
Lint for CABF SMIME 7.1.2.3.h - subjectAlternativeName, all: SHALL be present (7.1.2.3.h) #744

Merged (3 commits, Oct 15, 2023)

Conversation

christopher-henderson (Member) wrote:

Resolves #743. Addresses subjectAlternativeName, all: SHALL be present (7.1.2.3.h) from #712

@robplee (Contributor) left a review comment:

I think we need some changes for this PR and #747 re: checkApplies+CertificateLint.Execute.

```go
func (l *SubjectAlternativeNameShallBePresent) CheckApplies(c *x509.Certificate) bool {
	return util.IsSubscriberCert(c)
}
```
@robplee (Contributor) commented on this line:

So, there's a bit of a circular dependency on when this lint might apply. Currently, this lint applies to subscriber certificates with emailProtection EKU. However, by section 1.1 of the SMIME BRs, a certificate isn't an SMIME certificate if it merely contains emailProtection and no subjectAltName extension. So, by failing this lint, it means that it shouldn't apply...

Relevant quote: "An S/MIME Certificate for the purposes of this document can be identified by the existence of an Extended Key Usage (EKU) for id-kp-emailProtection (OID: 1.3.6.1.5.5.7.3.4) and the inclusion of a rfc822Name or an otherName of type id-on-SmtpUTF8Mailbox in the subjectAltName extension."

I guess one option is to refactor lint.base.go to remove the need for emailProtection on SMIME lints or to instead change it to require either (emailProtection AND a SAN extension) OR an SMIME BR policy OID and returning N/A whenever neither of those conditions are met.

It's occurred to me that my #747 PR probably has the same issue, as I've a lint requiring emailProtection, but if it's not present then the lint would be N/A. For simplicity's sake, let's keep the discussion about this here and I'll put a comment on my PR to point to this one.
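The applicability problem described in the comment above can be made concrete with an added example. This is illustrative code written for this page, not zlint's own code and not anything from the PR; zlint's util package is not used. It builds three constructed self-signed certificates with Go's crypto/x509 and runs the 7.1.2.3.h check behind two gates: an emailProtection-only gate (the narrow condition the comment says the lint currently relies on) and the gate proposed above, (emailProtection AND a SAN extension) OR an S/MIME BR policy OID. The helper names (hasSANExtension, appliesByBRDefinition, lintSANPresent, selfSigned), the plain strings standing in for zlint's NA/pass/error results, and the use of 2.23.140.1.5 as the S/MIME BR policy arc are this example's assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"slices"
	"time"
)

// OIDs used by the checks below. These constants and helpers belong to this
// example, not to zlint (whose util package is deliberately not used here).
var (
	oidSubjectAltName = asn1.ObjectIdentifier{2, 5, 29, 17}
	oidCertPolicies   = asn1.ObjectIdentifier{2, 5, 29, 32}
	oidSMIMEBRArc     = asn1.ObjectIdentifier{2, 23, 140, 1, 5} // S/MIME BR policy arc (assumed)
)

func hasEmailProtectionEKU(c *x509.Certificate) bool {
	return slices.Contains(c.ExtKeyUsage, x509.ExtKeyUsageEmailProtection)
}

// hasSANExtension inspects the raw extension list rather than c.EmailAddresses,
// so a SAN extension that carries no rfc822Name still counts as present.
func hasSANExtension(c *x509.Certificate) bool {
	return slices.ContainsFunc(c.Extensions, func(e pkix.Extension) bool { return e.Id.Equal(oidSubjectAltName) })
}

// hasSMIMEBRPolicy reports whether any certificate policy OID sits under the S/MIME BR arc.
func hasSMIMEBRPolicy(c *x509.Certificate) bool {
	return slices.ContainsFunc(c.PolicyIdentifiers, func(p asn1.ObjectIdentifier) bool {
		return len(p) > len(oidSMIMEBRArc) && p[:len(oidSMIMEBRArc)].Equal(oidSMIMEBRArc)
	})
}

// appliesByBRDefinition is the gate proposed in the review comment:
// (emailProtection AND a SAN extension) OR an S/MIME BR policy OID.
func appliesByBRDefinition(c *x509.Certificate) bool {
	return (hasEmailProtectionEKU(c) && hasSANExtension(c)) || hasSMIMEBRPolicy(c)
}

// lintSANPresent evaluates 7.1.2.3.h behind a pluggable applicability gate,
// returning zlint's three-way outcome as "NA", "pass" or "error".
func lintSANPresent(c *x509.Certificate, applies func(*x509.Certificate) bool) string {
	switch {
	case !applies(c):
		return "NA"
	case hasSANExtension(c):
		return "pass"
	default:
		return "error"
	}
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// selfSigned builds a constructed self-signed certificate and re-parses it, so the
// checks above see Extensions derived from real DER. certificatePolicies is encoded
// by hand so the example does not depend on how a given Go release marshals policies.
func selfSigned(emails []string, eku []x509.ExtKeyUsage, policy asn1.ObjectIdentifier) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber:   big.NewInt(1),
		Subject:        pkix.Name{CommonName: "constructed test cert"},
		NotBefore:      time.Now(),
		NotAfter:       time.Now().Add(time.Hour),
		EmailAddresses: emails, // non-empty list => Go emits a SAN extension with rfc822Name entries
		ExtKeyUsage:    eku,
	}
	if policy != nil {
		// certificatePolicies ::= SEQUENCE OF SEQUENCE { policyIdentifier OBJECT IDENTIFIER }
		der, err := asn1.Marshal([]struct{ ID asn1.ObjectIdentifier }{{policy}})
		check(err)
		tmpl.ExtraExtensions = []pkix.Extension{{Id: oidCertPolicies, Value: der}}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	check(err)
	c, err := x509.ParseCertificate(der)
	check(err)
	return c
}

func main() {
	emailEKU := []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}
	smimePolicy := asn1.ObjectIdentifier{2, 23, 140, 1, 5, 1, 1} // an OID under the S/MIME BR arc
	for name, c := range map[string]*x509.Certificate{
		"emailProtection + rfc822Name SAN": selfSigned([]string{"alice@example.test"}, emailEKU, nil),
		"emailProtection, no SAN":          selfSigned(nil, emailEKU, nil),
		"S/MIME BR policy OID, no SAN":     selfSigned(nil, nil, smimePolicy),
	} {
		fmt.Printf("%-33s EKU-only gate: %-5s  BR-definition gate: %s\n",
			name, lintSANPresent(c, hasEmailProtectionEKU), lintSANPresent(c, appliesByBRDefinition))
	}
}
```

Under the EKU-only gate the second certificate (emailProtection, no SAN) is reported as an error even though, by section 1.1 of the S/MIME BRs as quoted above, it is not an S/MIME certificate at all; under the proposed gate it goes N/A. The third certificate, which asserts an S/MIME BR policy OID but carries no SAN, is the case the proposed gate still catches: it applies via the policy OID and the lint then fails it.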

christopher-henderson (Member, Author) replied:

I believe this to be a separate issue and I have begun tracking it at #748.

That said, I am inclined to move forward with merging this (and other lints) as it implements 7.1.2.3.h quite precisely:

subjectAlternativeName, all: SHALL be present

Any separate issues with regard to the general applicability of SMIME certificates from within the framework is out of scope of this change.

v3/lints/cabf_smime_br/lint_san_shall_be_present.go (outdated review thread, resolved)