Closed christopher-henderson closed 2 years ago
Hmmm. I think that it might be better to write IsOnionV2
and IsOnionV3
that would check .onion
names. They could be reused in another lint that would check if .onion
names are valid.
In https://github.com/zmap/zlint/blob/master/v3/lints/cabf_br/lint_san_dns_name_onion_invalid.go#L133 you only check the address length, but in https://github.com/zmap/zlint/blob/master/v3/util/onion.go#L25-L39 you check the length and the last byte.
@mimi89999
I think that it might be better to write IsOnionV2 and IsOnionV3 that would check .onion names. They could be reused in another lint that would check if .onion names are valid.
Sure thing! Indeed, with our newfound access to generics in Go, I went ahead and added some utility functions that help fill the gap of Any
and All
which would help with this.
In https://github.com/zmap/zlint/blob/master/v3/lints/cabf_br/lint_san_dns_name_onion_invalid.go#L133 you only check the address length, but in https://github.com/zmap/zlint/blob/master/v3/util/onion.go#L25-L39 you check the length and the last byte.
Fair enough, although I think the only extra thing I can reasonably do here is check that it is lowercase base32 encoded. That is, V3 has a number of extra semantics to it, however a V2 address is nothing but a b32 encoded hash of length 16.
This patch addresses #676 wherein the presence of a normal DNS entry would trigger a
false
return onIsOnionV3
, resulting in the Onion V3 cert being checked as though it were V2.I believe that the solution here is to change this from checking whether-or-not all names are V3 into checking whether-or-not at least one name is V2.
@mimi89999