Add lints for S/MIME BR 7.1.2.3l (#805)

* Add lints for S/MIME BR 7.1.2.3l

* Save results of util functions as variables to make logic clearer.

---------

Co-authored-by: Christopher Henderson <[email protected]>

Author: bitlux

v3/lints/cabf_smime_br/lint_legal_entity_identifier.go

@@ -0,0 +1,83 @@
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+package cabf_smime_br
+
+import (
+	"github.com/zmap/zcrypto/x509"
+	"github.com/zmap/zlint/v3/lint"
+	"github.com/zmap/zlint/v3/util"
+)
+
+func init() {
+	lint.RegisterCertificateLint(&lint.CertificateLint{
+		LintMetadata: lint.LintMetadata{
+			Name:          "e_legal_entity_identifier",
+			Description:   "Mailbox/individual: prohibited. Organization/sponsor: may be present",
+			Citation:      "7.1.2.3.l",
+			Source:        lint.CABFSMIMEBaselineRequirements,
+			EffectiveDate: util.CABF_SMIME_BRs_1_0_0_Date,
+		},
+		Lint: NewLegalEntityIdentifier,
+	})
+}
+
+type legalEntityIdentifier struct{}
+
+func NewLegalEntityIdentifier() lint.LintInterface {
+	return &legalEntityIdentifier{}
+}
+
+func (l *legalEntityIdentifier) CheckApplies(c *x509.Certificate) bool {
+	return util.IsSubscriberCert(c) && util.IsSMIMEBRCertificate(c)
+}
+
+func (l *legalEntityIdentifier) Execute(c *x509.Certificate) *lint.LintResult {
+	leiPresent := util.IsExtInCert(c, util.LegalEntityIdentifierOID)
+	leiExt := util.GetExtFromCert(c, util.LegalEntityIdentifierOID)
+	leiRolePresent := util.IsExtInCert(c, util.LegalEntityIdentifierRoleOID)
+	leiRoleExt := util.GetExtFromCert(c, util.LegalEntityIdentifierRoleOID)
+
+	switch {
+	case util.IsMailboxValidatedCertificate(c), util.IsIndividualValidatedCertificate(c):
+		if leiPresent {
+			// Mailbox-validated and Individual-validated prohibited.
+			return &lint.LintResult{Status: lint.Error, Details: "Legal Entity Identifier extension present"}
+		}
+	case util.IsOrganizationValidatedCertificate(c):
+		if leiPresent && leiExt.Critical {
+			// LEI (1.3.6.1.4.1.52266.1) MAY be present and SHALL NOT be marked critical.
+			return &lint.LintResult{Status: lint.Error, Details: "Legal Entity Identifier extension present and critical"}
+		}
+		if leiRolePresent {
+			// This is affirming the negative. Sponsor validated certificates MAY have an LEI Role, so
+			// it is being taken here that not explicitly as such for organization validated certificates
+			// implies that they are not allowed.
+			return &lint.LintResult{Status: lint.Error, Details: "Legal Entity Identifier Role extension present"}
+		}
+	case util.IsSponsorValidatedCertificate(c):
+		if leiPresent && leiExt.Critical {
+			// LEI (1.3.6.1.4.1.52266.1) MAY be present and SHALL NOT be marked critical.
+			return &lint.LintResult{Status: lint.Error, Details: "Legal Entity Identifier extension present and critical"}
+		}
+		if leiRolePresent && leiRoleExt.Critical {
+			// LEI Role (1.3.6.1.4.1.52266.2) MAY be present and SHALL NOT be marked critical.
+			return &lint.LintResult{Status: lint.Error, Details: "Legal Entity Identifier Role extension present and critical"}
+		}
+	default:
+		return &lint.LintResult{Status: lint.Error, Details: "Unknown validation type"}
+	}
+
+	return &lint.LintResult{Status: lint.Pass}
+}

