
     1  package lints
     2  
     3  /*
     4   * ZLint Copyright 2018 Regents of the University of Michigan
     5   *
     6   * Licensed under the Apache License, Version 2.0 (the "License"); you may not
     7   * use this file except in compliance with the License. You may obtain a copy
     8   * of the License at http://www.apache.org/licenses/LICENSE-2.0
     9   *
    10   * Unless required by applicable law or agreed to in writing, software
    11   * distributed under the License is distributed on an "AS IS" BASIS,
    12   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
    13   * implied. See the License for the specific language governing
    14   * permissions and limitations under the License.
    15   */
    16  
    17  /************************************************
    18     To facilitate certification path construction, this extension MUST
    19     appear in all conforming CA certificates, that is, all certificates
    20     including the basic constraints extension (Section 4.2.1.9) where the
    21     value of cA is TRUE.  In conforming CA certificates, the value of the
    22     subject key identifier MUST be the value placed in the key identifier
    23     field of the authority key identifier extension (Section 4.2.1.1) of
    24     certificates issued by the subject of this certificate.  Applications
    25     are not required to verify that key identifiers match when performing
    26     certification path validation.
    27     ...
    28     For end entity certificates, the subject key identifier extension provides
    29     a means for identifying certificates containing the particular public key
    30     used in an application. Where an end entity has obtained multiple certificates,
    31     especially from multiple CAs, the subject key identifier provides a means to
    32     quickly identify the set of certificates containing a particular public key.
    33     To assist applications in identifying the appropriate end entity certificate,
    34     this extension SHOULD be included in all end entity certificates.
    35  ************************************************/
    36  
    37  import (
    38  	"github.com/zmap/zcrypto/x509"
    39  	"github.com/zmap/zlint/util"
    40  )
    41  
// subjectKeyIdMissingCA is the lint for RFC 5280 §4.2.1.2's requirement that
// every CA certificate carry a Subject Key Identifier extension. It holds no
// state; all work happens per-certificate in CheckApplies and Execute.
type subjectKeyIdMissingCA struct{}
    43  
// Initialize satisfies the lint interface; this lint needs no setup, so it
// always returns nil.
func (l *subjectKeyIdMissingCA) Initialize() error {
	return nil
}
    47  
// CheckApplies limits this lint to CA certificates. RFC 5280 makes the
// Subject Key Identifier a MUST only for CA certificates (cA=TRUE in basic
// constraints); for end-entity certificates it is merely a SHOULD, so they are
// out of scope here. The exact CA test is delegated to util.IsCACert.
func (l *subjectKeyIdMissingCA) CheckApplies(cert *x509.Certificate) bool {
	isCA := util.IsCACert(cert)
	return isCA
}
    51  
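// Execute returns Error when the CA certificate lacks a Subject Key Identifier
// extension and Pass when the extension is present.
//
// Only presence is checked. The second MUST in RFC 5280 §4.2.1.2 — that the
// value equal the key identifier in the AKI of certificates this CA issues —
// cannot be verified from a single certificate and is not checked here, nor is
// the content of the extension inspected in any way.
func (l *subjectKeyIdMissingCA) Execute(cert *x509.Certificate) *LintResult {
	// Guard clause first so the happy path is the fall-through.
	if !util.IsExtInCert(cert, util.SubjectKeyIdentityOID) {
		return &LintResult{Status: Error}
	}
	return &LintResult{Status: Pass}
}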
    59  
// init registers the lint with the package registry. The `e_` name prefix
// matches the Error status Execute reports on failure. EffectiveDate is the
// RFC 2459 date even though the citation is RFC 5280 — presumably because the
// requirement already existed in RFC 2459; confirm against that RFC if the
// date matters for a given certificate.
func init() {
	lint := &Lint{
		Name:          "e_ext_subject_key_identifier_missing_ca",
		Description:   "CAs MUST include a Subject Key Identifier in all CA certificates",
		Citation:      "RFC 5280: 4.2 & 4.2.1.2",
		Source:        RFC5280,
		EffectiveDate: util.RFC2459Date,
		Lint:          &subjectKeyIdMissingCA{},
	}
	RegisterLint(lint)
}