package rfc
/*
* ZLint Copyright 2024 Regents of the University of Michigan
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy
* of the License at http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
* implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v3/lint"
"github.com/zmap/zlint/v3/util"
)
// nameConstMin is the stateless receiver for the
// e_name_constraint_minimum_non_zero lint; all behaviour lives in its methods.
type nameConstMin struct{}
/************************************************************************
RFC 5280: 4.2.1.10
Within this profile, the minimum and maximum fields are not used with
any name forms, thus, the minimum MUST be zero, and maximum MUST be
absent. However, if an application encounters a critical name
constraints extension that specifies other values for minimum or
maximum for a name form that appears in a subsequent certificate, the
application MUST either process these fields or reject the
certificate.
************************************************************************/
// init registers this lint with the global certificate-lint registry when the
// package is loaded. The metadata is built first and then handed to the
// registration call; nothing else is touched at init time.
//
// NOTE(review): the citation is RFC 5280 but the effective date is the
// RFC 2459 date — presumably because the requirement already existed in the
// earlier profile; confirm that is intentional.
func init() {
	metadata := lint.LintMetadata{
		Name:          "e_name_constraint_minimum_non_zero",
		Description:   "Within the name constraints name forms, the minimum field is not used and therefore MUST be zero",
		Citation:      "RFC 5280: 4.2.1.10",
		Source:        lint.RFC5280,
		EffectiveDate: util.RFC2459Date,
	}
	lint.RegisterCertificateLint(&lint.CertificateLint{
		LintMetadata: metadata,
		Lint:         NewNameConstMin,
	})
}
// NewNameConstMin is the constructor the registry calls to obtain a fresh
// lint instance. The receiver carries no state, so every call returns an
// independent but equivalent value.
func NewNameConstMin() lint.LintInterface {
	return new(nameConstMin)
}
// CheckApplies reports whether the lint is relevant to c: it is, exactly when
// the certificate carries a name constraints extension. Criticality of the
// extension is not considered here; the RFC text applies to the fields
// regardless.
func (l *nameConstMin) CheckApplies(c *x509.Certificate) bool {
	hasNameConstraints := util.IsExtInCert(c, util.NameConstOID)
	return hasNameConstraints
}
// Execute walks every permitted and excluded GeneralSubtree that the parser
// surfaced on the certificate and fails the lint as soon as one of them
// carries a non-zero minimum. RFC 5280 4.2.1.10 requires the minimum to be
// zero for every name form; a relying party that meets a non-zero minimum in
// a critical name constraints extension must either process it or reject the
// certificate, so an issuer that emits one risks inconsistent path
// validation across clients.
//
// Only the minimum field is inspected here. The maximum field is not
// examined by this lint (NOTE(review): presumably covered by a sibling lint —
// confirm).
//
// NOTE(review): uniformResourceIdentifier subtrees (GeneralName tag 6) are
// not iterated below; if the parsed certificate exposes them as separate
// fields, a non-zero minimum on a URI subtree would currently go unreported —
// confirm against the x509.Certificate type.
//
// Returns lint.Error on the first offending subtree, otherwise lint.Pass.
//
//nolint:gocyclo
//nolint:cyclop
func (l *nameConstMin) Execute(c *x509.Certificate) *lint.LintResult {
	// Hoisted so every early exit hands back the same result value.
	violation := &lint.LintResult{Status: lint.Error}

	// dNSName (tag 2)
	for _, subtree := range c.PermittedDNSNames {
		if subtree.Min == 0 {
			continue
		}
		return violation
	}
	for _, subtree := range c.ExcludedDNSNames {
		if subtree.Min == 0 {
			continue
		}
		return violation
	}

	// rfc822Name (tag 1)
	for _, subtree := range c.PermittedEmailAddresses {
		if subtree.Min == 0 {
			continue
		}
		return violation
	}
	for _, subtree := range c.ExcludedEmailAddresses {
		if subtree.Min == 0 {
			continue
		}
		return violation
	}

	// iPAddress (tag 7)
	for _, subtree := range c.PermittedIPAddresses {
		if subtree.Min == 0 {
			continue
		}
		return violation
	}
	for _, subtree := range c.ExcludedIPAddresses {
		if subtree.Min == 0 {
			continue
		}
		return violation
	}

	// directoryName (tag 4)
	for _, subtree := range c.PermittedDirectoryNames {
		if subtree.Min == 0 {
			continue
		}
		return violation
	}
	for _, subtree := range c.ExcludedDirectoryNames {
		if subtree.Min == 0 {
			continue
		}
		return violation
	}

	// ediPartyName (tag 5)
	for _, subtree := range c.PermittedEdiPartyNames {
		if subtree.Min == 0 {
			continue
		}
		return violation
	}
	for _, subtree := range c.ExcludedEdiPartyNames {
		if subtree.Min == 0 {
			continue
		}
		return violation
	}

	// registeredID (tag 8)
	for _, subtree := range c.PermittedRegisteredIDs {
		if subtree.Min == 0 {
			continue
		}
		return violation
	}
	for _, subtree := range c.ExcludedRegisteredIDs {
		if subtree.Min == 0 {
			continue
		}
		return violation
	}

	// x400Address (tag 3)
	for _, subtree := range c.PermittedX400Addresses {
		if subtree.Min == 0 {
			continue
		}
		return violation
	}
	for _, subtree := range c.ExcludedX400Addresses {
		if subtree.Min == 0 {
			continue
		}
		return violation
	}

	// No subtree of any inspected name form carried a non-zero minimum.
	return &lint.LintResult{Status: lint.Pass}
}