v3/lints/cabf_smime_br/lint_legal_entity_identifier_test.go

@@ -0,0 +1,72 @@
+package cabf_smime_br
+
+import (
+	"testing"
+
+	"github.com/zmap/zlint/v3/lint"
+	"github.com/zmap/zlint/v3/test"
+)
+
+func TestLegalEntityIdentifier(t *testing.T) {
+	testCases := []struct {
+		Name            string
+		InputFilename   string
+		ExpectedResult  lint.LintStatus
+		ExpectedDetails string
+	}{
+		{
+			Name:           "pass - mailbox validated, Legal Entity Identifier not present",
+			InputFilename:  "smime/mailboxValidatedLegacyWithCommonName.pem",
+			ExpectedResult: lint.Pass,
+		},
+		{
+			Name:            "error - mailbox validated, Legal Entity Identifier present",
+			InputFilename:   "smime/mailbox_validated_with_lei.pem",
+			ExpectedResult:  lint.Error,
+			ExpectedDetails: "Legal Entity Identifier extension present",
+		},
+		{
+			Name:            "error - individual validated, Legal Entity Identifier present",
+			InputFilename:   "smime/individual_validated_with_lei.pem",
+			ExpectedResult:  lint.Error,
+			ExpectedDetails: "Legal Entity Identifier extension present",
+		},
+		{
+			Name:            "error - organization validated, Legal Entity Identifier critical",
+			InputFilename:   "smime/organization_validated_with_lei_critical.pem",
+			ExpectedResult:  lint.Error,
+			ExpectedDetails: "Legal Entity Identifier extension present and critical",
+		},
+		{
+			Name:            "error - organization validated, Legal Entity Identifier Role present",
+			InputFilename:   "smime/organization_validated_with_lei_role.pem",
+			ExpectedResult:  lint.Error,
+			ExpectedDetails: "Legal Entity Identifier Role extension present",
+		},
+		{
+			Name:            "error - sponsor validated, Legal Entity Identifier critical",
+			InputFilename:   "smime/sponsor_validated_with_lei_critical.pem",
+			ExpectedResult:  lint.Error,
+			ExpectedDetails: "Legal Entity Identifier extension present and critical",
+		},
+		{
+			Name:            "error - sponsor validated, Legal Entity Identifier Role present",
+			InputFilename:   "smime/sponsor_validated_with_lei_role_critical.pem",
+			ExpectedResult:  lint.Error,
+			ExpectedDetails: "Legal Entity Identifier Role extension present and critical",
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.Name, func(t *testing.T) {
+			result := test.TestLint("e_legal_entity_identifier", tc.InputFilename)
+			if result.Status != tc.ExpectedResult {
+				t.Errorf("expected result %v was %v", tc.ExpectedResult, result.Status)
+			}
+
+			if tc.ExpectedDetails != result.Details {
+				t.Errorf("expected details: %q, was %q", tc.ExpectedDetails, result.Details)
+			}
+		})
+	}
+}

v3/testdata/smime/individual_validated_with_lei.pem

@@ -0,0 +1,44 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 3 (0x3)
+        Signature Algorithm: ecdsa-with-SHA256
+        Issuer: 
+        Validity
+            Not Before: Feb 27 20:23:43 2024 GMT
+            Not After : Nov 30 00:00:00 9998 GMT
+        Subject: 
+        Subject Public Key Info:
+            Public Key Algorithm: id-ecPublicKey
+                Public-Key: (256 bit)
+                pub:
+                    04:cd:01:83:83:79:70:8b:18:4b:21:2b:90:21:06:
+                    46:67:63:13:21:83:7c:13:e8:7b:e5:b9:bd:d9:4e:
+                    6d:c4:83:ad:1b:76:3f:92:be:b5:cb:f5:25:ea:10:
+                    1b:a8:dc:c1:53:f4:c1:d6:68:c5:bc:db:3f:79:90:
+                    8a:c5:56:28:cb
+                ASN1 OID: prime256v1
+                NIST CURVE: P-256
+        X509v3 extensions:
+            X509v3 Extended Key Usage: 
+                E-mail Protection
+            X509v3 Certificate Policies: 
+                Policy: 2.23.140.1.5.4.3
+            1.3.6.1.4.1.52266.1: 
+                0.
+    Signature Algorithm: ecdsa-with-SHA256
+    Signature Value:
+        30:46:02:21:00:92:2e:20:05:41:95:b7:20:54:9b:91:4c:dd:
+        95:2e:6b:1c:05:5a:a6:87:d0:26:b5:e5:d8:2b:b7:bb:0c:1b:
+        b4:02:21:00:e8:f2:41:83:94:1e:1b:22:bd:9b:2b:2b:1a:f6:
+        19:49:fc:9b:48:87:fc:ef:f7:01:b5:29:47:73:55:89:52:4a
+-----BEGIN CERTIFICATE-----
+MIIBLzCB1aADAgECAgEDMAoGCCqGSM49BAMCMAAwIBcNMjQwMjI3MjAyMzQzWhgP
+OTk5ODExMzAwMDAwMDBaMAAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATNAYOD
+eXCLGEshK5AhBkZnYxMhg3wT6Hvlub3ZTm3Eg60bdj+SvrXL9SXqEBuo3MFT9MHW
+aMW82z95kIrFVijLoz4wPDATBgNVHSUEDDAKBggrBgEFBQcDBDAUBgNVHSAEDTAL
+MAkGB2eBDAEFBAMwDwYJKwYBBAGDmCoBBAIwADAKBggqhkjOPQQDAgNJADBGAiEA
+ki4gBUGVtyBUm5FM3ZUuaxwFWqaH0Ca15dgrt7sMG7QCIQDo8kGDlB4bIr2bKysa
+9hlJ/JtIh/zv9wG1KUdzVYlSSg==
+-----END CERTIFICATE-----
+

