github.com/zmap/zlint@v1.1.0/lints/lint_tbs_signature_rsa_encryption_parameter_not_null.go

github.com/zmap/zlint@v1.1.0/lints/lint_tbs_signature_rsa_encryption_parameter_not_null.go (about)

     1  package lints
     2  
     3  /*
     4   * ZLint Copyright 2019 Regents of the University of Michigan
     5   *
     6   * Licensed under the Apache License, Version 2.0 (the "License"); you may not
     7   * use this file except in compliance with the License. You may obtain a copy
     8   * of the License at http://www.apache.org/licenses/LICENSE-2.0
     9   *
    10   * Unless required by applicable law or agreed to in writing, software
    11   * distributed under the License is distributed on an "AS IS" BASIS,
    12   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
    13   * implied. See the License for the specific language governing
    14   * permissions and limitations under the License.
    15   */
    16  
    17  /*******************************************************************************************************
    18  "RFC5280: RFC 4055, Section 5"
    19  RSA: Encoded algorithm identifier MUST have NULL parameters.
    20  *******************************************************************************************************/
    21  
    22  import (
    23  	"fmt"
    24  
    25  	"github.com/zmap/zcrypto/x509"
    26  	"github.com/zmap/zlint/util"
    27  	"golang.org/x/crypto/cryptobyte"
    28  	cryptobyte_asn1 "golang.org/x/crypto/cryptobyte/asn1"
    29  )
    30  
    31  type rsaTBSSignatureEncryptionParamNotNULL struct{}
    32  
    33  func (l *rsaTBSSignatureEncryptionParamNotNULL) Initialize() error {
    34  	return nil
    35  }
    36  
    37  func (l *rsaTBSSignatureEncryptionParamNotNULL) CheckApplies(c *x509.Certificate) bool {
    38  	_, ok := util.RSAAlgorithmIDToDER[c.SignatureAlgorithmOID.String()]
    39  	return ok
    40  }
    41  
    42  func (l *rsaTBSSignatureEncryptionParamNotNULL) Execute(c *x509.Certificate) *LintResult {
    43  	input := cryptobyte.String(c.RawTBSCertificate)
    44  
    45  	var tbsCert cryptobyte.String
    46  	if !input.ReadASN1(&tbsCert, cryptobyte_asn1.SEQUENCE) {
    47  		return &LintResult{Status: Fatal, Details: "error reading tbsCertificate"}
    48  	}
    49  
    50  	if !tbsCert.SkipOptionalASN1(cryptobyte_asn1.Tag(0).Constructed().ContextSpecific()) {
    51  		return &LintResult{Status: Fatal, Details: "error reading tbsCertificate.version"}
    52  	}
    53  
    54  	if !tbsCert.SkipASN1(cryptobyte_asn1.INTEGER) {
    55  		return &LintResult{Status: Fatal, Details: "error reading tbsCertificate.serialNumber"}
    56  	}
    57  
    58  	var signatureAlgoID cryptobyte.String
    59  	var tag cryptobyte_asn1.Tag
    60  	// use ReadAnyElement to preserve tag and length octets
    61  	if !tbsCert.ReadAnyASN1Element(&signatureAlgoID, &tag) {
    62  		return &LintResult{Status: Fatal, Details: "error reading tbsCertificate.signature"}
    63  	}
    64  
    65  	if err := util.CheckAlgorithmIDParamNotNULL(signatureAlgoID, c.SignatureAlgorithmOID); err != nil {
    66  		return &LintResult{Status: Error, Details: fmt.Sprintf("certificate tbsCertificate.signature %s", err.Error())}
    67  	}
    68  
    69  	return &LintResult{Status: Pass}
    70  }
    71  
    72  func init() {
    73  	RegisterLint(&Lint{
    74  		Name:          "e_tbs_signature_rsa_encryption_parameter_not_null",
    75  		Description:   "RSA: Encoded signature algorithm identifier MUST have NULL parameters",
    76  		Citation:      "RFC 4055, Section 5",
    77  		Source:        RFC5280, // RFC4055 is referenced in RFC5280, Section 1
    78  		EffectiveDate: util.RFC5280Date,
    79  		Lint:          &rsaTBSSignatureEncryptionParamNotNULL{},
    80  	})
    81  }