github.com/zmap/zlint@v1.1.0/lints/lint_ext_policy_constraints_empty.go (about)

     1  package lints
     2  
     3  /*
     4   * ZLint Copyright 2018 Regents of the University of Michigan
     5   *
     6   * Licensed under the Apache License, Version 2.0 (the "License"); you may not
     7   * use this file except in compliance with the License. You may obtain a copy
     8   * of the License at http://www.apache.org/licenses/LICENSE-2.0
     9   *
    10   * Unless required by applicable law or agreed to in writing, software
    11   * distributed under the License is distributed on an "AS IS" BASIS,
    12   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
    13   * implied. See the License for the specific language governing
    14   * permissions and limitations under the License.
    15   */
    16  
    17  /*************************************************************************
    18  RFC 5280: 4.2.1.11
    19  Conforming CAs MUST NOT issue certificates where policy constraints
    20     is an empty sequence.  That is, either the inhibitPolicyMapping field
    21     or the requireExplicitPolicy field MUST be present.  The behavior of
    22     clients that encounter an empty policy constraints field is not
    23     addressed in this profile.
    24  *************************************************************************/
    25  
    26  import (
    27  	"encoding/asn1"
    28  
    29  	"github.com/zmap/zcrypto/x509"
    30  	"github.com/zmap/zlint/util"
    31  )
    32  
// policyConstraintsContents is the lint that checks the policyConstraints
// extension (RFC 5280 4.2.1.11) is not an empty SEQUENCE. It carries no state.
type policyConstraintsContents struct{}
    34  
// Initialize performs no setup: this lint has no state to prepare, so it
// always reports success.
func (l *policyConstraintsContents) Initialize() (err error) {
	return
}
    38  
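// CheckApplies reports whether the lint applies to c: the certificate must
// carry a policyConstraints extension whose value decodes as exactly one
// universal, constructed SEQUENCE with no trailing bytes.
//
// A policyConstraints extension that is present but does not decode makes
// this lint not apply rather than producing a Fatal result; decoding
// problems are filtered out here, before Execute is reached.
func (l *policyConstraintsContents) CheckApplies(c *x509.Certificate) bool {
	if !util.IsExtInCert(c, util.PolicyConstOID) {
		return false
	}
	pc := util.GetExtFromCert(c, util.PolicyConstOID)
	var seq asn1.RawValue
	// The extension value is a single SEQUENCE, so nothing may follow it.
	rest, err := asn1.Unmarshal(pc.Value, &seq)
	if err != nil || len(rest) != 0 {
		return false
	}
	// Named encoding/asn1 constants replace the raw tag (16) and class (0).
	return seq.Class == asn1.ClassUniversal && seq.Tag == asn1.TagSequence && seq.IsCompound
}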
    51  
// Execute decodes the outer SEQUENCE of the policyConstraints extension and
// returns Error when it carries no content, since RFC 5280 4.2.1.11 forbids
// an empty policyConstraints. A decode failure returns Fatal, although
// CheckApplies already rejects values that do not decode.
func (l *policyConstraintsContents) Execute(c *x509.Certificate) *LintResult {
	ext := util.GetExtFromCert(c, util.PolicyConstOID)
	var outer asn1.RawValue
	// CheckApplies has already required a single SEQUENCE with no trailing
	// data, so the remainder is not inspected again here.
	_, err := asn1.Unmarshal(ext.Value, &outer)
	switch {
	case err != nil:
		return &LintResult{Status: Fatal}
	case len(outer.Bytes) == 0:
		return &LintResult{Status: Error}
	default:
		return &LintResult{Status: Pass}
	}
}
    65  
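// init registers the lint so it runs alongside the other RFC 5280 checks.
// The description names the two optional fields exactly as RFC 5280 does
// (inhibitPolicyMapping and requireExplicitPolicy).
func init() {
	RegisterLint(&Lint{
		Name:          "e_ext_policy_constraints_empty",
		Description:   "Conforming CAs MUST NOT issue certificates where policy constraints is an empty sequence. That is, either the inhibitPolicyMapping field or the requireExplicitPolicy field MUST be present",
		Citation:      "RFC 5280: 4.2.1.11",
		Source:        RFC5280,
		EffectiveDate: util.RFC2459Date,
		Lint:          &policyConstraintsContents{},
	})
}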