v3/testdata/smime/mailbox_validated_with_lei.pem

@@ -0,0 +1,45 @@
+-------------Leaf-------------
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 3 (0x3)
+        Signature Algorithm: ecdsa-with-SHA256
+        Issuer: 
+        Validity
+            Not Before: Feb 27 21:32:26 2024 GMT
+            Not After : Nov 30 00:00:00 9998 GMT
+        Subject: 
+        Subject Public Key Info:
+            Public Key Algorithm: id-ecPublicKey
+                Public-Key: (256 bit)
+                pub:
+                    04:f6:9a:d1:8b:a9:66:fe:3b:dd:44:58:3b:30:3d:
+                    a8:18:ab:05:c5:0a:f7:dd:7e:10:fd:82:16:2a:78:
+                    22:d1:da:13:3e:f3:13:24:7a:53:5d:a5:a2:c1:fa:
+                    04:d6:65:e5:ee:39:03:03:b6:0b:0a:35:54:a7:1b:
+                    c4:17:74:a0:c4
+                ASN1 OID: prime256v1
+                NIST CURVE: P-256
+        X509v3 extensions:
+            X509v3 Extended Key Usage: 
+                E-mail Protection
+            X509v3 Certificate Policies: 
+                Policy: 2.23.140.1.5.1.3
+            1.3.6.1.4.1.52266.1: 
+                0.
+    Signature Algorithm: ecdsa-with-SHA256
+    Signature Value:
+        30:45:02:20:6e:d8:65:3b:9b:b9:08:77:e2:bc:2b:a6:24:1e:
+        95:3c:60:61:21:68:35:3e:be:77:95:26:d8:cc:bd:24:f4:37:
+        02:21:00:ed:f8:2e:11:8f:1f:5b:ba:15:5e:25:27:0a:53:dc:
+        7f:f3:d6:33:6f:cd:64:45:ac:a6:37:ba:fa:4d:48:1b:05
+-----BEGIN CERTIFICATE-----
+MIIBLjCB1aADAgECAgEDMAoGCCqGSM49BAMCMAAwIBcNMjQwMjI3MjEzMjI2WhgP
+OTk5ODExMzAwMDAwMDBaMAAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAT2mtGL
+qWb+O91EWDswPagYqwXFCvfdfhD9ghYqeCLR2hM+8xMkelNdpaLB+gTWZeXuOQMD
+tgsKNVSnG8QXdKDEoz4wPDATBgNVHSUEDDAKBggrBgEFBQcDBDAUBgNVHSAEDTAL
+MAkGB2eBDAEFAQMwDwYJKwYBBAGDmCoBBAIwADAKBggqhkjOPQQDAgNIADBFAiBu
+2GU7m7kId+K8K6YkHpU8YGEhaDU+vneVJtjMvST0NwIhAO34LhGPH1u6FV4lJwpT
+3H/z1jNvzWRFrKY3uvpNSBsF
+-----END CERTIFICATE-----
+

