package cabfbr

import (
	"github.com/zmap/zcrypto/x509"
	"github.com/zmap/zlint/v3/lint"

	"github.com/letsencrypt/boulder/linter/lints"
)

// crlAcceptableReasonCodes is a revocation-list lint that rejects any CRL
// entry whose reasonCode extension is present but holds a value outside the
// set permitted by BRs 7.2.2.1. Entries without a reasonCode are not checked.
type crlAcceptableReasonCodes struct{}

/************************************************
Baseline Requirements: 7.2.2.1:
The CRLReason indicated MUST NOT be unspecified (0).
The CRLReason MUST NOT be certificateHold (6).

When the CRLReason code is not one of the following, then the reasonCode extension MUST NOT be provided:
- keyCompromise (RFC 5280 CRLReason #1);
- privilegeWithdrawn (RFC 5280 CRLReason #9);
- cessationOfOperation (RFC 5280 CRLReason #5);
- affiliationChanged (RFC 5280 CRLReason #3); or
- superseded (RFC 5280 CRLReason #4).
************************************************/

func init() {
	meta := lint.LintMetadata{
		Name:        "e_crl_acceptable_reason_codes",
		Description: "CRL entry Reason Codes must be 1, 3, 4, 5, or 9",
		Citation:    "BRs: 7.2.2.1",
		Source:      lint.CABFBaselineRequirements,
		// The Mozilla Root Store Policy v2.8.1 effective date is used rather
		// than a BR date: the lint enforces a BR requirement, but the MRSP
		// imposed the same requirement first.
		EffectiveDate: lints.MozillaPolicy281Date,
	}
	lint.RegisterRevocationListLint(&lint.RevocationListLint{
		LintMetadata: meta,
		Lint:         NewCrlAcceptableReasonCodes,
	})
}

// NewCrlAcceptableReasonCodes returns a fresh instance of the lint; it is the
// constructor handed to the zlint registry in init.
func NewCrlAcceptableReasonCodes() lint.RevocationListLintInterface {
	return &crlAcceptableReasonCodes{}
}

// CheckApplies reports that this lint applies to every CRL: the BR requirement
// is unconditional, so no per-CRL filtering is done here.
func (l *crlAcceptableReasonCodes) CheckApplies(c *x509.RevocationList) bool {
	return true
}

// Execute walks the CRL's revoked-certificate entries and returns an Error
// result for the first entry whose reasonCode is present and is not one of
// 1, 3, 4, 5 or 9. A Pass result is returned when every entry either omits
// the reasonCode extension or carries one of the permitted values.
func (l *crlAcceptableReasonCodes) Execute(c *x509.RevocationList) *lint.LintResult {
	for _, entry := range c.RevokedCertificates {
		// An absent reasonCode extension is permitted; the BRs only constrain
		// the value when the extension is present.
		if entry.ReasonCode == nil {
			continue
		}
		code := *entry.ReasonCode
		acceptable := code == 1 || // keyCompromise
			code == 3 || // affiliationChanged
			code == 4 || // superseded
			code == 5 || // cessationOfOperation
			code == 9 // privilegeWithdrawn
		if !acceptable {
			// Report on the first offending entry; later entries are not
			// inspected, so the Details message names the rule, not the entry.
			return &lint.LintResult{
				Status:  lint.Error,
				Details: "CRLs MUST NOT include reasonCodes other than 1, 3, 4, 5, and 9",
			}
		}
	}
	return &lint.LintResult{Status: lint.Pass}
}