github.com/zmap/zlint@v1.1.0/lints/lint_ext_authority_key_identifier_no_key_identifier.go

github.com/zmap/zlint@v1.1.0/lints/lint_ext_authority_key_identifier_no_key_identifier.go (about)

     1  package lints
     2  
     3  /*
     4   * ZLint Copyright 2018 Regents of the University of Michigan
     5   *
     6   * Licensed under the Apache License, Version 2.0 (the "License"); you may not
     7   * use this file except in compliance with the License. You may obtain a copy
     8   * of the License at http://www.apache.org/licenses/LICENSE-2.0
     9   *
    10   * Unless required by applicable law or agreed to in writing, software
    11   * distributed under the License is distributed on an "AS IS" BASIS,
    12   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
    13   * implied. See the License for the specific language governing
    14   * permissions and limitations under the License.
    15   */
    16  
    17  /***********************************************************************
    18  RFC 5280: 4.2.1.1
    19  The keyIdentifier field of the authorityKeyIdentifier extension MUST
    20     be included in all certificates generated by conforming CAs to
    21     facilitate certification path construction.  There is one exception;
    22     where a CA distributes its public key in the form of a "self-signed"
    23     certificate, the authority key identifier MAY be omitted.  The
    24     signature on a self-signed certificate is generated with the private
    25     key associated with the certificate's subject public key.  (This
    26     proves that the issuer possesses both the public and private keys.)
    27     In this case, the subject and authority key identifiers would be
    28     identical, but only the subject key identifier is needed for
    29     certification path building.
    30  ***********************************************************************/
    31  
    32  import (
    33  	"github.com/zmap/zcrypto/x509"
    34  	"github.com/zmap/zlint/util"
    35  )
    36  
    37  type authorityKeyIdNoKeyIdField struct{}
    38  
    39  func (l *authorityKeyIdNoKeyIdField) Initialize() error {
    40  	return nil
    41  }
    42  
    43  func (l *authorityKeyIdNoKeyIdField) CheckApplies(c *x509.Certificate) bool {
    44  	return true
    45  }
    46  
    47  func (l *authorityKeyIdNoKeyIdField) Execute(c *x509.Certificate) *LintResult {
    48  	if c.AuthorityKeyId == nil && !util.IsSelfSigned(c) { //will be nil by default if not found in x509.parseCert
    49  		return &LintResult{Status: Error}
    50  	} else {
    51  		return &LintResult{Status: Pass}
    52  	}
    53  }
    54  
    55  func init() {
    56  	RegisterLint(&Lint{
    57  		Name:          "e_ext_authority_key_identifier_no_key_identifier",
    58  		Description:   "CAs must include keyIdentifer field of AKI in all non-self-issued certificates",
    59  		Citation:      "RFC 5280: 4.2.1.1",
    60  		Source:        RFC5280,
    61  		EffectiveDate: util.RFC2459Date,
    62  		Lint:          &authorityKeyIdNoKeyIdField{},
    63  	})
    64  }