
Source file src/github.com/letsencrypt/boulder/linter/lints/cpcps/lint_crl_has_no_cert_issuers.go


     1  package cpcps
     2  
     3  import (
     4  	"github.com/zmap/zcrypto/encoding/asn1"
     5  	"github.com/zmap/zcrypto/x509"
     6  	"github.com/zmap/zlint/v3/lint"
     7  
     8  	"github.com/letsencrypt/boulder/linter/lints"
     9  )
    10  
    11  // crlHasNoCertIssuers is a stateless zlint RevocationList lint. It flags any
    12  // CRL entry that carries the id-ce-certificateIssuer extension (see Execute).
    13  type crlHasNoCertIssuers struct{}
    12  
    13  /************************************************
    14  RFC 5280: 5.3.3
    15  
    16  Section 5.3.3 defines the Certificate Issuer entry extension. The presence of
    17  this extension means that the CRL is an "indirect CRL", including certificates
    18  which were issued by a different issuer than the one issuing the CRL itself.
    19  We do not issue indirect CRLs, so our CRL entries should not have this extension.
    20  ************************************************/
    21  
    22  // init registers e_crl_has_no_cert_issuers with zlint's CRL lint registry so
    23  // it runs alongside the other CPS lints. Citation is deliberately empty here;
    24  // the RFC 5280 §5.3.3 rationale lives in the file header comment.
    25  func init() {
    26  	meta := lint.LintMetadata{
    27  		Name:          "e_crl_has_no_cert_issuers",
    28  		Description:   "Let's Encrypt does not issue indirect CRLs",
    29  		Citation:      "",
    30  		Source:        lints.LetsEncryptCPS,
    31  		EffectiveDate: lints.CPSV33Date,
    32  	}
    33  	lint.RegisterRevocationListLint(&lint.RevocationListLint{
    34  		LintMetadata: meta,
    35  		Lint:         NewCrlHasNoCertIssuers,
    36  	})
    37  }
    34  
    35  // NewCrlHasNoCertIssuers is the constructor zlint invokes to obtain a lint
    36  // instance. The lint holds no state, so a zero-value struct suffices.
    37  func NewCrlHasNoCertIssuers() lint.RevocationListLintInterface {
    38  	var l crlHasNoCertIssuers
    39  	return &l
    40  }
    38  
    39  // CheckApplies reports whether this lint should run for the given CRL. It
    40  // applies unconditionally: every CRL this code base produces is expected to be
    41  // a direct CRL, so there is no CRL shape for which the check is irrelevant.
    42  func (l *crlHasNoCertIssuers) CheckApplies(_ *x509.RevocationList) bool {
    43  	return true
    44  }
    42  
    43  // Execute walks every revoked-certificate entry and looks for the
    44  // id-ce-certificateIssuer entry extension (OID 2.5.29.29, RFC 5280 §5.3.3).
    45  // The first entry carrying it yields a Notice; if no entry has it, the lint
    46  // passes.
    47  //
    48  // NOTE(review): the lint is registered under an "e_" (error-class) name but
    49  // returns lint.Notice rather than lint.Error. Whether a Notice is enough to
    50  // stop an indirect CRL from being published depends on how the caller treats
    51  // the result set — confirm that severity is what is intended.
    52  //
    53  // NOTE(review): only entry-level extensions are inspected. The CRL-level
    54  // indirectCRL flag of the Issuing Distribution Point extension (RFC 5280
    55  // §5.2.5) is not examined here; presumably another lint covers it — verify.
    56  func (l *crlHasNoCertIssuers) Execute(c *x509.RevocationList) *lint.LintResult {
    57  	// id-ce-certificateIssuer: its presence on an entry marks an indirect CRL.
    58  	certificateIssuer := asn1.ObjectIdentifier{2, 5, 29, 29}
    59  
    60  	for i := range c.RevokedCertificates {
    61  		ext := lints.GetExtWithOID(c.RevokedCertificates[i].Extensions, certificateIssuer)
    62  		if ext == nil {
    63  			continue
    64  		}
    65  		return &lint.LintResult{
    66  			Status:  lint.Notice,
    67  			Details: "CRL has an entry with a Certificate Issuer extension",
    68  		}
    69  	}
    70  
    71  	return &lint.LintResult{Status: lint.Pass}
    72  }
    55  
