zmap
diff --git a/‎v3/lints/rfc/lint_empty_sct_list.go
+99 b/‎v3/lints/rfc/lint_empty_sct_list.go
+99
diff --git a/‎v3/lints/rfc/lint_empty_sct_list_test.go
+73 b/‎v3/lints/rfc/lint_empty_sct_list_test.go
+73
diff --git a/‎v3/testdata/empty_sct_list_ko_01.pem
+103 b/‎v3/testdata/empty_sct_list_ko_01.pem
+103
diff --git a/‎v3/testdata/empty_sct_list_na_01.pem
+99 b/‎v3/testdata/empty_sct_list_na_01.pem
+99
@@ -0,0 +1,99 @@
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+/*
+ * Contributed by Adriano Santoni <[email protected]>
+ */
+
+package rfc
+
+import (
+	"github.com/zmap/zcrypto/x509"
+	"github.com/zmap/zlint/v3/lint"
+	"github.com/zmap/zlint/v3/util"
+
+	"encoding/asn1"
+)
+
+func init() {
+	lint.RegisterCertificateLint(&lint.CertificateLint{
+		LintMetadata: lint.LintMetadata{
+			Name:          "e_empty_sct_list",
+			Description:   "At least one SCT MUST be included in the SignedCertificateTimestampList extension",
+			Citation:      "RFC 6962 section 3.3",
+			Source:        lint.RFC6962,
+			EffectiveDate: util.RFC6962Date,
+		},
+		Lint: NewEmptySCTList,
+	})
+}
+
+type emptySCTList struct{}
+
+func NewEmptySCTList() lint.LintInterface {
+	return &emptySCTList{}
+}
+
+// CheckApplies returns true for any subscriber certificates that are not precertificates
+// (i.e. that do not have the CT poison extension defined in RFC 6962)
+func (l *emptySCTList) CheckApplies(c *x509.Certificate) bool {
+	return util.IsSubscriberCert(c) && !util.IsExtInCert(c, util.CtPoisonOID)
+}
+
+func (l *emptySCTList) Execute(c *x509.Certificate) *lint.LintResult {
+
+	var sctListExtValue []byte
+
+	for _, e := range c.Extensions {
+		if e.Id.Equal(util.TimestampOID) {
+			sctListExtValue = e.Value
+			break
+		}
+	}
+
+	// SCT extension not found, so there is nothing to check
+	if sctListExtValue == nil {
+		return &lint.LintResult{Status: lint.Pass}
+	}
+
+	var octetString []byte
+
+	_, err := asn1.Unmarshal(sctListExtValue, &octetString)
+	if err != nil {
+		// This will probably never happen, as at this point the extension has already been parsed by an upper Zlint layer
+		return &lint.LintResult{
+			Status:  lint.Fatal,
+			Details: "Error decoding the SignedCertificateTimestampList extension",
+		}
+	}
+
+	// Per RFC 5246, the SCT list must begin with a two-bytes length field
+	if len(octetString) < 2 {
+		// This will probably never happen, as at this point the extension has already been parsed by an upper Zlint layer
+		return &lint.LintResult{
+			Status:  lint.Fatal,
