From dca4c0ccec76d95c74dafe15309d7247ee6657f9 Mon Sep 17 00:00:00 2001
From: BJ Cardon
Date: Tue, 30 Jan 2024 11:08:31 -0700
Subject: [PATCH 1/2] fix bug in the email address checking in the smime package to allow multiple email address subject fields, but dsisallow multiple values in a single email address field fixes a comment on #753
---
 .../lint_single_email_if_present.go | 22 ++++++----
 .../lint_single_email_if_present_test.go | 7 ++-
 .../smime/email_with_multiple_values.pem | 44 +++++++++++++++++++
 3 files changed, 63 insertions(+), 10 deletions(-)
 create mode 100644 v3/testdata/smime/email_with_multiple_values.pem
diff --git a/v3/lints/cabf_smime_br/lint_single_email_if_present.go b/v3/lints/cabf_smime_br/lint_single_email_if_present.go
index 031d3e7d2..a5373ec9d 100644
--- a/v3/lints/cabf_smime_br/lint_single_email_if_present.go
+++ b/v3/lints/cabf_smime_br/lint_single_email_if_present.go
@@ -16,6 +16,7 @@ package cabf_smime_br
 import (
 "fmt"
+ "net/mail"
 "github.com/zmap/zcrypto/x509"
 "github.com/zmap/zlint/v3/lint"
@@ -46,15 +47,18 @@ func (l *singleEmailIfPresent) CheckApplies(c *x509.Certificate) bool {
 }
 func (l *singleEmailIfPresent) Execute(c *x509.Certificate) *lint.LintResult {
- if len(c.EmailAddresses) == 1 {
- return &lint.LintResult{
- Status: lint.Pass,
- }
- } else {
- return &lint.LintResult{
- Status: lint.Error,
- Details: fmt.Sprintf("subject:emailAddress was present and contained %d names (%s)", len(c.EmailAddresses), c.EmailAddresses),
- LintMetadata: lint.LintMetadata{},
+ for _, email := range c.EmailAddresses {
+ _, err := mail.ParseAddress(email)
+ if err != nil {
+ return &lint.LintResult{
+ Status: lint.Error,
+ Details: fmt.Sprintf("subject:emailAddress was present and contained an invalid email address (%s)", email),
+ LintMetadata: lint.LintMetadata{},
+ }
 }
 }
+
+ return &lint.LintResult{
+ Status: lint.Pass,
+ }
 }
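Review bot: `mail.ParseAddress` in the new loop accepts any RFC 5322 single address, including name-addr forms such as `Alice <alice@example.com>` and parenthesised comments, so an entry carrying a display name passes even though it is not a bare mailbox; requiring the parsed address to round-trip, `addr, err := mail.ParseAddress(email)` followed by `if err != nil || addr.Address != email {`, would report anything beyond the addr-spec itself (quoted local parts would then be reported too, which is probably acceptable for this lint). The Details string formats certificate-supplied text with `%s`; `%q` keeps empty values and control characters visible in lint output. The fixture added in this PR carries its addresses in the SAN rfc822Name entries while Details still says `subject:emailAddress`, so the wording may no longer describe what is being checked — worth confirming against the lint's description. A table entry in lint_single_email_if_present_test.go exercising a name-addr form would pin whichever behaviour is intended.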
diff --git a/v3/lints/cabf_smime_br/lint_single_email_if_present_test.go b/v3/lints/cabf_smime_br/lint_single_email_if_present_test.go
index 30a288fb7..677215dbb 100644
--- a/v3/lints/cabf_smime_br/lint_single_email_if_present_test.go
+++ b/v3/lints/cabf_smime_br/lint_single_email_if_present_test.go
@@ -24,8 +24,13 @@ func TestSingleEmailIfPresent(t *testing.T) {
 ExpectedResult: lint.NA,
 },
 {
- Name: "Error - cert with multiple email addresses",
+ Name: "Pass - cert with multiple email addresses",
 InputFilename: "smime/multiple_email_present.pem",
+ ExpectedResult: lint.Pass,
+ },
+ {
+ Name: "Error - email address present with mutliple values",
+ InputFilename: "smime/email_with_multiple_values.pem",
 ExpectedResult: lint.Error,
 },
 }
diff --git a/v3/testdata/smime/email_with_multiple_values.pem b/v3/testdata/smime/email_with_multiple_values.pem
new file mode 100644
index 000000000..1b5c2a9e1
--- /dev/null
+++ b/v3/testdata/smime/email_with_multiple_values.pem
@@ -0,0 +1,44 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 3 (0x3)
+ Signature Algorithm: ecdsa-with-SHA256
+ Issuer:
+ Validity
+ Not Before: Sep 30 00:00:00 2023 GMT
+ Not After : Nov 30 00:00:00 9998 GMT
+ Subject:
+ Subject Public Key Info:
+ Public Key Algorithm: id-ecPublicKey
+ Public-Key: (256 bit)
+ pub:
+ 04:b1:40:22:c1:13:22:0c:f6:64:60:55:a0:3c:7d:
+ 3f:e5:81:49:00:bd:36:9f:ef:d6:29:c6:eb:28:e5:
+ d7:25:98:9b:f5:a5:e4:b3:95:0f:f6:af:bf:f5:b1:
+ 32:39:3c:5e:6b:bc:0e:2d:cf:ea:39:55:50:25:55:
+ 74:bd:e8:5e:f5
+ ASN1 OID: prime256v1
+ NIST CURVE: P-256
+ X509v3 extensions:
+ X509v3 Extended Key Usage:
+ E-mail Protection
+ X509v3 Subject Alternative Name:
+ email:test+1@example.com test+2@example.com, email:test+3@example.com
+ X509v3 Certificate Policies:
+ Policy: 2.23.140.1.5.1.1
+ Signature Algorithm: ecdsa-with-SHA256
+ Signature Value:
+ 30:44:02:20:0a:ad:0d:13:2f:8d:f2:ea:66:17:2d:d2:6a:63:
+ ff:4b:3f:01:0a:32:00:74:ce:cd:ea:e2:9f:0d:21:14:55:64:
+ 02:20:6c:6a:fb:1b:64:88:d8:67:fe:39:a9:e7:77:29:a6:a3:
+ 77:a5:34:8f:60:1a:85:e6:db:18:5b:e7:00:41:30:fb
+-----BEGIN CERTIFICATE-----
+MIIBYzCCAQqgAwIBAgIBAzAKBggqhkjOPQQDAjAAMCAXDTIzMDkzMDAwMDAwMFoY
+Dzk5OTgxMTMwMDAwMDAwWjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEsUAi
+wRMiDPZkYFWgPH0/5YFJAL02n+/WKcbrKOXXJZib9aXks5UP9q+/9bEyOTxea7wO
+Lc/qOVVQJVV0vehe9aNzMHEwEwYDVR0lBAwwCgYIKwYBBQUHAwQwRAYDVR0RBD0w
+O4EldGVzdCsxQGV4YW1wbGUuY29tIHRlc3QrMkBleGFtcGxlLmNvbYESdGVzdCsz
+QGV4YW1wbGUuY29tMBQGA1UdIAQNMAswCQYHZ4EMAQUBATAKBggqhkjOPQQDAgNH
+ADBEAiAKrQ0TL43y6mYXLdJqY/9LPwEKMgB0zs3q4p8NIRRVZAIgbGr7G2SI2Gf+
+Oanndymmo3elNI9gGoXm2xhb5wBBMPs=
+-----END CERTIFICATE-----
\ No newline at end of file
From 6c2608d96e9e3c7da047537b48e14e3df388e721 Mon Sep 17 00:00:00 2001
From: BJ Cardon
Date: Tue, 30 Jan 2024 11:13:50 -0700
Subject: [PATCH 2/2] fix typo
---
 v3/lints/cabf_smime_br/lint_single_email_if_present_test.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/v3/lints/cabf_smime_br/lint_single_email_if_present_test.go b/v3/lints/cabf_smime_br/lint_single_email_if_present_test.go
index 677215dbb..c81d5181a 100644
--- a/v3/lints/cabf_smime_br/lint_single_email_if_present_test.go
+++ b/v3/lints/cabf_smime_br/lint_single_email_if_present_test.go
@@ -29,7 +29,7 @@ func TestSingleEmailIfPresent(t *testing.T) {
 ExpectedResult: lint.Pass,
 },
 {
- Name: "Error - email address present with mutliple values",
+ Name: "Error - email address present with multiple values",
 InputFilename: "smime/email_with_multiple_values.pem",
 ExpectedResult: lint.Error,
 },