github.com/zmap/zlint@v1.1.0/lints/lint_ext_san_contains_reserved_ip.go (about) 1 package lints 2 3 /* 4 * ZLint Copyright 2018 Regents of the University of Michigan 5 * 6 * Licensed under the Apache License, Version 2.0 (the "License"); you may not 7 * use this file except in compliance with the License. You may obtain a copy 8 * of the License at http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 13 * implied. See the License for the specific language governing 14 * permissions and limitations under the License. 15 */ 16 17 /************************************************ 18 BRs: 7.1.4.2.1 19 Also as of the Effective Date, the CA SHALL NOT 20 issue a certificate with an Expiry Date later than 21 1 November 2015 with a subjectAlternativeName extension 22 or Subject commonName field containing a Reserved IP 23 Address or Internal Name. 24 ************************************************/ 25 26 import ( 27 "github.com/zmap/zcrypto/x509" 28 "github.com/zmap/zlint/util" 29 ) 30 31 type SANReservedIP struct{} 32 33 func (l *SANReservedIP) Initialize() error { 34 return nil 35 } 36 37 func (l *SANReservedIP) CheckApplies(c *x509.Certificate) bool { 38 return c.NotAfter.After(util.NoReservedIP) 39 } 40 41 func (l *SANReservedIP) Execute(c *x509.Certificate) *LintResult { 42 for _, ip := range c.IPAddresses { 43 if util.IsIANAReserved(ip) { 44 return &LintResult{Status: Error} 45 } 46 } 47 48 return &LintResult{Status: Pass} 49 } 50 51 func init() { 52 RegisterLint(&Lint{ 53 Name: "e_ext_san_contains_reserved_ip", 54 Description: "Effective October 1, 2016, CAs must revoke all unexpired certificates that contains a reserved IP or internal name.", 55 Citation: "BRs: 7.1.4.2.1", 56 Source: CABFBaselineRequirements, 57 EffectiveDate: util.CABEffectiveDate, 58 Lint: &SANReservedIP{}, 59 }) 60 }