package cpcps

import (
	"github.com/zmap/zcrypto/encoding/asn1"
	"github.com/zmap/zcrypto/x509"
	"github.com/zmap/zlint/v3/lint"

	"github.com/letsencrypt/boulder/linter/lints"
)

// crlIsNotDelta is a revocation-list lint that rejects any CRL carrying an
// extension which would mark it as, or tie it to, a Delta CRL.
type crlIsNotDelta struct{}

/************************************************
RFC 5280: 5.2.4

Section 5.2.4 defines a Delta CRL, and all the requirements that come with it.
These requirements are complex and do not serve our purpose, so we ensure that
we never issue a CRL which could be construed as a Delta CRL.

RFC 5280: 5.2.6

Similarly, Section 5.2.6 defines the Freshest CRL extension, which is only
applicable in the case that the CRL is a Delta CRL.
************************************************/

func init() {
	lint.RegisterRevocationListLint(&lint.RevocationListLint{
		LintMetadata: lint.LintMetadata{
			// NOTE(review): the e_ prefix marks this as an error-class lint, yet
			// Execute reports lint.Notice on a hit; whether a Notice blocks
			// issuance depends on how the caller processes results — confirm.
			Name:        "e_crl_is_not_delta",
			Description: "Let's Encrypt does not issue delta CRLs",
			// No CPS section is cited here — consider adding one if the CPS
			// states the no-delta-CRL policy explicitly.
			Citation:      "",
			Source:        lints.LetsEncryptCPS,
			EffectiveDate: lints.CPSV33Date,
		},
		Lint: NewCrlIsNotDelta,
	})
}

// NewCrlIsNotDelta is the constructor registered with zlint; it returns a
// fresh, stateless lint instance.
func NewCrlIsNotDelta() lint.RevocationListLintInterface {
	return new(crlIsNotDelta)
}

// CheckApplies reports whether the lint should run on c. Every CRL is
// subject to this check, so it always returns true.
func (l *crlIsNotDelta) CheckApplies(c *x509.RevocationList) bool {
	return true
}

// Execute returns a Notice if the CRL carries the Delta CRL Indicator
// extension (id-ce-deltaCRLIndicator) or the Freshest CRL extension
// (id-ce-freshestCRL), and Pass otherwise.
func (l *crlIsNotDelta) Execute(c *x509.RevocationList) *lint.LintResult {
	// Checked in this order so that when both extensions are present the
	// Delta CRL Indicator, the stronger signal, is the one reported.
	forbidden := []struct {
		oid     asn1.ObjectIdentifier
		details string
	}{
		// id-ce-deltaCRLIndicator, RFC 5280 section 5.2.4
		{oid: asn1.ObjectIdentifier{2, 5, 29, 27}, details: "CRL is a Delta CRL"},
		// id-ce-freshestCRL, RFC 5280 section 5.2.6
		{oid: asn1.ObjectIdentifier{2, 5, 29, 46}, details: "CRL has a Freshest CRL url"},
	}

	for _, f := range forbidden {
		if ext := lints.GetExtWithOID(c.Extensions, f.oid); ext != nil {
			return &lint.LintResult{
				Status:  lint.Notice,
				Details: f.details,
			}
		}
	}

	return &lint.LintResult{Status: lint.Pass}
}