package cpcps

import (
	"github.com/zmap/zcrypto/encoding/asn1"
	"github.com/zmap/zcrypto/x509"
	"github.com/zmap/zlint/v3/lint"

	"github.com/letsencrypt/boulder/linter/lints"
)

// certificateIssuerOID is id-ce-certificateIssuer (2.5.29.29), the CRL entry
// extension defined in RFC 5280 section 5.3.3. It is built once at package
// scope rather than on every Execute call.
var certificateIssuerOID = asn1.ObjectIdentifier{2, 5, 29, 29}

// crlHasNoCertIssuers is a revocation-list lint that flags any CRL entry
// carrying the Certificate Issuer extension. It holds no state.
type crlHasNoCertIssuers struct{}

/************************************************
RFC 5280: 5.3.3

Section 5.3.3 defines the Certificate Issuer entry extension. The presence of
this extension means that the CRL is an "indirect CRL", including certificates
which were issued by a different issuer than the one issuing the CRL itself.
We do not issue indirect CRLs, so our CRL entries should not have this extension.
************************************************/

// init registers the lint with zlint's revocation-list lint registry so it is
// run alongside the other CP/CPS lints.
//
// NOTE(review): the lint name carries the "e_" (error) prefix that zlint uses
// for error-level lints, yet a hit below yields lint.Notice, and Citation is
// left empty. Confirm the severity is intended and consider citing the CPS
// section that forbids indirect CRLs.
func init() {
	meta := lint.LintMetadata{
		Name:          "e_crl_has_no_cert_issuers",
		Description:   "Let's Encrypt does not issue indirect CRLs",
		Citation:      "",
		Source:        lints.LetsEncryptCPS,
		EffectiveDate: lints.CPSV33Date,
	}
	lint.RegisterRevocationListLint(&lint.RevocationListLint{
		LintMetadata: meta,
		Lint:         NewCrlHasNoCertIssuers,
	})
}

// NewCrlHasNoCertIssuers is the constructor handed to the zlint registry; it
// returns a fresh, stateless instance of the lint.
func NewCrlHasNoCertIssuers() lint.RevocationListLintInterface {
	return new(crlHasNoCertIssuers)
}

// CheckApplies reports whether the lint should run on c. This lint applies to
// every CRL unconditionally, so it always returns true.
func (l *crlHasNoCertIssuers) CheckApplies(c *x509.RevocationList) bool {
	return true
}

// Execute scans every revoked-certificate entry in c for the Certificate
// Issuer extension. The first entry that carries it produces a Notice-level
// result; otherwise the lint passes. Entries are indexed rather than copied
// because the loop only needs each entry's Extensions field.
func (l *crlHasNoCertIssuers) Execute(c *x509.RevocationList) *lint.LintResult {
	entries := c.RevokedCertificates
	for i := range entries {
		if lints.GetExtWithOID(entries[i].Extensions, certificateIssuerOID) == nil {
			continue
		}
		return &lint.LintResult{
			Status:  lint.Notice,
			Details: "CRL has an entry with a Certificate Issuer extension",
		}
	}
	return &lint.LintResult{Status: lint.Pass}
}