github.com/zmap/zlint@v1.1.0/lints/lint_sub_cert_eku_extra_values.go

github.com/zmap/zlint@v1.1.0/lints/lint_sub_cert_eku_extra_values.go (about)

     1  package lints
     2  
     3  /*
     4   * ZLint Copyright 2018 Regents of the University of Michigan
     5   *
     6   * Licensed under the Apache License, Version 2.0 (the "License"); you may not
     7   * use this file except in compliance with the License. You may obtain a copy
     8   * of the License at http://www.apache.org/licenses/LICENSE-2.0
     9   *
    10   * Unless required by applicable law or agreed to in writing, software
    11   * distributed under the License is distributed on an "AS IS" BASIS,
    12   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
    13   * implied. See the License for the specific language governing
    14   * permissions and limitations under the License.
    15   */
    16  
    17  /*******************************************************************************************************
    18  BRs: 7.1.2.3
    19  extKeyUsage (required)
    20  Either the value id-kp-serverAuth [RFC5280] or id-kp-clientAuth [RFC5280] or both values MUST be present. id-kp-emailProtection [RFC5280] MAY be present. Other values SHOULD NOT be present.
    21  *******************************************************************************************************/
    22  
    23  import (
    24  	"github.com/zmap/zcrypto/x509"
    25  	"github.com/zmap/zlint/util"
    26  )
    27  
    28  type subExtKeyUsageLegalUsage struct{}
    29  
    30  func (l *subExtKeyUsageLegalUsage) Initialize() error {
    31  	return nil
    32  }
    33  
    34  func (l *subExtKeyUsageLegalUsage) CheckApplies(c *x509.Certificate) bool {
    35  	return util.IsSubscriberCert(c) && c.ExtKeyUsage != nil
    36  }
    37  
    38  func (l *subExtKeyUsageLegalUsage) Execute(c *x509.Certificate) *LintResult {
    39  	// Add actual lint here
    40  	for _, kp := range c.ExtKeyUsage {
    41  		if kp == x509.ExtKeyUsageServerAuth ||
    42  			kp == x509.ExtKeyUsageClientAuth ||
    43  			kp == x509.ExtKeyUsageEmailProtection {
    44  			// If we find any of these three, considered passing, continue
    45  			continue
    46  		} else {
    47  			// A bad usage was found, report and leave
    48  			return &LintResult{Status: Warn}
    49  		}
    50  	}
    51  	// If no bad usage was found, pass
    52  	return &LintResult{Status: Pass}
    53  }
    54  
    55  func init() {
    56  	RegisterLint(&Lint{
    57  		Name:          "w_sub_cert_eku_extra_values",
    58  		Description:   "Subscriber Certificate: extKeyUsage values other than id-kp-serverAuth, id-kp-clientAuth, and id-kp-emailProtection SHOULD NOT be present.",
    59  		Citation:      "BRs: 7.1.2.3",
    60  		Source:        CABFBaselineRequirements,
    61  		EffectiveDate: util.CABEffectiveDate,
    62  		Lint:          &subExtKeyUsageLegalUsage{},
    63  	})
    64  }