor size for the
+ `e_dsa_improper_modulus_or_divisor_size` lint.
+
+commit 503aaf6c7edc0d9203de55138576be96b63b78ca
+Author: Zakir Durumeric
+Date: Mon Mar 11 05:41:34 2019 -0700
+
+ test for lint_ext_authority_key_identifier_no_key_identifier (#267)
+
+ Add test coverage for the `e_ext_authority_key_identifier_no_key_identifier` lint.
+
+commit 9c9f067b800e54e0541b3ceccb071399a07f0edc
+Author: Daniel McCarney
+Date: Thu Mar 7 17:36:32 2019 -0500
+
+ Add Go module support, cleanup Makefile (#266)
+
+ * chore: ignore zlint-gtld-update build artifacts
+
+ * chore: use lowercase import paths
+
+ * project: add Go modules support.
+
+ * project: clean up makefile, use go modules
+
+ * chore: reformat travis.yml.
+
+ * chore: remove vendor/ from gitignore
+
+ * project: vendor go module deps
+
+commit c8bc33bb3a1ca9a78d2bdf4c806bc2465a4efdce
+Author: Daniel McCarney
+Date: Wed Mar 6 17:15:22 2019 -0500
+
+ lints: enforce .onion certs are EV, have <15mo expiry (#265)
+
+ * lints: enforce .onion subjects are in EV certs.
+
+ Adds a lint (`lint_san_dns_name_onion_not_ev_cert.go`) that validates
+ that any subscriber certificates containing a `.onion` subject that were
+ issued after May 1st, 2015 are EV certificates. Any non-EV certs issued
+ after this date that contain a `.onion` subject should receive an
+ `Error` lint result.
+
+ * lints: enforce .onion cert maximum validity.
+
+ Adds a lint (`lint_onion_subject_validity_time_too_large.go`) that
+ validates certificates with one or more `.onion` subjects do not have
+ a validity period larger than 15 months.
+
+ * util: add CertificateSubjInTLD helper.
+
+ * lints: update .onion lint Citations.
+
+ * lints: cleanup duplicate loop in onion EV lint
+
+commit 0f862af0a6db1b6bf2f7fffef5cb160583b93537
+Author: MTG <36234449+mtgag@users.noreply.github.com>
+Date: Fri Mar 1 02:49:36 2019 +0100
+
+ Adding support for linting QcStatements (#250)
+
+ * added support for qc statements according to ETSI 319 412-5
+
+ * updated date of ETSI specification
+
+ * go fmt
+
+ * Update util/qc_stmt.go
+
+ Co-Authored-By: mtgag <36234449+mtgag@users.noreply.github.com>
+
+ * Update lints/lint_qcstatem_qctype_web.go
+
+ Co-Authored-By: mtgag <36234449+mtgag@users.noreply.github.com>
+
+ * removed cryptosource GmbH copyright
+
+ * changed oi to oid and Wo to Without
+
+ * deleted
+
+ * fixes capitalization
+
+ * typo in last commit
+
+ * missing e
+
+commit edc14b276d77a052891716312a2b580e4bbb87c4
+Author: Daniel McCarney
+Date: Wed Feb 27 17:03:41 2019 -0500
+
+ lints: add new lints for .arpa reverse DNS subjects. (#260)
+
+ * lints: add new lint for .arpa reverse DNS subjects.
+
+ A new `lint_subject_contains_reserved_arpa_ip.go` lint is added that
+ checks that any subject with a domain ending in the suffix
+ ".in-addr.arpa" or ".ip6.arpa":
+
+ 1) has the correct number of labels for the address class in question.
+ 2) specifies a reversed IP address that parses as a valid IP address.
+ 3) specifies a parsed IP address isn't in an IANA reserved IP range.
+
+ * lints: split rDNS arpa lint into two separate lints.
+
+ * nit: update copyright header year
+
+ * nit: move comments to proper block
+
+commit e73a2aa5897d9329b74c1ec2db9043f5b4657750
+Author: Jonathan Rudenberg
+Date: Wed Feb 27 16:59:21 2019 -0500
+
+ Update year in template copyright header (#262)
+
+commit 7aa8fbb2ed3e7d5406ac55be0f462dca6b7ddb83
+Author: Daniel McCarney
+Date: Wed Feb 27 13:48:32 2019 -0500
+
+ utils: clarify newLint.sh args. (#261)
+
+ My first attempt at using `newLint.sh` gave me
+ `lint_lint_subject_contains_reserved_arpa_ip` :-)
+
+commit 007fb1dc6e36169c64fd7399ec132a956a5c6805
+Author: Daniel McCarney
+Date: Tue Feb 19 23:26:56 2019 -0500
+
+ zlint-gtld-update: don't template generation date. (#256)
+
+ Having `zlint-gtld-update` template a generation date stamp into the top
+ of `util/gtld_map.go` doesn't add much value above-and-beyond the git
+ commit date that last modified the file. Including the generation date
+ makes automating `zlint-gtld-update` more complex because the automation
+ must account for ignoring diffs that only change the generation date but
+ leave the underlying `tldMap` the same.
+
+commit f38bd223a43c3378b07b78a0bab51ac7006b8586
+Author: Daniel McCarney
+Date: Mon Feb 18 10:46:16 2019 -0500
+
+ gtld_map: capture `.active` removal. (#255)
+
+ IANA has revoked the `.active` gTLD as of 2019-02-17.
+
+ ```
+ $ curl https://www.icann.org/resources/registries/gtlds/v2/gtlds.json 2>/dev/null | \
+ jq '.gTLDs | .[] | select(.gTLD=="active") | .removalDate'
+
+ "2019-02-17"
+ ```
+
+commit b2aa7469fab8fcdcd14bdcee36d96448b7330fdf
+Author: Daniel McCarney
+Date: Fri Feb 15 13:30:03 2019 -0500
+
+ gtld_map: capture .epost and .zippo removal. (#254)
+
+ IANA has revoked the `.epost` and `.zippo` gTLDs as of 2019-02-15.
+
+commit fbc0b698c5777242bf84986e8a52ebece97720d7
+Author: Phil Porada
+Date: Thu Feb 14 00:53:18 2019 -0500
+
+ Remove .blanco GTLD (#253)
+
+commit bb32118ad3ab29c4d9a697aa1d8faa71c07e7500
+Author: Daniel McCarney
+Date: Mon Feb 11 11:26:21 2019 -0500
+
+ ci: update to Go 1.11.x (#252)
+
+ Previously CI was running tests under Go 1.9.x and this is no longer
+ listed as a stable version. Using Go 1.11.x tests against the newest
+ stable version available at the time of writing.
+
+ In addition to changing the CI version one file (`util/ip.go`) requires a `go
+ fmt -s` update using the Go 1.11.x toolchain in order for (`TestGoFmt`) to
+ pass.
+
+ Before the update:
+ ```
+ $ go version
+ go1.11.5 linux/amd64
+ $ make test
+ GORACE=halt_on_error=1 go test -race ./...
+ --- FAIL: TestGofmt (0.25s)
+ gofmt_test.go:37: glob util/*.go not gofmt'ed
+ FAIL
+ FAIL github.com/zmap/zlint 0.275s
+
+ ```
+
+ After:
+ ```
+ $ go version
+ go1.11.5 linux/amd64
+ $ make test
+ ok github.com/zmap/zlint 0.191s
+
+ ```
+
+commit a797fdc8b16c70478920913adc010e65f604610a
+Author: Kiel C
+Date: Mon Feb 11 07:21:49 2019 -0800
+
+ Two TLDs added via zlint-gtld-update. (#251)
+
+commit 90b8be3e6248c4b1e464232ab077aadffb2d5cd3
+Author: BJ Cardon
+Date: Wed Jan 23 17:02:32 2019 -0700
+
+ Properly parse BMPStrings out of the ExplicitText userNotice field for length check (#244)
+
+ * testing out some solutions
+
+ * correctly parse a BMPString in the ExplicitText field
+
+ * correctly check for the BMPString type before trying to parse the string
+
+ * move parseBMPString to util/encodings
+
+ * add a test PEM that has a BMPString ExplicitText
+
+ * added openssl output to test cert
+
+ * * add a const for the bmpString tag since Go does not currently provide one
+ * add a comment pointing out that we are only looking at the raw bytes from the userNotice sequence
+
+ * rename constant to better match Go asn1 library
+
+commit b4a052e4ce8a0f4c412768cf5a5d802a1c028600
+Author: BJ Cardon
+Date: Wed Jan 16 14:33:35 2019 -0700
+
+ New lint to ensure DN fields only contain printable characters (#249)
+
+ * add a new lint to make sure that all DN fields only contain printable characters
+
+ * remove accidentally left in logs
+
+ * normalize to hex
+
+ * found several false positives in UTF8 strings because we were not looking at the runes as opposed to the raw bytes
+
+ * added a test for UTF8 characters which triggered the lint to fail previously
+
+ * fix test
+
+commit 5b6682016f2105c4254cc086f26c49b9811edbf2
+Author: tadukurow
+Date: Tue Jan 15 16:49:14 2019 +0000
+
+ Add lints include/exclude flag to executable (#247)
+
+ * Add lints include/exclude flag to executable
+
+ * use struct{} over interface{} in maps
+
+commit 7fc4ee7f2008b5dc979a17a45ccbaa27a69ff8c7
+Author: Daniel McCarney
+Date: Sun Dec 16 16:36:42 2018 -0500
+
+ gtld_map: capture `.spiegel` removal. (#248)
+
+ See http://www.iana.org/domains/root/db/spiegel.html
+
+commit ad0c575cebb83abb73116a918a2832bc652ef57e
+Author: Zach Peacock <1316813+thoom@users.noreply.github.com>
+Date: Fri Nov 23 11:12:12 2018 -0700
+
+ Added notice if the DNSNames are duplicated in the SANS extextension. (#245)
+
+commit 55c4aa8f8cddf2611ff0ba80491a56f6ffafe4e2
+Author: Zach Peacock <1316813+thoom@users.noreply.github.com>
+Date: Tue Nov 13 15:13:09 2018 -0700
+
+ Fixed template used to create new lints (#246)
+
+commit 7ecc723be25df79f5438898f19dbaa3a8f2cf627
+Author: BJ Cardon
+Date: Fri Nov 9 11:26:13 2018 -0700
+
+ e_subject_common_name_not_from_san incorrectly fails on case sensitive match (#243)
+
+ * allow cn and san to have mixed (not matching) case
+ test with no pem yet
+
+ * add a test PEM to catch the case
+
+ * Update lints/lint_subject_common_name_not_from_san.go
+
+ Co-Authored-By: cardonator
+
+commit 709893ce67d2dc2efe09c58f6ed8e94ee1b374cf
+Author: BJ Cardon
+Date: Sat Oct 20 14:45:41 2018 -0600
+
+ lowercase effective domain label when checking if TLD is legitimate (#241)
+
+ * lowercase effective domain label when checking if TLD is legitimate
+
+ * add tests for HasValidTLD utility function
+
+commit 61cf5c4e58bd262b241dad09b770b03348f6b561
+Author: Daniel McCarney
+Date: Tue Oct 16 19:21:43 2018 -0400
+
+ gtld_map: capture `.statoil` removal. (#239)
+
+commit 34b7be2e59081f4bbe6970785e021e6bf0741f2a
+Author: Daniel McCarney
+Date: Fri Sep 21 12:05:21 2018 -0400
+
+ gtld_map: capture latest IANA removals. (#238)
+
+ Removed:
+ * `.goodhands`
+ * `.jlc`
+ * `.panerai`
+ * `.vista`
+
+commit 868b34da65defaccf9bcc04f079f9cbfeff3c678
+Author: Daniel McCarney
+Date: Tue Sep 11 17:34:09 2018 -0400
+
+ README: Document updating generated gtld_map.go (#237)
+
+commit e2c7d742bb02e91440ba80f02828b72faea18143
+Author: David Adrian
+Date: Tue Sep 11 17:29:56 2018 -0400
+
+ Filter existing EV lints to subscriber certs (#229)
+
+ * Filter existing EV lints to subscriber certs
+
+ All of the existing EV lints don't make sense for CA certificates, and
+ should have been scoped to subscriber certs.
+
+ * fixed tests
+
+commit 8093f211c43679b1ade744d238a02ba1f0c07371
+Author: Daniel McCarney
+Date: Tue Sep 11 16:54:41 2018 -0400
+
+ Give TLD data effective periods, rework generation. (#236)
+
+ * Give TLD data effective periods, rework generation.
+
+ A new `zlint-gtld-update` command is added which fetches ICANN/IANA TLD
+ data, generating a Go map of TLD names to their effective periods. The
+ `data/gtld_map.go` file is now generated using `zlint-gtld-update` using
+ `go generate ./...` in the root of the project. This replaces
+ `updateTLDs.sh`, `scripts/consolidate_tlds.py`, and the `data/`
+ directory files.
+
+ The `lint_dnsname_right_label_valid_tld.go` lint is updated to check
+ that a TLD exists and was valid at the time the certificate was issued.
+ Tests are added for the case where a certificate identifier referenced
+ a TLD that was not yet valid, that was no longer valid, and that was
+ valid at the time of issuance.
+
+ * Comment getData
+
+ * Handle .onion TLD correctly, add testcase.
+
+ * Moving an HTTP to HTTPS
+
+commit 848521ffb4ee6042d34faf7389e970d149a84d91
+Author: Daniel McCarney
+Date: Fri Aug 31 12:22:43 2018 -0400
+
+ util: remove updatetld.sh in favour of updateTLDs.sh (#234)
+
+ There is a more robust TLD update script in the root of the project
+ directory under the name 'updateTLDs.sh'.
+
+commit 02fe9a29bbae57da0c77db7afb53734dc262b130
+Author: Kiel C
+Date: Wed Aug 22 07:08:57 2018 -0700
+
+ Update TLD map using updateTLDs.sh (#233)
+
+commit 12b8dc0338e6261fb4ad6a623c0a4c1bc99b3dfe
+Author: Steven
+Date: Thu Jun 28 18:27:46 2018 -0700
+
+ Update to tests to conform with RFC5891 (#232)
+
+ * Update to tests to conform RFC5891
+
+ * Add new RFC to base
+
+ * Update source and reference date for new RFC
+
+ * Fix failing test
+
+ * Add new pem files for test
+
+commit 9bebe5e32c2c4b27892021e8e2f0459ef3b075ab
+Author: justinbastress <33579608+justinbastress@users.noreply.github.com>
+Date: Tue May 29 13:29:23 2018 -0400
+
+ add test case for issue #223 (#231)
+
+commit 50c579ea6e55a2c41adb11f8ee77ab994211d3e6
+Author: Deepak Kumar
+Date: Tue May 29 06:36:22 2018 -0500
+
+ remove ev locality lint (#230)
+
+commit 251516b8a38fac8140665435053dbb9921972125
+Author: Jacob Hoffman-Andrews
+Date: Wed May 23 15:33:23 2018 -0700
+
+ Run race detector in Travis. (#224)
+
+commit 56537c7665d1cb8a6ae026f94157e1d293e1b3d2
+Author: Zakir Durumeric
+Date: Mon May 21 13:08:16 2018 -0400
+
+ subject_multiple_rdn.go warning -> notice (#221)
+
+ * subject_multiple_rdn.go warning -> notice
+
+ * fixing associated test
+
+ * all the tests this time
+
+ * return notice
+
+ * updated description
+
+commit 1b7e944ead5d95139a90b5d2d78a3bdbc20dd529
+Author: Zakir Durumeric
+Date: Sun May 20 20:48:44 2018 -0400
+
+ email length is 255 not 128 (#222)
+
+ * email length is 255 not 128
+
+ * new test cert
+
+commit f6e1d287883a5d9a100f695b87d496a711f9d389
+Author: Tim D. Smith
+Date: Fri Apr 13 06:16:02 2018 -0700
+
+ Fix lint description (#218)
+
+ The lint description was incorrectly duplicated from `e_sub_cert_eku_server_auth_client_auth_missing`.
+
+commit 83c5c0b1fa58465a7c4567c9f19d25d623632f7e
+Author: justinbastress <33579608+justinbastress@users.noreply.github.com>
+Date: Mon Mar 19 13:05:19 2018 -0400
+
+ New SANOtherName test cert with CONSTRUCTED OtherName value (#214)
+
+commit 6ae1b281ecb761f860f06a4c7e26fa74b67487fb
+Author: justinbastress <33579608+justinbastress@users.noreply.github.com>
+Date: Mon Mar 19 11:03:56 2018 -0400
+
+ lint-wide basicConstraints variable leads to potential race condition (#217)
+
+commit 77f487ab11cb395f313683a183a128c9c24a6eb3
+Author: justinbastress <33579608+justinbastress@users.noreply.github.com>
+Date: Mon Mar 19 09:57:23 2018 -0400
+
+ Fix other shared state bugs in time lints (#216)
+
+ * Don't assume that Execute is called immediately after CheckApplies on the exact same cert
+
+ * fix same problem in lint_utc_time_not_in_zulu
+
+ * Remove remaining lint_generalized_time / lint_utc_time shared state bugs
+
+commit f27cb8f8ffb6d66991d553d4e401c7a6ae128af9
+Author: justinbastress <33579608+justinbastress@users.noreply.github.com>
+Date: Mon Mar 19 09:45:00 2018 -0400
+
+ Fix misuse of lint-global state (#215)
+
+ * Don't assume that Execute is called immediately after CheckApplies on the exact same cert
+
+ * fix same problem in lint_utc_time_not_in_zulu
+
+commit 88032a5e59f98690016d7dd312a3620cecb3e2e0
+Author: justinbastress <33579608+justinbastress@users.noreply.github.com>
+Date: Wed Mar 14 12:54:24 2018 -0400
+
+ Rearrange copyright blocks so as to not mangle godocs (#213)
+
+ * rearrange copyright blocks to not mangle godocs
+
+ * update go to 1.9
+
+commit 13cf4d349e95ba2f7bb454cf94cbd164e10e5d17
+Author: Jonathan Rudenberg
+Date: Thu Mar 1 21:41:54 2018 -0500
+
+ Change EV max validity to 825 days (#208)
+
+ This is very slightly greater than 27 months and came into effect on
+ March 17, 2017, so changing the existing lint instead of creating
+ a new one.
+
+ Reference EVGL: 9.4 / Ballot 193
+
+commit d41c3b0c6541f9034787e1a8e1bc2ac34a105737
+Author: justinbastress <33579608+justinbastress@users.noreply.github.com>
+Date: Tue Feb 27 18:26:17 2018 -0500
+
+ Fix for 7.1.6.1 tests -- only state/locality only required in subscribers (#207)
+
+ * lint_cert_policy_iv_requires_province_or_locality only applies to subscriber certificates, per 7.1.6.1 (citing 7.1.4.2.2) -- re issue #206
+
+ * lint_cert_policy_iv_requires_province_or_locality only applies to subscriber certificates, per 7.1.6.1 (citing 7.1.4.2.2) -- re issue #206
+
+commit e0298945acad69eaee526b29cef8f1cc572b94a1
+Author: justinbastress <33579608+justinbastress@users.noreply.github.com>
+Date: Wed Feb 21 09:42:55 2018 -0500
+
+ Remove e_sub_ca_eku_name_constraints
+
+ https://github.com/zmap/zlint/pull/203
+
+ Fixes #200
+
+commit 4b48de28dcddf65f3dec379f1ee1a8f8abcac28b
+Author: justinbastress <33579608+justinbastress@users.noreply.github.com>
+Date: Fri Feb 9 14:17:26 2018 -0500
+
+ Remove anyPolicy check on subordinate CAs (#202)
+
+ * Per #201, remove lint_sub_ca_must_not_contain_anypolicy.go; affiliated subordinate CAs *are* allowed to have the AnyPolicy (see the second part of section 7.1.6.3), and there is no way for us to verify affiliation (see definition in section 1.6.1)
+
+ * remove unused test
+
+commit aca25bbbeca43a9cbe333d479f1684a72eef0459
+Author: justinbastress <33579608+justinbastress@users.noreply.github.com>
+Date: Tue Jan 16 10:04:40 2018 -0500
+
+ Address issue 198 (SAN format) (#199)
+
+ * FQDN utils: authority does not need to have an @; make AUthIsFQDNOrIP take an authority, not a host; add IsFQDNOrIP that does just take a host
+
+ * address issue in lint_ext_san_uri_host_not_fqdn_or_ip -- catch bad URLs, check host instead of (bogus) authority; update test certs to use proper URI as mentioned in issue (test:// instead of test//)
+
+ * don't fail out on URIs with no authority
+
+ * add test for no-authority URI
+
+ * Update GetAuthority and GetHost in fqdn.go to match rules from rfc3986, and to use net/url.Parse() where possible.
+
+ * add happy-case tests for GetAuthority and GetHost for all combinations of userinfo/port/absolute path/query/fragment
+
+ * add exceptional test cases for GetAuthority/GetHost
+
+commit 80fe8eced4b4df54e7e9b70e52bc6aa273d03a54
+Author: justinbastress <33579608+justinbastress@users.noreply.github.com>
+Date: Thu Jan 11 08:59:06 2018 -0500
+
+ Fix 39 month effective date (#196)
+
+ * fix effective date for SubCert825Days
+
+ * Push 39-month effective date forward as well ('... issued after 1 July 2016...')
+
+commit e1cfeb895232d2f18a79c572bf816f6a274548d6
+Author: justinbastress <33579608+justinbastress@users.noreply.github.com>
+Date: Wed Jan 10 17:17:58 2018 -0500
+
+ fix effective date for SubCert825Days (#195)
+
+commit 5899dfa3116b1f4c9f88e6a4dab18f72e5836812
+Author: justinbastress <33579608+justinbastress@users.noreply.github.com>
+Date: Tue Jan 9 13:56:12 2018 -0500
+
+ Strip filename comments (#194)
+
+ * strip redundant filename comments
+
+ * add copyright where missing; remove some additional redundant comments
+
+commit 41cd1cfc0f4bf3e7a62c332a61695f8460c7ba48
+Author: justinbastress <33579608+justinbastress@users.noreply.github.com>
+Date: Tue Jan 9 13:20:04 2018 -0500
+
+ Issue #191: 825 day certificates (#193)
+
+ * Issue #191: Update existing lint_sub_cert_valid_time_too_long to implement the language of https://cabforum.org/2017/03/17/ballot-193-825-day-certificate-lifetimes/ -- namely, subscriber certificates issued after 2018/03/01 must have a validity period no longer than 825 days (and those issued after 2016/07/01 retain the 39-month requirement). Also updated the filename in the header comment, and added a vacuous success for certificates issued prior to 2016/07/01.
+
+ * gofmt lint
+
+ * add new lint for 825-day validity window; update text of CABF-BR 6.3.2 in subCertValidTimeTooLong
+
+ * sub_cert_valid_time_too_long -> sub_cert_valid_time_longer_than_39_months
+
+ * fix name of 39 months lint test
+
+ * Add tests for 825 day limit: > 825 days, > cutoff -> fail; <= 825 days, > cutoff -> pass; < cutoff -> not effective
+
+ * gofmt test
+
+ * shortening description to what's tested in lint
+
+ * updating description to describe specific lint
+
+commit 56d810974215ff3ac0d520b10c1708963f48a10a
+Author: David Adrian
+Date: Tue Jan 2 10:56:36 2018 -0500
+
+ Add `openssl x509 -text` to "How to write tests" (#192)
+
+commit cfe45c5d7d7f2b3a7330889022e5b5a509a869fa
+Author: Deepak Kumar
+Date: Thu Dec 28 15:38:51 2017 -0600
+
+ check if CN is IP address before testing for DNSName lints (#190)
+
+commit 55d1dccbf9f6b8922e098320a4f81bb7da07c1f3
+Author: Maciej Galkowski
+Date: Fri Dec 8 17:21:16 2017 +0000
+
+ Add new lints for RFC 5280, fix existing ones (#184)
+
+ * Add new lints for RFC 5280, fix existing ones
+
+ * Add util.IsEmptyASN1Sequence func
+
+ * Fix compilation error
+
+commit 860a701c9b8c1e9648f3bec85531ed09101cebee
+Author: Maciej Galkowski
+Date: Thu Dec 7 18:46:28 2017 +0000
+
+ Add length check linters for the remaining subject DN fields (#185)
+
+ * Add length check linters for the remaining subject DN fields
+
+ * Fix typo
+
+commit 6c4a75f84e594d40a1d88fb02dcd8cfb89330fe8
+Author: Maciej Galkowski
+Date: Mon Dec 4 16:01:33 2017 +0000
+
+ Enhance e_ext_san_contains_reserved_ip linter to check for more reserved IP ranges, reject 0.0.0.0 IP address (#182)
+
+commit cfd5104da0befc1651518b1bc3b4ddbe45b55f59
+Author: Zakir Durumeric
+Date: Wed Nov 22 09:47:00 2017 -0600
+
+ adding a test for lint_dnsname_bad_character_in_label
+
+commit e7e179d93c7c5a991adb9486fd713271f9202086
+Author: Rob Stradling
+Date: Wed Nov 22 14:09:19 2017 +0000
+
+ Add missing [ to dnsNameRegexp. (#181)
+
+commit 36a643fb3d1d4e92d7de5056003fda59676d18ea
+Author: Maciej Galkowski
+Date: Mon Nov 20 14:38:18 2017 +0000
+
+ Speed up the linters (#179)
+
+ * Speed up the linters
+
+ * Changes requested in the code review
+
+commit 7057a53b1d1daf9ee70547255cf2fa516ff50c3c
+Author: Deepak Kumar
+Date: Fri Sep 15 11:37:52 2017 -0500
+
+ Update dnsName to apply to correct EKU values (#176)
+
+ * update all dnsName lints with serverAuth only
+
+ * prepend openssl output
+
+commit 7b41c239ca65ff0b6df2e226b6b19884960c1b2b
+Author: Deepak Kumar
+Date: Fri Sep 15 11:17:55 2017 -0500
+
+ Fix san bare suffix, ca CN effective time, subCA EKU (#174)
+
+ * fix san bare suffix bug
+
+ * gofmt
+
+commit 88cddc638874e5f8b1e9899d95a68001ec35be8a
+Author: Deepak Kumar
+Date: Thu Sep 7 18:33:59 2017 -0500
+
+ Add bare IANA Suffix lint (#172)
+
+ * add bare iana suffix lint
+
+ * change naming
+
+ * add license
+
+ * y
+
+commit 5826a245d6a559e51c77144f7aed099189bb1ea5
+Author: David Adrian
+Date: Thu Sep 7 11:41:15 2017 -0400
+
+ Update new lint template
+
+ Fill in source, don't add useless comment, add license
+
+commit 2c8be8ad1a769ec3544da976aff3a0310f8b0628
+Author: Jonathan Rudenberg
+Date: Thu Sep 7 11:23:55 2017 -0400
+
+ Fix fatal errors for certificates with public suffixes (#156)
+
+ * Fix fatal errors for certificates with public suffixes
+
+ - Use the ICANN section of the PSL for all relevant lints, as we
+ want to lint the non-ICANN labels.
+ - Return NA instead of Fatal for PSL failures, the TLD lint will
+ catch these if they are valid.
+
+ Fixes #155
+
+ Signed-off-by: Jonathan Rudenberg
+
+ * update lints to fatal instead of NA
+
+ * update lints
+
+ * remove unused import
+
+ * scope DNS lints to BRs
+
+ * update to NA
+
+commit 3081e3ed02034d502c3c4d295ccafc98a03ca427
+Author: Deepak Kumar
+Date: Wed Sep 6 16:52:36 2017 -0500
+
+ Add question mark notice lint (#170)
+
+commit f4040dac46c3d36f9178aa9901226abe92d7ad0e
+Author: Deepak Kumar
+Date: Wed Sep 6 14:25:56 2017 -0500
+
+ Fix eku check for BRs (#171)
+
+ * fix eku check for BRs
+
+ * fix nits
+
+ * update name
+
+commit 27b67e2f61e20b09c4753633504bc0e316d6b391
+Author: Deepak Kumar
+Date: Wed Sep 6 11:08:09 2017 -0500
+
+ Add type to lints (#169)
+
+ * adding type to lints
+
+ * BRs -> CABFBaselineRequirements
+
+ * update names
+
+ * ReadableSource -> Citation
+
+ * rename to UnknownLintSource
+
+ * fix README spacing
+
+ * Fix nits
+
+ * update base.go to remove Source from JSON
+
+ * fix test
+
+ * address JSON
+
+commit 9e196af38011ae3292ac4f451ddaa6cb9e8a1385
+Author: Deepak Kumar
+Date: Tue Sep 5 10:45:36 2017 -0500
+
+ remove old subject lints from 1.4.0 (#168)
+
+commit 8e4deb3844d7d076e899539572e117d69b83c877
+Author: Deepak Kumar
+Date: Tue Sep 5 08:50:14 2017 -0500
+
+ fix international names length check (#164)
+
+commit d3378a58946b0093480dc0c9fef6aa3e6aedb70d
+Author: Deepak Kumar
+Date: Sat Sep 2 20:25:02 2017 -0500
+
+ Set correct effective date for givenName lints (#162)
+
+commit 66858570887619f9a5f481beb2a8fb244fce97e4
+Author: David Adrian
+Date: Fri Sep 1 15:53:48 2017 -0400
+
+ Add --list-lints-schema (#160)
+
+ Output lints as ZSchema, sorted by name.
+
+commit a2f68c6cbdd32f94b8e65306fe6a69f957fa30b0
+Author: David Adrian
+Date: Fri Sep 1 14:44:43 2017 -0400
+
+ Add licenses header to some files.
+
+ Start adding license header until I got tired of it. Will do more later.
+
+commit b7b0924fd2c7d38f9937cbb434fbfe73502135ff
+Author: David Adrian
+Date: Fri Sep 1 11:21:59 2017 -0400
+
+ Prevent panic() in example code in README
+
+commit a23cd954a4d64f4f7f0524d94ddc90fdcb758aa5
+Author: David Adrian
+Date: Fri Sep 1 11:20:45 2017 -0400
+
+ Fix comment grammar
+
+commit 7d1dc46016c7567abfa709343eef053bee5ae6f0
+Author: Deepak Kumar
+Date: Fri Sep 1 10:13:15 2017 -0500
+
+ Address ambiguity in BRs (#158)
+
+ * address ambiguity in BRs
+
+ * add comment
+
+commit f94d2a7c4a96821d692c492c631e35213eec56cd
+Author: Deepak Kumar
+Date: Thu Aug 31 23:08:02 2017 -0500
+
+ Removing duplicate lints (#154)
+
+commit 53c9753c5932714928e0141edeea1cc3de2188d3
+Author: David Adrian
+Date: Thu Aug 31 23:35:50 2017 -0400
+
+ Refactor structure to simplify types and names (#153)
+
+ Add comments explaining the interfaces. Remove extraneous error
+ returns. Fix test formatting.
+
+commit d3c6ab2a20d7d252eaf6695e8d5a2321be726fd4
+Author: Jonathan Rudenberg
+Date: Thu Aug 31 13:40:32 2017 -0400
+
+ Fix some typos (#152)
+
+ Signed-off-by: Jonathan Rudenberg
+
+commit 806ee207c2e54cce56d07fd222e8a305d211b772
+Author: Jonathan Rudenberg
+Date: Thu Aug 31 13:35:39 2017 -0400
+
+ Remove useless comments (#151)
+
+ Signed-off-by: Jonathan Rudenberg
+
+commit b13f74b4631e585f321575783bde4ea3aaae175b
+Author: Jonathan Rudenberg
+Date: Thu Aug 31 13:22:21 2017 -0400
+
+ Change Golang -> Go (#149)
+
+ Signed-off-by: Jonathan Rudenberg
+
+commit 4373a48e3b5735a3493100358c9ba8b3be3f1304
+Author: Alex Gaynor
+Date: Thu Aug 31 13:07:35 2017 -0400
+
+ Apply SHA1 test to DSA and ECDSA certs as well. (#150)
+
+commit 6fb7b154abd1f7b042206894b3181636d63349c0
+Author: Rich Salz
+Date: Thu Aug 31 12:47:28 2017 -0400
+
+ Replace last instances of provenance with source (#148)
+
+commit a7fda0c5a17152ea85457471cc7403e9aaac66ee
+Author: Rich Salz
+Date: Thu Aug 31 12:40:33 2017 -0400
+
+ Improve help message (#147)
+
+commit 311c8541dc9c9774473ebb88659a7cadb7539d1f
+Author: Zakir Durumeric
+Date: Thu Aug 31 11:56:14 2017 -0400
+
+ syntax highlight code example in README
+
+commit 6ad5cc524fe90e390b421473bd30a137dbe14b1c
+Author: Deepak Kumar
+Date: Wed Aug 30 23:26:42 2017 -0500
+
+ Add DSA unique representation lint (#142)
+
+commit 383696bee1b56f8509369b8bd566928ea75adedb
+Author: Deepak Kumar
+Date: Wed Aug 30 23:11:54 2017 -0500
+
+ Add DSA Correct subgroup lint (#143)
+
+ Clean up other DSA lints
+
+commit 0ea55e3be77431cf77661498607e09e8953dc5e7
+Author: Deepak Kumar
+Date: Wed Aug 30 21:27:16 2017 -0500
+
+ add sub cert validity check to 39 months (#146)
+
+commit 9d433a47f773ad461320befd59247b513def5167
+Author: Zakir Durumeric
+Date: Wed Aug 30 14:45:27 2017 -0400
+
+ changing provenance to source (#145)
+
+ * changing provenance to source
+
+ * providenct to source
+
+commit 18a30b3365d737152eb9389736a861336654ead7
+Author: Deepak Kumar
+Date: Wed Aug 30 12:52:57 2017 -0500
+
+ Update README on how to add a new lint (#144)
+
+ * update README for creating a lint
+
+ * update
+
+ * make readme better
+
+ * some backticks
+
+ * Update README.md
+
+commit 9162bd940e15bd045d2d716752d3f771d5ed94be
+Author: Deepak Kumar
+Date: Tue Aug 29 22:17:38 2017 -0500
+
+ add Is cA check (#139)
+
+ * add isCa check
+
+ * add isCA check on raw extension
+
+ * add std asn1 lib
+
+ * remove basicConstraints declaration
+
+commit 019b8f30d0aefd59ccad9cb900f8b6589370c490
+Author: Deepak
Kumar +Date: Tue Aug 29 19:04:02 2017 -0500 + + Subscriber certs should not have is cA field set. (#140) + + * stuff + + * check actual extension for is cA field + + * change to default go asn1 + +commit be08bd22bfbea3a670a46d62603a16019aa2c669 +Author: Deepak Kumar +Date: Tue Aug 29 18:54:55 2017 -0500 + + Cleanup name constraints check (#141) + + * name constraints check cleanup + + * update pem with openssl + +commit 32224f1959a8685ec1eec0c41cfcc959941518ae +Author: Deepak Kumar +Date: Tue Aug 29 12:45:22 2017 -0500 + + Align the text of BR lints to match what we have in the public spreadsheet. (#138) + + * normalizing text with spreadsheet + + * update to match spreadsheet + + * gofmt + +commit f5ee2167043aa0c2959754a62775f1f8d8762812 +Author: Deepak Kumar +Date: Tue Aug 29 12:13:28 2017 -0500 + + Remove san dnsname FQDN lint (#137) + +commit 6188084fdb716cae13c8547ffa915d11db507812 +Author: Deepak Kumar +Date: Tue Aug 29 09:58:05 2017 -0500 + + panic when initialize throws an error (#135) + + * panic when initialize throws an error + + * add error + + * make error idiomatic + +commit e67e60db89424af511bd25a70b4b06d07d8104df +Author: Deepak Kumar +Date: Tue Aug 29 09:52:42 2017 -0500 + + Add bad character in label check (#134) + + * bad character in label lint + + * move regexp to init + + * update function signature + + * address zakir comments + + * update compile to MustCompile + + * add CheckApplies + +commit 20cd430294359a6ce5fd5b871d47903d66a6f498 +Author: Rich Salz +Date: Mon Aug 28 17:38:13 2017 -0400 + + Take multiple input files; intuit filetype (#132) + + If file ends with .der or .pem, then use that as the filetype. + Otherwise can specify it with the -format flag. + +commit dd4c0f1e4330953aa90c8c066be8b905b8ddc520 +Author: Deepak Kumar +Date: Mon Aug 28 16:32:57 2017 -0500 + + Add label length check for DNSNames. 
(#133) + + * add label too long check + + * add openssl output + +commit fbdbc89d7d32082d84c232664caddd40c0df1388 +Author: Deepak Kumar +Date: Mon Aug 28 16:00:22 2017 -0500 + + Update TLD Script (#116) + + * update tld script + + * add check for valid tld + + * remove SAN extension check + + * update to subscriber cert + + * add existent check + + * add proper cn check + +commit d50975d6892f5b28258b9d72ba8fd49674ac3a40 +Author: Deepak Kumar +Date: Mon Aug 28 15:57:37 2017 -0500 + + add empty label dnsname check (#117) + + * add empty label dnsname check + + * update to subscriber cert + + * add existent check + + * proper cn checking + +commit 574726c5e32c660a4fbbcd3700488307b731bfff +Author: Deepak Kumar +Date: Mon Aug 28 15:55:57 2017 -0500 + + adding SLD hyphen check (#119) + + * adding SLD hyphen check + + * remove SAN checkApplies + + * return ResultStruct + + * add existent check + + * add proper error checking + + * change name of func + + * rename again + +commit 27c2a19c47e8ada659b2e7188d174d02a70ae91b +Author: Zakir Durumeric +Date: Mon Aug 28 16:38:23 2017 -0400 + + Start a more helpful readme file (#131) + +commit f80e205f38fce6e98c258a7c9a743421c4c463a8 +Author: Deepak Kumar +Date: Mon Aug 28 15:28:37 2017 -0500 + + Check if underscore in SLD (#118) + + * check for underscore in SLD + + * underscore lint + + * remove SAN checkApplies + + * add result + + * update to fatal + + * add existent check + + * add correct error checking + +commit 8259bf877a6989aae8e2ac9d6ee662e78b11ae43 +Author: Rich Salz +Date: Mon Aug 28 16:27:04 2017 -0400 + + Add -pretty flag (#130) + +commit 8a96225c4ffd03df69a52d674ead3b098bc6689c +Author: Deepak Kumar +Date: Mon Aug 28 15:20:57 2017 -0500 + + adding underscore in left of ETLD+1 check (#120) + + * adding underscore in TRD check + + * remove SAN checkApplies + + * apply to subscriber certs + + * return result in addition to bool + + * update to fatal + + * add existent check + + * add proper error checking + +commit 
f718436a728255f134c80e2f09b98afc4fa3871b +Author: Deepak Kumar +Date: Mon Aug 28 14:59:05 2017 -0500 + + Add test for wildcard left of ETLD (#127) + + * add test for left of public suffix + + * update helper to return Result in addition to bool + + * publicsuffix cannot parse is NA + + * public suffix + + * update to fatal + + * add check for existent DNSNames + + * make helper not domain specific + + * remove unnecessary restriction + + * actually check if CN is empty + +commit 8f5859ea6ac14b7abfbe5d1f0bfd9ff38ca01cea +Author: Deepak Kumar +Date: Mon Aug 28 14:28:50 2017 -0500 + + Update helper to use the right lib. (#129) + + * update helper + + * gofmt + +commit 119f503afd92adc6adba23e2167ced0531655b1c +Author: Deepak Kumar +Date: Mon Aug 28 14:19:36 2017 -0500 + + Add helper function to determine if there are names to check. (#128) + + * add helper function + + * gofmt + +commit 29bd40e7adbeef3fca2e40238673c07a83aedee2 +Author: Deepak Kumar +Date: Sun Aug 27 09:32:55 2017 -0500 + + Add wildcard only in left label check (#121) + + * check wildcard only in left label + + * fix unsafe array index + + * add immediate return + +commit d6de6b1c9f6c5c0f85e1b455700efe324f73ada1 +Author: Deepak Kumar +Date: Sun Aug 27 09:29:51 2017 -0500 + + Add left label wildcard check (#122) + + * left label wildcard check + + * fix bug to check the correct value + + * squash and clause + + * address titanous + +commit 53bb5bfe293f6a5c768da2f728348e578cd80a68 +Author: Alex Gaynor +Date: Sat Aug 26 23:58:40 2017 -0400 + + Simplify removeQuestionMarks implementation (#126) + +commit 4aa2e44bca2c12258b258472684bde865210c1a7 +Author: David Adrian +Date: Sat Aug 26 15:51:26 2017 -0400 + + Add Slack notifications to TravisCI + +commit e77dd5989af05ee75158d300c3d16cf86d86c001 +Author: David Adrian +Date: Sat Aug 26 15:42:11 2017 -0400 + + Remove nested zlint package structure (#125) + + This moves main.go to a cmd/ subpackage, and moves zlint/zlint to the + root package. 
It further simplifies main.go to operate only on single + certificates. Multiple certificate linting should be accomplished using + the ZCertificate utility. + +commit d35efad6d164f53162c098fdd10fba34aaa2ca23 +Author: Zakir Durumeric +Date: Sat Aug 26 11:57:18 2017 -0400 + + a couple of other fixes from providence to provenance (#124) + +commit 77bb27c31feb35e6e5365b411d48b4741980b4c4 +Author: Deepak Kumar +Date: Fri Aug 25 10:03:29 2017 -0500 + + Add malformed unicode for IDN check (#115) + + * malformed unicode + + * update description + +commit c89c81c0d1494a2b1722d454fcfbc71ef920e99b +Author: Deepak Kumar +Date: Fri Aug 25 09:42:35 2017 -0500 + + Check Internationalized DNSNames for NFKC (#114) + + * check if DNSNames are NFKC if internationalized + + * remove extra comment + + * gofmt + + * fix dadrian nits + + * new lint update + + * NA instead of Fatal when ToUnicode fails + + * remove comment + +commit fd09e89b5d3f9cfb2fa136d1dd7cefa1c3559e79 +Merge: c082259e 5db497f4 +Author: David Adrian +Date: Thu Aug 24 20:00:29 2017 -0400 + + Merge branch 'titanous-simplify-report-generation' + +commit 5db497f4470f6efa8ceeb4e653bf93268b087963 +Merge: c082259e 3d4a5ba0 +Author: David Adrian +Date: Thu Aug 24 20:00:11 2017 -0400 + + Merge branch 'simplify-report-generation' of https://github.com/titanous/zlint into titanous-simplify-report-generation + +commit c082259e99a4278baa66c5c7b9657f34ed94b808 +Author: Deepak Kumar +Date: Thu Aug 24 16:25:30 2017 -0500 + + add serial number low entropy check (#112) + + * add low entropy check + + * update to warning + + * fix tests + +commit 875c2d70ad894b23948ea7931e5622b28a94e69a +Author: Deepak Kumar +Date: Thu Aug 24 11:48:40 2017 -0500 + + add subCA anypolicy check (#111) + + * add subCA anypolicy check + + * add subCA cert fix + + * remove second cert + +commit 9c9a02cdf3f2b39f680c9ead3ec987193ba03da1 +Author: Deepak Kumar +Date: Wed Aug 23 23:52:24 2017 -0500 + + remove duplicate lints (#93) + +commit 
8ae4ade6f22a26b963690a3cc5328ccb4bb664b3 +Author: Deepak Kumar +Date: Wed Aug 23 23:34:29 2017 -0500 + + add countryName required check (#110) + +commit 23045185e92ca99cde678d7ad8c706677f3c11a3 +Author: Deepak Kumar +Date: Wed Aug 23 23:27:59 2017 -0500 + + add postal code prohibited lint (#109) + +commit 0c1c125b9c85ae8a37cebf189d286e6e3a94d681 +Author: Deepak Kumar +Date: Wed Aug 23 23:04:59 2017 -0500 + + Add province prohibited check (#108) + + * locality + + * province prohibited + + * fix conflict + +commit 65a9b1c6a323df056a72913c900be0bacc9a3c23 +Author: Deepak Kumar +Date: Wed Aug 23 22:57:27 2017 -0500 + + Add province required check. (#107) + + * locality + + * update with province prohibited lint + +commit 57042a7abb8f74be1316c79f40f7cde905005e1d +Author: Deepak Kumar +Date: Wed Aug 23 22:54:32 2017 -0500 + + Add Locality name prohibited check (#106) + + * locality + + * locality name lint update + + * add locality prohibited lint + +commit 07803469fb6df822f438e025e4289289ab80d7d6 +Author: Deepak Kumar +Date: Wed Aug 23 22:16:38 2017 -0500 + + Add locality name check (#105) + + * add locality name test + + * remove unnecessary comment + + * remove . + +commit 57b4ca48e37957baa8220fafe8f8871f6c68c73c +Author: Deepak Kumar +Date: Wed Aug 23 18:34:40 2017 -0500 + + add givenName and surname policy check (#103) + + * add givenName and surname policy check + + * given name test fix + +commit 2f1a3c601e88277149d890e21207362dae0feb96 +Author: Deepak Kumar +Date: Wed Aug 23 18:33:15 2017 -0500 + + add AIA lint for subcert (#100) + +commit 6ec6f1afe77b6310e377cdf4318f93616c7b2fe2 +Author: Deepak Kumar +Date: Wed Aug 23 18:30:52 2017 -0500 + + Check if streetAddress MUST NOT appear. 
(#104) + + * add streetAddress lint + + * reorder names + + * remove bad comment + + * build + +commit 01b70c8eb4b384af7db781f7fdde57355ada935d +Author: Deepak Kumar +Date: Wed Aug 23 18:26:43 2017 -0500 + + add subCA EKU missing lint (#102) + +commit 6aae9006637ed745e65a7acedbad2cc1cdfbaa60 +Author: Deepak Kumar +Date: Wed Aug 23 18:23:41 2017 -0500 + + add common name missing lint (#101) + +commit af3bdb17d9da9ba2c3fbcdc1e6065884f984c8f8 +Author: Deepak Kumar +Date: Wed Aug 23 15:48:39 2017 -0500 + + Add lints that are inbound to base.go to prevent merge conflicts (#99) + + * add lints tbd + + * gofmt + +commit b8ccba0ed460ae2fa2720764859ce2482a0dd45c +Author: Deepak Kumar +Date: Wed Aug 23 09:07:31 2017 -0500 + + check if aia exists before operating on it (#98) + +commit d3ce2dc037ab70e8d3e07cb07cc0f79ee048727c +Author: Deepak Kumar +Date: Wed Aug 23 09:01:48 2017 -0500 + + check if keyUsage exists before operating on it (#97) + +commit 451071820f73e5db293150b6c530b4f91271885c +Author: Deepak Kumar +Date: Wed Aug 23 08:56:24 2017 -0500 + + subCA EKU Valid Fields (#95) + + * update lint with tests + + * add tests + + * CAB -> BRs + + * change to notice + + * update with proper text + + * update name to not technically constrained + + * update reportStruct with correct name + + * update lint and test + +commit 234a47481b9c821b5cde77e8fdfe6957e51225ff +Author: Deepak Kumar +Date: Tue Aug 22 13:18:21 2017 -0500 + + Check if HTTP URL is inside AIA/CRL URLs. 
(#96) + + * actually check if an http url is inside ocsp, crl urls + + * hasPrefix instead of contains + +commit b60d4bfd02b0347ba710bd59a46290153cf42473 +Author: Deepak Kumar +Date: Tue Aug 22 10:03:17 2017 -0500 + + SubCA AIA Marked Critical Lint (#94) + +commit 09f16fb8a7d1a0ce78326623774b7ede9b8bddcf +Author: Deepak Kumar +Date: Mon Aug 21 21:08:21 2017 -0500 + + RootCA Key Usage Critical Lint (#92) + + * not critical + + * update lints + + * fix broken test with not critial cert + + * remove fmt + + * remove comment + +commit 020e8ba5126bd1458fd28a920cf5070f4435fa55 +Author: Deepak Kumar +Date: Mon Aug 21 15:37:17 2017 -0500 + + adding rootCA key usage present lint (#91) + +commit 0b36404b8cdd3d194cc8b5e84cfcfcfcc9b18a50 +Author: Deepak Kumar +Date: Mon Aug 21 15:05:15 2017 -0500 + + Adding signature not supported lint (#90) + + * add algorithm not supported + + * update test with sha1withRSA test + + * update pems with stuff + +commit 770b40799509a4aabfbd2f56b26bbea717521a25 +Author: Deepak Kumar +Date: Mon Aug 21 13:42:52 2017 -0500 + + These key identifier checks only apply to Subscriber Certificates (#88) + + * update two lints with correct applies clause + + * remove swp forever + + * update to not root CA and remove duplicate lint + + * fixing tests + +commit 3528ed3db31839496c31baa2b4f1ffab2dc34c70 +Author: Jonathan Rudenberg +Date: Sun Aug 20 19:24:29 2017 -0400 + + Fix 1024-bit RSA sunset dates (#80) + + Signed-off-by: Jonathan Rudenberg + +commit 528096a36c9e7348e2b637c52205bcc670a8821d +Author: Deepak Kumar +Date: Sun Aug 20 18:15:58 2017 -0500 + + Update subcert AIA lint prefix to "w" as it's actually a warning. (#86) + + * update sub cert aia lint to use proper prefix + + * update test + + * update underlying struct to use W instead of E + +commit dd95a32d5bf6613426f8d98b1f5005ac116b5436 +Author: Jonathan Rudenberg +Date: Sun Aug 20 19:13:49 2017 -0400 + + Fix report skew (#87) + + * Rename RDN -> rdn in lint names + + 
Signed-off-by: Jonathan Rudenberg + + * Remove unused EExtSanDnsSyntaxIncorrect + +commit aa491a8aca7bda7c74a784213bcf71663909c265 +Author: Jonathan Rudenberg +Date: Sun Aug 20 19:11:51 2017 -0400 + + Rename CAB -> BRs (#84) + + "[the] BRs" is an official short reference to our favorite document, + The Baseline Requirements for the Issuance and Management of + Publicly-Trusted Certificates. + + https://cabforum.org/pipermail/public/2017-August/011856.html + + Signed-off-by: Jonathan Rudenberg + +commit db7435f8e6f89f06dde470249961aefc56421e96 +Author: Jonathan Rudenberg +Date: Sun Aug 20 19:11:08 2017 -0400 + + Add LICENSE (#83) + + Signed-off-by: Jonathan Rudenberg + +commit 49fbb4510fdd2e25b63486a933bc38f2a5646a04 +Author: Jonathan Rudenberg +Date: Sun Aug 20 19:09:48 2017 -0400 + + gofmt -s (#81) + + Signed-off-by: Jonathan Rudenberg + +commit e1426b4e0479d6d7e6087d48855ac4f9a35f081c +Author: Jonathan Rudenberg +Date: Sun Aug 20 19:07:49 2017 -0400 + + Fix typo in json tag for ENameConstraintMaximumNotAbsent (#82) + + Signed-off-by: Jonathan Rudenberg + +commit 3d4a5ba0727486a09ccee45085e8da8d3672f5bf +Author: Jonathan Rudenberg +Date: Sun Aug 20 15:41:21 2017 -0400 + + Simplify lint report generation by using map + + Signed-off-by: Jonathan Rudenberg + +commit 1f3497eb444fa211699f71b16a33a6c070aa80e2 +Author: Jonathan Rudenberg +Date: Sun Aug 20 15:39:42 2017 -0400 + + Rename RDN -> rdn in lint names + + Signed-off-by: Jonathan Rudenberg + +commit 7b2b2757caa3d18de37fb5eb574b19b32ccd2c14 +Author: Jonathan Rudenberg +Date: Sun Aug 20 14:03:07 2017 -0400 + + Add `openssl x509 -text` output to test certs (#79) + + Signed-off-by: Jonathan Rudenberg + +commit 39c9f80ce77cf420df30907b75d0782d7bda4b19 +Author: Jonathan Rudenberg +Date: Sun Aug 20 13:34:14 2017 -0400 + + Rename Providence -> Provenance (#78) + + 
Signed-off-by: Jonathan Rudenberg + +commit 57d939a687cedb4625ba110b1fef621f444dbe72 +Author: Jonathan Rudenberg +Date: Sun Aug 20 12:59:41 2017 -0400 + + Switch AIA missing issuing CA URL from error to warn (#77) + + This is a SHOULD, not a MUST so it should be a warning. + + 
Signed-off-by: Jonathan Rudenberg + +commit 6e5f9d572d5d6bb3e1b5c24daa881e405da62764 +Author: David Adrian +Date: Mon Jun 12 15:34:21 2017 -0400 + + Clean up DNS Name Encoding Lints (#71) + +commit 860b76a57d05be69e682cc8979319f61093b4f67 +Author: David Adrian +Date: Mon Jun 12 14:56:35 2017 -0400 + + Make util/ Great Again (#70) + + - Fix CA Cert and Self-Signed and Intermediate Detection + - Fix the tests that using the correct detection broke + - Clean up util some to make sense + +commit ccb27dab36cfca10930db51a7a679ac228db6e51 +Author: Deepak Kumar +Date: Mon Jun 5 11:48:11 2017 -0400 + + Update LintReport JSON to match Schema (#69) + +commit 113adb24646c015defd9dd04ae823c3f1c0bba0a +Author: Deepak Kumar +Date: Fri Jun 2 12:49:32 2017 -0400 + + Rewrite main.go with channels (#68) + +commit 18005bc6417e59ddd659dd1ba32ca62c9b9201d0 +Author: David Adrian +Date: Wed May 31 18:05:45 2017 -0400 + + Ensure Lint fields are set (#62) + + Test that Name, Providence, and Description are set on all Lints. + +commit 193ba7d10700de382e0de6f01ed0ca0a1e580c2c +Author: David Adrian +Date: Wed May 31 15:54:41 2017 -0400 + + Add meta-lint for assigning to the correct report field (#63) + + This checks that the field name in ZLintReport matches Lint.name + +commit 55c5af7cc87636cc0a02bc9dd44dbbc9428a7e8b +Author: Deepak Kumar +Date: Wed May 31 15:51:31 2017 -0400 + + Use correct name for multiple RDN lints (#64) + + Fixes error exposed in #63 + +commit 2617c7e7a32f056e7bb6b86de7bdbb1b31ea8bb1 +Author: Deepak Kumar +Date: Wed May 31 14:07:54 2017 -0400 + + Add multiple RDNs lint (#59) + + This adds a new lint that checks for multiple RDNs in subject and issuer. 
+ +commit 089d34647a744babc05b09e84cac4d9ddf783a3a +Author: David Adrian +Date: Wed May 31 13:42:17 2017 -0400 + + Ensure lints have updateReport defined (#61) + +commit 2d1ea919cc4920c5454a64a9b6553ad399268341 +Author: zhengping +Date: Mon Apr 17 16:33:58 2017 -0500 + + Add DN attribute value space lints (#28) + +commit b946258a7d1ec1ecafc0e0af70af01e6159e2d15 +Author: Paul Murley +Date: Wed May 24 12:51:45 2017 -0500 + + Minor cosmetic fixes in test descriptions (#54) + +commit 51d8fd000044f1cba7d2fe3a2858bd1d5d114c4d +Author: Deepak Kumar +Date: Tue May 30 20:12:14 2017 -0400 + + Add --list-lints-json (#51) + +commit 3f9b85cdc76d0bdc682566515fdb55ee86563c9e +Author: Deepak Kumar +Date: Fri May 26 16:26:29 2017 -0500 + + update common name test to exclude CA certs (#57) + + * update common name test to exclude CA certs + + * smh gofmt + +commit e94c186f143b5324d8048fe9ccc1c457f8db24bb +Author: Deepak Kumar +Date: Thu May 25 09:42:53 2017 -0500 + + Add missing defense checks to lints (#55) + +commit 961ea435888129d8977228c6780e99216f0b7306 +Author: Deepak Kumar +Date: Wed May 24 15:45:46 2017 -0500 + + Lints that only apply to subscriber certs should not apply to CA certs (#53) + +commit 818f0029e9c386c49a75570b6bed4273e46df841 +Author: Alex Holland +Date: Mon May 22 17:34:33 2017 -0400 + + Pedantic Fixes (#52) + + Adds goreportcard + +commit fd5ecf2ec11d4adfd3f9fa3cd95602266b197ae7 +Author: Deepak Kumar +Date: Sun May 21 16:59:09 2017 -0500 + + ignoring error because its in the damn lint itself (#49) + + * ignoring error because its in the damn lint itself + + * update to 1.8.1 + + * removing zcrypto + + * dont update twice + +commit a313b0c1a68ff15362d7c6ea45a0f55583315ea3 +Author: Deepak Kumar +Date: Sun May 21 15:29:03 2017 -0500 + + removing writing to map (#48) + +commit 59bf413cfb8aadc0f600780241df97c2c96898b3 +Author: Deepak Kumar +Date: Sun May 21 15:05:47 2017 -0500 + + Kumarde/update travis (#47) + + * removing dependency on zgrab to zcrypto + + * 
update travis + +commit c36ba035744cb1fbe44c1f2b16f3c20bcb40d612 +Author: Deepak Kumar +Date: Sun May 21 14:50:28 2017 -0500 + + segfault fixing (#45) + +commit a39229dd713b86021ac2cf12481e6f57a8e3a75c +Author: Deepak Kumar +Date: Tue May 16 11:29:44 2017 -0500 + + updating base with max length lints (#44) + +commit 872737683f22ece29da88c5979629b735ee5c5e6 +Author: Deepak Kumar +Date: Fri May 12 11:41:42 2017 -0500 + + Update JSON output to match ZTag schema (#43) + +commit fea6847e8559d30cde77b5a58231befa7bff21e8 +Author: jddicki2 +Date: Thu May 11 19:59:44 2017 -0500 + + max_length lints: Subject common_name, locality_name, organization_name, and state_name (#40) + + * Adding max_length lint for subject common name + + * Adding max_length lint for subject locality name + + * Adding max_length lint for subject state name + + * Adding max_length lint for subject organizational name + + * added organizational unit max length lint and tests + + * Changed lint to match style of other max_length lints + +commit 6d5b9a14365da57350239328708081fa694abed0 +Author: Deepak Kumar +Date: Wed May 10 15:33:11 2017 -0500 + + Kumarde/fill out fields (#42) + + * updating info to notice + + * update base + + * gofmt code + + * update w bools in right struct + + * fixing nits + + * json removal + + * updating fields to the right places + +commit 20fc474b7cb9e59614739c73f6085b6668a7db08 +Author: Deepak Kumar +Date: Tue May 2 20:26:20 2017 -0500 + + updating info to notice (#41) + +commit 7f1506cb3dd99e62f366833c8c27e89d23afd176 +Author: Deepak Kumar +Date: Sat Apr 29 10:20:12 2017 -0500 + + fixing public suffix lint (#38) + +commit 6752a0674f881e51a395a772d562ccfb3504bf5e +Author: Deepak Kumar +Date: Fri Apr 28 17:19:00 2017 -0500 + + Kumarde/zlint refactor (#35) + + * update version to ZLint + + * gofmt + + * first refactor attempt + + * update refactor to have lint store their own state + + * actually setting ZLint field... 
+ + * Fix fqdn update to govalidator + + * removing useless nil return + + * return nil if nil + +commit 741f8e0396a9f1f73e99da6c6f90f92392605b91 +Author: zhengping12 +Date: Thu Apr 20 21:00:05 2017 -0500 + + Added gofmt test for all source code (#33) + + * Added gofmt test for all source code + + * ran gofmt on every file + +commit 279d659bf4687487ec7c4cb924711c98e2d61370 +Author: Deepak Kumar +Date: Wed Apr 19 10:29:49 2017 -0500 + + update warning to errors (#30) + +commit 2d715176213e8021066586b67ba74418b491bd21 +Author: Deepak Kumar +Date: Wed Apr 19 10:23:50 2017 -0500 + + update warning to info (#29) + +commit 258ee7c6bd15167e5a73d29392a5e68495ca7a07 +Author: zhengping12 +Date: Sun Apr 16 11:32:07 2017 -0500 + + Changed .cer to .pem (#26) + +commit 9a7f9d481b879c3ea258c043667fb6c08c96f400 +Author: Deepak Kumar +Date: Sat Apr 15 09:28:08 2017 -0500 + + fixing bad hostname checking for URIs (#25) + + * fixing very bad hostname checking for URIs + + * fixing certs + +commit 11f225d2c2254629fbee3bd44d5a85fd197517d6 +Author: Deepak Kumar +Date: Wed Apr 12 14:23:03 2017 -0500 + + removing a lint which is encompased by lint_ext_san_dns_not_fqdn (#23) + + * removing an incorrect lint which is encompased by lint_ext_san_dns_not_fqdn + + * fixing tests + +commit 6e61b3dadc70b6dd2a3591b8c75c0fb544102ad7 +Author: Deepak Kumar +Date: Fri Mar 31 08:51:54 2017 -0500 + + updating FQDN parsing in ZLint (#20) + + * updating FQDN parsing in ZLint + + * removing unnecessary comment + + * update fqdn + + * if ? 
is in end, this goes there so now its only the beginnign + + * gofmt + +commit 504f3e137466d10c11049505c6f5911fb3af5d26 +Author: Deepak Kumar +Date: Fri Mar 24 16:11:08 2017 -0400 + + fixing bug in ip checking for common names (#19) + +commit 2382879c3f4b75304f33077142a9f396d2b23445 +Author: zhengping12 +Date: Tue Mar 21 17:02:47 2017 -0500 + + fixing naming, adding sanity check, adding error msg to zlint output file (#18) + +commit 618a3ef21bd7932e65701955145ffb42d4a7142e +Author: zhengping12 +Date: Tue Mar 21 16:24:10 2017 -0500 + + fix to sanFqdn lint and 3 new tests (#16) + + * fix to sanFqdn lint and 3 new tests + + * new tests for ian/san uri host to test wildcard fqdn correctness + + * Fixing naming for IAN SAN FQDN and URI + + * fixing DNS capitalization + + * fixing IAN capitalization + + * fixing DNS capitalization + + * fixing IP capitalization + + * fixing SAN capitalization + + * fixing IA5String spelling + + * changing lint names to lowercase for those involving IAN and SAN + + * fixed RFC capitalization + + * removing duplicate files + + * fixed EDI capitalization + + * fixed capitalization + + * fixed SAN capitalization + + * fixed name constraint spelling + +commit e6b50db049c4e6e35a1a5b74879d2d70d1aaabbb +Author: Deepak Kumar +Date: Mon Mar 13 14:40:52 2017 -0500 + + Kumarde/rename lints (#15) + + * renaming lints that do not make sense + + * fixing typo + +commit e859f3a11a2e52d14b74ad5e5a99bf3485b7c02c +Author: Deepak Kumar +Date: Sun Mar 12 17:45:44 2017 -0500 + + Kumarde/modify output to match protobuf (#13) + + * modifying lints to match protobuf output + + * fixing a typo in constraints... + + * moving back from protobuf + +commit 7862de5be4c4be17576e4ede7a658b590a11969c +Author: zhengping12 +Date: Sun Mar 12 09:27:31 2017 -0500 + + rsa related lints changes. 
(#11) + + * moving the error case to not apply for rsa certs with no public key + + * fixed to check ok first in rsa lints + + * fixing parenthesis + +commit 5df5702a0d66d3eca73cb5843377ac7c751a47f3 +Merge: b91e79e7 e8ca2730 +Author: Deepak Kumar +Date: Tue Mar 7 13:45:49 2017 -0600 + + Merge pull request #10 from zmap/dadrian/zcrypto + + Migrate x509 from ZGrab to ZCrypto + +commit e8ca27301f8c6b06d006d3682e175e18b34a24fd +Author: David Adrian +Date: Tue Mar 7 14:37:25 2017 -0500 + + Migrate x509 from ZGrab to ZCrypto + + Implemented by running: + + ``` + $ find . -type f -name '*.go' -exec sed -i '' 's|github.com/zmap/zgrab/ztools/x509|github.com/zmap/zcrypto/x509|g' {} \; + ``` + +commit b91e79e7ace9660f7972a193bf02520e22d277f5 +Merge: 3636d956 e1d012eb +Author: Zakir Durumeric +Date: Wed Mar 1 13:39:55 2017 -0800 + + Merge pull request #9 from zhengping12/master + + Ran go fmt and Lints/* + +commit e1d012eb0c3ee9732fae75e6a74284607bb33529 +Author: zhengping12 +Date: Wed Mar 1 15:38:26 2017 -0600 + + Ran go fmt and Lints/* + +commit 3636d956d6bd0b0cc84bd8524aa1064b73def40c +Merge: 03634486 d5d0ef99 +Author: Zakir Durumeric +Date: Wed Mar 1 13:37:32 2017 -0800 + + Merge pull request #8 from zhengping12/master + + Removed debugging code + +commit d5d0ef991ae0d0cd2adb2a7847c02a6e7efd54ea +Author: zhengping12 +Date: Wed Mar 1 15:34:42 2017 -0600 + + Removed debugging code + +commit 036344869cc00556ddc4421a963acf93a6713540 +Merge: 14d40795 14eb2712 +Author: Zakir Durumeric +Date: Wed Mar 1 13:23:30 2017 -0800 + + Merge pull request #7 from zhengping12/master + + only the rsa related changes + +commit 14eb271201b97eba00beaf98c98d3956efb44de3 +Author: zhengping12 +Date: Wed Mar 1 15:19:35 2017 -0600 + + lint_rsa_public_exponent_not_in_range.go fix + +commit 755437e70b82d7c3abad2502de7ec84bc040ad1c +Author: zhengping12 +Date: Wed Mar 1 15:01:53 2017 -0600 + + only the rsa related changes + +commit 14d407952a7255db29576fdc153e3ff51a1c86f1 +Merge: 451b3b52 1876fd48 
+Author: Deepak Kumar +Date: Fri Feb 17 15:26:03 2017 -0600 + + Merge pull request #4 from mhyder13/master + + added -num-threads option + +commit 1876fd48e5ec001ee1df7c3a0d662c77307f6eee +Author: mhyder13 +Date: Fri Feb 10 16:33:24 2017 -0600 + + added -num-threads option + + Changed threaded mode to accept a command line argument to alter the number of goroutines used for processing + +commit 451b3b52ac3408f4f70bad91020f54cddd9bd2d1 +Merge: 13b684fe 9cd525d8 +Author: Zakir Durumeric +Date: Mon Dec 19 21:10:44 2016 -0600 + + Merge pull request #3 from zmap/kumarde/gtld_in_struct + + fixing names + +commit 9cd525d882093a33ba644db4a0e5f1f2a0861572 +Author: Deepak Kumar +Date: Mon Dec 19 16:01:11 2016 -0500 + + fixing names + +commit 13b684fe7321b9c6bbbdc7fb5e096c9feefeee35 +Author: Deepak Kumar +Date: Fri Dec 16 15:22:07 2016 -0600 + + finally removing gtld + +commit e432811bdca0a3525717df0e55c2162874118636 +Author: Deepak Kumar +Date: Fri Dec 16 15:21:28 2016 -0600 + + removing println + +commit d21c7093bcf37aac3eb57497c3ca19f0f4c5b8ef +Merge: 71f46f29 1e5bb463 +Author: Deepak Kumar +Date: Fri Dec 16 15:20:04 2016 -0600 + + Merge pull request #2 from zmap/kumarde/update_gtld_util + + Kumarde/update gtld util + +commit 1e5bb463aa9d1d0fe5af39143183987b5cc9e3b4 +Author: Deepak Kumar +Date: Fri Dec 16 15:18:28 2016 -0600 + + fixing map + +commit 362dbebf2afc389fbe7ae9828935088d224a1f5d +Author: Deepak Kumar +Date: Fri Dec 16 13:24:20 2016 -0600 + + adding gtld util direct HTTP request + +commit 71f46f29a2a5aecffc2dbccd76d03b99c0e0a28c +Merge: a4b087f0 cbafd7a7 +Author: Deepak Kumar +Date: Thu Dec 15 17:19:58 2016 -0600 + + Merge pull request #1 from zmap/kumarde/json_cleanup + + Kumarde/json cleanup + +commit cbafd7a7a99d06633856b6a349f01905b8172e3d +Author: Deepak Kumar +Date: Thu Dec 15 11:00:41 2016 -0600 + + moved enumToString in right place + +commit 12b0ba98556ef0b77f11508258e95dcefa9a0c90 +Author: Deepak Kumar +Date: Thu Dec 15 10:56:06 2016 -0600 + + json 
cleanup + +commit a4b087f0e4b71d59fa46684c11ed306212746444 +Author: Deepak Kumar +Date: Wed Dec 14 17:34:41 2016 -0600 + + enumToString + +commit 897779809fcd720e6b45cf77b41e2c533d85919c +Author: Deepak Kumar +Date: Tue Dec 13 10:34:26 2016 -0600 + + adding gitignore to ignore idea files + +commit 7b2398b406e6b116afd8423028ab70f7ad135d01 +Author: Deepak Kumar +Date: Tue Dec 6 15:07:52 2016 -0600 + + adding travis CI to Readme + +commit cffe92b08b3dfeb21228e2cd0145e411a609b04c +Author: Deepak Kumar +Date: Tue Dec 6 15:04:35 2016 -0600 + + again, casing + +commit b52d470e9d19beb585c135cde7ce1cb5d588bdd2 +Author: Deepak Kumar +Date: Tue Dec 6 15:01:40 2016 -0600 + + casing issue fix + +commit 2e3c84532728fc11264602b6fd4a2522b85eb1fd +Author: Deepak Kumar +Date: Tue Dec 6 14:57:24 2016 -0600 + + first travis.yml attempt + +commit 637e564518df8595cb671609c1318c70263435cb +Author: Deepak Kumar +Date: Tue Dec 6 11:48:03 2016 -0600 + + purging old testing framework + +commit 27d47cb83dfba54cfad6790b5669c0ed94a08870 +Author: Deepak Kumar +Date: Mon Dec 5 22:43:34 2016 -0600 + + update teamnsrg->zmap + +commit fa41d29c28e934a68a62ce4a5d82e65e85ec06f6 +Author: Deepak Kumar +Date: Mon Dec 5 22:35:00 2016 -0600 + + fixing README + +commit 303acf0753ff52b2fb8f564c9783d1076a522de9 +Author: Deepak Kumar +Date: Mon Dec 5 22:34:16 2016 -0600 + + adding zmap org to README.md + +commit 8a0f765f8dbabc601a7c4bea0dba0e5189089684 +Author: Deepak Kumar +Date: Mon Dec 5 22:30:32 2016 -0600 + + initial commit from teamnsrg
diff --git a/v3/cmd/genTestCerts/go.sum b/v3/cmd/genTestCerts/go.sum
index e14f32a94..10b9f480a 100644
--- a/v3/cmd/genTestCerts/go.sum
+++ b/v3/cmd/genTestCerts/go.sum
@@ -13,11 +13,13 @@ github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
 github.com/mreiferson/go-httpclient v0.0.0-20160630210159-31f0106b4474/go.mod h1:OQA4XLvDbMgS8P0CevmM4m9Q3Jq4phKUzcocxuGJ5m8=
 github.com/mreiferson/go-httpclient v0.0.0-20201222173833-5e475fde3a4d/go.mod h1:OQA4XLvDbMgS8P0CevmM4m9Q3Jq4phKUzcocxuGJ5m8=
 github.com/op/go-logging v0.0.0-20160315200505-970db520ece7/go.mod h1:HzydrMdWErDVzsI23lYNej1Htcns9BCg93Dk0bBINWk=
+github.com/pelletier/go-toml v1.9.5 h1:4yBQzkHv+7BHq2PQUZF3Mx0IYxG7LsP222s7Agd3ve8=
 github.com/pelletier/go-toml v1.9.5/go.mod h1:u1nR/EPcESfeI/szUZKdtJ0xRNbUoANCkoOuaOx1Y+c=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/sirupsen/logrus v1.3.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo=
 github.com/sirupsen/logrus v1.7.0/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
+github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
 github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
@@ -40,9 +42,11 @@ github.com/zmap/rc2 v0.0.0-20131011165748-24b9757f5521/go.mod h1:3YZ9o3WnatTIZhu github.com/zmap/rc2 v0.0.0-20190804163417-abaa70531248/go.mod h1:3YZ9o3WnatTIZhuOtot4IcUfzoKVjUHqu6WALIyI0nE= github.com/zmap/zcertificate v0.0.0-20180516150559-0e3d58b1bac4/go.mod h1:5iU54tB79AMBcySS0R2XIyZBAVmeHranShAFELYx7is= github.com/zmap/zcertificate v0.0.1/go.mod h1:q0dlN54Jm4NVSSuzisusQY0hqDWvu92C+TWveAxiVWk= +github.com/zmap/zcrypto v0.0.0-20201128221613-3719af1573cf/go.mod h1:aPM7r+JOkfL+9qSB4KbYjtoEzJqUK50EXkkJabeNJDQ= github.com/zmap/zcrypto v0.0.0-20201211161100-e54a5822fb7e/go.mod h1:aPM7r+JOkfL+9qSB4KbYjtoEzJqUK50EXkkJabeNJDQ= github.com/zmap/zcrypto v0.0.0-20250129210703-03c45d0bae98 h1:Qp98bmMm9JHPPOaLi2Nb6oWoZ+1OyOMWI7PPeJrirI0= github.com/zmap/zcrypto v0.0.0-20250129210703-03c45d0bae98/go.mod h1:YTUyN/U1oJ7RzCEY5hUweYxbVUu7X+11wB7OXZT15oE= +github.com/zmap/zlint/v3 v3.0.0/go.mod h1:paGwFySdHIBEMJ61YjoqT4h7Ge+fdYG4sUQhnTb1lJ8= golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= 
@@ -83,13 +87,13 @@ golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y= golang.org/x/sync v0.6.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= golang.org/x/sync v0.10.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= -golang.org/x/sync v0.12.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA= golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20201126233918-771906719818/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= 
@@ -101,6 +105,7 @@ golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/sys v0.29.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/sys v0.31.0 h1:ioabZlmFYtWhL+TRYpcnNlLwhyxaM9kWTDEmfnprqik= golang.org/x/sys v0.31.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k= golang.org/x/telemetry v0.0.0-20240228155512-f48c80bd79b2/go.mod h1:TeRTkGYfJXctD9OcfyVLyj2J3IxLnKwHJR8f4D8a3YE= golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw= @@ -113,9 +118,9 @@ golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk= golang.org/x/term v0.20.0/go.mod h1:8UkIAJTvZgivsXaD6/pH6U9ecQzZ45awqEOzuCvwpFY= golang.org/x/term v0.27.0/go.mod h1:iMsnZpn0cago0GOrHO2+Y7u7JPn5AylBrcoWkElMTSM= golang.org/x/term v0.28.0/go.mod h1:Sw/lC2IAUZ92udQNf3WodGtn4k/XoLyZoh8v/8uiwek= -golang.org/x/term v0.30.0/go.mod h1:NYYFdzHoI5wRh/h5tDMdMqCqPJZEuNqVR5xJLd/n67g= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= +golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8= diff --git a/v3/integration/config.json b/v3/integration/config.json index 0e41071dd..91110bbdb 100644 --- a/v3/integration/config.json +++ b/v3/integration/config.json @@ -828,6 +828,7 @@ }, "e_qcstatem_qctype_smime": { }, "e_qcstatem_pds_must_have_https_only": { }, + "e_qcstatem_correct_national_scheme": { }, "n_ca_digital_signature_not_set": { "NoticeCount": 1405 }, 
diff --git a/v3/lints/etsi/lint_qcstatem_etsi_national_scheme.go b/v3/lints/etsi/lint_qcstatem_etsi_national_scheme.go new file mode 100644 index 000000000..cf93cd842 --- /dev/null +++ b/v3/lints/etsi/lint_qcstatem_etsi_national_scheme.go 
@@ -0,0 +1,144 @@
+package etsi
+
+/*
+ * ZLint Copyright 2025 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+import (
+ "fmt"
+ "regexp"
+
+ "github.com/zmap/zcrypto/x509"
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/util"
+)
+
+type qcStatemNationalScheme struct{}
+
+/************************************************************************
+ETSI EN 319 412-2 V2.2.1 (2020-07)
+https://www.etsi.org/deliver/etsi_en/319400_319499/31941202/02.02.01_60/en_31941202v020201p.pdf
+4.2.4 Certificates may include one or more semantics identifiers as specified in ETSI
+EN 319 412-1 [i.4], clause 5 which defines the semantics for the organizationIdentifier attribute.
+
+Certificates may include one or more semantics identifiers as specified in ETSI EN 319 412-1 [i.4],
+clause 5 which define the semantics for the serialNumber attribute.
+
+ETSI EN 319 412-1 V1.4.1 (2020-06)
+https://www.etsi.org/deliver/etsi_en/319400_319499/31941201/01.04.01_60/en_31941201v010401p.pdf
+5.1.3 Natural person semantics identifier
+The semantics of id-etsi-qcs-SemanticsId-Natural shall be as follows.
+When the natural person semantics identifier is included, any present serialNumber attribute in the subject field shall
+contain information using the following structure in the presented order:
+The three initial characters shall have one of the following defined values:
+1) "PAS" for identification based on passport number.
+2) "IDC" for identification based on national identity card number.
+3) "PNO" for identification based on (national) personal number (national civic registration number).
+4) "TAX" for identification based on a personal tax reference number issued by a national tax authority. This
+value is deprecated. The value "TIN" should be used instead.
+5) "TIN" Tax Identification Number according to the European Commission – Tax and Customs Union
+(https://ec.europa.eu/taxation_customs/tin/tinByCountry.html).
+6) Two characters according to local definition within the specified country and name registration authority,
+identifying a national scheme that is considered appropriate for national and European level, followed by the
+character ":" (colon).
+
+5.1.4 Legal person semantics identifier
+The semantics of id-etsi-qcs-SemanticsId-Legal shall be as follows.
+When the legal person semantics identifier is included, any present organizationIdentifier attribute in the subject
+field shall contain information using the following structure in the presented order:
+• 3 character legal person identity type reference;
+• 2 character ISO 3166 [2] country code;
+• hyphen-minus "-" (0x2D (ASCII), U+002D (UTF-8)); and
+• identifier (according to country and identity type reference).
+The three initial characters shall have one of the following defined values:
+1) "VAT" for identification based on a national value added tax identification number.
+2) "NTR" for identification based on an identifier from a national trade register.
+3) "PSD" for identification based on national authorization number of a payment service provider under
+Payments Services Directive (EU) 2015/2366 [i.13]. This shall use the extended structure as defined in ETSI
+TS 119 495 [3], clause 5.2.1.
+4) "LEI" for a global Legal Entity Identifier as specified in ISO 17442 [4]. The 2 character ISO 3166 [2] country
+code shall be set to 'XG'.
+5) Two characters according to local definition within the specified country and name registration authority,
+identifying a national scheme that is considered appropriate for national and European level, followed by the
+character ":" (colon)
+*************************************************************************/
+
+func init() {
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_qcstatem_correct_national_scheme",
+ Description: "This lint checks that the national scheme is well-formed when used in the serialNumber or organizationIdentifier attribute in the subject field, provided that either the natural person semantics identifier or the legal person semantics identifier is present.",
+ Citation: "ETSI EN 319 412-1 V1.4.1, 5.1.3 Natural person semantics identifier and 5.1.4 Legal person semantics identifier",
+ Source: lint.EtsiEsi,
+ EffectiveDate: util.ETSI_EN_319_412_1_V1_4_1_DATE,
+ },
+ Lint: NewQcStatemNationalScheme,
+ })
+}
+
+func NewQcStatemNationalScheme() lint.LintInterface {
+ return &qcStatemNationalScheme{}
+}
+
+var re = regexp.MustCompile(`^[a-zA-Z]{2}:`)
+
+func (l *qcStatemNationalScheme) CheckApplies(c *x509.Certificate) bool {
+ _, isPresent := util.IsQcStatemPresent(c, &util.IdQcsPkixQCSyntaxV2)
+
+ if !isPresent {
+ return false
+ }
+
+ qcs2Generic := util.ParseQcStatem(util.GetQcStatemExtValue(c), util.IdQcsPkixQCSyntaxV2)
+
+ qcs2 := qcs2Generic.(util.DecodedQcS2)
+ semanticsId := qcs2.Decoded.SemanticsId
+
+ if semanticsId.Equal(util.IdEtsiQcsSemanticsIdNatural) {
+ serialNumber := c.Subject.SerialNumber
+ return re.MatchString(serialNumber)
+ }
+
+ if semanticsId.Equal(util.IdEtsiQcsSemanticsIdLegal) {
+ for _, orgId := range c.Subject.OrganizationIDs {
+ if re.MatchString(orgId) {
+ return true
+ }
+ }
+ }
+ return false
+}
+
+func (l *qcStatemNationalScheme) Execute(c *x509.Certificate) *lint.LintResult {
+
+ qcs2Generic := util.ParseQcStatem(util.GetQcStatemExtValue(c), util.IdQcsPkixQCSyntaxV2)
+
+ qcs2 := qcs2Generic.(util.DecodedQcS2)
+ semanticsId := qcs2.Decoded.SemanticsId
+
+ if semanticsId.Equal(util.IdEtsiQcsSemanticsIdNatural) {
+ serialNumber := c.Subject.SerialNumber
+ if !util.CheckNationalScheme(serialNumber) {
+ return &lint.LintResult{Status: lint.Error, Details: fmt.Sprintf("invalid format of subject:serialNumber %s for national scheme", serialNumber)}
+ }
+ }
+
+ if semanticsId.Equal(util.IdEtsiQcsSemanticsIdLegal) {
+ for _, orgId := range c.Subject.OrganizationIDs {
+ if re.MatchString(orgId) && !util.CheckNationalScheme(orgId) {
+ return &lint.LintResult{Status: lint.Error, Details: fmt.Sprintf("invalid format of subject:organizationIdentifier %s for national scheme", orgId)}
+ }
+ }
+ }
+ return &lint.LintResult{Status: lint.Pass}
+}
diff --git a/v3/lints/etsi/lint_qcstatem_etsi_national_scheme_test.go b/v3/lints/etsi/lint_qcstatem_etsi_national_scheme_test.go
new file mode 100644
index 000000000..b559ab04f
--- /dev/null
+++ b/v3/lints/etsi/lint_qcstatem_etsi_national_scheme_test.go
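Review bot: The unchecked type assertion `qcs2 := qcs2Generic.(util.DecodedQcS2)` in CheckApplies, repeated in Execute, panics whenever `util.ParseQcStatem` hands back a different dynamic type, which it presumably does for a malformed qcStatements extension; a lint processes untrusted certificates and must not take the whole run down on one bad input. Use the two-value form and consult the error carrier embedded in `DecodedQcS2`: `qcs2, ok := qcs2Generic.(util.DecodedQcS2)` followed by `if !ok || qcs2.GetErrorInfo() != "" { return false }` (in Execute return a `lint.Fatal` result instead). The `Details` strings interpolate the subject attribute with `%s`; `%q` would show an empty value and escape control characters taken from the certificate. The package-level `var re` is a very generic name for a package made of many lint files — `nationalSchemeRe` avoids a later collision.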
@@ -0,0 +1,69 @@
+package etsi
+
+/*
+ * ZLint Copyright 2025 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+import (
+ "testing"
+
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/test"
+)
+
+func TestQcStatemNationalScheme(t *testing.T) {
+ testCases := []struct {
+ Name string
+ InputFilename string
+ ExpectedResult lint.LintStatus
+ }{
+ {
+ Name: "NA - certificate has the natural person semantics identifier and no national scheme value",
+ InputFilename: "qcNaturalNoNationalScheme.pem",
+ ExpectedResult: lint.NA,
+ },
+ {
+ Name: "Pass - certificate has the natural person semantics identifier and a correct national scheme value",
+ InputFilename: "qcNaturalCorrectNationalScheme.pem",
+ ExpectedResult: lint.Pass,
+ },
+ {
+ Name: "Error - certificate has the natural person semantics identifier and a wrong national scheme value",
+ InputFilename: "qcNaturalNotCorrectScheme.pem",
+ ExpectedResult: lint.Error,
+ },
+ {
+ Name: "NA - certificate has the legal person semantics identifier and no national scheme value",
+ InputFilename: "qcLegalNoNationalScheme.pem",
+ ExpectedResult: lint.NA,
+ },
+ {
+ Name: "Pass - certificate has the legal person semantics identifier and a correct national scheme value",
+ InputFilename: "qcLegalCorrectNationalScheme.pem",
+ ExpectedResult: lint.Pass,
+ },
+ {
+ Name: "Error - certificate has the legal person semantics identifier and a wrong national scheme value",
+ InputFilename: "qcLegalNotCorrectScheme.pem",
+ ExpectedResult: lint.Error,
+ },
+ }
+ for _, tc := range testCases {
+ t.Run(tc.Name, func(t *testing.T) {
+ result := test.TestLint("e_qcstatem_correct_national_scheme", tc.InputFilename)
+ if result.Status != tc.ExpectedResult {
+ t.Errorf("expected result %v was %v - details: %v", tc.ExpectedResult, result.Status, result.Details)
+ }
+ })
+ }
+}
diff --git a/v3/testdata/qcLegalCorrectNationalScheme.pem b/v3/testdata/qcLegalCorrectNationalScheme.pem
new file mode 100644
index 000000000..326d9dbd3
--- /dev/null
+++ b/v3/testdata/qcLegalCorrectNationalScheme.pem
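Review bot: The table leaves two branches of CheckApplies untested: a certificate whose QCSyntax-v2 statement carries neither semantics identifier (expected NA), and a legal-person certificate with several organizationIdentifier values where only a later one starts with the two-letter scheme prefix. A fixture for each would pin the matching logic in CheckApplies rather than only the six end-to-end verdicts covered here, and a fixture with a truncated qcStatements extension would document what the lint is expected to do with undecodable input.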
@@ -0,0 +1,40 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 3e:40:85:f1:1f:4f:d3:c8:50:3f:5b:dc + Signature Algorithm: ecdsa-with-SHA256 + Issuer: CN = Lint CA, O = Lint, C = DE + Validity + Not Before: Feb 18 00:00:00 2025 GMT + Not After : Feb 18 00:00:00 2026 GMT + Subject: organizationIdentifier = EI:SE-5567971433 + Subject Public Key Info: + Public Key Algorithm: id-ecPublicKey + Public-Key: (256 bit) + pub: + 04:8c:5e:3f:b1:9b:cb:61:f6:56:fe:06:f2:26:06: + 93:00:d4:6f:5a:ac:72:d7:3f:3c:f4:8e:72:73:71: + 6f:2e:e0:af:93:2f:57:42:58:50:ef:47:f4:b2:ab: + 58:d5:d5:7a:c9:d0:cd:46:1f:8e:b1:c5:19:28:5f: + ea:c1:d4:49:3e + ASN1 OID: prime256v1 + NIST CURVE: P-256 + X509v3 extensions: + qcStatements: + 0.0...+.......0.......I.. + Signature Algorithm: ecdsa-with-SHA256 + 30:44:02:20:49:36:0b:d5:cc:db:c9:d2:2a:81:19:3f:11:3a: + 01:e3:34:fd:66:65:c7:05:e2:76:2e:36:cf:17:bb:91:90:ca: + 02:20:4d:e5:9e:45:32:d5:c8:99:c3:0f:4d:aa:2b:b8:a0:34: + 2d:a6:d5:11:76:63:5a:09:3b:0d:7d:ad:ed:f4:14:ae +-----BEGIN CERTIFICATE----- +MIIBazCCARKgAwIBAgIMPkCF8R9P08hQP1vcMAoGCCqGSM49BAMCMC4xEDAOBgNV +BAMMB0xpbnQgQ0ExDTALBgNVBAoMBExpbnQxCzAJBgNVBAYTAkRFMB4XDTI1MDIx +ODAwMDAwMFoXDTI2MDIxODAwMDAwMFowGzEZMBcGA1UEYQwQRUk6U0UtNTU2Nzk3 +MTQzMzBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABIxeP7Gby2H2Vv4G8iYGkwDU +b1qsctc/PPSOcnNxby7gr5MvV0JYUO9H9LKrWNXVesnQzUYfjrHFGShf6sHUST6j +KTAnMCUGCCsGAQUFBwEDBBkwFzAVBggrBgEFBQcLAjAJBgcEAIvsSQECMAoGCCqG +SM49BAMCA0cAMEQCIEk2C9XM28nSKoEZPxE6AeM0/WZlxwXidi42zxe7kZDKAiBN +5Z5FMtXImcMPTaoruKA0LabVEXZjWgk7DX2t7fQUrg== +-----END CERTIFICATE----- diff --git a/v3/testdata/qcLegalNoNationalScheme.pem b/v3/testdata/qcLegalNoNationalScheme.pem new file mode 100644 index 000000000..2c25720a5 --- /dev/null +++ b/v3/testdata/qcLegalNoNationalScheme.pem 
@@ -0,0 +1,40 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 43:f4:da:2d:d7:7e:4f:67:7f:3c:0e:2a + Signature Algorithm: ecdsa-with-SHA256 + Issuer: CN = Lint CA, O = Lint, C = DE + Validity + Not Before: Feb 18 00:00:00 2025 GMT + Not After : Feb 18 00:00:00 2026 GMT + Subject: organizationIdentifier = PASSK-P3000180 + Subject Public Key Info: + Public Key Algorithm: id-ecPublicKey + Public-Key: (256 bit) + pub: + 04:8c:5e:3f:b1:9b:cb:61:f6:56:fe:06:f2:26:06: + 93:00:d4:6f:5a:ac:72:d7:3f:3c:f4:8e:72:73:71: + 6f:2e:e0:af:93:2f:57:42:58:50:ef:47:f4:b2:ab: + 58:d5:d5:7a:c9:d0:cd:46:1f:8e:b1:c5:19:28:5f: + ea:c1:d4:49:3e + ASN1 OID: prime256v1 + NIST CURVE: P-256 + X509v3 extensions: + qcStatements: + 0.0...+.......0.......I.. + Signature Algorithm: ecdsa-with-SHA256 + 30:44:02:20:35:22:18:10:bc:e0:55:ca:df:5d:c1:14:de:07: + 68:f0:70:59:22:23:99:da:0e:1a:15:df:d1:4b:f3:c4:36:16: + 02:20:24:40:37:4f:d7:b4:61:df:75:60:97:22:c2:63:d7:9d: + 88:4f:5f:be:5f:9b:88:27:80:3c:ab:60:e9:75:1d:25 +-----BEGIN CERTIFICATE----- +MIIBaTCCARCgAwIBAgIMQ/TaLdd+T2d/PA4qMAoGCCqGSM49BAMCMC4xEDAOBgNV +BAMMB0xpbnQgQ0ExDTALBgNVBAoMBExpbnQxCzAJBgNVBAYTAkRFMB4XDTI1MDIx +ODAwMDAwMFoXDTI2MDIxODAwMDAwMFowGTEXMBUGA1UEYQwOUEFTU0stUDMwMDAx +ODAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASMXj+xm8th9lb+BvImBpMA1G9a +rHLXPzz0jnJzcW8u4K+TL1dCWFDvR/Syq1jV1XrJ0M1GH46xxRkoX+rB1Ek+oykw +JzAlBggrBgEFBQcBAwQZMBcwFQYIKwYBBQUHCwIwCQYHBACL7EkBAjAKBggqhkjO +PQQDAgNHADBEAiA1IhgQvOBVyt9dwRTeB2jwcFkiI5naDhoV39FL88Q2FgIgJEA3 +T9e0Yd91YJciwmPXnYhPX75fm4gngDyrYOl1HSU= +-----END CERTIFICATE----- diff --git a/v3/testdata/qcLegalNotCorrectScheme.pem b/v3/testdata/qcLegalNotCorrectScheme.pem new file mode 100644 index 000000000..7b7335630 --- /dev/null +++ b/v3/testdata/qcLegalNotCorrectScheme.pem 
@@ -0,0 +1,40 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + a3:18:71:ec:c6:9d:6a:5b:6b:d7:30:95 + Signature Algorithm: ecdsa-with-SHA256 + Issuer: CN = Lint CA, O = Lint, C = DE + Validity + Not Before: Feb 18 00:00:00 2025 GMT + Not After : Feb 18 00:00:00 2026 GMT + Subject: organizationIdentifier = EI:A + Subject Public Key Info: + Public Key Algorithm: id-ecPublicKey + Public-Key: (256 bit) + pub: + 04:8c:5e:3f:b1:9b:cb:61:f6:56:fe:06:f2:26:06: + 93:00:d4:6f:5a:ac:72:d7:3f:3c:f4:8e:72:73:71: + 6f:2e:e0:af:93:2f:57:42:58:50:ef:47:f4:b2:ab: + 58:d5:d5:7a:c9:d0:cd:46:1f:8e:b1:c5:19:28:5f: + ea:c1:d4:49:3e + ASN1 OID: prime256v1 + NIST CURVE: P-256 + X509v3 extensions: + qcStatements: + 0.0...+.......0.......I.. + Signature Algorithm: ecdsa-with-SHA256 + 30:45:02:21:00:b0:e6:d8:b7:37:6c:d1:c8:6c:ea:e1:77:76: + 6a:02:5c:d3:7a:f9:97:d5:a0:78:fa:be:98:09:7b:99:93:c2: + 1c:02:20:13:41:02:f0:be:66:7d:5a:6e:dd:fd:3f:41:f3:12: + 0d:df:a4:38:a4:e7:bb:8a:14:d9:c7:bf:9c:41:bc:ae:c1 +-----BEGIN CERTIFICATE----- +MIIBYTCCAQegAwIBAgINAKMYcezGnWpba9cwlTAKBggqhkjOPQQDAjAuMRAwDgYD +VQQDDAdMaW50IENBMQ0wCwYDVQQKDARMaW50MQswCQYDVQQGEwJERTAeFw0yNTAy +MTgwMDAwMDBaFw0yNjAyMTgwMDAwMDBaMA8xDTALBgNVBGEMBEVJOkEwWTATBgcq +hkjOPQIBBggqhkjOPQMBBwNCAASMXj+xm8th9lb+BvImBpMA1G9arHLXPzz0jnJz +cW8u4K+TL1dCWFDvR/Syq1jV1XrJ0M1GH46xxRkoX+rB1Ek+oykwJzAlBggrBgEF +BQcBAwQZMBcwFQYIKwYBBQUHCwIwCQYHBACL7EkBAjAKBggqhkjOPQQDAgNIADBF +AiEAsObYtzds0chs6uF3dmoCXNN6+ZfVoHj6vpgJe5mTwhwCIBNBAvC+Zn1abt39 +P0HzEg3fpDik57uKFNnHv5xBvK7B +-----END CERTIFICATE----- diff --git a/v3/testdata/qcNaturalCorrectNationalScheme.pem b/v3/testdata/qcNaturalCorrectNationalScheme.pem new file mode 100644 index 000000000..f1e906ef1 --- /dev/null +++ b/v3/testdata/qcNaturalCorrectNationalScheme.pem 
@@ -0,0 +1,40 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 08:c6:37:be:da:c8:6d:69:39:c2:0b:c5 + Signature Algorithm: ecdsa-with-SHA256 + Issuer: CN = Lint CA, O = Lint, C = DE + Validity + Not Before: Feb 18 00:00:00 2025 GMT + Not After : Feb 18 00:00:00 2026 GMT + Subject: serialNumber = EI:SE-5567971433 + Subject Public Key Info: + Public Key Algorithm: id-ecPublicKey + Public-Key: (256 bit) + pub: + 04:8c:5e:3f:b1:9b:cb:61:f6:56:fe:06:f2:26:06: + 93:00:d4:6f:5a:ac:72:d7:3f:3c:f4:8e:72:73:71: + 6f:2e:e0:af:93:2f:57:42:58:50:ef:47:f4:b2:ab: + 58:d5:d5:7a:c9:d0:cd:46:1f:8e:b1:c5:19:28:5f: + ea:c1:d4:49:3e + ASN1 OID: prime256v1 + NIST CURVE: P-256 + X509v3 extensions: + qcStatements: + 0.0...+.......0.......I.. + Signature Algorithm: ecdsa-with-SHA256 + 30:45:02:21:00:f2:4a:e3:08:fa:26:6a:7c:7c:b4:45:80:24: + 37:b4:50:84:a0:c5:33:36:77:c3:97:27:17:70:18:7d:aa:52: + 17:02:20:75:52:6a:1e:d2:cb:7f:ea:89:f2:11:c4:7d:c7:ee: + 08:67:22:4c:83:8b:27:a1:40:39:c8:20:4e:60:c4:d1:d9 +-----BEGIN CERTIFICATE----- +MIIBbDCCARKgAwIBAgIMCMY3vtrIbWk5wgvFMAoGCCqGSM49BAMCMC4xEDAOBgNV +BAMMB0xpbnQgQ0ExDTALBgNVBAoMBExpbnQxCzAJBgNVBAYTAkRFMB4XDTI1MDIx +ODAwMDAwMFoXDTI2MDIxODAwMDAwMFowGzEZMBcGA1UEBRMQRUk6U0UtNTU2Nzk3 +MTQzMzBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABIxeP7Gby2H2Vv4G8iYGkwDU +b1qsctc/PPSOcnNxby7gr5MvV0JYUO9H9LKrWNXVesnQzUYfjrHFGShf6sHUST6j +KTAnMCUGCCsGAQUFBwEDBBkwFzAVBggrBgEFBQcLAjAJBgcEAIvsSQEBMAoGCCqG +SM49BAMCA0gAMEUCIQDySuMI+iZqfHy0RYAkN7RQhKDFMzZ3w5cnF3AYfapSFwIg +dVJqHtLLf+qJ8hHEfcfuCGciTIOLJ6FAOcggTmDE0dk= +-----END CERTIFICATE----- diff --git a/v3/testdata/qcNaturalNoNationalScheme.pem b/v3/testdata/qcNaturalNoNationalScheme.pem new file mode 100644 index 000000000..0d6088c1a --- /dev/null +++ b/v3/testdata/qcNaturalNoNationalScheme.pem 
@@ -0,0 +1,40 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 28:26:2b:58:e1:88:b4:dc:db:24:a7:53 + Signature Algorithm: ecdsa-with-SHA256 + Issuer: CN = Lint CA, O = Lint, C = DE + Validity + Not Before: Feb 18 00:00:00 2025 GMT + Not After : Feb 18 00:00:00 2026 GMT + Subject: serialNumber = PASSK-P3000180 + Subject Public Key Info: + Public Key Algorithm: id-ecPublicKey + Public-Key: (256 bit) + pub: + 04:8c:5e:3f:b1:9b:cb:61:f6:56:fe:06:f2:26:06: + 93:00:d4:6f:5a:ac:72:d7:3f:3c:f4:8e:72:73:71: + 6f:2e:e0:af:93:2f:57:42:58:50:ef:47:f4:b2:ab: + 58:d5:d5:7a:c9:d0:cd:46:1f:8e:b1:c5:19:28:5f: + ea:c1:d4:49:3e + ASN1 OID: prime256v1 + NIST CURVE: P-256 + X509v3 extensions: + qcStatements: + 0.0...+.......0.......I.. + Signature Algorithm: ecdsa-with-SHA256 + 30:46:02:21:00:e7:4f:6b:e2:3e:ec:32:e1:cd:2c:24:b0:08: + a2:ea:77:f4:97:76:5e:f2:48:e5:75:69:8d:f8:14:2e:d7:7d: + f4:02:21:00:83:12:6a:54:09:95:0c:4b:34:09:57:d2:8c:5f: + 2c:98:57:d1:0f:b9:88:65:40:ad:b6:f7:0e:d8:dc:ab:c8:03 +-----BEGIN CERTIFICATE----- +MIIBazCCARCgAwIBAgIMKCYrWOGItNzbJKdTMAoGCCqGSM49BAMCMC4xEDAOBgNV +BAMMB0xpbnQgQ0ExDTALBgNVBAoMBExpbnQxCzAJBgNVBAYTAkRFMB4XDTI1MDIx +ODAwMDAwMFoXDTI2MDIxODAwMDAwMFowGTEXMBUGA1UEBRMOUEFTU0stUDMwMDAx +ODAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASMXj+xm8th9lb+BvImBpMA1G9a +rHLXPzz0jnJzcW8u4K+TL1dCWFDvR/Syq1jV1XrJ0M1GH46xxRkoX+rB1Ek+oykw +JzAlBggrBgEFBQcBAwQZMBcwFQYIKwYBBQUHCwIwCQYHBACL7EkBATAKBggqhkjO +PQQDAgNJADBGAiEA509r4j7sMuHNLCSwCKLqd/SXdl7ySOV1aY34FC7XffQCIQCD +EmpUCZUMSzQJV9KMXyyYV9EPuYhlQK229w7Y3KvIAw== +-----END CERTIFICATE----- diff --git a/v3/testdata/qcNaturalNotCorrectScheme.pem b/v3/testdata/qcNaturalNotCorrectScheme.pem new file mode 100644 index 000000000..e88319f8f --- /dev/null +++ b/v3/testdata/qcNaturalNotCorrectScheme.pem 
@@ -0,0 +1,40 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + e1:4a:bb:79:0a:5f:77:38:02:42:ee:7c + Signature Algorithm: ecdsa-with-SHA256 + Issuer: CN = Lint CA, O = Lint, C = DE + Validity + Not Before: Feb 18 00:00:00 2025 GMT + Not After : Feb 18 00:00:00 2026 GMT + Subject: serialNumber = EI:NOTCORRECTSCHEME + Subject Public Key Info: + Public Key Algorithm: id-ecPublicKey + Public-Key: (256 bit) + pub: + 04:8c:5e:3f:b1:9b:cb:61:f6:56:fe:06:f2:26:06: + 93:00:d4:6f:5a:ac:72:d7:3f:3c:f4:8e:72:73:71: + 6f:2e:e0:af:93:2f:57:42:58:50:ef:47:f4:b2:ab: + 58:d5:d5:7a:c9:d0:cd:46:1f:8e:b1:c5:19:28:5f: + ea:c1:d4:49:3e + ASN1 OID: prime256v1 + NIST CURVE: P-256 + X509v3 extensions: + qcStatements: + 0.0...+.......0.......I.. + Signature Algorithm: ecdsa-with-SHA256 + 30:44:02:20:7d:85:ef:21:06:41:0d:d9:d2:55:3e:2c:cc:5f: + 25:4e:8a:22:21:7d:7f:67:1b:cc:95:8f:00:42:52:75:d3:3c: + 02:20:3b:47:11:ec:7a:b1:38:8e:0e:f6:ad:cb:9f:01:64:87: + 89:bb:b0:d7:8e:1d:50:40:83:2d:ea:ee:cb:4f:ca:b2 +-----BEGIN CERTIFICATE----- +MIIBbzCCARagAwIBAgINAOFKu3kKX3c4AkLufDAKBggqhkjOPQQDAjAuMRAwDgYD +VQQDDAdMaW50IENBMQ0wCwYDVQQKDARMaW50MQswCQYDVQQGEwJERTAeFw0yNTAy +MTgwMDAwMDBaFw0yNjAyMTgwMDAwMDBaMB4xHDAaBgNVBAUTE0VJOk5PVENPUlJF +Q1RTQ0hFTUUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASMXj+xm8th9lb+BvIm +BpMA1G9arHLXPzz0jnJzcW8u4K+TL1dCWFDvR/Syq1jV1XrJ0M1GH46xxRkoX+rB +1Ek+oykwJzAlBggrBgEFBQcBAwQZMBcwFQYIKwYBBQUHCwIwCQYHBACL7EkBATAK +BggqhkjOPQQDAgNHADBEAiB9he8hBkEN2dJVPizMXyVOiiIhfX9nG8yVjwBCUnXT +PAIgO0cR7HqxOI4O9q3LnwFkh4m7sNeOHVBAgy3q7stPyrI= +-----END CERTIFICATE----- diff --git a/v3/util/alt_reg_num_ev.go b/v3/util/alt_reg_num_ev.go new file mode 100644 index 000000000..aabd70e3c --- /dev/null +++ b/v3/util/alt_reg_num_ev.go 
@@ -0,0 +1,103 @@
+package util
+
+/*
+* ZLint Copyright 2025 Regents of the University of Michigan
+*
+* Licensed under the Apache License, Version 2.0 (the "License"); you may not
+* use this file except in compliance with the License. You may obtain a copy
+* of the License at http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+* implied. See the License for the specific language governing
+* permissions and limitations under the License.
+ */
+
+import (
+ "github.com/zmap/zcrypto/encoding/asn1"
+)
+
+type RDNSequence []RelativeDistinguishedNameSET
+
+type RelativeDistinguishedNameSET []AttributeTypeAndValue
+
+type AttributeTypeAndValue struct {
+ Type asn1.ObjectIdentifier
+ Value asn1.RawValue
+}
+
+type parsedSubjectElement struct {
+ IsPresent bool
+ Value string
+ Asn1RawValue asn1.RawValue
+ ErrorString string
+}
+
+type ParsedEvOrgId struct {
+ Rsi, Country, StateOrProvince, RegRef string
+}
+
+func GetSubjectOrgId(rawSubject []byte) ParsedSubjectElement {
+ return GetSubjectElement(rawSubject, CabfExtensionOrganizationIdentifier)
+}
+
+type ParsedSubjectElement interface {
+ Present() bool
+ ParsedValue() string
+ RawValue() asn1.RawValue
+ Error() string
+}
+
+func (pse *parsedSubjectElement) Present() bool {
+ return pse.IsPresent
+}
+
+func (pse *parsedSubjectElement) ParsedValue() string {
+ return pse.Value
+}
+
+func (pse *parsedSubjectElement) RawValue() asn1.RawValue {
+ return pse.Asn1RawValue
+}
+
+func (pse *parsedSubjectElement) Error() string {
+ return pse.ErrorString
+}
+
+func NewParsedSubjectElement(isPresent bool, value string, rawValue asn1.RawValue, err string) ParsedSubjectElement {
+ return &parsedSubjectElement{IsPresent: isPresent, Value: value, Asn1RawValue: rawValue, ErrorString: err}
+}
+
+func GetSubjectElement(rawSubject []byte, soughtOid asn1.ObjectIdentifier) ParsedSubjectElement {
+
+ var nl RDNSequence
+ rest, err := asn1.Unmarshal(rawSubject, &nl) // parse the sequence of sets, i.e. each list element in nl will be a set
+ if err != nil {
+ return NewParsedSubjectElement(false, "", asn1.RawValue{}, "error parsing outer SEQ of subject DN. Error: "+err.Error())
+ }
+ if len(rest) != 0 {
+ return NewParsedSubjectElement(false, "", asn1.RawValue{}, "rest len of outer seq != 0 in subject DN")
+ }
+
+ var asn1RawValue asn1.RawValue
+ var parsedString string
+ alreadyFound := false
+ for _, item := range nl {
+ for _, typeAndValue := range item {
+ if typeAndValue.Type.Equal(soughtOid) {
+ if alreadyFound {
+ return NewParsedSubjectElement(false, "", asn1.RawValue{}, "double AVA found in subject:... encountered, this is not expected")
+ }
+ alreadyFound = true
+ _, _ = asn1.Unmarshal(typeAndValue.Value.FullBytes, &parsedString)
+ asn1RawValue = typeAndValue.Value
+ }
+ }
+ }
+ return NewParsedSubjectElement(true, parsedString, asn1RawValue, "")
+}
+
+type ParsedOrgId struct {
+ Rsi, Country, SubDiv, RegRef string
+}
diff --git a/v3/util/oid.go b/v3/util/oid.go
index 78909a8e2..0527fe563 100644
--- a/v3/util/oid.go
+++ b/v3/util/oid.go
@@ -1,5 +1,5 @@
 /*
- * ZLint Copyright 2024 Regents of the University of Michigan
+ * ZLint Copyright 2025 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
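Review bot: `GetSubjectElement` reports `Present()` as true even when the sought OID never occurs in the subject: the final `return NewParsedSubjectElement(true, parsedString, asn1RawValue, "")` ignores `alreadyFound`, so a caller that checks `Present()` before reading `ParsedValue()` is handed an empty string for an absent attribute. In the same loop the error of `asn1.Unmarshal(typeAndValue.Value.FullBytes, &parsedString)` is discarded with `_, _ =`, so an attribute whose value is not a string type, or is malformed, is silently reported as present with an empty value instead of through `Error()`. Both are addressed by the rewritten loop body and final return below; `GetSubjectOrgId` keys off `CabfExtensionOrganizationIdentifier`, which is declared outside this hunk.
```go
			if typeAndValue.Type.Equal(soughtOid) {
				if alreadyFound {
					return NewParsedSubjectElement(false, "", asn1.RawValue{}, "double AVA found in subject:... encountered, this is not expected")
				}
				alreadyFound = true
				// a value that does not decode as a string is reported through Error(), not as ""
				if _, err := asn1.Unmarshal(typeAndValue.Value.FullBytes, &parsedString); err != nil {
					return NewParsedSubjectElement(true, "", typeAndValue.Value, "error decoding subject AVA value as a string. Error: "+err.Error())
				}
				asn1RawValue = typeAndValue.Value
			}
	// … unchanged: closing braces of the two range loops …
	// Present() must reflect whether the OID was actually seen
	return NewParsedSubjectElement(alreadyFound, parsedString, asn1RawValue, "")
```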
@@ -32,7 +32,6 @@ var ( CertPolicyOID = asn1.ObjectIdentifier{2, 5, 29, 32} // Certificate Policies CrlDistOID = asn1.ObjectIdentifier{2, 5, 29, 31} // CRL Distribution Points CtPoisonOID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 11129, 2, 4, 3} // CT Poison - DeltaCRLIndicatorOID = asn1.ObjectIdentifier{2, 5, 29, 27} // Delta CRL Indicator EkuSynOid = asn1.ObjectIdentifier{2, 5, 29, 37} // Extended Key Usage Syntax FreshCRLOID = asn1.ObjectIdentifier{2, 5, 29, 46} // Freshest CRL InhibitAnyPolicyOID = asn1.ObjectIdentifier{2, 5, 29, 54} // Inhibit Any Policy 
@@ -96,27 +95,40 @@ var ( SHA384OID = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 4, 2, 2} SHA512OID = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 4, 2, 3} // other OIDs - OidRSAEncryption = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 1} - OidRSASSAPSS = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 10} - OidMD2WithRSAEncryption = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 2} - OidMD5WithRSAEncryption = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 4} - OidSHA1WithRSAEncryption = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 5} - OidSHA224WithRSAEncryption = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 14} - OidSHA256WithRSAEncryption = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 11} - OidSHA384WithRSAEncryption = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 12} - OidSHA512WithRSAEncryption = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 13} - AnyPolicyOID = asn1.ObjectIdentifier{2, 5, 29, 32, 0} - UserNoticeOID = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 2, 2} - CpsOID = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 2, 1} - IdEtsiQcsQcCompliance = asn1.ObjectIdentifier{0, 4, 0, 1862, 1, 1} - IdEtsiQcsQcLimitValue = asn1.ObjectIdentifier{0, 4, 0, 1862, 1, 2} - IdEtsiQcsQcRetentionPeriod = asn1.ObjectIdentifier{0, 4, 0, 1862, 1, 3} - IdEtsiQcsQcSSCD = asn1.ObjectIdentifier{0, 4, 0, 1862, 1, 4} - IdEtsiQcsQcEuPDS = asn1.ObjectIdentifier{0, 4, 0, 1862, 1, 5} - IdEtsiQcsQcType = asn1.ObjectIdentifier{0, 4, 0, 1862, 1, 6} - IdEtsiQcsQctEsign = asn1.ObjectIdentifier{0, 4, 0, 1862, 1, 6, 1} - IdEtsiQcsQctEseal = asn1.ObjectIdentifier{0, 4, 0, 1862, 1, 6, 2} - IdEtsiQcsQctWeb = asn1.ObjectIdentifier{0, 4, 0, 1862, 1, 6, 3} + OidRSAEncryption = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 1} + OidRSASSAPSS = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 10} + OidMD2WithRSAEncryption = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 2} + OidMD5WithRSAEncryption = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 4} + OidSHA1WithRSAEncryption = 
asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 5} + OidSHA224WithRSAEncryption = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 14} + OidSHA256WithRSAEncryption = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 11} + OidSHA384WithRSAEncryption = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 12} + OidSHA512WithRSAEncryption = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 13} + AnyPolicyOID = asn1.ObjectIdentifier{2, 5, 29, 32, 0} + UserNoticeOID = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 2, 2} + CpsOID = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 2, 1} + IdEtsiQcsQcCompliance = asn1.ObjectIdentifier{0, 4, 0, 1862, 1, 1} + IdEtsiQcsQcLimitValue = asn1.ObjectIdentifier{0, 4, 0, 1862, 1, 2} + IdEtsiQcsQcRetentionPeriod = asn1.ObjectIdentifier{0, 4, 0, 1862, 1, 3} + IdEtsiQcsQcSSCD = asn1.ObjectIdentifier{0, 4, 0, 1862, 1, 4} + IdEtsiQcsQcEuPDS = asn1.ObjectIdentifier{0, 4, 0, 1862, 1, 5} + IdEtsiQcsQcType = asn1.ObjectIdentifier{0, 4, 0, 1862, 1, 6} + IdEtsiQcsQctEsign = asn1.ObjectIdentifier{0, 4, 0, 1862, 1, 6, 1} + IdEtsiQcsQctEseal = asn1.ObjectIdentifier{0, 4, 0, 1862, 1, 6, 2} + IdEtsiQcsQctWeb = asn1.ObjectIdentifier{0, 4, 0, 1862, 1, 6, 3} + IdEtsiPsd2Statem = asn1.ObjectIdentifier{0, 4, 0, 19495, 2} + IdEtsiPsd2RolePspAs = asn1.ObjectIdentifier{0, 4, 0, 19495, 1, 1} + IdEtsiPsd2RolePspPi = asn1.ObjectIdentifier{0, 4, 0, 19495, 1, 2} + IdEtsiPsd2RolePspAi = asn1.ObjectIdentifier{0, 4, 0, 19495, 1, 3} + IdEtsiPsd2RolePspIc = asn1.ObjectIdentifier{0, 4, 0, 19495, 1, 4} + IdEtsiQcsSemanticsIdNatural = asn1.ObjectIdentifier{0, 4, 0, 194121, 1, 1} + IdEtsiQcsSemanticsIdLegal = asn1.ObjectIdentifier{0, 4, 0, 194121, 1, 2} + IdEtsiPolicyQcpNatural = asn1.ObjectIdentifier{0, 4, 0, 194112, 1, 0} + IdEtsiPolicyQcpLegal = asn1.ObjectIdentifier{0, 4, 0, 194112, 1, 1} + IdEtsiPolicyQcpNaturalQscd = asn1.ObjectIdentifier{0, 4, 0, 194112, 1, 2} + IdEtsiPolicyQcpLegalQscd = asn1.ObjectIdentifier{0, 4, 0, 194112, 1, 3} + IdEtsiPolicyQcpWeb = asn1.ObjectIdentifier{0, 4, 0, 
194112, 1, 4} + IdQcsPkixQCSyntaxV2 = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 11, 2} ) const ( diff --git a/v3/util/qc_stmt.go b/v3/util/qc_stmt.go index b258053d7..aca2397aa 100644 --- a/v3/util/qc_stmt.go +++ b/v3/util/qc_stmt.go @@ -1,5 +1,5 @@ /* - * ZLint Copyright 2024 Regents of the University of Michigan + * ZLint Copyright 2025 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy @@ -18,10 +18,24 @@ import ( "bytes" "fmt" "reflect" + "regexp" + "strings" + "unicode" "github.com/zmap/zcrypto/encoding/asn1" + "github.com/zmap/zcrypto/x509" ) +var EtsiQcStmtOidList = [...]*asn1.ObjectIdentifier{ + &IdEtsiQcsQcCompliance, + &IdEtsiQcsQcLimitValue, + &IdEtsiQcsQcRetentionPeriod, + &IdEtsiQcsQcSSCD, + &IdEtsiQcsQcEuPDS, + &IdEtsiQcsQcType, + &IdEtsiPsd2Statem, +} + type anyContent struct { Raw asn1.RawContent } @@ -30,10 +44,12 @@ type qcStatementWithInfoField struct { Oid asn1.ObjectIdentifier Any asn1.RawValue } + type qcStatementWithoutInfoField struct { Oid asn1.ObjectIdentifier } +// === etsi base ==> type etsiBase struct { errorInfo string isPresent bool @@ -47,6 +63,8 @@ func (this etsiBase) IsPresent() bool { return this.isPresent } +// <== etsi base === + type EtsiQcStmtIf interface { GetErrorInfo() string IsPresent() bool 
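Review bot: The thirteen OIDs appended to the block, from `IdEtsiPsd2Statem` through `IdQcsPkixQCSyntaxV2`, carry no trailing comment naming their source, while the surrounding entries do (`// CT Poison`, `// Freshest CRL`); one-liners such as `// ETSI EN 319 412-1 id-etsi-qcs-SemanticsId-Natural` on IdEtsiQcsSemanticsIdNatural, `// ETSI EN 319 411-2 QCP-n` on IdEtsiPolicyQcpNatural and `// RFC 3739 id-qcs-pkixQCSyntax-v2` on IdQcsPkixQCSyntaxV2 would let a reader verify each arc without opening the specifications. Most of this hunk is column realignment of unchanged declarations, which buries the additions; keeping the gofmt noise in its own commit would make the review diff readable. Separately, the preceding hunk removes the exported `DeltaCRLIndicatorOID`; if any consumer of package util references it, that is an API break that the commit message does not mention.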
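Review bot: `EtsiQcStmtOidList` is a new exported package-level variable without a doc comment; a line such as `// EtsiQcStmtOidList holds the OIDs of the ETSI and PSD2 QcStatements this package recognises.` (adjusted to whatever the list is actually used for, which is outside this view) would satisfy the exported-name convention the rest of the block follows. The hunk that follows, which runs past the end of this view, introduces `getCountryAndNcaId` with the guard `len(this.DecodedPsd2Statm.CountryAndNCAId) < 4`, a byte count, and then indexes `runes[0]`, `runes[1]` and `runes[2]` of the rune conversion; a value of four or more bytes but fewer than three runes, which two multibyte characters produce, passes the guard and panics on `runes[2]` with content taken straight from the certificate. Guarding on the rune slice, `if len(runes) < 4 || !unicode.IsUpper(runes[0]) || ...`, removes the crash.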
@@ -98,16 +116,76 @@ type EtsiQcPds struct { PdsLocations []PdsLocation } -func AppendToStringSemicolonDelim(this *string, s string) { - if len(*this) > 0 && len(s) > 0 { - (*this) += "; " +// ==== QcStatement 2 (RFC3739)types ===> + +type DecodedQcS2 struct { + etsiBase + Decoded QcStatemt2 +} +type QcStatemt2 struct { + SemanticsId asn1.ObjectIdentifier `asn1:"optional"` + NameRegAuthorities NameRegistrationAuthorities `asn1:"optional"` +} + +type NameRegistrationAuthorities []asn1.RawValue + +// <=== QcStatement 2 (RFC3739)types ==== + +// ==== PSD2 QcStatement types ===> +type Psd2RoleOfPspType int + +const ( + RoleAs Psd2RoleOfPspType = 1 + RolePi Psd2RoleOfPspType = 2 + RoleAi Psd2RoleOfPspType = 3 + RoleIc Psd2RoleOfPspType = 4 +) + +// === ASN.1 Types ==> +type Psd2RoleOfPsp struct { + RoleType asn1.ObjectIdentifier + RoleOfPspName string `asn1:"utf8"` +} + +type EtsiPsd2QcStatem struct { + Roles []Psd2RoleOfPsp + NCAName string `asn1:"utf8"` + CountryAndNCAId string `asn1:"utf8"` +} + +// <== ASN.1 Types === + +type EtsiPsd2 struct { + etsiBase + DecodedPsd2Statm EtsiPsd2QcStatem +} + +func (this EtsiPsd2) getCountryAndNcaId() (string, string) { + runes := []rune(this.DecodedPsd2Statm.CountryAndNCAId) + if len(this.DecodedPsd2Statm.CountryAndNCAId) < 4 || !unicode.IsUpper(runes[0]) || !unicode.IsUpper(runes[1]) || runes[2] != '-' { + return "", "" } - (*this) += s + return string(runes[0:2]), string(runes[3:]) } -func checkAsn1Reencoding(i interface{}, originalEncoding []byte, appendIfComparisonFails string) string { +func (this EtsiPsd2) GetNcaCountry() string { + co, _ := this.getCountryAndNcaId() + return co +} +func (this EtsiPsd2) GetNcaId() string { + _, ncaId := this.getCountryAndNcaId() + return ncaId +} + +// <=== PSD2 QcStatement types ==== + +func CheckAsn1Reencoding(i interface{}, originalEncoding []byte, appendIfComparisonFails string) string { + return CheckAsn1ReencodingWithParams(i, originalEncoding, appendIfComparisonFails, "") +} + +func 
CheckAsn1ReencodingWithParams(i interface{}, originalEncoding []byte, appendIfComparisonFails string, params string) string { result := "" - reencoded, marshErr := asn1.Marshal(i) + reencoded, marshErr := asn1.MarshalWithParams(i, params) if marshErr != nil { AppendToStringSemicolonDelim(&result, fmt.Sprintf("error reencoding ASN1 value of statementInfo field: %s", marshErr)) 
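Review bot: `getCountryAndNcaId` can panic on certificate-controlled input: the length guard is on bytes (`len(this.DecodedPsd2Statm.CountryAndNCAId) < 4`) while the indexing is on `runes`, so a two-rune string of multi-byte upper-case letters passes the guard and `runes[2]` indexes out of range. The guard should be on the rune slice it protects, `if len(runes) < 4 || !unicode.IsUpper(runes[0]) || !unicode.IsUpper(runes[1]) || runes[2] != '-' {`. A note on the method that the expected layout is `CC-ncaId` with a two-letter upper-case country code would also help, since the two accessors below return empty strings rather than an error when the format does not match.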
@@ -118,15 +196,122 @@ func checkAsn1Reencoding(i interface{}, originalEncoding []byte, appendIfCompari return result } +func CertHasSubjectOrgIdWithPrefix(c *x509.Certificate, prefix string) bool { + + if !IsExtInCert(c, QcStateOid) { + return false + } + if !ParseQcStatem(GetExtFromCert(c, QcStateOid).Value, IdEtsiPsd2Statem).IsPresent() { + return false + } + + orgId := GetSubjectOrgId(c.RawSubject) + if len(orgId.Error()) != 0 || !orgId.Present() { + return false + } + runes := []rune(orgId.ParsedValue()) + prefixLen := len(prefix) + if len(runes) < prefixLen || string(runes[0:prefixLen]) != prefix { + return false + } + return true +} + +type EtsiPsd2OrgId struct { + Rsi, Country, NcaId, PspId string +} + +func ParseEtsiPsd2OrgId(oi *string) (string, EtsiPsd2OrgId) { + var result EtsiPsd2OrgId + re_psd := regexp.MustCompile(`^(PSD)([A-Z]{2})-([A-Z]{2,8})-(.+)$`) + re_generic := regexp.MustCompile(`^(.{3})([A-Z]{2})()-(.+)$`) + var sm []string + if re_psd.MatchString(*oi) { + sm = re_psd.FindStringSubmatch(*oi) + } else if !strings.HasPrefix(*oi, "PSD") && re_generic.MatchString(*oi) { + sm = re_generic.FindStringSubmatch(*oi) + } else { + return "invalid format of PSD2 organizationIdentifier", result + } + result.Rsi = sm[1] + result.Country = sm[2] + result.NcaId = sm[3] + result.PspId = sm[4] + return "", result +} + +func CheckEtsiPsd2OrgIdPsd(oi *string) string { + errStr, x := ParseEtsiPsd2OrgId(oi) + if len(errStr) != 0 { + return errStr + } + if x.Rsi != "PSD" { + return "ETSI PSD2 OrganizationIdentifier does not start with 'PSD'" + } + return "" +} + +func GetEtsiQcTypes(c *x509.Certificate) []asn1.ObjectIdentifier { + var result []asn1.ObjectIdentifier + ext := GetExtFromCert(c, QcStateOid) + if ext == nil { + return nil + } + s := ParseQcStatem(ext.Value, IdEtsiQcsQcType) + if len(s.GetErrorInfo()) != 0 { + return nil + } + if !s.IsPresent() { + return result + } + qcType := s.(Etsi423QcType) + result = append(result, qcType.TypeOids...) 
+ return result +} + +func HasCertAnyEtsiQcpPolicy(c *x509.Certificate) bool { + for _, p := range c.PolicyIdentifiers { + if p.Equal(IdEtsiPolicyQcpNatural) || p.Equal(IdEtsiPolicyQcpLegal) || p.Equal(IdEtsiPolicyQcpNaturalQscd) || p.Equal(IdEtsiPolicyQcpLegalQscd) || p.Equal(IdEtsiPolicyQcpWeb) { + return true + } + } + return false + +} + +func HasCertPolicy(c *x509.Certificate, soughtPolicyOid asn1.ObjectIdentifier) bool { + + for _, policyOid := range c.PolicyIdentifiers { + if policyOid.Equal(soughtPolicyOid) { + return true + } + } + return false +} + +func HasCertEtsiQcType(c *x509.Certificate, soughtTypeOid asn1.ObjectIdentifier) bool { + typeList := GetEtsiQcTypes(c) + if typeList == nil { + return false + } + for _, typeOid := range typeList { + if typeOid.Equal(soughtTypeOid) { + return true + } + } + return false +} + +func HasCertAnyEtsiQcStatement(c *x509.Certificate) bool { + ext := GetExtFromCert(c, QcStateOid) + if ext == nil { + return false + } + return IsAnyEtsiQcStatementPresent(ext.Value) +} + func IsAnyEtsiQcStatementPresent(extVal []byte) bool { - oidList := make([]*asn1.ObjectIdentifier, 6) - oidList[0] = &IdEtsiQcsQcCompliance - oidList[1] = &IdEtsiQcsQcLimitValue - oidList[2] = &IdEtsiQcsQcRetentionPeriod - oidList[3] = &IdEtsiQcsQcSSCD - oidList[4] = &IdEtsiQcsQcEuPDS - oidList[5] = &IdEtsiQcsQcType - for _, oid := range oidList { + for _, oid := range EtsiQcStmtOidList { r := ParseQcStatem(extVal, *oid) if r.IsPresent() { return true 
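Review bot: `ParseEtsiPsd2OrgId` calls `regexp.MustCompile` twice on every invocation; both patterns are constants and belong at package scope, `var rePsd2OrgIdPsd = regexp.MustCompile(`^(PSD)([A-Z]{2})-([A-Z]{2,8})-(.+)$`)` and `var rePsd2OrgIdGeneric = regexp.MustCompile(`^(.{3})([A-Z]{2})()-(.+)$`)`, which also removes the underscore names `re_psd`/`re_generic`. In `CertHasSubjectOrgIdWithPrefix` the comparison mixes units the same way as above: `prefixLen := len(prefix)` is a byte count but slices `runes`; `strings.HasPrefix(orgId.ParsedValue(), prefix)` expresses the intent without the conversion. `GetEtsiQcTypes` returns `nil` both when the extension is missing and when parsing failed but an empty non-nil slice when the statement is absent, and `HasCertEtsiQcType` relies on that distinction; a comment on the function stating the three return cases would keep the next change from collapsing them.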
@@ -135,7 +320,29 @@ func IsAnyEtsiQcStatementPresent(extVal []byte) bool { return false } -//nolint:gocyclo +func IsQcStatemPresent(c *x509.Certificate, oid *asn1.ObjectIdentifier) (string, bool) { + if !IsExtInCert(c, QcStateOid) { + return "", false + } + qcs := ParseQcStatem(GetExtFromCert(c, QcStateOid).Value, *oid) + if qcs.GetErrorInfo() != "" { + return qcs.GetErrorInfo(), qcs.IsPresent() + } + return "", qcs.IsPresent() +} + +func CheckNationalScheme(oi string) bool { + if len(oi) < 6 { + return false + } + re := regexp.MustCompile(`^.{2}:[A-Z]{2}-.+$`) + return re.MatchString(oi) +} + +func GetQcStatemExtValue(c *x509.Certificate) []byte { + return GetExtFromCert(c, QcStateOid).Value +} + func ParseQcStatem(extVal []byte, sought asn1.ObjectIdentifier) EtsiQcStmtIf { sl := make([]anyContent, 0) rest, err := asn1.Unmarshal(extVal, &sl) 
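Review bot: `GetQcStatemExtValue` dereferences `GetExtFromCert(c, QcStateOid).Value` without a nil check, so a certificate without the qcStatements extension panics the linter, whereas `HasCertAnyEtsiQcStatement` and `IsQcStatemPresent` in the same change guard that case. Change it to `ext := GetExtFromCert(c, QcStateOid)`, `if ext == nil { return nil }`, `return ext.Value` and document that a nil result means the extension is absent. `CheckNationalScheme` compiles its regexp on every call; hoist it to a package-level `var`, after which the `len(oi) < 6` pre-check is redundant because the pattern already requires at least six characters.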
@@ -170,85 +377,155 @@ func ParseQcStatem(extVal []byte, sought asn1.ObjectIdentifier) EtsiQcStmtIf { continue } if statem.Oid.Equal(IdEtsiQcsQcCompliance) { - etsiObj := Etsi421QualEuCert{etsiBase: etsiBase{isPresent: true}} - statemWithoutInfo := qcStatementWithoutInfoField{Oid: statem.Oid} - AppendToStringSemicolonDelim(&etsiObj.errorInfo, checkAsn1Reencoding(reflect.ValueOf(statemWithoutInfo).Interface(), raw.Raw, - "invalid format of ETSI Complicance statement")) - return etsiObj + return handleIdEtsiQcsQcCompliance(statem, raw) } else if statem.Oid.Equal(IdEtsiQcsQcLimitValue) { - etsiObj := EtsiQcLimitValue{etsiBase: etsiBase{isPresent: true}} - numErr := false - alphErr := false - var numeric EtsiMonetaryValueNum - var alphabetic EtsiMonetaryValueAlph - restNum, errNum := asn1.Unmarshal(statem.Any.FullBytes, &numeric) - if len(restNum) != 0 || errNum != nil { - numErr = true - } else { - etsiObj.IsNum = true - etsiObj.Amount = numeric.Amount - etsiObj.Exponent = numeric.Exponent - etsiObj.CurrencyNum = numeric.Iso4217CurrencyCodeNum - - } - if numErr { - restAlph, errAlph := asn1.Unmarshal(statem.Any.FullBytes, &alphabetic) - if len(restAlph) != 0 || errAlph != nil { - alphErr = true - } else { - etsiObj.IsNum = false - etsiObj.Amount = alphabetic.Amount - etsiObj.Exponent = alphabetic.Exponent - etsiObj.CurrencyAlph = alphabetic.Iso4217CurrencyCodeAlph - AppendToStringSemicolonDelim(&etsiObj.errorInfo, - checkAsn1Reencoding(reflect.ValueOf(alphabetic).Interface(), - statem.Any.FullBytes, "error with ASN.1 encoding, possibly a wrong ASN.1 string type was used")) - } - } - if numErr && alphErr { - etsiObj.errorInfo = "error parsing the ETSI Qc Statement statementInfo field" - } - return etsiObj - + return handleIdEtsiQcsQcLimitValue(statem) } else if statem.Oid.Equal(IdEtsiQcsQcRetentionPeriod) { - etsiObj := EtsiQcRetentionPeriod{etsiBase: etsiBase{isPresent: true}} - rest, err := asn1.Unmarshal(statem.Any.FullBytes, &etsiObj.Period) - - if len(rest) != 0 
|| err != nil { - etsiObj.errorInfo = "error parsing the statementInfo field" - } - return etsiObj + return handleIdEtsiQcsQcRetentionPeriod(statem) } else if statem.Oid.Equal(IdEtsiQcsQcSSCD) { - etsiObj := EtsiQcSscd{etsiBase: etsiBase{isPresent: true}} - statemWithoutInfo := qcStatementWithoutInfoField{Oid: statem.Oid} - AppendToStringSemicolonDelim(&etsiObj.errorInfo, checkAsn1Reencoding(reflect.ValueOf(statemWithoutInfo).Interface(), raw.Raw, - "invalid format of ETSI SCSD statement")) - return etsiObj + return handleIdEtsiQcsQcSSCD(statem, raw) } else if statem.Oid.Equal(IdEtsiQcsQcEuPDS) { - etsiObj := EtsiQcPds{etsiBase: etsiBase{isPresent: true}} - rest, err := asn1.Unmarshal(statem.Any.FullBytes, &etsiObj.PdsLocations) - if len(rest) != 0 || err != nil { - etsiObj.errorInfo = "error parsing the statementInfo field" - } else { - AppendToStringSemicolonDelim(&etsiObj.errorInfo, - checkAsn1Reencoding(reflect.ValueOf(etsiObj.PdsLocations).Interface(), statem.Any.FullBytes, - "error with ASN.1 encoding, possibly a wrong ASN.1 string type was used")) - } - return etsiObj + return handleIdEtsiQcsQcEuPDS(statem) } else if statem.Oid.Equal(IdEtsiQcsQcType) { - var qcType Etsi423QcType - qcType.isPresent = true - rest, err := asn1.Unmarshal(statem.Any.FullBytes, &qcType.TypeOids) - if len(rest) != 0 || err != nil { - return etsiBase{errorInfo: "error parsing IdEtsiQcsQcType extension statementInfo field", isPresent: true} - } - return qcType + return handleIdEtsiQcsQcType(statem) + } else if statem.Oid.Equal(IdEtsiPsd2Statem) { + return handleIdEtsiPsd2Statem(statem) + } else if statem.Oid.Equal(IdQcsPkixQCSyntaxV2) { + return handleIdQcsPkixQCSyntaxV2(statem) } else { return etsiBase{errorInfo: "", isPresent: true} } - } return etsiBase{errorInfo: "", isPresent: false} } + +func handleIdQcsPkixQCSyntaxV2(statem qcStatementWithInfoField) EtsiQcStmtIf { + var qcs2Statem DecodedQcS2 + qcs2Statem.isPresent = true + if len(statem.Any.FullBytes) == 0 { + return 
qcs2Statem + } + rest, err := asn1.Unmarshal(statem.Any.FullBytes, &qcs2Statem.Decoded) + if err != nil { + AppendToStringSemicolonDelim(&qcs2Statem.errorInfo, "error parsing statement: "+err.Error()) + } + if len(rest) != 0 { + AppendToStringSemicolonDelim(&qcs2Statem.errorInfo, "trailing bytes after QcStatement") + } + return qcs2Statem +} + +func handleIdEtsiPsd2Statem(statem qcStatementWithInfoField) EtsiQcStmtIf { + var psd2Statem EtsiPsd2 + psd2Statem.isPresent = true + rest, err := asn1.Unmarshal(statem.Any.FullBytes, &psd2Statem.DecodedPsd2Statm) + if len(rest) != 0 || err != nil { + return etsiBase{errorInfo: "error parsing IdEtsiPsd2Statem extension statementInfo field", isPresent: true} + } + if psd2Statem.DecodedPsd2Statm.CountryAndNCAId == "" || psd2Statem.DecodedPsd2Statm.NCAName == "" { + AppendToStringSemicolonDelim(&psd2Statem.errorInfo, "field has length 0") + } + for _, role := range psd2Statem.DecodedPsd2Statm.Roles { + if role.RoleOfPspName == "" { + AppendToStringSemicolonDelim(&psd2Statem.errorInfo, "field has length 0") + } + } + AppendToStringSemicolonDelim(&psd2Statem.errorInfo, + CheckAsn1Reencoding(reflect.ValueOf(psd2Statem.DecodedPsd2Statm).Interface(), statem.Any.FullBytes, + "error with ASN.1 encoding, possibly a wrong ASN.1 string type was used")) + return psd2Statem +} + +func handleIdEtsiQcsQcType(statem qcStatementWithInfoField) EtsiQcStmtIf { + var qcType Etsi423QcType + qcType.isPresent = true + rest, err := asn1.Unmarshal(statem.Any.FullBytes, &qcType.TypeOids) + if len(rest) != 0 || err != nil { + return etsiBase{errorInfo: "error parsing IdEtsiQcsQcType extension statementInfo field", isPresent: true} + } + return qcType +} + +func handleIdEtsiQcsQcEuPDS(statem qcStatementWithInfoField) EtsiQcStmtIf { + etsiObj := EtsiQcPds{etsiBase: etsiBase{isPresent: true}} + rest, err := asn1.Unmarshal(statem.Any.FullBytes, &etsiObj.PdsLocations) + if len(rest) != 0 || err != nil { + etsiObj.errorInfo = "error parsing the statementInfo 
field" + } else { + AppendToStringSemicolonDelim(&etsiObj.errorInfo, + CheckAsn1Reencoding(reflect.ValueOf(etsiObj.PdsLocations).Interface(), statem.Any.FullBytes, + "error with ASN.1 encoding, possibly a wrong ASN.1 string type was used")) + } + return etsiObj +} + +func handleIdEtsiQcsQcSSCD(statem qcStatementWithInfoField, raw anyContent) EtsiQcStmtIf { + etsiObj := EtsiQcSscd{etsiBase: etsiBase{isPresent: true}} + statemWithoutInfo := qcStatementWithoutInfoField{Oid: statem.Oid} + AppendToStringSemicolonDelim(&etsiObj.errorInfo, CheckAsn1Reencoding(reflect.ValueOf(statemWithoutInfo).Interface(), raw.Raw, + "invalid format of ETSI SCSD statement")) + return etsiObj +} + +func handleIdEtsiQcsQcRetentionPeriod(statem qcStatementWithInfoField) EtsiQcStmtIf { + etsiObj := EtsiQcRetentionPeriod{etsiBase: etsiBase{isPresent: true}} + rest, err := asn1.Unmarshal(statem.Any.FullBytes, &etsiObj.Period) + + if len(rest) != 0 || err != nil { + etsiObj.errorInfo = "error parsing the statementInfo field" + } + return etsiObj +} + +func handleIdEtsiQcsQcLimitValue(statem qcStatementWithInfoField) EtsiQcStmtIf { + etsiObj := EtsiQcLimitValue{etsiBase: etsiBase{isPresent: true}} + numErr := false + alphErr := false + var numeric EtsiMonetaryValueNum + var alphabetic EtsiMonetaryValueAlph + restNum, errNum := asn1.Unmarshal(statem.Any.FullBytes, &numeric) + if len(restNum) != 0 || errNum != nil { + numErr = true + } else { + etsiObj.IsNum = true + etsiObj.Amount = numeric.Amount + etsiObj.Exponent = numeric.Exponent + etsiObj.CurrencyNum = numeric.Iso4217CurrencyCodeNum + + } + if numErr { + restAlph, errAlph := asn1.Unmarshal(statem.Any.FullBytes, &alphabetic) + if len(restAlph) != 0 || errAlph != nil { + alphErr = true + } else { + etsiObj.IsNum = false + etsiObj.Amount = alphabetic.Amount + etsiObj.Exponent = alphabetic.Exponent + etsiObj.CurrencyAlph = alphabetic.Iso4217CurrencyCodeAlph + AppendToStringSemicolonDelim(&etsiObj.errorInfo, + 
CheckAsn1Reencoding(reflect.ValueOf(alphabetic).Interface(), + statem.Any.FullBytes, "error with ASN.1 encoding, possibly a wrong ASN.1 string type was used")) + } + } + if numErr && alphErr { + etsiObj.errorInfo = "error parsing the ETSI Qc Statement statementInfo field" + } + return etsiObj +} + +func handleIdEtsiQcsQcCompliance(statem qcStatementWithInfoField, raw anyContent) EtsiQcStmtIf { + etsiObj := Etsi421QualEuCert{etsiBase: etsiBase{isPresent: true}} + statemWithoutInfo := qcStatementWithoutInfoField{Oid: statem.Oid} + AppendToStringSemicolonDelim(&etsiObj.errorInfo, CheckAsn1Reencoding(reflect.ValueOf(statemWithoutInfo).Interface(), raw.Raw, + "invalid format of ETSI Complicance statement")) + return etsiObj +} + +func AppendToStringSemicolonDelim(this *string, s string) { + if len(*this) > 0 && len(s) > 0 { + (*this) += "; " + } + (*this) += s +} diff --git a/v3/util/time.go b/v3/util/time.go index b4354b1e9..3cb53423b 100644 --- a/v3/util/time.go +++ b/v3/util/time.go @@ -1,5 +1,5 @@ /* - * ZLint Copyright 2024 Regents of the University of Michigan + * ZLint Copyright 2025 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy 
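Review bot: In `handleIdEtsiPsd2Statem` three different conditions produce the identical message `"field has length 0"`, so the lint output cannot tell an empty NCAName from an empty CountryAndNCAId or an empty role name; use distinct strings such as `"nCAName has length 0"`, `"countryAndNCAId has length 0"` and `"roleOfPspName has length 0"`. The role loop checks only the name; the `RoleType` OID is never compared against the `IdEtsiPsd2RolePsp*` constants declared earlier in this diff, which may be intentional if a separate lint covers it, but a comment saying so would make that explicit. The new handler functions are unexported and undocumented; a one-line comment per handler stating which QcStatement it decodes and that the returned value's `errorInfo` carries parse problems while `isPresent` is always true would make `ParseQcStatem`'s dispatch readable.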
@@ -96,8 +96,9 @@ var ( // Updates to the CABF BRs and EVGLs from Ballot SC 062 https://cabforum.org/2023/03/17/ballot-sc62v2-certificate-profiles-update/ SC62EffectiveDate = time.Date(2023, time.September, 15, 0, 0, 0, 0, time.UTC) // Date when section 9.2.8 of CABF EVG became effective - CABFEV_Sec9_2_8_Date = time.Date(2020, time.January, 31, 0, 0, 0, 0, time.UTC) - CABF_CS_BRs_1_2_Date = time.Date(2019, time.August, 13, 0, 0, 0, 0, time.UTC) + CABFEV_Sec9_2_8_Date = time.Date(2020, time.January, 31, 0, 0, 0, 0, time.UTC) + CABF_CS_BRs_1_2_Date = time.Date(2019, time.August, 13, 0, 0, 0, 0, time.UTC) + ETSI_EN_319_412_1_V1_4_1_DATE = time.Date(2020, time.June, 1, 0, 0, 0, 0, time.UTC) ) var (
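Review bot: `ETSI_EN_319_412_1_V1_4_1_DATE` is added without the explanatory comment its neighbours carry (`SC62EffectiveDate` and `CABFEV_Sec9_2_8_Date` each say what the date marks), so a reader cannot tell whether this is the publication date of the standard or the date lints should start applying it. Add a line such as `// Date from which lints apply ETSI EN 319 412-1 V1.4.1 requirements` adjusted to whatever the date actually represents. The name also uses a different casing convention (`_DATE`) from the adjacent `_Date` identifiers; `ETSI_EN_319_412_1_V1_4_1_Date` would at least be consistent within the block.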