Add lint to check that the countryName attribute (C) is in uppercase (#…
…859)

* Add files via upload

* Add files via upload

* Add files via upload

* Add files via upload

* Update lint_invalid_subject_rdn_order_test.go

Added //nolint:all to the comment block to stop golangci-lint from complaining about duplicate words in the comment

* Update lint_invalid_subject_rdn_order.go

Fixed import block

* Update v3/lints/cabf_br/lint_invalid_subject_rdn_order.go

Fine to me.

Co-authored-by: Christopher Henderson <chris@chenderson.org>

* Update lint_invalid_subject_rdn_order.go

As per Chris Henderson's suggestion, to "improve readability".

* Update lint_invalid_subject_rdn_order_test.go

As per Chris Henderson's suggestion.

* Update time.go

Added CABFEV_Sec9_2_8_Date

* Add files via upload

* Add files via upload

* Revised according to Chris and Corey suggestions

* Add files via upload

* Add files via upload

* Delete v3/lints/cabf_br/lint_e_invalid_cps_uri.go

* Delete v3/lints/cabf_br/lint_e_invalid_cps_uri_test.go

* Delete v3/testdata/invalid_cps_uri_ko_01.pem

* Delete v3/testdata/invalid_cps_uri_ko_02.pem

* Delete v3/testdata/invalid_cps_uri_ko_03.pem

* Delete v3/testdata/invalid_cps_uri_ok_01.pem

* Delete v3/testdata/invalid_cps_uri_ok_02.pem

* Delete v3/testdata/invalid_cps_uri_ok_03.pem

* Add files via upload

* Add files via upload

* Update config.json

---------

Co-authored-by: Christopher Henderson <chris@chenderson.org>
defacto64 and christopher-henderson authored Jun 23, 2024
1 parent 24d58f9 commit f7f6b51
Showing 7 changed files with 532 additions and 1 deletion.
5 changes: 4 additions & 1 deletion v3/integration/config.json
Original file line number Diff line number Diff line change
Expand Up @@ -970,6 +970,9 @@
},
"e_ca_invalid_eku": {
"ErrCount": 1
}
},
"e_subj_country_not_uppercase": {
"ErrCount": 1303
}
}
}
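--- a/v3/lints/community/lint_subj_country_not_uppercase.go
+++ b/v3/lints/community/lint_subj_country_not_uppercase.go
@@ -0,0 +1,62 @@
+/*
+* ZLint Copyright 2024 Regents of the University of Michigan
+*
+* Licensed under the Apache License, Version 2.0 (the "License"); you may not
+* use this file except in compliance with the License. You may obtain a copy
+* of the License at http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+* implied. See the License for the specific language governing
+* permissions and limitations under the License.
+*/
+
+package community
+
+import (
+"github.com/zmap/zcrypto/x509"
+"github.com/zmap/zlint/v3/lint"
+"github.com/zmap/zlint/v3/util"
+
+"regexp"
+)
+
+func init() {
+lint.RegisterCertificateLint(&lint.CertificateLint{
+LintMetadata: lint.LintMetadata{
+Name: "e_subj_country_not_uppercase",
+Description: "Alpha-2 country codes shall consist of LATIN CAPITAL LETTER A through LATIN CAPITAL LETTER Z",
+Citation: "ISO 3166-2:2020(E) section 5.1",
+Source: lint.Community,
+EffectiveDate: util.ZeroDate,
+},
+Lint: NewSubjCountryNotUppercase,
+})
+}
+
+type subjCountryNotUppercase struct{}
+
+func NewSubjCountryNotUppercase() lint.LintInterface {
+return &subjCountryNotUppercase{}
+}
+
+func (l *subjCountryNotUppercase) CheckApplies(c *x509.Certificate) bool {
+return true
+}
+
+var re = regexp.MustCompile("^[A-Z]+$")
+
+func (l *subjCountryNotUppercase) Execute(c *x509.Certificate) *lint.LintResult {
+// There should be only one countryName attribute in the Subject, normally,
+// but checking this is not our business here, so let's scan them all
+for _, cc := range c.Subject.Country {
+if !re.MatchString(cc) {
+return &lint.LintResult{
+Status: lint.Error,
+Details: "Country codes must be comprised of uppercase A-Z letters",
+}
+}
+}
+return &lint.LintResult{Status: lint.Pass}
+}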
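Review bot: The package-level `var re` on the regexp line is declared in package `community`, which every community lint file shares, so any second file in the package introducing the same generic name will fail to compile; give it a lint-specific name such as `var subjCountryUppercaseRE = regexp.MustCompile("^[A-Z]+$")` and reference that in Execute. Separately, CheckApplies returns true for every certificate, so a Subject with no countryName attribute at all is reported as Pass rather than NA; `return len(c.Subject.Country) > 0` would make the result reflect whether the lint actually inspected anything. The Description promises alpha-2 codes, but `^[A-Z]+$` accepts any length; if length is deliberately left to another lint, a short comment on the regexp line saying so would prevent the mismatch from being read as a bug. The import block also lists the stdlib `regexp` after the project imports, which goimports would move into a leading stdlib group.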
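--- a/v3/lints/community/lint_subj_country_not_uppercase_test.go
+++ b/v3/lints/community/lint_subj_country_not_uppercase_test.go
@@ -0,0 +1,65 @@
+/*
+* ZLint Copyright 2024 Regents of the University of Michigan
+*
+* Licensed under the Apache License, Version 2.0 (the "License"); you may not
+* use this file except in compliance with the License. You may obtain a copy
+* of the License at http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+* implied. See the License for the specific language governing
+* permissions and limitations under the License.
+*/
+
+package community
+
+import (
+"testing"
+
+"github.com/zmap/zlint/v3/lint"
+"github.com/zmap/zlint/v3/test"
+)
+
+/*
+* Test cases:
+*
+* country_not_upcase_ok1.pem Normal
+* country_not_upcase_ko1.pem Country code is in mixed case
+* country_not_upcase_ko2.pem Country code is all lowercase
+* country_not_upcase_ko3.pem Two country codes, one OK and one bad
+*/
+
+func TestSubjCountryNotUppercase(t *testing.T) {
+type Data struct {
+input string
+want lint.LintStatus
+}
+data := []Data{
+{
+input: "country_not_upcase_ok1.pem",
+want: lint.Pass,
+},
+{
+input: "country_not_upcase_ko1.pem",
+want: lint.Error,
+},
+{
+input: "country_not_upcase_ko2.pem",
+want: lint.Error,
+},
+{
+input: "country_not_upcase_ko3.pem",
+want: lint.Error,
+},
+}
+for _, testData := range data {
+testData := testData
+t.Run(testData.input, func(t *testing.T) {
+out := test.TestLint("e_subj_country_not_uppercase", testData.input)
+if out.Status != testData.want {
+t.Errorf("expected %s, got %s", testData.want, out.Status)
+}
+})
+}
+}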
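Review bot: None of the four rows in the `data` table of TestSubjCountryNotUppercase covers a Subject with no countryName attribute, which is the boundary the lint's unconditional CheckApplies leaves open; a row pointing at an existing countryless fixture with `want: lint.Pass` would pin what that path returns today, and the fixture list in the comment block above the test would need the same entry. The test also checks only `out.Status`; since every failing fixture yields the same Details string, comparing it for one of the ko rows would catch an accidental change to the message. The `testData := testData` copy is only needed if the module's go.mod targets a Go version before 1.22, which is not visible here.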
100 changes: 100 additions & 0 deletions v3/testdata/country_not_upcase_ko1.pem
Original file line number Diff line number Diff line change
@@ -0,0 +1,100 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
9e:87:87:03:f4:da:fc:d1:1b:7a:87:12:31:89:5a:7a
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = XX, O = Some CA, CN = Fake CA for zlint testing
Validity
Not Before: Jun 17 12:54:36 2024 GMT
Not After : Jun 17 12:54:36 2025 GMT
Subject: C = de, ST = Some State or Province, L = Somewhere, O = Some Company Ltd., CN = example.org
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:d2:85:c1:2c:56:53:86:a8:67:fa:1b:79:0d:b0:
21:ec:a5:d7:cf:34:ab:f8:eb:bb:e9:a6:b7:5c:3b:
36:6a:ed:9f:1f:b2:75:f1:70:03:fb:ca:01:dc:fb:
52:aa:8d:47:65:6b:f7:b2:76:a7:0b:2b:5e:70:82:
f7:3e:58:1e:38:6e:f4:c5:e2:9b:b8:5d:9f:ad:b0:
25:13:0f:e4:19:ac:08:12:cb:bd:1d:85:f6:11:d6:
59:f8:db:a3:28:63:71:00:1d:19:38:d2:77:61:21:
14:91:45:bc:a2:f9:e5:60:64:c8:4e:9a:f8:65:2c:
09:86:77:20:ab:27:ee:b9:70:b0:35:0b:75:9b:7e:
d5:4f:a1:d9:46:ce:56:88:a3:02:2e:45:c3:84:09:
5b:b7:60:5c:83:ae:b3:d7:a7:78:b8:db:dd:e8:44:
83:70:b8:11:c8:a7:b0:75:3d:0d:f7:f6:f6:47:77:
1e:df:05:5f:fc:c7:9d:0c:cb:71:4e:e2:ad:1f:b1:
ee:aa:36:87:5a:66:5b:c0:18:c6:8a:1d:95:11:66:
10:dd:a2:12:96:7d:a8:6b:ae:06:7e:9e:2b:0e:d4:
0c:ba:63:d7:06:c8:c5:57:38:7c:c8:8a:ac:1c:b3:
a7:dc:a3:a7:4d:24:45:2a:03:98:9e:40:b7:cd:00:
e1:79
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Client Authentication, TLS Web Server Authentication
X509v3 Subject Key Identifier:
14:9E:EF:23:D5:A1:C8:38:E9:DA:B8:A9:24:8A:DE:FA:A9:D9:1D:F6
X509v3 Authority Key Identifier:
keyid:E8:B6:F6:76:4B:D0:3B:E5:46:A5:F9:54:D4:7E:07:B3:DE:0D:60:3E

Authority Information Access:
OCSP - URI:http://ca.someca-inc.com/ocsp
CA Issuers - URI:http://ca.someca-inc.com/root

X509v3 Subject Alternative Name:
DNS:example.org
X509v3 Certificate Policies:
Policy: 2.23.140.1.2.2

X509v3 CRL Distribution Points:

Full Name:
URI:http://ca.someca-inc.com/crl

Signature Algorithm: sha256WithRSAEncryption
a6:ef:ce:3a:34:72:d7:cb:55:26:fa:8f:34:3b:59:a7:c3:c5:
9d:85:be:b5:05:9e:09:e4:54:66:0e:57:4f:e8:1c:5c:c0:19:
f9:8c:f5:d4:b8:84:cc:eb:59:49:c3:db:e8:a5:e5:47:c5:35:
57:13:8e:0b:00:f2:05:c5:a3:0e:b3:87:f5:13:7f:26:79:90:
8a:46:65:57:c0:8d:3e:ab:65:cc:71:d0:b1:b4:6d:d1:63:51:
4a:ef:7b:d7:34:0c:67:52:93:c3:c7:e5:46:af:03:09:67:d3:
24:23:df:ee:cd:29:3f:a8:13:5e:8f:93:dc:8a:7d:78:39:94:
63:d9:bc:71:7b:08:1e:0f:22:61:50:9b:ad:4d:6e:26:33:6e:
83:eb:43:6d:e8:85:b7:2b:d5:40:9e:ed:36:3d:7a:f6:94:e1:
b0:c1:92:e8:e7:7f:80:2d:1a:d0:93:3c:0d:e8:39:64:ae:25:
9a:92:d7:44:06:cb:9f:4b:dd:80:fe:b6:d3:7a:ba:72:69:46:
92:4f:07:ed:4f:eb:d1:f8:b1:3e:01:26:26:a2:ba:4f:f7:11:
dd:b9:eb:36:6e:b5:02:3c:50:1e:1c:b1:c3:0d:39:5b:f7:af:
98:36:aa:02:0c:dc:c6:40:c5:6c:d8:ef:0d:87:ce:2f:9f:41:
33:2d:9d:5d
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
100 changes: 100 additions & 0 deletions v3/testdata/country_not_upcase_ko2.pem
Original file line number Diff line number Diff line change
@@ -0,0 +1,100 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
ff:3b:e5:b4:87:c4:99:76:ec:d5:a6:83:eb:10:78:02
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = XX, O = Some CA, CN = Fake CA for zlint testing
Validity
Not Before: Jun 17 12:58:42 2024 GMT
Not After : Jun 17 12:58:42 2025 GMT
Subject: C = Es, ST = Some State or Province, L = Somewhere, O = Some Company Ltd., CN = example.org
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:a9:a4:f9:fb:b5:ae:9f:61:c5:7c:af:67:b3:ae:
06:7d:0f:1e:49:f8:c8:1c:fa:52:8b:57:5d:b7:a8:
a8:bc:39:f9:89:0b:fa:e4:f1:8a:45:bc:25:e6:b7:
9b:c6:e4:95:9e:a3:59:01:1b:d7:f6:f3:b2:3f:14:
e0:2a:88:68:00:5a:29:00:9f:6a:5a:f8:b6:14:56:
9b:5b:f6:2f:2a:ac:04:d3:e2:b7:1e:b0:92:b3:56:
ce:34:75:19:76:50:fd:4e:51:53:d5:83:76:09:d5:
24:54:de:7c:20:3e:60:2c:c8:4f:8d:6e:a7:50:71:
ca:15:27:5e:fe:f2:f0:ca:a0:6a:c1:9e:03:f3:05:
16:69:37:cf:84:60:8c:2b:10:53:af:bc:c9:0b:d3:
78:c6:e6:3e:2e:48:a6:95:11:6e:78:ba:c3:61:3e:
f3:40:09:6d:b4:f0:9f:f0:f4:02:8f:84:fc:5d:cf:
c3:80:0b:22:0f:95:8a:7b:3e:d1:a1:b5:56:b6:9f:
05:e0:99:1c:6d:a6:c9:9f:f8:82:aa:3e:27:02:bc:
38:66:0f:20:07:cd:95:13:fe:d1:5a:99:e9:ff:b5:
9a:d4:b4:d3:66:a1:ee:16:dd:f2:18:ae:d2:dc:0a:
f4:54:b7:30:69:39:8b:c7:c3:77:9b:b3:1a:69:96:
78:a5
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Client Authentication, TLS Web Server Authentication
X509v3 Subject Key Identifier:
B4:94:A3:B1:62:87:63:D7:7A:77:35:EA:52:FF:FA:49:2F:F3:76:71
X509v3 Authority Key Identifier:
keyid:E8:B6:F6:76:4B:D0:3B:E5:46:A5:F9:54:D4:7E:07:B3:DE:0D:60:3E

Authority Information Access:
OCSP - URI:http://ca.someca-inc.com/ocsp
CA Issuers - URI:http://ca.someca-inc.com/root

X509v3 Subject Alternative Name:
DNS:example.org
X509v3 Certificate Policies:
Policy: 2.23.140.1.2.2

X509v3 CRL Distribution Points:

Full Name:
URI:http://ca.someca-inc.com/crl

Signature Algorithm: sha256WithRSAEncryption
26:f1:47:a3:cc:f9:cf:c2:b6:83:c4:f5:1e:74:f5:46:f5:d8:
4a:75:e5:20:cd:f2:b1:3b:f7:b7:f7:39:ff:78:09:d4:bc:c8:
4a:2b:45:8a:08:95:67:b7:9c:ca:61:65:f6:22:62:78:bd:1b:
3d:6c:2a:2f:09:4d:f1:61:6a:d2:64:a1:59:87:c2:24:74:7f:
6c:ad:f1:da:53:a7:3c:6a:2c:88:78:00:88:aa:33:51:d1:08:
19:a4:7e:37:ee:85:a6:77:7d:15:83:a1:f8:b4:2f:26:fd:b4:
f4:d0:9b:7b:15:c0:ec:7a:20:ea:fb:49:ec:7c:32:86:38:51:
c6:6b:91:9a:c8:3a:a3:15:bc:0d:b2:ac:f7:b5:f6:9b:37:94:
4d:71:2b:5a:b8:63:98:87:de:3e:a3:9a:8a:a3:12:d2:8a:f0:
30:95:d1:33:09:99:67:e9:ec:a4:4f:19:ca:7f:f1:03:42:79:
3c:52:19:b1:41:ab:b6:72:5b:2a:66:50:2c:13:dc:49:c3:26:
39:7a:36:f0:1c:d2:3e:c1:43:da:bc:52:cc:4d:c6:bd:13:01:
7e:f9:bf:d1:e5:0e:04:c8:0a:68:93:cb:f5:41:26:d3:f3:a0:
c4:65:9f:8a:e7:28:b6:11:b8:2e:b3:6c:0f:41:81:5c:26:c4:
d8:0f:fc:91
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----