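package cabfbr

import (
	"github.com/zmap/zcrypto/encoding/asn1"
	"github.com/zmap/zcrypto/x509"
	"github.com/zmap/zlint/v3/lint"
	"github.com/zmap/zlint/v3/util"
)

// crlCriticalReasonCodes is a CRL lint that reports any CRL entry whose
// reasonCode extension is marked critical. The lint carries no state; its
// metadata lives in the registration performed by init.
type crlCriticalReasonCodes struct{}

// oidCRLEntryReasonCode is id-ce-reasonCode (2.5.29.21), the CRL entry
// extension carrying the revocation reason. It is declared once at package
// scope so Execute does not allocate a fresh slice on every CRL it checks.
var oidCRLEntryReasonCode = asn1.ObjectIdentifier{2, 5, 29, 21}

/************************************************
Baseline Requirements: 7.2.2.1:
If present, [the reasonCode] extension MUST NOT be marked critical.
************************************************/

func init() {
	lint.RegisterRevocationListLint(&lint.RevocationListLint{
		LintMetadata: lint.LintMetadata{
			Name:          "e_crl_no_critical_reason_codes",
			Description:   "CRL entry reasonCode extension MUST NOT be marked critical",
			Citation:      "BRs: 7.2.2.1",
			Source:        lint.CABFBaselineRequirements,
			EffectiveDate: util.CABFBRs_1_8_0_Date,
		},
		Lint: NewCrlCriticalReasonCodes,
	})
}

// NewCrlCriticalReasonCodes returns a fresh instance of the lint. It is the
// constructor handed to zlint in init.
func NewCrlCriticalReasonCodes() lint.RevocationListLintInterface {
	return &crlCriticalReasonCodes{}
}

// CheckApplies reports whether the lint applies to c. It always returns true:
// the requirement governs every reasonCode entry extension, and a CRL with no
// such extension simply passes in Execute.
func (l *crlCriticalReasonCodes) CheckApplies(c *x509.RevocationList) bool {
	return true
}

// Execute walks the entry extensions of every revoked certificate in c and
// returns an Error result for the first reasonCode extension flagged critical,
// or Pass when none is. Only CRL entry extensions are inspected; CRL-level
// extensions are outside the scope of BR 7.2.2.1.
//
// The check matters beyond conformance: RFC 5280 §5.3 tells relying parties
// that cannot process a critical CRL entry extension not to use that CRL at
// all, so a critical reasonCode can render the whole CRL unusable for
// revocation checking by stricter validators.
func (l *crlCriticalReasonCodes) Execute(c *x509.RevocationList) *lint.LintResult {
	for _, rc := range c.RevokedCertificates {
		for _, ext := range rc.Extensions {
			// Test the cheap boolean first; the OID comparison only runs
			// for extensions that are actually marked critical.
			if ext.Critical && ext.Id.Equal(oidCRLEntryReasonCode) {
				return &lint.LintResult{
					Status:  lint.Error,
					Details: "CRL entry reasonCode extension MUST NOT be marked critical",
				}
			}
		}
	}
	return &lint.LintResult{Status: lint.Pass}
}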