Closed robplee closed 8 months ago
Can you guys help me understand why I seem to be having an issue testing this and some other changes regarding SMIME lints?
I have a PEM with Email Protection EKU and I can't get any SMIME lints to trigger when running zlint directly. -lint-sources-list doesn't show SMIME and the lints aren't ever added to the registry that I can tell. Are there some other pieces missing that we need for running the CLI or as a library?
@cardonator do you have a particular branch I can take a look at?
I am working on this branch. https://github.com/zmap/zlint/compare/master...cardonator:zlint:check_aia_internal_names
I will email you a pem I'm testing with, I haven't generated a cert to test with yet. I was trying to test this by building zlint and then running ./zlint cert.pem. None of the SMIME lints show as running in the response.
@cardonator
Ah, so the cert that you sent me is fine, and it indeed passes the "is this an email cert" check, however there seems to be a regression with regard to cert-to-source-document dispatch that broke smime from the CLI.
$ ./zlint -list-lints-source
Apple
CABF_BR
CABF_BR
CABF_EV
Community
ETSI_ESI
Mozilla
RFC3279
RFC5280
RFC5280
RFC5480
RFC5891
RFC8813
Listing CABF twice with no SMIME version is incorrect and smime lints are not showing up in the registry on master. I've fired up #759 for me to go fix this.
In the meantime, you are fine to continue writing-and-testing lints as this is an issue in the CLI.
Thanks @christopher-henderson and sorry to hijack this thread. I will continue on my branch.
Addressing #754 with separate lints to check presence and criticality of the KU extension as well as covering the allowed KUs for RSA, EC and Edwards curve public keys.
One shortcoming is that for the Edwards curve keys I've had to leave a TODO in place as I don't think zcrypto has support for curve 448 in certificates (correct me if I'm wrong but I couldn't see it when I looked). That being said, it doesn't stop the checks working adequately for keys defined on curve 25519 so I don't think it should be a blocker for merging this PR.
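For readers following the KU discussion above, here is an added, self-contained Go example (not code from this PR or from zlint) of the three checks the description lists: the keyUsage extension is present, it is marked critical, and no bit outside an allowed set for the key type is set. The allowed sets in allowedKU are an assumption made for the example; the thread does not state them and zlint's own tables may differ. It builds throwaway self-signed certificates with crypto/x509, hand-encoding the extension so a non-critical copy can be produced (crypto/x509 always emits it critical from the KeyUsage field).

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/ed25519"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// id-ce-keyUsage (2.5.29.15).
var oidKeyUsage = asn1.ObjectIdentifier{2, 5, 29, 15}

// Allowed key-usage bits per public key algorithm. ASSUMPTION for this
// example only: these sets are not stated in the thread and are not zlint's.
var allowedKU = map[x509.PublicKeyAlgorithm]x509.KeyUsage{
	x509.RSA:     x509.KeyUsageDigitalSignature | x509.KeyUsageContentCommitment | x509.KeyUsageKeyEncipherment,
	x509.ECDSA:   x509.KeyUsageDigitalSignature | x509.KeyUsageContentCommitment | x509.KeyUsageKeyAgreement,
	x509.Ed25519: x509.KeyUsageDigitalSignature | x509.KeyUsageContentCommitment,
}

// CheckKeyUsage reports, in order: a missing keyUsage extension, an extension
// not marked critical, and set bits outside the allowed set for the key type.
// An empty result means every check passed.
func CheckKeyUsage(cert *x509.Certificate) []string {
	var findings []string
	var ext *pkix.Extension
	for i := range cert.Extensions {
		if cert.Extensions[i].Id.Equal(oidKeyUsage) {
			ext = &cert.Extensions[i]
			break
		}
	}
	if ext == nil {
		// Criticality and bit checks are meaningless without the extension.
		return append(findings, "keyUsage extension is missing")
	}
	if !ext.Critical {
		findings = append(findings, "keyUsage extension is not marked critical")
	}
	allowed, ok := allowedKU[cert.PublicKeyAlgorithm]
	if !ok {
		return append(findings, fmt.Sprintf("no keyUsage policy for key algorithm %v", cert.PublicKeyAlgorithm))
	}
	if bad := cert.KeyUsage &^ allowed; bad != 0 {
		findings = append(findings, fmt.Sprintf("keyUsage bits %#x are not allowed for %v keys", bad, cert.PublicKeyAlgorithm))
	}
	return findings
}

// reverseByte flips bit order: KeyUsage bit 0 (digitalSignature) is the most
// significant bit of the first BIT STRING byte.
func reverseByte(b byte) byte {
	var r byte
	for i := 0; i < 8; i++ {
		r = r<<1 | b&1
		b >>= 1
	}
	return r
}

// kuExtension DER-encodes ku as a keyUsage extension with the given criticality.
func kuExtension(ku x509.KeyUsage, critical bool) (pkix.Extension, error) {
	raw := []byte{reverseByte(byte(ku)), reverseByte(byte(ku >> 8))}
	if raw[1] == 0 {
		raw = raw[:1]
	}
	val, err := asn1.Marshal(asn1.BitString{Bytes: raw, BitLength: len(raw) * 8})
	return pkix.Extension{Id: oidKeyUsage, Critical: critical, Value: val}, err
}

// SelfSigned builds a throwaway self-signed certificate for key; with ku == 0
// the keyUsage extension is omitted entirely.
func SelfSigned(key crypto.Signer, ku x509.KeyUsage, critical bool) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "ku-example"},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(time.Hour),
	}
	if ku != 0 {
		ext, err := kuExtension(ku, critical)
		if err != nil {
			return nil, err
		}
		tmpl.ExtraExtensions = []pkix.Extension{ext}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewKey returns a fresh key of the named type: "rsa", "ecdsa" or "ed25519".
func NewKey(kind string) (crypto.Signer, error) {
	switch kind {
	case "rsa":
		return rsa.GenerateKey(rand.Reader, 2048)
	case "ecdsa":
		return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	case "ed25519":
		_, priv, err := ed25519.GenerateKey(rand.Reader)
		return priv, err
	}
	return nil, fmt.Errorf("unknown key type %q", kind)
}

func main() {
	cases := []struct {
		kind     string
		ku       x509.KeyUsage
		critical bool
	}{
		{"rsa", x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment, true},    // passes
		{"ecdsa", x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment, false}, // non-critical, bad bit
		{"ed25519", 0, true},                                                           // extension absent
	}
	for _, c := range cases {
		key, err := NewKey(c.kind)
		if err != nil {
			panic(err)
		}
		cert, err := SelfSigned(key, c.ku, c.critical)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s: %v\n", c.kind, CheckKeyUsage(cert))
	}
}
```

The presence check short-circuits because criticality and bit checks have nothing to inspect without the extension, which mirrors why separate lints for presence and criticality are useful: a single combined lint would either double-report or hide one failure behind the other.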