+			Details: "Invalid SCT list encoding (missing length field)",
+		}
+	}
+
+	// If the SCT list length (first two bytes) is zero, then it's an invalid SCT list per RFC 6962
+	if octetString[0] == 0 && octetString[1] == 0 {
+		return &lint.LintResult{
+			Status:  lint.Error,
+			Details: "At least one SCT MUST be included in the SignedCertificateTimestampList extension",
+		}
+	}
+
+	return &lint.LintResult{Status: lint.Pass}
+}
@@ -0,0 +1,73 @@
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+package rfc
+
+import (
+	"testing"
+
+	"github.com/zmap/zlint/v3/lint"
+	"github.com/zmap/zlint/v3/test"
+)
+
+/*
+   === Pass test cases ===
+   empty_sct_list_ok_01.pem    SCTList extension NOT present
+   empty_sct_list_ok_02.pem    SCTList extension present, with length > 0
+
+   === NA test cases ===
+   empty_sct_list_na_01.pem    Precertificate (Poison extension present)
+   empty_sct_list_na_02.pem    CA certificate
+
+   === Fail test cases ===
+   empty_sct_list_ko_01.pem    SCTList extension present, with zero length
+*/
+
+func TestEmptySCTList(t *testing.T) {
+	type Data struct {
+		input string
+		want  lint.LintStatus
+	}
+	data := []Data{
+		{
+			input: "empty_sct_list_ok_01.pem",
+			want:  lint.Pass,
+		},
+		{
+			input: "empty_sct_list_ok_02.pem",
+			want:  lint.Pass,
+		},
+		{
+			input: "empty_sct_list_na_01.pem",
+			want:  lint.NA,
+		},
+		{
+			input: "empty_sct_list_na_02.pem",
+			want:  lint.NA,
+		},
+		{
+			input: "empty_sct_list_ko_01.pem",
+			want:  lint.Error,
+		},
+	}
+	for _, testData := range data {
+		testData := testData
+		t.Run(testData.input, func(t *testing.T) {
+			out := test.TestLint("e_empty_sct_list", testData.input)
+			if out.Status != testData.want {
+				t.Errorf("expected %s, got %s", testData.want, out.Status)
+			}
+		})
+	}
+}
@@ -0,0 +1,103 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            15:5d:5d:77:7e:9c:cd:57:03:5b:bb:65:0a:db:70:19
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = XX, O = Some CA, CN = Fake CA for zlint testing
+        Validity
+            Not Before: Apr 29 07:50:51 2024 GMT
+            Not After : Apr 29 07:50:51 2025 GMT
+        Subject: C = IT, ST = Some State or Province, L = Somewhere, O = Some Company Ltd., CN = example.org, serialNumber = 1234567890
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                RSA Public-Key: (2048 bit)
+                Modulus:
+                    00:ca:dc:be:ac:45:65:b0:1f:3e:48:bc:f7:8c:a0:
+                    74:ff:b0:12:81:e0:c3:56:54:ca:2e:98:ef:9e:2f:
