zmap / zlint

X.509 Certificate Linter focused on Web PKI standards and requirements.
https://zmap.io
Apache License 2.0

Revisit S/MIME applicability rules #748

Closed christopher-henderson closed 8 months ago

christopher-henderson commented 9 months ago

Stemming from the comment at https://github.com/zmap/zlint/pull/744#discussion_r1347031645, we may want to revisit the logic at IsEmailProtectionCert.

An S/MIME Certificate for the purposes of this document can be identified by the existence of an Extended Key Usage (EKU) for id-kp-emailProtection (OID: 1.3.6.1.5.5.7.3.4) and the inclusion of a rfc822Name or an otherName of type id-on-SmtpUTF8Mailbox in the subjectAltName extension.

robplee commented 8 months ago

So, my proposal to address this issue is to change this line: https://github.com/zmap/zlint/blob/master/v3/lint/base.go#L224

To something like this:

```go
if l.Source == CABFSMIMEBaselineRequirements && !((util.IsEmailProtectionCert(cert) && util.HasEmailSAN(cert)) || util.IsSMIMEBRCertificate(cert)) {
```

Where HasEmailSAN (name TBC) checks for the presence of at least one san:rfc822Name or a san:otherName of type id-on-SmtpUTF8Mailbox.

Am happy to open a PR with the above if there is agreement with my suggested change.
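The HasEmailSAN check proposed above, sketched as an added example that is neither zlint's code nor either commenter's: it uses Go's crypto/x509 and encoding/asn1 instead of zlint's zcrypto types, and the IsSMIMEBRCertificate policy-OID leg of the proposal is left out. The names HasEmailSAN, IsSMIMEApplicable, otherName and SmtpUTF8MailboxSAN are assumed here; the last one exists only to construct a SAN carrying an id-on-SmtpUTF8Mailbox otherName so the walker can be exercised, since crypto/x509 itself never surfaces that GeneralName.

```go
package main

import (
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
)

// SAN is 2.5.29.17; id-on-SmtpUTF8Mailbox is 1.3.6.1.5.5.7.8.9 (RFC 8398, the otherName type the issue quotes).
var oidSubjectAltName, oidSmtpUTF8Mailbox = asn1.ObjectIdentifier{2, 5, 29, 17}, asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 8, 9}
// otherName ::= SEQUENCE { type-id OBJECT IDENTIFIER, value [0] EXPLICIT ANY DEFINED BY type-id }
type otherName struct {
	TypeID asn1.ObjectIdentifier
	Value  asn1.RawValue // keeps the [0] EXPLICIT wrapper itself; encoding/asn1 applies no explicit tag to a RawValue
}
// HasEmailSAN: an rfc822Name (crypto/x509 decodes those into EmailAddresses) or an otherName of type
// id-on-SmtpUTF8Mailbox, which crypto/x509 drops, so it has to be read from the raw SAN extension.
func HasEmailSAN(cert *x509.Certificate) bool {
	for _, ext := range cert.Extensions {
		var names []asn1.RawValue // SubjectAltName ::= SEQUENCE OF GeneralName
		if _, err := asn1.Unmarshal(ext.Value, &names); !ext.Id.Equal(oidSubjectAltName) || err != nil {
			continue
		}
		for _, gn := range names {
			var on otherName // GeneralName CHOICE: otherName is [0] IMPLICIT; any other choice fails to parse as one
			if _, err := asn1.UnmarshalWithParams(gn.FullBytes, &on, "tag:0"); err == nil && on.TypeID.Equal(oidSmtpUTF8Mailbox) {
				return true
			}
		}
	}
	return len(cert.EmailAddresses) > 0
}

// IsSMIMEApplicable is the proposed gate: id-kp-emailProtection EKU AND an e-mail SAN. The
// IsSMIMEBRCertificate (policy OID) alternative from the proposal is not modelled here.
func IsSMIMEApplicable(cert *x509.Certificate) bool {
	for _, eku := range cert.ExtKeyUsage {
		if eku == x509.ExtKeyUsageEmailProtection && HasEmailSAN(cert) {
			return true
		}
	}
	return false
}

// SmtpUTF8MailboxSAN builds a SAN extension carrying one id-on-SmtpUTF8Mailbox otherName (constructed test input).
func SmtpUTF8MailboxSAN(addr string) pkix.Extension {
	mailbox, _ := asn1.Marshal(asn1.RawValue{Tag: asn1.TagUTF8String, Bytes: []byte(addr)})
	on := otherName{oidSmtpUTF8Mailbox, asn1.RawValue{Class: asn1.ClassContextSpecific, Tag: 0, IsCompound: true, Bytes: mailbox}}
	gn, _ := asn1.MarshalWithParams(on, "tag:0")
	san, _ := asn1.Marshal([]asn1.RawValue{{FullBytes: gn}})
	return pkix.Extension{Id: oidSubjectAltName, Value: san}
}
```

A certificate with the EKU but only a dNSName SAN, or with an e-mail SAN but no emailProtection EKU, falls outside the gate, which is the distinction the proposal draws.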