github.com/zmap/zlint@v1.1.0/lints/lint_basic_constraints_not_critical.go (about)

     1  package lints
     2  
     3  /*
     4   * ZLint Copyright 2017 Regents of the University of Michigan
     5   *
     6   * Licensed under the Apache License, Version 2.0 (the "License"); you may not
     7   * use this file except in compliance with the License. You may obtain a copy
     8   * of the License at http://www.apache.org/licenses/LICENSE-2.0
     9   *
    10   * Unless required by applicable law or agreed to in writing, software
    11   * distributed under the License is distributed on an "AS IS" BASIS,
    12   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
    13   * implied. See the License for the specific language governing
    14   * permissions and limitations under the License.
    15   */
    16  
    17  import (
    18  	"github.com/zmap/zcrypto/x509"
    19  	"github.com/zmap/zlint/util"
    20  )
    21  
    22  /************************************************
    23  RFC 5280: 4.2.1.9
    24  Conforming CAs MUST include this extension in all CA certificates that contain
    25  public keys used to validate digital signatures on certificates and MUST mark
    26  the extension as critical in such certificates.  This extension MAY appear as a
    27  critical or non-critical extension in CA certificates that contain public keys
    28  used exclusively for purposes other than validating digital signatures on
    29  certificates.  Such CA certificates include ones that contain public keys used
    30  exclusively for validating digital signatures on CRLs and ones that contain key
    31  management public keys used with certificate enrollment protocols.
    32  ************************************************/
    33  
// basicConstCrit is the lint registered as "e_basic_constraints_not_critical".
// It carries no state; its methods inspect only the certificate passed to them
// and check whether the basicConstraints extension of a CA certificate is
// marked critical (RFC 5280: 4.2.1.9).
type basicConstCrit struct{}
    35  
// Initialize performs no setup for this lint and always returns nil.
func (l *basicConstCrit) Initialize() error {
	return nil
}
    39  
// CheckApplies reports whether the lint should run on c: the certificate must
// be flagged as a CA and must carry the basicConstraints extension.
//
// NOTE(review): the RFC 5280 text quoted in this file limits the MUST to CA
// certificates whose keys validate certificate signatures and allows either
// criticality for CA keys used exclusively for other purposes. This predicate
// does not look at key usage, so every CA certificate is in scope; confirm
// that the broader scope is intended.
func (l *basicConstCrit) CheckApplies(c *x509.Certificate) bool {
	if !c.IsCA {
		return false
	}
	return util.IsExtInCert(c, util.BasicConstOID)
}
    43  
// Execute checks the criticality flag of the basicConstraints extension in c.
//
// It returns NA when the extension is absent, Pass when it is marked critical,
// and Error when it is present but non-critical.
//
// Criticality matters to relying parties: under RFC 5280 a verifier must
// reject a certificate carrying a critical extension it cannot process, while
// a non-critical extension it does not recognise may be ignored. A
// non-critical basicConstraints therefore leaves enforcement of the CA
// constraint to the verifier's implementation.
func (l *basicConstCrit) Execute(c *x509.Certificate) *LintResult {
	ext := util.GetExtFromCert(c, util.BasicConstOID)
	switch {
	case ext == nil:
		// CheckApplies already requires the extension; this branch only
		// guards the lookup returning nil.
		return &LintResult{Status: NA}
	case ext.Critical:
		return &LintResult{Status: Pass}
	default:
		return &LintResult{Status: Error}
	}
}
    56  
// init registers the basicConstraints criticality lint at package load time
// so that it is available through the lint registry.
func init() {
	basicConstCritLint := &Lint{
		Name:          "e_basic_constraints_not_critical",
		Description:   "basicConstraints MUST appear as a critical extension",
		Citation:      "RFC 5280: 4.2.1.9",
		Source:        RFC5280,
		EffectiveDate: util.RFC2459Date,
		Lint:          &basicConstCrit{},
	}
	RegisterLint(basicConstCritLint)
}
    66  }