+                    a1:b1:3f:35:8b:e7:bc:2a:a6:00:15:39:c2:a0:a7:
+                    8d:82:69:40:64:c8:2b:4b:e3:02:83:8e:fc:ff:5b:
+                    38:f1:e6:cd:d2:2d:97:c6:bb:16:9a:21:83:e5:4f:
+                    45:20:f8:02:e8:a3:54:20:bd:80:26:f7:e4:6e:6e:
+                    1b:97:de:e6:aa:36:be:1e:7a:5a:1e:23:d4:40:8a:
+                    59:67:9d:39:b7:2d:58:56:9d:f9:d0:f1:d7:19:47:
+                    ed:66:d2:2f:00:79:cd:ee:52:4c:da:35:27:b4:1e:
+                    4c:27:f5:66:d5:8a:f3:fe:77:bd:93:e4:49:06:dd:
+                    2c:f4:9e:64:b8:a7:be:f4:bb:10:54:d5:7f:88:a9:
+                    8d:1d:36:cd:45:47:72:41:de:32:25:11:ec:e5:74:
+                    58:9f:1e:ad:19:7a:85:49:71:27:4c:95:f0:b7:4e:
+                    18:f1:ef:4a:4f:00:e2:db:bb:f9:fc:26:cd:12:a9:
+                    4a:13:b4:8f:70:08:9b:69:0b:c8:7e:33:42:28:f0:
+                    3a:59:59:7b:aa:7e:d3:9f:d5:6f:c4:b2:67:c6:c2:
+                    bd:67:33:a2:01:3d:5b:ec:a1:98:b4:17:de:b8:df:
+                    53:07
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Key Usage: critical
+                Digital Signature, Key Encipherment
+            X509v3 Extended Key Usage: 
+                TLS Web Client Authentication, TLS Web Server Authentication
+            X509v3 Subject Key Identifier: 
+                71:C2:DE:BD:F0:7E:64:F8:06:3E:92:29:54:90:C8:24:34:A8:EC:02
+            X509v3 Authority Key Identifier: 
+                keyid:E8:B6:F6:76:4B:D0:3B:E5:46:A5:F9:54:D4:7E:07:B3:DE:0D:60:3E
+
+            Authority Information Access: 
+                OCSP - URI:http://ca.someca-inc.com/ocsp
+                CA Issuers - URI:http://ca.someca-inc.com/root
+
+            X509v3 Subject Alternative Name: 
+                DNS:example.org
+            X509v3 Certificate Policies: 
+                Policy: 2.23.140.1.2.2
+
+            X509v3 CRL Distribution Points: 
+
+                Full Name:
+                  URI:http://ca.someca-inc.com/crl
+
+            CT Precertificate SCTs: 
+
+    Signature Algorithm: sha256WithRSAEncryption
+         a7:02:df:31:70:db:35:d2:3c:c3:ab:f0:b8:bb:5a:4c:7f:74:
+         97:3c:83:6a:f4:ec:e9:7a:ff:0c:40:4f:8e:21:11:7e:cf:2c:
+         6d:00:ed:0b:b4:db:ed:1a:e6:f6:c9:8b:6f:19:e6:98:0e:07:
+         d7:b8:1e:bf:10:54:3f:88:82:ae:83:76:53:a8:b2:91:b9:88:
+         12:45:c9:8b:4e:02:e0:b4:55:41:7b:6e:c9:e1:83:79:db:f5:
+         67:63:b9:58:d7:d7:ca:d5:95:b4:ba:03:dc:d2:e9:d1:ac:34:
