github.com/zmap/zlint@v1.1.0/lints/lint_eku_critical_improperly.go

github.com/zmap/zlint@v1.1.0/lints/lint_eku_critical_improperly.go (about)

     1  package lints
     2  
     3  /*
     4   * ZLint Copyright 2018 Regents of the University of Michigan
     5   *
     6   * Licensed under the Apache License, Version 2.0 (the "License"); you may not
     7   * use this file except in compliance with the License. You may obtain a copy
     8   * of the License at http://www.apache.org/licenses/LICENSE-2.0
     9   *
    10   * Unless required by applicable law or agreed to in writing, software
    11   * distributed under the License is distributed on an "AS IS" BASIS,
    12   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
    13   * implied. See the License for the specific language governing
    14   * permissions and limitations under the License.
    15   */
    16  
    17  /************************************************
    18  RFC 5280: 4.2.1.12
    19  If a CA includes extended key usages to satisfy such applications,
    20     but does not wish to restrict usages of the key, the CA can include
    21     the special KeyPurposeId anyExtendedKeyUsage in addition to the
    22     particular key purposes required by the applications.  Conforming CAs
    23     SHOULD NOT mark this extension as critical if the anyExtendedKeyUsage
    24     KeyPurposeId is present.  Applications that require the presence of a
    25     particular purpose MAY reject certificates that include the
    26     anyExtendedKeyUsage OID but not the particular OID expected for the
    27     application.
    28  ************************************************/
    29  
    30  import (
    31  	"github.com/zmap/zcrypto/x509"
    32  	"github.com/zmap/zlint/util"
    33  )
    34  
    35  type ekuBadCritical struct{}
    36  
    37  func (l *ekuBadCritical) Initialize() error {
    38  	return nil
    39  }
    40  
    41  func (l *ekuBadCritical) CheckApplies(c *x509.Certificate) bool {
    42  	return util.IsExtInCert(c, util.EkuSynOid)
    43  }
    44  
    45  func (l *ekuBadCritical) Execute(c *x509.Certificate) *LintResult {
    46  	if e := util.GetExtFromCert(c, util.EkuSynOid); e.Critical {
    47  		for _, single_use := range c.ExtKeyUsage {
    48  			if single_use == x509.ExtKeyUsageAny {
    49  				return &LintResult{Status: Warn}
    50  			}
    51  		}
    52  	}
    53  
    54  	return &LintResult{Status: Pass}
    55  }
    56  
    57  func init() {
    58  	RegisterLint(&Lint{
    59  		Name:          "w_eku_critical_improperly",
    60  		Description:   "Conforming CAs SHOULD NOT mark extended key usage extension as critical if the anyExtendedKeyUsage KeyPurposedID is present",
    61  		Citation:      "RFC 5280: 4.2.1.12",
    62  		Source:        RFC5280,
    63  		EffectiveDate: util.RFC3280Date,
    64  		Lint:          &ekuBadCritical{},
    65  	})
    66  }