github.com/zmap/zlint@v1.1.0/lints/lint_sub_cert_sha1_expiration_too_long.go

github.com/zmap/zlint@v1.1.0/lints/lint_sub_cert_sha1_expiration_too_long.go (about)

     1  package lints
     2  
     3  /*
     4   * ZLint Copyright 2018 Regents of the University of Michigan
     5   *
     6   * Licensed under the Apache License, Version 2.0 (the "License"); you may not
     7   * use this file except in compliance with the License. You may obtain a copy
     8   * of the License at http://www.apache.org/licenses/LICENSE-2.0
     9   *
    10   * Unless required by applicable law or agreed to in writing, software
    11   * distributed under the License is distributed on an "AS IS" BASIS,
    12   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
    13   * implied. See the License for the specific language governing
    14   * permissions and limitations under the License.
    15   */
    16  
    17  /***************************************************************************************************************
    18  Effective 16 January 2015, CAs SHOULD NOT issue Subscriber Certificates utilizing the SHA‐1 algorithm with
    19  an Expiry Date greater than 1 January 2017 because Application Software Providers are in the process of
    20  deprecating and/or removing the SHA‐1 algorithm from their software, and they have communicated that
    21  CAs and Subscribers using such certificates do so at their own risk.
    22  ****************************************************************************************************************/
    23  
    24  import (
    25  	"time"
    26  
    27  	"github.com/zmap/zcrypto/x509"
    28  	"github.com/zmap/zlint/util"
    29  )
    30  
    31  type sha1ExpireLong struct{}
    32  
    33  func (l *sha1ExpireLong) Initialize() error {
    34  	return nil
    35  }
    36  
    37  func (l *sha1ExpireLong) CheckApplies(c *x509.Certificate) bool {
    38  	return !util.IsCACert(c) && (c.SignatureAlgorithm == x509.SHA1WithRSA ||
    39  		c.SignatureAlgorithm == x509.DSAWithSHA1 ||
    40  		c.SignatureAlgorithm == x509.ECDSAWithSHA1)
    41  }
    42  
    43  func (l *sha1ExpireLong) Execute(c *x509.Certificate) *LintResult {
    44  	if c.NotAfter.After(time.Date(2017, time.January, 1, 0, 0, 0, 0, time.UTC)) {
    45  		return &LintResult{Status: Warn}
    46  	} else {
    47  		return &LintResult{Status: Pass}
    48  	}
    49  }
    50  
    51  func init() {
    52  	RegisterLint(&Lint{
    53  		Name:          "w_sub_cert_sha1_expiration_too_long",
    54  		Description:   "Subscriber certificates using the SHA-1 algorithm SHOULD NOT have an expiration date later than 1 Jan 2017",
    55  		Citation:      "BRs: 7.1.3",
    56  		Source:        CABFBaselineRequirements,
    57  		EffectiveDate: time.Date(2015, time.January, 16, 0, 0, 0, 0, time.UTC),
    58  		Lint:          &sha1ExpireLong{},
    59  	})
    60  }