+         26:38:52:41:02:de:07:ef:62:1b:9a:00:b0:41:b0:b6:9e:14:
+         f1:44:92:ba:cd:d7:91:9d:12:94:50:1a:90:7d:d5:3e:d3:b4:
+         24:88:f3:7e:26:d2:fa:cb:3f:e5:fa:07:80:69:60:09:41:2b:
+         49:62:f9:b7:da:a0:89:ee:17:ea:95:ba:d1:9c:59:7d:00:d3:
+         d9:af:2f:f9:a9:b2:83:6a:22:7b:df:6a:59:5d:e0:0c:79:ee:
+         af:c2:03:70:20:f1:1f:02:c0:72:d5:d8:cf:84:e8:16:8d:bf:
+         21:3c:42:e3:72:46:de:e2:7c:e4:5a:9d:f4:76:81:44:03:05:
+         3f:38:1e:c5:50:1f:41:84:bd:40:83:10:90:2a:ea:6a:8b:06:
+         37:6b:50:91
+-----BEGIN CERTIFICATE-----
+MIIEojCCA4qgAwIBAgIQFV1dd36czVcDW7tlCttwGTANBgkqhkiG9w0BAQsFADBD
+MQswCQYDVQQGEwJYWDEQMA4GA1UEChMHU29tZSBDQTEiMCAGA1UEAxMZRmFrZSBD
+QSBmb3IgemxpbnQgdGVzdGluZzAeFw0yNDA0MjkwNzUwNTFaFw0yNTA0MjkwNzUw
+NTFaMIGJMQswCQYDVQQGEwJJVDEfMB0GA1UECBMWU29tZSBTdGF0ZSBvciBQcm92
+aW5jZTESMBAGA1UEBxMJU29tZXdoZXJlMRowGAYDVQQKExFTb21lIENvbXBhbnkg
+THRkLjEUMBIGA1UEAxMLZXhhbXBsZS5vcmcxEzARBgNVBAUTCjEyMzQ1Njc4OTAw
+ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDK3L6sRWWwHz5IvPeMoHT/
+sBKB4MNWVMoumO+eL6GxPzWL57wqpgAVOcKgp42CaUBkyCtL4wKDjvz/Wzjx5s3S
+LZfGuxaaIYPlT0Ug+ALoo1QgvYAm9+RubhuX3uaqNr4eeloeI9RAillnnTm3LVhW
+nfnQ8dcZR+1m0i8Aec3uUkzaNSe0Hkwn9WbVivP+d72T5EkG3Sz0nmS4p770uxBU
+1X+IqY0dNs1FR3JB3jIlEezldFifHq0ZeoVJcSdMlfC3Thjx70pPAOLbu/n8Js0S
+qUoTtI9wCJtpC8h+M0Io8DpZWXuqftOf1W/EsmfGwr1nM6IBPVvsoZi0F96431MH
+AgMBAAGjggFJMIIBRTAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUH
+AwIGCCsGAQUFBwMBMB0GA1UdDgQWBBRxwt698H5k+AY+kilUkMgkNKjsAjAfBgNV
+HSMEGDAWgBTotvZ2S9A75Ual+VTUfgez3g1gPjBkBggrBgEFBQcBAQRYMFYwKQYI
+KwYBBQUHMAGGHWh0dHA6Ly9jYS5zb21lY2EtaW5jLmNvbS9vY3NwMCkGCCsGAQUF
+BzAChh1odHRwOi8vY2Euc29tZWNhLWluYy5jb20vcm9vdDAWBgNVHREEDzANggtl
+eGFtcGxlLm9yZzATBgNVHSAEDDAKMAgGBmeBDAECAjAtBgNVHR8EJjAkMCKgIKAe
+hhxodHRwOi8vY2Euc29tZWNhLWluYy5jb20vY3JsMBIGCisGAQQB1nkCBAIEBAQC
+AAAwDQYJKoZIhvcNAQELBQADggEBAKcC3zFw2zXSPMOr8Li7Wkx/dJc8g2r07Ol6
+/wxAT44hEX7PLG0A7Qu02+0a5vbJi28Z5pgOB9e4Hr8QVD+Igq6DdlOospG5iBJF
+yYtOAuC0VUF7bsnhg3nb9WdjuVjX18rVlbS6A9zS6dGsNCY4UkEC3gfvYhuaALBB
+sLaeFPFEkrrN15GdEpRQGpB91T7TtCSI834m0vrLP+X6B4BpYAlBK0li+bfaoInu
+F+qVutGcWX0A09mvL/mpsoNqInvfalld4Ax57q/CA3Ag8R8CwHLV2M+E6BaNvyE8
+QuNyRt7ifORanfR2gUQDBT84HsVQH0GEvUCDEJAq6mqLBjdrUJE=
+-----END CERTIFICATE-----
@@ -0,0 +1,99 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            85:74:a7:82:8c:9e:37:4d:ff:68:09:28:3a:10:be:b0
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = XX, O = Some CA, CN = Fake CA for zlint testing
+        Validity
+            Not Before: Apr 29 07:32:42 2024 GMT
