update citation for e_ca_common_name_missing#976
Merged
christopher-henderson merged 1 commit intozmap:masterfrom Jul 27, 2025
Merged
update citation for e_ca_common_name_missing#976christopher-henderson merged 1 commit intozmap:masterfrom
christopher-henderson merged 1 commit intozmap:masterfrom
Conversation
christopher-henderson
approved these changes
Jul 27, 2025
Member
There was a problem hiding this comment.
Thank you so much @mhyder13! This sort of work is sorely needed, and I admit that I have just enough time to keep the repo alive and humming from a code-and-CICD stand point. So your work is here very much appreciated 🙏
Unfortunately, there doesn't seem to be any definitive, distinctive element to this profile that can be used to detect it in zlint.
You may find ZLint's configurable lints infrastructure to be useful.
type MyLint struct {
FrobbleTheWidgets bool
}
func (m *MyLint) Configure() interface{} {
return m
}
func (m *MyLinkt) Execute(c *x509.Certificate) *lint.LintResult {
if m.FrobbleTheWidgets {
return &lint.LintResult{Status: lint.Pass}
} else {
return &lint.LintResult{Status: lint.Error, Details: "Widgets MUST be frobbled."}
}
}The operator can then define a TOML file as the following...
[MyLint]
FrobbleTheWidgets = trueAnd invoke ZLint vis-a-vis this configuration...
zlint -config myConfig.toml myCert.pem
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This is related to #973. This requirement comes in after most of the early reformatting of the BRs, so the citation string is only one movement out of date. I've added the old citation and the versions it was included in the comments. I've also added the requirements language this lint is (now) based on to the comment, which is similar to how some other lints have it. (example)
One sticking point is that in the new version, there is a "Cross-Certified Subordinate CA Certificate Profile" intended to allow new cross-signs of existing compliant CAs even after the name rules are update with their original names. This profile allows certain CAs without commonName in the subjects of their existing certificates issued before 2017-06-08 to receive new certificates which are not subject to this requirement, provided that "the encoded subject name MUST be byte-for-byte identical to the
encoded subject name of the existing CA Certificate." (It also allows other deviations from the normal CA naming requirements.) The profile otherwise looks similar to the other CA profiles.
Unfortunately, there doesn't seem to be any definitive, distinctive element to this profile that can be used to detect it in zlint. Additionally, the factors that allow its usage like "the existing CA Certificate complied with the Baseline Requirements in force at time of issuance" aren't detectable from the certificate itself. For now, I'm proposing to leave the implementation of the lint as it is with a note about this profile in the comment. CAs attempting to use it should already be aware that they are using it to circumvent the normal naming rules. Research users will unfortunately have to live with this limitation or follow up to determine if a certificate should have been eligible for this profile. If anyone has an idea how to accurately filter these certificates out, we might want to split this lint to separate the two forms of the requirement. Failing that, maybe the configuration system can be leveraged to indicate when a certificate is using this profile?