github.com/zmap/zlint@v1.1.0/lints/lint_ext_san_empty_name.go

github.com/zmap/zlint@v1.1.0/lints/lint_ext_san_empty_name.go (about)

     1  package lints
     2  
     3  /*
     4   * ZLint Copyright 2018 Regents of the University of Michigan
     5   *
     6   * Licensed under the Apache License, Version 2.0 (the "License"); you may not
     7   * use this file except in compliance with the License. You may obtain a copy
     8   * of the License at http://www.apache.org/licenses/LICENSE-2.0
     9   *
    10   * Unless required by applicable law or agreed to in writing, software
    11   * distributed under the License is distributed on an "AS IS" BASIS,
    12   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
    13   * implied. See the License for the specific language governing
    14   * permissions and limitations under the License.
    15   */
    16  
    17  /******************************************************************
    18  RFC 5280: 4.2.1.6
    19  If the subjectAltName extension is present, the sequence MUST contain
    20  at least one entry.  Unlike the subject field, conforming CAs MUST
    21  NOT issue certificates with subjectAltNames containing empty
    22  GeneralName fields.  For example, an rfc822Name is represented as an
    23  IA5String.  While an empty string is a valid IA5String, such an
    24  rfc822Name is not permitted by this profile.  The behavior of clients
    25  that encounter such a certificate when processing a certification
    26  path is not defined by this profile.
    27  ******************************************************************/
    28  
    29  import (
    30  	"encoding/asn1"
    31  
    32  	"github.com/zmap/zcrypto/x509"
    33  	"github.com/zmap/zlint/util"
    34  )
    35  
    36  type SANEmptyName struct{}
    37  
    38  func (l *SANEmptyName) Initialize() error {
    39  	return nil
    40  }
    41  
    42  func (l *SANEmptyName) CheckApplies(c *x509.Certificate) bool {
    43  	return util.IsExtInCert(c, util.SubjectAlternateNameOID)
    44  }
    45  
    46  func (l *SANEmptyName) Execute(c *x509.Certificate) *LintResult {
    47  	value := util.GetExtFromCert(c, util.SubjectAlternateNameOID).Value
    48  	var seq asn1.RawValue
    49  	if _, err := asn1.Unmarshal(value, &seq); err != nil {
    50  		return &LintResult{Status: Fatal}
    51  	}
    52  	if !seq.IsCompound || seq.Tag != 16 || seq.Class != 0 {
    53  		return &LintResult{Status: Fatal}
    54  	}
    55  
    56  	rest := seq.Bytes
    57  	for len(rest) > 0 {
    58  		var v asn1.RawValue
    59  		var err error
    60  		rest, err = asn1.Unmarshal(rest, &v)
    61  		if err != nil {
    62  			return &LintResult{Status: NA}
    63  		}
    64  		if len(v.Bytes) == 0 {
    65  			return &LintResult{Status: Error}
    66  		}
    67  	}
    68  	return &LintResult{Status: Pass}
    69  }
    70  
    71  func init() {
    72  	RegisterLint(&Lint{
    73  		Name:          "e_ext_san_empty_name",
    74  		Description:   "General name fields MUST NOT be empty in subjectAlternateNames",
    75  		Citation:      "RFC 5280: 4.2.1.6",
    76  		Source:        RFC5280,
    77  		EffectiveDate: util.RFC2459Date,
    78  		Lint:          &SANEmptyName{},
    79  	})
    80  }