+            Not After : Apr 29 07:32:42 2025 GMT
+        Subject: C = IT, ST = Some State or Province, L = Somewhere, O = Some Company Ltd., CN = example.org
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                RSA Public-Key: (2048 bit)
+                Modulus:
+                    00:c9:f6:cb:84:c2:39:69:2d:4b:f1:90:18:15:62:
+                    bf:4d:b2:0b:86:e4:fa:c2:15:7d:06:29:5c:2c:4e:
+                    9b:8c:17:60:6c:49:18:46:7e:01:f2:a8:31:71:45:
+                    5b:e9:52:b1:22:15:8b:7c:64:84:90:ad:61:55:b8:
+                    90:07:a4:4c:70:cb:a1:d4:bd:c4:d5:6f:73:3f:30:
+                    53:1b:85:5c:7b:0b:ed:4a:d2:2d:1e:3f:f7:57:6a:
+                    ad:49:89:d5:7f:b6:83:02:52:c7:cc:b5:68:42:20:
+                    69:84:7e:f6:a1:79:26:3e:21:57:16:93:47:08:0b:
+                    54:4b:b4:db:a8:59:0f:ea:af:ea:68:7d:b4:5d:f4:
+                    bd:22:f8:8d:f2:c7:ec:38:ca:3f:a9:79:e8:c0:b3:
+                    77:1f:87:3d:e2:52:44:9f:0e:98:07:a3:56:35:c9:
+                    12:57:9c:95:2c:a1:e4:71:64:26:13:83:3b:29:8c:
+                    1d:7a:f0:fa:1b:81:c5:ac:b1:cd:51:99:7d:46:0d:
+                    d8:3e:f4:d5:90:d4:5f:16:db:85:84:2b:d0:42:8f:
+                    85:8a:9b:85:39:0c:df:19:5a:b9:d9:ab:a0:0f:22:
+                    64:2b:90:88:1b:a1:6f:42:e7:66:a3:c0:2a:88:d4:
+                    c6:40:5f:49:df:a9:85:5b:7b:e7:72:64:80:8d:4d:
+                    65:95
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Key Usage: critical
+                Digital Signature, Key Encipherment
+            X509v3 Extended Key Usage: 
+                TLS Web Client Authentication, TLS Web Server Authentication
+            X509v3 Subject Key Identifier: 
+                07:23:84:22:FA:B0:66:0F:62:49:26:90:FE:0B:E8:33:1B:5B:82:01
+            X509v3 Authority Key Identifier: 
+                keyid:E8:B6:F6:76:4B:D0:3B:E5:46:A5:F9:54:D4:7E:07:B3:DE:0D:60:3E
+
+            Authority Information Access: 
+                OCSP - URI:http://ca.someca-inc.com/ocsp
+                CA Issuers - URI:http://ca.someca-inc.com/root
+
+            X509v3 Subject Alternative Name: 
+                DNS:example.org
+            X509v3 CRL Distribution Points: 
+
+                Full Name:
+                  URI:http://ca.someca-inc.com/crl
+
+            CT Precertificate Poison: critical
+                NULL
+    Signature Algorithm: sha256WithRSAEncryption
+         08:6d:c4:48:6f:4b:e9:a4:8c:f0:0a:0b:33:7c:45:14:e1:1c:
