Lints for CABF SMIME BRs 7.1.2.3.f - EKUs#747
Lints for CABF SMIME BRs 7.1.2.3.f - EKUs#747christopher-henderson merged 7 commits intozmap:masterfrom
Conversation
|
Merging is blocked until this conversation is resolved: #744 (comment) EDIT: no need to block merge. Conversation has been moved to #748 |
| // - Mailbox Validated Strict | ||
| func (l *mailboxValidatedEnforceSubjectFieldRestrictions) CheckApplies(c *x509.Certificate) bool { | ||
| return util.IsMailboxValidatedCertificate(c) | ||
| return util.IsMailboxValidatedCertificate(c) && util.IsSubscriberCert(c) |
There was a problem hiding this comment.
To address #713 (comment) raised by @mtgag
|
@christopher-henderson, would you be able to give this a look over? I'm starting to work on some KU SMIME lints and it'd be easier if some of the util changes from this PR were on master. |
christopher-henderson
left a comment
christopher-henderson
left a comment
There was a problem hiding this comment.
@robplee indeed! I was holding off on reviewing until I thought you were sure that the PR was ready for review.
If you were ready for a review much earlier, then I ask that in the future you assign me as a reviewer or reach out when you think it will be ready.
| return false | ||
| } | ||
|
|
||
| func IsLegacySMIMECertificate(c *x509.Certificate) bool { |
There was a problem hiding this comment.
Thank you so much for adding these 🙏 it was sorely needed for many of the other CheckApplies.
| lint.RegisterCertificateLint(&lint.CertificateLint{ | ||
| LintMetadata: lint.LintMetadata{ | ||
| Name: "e_smime_legacy_multipurpose_eku_check", | ||
| Description: "Strict/Multipurpose and Legacy: id-kp-emailProtection SHALL be present. Other values MAY be present. The values id-kp-serverAuth, id-kp-codeSigning, id-kp-timeStamping, and anyExtendedKeyUsage values SHALL NOT be present.", |
There was a problem hiding this comment.
In general, it's preferred if there is only one SHALL clause in a given lint. This is primarily due to the scenario of encountering both errors at the same time, which typically results in one error shadowing the other. Both errors will eventually be addressed, although the second one will only show up after the first one is resolved.
That's not a blocker for this particular lint, I think, but just a consideration for others.
2 participants
Aiming for all three of the EKU entries from #712