zmap / zlint

X.509 Certificate Linter focused on Web PKI standards and requirements.
https://zmap.io
Apache License 2.0

CABF SMIME BR 7.1.2.3.e - KeyUsages #757

Closed robplee closed 8 months ago

robplee commented 9 months ago

Addressing #754 with separate lints to check presence and criticality of the KU extension as well as covering the allowed KUs for RSA, EC and Edwards curve public keys.

One shortcoming is that for the Edwards curve keys I've had to leave a TODO in place as I don't think zcrypto has support for curve 448 in certificates (correct me if I'm wrong but I couldn't see it when I looked). That being said, it doesn't stop the checks working adequately for keys defined on curve 25519 so I don't think it should be a blocker for merging this PR.
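The three checks described in the comment above (keyUsage present, keyUsage critical, and only the bits permitted for the key type set) can be sketched as a small stand-alone Go program. This is an added example written for this page, not code from zlint or from this PR: it does not use zlint's lint interfaces, and the permitted-bit sets in `allowedKU` are an assumption that paraphrases S/MIME BR 7.1.2.3(e) rather than text taken from the PR, so check them against the current BR before relying on them. The certificates it lints are throwaway self-signed fixtures it generates itself, including one with a hand-encoded non-critical keyUsage extension to exercise the criticality check.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/ed25519"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// id-ce-keyUsage (2.5.29.15).
var oidKeyUsage = asn1.ObjectIdentifier{2, 5, 29, 15}

// Permitted keyUsage bits per public key type. ASSUMPTION: this is the
// editor's reading of S/MIME BR 7.1.2.3(e), not something the PR states.
var allowedKU = map[x509.PublicKeyAlgorithm]x509.KeyUsage{
	x509.RSA:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
	x509.ECDSA:   x509.KeyUsageDigitalSignature | x509.KeyUsageKeyAgreement,
	x509.Ed25519: x509.KeyUsageDigitalSignature,
}

// Result is a minimal lint outcome: "Pass", "Warn" or "Error" plus detail.
type Result struct {
	Status string
	Detail string
}

// LintKeyUsage checks presence, criticality and permitted bits of the
// keyUsage extension on an S/MIME leaf certificate.
func LintKeyUsage(cert *x509.Certificate) Result {
	var ku *pkix.Extension
	for i := range cert.Extensions {
		if cert.Extensions[i].Id.Equal(oidKeyUsage) {
			ku = &cert.Extensions[i]
			break
		}
	}
	if ku == nil {
		return Result{"Error", "keyUsage extension is missing"}
	}
	allowed, known := allowedKU[cert.PublicKeyAlgorithm]
	if !known {
		return Result{"Error", fmt.Sprintf("no keyUsage rule for %v keys", cert.PublicKeyAlgorithm)}
	}
	if cert.KeyUsage == 0 {
		return Result{"Error", "keyUsage extension is present but sets no bits"}
	}
	// Bits set in the certificate that are outside the permitted set.
	if extra := cert.KeyUsage &^ allowed; extra != 0 {
		return Result{"Error", fmt.Sprintf("keyUsage bits %#x not permitted for %v keys", extra, cert.PublicKeyAlgorithm)}
	}
	if !ku.Critical {
		return Result{"Warn", "keyUsage extension should be marked critical"}
	}
	return Result{"Pass", ""}
}

// selfSigned builds a throwaway self-signed certificate with the requested
// keyUsage bits; extra lets a scenario supply its own keyUsage extension
// (Go's CreateCertificate then does not generate one). Fixture only.
func selfSigned(key crypto.Signer, ku x509.KeyUsage, extra []pkix.Extension) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "lint fixture"},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: ku, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection},
		ExtraExtensions: extra,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// RunScenarios generates constructed fixtures for each case and lints them.
func RunScenarios() (map[string]Result, error) {
	rsaKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	ecKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	_, edKey, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	// DER BIT STRING with only digitalSignature (bit 0) set: 03 02 07 80, non-critical.
	nonCritKU := []pkix.Extension{{Id: oidKeyUsage, Critical: false, Value: []byte{0x03, 0x02, 0x07, 0x80}}}
	cases := []struct {
		name  string
		key   crypto.Signer
		ku    x509.KeyUsage
		extra []pkix.Extension
	}{
		{"rsa-sign-encrypt", rsaKey, x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment, nil},
		{"rsa-certsign", rsaKey, x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, nil},
		{"ec-keyencipherment", ecKey, x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment, nil},
		{"ed25519-sign", edKey, x509.KeyUsageDigitalSignature, nil},
		{"rsa-missing-ku", rsaKey, 0, nil},
		{"rsa-noncritical-ku", rsaKey, 0, nonCritKU},
	}
	out := make(map[string]Result, len(cases))
	for _, c := range cases {
		cert, err := selfSigned(c.key, c.ku, c.extra)
		if err != nil {
			return nil, fmt.Errorf("%s: %w", c.name, err)
		}
		out[c.name] = LintKeyUsage(cert)
	}
	return out, nil
}

func main() {
	res, err := RunScenarios()
	if err != nil {
		panic(err)
	}
	for name, r := range res {
		fmt.Printf("%-20s %-5s %s\n", name, r.Status, r.Detail)
	}
}
```

The presence check looks at the raw extension list rather than `cert.KeyUsage`, because a zero `KeyUsage` value cannot distinguish "extension absent" from "extension present with no bits set", and those are different findings. Curve 448 keys are not covered here for the same reason the comment gives: Go's `crypto/x509` has no representation for them, so `LintKeyUsage` reports an unsupported algorithm rather than guessing.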

cardonator commented 8 months ago

Can you guys help me understand why I seem to be having an issue testing this and some other changes regarding SMIME lints out?

I have a PEM with Email Protection EKU and I can't get any SMIME lints to trigger when running zlint directly. -lint-sources-list doesn't show SMIME and the lints aren't ever added to the registry that I can tell. Are there some other pieces missing that we need for running the CLI or as a library?

christopher-henderson commented 8 months ago

@cardonator do you have a particular branch I can take a look at?

cardonator commented 8 months ago

I am working on this branch. https://github.com/zmap/zlint/compare/master...cardonator:zlint:check_aia_internal_names

I will email you a pem I'm testing with, I haven't generated a cert to test with yet. I was trying to test this by building zlint and then running ./zlint cert.pem. None of the SMIME lints show as running in the response.

christopher-henderson commented 8 months ago

@cardonator

Ah, so the cert that you sent me is fine, and it indeed passes the "is this an email cert" check, however there seems to be a regression with regard to cert-to-source-document dispatch that broke smime from the CLI.

$ ./zlint -list-lints-source
    Apple
    CABF_BR
    CABF_BR
    CABF_EV
    Community
    ETSI_ESI
    Mozilla
    RFC3279
    RFC5280
    RFC5280
    RFC5480
    RFC5891
    RFC8813

Listing CABF twice with no SMIME version is incorrect and smime lints are not showing up in the registry on master. I've fired up #759 for me to go fix this.

In the meantime, you are fine to continue writing-and-testing lints as this is an issue in the CLI.

cardonator commented 8 months ago

Thanks @christopher-henderson and sorry to hijack this thread. I will continue on my branch.