github.com/zmap/zlint@v1.1.0/lints/lint_ext_san_critical_with_subject_dn.go

github.com/zmap/zlint@v1.1.0/lints/lint_ext_san_critical_with_subject_dn.go (about)

     1  package lints
     2  
     3  /*
     4   * ZLint Copyright 2018 Regents of the University of Michigan
     5   *
     6   * Licensed under the Apache License, Version 2.0 (the "License"); you may not
     7   * use this file except in compliance with the License. You may obtain a copy
     8   * of the License at http://www.apache.org/licenses/LICENSE-2.0
     9   *
    10   * Unless required by applicable law or agreed to in writing, software
    11   * distributed under the License is distributed on an "AS IS" BASIS,
    12   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
    13   * implied. See the License for the specific language governing
    14   * permissions and limitations under the License.
    15   */
    16  
    17  /************************************************
    18  Further, if the only subject identity included in the certificate is an
    19   alternative name form (e.g., an electronic mail address), then the subject
    20   distinguished name MUST be empty (an empty sequence), and the subjectAltName
    21   extension MUST be present. If the subject field contains an empty sequence,
    22   then the issuing CA MUST include a subjectAltName extension that is marked as
    23   critical. When including the subjectAltName extension in a certificate that
    24   has a non-empty subject distinguished name, conforming CAs SHOULD mark the
    25   subjectAltName extension as non-critical.
    26  ************************************************/
    27  
    28  import (
    29  	"github.com/zmap/zcrypto/x509"
    30  	"github.com/zmap/zlint/util"
    31  )
    32  
    33  type ExtSANCriticalWithSubjectDN struct{}
    34  
    35  func (l *ExtSANCriticalWithSubjectDN) Initialize() error {
    36  	return nil
    37  }
    38  
    39  func (l *ExtSANCriticalWithSubjectDN) CheckApplies(cert *x509.Certificate) bool {
    40  	return util.IsExtInCert(cert, util.SubjectAlternateNameOID)
    41  }
    42  
    43  func (l *ExtSANCriticalWithSubjectDN) Execute(cert *x509.Certificate) *LintResult {
    44  	san := util.GetExtFromCert(cert, util.SubjectAlternateNameOID)
    45  	if san.Critical && util.NotAllNameFieldsAreEmpty(&cert.Subject) {
    46  		return &LintResult{Status: Warn}
    47  	}
    48  	return &LintResult{Status: Pass}
    49  }
    50  
    51  func init() {
    52  	RegisterLint(&Lint{
    53  		Name:          "w_ext_san_critical_with_subject_dn",
    54  		Description:   "If the subject contains a distinguished name, subjectAlternateName SHOULD be non-critical",
    55  		Citation:      "RFC 5280: 4.2.1.6",
    56  		Source:        CABFBaselineRequirements,
    57  		EffectiveDate: util.RFC5280Date,
    58  		Lint:          &ExtSANCriticalWithSubjectDN{},
    59  	})
    60  }