+         81:ec:54:67:e2:5f:94:57:61:11:86:b7:c1:80:4c:c0:70:a1:
+         7f:1e:58:7e:4e:09:b2:8a:3a:d4:b1:fd:63:8a:d7:61:2e:bc:
+         60:72:04:af:68:66:a5:bd:45:52:9d:e3:43:64:5a:ff:48:48:
+         c4:e2:62:f3:e9:a3:f7:3a:32:f5:e3:85:d7:4e:99:f0:2e:3a:
+         a2:43:09:51:43:8b:80:f7:34:16:b8:1a:57:fb:8b:d0:3d:e2:
+         73:12:42:a6:eb:4a:ca:5c:21:6e:1b:cf:5b:cb:5b:2e:d3:0b:
+         c7:01:6c:0b:a7:81:24:61:7c:7c:f4:b7:d3:4b:e4:ec:04:71:
+         97:d2:68:55:b1:ef:a7:2b:ce:ac:2e:bf:23:fa:31:ff:86:c6:
+         82:ab:87:b8:2e:92:66:46:44:5a:bb:aa:09:8b:f1:4c:75:f7:
+         45:79:9a:25:5f:42:2a:61:7b:5e:d8:50:5f:37:8b:66:ee:0d:
+         dc:f0:f1:2b:08:24:93:bd:33:3f:06:48:d8:78:ac:cd:5c:92:
+         ab:a5:78:59:b0:14:26:f9:42:91:4c:fb:a1:fc:de:1b:18:51:
+         66:26:d5:86:f9:13:00:24:22:e3:27:29:49:9e:36:f6:b1:87:
+         89:82:14:a5
+-----BEGIN CERTIFICATE-----
+MIIEeTCCA2GgAwIBAgIRAIV0p4KMnjdN/2gJKDoQvrAwDQYJKoZIhvcNAQELBQAw
+QzELMAkGA1UEBhMCWFgxEDAOBgNVBAoTB1NvbWUgQ0ExIjAgBgNVBAMTGUZha2Ug
+Q0EgZm9yIHpsaW50IHRlc3RpbmcwHhcNMjQwNDI5MDczMjQyWhcNMjUwNDI5MDcz
+MjQyWjB0MQswCQYDVQQGEwJJVDEfMB0GA1UECBMWU29tZSBTdGF0ZSBvciBQcm92
+aW5jZTESMBAGA1UEBxMJU29tZXdoZXJlMRowGAYDVQQKExFTb21lIENvbXBhbnkg
+THRkLjEUMBIGA1UEAxMLZXhhbXBsZS5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IB
+DwAwggEKAoIBAQDJ9suEwjlpLUvxkBgVYr9NsguG5PrCFX0GKVwsTpuMF2BsSRhG
+fgHyqDFxRVvpUrEiFYt8ZISQrWFVuJAHpExwy6HUvcTVb3M/MFMbhVx7C+1K0i0e
+P/dXaq1JidV/toMCUsfMtWhCIGmEfvaheSY+IVcWk0cIC1RLtNuoWQ/qr+pofbRd
+9L0i+I3yx+w4yj+peejAs3cfhz3iUkSfDpgHo1Y1yRJXnJUsoeRxZCYTgzspjB16
+8PobgcWssc1RmX1GDdg+9NWQ1F8W24WEK9BCj4WKm4U5DN8ZWrnZq6APImQrkIgb
+oW9C52ajwCqI1MZAX0nfqYVbe+dyZICNTWWVAgMBAAGjggE1MIIBMTAOBgNVHQ8B
+Af8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMB0GA1UdDgQW
+BBQHI4Qi+rBmD2JJJpD+C+gzG1uCATAfBgNVHSMEGDAWgBTotvZ2S9A75Ual+VTU
+fgez3g1gPjBkBggrBgEFBQcBAQRYMFYwKQYIKwYBBQUHMAGGHWh0dHA6Ly9jYS5z
+b21lY2EtaW5jLmNvbS9vY3NwMCkGCCsGAQUFBzAChh1odHRwOi8vY2Euc29tZWNh
+LWluYy5jb20vcm9vdDAWBgNVHREEDzANggtleGFtcGxlLm9yZzAtBgNVHR8EJjAk
+MCKgIKAehhxodHRwOi8vY2Euc29tZWNhLWluYy5jb20vY3JsMBMGCisGAQQB1nkC
+BAMBAf8EAgUAMA0GCSqGSIb3DQEBCwUAA4IBAQAIbcRIb0vppIzwCgszfEUU4RyB
+7FRn4l+UV2ERhrfBgEzAcKF/Hlh+TgmyijrUsf1jitdhLrxgcgSvaGalvUVSneND
+ZFr/SEjE4mLz6aP3OjL144XXTpnwLjqiQwlRQ4uA9zQWuBpX+4vQPeJzEkKm60rK
+XCFuG89by1su0wvHAWwLp4EkYXx89LfTS+TsBHGX0mhVse+nK86sLr8j+jH/hsaC
+q4e4LpJmRkRau6oJi/FMdfdFeZolX0IqYXte2FBfN4tm7g3c8PErCCSTvTM/BkjY
+eKzNXJKrpXhZsBQm+UKRTPuh/N4bGFFmJtWG+RMAJCLjJylJnjb2sYeJghSl
+-----END CERTIFICATE-----