...
1 package cabfbr
2
3 import (
4 "github.com/zmap/zcrypto/encoding/asn1"
5 "github.com/zmap/zcrypto/x509"
6 "github.com/zmap/zlint/v3/lint"
7 "github.com/zmap/zlint/v3/util"
8 )
9
// crlCriticalReasonCodes is the lint registered in this file as
// "e_crl_no_critical_reason_codes". The struct has no fields, so every
// instance is interchangeable and carries no per-run state.
type crlCriticalReasonCodes struct{}
11
12
16
// init registers the lint with zlint's revocation-list lint registry at
// package load time, so the check is available without explicit wiring.
func init() {
	// Metadata is built separately from the registration call so the
	// requirement being enforced (BRs 7.2.2.1) is easy to find and audit.
	meta := lint.LintMetadata{
		Name:          "e_crl_no_critical_reason_codes",
		Description:   "CRL entry reasonCode extension MUST NOT be marked critical",
		Citation:      "BRs: 7.2.2.1",
		Source:        lint.CABFBaselineRequirements,
		EffectiveDate: util.CABFBRs_1_8_0_Date,
	}

	lint.RegisterRevocationListLint(&lint.RevocationListLint{
		LintMetadata: meta,
		Lint:         NewCrlCriticalReasonCodes,
	})
}
29
// NewCrlCriticalReasonCodes is the constructor handed to the lint registry.
// It returns a fresh, stateless lint instance behind the
// lint.RevocationListLintInterface interface.
func NewCrlCriticalReasonCodes() lint.RevocationListLintInterface {
	return new(crlCriticalReasonCodes)
}
33
// CheckApplies reports whether the lint should run against c. It is
// unconditional: every CRL is checked, including one with no revoked
// entries (for which Execute finds nothing to flag and passes).
func (l *crlCriticalReasonCodes) CheckApplies(c *x509.RevocationList) bool {
	// No precondition on the CRL contents; c is not inspected here.
	return true
}
37
// Execute scans every revoked-certificate entry in c and fails the CRL if
// any entry carries a reasonCode extension with the critical bit set.
//
// RFC 5280 section 5.3.1 defines reasonCode as a non-critical CRL entry
// extension, and the lint's citation (BRs 7.2.2.1) forbids marking it
// critical. A relying party that meets a critical entry extension it cannot
// process must not use the CRL at all, so a stray critical bit can disable
// revocation checking for every certificate the CRL covers.
//
// The scan returns on the first offending entry; the result does not say
// which entry triggered it. A CRL with no offending entry yields lint.Pass.
func (l *crlCriticalReasonCodes) Execute(c *x509.RevocationList) *lint.LintResult {
	// id-ce-cRLReasons, the OID of the reasonCode CRL entry extension.
	oidReasonCode := asn1.ObjectIdentifier{2, 5, 29, 21}

	for _, entry := range c.RevokedCertificates {
		for _, e := range entry.Extensions {
			// Skip anything that is not a critical reasonCode extension.
			if !e.Id.Equal(oidReasonCode) || !e.Critical {
				continue
			}
			return &lint.LintResult{
				Status:  lint.Error,
				Details: "CRL entry reasonCode extension MUST NOT be marked critical",
			}
		}
	}

	return &lint.LintResult{Status: lint.Pass}
}
52