/*
 * ZLint Copyright 2019 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
 * of the License at http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
 * implied. See the License for the specific language governing
 * permissions and limitations under the License.
 */

package lints

import (
	"fmt"

	"github.com/zmap/zcrypto/x509"
	"github.com/zmap/zlint/util"
)

// maxOnionValidityMonths is the longest validity period, in months, that
// Ballot 144 permits for a certificate whose Domain Name has .onion as its
// right-most label: "CAs MUST NOT issue a Certificate that includes a Domain
// Name where .onion is in the right-most label of the Domain Name with a
// validity period longer than 15 months".
const maxOnionValidityMonths = 15

// torValidityTooLarge is the lint that flags .onion subscriber certificates
// whose validity period is longer than maxOnionValidityMonths.
type torValidityTooLarge struct{}

// Initialize has nothing to set up for this lint and always returns nil.
func (l *torValidityTooLarge) Initialize() error {
	return nil
}

// CheckApplies reports whether the lint should run on c: c must be a
// subscriber certificate and must carry a subject name in the .onion TLD.
func (l *torValidityTooLarge) CheckApplies(c *x509.Certificate) bool {
	if !util.IsSubscriberCert(c) {
		return false
	}
	return util.CertificateSubjInTLD(c, onionTLD)
}

// Execute returns an Error result when c.NotAfter lies strictly after
// c.NotBefore plus maxOnionValidityMonths, and a Pass result otherwise; a
// NotAfter exactly equal to the bound passes.
//
// The bound is computed with time.Time.AddDate, which normalizes a day that
// does not exist in the target month (for example a NotBefore of January 31
// yields a bound of May 1 rather than April 30), so the accepted window can
// be a day wider than a strict calendar-month reading would give.
func (l *torValidityTooLarge) Execute(c *x509.Certificate) *LintResult {
	// Latest NotAfter that still fits inside the allowed validity window.
	latestAllowed := c.NotBefore.AddDate(0, maxOnionValidityMonths, 0)
	if c.NotAfter.After(latestAllowed) {
		return &LintResult{Status: Error}
	}
	return &LintResult{Status: Pass}
}

// init registers the lint with the global lint registry so that it runs as
// part of the standard lint set.
func init() {
	lint := &Lint{
		Name: "e_onion_subject_validity_time_too_large",
		Description: fmt.Sprintf(
			"certificates with .onion names can not be valid for more than %d months",
			maxOnionValidityMonths),
		Citation:      "CABF EV Guidelines: Appendix F",
		Source:        CABFEVGuidelines,
		EffectiveDate: util.OnionOnlyEVDate,
		Lint:          &torValidityTooLarge{},
	}
	RegisterLint(lint)
}