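package lints

/*
 * ZLint Copyright 2018 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
 * of the License at http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
 * implied. See the License for the specific language governing
 * permissions and limitations under the License.
 */

/************************************************************************
RFC 5280: 4.2.1.3
The keyCertSign bit is asserted when the subject public key is used
for verifying signatures on public key certificates. If the
keyCertSign bit is asserted, then the cA bit in the basic constraints
extension (Section 4.2.1.9) MUST also be asserted.

RFC 5280: 4.2.1.9
The cA boolean indicates whether the certified public key may be used
to verify certificate signatures. If the cA boolean is not asserted,
then the keyCertSign bit in the key usage extension MUST NOT be
asserted. If the basic constraints extension is not present in a
version 3 certificate, or the extension is present but the cA boolean
is not asserted, then the certified public key MUST NOT be used to
verify certificate signatures.
************************************************************************/

import (
	"github.com/zmap/zcrypto/x509"
	"github.com/zmap/zlint/util"
)

// keyUsageCertSignNoCa flags certificates that assert the keyCertSign key
// usage without being CA certificates. Per RFC 5280 a key may only be used
// to verify certificate signatures when the basic constraints extension is
// present with cA asserted; a certificate that claims keyCertSign without
// that is a profile violation and a conforming validator must not use its
// key to verify certificate signatures.
type keyUsageCertSignNoCa struct{}

// Initialize performs no setup; the lint carries no state.
func (l *keyUsageCertSignNoCa) Initialize() error {
	return nil
}

// CheckApplies restricts the lint to certificates that carry the key usage
// extension. keyCertSign can only be asserted through that extension, so a
// certificate without it has nothing for this lint to evaluate.
func (l *keyUsageCertSignNoCa) CheckApplies(c *x509.Certificate) bool {
	return util.IsExtInCert(c, util.KeyUsageOID)
}

// Execute returns Error when the keyCertSign bit is asserted but the
// certificate is not a CA certificate (basic constraints extension absent,
// or present with cA not asserted). Every other certificate passes.
func (l *keyUsageCertSignNoCa) Execute(c *x509.Certificate) *LintResult {
	if c.KeyUsage&x509.KeyUsageCertSign == 0 {
		// keyCertSign not asserted: nothing to enforce.
		return &LintResult{Status: Pass}
	}
	// keyCertSign is asserted, so the basic constraints extension must be
	// present (BasicConstraintsValid) and its cA boolean must be TRUE.
	// Both conditions are checked explicitly so the result does not depend
	// on whether util.IsCACert also verifies extension presence.
	if !c.BasicConstraintsValid || !util.IsCACert(c) {
		return &LintResult{Status: Error}
	}
	// CA certificates may assert certificate signing usage.
	return &LintResult{Status: Pass}
}

func init() {
	RegisterLint(&Lint{
		Name:          "e_ext_key_usage_cert_sign_without_ca",
		Description:   "if the keyCertSign bit is asserted, then the cA bit in the basic constraints extension MUST also be asserted",
		Citation:      "RFC 5280: 4.2.1.3 & 4.2.1.9",
		Source:        RFC5280,
		EffectiveDate: util.RFC3280Date,
		Lint:          &keyUsageCertSignNoCa{},
	})
}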