Lint for CABF SMIME 7.1.2.3.h - subjectAlternativeName, all: SHALL be present (7.1.2.3.h) (#744)

christopher-henderson · web-flow · commit 08a9354f3002 · 2023-10-15T08:28:31.000-07:00
* Lint for CABF SMIME 7.1.2.3.h - subjectAlternativeName, all: SHALL be present (7.1.2.3.h)

* not exporting
diff --git a/v3/lints/cabf_smime_br/lint_san_shall_be_present.go b/v3/lints/cabf_smime_br/lint_san_shall_be_present.go
@@ -0,0 +1,53 @@
+/*
+ * ZLint Copyright 2023 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+package cabf_smime_br
+
+import (
+	"github.com/zmap/zcrypto/x509"
+	"github.com/zmap/zlint/v3/lint"
+	"github.com/zmap/zlint/v3/util"
+)
+
+func init() {
+	lint.RegisterLint(&lint.Lint{
+		Name:          "e_san_shall_be_present",
+		Description:   "Subject alternative name SHALL be present",
+		Citation:      "7.1.2.3.h",
+		Source:        lint.CABFSMIMEBaselineRequirements,
+		EffectiveDate: util.CABF_SMIME_BRs_1_0_0_Date,
+		Lint:          NewSubjectAlternativeNameShallBePresent,
+	})
+}
+
+type subjectAlternativeNameShallBePresent struct{}
+
+func NewSubjectAlternativeNameShallBePresent() lint.LintInterface {
+	return &subjectAlternativeNameShallBePresent{}
+}
+
+func (l *subjectAlternativeNameShallBePresent) CheckApplies(c *x509.Certificate) bool {
+	return util.IsSubscriberCert(c)
+}
+
+func (l *subjectAlternativeNameShallBePresent) Execute(c *x509.Certificate) *lint.LintResult {
+	if !util.IsExtInCert(c, util.SubjectAlternateNameOID) {
+		return &lint.LintResult{
+			Status:  lint.Error,
+			Details: "SMIME certificate does not have a subject alternative name extension",
+		}
+	} else {
+		return &lint.LintResult{Status: lint.Pass}
+	}
+}
diff --git a/v3/lints/cabf_smime_br/lint_san_shall_be_present_test.go b/v3/lints/cabf_smime_br/lint_san_shall_be_present_test.go
@@ -0,0 +1,35 @@
+package cabf_smime_br
+
+import (
+	"testing"
+
+	"github.com/zmap/zlint/v3/lint"
+	"github.com/zmap/zlint/v3/test"
+)
+
+func TestSubscriberSubjectAlternativeNameShallBePresent(t *testing.T) {
+	testCases := []struct {
+		Name           string
+		InputFilename  string
+		ExpectedResult lint.LintStatus
+	}{
+		{
+			Name:           "pass - cert with SAN",
+			InputFilename:  "smime/with_subject_alternative_name.pem",
+			ExpectedResult: lint.Pass,
+		},
+		{
+			Name:           "error - cert without SAN",
+			InputFilename:  "smime/without_subject_alternative_name.pem",
+			ExpectedResult: lint.Error,
+		},
+	}
+	for _, tc := range testCases {
+		t.Run(tc.Name, func(t *testing.T) {
+			result := test.TestLint("e_san_shall_be_present", tc.InputFilename)
+			if result.Status != tc.ExpectedResult {
+				t.Errorf("expected result %v was %v - details: %v", tc.ExpectedResult, result.Status, result.Details)
+			}
+		})
+	}
+}
diff --git a/v3/testdata/smime/with_subject_alternative_name.pem b/v3/testdata/smime/with_subject_alternative_name.pem
@@ -0,0 +1,41 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 3 (0x3)
+        Signature Algorithm: ecdsa-with-SHA256
+        Issuer: 
+        Validity
+            Not Before: Sep 30 15:56:47 2023 GMT
+            Not After : Nov 30 00:00:00 9998 GMT
+        Subject: 
+        Subject Public Key Info:
+            Public Key Algorithm: id-ecPublicKey
