Add lint for checking compliance with §7.1.2.10.5 of the BRs (CA Certificate Policies)#887
Merged
christopher-henderson merged 43 commits intozmap:masterfrom Oct 26, 2024
Conversation
Added //nolint:all to comment block to avoid golangci-lint to complain about duplicate words in comment
Fixed import block
Fine to me. Co-authored-by: Christopher Henderson <[email protected]>
As per Chris Henderson's suggestion, to "improve readability".
As per Chris Henderson's suggestion.
Added CABFEV_Sec9_2_8_Date
christopher-henderson
approved these changes
Oct 26, 2024
| lint.RegisterCertificateLint(&lint.CertificateLint{ | ||
| LintMetadata: lint.LintMetadata{ | ||
| Name: "e_invalid_ca_certificate_policies", | ||
| Description: "Checks that the Policy OIDs in the CertificatePolicies extension of a SubCA certificate comply with CABF requirements", |
There was a problem hiding this comment.
I was going to petition to break this up since the description is kind of a catch-all. But 7.1.2.10.5 really is kinda relatively large and tangled.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Please add this lint to verify that a TLS Subordinate CA certificate complies with §7.1.2.10.5 of the BRs (CA Certificate Policies).
In particular, this lint checks that Certificate Policies extension either contains the AnyPolicy OID alone (according to Table 69 in the BRs) or it contains at least one CABF Reserved Policy OID (according to Table 70).
Preliminarily, this lint checks that the CertificatePolicies extension is present, this being a requirement for all TLS Subordinate CAs as prescribed by various sections of Chapter 7 of the BRs. This could be considered a separate check and, as such, it could be moved to a separate lint, but I think it's simpler to leave it in here.
Examples of CA certificates failing this lint can be found at https://bugzilla.mozilla.org/show_bug.cgi?id=1921597