v3/testdata/smime/organization_validated_with_lei_critical.pem

@@ -0,0 +1,44 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 3 (0x3)
+        Signature Algorithm: ecdsa-with-SHA256
+        Issuer: 
+        Validity
+            Not Before: Feb 27 20:24:36 2024 GMT
+            Not After : Nov 30 00:00:00 9998 GMT
+        Subject: 
+        Subject Public Key Info:
+            Public Key Algorithm: id-ecPublicKey
+                Public-Key: (256 bit)
+                pub:
+                    04:99:e8:3b:1a:e3:b2:a5:f2:15:04:66:e3:a5:33:
+                    c7:f5:e3:91:1b:fd:0d:9a:50:8b:71:21:e6:90:c6:
+                    63:09:94:44:52:f7:6c:27:4e:48:11:13:cb:20:aa:
+                    3b:b9:f9:8b:d4:8b:82:a7:a1:36:b3:84:8d:a2:f3:
+                    59:fa:8e:24:77
+                ASN1 OID: prime256v1
+                NIST CURVE: P-256
+        X509v3 extensions:
+            X509v3 Extended Key Usage: 
+                E-mail Protection
+            X509v3 Certificate Policies: 
+                Policy: 2.23.140.1.5.2.3
+            1.3.6.1.4.1.52266.1: critical
+                0.
+    Signature Algorithm: ecdsa-with-SHA256
+    Signature Value:
+        30:46:02:21:00:ad:ff:32:f7:5d:60:46:16:5c:11:3c:52:c4:
+        0c:6e:42:56:73:49:51:ac:19:30:ee:fe:a8:2a:50:92:3c:a3:
+        92:02:21:00:99:b4:76:21:39:93:d4:b5:fd:fb:c6:ff:48:f4:
+        56:e6:67:ed:84:aa:bb:18:63:83:0b:8f:73:67:b4:89:71:ec
+-----BEGIN CERTIFICATE-----
+MIIBMjCB2KADAgECAgEDMAoGCCqGSM49BAMCMAAwIBcNMjQwMjI3MjAyNDM2WhgP
+OTk5ODExMzAwMDAwMDBaMAAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASZ6Dsa
+47Kl8hUEZuOlM8f145Eb/Q2aUItxIeaQxmMJlERS92wnTkgRE8sgqju5+YvUi4Kn
+oTazhI2i81n6jiR3o0EwPzATBgNVHSUEDDAKBggrBgEFBQcDBDAUBgNVHSAEDTAL
+MAkGB2eBDAEFAgMwEgYJKwYBBAGDmCoBAQH/BAIwADAKBggqhkjOPQQDAgNJADBG
+AiEArf8y911gRhZcETxSxAxuQlZzSVGsGTDu/qgqUJI8o5ICIQCZtHYhOZPUtf37
+xv9I9FbmZ+2EqrsYY4MLj3NntIlx7A==
+-----END CERTIFICATE-----
+

v3/testdata/smime/organization_validated_with_lei_role.pem

@@ -0,0 +1,44 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 3 (0x3)
+        Signature Algorithm: ecdsa-with-SHA256
+        Issuer: 
+        Validity
+            Not Before: Feb 27 21:24:08 2024 GMT
+            Not After : Nov 30 00:00:00 9998 GMT
+        Subject: 
+        Subject Public Key Info:
+            Public Key Algorithm: id-ecPublicKey
+                Public-Key: (256 bit)
+                pub:
+                    04:65:5a:40:93:2d:68:a9:f2:bc:25:f1:d5:73:41:
+                    7e:d1:8b:df:e3:ff:78:c6:35:18:e7:1a:01:18:19:
+                    87:5f:7e:db:97:6b:73:bd:b2:52:5c:58:87:59:4e:
+                    6a:2d:8d:4e:ea:7a:c9:84:7e:68:18:61:64:a0:c6:
+                    35:7d:e0:e4:b8
+                ASN1 OID: prime256v1
+                NIST CURVE: P-256
+        X509v3 extensions:
+            X509v3 Extended Key Usage: 
+                E-mail Protection
+            X509v3 Certificate Policies: 
+                Policy: 2.23.140.1.5.2.3
+            1.3.6.1.4.1.52266.2: 
+                0.
+    Signature Algorithm: ecdsa-with-SHA256
+    Signature Value:
+        30:45:02:20:74:8e:47:17:c0:68:88:aa:48:2d:bb:e1:ea:5e:
+        b1:4b:9e:34:52:3d:84:81:64:8d:7f:c0:c7:2c:34:36:a8:8b:
+        02:21:00:fe:54:e1:63:17:25:a7:2f:b8:89:d1:19:d8:81:a2:
+        bc:e6:d1:0b:7a:f7:e0:3b:8a:5e:d3:63:dd:d2:d0:91:8d
+-----BEGIN CERTIFICATE-----
+MIIBLjCB1aADAgECAgEDMAoGCCqGSM49BAMCMAAwIBcNMjQwMjI3MjEyNDA4WhgP
+OTk5ODExMzAwMDAwMDBaMAAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARlWkCT
+LWip8rwl8dVzQX7Ri9/j/3jGNRjnGgEYGYdfftuXa3O9slJcWIdZTmotjU7qesmE
+fmgYYWSgxjV94OS4oz4wPDATBgNVHSUEDDAKBggrBgEFBQcDBDAUBgNVHSAEDTAL
+MAkGB2eBDAEFAgMwDwYJKwYBBAGDmCoCBAIwADAKBggqhkjOPQQDAgNIADBFAiB0
+jkcXwGiIqkgtu+HqXrFLnjRSPYSBZI1/wMcsNDaoiwIhAP5U4WMXJacvuInRGdiB
+orzm0Qt69+A7il7TY93S0JGN
+-----END CERTIFICATE-----
+

