github.com/zmap/zlint@v1.1.0/lints/lint_path_len_constraint_zero_or_less.go (about) 1 package lints 2 3 /* 4 * ZLint Copyright 2018 Regents of the University of Michigan 5 * 6 * Licensed under the Apache License, Version 2.0 (the "License"); you may not 7 * use this file except in compliance with the License. You may obtain a copy 8 * of the License at http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 13 * implied. See the License for the specific language governing 14 * permissions and limitations under the License. 15 */ 16 17 /******************************************************************** 18 The pathLenConstraint field is meaningful only if the cA boolean is 19 asserted and the key usage extension, if present, asserts the 20 keyCertSign bit (Section 4.2.1.3). In this case, it gives the 21 maximum number of non-self-issued intermediate certificates that may 22 follow this certificate in a valid certification path. (Note: The 23 last certificate in the certification path is not an intermediate 24 certificate, and is not included in this limit. Usually, the last 25 certificate is an end entity certificate, but it can be a CA 26 certificate.) A pathLenConstraint of zero indicates that no non- 27 self-issued intermediate CA certificates may follow in a valid 28 certification path. Where it appears, the pathLenConstraint field 29 MUST be greater than or equal to zero. Where pathLenConstraint does 30 not appear, no limit is imposed. 
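 ********************************************************************/

import (
	"encoding/asn1"

	"github.com/zmap/zcrypto/x509"
	"github.com/zmap/zlint/util"
)

// basicConst is the shape encoding/asn1 decodes the raw BasicConstraints
// extension value into. Both fields are tagged optional because either
// may be absent from the encoding; an absent pathLenConstraint decodes as
// the zero value, which this lint treats as "no limit imposed".
type basicConst struct {
	CA                bool `asn1:"optional"`
	PathLenConstraint int  `asn1:"optional"`
}

// pathLenNonPositive checks that a pathLenConstraint, where it appears,
// is not negative (RFC 5280 §4.2.1.9). The extension is decoded from its
// raw DER value rather than read from the parsed certificate's fields —
// presumably so a negative INTEGER is seen as encoded rather than as
// whatever the certificate parser normalised it to.
type pathLenNonPositive struct {
}

// Initialize has no state to set up.
func (l *pathLenNonPositive) Initialize() error {
	return nil
}

// CheckApplies limits the lint to certificates whose BasicConstraints
// extension was parsed successfully by the certificate parser.
func (l *pathLenNonPositive) CheckApplies(cert *x509.Certificate) bool {
	return cert.BasicConstraintsValid
}

// Execute decodes the BasicConstraints extension and reports Error when
// pathLenConstraint is negative, Fatal when the extension cannot be
// located or decoded, and Pass otherwise. An absent pathLenConstraint
// decodes as 0 and therefore passes, matching the RFC text.
func (l *pathLenNonPositive) Execute(cert *x509.Certificate) *LintResult {
	ext := util.GetExtFromCert(cert, util.BasicConstOID)
	// CheckApplies should guarantee the extension is present, but this
	// lint runs over untrusted certificates and GetExtFromCert's behaviour
	// for a missing OID is not visible here; guard the dereference rather
	// than let a malformed input panic the whole run.
	if ext == nil {
		return &LintResult{Status: Fatal}
	}

	var bc basicConst
	// NOTE(review): the trailing-bytes result of Unmarshal is discarded,
	// so data after the SEQUENCE is not rejected by this lint. If that
	// should be an error it belongs in a separate encoding lint — confirm.
	if _, err := asn1.Unmarshal(ext.Value, &bc); err != nil {
		return &LintResult{Status: Fatal}
	}
	if bc.PathLenConstraint < 0 {
		return &LintResult{Status: Error}
	}
	return &LintResult{Status: Pass}
}

// init registers the lint. Note that despite the registered name
// ("zero_or_less"), a pathLenConstraint of zero is permitted by the RFC
// and passes; only a negative value is reported, as the description says.
func init() {
	RegisterLint(&Lint{
		Name:          "e_path_len_constraint_zero_or_less",
		Description:   "Where it appears, the pathLenConstraint field MUST be greater than or equal to zero",
		Citation:      "RFC 5280: 4.2.1.9",
		Source:        RFC5280,
		EffectiveDate: util.RFC2459Date,
		Lint:          &pathLenNonPositive{},
	})
}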