1 package rfc
2
3 import (
4 "github.com/zmap/zcrypto/x509"
5 "github.com/zmap/zlint/v3/lint"
6 "github.com/zmap/zlint/v3/util"
7 "golang.org/x/crypto/cryptobyte"
8 cryptobyte_asn1 "golang.org/x/crypto/cryptobyte/asn1"
9 )
10
// crlHasAKI is the revocation-list lint that checks a CRL carries an
// authority key identifier extension using the keyIdentifier method.
// It holds no state; all work happens in Execute.
type crlHasAKI struct{}
12
// init registers the e_crl_has_aki lint in zlint's revocation-list lint
// registry, citing RFC 5280 section 5.2.1 and effective from the RFC 5280
// date, with NewCrlHasAKI as its constructor.
func init() {
	// NOTE(review): the Description string reads as truncated; confirm it
	// against the upstream source before relying on it in reports.
	meta := lint.LintMetadata{
		Name:          "e_crl_has_aki",
		Description:   "Conforming",
		Citation:      "RFC 5280: 5.2.1",
		Source:        lint.RFC5280,
		EffectiveDate: util.RFC5280Date,
	}
	lint.RegisterRevocationListLint(&lint.RevocationListLint{
		LintMetadata: meta,
		Lint:         NewCrlHasAKI,
	})
}
31
// NewCrlHasAKI is the constructor registered with zlint. It returns a
// fresh, zero-valued crlHasAKI as a RevocationListLintInterface.
func NewCrlHasAKI() lint.RevocationListLintInterface {
	var l crlHasAKI
	return &l
}
35
// CheckApplies reports whether this lint runs for the given CRL. The
// authority key identifier requirement is unconditional for CRLs, so the
// lint applies to every revocation list and this always returns true.
func (l *crlHasAKI) CheckApplies(c *x509.RevocationList) bool {
	return true
}
39
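// Execute checks that the CRL carries an authority key identifier (AKI)
// extension and that the extension uses the keyIdentifier method.
//
// c.AuthorityKeyId is parsed as the DER-encoded AuthorityKeyIdentifier
// SEQUENCE with cryptobyte rather than trusting its length alone.
//
// Returns a lint.Error result when the extension is absent, when its value
// does not parse as exactly one SEQUENCE (malformed or trailing bytes), when
// the SEQUENCE does not start with a [0]-tagged keyIdentifier, or when that
// element cannot be read; lint.Pass otherwise.
func (l *crlHasAKI) Execute(c *x509.RevocationList) *lint.LintResult {
	if len(c.AuthorityKeyId) == 0 {
		return &lint.LintResult{
			Status:  lint.Error,
			Details: "CRLs MUST include the authority key identifier extension",
		}
	}
	aki := cryptobyte.String(c.AuthorityKeyId)
	var akiBody cryptobyte.String
	// The extension value must be exactly one SEQUENCE. Bytes left over
	// after it mean the value is not a valid DER encoding of
	// AuthorityKeyIdentifier, so they are reported rather than ignored.
	if !aki.ReadASN1(&akiBody, cryptobyte_asn1.SEQUENCE) || !aki.Empty() {
		return &lint.LintResult{
			Status:  lint.Error,
			Details: "CRL has a malformed authority key identifier extension",
		}
	}
	// keyIdentifier is the [0]-tagged first element of the SEQUENCE. The
	// tag peek keeps the distinct "wrong method" diagnostic; the subsequent
	// read rejects an element whose length octets are broken, which a peek
	// of the tag alone would let through.
	if !akiBody.PeekASN1Tag(cryptobyte_asn1.Tag(0).ContextSpecific()) {
		return &lint.LintResult{
			Status:  lint.Error,
			Details: "CRLs MUST use the key identifier method in the authority key identifier extension",
		}
	}
	var keyID cryptobyte.String
	if !akiBody.ReadASN1(&keyID, cryptobyte_asn1.Tag(0).ContextSpecific()) {
		return &lint.LintResult{
			Status:  lint.Error,
			Details: "CRL has a malformed authority key identifier extension",
		}
	}
	return &lint.LintResult{Status: lint.Pass}
}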
63