v3/testdata/smime/sponsor_validated_with_lei_critical.pem

@@ -0,0 +1,44 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 3 (0x3)
+        Signature Algorithm: ecdsa-with-SHA256
+        Issuer: 
+        Validity
+            Not Before: Feb 27 20:27:18 2024 GMT
+            Not After : Nov 30 00:00:00 9998 GMT
+        Subject: 
+        Subject Public Key Info:
+            Public Key Algorithm: id-ecPublicKey
+                Public-Key: (256 bit)
+                pub:
+                    04:70:4c:86:07:80:17:0b:2c:db:4d:32:0b:fa:5b:
+                    2b:7a:90:09:60:f5:d9:10:f9:1f:c7:a9:1d:b2:84:
+                    91:0c:88:ac:de:c2:85:a3:39:2b:89:70:6d:44:16:
+                    49:ae:46:92:82:c6:d8:05:7d:3c:16:80:9b:fb:11:
+                    41:df:03:ee:05
+                ASN1 OID: prime256v1
+                NIST CURVE: P-256
+        X509v3 extensions:
+            X509v3 Extended Key Usage: 
+                E-mail Protection
+            X509v3 Certificate Policies: 
+                Policy: 2.23.140.1.5.3.3
+            1.3.6.1.4.1.52266.1: critical
+                0.
+    Signature Algorithm: ecdsa-with-SHA256
+    Signature Value:
+        30:45:02:21:00:a8:1d:cf:1e:5e:8d:ea:40:f2:30:0b:4b:b9:
+        11:42:75:de:30:00:7b:31:ba:0f:df:64:83:72:0f:2e:94:a7:
+        84:02:20:4d:95:81:58:2a:2b:ab:86:3a:ae:37:25:10:79:56:
+        7c:07:01:34:06:5f:4c:f9:cc:40:1d:31:e4:94:48:34:db
+-----BEGIN CERTIFICATE-----
+MIIBMTCB2KADAgECAgEDMAoGCCqGSM49BAMCMAAwIBcNMjQwMjI3MjAyNzE4WhgP
+OTk5ODExMzAwMDAwMDBaMAAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARwTIYH
+gBcLLNtNMgv6Wyt6kAlg9dkQ+R/HqR2yhJEMiKzewoWjOSuJcG1EFkmuRpKCxtgF
+fTwWgJv7EUHfA+4Fo0EwPzATBgNVHSUEDDAKBggrBgEFBQcDBDAUBgNVHSAEDTAL
+MAkGB2eBDAEFAwMwEgYJKwYBBAGDmCoBAQH/BAIwADAKBggqhkjOPQQDAgNIADBF
+AiEAqB3PHl6N6kDyMAtLuRFCdd4wAHsxug/fZINyDy6Up4QCIE2VgVgqK6uGOq43
+JRB5VnwHATQGX0z5zEAdMeSUSDTb
+-----END CERTIFICATE-----
+