Issue (Open), opened by jdkasten 9 months ago
You're right about the reference, it should be 7.1.4.2.2.h.
You're also right that the target of the current check is the SANs and not the subject as specified in the BR. I can work on a patch for that.
Please note that the referenced requirement does not state that only one Subject EmailAddress field is allowed in a compliant certificate, but that each Subject EmailAddress field contains only a single email address. Currently this lint is technically wrong per reference but not practically wrong in implementation: each Subject EmailAddress must appear as a SAN in the certificate, and therefore each SAN EmailAddress should also only contain a single email address.
@jdkasten and @cardonator is the discussion in this issue covered by PR #808? If yes, this issue could be closed.
I believe the lint (Name: "e_single_email_if_present", Description: "If present, the subject:emailAddress SHALL contain a single Mailbox Address", Citation: "7.1.4.2.h") refers to this requirement, which is specifically about the subject's relative distinguished names rather than subject alternative names.
The lint's code iterates over c.EmailAddresses, which is the subject alternative name email addresses and not those potentially contained in the subject [documentation]. There should only be one email address in the subject's distinguished name.
I also believe that the citation should be changed to 7.1.4.2.2.h rather than its current 7.1.4.2.h.
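The distinction raised in this issue, as an added example that is not zlint's own code: the check below reads emailAddress attributes from the subject DN (PKCS#9 emailAddress, OID 1.2.840.113549.1.9.1) via `Subject.Names` instead of the SAN rfc822Name values in `c.EmailAddresses`, and requires each such attribute to hold exactly one mailbox address. The helper names (`subjectEmailAddresses`, `isSingleMailbox`, `lintSingleEmailIfPresent`, `makeCert`) are hypothetical, the test certificates are constructed in code, and "single Mailbox Address" is approximated here with net/mail parsing plus a separator check rather than a full RFC 5321 grammar.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"net/mail"
	"strings"
	"time"
)

// PKCS#9 emailAddress attribute type, 1.2.840.113549.1.9.1.
var oidEmailAddress = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 1}

// LintResult mimics a zlint-style outcome (hypothetical names, not zlint's types).
type LintResult string

const (
	LintPass  LintResult = "pass"
	LintError LintResult = "error"
	LintNA    LintResult = "NA"
)

// subjectEmailAddresses returns every emailAddress attribute value in the
// subject DN. Go does not map this OID to a pkix.Name field, so it is only
// reachable through Subject.Names; c.EmailAddresses is the SAN, not the subject.
func subjectEmailAddresses(c *x509.Certificate) []string {
	var out []string
	for _, atv := range c.Subject.Names {
		if atv.Type.Equal(oidEmailAddress) {
			if s, ok := atv.Value.(string); ok {
				out = append(out, s)
			}
		}
	}
	return out
}

// isSingleMailbox reports whether v is exactly one bare mailbox address:
// no list separators, no display name, and it parses as a single address.
func isSingleMailbox(v string) bool {
	if strings.ContainsAny(v, ",; \t") {
		return false
	}
	addr, err := mail.ParseAddress(v)
	return err == nil && addr.Name == "" && addr.Address == v
}

// lintSingleEmailIfPresent: NA when the subject carries no emailAddress,
// error if any subject emailAddress attribute is not a single mailbox.
func lintSingleEmailIfPresent(c *x509.Certificate) LintResult {
	emails := subjectEmailAddresses(c)
	if len(emails) == 0 {
		return LintNA
	}
	for _, e := range emails {
		if !isSingleMailbox(e) {
			return LintError
		}
	}
	return LintPass
}

// makeCert builds a constructed self-signed test certificate with the given
// subject emailAddress attributes and SAN rfc822Name entries.
func makeCert(subjectEmails, sanEmails []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	subj := pkix.Name{CommonName: "lint-test"}
	for _, e := range subjectEmails {
		subj.ExtraNames = append(subj.ExtraNames,
			pkix.AttributeTypeAndValue{Type: oidEmailAddress, Value: e})
	}
	tmpl := &x509.Certificate{
		SerialNumber:   big.NewInt(1),
		Subject:        subj,
		EmailAddresses: sanEmails,
		NotBefore:      time.Now(),
		NotAfter:       time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	cases := []struct {
		name          string
		subject, sans []string
	}{
		{"subject single", []string{"alice@example.com"}, nil},
		{"subject list", []string{"alice@example.com, bob@example.com"}, nil},
		{"SAN only", nil, []string{"alice@example.com"}},
	}
	for _, tc := range cases {
		c, err := makeCert(tc.subject, tc.sans)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-14s subject=%v san=%v -> %s\n",
			tc.name, subjectEmailAddresses(c), c.EmailAddresses, lintSingleEmailIfPresent(c))
	}
}
```

The third case is the one the issue is about: a certificate whose only email is in the SAN yields NA from a subject-targeted check, whereas iterating `c.EmailAddresses` would have treated that SAN value as the subject attribute.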