package rfc

import (
	"github.com/zmap/zcrypto/x509"
	"github.com/zmap/zlint/v3/lint"
	"github.com/zmap/zlint/v3/util"
	"golang.org/x/crypto/cryptobyte"
	cryptobyte_asn1 "golang.org/x/crypto/cryptobyte/asn1"
)

// crlHasAKI is a revocation-list lint that requires the authority key
// identifier extension to be present and to carry a keyIdentifier ([0])
// element as its first component.
type crlHasAKI struct{}

/************************************************
RFC 5280: 5.2.1
Conforming CRL issuers MUST use the key identifier method, and MUST include this
extension in all CRLs issued.
************************************************/

func init() {
	lint.RegisterRevocationListLint(&lint.RevocationListLint{
		LintMetadata: lint.LintMetadata{
			Name:          "e_crl_has_aki",
			Description:   "Conforming",
			Citation:      "RFC 5280: 5.2.1",
			Source:        lint.RFC5280,
			EffectiveDate: util.RFC5280Date,
		},
		Lint: NewCrlHasAKI,
	})
}

// NewCrlHasAKI is the factory registered with zlint in init; it returns a
// fresh, stateless lint instance.
func NewCrlHasAKI() lint.RevocationListLintInterface {
	return &crlHasAKI{}
}

// CheckApplies always reports true: the AKI requirement in RFC 5280 5.2.1
// has no exemptions, so every CRL is checked.
func (l *crlHasAKI) CheckApplies(c *x509.RevocationList) bool {
	return true
}

// Execute returns lint.Error with a descriptive Details string when the
// CRL's AuthorityKeyId is absent, is not a DER SEQUENCE, or does not start
// with a context-specific [0] (keyIdentifier) element; otherwise lint.Pass.
func (l *crlHasAKI) Execute(c *x509.RevocationList) *lint.LintResult {
	if details := l.akiDetails(c.AuthorityKeyId); details != "" {
		return &lint.LintResult{Status: lint.Error, Details: details}
	}
	return &lint.LintResult{Status: lint.Pass}
}

// akiDetails inspects the raw AuthorityKeyId bytes and returns the error
// Details text for the first problem found, or "" when the extension looks
// acceptable to this lint.
//
// raw is treated as the DER of the whole extension value (an outer
// SEQUENCE), not just the keyIdentifier octets. NOTE(review): this relies on
// zcrypto populating RevocationList.AuthorityKeyId with the full extension
// value; confirm against the zcrypto parser, since the standard-library
// RevocationList stores only the keyIdentifier bytes there.
//
// Only the presence of a leading [0] tag inside the SEQUENCE is checked:
// the keyIdentifier's contents (including a zero-length value) and any
// bytes following the outer SEQUENCE are not examined here.
func (l *crlHasAKI) akiDetails(raw []byte) string {
	if len(raw) == 0 {
		return "CRLs MUST include the authority key identifier extension"
	}
	outer := cryptobyte.String(raw)
	var seq cryptobyte.String
	if !outer.ReadASN1(&seq, cryptobyte_asn1.SEQUENCE) {
		return "CRL has a malformed authority key identifier extension"
	}
	// keyIdentifier is the [0] IMPLICIT OCTET STRING member of
	// AuthorityKeyIdentifier; PeekASN1Tag does not consume it.
	if !seq.PeekASN1Tag(cryptobyte_asn1.Tag(0).ContextSpecific()) {
		return "CRLs MUST use the key identifier method in the authority key identifier extension"
	}
	return ""
}