/*
 * ZLint Copyright 2019 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
 * of the License at http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
 * implied. See the License for the specific language governing
 * permissions and limitations under the License.
 */

package lints

import (
	"fmt"

	"github.com/zmap/zcrypto/x509"
	"github.com/zmap/zlint/util"
)

const (
	// onionTLD is the top-level domain reserved for Tor Hidden Services.
	onionTLD = ".onion"
)

// onionNotEV flags subscriber certificates that name a .onion domain without
// carrying an EV policy identifier.
type onionNotEV struct{}

// Initialize is a no-op: the lint keeps no state between certificates.
func (l *onionNotEV) Initialize() error {
	return nil
}

// CheckApplies reports whether c is a subscriber certificate with at least one
// subject name in the .onion TLD. The name matching itself (which of SAN
// dNSNames / commonName are inspected, and how case is handled) lives in
// util.CertificateSubjInTLD, not here — confirm against util if that matters
// for a caller.
func (l *onionNotEV) CheckApplies(c *x509.Certificate) bool {
	// Keep the short-circuit: the TLD scan only runs for subscriber certs.
	if !util.IsSubscriberCert(c) {
		return false
	}
	return util.CertificateSubjInTLD(c, onionTLD)
}

// Execute returns Pass when the certificate carries an EV policy identifier
// and an Error result otherwise. By the time Execute runs, CheckApplies has
// already established that the certificate names one or more .onion subjects,
// so the only remaining question is whether it was issued under the EV
// Guidelines.
func (l *onionNotEV) Execute(c *x509.Certificate) *LintResult {
	/*
	 * Effective May 1, 2015, each CA SHALL revoke all unexpired Certificates with an
	 * Internal Name using onion as the right-most label in an entry in the
	 * subjectAltName Extension or commonName field unless such Certificate was
	 * issued in accordance with Appendix F of the EV Guidelines.
	 */
	// EV status is decided solely from the certificate's policy OIDs.
	if util.IsEV(c.PolicyIdentifiers) {
		return &LintResult{Status: Pass}
	}
	details := fmt.Sprintf(
		"certificate contains one or more %s subject domains but is not an EV certificate",
		onionTLD)
	return &LintResult{Status: Error, Details: details}
}

// init registers the lint with the global registry; it becomes effective on
// util.OnionOnlyEVDate, the date from which CABF Ballot 144 applies.
func init() {
	RegisterLint(&Lint{
		Name:          "e_san_dns_name_onion_not_ev_cert",
		Description:   "certificates with a .onion subject name must be issued in accordance with EV Guidelines",
		Citation:      "CABF Ballot 144",
		Source:        CABFBaselineRequirements,
		EffectiveDate: util.OnionOnlyEVDate,
		Lint:          &onionNotEV{},
	})
}