@@ -90,6 +90,19 @@ type SigningProfile struct {
9090 CTLogServers []string `json:"ct_log_servers"`
9191 AllowedExtensions []OID `json:"allowed_extensions"`
9292 CertStore string `json:"cert_store"`
93+ // LintErrLevel controls preissuance linting for the signing profile.
94+ // 0 = no linting is performed [default]
95+ // 2..3 = reserved
96+ // 3 = all lint results except pass are considered errors
97+ // 4 = all lint results except pass and notice are considered errors
98+ // 5 = all lint results except pass, notice and warn are considered errors
99+ // 6 = all lint results except pass, notice, warn and error are considered errors.
100+ // 7 = lint is performed, no lint results are treated as errors.
101+ LintErrLevel int `json:"lint_error_level"`
102+ // IgnoredLints lists zlint lint names to ignore. Any lint results from
103+ // matching lints will be ignored no matter what the configured LintErrLevel
104+ // is.
105+ IgnoredLints []string `json:"ignored_lints"`
93106
94107 Policies []CertificatePolicy
95108 Expiry time.Duration
@@ -427,7 +440,8 @@ func (p *SigningProfile) Usages() (ku x509.KeyUsage, eku []x509.ExtKeyUsage, unk
427440// valid local default profile has defined at least a default expiration.
428441// A valid remote profile (default or not) has remote signer initialized.
429442// In addition, a remote profile must has a valid auth provider if auth
430- // key defined.
443+ // key defined. A valid profile must not include a lint_error_level outside of
444+ // [0,8).
431445func (p * SigningProfile ) validProfile (isDefault bool ) bool {
432446 if p == nil {
433447 return false
@@ -484,6 +498,11 @@ func (p *SigningProfile) validProfile(isDefault bool) bool {
484498 }
485499 }
486500
501+ if p .LintErrLevel < 0 || p .LintErrLevel >= 8 {
502+ log .Debugf ("invalid profile: lint_error_level outside of range [0,8)" )
503+ return false
504+ }
505+
487506 log .Debugf ("profile is valid" )
488507 return true
489508}
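Review bot: The range check added near the end of validProfile accepts lint_error_level 1 and 2, but the LintErrLevel field comment never says what those values do: it lists `2..3 = reserved`, then defines 3, and does not mention 1. If the reserved range is meant to be 1 and 2, the comment line should read `// 1..2 = reserved`. It is also worth deciding whether validProfile should reject reserved values instead of passing them to the linter with undocumented behaviour, since an operator who picks one may get a different strictness than intended. IgnoredLints is not checked here either, so these hunks do not show whether a misspelled lint name is caught at load time. validProfile begins above this hunk and its middle is elided, so only the tail of the function is reviewed here.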