+                Public-Key: (256 bit)
+                pub:
+                    04:69:58:02:49:7d:98:10:6e:6d:f3:3f:8f:2b:9f:
+                    10:df:09:42:d6:c5:1c:22:9c:86:87:e6:1d:ed:ed:
+                    d5:98:1d:93:ce:ce:61:2a:8d:44:cb:73:59:90:06:
+                    bb:68:e4:7c:24:d0:47:6a:b9:a4:a3:c9:60:a7:4d:
+                    5e:c5:46:dd:bd
+                ASN1 OID: prime256v1
+                NIST CURVE: P-256
+        X509v3 extensions:
+            X509v3 Extended Key Usage: 
+                E-mail Protection
+            X509v3 Subject Alternative Name: 
+                email:coolguy@coolplace.come
+    Signature Algorithm: ecdsa-with-SHA256
+    Signature Value:
+        30:45:02:21:00:eb:30:e0:f2:cf:6f:a4:95:ca:6a:e0:a9:e7:
+        06:ea:4d:b2:18:b7:bd:6e:69:4f:96:c0:07:86:3c:73:b2:2e:
+        3f:02:20:6e:83:bb:ca:79:8f:91:43:22:08:02:b3:86:30:85:
+        d7:1f:e7:ec:9c:0b:06:58:1b:47:15:08:25:26:99:c2:26
+-----BEGIN CERTIFICATE-----
+MIIBKjCB0aADAgECAgEDMAoGCCqGSM49BAMCMAAwIBcNMjMwOTMwMTU1NjQ3WhgP
+OTk5ODExMzAwMDAwMDBaMAAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARpWAJJ
+fZgQbm3zP48rnxDfCULWxRwinIaH5h3t7dWYHZPOzmEqjUTLc1mQBrto5Hwk0Edq
+uaSjyWCnTV7FRt29ozowODATBgNVHSUEDDAKBggrBgEFBQcDBDAhBgNVHREEGjAY
+gRZjb29sZ3V5QGNvb2xwbGFjZS5jb21lMAoGCCqGSM49BAMCA0gAMEUCIQDrMODy
+z2+klcpq4KnnBupNshi3vW5pT5bAB4Y8c7IuPwIgboO7ynmPkUMiCAKzhjCF1x/n
+7JwLBlgbRxUIJSaZwiY=
+-----END CERTIFICATE-----
diff --git a/v3/testdata/smime/without_subject_alternative_name.pem b/v3/testdata/smime/without_subject_alternative_name.pem
@@ -0,0 +1,38 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 3 (0x3)
+        Signature Algorithm: ecdsa-with-SHA256
+        Issuer: 
+        Validity
+            Not Before: Sep 30 15:41:50 2023 GMT
+            Not After : Nov 30 00:00:00 9998 GMT
+        Subject: 
+        Subject Public Key Info:
+            Public Key Algorithm: id-ecPublicKey
+                Public-Key: (256 bit)
+                pub:
+                    04:8b:93:b2:84:b1:56:f4:cc:df:55:3f:f4:07:2b:
+                    d1:5a:bc:52:10:41:aa:91:88:aa:25:ac:02:da:3e:
+                    0c:0e:af:3b:65:49:d5:22:f9:a5:80:f1:83:c6:bc:
+                    bb:8e:cf:d1:a6:b5:92:5d:85:6f:91:5e:31:1a:af:
+                    69:04:62:31:86
+                ASN1 OID: prime256v1
+                NIST CURVE: P-256
+        X509v3 extensions:
+            X509v3 Extended Key Usage: 
+                E-mail Protection
+    Signature Algorithm: ecdsa-with-SHA256
+    Signature Value:
+        30:45:02:20:0f:4a:43:42:ff:8b:5a:b3:30:f0:c6:b2:63:1c:
+        92:39:4d:17:5d:b0:15:70:e9:15:2e:9a:3f:a1:d6:12:c2:79:
+        02:21:00:a6:91:19:20:11:17:8d:f1:65:e0:f1:33:89:38:42:
+        24:a5:41:e5:33:6b:53:21:7f:1f:49:49:0f:57:d8:0a:f2
+-----BEGIN CERTIFICATE-----
+MIIBBzCBrqADAgECAgEDMAoGCCqGSM49BAMCMAAwIBcNMjMwOTMwMTU0MTUwWhgP
+OTk5ODExMzAwMDAwMDBaMAAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASLk7KE
+sVb0zN9VP/QHK9FavFIQQaqRiKolrALaPgwOrztlSdUi+aWA8YPGvLuOz9GmtZJd
+hW+RXjEar2kEYjGGoxcwFTATBgNVHSUEDDAKBggrBgEFBQcDBDAKBggqhkjOPQQD
+AgNIADBFAiAPSkNC/4taszDwxrJjHJI5TRddsBVw6RUumj+h1hLCeQIhAKaRGSAR
+F43xZeDxM4k4QiSlQeUza1Mhfx9JSQ9X2Ary
+-----END CERTIFICATE-----
