File: lint_eku_critical_improperly.go

package info (click to toggle)
golang-github-zmap-zlint 3.6.2-4
  • links: PTS, VCS
  • area: main
  • in suites: forky, sid, trixie
  • size: 10,008 kB
  • sloc: sh: 162; makefile: 38
file content (69 lines) | stat: -rw-r--r-- 2,422 bytes parent folder | download 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
 
package rfc

/*
 * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
 * of the License at http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
 * implied. See the License for the specific language governing
 * permissions and limitations under the License.
 */

import (
	"github.com/zmap/zcrypto/x509"
	"github.com/zmap/zlint/v3/lint"
	"github.com/zmap/zlint/v3/util"
)

type ekuBadCritical struct{}

/************************************************
RFC 5280: 4.2.1.12
If a CA includes extended key usages to satisfy such applications,
   but does not wish to restrict usages of the key, the CA can include
   the special KeyPurposeId anyExtendedKeyUsage in addition to the
   particular key purposes required by the applications.  Conforming CAs
   SHOULD NOT mark this extension as critical if the anyExtendedKeyUsage
   KeyPurposeId is present.  Applications that require the presence of a
   particular purpose MAY reject certificates that include the
   anyExtendedKeyUsage OID but not the particular OID expected for the
   application.
************************************************/

func init() {
	lint.RegisterCertificateLint(&lint.CertificateLint{
		LintMetadata: lint.LintMetadata{
			Name:          "w_eku_critical_improperly",
			Description:   "Conforming CAs SHOULD NOT mark extended key usage extension as critical if the anyExtendedKeyUsage KeyPurposedID is present",
			Citation:      "RFC 5280: 4.2.1.12",
			Source:        lint.RFC5280,
			EffectiveDate: util.RFC3280Date,
		},
		Lint: NewEkuBadCritical,
	})
}

func NewEkuBadCritical() lint.LintInterface {
	return &ekuBadCritical{}
}

func (l *ekuBadCritical) CheckApplies(c *x509.Certificate) bool {
	return util.IsExtInCert(c, util.EkuSynOid)
}

func (l *ekuBadCritical) Execute(c *x509.Certificate) *lint.LintResult {
	if e := util.GetExtFromCert(c, util.EkuSynOid); e.Critical {
		for _, single_use := range c.ExtKeyUsage {
			if single_use == x509.ExtKeyUsageAny {
				return &lint.LintResult{Status: lint.Warn}
			}
		}
	}

	return &lint.LintResult{Status: lint.Pass}
}