From 0e5e1e98d1750790baee82a097115a5a91c579f5 Mon Sep 17 00:00:00 2001 
From: Aaron Gable Date: Wed, 18 Dec 2024 11:41:12 -0800 Subject: [PATCH 1/6] Upgrade zlint v3.6.4 (#7897) This brings in several new and useful lints. It also brings in one CABF BR lint which we have to ignore in our default profile which includes the Subject Key Identifier extension: "w_ext_subject_key_identifier_not_recommended_subscriber". In our modern profile which omits several fields, we have to ignore the opposite RFC5280 lint "w_ext_subject_key_identifier_missing_sub_cert". Release notes: https://github.com/zmap/zlint/releases/tag/v3.6.4 Changelog: https://github.com/zmap/zlint/compare/v3.6.0...v3.6.4 Note that the majority of the ~400 file changes are merely copyright date changes. The corresponding production config changes tracked in IN-10466 are complete. --- cmd/cert-checker/main_test.go | 14 +- go.mod | 2 +- go.sum | 4 +- issuance/cert.go | 13 +- issuance/cert_test.go | 26 ++- issuance/issuer_test.go | 4 + test/config-next/ca.json | 5 +- test/config-next/cert-checker.json | 3 +- test/config/ca.json | 2 +- test/config/cert-checker.json | 2 +- vendor/github.com/zmap/zlint/v3/LICENSE | 2 +- vendor/github.com/zmap/zlint/v3/lint/base.go | 7 +- .../zmap/zlint/v3/lint/configuration.go | 2 +- .../zlint/v3/lint/global_configurations.go | 2 +- .../zmap/zlint/v3/lint/lint_lookup.go | 2 +- .../github.com/zmap/zlint/v3/lint/profile.go | 2 +- .../zmap/zlint/v3/lint/registration.go | 2 +- .../github.com/zmap/zlint/v3/lint/result.go | 2 +- .../github.com/zmap/zlint/v3/lint/source.go | 10 +- .../lint_ct_sct_policy_count_unsatisfied.go | 2 +- ...er_cert_valid_time_longer_than_398_days.go | 2 +- ...er_cert_valid_time_longer_than_397_days.go | 2 +- ...lint_aia_ca_issuers_must_have_http_only.go | 78 +++++++++ ...ia_must_contain_permitted_access_method.go | 113 +++++++++++++ .../lint_aia_ocsp_must_have_http_only.go | 78 +++++++++ .../cabf_br/lint_aia_unique_locations.go | 89 ++++++++++ .../cabf_br/lint_ca_common_name_missing.go | 2 +- 
.../cabf_br/lint_ca_country_name_invalid.go | 2 +- .../cabf_br/lint_ca_country_name_missing.go | 2 +- .../lints/cabf_br/lint_ca_crl_sign_not_set.go | 2 +- .../lint_ca_digital_signature_not_set.go | 2 +- .../v3/lints/cabf_br/lint_ca_invalid_eku.go | 81 +++++++++ .../zlint/v3/lints/cabf_br/lint_ca_is_ca.go | 2 +- .../cabf_br/lint_ca_key_cert_sign_not_set.go | 2 +- .../cabf_br/lint_ca_key_usage_missing.go | 2 +- .../cabf_br/lint_ca_key_usage_not_critical.go | 2 +- .../lint_ca_organization_name_missing.go | 2 +- .../lint_cab_dv_conflicts_with_locality.go | 2 +- .../cabf_br/lint_cab_dv_conflicts_with_org.go | 2 +- .../lint_cab_dv_conflicts_with_postal.go | 2 +- .../lint_cab_dv_conflicts_with_province.go | 2 +- .../lint_cab_dv_conflicts_with_street.go | 2 +- .../lint_cab_dv_subject_invalid_values.go | 77 +++++++++ .../lint_cab_iv_requires_personal_name.go | 2 +- .../lints/cabf_br/lint_cab_ov_requires_org.go | 2 +- .../lint_cabf_crl_reason_code_not_critical.go | 2 +- .../lint_cabf_crl_valid_reason_codes.go | 2 +- .../lint_cert_policy_iv_requires_country.go | 2 +- ...policy_iv_requires_province_or_locality.go | 2 +- .../lint_cert_policy_ov_requires_country.go | 2 +- ...policy_ov_requires_province_or_locality.go | 2 +- .../lint_crl_distrib_points_not_http.go | 64 ++++++++ ...nt_crlissuer_must_not_be_present_in_cdp.go | 79 +++++++++ .../lints/cabf_br/lint_dh_params_missing.go | 2 +- .../lint_dnsname_bad_character_in_label.go | 2 +- .../lint_dnsname_check_left_label_wildcard.go | 2 +- .../lint_dnsname_contains_bare_iana_suffix.go | 2 +- .../lint_dnsname_contains_empty_label.go | 2 +- ...name_contains_prohibited_reserved_label.go | 2 +- .../cabf_br/lint_dnsname_hyphen_in_sld.go | 2 +- .../cabf_br/lint_dnsname_label_too_long.go | 2 +- .../lint_dnsname_right_label_valid_tld.go | 2 +- .../cabf_br/lint_dnsname_underscore_in_sld.go | 2 +- .../cabf_br/lint_dnsname_underscore_in_trd.go | 2 +- ..._dnsname_wildcard_left_of_public_suffix.go | 2 +- 
...int_dnsname_wildcard_only_in_left_label.go | 2 +- .../lint_dsa_correct_order_in_subgroup.go | 13 +- ...nt_dsa_improper_modulus_or_divisor_size.go | 2 +- .../lint_dsa_shorter_than_2048_bits.go | 7 +- .../lint_dsa_unique_correct_representation.go | 13 +- .../cabf_br/lint_duplicate_subject_attribs.go | 99 +++++++++++ .../lints/cabf_br/lint_e_invalid_cps_uri.go | 74 +++++++++ .../cabf_br/lint_e_sub_ca_aia_missing.go | 2 +- .../lints/cabf_br/lint_ec_improper_curves.go | 2 +- .../v3/lints/cabf_br/lint_eku_critical.go | 52 ++++++ .../lint_ext_nc_intersects_reserved_ip.go | 2 +- .../lint_ext_san_contains_reserved_ip.go | 2 +- .../lint_ext_san_critical_with_subject_dn.go | 2 +- .../lint_ext_san_directory_name_present.go | 2 +- .../lint_ext_san_edi_party_name_present.go | 2 +- .../v3/lints/cabf_br/lint_ext_san_missing.go | 2 +- .../lint_ext_san_other_name_present.go | 2 +- .../lint_ext_san_registered_id_present.go | 2 +- .../lint_ext_san_rfc822_name_present.go | 2 +- ...san_uniform_resource_identifier_present.go | 2 +- ...y_identifier_not_recommended_subscriber.go | 70 ++++++++ ...ext_tor_service_descriptor_hash_invalid.go | 2 +- .../lint_extra_subject_common_names.go | 2 +- .../lint_invalid_certificate_version.go | 2 +- .../cabf_br/lint_invalid_subject_rdn_order.go | 145 ++++++++++++++++ .../lint_no_underscores_before_1_6_2.go | 2 +- ...sp_nocheck_ext_not_included_server_auth.go | 2 +- ...old_root_ca_rsa_mod_less_than_2048_bits.go | 2 +- ..._old_sub_ca_rsa_mod_less_than_1024_bits.go | 2 +- ...ld_sub_cert_rsa_mod_less_than_1024_bits.go | 2 +- ...int_organizational_unit_name_prohibited.go | 2 +- ...qualifiers_other_than_cps_not_permitted.go | 2 +- .../lints/cabf_br/lint_prohibit_dsa_usage.go | 2 +- .../lint_public_key_type_not_allowed.go | 2 +- ...aints_path_len_constraint_field_present.go | 2 +- .../lint_root_ca_contains_cert_policy.go | 2 +- ...lint_root_ca_extended_key_usage_present.go | 2 +- ...lint_root_ca_key_usage_must_be_critical.go | 2 +- 
.../cabf_br/lint_root_ca_key_usage_present.go | 2 +- ...t_rsa_mod_factors_smaller_than_752_bits.go | 2 +- .../lint_rsa_mod_less_than_2048_bits.go | 2 +- .../v3/lints/cabf_br/lint_rsa_mod_not_odd.go | 2 +- .../lint_rsa_public_exponent_not_in_range.go | 2 +- .../lint_rsa_public_exponent_not_odd.go | 2 +- .../lint_rsa_public_exponent_too_small.go | 2 +- .../lint_san_dns_name_onion_invalid.go | 2 +- .../lint_san_dns_name_onion_not_ev_cert.go | 2 +- .../lint_signature_algorithm_not_supported.go | 2 +- ..._ca_aia_does_not_contain_issuing_ca_url.go | 2 +- .../lint_sub_ca_aia_marked_critical.go | 2 +- ...ca_certificate_policies_marked_critical.go | 2 +- ...int_sub_ca_certificate_policies_missing.go | 2 +- ...istribution_points_does_not_contain_url.go | 2 +- ...crl_distribution_points_marked_critical.go | 2 +- ..._sub_ca_crl_distribution_points_missing.go | 2 +- .../lints/cabf_br/lint_sub_ca_eku_critical.go | 2 +- .../lints/cabf_br/lint_sub_ca_eku_missing.go | 2 +- .../cabf_br/lint_sub_ca_eku_valid_fields.go | 2 +- ...nt_sub_ca_name_constraints_not_critical.go | 2 +- ...nt_sub_cert_aia_contains_internal_names.go | 15 +- ...ert_aia_does_not_contain_issuing_ca_url.go | 10 +- ..._sub_cert_aia_does_not_contain_ocsp_url.go | 13 +- .../lint_sub_cert_aia_marked_critical.go | 2 +- .../cabf_br/lint_sub_cert_aia_missing.go | 2 +- ...sub_cert_basic_constraints_not_critical.go | 2 +- .../lint_sub_cert_cert_policy_empty.go | 2 +- ...rt_certificate_policies_marked_critical.go | 2 +- ...t_sub_cert_certificate_policies_missing.go | 2 +- .../lint_sub_cert_country_name_must_appear.go | 2 +- ...istribution_points_does_not_contain_url.go | 2 +- ...crl_distribution_points_marked_critical.go | 2 +- .../lints/cabf_br/lint_sub_cert_eku_check.go | 81 +++++++++ .../cabf_br/lint_sub_cert_eku_extra_values.go | 13 +- .../cabf_br/lint_sub_cert_eku_missing.go | 2 +- ...ert_eku_server_auth_client_auth_missing.go | 13 +- .../lint_sub_cert_gn_sn_contains_policy.go | 2 +- 
.../v3/lints/cabf_br/lint_sub_cert_is_ca.go | 2 +- ...nt_sub_cert_key_usage_cert_sign_bit_set.go | 2 +- ...int_sub_cert_key_usage_crl_sign_bit_set.go | 2 +- ...lint_sub_cert_locality_name_must_appear.go | 2 +- ..._sub_cert_locality_name_must_not_appear.go | 2 +- .../lint_sub_cert_or_sub_ca_using_sha1.go | 2 +- .../lint_sub_cert_postal_code_prohibited.go | 2 +- .../lint_sub_cert_province_must_appear.go | 2 +- .../lint_sub_cert_province_must_not_appear.go | 2 +- .../lint_sub_cert_sha1_expiration_too_long.go | 2 +- ...ub_cert_street_address_should_not_exist.go | 2 +- ...b_cert_valid_time_longer_than_39_months.go | 2 +- ...ub_cert_valid_time_longer_than_825_days.go | 2 +- .../cabf_br/lint_subj_orgunit_in_ca_cert.go | 69 ++++++++ .../lint_subject_common_name_included.go | 2 +- .../lint_subject_common_name_included_sc62.go | 2 +- ...ubject_common_name_not_exactly_from_san.go | 2 +- .../lint_subject_common_name_not_from_san.go | 2 +- ...lint_subject_contains_malformed_arpa_ip.go | 2 +- ...subject_contains_noninformational_value.go | 2 +- ...onal_unit_name_and_no_organization_name.go | 2 +- .../lint_subject_contains_reserved_arpa_ip.go | 2 +- .../lint_subject_contains_reserved_ip.go | 2 +- .../cabf_br/lint_subject_country_not_iso.go | 2 +- ...er_algorithm_object_identifier_encoding.go | 2 +- .../lint_subject_rdns_correct_encoding.go | 155 ++++++++++++++++++ ...t_underscore_not_permissible_in_dnsname.go | 2 +- ...sible_in_dnsname_if_valid_when_replaced.go | 2 +- ...derscore_present_with_too_long_validity.go | 2 +- .../cabf_br/lint_w_sub_ca_aia_missing.go | 2 +- .../lint_cs_crl_distribution_points.go | 62 +++++++ .../lints/cabf_cs_br/lint_cs_eku_required.go | 87 ++++++++++ .../cabf_cs_br/lint_cs_key_usage_required.go | 79 +++++++++ .../lints/cabf_cs_br/lint_cs_rsa_key_size.go | 58 +++++++ ...t_cabf_org_identifier_psd_vat_has_state.go | 57 +++++++ .../lint_ev_business_category_missing.go | 2 +- .../cabf_ev/lint_ev_country_name_missing.go | 2 +- 
.../lint_ev_invalid_business_category.go | 69 ++++++++ .../v3/lints/cabf_ev/lint_ev_not_wildcard.go | 2 +- .../lint_ev_organization_id_missing.go | 2 +- .../lint_ev_organization_name_missing.go | 2 +- ...lint_ev_orgid_inconsistent_subj_and_ext.go | 143 ++++++++++++++++ .../cabf_ev/lint_ev_san_ip_address_present.go | 2 +- .../cabf_ev/lint_ev_serial_number_missing.go | 2 +- .../cabf_ev/lint_ev_valid_time_too_long.go | 2 +- ...t_onion_subject_validity_time_too_large.go | 2 +- ...ensions_legacy_multipurpose_criticality.go | 2 +- .../lint_adobe_extensions_strict_presence.go | 2 +- .../lint_aia_contains_internal_names.go | 2 +- .../lint_authority_key_identifier.go | 85 ++++++++++ .../lint_commonname_mailbox_validated.go | 58 +++++++ .../lint_ecpublickey_key_usages.go | 2 +- .../lint_ecpublickey_other_key_usages.go | 2 +- .../lint_edwardspublickey_key_usages.go | 2 +- .../lint_key_usage_criticality.go | 2 +- .../cabf_smime_br/lint_key_usage_presence.go | 2 +- .../lint_legacy_aia_has_one_http.go | 2 +- .../lint_legal_entity_identifier.go | 83 ++++++++++ .../lint_qc_statements_not_critical.go | 55 +++++++ ...ation_scheme_id_matches_subject_country.go | 2 +- .../lint_rsa_key_usage_legacy_multipurpose.go | 2 +- .../lint_rsa_key_usage_strict.go | 2 +- .../lint_rsa_other_key_usages.go | 2 +- .../lint_san_shall_be_present.go | 2 +- .../lint_san_should_not_be_critical.go | 2 +- .../lint_single_email_if_present.go | 45 +++-- .../lint_single_email_subject_if_present.go | 60 +++++++ .../lint_strict_aia_has_http_only.go | 2 +- .../lint_subject_country_name.go | 55 +++++++ .../cabf_smime_br/lint_subject_dir_attr.go | 52 ++++++ ...ribers_crl_distribution_points_are_http.go | 77 +++++++++ ...bers_shall_have_crl_distribution_points.go | 2 +- .../cabf_smime_br/mailbox_address_from_san.go | 124 ++++++++++++++ ...ated_enforce_subject_field_restrictions.go | 2 +- .../smime_legacy_multipurpose_eku_check.go | 6 +- .../cabf_smime_br/smime_strict_eku_check.go | 2 +- 
.../lints/community/lint_ian_bare_wildcard.go | 2 +- .../lint_ian_dns_name_includes_null_char.go | 2 +- .../lint_ian_dns_name_starts_with_period.go | 2 +- .../lint_ian_iana_pub_suffix_empty.go | 2 +- .../community/lint_ian_wildcard_not_first.go | 2 +- .../lints/community/lint_is_redacted_cert.go | 2 +- .../lint_issuer_dn_leading_whitespace.go | 2 +- .../lint_issuer_dn_trailing_whitespace.go | 2 +- .../community/lint_issuer_multiple_rdn.go | 2 +- .../lints/community/lint_rsa_exp_negative.go | 2 +- .../lint_rsa_fermat_factorization.go | 2 +- .../lints/community/lint_rsa_no_public_key.go | 2 +- .../lints/community/lint_san_bare_wildcard.go | 2 +- .../community/lint_san_dns_name_duplicate.go | 2 +- .../lint_san_dns_name_includes_null_char.go | 2 +- .../lint_san_dns_name_starts_with_period.go | 2 +- .../lint_san_iana_pub_suffix_empty.go | 2 +- .../community/lint_san_wildcard_not_first.go | 2 +- .../lint_subj_country_not_uppercase.go | 62 +++++++ .../lint_subject_dn_leading_whitespace.go | 2 +- .../lint_subject_dn_trailing_whitespace.go | 2 +- .../community/lint_subject_multiple_rdn.go | 2 +- .../lint_validity_time_not_positive.go | 2 +- ...lint_qcstatem_etsi_present_qcs_critical.go | 2 +- .../etsi/lint_qcstatem_etsi_type_as_statem.go | 2 +- .../lint_qcstatem_mandatory_etsi_statems.go | 2 +- .../etsi/lint_qcstatem_qccompliance_valid.go | 2 +- .../etsi/lint_qcstatem_qclimitvalue_valid.go | 2 +- .../etsi/lint_qcstatem_qcpds_lang_case.go | 2 +- .../lints/etsi/lint_qcstatem_qcpds_valid.go | 2 +- .../lint_qcstatem_qcretentionperiod_valid.go | 2 +- .../lints/etsi/lint_qcstatem_qcsscd_valid.go | 2 +- .../lints/etsi/lint_qcstatem_qctype_valid.go | 2 +- .../v3/lints/etsi/lint_qcstatem_qctype_web.go | 2 +- .../mozilla/lint_e_prohibit_dsa_usage.go | 2 +- .../v3/lints/mozilla/lint_mp_allowed_eku.go | 2 +- ...int_mp_authority_key_identifier_correct.go | 2 +- .../lint_mp_ecdsa_pub_key_encoding_correct.go | 2 +- ...int_mp_ecdsa_signature_encoding_correct.go | 2 +- 
.../mozilla/lint_mp_exponent_cannot_be_one.go | 2 +- ...nt_mp_modulus_must_be_2048_bits_or_more.go | 2 +- .../lint_mp_modulus_must_be_divisible_by_8.go | 2 +- ...lint_mp_pss_parameters_encoding_correct.go | 2 +- .../mozilla/lint_mp_rsassa-pss_in_spki.go | 2 +- .../lint_basic_constraints_not_critical.go | 2 +- .../lints/rfc/lint_ca_subject_field_empty.go | 2 +- .../lint_cert_contains_unique_identifier.go | 2 +- .../v3/lints/rfc/lint_cert_ext_invalid_der.go | 119 ++++++++++++++ .../rfc/lint_cert_extensions_version_not_3.go | 2 +- ...rt_unique_identifier_version_not_2_or_3.go | 2 +- .../lint_crl_empty_revoked_certificates.go | 101 ++++++++++++ .../v3/lints/rfc/lint_crl_has_next_update.go | 2 +- .../lints/rfc/lint_crl_missing_crl_number.go | 62 +++++++ ...nt_crl_revoked_certificates_field_empty.go | 114 +++++++++++++ .../lints/rfc/lint_crl_valid_reason_codes.go | 2 +- .../rfc/lint_distribution_point_incomplete.go | 2 +- ..._distribution_point_missing_ldap_or_uri.go | 2 +- .../rfc/lint_dnsname_contains_empty_label.go | 2 +- .../lints/rfc/lint_dnsname_hyphen_in_sld.go | 2 +- .../lints/rfc/lint_dnsname_label_too_long.go | 2 +- .../rfc/lint_dnsname_underscore_in_sld.go | 2 +- .../rfc/lint_dnsname_underscore_in_trd.go | 2 +- .../v3/lints/rfc/lint_ecdsa_allowed_ku.go | 2 +- .../v3/lints/rfc/lint_ecdsa_ee_invalid_ku.go | 2 +- .../lints/rfc/lint_eku_critical_improperly.go | 2 +- .../zlint/v3/lints/rfc/lint_empty_sct_list.go | 99 +++++++++++ .../lint_ext_aia_access_location_missing.go | 2 +- .../lints/rfc/lint_ext_aia_marked_critical.go | 2 +- ...t_ext_authority_key_identifier_critical.go | 2 +- ...hority_key_identifier_no_key_identifier.go | 2 +- ...lint_ext_cert_policy_contains_noticeref.go | 2 +- ..._policy_disallowed_any_policy_qualifier.go | 2 +- .../rfc/lint_ext_cert_policy_duplicate.go | 2 +- ...xt_cert_policy_explicit_text_ia5_string.go | 2 +- ...t_policy_explicit_text_includes_control.go | 2 +- ...t_ext_cert_policy_explicit_text_not_nfc.go | 2 +- 
..._ext_cert_policy_explicit_text_not_utf8.go | 2 +- ..._ext_cert_policy_explicit_text_too_long.go | 2 +- ...nt_ext_crl_distribution_marked_critical.go | 2 +- .../lints/rfc/lint_ext_duplicate_extension.go | 2 +- .../lint_ext_freshest_crl_marked_critical.go | 2 +- .../v3/lints/rfc/lint_ext_ian_critical.go | 2 +- .../rfc/lint_ext_ian_dns_not_ia5_string.go | 2 +- .../v3/lints/rfc/lint_ext_ian_empty_name.go | 2 +- .../v3/lints/rfc/lint_ext_ian_no_entries.go | 2 +- .../rfc/lint_ext_ian_rfc822_format_invalid.go | 2 +- .../lints/rfc/lint_ext_ian_space_dns_name.go | 2 +- .../rfc/lint_ext_ian_uri_format_invalid.go | 2 +- .../lint_ext_ian_uri_host_not_fqdn_or_ip.go | 2 +- .../v3/lints/rfc/lint_ext_ian_uri_not_ia5.go | 2 +- .../v3/lints/rfc/lint_ext_ian_uri_relative.go | 2 +- ...lint_ext_key_usage_cert_sign_without_ca.go | 2 +- .../rfc/lint_ext_key_usage_not_critical.go | 2 +- .../rfc/lint_ext_key_usage_without_bits.go | 2 +- .../lint_ext_name_constraints_not_critical.go | 2 +- .../lint_ext_name_constraints_not_in_ca.go | 2 +- .../rfc/lint_ext_policy_constraints_empty.go | 2 +- ...int_ext_policy_constraints_not_critical.go | 2 +- .../rfc/lint_ext_policy_map_any_policy.go | 2 +- .../rfc/lint_ext_policy_map_not_critical.go | 2 +- .../lint_ext_policy_map_not_in_cert_policy.go | 2 +- .../rfc/lint_ext_san_dns_name_too_long.go | 2 +- .../rfc/lint_ext_san_dns_not_ia5_string.go | 2 +- .../v3/lints/rfc/lint_ext_san_empty_name.go | 2 +- .../v3/lints/rfc/lint_ext_san_no_entries.go | 2 +- ...nt_ext_san_not_critical_without_subject.go | 2 +- .../rfc/lint_ext_san_rfc822_format_invalid.go | 2 +- .../lints/rfc/lint_ext_san_space_dns_name.go | 2 +- .../rfc/lint_ext_san_uri_format_invalid.go | 2 +- .../lint_ext_san_uri_host_not_fqdn_or_ip.go | 2 +- .../v3/lints/rfc/lint_ext_san_uri_not_ia5.go | 2 +- .../v3/lints/rfc/lint_ext_san_uri_relative.go | 2 +- ...int_ext_subject_directory_attr_critical.go | 2 +- ...int_ext_subject_key_identifier_critical.go | 2 +- 
...t_ext_subject_key_identifier_missing_ca.go | 2 +- ...subject_key_identifier_missing_sub_cert.go | 2 +- ...neralized_time_does_not_include_seconds.go | 2 +- ...eralized_time_includes_fraction_seconds.go | 2 +- .../rfc/lint_generalized_time_not_in_zulu.go | 2 +- .../rfc/lint_idn_dnsname_malformed_unicode.go | 2 +- .../lints/rfc/lint_idn_dnsname_must_be_nfc.go | 2 +- .../lints/rfc/lint_incorrect_ku_encoding.go | 2 +- .../lint_inhibit_any_policy_not_critical.go | 2 +- ..._issuer_dn_country_not_printable_string.go | 2 +- .../v3/lints/rfc/lint_issuer_field_empty.go | 2 +- ...age_and_extended_key_usage_inconsistent.go | 2 +- .../rfc/lint_key_usage_incorrect_length.go | 2 +- .../lints/rfc/lint_name_constraint_empty.go | 2 +- ...lint_name_constraint_maximum_not_absent.go | 2 +- .../lint_name_constraint_minimum_non_zero.go | 2 +- .../rfc/lint_name_constraint_not_fqdn.go | 2 +- .../lint_name_constraint_on_edi_party_name.go | 2 +- .../lint_name_constraint_on_registered_id.go | 2 +- .../lints/rfc/lint_name_constraint_on_x400.go | 2 +- ...path_len_constraint_improperly_included.go | 2 +- .../lint_path_len_constraint_zero_or_less.go | 2 +- .../lints/rfc/lint_precert_with_sct_list.go | 59 +++++++ .../v3/lints/rfc/lint_rsa_allowed_ku_ca.go | 2 +- .../v3/lints/rfc/lint_rsa_allowed_ku_ee.go | 2 +- .../lint_rsa_allowed_ku_no_encipherment_ca.go | 2 +- ...int_serial_number_longer_than_20_octets.go | 2 +- .../rfc/lint_serial_number_not_positive.go | 2 +- ..._spki_rsa_encryption_parameter_not_null.go | 2 +- .../lint_subject_common_name_max_length.go | 2 +- ...subject_dn_country_not_printable_string.go | 2 +- ...int_subject_dn_not_printable_characters.go | 2 +- ...int_subject_dn_serial_number_max_length.go | 2 +- ...t_dn_serial_number_not_printable_string.go | 2 +- .../rfc/lint_subject_email_max_length.go | 2 +- .../rfc/lint_subject_empty_without_san.go | 2 +- .../rfc/lint_subject_given_name_max_length.go | 2 +- ...bject_given_name_recommended_max_length.go | 2 +- 
...int_subject_info_access_marked_critical.go | 2 +- .../lint_subject_locality_name_max_length.go | 2 +- .../zlint/v3/lints/rfc/lint_subject_not_dn.go | 2 +- ...nt_subject_organization_name_max_length.go | 2 +- ...ect_organizational_unit_name_max_length.go | 2 +- .../lint_subject_postal_code_max_length.go | 2 +- .../lint_subject_printable_string_badalpha.go | 2 +- .../rfc/lint_subject_state_name_max_length.go | 2 +- .../lint_subject_street_address_max_length.go | 2 +- .../rfc/lint_subject_surname_max_length.go | 2 +- ..._subject_surname_recommended_max_length.go | 2 +- .../lints/rfc/lint_superfluous_ku_encoding.go | 2 +- ...ignature_alg_matches_cert_signature_alg.go | 2 +- ...ature_rsa_encryption_parameter_not_null.go | 2 +- .../lint_utc_time_does_not_include_seconds.go | 2 +- .../v3/lints/rfc/lint_utc_time_not_in_zulu.go | 2 +- .../rfc/lint_wrong_time_format_pre2050.go | 2 +- vendor/github.com/zmap/zlint/v3/newLint.sh | 123 ++++++++++---- .../github.com/zmap/zlint/v3/profileTemplate | 2 +- vendor/github.com/zmap/zlint/v3/resultset.go | 2 +- vendor/github.com/zmap/zlint/v3/template | 2 +- vendor/github.com/zmap/zlint/v3/test_template | 31 ++++ vendor/github.com/zmap/zlint/v3/util/ca.go | 31 ++-- .../zmap/zlint/v3/util/countries.go | 2 +- vendor/github.com/zmap/zlint/v3/util/cs.go | 18 ++ .../zmap/zlint/v3/util/encodings.go | 2 +- vendor/github.com/zmap/zlint/v3/util/ev.go | 2 +- vendor/github.com/zmap/zlint/v3/util/fqdn.go | 2 +- vendor/github.com/zmap/zlint/v3/util/gtld.go | 2 +- .../github.com/zmap/zlint/v3/util/gtld_map.go | 20 +-- vendor/github.com/zmap/zlint/v3/util/idna.go | 2 +- vendor/github.com/zmap/zlint/v3/util/ip.go | 2 +- vendor/github.com/zmap/zlint/v3/util/names.go | 2 +- vendor/github.com/zmap/zlint/v3/util/oid.go | 78 +++++---- .../github.com/zmap/zlint/v3/util/primes.go | 2 +- .../github.com/zmap/zlint/v3/util/qc_stmt.go | 2 +- vendor/github.com/zmap/zlint/v3/util/rdn.go | 2 +- vendor/github.com/zmap/zlint/v3/util/san.go | 13 +- 
.../zmap/zlint/v3/util/smime_policies.go | 28 +++- vendor/github.com/zmap/zlint/v3/util/time.go | 8 +- vendor/github.com/zmap/zlint/v3/zlint.go | 3 +- vendor/modules.txt | 3 +- 411 files changed, 3953 insertions(+), 545 deletions(-) create mode 100644 vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_aia_ca_issuers_must_have_http_only.go create mode 100644 vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_aia_must_contain_permitted_access_method.go create mode 100644 vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_aia_ocsp_must_have_http_only.go create mode 100644 vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_aia_unique_locations.go create mode 100644 vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_invalid_eku.go create mode 100644 vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cab_dv_subject_invalid_values.go create mode 100644 vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_crl_distrib_points_not_http.go create mode 100644 vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_crlissuer_must_not_be_present_in_cdp.go create mode 100644 vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_duplicate_subject_attribs.go create mode 100644 vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_e_invalid_cps_uri.go create mode 100644 vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_eku_critical.go create mode 100644 vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_subject_key_identifier_not_recommended_subscriber.go create mode 100644 vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_invalid_subject_rdn_order.go create mode 100644 vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_eku_check.go create mode 100644 vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subj_orgunit_in_ca_cert.go create mode 100644 vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_rdns_correct_encoding.go create mode 100644 vendor/github.com/zmap/zlint/v3/lints/cabf_cs_br/lint_cs_crl_distribution_points.go create mode 100644 
vendor/github.com/zmap/zlint/v3/lints/cabf_cs_br/lint_cs_eku_required.go create mode 100644 vendor/github.com/zmap/zlint/v3/lints/cabf_cs_br/lint_cs_key_usage_required.go create mode 100644 vendor/github.com/zmap/zlint/v3/lints/cabf_cs_br/lint_cs_rsa_key_size.go create mode 100644 vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_cabf_org_identifier_psd_vat_has_state.go create mode 100644 vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_ev_invalid_business_category.go create mode 100644 vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_ev_orgid_inconsistent_subj_and_ext.go create mode 100644 vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_authority_key_identifier.go create mode 100644 vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_commonname_mailbox_validated.go create mode 100644 vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_legal_entity_identifier.go create mode 100644 vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_qc_statements_not_critical.go create mode 100644 vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_single_email_subject_if_present.go create mode 100644 vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_subject_country_name.go create mode 100644 vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_subject_dir_attr.go create mode 100644 vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_subscribers_crl_distribution_points_are_http.go create mode 100644 vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/mailbox_address_from_san.go create mode 100644 vendor/github.com/zmap/zlint/v3/lints/community/lint_subj_country_not_uppercase.go create mode 100644 vendor/github.com/zmap/zlint/v3/lints/rfc/lint_cert_ext_invalid_der.go create mode 100644 vendor/github.com/zmap/zlint/v3/lints/rfc/lint_crl_empty_revoked_certificates.go create mode 100644 vendor/github.com/zmap/zlint/v3/lints/rfc/lint_crl_missing_crl_number.go create mode 100644 
vendor/github.com/zmap/zlint/v3/lints/rfc/lint_crl_revoked_certificates_field_empty.go create mode 100644 vendor/github.com/zmap/zlint/v3/lints/rfc/lint_empty_sct_list.go create mode 100644 vendor/github.com/zmap/zlint/v3/lints/rfc/lint_precert_with_sct_list.go create mode 100644 vendor/github.com/zmap/zlint/v3/test_template create mode 100644 vendor/github.com/zmap/zlint/v3/util/cs.go diff --git a/cmd/cert-checker/main_test.go b/cmd/cert-checker/main_test.go index 1dc56093654..137b05767e2 100644 --- a/cmd/cert-checker/main_test.go +++ b/cmd/cert-checker/main_test.go @@ -631,11 +631,11 @@ func TestIgnoredLint(t *testing.T) { Expires: subjectCert.NotAfter, } - // Without any ignored lints we expect one error level result due to the - // missing OCSP url in the template. + // Without any ignored lints we expect several errors and warnings about SCTs, + // the common name, and the subject key identifier extension. expectedProblems := []string{ - "zlint error: e_sub_cert_aia_does_not_contain_ocsp_url", "zlint warn: w_subject_common_name_included", + "zlint warn: w_ext_subject_key_identifier_not_recommended_subscriber", "zlint info: w_ct_sct_policy_count_unsatisfied Certificate had 0 embedded SCTs. Browser policy may require 2 for this certificate.", "zlint error: e_scts_from_same_operator Certificate had too few embedded SCTs; browser policy requires 2.", } 
@@ -650,10 +650,10 @@ func TestIgnoredLint(t *testing.T) {
 // Check the certificate again with an ignore map that excludes the affected
 // lints. This should return no problems.
 _, problems = checker.checkCert(context.Background(), cert, map[string]bool{
- "e_sub_cert_aia_does_not_contain_ocsp_url": true,
- "w_subject_common_name_included": true,
- "w_ct_sct_policy_count_unsatisfied": true,
- "e_scts_from_same_operator": true,
+ "w_subject_common_name_included": true,
+ "w_ext_subject_key_identifier_not_recommended_subscriber": true,
+ "w_ct_sct_policy_count_unsatisfied": true,
+ "e_scts_from_same_operator": true,
 })
 test.AssertEquals(t, len(problems), 0)
 }
diff --git a/go.mod b/go.mod
index 1352f46b109..7fe20a612fd 100644
--- a/go.mod
+++ b/go.mod
@@ -29,7 +29,7 @@ require (
 github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399
 github.com/weppos/publicsuffix-go v0.40.3-0.20240815124645-a8ed110559c9
 github.com/zmap/zcrypto v0.0.0-20231219022726-a1f61fb1661c
- github.com/zmap/zlint/v3 v3.6.0
+ github.com/zmap/zlint/v3 v3.6.4
 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.55.0
 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.55.0
 go.opentelemetry.io/otel v1.30.0
diff --git a/go.sum b/go.sum
index 390afaf5d88..fbe821ed7ff 100644
--- a/go.sum
+++ b/go.sum
@@ -267,8 +267,8 @@ github.com/zmap/zcrypto v0.0.0-20201211161100-e54a5822fb7e/go.mod h1:aPM7r+JOkfL github.com/zmap/zcrypto v0.0.0-20231219022726-a1f61fb1661c h1:U1b4THKcgOpJ+kILupuznNwPiURtwVW3e9alJvji9+s= github.com/zmap/zcrypto v0.0.0-20231219022726-a1f61fb1661c/go.mod h1:GSDpFDD4TASObxvfZfvpZZ3OWHIUHMlhVWlkOe4ewVk= github.com/zmap/zlint/v3 v3.0.0/go.mod h1:paGwFySdHIBEMJ61YjoqT4h7Ge+fdYG4sUQhnTb1lJ8= -github.com/zmap/zlint/v3 v3.6.0 h1:vTEaDRtYN0d/1Ax60T+ypvbLQUHwHxbvYRnUMVr35ug= -github.com/zmap/zlint/v3 v3.6.0/go.mod h1:NVgiIWssgzp0bNl8P4Gz94NHV2ep/4Jyj9V69uTmZyg= +github.com/zmap/zlint/v3 v3.6.4 h1:r2kHfRF7mIsxW0IH4Og2iZnrlpCLTZBFjnXy1x/ZnZI= +github.com/zmap/zlint/v3 v3.6.4/go.mod h1:KQLVUquVaO5YJDl5a4k/7RPIbIW2v66+sRoBPNZusI8= go.etcd.io/bbolt v1.3.2/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU= go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.55.0 h1:hCq2hNMwsegUvPzI7sPOvtO9cqyy5GbWt/Ybp2xrx8Q= go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.55.0/go.mod h1:LqaApwGx/oUmzsbqxkzuBvyoPpkxk3JQWnqfVrJ3wCA= diff --git a/issuance/cert.go b/issuance/cert.go index 884ece7c4df..0c97b1b84c5 100644 --- a/issuance/cert.go +++ b/issuance/cert.go 
@@ -105,18 +105,7 @@ func NewProfile(profileConfig *ProfileConfig) (*Profile, error) { return nil, fmt.Errorf("validity period %q is too large", profileConfig.MaxValidityPeriod.Duration) } - // TODO(#7756): These lint names don't yet exist in our current zlint v3.6.0 but exist in v3.6.2. - // In order to upgrade without throwing errors, we need to add these to our ignored lints. - // However, v3.6.0 will error if it sees ignored lints it doesn't recognize. Solution: filter - // out these specific lints. As part of the PR that updates to v3.6.2, we will remove this code. - var ignoredLints []string - for _, lintName := range profileConfig.IgnoredLints { - if lintName != "e_cab_dv_subject_invalid_values" && lintName != "w_ext_subject_key_identifier_not_recommended_subscriber" { - ignoredLints = append(ignoredLints, lintName) - } - } - - lints, err := linter.NewRegistry(ignoredLints) + lints, err := linter.NewRegistry(profileConfig.IgnoredLints) cmd.FailOnError(err, "Failed to create zlint registry") if profileConfig.LintConfig != "" { lintconfig, err := lint.NewConfigFromFile(profileConfig.LintConfig) diff --git a/issuance/cert_test.go b/issuance/cert_test.go index 108ae76b3b6..80f8c5d4674 100644 --- a/issuance/cert_test.go +++ b/issuance/cert_test.go @@ -387,11 +387,7 @@ func TestIssueCommonName(t *testing.T) { fc.Set(time.Now()) prof := defaultProfileConfig() - prof.IgnoredLints = []string{ - "w_subject_common_name_included", - "w_ct_sct_policy_count_unsatisfied", - "e_scts_from_same_operator", - } + prof.IgnoredLints = append(prof.IgnoredLints, "w_subject_common_name_included") cnProfile, err := NewProfile(prof) test.AssertNotError(t, err, "NewProfile failed") signer, err := newIssuer(defaultIssuerConfig(), issuerCert, issuerSigner, fc) 
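Review bot: A failure from `linter.NewRegistry` in the issuance/cert.go hunk is handed to `cmd.FailOnError` on the unchanged line after the new call instead of being returned, although NewProfile is declared as `(*Profile, error)` and the validity-period check just above returns its error. With the filter removed, every name in `profileConfig.IgnoredLints` reaches the registry, and the deleted TODO notes that zlint errors on ignored lint names it does not recognise (stated there for v3.6.0; presumably still true), so a stale or misspelled entry in a profile config ends up on this path. Refusing to build a profile with a bad lint configuration is the right fail-closed outcome for a CA, but returning it, e.g. `if err != nil { return nil, fmt.Errorf("creating zlint registry: %w", err) }`, keeps that decision with the caller and keeps the function testable; cmd.FailOnError presumably terminates the process, which is worth confirming. NewProfile's body starts and ends outside the hunk.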
@@ -450,9 +446,12 @@ func TestIssueOmissions(t *testing.T) { pc.OmitClientAuth = true pc.OmitSKID = true pc.IgnoredLints = []string{ - "w_ext_subject_key_identifier_missing_sub_cert", + // Reduce the lint ignores to just the minimal (SCT-related) set. "w_ct_sct_policy_count_unsatisfied", "e_scts_from_same_operator", + // Ignore the warning about *not* including the SubjectKeyIdentifier extension: + // zlint has both lints (one enforcing RFC5280, the other the BRs). + "w_ext_subject_key_identifier_missing_sub_cert", } prof, err := NewProfile(pc) test.AssertNotError(t, err, "building test profile") @@ -529,7 +528,10 @@ func TestIssueSCTList(t *testing.T) { test.AssertNotError(t, err, "failed to load log list") pc := defaultProfileConfig() - pc.IgnoredLints = []string{} + pc.IgnoredLints = []string{ + // Only ignore the SKID lint, i.e., don't ignore the "missing SCT" lints. + "w_ext_subject_key_identifier_not_recommended_subscriber", + } enforceSCTsProfile, err := NewProfile(pc) test.AssertNotError(t, err, "NewProfile failed") signer, err := newIssuer(defaultIssuerConfig(), issuerCert, issuerSigner, fc) @@ -754,11 +756,7 @@ func TestMismatchedProfiles(t *testing.T) { test.AssertNotError(t, err, "NewIssuer failed") pc := defaultProfileConfig() - pc.IgnoredLints = []string{ - "w_subject_common_name_included", - "w_ct_sct_policy_count_unsatisfied", - "e_scts_from_same_operator", - } + pc.IgnoredLints = append(pc.IgnoredLints, "w_subject_common_name_included") cnProfile, err := NewProfile(pc) test.AssertNotError(t, err, "NewProfile failed") @@ -782,10 +780,6 @@ func TestMismatchedProfiles(t *testing.T) { // Create a new profile that differs slightly (no common name) pc = defaultProfileConfig() pc.AllowCommonName = false - pc.IgnoredLints = []string{ - "w_ct_sct_policy_count_unsatisfied", - "e_scts_from_same_operator", - } test.AssertNotError(t, err, "building test lint registry") noCNProfile, err := NewProfile(pc) test.AssertNotError(t, err, "NewProfile failed") 
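Review bot: In the last issuance/cert_test.go hunk (`@@ -782,10 +780,6 @@`, inside `TestMismatchedProfiles`), the context line `test.AssertNotError(t, err, "building test lint registry")` is left checking an `err` that nothing in this block assigns. After the change it directly follows `pc.AllowCommonName = false`, so it can only re-test an error from an earlier statement outside the hunk, and its message names a registry that is not built here. I would delete that line and rely on the existing `test.AssertNotError(t, err, "NewProfile failed")` that follows `NewProfile(pc)`. The test function begins before and continues after the hunk.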
diff --git a/issuance/issuer_test.go b/issuance/issuer_test.go index 7d1b39a4be4..39e409fa059 100644 --- a/issuance/issuer_test.go +++ b/issuance/issuer_test.go @@ -28,8 +28,12 @@ func defaultProfileConfig() *ProfileConfig { MaxValidityPeriod: config.Duration{Duration: time.Hour}, MaxValidityBackdate: config.Duration{Duration: time.Hour}, IgnoredLints: []string{ + // Ignore the two SCT lints because these tests don't get SCTs. "w_ct_sct_policy_count_unsatisfied", "e_scts_from_same_operator", + // Ignore the warning about including the SubjectKeyIdentifier extension: + // we include it on purpose, but plan to remove it soon. + "w_ext_subject_key_identifier_not_recommended_subscriber", }, } } diff --git a/test/config-next/ca.json b/test/config-next/ca.json index 942bbb386db..37f69f6bbd7 100644 --- a/test/config-next/ca.json +++ b/test/config-next/ca.json @@ -51,7 +51,7 @@ "lintConfig": "test/config-next/zlint.toml", "ignoredLints": [ "w_subject_common_name_included", - "w_sub_cert_aia_contains_internal_names" + "w_ext_subject_key_identifier_not_recommended_subscriber" ] }, "modern": { @@ -64,8 +64,7 @@ "maxValidityBackdate": "1h5m", "lintConfig": "test/config-next/zlint.toml", "ignoredLints": [ - "w_ext_subject_key_identifier_missing_sub_cert", - "w_sub_cert_aia_contains_internal_names" + "w_ext_subject_key_identifier_missing_sub_cert" ] } }, diff --git a/test/config-next/cert-checker.json b/test/config-next/cert-checker.json index 2f9844d4f60..a4b760e202a 100644 --- a/test/config-next/cert-checker.json +++ b/test/config-next/cert-checker.json @@ -14,7 +14,8 @@ ], "ignoredLints": [ "w_subject_common_name_included", - "w_sub_cert_aia_contains_internal_names" + "w_ext_subject_key_identifier_missing_sub_cert", + "w_ext_subject_key_identifier_not_recommended_subscriber" ], "ctLogListFile": "test/ct-test-srv/log_list.json", "features": { diff --git a/test/config/ca.json b/test/config/ca.json index d023ad101d0..809d626ac34 100644 --- a/test/config/ca.json 
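Review bot: In test/config-next/cert-checker.json the `ignoredLints` list now carries both `w_ext_subject_key_identifier_missing_sub_cert` and `w_ext_subject_key_identifier_not_recommended_subscriber`, whereas each profile in test/config-next/ca.json ignores only one of them. If cert-checker applies this single list to certificates from every profile, it would accept a certificate with or without a Subject Key Identifier regardless of which profile issued it, so the after-the-fact check is looser than the pre-issuance lint for either profile. JSON leaves no place for an inline comment, so the reason for ignoring both belongs in the tracking issue, together with a follow-up to drop `w_ext_subject_key_identifier_not_recommended_subscriber` once the default profile stops including the extension.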
+++ b/test/config/ca.json @@ -128,7 +128,7 @@ "lintConfig": "test/config/zlint.toml", "ignoredLints": [ "w_subject_common_name_included", - "w_sub_cert_aia_contains_internal_names" + "w_ext_subject_key_identifier_not_recommended_subscriber" ] }, "expiry": "7776000s", diff --git a/test/config/cert-checker.json b/test/config/cert-checker.json index eb3d73cabb4..83ecca4f3b0 100644 --- a/test/config/cert-checker.json +++ b/test/config/cert-checker.json @@ -17,7 +17,7 @@ ], "ignoredLints": [ "w_subject_common_name_included", - "w_sub_cert_aia_contains_internal_names" + "w_ext_subject_key_identifier_not_recommended_subscriber" ] }, "pa": { diff --git a/vendor/github.com/zmap/zlint/v3/LICENSE b/vendor/github.com/zmap/zlint/v3/LICENSE index b209ae0fca7..19a9b8a000c 100644 --- a/vendor/github.com/zmap/zlint/v3/LICENSE +++ b/vendor/github.com/zmap/zlint/v3/LICENSE @@ -187,7 +187,7 @@ same "printed page" as the copyright notice for easier identification within third-party archives. - Copyright 2020 Regents of the University of Michigan + Copyright 2024 Regents of the University of Michigan Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. diff --git a/vendor/github.com/zmap/zlint/v3/lint/base.go b/vendor/github.com/zmap/zlint/v3/lint/base.go index 9753d9bea46..e572b27a55a 100644 --- a/vendor/github.com/zmap/zlint/v3/lint/base.go +++ b/vendor/github.com/zmap/zlint/v3/lint/base.go @@ -1,7 +1,7 @@ package lint /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy 
@@ -221,7 +221,10 @@ func (l *CertificateLint) Execute(cert *x509.Certificate, config Configuration) if l.Source == CABFBaselineRequirements && !util.IsServerAuthCert(cert) { return &LintResult{Status: NA} } - if l.Source == CABFSMIMEBaselineRequirements && !((util.IsEmailProtectionCert(cert) && util.HasEmailSAN(cert)) || util.IsSMIMEBRCertificate(cert)) { + if l.Source == CABFSMIMEBaselineRequirements && !util.IsEmailProtectionCert(cert) { + return &LintResult{Status: NA} + } + if l.Source == CABFCSBaselineRequirements && !util.IsCodeSigning(cert.PolicyIdentifiers) { return &LintResult{Status: NA} } lint := l.Lint() diff --git a/vendor/github.com/zmap/zlint/v3/lint/configuration.go b/vendor/github.com/zmap/zlint/v3/lint/configuration.go index 0ace959be53..9c60a97cbd3 100644 --- a/vendor/github.com/zmap/zlint/v3/lint/configuration.go +++ b/vendor/github.com/zmap/zlint/v3/lint/configuration.go @@ -1,5 +1,5 @@ /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lint/global_configurations.go b/vendor/github.com/zmap/zlint/v3/lint/global_configurations.go index 0438fab334c..4d77584415f 100644 --- a/vendor/github.com/zmap/zlint/v3/lint/global_configurations.go +++ b/vendor/github.com/zmap/zlint/v3/lint/global_configurations.go @@ -1,5 +1,5 @@ /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lint/lint_lookup.go b/vendor/github.com/zmap/zlint/v3/lint/lint_lookup.go index 91d723606e2..273aaec9c94 100644 
--- a/vendor/github.com/zmap/zlint/v3/lint/lint_lookup.go +++ b/vendor/github.com/zmap/zlint/v3/lint/lint_lookup.go @@ -1,5 +1,5 @@ /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lint/profile.go b/vendor/github.com/zmap/zlint/v3/lint/profile.go index d94c94c0333..20050b96430 100644 --- a/vendor/github.com/zmap/zlint/v3/lint/profile.go +++ b/vendor/github.com/zmap/zlint/v3/lint/profile.go @@ -1,5 +1,5 @@ /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lint/registration.go b/vendor/github.com/zmap/zlint/v3/lint/registration.go index 9e77ebf8c7b..d380b22180a 100644 --- a/vendor/github.com/zmap/zlint/v3/lint/registration.go +++ b/vendor/github.com/zmap/zlint/v3/lint/registration.go @@ -1,5 +1,5 @@ /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lint/result.go b/vendor/github.com/zmap/zlint/v3/lint/result.go index fe2a89d5c7f..5839fb0d3ab 100644 --- a/vendor/github.com/zmap/zlint/v3/lint/result.go +++ b/vendor/github.com/zmap/zlint/v3/lint/result.go 
@@ -1,7 +1,7 @@ package lint /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lint/source.go b/vendor/github.com/zmap/zlint/v3/lint/source.go index e0b19d94153..3cd0c3033d6 100644 --- a/vendor/github.com/zmap/zlint/v3/lint/source.go +++ b/vendor/github.com/zmap/zlint/v3/lint/source.go @@ -7,7 +7,7 @@ import ( ) /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy @@ -32,8 +32,10 @@ const ( RFC5280 LintSource = "RFC5280" RFC5480 LintSource = "RFC5480" RFC5891 LintSource = "RFC5891" + RFC6962 LintSource = "RFC6962" RFC8813 LintSource = "RFC8813" CABFBaselineRequirements LintSource = "CABF_BR" + CABFCSBaselineRequirements LintSource = "CABF_CS_BR" CABFSMIMEBaselineRequirements LintSource = "CABF_SMIME_BR" CABFEVGuidelines LintSource = "CABF_EV" MozillaRootStorePolicy LintSource = "Mozilla" @@ -51,7 +53,7 @@ func (s *LintSource) UnmarshalJSON(data []byte) error { } switch LintSource(throwAway) { - case RFC5280, RFC5480, RFC5891, CABFBaselineRequirements, CABFEVGuidelines, CABFSMIMEBaselineRequirements, MozillaRootStorePolicy, AppleRootStorePolicy, Community, EtsiEsi: + case RFC8813, RFC5280, RFC5480, RFC5891, CABFBaselineRequirements, CABFEVGuidelines, CABFSMIMEBaselineRequirements, MozillaRootStorePolicy, AppleRootStorePolicy, Community, EtsiEsi, RFC6962: *s = LintSource(throwAway) return nil default: 
@@ -75,6 +77,8 @@ func (s *LintSource) FromString(src string) { *s = RFC5480 case RFC5891: *s = RFC5891 + case RFC8813: + *s = RFC8813 case CABFBaselineRequirements: *s = CABFBaselineRequirements case CABFEVGuidelines: @@ -87,6 +91,8 @@ func (s *LintSource) FromString(src string) { *s = AppleRootStorePolicy case Community: *s = Community + case RFC6962: + *s = RFC6962 case EtsiEsi: *s = EtsiEsi } diff --git a/vendor/github.com/zmap/zlint/v3/lints/apple/lint_ct_sct_policy_count_unsatisfied.go b/vendor/github.com/zmap/zlint/v3/lints/apple/lint_ct_sct_policy_count_unsatisfied.go index 0849f22bd41..eba5da4a9c1 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/apple/lint_ct_sct_policy_count_unsatisfied.go +++ b/vendor/github.com/zmap/zlint/v3/lints/apple/lint_ct_sct_policy_count_unsatisfied.go @@ -1,5 +1,5 @@ /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/apple/lint_e_server_cert_valid_time_longer_than_398_days.go b/vendor/github.com/zmap/zlint/v3/lints/apple/lint_e_server_cert_valid_time_longer_than_398_days.go index 307b6f15382..f67985de95d 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/apple/lint_e_server_cert_valid_time_longer_than_398_days.go +++ b/vendor/github.com/zmap/zlint/v3/lints/apple/lint_e_server_cert_valid_time_longer_than_398_days.go @@ -1,5 +1,5 @@ /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/apple/lint_w_server_cert_valid_time_longer_than_397_days.go b/vendor/github.com/zmap/zlint/v3/lints/apple/lint_w_server_cert_valid_time_longer_than_397_days.go index eb0a22c8c7e..d1d6daa4b7c 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/apple/lint_w_server_cert_valid_time_longer_than_397_days.go +++ b/vendor/github.com/zmap/zlint/v3/lints/apple/lint_w_server_cert_valid_time_longer_than_397_days.go @@ -1,5 +1,5 @@ /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_aia_ca_issuers_must_have_http_only.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_aia_ca_issuers_must_have_http_only.go new file mode 100644 index 00000000000..08bd9d23317 --- /dev/null +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_aia_ca_issuers_must_have_http_only.go 
@@ -0,0 +1,78 @@ +package cabf_br + +/* + * ZLint Copyright 2024 Regents of the University of Michigan + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may not + * use this file except in compliance with the License. You may obtain a copy + * of the License at http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + * implied. See the License for the specific language governing + * permissions and limitations under the License. + */ + +import ( + "fmt" + "net/url" + + "github.com/zmap/zcrypto/x509" + "github.com/zmap/zlint/v3/lint" + "github.com/zmap/zlint/v3/util" +) + +type bRAIACAIssuersHasHTTPOnly struct{} + +/************************************************************************ +7.1.2.7.7 Subscriber Certificate Authority Information Access +The AuthorityInfoAccessSyntax MUST contain one or more AccessDescriptions. Each +AccessDescription MUST only contain a permitted accessMethod, as detailed below, and +each accessLocation MUST be encoded as the specified GeneralName type. +The AuthorityInfoAccessSyntax MAY contain multiple AccessDescriptions with the +same accessMethod, if permitted for that accessMethod. When multiple +AccessDescriptions are present with the same accessMethod, each accessLocation +MUST be unique, and each AccessDescription MUST be ordered in priority for that +accessMethod, with the most‐preferred accessLocation being the first +AccessDescription. No ordering requirements are given for AccessDescriptions that +contain different accessMethods, provided that previous requirement is satisfied. 
+ +id-ad-caIssuers +1.3.6.1.5.5.7.48.2 uniformResourceIdentifier SHOULD A HTTP URL of the +Issuing CA’s certificate +*************************************************************************/ + +func init() { + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_aia_ca_issuers_must_have_http_only", + Description: "The id-ad-caIssuers accessMethod must contain an HTTP URL of the Issuing CA’s certificate. Other schemes are not allowed.", + Citation: "BRs: 7.1.2.7.7", + Source: lint.CABFBaselineRequirements, + EffectiveDate: util.SC62EffectiveDate, + }, + Lint: NewBRAIACAIssuersHasHTTPOnly, + }) +} + +func NewBRAIACAIssuersHasHTTPOnly() lint.LintInterface { + return &bRAIACAIssuersHasHTTPOnly{} +} + +func (l *bRAIACAIssuersHasHTTPOnly) CheckApplies(c *x509.Certificate) bool { + return len(c.IssuingCertificateURL) > 0 && util.IsSubscriberCert(c) +} + +func (l *bRAIACAIssuersHasHTTPOnly) Execute(c *x509.Certificate) *lint.LintResult { + for _, u := range c.IssuingCertificateURL { + purl, err := url.Parse(u) + if err != nil { + return &lint.LintResult{Status: lint.Error, Details: "Could not parse caIssuers in AIA."} + } + if purl.Scheme != "http" { + return &lint.LintResult{Status: lint.Error, Details: fmt.Sprintf("Found scheme %s in caIssuers of AIA, which is not allowed.", purl.Scheme)} + } + } + return &lint.LintResult{Status: lint.Pass} +} diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_aia_must_contain_permitted_access_method.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_aia_must_contain_permitted_access_method.go new file mode 100644 index 00000000000..ca74124080b --- /dev/null +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_aia_must_contain_permitted_access_method.go 
@@ -0,0 +1,113 @@ +package cabf_br + +/* + * ZLint Copyright 2024 Regents of the University of Michigan + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may not + * use this file except in compliance with the License. You may obtain a copy + * of the License at http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + * implied. See the License for the specific language governing + * permissions and limitations under the License. + */ + +import ( + "fmt" + + "github.com/zmap/zcrypto/encoding/asn1" + "github.com/zmap/zcrypto/x509" + "github.com/zmap/zlint/v3/lint" + "github.com/zmap/zlint/v3/util" +) + +type bRAIAAccessMethodAllowed struct{} + +/************************************************************************ +7.1.2.7.7 Subscriber Certificate Authority Information Access +The AuthorityInfoAccessSyntax MUST contain one or more AccessDescriptions. Each +AccessDescription MUST only contain a permitted accessMethod, as detailed below, and +each accessLocation MUST be encoded as the specified GeneralName type. +The AuthorityInfoAccessSyntax MAY contain multiple AccessDescriptions with the +same accessMethod, if permitted for that accessMethod. When multiple +AccessDescriptions are present with the same accessMethod, each accessLocation +MUST be unique, and each AccessDescription MUST be ordered in priority for that +accessMethod, with the most‐preferred accessLocation being the first +AccessDescription. No ordering requirements are given for AccessDescriptions that +contain different accessMethods, provided that previous requirement is satisfied. + +Each AccessDescription MUST only contain a permitted accessMethod, as detailed below, +and each accessLocation MUST be encoded as the specified GeneralName type. 
+ +This lint checks that only the id-ad-ocsp or id-ad-caIssuers accessMethod is present +and that the value is a uniformResourceIdentifier GeneralName. + +GeneralName ::= CHOICE { + otherName [0] AnotherName, + rfc822Name [1] IA5String, + dNSName [2] IA5String, + x400Address [3] ORAddress, + directoryName [4] Name, + ediPartyName [5] EDIPartyName, + uniformResourceIdentifier [6] IA5String, + iPAddress [7] OCTET STRING, + registeredID [8] OBJECT IDENTIFIER } +*************************************************************************/ + +func init() { + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_aia_must_contain_permitted_access_method", + Description: "The AIA must contain only the id-ad-ocsp or id-ad-caIssuers accessMethod. Others are not allowed. Also, each accessLocation MUST be encoded as uniformResourceIdentifier GeneralName.", + Citation: "BRs: 7.1.2.7.7", + Source: lint.CABFBaselineRequirements, + EffectiveDate: util.SC62EffectiveDate, + }, + Lint: NewBRAIAAccessMethodAllowed, + }) +} + +func NewBRAIAAccessMethodAllowed() lint.LintInterface { + return &bRAIAAccessMethodAllowed{} +} + +func (l *bRAIAAccessMethodAllowed) CheckApplies(c *x509.Certificate) bool { + return util.IsSubscriberCert(c) && util.IsExtInCert(c, util.AiaOID) +} + +func (l *bRAIAAccessMethodAllowed) Execute(c *x509.Certificate) *lint.LintResult { + + // see x509.go + for _, ext := range c.Extensions { + if ext.Id.Equal(util.AiaOID) { + var aia []authorityInfoAccess + _, err := asn1.Unmarshal(ext.Value, &aia) + if err != nil { + return &lint.LintResult{Status: lint.Fatal} + } + for _, v := range aia { + if v.Location.Tag != 6 { + return &lint.LintResult{Status: lint.Error, Details: fmt.Sprintf("Certificate has an invalid GeneralName with tag %d in an accessLocation.", v.Location.Tag)} + } + + if !(v.Method.Equal(idAdCaIssuers) || v.Method.Equal(idAdOCSP)) { + return &lint.LintResult{Status: lint.Error, Details: fmt.Sprintf("Certificate 
has an invalid accessMethod with OID %s.", v.Method)} + } + } + } + } + + return &lint.LintResult{Status: lint.Pass} +} + +type authorityInfoAccess struct { + Method asn1.ObjectIdentifier + Location asn1.RawValue +} + +var ( + idAdOCSP = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 48, 1} + idAdCaIssuers = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 48, 2} +) diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_aia_ocsp_must_have_http_only.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_aia_ocsp_must_have_http_only.go new file mode 100644 index 00000000000..6b56e177960 --- /dev/null +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_aia_ocsp_must_have_http_only.go 
@@ -0,0 +1,78 @@ +package cabf_br + +/* + * ZLint Copyright 2024 Regents of the University of Michigan + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may not + * use this file except in compliance with the License. You may obtain a copy + * of the License at http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + * implied. See the License for the specific language governing + * permissions and limitations under the License. + */ + +import ( + "fmt" + "net/url" + + "github.com/zmap/zcrypto/x509" + "github.com/zmap/zlint/v3/lint" + "github.com/zmap/zlint/v3/util" +) + +type bRAIAOCSPHasHTTPOnly struct{} + +/************************************************************************ +7.1.2.7.7 Subscriber Certificate Authority Information Access +The AuthorityInfoAccessSyntax MUST contain one or more AccessDescriptions. Each +AccessDescription MUST only contain a permitted accessMethod, as detailed below, and +each accessLocation MUST be encoded as the specified GeneralName type. +The AuthorityInfoAccessSyntax MAY contain multiple AccessDescriptions with the +same accessMethod, if permitted for that accessMethod. When multiple +AccessDescriptions are present with the same accessMethod, each accessLocation +MUST be unique, and each AccessDescription MUST be ordered in priority for that +accessMethod, with the most‐preferred accessLocation being the first +AccessDescription. No ordering requirements are given for AccessDescriptions that +contain different accessMethods, provided that previous requirement is satisfied. + +id-ad-ocsp +1.3.6.1.5.5.7.48.1 uniformResourceIdentifier MUST A HTTP URL of the +Issuing CA’s OCSP responder. 
+*************************************************************************/ + +func init() { + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_aia_ocsp_must_have_http_only", + Description: "The id-ad-ocsp accessMethod must contain an HTTP URL of the of the Issuing CA’s OCSP responder. Other schemes are not allowed.", + Citation: "BRs: 7.1.2.7.7", + Source: lint.CABFBaselineRequirements, + EffectiveDate: util.SC62EffectiveDate, + }, + Lint: NewBRAIAOCSPHasHTTPOnly, + }) +} + +func NewBRAIAOCSPHasHTTPOnly() lint.LintInterface { + return &bRAIAOCSPHasHTTPOnly{} +} + +func (l *bRAIAOCSPHasHTTPOnly) CheckApplies(c *x509.Certificate) bool { + return len(c.OCSPServer) > 0 && util.IsSubscriberCert(c) +} + +func (l *bRAIAOCSPHasHTTPOnly) Execute(c *x509.Certificate) *lint.LintResult { + for _, u := range c.OCSPServer { + purl, err := url.Parse(u) + if err != nil { + return &lint.LintResult{Status: lint.Error, Details: "Could not parse OCSP URL in AIA."} + } + if purl.Scheme != "http" { + return &lint.LintResult{Status: lint.Error, Details: fmt.Sprintf("Found scheme %s in OCSP URL of AIA, which is not allowed.", purl.Scheme)} + } + } + return &lint.LintResult{Status: lint.Pass} +} diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_aia_unique_locations.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_aia_unique_locations.go new file mode 100644 index 00000000000..f176d35e449 --- /dev/null +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_aia_unique_locations.go 
@@ -0,0 +1,89 @@ +package cabf_br + +/* + * ZLint Copyright 2024 Regents of the University of Michigan + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may not + * use this file except in compliance with the License. You may obtain a copy + * of the License at http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + * implied. See the License for the specific language governing + * permissions and limitations under the License. + */ + +import ( + "fmt" + "strings" + + "github.com/zmap/zcrypto/x509" + "github.com/zmap/zlint/v3/lint" + "github.com/zmap/zlint/v3/util" +) + +type bRAIAAccessLocationUnique struct{} + +/************************************************************************ +7.1.2.7.7 Subscriber Certificate Authority Information Access +The AuthorityInfoAccessSyntax MUST contain one or more AccessDescriptions. Each +AccessDescription MUST only contain a permitted accessMethod, as detailed below, and +each accessLocation MUST be encoded as the specified GeneralName type. +The AuthorityInfoAccessSyntax MAY contain multiple AccessDescriptions with the +same accessMethod, if permitted for that accessMethod. When multiple +AccessDescriptions are present with the same accessMethod, each accessLocation +MUST be unique, and each AccessDescription MUST be ordered in priority for that +accessMethod, with the most‐preferred accessLocation being the first +AccessDescription. No ordering requirements are given for AccessDescriptions that +contain different accessMethods, provided that previous requirement is satisfied. + +When multiple AccessDescriptions are present with the same accessMethod, +each accessLocation MUST be unique. 
+*************************************************************************/ + +func init() { + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_aia_unique_access_locations", + Description: "When multiple AccessDescriptions are present with the same accessMethod in the AIA extension, then each accessLocation MUST be unique.", + Citation: "BRs: 7.1.2.7.7", + Source: lint.CABFBaselineRequirements, + EffectiveDate: util.SC62EffectiveDate, + }, + Lint: NewBRAIAAccessLocationUnique, + }) +} + +func NewBRAIAAccessLocationUnique() lint.LintInterface { + return &bRAIAAccessLocationUnique{} +} + +func (l *bRAIAAccessLocationUnique) CheckApplies(c *x509.Certificate) bool { + return util.IsSubscriberCert(c) && (len(c.IssuingCertificateURL) > 0 || len(c.OCSPServer) > 0) +} + +func (l *bRAIAAccessLocationUnique) Execute(c *x509.Certificate) *lint.LintResult { + + ocspURLs := make([]string, 0) + for _, url := range c.OCSPServer { + for _, foundURL := range ocspURLs { + if strings.EqualFold(url, foundURL) { + return &lint.LintResult{Status: lint.Error, Details: fmt.Sprintf("accessLocation with URL %s is found more than once in OCSP URLs", url)} + } + } + ocspURLs = append(ocspURLs, url) + } + + issuingCertificateURLs := make([]string, 0) + for _, url := range c.IssuingCertificateURL { + for _, foundURL := range issuingCertificateURLs { + if strings.EqualFold(url, foundURL) { + return &lint.LintResult{Status: lint.Error, Details: fmt.Sprintf("accessLocation with URL %s is found more than once in caIssuers URLs", url)} + } + } + issuingCertificateURLs = append(issuingCertificateURLs, url) + } + + return &lint.LintResult{Status: lint.Pass} +} diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_common_name_missing.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_common_name_missing.go index e72bb4d7238..5e27380f989 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_common_name_missing.go 
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_common_name_missing.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_country_name_invalid.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_country_name_invalid.go index 55d19332949..dae179d2dd9 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_country_name_invalid.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_country_name_invalid.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_country_name_missing.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_country_name_missing.go index 5ed709a9e03..fa97bd9776c 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_country_name_missing.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_country_name_missing.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_crl_sign_not_set.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_crl_sign_not_set.go index ac68b3f078f..8530f09413f 100644 
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_crl_sign_not_set.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_crl_sign_not_set.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_digital_signature_not_set.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_digital_signature_not_set.go index d525423c66d..1d1f84be2fa 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_digital_signature_not_set.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_digital_signature_not_set.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_invalid_eku.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_invalid_eku.go new file mode 100644 index 00000000000..d6b8ddea16a --- /dev/null +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_invalid_eku.go 
@@ -0,0 +1,81 @@
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+/*
+ * Contributed by Adriano Santoni
+ */
+
+package cabf_br
+
+import (
+ "github.com/zmap/zcrypto/x509"
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/util"
+
+ "fmt"
+)
+
+func init() {
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_ca_invalid_eku",
+ Description: "Checks that SubCA certificates do not contain forbidden values in their EKU extension.",
+ Citation: "CABF BRs §7.1.2",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.CABFBRs_1_7_1_Date,
+ },
+ Lint: NewCaInvalidEKU,
+ })
+}
+
+type caInvalidEKU struct{}
+
+func NewCaInvalidEKU() lint.LintInterface {
+ return &caInvalidEKU{}
+}
+
+// This lint applies to any SubCA certificate to which the CABF BRs are applicable and which contains
+// the EKU extension. Given that the lint source is lint.CABFBaselineRequirements, if we arrive here
+// it's been already checked that the certificate falls within the purview of the CABF BRs.
+func (l *caInvalidEKU) CheckApplies(c *x509.Certificate) bool { + return util.IsSubCA(c) && len(c.ExtKeyUsage) != 0 +} + +func (l *caInvalidEKU) Execute(c *x509.Certificate) *lint.LintResult { + + // If the EKU contains anyExtendedKeyUsage, it's probably a cross-certicate + // In this case, the EKU must not contain any other value + if util.HasEKU(c, x509.ExtKeyUsageAny) && len(c.ExtKeyUsage) > 1 { + return &lint.LintResult{ + Status: lint.Error, + Details: "anyExtendedKeyUsage MUST NOT be accompanied by any other value in the EKU extension", + } + } + + // If we get here, it is necessarily a SubCA with serverAuth in the EKU + for _, eku := range c.ExtKeyUsage { + if eku == x509.ExtKeyUsageEmailProtection || + eku == x509.ExtKeyUsageCodeSigning || + eku == x509.ExtKeyUsageTimeStamping || + eku == x509.ExtKeyUsageOcspSigning { + + return &lint.LintResult{ + Status: lint.Error, + Details: fmt.Sprintf("%s MUST not be present together with serverAuth in the EKU extension", util.GetEKUString(eku)), + } + } + } + + return &lint.LintResult{Status: lint.Pass} +} diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_is_ca.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_is_ca.go index 3cd27d26fd2..eed50419534 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_is_ca.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_is_ca.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_key_cert_sign_not_set.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_key_cert_sign_not_set.go index a1a94db28b7..481f08b66f3 100644 
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_key_cert_sign_not_set.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_key_cert_sign_not_set.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_key_usage_missing.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_key_usage_missing.go index 2b766506161..0467c1c6f2d 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_key_usage_missing.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_key_usage_missing.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_key_usage_not_critical.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_key_usage_not_critical.go index c7e5226f4f0..eb19f22335d 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_key_usage_not_critical.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_key_usage_not_critical.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_organization_name_missing.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_organization_name_missing.go index 123ccad25d9..e8041fe922e 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_organization_name_missing.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ca_organization_name_missing.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cab_dv_conflicts_with_locality.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cab_dv_conflicts_with_locality.go index 62564f1da33..393f2306e95 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cab_dv_conflicts_with_locality.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cab_dv_conflicts_with_locality.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cab_dv_conflicts_with_org.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cab_dv_conflicts_with_org.go index 189f3edd95b..8f849cf9236 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cab_dv_conflicts_with_org.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cab_dv_conflicts_with_org.go 
@@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cab_dv_conflicts_with_postal.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cab_dv_conflicts_with_postal.go index d41ec790964..f982d568867 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cab_dv_conflicts_with_postal.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cab_dv_conflicts_with_postal.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cab_dv_conflicts_with_province.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cab_dv_conflicts_with_province.go index 23a5377e8ee..b2a6f0c3206 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cab_dv_conflicts_with_province.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cab_dv_conflicts_with_province.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cab_dv_conflicts_with_street.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cab_dv_conflicts_with_street.go index a7ab3eb8f84..0d9d87eff3c 100644 
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cab_dv_conflicts_with_street.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cab_dv_conflicts_with_street.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cab_dv_subject_invalid_values.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cab_dv_subject_invalid_values.go new file mode 100644 index 00000000000..3563da7f055 --- /dev/null +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cab_dv_subject_invalid_values.go 
@@ -0,0 +1,77 @@
+package cabf_br
+
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+import (
+ "fmt"
+
+ "github.com/zmap/zcrypto/x509"
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/util"
+)
+
+type dvSubjectInvalidValues struct{}
+
+/************************************************
+7.1.2.7.2 Domain Validated
+
+The following table details the acceptable AttributeTypes that may appear within the type
+field of an AttributeTypeAndValue, as well as the contents permitted within the value field.
+
+Table 35: Domain Validated subject Attributes
+
+countryName MAY The two‐letter ISO 3166‐1 country code for the country
+associated with the Subject. Section 3.2.2.3
+
+commonName NOT RECOMMENDED
+If present, MUST contain a value derived from the
+subjectAltName extension according to Section
+7.1.4.3.
+ +Any other attribute MUST NOT +************************************************/ + +func init() { + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_cab_dv_subject_invalid_values", + Description: "If certificate policy 2.23.140.1.2.1 (CA/B BR domain validated) is included, only country and/or common name is allowed in SubjectDN.", + Citation: "BRs: 7.1.2.7.2", + Source: lint.CABFBaselineRequirements, + EffectiveDate: util.SC62EffectiveDate, + }, + Lint: NewDvSubjectInvalidValues, + }) +} + +func NewDvSubjectInvalidValues() lint.LintInterface { + return &dvSubjectInvalidValues{} +} + +func (l *dvSubjectInvalidValues) CheckApplies(cert *x509.Certificate) bool { + return util.SliceContainsOID(cert.PolicyIdentifiers, util.BRDomainValidatedOID) && util.IsSubscriberCert(cert) +} + +func (l *dvSubjectInvalidValues) Execute(cert *x509.Certificate) *lint.LintResult { + names := util.GetTypesInName(&cert.Subject) + for _, n := range names { + if n.Equal(util.CommonNameOID) || n.Equal(util.CountryNameOID) { + continue + } + return &lint.LintResult{Status: lint.Error, Details: fmt.Sprintf("DV certificate contains the invalid attribute type %s", n)} + } + + return &lint.LintResult{Status: lint.Pass} +} diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cab_iv_requires_personal_name.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cab_iv_requires_personal_name.go index 5ccfb129702..32c01617573 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cab_iv_requires_personal_name.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cab_iv_requires_personal_name.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cab_ov_requires_org.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cab_ov_requires_org.go index a3f1035bc39..7206ff712ca 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cab_ov_requires_org.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cab_ov_requires_org.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cabf_crl_reason_code_not_critical.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cabf_crl_reason_code_not_critical.go index 2147fc4467f..a09416506dd 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cabf_crl_reason_code_not_critical.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cabf_crl_reason_code_not_critical.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cabf_crl_valid_reason_codes.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cabf_crl_valid_reason_codes.go index 70aea45eb66..470b1e12519 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cabf_crl_valid_reason_codes.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cabf_crl_valid_reason_codes.go 
@@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cert_policy_iv_requires_country.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cert_policy_iv_requires_country.go index f851b89719a..f05f8553e22 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cert_policy_iv_requires_country.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cert_policy_iv_requires_country.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cert_policy_iv_requires_province_or_locality.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cert_policy_iv_requires_province_or_locality.go index cef1df45b1d..c146f90cdfa 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cert_policy_iv_requires_province_or_locality.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cert_policy_iv_requires_province_or_locality.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cert_policy_ov_requires_country.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cert_policy_ov_requires_country.go index 7c3562e8f6c..1cc761db0a8 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cert_policy_ov_requires_country.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cert_policy_ov_requires_country.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cert_policy_ov_requires_province_or_locality.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cert_policy_ov_requires_province_or_locality.go index 85d9bc961fe..59dda9e4a2a 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cert_policy_ov_requires_province_or_locality.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_cert_policy_ov_requires_province_or_locality.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_crl_distrib_points_not_http.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_crl_distrib_points_not_http.go new file mode 100644 index 00000000000..54d041a2aac --- /dev/null +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_crl_distrib_points_not_http.go 
@@ -0,0 +1,64 @@
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+/*
+ * Contributed by Adriano Santoni
+ * of ACTALIS S.p.A. (www.actalis.com).
+ */
+
+package cabf_br
+
+import (
+ "github.com/zmap/zcrypto/x509"
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/util"
+
+ "strings"
+)
+
+func init() {
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_crl_distrib_points_not_http",
+ Description: "The scheme of each CRL Distribution Point MUST be 'http'",
+ Citation: "CABF BRs §7.1.2.11.2",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.CABFBRs_2_0_0_Date,
+ },
+ Lint: NewCrlDistribPointsNotHTTP,
+ })
+}
+
+type crlDistribPointsNotHTTP struct{}
+
+func NewCrlDistribPointsNotHTTP() lint.LintInterface {
+ return &crlDistribPointsNotHTTP{}
+}
+
+func (l *crlDistribPointsNotHTTP) CheckApplies(c *x509.Certificate) bool {
+ return len(c.CRLDistributionPoints) > 0
+}
+
+func (l *crlDistribPointsNotHTTP) Execute(c *x509.Certificate) *lint.LintResult {
+ for _, dp := range c.CRLDistributionPoints {
+ if !strings.HasPrefix(dp, "http:") {
+ return &lint.LintResult{
+ Status: lint.Error,
+ Details: "Certificate contains a non-HTTP CRL distribution point",
+ }
+ }
+ }
+
+ return &lint.LintResult{Status: lint.Pass}
+}
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_crlissuer_must_not_be_present_in_cdp.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_crlissuer_must_not_be_present_in_cdp.go new file mode 100644 index 00000000000..739ed233d01 --- /dev/null +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_crlissuer_must_not_be_present_in_cdp.go 
@@ -0,0 +1,79 @@ +/* + * ZLint Copyright 2024 Regents of the University of Michigan + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may not + * use this file except in compliance with the License. You may obtain a copy + * of the License at http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + * implied. See the License for the specific language governing + * permissions and limitations under the License. + */ + +package cabf_br + +import ( + "github.com/zmap/zcrypto/encoding/asn1" + "github.com/zmap/zcrypto/x509" + "github.com/zmap/zcrypto/x509/pkix" + "github.com/zmap/zlint/v3/lint" + "github.com/zmap/zlint/v3/util" +) + +func init() { + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_crlissuer_must_not_be_present_in_cdp", + Description: "crlIssuer and/or Reason field MUST NOT be present in the CDP extension.", + Citation: "BR Section 7.1.2.11.2", + Source: lint.CABFBaselineRequirements, + EffectiveDate: util.SC62EffectiveDate, + }, + Lint: NewCrlissuerMustNotBePresentInCdp, + }) +} + +type CrlissuerMustNotBePresentInCdp struct{} + +func NewCrlissuerMustNotBePresentInCdp() lint.LintInterface { + return &CrlissuerMustNotBePresentInCdp{} +} + +func (l *CrlissuerMustNotBePresentInCdp) CheckApplies(c *x509.Certificate) bool { + return c.CRLDistributionPoints != nil +} + +func (l *CrlissuerMustNotBePresentInCdp) Execute(c *x509.Certificate) *lint.LintResult { + + for _, ext := range c.Extensions { + if ext.Id.Equal(util.CrlDistOID) { + var cdp []distributionPoint + _, err := asn1.Unmarshal(ext.Value, &cdp) + if err != nil { + return &lint.LintResult{Status: lint.Fatal} + } + for _, dp := range cdp { + if (len(dp.CRLIssuer.Bytes) > 0) || (len(dp.Reason.Bytes) > 0) { + return 
&lint.LintResult{Status: lint.Error} + } + + } + + } + } + + return &lint.LintResult{Status: lint.Pass} +} + +type distributionPoint struct { + DistributionPoint distributionPointName `asn1:"optional,tag:0"` + Reason asn1.BitString `asn1:"optional,tag:1"` + CRLIssuer asn1.RawValue `asn1:"optional,tag:2"` +} + +type distributionPointName struct { + FullName asn1.RawValue `asn1:"optional,tag:0"` + RelativeName pkix.RDNSequence `asn1:"optional,tag:1"` +} diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dh_params_missing.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dh_params_missing.go index ea6472e59a1..db9546ebd8a 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dh_params_missing.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dh_params_missing.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_bad_character_in_label.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_bad_character_in_label.go index 7f4d6d3b06a..4147d04ff17 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_bad_character_in_label.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_bad_character_in_label.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_check_left_label_wildcard.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_check_left_label_wildcard.go index 1169cbec191..ed3bcc871bc 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_check_left_label_wildcard.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_check_left_label_wildcard.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_contains_bare_iana_suffix.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_contains_bare_iana_suffix.go index d60b6160ea2..61d46b55654 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_contains_bare_iana_suffix.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_contains_bare_iana_suffix.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_contains_empty_label.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_contains_empty_label.go index 834235f32ae..d2b0a0ac93f 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_contains_empty_label.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_contains_empty_label.go 
@@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_contains_prohibited_reserved_label.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_contains_prohibited_reserved_label.go index dc2ddd5f37a..aa6342c872a 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_contains_prohibited_reserved_label.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_contains_prohibited_reserved_label.go @@ -1,5 +1,5 @@ /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_hyphen_in_sld.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_hyphen_in_sld.go index c64677e992c..9a7474b3cfb 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_hyphen_in_sld.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_hyphen_in_sld.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_label_too_long.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_label_too_long.go index f129b64a1e3..6d619e7b859 100644 
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_label_too_long.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_label_too_long.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_right_label_valid_tld.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_right_label_valid_tld.go index e8e29a64227..8bc682a9e74 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_right_label_valid_tld.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_right_label_valid_tld.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_underscore_in_sld.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_underscore_in_sld.go index fdb69a6a6ab..0a0f1de67fb 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_underscore_in_sld.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_underscore_in_sld.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_underscore_in_trd.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_underscore_in_trd.go index 03a7c4ab0e1..0384cf376c1 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_underscore_in_trd.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_underscore_in_trd.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_wildcard_left_of_public_suffix.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_wildcard_left_of_public_suffix.go index 5d12c5779a0..30be62ff127 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_wildcard_left_of_public_suffix.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_wildcard_left_of_public_suffix.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_wildcard_only_in_left_label.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_wildcard_only_in_left_label.go index e8b09ea45cf..38a9521178f 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_wildcard_only_in_left_label.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dnsname_wildcard_only_in_left_label.go 
@@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dsa_correct_order_in_subgroup.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dsa_correct_order_in_subgroup.go index f0e28050f64..6dc0a0dceac 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dsa_correct_order_in_subgroup.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dsa_correct_order_in_subgroup.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy @@ -29,11 +29,12 @@ type dsaSubgroup struct{} func init() { lint.RegisterCertificateLint(&lint.CertificateLint{ LintMetadata: lint.LintMetadata{ - Name: "e_dsa_correct_order_in_subgroup", - Description: "DSA: Public key value has the unique correct representation in the field, and that the key has the correct order in the subgroup", - Citation: "BRs v1.7.0: 6.1.6", - Source: lint.CABFBaselineRequirements, - EffectiveDate: util.CABEffectiveDate, + Name: "e_dsa_correct_order_in_subgroup", + Description: "DSA: Public key value has the unique correct representation in the field, and that the key has the correct order in the subgroup", + Citation: "BRs v1.7.0: 6.1.6", + Source: lint.CABFBaselineRequirements, + EffectiveDate: util.CABEffectiveDate, + IneffectiveDate: util.CABFBRs_1_7_1_Date, }, Lint: NewDsaSubgroup, }) 
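Review bot: The added `IneffectiveDate: util.CABFBRs_1_7_1_Date` line in e_dsa_correct_order_in_subgroup has no comment saying why the lint stops applying, and `Citation` still reads `BRs v1.7.0: 6.1.6`. A short comment such as `// Not evaluated for certificates on or after BRs 1.7.1; DSA checks end there` would make the cut-off explicit. The same applies to the matching additions in e_dsa_shorter_than_2048_bits and e_dsa_unique_correct_representation further down. Presumably DSA-keyed certificates after that date are meant to be rejected by a different lint, since these three no longer run on them; that is worth confirming in the consuming lint profile. The `init` body starts outside the hunk, and the file is vendored, so the comment belongs upstream.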
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dsa_improper_modulus_or_divisor_size.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dsa_improper_modulus_or_divisor_size.go index d979b6dd11e..83a497528c3 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dsa_improper_modulus_or_divisor_size.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dsa_improper_modulus_or_divisor_size.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dsa_shorter_than_2048_bits.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dsa_shorter_than_2048_bits.go index 690a960393f..bde8f0ee4d6 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dsa_shorter_than_2048_bits.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dsa_shorter_than_2048_bits.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy @@ -31,8 +31,9 @@ func init() { Description: "DSA modulus size must be at least 2048 bits", Citation: "BRs v1.7.0: 6.1.5", // Refer to BRs: 6.1.5, taking the statement "Before 31 Dec 2010" literally - Source: lint.CABFBaselineRequirements, - EffectiveDate: util.ZeroDate, + Source: lint.CABFBaselineRequirements, + EffectiveDate: util.ZeroDate, + IneffectiveDate: util.CABFBRs_1_7_1_Date, }, Lint: NewDsaTooShort, }) 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dsa_unique_correct_representation.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dsa_unique_correct_representation.go index 5016a83fc0d..cdb5019fff0 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dsa_unique_correct_representation.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_dsa_unique_correct_representation.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy @@ -29,11 +29,12 @@ type dsaUniqueCorrectRepresentation struct{} func init() { lint.RegisterCertificateLint(&lint.CertificateLint{ LintMetadata: lint.LintMetadata{ - Name: "e_dsa_unique_correct_representation", - Description: "DSA: Public key value has the unique correct representation in the field, and that the key has the correct order in the subgroup", - Citation: "BRs v1.7.0: 6.1.6", - Source: lint.CABFBaselineRequirements, - EffectiveDate: util.CABEffectiveDate, + Name: "e_dsa_unique_correct_representation", + Description: "DSA: Public key value has the unique correct representation in the field, and that the key has the correct order in the subgroup", + Citation: "BRs v1.7.0: 6.1.6", + Source: lint.CABFBaselineRequirements, + EffectiveDate: util.CABEffectiveDate, + IneffectiveDate: util.CABFBRs_1_7_1_Date, }, Lint: NewDsaUniqueCorrectRepresentation, }) diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_duplicate_subject_attribs.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_duplicate_subject_attribs.go new file mode 100644 index 00000000000..200e8362ace --- /dev/null +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_duplicate_subject_attribs.go 
@@ -0,0 +1,99 @@ +/* + * ZLint Copyright 2024 Regents of the University of Michigan + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may not + * use this file except in compliance with the License. You may obtain a copy + * of the License at http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + * implied. See the License for the specific language governing + * permissions and limitations under the License. + */ + +/* + * Contributed by Adriano Santoni + */ + +package cabf_br + +import ( + "github.com/zmap/zcrypto/encoding/asn1" + "github.com/zmap/zcrypto/x509" + "github.com/zmap/zcrypto/x509/pkix" + "github.com/zmap/zlint/v3/lint" + "github.com/zmap/zlint/v3/util" + + "fmt" +) + +func init() { + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_duplicate_subject_attribs", + Description: "Each Name MUST NOT contain more than one instance of a given AttributeTypeAndValue across all RDNs", + Citation: "CABF BRs 7.1.4.1", + Source: lint.CABFBaselineRequirements, + EffectiveDate: util.CABFBRs_2_0_0_Date, + }, + Lint: NewDuplicateSubjectAttribs, + }) +} + +type duplicateSubjectAttribs struct{} + +func NewDuplicateSubjectAttribs() lint.LintInterface { + return &duplicateSubjectAttribs{} +} + +func (l *duplicateSubjectAttribs) CheckApplies(c *x509.Certificate) bool { + return true +} + +// The domainComponent and streetAddress attributes are exempt from +// the single-instance requirement; organizationalUnitName would be too, +// if it weren't for the fact that it has been deprecated. 
+ +var singleInstanceOIDs = map[string]string{ + "1.3.6.1.4.1.311.60.2.1.1": "jurisdictionLocality", + "1.3.6.1.4.1.311.60.2.1.2": "jurisdictionStateOrProvince", + "1.3.6.1.4.1.311.60.2.1.3": "jurisdictionCountry", + "2.5.4.3": "commonName", + "2.5.4.4": "surname", + "2.5.4.5": "serialNumber", + "2.5.4.6": "countryName", + "2.5.4.7": "localityName", + "2.5.4.8": "stateOrProvinceName", + "2.5.4.10": "organizationName", + "2.5.4.15": "businessCategory", + "2.5.4.42": "givenName", + "2.5.4.97": "organizationIdentifier", +} + +func (l *duplicateSubjectAttribs) Execute(c *x509.Certificate) *lint.LintResult { + + var subject pkix.RDNSequence + if _, err := asn1.Unmarshal(c.RawSubject, &subject); err != nil { + return &lint.LintResult{Status: lint.Fatal} + } + + foundOIDs := make(map[string]bool) + + for _, rdn := range subject { + for _, ava := range rdn { + oid := fmt.Sprint(ava.Type) + name, mustBeSingle := singleInstanceOIDs[oid] + _, alreadySeen := foundOIDs[oid] + if mustBeSingle && alreadySeen { + return &lint.LintResult{ + Status: lint.Error, + Details: fmt.Sprintf("Multiple instances of '%s' are NOT allowed in the Subject", name), + } + } + foundOIDs[oid] = true + } + } + + return &lint.LintResult{Status: lint.Pass} +} diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_e_invalid_cps_uri.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_e_invalid_cps_uri.go new file mode 100644 index 00000000000..a2c542d5028 --- /dev/null +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_e_invalid_cps_uri.go 
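Review bot: `singleInstanceOIDs` lists the types to check, so `Execute` never reports a repeated attribute whose OID is missing from the map. postalCode (2.5.4.17) is one such type, although the comment above the map names only domainComponent and streetAddress as exempt. If postalCode is meant to be single-instance, add `"2.5.4.17": "postalCode",` to the map, or invert the logic so that any repeated OID outside an explicit exemption set is an error. The `lint.Fatal` result on an unmarshal failure also carries no `Details`; adding `Details: err.Error()` would tell an operator why the subject could not be parsed. This file is vendored, so the change belongs upstream in zlint.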
@@ -0,0 +1,74 @@ +/* + * ZLint Copyright 2024 Regents of the University of Michigan + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may not + * use this file except in compliance with the License. You may obtain a copy + * of the License at http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + * implied. See the License for the specific language governing + * permissions and limitations under the License. + */ + +/* + * Contributed by Adriano Santoni + * of ACTALIS S.p.A. (www.actalis.com). + */ + +package cabf_br + +import ( + "github.com/zmap/zcrypto/x509" + "github.com/zmap/zlint/v3/lint" + "github.com/zmap/zlint/v3/util" + + "net/url" +) + +func init() { + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_invalid_cps_uri", + Description: "If the CPS URI policyQualifier is present in a certificate, it MUST contain an HTTP or HTTPS URL", + Citation: "CABF BR 7.1.2 (several subsections thereof)", + Source: lint.CABFBaselineRequirements, + EffectiveDate: util.CABFBRs_2_0_0_Date, + }, + Lint: NewInvalidCPSUri, + }) +} + +type invalidCPSUri struct{} + +func NewInvalidCPSUri() lint.LintInterface { + return &invalidCPSUri{} +} + +func (l *invalidCPSUri) CheckApplies(c *x509.Certificate) bool { + return util.IsExtInCert(c, util.CertPolicyOID) +} + +func isValidHttpOrHttpsURL(input string) bool { + parsedURL, err := url.Parse(input) + if err != nil { + return false + } + + scheme := parsedURL.Scheme + return scheme == "http" || scheme == "https" +} + +func (l *invalidCPSUri) Execute(c *x509.Certificate) *lint.LintResult { + // There should normally be just one CPS URI, but one never knows... 
+ for _, pol := range c.CPSuri { + for _, uri := range pol { + if !isValidHttpOrHttpsURL(uri) { + return &lint.LintResult{Status: lint.Error} + } + } + } + + return &lint.LintResult{Status: lint.Pass} +} diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_e_sub_ca_aia_missing.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_e_sub_ca_aia_missing.go index 2e637382846..ac887fa1d21 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_e_sub_ca_aia_missing.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_e_sub_ca_aia_missing.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ec_improper_curves.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ec_improper_curves.go index 5c6c78012d0..4309c979a7d 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ec_improper_curves.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ec_improper_curves.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_eku_critical.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_eku_critical.go new file mode 100644 index 00000000000..43a2f139477 --- /dev/null +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_eku_critical.go 
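Review bot: `isValidHttpOrHttpsURL` checks only `parsedURL.Scheme`, so values such as `http:` or `https:///path` with no host pass as a valid CPS URI, because `url.Parse` succeeds on them. Tightening the return to `return (scheme == "http" || scheme == "https") && parsedURL.Host != ""` would reject those. `Execute` also returns `lint.Error` without `Details`, so the offending URI is not reported; `Details: fmt.Sprintf("invalid CPS URI: %q", uri)` would help (it needs the `fmt` import). The file is vendored, so until this is tightened upstream, callers should treat the lint as a scheme check only.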
@@ -0,0 +1,52 @@ +package cabf_br + +/* + * ZLint Copyright 2024 Regents of the University of Michigan + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may not + * use this file except in compliance with the License. You may obtain a copy + * of the License at http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + * implied. See the License for the specific language governing + * permissions and limitations under the License. + */ + +import ( + "github.com/zmap/zcrypto/x509" + "github.com/zmap/zlint/v3/lint" + "github.com/zmap/zlint/v3/util" +) + +type eKUCrit struct{} + +func init() { + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_eku_critical", + Description: "Subscriber Certificate extkeyUsage extension MUST NOT be marked critical", + Citation: "BRs: 7.1.2.7.6", + Source: lint.CABFBaselineRequirements, + EffectiveDate: util.SC62EffectiveDate, + }, + Lint: NewEKUCrit, + }) +} + +func NewEKUCrit() lint.LintInterface { + return &eKUCrit{} +} + +func (l *eKUCrit) CheckApplies(c *x509.Certificate) bool { + return util.IsSubscriberCert(c) && util.IsExtInCert(c, util.EkuSynOid) +} + +func (l *eKUCrit) Execute(c *x509.Certificate) *lint.LintResult { + if e := util.GetExtFromCert(c, util.EkuSynOid); e.Critical { + return &lint.LintResult{Status: lint.Error} + } else { + return &lint.LintResult{Status: lint.Pass} + } +} diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_nc_intersects_reserved_ip.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_nc_intersects_reserved_ip.go index 838c6eedb60..7e7b2d19889 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_nc_intersects_reserved_ip.go 
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_nc_intersects_reserved_ip.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_san_contains_reserved_ip.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_san_contains_reserved_ip.go index e65f7155239..875690c9dcc 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_san_contains_reserved_ip.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_san_contains_reserved_ip.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_san_critical_with_subject_dn.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_san_critical_with_subject_dn.go index 90d2dcf0f9c..d2ab4147051 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_san_critical_with_subject_dn.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_san_critical_with_subject_dn.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_san_directory_name_present.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_san_directory_name_present.go index 57d04837597..f299c4b746e 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_san_directory_name_present.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_san_directory_name_present.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_san_edi_party_name_present.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_san_edi_party_name_present.go index ace3eb211b7..e883544a89d 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_san_edi_party_name_present.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_san_edi_party_name_present.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_san_missing.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_san_missing.go index 70f2c4e823a..17cecfac20f 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_san_missing.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_san_missing.go 
@@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_san_other_name_present.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_san_other_name_present.go index a54cff2961f..693ac5f9180 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_san_other_name_present.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_san_other_name_present.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_san_registered_id_present.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_san_registered_id_present.go index ad9e44edd18..1206b1fbd4c 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_san_registered_id_present.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_san_registered_id_present.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_san_rfc822_name_present.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_san_rfc822_name_present.go index 62da4b7950a..1e181c1f6f3 100644 
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_san_rfc822_name_present.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_san_rfc822_name_present.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_san_uniform_resource_identifier_present.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_san_uniform_resource_identifier_present.go index 8a070caf0a9..daa6e0478a3 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_san_uniform_resource_identifier_present.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_san_uniform_resource_identifier_present.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_subject_key_identifier_not_recommended_subscriber.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_subject_key_identifier_not_recommended_subscriber.go new file mode 100644 index 00000000000..73d0d24c56c --- /dev/null +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_subject_key_identifier_not_recommended_subscriber.go 
@@ -0,0 +1,70 @@ +package cabf_br + +/* + * ZLint Copyright 2024 Regents of the University of Michigan + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may not + * use this file except in compliance with the License. You may obtain a copy + * of the License at http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + * implied. See the License for the specific language governing + * permissions and limitations under the License. + */ + +import ( + "github.com/zmap/zcrypto/x509" + "github.com/zmap/zlint/v3/lint" + "github.com/zmap/zlint/v3/util" +) + +type subjectKeyIdNotRecommendedSubscriber struct{} + +/********************************************************************** +RFC5280 suggested the addition of SKI extension, but CABF BR SC62 +marked the extension as NOT RECOMMENDED for subscriber certificates + +Warning: +Users of zlint will trigger either +`w_ext_subject_key_identifier_not_recommended_subscriber` (this lint) +or `w_ext_subject_key_identifier_missing_sub_cert` the one enforcing +RFC5280's behavior. + +Users are expected to specifically ignore one or the other lint +depending on which one apply to them. 
+ +See: + - https://github.com/zmap/zlint/issues/749 + - https://github.com/zmap/zlint/issues/762 +**********************************************************************/ + +func init() { + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "w_ext_subject_key_identifier_not_recommended_subscriber", + Description: "Subscriber certificates use of Subject Key Identifier is NOT RECOMMENDED", + Citation: "BRs v2: 7.1.2.7.6", + Source: lint.CABFBaselineRequirements, + EffectiveDate: util.SC62EffectiveDate, + }, + Lint: NewSubjectKeyIdNotRecommendedSubscriber, + }) +} + +func NewSubjectKeyIdNotRecommendedSubscriber() lint.LintInterface { + return &subjectKeyIdNotRecommendedSubscriber{} +} + +func (l *subjectKeyIdNotRecommendedSubscriber) CheckApplies(cert *x509.Certificate) bool { + return util.IsSubscriberCert(cert) +} + +func (l *subjectKeyIdNotRecommendedSubscriber) Execute(cert *x509.Certificate) *lint.LintResult { + if util.IsExtInCert(cert, util.SubjectKeyIdentityOID) { + return &lint.LintResult{Status: lint.Warn} + } else { + return &lint.LintResult{Status: lint.Pass} + } +} diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_tor_service_descriptor_hash_invalid.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_tor_service_descriptor_hash_invalid.go index f288831b920..c4b5db833ed 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_tor_service_descriptor_hash_invalid.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ext_tor_service_descriptor_hash_invalid.go @@ -1,5 +1,5 @@ /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_extra_subject_common_names.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_extra_subject_common_names.go index 824ceed4ad4..95feb2b81f2 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_extra_subject_common_names.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_extra_subject_common_names.go @@ -1,5 +1,5 @@ /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_invalid_certificate_version.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_invalid_certificate_version.go index aeaf8a55dc9..b6bcd92a869 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_invalid_certificate_version.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_invalid_certificate_version.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_invalid_subject_rdn_order.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_invalid_subject_rdn_order.go new file mode 100644 index 00000000000..b4710e2058b --- /dev/null +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_invalid_subject_rdn_order.go 
@@ -0,0 +1,145 @@ +/* + * ZLint Copyright 2024 Regents of the University of Michigan + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may not + * use this file except in compliance with the License. You may obtain a copy + * of the License at http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + * implied. See the License for the specific language governing + * permissions and limitations under the License. + */ + +/* + * Contributed by Adriano Santoni + * of ACTALIS S.p.A. (www.actalis.com). + */ + +package cabf_br + +import ( + "crypto/x509/pkix" + "encoding/asn1" + + "github.com/zmap/zcrypto/x509" + "github.com/zmap/zlint/v3/lint" + "github.com/zmap/zlint/v3/util" +) + +func init() { + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_invalid_subject_rdn_order", + Description: "Subject field attributes (RDNs) SHALL be encoded in a specific order", + Citation: "BRs: 7.1.4.2", + Source: lint.CABFBaselineRequirements, + EffectiveDate: util.CABFBRs_2_0_0_Date, + }, + Lint: NewInvalidSubjectRDNOrder, + }) +} + +type invalidSubjectRDNOrder struct{} + +func NewInvalidSubjectRDNOrder() lint.LintInterface { + return &invalidSubjectRDNOrder{} +} + +func (l *invalidSubjectRDNOrder) CheckApplies(c *x509.Certificate) bool { + return util.IsSubscriberCert(c) +} + +func getShortOIDName(oid string) string { + switch oid { + case "0.9.2342.19200300.100.1.25": + return "DC" + case "2.5.4.6": + return "C" + case "2.5.4.8": + return "ST" + case "2.5.4.7": + return "L" + case "2.5.4.17": + return "postalCode" + case "2.5.4.9": + return "street" + case "2.5.4.10": + return "O" + case "2.5.4.4": + return "SN" + case "2.5.4.42": + return "givenName" + case "2.5.4.11": + return "OU" + case "2.5.4.3": + return 
"CN" + default: + return "" + } +} + +func findElement(arr []string, target string) (int, bool) { + for i, value := range arr { + if value == target { + return i, true + } + } + return -1, false +} + +func checkOrder(actualOrder []string, expectedOrder []string) bool { + var prevPosition int + prevPosition = 0 + + for _, targetElement := range actualOrder { + position, found := findElement(expectedOrder, targetElement) + if found { + if position < prevPosition { + return false + } + prevPosition = position + } + } + return true +} + +func checkSubjectRDNOrder(cert *x509.Certificate) bool { + + rawSubject := cert.RawSubject + + var rdnSequence pkix.RDNSequence + _, err := asn1.Unmarshal(rawSubject, &rdnSequence) + if err != nil { + return false + } + + var rdnOrder []string + + for _, rdn := range rdnSequence { + for _, atv := range rdn { + rdnShortName := getShortOIDName(atv.Type.String()) + if rdnShortName != "" { + rdnOrder = append(rdnOrder, rdnShortName) + } + } + } + + // Expected order of RDNs as per CABF BR section 7.1.4.2 + expectedRDNOrder := []string{"DC", "C", "ST", "L", "postalCode", "street", "O", "SN", "givenName", "OU", "CN"} + + return checkOrder(rdnOrder, expectedRDNOrder) +} + +func (l *invalidSubjectRDNOrder) Execute(c *x509.Certificate) *lint.LintResult { + + var out lint.LintResult + + if checkSubjectRDNOrder(c) { + out.Status = lint.Pass + } else { + out.Status = lint.Error + } + return &out +} diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_no_underscores_before_1_6_2.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_no_underscores_before_1_6_2.go index 8ce71e64996..47790642a60 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_no_underscores_before_1_6_2.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_no_underscores_before_1_6_2.go 
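Review bot: In `checkSubjectRDNOrder`, a failed `asn1.Unmarshal` of `RawSubject` returns `false`, which `Execute` reports as `lint.Error`, the same result as a real ordering violation and with no `Details`. e_duplicate_subject_attribs in this same upgrade returns `lint.Fatal` for that case; having the helper return `(bool, error)` and mapping the error to `&lint.LintResult{Status: lint.Fatal}` would keep a malformed subject from being read as a misordered one. This file also decodes with the standard library's `crypto/x509/pkix` and `encoding/asn1`, whereas the sibling lint uses the zcrypto packages. If the two decoders differ on edge cases, the lints can disagree about the same subject, so one decoder for both would be more consistent. A doc comment on `checkOrder` should state that repeated attributes at the same position are accepted and that unrecognised attribute types are dropped before the comparison.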
@@ -1,5 +1,5 @@ /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ocsp_id_pkix_ocsp_nocheck_ext_not_included_server_auth.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ocsp_id_pkix_ocsp_nocheck_ext_not_included_server_auth.go index 2539f590b3a..ecc0d8cba97 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ocsp_id_pkix_ocsp_nocheck_ext_not_included_server_auth.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_ocsp_id_pkix_ocsp_nocheck_ext_not_included_server_auth.go @@ -1,5 +1,5 @@ /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_old_root_ca_rsa_mod_less_than_2048_bits.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_old_root_ca_rsa_mod_less_than_2048_bits.go index a1637a5f746..e16c9a06c10 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_old_root_ca_rsa_mod_less_than_2048_bits.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_old_root_ca_rsa_mod_less_than_2048_bits.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_old_sub_ca_rsa_mod_less_than_1024_bits.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_old_sub_ca_rsa_mod_less_than_1024_bits.go index 8cd670ddf49..527d8e3b458 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_old_sub_ca_rsa_mod_less_than_1024_bits.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_old_sub_ca_rsa_mod_less_than_1024_bits.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_old_sub_cert_rsa_mod_less_than_1024_bits.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_old_sub_cert_rsa_mod_less_than_1024_bits.go index d27c4c0ad46..03af2178289 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_old_sub_cert_rsa_mod_less_than_1024_bits.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_old_sub_cert_rsa_mod_less_than_1024_bits.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_organizational_unit_name_prohibited.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_organizational_unit_name_prohibited.go index 62a666dc665..bf8b1e09429 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_organizational_unit_name_prohibited.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_organizational_unit_name_prohibited.go 
@@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_policy_qualifiers_other_than_cps_not_permitted.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_policy_qualifiers_other_than_cps_not_permitted.go index 29e4585ac32..56177b66ba5 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_policy_qualifiers_other_than_cps_not_permitted.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_policy_qualifiers_other_than_cps_not_permitted.go @@ -1,5 +1,5 @@ /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_prohibit_dsa_usage.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_prohibit_dsa_usage.go index 6263e6cc655..21c6076c37a 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_prohibit_dsa_usage.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_prohibit_dsa_usage.go @@ -1,5 +1,5 @@ /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_public_key_type_not_allowed.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_public_key_type_not_allowed.go index 7fce2e798f3..24096b46f1b 100644 
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_public_key_type_not_allowed.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_public_key_type_not_allowed.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_root_ca_basic_constraints_path_len_constraint_field_present.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_root_ca_basic_constraints_path_len_constraint_field_present.go index e00bec6964c..cf9da0bb438 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_root_ca_basic_constraints_path_len_constraint_field_present.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_root_ca_basic_constraints_path_len_constraint_field_present.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_root_ca_contains_cert_policy.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_root_ca_contains_cert_policy.go index 91a1692c38f..aff346cbfc4 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_root_ca_contains_cert_policy.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_root_ca_contains_cert_policy.go 
@@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_root_ca_extended_key_usage_present.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_root_ca_extended_key_usage_present.go index 14ba991af5c..4be1f786f82 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_root_ca_extended_key_usage_present.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_root_ca_extended_key_usage_present.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_root_ca_key_usage_must_be_critical.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_root_ca_key_usage_must_be_critical.go index 3768d0801b6..f7009eb2b90 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_root_ca_key_usage_must_be_critical.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_root_ca_key_usage_must_be_critical.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_root_ca_key_usage_present.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_root_ca_key_usage_present.go index 65ec01fcde7..463720b8131 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_root_ca_key_usage_present.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_root_ca_key_usage_present.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_rsa_mod_factors_smaller_than_752_bits.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_rsa_mod_factors_smaller_than_752_bits.go index 1c983ba6b52..81c0961d510 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_rsa_mod_factors_smaller_than_752_bits.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_rsa_mod_factors_smaller_than_752_bits.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_rsa_mod_less_than_2048_bits.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_rsa_mod_less_than_2048_bits.go index 66745bdb9dc..e2eb036a030 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_rsa_mod_less_than_2048_bits.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_rsa_mod_less_than_2048_bits.go 
@@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_rsa_mod_not_odd.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_rsa_mod_not_odd.go index e18e9baa3b5..0ab938329ac 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_rsa_mod_not_odd.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_rsa_mod_not_odd.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_rsa_public_exponent_not_in_range.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_rsa_public_exponent_not_in_range.go index e95f173b37c..69a193944fb 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_rsa_public_exponent_not_in_range.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_rsa_public_exponent_not_in_range.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_rsa_public_exponent_not_odd.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_rsa_public_exponent_not_odd.go index 19aab90e8c2..af71f1d2336 100644 
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_rsa_public_exponent_not_odd.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_rsa_public_exponent_not_odd.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_rsa_public_exponent_too_small.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_rsa_public_exponent_too_small.go index 41c33f156bc..351cbb67d0b 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_rsa_public_exponent_too_small.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_rsa_public_exponent_too_small.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_san_dns_name_onion_invalid.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_san_dns_name_onion_invalid.go index 7455bfa6f28..0751e9b8da3 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_san_dns_name_onion_invalid.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_san_dns_name_onion_invalid.go @@ -1,5 +1,5 @@ /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_san_dns_name_onion_not_ev_cert.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_san_dns_name_onion_not_ev_cert.go index 0376d4dcf80..fcbf64afddb 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_san_dns_name_onion_not_ev_cert.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_san_dns_name_onion_not_ev_cert.go @@ -1,5 +1,5 @@ /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_signature_algorithm_not_supported.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_signature_algorithm_not_supported.go index 87c82c68648..e80c303af01 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_signature_algorithm_not_supported.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_signature_algorithm_not_supported.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_aia_does_not_contain_issuing_ca_url.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_aia_does_not_contain_issuing_ca_url.go index d10c2efde80..c65bced54d1 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_aia_does_not_contain_issuing_ca_url.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_aia_does_not_contain_issuing_ca_url.go 
@@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_aia_marked_critical.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_aia_marked_critical.go index 1dec74e97a5..249ef4b2e98 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_aia_marked_critical.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_aia_marked_critical.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_certificate_policies_marked_critical.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_certificate_policies_marked_critical.go index 9bf3bac2bee..858ed64b184 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_certificate_policies_marked_critical.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_certificate_policies_marked_critical.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_certificate_policies_missing.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_certificate_policies_missing.go index 68742d27b39..8a4e8ebb222 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_certificate_policies_missing.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_certificate_policies_missing.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_crl_distribution_points_does_not_contain_url.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_crl_distribution_points_does_not_contain_url.go index 7d0cf98cb43..8401a683313 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_crl_distribution_points_does_not_contain_url.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_crl_distribution_points_does_not_contain_url.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_crl_distribution_points_marked_critical.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_crl_distribution_points_marked_critical.go index 332745ea974..65f266c373a 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_crl_distribution_points_marked_critical.go 
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_crl_distribution_points_marked_critical.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_crl_distribution_points_missing.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_crl_distribution_points_missing.go index 6e94546b6da..4dda8d6b0a5 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_crl_distribution_points_missing.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_crl_distribution_points_missing.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_eku_critical.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_eku_critical.go index 5b03cce467f..7d80cc5b0de 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_eku_critical.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_eku_critical.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_eku_missing.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_eku_missing.go index b641ac719f8..444023ac31d 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_eku_missing.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_eku_missing.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_eku_valid_fields.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_eku_valid_fields.go index d4f72bf21ee..999458fa807 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_eku_valid_fields.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_eku_valid_fields.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_name_constraints_not_critical.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_name_constraints_not_critical.go index 9b16234583a..bbdebdc7091 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_name_constraints_not_critical.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_ca_name_constraints_not_critical.go 
@@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_aia_contains_internal_names.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_aia_contains_internal_names.go index 049c22edb7a..837f925d9be 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_aia_contains_internal_names.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_aia_contains_internal_names.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy @@ -15,6 +15,7 @@ package cabf_br */ import ( + "net" "net/url" "time" @@ -53,7 +54,7 @@ func NewSubCertAIAInternalName() lint.LintInterface { } func (l *subCertAIAInternalName) CheckApplies(c *x509.Certificate) bool { - return util.IsSubscriberCert(c) + return util.IsSubscriberCert(c) && util.IsExtInCert(c, util.AiaOID) } func (l *subCertAIAInternalName) Execute(c *x509.Certificate) *lint.LintResult { @@ -62,6 +63,11 @@ func (l *subCertAIAInternalName) Execute(c *x509.Certificate) *lint.LintResult { if err != nil { return &lint.LintResult{Status: lint.Error} } + + if net.ParseIP(purl.Host) != nil { + continue + } + if !util.HasValidTLD(purl.Hostname(), time.Now()) { return &lint.LintResult{Status: lint.Warn} } 
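Review bot: The new guard in `Execute` passes `purl.Host` to `net.ParseIP`, but `Host` still carries the port and, for IPv6 literals, the square brackets. A location such as `http://192.0.2.1:8080/` or `http://[2001:db8::1]/` (constructed examples) therefore does not parse as an IP and falls through to `util.HasValidTLD`, which is the case the `continue` was added to skip. The guard should use the same accessor as the TLD test just below it: `if net.ParseIP(purl.Hostname()) != nil {`. The hunk at `@@ -71,6 +77,11 @@` repeats the same guard for the second URL loop and needs the same change. The body of `Execute` extends beyond both hunks.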
@@ -71,6 +77,11 @@ func (l *subCertAIAInternalName) Execute(c *x509.Certificate) *lint.LintResult { if err != nil { return &lint.LintResult{Status: lint.Error} } + + if net.ParseIP(purl.Host) != nil { + continue + } + if !util.HasValidTLD(purl.Hostname(), time.Now()) { return &lint.LintResult{Status: lint.Warn} } diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_aia_does_not_contain_issuing_ca_url.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_aia_does_not_contain_issuing_ca_url.go index c7d6b8fad4c..3fa1f12c132 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_aia_does_not_contain_issuing_ca_url.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_aia_does_not_contain_issuing_ca_url.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy @@ -26,9 +26,11 @@ type subCertIssuerUrl struct{} /************************************************************************ BRs: 7.1.2.3 -cRLDistributionPoints -This extension MAY be present. If present, it MUST NOT be marked critical, and it MUST contain the -HTTP URL of the CA’s CRL service. +authorityInformationAccess +This extension MUST be present. It MUST NOT be marked critical, and it MUST contain +the HTTP URL of the Issuing CA’s OCSP responder (accessMethod = 1.3.6.1.5.5.7.48.1). +It SHOULD also contain the HTTP URL of the Issuing CA’s certificate (accessMethod = +1.3.6.1.5.5.7.48.2). *************************************************************************/ func init() { 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_aia_does_not_contain_ocsp_url.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_aia_does_not_contain_ocsp_url.go index 6c3a73559e7..e97335a9441 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_aia_does_not_contain_ocsp_url.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_aia_does_not_contain_ocsp_url.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy @@ -36,11 +36,12 @@ It SHOULD also contain the HTTP URL of the Issuing CA’s certificate (accessMet func init() { lint.RegisterCertificateLint(&lint.CertificateLint{ LintMetadata: lint.LintMetadata{ - Name: "e_sub_cert_aia_does_not_contain_ocsp_url", - Description: "Subscriber Certificate: authorityInformationAccess MUST contain the HTTP URL of the Issuing CA's OSCP responder.", - Citation: "BRs: 7.1.2.3", - Source: lint.CABFBaselineRequirements, - EffectiveDate: util.CABEffectiveDate, + Name: "e_sub_cert_aia_does_not_contain_ocsp_url", + Description: "Subscriber Certificate: authorityInformationAccess MUST contain the HTTP URL of the Issuing CA's OSCP responder.", + Citation: "BRs: 7.1.2.3", + Source: lint.CABFBaselineRequirements, + EffectiveDate: util.CABEffectiveDate, + IneffectiveDate: util.CABFBRs_2_0_0_Date, }, Lint: NewSubCertOcspUrl, }) diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_aia_marked_critical.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_aia_marked_critical.go index de6eb15502e..67fee73052e 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_aia_marked_critical.go 
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_aia_marked_critical.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_aia_missing.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_aia_missing.go index 43f8133562a..894009790f7 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_aia_missing.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_aia_missing.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_basic_constraints_not_critical.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_basic_constraints_not_critical.go index fc67dfd3438..0c76a10b284 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_basic_constraints_not_critical.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_basic_constraints_not_critical.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_cert_policy_empty.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_cert_policy_empty.go index 18ad6683080..198ec4f6662 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_cert_policy_empty.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_cert_policy_empty.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_certificate_policies_marked_critical.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_certificate_policies_marked_critical.go index 59c1e5c0009..33c968117ae 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_certificate_policies_marked_critical.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_certificate_policies_marked_critical.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_certificate_policies_missing.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_certificate_policies_missing.go index d97365c6e93..54bfeb4a858 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_certificate_policies_missing.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_certificate_policies_missing.go 
@@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_country_name_must_appear.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_country_name_must_appear.go index db0ddb0571e..ffae34b0b46 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_country_name_must_appear.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_country_name_must_appear.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_crl_distribution_points_does_not_contain_url.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_crl_distribution_points_does_not_contain_url.go index facab3aaf56..3cd2333b7a0 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_crl_distribution_points_does_not_contain_url.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_crl_distribution_points_does_not_contain_url.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_crl_distribution_points_marked_critical.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_crl_distribution_points_marked_critical.go index 763ed5694f8..eef345c16d8 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_crl_distribution_points_marked_critical.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_crl_distribution_points_marked_critical.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_eku_check.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_eku_check.go new file mode 100644 index 00000000000..c5ef84c39a0 --- /dev/null +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_eku_check.go 
@@ -0,0 +1,81 @@
+package cabf_br
+
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+import (
+ "fmt"
+
+ "github.com/zmap/zcrypto/x509"
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/util"
+)
+
+type subExtKeyUsageCheck struct{}
+
+func init() {
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_sub_cert_eku_check",
+ Description: "Subscriber certificates MUST have id-kp-serverAuth and MAY have id-kp-clientAuth present in extKeyUsage",
+ Citation: "BRs: 7.1.2.7.10 Subscriber Certificate Extended Key Usage",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.CABFBRs_2_0_0_Date,
+ },
+ Lint: NewSubExtKeyUsageCheck,
+ })
+}
+
+func NewSubExtKeyUsageCheck() lint.LintInterface {
+ return &subExtKeyUsageCheck{}
+}
+
+func (l *subExtKeyUsageCheck) CheckApplies(c *x509.Certificate) bool {
+ return util.IsSubscriberCert(c) && util.IsExtInCert(c, util.EkuSynOid)
+}
+
+func (l *subExtKeyUsageCheck) Execute(c *x509.Certificate) *lint.LintResult {
+ var hasClientAuthEKU, hasServerAuthEKU bool
+
+ for _, eku := range c.ExtKeyUsage {
+ switch eku {
+ case x509.ExtKeyUsageServerAuth:
+ hasServerAuthEKU = true
+
+ case x509.ExtKeyUsageClientAuth:
+ hasClientAuthEKU = true
+
+ case x509.ExtKeyUsageAny, x509.ExtKeyUsageCodeSigning, x509.ExtKeyUsageTimeStamping,
+ x509.ExtKeyUsageOcspSigning, x509.ExtKeyUsageEmailProtection:
+
+ return &lint.LintResult{Status: lint.Error, Details: fmt.Sprintf("%s MUST NOT be present", util.GetEKUString(eku))}
+ }
+ }
+
+ if !hasServerAuthEKU {
+ return &lint.LintResult{Status: lint.Error, Details: "id-kp-serverAuth MUST be present"}
+ }
+
+ for _, eku := range c.UnknownExtKeyUsage {
+ if eku.Equal(util.PreCertificateSigningCertificateEKU) {
+ return &lint.LintResult{Status: lint.Error, Details: "Precertificate Signing Certificate extKeyUsage MUST NOT be present"}
+ }
+ }
+
+ if (len(c.ExtKeyUsage) > 2 && !hasClientAuthEKU) || len(c.UnknownExtKeyUsage) > 0 {
+ return &lint.LintResult{Status: lint.Warn, Details: "any other value than id-kp-serverAuth and id-kp-clientAuth is NOT RECOMMENDED"}
+ }
+
+ return &lint.LintResult{Status: lint.Pass}
+}
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_eku_extra_values.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_eku_extra_values.go
index 8e324a45726..c7d1f182cd2 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_eku_extra_values.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_eku_extra_values.go
@@ -1,7 +1,7 @@
 package cabf_br

 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
@@ -34,11 +34,12 @@ present.
 func init() {
 lint.RegisterCertificateLint(&lint.CertificateLint{
 LintMetadata: lint.LintMetadata{
- Name: "w_sub_cert_eku_extra_values",
- Description: "Subscriber Certificate: extKeyUsage values other than id-kp-serverAuth, id-kp-clientAuth, and id-kp-emailProtection SHOULD NOT be present.",
- Citation: "BRs: 7.1.2.3",
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
+ Name: "w_sub_cert_eku_extra_values",
+ Description: "Subscriber Certificate: extKeyUsage values other than id-kp-serverAuth, id-kp-clientAuth, and id-kp-emailProtection SHOULD NOT be present.",
+ Citation: "BRs: 7.1.2.3",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.CABEffectiveDate,
+ IneffectiveDate: util.CABFBRs_2_0_0_Date,
 },
 Lint: NewSubExtKeyUsageLegalUsage,
 })
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_eku_missing.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_eku_missing.go
index 7efd18e4a46..3781ef22688 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_eku_missing.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_eku_missing.go
@@ -1,7 +1,7 @@
 package cabf_br

 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_eku_server_auth_client_auth_missing.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_eku_server_auth_client_auth_missing.go
index 05041889144..adb67b4d09a 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_eku_server_auth_client_auth_missing.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_eku_server_auth_client_auth_missing.go
@@ -1,7 +1,7 @@
 package cabf_br

 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
@@ -34,11 +34,12 @@ present.
 func init() {
 lint.RegisterCertificateLint(&lint.CertificateLint{
 LintMetadata: lint.LintMetadata{
- Name: "e_sub_cert_eku_server_auth_client_auth_missing",
- Description: "Subscriber certificates MUST have either id-kp-serverAuth or id-kp-clientAuth or both present in extKeyUsage",
- Citation: "BRs: 7.1.2.3",
- Source: lint.CABFBaselineRequirements,
- EffectiveDate: util.CABEffectiveDate,
+ Name: "e_sub_cert_eku_server_auth_client_auth_missing",
+ Description: "Subscriber certificates MUST have either id-kp-serverAuth or id-kp-clientAuth or both present in extKeyUsage",
+ Citation: "BRs: 7.1.2.3",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.CABEffectiveDate,
+ IneffectiveDate: util.CABFBRs_2_0_0_Date,
 },
 Lint: NewSubExtKeyUsageClientOrServer,
 })
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_gn_sn_contains_policy.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_gn_sn_contains_policy.go
index b408defe29b..dfc2c1933af 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_gn_sn_contains_policy.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_gn_sn_contains_policy.go
@@ -1,7 +1,7 @@
 package cabf_br

 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_is_ca.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_is_ca.go index 401a83ab2d6..940c12be2f0 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_is_ca.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_is_ca.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_key_usage_cert_sign_bit_set.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_key_usage_cert_sign_bit_set.go index c3834393cab..bc7d912ff15 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_key_usage_cert_sign_bit_set.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_key_usage_cert_sign_bit_set.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_key_usage_crl_sign_bit_set.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_key_usage_crl_sign_bit_set.go index fa71a41280c..c154ef03387 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_key_usage_crl_sign_bit_set.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_key_usage_crl_sign_bit_set.go 
@@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_locality_name_must_appear.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_locality_name_must_appear.go index 9e239dd9e40..090d8797a6a 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_locality_name_must_appear.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_locality_name_must_appear.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_locality_name_must_not_appear.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_locality_name_must_not_appear.go index fb46a5a2037..c2578e5c55d 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_locality_name_must_not_appear.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_locality_name_must_not_appear.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_or_sub_ca_using_sha1.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_or_sub_ca_using_sha1.go index f0a5f2fe915..37da133d4f2 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_or_sub_ca_using_sha1.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_or_sub_ca_using_sha1.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_postal_code_prohibited.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_postal_code_prohibited.go index 98b843c7557..bfc7a29e583 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_postal_code_prohibited.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_postal_code_prohibited.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_province_must_appear.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_province_must_appear.go index b4acd756eb0..480804d6aed 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_province_must_appear.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_province_must_appear.go 
@@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_province_must_not_appear.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_province_must_not_appear.go index 0413acacc2f..2b3e50346da 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_province_must_not_appear.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_province_must_not_appear.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_sha1_expiration_too_long.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_sha1_expiration_too_long.go index 931c4a09c7f..14d33bcbeb1 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_sha1_expiration_too_long.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_sha1_expiration_too_long.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_street_address_should_not_exist.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_street_address_should_not_exist.go index 508ebe18a6f..831c607b881 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_street_address_should_not_exist.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_street_address_should_not_exist.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_valid_time_longer_than_39_months.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_valid_time_longer_than_39_months.go index 6d508b1433e..71e9d36b6d5 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_valid_time_longer_than_39_months.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_valid_time_longer_than_39_months.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_valid_time_longer_than_825_days.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_valid_time_longer_than_825_days.go index 289f99278dc..7290fbcc323 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_valid_time_longer_than_825_days.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_sub_cert_valid_time_longer_than_825_days.go 
@@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subj_orgunit_in_ca_cert.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subj_orgunit_in_ca_cert.go new file mode 100644 index 00000000000..c9aebb23a65 --- /dev/null +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subj_orgunit_in_ca_cert.go 
@@ -0,0 +1,69 @@
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+/*
+ * Contributed by Adriano Santoni
+ */
+
+package cabf_br
+
+import (
+ "github.com/zmap/zcrypto/x509"
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/util"
+)
+
+func init() {
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_subj_orgunit_in_ca_cert",
+ Description: "The organizationalUnitName MUST NOT be included in Root CA certs or TLS Subordinate CA certs. organizationalUnitName is allowed for cross signed certificates, although not recommended. This lint may be configured to signify that the target is a cross signed certificate.",
+ Citation: "CABF BR §7.1.2.10.2 (CA Certificate Naming)",
+ Source: lint.CABFBaselineRequirements,
+ EffectiveDate: util.CABFBRs_2_0_0_Date,
+ },
+ Lint: NewSubjectOrgUnitInCACert,
+ })
+}
+
+type subjectOrgUnitInCACert struct {
+ CrossCert bool `comment:"Set this to true if the certificate to be linted is a cross-certificate"`
+}
+
+func NewSubjectOrgUnitInCACert() lint.LintInterface {
+ return &subjectOrgUnitInCACert{
+ CrossCert: false,
+ }
+}
+
+func (l *subjectOrgUnitInCACert) Configure() interface{} {
+ return l
+}
+
+func (l *subjectOrgUnitInCACert) CheckApplies(c *x509.Certificate) bool {
+ return util.IsCACert(c)
+}
+
+func (l *subjectOrgUnitInCACert) Execute(c *x509.Certificate) *lint.LintResult {
+ if c.Subject.OrganizationalUnit != nil {
+ if !l.CrossCert {
+ return &lint.LintResult{
+ Status: lint.Error,
+ Details: "The OU attribute in the Subject is prohibited in Root and TLS CA certificates",
+ }
+ }
+ }
+
+ return &lint.LintResult{Status: lint.Pass}
+}
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_common_name_included.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_common_name_included.go
index 4b2b0fd81e3..e3463595783 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_common_name_included.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_common_name_included.go
@@ -1,7 +1,7 @@
 package cabf_br

 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_common_name_included_sc62.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_common_name_included_sc62.go index 999ba86ce71..6eb502563a7 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_common_name_included_sc62.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_common_name_included_sc62.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_common_name_not_exactly_from_san.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_common_name_not_exactly_from_san.go index f30852edf83..b73b38d58f2 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_common_name_not_exactly_from_san.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_common_name_not_exactly_from_san.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_common_name_not_from_san.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_common_name_not_from_san.go index 24dc16c447b..a394e95cef0 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_common_name_not_from_san.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_common_name_not_from_san.go 
@@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_contains_malformed_arpa_ip.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_contains_malformed_arpa_ip.go index 894d09126ab..209b46f5b70 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_contains_malformed_arpa_ip.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_contains_malformed_arpa_ip.go @@ -1,5 +1,5 @@ /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_contains_noninformational_value.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_contains_noninformational_value.go index 15cd0578ae5..93341102131 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_contains_noninformational_value.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_contains_noninformational_value.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_contains_organizational_unit_name_and_no_organization_name.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_contains_organizational_unit_name_and_no_organization_name.go index f44d1fa8a8f..ac694a5f070 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_contains_organizational_unit_name_and_no_organization_name.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_contains_organizational_unit_name_and_no_organization_name.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_contains_reserved_arpa_ip.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_contains_reserved_arpa_ip.go index 590352cae96..b1f0fc4525e 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_contains_reserved_arpa_ip.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_contains_reserved_arpa_ip.go @@ -1,5 +1,5 @@ /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_contains_reserved_ip.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_contains_reserved_ip.go index a9b84ca1825..188a11bf151 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_contains_reserved_ip.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_contains_reserved_ip.go 
@@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_country_not_iso.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_country_not_iso.go index 097f743f3c7..2ef0a9e5e45 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_country_not_iso.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_country_not_iso.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_public_key_info_improper_algorithm_object_identifier_encoding.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_public_key_info_improper_algorithm_object_identifier_encoding.go index 62cb64c1756..d27a61ad01c 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_public_key_info_improper_algorithm_object_identifier_encoding.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_public_key_info_improper_algorithm_object_identifier_encoding.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_rdns_correct_encoding.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_rdns_correct_encoding.go new file mode 100644 index 00000000000..26b286ea8ce --- /dev/null +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_subject_rdns_correct_encoding.go 
@@ -0,0 +1,155 @@ +package cabf_br + +/* + * ZLint Copyright 2024 Regents of the University of Michigan + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may not + * use this file except in compliance with the License. You may obtain a copy + * of the License at http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + * implied. See the License for the specific language governing + * permissions and limitations under the License. + */ + +import ( + "fmt" + + "github.com/zmap/zcrypto/encoding/asn1" + "github.com/zmap/zcrypto/x509" + "github.com/zmap/zlint/v3/lint" + "github.com/zmap/zlint/v3/util" +) + +type subjectRdnsCorrectEncoding struct{} + +func init() { + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_subject_rdns_correct_encoding", + Description: "CAs that include attributes in the Certificate subject field that are listed in the Tables 77 and 78 of BR 2.0.0 SHALL follow the specified encoding requirements for the attribute", + Citation: "BRs 2.0.0: 7.1.4.2, Table 77 and Table 78", + Source: lint.CABFBaselineRequirements, + EffectiveDate: util.SC62EffectiveDate, + }, + Lint: NewSubjectRdnsCorrectEncoding, + }) +} + +func NewSubjectRdnsCorrectEncoding() lint.LintInterface { + return &subjectRdnsCorrectEncoding{} +} + +func (l *subjectRdnsCorrectEncoding) CheckApplies(c *x509.Certificate) bool { + return true +} + +func (l *subjectRdnsCorrectEncoding) Execute(c *x509.Certificate) *lint.LintResult { + rdnSequence := util.RawRDNSequence{} + if rest, err := asn1.Unmarshal(c.RawSubject, &rdnSequence); err != nil || len(rest) > 0 { + return &lint.LintResult{Status: lint.Fatal} + } + + for _, attrTypeAndValueSet := range rdnSequence { + for _, attrTypeAndValue := range attrTypeAndValueSet { + 
oid := attrTypeAndValue.Type.String() + tag := attrTypeAndValue.Value.Tag + + errors := []string{} + + result := isIA5String("0.9.2342.19200300.100.1.25", oid, tag, "domainComponent") + errors = append(errors, result) + result = isPrintable("2.5.4.6", oid, tag, "countryName") + errors = append(errors, result) + result = isPrintableOrUTF8("2.5.4.8", oid, tag, "stateOrProvinceName") + errors = append(errors, result) + result = isPrintableOrUTF8("2.5.4.7", oid, tag, "localityName") + errors = append(errors, result) + result = isPrintableOrUTF8("2.5.4.17", oid, tag, "postalCode") + errors = append(errors, result) + result = isPrintableOrUTF8("2.5.4.9", oid, tag, "streetAddress") + errors = append(errors, result) + result = isPrintableOrUTF8("2.5.4.10", oid, tag, "organizationName") + errors = append(errors, result) + result = isPrintableOrUTF8("2.5.4.4", oid, tag, "surname") + errors = append(errors, result) + result = isPrintableOrUTF8("2.5.4.42", oid, tag, "givenName") + errors = append(errors, result) + result = isPrintableOrUTF8("2.5.4.11", oid, tag, "organizationalUnitName") + errors = append(errors, result) + result = isPrintableOrUTF8("2.5.4.3", oid, tag, "commonName") + errors = append(errors, result) + result = isPrintableOrUTF8("2.5.4.15", oid, tag, "businessCategory") + errors = append(errors, result) + result = isPrintable("1.3.6.1.4.1.311.60.2.1.3", oid, tag, "jurisdictionCountry") + errors = append(errors, result) + result = isPrintableOrUTF8("1.3.6.1.4.1.311.60.2.1.2", oid, tag, "jurisdictionStateOrProvince") + errors = append(errors, result) + result = isPrintableOrUTF8("1.3.6.1.4.1.311.60.2.1.1", oid, tag, "jurisdictionLocality") + errors = append(errors, result) + result = isPrintable("2.5.4.5", oid, tag, "serialNumber") + errors = append(errors, result) + result = isPrintableOrUTF8("2.5.4.97", oid, tag, "organizationIdentifier") + errors = append(errors, result) + + for _, encodingError := range errors { + if encodingError != "" { + return 
&lint.LintResult{Status: lint.Error, Details: encodingError} + } + } + + } + } + return &lint.LintResult{Status: lint.Pass} +} + +func isPrintableOrUTF8(referenceOid string, oid string, tag int, attributeName string) string { + if referenceOid == oid && tag != 19 && tag != 12 { + return fmt.Sprintf("Attribute %s in subjectDN has the wrong encoding %s.", attributeName, getEncodingName(tag)) + } + return "" +} + +func isPrintable(referenceOid string, oid string, tag int, attributeName string) string { + if referenceOid == oid && tag != 19 { + return fmt.Sprintf("Attribute %s in subjectDN has the wrong encoding %s.", attributeName, getEncodingName(tag)) + } + return "" +} +func isIA5String(referenceOid string, oid string, tag int, attributeName string) string { + if referenceOid == oid && tag != 22 { + return fmt.Sprintf("Attribute %s in subjectDN has the wrong encoding %s.", attributeName, getEncodingName(tag)) + } + return "" +} + +//Tag BMPString: 0x1e = 30 +//Tag UTF8String: 0x0c = 12 +//Tag TeletexString: 0x14 = 20 +//Tag UniversalString: 0x1c = 28 +//Tag PrintableString: 0x13 = 19 +//Tag IA5String: 0x16 = 22 + +func getEncodingName(tag int) string { + if tag == 12 { + return "UTF8String" + } + if tag == 19 { + return "PrintableString" + } + if tag == 20 { + return "TeletexString" + } + if tag == 22 { + return "IA5String" + } + if tag == 28 { + return "UniversalString" + } + if tag == 30 { + return "BMPString" + } + return "Unknown" +} diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_underscore_not_permissible_in_dnsname.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_underscore_not_permissible_in_dnsname.go index bd861da8a8d..183d5510010 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_underscore_not_permissible_in_dnsname.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_underscore_not_permissible_in_dnsname.go 
@@ -1,5 +1,5 @@ /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_underscore_permissible_in_dnsname_if_valid_when_replaced.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_underscore_permissible_in_dnsname_if_valid_when_replaced.go index 269cd07bb21..422218b7676 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_underscore_permissible_in_dnsname_if_valid_when_replaced.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_underscore_permissible_in_dnsname_if_valid_when_replaced.go @@ -1,5 +1,5 @@ /* - * ZLint Copyright 2021 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_underscore_present_with_too_long_validity.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_underscore_present_with_too_long_validity.go index 71c010ec0b7..3460cdc3b85 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_underscore_present_with_too_long_validity.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_underscore_present_with_too_long_validity.go @@ -1,5 +1,5 @@ /* - * ZLint Copyright 2021 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_w_sub_ca_aia_missing.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_w_sub_ca_aia_missing.go index d257039b9f5..2b1c3db9ef5 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_w_sub_ca_aia_missing.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_br/lint_w_sub_ca_aia_missing.go @@ -1,7 +1,7 @@ package cabf_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_cs_br/lint_cs_crl_distribution_points.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_cs_br/lint_cs_crl_distribution_points.go new file mode 100644 index 00000000000..dfda904f35b --- /dev/null +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_cs_br/lint_cs_crl_distribution_points.go 
@@ -0,0 +1,62 @@
+package cabf_cs_br
+
+import (
+ "strings"
+
+ "github.com/zmap/zcrypto/x509"
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/util"
+)
+
+/*7.1.2.3 b. cRLDistributionPoints
+This extension MUST be present. It MUST NOT be marked critical, and it MUST contain the
+HTTP URL of the CA’s CRL service*/
+
+func init() {
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_cs_crl_distribution_points",
+ Description: "This extension MUST be present. It MUST NOT be marked critical. It MUST contain the HTTP URL of the CA's CRL service",
+ Citation: "CABF CS BRs 7.1.2.3.b",
+ Source: lint.CABFCSBaselineRequirements,
+ EffectiveDate: util.CABF_CS_BRs_1_2_Date,
+ },
+ Lint: NewCrlDistributionPoints,
+ })
+}
+
+type crlDistributionPoints struct{}
+
+func NewCrlDistributionPoints() lint.LintInterface {
+ return &crlDistributionPoints{}
+}
+
+func (l *crlDistributionPoints) CheckApplies(c *x509.Certificate) bool {
+ return util.IsSubscriberCert(c) || util.IsSubCA(c)
+}
+
+func (l *crlDistributionPoints) Execute(c *x509.Certificate) *lint.LintResult {
+ cdp := util.GetExtFromCert(c, util.CrlDistOID)
+ if cdp == nil {
+ return &lint.LintResult{
+ Status: lint.Error,
+ Details: "The cRLDistributionPoints extension MUST be present."}
+ }
+
+ if cdp.Critical {
+ return &lint.LintResult{
+ Status: lint.Error,
+ Details: "The cRLDistributionPoints MUST NOT be marked critical."}
+ }
+
+ // MUST contain the HTTP URL of the CA’s CRL service
+ for _, uri := range c.CRLDistributionPoints {
+ if !strings.HasPrefix(uri, "http://") {
+ return &lint.LintResult{Status: lint.Error, Details: "cRLDistributionPoints MUST contain the HTTP URL of the CA's CRL service"}
+ }
+ }
+
+ return &lint.LintResult{
+ Status: lint.Pass,
+ }
+}
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_cs_br/lint_cs_eku_required.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_cs_br/lint_cs_eku_required.go
new file mode 100644
index 00000000000..91ac6701104
--- /dev/null
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_cs_br/lint_cs_eku_required.go
@@ -0,0 +1,87 @@ +package cabf_cs_br + +import ( + "fmt" + + "github.com/zmap/zcrypto/x509" + + "github.com/zmap/zlint/v3/lint" + "github.com/zmap/zlint/v3/util" +) + +/* 7.1.2.3 Code signing and Timestamp Certificate +f. extKeyUsage +If the Certificate is a Code Signing Certificate, then id-kp-codeSigning MUST be present +and the following EKUs MAY be present: + • Lifetime Signing OID (1.3.6.1.4.1.311.10.3.13) + • id-kp-emailProtection + • Document Signing (1.3.6.1.4.1.311.3.10.3.12) + +If the Certificate is a Timestamp Certificate, then id-kp-timeStamping MUST be present +and MUST be marked critical. +Additionally, the following EKUs MUST NOT be present: + • anyExtendedKeyUsage + • id-kp-serverAuth + +Other values SHOULD NOT be present. If any other value is present, the CA MUST have a +business agreement with a Platform vendor requiring that EKU in order to issue a +Platform‐specific code signing certificate with that EKU. +*/ + +func init() { + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_cs_eku_required", + Description: "If the Certificate is a Code Signing Certificate, then id-kp-codeSigning MUST be present. 
anyExtendedKeyUsage and id-kp-serverAuth MUST NOT be present.", + Citation: "CABF CS BRs 7.1.2.3.f", + Source: lint.CABFCSBaselineRequirements, + EffectiveDate: util.CABF_CS_BRs_1_2_Date, + }, + Lint: NewCsEKURequired, + }) +} + +type csEKURequired struct{} + +func NewCsEKURequired() lint.LintInterface { + return &csEKURequired{} +} + +func (l *csEKURequired) CheckApplies(c *x509.Certificate) bool { + return util.IsSubscriberCert(c) || util.IsSubCA(c) +} + +func (l *csEKURequired) Execute(c *x509.Certificate) *lint.LintResult { + prohibitedEKUs := map[x509.ExtKeyUsage]struct{}{ + x509.ExtKeyUsageAny: {}, + x509.ExtKeyUsageServerAuth: {}, + } + + if util.IsSubCA(c) { + prohibitedEKUs[x509.ExtKeyUsageEmailProtection] = struct{}{} + } + + hasCodeSigningEKU := false + + for _, eku := range c.ExtKeyUsage { + if eku == x509.ExtKeyUsageCodeSigning { + hasCodeSigningEKU = true + } + + if _, isProhibited := prohibitedEKUs[eku]; isProhibited { + return &lint.LintResult{ + Status: lint.Error, + Details: fmt.Sprintf("Code Signing certificate includes prohibited EKU: %v", eku), + } + } + } + + if !hasCodeSigningEKU { + return &lint.LintResult{ + Status: lint.Error, + Details: "Code Signing certificate missing required Code Signing EKU", + } + } + + return &lint.LintResult{Status: lint.Pass} +} diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_cs_br/lint_cs_key_usage_required.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_cs_br/lint_cs_key_usage_required.go new file mode 100644 index 00000000000..686b4405bf7 --- /dev/null +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_cs_br/lint_cs_key_usage_required.go 
@@ -0,0 +1,79 @@
+package cabf_cs_br
+
+import (
+ "github.com/zmap/zcrypto/x509"
+
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/util"
+)
+
+/* 7.1.2.3 Code signing and Timestamp Certificate
+e. keyUsage
+This extension MUST be present and MUST be marked critical.
+The bit position for digitalSignature MUST be set. Bit positions for keyCertSign and
+cRLSign MUST NOT be set. All other bit positions SHOULD NOT be set.
+*/
+
+func init() {
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_cs_key_usage_required",
+ Description: "This extension MUST be present and MUST be marked critical. The bit position for digitalSignature MUST be set. The bit positions for keyCertSign and cRLSign MUST NOT be set. All other bit positions SHOULD NOT be set.",
+ Citation: "CABF CS BRs 7.1.2.3e",
+ Source: lint.CABFCSBaselineRequirements,
+ EffectiveDate: util.CABF_CS_BRs_1_2_Date,
+ },
+ Lint: NewCsKeyUsageRequired,
+ })
+}
+
+type csKeyUsageRequired struct{}
+
+func NewCsKeyUsageRequired() lint.LintInterface {
+ return &csKeyUsageRequired{}
+}
+
+func (l *csKeyUsageRequired) CheckApplies(c *x509.Certificate) bool {
+ return util.IsSubscriberCert(c)
+}
+
+func (l *csKeyUsageRequired) Execute(c *x509.Certificate) *lint.LintResult {
+ ku := util.GetExtFromCert(c, util.KeyUsageOID)
+ if ku == nil {
+ return &lint.LintResult{
+ Status: lint.Error,
+ Details: "Key usage extension MUST be present.",
+ }
+ }
+
+ if !ku.Critical {
+ return &lint.LintResult{
+ Status: lint.Error,
+ Details: "Key usage extension MUST be marked critical",
+ }
+ }
+
+ if (c.KeyUsage & x509.KeyUsageDigitalSignature) == 0 {
+ return &lint.LintResult{
+ Status: lint.Error,
+ Details: "Code Signing certificate must have digitalSignature key usage",
+ }
+ }
+
+ // keyCertSign and cRLSign bits MUST NOT be set.
+ if (c.KeyUsage & (x509.KeyUsageCertSign | x509.KeyUsageCRLSign)) != 0 {
+ return &lint.LintResult{
+ Status: lint.Error,
+ Details: "keyCertSign and cRLSign key usages MUST NOT be set",
+ }
+ }
+
+ // All other bit positions SHOULD NOT be set.
+ if c.KeyUsage & ^x509.KeyUsageDigitalSignature != 0 {
+ return &lint.LintResult{
+ Status: lint.Warn,
+ Details: "Only digitalSignature key usage is recommended. Other key usages SHOULD NOT be set."}
+ }
+
+ return &lint.LintResult{Status: lint.Pass}
+}
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_cs_br/lint_cs_rsa_key_size.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_cs_br/lint_cs_rsa_key_size.go
new file mode 100644
index 00000000000..493e3793d7c
--- /dev/null
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_cs_br/lint_cs_rsa_key_size.go
@@ -0,0 +1,58 @@
+package cabf_cs_br
+
+import (
+ "crypto/rsa"
+
+ "github.com/zmap/zcrypto/x509"
+
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/util"
+)
+
+/*6.1.5.2 Code signing Certificate and Timestamp Authority key sizes
+For Keys corresponding to Subscriber code signing and Timestamp Authority Certificates:
+• If the Key is RSA, then the modulus MUST be at least 3072 bits in length.
+• If the Key is ECDSA, then the curve MUST be one of NIST P‐256, P‐384, or P‐521.
+• If the Key is DSA, then one of the following key parameter options MUST be used:
+• Key length (L) of 2048 bits and modulus length (N) of 224 bits
+• Key length (L) of 2048 bits and modulus length (N) of 256 bits*/
+
+func init() {
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_cs_rsa_key_size",
+ Description: "If the Key is RSA, then the modulus MUST be at least 3072 bits in length",
+ Citation: "CABF CS BRs 6.1.5.2",
+ Source: lint.CABFCSBaselineRequirements,
+ EffectiveDate: util.CABF_CS_BRs_1_2_Date,
+ },
+ Lint: NewCsRsaKeySize,
+ })
+}
+
+type csRsaKeySize struct{}
+
+func NewCsRsaKeySize() lint.CertificateLintInterface {
+ return &csRsaKeySize{}
+}
+
+func (l *csRsaKeySize) CheckApplies(c *x509.Certificate) bool {
+ return util.IsSubscriberCert(c)
+}
+
+func (l *csRsaKeySize) Execute(c *x509.Certificate) *lint.LintResult {
+ rsaKey, ok := c.PublicKey.(*rsa.PublicKey)
+ if !ok {
+ return &lint.LintResult{Status: lint.NA}
+ }
+
+ // If the Key is RSA, then the modulus MUST be at least 3072 bits in length.
+ if rsaKey.N.BitLen() < 3072 {
+ return &lint.LintResult{
+ Status: lint.Error,
+ Details: "Code Signing RSA key modulus MUST be at least 3072 bits in length.",
+ }
+ }
+
+ return &lint.LintResult{Status: lint.Pass}
+}
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_cabf_org_identifier_psd_vat_has_state.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_cabf_org_identifier_psd_vat_has_state.go
new file mode 100644
index 00000000000..1830f14ff37
--- /dev/null
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_cabf_org_identifier_psd_vat_has_state.go
@@ -0,0 +1,57 @@
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+package cabf_ev
+
+import (
+ "github.com/zmap/zcrypto/x509"
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/util"
+)
+
+func init() {
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_cabf_org_identifier_psd_vat_has_state",
+ Description: "The cabfOrganizationIdentifier field for PSD org VAT Registration Schemes cannot include the referenceStateOrProvince field.",
+ Citation: "9.2.8",
+ Source: lint.CABFEVGuidelines,
+ EffectiveDate: util.SC17EffectiveDate,
+ },
+ Lint: NewCabfOrgIdentifierPsdVatHasState,
+ })
+}
+
+type CabfOrgIdentifierPsdVatHasState struct{}
+
+func NewCabfOrgIdentifierPsdVatHasState() lint.LintInterface {
+ return &CabfOrgIdentifierPsdVatHasState{}
+}
+
+func (l *CabfOrgIdentifierPsdVatHasState) CheckApplies(c *x509.Certificate) bool {
+ for _, ext := range c.Extensions {
+ if ext.Id.Equal(util.CabfExtensionOrganizationIdentifier) && (c.CABFOrganizationIdentifier.Scheme == "PSD" || c.CABFOrganizationIdentifier.Scheme == "VAT") {
+ return true
+ }
+ }
+ return false
+}
+
+func (l *CabfOrgIdentifierPsdVatHasState) Execute(c *x509.Certificate) *lint.LintResult {
+ if c.CABFOrganizationIdentifier.State == "" {
+ return &lint.LintResult{Status: lint.Pass}
+ } else {
+ return &lint.LintResult{Status: lint.Error}
+ }
+}
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_ev_business_category_missing.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_ev_business_category_missing.go index 5eadf688c5d..445ccff3cf1 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_ev_business_category_missing.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_ev_business_category_missing.go @@ -1,7 +1,7 @@ package cabf_ev /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_ev_country_name_missing.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_ev_country_name_missing.go index 94ac320a1e7..80eadfd4fd0 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_ev_country_name_missing.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_ev_country_name_missing.go @@ -1,7 +1,7 @@ package cabf_ev /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_ev_invalid_business_category.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_ev_invalid_business_category.go new file mode 100644 index 00000000000..9e57c207d82 --- /dev/null +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_ev_invalid_business_category.go 
@@ -0,0 +1,69 @@ +/* + * ZLint Copyright 2024 Regents of the University of Michigan + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may not + * use this file except in compliance with the License. You may obtain a copy + * of the License at http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + * implied. See the License for the specific language governing + * permissions and limitations under the License. + */ + +/* + * Contributed by Adriano Santoni + * of ACTALIS S.p.A. (www.actalis.com). + */ + +package cabf_ev + +import ( + "github.com/zmap/zcrypto/x509" + "github.com/zmap/zlint/v3/lint" + "github.com/zmap/zlint/v3/util" +) + +func init() { + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_ev_invalid_business_category", + Description: "Checks that businessCategory contains a valid value as per EV Guidelines 7.1.4.2.3", + Citation: "EVGs 7.1.4.2.3", + Source: lint.CABFEVGuidelines, + EffectiveDate: util.ZeroDate, + }, + Lint: NewInvalidBusinessCategory, + }) +} + +type invalidBusinessCategory struct{} + +func NewInvalidBusinessCategory() lint.LintInterface { + return &invalidBusinessCategory{} +} + +func (l *invalidBusinessCategory) CheckApplies(c *x509.Certificate) bool { + return util.IsEV(c.PolicyIdentifiers) && util.IsSubscriberCert(c) +} + +func (l *invalidBusinessCategory) Execute(c *x509.Certificate) *lint.LintResult { + + for _, v := range c.Subject.Names { + if util.BusinessOID.Equal(v.Type) { + businessCategory := v.Value + if (businessCategory == "Private Organization") || + (businessCategory == "Government Entity") || + (businessCategory == "Business Entity") || + (businessCategory == "Non-Commercial Entity") { + return &lint.LintResult{Status: lint.Pass} + } else { + 
return &lint.LintResult{Status: lint.Error} + } + } + } + + // businessCategory missing: that's an error, but is not this lint's business + return &lint.LintResult{Status: lint.NA} +} diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_ev_not_wildcard.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_ev_not_wildcard.go index ce982fb6192..f0ed4bcc561 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_ev_not_wildcard.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_ev_not_wildcard.go @@ -1,5 +1,5 @@ /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_ev_organization_id_missing.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_ev_organization_id_missing.go index c10274e77b5..695b909c6cc 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_ev_organization_id_missing.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_ev_organization_id_missing.go @@ -1,5 +1,5 @@ /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_ev_organization_name_missing.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_ev_organization_name_missing.go index d4c202f28cd..8250c3c2cad 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_ev_organization_name_missing.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_ev_organization_name_missing.go 
@@ -1,7 +1,7 @@ package cabf_ev /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_ev_orgid_inconsistent_subj_and_ext.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_ev_orgid_inconsistent_subj_and_ext.go new file mode 100644 index 00000000000..d22312eaba3 --- /dev/null +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_ev_orgid_inconsistent_subj_and_ext.go 
@@ -0,0 +1,143 @@ +/* + * ZLint Copyright 2024 Regents of the University of Michigan + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may not + * use this file except in compliance with the License. You may obtain a copy + * of the License at http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + * implied. See the License for the specific language governing + * permissions and limitations under the License. + */ + +/* + * Contributed by Adriano Santoni + * of ACTALIS S.p.A. (www.actalis.com). + */ + +package cabf_ev + +import ( + "fmt" + + "github.com/zmap/zcrypto/x509" + "github.com/zmap/zlint/v3/lint" + "github.com/zmap/zlint/v3/util" + + "regexp" +) + +func init() { + lint.RegisterCertificateLint(&lint.CertificateLint{ + LintMetadata: lint.LintMetadata{ + Name: "e_ev_orgid_inconsistent_subj_and_ext", + Description: "Checks that the organizationIdentifier Subject attribute and the CABFOrganizationIdentifier extension are consistent", + Citation: "EVGs 9.2.8 and 9.8.2", + Source: lint.CABFEVGuidelines, + EffectiveDate: util.CABFEV_Sec9_2_8_Date, + }, + Lint: NewOrgIdInconsistentSubjAndExt, + }) +} + +// According to EVGs 9.2.8 +type OrganizationIdentifier struct { + ParseAsPSD bool + Scheme string + Country string + State string + Reference string +} + +func (o OrganizationIdentifier) Parse(orgId string) (OrganizationIdentifier, error) { + re := o.regexForOrgID() + if !re.MatchString(orgId) { + return o, fmt.Errorf("Cannot parse organizationIdentifier ('%s'): it is probably invalid", orgId) + } + names := re.SubexpNames() + match := re.FindStringSubmatch(orgId) + // Initialize a map to hold group names and values + result := make(map[string]string) + // Populate the map + for i, name := range names { + if i != 0 && name != "" { // Skip 
the whole match and unnamed groups + result[name] = match[i] + } + } + o.Scheme = result["scheme"] + o.Country = result["country"] + o.State = result["state"] + o.Reference = result["reference"] + return o, nil +} + +func (o OrganizationIdentifier) regexForOrgID() *regexp.Regexp { + // This is according to the EVG (stricter than ETSI EN 319 412-1) + const OrgIdPattern = `^(?P[A-Z]{3})(?P[A-Z]{2})(?:\+(?P[A-Z]{2}))?\-(?P.+)$` + const PsdOrgIdPattern = `^(?P[A-Z]{3})(?P[A-Z]{2})(?:\+(?P[A-Z]{2}))?\-(?P[A-Z]*)\-(?P.+)$` + var pattern string + if o.ParseAsPSD { + pattern = PsdOrgIdPattern + } else { + pattern = OrgIdPattern + } + return regexp.MustCompile(pattern) +} + +type orgIdInconsistentSubjAndExt struct{} + +func NewOrgIdInconsistentSubjAndExt() lint.LintInterface { + return &orgIdInconsistentSubjAndExt{} +} + +func (l *orgIdInconsistentSubjAndExt) CheckApplies(c *x509.Certificate) bool { + // It is actually mandatory that, if orgId is present, cabfOrgId be present as well, + // however this is already checked by another lint + return util.IsEV(c.PolicyIdentifiers) && (len(c.Subject.OrganizationIDs) > 0) && + util.IsExtInCert(c, util.CabfExtensionOrganizationIdentifier) +} + +func (l *orgIdInconsistentSubjAndExt) Execute(c *x509.Certificate) *lint.LintResult { + // It should be safe to assume there is only one element in OrganizationIDs + orgId, err := OrganizationIdentifier{ParseAsPSD: false}.Parse(c.Subject.OrganizationIDs[0]) + if err != nil { + return &lint.LintResult{ + Status: lint.Error, + Details: "the organizationIdentifier Subject attribute probably has an invalid value"} + } + + if (c.CABFOrganizationIdentifier.Scheme != orgId.Scheme) || + (c.CABFOrganizationIdentifier.Country != orgId.Country) || + (c.CABFOrganizationIdentifier.State != orgId.State) || + (c.CABFOrganizationIdentifier.Reference != orgId.Reference) { + + if orgId.Scheme != "PSD" { + + return &lint.LintResult{ + Status: lint.Error, + Details: "CABFOrganizationIdentifier is NOT consistent 
with organizationIdentifier"} + } + + psdOrgId, err := OrganizationIdentifier{ParseAsPSD: true}.Parse(c.Subject.OrganizationIDs[0]) + if err != nil { + return &lint.LintResult{ + Status: lint.Error, + Details: "the organizationIdentifier Subject attribute probably has an invalid value"} + } + + if (c.CABFOrganizationIdentifier.Scheme != psdOrgId.Scheme) || + (c.CABFOrganizationIdentifier.Country != psdOrgId.Country) || + (c.CABFOrganizationIdentifier.State != psdOrgId.State) || + (c.CABFOrganizationIdentifier.Reference != psdOrgId.Reference) { + + return &lint.LintResult{ + Status: lint.Error, + Details: "CABFOrganizationIdentifier is NOT consistent with organizationIdentifier"} + } + + } + + return &lint.LintResult{Status: lint.Pass} +} diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_ev_san_ip_address_present.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_ev_san_ip_address_present.go index 3123bce5f75..cb5d41c45c3 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_ev_san_ip_address_present.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_ev_san_ip_address_present.go @@ -1,5 +1,5 @@ /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_ev_serial_number_missing.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_ev_serial_number_missing.go index f65114edbd7..aff09c83195 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_ev_serial_number_missing.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_ev_serial_number_missing.go 
@@ -1,7 +1,7 @@
 package cabf_ev
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_ev_valid_time_too_long.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_ev_valid_time_too_long.go
index a66203177ab..ab8be5f8adc 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_ev_valid_time_too_long.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_ev_valid_time_too_long.go
@@ -1,7 +1,7 @@
 package cabf_ev
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_onion_subject_validity_time_too_large.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_onion_subject_validity_time_too_large.go
index 2a7a74c1060..6995650712e 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_onion_subject_validity_time_too_large.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_ev/lint_onion_subject_validity_time_too_large.go
@@ -1,5 +1,5 @@
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_adobe_extensions_legacy_multipurpose_criticality.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_adobe_extensions_legacy_multipurpose_criticality.go
index bbcc56f51ff..e37074d3a6e 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_adobe_extensions_legacy_multipurpose_criticality.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_adobe_extensions_legacy_multipurpose_criticality.go
@@ -1,5 +1,5 @@
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_adobe_extensions_strict_presence.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_adobe_extensions_strict_presence.go
index 85b45c2395d..73603ea9125 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_adobe_extensions_strict_presence.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_adobe_extensions_strict_presence.go
@@ -1,5 +1,5 @@
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_aia_contains_internal_names.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_aia_contains_internal_names.go
index 987871fe903..f22551fd46b 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_aia_contains_internal_names.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_aia_contains_internal_names.go
@@ -1,7 +1,7 @@
 package cabf_smime_br
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_authority_key_identifier.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_authority_key_identifier.go
new file mode 100644
index 00000000000..a8c3835b571
--- /dev/null
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_authority_key_identifier.go
@@ -0,0 +1,85 @@
+package cabf_smime_br
+
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+import (
+ "fmt"
+
+ "github.com/zmap/zcrypto/encoding/asn1"
+ "github.com/zmap/zcrypto/x509"
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/util"
+)
+
+type keyIdentifier struct {
+ KeyIdentifier asn1.RawValue `asn1:"optional,tag:0"`
+ AuthorityCertIssuer asn1.RawValue `asn1:"optional,tag:1"`
+ AuthorityCertSerialNumber asn1.RawValue `asn1:"optional,tag:2"`
+}
+
+type authorityKeyIdentifierCorrect struct{}
+
+func init() {
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_authority_key_identifier_correct",
+ Description: "authorityKeyIdentifier SHALL be present. This extension SHALL NOT be marked critical. The keyIdentifier field SHALL be present.
authorityCertIssuer and authorityCertSerialNumber fields SHALL NOT be present.",
+ Citation: "7.1.2.3.g",
+ Source: lint.CABFSMIMEBaselineRequirements,
+ EffectiveDate: util.CABF_SMIME_BRs_1_0_0_Date,
+ },
+ Lint: NewAuthorityKeyIdentifierCorrect,
+ })
+}
+
+func NewAuthorityKeyIdentifierCorrect() lint.LintInterface {
+ return &authorityKeyIdentifierCorrect{}
+}
+
+func (l *authorityKeyIdentifierCorrect) CheckApplies(c *x509.Certificate) bool {
+ return util.IsSubscriberCert(c) && util.IsSMIMEBRCertificate(c)
+}
+
+func (l *authorityKeyIdentifierCorrect) Execute(c *x509.Certificate) *lint.LintResult {
+ ext := util.GetExtFromCert(c, util.AuthkeyOID)
+ if ext == nil {
+ return &lint.LintResult{Status: lint.Error, Details: "missing authorityKeyIdentifier"}
+ }
+ if ext.Critical {
+ return &lint.LintResult{Status: lint.Error, Details: "authorityKeyIdentifier is critical"}
+ }
+
+ var keyID keyIdentifier
+ if _, err := asn1.Unmarshal(ext.Value, &keyID); err != nil {
+ return &lint.LintResult{
+ Status: lint.Fatal,
+ Details: fmt.Sprintf("error unmarshalling authority key identifier extension: %v", err),
+ }
+ }
+
+ hasKeyID := len(keyID.KeyIdentifier.Bytes) > 0
+ hasCertIssuer := len(keyID.AuthorityCertIssuer.Bytes) > 0
+ hasCertSerial := len(keyID.AuthorityCertSerialNumber.Bytes) > 0
+ if !hasKeyID {
+ return &lint.LintResult{Status: lint.Error, Details: "keyIdentifier not present"}
+ }
+ if hasCertIssuer {
+ return &lint.LintResult{Status: lint.Error, Details: "authorityCertIssuer is present"}
+ }
+ if hasCertSerial {
+ return &lint.LintResult{Status: lint.Error, Details: "authorityCertSerialNumber is present"}
+ }
+ return &lint.LintResult{Status: lint.Pass}
+}
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_commonname_mailbox_validated.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_commonname_mailbox_validated.go
new file mode 100644
index 00000000000..b68a66d63f2
--- /dev/null
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_commonname_mailbox_validated.go 
@@ -0,0 +1,58 @@
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+package cabf_smime_br
+
+import (
+ "github.com/zmap/zcrypto/x509"
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/util"
+)
+
+func init() {
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_commonname_mailbox_validated",
+ Description: "If present, the commonName attribute of a mailbox-validated certificate SHALL contain a mailbox address",
+ Citation: "S/MIME BRs: 7.1.4.2.2a",
+ Source: lint.CABFSMIMEBaselineRequirements,
+ EffectiveDate: util.CABF_SMIME_BRs_1_0_0_Date,
+ },
+ Lint: NewCommonNameMailboxValidated,
+ })
+}
+
+type commonNameMailboxValidated struct{}
+
+func NewCommonNameMailboxValidated() lint.LintInterface {
+ return &commonNameMailboxValidated{}
+}
+
+func (l *commonNameMailboxValidated) CheckApplies(c *x509.Certificate) bool {
+ return util.IsMailboxValidatedCertificate(c) && util.IsSubscriberCert(c)
+}
+
+func (l *commonNameMailboxValidated) Execute(c *x509.Certificate) *lint.LintResult {
+ var commonNames []string
+ if c.Subject.CommonName != "" {
+ commonNames = append(commonNames, c.Subject.CommonName)
+ }
+ commonNames = append(commonNames, c.Subject.CommonNames...)
+ for _, cn := range commonNames {
+ if !util.IsMailboxAddress(cn) {
+ return &lint.LintResult{Status: lint.Error}
+ }
+ }
+ return &lint.LintResult{Status: lint.Pass}
+}
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_ecpublickey_key_usages.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_ecpublickey_key_usages.go
index bfe8e45d0fb..664b4fc36a8 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_ecpublickey_key_usages.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_ecpublickey_key_usages.go
@@ -1,5 +1,5 @@
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_ecpublickey_other_key_usages.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_ecpublickey_other_key_usages.go
index 79efb32ce8b..659288ac71b 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_ecpublickey_other_key_usages.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_ecpublickey_other_key_usages.go
@@ -1,5 +1,5 @@
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_edwardspublickey_key_usages.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_edwardspublickey_key_usages.go
index cd277034c74..d89c18d7ac0 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_edwardspublickey_key_usages.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_edwardspublickey_key_usages.go
@@ -1,5 +1,5 @@
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_key_usage_criticality.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_key_usage_criticality.go
index 49552916b50..5e1fb0bb19a 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_key_usage_criticality.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_key_usage_criticality.go
@@ -1,5 +1,5 @@
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_key_usage_presence.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_key_usage_presence.go
index da996722d05..994b5ee0733 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_key_usage_presence.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_key_usage_presence.go
@@ -1,5 +1,5 @@
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_legacy_aia_has_one_http.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_legacy_aia_has_one_http.go
index cb741ae1c9f..8aa198fd20b 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_legacy_aia_has_one_http.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_legacy_aia_has_one_http.go
@@ -1,7 +1,7 @@
 package cabf_smime_br
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_legal_entity_identifier.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_legal_entity_identifier.go
new file mode 100644
index 00000000000..0cd6b6bbeb5
--- /dev/null
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_legal_entity_identifier.go
@@ -0,0 +1,83 @@
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+package cabf_smime_br
+
+import (
+ "github.com/zmap/zcrypto/x509"
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/util"
+)
+
+func init() {
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_legal_entity_identifier",
+ Description: "Mailbox/individual: prohibited. Organization/sponsor: may be present",
+ Citation: "7.1.2.3.l",
+ Source: lint.CABFSMIMEBaselineRequirements,
+ EffectiveDate: util.CABF_SMIME_BRs_1_0_0_Date,
+ },
+ Lint: NewLegalEntityIdentifier,
+ })
+}
+
+type legalEntityIdentifier struct{}
+
+func NewLegalEntityIdentifier() lint.LintInterface {
+ return &legalEntityIdentifier{}
+}
+
+func (l *legalEntityIdentifier) CheckApplies(c *x509.Certificate) bool {
+ return util.IsSubscriberCert(c) && util.IsSMIMEBRCertificate(c)
+}
+
+func (l *legalEntityIdentifier) Execute(c *x509.Certificate) *lint.LintResult {
+ leiPresent := util.IsExtInCert(c, util.LegalEntityIdentifierOID)
+ leiExt := util.GetExtFromCert(c, util.LegalEntityIdentifierOID)
+ leiRolePresent := util.IsExtInCert(c, util.LegalEntityIdentifierRoleOID)
+ leiRoleExt := util.GetExtFromCert(c, util.LegalEntityIdentifierRoleOID)
+
+ switch {
+ case util.IsMailboxValidatedCertificate(c), util.IsIndividualValidatedCertificate(c):
+ if leiPresent {
+ // Mailbox-validated and Individual-validated
prohibited.
+ return &lint.LintResult{Status: lint.Error, Details: "Legal Entity Identifier extension present"}
+ }
+ case util.IsOrganizationValidatedCertificate(c):
+ if leiPresent && leiExt.Critical {
+ // LEI (1.3.6.1.4.1.52266.1) MAY be present and SHALL NOT be marked critical.
+ return &lint.LintResult{Status: lint.Error, Details: "Legal Entity Identifier extension present and critical"}
+ }
+ if leiRolePresent {
+ // This is affirming the negative. Sponsor validated certificates MAY have an LEI Role, so
+ // it is being taken here that not explicitly as such for organization validated certificates
+ // implies that they are not allowed.
+ return &lint.LintResult{Status: lint.Error, Details: "Legal Entity Identifier Role extension present"}
+ }
+ case util.IsSponsorValidatedCertificate(c):
+ if leiPresent && leiExt.Critical {
+ // LEI (1.3.6.1.4.1.52266.1) MAY be present and SHALL NOT be marked critical.
+ return &lint.LintResult{Status: lint.Error, Details: "Legal Entity Identifier extension present and critical"}
+ }
+ if leiRolePresent && leiRoleExt.Critical {
+ // LEI Role (1.3.6.1.4.1.52266.2) MAY be present and SHALL NOT be marked critical.
+ return &lint.LintResult{Status: lint.Error, Details: "Legal Entity Identifier Role extension present and critical"}
+ }
+ default:
+ return &lint.LintResult{Status: lint.Error, Details: "Unknown validation type"}
+ }
+
+ return &lint.LintResult{Status: lint.Pass}
+}
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_qc_statements_not_critical.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_qc_statements_not_critical.go
new file mode 100644
index 00000000000..da37a90beb6
--- /dev/null
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_qc_statements_not_critical.go
@@ -0,0 +1,55 @@
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+package cabf_smime_br
+
+import (
+ "github.com/zmap/zcrypto/x509"
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/util"
+)
+
+func init() {
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_smime_qc_statements_must_not_be_critical",
+ Description: "This extension MAY be present and SHALL NOT be marked critical.",
+ Citation: "7.1.2.3.k",
+ Source: lint.CABFSMIMEBaselineRequirements,
+ EffectiveDate: util.CABF_SMIME_BRs_1_0_0_Date,
+ },
+ Lint: NewQCStatementNotCritical,
+ })
+}
+
+type qcStatementNotCritical struct{}
+
+func NewQCStatementNotCritical() lint.LintInterface {
+ return &qcStatementNotCritical{}
+}
+
+func (l *qcStatementNotCritical) CheckApplies(c *x509.Certificate) bool {
+ return util.IsSubscriberCert(c) && util.IsExtInCert(c, util.QcStateOid) && util.IsSMIMEBRCertificate(c)
+}
+
+func (l *qcStatementNotCritical) Execute(c *x509.Certificate) *lint.LintResult {
+ san := util.GetExtFromCert(c, util.QcStateOid)
+ if san.Critical {
+ return &lint.LintResult{
+ Status: lint.Error,
+ Details: "qc statements extension is marked critical",
+ }
+ }
+ return &lint.LintResult{Status: lint.Pass}
+}
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_registration_scheme_id_matches_subject_country.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_registration_scheme_id_matches_subject_country.go
index 2d421c78569..b5a2d24d3b4 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_registration_scheme_id_matches_subject_country.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_registration_scheme_id_matches_subject_country.go
@@ -1,5 +1,5 @@
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_rsa_key_usage_legacy_multipurpose.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_rsa_key_usage_legacy_multipurpose.go
index cf17470a12d..eb318106a2f 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_rsa_key_usage_legacy_multipurpose.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_rsa_key_usage_legacy_multipurpose.go
@@ -1,5 +1,5 @@
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_rsa_key_usage_strict.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_rsa_key_usage_strict.go
index 8815b5b9f38..b61de15eef1 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_rsa_key_usage_strict.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_rsa_key_usage_strict.go
@@ -1,5 +1,5 @@
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_rsa_other_key_usages.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_rsa_other_key_usages.go
index 8182cc533ef..b16d86780f3 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_rsa_other_key_usages.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_rsa_other_key_usages.go
@@ -1,5 +1,5 @@
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_san_shall_be_present.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_san_shall_be_present.go
index bbd5aa91b57..60b2d5e3dc2 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_san_shall_be_present.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_san_shall_be_present.go
@@ -1,5 +1,5 @@
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_san_should_not_be_critical.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_san_should_not_be_critical.go
index 6d8a00964d1..a963d2675d9 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_san_should_not_be_critical.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_san_should_not_be_critical.go
@@ -1,5 +1,5 @@
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_single_email_if_present.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_single_email_if_present.go
index 82b6b5c70ee..d9731d55992 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_single_email_if_present.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_single_email_if_present.go
@@ -1,5 +1,5 @@
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
@@ -16,22 +16,40 @@ package cabf_smime_br
 import (
 "fmt"
+ "net/mail"
 "github.com/zmap/zcrypto/x509"
 "github.com/zmap/zlint/v3/lint"
 "github.com/zmap/zlint/v3/util"
 )
+/*************************************************************************
+7.1.4.2.1 Subject alternative name extension
+
+All Mailbox Addresses in the subject field or entries of type dirName of this extension SHALL be
+repeated as rfc822Name or otherName values of type id-on-SmtpUTF8Mailbox in this
+extension.
+
+7.1.4.2.2 Subject distinguished name fields
+
+h. Certificate Field: subject:emailAddress (1.2.840.113549.1.9.1) Contents: If present, the
+subject:emailAddress SHALL contain a single Mailbox Address as verified under
+Section 3.2.2.
+
+Combining these requirements, this lint checks for malformed email addresses in SAN entries
+covering the case of a non-single Mailbox Address.
+*************************************************************************/
+
 func init() {
 lint.RegisterCertificateLint(&lint.CertificateLint{
 LintMetadata: lint.LintMetadata{
 Name: "e_single_email_if_present",
- Description: "If present, the subject:emailAddress SHALL contain a single Mailbox Address",
- Citation: "7.1.4.2.h",
+ Description: "If present, the subject:emailAddress SHALL contain a single Mailbox Address. All Mailbox Addresses in the subject field SHALL be repeated as rfc822Name or otherName values of type id-on-SmtpUTF8Mailbox in SAN extension.",
+ Citation: "7.1.4.2.1 and 7.1.4.2.2.h",
 Source: lint.CABFSMIMEBaselineRequirements,
 EffectiveDate: util.CABF_SMIME_BRs_1_0_0_Date,
 },
- Lint: func() lint.LintInterface { return &singleEmailIfPresent{} },
+ Lint: NewSingleEmailIfPresent,
 })
 }
@@ -42,19 +60,18 @@ func NewSingleEmailIfPresent() lint.LintInterface {
 }
 func (l *singleEmailIfPresent) CheckApplies(c *x509.Certificate) bool {
- return util.IsSubscriberCert(c) && c.EmailAddresses != nil && len(c.EmailAddresses) != 0 && util.IsSMIMEBRCertificate(c)
+ addresses := c.EmailAddresses
+ return util.IsSubscriberCert(c) && addresses != nil && len(addresses) != 0 && util.IsSMIMEBRCertificate(c)
 }
 func (l *singleEmailIfPresent) Execute(c *x509.Certificate) *lint.LintResult {
- if len(c.EmailAddresses) == 1 {
- return &lint.LintResult{
- Status: lint.Pass,
- }
- } else {
- return &lint.LintResult{
- Status: lint.Error,
- Details: fmt.Sprintf("subject:emailAddress was present and contained %d names (%s)", len(c.EmailAddresses), c.EmailAddresses),
- LintMetadata: lint.LintMetadata{},
+ for _, email := range c.EmailAddresses {
+ if _, err := mail.ParseAddress(email); err != nil {
+ return &lint.LintResult{
+ Status: lint.Error,
+ Details: fmt.Sprintf("san:emailAddress was present and contained an invalid email address (%s)", email),
+ }
 }
 }
+ return &lint.LintResult{Status: lint.Pass}
 }
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_single_email_subject_if_present.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_single_email_subject_if_present.go
new file mode 100644
index 00000000000..1958a95d57c
--- /dev/null
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_single_email_subject_if_present.go
@@ -0,0 +1,60 @@
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+package cabf_smime_br
+
+import (
+ "fmt"
+ "net/mail"
+
+ "github.com/zmap/zcrypto/x509"
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/util"
+)
+
+func init() {
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_single_email_subject_if_present",
+ Description: "If present, the subject:emailAddress SHALL contain a single Mailbox Address",
+ Citation: "7.1.4.2.2.h",
+ Source: lint.CABFSMIMEBaselineRequirements,
+ EffectiveDate: util.CABF_SMIME_BRs_1_0_0_Date,
+ },
+ Lint: NewSingleEmailSubjectIfPresent,
+ })
+}
+
+type singleEmailSubjectIfPresent struct{}
+
+func NewSingleEmailSubjectIfPresent() lint.LintInterface {
+ return &singleEmailSubjectIfPresent{}
+}
+
+func (l *singleEmailSubjectIfPresent) CheckApplies(c *x509.Certificate) bool {
+ emailAddress := c.Subject.EmailAddress
+ return util.IsSubscriberCert(c) && emailAddress != nil && len(emailAddress) != 0 && util.IsSMIMEBRCertificate(c)
+}
+
+func (l *singleEmailSubjectIfPresent) Execute(c *x509.Certificate) *lint.LintResult {
+ for _, email := range c.Subject.EmailAddress {
+ if _, err := mail.ParseAddress(email); err != nil {
+ return &lint.LintResult{
+ Status: lint.Error,
+ Details: fmt.Sprintf("subject:emailAddress was present and contained an invalid email address (%s)", email),
+ }
+ }
+ }
+ return
&lint.LintResult{Status: lint.Pass}
+}
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_strict_aia_has_http_only.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_strict_aia_has_http_only.go
index e47da6a31d5..61bd8666afa 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_strict_aia_has_http_only.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_strict_aia_has_http_only.go
@@ -1,7 +1,7 @@
 package cabf_smime_br
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_subject_country_name.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_subject_country_name.go
new file mode 100644
index 00000000000..07a7dfd02c2
--- /dev/null
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_subject_country_name.go
@@ -0,0 +1,55 @@
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+package cabf_smime_br
+
+import (
+ "strings"
+
+ "github.com/zmap/zcrypto/x509"
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/util"
+)
+
+func init() {
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_subject_country_name",
+ Description: "If present, the subject:countryName SHALL contain the two‐letter ISO 3166‐1 country code associated with the location of the Subject",
+ Citation: "S/MIME BRs: 7.1.4.2.2n",
+ Source: lint.CABFSMIMEBaselineRequirements,
+ EffectiveDate: util.CABF_SMIME_BRs_1_0_0_Date,
+ },
+ Lint: NewSubjectCountryName,
+ })
+}
+
+type subjectCountryName struct{}
+
+func NewSubjectCountryName() lint.LintInterface {
+ return &subjectCountryName{}
+}
+
+func (l *subjectCountryName) CheckApplies(c *x509.Certificate) bool {
+ return util.IsMailboxValidatedCertificate(c)
+}
+
+func (l *subjectCountryName) Execute(c *x509.Certificate) *lint.LintResult {
+ for _, cc := range c.Subject.Country {
+ if !util.IsISOCountryCode(cc) && strings.ToUpper(cc) != "XX" {
+ return &lint.LintResult{Status: lint.Error}
+ }
+ }
+ return &lint.LintResult{Status: lint.Pass}
+}
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_subject_dir_attr.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_subject_dir_attr.go
new file mode 100644
index 00000000000..13215469b67
--- /dev/null
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_subject_dir_attr.go
@@ -0,0 +1,52 @@
+package cabf_smime_br
+
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+import (
+ "github.com/zmap/zcrypto/x509"
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/util"
+)
+
+type subDirAttr struct{}
+
+func init() {
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_strict_multipurpose_smime_ext_subject_directory_attr",
+ Description: "SMIME Strict and Multipurpose certificates cannot have Subject Directory Attributes",
+ Citation: "BRs: 7.1.2.3j",
+ Source: lint.CABFSMIMEBaselineRequirements,
+ EffectiveDate: util.CABF_SMIME_BRs_1_0_0_Date,
+ },
+ Lint: NewSubDirAttr,
+ })
+}
+
+func NewSubDirAttr() lint.LintInterface {
+ return &subDirAttr{}
+}
+
+func (l *subDirAttr) CheckApplies(c *x509.Certificate) bool {
+ return util.IsSubscriberCert(c) && (util.IsStrictSMIMECertificate(c) || util.IsMultipurposeSMIMECertificate(c))
+}
+
+func (l *subDirAttr) Execute(c *x509.Certificate) *lint.LintResult {
+ if util.IsExtInCert(c, util.SubjectDirAttrOID) {
+ return &lint.LintResult{Status: lint.Error}
+ } else {
+ return &lint.LintResult{Status: lint.Pass}
+ }
+}
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_subscribers_crl_distribution_points_are_http.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_subscribers_crl_distribution_points_are_http.go
new file mode 100644
index 00000000000..3333e36ba32
--- /dev/null
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_subscribers_crl_distribution_points_are_http.go
@@ -0,0 +1,77 @@
+/*
+ * ZLint Copyright 2023 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+package cabf_smime_br
+
+import (
+ "net/url"
+
+ "github.com/zmap/zcrypto/x509"
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/util"
+)
+
+func init() {
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_subscribers_crl_distribution_points_are_http",
+ Description: "cRLDistributionPoints SHALL have URI scheme HTTP.",
+ Citation: "7.1.2.3.b",
+ Source: lint.CABFSMIMEBaselineRequirements,
+ EffectiveDate: util.CABF_SMIME_BRs_1_0_0_Date,
+ },
+ Lint: NewSubscriberCrlDistributionPointsHTTP,
+ })
+}
+
+type subscriberCrlDistributionPointsHTTP struct{}
+
+func NewSubscriberCrlDistributionPointsHTTP() lint.LintInterface {
+ return &subscriberCrlDistributionPointsHTTP{}
+}
+
+func (l *subscriberCrlDistributionPointsHTTP) CheckApplies(c *x509.Certificate) bool {
+ return util.IsSubscriberCert(c) && util.IsSMIMEBRCertificate(c)
+}
+
+func (l *subscriberCrlDistributionPointsHTTP) Execute(c *x509.Certificate) *lint.LintResult {
+ httpCount := 0
+ for _, dp := range c.CRLDistributionPoints {
+ parsed, err := url.Parse(dp)
+ if err != nil {
+ return &lint.LintResult{
+ Status: lint.Error,
+ Details: "SMIME certificate contains invalid CRL distribution point",
+ }
+ }
+ if parsed.Scheme == "http" {
+ httpCount++
+ }
+ }
+
+ if (util.IsMultipurposeSMIMECertificate(c) || util.IsStrictSMIMECertificate(c)) && httpCount != len(c.CRLDistributionPoints) {
+ return &lint.LintResult{
+ Status: lint.Error,
+ Details: "SMIME certificate contains invalid URI scheme in CRL distribution point",
+ }
+ }
+ if util.IsLegacySMIMECertificate(c) && httpCount == 0 {
+ return &lint.LintResult{
+ Status: lint.Error,
+ Details: "SMIME certificate contains no HTTP URI schemes as CRL distribution points",
+ }
+ }
+
+ return &lint.LintResult{Status: lint.Pass}
+}
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_subscribers_shall_have_crl_distribution_points.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_subscribers_shall_have_crl_distribution_points.go
index 67e7dedcfb5..2fe6043601b 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_subscribers_shall_have_crl_distribution_points.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/lint_subscribers_shall_have_crl_distribution_points.go
@@ -1,5 +1,5 @@ /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/mailbox_address_from_san.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/mailbox_address_from_san.go
new file mode 100644
index 00000000000..139b051d666
--- /dev/null
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/mailbox_address_from_san.go
@@ -0,0 +1,124 @@
+package cabf_smime_br
+
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+import (
+ "github.com/zmap/zcrypto/encoding/asn1"
+ "github.com/zmap/zcrypto/x509"
+ "github.com/zmap/zcrypto/x509/pkix"
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/util"
+)
+
+// MailboxAddressFromSAN - linter to enforce MAY/SHALL NOT requirements for SMIME certificates
+type MailboxAddressFromSAN struct {
+}
+
+func init() {
+ lint.RegisterLint(&lint.Lint{
+ Name: "e_mailbox_address_shall_contain_an_rfc822_name",
+ Description: "All Mailbox Addresses in the subject field or entries of type dirName of this extension SHALL be repeated as rfc822Name or otherName values of type id-on-SmtpUTF8Mailbox in this extension",
+ Citation: "SMIME BRs: 7.1.4.2.1",
+ Source: lint.CABFSMIMEBaselineRequirements,
+ EffectiveDate: util.CABF_SMIME_BRs_1_0_0_Date,
+ Lint: NewMailboxAddressFromSAN,
+ })
+}
+
+// NewMailboxAddressFromSAN creates a new linter to enforce the requirement that all Mailbox Addresses in SMIME BR certificates must be copied from the SAN
+func NewMailboxAddressFromSAN() lint.LintInterface {
+ return &MailboxAddressFromSAN{}
+}
+
+// CheckApplies is returns true if the certificate's policies assert that it conforms to the SMIME BRs
+func (l *MailboxAddressFromSAN) CheckApplies(c *x509.Certificate) bool {
+
+ if !(util.IsSMIMEBRCertificate(c) && util.IsSubscriberCert(c)) {
+ return false
+ }
+
+ toFindMailboxAddresses := getMailboxAddressesFromDistinguishedName(c.Subject, util.IsMailboxValidatedCertificate(c))
+
+ for _, dirName := range c.DirectoryNames {
+ toFindMailboxAddresses = append(toFindMailboxAddresses, getMailboxAddressesFromDistinguishedName(dirName, false)...)
+ }
+
+ return len(toFindMailboxAddresses) > 0
+
+}
+
+// Execute checks all the places where Mailbox Addresses may be found in an SMIME certificate and confirms that they are present in the SAN rfc822Name or SAN otherName
+func (l *MailboxAddressFromSAN) Execute(c *x509.Certificate) *lint.LintResult {
+ lintErr := &lint.LintResult{
+ Status: lint.Error,
+ Details: "all certificate mailbox addresses must be present in san:emailAddresses or san:otherNames in addition to any other field they may appear",
+ }
+
+ // build list of Mailbox addresses from subject:commonName, subject:emailAddress, dirName
+
+ toFindMailboxAddresses := getMailboxAddressesFromDistinguishedName(c.Subject, util.IsMailboxValidatedCertificate(c))
+
+ for _, dirName := range c.DirectoryNames {
+ toFindMailboxAddresses = append(toFindMailboxAddresses, getMailboxAddressesFromDistinguishedName(dirName, false)...)
+ }
+
+ sanNames := map[string]bool{}
+ for _, rfc822Name := range c.EmailAddresses {
+ sanNames[rfc822Name] = true
+ }
+
+ for _, otherName := range c.OtherNames {
+ if otherName.TypeID.Equal(util.OidIdOnSmtpUtf8Mailbox) {
+ // The otherName needs to be specially unmarshalled since it is
+ // stored as a UTF-8 string rather than what the asn1 package
+ // describes as a PrintableString.
+ var otherNameValue string
+ rest, err := asn1.UnmarshalWithParams(otherName.Value.Bytes, &otherNameValue, "utf8")
+ if len(rest) > 0 || err != nil {
+ return lintErr
+ }
+
+ sanNames[otherNameValue] = true
+ }
+ }
+
+ for _, mailboxAddress := range toFindMailboxAddresses {
+ if _, found := sanNames[mailboxAddress]; !found {
+ return lintErr
+ }
+ }
+
+ return &lint.LintResult{Status: lint.Pass}
+}
+
+func getMailboxAddressesFromDistinguishedName(name pkix.Name, includeCN bool) []string {
+ mailboxAddresses := []string{}
+
+ if includeCN {
+ for _, commonName := range name.CommonNames {
+ if util.IsMailboxAddress(commonName) {
+ mailboxAddresses = append(mailboxAddresses, commonName)
+ }
+ }
+ }
+
+ for _, emailAddress := range name.EmailAddress {
+ if util.IsMailboxAddress(emailAddress) {
+ mailboxAddresses = append(mailboxAddresses, emailAddress)
+ }
+ }
+
+ return mailboxAddresses
+}
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/mailbox_validated_enforce_subject_field_restrictions.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/mailbox_validated_enforce_subject_field_restrictions.go
index 782d35ef622..64ce52bd714 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/mailbox_validated_enforce_subject_field_restrictions.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/mailbox_validated_enforce_subject_field_restrictions.go
@@ -1,7 +1,7 @@ package cabf_smime_br /* - * ZLint Copyright 2021 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/smime_legacy_multipurpose_eku_check.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/smime_legacy_multipurpose_eku_check.go
index a3257ca553e..8f3ac35e1c4 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/smime_legacy_multipurpose_eku_check.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/smime_legacy_multipurpose_eku_check.go @@ -1,7 +1,7 @@ package cabf_smime_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy @@ -20,7 +20,7 @@ import ( "github.com/zmap/zlint/v3/util" ) -// shallHaveCrlDistributionPoints - linter to enforce requirement that SMIME certificates SHALL contain emailProtecton EKU +// legacyMultipurposeEKUCheck - linter to enforce requirement that SMIME certificates SHALL contain emailProtecton EKU type legacyMultipurposeEKUCheck struct { } @@ -37,7 +37,7 @@ func init() { }) } -// NewShallHaveCrlDistributionPoints creates a new linter to enforce MAY/SHALL NOT field requirements for mailbox validated SMIME certs +// NewLegacyMultipurposeEKUCheck creates a new linter to enforce MAY/SHALL NOT field requirements for mailbox validated SMIME certs func NewLegacyMultipurposeEKUCheck() lint.CertificateLintInterface { return &legacyMultipurposeEKUCheck{} } diff --git a/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/smime_strict_eku_check.go b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/smime_strict_eku_check.go index a7bc1a9afc1..49154001297 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/smime_strict_eku_check.go +++ b/vendor/github.com/zmap/zlint/v3/lints/cabf_smime_br/smime_strict_eku_check.go @@ -1,7 +1,7 @@ package cabf_smime_br /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/community/lint_ian_bare_wildcard.go b/vendor/github.com/zmap/zlint/v3/lints/community/lint_ian_bare_wildcard.go index 3e0ed613f49..7b31c3171c2 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/community/lint_ian_bare_wildcard.go +++ b/vendor/github.com/zmap/zlint/v3/lints/community/lint_ian_bare_wildcard.go @@ -1,7 +1,7 @@ package community /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/community/lint_ian_dns_name_includes_null_char.go b/vendor/github.com/zmap/zlint/v3/lints/community/lint_ian_dns_name_includes_null_char.go index bc6c46681fe..4dfa36eb1d6 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/community/lint_ian_dns_name_includes_null_char.go +++ b/vendor/github.com/zmap/zlint/v3/lints/community/lint_ian_dns_name_includes_null_char.go @@ -1,7 +1,7 @@ package community /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/community/lint_ian_dns_name_starts_with_period.go b/vendor/github.com/zmap/zlint/v3/lints/community/lint_ian_dns_name_starts_with_period.go index 7e816446e85..0207e5d8f0d 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/community/lint_ian_dns_name_starts_with_period.go +++ b/vendor/github.com/zmap/zlint/v3/lints/community/lint_ian_dns_name_starts_with_period.go 
@@ -1,7 +1,7 @@ package community /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/community/lint_ian_iana_pub_suffix_empty.go b/vendor/github.com/zmap/zlint/v3/lints/community/lint_ian_iana_pub_suffix_empty.go index 1b3df4a8573..a62cf458f1f 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/community/lint_ian_iana_pub_suffix_empty.go +++ b/vendor/github.com/zmap/zlint/v3/lints/community/lint_ian_iana_pub_suffix_empty.go @@ -1,7 +1,7 @@ package community /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/community/lint_ian_wildcard_not_first.go b/vendor/github.com/zmap/zlint/v3/lints/community/lint_ian_wildcard_not_first.go index 9cf2197a6d3..56e4210e53e 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/community/lint_ian_wildcard_not_first.go +++ b/vendor/github.com/zmap/zlint/v3/lints/community/lint_ian_wildcard_not_first.go @@ -1,7 +1,7 @@ package community /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/community/lint_is_redacted_cert.go b/vendor/github.com/zmap/zlint/v3/lints/community/lint_is_redacted_cert.go index 9c326d7e701..7c374dfc699 100644 
--- a/vendor/github.com/zmap/zlint/v3/lints/community/lint_is_redacted_cert.go +++ b/vendor/github.com/zmap/zlint/v3/lints/community/lint_is_redacted_cert.go @@ -1,7 +1,7 @@ package community /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/community/lint_issuer_dn_leading_whitespace.go b/vendor/github.com/zmap/zlint/v3/lints/community/lint_issuer_dn_leading_whitespace.go index b7c71ecbb04..dbb15974408 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/community/lint_issuer_dn_leading_whitespace.go +++ b/vendor/github.com/zmap/zlint/v3/lints/community/lint_issuer_dn_leading_whitespace.go @@ -1,7 +1,7 @@ package community /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/community/lint_issuer_dn_trailing_whitespace.go b/vendor/github.com/zmap/zlint/v3/lints/community/lint_issuer_dn_trailing_whitespace.go index 1a4928a754e..5372a207b0d 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/community/lint_issuer_dn_trailing_whitespace.go +++ b/vendor/github.com/zmap/zlint/v3/lints/community/lint_issuer_dn_trailing_whitespace.go @@ -1,7 +1,7 @@ package community /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/community/lint_issuer_multiple_rdn.go b/vendor/github.com/zmap/zlint/v3/lints/community/lint_issuer_multiple_rdn.go index cfa69fcfe71..fa81020b2ba 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/community/lint_issuer_multiple_rdn.go +++ b/vendor/github.com/zmap/zlint/v3/lints/community/lint_issuer_multiple_rdn.go @@ -1,7 +1,7 @@ package community /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/community/lint_rsa_exp_negative.go b/vendor/github.com/zmap/zlint/v3/lints/community/lint_rsa_exp_negative.go index c22626e6fc8..dc0b4a0a8fc 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/community/lint_rsa_exp_negative.go +++ b/vendor/github.com/zmap/zlint/v3/lints/community/lint_rsa_exp_negative.go @@ -1,7 +1,7 @@ package community /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/community/lint_rsa_fermat_factorization.go b/vendor/github.com/zmap/zlint/v3/lints/community/lint_rsa_fermat_factorization.go index 0238c26a4d6..1bca73c2109 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/community/lint_rsa_fermat_factorization.go +++ b/vendor/github.com/zmap/zlint/v3/lints/community/lint_rsa_fermat_factorization.go 
@@ -1,7 +1,7 @@ package community /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/community/lint_rsa_no_public_key.go b/vendor/github.com/zmap/zlint/v3/lints/community/lint_rsa_no_public_key.go index c56df61d867..0539a19d591 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/community/lint_rsa_no_public_key.go +++ b/vendor/github.com/zmap/zlint/v3/lints/community/lint_rsa_no_public_key.go @@ -1,7 +1,7 @@ package community /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/community/lint_san_bare_wildcard.go b/vendor/github.com/zmap/zlint/v3/lints/community/lint_san_bare_wildcard.go index 645b672c74a..437b8146d66 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/community/lint_san_bare_wildcard.go +++ b/vendor/github.com/zmap/zlint/v3/lints/community/lint_san_bare_wildcard.go @@ -1,7 +1,7 @@ package community /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/community/lint_san_dns_name_duplicate.go b/vendor/github.com/zmap/zlint/v3/lints/community/lint_san_dns_name_duplicate.go index f120bbcd127..f4aa71a70c5 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/community/lint_san_dns_name_duplicate.go 
+++ b/vendor/github.com/zmap/zlint/v3/lints/community/lint_san_dns_name_duplicate.go @@ -1,5 +1,5 @@ /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/community/lint_san_dns_name_includes_null_char.go b/vendor/github.com/zmap/zlint/v3/lints/community/lint_san_dns_name_includes_null_char.go index 3e0c55251a8..32fa169a48f 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/community/lint_san_dns_name_includes_null_char.go +++ b/vendor/github.com/zmap/zlint/v3/lints/community/lint_san_dns_name_includes_null_char.go @@ -1,7 +1,7 @@ package community /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/community/lint_san_dns_name_starts_with_period.go b/vendor/github.com/zmap/zlint/v3/lints/community/lint_san_dns_name_starts_with_period.go index ef5739f7b41..9a08549ae55 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/community/lint_san_dns_name_starts_with_period.go +++ b/vendor/github.com/zmap/zlint/v3/lints/community/lint_san_dns_name_starts_with_period.go @@ -1,7 +1,7 @@ package community /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/community/lint_san_iana_pub_suffix_empty.go b/vendor/github.com/zmap/zlint/v3/lints/community/lint_san_iana_pub_suffix_empty.go index 9c84d970e25..ba0de82eebf 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/community/lint_san_iana_pub_suffix_empty.go +++ b/vendor/github.com/zmap/zlint/v3/lints/community/lint_san_iana_pub_suffix_empty.go @@ -1,7 +1,7 @@ package community /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/community/lint_san_wildcard_not_first.go b/vendor/github.com/zmap/zlint/v3/lints/community/lint_san_wildcard_not_first.go index 0c1f0ba052c..a31e90edbad 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/community/lint_san_wildcard_not_first.go +++ b/vendor/github.com/zmap/zlint/v3/lints/community/lint_san_wildcard_not_first.go @@ -1,7 +1,7 @@ package community /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/community/lint_subj_country_not_uppercase.go b/vendor/github.com/zmap/zlint/v3/lints/community/lint_subj_country_not_uppercase.go new file mode 100644 index 00000000000..2c3ccbe8b6a --- /dev/null +++ b/vendor/github.com/zmap/zlint/v3/lints/community/lint_subj_country_not_uppercase.go 
@@ -0,0 +1,62 @@
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+package community
+
+import (
+ "github.com/zmap/zcrypto/x509"
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/util"
+
+ "regexp"
+)
+
+func init() {
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_subj_country_not_uppercase",
+ Description: "Alpha-2 country codes shall consist of LATIN CAPITAL LETTER A through LATIN CAPITAL LETTER Z",
+ Citation: "ISO 3166-2:2020(E) section 5.1",
+ Source: lint.Community,
+ EffectiveDate: util.ZeroDate,
+ },
+ Lint: NewSubjCountryNotUppercase,
+ })
+}
+
+type subjCountryNotUppercase struct{}
+
+func NewSubjCountryNotUppercase() lint.LintInterface {
+ return &subjCountryNotUppercase{}
+}
+
+func (l *subjCountryNotUppercase) CheckApplies(c *x509.Certificate) bool {
+ return true
+}
+
+var re = regexp.MustCompile("^[A-Z]+$")
+
+func (l *subjCountryNotUppercase) Execute(c *x509.Certificate) *lint.LintResult {
+ // There should be only one countryName attribute in the Subject, normally,
+ // but checking this is not our business here, so let's scan them all
+ for _, cc := range c.Subject.Country {
+ if !re.MatchString(cc) {
+ return &lint.LintResult{
+ Status: lint.Error,
+ Details: "Country codes must be comprised of uppercase A-Z letters",
+ }
+ }
+ }
+ return &lint.LintResult{Status: lint.Pass}
+}
diff --git a/vendor/github.com/zmap/zlint/v3/lints/community/lint_subject_dn_leading_whitespace.go b/vendor/github.com/zmap/zlint/v3/lints/community/lint_subject_dn_leading_whitespace.go index 4f1e44c3693..e4b51d04e69 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/community/lint_subject_dn_leading_whitespace.go +++ b/vendor/github.com/zmap/zlint/v3/lints/community/lint_subject_dn_leading_whitespace.go @@ -1,7 +1,7 @@ package community /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/community/lint_subject_dn_trailing_whitespace.go b/vendor/github.com/zmap/zlint/v3/lints/community/lint_subject_dn_trailing_whitespace.go index 7fe70c988b5..50c471a40ff 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/community/lint_subject_dn_trailing_whitespace.go +++ b/vendor/github.com/zmap/zlint/v3/lints/community/lint_subject_dn_trailing_whitespace.go @@ -1,7 +1,7 @@ package community /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/community/lint_subject_multiple_rdn.go b/vendor/github.com/zmap/zlint/v3/lints/community/lint_subject_multiple_rdn.go index 3794ee3c8b9..a19821f69ec 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/community/lint_subject_multiple_rdn.go +++ b/vendor/github.com/zmap/zlint/v3/lints/community/lint_subject_multiple_rdn.go 
@@ -1,7 +1,7 @@
 package community

 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/community/lint_validity_time_not_positive.go b/vendor/github.com/zmap/zlint/v3/lints/community/lint_validity_time_not_positive.go
index 79e6ccf19ea..aa610ba7931 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/community/lint_validity_time_not_positive.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/community/lint_validity_time_not_positive.go
@@ -1,7 +1,7 @@
 package community

 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_etsi_present_qcs_critical.go b/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_etsi_present_qcs_critical.go
index 3c2bb02ea0e..88126e40185 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_etsi_present_qcs_critical.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_etsi_present_qcs_critical.go
@@ -1,5 +1,5 @@
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_etsi_type_as_statem.go b/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_etsi_type_as_statem.go
index b7df5163507..52c2e1362f9 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_etsi_type_as_statem.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_etsi_type_as_statem.go
@@ -1,5 +1,5 @@
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_mandatory_etsi_statems.go b/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_mandatory_etsi_statems.go
index abed3568e67..a32fe53a0f9 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_mandatory_etsi_statems.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_mandatory_etsi_statems.go
@@ -1,5 +1,5 @@
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_qccompliance_valid.go b/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_qccompliance_valid.go
index 67440ae3a92..0cd43967338 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_qccompliance_valid.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_qccompliance_valid.go
@@ -1,5 +1,5 @@
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_qclimitvalue_valid.go b/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_qclimitvalue_valid.go
index aaa8e1fbdf9..2ed1db22439 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_qclimitvalue_valid.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_qclimitvalue_valid.go
@@ -1,5 +1,5 @@
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_qcpds_lang_case.go b/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_qcpds_lang_case.go
index 83aa604f194..244286d2fe6 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_qcpds_lang_case.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_qcpds_lang_case.go
@@ -1,5 +1,5 @@
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_qcpds_valid.go b/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_qcpds_valid.go
index 70ac2d9a34b..8dfd352308d 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_qcpds_valid.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_qcpds_valid.go
@@ -1,5 +1,5 @@
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_qcretentionperiod_valid.go b/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_qcretentionperiod_valid.go
index ef3f8d3bbff..ecece31df52 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_qcretentionperiod_valid.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_qcretentionperiod_valid.go
@@ -1,5 +1,5 @@
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_qcsscd_valid.go b/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_qcsscd_valid.go
index 0951efdc3ba..b4ba4d8c7c5 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_qcsscd_valid.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_qcsscd_valid.go
@@ -1,5 +1,5 @@
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_qctype_valid.go b/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_qctype_valid.go
index 6338f6dc815..0add14df4ac 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_qctype_valid.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_qctype_valid.go
@@ -1,5 +1,5 @@
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_qctype_web.go b/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_qctype_web.go
index a3a5f4a0d8e..680820c9e0d 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_qctype_web.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/etsi/lint_qcstatem_qctype_web.go
@@ -1,5 +1,5 @@
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_e_prohibit_dsa_usage.go b/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_e_prohibit_dsa_usage.go
index 50f0c34693d..af8370c60e6 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_e_prohibit_dsa_usage.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_e_prohibit_dsa_usage.go
@@ -1,5 +1,5 @@
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_mp_allowed_eku.go b/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_mp_allowed_eku.go
index 9e578da863e..4db414db764 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_mp_allowed_eku.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_mp_allowed_eku.go
@@ -1,5 +1,5 @@
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_mp_authority_key_identifier_correct.go b/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_mp_authority_key_identifier_correct.go
index 6bf0f20f468..c18c41f8774 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_mp_authority_key_identifier_correct.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_mp_authority_key_identifier_correct.go
@@ -1,5 +1,5 @@
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_mp_ecdsa_pub_key_encoding_correct.go b/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_mp_ecdsa_pub_key_encoding_correct.go
index e9dab7b8dd1..f170e2747a2 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_mp_ecdsa_pub_key_encoding_correct.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_mp_ecdsa_pub_key_encoding_correct.go
@@ -1,7 +1,7 @@
 package mozilla

 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_mp_ecdsa_signature_encoding_correct.go b/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_mp_ecdsa_signature_encoding_correct.go
index c3c11f0aba4..0a86abe87ba 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_mp_ecdsa_signature_encoding_correct.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_mp_ecdsa_signature_encoding_correct.go
@@ -1,7 +1,7 @@
 package mozilla

 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_mp_exponent_cannot_be_one.go b/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_mp_exponent_cannot_be_one.go
index 105a9b8c06c..05e4fbc2384 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_mp_exponent_cannot_be_one.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_mp_exponent_cannot_be_one.go
@@ -1,5 +1,5 @@
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_mp_modulus_must_be_2048_bits_or_more.go b/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_mp_modulus_must_be_2048_bits_or_more.go
index 632494f9f21..2a15354d4f2 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_mp_modulus_must_be_2048_bits_or_more.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_mp_modulus_must_be_2048_bits_or_more.go
@@ -1,5 +1,5 @@
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_mp_modulus_must_be_divisible_by_8.go b/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_mp_modulus_must_be_divisible_by_8.go
index ba3111565a6..fea9f485790 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_mp_modulus_must_be_divisible_by_8.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_mp_modulus_must_be_divisible_by_8.go
@@ -1,5 +1,5 @@
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_mp_pss_parameters_encoding_correct.go b/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_mp_pss_parameters_encoding_correct.go
index e9e78416935..122749baba1 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_mp_pss_parameters_encoding_correct.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_mp_pss_parameters_encoding_correct.go
@@ -1,7 +1,7 @@
 package mozilla

 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_mp_rsassa-pss_in_spki.go b/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_mp_rsassa-pss_in_spki.go
index 6d580c243ad..0a884d70fcf 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_mp_rsassa-pss_in_spki.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/mozilla/lint_mp_rsassa-pss_in_spki.go
@@ -1,7 +1,7 @@
 package mozilla

 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_basic_constraints_not_critical.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_basic_constraints_not_critical.go
index 276f20e6187..015517c3d7e 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_basic_constraints_not_critical.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_basic_constraints_not_critical.go
@@ -1,7 +1,7 @@
 package rfc

 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ca_subject_field_empty.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ca_subject_field_empty.go
index d43e75400cf..7befaa686b2 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ca_subject_field_empty.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ca_subject_field_empty.go
@@ -1,7 +1,7 @@
 package rfc

 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_cert_contains_unique_identifier.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_cert_contains_unique_identifier.go
index 840ce8bbab1..ba8462df394 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_cert_contains_unique_identifier.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_cert_contains_unique_identifier.go
@@ -1,7 +1,7 @@
 package rfc

 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_cert_ext_invalid_der.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_cert_ext_invalid_der.go
new file mode 100644
index 00000000000..578444af6e7
--- /dev/null
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_cert_ext_invalid_der.go
@@ -0,0 +1,119 @@
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+/*
+ * Contributed by Adriano Santoni
+ */
+
+package rfc
+
+import (
+ "github.com/zmap/zcrypto/x509"
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/util"
+
+ "crypto/x509/pkix"
+ "encoding/asn1"
+ "fmt"
+ "math/big"
+)
+
+func init() {
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_cert_ext_invalid_der",
+ Description: "Checks that the 'critical' flag of extensions is not FALSE when present (as per DER encoding)",
+ Citation: "RFC 5280 $4.2",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC5280Date,
+ },
+ Lint: NewCertExtensionInvalidDER,
+ })
+}
+
+type certExtensionInvalidDER struct{}
+
+/*
+ * Modified syntax w/respect to RFC 5280, so we can detect whether
+ * the critical field is actually present in the DER encoding
+ */
+type Extension struct {
+ Id asn1.ObjectIdentifier
+ // This is either the 'critical' or the 'extnValue' field (see RFC 5280 section 4.1)
+ // We can discriminate based on tag, since the two fields are of different ASN.1 types
+ Field2 asn1.RawValue
+ // If this is present, it can only be the 'extnValue' field
+ // We need to be able to capture it, but we do not deal with it
+ Field3 asn1.RawValue `asn1:"optional"`
+}
+
+// This is just plain RFC 5280
+type Certificate struct {
+ TbsCertificate TBSCertificate
+ SignatureAlgorithm pkix.AlgorithmIdentifier
+ SignatureValue asn1.BitString
+}
+
+// Simplified with respect to RFC 5280, as we are not interested in most fields here
+type TBSCertificate struct {
+ Version int `asn1:"optional,explicit,default:0,tag:0"`
+ SerialNumber *big.Int
+ SignatureAlgo pkix.AlgorithmIdentifier
+ Issuer asn1.RawValue
+ Validity asn1.RawValue
+ Subject asn1.RawValue
+ PublicKey asn1.RawValue
+ IssuerUniqueId asn1.BitString `asn1:"optional,tag:1"`
+ SubjectUniqueId asn1.BitString `asn1:"optional,tag:2"`
+ Extensions []Extension `asn1:"omitempty,optional,explicit,tag:3"`
+}
+
+func NewCertExtensionInvalidDER() lint.LintInterface {
+ return &certExtensionInvalidDER{}
+}
+
+func (l *certExtensionInvalidDER) CheckApplies(c *x509.Certificate) bool {
+ // This lint applies to any kind of certificate
+ return true
+}
+
+func (l *certExtensionInvalidDER) Execute(c *x509.Certificate) *lint.LintResult {
+
+ // Re-decode certificate based on an ad-hoc target struct
+ var cert Certificate
+ _, err := asn1.Unmarshal(c.Raw, &cert)
+
+ // This should never happen
+ if err != nil {
+ return &lint.LintResult{
+ Status: lint.Fatal,
+ Details: "Failed to decode certificate",
+ }
+ }
+
+ for _, ext := range cert.TbsCertificate.Extensions {
+ if ext.Field2.Tag == asn1.TagBoolean {
+ // This is the 'critical' flag
+ if ext.Field2.Bytes[0] == 0 {
+ // This a BOOLEAN FALSE
+ return &lint.LintResult{
+ Status: lint.Error,
+ Details: fmt.Sprintf("The %v extension is not properly DER-encoded ('critical' must be absent when FALSE)", ext.Id),
+ }
+ }
+ }
+ }
+
+ return &lint.LintResult{Status: lint.Pass}
+}
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_cert_extensions_version_not_3.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_cert_extensions_version_not_3.go
index 5e2491f1403..c19282ffd00 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_cert_extensions_version_not_3.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_cert_extensions_version_not_3.go
@@ -1,7 +1,7 @@
 package rfc

 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_cert_unique_identifier_version_not_2_or_3.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_cert_unique_identifier_version_not_2_or_3.go
index d03b4c8a1bc..6b250b612dc 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_cert_unique_identifier_version_not_2_or_3.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_cert_unique_identifier_version_not_2_or_3.go
@@ -1,7 +1,7 @@
 package rfc

 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_crl_empty_revoked_certificates.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_crl_empty_revoked_certificates.go
new file mode 100644
index 00000000000..fec36bc4733
--- /dev/null
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_crl_empty_revoked_certificates.go
@@ -0,0 +1,101 @@
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+/*
+ * Contributed by Adriano Santoni
+ * of ACTALIS S.p.A. (www.actalis.com).
+ */
+
+package rfc
+
+import (
+ "github.com/zmap/zcrypto/x509"
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/util"
+
+ "crypto/x509/pkix"
+ "encoding/asn1"
+ "math/big"
+ "time"
+)
+
+func init() {
+ lint.RegisterRevocationListLint(&lint.RevocationListLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_crl_empty_revoked_certificates",
+ Description: "When there are no revoked certificates, the revoked certificates list MUST be absent",
+ Citation: "RFC5280 §5.1.2.6",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC5280Date,
+ },
+ Lint: NewEmptyRevokedCertificates,
+ })
+}
+
+type emptyRevokedCertificates struct{}
+
+type RevokedCertificate struct {
+ UserCertificate *big.Int
+ RevocationDate time.Time
+ CrlEntryExtensions asn1.RawValue `asn1:"optional"`
+}
+
+type TBSCertList struct {
+ Version int `asn1:"optional"`
+ Signature pkix.AlgorithmIdentifier
+ Issuer asn1.RawValue
+ ThisUpdate time.Time
+ NextUpdate time.Time `asn1:"optional"`
+ RevokedCertificates []RevokedCertificate `asn1:"optional"`
+ CrlExtensions asn1.RawValue `asn1:"tag:0,optional"`
+}
+
+type CertificateList struct {
+ TbsCertList TBSCertList
+ SignatureAlgorithm pkix.AlgorithmIdentifier
+ SignatureValue asn1.BitString
+}
+
+func NewEmptyRevokedCertificates() lint.RevocationListLintInterface {
+ return &emptyRevokedCertificates{}
+}
+
+func (l *emptyRevokedCertificates) CheckApplies(c *x509.RevocationList) bool {
+ return true
+}
+
+func (l *emptyRevokedCertificates) Execute(c *x509.RevocationList) *lint.LintResult {
+
+ // We have to re-unmarshal the CRL in our own way, as x.509 RevocationList
+ // does not allow the verification we want to do here
+ var certList CertificateList
+ _, err := asn1.Unmarshal(c.Raw, &certList)
+ if err != nil {
+ return &lint.LintResult{
+ Status: lint.Fatal,
+ Details: "Failed to decode CRL",
+ }
+ }
+
+ if certList.TbsCertList.RevokedCertificates != nil {
+ if len(certList.TbsCertList.RevokedCertificates) == 0 {
+ return &lint.LintResult{
+ Status: lint.Error,
+ Details: "CRL contains an empty revokedCertificates element",
+ }
+ }
+ }
+
+ return &lint.LintResult{Status: lint.Pass}
+}
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_crl_has_next_update.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_crl_has_next_update.go
index 70dd461dd28..d881307e006 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_crl_has_next_update.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_crl_has_next_update.go
@@ -1,7 +1,7 @@
 package rfc

 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_crl_missing_crl_number.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_crl_missing_crl_number.go
new file mode 100644
index 00000000000..cbe28b232f4
--- /dev/null
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_crl_missing_crl_number.go
@@ -0,0 +1,62 @@
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+/*
+ * Contributed by Adriano Santoni
+ * of ACTALIS S.p.A. (www.actalis.com).
+ */
+
+package rfc
+
+import (
+ "github.com/zmap/zcrypto/x509"
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/util"
+)
+
+func init() {
+ lint.RegisterRevocationListLint(&lint.RevocationListLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_crl_missing_crl_number",
+ Description: "CRL issuers conforming to this profile MUST include this extension in all CRLs",
+ Citation: "RFC5280 §5.2.3",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC5280Date,
+ },
+ Lint: NewMissingCRLNumber,
+ })
+}
+
+type missingCRLNumber struct{}
+
+func NewMissingCRLNumber() lint.RevocationListLintInterface {
+ return &missingCRLNumber{}
+}
+
+func (l *missingCRLNumber) CheckApplies(c *x509.RevocationList) bool {
+ return true
+}
+
+func (l *missingCRLNumber) Execute(c *x509.RevocationList) *lint.LintResult {
+ for _, e := range c.Extensions {
+ if e.Id.Equal(util.CRLNumberOID) {
+ return &lint.LintResult{Status: lint.Pass}
+ }
+ }
+
+ return &lint.LintResult{
+ Status: lint.Error,
+ Details: "This CRL lacks the mandatory CRL Number extension",
+ }
+}
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_crl_revoked_certificates_field_empty.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_crl_revoked_certificates_field_empty.go
new file mode 100644
index 00000000000..4ab576d376b
--- /dev/null
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_crl_revoked_certificates_field_empty.go
@@ -0,0 +1,114 @@
+package rfc
+
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+import (
+ "github.com/zmap/zcrypto/x509"
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/util"
+ "golang.org/x/crypto/cryptobyte"
+ cryptobyte_asn1 "golang.org/x/crypto/cryptobyte/asn1"
+)
+
+type revokedCertificates struct{}
+
+/*
+RFC 5280: 5.1.2.6
+
+ When there are no revoked certificates, the revoked certificates list
+ MUST be absent.
+*/
+func init() {
+ lint.RegisterRevocationListLint(&lint.RevocationListLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_crl_revoked_certificates_field_must_be_empty",
+ Description: "When the revokedCertificates field is empty, it MUST be absent from the DER-encoded ASN.1 data structure.",
+ Citation: "RFC 5280: 5.1.2.6",
+ Source: lint.RFC5280,
+ EffectiveDate: util.RFC5280Date,
+ },
+ Lint: NewEmptyRevokedCerts,
+ })
+}
+
+func NewEmptyRevokedCerts() lint.RevocationListLintInterface {
+ return &revokedCertificates{}
+}
+
+func (l *revokedCertificates) CheckApplies(c *x509.RevocationList) bool {
+ // This lint is to verify that the TBSCertList.revokedCertificates field,
+ // when empty, is indeed missing from the DER-encoded ASN.1 bytes.
+ if c != nil && len(c.RevokedCertificates) == 0 {
+ return true
+ }
+
+ return false
+}
+
+func (l *revokedCertificates) Execute(c *x509.RevocationList) *lint.LintResult {
+ // This is a modified version of x509.ParseRevocationList that extracts the
+ // raw DER-encoded bytes that comprise a CRL and parses away layers until
+ // the optional `revokedCertificates` field of a TBSCertList is either found
+ // or confirmed to be missing from the ASN.1 data structure.
+ input := cryptobyte.String(c.Raw)
+
+ // Extract the CertificateList
+ if !input.ReadASN1(&input, cryptobyte_asn1.SEQUENCE) {
+ return &lint.LintResult{Status: lint.Fatal, Details: "malformed CRL"}
+ }
+
+ var tbs cryptobyte.String
+ // Extract the TBSCertList from the CertificateList
+ if !input.ReadASN1(&tbs, cryptobyte_asn1.SEQUENCE) {
+ return &lint.LintResult{Status: lint.Fatal, Details: "malformed TBS CRL"}
+ }
+
+ // Skip optional version
+ tbs.SkipOptionalASN1(cryptobyte_asn1.INTEGER)
+
+ // Skip the signature
+ tbs.SkipASN1(cryptobyte_asn1.SEQUENCE)
+
+ // Skip the issuer
+ tbs.SkipASN1(cryptobyte_asn1.SEQUENCE)
+
+ // SkipOptionalASN1 is identical to SkipASN1 except that it also does a
+ // peek. We'll handle the non-optional thisUpdate with these double peeks
+ // because there's no harm doing so.
+ skipTime := func(s *cryptobyte.String) {
+ switch {
+ case s.PeekASN1Tag(cryptobyte_asn1.UTCTime):
+ s.SkipOptionalASN1(cryptobyte_asn1.UTCTime)
+ case s.PeekASN1Tag(cryptobyte_asn1.GeneralizedTime):
+ s.SkipOptionalASN1(cryptobyte_asn1.GeneralizedTime)
+ }
+ }
+
+ // Skip thisUpdate
+ skipTime(&tbs)
+
+ // Skip optional nextUpdate
+ skipTime(&tbs)
+
+ // Finally, the field which we care about: revokedCertificates. This will
+ // not trigger on the next field `crlExtensions` because that has
+ // context-specific tag [0] and EXPLICIT encoding, not `SEQUENCE` and is
+ // therefore a safe place to end this venture.
+ if tbs.PeekASN1Tag(cryptobyte_asn1.SEQUENCE) {
+ return &lint.LintResult{Status: lint.Error, Details: "When there are no revoked certificates, the revoked certificates list MUST be absent."}
+ }
+
+ return &lint.LintResult{Status: lint.Pass}
+}
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_crl_valid_reason_codes.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_crl_valid_reason_codes.go
index 602ec1823fa..20bbb2303d6 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_crl_valid_reason_codes.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_crl_valid_reason_codes.go
@@ -1,7 +1,7 @@
 package rfc
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_distribution_point_incomplete.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_distribution_point_incomplete.go
index e14577c7906..c3b53dbdf55 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_distribution_point_incomplete.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_distribution_point_incomplete.go
@@ -1,7 +1,7 @@
 package rfc
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_distribution_point_missing_ldap_or_uri.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_distribution_point_missing_ldap_or_uri.go
index 7629b249b1e..4640f887753 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_distribution_point_missing_ldap_or_uri.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_distribution_point_missing_ldap_or_uri.go
@@ -1,7 +1,7 @@
 package rfc
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_dnsname_contains_empty_label.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_dnsname_contains_empty_label.go
index a26991cc421..0b9f7b70c2a 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_dnsname_contains_empty_label.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_dnsname_contains_empty_label.go
@@ -1,7 +1,7 @@
 package rfc
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_dnsname_hyphen_in_sld.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_dnsname_hyphen_in_sld.go
index 26b47ecd420..9ab2060f67b 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_dnsname_hyphen_in_sld.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_dnsname_hyphen_in_sld.go
@@ -1,7 +1,7 @@
 package rfc
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_dnsname_label_too_long.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_dnsname_label_too_long.go
index d1f97f93323..5aad650d89f 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_dnsname_label_too_long.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_dnsname_label_too_long.go
@@ -1,7 +1,7 @@
 package rfc
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_dnsname_underscore_in_sld.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_dnsname_underscore_in_sld.go
index b213b416f76..ae2604d0018 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_dnsname_underscore_in_sld.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_dnsname_underscore_in_sld.go
@@ -1,7 +1,7 @@
 package rfc
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_dnsname_underscore_in_trd.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_dnsname_underscore_in_trd.go
index a7849fff4a7..380d84cc77f 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_dnsname_underscore_in_trd.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_dnsname_underscore_in_trd.go
@@ -1,7 +1,7 @@
 package rfc
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ecdsa_allowed_ku.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ecdsa_allowed_ku.go
index 61653c92949..a2e89f71f7e 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ecdsa_allowed_ku.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ecdsa_allowed_ku.go
@@ -1,5 +1,5 @@
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ecdsa_ee_invalid_ku.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ecdsa_ee_invalid_ku.go
index c7b263ac08d..2400115e983 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ecdsa_ee_invalid_ku.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ecdsa_ee_invalid_ku.go
@@ -1,5 +1,5 @@
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_eku_critical_improperly.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_eku_critical_improperly.go
index 4969fd2d91a..84d3403e700 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_eku_critical_improperly.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_eku_critical_improperly.go
@@ -1,7 +1,7 @@
 package rfc
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_empty_sct_list.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_empty_sct_list.go
new file mode 100644
index 00000000000..d6f47a2c88b
--- /dev/null
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_empty_sct_list.go
@@ -0,0 +1,99 @@
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+/*
+ * Contributed by Adriano Santoni
+ */
+
+package rfc
+
+import (
+ "github.com/zmap/zcrypto/x509"
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/util"
+
+ "encoding/asn1"
+)
+
+func init() {
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_empty_sct_list",
+ Description: "At least one SCT MUST be included in the SignedCertificateTimestampList extension",
+ Citation: "RFC 6962 section 3.3",
+ Source: lint.RFC6962,
+ EffectiveDate: util.RFC6962Date,
+ },
+ Lint: NewEmptySCTList,
+ })
+}
+
+type emptySCTList struct{}
+
+func NewEmptySCTList() lint.LintInterface {
+ return &emptySCTList{}
+}
+
+// CheckApplies returns true for any subscriber certificates that are not precertificates
+// (i.e. that do not have the CT poison extension defined in RFC 6962)
+func (l *emptySCTList) CheckApplies(c *x509.Certificate) bool {
+ return util.IsSubscriberCert(c) && !util.IsExtInCert(c, util.CtPoisonOID)
+}
+
+func (l *emptySCTList) Execute(c *x509.Certificate) *lint.LintResult {
+
+ var sctListExtValue []byte
+
+ for _, e := range c.Extensions {
+ if e.Id.Equal(util.TimestampOID) {
+ sctListExtValue = e.Value
+ break
+ }
+ }
+
+ // SCT extension not found, so there is nothing to check
+ if sctListExtValue == nil {
+ return &lint.LintResult{Status: lint.Pass}
+ }
+
+ var octetString []byte
+
+ _, err := asn1.Unmarshal(sctListExtValue, &octetString)
+ if err != nil {
+ // This will probably never happen, as at this point the extension has already been parsed by an upper Zlint layer
+ return &lint.LintResult{
+ Status: lint.Fatal,
+ Details: "Error decoding the SignedCertificateTimestampList extension",
+ }
+ }
+
+ // Per RFC 5246, the SCT list must begin with a two-bytes length field
+ if len(octetString) < 2 {
+ // This will probably never happen, as at this point the extension has already been parsed by an upper Zlint layer
+ return &lint.LintResult{
+ Status: lint.Fatal,
+ Details: "Invalid SCT list encoding (missing length field)",
+ }
+ }
+
+ // If the SCT list length (first two bytes) is zero, then it's an invalid SCT list per RFC 6962
+ if octetString[0] == 0 && octetString[1] == 0 {
+ return &lint.LintResult{
+ Status: lint.Error,
+ Details: "At least one SCT MUST be included in the SignedCertificateTimestampList extension",
+ }
+ }
+
+ return &lint.LintResult{Status: lint.Pass}
+}
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_aia_access_location_missing.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_aia_access_location_missing.go
index 6a1f321b63d..c57bad1634d 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_aia_access_location_missing.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_aia_access_location_missing.go
@@ -1,7 +1,7 @@
 package rfc
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_aia_marked_critical.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_aia_marked_critical.go
index c8d221f9346..2257957f78d 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_aia_marked_critical.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_aia_marked_critical.go
@@ -1,7 +1,7 @@
 package rfc
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_authority_key_identifier_critical.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_authority_key_identifier_critical.go
index 04703e51812..51cea0cc88f 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_authority_key_identifier_critical.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_authority_key_identifier_critical.go
@@ -1,7 +1,7 @@
 package rfc
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_authority_key_identifier_no_key_identifier.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_authority_key_identifier_no_key_identifier.go
index da91e566715..81103b46f55 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_authority_key_identifier_no_key_identifier.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_authority_key_identifier_no_key_identifier.go
@@ -1,7 +1,7 @@
 package rfc
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_cert_policy_contains_noticeref.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_cert_policy_contains_noticeref.go
index 0f954f13024..19944aa3589 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_cert_policy_contains_noticeref.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_cert_policy_contains_noticeref.go
@@ -1,7 +1,7 @@
 package rfc
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_cert_policy_disallowed_any_policy_qualifier.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_cert_policy_disallowed_any_policy_qualifier.go
index 4ab2ece9ad5..002af303d49 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_cert_policy_disallowed_any_policy_qualifier.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_cert_policy_disallowed_any_policy_qualifier.go
@@ -1,7 +1,7 @@
 package rfc
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_cert_policy_duplicate.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_cert_policy_duplicate.go
index 9c2e0a5abc7..d6b446029c6 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_cert_policy_duplicate.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_cert_policy_duplicate.go
@@ -1,7 +1,7 @@
 package rfc
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_cert_policy_explicit_text_ia5_string.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_cert_policy_explicit_text_ia5_string.go
index 4919a709863..66d86b4fff8 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_cert_policy_explicit_text_ia5_string.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_cert_policy_explicit_text_ia5_string.go
@@ -1,7 +1,7 @@
 package rfc
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_cert_policy_explicit_text_includes_control.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_cert_policy_explicit_text_includes_control.go
index 60d260d5fd5..3db9981bc45 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_cert_policy_explicit_text_includes_control.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_cert_policy_explicit_text_includes_control.go
@@ -1,7 +1,7 @@
 package rfc
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_cert_policy_explicit_text_not_nfc.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_cert_policy_explicit_text_not_nfc.go
index 976cde025eb..bd9350234c9 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_cert_policy_explicit_text_not_nfc.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_cert_policy_explicit_text_not_nfc.go
@@ -1,7 +1,7 @@
 package rfc
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_cert_policy_explicit_text_not_utf8.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_cert_policy_explicit_text_not_utf8.go
index 26ed42561ca..ec7ec651e2e 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_cert_policy_explicit_text_not_utf8.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_cert_policy_explicit_text_not_utf8.go
@@ -1,7 +1,7 @@
 package rfc
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_cert_policy_explicit_text_too_long.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_cert_policy_explicit_text_too_long.go
index a5b12b1376a..023b130fe21 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_cert_policy_explicit_text_too_long.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_cert_policy_explicit_text_too_long.go
@@ -1,7 +1,7 @@
 package rfc
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_crl_distribution_marked_critical.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_crl_distribution_marked_critical.go
index 7e827bfd33d..4d4e2a4a137 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_crl_distribution_marked_critical.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_crl_distribution_marked_critical.go
@@ -1,7 +1,7 @@
 package rfc
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_duplicate_extension.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_duplicate_extension.go
index e76f47fd9a1..431f19aaddc 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_duplicate_extension.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_duplicate_extension.go
@@ -1,7 +1,7 @@
 package rfc
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_freshest_crl_marked_critical.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_freshest_crl_marked_critical.go
index d710b9a17bd..5f198ff8b97 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_freshest_crl_marked_critical.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_freshest_crl_marked_critical.go
@@ -1,7 +1,7 @@
 package rfc
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_critical.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_critical.go
index 5a79abda3d6..5e6f4c31949 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_critical.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_critical.go
@@ -1,7 +1,7 @@
 package rfc
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_dns_not_ia5_string.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_dns_not_ia5_string.go
index ff4ab8170f9..49fa5f9481d 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_dns_not_ia5_string.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_dns_not_ia5_string.go
@@ -1,7 +1,7 @@
 package rfc
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_empty_name.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_empty_name.go
index ffcd291e19a..75f657d2109 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_empty_name.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_empty_name.go
@@ -1,7 +1,7 @@
 package rfc
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_no_entries.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_no_entries.go
index 473d9bf2f43..85191ea0d1b 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_no_entries.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_no_entries.go
@@ -1,7 +1,7 @@
 package rfc
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_rfc822_format_invalid.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_rfc822_format_invalid.go
index 1bb41766bdf..37f65e0cba0 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_rfc822_format_invalid.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_rfc822_format_invalid.go
@@ -1,7 +1,7 @@
 package rfc
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_space_dns_name.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_space_dns_name.go
index 369008d1dcf..02177c03353 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_space_dns_name.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_space_dns_name.go
@@ -1,7 +1,7 @@
 package rfc
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_uri_format_invalid.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_uri_format_invalid.go
index 4843bb6b96f..bb93397b3ca 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_uri_format_invalid.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_uri_format_invalid.go
@@ -1,7 +1,7 @@
 package rfc
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_uri_host_not_fqdn_or_ip.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_uri_host_not_fqdn_or_ip.go
index fd6977aea8f..6e344a9bb45 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_uri_host_not_fqdn_or_ip.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_uri_host_not_fqdn_or_ip.go
@@ -1,7 +1,7 @@
 package rfc
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_uri_not_ia5.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_uri_not_ia5.go
index b459bf3f91b..48f66868d9b 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_uri_not_ia5.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_uri_not_ia5.go
@@ -1,7 +1,7 @@
 package rfc
 
 /*
- * ZLint Copyright 2023 Regents of the University of Michigan
+ * ZLint Copyright 2024 Regents of the University of Michigan
  *
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_uri_relative.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_uri_relative.go
index c4e61b09dc1..ae489ada5ac 100644
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_uri_relative.go
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_ian_uri_relative.go
@@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_key_usage_cert_sign_without_ca.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_key_usage_cert_sign_without_ca.go index f8dfcb4b039..1edac2988e2 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_key_usage_cert_sign_without_ca.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_key_usage_cert_sign_without_ca.go @@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_key_usage_not_critical.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_key_usage_not_critical.go index 74067d6b01a..fb35aafecf7 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_key_usage_not_critical.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_key_usage_not_critical.go @@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_key_usage_without_bits.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_key_usage_without_bits.go index fe30ad81c68..6c2ab82f99c 100644 
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_key_usage_without_bits.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_key_usage_without_bits.go @@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_name_constraints_not_critical.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_name_constraints_not_critical.go index 2a6c5120bc1..88f5086c42d 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_name_constraints_not_critical.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_name_constraints_not_critical.go @@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_name_constraints_not_in_ca.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_name_constraints_not_in_ca.go index edc5ae09844..1f44017eef7 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_name_constraints_not_in_ca.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_name_constraints_not_in_ca.go @@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_policy_constraints_empty.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_policy_constraints_empty.go index 30f9577c9ce..54e6128617b 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_policy_constraints_empty.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_policy_constraints_empty.go @@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_policy_constraints_not_critical.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_policy_constraints_not_critical.go index f3e680bd380..91873c9fa0a 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_policy_constraints_not_critical.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_policy_constraints_not_critical.go @@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_policy_map_any_policy.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_policy_map_any_policy.go index 64fed3d7fd2..2df3f9f0d89 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_policy_map_any_policy.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_policy_map_any_policy.go 
@@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_policy_map_not_critical.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_policy_map_not_critical.go index 08b3071162f..b0531ef0f1b 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_policy_map_not_critical.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_policy_map_not_critical.go @@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_policy_map_not_in_cert_policy.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_policy_map_not_in_cert_policy.go index c0b46d83b27..dc8b8a0599d 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_policy_map_not_in_cert_policy.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_policy_map_not_in_cert_policy.go @@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_dns_name_too_long.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_dns_name_too_long.go index 34228b648c2..5095558f5a6 100644 
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_dns_name_too_long.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_dns_name_too_long.go @@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_dns_not_ia5_string.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_dns_not_ia5_string.go index de3953e2c3e..7849fe6bba6 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_dns_not_ia5_string.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_dns_not_ia5_string.go @@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_empty_name.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_empty_name.go index 86db09f4043..8dd70b39beb 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_empty_name.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_empty_name.go @@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_no_entries.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_no_entries.go index 5f51e09ac17..02969f71ecf 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_no_entries.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_no_entries.go @@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_not_critical_without_subject.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_not_critical_without_subject.go index 034d52f5368..396169f400c 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_not_critical_without_subject.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_not_critical_without_subject.go @@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_rfc822_format_invalid.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_rfc822_format_invalid.go index a6d1793352f..80c1cb72e79 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_rfc822_format_invalid.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_rfc822_format_invalid.go 
@@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_space_dns_name.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_space_dns_name.go index 3fa4a304016..7f4bc1c3c87 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_space_dns_name.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_space_dns_name.go @@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_uri_format_invalid.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_uri_format_invalid.go index 60c5565344f..783f9b47deb 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_uri_format_invalid.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_uri_format_invalid.go @@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_uri_host_not_fqdn_or_ip.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_uri_host_not_fqdn_or_ip.go index 6eb42763b1c..410c1fd0060 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_uri_host_not_fqdn_or_ip.go 
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_uri_host_not_fqdn_or_ip.go @@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_uri_not_ia5.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_uri_not_ia5.go index d0cad9208fd..2437889562d 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_uri_not_ia5.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_uri_not_ia5.go @@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_uri_relative.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_uri_relative.go index 6d0f66e9511..78cb772b0b1 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_uri_relative.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_san_uri_relative.go @@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_subject_directory_attr_critical.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_subject_directory_attr_critical.go index 75edd8bda10..ba54e83a491 100644 
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_subject_directory_attr_critical.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_subject_directory_attr_critical.go @@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_subject_key_identifier_critical.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_subject_key_identifier_critical.go index 495777f50ee..5b589f4bfb4 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_subject_key_identifier_critical.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_subject_key_identifier_critical.go @@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_subject_key_identifier_missing_ca.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_subject_key_identifier_missing_ca.go index 6c4e2a8e559..df6d46d27df 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_subject_key_identifier_missing_ca.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_subject_key_identifier_missing_ca.go @@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_subject_key_identifier_missing_sub_cert.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_subject_key_identifier_missing_sub_cert.go index fc66e1b398d..948a00d4328 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_subject_key_identifier_missing_sub_cert.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_ext_subject_key_identifier_missing_sub_cert.go @@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_generalized_time_does_not_include_seconds.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_generalized_time_does_not_include_seconds.go index 312dc9ddacd..17928a96078 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_generalized_time_does_not_include_seconds.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_generalized_time_does_not_include_seconds.go @@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_generalized_time_includes_fraction_seconds.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_generalized_time_includes_fraction_seconds.go index c6c4ed992a2..4b0e5be4efd 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_generalized_time_includes_fraction_seconds.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_generalized_time_includes_fraction_seconds.go 
@@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_generalized_time_not_in_zulu.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_generalized_time_not_in_zulu.go index 492513dc01b..415b4011c60 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_generalized_time_not_in_zulu.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_generalized_time_not_in_zulu.go @@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_idn_dnsname_malformed_unicode.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_idn_dnsname_malformed_unicode.go index 3b7b19472f0..ec9c01027e7 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_idn_dnsname_malformed_unicode.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_idn_dnsname_malformed_unicode.go @@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_idn_dnsname_must_be_nfc.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_idn_dnsname_must_be_nfc.go index 8b3917df6c2..970f5bb51bb 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_idn_dnsname_must_be_nfc.go 
+++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_idn_dnsname_must_be_nfc.go @@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_incorrect_ku_encoding.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_incorrect_ku_encoding.go index 55ed709c1a2..51de2e854e1 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_incorrect_ku_encoding.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_incorrect_ku_encoding.go @@ -1,5 +1,5 @@ /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_inhibit_any_policy_not_critical.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_inhibit_any_policy_not_critical.go index e7e81dbfec2..4e22b9aa3dd 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_inhibit_any_policy_not_critical.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_inhibit_any_policy_not_critical.go @@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_issuer_dn_country_not_printable_string.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_issuer_dn_country_not_printable_string.go index ed442e47d5d..956017a77cc 100644 
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_issuer_dn_country_not_printable_string.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_issuer_dn_country_not_printable_string.go @@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_issuer_field_empty.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_issuer_field_empty.go index 5041e88ccc5..1c5e2bae179 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_issuer_field_empty.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_issuer_field_empty.go @@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_key_usage_and_extended_key_usage_inconsistent.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_key_usage_and_extended_key_usage_inconsistent.go index df017fc6c15..f49c5919f6e 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_key_usage_and_extended_key_usage_inconsistent.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_key_usage_and_extended_key_usage_inconsistent.go @@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2021 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_key_usage_incorrect_length.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_key_usage_incorrect_length.go index 1a875568dab..d9366961769 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_key_usage_incorrect_length.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_key_usage_incorrect_length.go @@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_name_constraint_empty.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_name_constraint_empty.go index 8fcc372bb34..dcdb358fb33 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_name_constraint_empty.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_name_constraint_empty.go @@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_name_constraint_maximum_not_absent.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_name_constraint_maximum_not_absent.go index 78b0029d5d0..ff6ebd212a1 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_name_constraint_maximum_not_absent.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_name_constraint_maximum_not_absent.go 
@@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_name_constraint_minimum_non_zero.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_name_constraint_minimum_non_zero.go index 113ce13ecf6..ca05fc14b63 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_name_constraint_minimum_non_zero.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_name_constraint_minimum_non_zero.go @@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_name_constraint_not_fqdn.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_name_constraint_not_fqdn.go index 38a352d1932..e359024eec8 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_name_constraint_not_fqdn.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_name_constraint_not_fqdn.go @@ -1,5 +1,5 @@ /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_name_constraint_on_edi_party_name.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_name_constraint_on_edi_party_name.go index ed34a08f9a6..42bc2a7f1a0 100644 
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_name_constraint_on_edi_party_name.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_name_constraint_on_edi_party_name.go @@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_name_constraint_on_registered_id.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_name_constraint_on_registered_id.go index 16371bd801f..6ac32ff23cf 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_name_constraint_on_registered_id.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_name_constraint_on_registered_id.go @@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_name_constraint_on_x400.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_name_constraint_on_x400.go index dcd2b5d3a91..54cece228e9 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_name_constraint_on_x400.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_name_constraint_on_x400.go @@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_path_len_constraint_improperly_included.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_path_len_constraint_improperly_included.go index a229cfccae0..ddce296a606 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_path_len_constraint_improperly_included.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_path_len_constraint_improperly_included.go @@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_path_len_constraint_zero_or_less.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_path_len_constraint_zero_or_less.go index c2441ea85f1..ac8133a01f6 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_path_len_constraint_zero_or_less.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_path_len_constraint_zero_or_less.go @@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_precert_with_sct_list.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_precert_with_sct_list.go new file mode 100644 index 00000000000..a84b7a41783 --- /dev/null +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_precert_with_sct_list.go 
@@ -0,0 +1,59 @@
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+/*
+ * Contributed by Adriano Santoni
+ */
+
+package rfc
+
+import (
+ "github.com/zmap/zcrypto/x509"
+ "github.com/zmap/zlint/v3/lint"
+ "github.com/zmap/zlint/v3/util"
+)
+
+func init() {
+ lint.RegisterCertificateLint(&lint.CertificateLint{
+ LintMetadata: lint.LintMetadata{
+ Name: "e_precert_with_sct_list",
+ Description: "SCTs must be embedded in the final certificate, not in a precertificate",
+ Citation: "RFC 6962 §3.3",
+ Source: lint.RFC6962,
+ EffectiveDate: util.RFC6962Date,
+ },
+ Lint: NewPreCertWithSCTList,
+ })
+}
+
+type preCertWithSCTList struct{}
+
+func NewPreCertWithSCTList() lint.LintInterface {
+ return &preCertWithSCTList{}
+}
+
+func (l *preCertWithSCTList) CheckApplies(c *x509.Certificate) bool {
+ return util.IsExtInCert(c, util.CtPoisonOID)
+}
+
+func (l *preCertWithSCTList) Execute(c *x509.Certificate) *lint.LintResult {
+ if util.IsExtInCert(c, util.TimestampOID) {
+ return &lint.LintResult{
+ Status: lint.Error,
+ Details: "Precertificates must not contain the SignedCertificateTimestampList extension",
+ }
+ } else {
+ return &lint.LintResult{Status: lint.Pass}
+ }
+}
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_rsa_allowed_ku_ca.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_rsa_allowed_ku_ca.go
index aff892a3c71..9e9677ad6d9 100644
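Review bot: Execute in the new lint_precert_with_sct_list.go ends with an `else` after a branch that already returns, and the exported constructor NewPreCertWithSCTList has no doc comment. The pass result can follow the `if` directly as `return &lint.LintResult{Status: lint.Pass}`, and a comment such as `// NewPreCertWithSCTList returns the lint that rejects precertificates carrying an SCT list.` would document the constructor. For the consuming project this is an Error-level lint that CheckApplies enables for every certificate with the CT poison extension, so it is worth confirming that the issuance and cert-checker tests exercise a precertificate under the upgraded lint set.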
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_rsa_allowed_ku_ca.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_rsa_allowed_ku_ca.go @@ -1,5 +1,5 @@ /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_rsa_allowed_ku_ee.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_rsa_allowed_ku_ee.go index d15134a4740..45c9e137ee4 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_rsa_allowed_ku_ee.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_rsa_allowed_ku_ee.go @@ -1,5 +1,5 @@ /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_rsa_allowed_ku_no_encipherment_ca.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_rsa_allowed_ku_no_encipherment_ca.go index f35f259551b..8e234995ba3 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_rsa_allowed_ku_no_encipherment_ca.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_rsa_allowed_ku_no_encipherment_ca.go @@ -1,5 +1,5 @@ /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_serial_number_longer_than_20_octets.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_serial_number_longer_than_20_octets.go index 20114ae1f4a..500bcefb4e4 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_serial_number_longer_than_20_octets.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_serial_number_longer_than_20_octets.go @@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_serial_number_not_positive.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_serial_number_not_positive.go index 0efb8f078fa..709872ea1df 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_serial_number_not_positive.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_serial_number_not_positive.go @@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_spki_rsa_encryption_parameter_not_null.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_spki_rsa_encryption_parameter_not_null.go index b5bf7317b9a..a55ada9d716 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_spki_rsa_encryption_parameter_not_null.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_spki_rsa_encryption_parameter_not_null.go 
@@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_common_name_max_length.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_common_name_max_length.go index 1d8e4f147cd..9126548ace1 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_common_name_max_length.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_common_name_max_length.go @@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_dn_country_not_printable_string.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_dn_country_not_printable_string.go index e996906f4ba..7c1236ac86a 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_dn_country_not_printable_string.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_dn_country_not_printable_string.go @@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_dn_not_printable_characters.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_dn_not_printable_characters.go index 347f5140236..d3a04187e7a 100644 
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_dn_not_printable_characters.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_dn_not_printable_characters.go @@ -1,5 +1,5 @@ /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_dn_serial_number_max_length.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_dn_serial_number_max_length.go index c448d1d02c1..3a983c4664c 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_dn_serial_number_max_length.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_dn_serial_number_max_length.go @@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_dn_serial_number_not_printable_string.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_dn_serial_number_not_printable_string.go index a0595a86861..b772635b01b 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_dn_serial_number_not_printable_string.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_dn_serial_number_not_printable_string.go @@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_email_max_length.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_email_max_length.go index 6c57dd073ca..e4ca16bc06f 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_email_max_length.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_email_max_length.go @@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_empty_without_san.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_empty_without_san.go index 62d578f1d14..d53d9630505 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_empty_without_san.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_empty_without_san.go @@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_given_name_max_length.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_given_name_max_length.go index f2321dfd531..b86e8eec868 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_given_name_max_length.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_given_name_max_length.go 
@@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_given_name_recommended_max_length.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_given_name_recommended_max_length.go index 95d0d9e58a2..fab70f3cc70 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_given_name_recommended_max_length.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_given_name_recommended_max_length.go @@ -1,5 +1,5 @@ /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_info_access_marked_critical.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_info_access_marked_critical.go index 50e3baad891..85b9ffdee22 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_info_access_marked_critical.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_info_access_marked_critical.go @@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_locality_name_max_length.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_locality_name_max_length.go index 677e5d9bbd0..643368bc265 100644 
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_locality_name_max_length.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_locality_name_max_length.go @@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_not_dn.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_not_dn.go index e7802639679..9256742f841 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_not_dn.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_not_dn.go @@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_organization_name_max_length.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_organization_name_max_length.go index a1b35e26d19..469968a6a09 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_organization_name_max_length.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_organization_name_max_length.go @@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_organizational_unit_name_max_length.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_organizational_unit_name_max_length.go index a29f7677b5d..15c2edcc8c5 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_organizational_unit_name_max_length.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_organizational_unit_name_max_length.go @@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_postal_code_max_length.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_postal_code_max_length.go index 8495c317956..e812e737525 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_postal_code_max_length.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_postal_code_max_length.go @@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_printable_string_badalpha.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_printable_string_badalpha.go index f43a9401c77..a5da6ebc510 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_printable_string_badalpha.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_printable_string_badalpha.go 
@@ -1,5 +1,5 @@ /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_state_name_max_length.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_state_name_max_length.go index 8a56d940ca9..0b38c3f14ec 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_state_name_max_length.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_state_name_max_length.go @@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_street_address_max_length.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_street_address_max_length.go index c3fea203de9..2359cff3697 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_street_address_max_length.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_street_address_max_length.go @@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_surname_max_length.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_surname_max_length.go index 3053f0d47cc..5fc3d20d5d8 100644 
--- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_surname_max_length.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_surname_max_length.go @@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_surname_recommended_max_length.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_surname_recommended_max_length.go index dec500954df..652b085f1cc 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_surname_recommended_max_length.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_subject_surname_recommended_max_length.go @@ -1,5 +1,5 @@ /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_superfluous_ku_encoding.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_superfluous_ku_encoding.go index 0502475514c..54f44fe4a76 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_superfluous_ku_encoding.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_superfluous_ku_encoding.go @@ -1,5 +1,5 @@ /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy 
diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_tbs_signature_alg_matches_cert_signature_alg.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_tbs_signature_alg_matches_cert_signature_alg.go index a8ebeb0d6a2..04b577aa23c 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_tbs_signature_alg_matches_cert_signature_alg.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_tbs_signature_alg_matches_cert_signature_alg.go @@ -1,5 +1,5 @@ /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_tbs_signature_rsa_encryption_parameter_not_null.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_tbs_signature_rsa_encryption_parameter_not_null.go index 7b22fa75abe..4731106e887 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_tbs_signature_rsa_encryption_parameter_not_null.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_tbs_signature_rsa_encryption_parameter_not_null.go @@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_utc_time_does_not_include_seconds.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_utc_time_does_not_include_seconds.go index 5502b2a6046..971b1e2d392 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_utc_time_does_not_include_seconds.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_utc_time_does_not_include_seconds.go 
@@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_utc_time_not_in_zulu.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_utc_time_not_in_zulu.go index f2d31ffe912..f14c477cbc3 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_utc_time_not_in_zulu.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_utc_time_not_in_zulu.go @@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_wrong_time_format_pre2050.go b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_wrong_time_format_pre2050.go index b7ff29caed2..7cff5857401 100644 --- a/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_wrong_time_format_pre2050.go +++ b/vendor/github.com/zmap/zlint/v3/lints/rfc/lint_wrong_time_format_pre2050.go @@ -1,7 +1,7 @@ package rfc /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/newLint.sh b/vendor/github.com/zmap/zlint/v3/newLint.sh index fde173dc42f..859d8e93f5e 100644 --- a/vendor/github.com/zmap/zlint/v3/newLint.sh +++ b/vendor/github.com/zmap/zlint/v3/newLint.sh 
@@ -1,51 +1,102 @@ -# Script to create new lint from template +#!/usr/bin/env bash -USAGE="Usage: $0 +function usage() { + echo "./newLint.sh [-h|--help] -r|--req -f|--file -s|--struct " + echo "" + echo "Options:" + echo " -h|--help Prints this help text." + echo " -r|--req The name of the requirements body governing this lint. Valid options are $(valid_requirement_names)." + echo " -f|--file The target filename for the given lint (no file extension is required)." + echo " -s|--struct The name of the Golang struct to create." + echo "" + echo "Example:" + echo " $ ./newLint.sh --req rfc --file crl_must_be_good --struct CrlMustBeGood " + echo " Created lint file /home/chris/projects/zlint/v3/lints/rfc/lint_crl_must_be_good.go with struct name CrlMustBeGood" + echo " Created test file /home/chris/projects/zlint/v3/lints/rfc/lint_crl_must_be_good_test.go" +} -ARG1: Path_name -ARG2: File_name/TestName (no 'lint_' prefix) -ARG3: Struct_name" +function git_root() { + git rev-parse --show-toplevel +} -if [ $# -eq 0 ]; then - echo "No arguments provided..." - echo "$USAGE" - exit 1 -fi +# Searches within the v3/lints directory for a subdirectory matching +# the name of the governing requirements body provided by the -r|--req flag. +# +# Exits with error code 1 if no such directory is found +function requirement_dir_exists() { + exists=$(find "$(git_root)/v3/lints/" -maxdepth 1 -type d -not -name lints -name "${1}") + if [ -z "${exists}" ]; then + echo "Unknown requirements body (${1}). Valid options are $(valid_requirement_names)." + usage + exit 1 + fi +} -if [ $# -eq 1 ]; then - echo "Not enough arguments provided..." - echo "$USAGE" - exit 1 -fi +# Echoes out a comma separated list of directories within v3/lints +function valid_requirement_names() { + names=$(find "$(git_root)/v3/lints/" -type d -not -name "lints" -exec basename {} \;) + echo -n "${names}" | tr '\n' ', ' +} -if [ $# -eq 2 ]; then - echo "Not enough arguments provided..." 
- echo "$USAGE" - exit 1 -fi +while [[ $# -gt 0 ]]; do + case "$1" in + -r | --req) + requirement_dir_exists "${2}" + REQUIREMENT="${2}" + shift 2 + ;; + -f | --file) + LINTNAME="${2}" + FILENAME="lint_${LINTNAME}.go" + TEST_FILENAME="lint_${LINTNAME}_test.go" + shift 2 + ;; + -s | --struct) + STRUCTNAME="$2" + shift 2 + ;; + -h | --help) + usage + exit 0 + ;; + *) + echo "Unknown option: $1" + usage + exit 1 + ;; + esac +done -if [ ! -d lints/$1 ] -then - echo "Directory 'lints/$1' does not exist. Can't make new file." - exit 1 +if [ -z "${REQUIREMENT}" ]; then + echo "The -r|--req flag is required. Valid options are $(valid_requirement_names)" + usage + exit 1 fi +if [ -z "${LINTNAME}" ]; then + echo "The -f|--file flag is required." + usage + exit 1 +fi -if [ -e lints/$1/lint_$2.go ] -then - echo "File already exists. Can't make new file." - exit 1 +if [ -z "${STRUCTNAME}" ]; then + echo "The -s|--strut flag is required." + usage + exit 1 fi -PATHNAME=$1 -LINTNAME=$2 -# Remove the first two characters from ${LINTNAME} and save the resulting string into FILENAME -FILENAME=${LINTNAME:2} -STRUCTNAME=$3 +PATHNAME="$(git_root)/v3/lints/${REQUIREMENT}/${FILENAME}" +TEST_PATHNAME="$(git_root)/v3/lints/${REQUIREMENT}/${TEST_FILENAME}" + +sed -e "s/PACKAGE/${REQUIREMENT}/" \ + -e "s/PASCAL_CASE_SUBST/${STRUCTNAME^}/g" \ + -e "s/SUBST/${STRUCTNAME}/g" \ + -e "s/SUBTEST/${LINTNAME}/g" "$(git_root)/v3/template" > "${PATHNAME}" -sed -e "s/PACKAGE/${PATHNAME}/" \ +sed -e "s/PACKAGE/${REQUIREMENT}/" \ -e "s/PASCAL_CASE_SUBST/${STRUCTNAME^}/g" \ -e "s/SUBST/${STRUCTNAME}/g" \ - -e "s/SUBTEST/${LINTNAME}/g" template > lints/${PATHNAME}/lint_${FILENAME}.go + -e "s/SUBTEST/${LINTNAME}/g" "$(git_root)/v3/test_template" > "${TEST_PATHNAME}" -echo "Created file lints/${PATHNAME}/lint_${FILENAME}.go with struct name ${STRUCTNAME}" +echo "Created lint file ${PATHNAME} with struct name ${STRUCTNAME}" +echo "Created test file ${TEST_PATHNAME}" 
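Review bot: The missing-struct error near the end of the new newLint.sh prints `The -s|--strut flag is required.` although the option parsed in the `case` above is `--struct`; the line should read `echo "The -s|--struct flag is required."`. The values of `--file` and `--struct` are also interpolated unescaped into the sed expressions and into `PATHNAME`/`TEST_PATHNAME`, so a value containing `/`, `&` or `../` changes the substitution or the output location; rejecting anything that does not match `^[A-Za-z0-9_]+$` before the sed calls would close that. The sed expressions replace PACKAGE, PASCAL_CASE_SUBST, SUBST and SUBTEST only, so the `LINT_NAME` and `TEST_CERT.pem` placeholders in the new test_template appear to be left for manual editing, which the usage text could say.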
diff --git a/vendor/github.com/zmap/zlint/v3/profileTemplate b/vendor/github.com/zmap/zlint/v3/profileTemplate index 109dc7d2566..a65f3443ef7 100644 --- a/vendor/github.com/zmap/zlint/v3/profileTemplate +++ b/vendor/github.com/zmap/zlint/v3/profileTemplate @@ -1,5 +1,5 @@ /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/resultset.go b/vendor/github.com/zmap/zlint/v3/resultset.go index 343a00d9ecc..5fd34d8146b 100644 --- a/vendor/github.com/zmap/zlint/v3/resultset.go +++ b/vendor/github.com/zmap/zlint/v3/resultset.go @@ -1,5 +1,5 @@ /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/template b/vendor/github.com/zmap/zlint/v3/template index f3780cdf413..224791623d1 100644 --- a/vendor/github.com/zmap/zlint/v3/template +++ b/vendor/github.com/zmap/zlint/v3/template @@ -1,5 +1,5 @@ /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/test_template b/vendor/github.com/zmap/zlint/v3/test_template new file mode 100644 index 00000000000..fdc41ce91e8 --- /dev/null +++ b/vendor/github.com/zmap/zlint/v3/test_template 
@@ -0,0 +1,31 @@ +/* + * ZLint Copyright 2024 Regents of the University of Michigan + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may not + * use this file except in compliance with the License. You may obtain a copy + * of the License at http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + * implied. See the License for the specific language governing + * permissions and limitations under the License. + */ + +package PACKAGE + +import ( + "testing" + + "github.com/zmap/zlint/v3/lint" + "github.com/zmap/zlint/v3/test" +) + +func TestPASCAL_CASE_SUBST(t *testing.T) { + inputPath := "TEST_CERT.pem" + expected := lint.Error + out := test.TestLint("LINT_NAME", inputPath) + if out.Status != expected { + t.Errorf("%s: expected %s, got %s", inputPath, expected, out.Status) + } +} diff --git a/vendor/github.com/zmap/zlint/v3/util/ca.go b/vendor/github.com/zmap/zlint/v3/util/ca.go index 8a1bb550439..c6242114797 100644 --- a/vendor/github.com/zmap/zlint/v3/util/ca.go +++ b/vendor/github.com/zmap/zlint/v3/util/ca.go @@ -1,5 +1,5 @@ /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy @@ -52,7 +52,7 @@ func IsDelegatedOCSPResponderCert(cert *x509.Certificate) bool { } func IsServerAuthCert(cert *x509.Certificate) bool { - if len(cert.ExtKeyUsage) == 0 { + if len(cert.ExtKeyUsage) == 0 && len(cert.UnknownExtKeyUsage) == 0 { return true } for _, eku := range cert.ExtKeyUsage { 
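Review bot: IsServerAuthCert in util/ca.go has no doc comment, and with this hunk and the next one its rule can no longer be guessed from the name: it returns true when both ExtKeyUsage and UnknownExtKeyUsage are empty, when an EKU matches (that comparison sits between the two hunks and is not shown), or when one of the CABF BR validation policy OIDs is present. I would add `// IsServerAuthCert reports whether cert is treated as a TLS server certificate: no EKUs at all, a matching EKU, or a CABF BR TLS policy OID.` above the signature. A certificate carrying only unrecognised EKU OIDs and none of those policy OIDs no longer counts as server-auth, so any lint gated on this helper presumably stops applying to it; a regression test pinning that case would make the narrowing deliberate.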
@@ -60,21 +60,30 @@ func IsServerAuthCert(cert *x509.Certificate) bool { return true } } + for _, policy := range cert.PolicyIdentifiers { + if policy.Equal(BRDomainValidatedOID) || policy.Equal(BROrganizationValidatedOID) || + policy.Equal(BRIndividualValidatedOID) || policy.Equal(BRExtendedValidatedOID) { + return true + } + } return false } // IsEmailProtectionCert returns true if the certificate presented is for use protecting emails. -// A certificate is for use protecting emails if it contains the Any Purpose or emailProtection -// EKUs or if the certificate contains no EKUs. This last point is a way of being overly cautious -// and choosing to prefer false positives over false negatives. +// The S/MIME BRs say the certificate can be identified by an EKU for id-kp-emailProtection +// and the inclusion of a rfc822Name SAN or an otherName of type id-on-SmtpUTF8Mailbox. +// As a way of being overly cautious and choosing to prefer false positives over false negatives, +// also include certificates that have no EKUs, the any purpose EKU, or one of the policy OIDs. func IsEmailProtectionCert(cert *x509.Certificate) bool { - if len(cert.ExtKeyUsage) == 0 { - return true - } - for _, eku := range cert.ExtKeyUsage { - if eku == x509.ExtKeyUsageAny || eku == x509.ExtKeyUsageEmailProtection { + if HasEmailSAN(cert) { + if len(cert.ExtKeyUsage) == 0 && len(cert.UnknownExtKeyUsage) == 0 { return true } + for _, eku := range cert.ExtKeyUsage { + if eku == x509.ExtKeyUsageAny || eku == x509.ExtKeyUsageEmailProtection { + return true + } + } } - return false + return IsSMIMEBRCertificate(cert) } diff --git a/vendor/github.com/zmap/zlint/v3/util/countries.go b/vendor/github.com/zmap/zlint/v3/util/countries.go index 2ec04aee9d0..01915433dfd 100644 --- a/vendor/github.com/zmap/zlint/v3/util/countries.go +++ b/vendor/github.com/zmap/zlint/v3/util/countries.go 
@@ -1,5 +1,5 @@ /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/util/cs.go b/vendor/github.com/zmap/zlint/v3/util/cs.go new file mode 100644 index 00000000000..5191ba285fa --- /dev/null +++ b/vendor/github.com/zmap/zlint/v3/util/cs.go @@ -0,0 +1,18 @@ +package util + +import "github.com/zmap/zcrypto/encoding/asn1" + +const ( + evCodeSigningPolicy = "2.23.140.1.3" + codeSigningPolicy = "2.23.140.1.4.1" +) + +func IsCodeSigning(policies []asn1.ObjectIdentifier) bool { + for _, policy := range policies { + if policy.String() == evCodeSigningPolicy || policy.String() == codeSigningPolicy { + return true + } + } + + return false +} diff --git a/vendor/github.com/zmap/zlint/v3/util/encodings.go b/vendor/github.com/zmap/zlint/v3/util/encodings.go index 31621744056..ca192675f4e 100644 --- a/vendor/github.com/zmap/zlint/v3/util/encodings.go +++ b/vendor/github.com/zmap/zlint/v3/util/encodings.go @@ -1,5 +1,5 @@ /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/util/ev.go b/vendor/github.com/zmap/zlint/v3/util/ev.go index 54729f7dcaf..e3d3c1b322f 100644 --- a/vendor/github.com/zmap/zlint/v3/util/ev.go +++ b/vendor/github.com/zmap/zlint/v3/util/ev.go 
@@ -1,5 +1,5 @@ /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/util/fqdn.go b/vendor/github.com/zmap/zlint/v3/util/fqdn.go index bcf3f8e2360..ff4859da34e 100644 --- a/vendor/github.com/zmap/zlint/v3/util/fqdn.go +++ b/vendor/github.com/zmap/zlint/v3/util/fqdn.go @@ -1,5 +1,5 @@ /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/util/gtld.go b/vendor/github.com/zmap/zlint/v3/util/gtld.go index 6a7fb64f3c3..c39429e566f 100644 --- a/vendor/github.com/zmap/zlint/v3/util/gtld.go +++ b/vendor/github.com/zmap/zlint/v3/util/gtld.go @@ -1,5 +1,5 @@ /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/util/gtld_map.go b/vendor/github.com/zmap/zlint/v3/util/gtld_map.go index 6fb589b4508..ab5244a5128 100644 --- a/vendor/github.com/zmap/zlint/v3/util/gtld_map.go +++ b/vendor/github.com/zmap/zlint/v3/util/gtld_map.go 
@@ -2,7 +2,7 @@ // This file was generated by zlint-gtld-update. /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy @@ -481,7 +481,7 @@ var tldMap = map[string]GTLDPeriod{ "avianca": { GTLD: "avianca", DelegationDate: "2016-03-09", - RemovalDate: "", + RemovalDate: "2024-03-27", }, "aw": { GTLD: "aw", @@ -536,7 +536,7 @@ var tldMap = map[string]GTLDPeriod{ "bananarepublic": { GTLD: "bananarepublic", DelegationDate: "2016-08-04", - RemovalDate: "", + RemovalDate: "2024-01-22", }, "band": { GTLD: "band", @@ -1426,7 +1426,7 @@ var tldMap = map[string]GTLDPeriod{ "comcast": { GTLD: "comcast", DelegationDate: "2016-07-07", - RemovalDate: "", + RemovalDate: "2024-02-06", }, "commbank": { GTLD: "commbank", @@ -1631,7 +1631,7 @@ var tldMap = map[string]GTLDPeriod{ "dabur": { GTLD: "dabur", DelegationDate: "2015-01-24", - RemovalDate: "", + RemovalDate: "2024-09-25", }, "dad": { GTLD: "dad", @@ -2771,7 +2771,7 @@ var tldMap = map[string]GTLDPeriod{ "guardian": { GTLD: "guardian", DelegationDate: "2016-05-13", - RemovalDate: "", + RemovalDate: "2024-03-05", }, "gucci": { GTLD: "gucci", @@ -4416,7 +4416,7 @@ var tldMap = map[string]GTLDPeriod{ "natura": { GTLD: "natura", DelegationDate: "2016-02-11", - RemovalDate: "", + RemovalDate: "2024-06-12", }, "navy": { GTLD: "navy", @@ -4676,7 +4676,7 @@ var tldMap = map[string]GTLDPeriod{ "oldnavy": { GTLD: "oldnavy", DelegationDate: "2016-08-04", - RemovalDate: "", + RemovalDate: "2024-01-22", }, "ollo": { GTLD: "ollo", @@ -5701,7 +5701,7 @@ var tldMap = map[string]GTLDPeriod{ "shaw": { GTLD: "shaw", DelegationDate: "2016-03-22", - RemovalDate: "", + RemovalDate: "2024-07-09", }, "shell": { GTLD: "shell", 
@@ -6956,7 +6956,7 @@ var tldMap = map[string]GTLDPeriod{ "xfinity": { GTLD: "xfinity", DelegationDate: "2016-07-07", - RemovalDate: "", + RemovalDate: "2024-02-06", }, "xihuan": { GTLD: "xihuan", diff --git a/vendor/github.com/zmap/zlint/v3/util/idna.go b/vendor/github.com/zmap/zlint/v3/util/idna.go index 45d14daab76..c96f6ab04ca 100644 --- a/vendor/github.com/zmap/zlint/v3/util/idna.go +++ b/vendor/github.com/zmap/zlint/v3/util/idna.go @@ -1,5 +1,5 @@ /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/util/ip.go b/vendor/github.com/zmap/zlint/v3/util/ip.go index 7aefe6797c0..a61c77344ea 100644 --- a/vendor/github.com/zmap/zlint/v3/util/ip.go +++ b/vendor/github.com/zmap/zlint/v3/util/ip.go @@ -1,5 +1,5 @@ /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/util/names.go b/vendor/github.com/zmap/zlint/v3/util/names.go index e8fc5c49e1b..abccb2b9457 100644 --- a/vendor/github.com/zmap/zlint/v3/util/names.go +++ b/vendor/github.com/zmap/zlint/v3/util/names.go @@ -1,5 +1,5 @@ /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/util/oid.go b/vendor/github.com/zmap/zlint/v3/util/oid.go index fd037e0a178..ec81a904142 100644 
--- a/vendor/github.com/zmap/zlint/v3/util/oid.go +++ b/vendor/github.com/zmap/zlint/v3/util/oid.go @@ -1,5 +1,5 @@ /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy 
@@ -24,37 +24,43 @@ import ( var ( //extension OIDs - AdobeTimeStampOID = asn1.ObjectIdentifier{1, 2, 840, 113583, 1, 1, 9, 1} // Adobe Time-stamp x509 extension - AdobeArchiveRevInfoOID = asn1.ObjectIdentifier{1, 2, 840, 113583, 1, 1, 9, 2} // Adobe Archive Revocation Info x509 extension - AiaOID = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 1} // Authority Information Access - AuthkeyOID = asn1.ObjectIdentifier{2, 5, 29, 35} // Authority Key Identifier - BasicConstOID = asn1.ObjectIdentifier{2, 5, 29, 19} // Basic Constraints - CertPolicyOID = asn1.ObjectIdentifier{2, 5, 29, 32} // Certificate Policies - CrlDistOID = asn1.ObjectIdentifier{2, 5, 29, 31} // CRL Distribution Points - CtPoisonOID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 11129, 2, 4, 3} // CT Poison - EkuSynOid = asn1.ObjectIdentifier{2, 5, 29, 37} // Extended Key Usage Syntax - FreshCRLOID = asn1.ObjectIdentifier{2, 5, 29, 46} // Freshest CRL - InhibitAnyPolicyOID = asn1.ObjectIdentifier{2, 5, 29, 54} // Inhibit Any Policy - IssuerAlternateNameOID = asn1.ObjectIdentifier{2, 5, 29, 18} // Issuer Alt Name - KeyUsageOID = asn1.ObjectIdentifier{2, 5, 29, 15} // Key Usage - LogoTypeOID = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 12} // Logo Type Ext - NameConstOID = asn1.ObjectIdentifier{2, 5, 29, 30} // Name Constraints - OscpNoCheckOID = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 48, 1, 5} // OSCP No Check - PolicyConstOID = asn1.ObjectIdentifier{2, 5, 29, 36} // Policy Constraints - PolicyMapOID = asn1.ObjectIdentifier{2, 5, 29, 33} // Policy Mappings - PrivKeyUsageOID = asn1.ObjectIdentifier{2, 5, 29, 16} // Private Key Usage Period - QcStateOid = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 3} // QC Statements - TimestampOID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 11129, 2, 4, 2} // Signed Certificate Timestamp List - SmimeOID = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 15} // Smime Capabilities - SubjectAlternateNameOID = asn1.ObjectIdentifier{2, 5, 29, 17} // Subject Alt Name - 
SubjectDirAttrOID = asn1.ObjectIdentifier{2, 5, 29, 9} // Subject Directory Attributes - SubjectInfoAccessOID = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 11} // Subject Info Access Syntax - SubjectKeyIdentityOID = asn1.ObjectIdentifier{2, 5, 29, 14} // Subject Key Identifier - ReasonCodeOID = asn1.ObjectIdentifier{2, 5, 29, 21} // CRL Reason Code - // CA/B reserved policies - BRDomainValidatedOID = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 1} // CA/B BR Domain-Validated - BROrganizationValidatedOID = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 2} // CA/B BR Organization-Validated - BRIndividualValidatedOID = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 3} // CA/B BR Individual-Validated + AdobeTimeStampOID = asn1.ObjectIdentifier{1, 2, 840, 113583, 1, 1, 9, 1} // Adobe Time-stamp x509 extension + AdobeArchiveRevInfoOID = asn1.ObjectIdentifier{1, 2, 840, 113583, 1, 1, 9, 2} // Adobe Archive Revocation Info x509 extension + AiaOID = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 1} // Authority Information Access + AuthkeyOID = asn1.ObjectIdentifier{2, 5, 29, 35} // Authority Key Identifier + BasicConstOID = asn1.ObjectIdentifier{2, 5, 29, 19} // Basic Constraints + CertPolicyOID = asn1.ObjectIdentifier{2, 5, 29, 32} // Certificate Policies + CrlDistOID = asn1.ObjectIdentifier{2, 5, 29, 31} // CRL Distribution Points + CtPoisonOID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 11129, 2, 4, 3} // CT Poison + EkuSynOid = asn1.ObjectIdentifier{2, 5, 29, 37} // Extended Key Usage Syntax + FreshCRLOID = asn1.ObjectIdentifier{2, 5, 29, 46} // Freshest CRL + InhibitAnyPolicyOID = asn1.ObjectIdentifier{2, 5, 29, 54} // Inhibit Any Policy + IssuerAlternateNameOID = asn1.ObjectIdentifier{2, 5, 29, 18} // Issuer Alt Name + KeyUsageOID = asn1.ObjectIdentifier{2, 5, 29, 15} // Key Usage + LegalEntityIdentifierOID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 52266, 1} // Legal Entity Identifier + LegalEntityIdentifierRoleOID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 52266, 2} // Legal Entity 
Identifier Role + LogoTypeOID = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 12} // Logo Type Ext + NameConstOID = asn1.ObjectIdentifier{2, 5, 29, 30} // Name Constraints + OscpNoCheckOID = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 48, 1, 5} // OSCP No Check + PolicyConstOID = asn1.ObjectIdentifier{2, 5, 29, 36} // Policy Constraints + PolicyMapOID = asn1.ObjectIdentifier{2, 5, 29, 33} // Policy Mappings + PrivKeyUsageOID = asn1.ObjectIdentifier{2, 5, 29, 16} // Private Key Usage Period + QcStateOid = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 3} // QC Statements + TimestampOID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 11129, 2, 4, 2} // Signed Certificate Timestamp List + SmimeOID = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 15} // Smime Capabilities + SubjectAlternateNameOID = asn1.ObjectIdentifier{2, 5, 29, 17} // Subject Alt Name + SubjectDirAttrOID = asn1.ObjectIdentifier{2, 5, 29, 9} // Subject Directory Attributes + SubjectInfoAccessOID = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 11} // Subject Info Access Syntax + SubjectKeyIdentityOID = asn1.ObjectIdentifier{2, 5, 29, 14} // Subject Key Identifier + ReasonCodeOID = asn1.ObjectIdentifier{2, 5, 29, 21} // CRL Reason Code + CRLNumberOID = asn1.ObjectIdentifier{2, 5, 29, 20} // CRL Number + // Extended Key Usage OIDs + PreCertificateSigningCertificateEKU = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 11129, 2, 4, 4} + // CA/B Reserved Certificate Policy Identifiers + BRExtendedValidatedOID = asn1.ObjectIdentifier{2, 23, 140, 1, 1} // CA/B BR Reserved Certificate Policy Identifiers - Extended Validation + BRDomainValidatedOID = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 1} // CA/B BR Reserved Certificate Policy Identifiers - Domain-Validated + BROrganizationValidatedOID = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 2} // CA/B BR Reserved Certificate Policy Identifiers - Organization-Validated + BRIndividualValidatedOID = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 3} // CA/B BR Reserved Certificate Policy 
Identifiers - Individual-Validated BRTorServiceDescriptor = asn1.ObjectIdentifier{2, 23, 140, 1, 31} // CA/B BR Tor Service Descriptor CabfExtensionOrganizationIdentifier = asn1.ObjectIdentifier{2, 23, 140, 3, 1} // CA/B EV 9.8.2 cabfOrganizationIdentifier SMIMEBRMailboxValidatedLegacyOID = asn1.ObjectIdentifier{2, 23, 140, 1, 5, 1, 1} // CA/B SMIME BR Mailbox Validated, Legacy @@ -158,6 +164,14 @@ func TypeInName(name *pkix.Name, oid asn1.ObjectIdentifier) bool { return false } +func GetTypesInName(name *pkix.Name) []asn1.ObjectIdentifier { + types := make([]asn1.ObjectIdentifier, 0) + for _, name := range name.Names { + types = append(types, name.Type) + } + return types +} + // helper function to parse policyMapping extensions, returns slices of CertPolicyIds separated by domain func GetMappedPolicies(polMap *pkix.Extension) ([][2]asn1.ObjectIdentifier, error) { if polMap == nil { diff --git a/vendor/github.com/zmap/zlint/v3/util/primes.go b/vendor/github.com/zmap/zlint/v3/util/primes.go index 20b04f8df70..6520a540035 100644 --- a/vendor/github.com/zmap/zlint/v3/util/primes.go +++ b/vendor/github.com/zmap/zlint/v3/util/primes.go @@ -1,5 +1,5 @@ /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/util/qc_stmt.go b/vendor/github.com/zmap/zlint/v3/util/qc_stmt.go index a8f7c0a5e37..b258053d7aa 100644 --- a/vendor/github.com/zmap/zlint/v3/util/qc_stmt.go +++ b/vendor/github.com/zmap/zlint/v3/util/qc_stmt.go 
@@ -1,5 +1,5 @@ /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/util/rdn.go b/vendor/github.com/zmap/zlint/v3/util/rdn.go index 3ce4dd989d8..6b94e923c98 100644 --- a/vendor/github.com/zmap/zlint/v3/util/rdn.go +++ b/vendor/github.com/zmap/zlint/v3/util/rdn.go @@ -1,5 +1,5 @@ /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy diff --git a/vendor/github.com/zmap/zlint/v3/util/san.go b/vendor/github.com/zmap/zlint/v3/util/san.go index d1f2f551ab0..a22bda7195e 100644 --- a/vendor/github.com/zmap/zlint/v3/util/san.go +++ b/vendor/github.com/zmap/zlint/v3/util/san.go @@ -1,6 +1,10 @@ package util -import "github.com/zmap/zcrypto/x509" +import ( + "net/mail" + + "github.com/zmap/zcrypto/x509" +) func HasEmailSAN(c *x509.Certificate) bool { for _, san := range c.EmailAddresses { @@ -17,3 +21,10 @@ func HasEmailSAN(c *x509.Certificate) bool { return false } + +// IsMailboxAddress returns true if the passed in string resembles an RFC 5322 +// mailbox address. +func IsMailboxAddress(address string) bool { + validAddress, err := mail.ParseAddress(address) + return err == nil && validAddress.Address == address +} diff --git a/vendor/github.com/zmap/zlint/v3/util/smime_policies.go b/vendor/github.com/zmap/zlint/v3/util/smime_policies.go index afee1e234fd..f0f4eb3be49 100644 --- a/vendor/github.com/zmap/zlint/v3/util/smime_policies.go +++ b/vendor/github.com/zmap/zlint/v3/util/smime_policies.go 
@@ -1,7 +1,7 @@ package util /* - * ZLint Copyright 2021 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy @@ -18,9 +18,13 @@ import ( "github.com/zmap/zcrypto/x509" ) -func IsMailboxValidatedCertificate(c *x509.Certificate) bool { +func IsSMIMEBRCertificate(c *x509.Certificate) bool { + return IsLegacySMIMECertificate(c) || IsMultipurposeSMIMECertificate(c) || IsStrictSMIMECertificate(c) +} + +func IsIndividualValidatedCertificate(c *x509.Certificate) bool { for _, oid := range c.PolicyIdentifiers { - if oid.Equal(SMIMEBRMailboxValidatedLegacyOID) || oid.Equal(SMIMEBRMailboxValidatedMultipurposeOID) || oid.Equal(SMIMEBRMailboxValidatedStrictOID) { + if oid.Equal(SMIMEBRIndividualValidatedLegacyOID) || oid.Equal(SMIMEBRIndividualValidatedMultipurposeOID) || oid.Equal(SMIMEBRIndividualValidatedStrictOID) { return true } } @@ -28,13 +32,9 @@ func IsMailboxValidatedCertificate(c *x509.Certificate) bool { return false } -func IsSMIMEBRCertificate(c *x509.Certificate) bool { - return IsLegacySMIMECertificate(c) || IsMultipurposeSMIMECertificate(c) || IsStrictSMIMECertificate(c) -} - -func IsLegacySMIMECertificate(c *x509.Certificate) bool { +func IsMailboxValidatedCertificate(c *x509.Certificate) bool { for _, oid := range c.PolicyIdentifiers { - if oid.Equal(SMIMEBRMailboxValidatedLegacyOID) || oid.Equal(SMIMEBROrganizationValidatedLegacyOID) || oid.Equal(SMIMEBRSponsorValidatedLegacyOID) || oid.Equal(SMIMEBRIndividualValidatedLegacyOID) { + if oid.Equal(SMIMEBRMailboxValidatedLegacyOID) || oid.Equal(SMIMEBRMailboxValidatedMultipurposeOID) || oid.Equal(SMIMEBRMailboxValidatedStrictOID) { return true } } 
@@ -62,6 +62,16 @@ func IsSponsorValidatedCertificate(c *x509.Certificate) bool { return false } +func IsLegacySMIMECertificate(c *x509.Certificate) bool { + for _, oid := range c.PolicyIdentifiers { + if oid.Equal(SMIMEBRMailboxValidatedLegacyOID) || oid.Equal(SMIMEBROrganizationValidatedLegacyOID) || oid.Equal(SMIMEBRSponsorValidatedLegacyOID) || oid.Equal(SMIMEBRIndividualValidatedLegacyOID) { + return true + } + } + + return false +} + func IsMultipurposeSMIMECertificate(c *x509.Certificate) bool { for _, oid := range c.PolicyIdentifiers { if oid.Equal(SMIMEBRMailboxValidatedMultipurposeOID) || oid.Equal(SMIMEBROrganizationValidatedMultipurposeOID) || oid.Equal(SMIMEBRSponsorValidatedMultipurposeOID) || oid.Equal(SMIMEBRIndividualValidatedMultipurposeOID) { diff --git a/vendor/github.com/zmap/zlint/v3/util/time.go b/vendor/github.com/zmap/zlint/v3/util/time.go index 2db1b9a3382..c0c9ee3e6ed 100644 --- a/vendor/github.com/zmap/zlint/v3/util/time.go +++ b/vendor/github.com/zmap/zlint/v3/util/time.go @@ -1,5 +1,5 @@ /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy @@ -37,6 +37,7 @@ var ( RFC4630Date = time.Date(2006, time.August, 1, 0, 0, 0, 0, time.UTC) RFC5280Date = time.Date(2008, time.May, 1, 0, 0, 0, 0, time.UTC) RFC6818Date = time.Date(2013, time.January, 1, 0, 0, 0, 0, time.UTC) + RFC6962Date = time.Date(2013, time.June, 1, 0, 0, 0, 0, time.UTC) RFC8813Date = time.Date(2020, time.August, 1, 0, 0, 0, 0, time.UTC) CABEffectiveDate = time.Date(2012, time.July, 1, 0, 0, 0, 0, time.UTC) CABReservedIPDate = time.Date(2016, time.October, 1, 0, 0, 0, 0, time.UTC) 
@@ -74,13 +75,18 @@ var ( AppleReducedLifetimeDate = time.Date(2020, time.September, 1, 0, 0, 0, 0, time.UTC) CABFBRs_1_7_9_Date = time.Date(2021, time.August, 16, 0, 0, 0, 0, time.UTC) CABFBRs_1_8_0_Date = time.Date(2021, time.August, 25, 0, 0, 0, 0, time.UTC) + CABFBRs_2_0_0_Date = time.Date(2023, time.September, 15, 0, 0, 0, 0, time.UTC) NoReservedDomainLabelsDate = time.Date(2021, time.October, 1, 0, 0, 0, 0, time.UTC) CABFBRs_OU_Prohibited_Date = time.Date(2022, time.September, 1, 0, 0, 0, 0, time.UTC) + SC17EffectiveDate = time.Date(2019, time.June, 21, 0, 0, 0, 0, time.UTC) CABF_SMIME_BRs_1_0_0_Date = time.Date(2023, time.September, 1, 0, 0, 0, 0, time.UTC) // Enforcement date of CRL reason codes from Ballot SC 061 CABFBRs_1_8_7_Date = time.Date(2023, time.July, 15, 0, 0, 0, 0, time.UTC) // Updates to the CABF BRs and EVGLs from Ballot SC 062 https://cabforum.org/2023/03/17/ballot-sc62v2-certificate-profiles-update/ SC62EffectiveDate = time.Date(2023, time.September, 15, 0, 0, 0, 0, time.UTC) + // Date when section 9.2.8 of CABF EVG became effective + CABFEV_Sec9_2_8_Date = time.Date(2020, time.January, 31, 0, 0, 0, 0, time.UTC) + CABF_CS_BRs_1_2_Date = time.Date(2019, time.August, 13, 0, 0, 0, 0, time.UTC) ) var ( diff --git a/vendor/github.com/zmap/zlint/v3/zlint.go b/vendor/github.com/zmap/zlint/v3/zlint.go index 7cb773f884f..93c7a2e1498 100644 --- a/vendor/github.com/zmap/zlint/v3/zlint.go +++ b/vendor/github.com/zmap/zlint/v3/zlint.go @@ -1,5 +1,5 @@ /* - * ZLint Copyright 2023 Regents of the University of Michigan + * ZLint Copyright 2024 Regents of the University of Michigan * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy 
@@ -23,6 +23,7 @@ import ( "github.com/zmap/zlint/v3/lint" _ "github.com/zmap/zlint/v3/lints/apple" _ "github.com/zmap/zlint/v3/lints/cabf_br" + _ "github.com/zmap/zlint/v3/lints/cabf_cs_br" _ "github.com/zmap/zlint/v3/lints/cabf_ev" _ "github.com/zmap/zlint/v3/lints/cabf_smime_br" _ "github.com/zmap/zlint/v3/lints/community" diff --git a/vendor/modules.txt b/vendor/modules.txt index 0a2d3187c1d..1ad53832503 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -287,12 +287,13 @@ github.com/zmap/zcrypto/util github.com/zmap/zcrypto/x509 github.com/zmap/zcrypto/x509/ct github.com/zmap/zcrypto/x509/pkix -# github.com/zmap/zlint/v3 v3.6.0 +# github.com/zmap/zlint/v3 v3.6.4 ## explicit; go 1.18 github.com/zmap/zlint/v3 github.com/zmap/zlint/v3/lint github.com/zmap/zlint/v3/lints/apple github.com/zmap/zlint/v3/lints/cabf_br +github.com/zmap/zlint/v3/lints/cabf_cs_br github.com/zmap/zlint/v3/lints/cabf_ev github.com/zmap/zlint/v3/lints/cabf_smime_br github.com/zmap/zlint/v3/lints/community From 62299362bd8fab5fcdbaaef227c0ef52713f7e34 Mon Sep 17 00:00:00 2001 
From: James Renken Date: Wed, 18 Dec 2024 14:23:13 -0800 Subject: [PATCH 2/6] ra/ratelimits: Update tests, use new TransactionBuilder constructor, fix ARI rate limit exception (#7869) Add a new `ratelimits.NewTransactionBuilderWithLimits` constructor which takes pre-populated rate limit data, instead of filenames for reading it off disk. Use this new constructor to change rate limits during RA tests, instead of using extra `testdata` files. Fix ARI renewals' exception from rate limits: consider `isARIRenewal` as part of the `isRenewal` arg to `checkNewOrderLimits`. Remove obsolete RA tests for rate limits that are now only checked in the WFE. Update remaining new order rate limit tests from deprecated `ratelimit`s to new Redis `ratelimits`. --- cmd/boulder-ra/main.go | 2 +- cmd/boulder-wfe2/main.go | 2 +- ra/ra_test.go | 369 ++---------------- .../one-failed-validation-before-pausing.yml | 4 - ratelimits/gcra.go | 6 +- ratelimits/gcra_test.go | 5 +- ratelimits/limit.go | 158 +++++--- ratelimits/limit_test.go | 94 +++-- ratelimits/limiter.go | 26 +- ratelimits/limiter_test.go | 26 +- ratelimits/transaction.go | 25 +- ratelimits/transaction_test.go | 46 ++- wfe2/wfe.go | 19 +- wfe2/wfe_test.go | 110 +++++- 14 files changed, 382 insertions(+), 510 deletions(-) delete mode 100644 ra/testdata/one-failed-validation-before-pausing.yml diff --git a/cmd/boulder-ra/main.go b/cmd/boulder-ra/main.go index 9710e4b5176..e71cbb37bc8 100644 --- a/cmd/boulder-ra/main.go +++ b/cmd/boulder-ra/main.go 
@@ -273,7 +273,7 @@ func main() { source := ratelimits.NewRedisSource(limiterRedis.Ring, clk, scope) limiter, err = ratelimits.NewLimiter(clk, source, scope) cmd.FailOnError(err, "Failed to create rate limiter") - txnBuilder, err = ratelimits.NewTransactionBuilder(c.RA.Limiter.Defaults, c.RA.Limiter.Overrides) + txnBuilder, err = ratelimits.NewTransactionBuilderFromFiles(c.RA.Limiter.Defaults, c.RA.Limiter.Overrides) cmd.FailOnError(err, "Failed to create rate limits transaction builder") } diff --git a/cmd/boulder-wfe2/main.go b/cmd/boulder-wfe2/main.go index 699ed0d787d..2ad988180fc 100644 --- a/cmd/boulder-wfe2/main.go +++ b/cmd/boulder-wfe2/main.go @@ -365,7 +365,7 @@ func main() { source := ratelimits.NewRedisSource(limiterRedis.Ring, clk, stats) limiter, err = ratelimits.NewLimiter(clk, source, stats) cmd.FailOnError(err, "Failed to create rate limiter") - txnBuilder, err = ratelimits.NewTransactionBuilder(c.WFE.Limiter.Defaults, c.WFE.Limiter.Overrides) + txnBuilder, err = ratelimits.NewTransactionBuilderFromFiles(c.WFE.Limiter.Defaults, c.WFE.Limiter.Overrides) cmd.FailOnError(err, "Failed to create rate limits transaction builder") } diff --git a/ra/ra_test.go b/ra/ra_test.go index e7f439d688e..143178e4ead 100644 --- a/ra/ra_test.go +++ b/ra/ra_test.go 
@@ -261,55 +261,6 @@ var ( var ctx = context.Background() -// dummyRateLimitConfig satisfies the rl.RateLimitConfig interface while -// allowing easy mocking of the individual RateLimitPolicy's -type dummyRateLimitConfig struct { - CertificatesPerNamePolicy ratelimit.RateLimitPolicy - RegistrationsPerIPPolicy ratelimit.RateLimitPolicy - RegistrationsPerIPRangePolicy ratelimit.RateLimitPolicy - PendingAuthorizationsPerAccountPolicy ratelimit.RateLimitPolicy - NewOrdersPerAccountPolicy ratelimit.RateLimitPolicy - InvalidAuthorizationsPerAccountPolicy ratelimit.RateLimitPolicy - CertificatesPerFQDNSetPolicy ratelimit.RateLimitPolicy - CertificatesPerFQDNSetFastPolicy ratelimit.RateLimitPolicy -} - -func (r *dummyRateLimitConfig) CertificatesPerName() ratelimit.RateLimitPolicy { - return r.CertificatesPerNamePolicy -} - -func (r *dummyRateLimitConfig) RegistrationsPerIP() ratelimit.RateLimitPolicy { - return r.RegistrationsPerIPPolicy -} - -func (r *dummyRateLimitConfig) RegistrationsPerIPRange() ratelimit.RateLimitPolicy { - return r.RegistrationsPerIPRangePolicy -} - -func (r *dummyRateLimitConfig) PendingAuthorizationsPerAccount() ratelimit.RateLimitPolicy { - return r.PendingAuthorizationsPerAccountPolicy -} - -func (r *dummyRateLimitConfig) NewOrdersPerAccount() ratelimit.RateLimitPolicy { - return r.NewOrdersPerAccountPolicy -} - -func (r *dummyRateLimitConfig) InvalidAuthorizationsPerAccount() ratelimit.RateLimitPolicy { - return r.InvalidAuthorizationsPerAccountPolicy -} - -func (r *dummyRateLimitConfig) CertificatesPerFQDNSet() ratelimit.RateLimitPolicy { - return r.CertificatesPerFQDNSetPolicy -} - -func (r *dummyRateLimitConfig) CertificatesPerFQDNSetFast() ratelimit.RateLimitPolicy { - return r.CertificatesPerFQDNSetFastPolicy -} - -func (r *dummyRateLimitConfig) LoadPolicies(contents []byte) error { - return nil // NOP - unrequired behaviour for this mock -} - func newAcctKey(t *testing.T) []byte { key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) 
jwk := &jose.JSONWebKey{Key: key.Public()} @@ -392,7 +343,7 @@ func initAuthorities(t *testing.T) (*DummyValidationAuthority, sapb.StorageAutho rlSource := ratelimits.NewInmemSource() limiter, err := ratelimits.NewLimiter(fc, rlSource, stats) test.AssertNotError(t, err, "making limiter") - txnBuilder, err := ratelimits.NewTransactionBuilder("../test/config-next/wfe2-ratelimit-defaults.yml", "") + txnBuilder, err := ratelimits.NewTransactionBuilderFromFiles("../test/config-next/wfe2-ratelimit-defaults.yml", "") test.AssertNotError(t, err, "making transaction composer") testKeyPolicy, err := goodkey.NewPolicy(nil, nil) @@ -844,8 +795,14 @@ func TestPerformValidation_FailedValidationsTriggerPauseIdentifiersRatelimit(t * out: pauseChan, } - // Override the default ratelimits to only allow one failed validation per 24 hours. - txnBuilder, err := ratelimits.NewTransactionBuilder("testdata/one-failed-validation-before-pausing.yml", "") + // Set the default ratelimits to only allow one failed validation per 24 + // hours before pausing. + txnBuilder, err := ratelimits.NewTransactionBuilder(ratelimits.LimitConfigs{ + ratelimits.FailedAuthorizationsForPausingPerDomainPerAccount.String(): &ratelimits.LimitConfig{ + Burst: 1, + Count: 1, + Period: config.Duration{Duration: time.Hour * 24}}, + }) test.AssertNotError(t, err, "making transaction composer") ra.txnBuilder = txnBuilder 
@@ -1055,101 +1012,6 @@ func TestCertificateKeyNotEqualAccountKey(t *testing.T) { test.AssertEquals(t, err.Error(), "certificate public key must be different than account key") } -func TestNewOrderRateLimiting(t *testing.T) { - _, _, ra, _, fc, cleanUp := initAuthorities(t) - defer cleanUp() - - // Create a dummy rate limit config that sets a NewOrdersPerAccount rate - // limit with a very low threshold/short window - rateLimitDuration := 5 * time.Minute - ra.rlPolicies = &dummyRateLimitConfig{ - NewOrdersPerAccountPolicy: ratelimit.RateLimitPolicy{ - Threshold: 1, - Window: config.Duration{Duration: rateLimitDuration}, - }, - } - - orderOne := &rapb.NewOrderRequest{ - RegistrationID: Registration.Id, - DnsNames: []string{"first.example.com"}, - } - orderTwo := &rapb.NewOrderRequest{ - RegistrationID: Registration.Id, - DnsNames: []string{"second.example.com"}, - } - - // To start, it should be possible to create a new order - _, err := ra.NewOrder(ctx, orderOne) - test.AssertNotError(t, err, "NewOrder for orderOne failed") - - // Advance the clock 1s to separate the orders in time - fc.Add(time.Second) - - // Creating an order immediately after the first with different names - // should fail - _, err = ra.NewOrder(ctx, orderTwo) - test.AssertError(t, err, "NewOrder for orderTwo succeeded, should have been ratelimited") - - // Creating the first order again should succeed because of order reuse, no - // new pending order is produced. - _, err = ra.NewOrder(ctx, orderOne) - test.AssertNotError(t, err, "Reuse of orderOne failed") - - // Advancing the clock by 2 * the rate limit duration should allow orderTwo to - // succeed - fc.Add(2 * rateLimitDuration) - _, err = ra.NewOrder(ctx, orderTwo) - test.AssertNotError(t, err, "NewOrder for orderTwo failed after advancing clock") -} - -// TestEarlyOrderRateLimiting tests that NewOrder applies the certificates per -// name/per FQDN rate limits against the order names. 
-func TestEarlyOrderRateLimiting(t *testing.T) { - _, _, ra, _, _, cleanUp := initAuthorities(t) - defer cleanUp() - - rateLimitDuration := 5 * time.Minute - - domain := "early-ratelimit-example.com" - - // Set a mock RL policy with a CertificatesPerName threshold for the domain - // name so low if it were enforced it would prevent a new order for any names. - ra.rlPolicies = &dummyRateLimitConfig{ - CertificatesPerNamePolicy: ratelimit.RateLimitPolicy{ - Threshold: 10, - Window: config.Duration{Duration: rateLimitDuration}, - // Setting the Threshold to 0 skips applying the rate limit. Setting an - // override to 0 does the trick. - Overrides: map[string]int64{ - domain: 0, - }, - }, - NewOrdersPerAccountPolicy: ratelimit.RateLimitPolicy{ - Threshold: 10, - Window: config.Duration{Duration: rateLimitDuration}, - }, - } - - // Request an order for the test domain - newOrder := &rapb.NewOrderRequest{ - RegistrationID: Registration.Id, - DnsNames: []string{domain}, - } - - // With the feature flag enabled the NewOrder request should fail because of - // the CertificatesPerNamePolicy. - _, err := ra.NewOrder(ctx, newOrder) - test.AssertError(t, err, "NewOrder did not apply cert rate limits with feature flag enabled") - - var bErr *berrors.BoulderError - test.Assert(t, errors.As(err, &bErr), "NewOrder did not return a boulder error") - test.AssertEquals(t, bErr.RetryAfter, rateLimitDuration) - - // The err should be the expected rate limit error - expected := "too many certificates already issued for \"early-ratelimit-example.com\". Retry after 2020-03-04T05:05:00Z: see https://letsencrypt.org/docs/rate-limits/#new-orders-per-account" - test.AssertEquals(t, bErr.Error(), expected) -} - // mockInvalidAuthorizationsAuthority is a mock which claims that the given // domain has one invalid authorization. type mockInvalidAuthorizationsAuthority struct { 
@@ -1169,16 +1031,18 @@ func TestAuthzFailedRateLimitingNewOrder(t *testing.T) { _, _, ra, _, _, cleanUp := initAuthorities(t) defer cleanUp() - ra.rlPolicies = &dummyRateLimitConfig{ - InvalidAuthorizationsPerAccountPolicy: ratelimit.RateLimitPolicy{ - Threshold: 1, - Window: config.Duration{Duration: 1 * time.Hour}, - }, - } + txnBuilder, err := ratelimits.NewTransactionBuilder(ratelimits.LimitConfigs{ + ratelimits.FailedAuthorizationsForPausingPerDomainPerAccount.String(): &ratelimits.LimitConfig{ + Burst: 1, + Count: 1, + Period: config.Duration{Duration: time.Hour * 1}}, + }) + test.AssertNotError(t, err, "making transaction composer") + ra.txnBuilder = txnBuilder limit := ra.rlPolicies.InvalidAuthorizationsPerAccount() ra.SA = &mockInvalidAuthorizationsAuthority{domainWithFailures: "all.i.do.is.lose.com"} - err := ra.checkInvalidAuthorizationLimits(ctx, Registration.Id, + err = ra.checkInvalidAuthorizationLimits(ctx, Registration.Id, []string{"charlie.brown.com", "all.i.do.is.lose.com"}, limit) test.AssertError(t, err, "checkInvalidAuthorizationLimits did not encounter expected rate limit error") test.AssertEquals(t, err.Error(), "too many failed authorizations recently: see https://letsencrypt.org/docs/rate-limits/#authorization-failures-per-hostname-per-account") @@ -1541,8 +1405,7 @@ func (m mockSAWithFQDNSet) FQDNSetTimestampsForWindow(_ context.Context, req *sa } } -// TestExactPublicSuffixCertLimit tests the behaviour of issue #2681 with and -// without the feature flag for the fix enabled. +// TestExactPublicSuffixCertLimit tests the behaviour of issue #2681. // See https://github.com/letsencrypt/boulder/issues/2681 func TestExactPublicSuffixCertLimit(t *testing.T) { _, _, ra, _, fc, cleanUp := initAuthorities(t) 
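Review bot: In TestAuthzFailedRateLimitingNewOrder the new `ra.txnBuilder` setup does not appear to feed the assertion, because the test still takes `limit := ra.rlPolicies.InvalidAuthorizationsPerAccount()` and passes it to `checkInvalidAuthorizationLimits`. With `dummyRateLimitConfig` removed, the threshold under test now comes from whatever `initAuthorities` leaves in `ra.rlPolicies`, which is outside this hunk. The limit configured here is `FailedAuthorizationsForPausingPerDomainPerAccount`, a different limit from the one the expected error message describes. If the legacy path is still what this test covers, drop the builder setup or add a comment such as `// threshold comes from the legacy policies loaded by initAuthorities; txnBuilder is not consulted here`. Otherwise the test can keep passing on unrelated defaults while the failed-authorization limit goes unverified.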
@@ -1637,8 +1500,14 @@ func TestDeactivateAuthorization_Pausing(t *testing.T) { features.Set(features.Config{AutomaticallyPauseZombieClients: true}) defer features.Reset() - // Override the default ratelimits to only allow one failed validation. - txnBuilder, err := ratelimits.NewTransactionBuilder("testdata/one-failed-validation-before-pausing.yml", "") + // Set the default ratelimits to only allow one failed validation per 24 + // hours before pausing. + txnBuilder, err := ratelimits.NewTransactionBuilder(ratelimits.LimitConfigs{ + ratelimits.FailedAuthorizationsForPausingPerDomainPerAccount.String(): &ratelimits.LimitConfig{ + Burst: 1, + Count: 1, + Period: config.Duration{Duration: time.Hour * 24}}, + }) test.AssertNotError(t, err, "making transaction composer") ra.txnBuilder = txnBuilder 
@@ -2392,113 +2261,6 @@ func TestNewOrder_AuthzReuse_NoPending(t *testing.T) { test.AssertNotEquals(t, new.V2Authorizations[0], extant.V2Authorizations[0]) } -// mockSACountPendingFails has a CountPendingAuthorizations2 implementation -// that always returns error -type mockSACountPendingFails struct { - sapb.StorageAuthorityClient -} - -func (mock *mockSACountPendingFails) CountPendingAuthorizations2(ctx context.Context, req *sapb.RegistrationID, _ ...grpc.CallOption) (*sapb.Count, error) { - return nil, errors.New("counting is slow and boring") -} - -// Ensure that we don't bother to call the SA to count pending authorizations -// when an "unlimited" limit is set. -func TestPendingAuthorizationsUnlimited(t *testing.T) { - _, _, ra, _, _, cleanUp := initAuthorities(t) - defer cleanUp() - - ra.rlPolicies = &dummyRateLimitConfig{ - PendingAuthorizationsPerAccountPolicy: ratelimit.RateLimitPolicy{ - Threshold: 1, - Window: config.Duration{Duration: 24 * time.Hour}, - RegistrationOverrides: map[int64]int64{ - 13: -1, - }, - }, - } - - ra.SA = &mockSACountPendingFails{} - - limit := ra.rlPolicies.PendingAuthorizationsPerAccount() - err := ra.checkPendingAuthorizationLimit(context.Background(), 13, limit) - test.AssertNotError(t, err, "checking pending authorization limit") -} - -// An authority that returns nonzero failures for CountInvalidAuthorizations2, -// and also returns existing authzs for the same domain from GetAuthorizations2 -type mockInvalidPlusValidAuthzAuthority struct { - mockSAWithAuthzs - domainWithFailures string -} - -func (sa *mockInvalidPlusValidAuthzAuthority) CountInvalidAuthorizations2(ctx context.Context, req *sapb.CountInvalidAuthorizationsRequest, _ ...grpc.CallOption) (*sapb.Count, error) { - if req.DnsName == sa.domainWithFailures { - return &sapb.Count{Count: 1}, nil - } else { - return &sapb.Count{}, nil - } -} - -// Test that the failed authorizations limit is checked before authz reuse. 
-func TestNewOrderCheckFailedAuthorizationsFirst(t *testing.T) { - _, _, ra, _, clk, cleanUp := initAuthorities(t) - defer cleanUp() - - // Create an order (and thus a pending authz) for example.com - ctx := context.Background() - order, err := ra.NewOrder(ctx, &rapb.NewOrderRequest{ - RegistrationID: Registration.Id, - DnsNames: []string{"example.com"}, - }) - test.AssertNotError(t, err, "adding an initial order for regA") - test.AssertNotNil(t, order.Id, "initial order had a nil ID") - test.AssertEquals(t, numAuthorizations(order), 1) - - // Now treat example.com as if it had a recent failure, but also a valid authz. - expires := clk.Now().Add(24 * time.Hour) - ra.SA = &mockInvalidPlusValidAuthzAuthority{ - mockSAWithAuthzs: mockSAWithAuthzs{ - authzs: []*core.Authorization{ - { - ID: "1", - Identifier: identifier.NewDNS("example.com"), - RegistrationID: Registration.Id, - Expires: &expires, - Status: "valid", - Challenges: []core.Challenge{ - { - Type: core.ChallengeTypeHTTP01, - Status: core.StatusValid, - Token: core.NewToken(), - }, - }, - }, - }, - }, - domainWithFailures: "example.com", - } - - // Set a very restrictive police for invalid authorizations - one failure - // and you're done for a day. - ra.rlPolicies = &dummyRateLimitConfig{ - InvalidAuthorizationsPerAccountPolicy: ratelimit.RateLimitPolicy{ - Threshold: 1, - Window: config.Duration{Duration: 24 * time.Hour}, - }, - } - - // Creating an order for example.com should error with the "too many failed - // authorizations recently" error. 
- _, err = ra.NewOrder(ctx, &rapb.NewOrderRequest{ - RegistrationID: Registration.Id, - DnsNames: []string{"example.com"}, - }) - - test.AssertError(t, err, "expected error for domain with too many failures") - test.AssertEquals(t, err.Error(), "too many failed authorizations recently: see https://letsencrypt.org/docs/rate-limits/#authorization-failures-per-hostname-per-account") -} - // mockSAWithAuthzs has a GetAuthorizations2 method that returns the protobuf // version of its authzs struct member. It also has a fake GetOrderForNames // which always fails, and a fake NewOrderAndAuthzs which always succeeds, to 
@@ -4622,83 +4384,6 @@ func TestAdministrativelyRevokeCertificate(t *testing.T) { test.AssertError(t, err, "AdministrativelyRevokeCertificate should have failed with just serial for keyCompromise") } -func TestNewOrderRateLimitingExempt(t *testing.T) { - _, _, ra, _, _, cleanUp := initAuthorities(t) - defer cleanUp() - - // Set up a rate limit policy that allows 1 order every 5 minutes. - rateLimitDuration := 5 * time.Minute - ra.rlPolicies = &dummyRateLimitConfig{ - NewOrdersPerAccountPolicy: ratelimit.RateLimitPolicy{ - Threshold: 1, - Window: config.Duration{Duration: rateLimitDuration}, - }, - } - - exampleOrderOne := &rapb.NewOrderRequest{ - RegistrationID: Registration.Id, - DnsNames: []string{"first.example.com", "second.example.com"}, - } - exampleOrderTwo := &rapb.NewOrderRequest{ - RegistrationID: Registration.Id, - DnsNames: []string{"first.example.com", "third.example.com"}, - } - - // Create an order immediately. - _, err := ra.NewOrder(ctx, exampleOrderOne) - test.AssertNotError(t, err, "orderOne should have succeeded") - - // Create another order immediately. This should fail. - _, err = ra.NewOrder(ctx, exampleOrderTwo) - test.AssertError(t, err, "orderTwo should have failed") - - // Exempt orderTwo from rate limiting. - exampleOrderTwo.IsARIRenewal = true - _, err = ra.NewOrder(ctx, exampleOrderTwo) - test.AssertNotError(t, err, "orderTwo should have succeeded") -} - -func TestNewOrderFailedAuthzRateLimitingExempt(t *testing.T) { - _, _, ra, _, _, cleanUp := initAuthorities(t) - defer cleanUp() - - exampleOrder := &rapb.NewOrderRequest{ - RegistrationID: Registration.Id, - DnsNames: []string{"example.com"}, - } - - // Create an order, and thus a pending authz, for "example.com". 
- ctx := context.Background() - order, err := ra.NewOrder(ctx, exampleOrder) - test.AssertNotError(t, err, "adding an initial order for regA") - test.AssertNotNil(t, order.Id, "initial order had a nil ID") - test.AssertEquals(t, numAuthorizations(order), 1) - - // Mock SA that has a failed authorization for "example.com". - ra.SA = &mockInvalidPlusValidAuthzAuthority{ - mockSAWithAuthzs{authzs: []*core.Authorization{}}, - "example.com", - } - - // Set up a rate limit policy that allows 1 order every 24 hours. - ra.rlPolicies = &dummyRateLimitConfig{ - InvalidAuthorizationsPerAccountPolicy: ratelimit.RateLimitPolicy{ - Threshold: 1, - Window: config.Duration{Duration: 24 * time.Hour}, - }, - } - - // Requesting a new order for "example.com" should fail due to too many - // failed authorizations. - _, err = ra.NewOrder(ctx, exampleOrder) - test.AssertError(t, err, "expected error for domain with too many failures") - - // Exempt the order from rate limiting. - exampleOrder.IsARIRenewal = true - _, err = ra.NewOrder(ctx, exampleOrder) - test.AssertNotError(t, err, "limit exempt order should have succeeded") -} - // An authority that returns an error from NewOrderAndAuthzs if the // "ReplacesSerial" field of the request is empty. type mockNewOrderMustBeReplacementAuthority struct { diff --git a/ra/testdata/one-failed-validation-before-pausing.yml b/ra/testdata/one-failed-validation-before-pausing.yml deleted file mode 100644 index 57bf710666f..00000000000 --- a/ra/testdata/one-failed-validation-before-pausing.yml +++ /dev/null @@ -1,4 +0,0 @@ -FailedAuthorizationsForPausingPerDomainPerAccount: - count: 1 - burst: 1 - period: 24h diff --git a/ratelimits/gcra.go b/ratelimits/gcra.go index 5a6ff27b8b9..24ae21859ba 100644 --- a/ratelimits/gcra.go +++ b/ratelimits/gcra.go 
@@ -10,7 +10,7 @@ import ( // returns a Decision struct with the result of the decision and the updated // TAT. The cost must be 0 or greater and <= the burst capacity of the limit. func maybeSpend(clk clock.Clock, txn Transaction, tat time.Time) *Decision { - if txn.cost < 0 || txn.cost > txn.limit.Burst { + if txn.cost < 0 || txn.cost > txn.limit.burst { // The condition above is the union of the conditions checked in Check // and Spend methods of Limiter. If this panic is reached, it means that // the caller has introduced a bug. @@ -67,7 +67,7 @@ func maybeSpend(clk clock.Clock, txn Transaction, tat time.Time) *Decision { // or greater. A cost will only be refunded up to the burst capacity of the // limit. A partial refund is still considered successful. func maybeRefund(clk clock.Clock, txn Transaction, tat time.Time) *Decision { - if txn.cost < 0 || txn.cost > txn.limit.Burst { + if txn.cost < 0 || txn.cost > txn.limit.burst { // The condition above is checked in the Refund method of Limiter. If // this panic is reached, it means that the caller has introduced a bug. panic("invalid cost for maybeRefund") @@ -80,7 +80,7 @@ func maybeRefund(clk clock.Clock, txn Transaction, tat time.Time) *Decision { // The TAT is in the past, therefore the bucket is full. return &Decision{ allowed: false, - remaining: txn.limit.Burst, + remaining: txn.limit.burst, retryIn: time.Duration(0), resetIn: time.Duration(0), newTAT: tat, diff --git a/ratelimits/gcra_test.go b/ratelimits/gcra_test.go index 26b2ca0d082..7f9fb2ca3d2 100644 --- a/ratelimits/gcra_test.go +++ b/ratelimits/gcra_test.go 
@@ -5,13 +5,14 @@ import ( "time" "github.com/jmhodges/clock" + "github.com/letsencrypt/boulder/config" "github.com/letsencrypt/boulder/test" ) func TestDecide(t *testing.T) { clk := clock.NewFake() - limit := &limit{Burst: 10, Count: 1, Period: config.Duration{Duration: time.Second}} + limit := &limit{burst: 10, count: 1, period: config.Duration{Duration: time.Second}} limit.precompute() // Begin by using 1 of our 10 requests. @@ -138,7 +139,7 @@ func TestDecide(t *testing.T) { func TestMaybeRefund(t *testing.T) { clk := clock.NewFake() - limit := &limit{Burst: 10, Count: 1, Period: config.Duration{Duration: time.Second}} + limit := &limit{burst: 10, count: 1, period: config.Duration{Duration: time.Second}} limit.precompute() // Begin by using 1 of our 10 requests. diff --git a/ratelimits/limit.go b/ratelimits/limit.go index c6999f1aa83..16dc65ac962 100644 --- a/ratelimits/limit.go +++ b/ratelimits/limit.go @@ -15,11 +15,12 @@ import ( // currently configured. var errLimitDisabled = errors.New("limit disabled") -// limit defines the configuration for a rate limit or a rate limit override. +// LimitConfig defines the exportable configuration for a rate limit or a rate +// limit override, without a `limit`'s internal fields. // -// The zero value of this struct is invalid, because some of the fields must -// be greater than zero. -type limit struct { +// The zero value of this struct is invalid, because some of the fields must be +// greater than zero. +type LimitConfig struct { // Burst specifies maximum concurrent allowed requests at any given time. It // must be greater than zero. Burst int64 
@@ -31,6 +32,26 @@ type limit struct { // Period is the duration of time in which the count (of requests) is // allowed. It must be greater than zero. Period config.Duration +} + +type LimitConfigs map[string]*LimitConfig + +// limit defines the configuration for a rate limit or a rate limit override. +// +// The zero value of this struct is invalid, because some of the fields must +// be greater than zero. +type limit struct { + // burst specifies maximum concurrent allowed requests at any given time. It + // must be greater than zero. + burst int64 + + // count is the number of requests allowed per period. It must be greater + // than zero. + count int64 + + // period is the duration of time in which the count (of requests) is + // allowed. It must be greater than zero. + period config.Duration // name is the name of the limit. It must be one of the Name enums defined // in this package. @@ -59,19 +80,19 @@ func (l *limit) isOverride() bool { // precompute calculates the emissionInterval and burstOffset for the limit. func (l *limit) precompute() { - l.emissionInterval = l.Period.Nanoseconds() / l.Count - l.burstOffset = l.emissionInterval * l.Burst + l.emissionInterval = l.period.Nanoseconds() / l.count + l.burstOffset = l.emissionInterval * l.burst } func validateLimit(l *limit) error { - if l.Burst <= 0 { - return fmt.Errorf("invalid burst '%d', must be > 0", l.Burst) + if l.burst <= 0 { + return fmt.Errorf("invalid burst '%d', must be > 0", l.burst) } - if l.Count <= 0 { - return fmt.Errorf("invalid count '%d', must be > 0", l.Count) + if l.count <= 0 { + return fmt.Errorf("invalid count '%d', must be > 0", l.count) } - if l.Period.Duration <= 0 { - return fmt.Errorf("invalid period '%s', must be > 0", l.Period) + if l.period.Duration <= 0 { + return fmt.Errorf("invalid period '%s', must be > 0", l.period) } return nil } 
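Review bot: The exported `LimitConfigs` type is added without a doc comment, and nothing on it says what the string keys must be. The parse functions later in this file look each key up in `stringToName` and reject unknown names, and the ra tests build keys with `Name.String()`. A comment such as `// LimitConfigs maps a limit's name, as returned by Name.String(), to its configuration.` would tell callers who construct the map by hand what is accepted. It would also help to state on the type how a limit name that is absent from the map is treated, since that is not visible from this hunk.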
@@ -79,8 +100,8 @@ func validateLimit(l *limit) error { type limits map[string]*limit // loadDefaults marshals the defaults YAML file at path into a map of limits. -func loadDefaults(path string) (limits, error) { - lm := make(limits) +func loadDefaults(path string) (LimitConfigs, error) { + lm := make(LimitConfigs) data, err := os.ReadFile(path) if err != nil { return nil, err @@ -93,7 +114,7 @@ func loadDefaults(path string) (limits, error) { } type overrideYAML struct { - limit `yaml:",inline"` + LimitConfig `yaml:",inline"` // Ids is a list of ids that this override applies to. Ids []struct { Id string `yaml:"id"` 
@@ -142,30 +163,31 @@ func parseOverrideNameId(key string) (Name, string, error) { return name, id, nil } -// loadAndParseOverrideLimits loads override limits from YAML. The YAML file -// must be formatted as a list of maps, where each map has a single key -// representing the limit name and a value that is a map containing the limit -// fields and an additional 'ids' field that is a list of ids that this override -// applies to. -func loadAndParseOverrideLimits(path string) (limits, error) { - fromFile, err := loadOverrides(path) - if err != nil { - return nil, err - } +// parseOverrideLimits validates a YAML list of override limits. It must be +// formatted as a list of maps, where each map has a single key representing the +// limit name and a value that is a map containing the limit fields and an +// additional 'ids' field that is a list of ids that this override applies to. +func parseOverrideLimits(newOverridesYAML overridesYAML) (limits, error) { parsed := make(limits) - for _, ov := range fromFile { + for _, ov := range newOverridesYAML { for k, v := range ov { - limit := &v.limit - err = validateLimit(limit) - if err != nil { - return nil, fmt.Errorf("validating override limit %q: %w", k, err) - } name, ok := stringToName[k] if !ok { return nil, fmt.Errorf("unrecognized name %q in override limit, must be one of %v", k, limitNames) } - v.limit.name = name + + lim := &limit{ + burst: v.Burst, + count: v.Count, + period: v.Period, + name: name, + } + + err := validateLimit(lim) + if err != nil { + return nil, fmt.Errorf("validating override limit %q: %w", k, err) + } for _, entry := range v.Ids { id := entry.Id 
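Review bot: `lim` is built once per override entry, but the `for _, entry := range v.Ids` loop that opens at the end of this hunk and continues in the next one writes `lim.overrideKey` and stores that same pointer under every id. All ids listed under one override therefore share a single `*limit`, and its `overrideKey` ends up as the last id's key. The previous code had the same aliasing through `&v.limit`, so this is carried over rather than introduced, but the refactor is a good place to fix it. Taking a per-id copy at the top of the loop body, `perID := *lim`, then setting `perID.overrideKey` and storing `&perID`, gives each id its own key; this assumes `limit` holds only plain value fields, as the visible part of the struct suggests.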
@@ -174,42 +196,45 @@ func loadAndParseOverrideLimits(path string) (limits, error) { return nil, fmt.Errorf( "validating name %s and id %q for override limit %q: %w", name, id, k, err) } - limit.overrideKey = joinWithColon(name.EnumString(), id) + lim.overrideKey = joinWithColon(name.EnumString(), id) if name == CertificatesPerFQDNSet { // FQDNSet hashes are not a nice thing to ask for in a // config file, so we allow the user to specify a // comma-separated list of FQDNs and compute the hash here. id = fmt.Sprintf("%x", core.HashNames(strings.Split(id, ","))) } - limit.precompute() - parsed[joinWithColon(name.EnumString(), id)] = limit + lim.precompute() + parsed[joinWithColon(name.EnumString(), id)] = lim } } } return parsed, nil } -// loadAndParseDefaultLimits loads default limits from YAML, validates them, and -// parses them into a map of limits keyed by 'Name'. -func loadAndParseDefaultLimits(path string) (limits, error) { - fromFile, err := loadDefaults(path) - if err != nil { - return nil, err - } - parsed := make(limits, len(fromFile)) +// parseDefaultLimits validates a map of default limits and rekeys it by 'Name'. +func parseDefaultLimits(newDefaultLimits LimitConfigs) (limits, error) { + parsed := make(limits) - for k, v := range fromFile { - err := validateLimit(v) - if err != nil { - return nil, fmt.Errorf("parsing default limit %q: %w", k, err) - } + for k, v := range newDefaultLimits { name, ok := stringToName[k] if !ok { return nil, fmt.Errorf("unrecognized name %q in default limit, must be one of %v", k, limitNames) } - v.name = name - v.precompute() - parsed[name.EnumString()] = v + + lim := &limit{ + burst: v.Burst, + count: v.Count, + period: v.Period, + name: name, + } + + err := validateLimit(lim) + if err != nil { + return nil, fmt.Errorf("parsing default limit %q: %w", k, err) + } + + lim.precompute() + parsed[name.EnumString()] = lim } return parsed, nil } 
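Review bot: `parseDefaultLimits` reads `v.Burst`, `v.Count` and `v.Period` without checking `v` for nil. `LimitConfigs` is a `map[string]*LimitConfig` that callers now build directly (the ra tests do so through `NewTransactionBuilder`), so a nil entry would panic rather than produce a configuration error. A guard before constructing `lim`, `if v == nil { return nil, fmt.Errorf("default limit %q has no configuration", k) }`, keeps the failure on the error path like the other validation cases. The first part of this hunk belongs to `parseOverrideLimits`, whose body starts in the preceding hunk.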
@@ -222,26 +247,39 @@ type limitRegistry struct { overrides limits } -func newLimitRegistry(defaults, overrides string) (*limitRegistry, error) { - var err error - registry := &limitRegistry{} - registry.defaults, err = loadAndParseDefaultLimits(defaults) +func newLimitRegistryFromFiles(defaults, overrides string) (*limitRegistry, error) { + defaultsData, err := loadDefaults(defaults) if err != nil { return nil, err } if overrides == "" { - // No overrides specified, initialize an empty map. - registry.overrides = make(limits) - return registry, nil + return newLimitRegistry(defaultsData, nil) + } + + overridesData, err := loadOverrides(overrides) + if err != nil { + return nil, err + } + + return newLimitRegistry(defaultsData, overridesData) +} + +func newLimitRegistry(defaults LimitConfigs, overrides overridesYAML) (*limitRegistry, error) { + regDefaults, err := parseDefaultLimits(defaults) + if err != nil { + return nil, err } - registry.overrides, err = loadAndParseOverrideLimits(overrides) + regOverrides, err := parseOverrideLimits(overrides) if err != nil { return nil, err } - return registry, nil + return &limitRegistry{ + defaults: regDefaults, + overrides: regOverrides, + }, nil } // getLimit returns the limit for the specified by name and bucketKey, name is diff --git a/ratelimits/limit_test.go b/ratelimits/limit_test.go index 805a97e4cca..56cecc37a89 100644 --- a/ratelimits/limit_test.go +++ b/ratelimits/limit_test.go 
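Review bot: Neither `newLimitRegistryFromFiles` nor `newLimitRegistry` carries a doc comment, and the old inline comment explaining the empty-overrides case was dropped with the rewrite. I would add `// newLimitRegistryFromFiles loads defaults and, when the overrides path is non-empty, overrides from YAML and builds a registry from them.` and `// newLimitRegistry validates and parses the given defaults and overrides; nil overrides yields an empty override set.` The second constructor also accepts a nil or empty `defaults` map and returns a registry with no default limits. If that is only meant for tests, it is worth saying so in the comment or rejecting it, since a limiter built that way would have nothing to enforce.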
@@ -9,6 +9,32 @@ import ( "github.com/letsencrypt/boulder/test" ) +// loadAndParseDefaultLimits is a helper that calls both loadDefaults and +// parseDefaultLimits to handle a YAML file. +// +// TODO(#7901): Update the tests to test these functions individually. +func loadAndParseDefaultLimits(path string) (limits, error) { + fromFile, err := loadDefaults(path) + if err != nil { + return nil, err + } + + return parseDefaultLimits(fromFile) +} + +// loadAndParseOverrideLimits is a helper that calls both loadOverrides and +// parseOverrideLimits to handle a YAML file. +// +// TODO(#7901): Update the tests to test these functions individually. +func loadAndParseOverrideLimits(path string) (limits, error) { + fromFile, err := loadOverrides(path) + if err != nil { + return nil, err + } + + return parseOverrideLimits(fromFile) +} + func TestParseOverrideNameId(t *testing.T) { // 'enum:ipv4' // Valid IPv4 address. @@ -42,14 +68,14 @@ func TestParseOverrideNameId(t *testing.T) { } func TestValidateLimit(t *testing.T) { - err := validateLimit(&limit{Burst: 1, Count: 1, Period: config.Duration{Duration: time.Second}}) + err := validateLimit(&limit{burst: 1, count: 1, period: config.Duration{Duration: time.Second}}) test.AssertNotError(t, err, "valid limit") // All of the following are invalid. for _, l := range []*limit{ - {Burst: 0, Count: 1, Period: config.Duration{Duration: time.Second}}, - {Burst: 1, Count: 0, Period: config.Duration{Duration: time.Second}}, - {Burst: 1, Count: 1, Period: config.Duration{Duration: 0}}, + {burst: 0, count: 1, period: config.Duration{Duration: time.Second}}, + {burst: 1, count: 0, period: config.Duration{Duration: time.Second}}, + {burst: 1, count: 1, period: config.Duration{Duration: 0}}, } { err = validateLimit(l) test.AssertError(t, err, "limit should be invalid") 
@@ -61,29 +87,29 @@ func TestLoadAndParseOverrideLimits(t *testing.T) { l, err := loadAndParseOverrideLimits("testdata/working_override.yml") test.AssertNotError(t, err, "valid single override limit") expectKey := joinWithColon(NewRegistrationsPerIPAddress.EnumString(), "10.0.0.2") - test.AssertEquals(t, l[expectKey].Burst, int64(40)) - test.AssertEquals(t, l[expectKey].Count, int64(40)) - test.AssertEquals(t, l[expectKey].Period.Duration, time.Second) + test.AssertEquals(t, l[expectKey].burst, int64(40)) + test.AssertEquals(t, l[expectKey].count, int64(40)) + test.AssertEquals(t, l[expectKey].period.Duration, time.Second) // Load single valid override limit with a 'domain' Id. l, err = loadAndParseOverrideLimits("testdata/working_override_regid_domain.yml") test.AssertNotError(t, err, "valid single override limit with Id of regId:domain") expectKey = joinWithColon(CertificatesPerDomain.EnumString(), "example.com") - test.AssertEquals(t, l[expectKey].Burst, int64(40)) - test.AssertEquals(t, l[expectKey].Count, int64(40)) - test.AssertEquals(t, l[expectKey].Period.Duration, time.Second) + test.AssertEquals(t, l[expectKey].burst, int64(40)) + test.AssertEquals(t, l[expectKey].count, int64(40)) + test.AssertEquals(t, l[expectKey].period.Duration, time.Second) // Load multiple valid override limits with 'regId' Ids. 
l, err = loadAndParseOverrideLimits("testdata/working_overrides.yml") test.AssertNotError(t, err, "multiple valid override limits") expectKey1 := joinWithColon(NewRegistrationsPerIPAddress.EnumString(), "10.0.0.2") - test.AssertEquals(t, l[expectKey1].Burst, int64(40)) - test.AssertEquals(t, l[expectKey1].Count, int64(40)) - test.AssertEquals(t, l[expectKey1].Period.Duration, time.Second) + test.AssertEquals(t, l[expectKey1].burst, int64(40)) + test.AssertEquals(t, l[expectKey1].count, int64(40)) + test.AssertEquals(t, l[expectKey1].period.Duration, time.Second) expectKey2 := joinWithColon(NewRegistrationsPerIPv6Range.EnumString(), "2001:0db8:0000::/48") - test.AssertEquals(t, l[expectKey2].Burst, int64(50)) - test.AssertEquals(t, l[expectKey2].Count, int64(50)) - test.AssertEquals(t, l[expectKey2].Period.Duration, time.Second*2) + test.AssertEquals(t, l[expectKey2].burst, int64(50)) + test.AssertEquals(t, l[expectKey2].count, int64(50)) + test.AssertEquals(t, l[expectKey2].period.Duration, time.Second*2) // Load multiple valid override limits with 'fqdnSet' Ids, as follows: // - CertificatesPerFQDNSet:example.com 
@@ -97,15 +123,15 @@ func TestLoadAndParseOverrideLimits(t *testing.T) { test.AssertNotError(t, err, "valid fqdnSet with three domains should not fail") l, err = loadAndParseOverrideLimits("testdata/working_overrides_regid_fqdnset.yml") test.AssertNotError(t, err, "multiple valid override limits with 'fqdnSet' Ids") - test.AssertEquals(t, l[firstEntryKey].Burst, int64(40)) - test.AssertEquals(t, l[firstEntryKey].Count, int64(40)) - test.AssertEquals(t, l[firstEntryKey].Period.Duration, time.Second) - test.AssertEquals(t, l[secondEntryKey].Burst, int64(50)) - test.AssertEquals(t, l[secondEntryKey].Count, int64(50)) - test.AssertEquals(t, l[secondEntryKey].Period.Duration, time.Second*2) - test.AssertEquals(t, l[thirdEntryKey].Burst, int64(60)) - test.AssertEquals(t, l[thirdEntryKey].Count, int64(60)) - test.AssertEquals(t, l[thirdEntryKey].Period.Duration, time.Second*3) + test.AssertEquals(t, l[firstEntryKey].burst, int64(40)) + test.AssertEquals(t, l[firstEntryKey].count, int64(40)) + test.AssertEquals(t, l[firstEntryKey].period.Duration, time.Second) + test.AssertEquals(t, l[secondEntryKey].burst, int64(50)) + test.AssertEquals(t, l[secondEntryKey].count, int64(50)) + test.AssertEquals(t, l[secondEntryKey].period.Duration, time.Second*2) + test.AssertEquals(t, l[thirdEntryKey].burst, int64(60)) + test.AssertEquals(t, l[thirdEntryKey].count, int64(60)) + test.AssertEquals(t, l[thirdEntryKey].period.Duration, time.Second*3) // Path is empty string. _, err = loadAndParseOverrideLimits("") 
@@ -152,19 +178,19 @@ func TestLoadAndParseDefaultLimits(t *testing.T) {
 // Load a single valid default limit.
 l, err := loadAndParseDefaultLimits("testdata/working_default.yml")
 test.AssertNotError(t, err, "valid single default limit")
- test.AssertEquals(t, l[NewRegistrationsPerIPAddress.EnumString()].Burst, int64(20))
- test.AssertEquals(t, l[NewRegistrationsPerIPAddress.EnumString()].Count, int64(20))
- test.AssertEquals(t, l[NewRegistrationsPerIPAddress.EnumString()].Period.Duration, time.Second)
+ test.AssertEquals(t, l[NewRegistrationsPerIPAddress.EnumString()].burst, int64(20))
+ test.AssertEquals(t, l[NewRegistrationsPerIPAddress.EnumString()].count, int64(20))
+ test.AssertEquals(t, l[NewRegistrationsPerIPAddress.EnumString()].period.Duration, time.Second)
 // Load multiple valid default limits.
 l, err = loadAndParseDefaultLimits("testdata/working_defaults.yml")
 test.AssertNotError(t, err, "multiple valid default limits")
- test.AssertEquals(t, l[NewRegistrationsPerIPAddress.EnumString()].Burst, int64(20))
- test.AssertEquals(t, l[NewRegistrationsPerIPAddress.EnumString()].Count, int64(20))
- test.AssertEquals(t, l[NewRegistrationsPerIPAddress.EnumString()].Period.Duration, time.Second)
- test.AssertEquals(t, l[NewRegistrationsPerIPv6Range.EnumString()].Burst, int64(30))
- test.AssertEquals(t, l[NewRegistrationsPerIPv6Range.EnumString()].Count, int64(30))
- test.AssertEquals(t, l[NewRegistrationsPerIPv6Range.EnumString()].Period.Duration, time.Second*2)
+ test.AssertEquals(t, l[NewRegistrationsPerIPAddress.EnumString()].burst, int64(20))
+ test.AssertEquals(t, l[NewRegistrationsPerIPAddress.EnumString()].count, int64(20))
+ test.AssertEquals(t, l[NewRegistrationsPerIPAddress.EnumString()].period.Duration, time.Second)
+ test.AssertEquals(t, l[NewRegistrationsPerIPv6Range.EnumString()].burst, int64(30))
+ test.AssertEquals(t, l[NewRegistrationsPerIPv6Range.EnumString()].count, int64(30))
+ test.AssertEquals(t,
l[NewRegistrationsPerIPv6Range.EnumString()].period.Duration, time.Second*2)
 // Path is empty string.
 _, err = loadAndParseDefaultLimits("")
diff --git a/ratelimits/limiter.go b/ratelimits/limiter.go
index 0654787b6ec..ef119d1819a 100644
--- a/ratelimits/limiter.go
+++ b/ratelimits/limiter.go
@@ -117,8 +117,8 @@ func (d *Decision) Result(now time.Time) error {
 return berrors.RegistrationsPerIPAddressError(
 retryAfter,
 "too many new registrations (%d) from this IP address in the last %s, retry after %s",
- d.transaction.limit.Burst,
- d.transaction.limit.Period.Duration,
+ d.transaction.limit.burst,
+ d.transaction.limit.period.Duration,
 retryAfterTs,
 )
@@ -126,16 +126,16 @@ func (d *Decision) Result(now time.Time) error {
 return berrors.RegistrationsPerIPv6RangeError(
 retryAfter,
 "too many new registrations (%d) from this /48 subnet of IPv6 addresses in the last %s, retry after %s",
- d.transaction.limit.Burst,
- d.transaction.limit.Period.Duration,
+ d.transaction.limit.burst,
+ d.transaction.limit.period.Duration,
 retryAfterTs,
 )
 case NewOrdersPerAccount:
 return berrors.NewOrdersPerAccountError(
 retryAfter,
 "too many new orders (%d) from this account in the last %s, retry after %s",
- d.transaction.limit.Burst,
- d.transaction.limit.Period.Duration,
+ d.transaction.limit.burst,
+ d.transaction.limit.period.Duration,
 retryAfterTs,
 )
@@ -149,9 +149,9 @@ func (d *Decision) Result(now time.Time) error {
 return berrors.FailedAuthorizationsPerDomainPerAccountError(
 retryAfter,
 "too many failed authorizations (%d) for %q in the last %s, retry after %s",
- d.transaction.limit.Burst,
+ d.transaction.limit.burst,
 domain,
- d.transaction.limit.Period.Duration,
+ d.transaction.limit.period.Duration,
 retryAfterTs,
 )
@@ -165,9 +165,9 @@ func (d *Decision) Result(now time.Time) error {
 return berrors.CertificatesPerDomainError(
 retryAfter,
 "too many certificates (%d) already issued for %q in the last %s, retry after %s",
- d.transaction.limit.Burst,
+ d.transaction.limit.burst,
 domain,
- d.transaction.limit.Period.Duration,
+ d.transaction.limit.period.Duration,
 retryAfterTs,
 )
@@ -175,8 +175,8 @@ func (d *Decision) Result(now time.Time) error {
 return berrors.CertificatesPerFQDNSetError(
 retryAfter,
 "too many certificates (%d) already issued for this exact set of domains in the last %s, retry after %s",
- d.transaction.limit.Burst,
- d.transaction.limit.Period.Duration,
+ d.transaction.limit.burst,
+ d.transaction.limit.period.Duration,
 retryAfterTs,
 )
@@ -285,7 +285,7 @@ func (l *Limiter) BatchSpend(ctx context.Context, txns []Transaction) (*Decision
 d := maybeSpend(l.clk, txn, storedTAT)
 if txn.limit.isOverride() {
- utilization := float64(txn.limit.Burst-d.remaining) / float64(txn.limit.Burst)
+ utilization := float64(txn.limit.burst-d.remaining) / float64(txn.limit.burst)
 l.overrideUsageGauge.WithLabelValues(txn.limit.name.String(), txn.limit.overrideKey).Set(utilization)
 }
diff --git a/ratelimits/limiter_test.go b/ratelimits/limiter_test.go
index cf18fe271f5..902f4c13435 100644
--- a/ratelimits/limiter_test.go
+++ b/ratelimits/limiter_test.go
@@ -32,7 +32,7 @@ func newTestLimiter(t *testing.T, s Source, clk clock.FakeClock) *Limiter {
 // - 'NewRegistrationsPerIPAddress' burst: 20 count: 20 period: 1s
 // - 'NewRegistrationsPerIPAddress:10.0.0.2' burst: 40 count: 40 period: 1s
 func newTestTransactionBuilder(t *testing.T) *TransactionBuilder {
- c, err := NewTransactionBuilder("testdata/working_default.yml", "testdata/working_override.yml")
+ c, err := NewTransactionBuilderFromFiles("testdata/working_default.yml", "testdata/working_override.yml")
 test.AssertNotError(t, err, "should not error")
 return c
 }
@@ -484,8 +484,8 @@ func TestRateLimitError(t *testing.T) {
 transaction: Transaction{
 limit: &limit{
 name: NewRegistrationsPerIPAddress,
- Burst: 10,
- Period: config.Duration{Duration: time.Hour},
+ burst: 10,
+ period: config.Duration{Duration: time.Hour},
 },
 },
 },
@@ -500,8 +500,8 @@ func TestRateLimitError(t *testing.T) {
 transaction: Transaction{
 limit: &limit{
 name: NewRegistrationsPerIPv6Range,
- Burst: 5,
- Period: config.Duration{Duration: time.Hour},
+ burst: 5,
+ period: config.Duration{Duration: time.Hour},
 },
 },
 },
@@ -516,8 +516,8 @@ func TestRateLimitError(t *testing.T) {
 transaction: Transaction{
 limit: &limit{
 name: NewOrdersPerAccount,
- Burst: 2,
- Period: config.Duration{Duration: time.Hour},
+ burst: 2,
+ period: config.Duration{Duration: time.Hour},
 },
 },
 },
@@ -532,8 +532,8 @@ func TestRateLimitError(t *testing.T) {
 transaction: Transaction{
 limit: &limit{
 name: FailedAuthorizationsPerDomainPerAccount,
- Burst: 7,
- Period: config.Duration{Duration: time.Hour},
+ burst: 7,
+ period: config.Duration{Duration: time.Hour},
 },
 bucketKey: "4:12345:example.com",
 },
@@ -549,8 +549,8 @@ func TestRateLimitError(t *testing.T) {
 transaction: Transaction{
 limit: &limit{
 name: CertificatesPerDomain,
- Burst: 3,
- Period: config.Duration{Duration: time.Hour},
+ burst: 3,
+ period: config.Duration{Duration: time.Hour},
 },
 bucketKey: "5:example.org",
 },
@@ -566,8 +566,8 @@ func TestRateLimitError(t *testing.T) {
 transaction: Transaction{
 limit: &limit{
 name: CertificatesPerDomainPerAccount,
- Burst: 3,
- Period: config.Duration{Duration: time.Hour},
+ burst: 3,
+ period: config.Duration{Duration: time.Hour},
 },
 bucketKey: "6:12345678:example.net",
 },
diff --git a/ratelimits/transaction.go b/ratelimits/transaction.go
index fc5df72c547..b5fd1653269 100644
--- a/ratelimits/transaction.go
+++ b/ratelimits/transaction.go
@@ -129,7 +129,7 @@ func validateTransaction(txn Transaction) (Transaction, error) {
 if txn.cost < 0 {
 return Transaction{}, ErrInvalidCost
 }
- if txn.limit.Burst == 0 {
+ if txn.limit.burst == 0 {
 // This should never happen. If the limit was loaded from a file,
 // Burst was validated then. If this is a zero-valued Transaction
 // (that is, an allow-only transaction), then validateTransaction
@@ -137,7 +137,7 @@ func validateTransaction(txn Transaction) (Transaction, error) {
 // valid.
 return Transaction{}, fmt.Errorf("invalid limit, burst must be > 0")
 }
- if txn.cost > txn.limit.Burst {
+ if txn.cost > txn.limit.burst {
 return Transaction{}, ErrInvalidCostOverLimit
 }
 return txn, nil
@@ -183,12 +183,23 @@ type TransactionBuilder struct {
 *limitRegistry
 }
+// NewTransactionBuilderFromFiles returns a new *TransactionBuilder. The
+// provided defaults and overrides paths are expected to be paths to YAML files
+// that contain the default and override limits, respectively. Overrides is
+// optional, defaults is required.
+func NewTransactionBuilderFromFiles(defaults, overrides string) (*TransactionBuilder, error) {
+ registry, err := newLimitRegistryFromFiles(defaults, overrides)
+ if err != nil {
+ return nil, err
+ }
+ return &TransactionBuilder{registry}, nil
+}
+
 // NewTransactionBuilder returns a new *TransactionBuilder. The provided
-// defaults and overrides paths are expected to be paths to YAML files that
-// contain the default and override limits, respectively. Overrides is optional,
-// defaults is required.
-func NewTransactionBuilder(defaults, overrides string) (*TransactionBuilder, error) {
- registry, err := newLimitRegistry(defaults, overrides)
+// defaults map is expected to contain default limit data. Overrides are not
+// supported. Defaults is required.
+func NewTransactionBuilder(defaults LimitConfigs) (*TransactionBuilder, error) {
+ registry, err := newLimitRegistry(defaults, nil)
 if err != nil {
 return nil, err
 }
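Review bot: The context comment in validateTransaction (first hunk of ratelimits/transaction.go) still justifies the `burst == 0` branch with "If the limit was loaded from a file, Burst was validated then", but the last hunk adds `NewTransactionBuilder(defaults LimitConfigs)`, which builds limits from an in-memory map rather than a file. Whether `newLimitRegistry` applies the same validation to that map is not visible in this diff; if it does, the comment should cover both sources and use the renamed field, e.g. `// If the limit was loaded from a file or a LimitConfigs map, burst was validated then.` The new doc comment says "Defaults is required" without stating what is returned for a nil or empty map, which is worth one more sentence there. validateTransaction starts and ends outside these hunks.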
diff --git a/ratelimits/transaction_test.go b/ratelimits/transaction_test.go
index f8003e2f404..8cf0b798a1e 100644
--- a/ratelimits/transaction_test.go
+++ b/ratelimits/transaction_test.go
@@ -5,17 +5,19 @@ import (
 "net"
 "sort"
 "testing"
+ "time"
+ "github.com/letsencrypt/boulder/config"
 "github.com/letsencrypt/boulder/core"
 "github.com/letsencrypt/boulder/test"
 )
-func TestNewTransactionBuilder_WithBadLimitsPath(t *testing.T) {
+func TestNewTransactionBuilderFromFiles_WithBadLimitsPath(t *testing.T) {
 t.Parallel()
- _, err := NewTransactionBuilder("testdata/does-not-exist.yml", "")
+ _, err := NewTransactionBuilderFromFiles("testdata/does-not-exist.yml", "")
 test.AssertError(t, err, "should error")
- _, err = NewTransactionBuilder("testdata/defaults.yml", "testdata/does-not-exist.yml")
+ _, err = NewTransactionBuilderFromFiles("testdata/defaults.yml", "testdata/does-not-exist.yml")
 test.AssertError(t, err, "should error")
 }
@@ -29,7 +31,7 @@ func sortTransactions(txns []Transaction) []Transaction {
 func TestNewRegistrationsPerIPAddressTransactions(t *testing.T) {
 t.Parallel()
- tb, err := NewTransactionBuilder("../test/config-next/wfe2-ratelimit-defaults.yml", "")
+ tb, err := NewTransactionBuilderFromFiles("../test/config-next/wfe2-ratelimit-defaults.yml", "")
 test.AssertNotError(t, err, "creating TransactionBuilder")
 // A check-and-spend transaction for the global limit.
@@ -42,7 +44,7 @@ func TestNewRegistrationsPerIPAddressTransactions(t *testing.T) {
 func TestNewRegistrationsPerIPv6AddressTransactions(t *testing.T) {
 t.Parallel()
- tb, err := NewTransactionBuilder("../test/config-next/wfe2-ratelimit-defaults.yml", "")
+ tb, err := NewTransactionBuilderFromFiles("../test/config-next/wfe2-ratelimit-defaults.yml", "")
 test.AssertNotError(t, err, "creating TransactionBuilder")
 // A check-and-spend transaction for the global limit.
@@ -55,7 +57,7 @@ func TestNewRegistrationsPerIPv6AddressTransactions(t *testing.T) {
 func TestNewOrdersPerAccountTransactions(t *testing.T) {
 t.Parallel()
- tb, err := NewTransactionBuilder("../test/config-next/wfe2-ratelimit-defaults.yml", "")
+ tb, err := NewTransactionBuilderFromFiles("../test/config-next/wfe2-ratelimit-defaults.yml", "")
 test.AssertNotError(t, err, "creating TransactionBuilder")
 // A check-and-spend transaction for the global limit.
@@ -68,7 +70,7 @@ func TestNewOrdersPerAccountTransactions(t *testing.T) {
 func TestFailedAuthorizationsPerDomainPerAccountTransactions(t *testing.T) {
 t.Parallel()
- tb, err := NewTransactionBuilder("../test/config-next/wfe2-ratelimit-defaults.yml", "testdata/working_override_13371338.yml")
+ tb, err := NewTransactionBuilderFromFiles("../test/config-next/wfe2-ratelimit-defaults.yml", "testdata/working_override_13371338.yml")
 test.AssertNotError(t, err, "creating TransactionBuilder")
 // A check-only transaction for the default per-account limit.
@@ -105,7 +107,7 @@ func TestFailedAuthorizationsPerDomainPerAccountTransactions(t *testing.T) {
 func TestFailedAuthorizationsForPausingPerDomainPerAccountTransactions(t *testing.T) {
 t.Parallel()
- tb, err := NewTransactionBuilder("../test/config-next/wfe2-ratelimit-defaults.yml", "testdata/working_override_13371338.yml")
+ tb, err := NewTransactionBuilderFromFiles("../test/config-next/wfe2-ratelimit-defaults.yml", "testdata/working_override_13371338.yml")
 test.AssertNotError(t, err, "creating TransactionBuilder")
 // A transaction for the per-account limit override.
@@ -119,7 +121,7 @@ func TestFailedAuthorizationsForPausingPerDomainPerAccountTransactions(t *testin
 func TestCertificatesPerDomainTransactions(t *testing.T) {
 t.Parallel()
- tb, err := NewTransactionBuilder("../test/config-next/wfe2-ratelimit-defaults.yml", "")
+ tb, err := NewTransactionBuilderFromFiles("../test/config-next/wfe2-ratelimit-defaults.yml", "")
 test.AssertNotError(t, err, "creating TransactionBuilder")
 // One check-only transaction for the global limit.
@@ -140,7 +142,7 @@ func TestCertificatesPerDomainTransactions(t *testing.T) {
 func TestCertificatesPerDomainPerAccountTransactions(t *testing.T) {
 t.Parallel()
- tb, err := NewTransactionBuilder("../test/config-next/wfe2-ratelimit-defaults.yml", "testdata/working_override_13371338.yml")
+ tb, err := NewTransactionBuilderFromFiles("../test/config-next/wfe2-ratelimit-defaults.yml", "testdata/working_override_13371338.yml")
 test.AssertNotError(t, err, "creating TransactionBuilder")
 // We only expect a single check-only transaction for the per-account limit
@@ -191,7 +193,7 @@ func TestCertificatesPerDomainPerAccountTransactions(t *testing.T) {
 func TestCertificatesPerFQDNSetTransactions(t *testing.T) {
 t.Parallel()
- tb, err := NewTransactionBuilder("../test/config-next/wfe2-ratelimit-defaults.yml", "")
+ tb, err := NewTransactionBuilderFromFiles("../test/config-next/wfe2-ratelimit-defaults.yml", "")
 test.AssertNotError(t, err, "creating TransactionBuilder")
 // A single check-only transaction for the global limit.
@@ -202,3 +204,25 @@ func TestCertificatesPerFQDNSetTransactions(t *testing.T) {
 test.Assert(t, txn.checkOnly(), "should be check-only")
 test.Assert(t, !txn.limit.isOverride(), "should not be an override")
 }
+
+func TestNewTransactionBuilder(t *testing.T) {
+ t.Parallel()
+
+ expectedBurst := int64(10000)
+ expectedCount := int64(10000)
+ expectedPeriod := config.Duration{Duration: time.Hour * 168}
+
+ tb, err := NewTransactionBuilder(LimitConfigs{
+ NewRegistrationsPerIPAddress.String(): &LimitConfig{
+ Burst: expectedBurst,
+ Count: expectedCount,
+ Period: expectedPeriod},
+ })
+ test.AssertNotError(t, err, "creating TransactionBuilder")
+
+ newRegDefault, ok := tb.limitRegistry.defaults[NewRegistrationsPerIPAddress.EnumString()]
+ test.Assert(t, ok, "NewRegistrationsPerIPAddress was not populated in registry")
+ test.AssertEquals(t, newRegDefault.burst, expectedBurst)
+ test.AssertEquals(t, newRegDefault.count, expectedCount)
+ test.AssertEquals(t, newRegDefault.period, expectedPeriod)
+}
diff --git a/wfe2/wfe.go b/wfe2/wfe.go
index 19063b7cd2f..75768ea1e6b 100644
--- a/wfe2/wfe.go
+++ b/wfe2/wfe.go
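Review bot: TestNewTransactionBuilder pins only the accepting path of the new map-based constructor, while its doc comment states that defaults is required. A rate-limit registry that silently accepts a nil map or a zero-valued limit ends up enforcing nothing, so the rejection paths deserve assertions too, for example `_, err = NewTransactionBuilder(nil)` followed by `test.AssertError(t, err, "nil defaults should error")`, and the same for a `LimitConfig` with `Burst: 0`. Whether newLimitRegistry currently rejects those inputs is not visible in this diff, so the expected outcome should be confirmed against it first.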
@@ -2406,14 +2406,17 @@ func (wfe *WebFrontEndImpl) NewOrder(
 return
 }
- refundLimits, err := wfe.checkNewOrderLimits(ctx, acct.ID, names, isRenewal)
- if err != nil && features.Get().UseKvLimitsForNewOrder {
- if errors.Is(err, berrors.RateLimit) {
- wfe.sendError(response, logEvent, probs.RateLimited(err.Error()), err)
- return
- } else {
- wfe.sendError(response, logEvent, web.ProblemDetailsForError(err, "While checking rate limits"), err)
- return
+ refundLimits := func() {}
+ if !isARIRenewal {
+ refundLimits, err = wfe.checkNewOrderLimits(ctx, acct.ID, names, isRenewal || isARIRenewal)
+ if err != nil && features.Get().UseKvLimitsForNewOrder {
+ if errors.Is(err, berrors.RateLimit) {
+ wfe.sendError(response, logEvent, probs.RateLimited(err.Error()), err)
+ return
+ } else {
+ wfe.sendError(response, logEvent, web.ProblemDetailsForError(err, "While checking rate limits"), err)
+ return
+ }
 }
 }
diff --git a/wfe2/wfe_test.go b/wfe2/wfe_test.go
index c8229f58a7f..a49a31c915a 100644
--- a/wfe2/wfe_test.go
+++ b/wfe2/wfe_test.go
@@ -36,6 +36,7 @@ import (
 "google.golang.org/protobuf/types/known/timestamppb"
 "github.com/letsencrypt/boulder/cmd"
+ "github.com/letsencrypt/boulder/config"
 "github.com/letsencrypt/boulder/core"
 corepb "github.com/letsencrypt/boulder/core/proto"
 berrors "github.com/letsencrypt/boulder/errors"
@@ -410,7 +411,7 @@ func setupWFE(t *testing.T) (WebFrontEndImpl, clock.FakeClock, requestSigner) {
 // Setup rate limiting.
 limiter, err := ratelimits.NewLimiter(fc, ratelimits.NewInmemSource(), stats)
 test.AssertNotError(t, err, "making limiter")
- txnBuilder, err := ratelimits.NewTransactionBuilder("../test/config-next/wfe2-ratelimit-defaults.yml", "")
+ txnBuilder, err := ratelimits.NewTransactionBuilderFromFiles("../test/config-next/wfe2-ratelimit-defaults.yml", "")
 test.AssertNotError(t, err, "making transaction composer")
 unpauseSigner, err := unpause.NewJWTSigner(cmd.HMACKeyConfig{KeyFile: "../test/secrets/sfe_unpause_key"})
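Review bot: In the wfe2/wfe.go hunk, the argument `isRenewal || isARIRenewal` sits inside `if !isARIRenewal`, so it always evaluates to `isRenewal`; the call reads more honestly as `refundLimits, err = wfe.checkNewOrderLimits(ctx, acct.ID, names, isRenewal)`. The new branch also makes `isARIRenewal` the only gate on an order path that skips every new-order limit, and its computation lies outside this hunk, as does the rest of NewOrder. A comment above the branch should record what that flag guarantees, e.g. `// ARI renewals skip all new-order limits; isARIRenewal is only true after the Replaces certificate was validated for this account.`, with the wording confirmed against the code that sets it.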
@@ -4224,20 +4225,26 @@ func Test_sendErrorInternalServerError(t *testing.T) {
 test.AssertEquals(t, testResponse.Header().Get("Retry-After"), "60")
 }
-type mockSA struct {
+// mockSAForARI provides a mock SA with the methods required for an issuance and
+// a renewal with the ARI `Replaces` field.
+type mockSAForARI struct {
 sapb.StorageAuthorityReadOnlyClient
 cert *corepb.Certificate
 }
+func (sa *mockSAForARI) FQDNSetExists(ctx context.Context, in *sapb.FQDNSetExistsRequest, opts ...grpc.CallOption) (*sapb.Exists, error) {
+ return &sapb.Exists{Exists: false}, nil
+}
+
 // GetCertificate returns the inner certificate if it matches the given serial.
-func (sa *mockSA) GetCertificate(ctx context.Context, req *sapb.Serial, _ ...grpc.CallOption) (*corepb.Certificate, error) {
+func (sa *mockSAForARI) GetCertificate(ctx context.Context, req *sapb.Serial, _ ...grpc.CallOption) (*corepb.Certificate, error) {
 if req.Serial == sa.cert.Serial {
 return sa.cert, nil
 }
 return nil, berrors.NotFoundError("certificate with serial %q not found", req.Serial)
 }
-func (sa *mockSA) ReplacementOrderExists(ctx context.Context, in *sapb.Serial, opts ...grpc.CallOption) (*sapb.Exists, error) {
+func (sa *mockSAForARI) ReplacementOrderExists(ctx context.Context, in *sapb.Serial, opts ...grpc.CallOption) (*sapb.Exists, error) {
 if in.Serial == sa.cert.Serial {
 return &sapb.Exists{Exists: false}, nil
@@ -4245,11 +4252,11 @@ func (sa *mockSA) ReplacementOrderExists(ctx context.Context, in *sapb.Serial, o
 return &sapb.Exists{Exists: true}, nil
 }
-func (sa *mockSA) IncidentsForSerial(ctx context.Context, in *sapb.Serial, opts ...grpc.CallOption) (*sapb.Incidents, error) {
+func (sa *mockSAForARI) IncidentsForSerial(ctx context.Context, in *sapb.Serial, opts ...grpc.CallOption) (*sapb.Incidents, error) {
 return &sapb.Incidents{}, nil
 }
-func (sa *mockSA) GetCertificateStatus(ctx context.Context, in *sapb.Serial, opts ...grpc.CallOption) (*corepb.CertificateStatus, error) {
+func (sa *mockSAForARI) GetCertificateStatus(ctx context.Context, in *sapb.Serial, opts ...grpc.CallOption) (*corepb.CertificateStatus, error) {
 return &corepb.CertificateStatus{Serial: in.Serial, Status: string(core.OCSPStatusGood)}, nil
 }
@@ -4267,7 +4274,7 @@ func TestOrderMatchesReplacement(t *testing.T) {
 mockDer, err := x509.CreateCertificate(rand.Reader, &rawCert, &rawCert, &testKey.PublicKey, testKey)
 test.AssertNotError(t, err, "failed to create test certificate")
- wfe.sa = &mockSA{
+ wfe.sa = &mockSAForARI{
 cert: &corepb.Certificate{
 RegistrationID: 1,
 Serial: expectSerial.String(),
@@ -4414,9 +4421,10 @@ func TestCountNewOrderWithReplaces(t *testing.T) {
 wfe, _, signer := setupWFE(t)
 expectExpiry := time.Now().AddDate(0, 0, 1)
- var expectAKID []byte
+ // Pick a random issuer to "issue" expectCert.
+ var issuer *issuance.Certificate
 for _, v := range wfe.issuerCertificates {
- expectAKID = v.SubjectKeyId
+ issuer = v
 break
 }
 testKey, _ := rsa.GenerateKey(rand.Reader, 1024)
@@ -4425,7 +4433,7 @@ func TestCountNewOrderWithReplaces(t *testing.T) {
 NotAfter: expectExpiry,
 DNSNames: []string{"example.com"},
 SerialNumber: expectSerial,
- AuthorityKeyId: expectAKID,
+ AuthorityKeyId: issuer.SubjectKeyId,
 }
 expectCertId, err := makeARICertID(expectCert)
 test.AssertNotError(t, err, "failed to create test cert id")
@@ -4433,7 +4441,7 @@ func TestCountNewOrderWithReplaces(t *testing.T) {
 test.AssertNotError(t, err, "failed to create test certificate")
 // MockSA that returns the certificate with the expected serial.
- wfe.sa = &mockSA{
+ wfe.sa = &mockSAForARI{
 cert: &corepb.Certificate{
 RegistrationID: 1,
 Serial: core.SerialToString(expectSerial),
@@ -4456,3 +4464,83 @@ func TestCountNewOrderWithReplaces(t *testing.T) {
 test.AssertEquals(t, responseWriter.Code, http.StatusCreated)
 test.AssertMetricWithLabelsEquals(t, wfe.stats.ariReplacementOrders, prometheus.Labels{"isReplacement": "true", "limitsExempt": "true"}, 1)
 }
+
+func TestNewOrderRateLimits(t *testing.T) {
+ wfe, fc, signer := setupWFE(t)
+
+ features.Set(features.Config{UseKvLimitsForNewOrder: true})
+ defer features.Reset()
+
+ // Set the default ratelimits to only allow one new order per account per 24
+ // hours.
+ txnBuilder, err := ratelimits.NewTransactionBuilder(ratelimits.LimitConfigs{
+ ratelimits.NewOrdersPerAccount.String(): &ratelimits.LimitConfig{
+ Burst: 1,
+ Count: 1,
+ Period: config.Duration{Duration: time.Hour * 24}},
+ })
+ test.AssertNotError(t, err, "making transaction composer")
+ wfe.txnBuilder = txnBuilder
+
+ // Pick a random issuer to "issue" extantCert.
+ var issuer *issuance.Certificate
+ for _, v := range wfe.issuerCertificates {
+ issuer = v
+ break
+ }
+ testKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+ test.AssertNotError(t, err, "failed to create test key")
+ extantCert := &x509.Certificate{
+ NotBefore: fc.Now(),
+ NotAfter: fc.Now().AddDate(0, 0, 90),
+ DNSNames: []string{"example.com"},
+ SerialNumber: big.NewInt(1337),
+ AuthorityKeyId: issuer.SubjectKeyId,
+ }
+ extantCertId, err := makeARICertID(extantCert)
+ test.AssertNotError(t, err, "failed to create test cert id")
+ extantDer, err := x509.CreateCertificate(rand.Reader, extantCert, extantCert, &testKey.PublicKey, testKey)
+ test.AssertNotError(t, err, "failed to create test certificate")
+
+ // Mock SA that returns the certificate with the expected serial.
+ wfe.sa = &mockSAForARI{
+ cert: &corepb.Certificate{
+ RegistrationID: 1,
+ Serial: core.SerialToString(extantCert.SerialNumber),
+ Der: extantDer,
+ Issued: timestamppb.New(extantCert.NotBefore),
+ Expires: timestamppb.New(extantCert.NotAfter),
+ },
+ }
+
+ // Set the fake clock forward to 1s past the suggested renewal window start
+ // time.
+ renewalWindowStart := core.RenewalInfoSimple(extantCert.NotBefore, extantCert.NotAfter).SuggestedWindow.Start
+ fc.Set(renewalWindowStart.Add(time.Second))
+
+ mux := wfe.Handler(metrics.NoopRegisterer)
+
+ // Request the certificate for the first time. Because we mocked together
+ // the certificate, it will have been issued 60 days ago.
+ r := signAndPost(signer, newOrderPath, "http://localhost"+newOrderPath,
+ `{"Identifiers": [{"type": "dns", "value": "example.com"}]}`)
+ responseWriter := httptest.NewRecorder()
+ mux.ServeHTTP(responseWriter, r)
+ test.AssertEquals(t, responseWriter.Code, http.StatusCreated)
+
+ // Request another, identical certificate. This should fail for violating
+ // the NewOrdersPerAccount rate limit.
+ r = signAndPost(signer, newOrderPath, "http://localhost"+newOrderPath,
+ `{"Identifiers": [{"type": "dns", "value": "example.com"}]}`)
+ responseWriter = httptest.NewRecorder()
+ mux.ServeHTTP(responseWriter, r)
+ test.AssertEquals(t, responseWriter.Code, http.StatusTooManyRequests)
+
+ // Make a request with the "Replaces" field, which should satisfy ARI checks
+ // and therefore bypass the rate limit.
+ r = signAndPost(signer, newOrderPath, "http://localhost"+newOrderPath,
+ fmt.Sprintf(`{"Identifiers": [{"type": "dns", "value": "example.com"}], "Replaces": %q}`, extantCertId))
+ responseWriter = httptest.NewRecorder()
+ mux.ServeHTTP(responseWriter, r)
+ test.AssertEquals(t, responseWriter.Code, http.StatusCreated)
+}
From d42865c187c5201c31c95e4aadd04ffc4ff3061d Mon Sep 17 00:00:00 2001
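Review bot: TestNewOrderRateLimits shows that a valid `Replaces` value skips NewOrdersPerAccount, but no case pins when the exemption must not apply. mockSAForARI.ReplacementOrderExists always answers `Exists: false` for the stored serial, so the test cannot show that a second order naming the same certificate is refused the exemption. A follow-up case using a mock that reports an existing replacement order, asserting the status NewOrder is meant to return for it, would guard the limit against regressions in the ARI checks, which are outside this diff. The test could also assert the `ariReplacementOrders` metric, as TestCountNewOrderWithReplaces does, to confirm the third request was accepted through the exempt path.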
From: Jacob Hoffman-Andrews Date: Thu, 19 Dec 2024 10:11:50 -0800 Subject: [PATCH 3/6] sa: add Limit field to CountFQDNSetsRequest (#7887) This allows us to replace FQDNSetExists with a call to FQDNSetTimestampsForWindow, with Limit set to 1. That, in turn, will allow us to log the time since issuance of the most recent certificate with a given FQDNSet. --- sa/proto/sa.pb.go | 1235 +++++++++++++++++++++++---------------------- sa/proto/sa.proto | 1 + sa/sa_test.go | 9 + sa/saro.go | 11 +- 4 files changed, 642 insertions(+), 614 deletions(-) diff --git a/sa/proto/sa.pb.go b/sa/proto/sa.pb.go index 1a89b42f816..c8b42859f3e 100644 --- a/sa/proto/sa.pb.go +++ b/sa/proto/sa.pb.go @@ -733,6 +733,7 @@ type CountFQDNSetsRequest struct { DnsNames []string `protobuf:"bytes,2,rep,name=dnsNames,proto3" json:"dnsNames,omitempty"` Window *durationpb.Duration `protobuf:"bytes,3,opt,name=window,proto3" json:"window,omitempty"` + Limit int64 `protobuf:"varint,4,opt,name=limit,proto3" json:"limit,omitempty"` } func (x *CountFQDNSetsRequest) Reset() { @@ -781,6 +782,13 @@ func (x *CountFQDNSetsRequest) GetWindow() *durationpb.Duration { return nil } +func (x *CountFQDNSetsRequest) GetLimit() int64 { + if x != nil { + return x.Limit + } + return 0 +} + type FQDNSetExistsRequest struct { state protoimpl.MessageState sizeCache protoimpl.SizeCache 
@@ -2998,633 +3006,634 @@ var file_sa_proto_rawDesc = []byte{ 0x74, 0x49, 0x44, 0x18, 0x01, 0x20, 0x01, 0x28, 0x03, 0x52, 0x09, 0x61, 0x63, 0x63, 0x6f, 0x75, 0x6e, 0x74, 0x49, 0x44, 0x12, 0x1f, 0x0a, 0x05, 0x72, 0x61, 0x6e, 0x67, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x09, 0x2e, 0x73, 0x61, 0x2e, 0x52, 0x61, 0x6e, 0x67, 0x65, 0x52, 0x05, - 0x72, 0x61, 0x6e, 0x67, 0x65, 0x22, 0x6b, 0x0a, 0x14, 0x43, 0x6f, 0x75, 0x6e, 0x74, 0x46, 0x51, - 0x44, 0x4e, 0x53, 0x65, 0x74, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x1a, 0x0a, - 0x08, 0x64, 0x6e, 0x73, 0x4e, 0x61, 0x6d, 0x65, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x09, 0x52, - 0x08, 0x64, 0x6e, 0x73, 0x4e, 0x61, 0x6d, 0x65, 0x73, 0x12, 0x31, 0x0a, 0x06, 0x77, 0x69, 0x6e, - 0x64, 0x6f, 0x77, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x19, 0x2e, 0x67, 0x6f, 0x6f, 0x67, - 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x44, 0x75, 0x72, 0x61, - 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x06, 0x77, 0x69, 0x6e, 0x64, 0x6f, 0x77, 0x4a, 0x04, 0x08, 0x01, - 0x10, 0x02, 0x22, 0x32, 0x0a, 0x14, 0x46, 0x51, 0x44, 0x4e, 0x53, 0x65, 0x74, 0x45, 0x78, 0x69, - 0x73, 0x74, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x1a, 0x0a, 0x08, 0x64, 0x6e, - 0x73, 0x4e, 0x61, 0x6d, 0x65, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x09, 0x52, 0x08, 0x64, 0x6e, - 0x73, 0x4e, 0x61, 0x6d, 0x65, 0x73, 0x22, 0x20, 0x0a, 0x06, 0x45, 0x78, 0x69, 0x73, 0x74, 0x73, - 0x12, 0x16, 0x0a, 0x06, 0x65, 0x78, 0x69, 0x73, 0x74, 0x73, 0x18, 0x01, 0x20, 0x01, 0x28, 0x08, - 0x52, 0x06, 0x65, 0x78, 0x69, 0x73, 0x74, 0x73, 0x22, 0xb8, 0x01, 0x0a, 0x10, 0x41, 0x64, 0x64, - 0x53, 0x65, 0x72, 0x69, 0x61, 0x6c, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x14, 0x0a, - 0x05, 0x72, 0x65, 0x67, 0x49, 0x44, 0x18, 0x01, 0x20, 0x01, 0x28, 0x03, 0x52, 0x05, 0x72, 0x65, - 0x67, 0x49, 0x44, 0x12, 0x16, 0x0a, 0x06, 0x73, 0x65, 0x72, 0x69, 0x61, 0x6c, 0x18, 0x02, 0x20, - 0x01, 0x28, 0x09, 0x52, 0x06, 0x73, 0x65, 0x72, 0x69, 0x61, 0x6c, 0x12, 0x34, 
0x0a, 0x07, 0x63, - 0x72, 0x65, 0x61, 0x74, 0x65, 0x64, 0x18, 0x05, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, + 0x72, 0x61, 0x6e, 0x67, 0x65, 0x22, 0x81, 0x01, 0x0a, 0x14, 0x43, 0x6f, 0x75, 0x6e, 0x74, 0x46, + 0x51, 0x44, 0x4e, 0x53, 0x65, 0x74, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x1a, + 0x0a, 0x08, 0x64, 0x6e, 0x73, 0x4e, 0x61, 0x6d, 0x65, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x09, + 0x52, 0x08, 0x64, 0x6e, 0x73, 0x4e, 0x61, 0x6d, 0x65, 0x73, 0x12, 0x31, 0x0a, 0x06, 0x77, 0x69, + 0x6e, 0x64, 0x6f, 0x77, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x19, 0x2e, 0x67, 0x6f, 0x6f, + 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x44, 0x75, 0x72, + 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x06, 0x77, 0x69, 0x6e, 0x64, 0x6f, 0x77, 0x12, 0x14, 0x0a, + 0x05, 0x6c, 0x69, 0x6d, 0x69, 0x74, 0x18, 0x04, 0x20, 0x01, 0x28, 0x03, 0x52, 0x05, 0x6c, 0x69, + 0x6d, 0x69, 0x74, 0x4a, 0x04, 0x08, 0x01, 0x10, 0x02, 0x22, 0x32, 0x0a, 0x14, 0x46, 0x51, 0x44, + 0x4e, 0x53, 0x65, 0x74, 0x45, 0x78, 0x69, 0x73, 0x74, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, + 0x74, 0x12, 0x1a, 0x0a, 0x08, 0x64, 0x6e, 0x73, 0x4e, 0x61, 0x6d, 0x65, 0x73, 0x18, 0x01, 0x20, + 0x03, 0x28, 0x09, 0x52, 0x08, 0x64, 0x6e, 0x73, 0x4e, 0x61, 0x6d, 0x65, 0x73, 0x22, 0x20, 0x0a, + 0x06, 0x45, 0x78, 0x69, 0x73, 0x74, 0x73, 0x12, 0x16, 0x0a, 0x06, 0x65, 0x78, 0x69, 0x73, 0x74, + 0x73, 0x18, 0x01, 0x20, 0x01, 0x28, 0x08, 0x52, 0x06, 0x65, 0x78, 0x69, 0x73, 0x74, 0x73, 0x22, + 0xb8, 0x01, 0x0a, 0x10, 0x41, 0x64, 0x64, 0x53, 0x65, 0x72, 0x69, 0x61, 0x6c, 0x52, 0x65, 0x71, + 0x75, 0x65, 0x73, 0x74, 0x12, 0x14, 0x0a, 0x05, 0x72, 0x65, 0x67, 0x49, 0x44, 0x18, 0x01, 0x20, + 0x01, 0x28, 0x03, 0x52, 0x05, 0x72, 0x65, 0x67, 0x49, 0x44, 0x12, 0x16, 0x0a, 0x06, 0x73, 0x65, + 0x72, 0x69, 0x61, 0x6c, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x73, 0x65, 0x72, 0x69, + 0x61, 0x6c, 0x12, 0x34, 0x0a, 0x07, 0x63, 0x72, 0x65, 0x61, 0x74, 0x65, 0x64, 0x18, 0x05, 0x20, + 0x01, 0x28, 0x0b, 
0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, + 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x52, + 0x07, 0x63, 0x72, 0x65, 0x61, 0x74, 0x65, 0x64, 0x12, 0x34, 0x0a, 0x07, 0x65, 0x78, 0x70, 0x69, + 0x72, 0x65, 0x73, 0x18, 0x06, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, + 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54, 0x69, 0x6d, 0x65, + 0x73, 0x74, 0x61, 0x6d, 0x70, 0x52, 0x07, 0x65, 0x78, 0x70, 0x69, 0x72, 0x65, 0x73, 0x4a, 0x04, + 0x08, 0x03, 0x10, 0x04, 0x4a, 0x04, 0x08, 0x04, 0x10, 0x05, 0x22, 0xc7, 0x01, 0x0a, 0x15, 0x41, + 0x64, 0x64, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x52, 0x65, 0x71, + 0x75, 0x65, 0x73, 0x74, 0x12, 0x10, 0x0a, 0x03, 0x64, 0x65, 0x72, 0x18, 0x01, 0x20, 0x01, 0x28, + 0x0c, 0x52, 0x03, 0x64, 0x65, 0x72, 0x12, 0x14, 0x0a, 0x05, 0x72, 0x65, 0x67, 0x49, 0x44, 0x18, + 0x02, 0x20, 0x01, 0x28, 0x03, 0x52, 0x05, 0x72, 0x65, 0x67, 0x49, 0x44, 0x12, 0x32, 0x0a, 0x06, + 0x69, 0x73, 0x73, 0x75, 0x65, 0x64, 0x18, 0x07, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54, - 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x52, 0x07, 0x63, 0x72, 0x65, 0x61, 0x74, 0x65, - 0x64, 0x12, 0x34, 0x0a, 0x07, 0x65, 0x78, 0x70, 0x69, 0x72, 0x65, 0x73, 0x18, 0x06, 0x20, 0x01, + 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x52, 0x06, 0x69, 0x73, 0x73, 0x75, 0x65, 0x64, + 0x12, 0x22, 0x0a, 0x0c, 0x69, 0x73, 0x73, 0x75, 0x65, 0x72, 0x4e, 0x61, 0x6d, 0x65, 0x49, 0x44, + 0x18, 0x05, 0x20, 0x01, 0x28, 0x03, 0x52, 0x0c, 0x69, 0x73, 0x73, 0x75, 0x65, 0x72, 0x4e, 0x61, + 0x6d, 0x65, 0x49, 0x44, 0x12, 0x22, 0x0a, 0x0c, 0x6f, 0x63, 0x73, 0x70, 0x4e, 0x6f, 0x74, 0x52, + 0x65, 0x61, 0x64, 0x79, 0x18, 0x06, 0x20, 0x01, 0x28, 0x08, 0x52, 0x0c, 0x6f, 0x63, 0x73, 0x70, + 0x4e, 0x6f, 0x74, 0x52, 0x65, 0x61, 0x64, 0x79, 0x4a, 0x04, 
0x08, 0x03, 0x10, 0x04, 0x4a, 0x04, + 0x08, 0x04, 0x10, 0x05, 0x22, 0x1e, 0x0a, 0x0c, 0x4f, 0x72, 0x64, 0x65, 0x72, 0x52, 0x65, 0x71, + 0x75, 0x65, 0x73, 0x74, 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x03, + 0x52, 0x02, 0x69, 0x64, 0x22, 0x9d, 0x02, 0x0a, 0x0f, 0x4e, 0x65, 0x77, 0x4f, 0x72, 0x64, 0x65, + 0x72, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x26, 0x0a, 0x0e, 0x72, 0x65, 0x67, 0x69, + 0x73, 0x74, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x49, 0x44, 0x18, 0x01, 0x20, 0x01, 0x28, 0x03, + 0x52, 0x0e, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x49, 0x44, + 0x12, 0x34, 0x0a, 0x07, 0x65, 0x78, 0x70, 0x69, 0x72, 0x65, 0x73, 0x18, 0x05, 0x20, 0x01, 0x28, + 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, + 0x62, 0x75, 0x66, 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x52, 0x07, 0x65, + 0x78, 0x70, 0x69, 0x72, 0x65, 0x73, 0x12, 0x1a, 0x0a, 0x08, 0x64, 0x6e, 0x73, 0x4e, 0x61, 0x6d, + 0x65, 0x73, 0x18, 0x03, 0x20, 0x03, 0x28, 0x09, 0x52, 0x08, 0x64, 0x6e, 0x73, 0x4e, 0x61, 0x6d, + 0x65, 0x73, 0x12, 0x2a, 0x0a, 0x10, 0x76, 0x32, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, + 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x18, 0x04, 0x20, 0x03, 0x28, 0x03, 0x52, 0x10, 0x76, 0x32, + 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x12, 0x26, + 0x0a, 0x0e, 0x72, 0x65, 0x70, 0x6c, 0x61, 0x63, 0x65, 0x73, 0x53, 0x65, 0x72, 0x69, 0x61, 0x6c, + 0x18, 0x06, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0e, 0x72, 0x65, 0x70, 0x6c, 0x61, 0x63, 0x65, 0x73, + 0x53, 0x65, 0x72, 0x69, 0x61, 0x6c, 0x12, 0x36, 0x0a, 0x16, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, + 0x69, 0x63, 0x61, 0x74, 0x65, 0x50, 0x72, 0x6f, 0x66, 0x69, 0x6c, 0x65, 0x4e, 0x61, 0x6d, 0x65, + 0x18, 0x07, 0x20, 0x01, 0x28, 0x09, 0x52, 0x16, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, + 0x61, 0x74, 0x65, 0x50, 0x72, 0x6f, 0x66, 0x69, 0x6c, 0x65, 0x4e, 0x61, 0x6d, 0x65, 0x4a, 0x04, + 
0x08, 0x02, 0x10, 0x03, 0x22, 0x89, 0x02, 0x0a, 0x0f, 0x4e, 0x65, 0x77, 0x41, 0x75, 0x74, 0x68, + 0x7a, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x30, 0x0a, 0x0a, 0x69, 0x64, 0x65, 0x6e, + 0x74, 0x69, 0x66, 0x69, 0x65, 0x72, 0x18, 0x0c, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x10, 0x2e, 0x63, + 0x6f, 0x72, 0x65, 0x2e, 0x49, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x66, 0x69, 0x65, 0x72, 0x52, 0x0a, + 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x66, 0x69, 0x65, 0x72, 0x12, 0x26, 0x0a, 0x0e, 0x72, 0x65, + 0x67, 0x69, 0x73, 0x74, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x49, 0x44, 0x18, 0x03, 0x20, 0x01, + 0x28, 0x03, 0x52, 0x0e, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, + 0x49, 0x44, 0x12, 0x34, 0x0a, 0x07, 0x65, 0x78, 0x70, 0x69, 0x72, 0x65, 0x73, 0x18, 0x09, 0x20, + 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, + 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x52, + 0x07, 0x65, 0x78, 0x70, 0x69, 0x72, 0x65, 0x73, 0x12, 0x26, 0x0a, 0x0e, 0x63, 0x68, 0x61, 0x6c, + 0x6c, 0x65, 0x6e, 0x67, 0x65, 0x54, 0x79, 0x70, 0x65, 0x73, 0x18, 0x0a, 0x20, 0x03, 0x28, 0x09, + 0x52, 0x0e, 0x63, 0x68, 0x61, 0x6c, 0x6c, 0x65, 0x6e, 0x67, 0x65, 0x54, 0x79, 0x70, 0x65, 0x73, + 0x12, 0x14, 0x0a, 0x05, 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x18, 0x0b, 0x20, 0x01, 0x28, 0x09, 0x52, + 0x05, 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x4a, 0x04, 0x08, 0x01, 0x10, 0x02, 0x4a, 0x04, 0x08, 0x02, + 0x10, 0x03, 0x4a, 0x04, 0x08, 0x04, 0x10, 0x05, 0x4a, 0x04, 0x08, 0x05, 0x10, 0x06, 0x4a, 0x04, + 0x08, 0x06, 0x10, 0x07, 0x4a, 0x04, 0x08, 0x07, 0x10, 0x08, 0x4a, 0x04, 0x08, 0x08, 0x10, 0x09, + 0x22, 0x7e, 0x0a, 0x18, 0x4e, 0x65, 0x77, 0x4f, 0x72, 0x64, 0x65, 0x72, 0x41, 0x6e, 0x64, 0x41, + 0x75, 0x74, 0x68, 0x7a, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x2f, 0x0a, 0x08, + 0x6e, 0x65, 0x77, 0x4f, 0x72, 0x64, 0x65, 0x72, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x13, + 0x2e, 0x73, 0x61, 0x2e, 0x4e, 0x65, 
0x77, 0x4f, 0x72, 0x64, 0x65, 0x72, 0x52, 0x65, 0x71, 0x75, + 0x65, 0x73, 0x74, 0x52, 0x08, 0x6e, 0x65, 0x77, 0x4f, 0x72, 0x64, 0x65, 0x72, 0x12, 0x31, 0x0a, + 0x09, 0x6e, 0x65, 0x77, 0x41, 0x75, 0x74, 0x68, 0x7a, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x0b, + 0x32, 0x13, 0x2e, 0x73, 0x61, 0x2e, 0x4e, 0x65, 0x77, 0x41, 0x75, 0x74, 0x68, 0x7a, 0x52, 0x65, + 0x71, 0x75, 0x65, 0x73, 0x74, 0x52, 0x09, 0x6e, 0x65, 0x77, 0x41, 0x75, 0x74, 0x68, 0x7a, 0x73, + 0x22, 0x52, 0x0a, 0x14, 0x53, 0x65, 0x74, 0x4f, 0x72, 0x64, 0x65, 0x72, 0x45, 0x72, 0x72, 0x6f, + 0x72, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x01, + 0x20, 0x01, 0x28, 0x03, 0x52, 0x02, 0x69, 0x64, 0x12, 0x2a, 0x0a, 0x05, 0x65, 0x72, 0x72, 0x6f, + 0x72, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x14, 0x2e, 0x63, 0x6f, 0x72, 0x65, 0x2e, 0x50, + 0x72, 0x6f, 0x62, 0x6c, 0x65, 0x6d, 0x44, 0x65, 0x74, 0x61, 0x69, 0x6c, 0x73, 0x52, 0x05, 0x65, + 0x72, 0x72, 0x6f, 0x72, 0x22, 0x4c, 0x0a, 0x22, 0x47, 0x65, 0x74, 0x56, 0x61, 0x6c, 0x69, 0x64, + 0x4f, 0x72, 0x64, 0x65, 0x72, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x61, 0x74, 0x69, + 0x6f, 0x6e, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, + 0x18, 0x01, 0x20, 0x01, 0x28, 0x03, 0x52, 0x02, 0x69, 0x64, 0x12, 0x16, 0x0a, 0x06, 0x61, 0x63, + 0x63, 0x74, 0x49, 0x44, 0x18, 0x02, 0x20, 0x01, 0x28, 0x03, 0x52, 0x06, 0x61, 0x63, 0x63, 0x74, + 0x49, 0x44, 0x22, 0x4d, 0x0a, 0x17, 0x47, 0x65, 0x74, 0x4f, 0x72, 0x64, 0x65, 0x72, 0x46, 0x6f, + 0x72, 0x4e, 0x61, 0x6d, 0x65, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x16, 0x0a, + 0x06, 0x61, 0x63, 0x63, 0x74, 0x49, 0x44, 0x18, 0x01, 0x20, 0x01, 0x28, 0x03, 0x52, 0x06, 0x61, + 0x63, 0x63, 0x74, 0x49, 0x44, 0x12, 0x1a, 0x0a, 0x08, 0x64, 0x6e, 0x73, 0x4e, 0x61, 0x6d, 0x65, + 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x09, 0x52, 0x08, 0x64, 0x6e, 0x73, 0x4e, 0x61, 0x6d, 0x65, + 0x73, 0x22, 0x54, 0x0a, 0x14, 0x46, 0x69, 0x6e, 0x61, 0x6c, 0x69, 0x7a, 
0x65, 0x4f, 0x72, 0x64, + 0x65, 0x72, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18, + 0x01, 0x20, 0x01, 0x28, 0x03, 0x52, 0x02, 0x69, 0x64, 0x12, 0x2c, 0x0a, 0x11, 0x63, 0x65, 0x72, + 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x53, 0x65, 0x72, 0x69, 0x61, 0x6c, 0x18, 0x02, + 0x20, 0x01, 0x28, 0x09, 0x52, 0x11, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, + 0x65, 0x53, 0x65, 0x72, 0x69, 0x61, 0x6c, 0x22, 0xa0, 0x01, 0x0a, 0x18, 0x47, 0x65, 0x74, 0x41, + 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x52, 0x65, 0x71, + 0x75, 0x65, 0x73, 0x74, 0x12, 0x26, 0x0a, 0x0e, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x61, + 0x74, 0x69, 0x6f, 0x6e, 0x49, 0x44, 0x18, 0x01, 0x20, 0x01, 0x28, 0x03, 0x52, 0x0e, 0x72, 0x65, + 0x67, 0x69, 0x73, 0x74, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x49, 0x44, 0x12, 0x1a, 0x0a, 0x08, + 0x64, 0x6e, 0x73, 0x4e, 0x61, 0x6d, 0x65, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x09, 0x52, 0x08, + 0x64, 0x6e, 0x73, 0x4e, 0x61, 0x6d, 0x65, 0x73, 0x12, 0x3a, 0x0a, 0x0a, 0x76, 0x61, 0x6c, 0x69, + 0x64, 0x55, 0x6e, 0x74, 0x69, 0x6c, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, + 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54, + 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x52, 0x0a, 0x76, 0x61, 0x6c, 0x69, 0x64, 0x55, + 0x6e, 0x74, 0x69, 0x6c, 0x4a, 0x04, 0x08, 0x03, 0x10, 0x04, 0x22, 0x3d, 0x0a, 0x0e, 0x41, 0x75, + 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x12, 0x2b, 0x0a, 0x06, + 0x61, 0x75, 0x74, 0x68, 0x7a, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x13, 0x2e, 0x63, + 0x6f, 0x72, 0x65, 0x2e, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x61, 0x74, 0x69, 0x6f, + 0x6e, 0x52, 0x06, 0x61, 0x75, 0x74, 0x68, 0x7a, 0x73, 0x22, 0x24, 0x0a, 0x10, 0x41, 0x75, 0x74, + 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x49, 0x44, 0x73, 0x12, 0x10, 0x0a, + 0x03, 0x69, 
0x64, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x09, 0x52, 0x03, 0x69, 0x64, 0x73, 0x22, + 0x22, 0x0a, 0x10, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, + 0x49, 0x44, 0x32, 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x03, 0x52, + 0x02, 0x69, 0x64, 0x22, 0x92, 0x02, 0x0a, 0x18, 0x52, 0x65, 0x76, 0x6f, 0x6b, 0x65, 0x43, 0x65, + 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, + 0x12, 0x16, 0x0a, 0x06, 0x73, 0x65, 0x72, 0x69, 0x61, 0x6c, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, + 0x52, 0x06, 0x73, 0x65, 0x72, 0x69, 0x61, 0x6c, 0x12, 0x16, 0x0a, 0x06, 0x72, 0x65, 0x61, 0x73, + 0x6f, 0x6e, 0x18, 0x02, 0x20, 0x01, 0x28, 0x03, 0x52, 0x06, 0x72, 0x65, 0x61, 0x73, 0x6f, 0x6e, + 0x12, 0x2e, 0x0a, 0x04, 0x64, 0x61, 0x74, 0x65, 0x18, 0x08, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, + 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, + 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x52, 0x04, 0x64, 0x61, 0x74, 0x65, + 0x12, 0x36, 0x0a, 0x08, 0x62, 0x61, 0x63, 0x6b, 0x64, 0x61, 0x74, 0x65, 0x18, 0x09, 0x20, 0x01, + 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, + 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x52, 0x08, + 0x62, 0x61, 0x63, 0x6b, 0x64, 0x61, 0x74, 0x65, 0x12, 0x1a, 0x0a, 0x08, 0x72, 0x65, 0x73, 0x70, + 0x6f, 0x6e, 0x73, 0x65, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x08, 0x72, 0x65, 0x73, 0x70, + 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x1a, 0x0a, 0x08, 0x69, 0x73, 0x73, 0x75, 0x65, 0x72, 0x49, 0x44, + 0x18, 0x06, 0x20, 0x01, 0x28, 0x03, 0x52, 0x08, 0x69, 0x73, 0x73, 0x75, 0x65, 0x72, 0x49, 0x44, + 0x12, 0x1a, 0x0a, 0x08, 0x73, 0x68, 0x61, 0x72, 0x64, 0x49, 0x64, 0x78, 0x18, 0x07, 0x20, 0x01, + 0x28, 0x03, 0x52, 0x08, 0x73, 0x68, 0x61, 0x72, 0x64, 0x49, 0x64, 0x78, 0x4a, 0x04, 0x08, 0x03, + 0x10, 0x04, 0x4a, 0x04, 0x08, 0x05, 0x10, 0x06, 
0x22, 0xea, 0x02, 0x0a, 0x1c, 0x46, 0x69, 0x6e, + 0x61, 0x6c, 0x69, 0x7a, 0x65, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x61, 0x74, 0x69, + 0x6f, 0x6e, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18, + 0x01, 0x20, 0x01, 0x28, 0x03, 0x52, 0x02, 0x69, 0x64, 0x12, 0x16, 0x0a, 0x06, 0x73, 0x74, 0x61, + 0x74, 0x75, 0x73, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x73, 0x74, 0x61, 0x74, 0x75, + 0x73, 0x12, 0x34, 0x0a, 0x07, 0x65, 0x78, 0x70, 0x69, 0x72, 0x65, 0x73, 0x18, 0x08, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x52, 0x07, - 0x65, 0x78, 0x70, 0x69, 0x72, 0x65, 0x73, 0x4a, 0x04, 0x08, 0x03, 0x10, 0x04, 0x4a, 0x04, 0x08, - 0x04, 0x10, 0x05, 0x22, 0xc7, 0x01, 0x0a, 0x15, 0x41, 0x64, 0x64, 0x43, 0x65, 0x72, 0x74, 0x69, - 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x10, 0x0a, - 0x03, 0x64, 0x65, 0x72, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x03, 0x64, 0x65, 0x72, 0x12, - 0x14, 0x0a, 0x05, 0x72, 0x65, 0x67, 0x49, 0x44, 0x18, 0x02, 0x20, 0x01, 0x28, 0x03, 0x52, 0x05, - 0x72, 0x65, 0x67, 0x49, 0x44, 0x12, 0x32, 0x0a, 0x06, 0x69, 0x73, 0x73, 0x75, 0x65, 0x64, 0x18, - 0x07, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, - 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, - 0x70, 0x52, 0x06, 0x69, 0x73, 0x73, 0x75, 0x65, 0x64, 0x12, 0x22, 0x0a, 0x0c, 0x69, 0x73, 0x73, - 0x75, 0x65, 0x72, 0x4e, 0x61, 0x6d, 0x65, 0x49, 0x44, 0x18, 0x05, 0x20, 0x01, 0x28, 0x03, 0x52, - 0x0c, 0x69, 0x73, 0x73, 0x75, 0x65, 0x72, 0x4e, 0x61, 0x6d, 0x65, 0x49, 0x44, 0x12, 0x22, 0x0a, - 0x0c, 0x6f, 0x63, 0x73, 0x70, 0x4e, 0x6f, 0x74, 0x52, 0x65, 0x61, 0x64, 0x79, 0x18, 0x06, 0x20, - 0x01, 0x28, 0x08, 0x52, 0x0c, 0x6f, 0x63, 0x73, 0x70, 0x4e, 0x6f, 0x74, 0x52, 0x65, 0x61, 
0x64, - 0x79, 0x4a, 0x04, 0x08, 0x03, 0x10, 0x04, 0x4a, 0x04, 0x08, 0x04, 0x10, 0x05, 0x22, 0x1e, 0x0a, - 0x0c, 0x4f, 0x72, 0x64, 0x65, 0x72, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x0e, 0x0a, - 0x02, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x03, 0x52, 0x02, 0x69, 0x64, 0x22, 0x9d, 0x02, - 0x0a, 0x0f, 0x4e, 0x65, 0x77, 0x4f, 0x72, 0x64, 0x65, 0x72, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, - 0x74, 0x12, 0x26, 0x0a, 0x0e, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x61, 0x74, 0x69, 0x6f, - 0x6e, 0x49, 0x44, 0x18, 0x01, 0x20, 0x01, 0x28, 0x03, 0x52, 0x0e, 0x72, 0x65, 0x67, 0x69, 0x73, - 0x74, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x49, 0x44, 0x12, 0x34, 0x0a, 0x07, 0x65, 0x78, 0x70, - 0x69, 0x72, 0x65, 0x73, 0x18, 0x05, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, - 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54, 0x69, 0x6d, - 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x52, 0x07, 0x65, 0x78, 0x70, 0x69, 0x72, 0x65, 0x73, 0x12, - 0x1a, 0x0a, 0x08, 0x64, 0x6e, 0x73, 0x4e, 0x61, 0x6d, 0x65, 0x73, 0x18, 0x03, 0x20, 0x03, 0x28, - 0x09, 0x52, 0x08, 0x64, 0x6e, 0x73, 0x4e, 0x61, 0x6d, 0x65, 0x73, 0x12, 0x2a, 0x0a, 0x10, 0x76, - 0x32, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x18, - 0x04, 0x20, 0x03, 0x28, 0x03, 0x52, 0x10, 0x76, 0x32, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, - 0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x12, 0x26, 0x0a, 0x0e, 0x72, 0x65, 0x70, 0x6c, 0x61, - 0x63, 0x65, 0x73, 0x53, 0x65, 0x72, 0x69, 0x61, 0x6c, 0x18, 0x06, 0x20, 0x01, 0x28, 0x09, 0x52, - 0x0e, 0x72, 0x65, 0x70, 0x6c, 0x61, 0x63, 0x65, 0x73, 0x53, 0x65, 0x72, 0x69, 0x61, 0x6c, 0x12, - 0x36, 0x0a, 0x16, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x50, 0x72, - 0x6f, 0x66, 0x69, 0x6c, 0x65, 0x4e, 0x61, 0x6d, 0x65, 0x18, 0x07, 0x20, 0x01, 0x28, 0x09, 0x52, - 0x16, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x50, 0x72, 0x6f, 0x66, - 0x69, 0x6c, 0x65, 0x4e, 0x61, 
0x6d, 0x65, 0x4a, 0x04, 0x08, 0x02, 0x10, 0x03, 0x22, 0x89, 0x02, - 0x0a, 0x0f, 0x4e, 0x65, 0x77, 0x41, 0x75, 0x74, 0x68, 0x7a, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, - 0x74, 0x12, 0x30, 0x0a, 0x0a, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x66, 0x69, 0x65, 0x72, 0x18, - 0x0c, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x10, 0x2e, 0x63, 0x6f, 0x72, 0x65, 0x2e, 0x49, 0x64, 0x65, - 0x6e, 0x74, 0x69, 0x66, 0x69, 0x65, 0x72, 0x52, 0x0a, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x66, - 0x69, 0x65, 0x72, 0x12, 0x26, 0x0a, 0x0e, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x61, 0x74, - 0x69, 0x6f, 0x6e, 0x49, 0x44, 0x18, 0x03, 0x20, 0x01, 0x28, 0x03, 0x52, 0x0e, 0x72, 0x65, 0x67, - 0x69, 0x73, 0x74, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x49, 0x44, 0x12, 0x34, 0x0a, 0x07, 0x65, - 0x78, 0x70, 0x69, 0x72, 0x65, 0x73, 0x18, 0x09, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, - 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54, - 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x52, 0x07, 0x65, 0x78, 0x70, 0x69, 0x72, 0x65, - 0x73, 0x12, 0x26, 0x0a, 0x0e, 0x63, 0x68, 0x61, 0x6c, 0x6c, 0x65, 0x6e, 0x67, 0x65, 0x54, 0x79, - 0x70, 0x65, 0x73, 0x18, 0x0a, 0x20, 0x03, 0x28, 0x09, 0x52, 0x0e, 0x63, 0x68, 0x61, 0x6c, 0x6c, - 0x65, 0x6e, 0x67, 0x65, 0x54, 0x79, 0x70, 0x65, 0x73, 0x12, 0x14, 0x0a, 0x05, 0x74, 0x6f, 0x6b, - 0x65, 0x6e, 0x18, 0x0b, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x4a, - 0x04, 0x08, 0x01, 0x10, 0x02, 0x4a, 0x04, 0x08, 0x02, 0x10, 0x03, 0x4a, 0x04, 0x08, 0x04, 0x10, - 0x05, 0x4a, 0x04, 0x08, 0x05, 0x10, 0x06, 0x4a, 0x04, 0x08, 0x06, 0x10, 0x07, 0x4a, 0x04, 0x08, - 0x07, 0x10, 0x08, 0x4a, 0x04, 0x08, 0x08, 0x10, 0x09, 0x22, 0x7e, 0x0a, 0x18, 0x4e, 0x65, 0x77, - 0x4f, 0x72, 0x64, 0x65, 0x72, 0x41, 0x6e, 0x64, 0x41, 0x75, 0x74, 0x68, 0x7a, 0x73, 0x52, 0x65, - 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x2f, 0x0a, 0x08, 0x6e, 0x65, 0x77, 0x4f, 0x72, 0x64, 0x65, - 0x72, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x13, 0x2e, 0x73, 
0x61, 0x2e, 0x4e, 0x65, 0x77, - 0x4f, 0x72, 0x64, 0x65, 0x72, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x52, 0x08, 0x6e, 0x65, - 0x77, 0x4f, 0x72, 0x64, 0x65, 0x72, 0x12, 0x31, 0x0a, 0x09, 0x6e, 0x65, 0x77, 0x41, 0x75, 0x74, - 0x68, 0x7a, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x13, 0x2e, 0x73, 0x61, 0x2e, 0x4e, - 0x65, 0x77, 0x41, 0x75, 0x74, 0x68, 0x7a, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x52, 0x09, - 0x6e, 0x65, 0x77, 0x41, 0x75, 0x74, 0x68, 0x7a, 0x73, 0x22, 0x52, 0x0a, 0x14, 0x53, 0x65, 0x74, - 0x4f, 0x72, 0x64, 0x65, 0x72, 0x45, 0x72, 0x72, 0x6f, 0x72, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, - 0x74, 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x03, 0x52, 0x02, 0x69, - 0x64, 0x12, 0x2a, 0x0a, 0x05, 0x65, 0x72, 0x72, 0x6f, 0x72, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, - 0x32, 0x14, 0x2e, 0x63, 0x6f, 0x72, 0x65, 0x2e, 0x50, 0x72, 0x6f, 0x62, 0x6c, 0x65, 0x6d, 0x44, - 0x65, 0x74, 0x61, 0x69, 0x6c, 0x73, 0x52, 0x05, 0x65, 0x72, 0x72, 0x6f, 0x72, 0x22, 0x4c, 0x0a, - 0x22, 0x47, 0x65, 0x74, 0x56, 0x61, 0x6c, 0x69, 0x64, 0x4f, 0x72, 0x64, 0x65, 0x72, 0x41, 0x75, - 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x52, 0x65, 0x71, 0x75, - 0x65, 0x73, 0x74, 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x03, 0x52, - 0x02, 0x69, 0x64, 0x12, 0x16, 0x0a, 0x06, 0x61, 0x63, 0x63, 0x74, 0x49, 0x44, 0x18, 0x02, 0x20, - 0x01, 0x28, 0x03, 0x52, 0x06, 0x61, 0x63, 0x63, 0x74, 0x49, 0x44, 0x22, 0x4d, 0x0a, 0x17, 0x47, - 0x65, 0x74, 0x4f, 0x72, 0x64, 0x65, 0x72, 0x46, 0x6f, 0x72, 0x4e, 0x61, 0x6d, 0x65, 0x73, 0x52, - 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x16, 0x0a, 0x06, 0x61, 0x63, 0x63, 0x74, 0x49, 0x44, - 0x18, 0x01, 0x20, 0x01, 0x28, 0x03, 0x52, 0x06, 0x61, 0x63, 0x63, 0x74, 0x49, 0x44, 0x12, 0x1a, - 0x0a, 0x08, 0x64, 0x6e, 0x73, 0x4e, 0x61, 0x6d, 0x65, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x09, - 0x52, 0x08, 0x64, 0x6e, 0x73, 0x4e, 0x61, 0x6d, 0x65, 0x73, 0x22, 0x54, 0x0a, 0x14, 0x46, 0x69, - 0x6e, 
0x61, 0x6c, 0x69, 0x7a, 0x65, 0x4f, 0x72, 0x64, 0x65, 0x72, 0x52, 0x65, 0x71, 0x75, 0x65, - 0x73, 0x74, 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x03, 0x52, 0x02, - 0x69, 0x64, 0x12, 0x2c, 0x0a, 0x11, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, - 0x65, 0x53, 0x65, 0x72, 0x69, 0x61, 0x6c, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x11, 0x63, - 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x53, 0x65, 0x72, 0x69, 0x61, 0x6c, - 0x22, 0xa0, 0x01, 0x0a, 0x18, 0x47, 0x65, 0x74, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, - 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x26, 0x0a, - 0x0e, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x49, 0x44, 0x18, - 0x01, 0x20, 0x01, 0x28, 0x03, 0x52, 0x0e, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x61, 0x74, - 0x69, 0x6f, 0x6e, 0x49, 0x44, 0x12, 0x1a, 0x0a, 0x08, 0x64, 0x6e, 0x73, 0x4e, 0x61, 0x6d, 0x65, - 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x09, 0x52, 0x08, 0x64, 0x6e, 0x73, 0x4e, 0x61, 0x6d, 0x65, - 0x73, 0x12, 0x3a, 0x0a, 0x0a, 0x76, 0x61, 0x6c, 0x69, 0x64, 0x55, 0x6e, 0x74, 0x69, 0x6c, 0x18, - 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, - 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, - 0x70, 0x52, 0x0a, 0x76, 0x61, 0x6c, 0x69, 0x64, 0x55, 0x6e, 0x74, 0x69, 0x6c, 0x4a, 0x04, 0x08, - 0x03, 0x10, 0x04, 0x22, 0x3d, 0x0a, 0x0e, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x61, - 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x12, 0x2b, 0x0a, 0x06, 0x61, 0x75, 0x74, 0x68, 0x7a, 0x73, 0x18, - 0x02, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x13, 0x2e, 0x63, 0x6f, 0x72, 0x65, 0x2e, 0x41, 0x75, 0x74, - 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x06, 0x61, 0x75, 0x74, 0x68, - 0x7a, 0x73, 0x22, 0x24, 0x0a, 0x10, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x61, 0x74, - 0x69, 0x6f, 0x6e, 0x49, 0x44, 0x73, 0x12, 
0x10, 0x0a, 0x03, 0x69, 0x64, 0x73, 0x18, 0x01, 0x20, - 0x03, 0x28, 0x09, 0x52, 0x03, 0x69, 0x64, 0x73, 0x22, 0x22, 0x0a, 0x10, 0x41, 0x75, 0x74, 0x68, - 0x6f, 0x72, 0x69, 0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x49, 0x44, 0x32, 0x12, 0x0e, 0x0a, 0x02, - 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x03, 0x52, 0x02, 0x69, 0x64, 0x22, 0x92, 0x02, 0x0a, - 0x18, 0x52, 0x65, 0x76, 0x6f, 0x6b, 0x65, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, - 0x74, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x16, 0x0a, 0x06, 0x73, 0x65, 0x72, - 0x69, 0x61, 0x6c, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x73, 0x65, 0x72, 0x69, 0x61, - 0x6c, 0x12, 0x16, 0x0a, 0x06, 0x72, 0x65, 0x61, 0x73, 0x6f, 0x6e, 0x18, 0x02, 0x20, 0x01, 0x28, - 0x03, 0x52, 0x06, 0x72, 0x65, 0x61, 0x73, 0x6f, 0x6e, 0x12, 0x2e, 0x0a, 0x04, 0x64, 0x61, 0x74, - 0x65, 0x18, 0x08, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, - 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, - 0x61, 0x6d, 0x70, 0x52, 0x04, 0x64, 0x61, 0x74, 0x65, 0x12, 0x36, 0x0a, 0x08, 0x62, 0x61, 0x63, - 0x6b, 0x64, 0x61, 0x74, 0x65, 0x18, 0x09, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, - 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54, 0x69, - 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x52, 0x08, 0x62, 0x61, 0x63, 0x6b, 0x64, 0x61, 0x74, - 0x65, 0x12, 0x1a, 0x0a, 0x08, 0x72, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x18, 0x04, 0x20, - 0x01, 0x28, 0x0c, 0x52, 0x08, 0x72, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x1a, 0x0a, - 0x08, 0x69, 0x73, 0x73, 0x75, 0x65, 0x72, 0x49, 0x44, 0x18, 0x06, 0x20, 0x01, 0x28, 0x03, 0x52, - 0x08, 0x69, 0x73, 0x73, 0x75, 0x65, 0x72, 0x49, 0x44, 0x12, 0x1a, 0x0a, 0x08, 0x73, 0x68, 0x61, - 0x72, 0x64, 0x49, 0x64, 0x78, 0x18, 0x07, 0x20, 0x01, 0x28, 0x03, 0x52, 0x08, 0x73, 0x68, 0x61, - 0x72, 0x64, 0x49, 0x64, 0x78, 0x4a, 0x04, 0x08, 0x03, 0x10, 0x04, 0x4a, 0x04, 
0x08, 0x05, 0x10, - 0x06, 0x22, 0xea, 0x02, 0x0a, 0x1c, 0x46, 0x69, 0x6e, 0x61, 0x6c, 0x69, 0x7a, 0x65, 0x41, 0x75, - 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x65, 0x71, 0x75, 0x65, - 0x73, 0x74, 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x03, 0x52, 0x02, - 0x69, 0x64, 0x12, 0x16, 0x0a, 0x06, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x18, 0x02, 0x20, 0x01, - 0x28, 0x09, 0x52, 0x06, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x12, 0x34, 0x0a, 0x07, 0x65, 0x78, - 0x70, 0x69, 0x72, 0x65, 0x73, 0x18, 0x08, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, - 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54, 0x69, - 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x52, 0x07, 0x65, 0x78, 0x70, 0x69, 0x72, 0x65, 0x73, - 0x12, 0x1c, 0x0a, 0x09, 0x61, 0x74, 0x74, 0x65, 0x6d, 0x70, 0x74, 0x65, 0x64, 0x18, 0x04, 0x20, - 0x01, 0x28, 0x09, 0x52, 0x09, 0x61, 0x74, 0x74, 0x65, 0x6d, 0x70, 0x74, 0x65, 0x64, 0x12, 0x44, - 0x0a, 0x11, 0x76, 0x61, 0x6c, 0x69, 0x64, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x65, 0x63, 0x6f, - 0x72, 0x64, 0x73, 0x18, 0x05, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x16, 0x2e, 0x63, 0x6f, 0x72, 0x65, - 0x2e, 0x56, 0x61, 0x6c, 0x69, 0x64, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x65, 0x63, 0x6f, 0x72, - 0x64, 0x52, 0x11, 0x76, 0x61, 0x6c, 0x69, 0x64, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x65, 0x63, - 0x6f, 0x72, 0x64, 0x73, 0x12, 0x3e, 0x0a, 0x0f, 0x76, 0x61, 0x6c, 0x69, 0x64, 0x61, 0x74, 0x69, - 0x6f, 0x6e, 0x45, 0x72, 0x72, 0x6f, 0x72, 0x18, 0x06, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x14, 0x2e, - 0x63, 0x6f, 0x72, 0x65, 0x2e, 0x50, 0x72, 0x6f, 0x62, 0x6c, 0x65, 0x6d, 0x44, 0x65, 0x74, 0x61, - 0x69, 0x6c, 0x73, 0x52, 0x0f, 0x76, 0x61, 0x6c, 0x69, 0x64, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x45, - 0x72, 0x72, 0x6f, 0x72, 0x12, 0x3c, 0x0a, 0x0b, 0x61, 0x74, 0x74, 0x65, 0x6d, 0x70, 0x74, 0x65, - 0x64, 0x41, 0x74, 0x18, 0x09, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, - 0x6c, 0x65, 0x2e, 
0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54, 0x69, 0x6d, 0x65, - 0x73, 0x74, 0x61, 0x6d, 0x70, 0x52, 0x0b, 0x61, 0x74, 0x74, 0x65, 0x6d, 0x70, 0x74, 0x65, 0x64, - 0x41, 0x74, 0x4a, 0x04, 0x08, 0x03, 0x10, 0x04, 0x4a, 0x04, 0x08, 0x07, 0x10, 0x08, 0x22, 0xb8, - 0x01, 0x0a, 0x14, 0x41, 0x64, 0x64, 0x42, 0x6c, 0x6f, 0x63, 0x6b, 0x65, 0x64, 0x4b, 0x65, 0x79, - 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x18, 0x0a, 0x07, 0x6b, 0x65, 0x79, 0x48, 0x61, - 0x73, 0x68, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x07, 0x6b, 0x65, 0x79, 0x48, 0x61, 0x73, - 0x68, 0x12, 0x30, 0x0a, 0x05, 0x61, 0x64, 0x64, 0x65, 0x64, 0x18, 0x06, 0x20, 0x01, 0x28, 0x0b, + 0x65, 0x78, 0x70, 0x69, 0x72, 0x65, 0x73, 0x12, 0x1c, 0x0a, 0x09, 0x61, 0x74, 0x74, 0x65, 0x6d, + 0x70, 0x74, 0x65, 0x64, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x61, 0x74, 0x74, 0x65, + 0x6d, 0x70, 0x74, 0x65, 0x64, 0x12, 0x44, 0x0a, 0x11, 0x76, 0x61, 0x6c, 0x69, 0x64, 0x61, 0x74, + 0x69, 0x6f, 0x6e, 0x52, 0x65, 0x63, 0x6f, 0x72, 0x64, 0x73, 0x18, 0x05, 0x20, 0x03, 0x28, 0x0b, + 0x32, 0x16, 0x2e, 0x63, 0x6f, 0x72, 0x65, 0x2e, 0x56, 0x61, 0x6c, 0x69, 0x64, 0x61, 0x74, 0x69, + 0x6f, 0x6e, 0x52, 0x65, 0x63, 0x6f, 0x72, 0x64, 0x52, 0x11, 0x76, 0x61, 0x6c, 0x69, 0x64, 0x61, + 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x65, 0x63, 0x6f, 0x72, 0x64, 0x73, 0x12, 0x3e, 0x0a, 0x0f, 0x76, + 0x61, 0x6c, 0x69, 0x64, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x45, 0x72, 0x72, 0x6f, 0x72, 0x18, 0x06, + 0x20, 0x01, 0x28, 0x0b, 0x32, 0x14, 0x2e, 0x63, 0x6f, 0x72, 0x65, 0x2e, 0x50, 0x72, 0x6f, 0x62, + 0x6c, 0x65, 0x6d, 0x44, 0x65, 0x74, 0x61, 0x69, 0x6c, 0x73, 0x52, 0x0f, 0x76, 0x61, 0x6c, 0x69, + 0x64, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x45, 0x72, 0x72, 0x6f, 0x72, 0x12, 0x3c, 0x0a, 0x0b, 0x61, + 0x74, 0x74, 0x65, 0x6d, 0x70, 0x74, 0x65, 0x64, 0x41, 0x74, 0x18, 0x09, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, - 0x75, 0x66, 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 
0x6d, 0x70, 0x52, 0x05, 0x61, 0x64, - 0x64, 0x65, 0x64, 0x12, 0x16, 0x0a, 0x06, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x18, 0x03, 0x20, - 0x01, 0x28, 0x09, 0x52, 0x06, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x12, 0x18, 0x0a, 0x07, 0x63, - 0x6f, 0x6d, 0x6d, 0x65, 0x6e, 0x74, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x63, 0x6f, - 0x6d, 0x6d, 0x65, 0x6e, 0x74, 0x12, 0x1c, 0x0a, 0x09, 0x72, 0x65, 0x76, 0x6f, 0x6b, 0x65, 0x64, - 0x42, 0x79, 0x18, 0x05, 0x20, 0x01, 0x28, 0x03, 0x52, 0x09, 0x72, 0x65, 0x76, 0x6f, 0x6b, 0x65, - 0x64, 0x42, 0x79, 0x4a, 0x04, 0x08, 0x02, 0x10, 0x03, 0x22, 0x24, 0x0a, 0x08, 0x53, 0x50, 0x4b, - 0x49, 0x48, 0x61, 0x73, 0x68, 0x12, 0x18, 0x0a, 0x07, 0x6b, 0x65, 0x79, 0x48, 0x61, 0x73, 0x68, - 0x18, 0x01, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x07, 0x6b, 0x65, 0x79, 0x48, 0x61, 0x73, 0x68, 0x22, - 0xa4, 0x01, 0x0a, 0x08, 0x49, 0x6e, 0x63, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x12, 0x0e, 0x0a, 0x02, - 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x03, 0x52, 0x02, 0x69, 0x64, 0x12, 0x20, 0x0a, 0x0b, - 0x73, 0x65, 0x72, 0x69, 0x61, 0x6c, 0x54, 0x61, 0x62, 0x6c, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, - 0x09, 0x52, 0x0b, 0x73, 0x65, 0x72, 0x69, 0x61, 0x6c, 0x54, 0x61, 0x62, 0x6c, 0x65, 0x12, 0x10, - 0x0a, 0x03, 0x75, 0x72, 0x6c, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x75, 0x72, 0x6c, - 0x12, 0x34, 0x0a, 0x07, 0x72, 0x65, 0x6e, 0x65, 0x77, 0x42, 0x79, 0x18, 0x06, 0x20, 0x01, 0x28, - 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, - 0x62, 0x75, 0x66, 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x52, 0x07, 0x72, - 0x65, 0x6e, 0x65, 0x77, 0x42, 0x79, 0x12, 0x18, 0x0a, 0x07, 0x65, 0x6e, 0x61, 0x62, 0x6c, 0x65, - 0x64, 0x18, 0x05, 0x20, 0x01, 0x28, 0x08, 0x52, 0x07, 0x65, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x64, - 0x4a, 0x04, 0x08, 0x04, 0x10, 0x05, 0x22, 0x37, 0x0a, 0x09, 0x49, 0x6e, 0x63, 0x69, 0x64, 0x65, - 0x6e, 0x74, 0x73, 0x12, 0x2a, 0x0a, 0x09, 0x69, 0x6e, 0x63, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x73, - 
0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x0c, 0x2e, 0x73, 0x61, 0x2e, 0x49, 0x6e, 0x63, 0x69, - 0x64, 0x65, 0x6e, 0x74, 0x52, 0x09, 0x69, 0x6e, 0x63, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x73, 0x22, - 0x41, 0x0a, 0x19, 0x53, 0x65, 0x72, 0x69, 0x61, 0x6c, 0x73, 0x46, 0x6f, 0x72, 0x49, 0x6e, 0x63, - 0x69, 0x64, 0x65, 0x6e, 0x74, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x24, 0x0a, 0x0d, - 0x69, 0x6e, 0x63, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x54, 0x61, 0x62, 0x6c, 0x65, 0x18, 0x01, 0x20, - 0x01, 0x28, 0x09, 0x52, 0x0d, 0x69, 0x6e, 0x63, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x54, 0x61, 0x62, - 0x6c, 0x65, 0x22, 0xb4, 0x01, 0x0a, 0x0e, 0x49, 0x6e, 0x63, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x53, - 0x65, 0x72, 0x69, 0x61, 0x6c, 0x12, 0x16, 0x0a, 0x06, 0x73, 0x65, 0x72, 0x69, 0x61, 0x6c, 0x18, - 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x73, 0x65, 0x72, 0x69, 0x61, 0x6c, 0x12, 0x26, 0x0a, - 0x0e, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x49, 0x44, 0x18, - 0x02, 0x20, 0x01, 0x28, 0x03, 0x52, 0x0e, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x61, 0x74, - 0x69, 0x6f, 0x6e, 0x49, 0x44, 0x12, 0x18, 0x0a, 0x07, 0x6f, 0x72, 0x64, 0x65, 0x72, 0x49, 0x44, - 0x18, 0x03, 0x20, 0x01, 0x28, 0x03, 0x52, 0x07, 0x6f, 0x72, 0x64, 0x65, 0x72, 0x49, 0x44, 0x12, - 0x42, 0x0a, 0x0e, 0x6c, 0x61, 0x73, 0x74, 0x4e, 0x6f, 0x74, 0x69, 0x63, 0x65, 0x53, 0x65, 0x6e, - 0x74, 0x18, 0x05, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, + 0x75, 0x66, 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x52, 0x0b, 0x61, 0x74, + 0x74, 0x65, 0x6d, 0x70, 0x74, 0x65, 0x64, 0x41, 0x74, 0x4a, 0x04, 0x08, 0x03, 0x10, 0x04, 0x4a, + 0x04, 0x08, 0x07, 0x10, 0x08, 0x22, 0xb8, 0x01, 0x0a, 0x14, 0x41, 0x64, 0x64, 0x42, 0x6c, 0x6f, + 0x63, 0x6b, 0x65, 0x64, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x18, + 0x0a, 0x07, 0x6b, 0x65, 0x79, 0x48, 0x61, 0x73, 0x68, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0c, 0x52, + 0x07, 0x6b, 0x65, 0x79, 0x48, 0x61, 
0x73, 0x68, 0x12, 0x30, 0x0a, 0x05, 0x61, 0x64, 0x64, 0x65, + 0x64, 0x18, 0x06, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, - 0x61, 0x6d, 0x70, 0x52, 0x0e, 0x6c, 0x61, 0x73, 0x74, 0x4e, 0x6f, 0x74, 0x69, 0x63, 0x65, 0x53, - 0x65, 0x6e, 0x74, 0x4a, 0x04, 0x08, 0x04, 0x10, 0x05, 0x22, 0xae, 0x02, 0x0a, 0x16, 0x47, 0x65, - 0x74, 0x52, 0x65, 0x76, 0x6f, 0x6b, 0x65, 0x64, 0x43, 0x65, 0x72, 0x74, 0x73, 0x52, 0x65, 0x71, - 0x75, 0x65, 0x73, 0x74, 0x12, 0x22, 0x0a, 0x0c, 0x69, 0x73, 0x73, 0x75, 0x65, 0x72, 0x4e, 0x61, - 0x6d, 0x65, 0x49, 0x44, 0x18, 0x01, 0x20, 0x01, 0x28, 0x03, 0x52, 0x0c, 0x69, 0x73, 0x73, 0x75, - 0x65, 0x72, 0x4e, 0x61, 0x6d, 0x65, 0x49, 0x44, 0x12, 0x3e, 0x0a, 0x0c, 0x65, 0x78, 0x70, 0x69, - 0x72, 0x65, 0x73, 0x41, 0x66, 0x74, 0x65, 0x72, 0x18, 0x06, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, + 0x61, 0x6d, 0x70, 0x52, 0x05, 0x61, 0x64, 0x64, 0x65, 0x64, 0x12, 0x16, 0x0a, 0x06, 0x73, 0x6f, + 0x75, 0x72, 0x63, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x73, 0x6f, 0x75, 0x72, + 0x63, 0x65, 0x12, 0x18, 0x0a, 0x07, 0x63, 0x6f, 0x6d, 0x6d, 0x65, 0x6e, 0x74, 0x18, 0x04, 0x20, + 0x01, 0x28, 0x09, 0x52, 0x07, 0x63, 0x6f, 0x6d, 0x6d, 0x65, 0x6e, 0x74, 0x12, 0x1c, 0x0a, 0x09, + 0x72, 0x65, 0x76, 0x6f, 0x6b, 0x65, 0x64, 0x42, 0x79, 0x18, 0x05, 0x20, 0x01, 0x28, 0x03, 0x52, + 0x09, 0x72, 0x65, 0x76, 0x6f, 0x6b, 0x65, 0x64, 0x42, 0x79, 0x4a, 0x04, 0x08, 0x02, 0x10, 0x03, + 0x22, 0x24, 0x0a, 0x08, 0x53, 0x50, 0x4b, 0x49, 0x48, 0x61, 0x73, 0x68, 0x12, 0x18, 0x0a, 0x07, + 0x6b, 0x65, 0x79, 0x48, 0x61, 0x73, 0x68, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x07, 0x6b, + 0x65, 0x79, 0x48, 0x61, 0x73, 0x68, 0x22, 0xa4, 0x01, 0x0a, 0x08, 0x49, 0x6e, 0x63, 0x69, 0x64, + 0x65, 0x6e, 0x74, 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x03, 0x52, + 0x02, 0x69, 0x64, 0x12, 0x20, 0x0a, 0x0b, 0x73, 0x65, 0x72, 0x69, 0x61, 0x6c, 
0x54, 0x61, 0x62, + 0x6c, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0b, 0x73, 0x65, 0x72, 0x69, 0x61, 0x6c, + 0x54, 0x61, 0x62, 0x6c, 0x65, 0x12, 0x10, 0x0a, 0x03, 0x75, 0x72, 0x6c, 0x18, 0x03, 0x20, 0x01, + 0x28, 0x09, 0x52, 0x03, 0x75, 0x72, 0x6c, 0x12, 0x34, 0x0a, 0x07, 0x72, 0x65, 0x6e, 0x65, 0x77, + 0x42, 0x79, 0x18, 0x06, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, + 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73, + 0x74, 0x61, 0x6d, 0x70, 0x52, 0x07, 0x72, 0x65, 0x6e, 0x65, 0x77, 0x42, 0x79, 0x12, 0x18, 0x0a, + 0x07, 0x65, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x64, 0x18, 0x05, 0x20, 0x01, 0x28, 0x08, 0x52, 0x07, + 0x65, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x64, 0x4a, 0x04, 0x08, 0x04, 0x10, 0x05, 0x22, 0x37, 0x0a, + 0x09, 0x49, 0x6e, 0x63, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x73, 0x12, 0x2a, 0x0a, 0x09, 0x69, 0x6e, + 0x63, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x0c, 0x2e, + 0x73, 0x61, 0x2e, 0x49, 0x6e, 0x63, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x52, 0x09, 0x69, 0x6e, 0x63, + 0x69, 0x64, 0x65, 0x6e, 0x74, 0x73, 0x22, 0x41, 0x0a, 0x19, 0x53, 0x65, 0x72, 0x69, 0x61, 0x6c, + 0x73, 0x46, 0x6f, 0x72, 0x49, 0x6e, 0x63, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x52, 0x65, 0x71, 0x75, + 0x65, 0x73, 0x74, 0x12, 0x24, 0x0a, 0x0d, 0x69, 0x6e, 0x63, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x54, + 0x61, 0x62, 0x6c, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0d, 0x69, 0x6e, 0x63, 0x69, + 0x64, 0x65, 0x6e, 0x74, 0x54, 0x61, 0x62, 0x6c, 0x65, 0x22, 0xb4, 0x01, 0x0a, 0x0e, 0x49, 0x6e, + 0x63, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x53, 0x65, 0x72, 0x69, 0x61, 0x6c, 0x12, 0x16, 0x0a, 0x06, + 0x73, 0x65, 0x72, 0x69, 0x61, 0x6c, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x73, 0x65, + 0x72, 0x69, 0x61, 0x6c, 0x12, 0x26, 0x0a, 0x0e, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x61, + 0x74, 0x69, 0x6f, 0x6e, 0x49, 0x44, 0x18, 0x02, 0x20, 0x01, 0x28, 0x03, 0x52, 0x0e, 0x72, 0x65, + 0x67, 0x69, 0x73, 
0x74, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x49, 0x44, 0x12, 0x18, 0x0a, 0x07, + 0x6f, 0x72, 0x64, 0x65, 0x72, 0x49, 0x44, 0x18, 0x03, 0x20, 0x01, 0x28, 0x03, 0x52, 0x07, 0x6f, + 0x72, 0x64, 0x65, 0x72, 0x49, 0x44, 0x12, 0x42, 0x0a, 0x0e, 0x6c, 0x61, 0x73, 0x74, 0x4e, 0x6f, + 0x74, 0x69, 0x63, 0x65, 0x53, 0x65, 0x6e, 0x74, 0x18, 0x05, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, - 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x52, 0x0c, 0x65, 0x78, 0x70, 0x69, - 0x72, 0x65, 0x73, 0x41, 0x66, 0x74, 0x65, 0x72, 0x12, 0x40, 0x0a, 0x0d, 0x65, 0x78, 0x70, 0x69, - 0x72, 0x65, 0x73, 0x42, 0x65, 0x66, 0x6f, 0x72, 0x65, 0x18, 0x07, 0x20, 0x01, 0x28, 0x0b, 0x32, - 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, - 0x66, 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x52, 0x0d, 0x65, 0x78, 0x70, - 0x69, 0x72, 0x65, 0x73, 0x42, 0x65, 0x66, 0x6f, 0x72, 0x65, 0x12, 0x40, 0x0a, 0x0d, 0x72, 0x65, - 0x76, 0x6f, 0x6b, 0x65, 0x64, 0x42, 0x65, 0x66, 0x6f, 0x72, 0x65, 0x18, 0x08, 0x20, 0x01, 0x28, - 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, - 0x62, 0x75, 0x66, 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x52, 0x0d, 0x72, - 0x65, 0x76, 0x6f, 0x6b, 0x65, 0x64, 0x42, 0x65, 0x66, 0x6f, 0x72, 0x65, 0x12, 0x1a, 0x0a, 0x08, - 0x73, 0x68, 0x61, 0x72, 0x64, 0x49, 0x64, 0x78, 0x18, 0x05, 0x20, 0x01, 0x28, 0x03, 0x52, 0x08, - 0x73, 0x68, 0x61, 0x72, 0x64, 0x49, 0x64, 0x78, 0x4a, 0x04, 0x08, 0x02, 0x10, 0x03, 0x4a, 0x04, - 0x08, 0x03, 0x10, 0x04, 0x4a, 0x04, 0x08, 0x04, 0x10, 0x05, 0x22, 0x8e, 0x01, 0x0a, 0x10, 0x52, - 0x65, 0x76, 0x6f, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x12, - 0x16, 0x0a, 0x06, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x18, 0x01, 0x20, 0x01, 0x28, 0x03, 0x52, - 0x06, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x12, 0x24, 0x0a, 
0x0d, 0x72, 0x65, 0x76, 0x6f, 0x6b, - 0x65, 0x64, 0x52, 0x65, 0x61, 0x73, 0x6f, 0x6e, 0x18, 0x02, 0x20, 0x01, 0x28, 0x03, 0x52, 0x0d, - 0x72, 0x65, 0x76, 0x6f, 0x6b, 0x65, 0x64, 0x52, 0x65, 0x61, 0x73, 0x6f, 0x6e, 0x12, 0x3c, 0x0a, - 0x0b, 0x72, 0x65, 0x76, 0x6f, 0x6b, 0x65, 0x64, 0x44, 0x61, 0x74, 0x65, 0x18, 0x03, 0x20, 0x01, - 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, - 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x52, 0x0b, - 0x72, 0x65, 0x76, 0x6f, 0x6b, 0x65, 0x64, 0x44, 0x61, 0x74, 0x65, 0x22, 0xb0, 0x01, 0x0a, 0x14, - 0x4c, 0x65, 0x61, 0x73, 0x65, 0x43, 0x52, 0x4c, 0x53, 0x68, 0x61, 0x72, 0x64, 0x52, 0x65, 0x71, - 0x75, 0x65, 0x73, 0x74, 0x12, 0x22, 0x0a, 0x0c, 0x69, 0x73, 0x73, 0x75, 0x65, 0x72, 0x4e, 0x61, - 0x6d, 0x65, 0x49, 0x44, 0x18, 0x01, 0x20, 0x01, 0x28, 0x03, 0x52, 0x0c, 0x69, 0x73, 0x73, 0x75, - 0x65, 0x72, 0x4e, 0x61, 0x6d, 0x65, 0x49, 0x44, 0x12, 0x20, 0x0a, 0x0b, 0x6d, 0x69, 0x6e, 0x53, - 0x68, 0x61, 0x72, 0x64, 0x49, 0x64, 0x78, 0x18, 0x02, 0x20, 0x01, 0x28, 0x03, 0x52, 0x0b, 0x6d, - 0x69, 0x6e, 0x53, 0x68, 0x61, 0x72, 0x64, 0x49, 0x64, 0x78, 0x12, 0x20, 0x0a, 0x0b, 0x6d, 0x61, - 0x78, 0x53, 0x68, 0x61, 0x72, 0x64, 0x49, 0x64, 0x78, 0x18, 0x03, 0x20, 0x01, 0x28, 0x03, 0x52, - 0x0b, 0x6d, 0x61, 0x78, 0x53, 0x68, 0x61, 0x72, 0x64, 0x49, 0x64, 0x78, 0x12, 0x30, 0x0a, 0x05, - 0x75, 0x6e, 0x74, 0x69, 0x6c, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, - 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54, 0x69, - 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x52, 0x05, 0x75, 0x6e, 0x74, 0x69, 0x6c, 0x22, 0x57, - 0x0a, 0x15, 0x4c, 0x65, 0x61, 0x73, 0x65, 0x43, 0x52, 0x4c, 0x53, 0x68, 0x61, 0x72, 0x64, 0x52, - 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x22, 0x0a, 0x0c, 0x69, 0x73, 0x73, 0x75, 0x65, - 0x72, 0x4e, 0x61, 0x6d, 0x65, 0x49, 0x44, 0x18, 0x01, 0x20, 0x01, 0x28, 0x03, 0x52, 0x0c, 0x69, - 
0x73, 0x73, 0x75, 0x65, 0x72, 0x4e, 0x61, 0x6d, 0x65, 0x49, 0x44, 0x12, 0x1a, 0x0a, 0x08, 0x73, - 0x68, 0x61, 0x72, 0x64, 0x49, 0x64, 0x78, 0x18, 0x02, 0x20, 0x01, 0x28, 0x03, 0x52, 0x08, 0x73, - 0x68, 0x61, 0x72, 0x64, 0x49, 0x64, 0x78, 0x22, 0xcf, 0x01, 0x0a, 0x15, 0x55, 0x70, 0x64, 0x61, - 0x74, 0x65, 0x43, 0x52, 0x4c, 0x53, 0x68, 0x61, 0x72, 0x64, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, - 0x74, 0x12, 0x22, 0x0a, 0x0c, 0x69, 0x73, 0x73, 0x75, 0x65, 0x72, 0x4e, 0x61, 0x6d, 0x65, 0x49, - 0x44, 0x18, 0x01, 0x20, 0x01, 0x28, 0x03, 0x52, 0x0c, 0x69, 0x73, 0x73, 0x75, 0x65, 0x72, 0x4e, - 0x61, 0x6d, 0x65, 0x49, 0x44, 0x12, 0x1a, 0x0a, 0x08, 0x73, 0x68, 0x61, 0x72, 0x64, 0x49, 0x64, - 0x78, 0x18, 0x02, 0x20, 0x01, 0x28, 0x03, 0x52, 0x08, 0x73, 0x68, 0x61, 0x72, 0x64, 0x49, 0x64, - 0x78, 0x12, 0x3a, 0x0a, 0x0a, 0x74, 0x68, 0x69, 0x73, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x18, - 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, + 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x52, 0x0e, 0x6c, 0x61, 0x73, 0x74, + 0x4e, 0x6f, 0x74, 0x69, 0x63, 0x65, 0x53, 0x65, 0x6e, 0x74, 0x4a, 0x04, 0x08, 0x04, 0x10, 0x05, + 0x22, 0xae, 0x02, 0x0a, 0x16, 0x47, 0x65, 0x74, 0x52, 0x65, 0x76, 0x6f, 0x6b, 0x65, 0x64, 0x43, + 0x65, 0x72, 0x74, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x22, 0x0a, 0x0c, 0x69, + 0x73, 0x73, 0x75, 0x65, 0x72, 0x4e, 0x61, 0x6d, 0x65, 0x49, 0x44, 0x18, 0x01, 0x20, 0x01, 0x28, + 0x03, 0x52, 0x0c, 0x69, 0x73, 0x73, 0x75, 0x65, 0x72, 0x4e, 0x61, 0x6d, 0x65, 0x49, 0x44, 0x12, + 0x3e, 0x0a, 0x0c, 0x65, 0x78, 0x70, 0x69, 0x72, 0x65, 0x73, 0x41, 0x66, 0x74, 0x65, 0x72, 0x18, + 0x06, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, - 0x70, 0x52, 0x0a, 0x74, 0x68, 0x69, 0x73, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x12, 0x3a, 0x0a, - 0x0a, 0x6e, 0x65, 0x78, 0x74, 0x55, 0x70, 
0x64, 0x61, 0x74, 0x65, 0x18, 0x04, 0x20, 0x01, 0x28, - 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, - 0x62, 0x75, 0x66, 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x52, 0x0a, 0x6e, - 0x65, 0x78, 0x74, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x22, 0x41, 0x0a, 0x0b, 0x49, 0x64, 0x65, - 0x6e, 0x74, 0x69, 0x66, 0x69, 0x65, 0x72, 0x73, 0x12, 0x32, 0x0a, 0x0b, 0x69, 0x64, 0x65, 0x6e, - 0x74, 0x69, 0x66, 0x69, 0x65, 0x72, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x10, 0x2e, - 0x63, 0x6f, 0x72, 0x65, 0x2e, 0x49, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x66, 0x69, 0x65, 0x72, 0x52, - 0x0b, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x66, 0x69, 0x65, 0x72, 0x73, 0x22, 0x6a, 0x0a, 0x0c, - 0x50, 0x61, 0x75, 0x73, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x26, 0x0a, 0x0e, - 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x49, 0x44, 0x18, 0x01, - 0x20, 0x01, 0x28, 0x03, 0x52, 0x0e, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x61, 0x74, 0x69, - 0x6f, 0x6e, 0x49, 0x44, 0x12, 0x32, 0x0a, 0x0b, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x66, 0x69, - 0x65, 0x72, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x10, 0x2e, 0x63, 0x6f, 0x72, 0x65, - 0x2e, 0x49, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x66, 0x69, 0x65, 0x72, 0x52, 0x0b, 0x69, 0x64, 0x65, - 0x6e, 0x74, 0x69, 0x66, 0x69, 0x65, 0x72, 0x73, 0x22, 0x4e, 0x0a, 0x18, 0x50, 0x61, 0x75, 0x73, - 0x65, 0x49, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x66, 0x69, 0x65, 0x72, 0x73, 0x52, 0x65, 0x73, 0x70, - 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x16, 0x0a, 0x06, 0x70, 0x61, 0x75, 0x73, 0x65, 0x64, 0x18, 0x01, - 0x20, 0x01, 0x28, 0x03, 0x52, 0x06, 0x70, 0x61, 0x75, 0x73, 0x65, 0x64, 0x12, 0x1a, 0x0a, 0x08, - 0x72, 0x65, 0x70, 0x61, 0x75, 0x73, 0x65, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x03, 0x52, 0x08, - 0x72, 0x65, 0x70, 0x61, 0x75, 0x73, 0x65, 0x64, 0x22, 0x66, 0x0a, 0x20, 0x55, 0x70, 0x64, 0x61, - 0x74, 0x65, 0x52, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x61, 0x74, 0x69, 0x6f, 
0x6e, 0x43, 0x6f, - 0x6e, 0x74, 0x61, 0x63, 0x74, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x26, 0x0a, 0x0e, - 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x49, 0x44, 0x18, 0x01, - 0x20, 0x01, 0x28, 0x03, 0x52, 0x0e, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x61, 0x74, 0x69, - 0x6f, 0x6e, 0x49, 0x44, 0x12, 0x1a, 0x0a, 0x08, 0x63, 0x6f, 0x6e, 0x74, 0x61, 0x63, 0x74, 0x73, - 0x18, 0x02, 0x20, 0x03, 0x28, 0x09, 0x52, 0x08, 0x63, 0x6f, 0x6e, 0x74, 0x61, 0x63, 0x74, 0x73, - 0x22, 0x58, 0x0a, 0x1c, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x52, 0x65, 0x67, 0x69, 0x73, 0x74, - 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, - 0x12, 0x26, 0x0a, 0x0e, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, - 0x49, 0x44, 0x18, 0x01, 0x20, 0x01, 0x28, 0x03, 0x52, 0x0e, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, - 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x49, 0x44, 0x12, 0x10, 0x0a, 0x03, 0x6a, 0x77, 0x6b, 0x18, - 0x02, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x03, 0x6a, 0x77, 0x6b, 0x32, 0xd2, 0x0e, 0x0a, 0x18, 0x53, - 0x74, 0x6f, 0x72, 0x61, 0x67, 0x65, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x52, - 0x65, 0x61, 0x64, 0x4f, 0x6e, 0x6c, 0x79, 0x12, 0x53, 0x0a, 0x18, 0x43, 0x6f, 0x75, 0x6e, 0x74, - 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x73, 0x42, 0x79, 0x4e, 0x61, - 0x6d, 0x65, 0x73, 0x12, 0x23, 0x2e, 0x73, 0x61, 0x2e, 0x43, 0x6f, 0x75, 0x6e, 0x74, 0x43, 0x65, - 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x73, 0x42, 0x79, 0x4e, 0x61, 0x6d, 0x65, - 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x10, 0x2e, 0x73, 0x61, 0x2e, 0x43, 0x6f, - 0x75, 0x6e, 0x74, 0x42, 0x79, 0x4e, 0x61, 0x6d, 0x65, 0x73, 0x22, 0x00, 0x12, 0x51, 0x0a, 0x1b, - 0x43, 0x6f, 0x75, 0x6e, 0x74, 0x49, 0x6e, 0x76, 0x61, 0x6c, 0x69, 0x64, 0x41, 0x75, 0x74, 0x68, - 0x6f, 0x72, 0x69, 0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x32, 0x12, 0x25, 0x2e, 0x73, 0x61, - 0x2e, 0x43, 0x6f, 
0x75, 0x6e, 0x74, 0x49, 0x6e, 0x76, 0x61, 0x6c, 0x69, 0x64, 0x41, 0x75, 0x74, - 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, - 0x73, 0x74, 0x1a, 0x09, 0x2e, 0x73, 0x61, 0x2e, 0x43, 0x6f, 0x75, 0x6e, 0x74, 0x22, 0x00, 0x12, - 0x32, 0x0a, 0x0b, 0x43, 0x6f, 0x75, 0x6e, 0x74, 0x4f, 0x72, 0x64, 0x65, 0x72, 0x73, 0x12, 0x16, - 0x2e, 0x73, 0x61, 0x2e, 0x43, 0x6f, 0x75, 0x6e, 0x74, 0x4f, 0x72, 0x64, 0x65, 0x72, 0x73, 0x52, + 0x70, 0x52, 0x0c, 0x65, 0x78, 0x70, 0x69, 0x72, 0x65, 0x73, 0x41, 0x66, 0x74, 0x65, 0x72, 0x12, + 0x40, 0x0a, 0x0d, 0x65, 0x78, 0x70, 0x69, 0x72, 0x65, 0x73, 0x42, 0x65, 0x66, 0x6f, 0x72, 0x65, + 0x18, 0x07, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, + 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, + 0x6d, 0x70, 0x52, 0x0d, 0x65, 0x78, 0x70, 0x69, 0x72, 0x65, 0x73, 0x42, 0x65, 0x66, 0x6f, 0x72, + 0x65, 0x12, 0x40, 0x0a, 0x0d, 0x72, 0x65, 0x76, 0x6f, 0x6b, 0x65, 0x64, 0x42, 0x65, 0x66, 0x6f, + 0x72, 0x65, 0x18, 0x08, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, + 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73, + 0x74, 0x61, 0x6d, 0x70, 0x52, 0x0d, 0x72, 0x65, 0x76, 0x6f, 0x6b, 0x65, 0x64, 0x42, 0x65, 0x66, + 0x6f, 0x72, 0x65, 0x12, 0x1a, 0x0a, 0x08, 0x73, 0x68, 0x61, 0x72, 0x64, 0x49, 0x64, 0x78, 0x18, + 0x05, 0x20, 0x01, 0x28, 0x03, 0x52, 0x08, 0x73, 0x68, 0x61, 0x72, 0x64, 0x49, 0x64, 0x78, 0x4a, + 0x04, 0x08, 0x02, 0x10, 0x03, 0x4a, 0x04, 0x08, 0x03, 0x10, 0x04, 0x4a, 0x04, 0x08, 0x04, 0x10, + 0x05, 0x22, 0x8e, 0x01, 0x0a, 0x10, 0x52, 0x65, 0x76, 0x6f, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, + 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x12, 0x16, 0x0a, 0x06, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73, + 0x18, 0x01, 0x20, 0x01, 0x28, 0x03, 0x52, 0x06, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x12, 0x24, + 0x0a, 0x0d, 0x72, 0x65, 0x76, 0x6f, 0x6b, 0x65, 0x64, 
0x52, 0x65, 0x61, 0x73, 0x6f, 0x6e, 0x18, + 0x02, 0x20, 0x01, 0x28, 0x03, 0x52, 0x0d, 0x72, 0x65, 0x76, 0x6f, 0x6b, 0x65, 0x64, 0x52, 0x65, + 0x61, 0x73, 0x6f, 0x6e, 0x12, 0x3c, 0x0a, 0x0b, 0x72, 0x65, 0x76, 0x6f, 0x6b, 0x65, 0x64, 0x44, + 0x61, 0x74, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, + 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54, 0x69, 0x6d, 0x65, + 0x73, 0x74, 0x61, 0x6d, 0x70, 0x52, 0x0b, 0x72, 0x65, 0x76, 0x6f, 0x6b, 0x65, 0x64, 0x44, 0x61, + 0x74, 0x65, 0x22, 0xb0, 0x01, 0x0a, 0x14, 0x4c, 0x65, 0x61, 0x73, 0x65, 0x43, 0x52, 0x4c, 0x53, + 0x68, 0x61, 0x72, 0x64, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x22, 0x0a, 0x0c, 0x69, + 0x73, 0x73, 0x75, 0x65, 0x72, 0x4e, 0x61, 0x6d, 0x65, 0x49, 0x44, 0x18, 0x01, 0x20, 0x01, 0x28, + 0x03, 0x52, 0x0c, 0x69, 0x73, 0x73, 0x75, 0x65, 0x72, 0x4e, 0x61, 0x6d, 0x65, 0x49, 0x44, 0x12, + 0x20, 0x0a, 0x0b, 0x6d, 0x69, 0x6e, 0x53, 0x68, 0x61, 0x72, 0x64, 0x49, 0x64, 0x78, 0x18, 0x02, + 0x20, 0x01, 0x28, 0x03, 0x52, 0x0b, 0x6d, 0x69, 0x6e, 0x53, 0x68, 0x61, 0x72, 0x64, 0x49, 0x64, + 0x78, 0x12, 0x20, 0x0a, 0x0b, 0x6d, 0x61, 0x78, 0x53, 0x68, 0x61, 0x72, 0x64, 0x49, 0x64, 0x78, + 0x18, 0x03, 0x20, 0x01, 0x28, 0x03, 0x52, 0x0b, 0x6d, 0x61, 0x78, 0x53, 0x68, 0x61, 0x72, 0x64, + 0x49, 0x64, 0x78, 0x12, 0x30, 0x0a, 0x05, 0x75, 0x6e, 0x74, 0x69, 0x6c, 0x18, 0x04, 0x20, 0x01, + 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, + 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x52, 0x05, + 0x75, 0x6e, 0x74, 0x69, 0x6c, 0x22, 0x57, 0x0a, 0x15, 0x4c, 0x65, 0x61, 0x73, 0x65, 0x43, 0x52, + 0x4c, 0x53, 0x68, 0x61, 0x72, 0x64, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x22, + 0x0a, 0x0c, 0x69, 0x73, 0x73, 0x75, 0x65, 0x72, 0x4e, 0x61, 0x6d, 0x65, 0x49, 0x44, 0x18, 0x01, + 0x20, 0x01, 0x28, 0x03, 0x52, 0x0c, 0x69, 0x73, 0x73, 0x75, 0x65, 0x72, 0x4e, 0x61, 0x6d, 
0x65, + 0x49, 0x44, 0x12, 0x1a, 0x0a, 0x08, 0x73, 0x68, 0x61, 0x72, 0x64, 0x49, 0x64, 0x78, 0x18, 0x02, + 0x20, 0x01, 0x28, 0x03, 0x52, 0x08, 0x73, 0x68, 0x61, 0x72, 0x64, 0x49, 0x64, 0x78, 0x22, 0xcf, + 0x01, 0x0a, 0x15, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x43, 0x52, 0x4c, 0x53, 0x68, 0x61, 0x72, + 0x64, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x22, 0x0a, 0x0c, 0x69, 0x73, 0x73, 0x75, + 0x65, 0x72, 0x4e, 0x61, 0x6d, 0x65, 0x49, 0x44, 0x18, 0x01, 0x20, 0x01, 0x28, 0x03, 0x52, 0x0c, + 0x69, 0x73, 0x73, 0x75, 0x65, 0x72, 0x4e, 0x61, 0x6d, 0x65, 0x49, 0x44, 0x12, 0x1a, 0x0a, 0x08, + 0x73, 0x68, 0x61, 0x72, 0x64, 0x49, 0x64, 0x78, 0x18, 0x02, 0x20, 0x01, 0x28, 0x03, 0x52, 0x08, + 0x73, 0x68, 0x61, 0x72, 0x64, 0x49, 0x64, 0x78, 0x12, 0x3a, 0x0a, 0x0a, 0x74, 0x68, 0x69, 0x73, + 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, + 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54, + 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x52, 0x0a, 0x74, 0x68, 0x69, 0x73, 0x55, 0x70, + 0x64, 0x61, 0x74, 0x65, 0x12, 0x3a, 0x0a, 0x0a, 0x6e, 0x65, 0x78, 0x74, 0x55, 0x70, 0x64, 0x61, + 0x74, 0x65, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, + 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73, + 0x74, 0x61, 0x6d, 0x70, 0x52, 0x0a, 0x6e, 0x65, 0x78, 0x74, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, + 0x22, 0x41, 0x0a, 0x0b, 0x49, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x66, 0x69, 0x65, 0x72, 0x73, 0x12, + 0x32, 0x0a, 0x0b, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x66, 0x69, 0x65, 0x72, 0x73, 0x18, 0x01, + 0x20, 0x03, 0x28, 0x0b, 0x32, 0x10, 0x2e, 0x63, 0x6f, 0x72, 0x65, 0x2e, 0x49, 0x64, 0x65, 0x6e, + 0x74, 0x69, 0x66, 0x69, 0x65, 0x72, 0x52, 0x0b, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x66, 0x69, + 0x65, 0x72, 0x73, 0x22, 0x6a, 0x0a, 0x0c, 0x50, 0x61, 0x75, 0x73, 0x65, 0x52, 0x65, 0x71, 0x75, + 0x65, 0x73, 0x74, 0x12, 0x26, 
0x0a, 0x0e, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x61, 0x74, + 0x69, 0x6f, 0x6e, 0x49, 0x44, 0x18, 0x01, 0x20, 0x01, 0x28, 0x03, 0x52, 0x0e, 0x72, 0x65, 0x67, + 0x69, 0x73, 0x74, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x49, 0x44, 0x12, 0x32, 0x0a, 0x0b, 0x69, + 0x64, 0x65, 0x6e, 0x74, 0x69, 0x66, 0x69, 0x65, 0x72, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x0b, + 0x32, 0x10, 0x2e, 0x63, 0x6f, 0x72, 0x65, 0x2e, 0x49, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x66, 0x69, + 0x65, 0x72, 0x52, 0x0b, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x66, 0x69, 0x65, 0x72, 0x73, 0x22, + 0x4e, 0x0a, 0x18, 0x50, 0x61, 0x75, 0x73, 0x65, 0x49, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x66, 0x69, + 0x65, 0x72, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x16, 0x0a, 0x06, 0x70, + 0x61, 0x75, 0x73, 0x65, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x03, 0x52, 0x06, 0x70, 0x61, 0x75, + 0x73, 0x65, 0x64, 0x12, 0x1a, 0x0a, 0x08, 0x72, 0x65, 0x70, 0x61, 0x75, 0x73, 0x65, 0x64, 0x18, + 0x02, 0x20, 0x01, 0x28, 0x03, 0x52, 0x08, 0x72, 0x65, 0x70, 0x61, 0x75, 0x73, 0x65, 0x64, 0x22, + 0x66, 0x0a, 0x20, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x52, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, + 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x43, 0x6f, 0x6e, 0x74, 0x61, 0x63, 0x74, 0x52, 0x65, 0x71, 0x75, + 0x65, 0x73, 0x74, 0x12, 0x26, 0x0a, 0x0e, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x61, 0x74, + 0x69, 0x6f, 0x6e, 0x49, 0x44, 0x18, 0x01, 0x20, 0x01, 0x28, 0x03, 0x52, 0x0e, 0x72, 0x65, 0x67, + 0x69, 0x73, 0x74, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x49, 0x44, 0x12, 0x1a, 0x0a, 0x08, 0x63, + 0x6f, 0x6e, 0x74, 0x61, 0x63, 0x74, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x09, 0x52, 0x08, 0x63, + 0x6f, 0x6e, 0x74, 0x61, 0x63, 0x74, 0x73, 0x22, 0x58, 0x0a, 0x1c, 0x55, 0x70, 0x64, 0x61, 0x74, + 0x65, 0x52, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x4b, 0x65, 0x79, + 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x26, 0x0a, 0x0e, 0x72, 0x65, 0x67, 0x69, 0x73, + 0x74, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x49, 0x44, 0x18, 0x01, 
0x20, 0x01, 0x28, 0x03, 0x52, + 0x0e, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x49, 0x44, 0x12, + 0x10, 0x0a, 0x03, 0x6a, 0x77, 0x6b, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x03, 0x6a, 0x77, + 0x6b, 0x32, 0xd2, 0x0e, 0x0a, 0x18, 0x53, 0x74, 0x6f, 0x72, 0x61, 0x67, 0x65, 0x41, 0x75, 0x74, + 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x52, 0x65, 0x61, 0x64, 0x4f, 0x6e, 0x6c, 0x79, 0x12, 0x53, + 0x0a, 0x18, 0x43, 0x6f, 0x75, 0x6e, 0x74, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, + 0x74, 0x65, 0x73, 0x42, 0x79, 0x4e, 0x61, 0x6d, 0x65, 0x73, 0x12, 0x23, 0x2e, 0x73, 0x61, 0x2e, + 0x43, 0x6f, 0x75, 0x6e, 0x74, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, + 0x73, 0x42, 0x79, 0x4e, 0x61, 0x6d, 0x65, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, + 0x10, 0x2e, 0x73, 0x61, 0x2e, 0x43, 0x6f, 0x75, 0x6e, 0x74, 0x42, 0x79, 0x4e, 0x61, 0x6d, 0x65, + 0x73, 0x22, 0x00, 0x12, 0x51, 0x0a, 0x1b, 0x43, 0x6f, 0x75, 0x6e, 0x74, 0x49, 0x6e, 0x76, 0x61, + 0x6c, 0x69, 0x64, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, + 0x73, 0x32, 0x12, 0x25, 0x2e, 0x73, 0x61, 0x2e, 0x43, 0x6f, 0x75, 0x6e, 0x74, 0x49, 0x6e, 0x76, + 0x61, 0x6c, 0x69, 0x64, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x61, 0x74, 0x69, 0x6f, + 0x6e, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x09, 0x2e, 0x73, 0x61, 0x2e, 0x43, + 0x6f, 0x75, 0x6e, 0x74, 0x22, 0x00, 0x12, 0x32, 0x0a, 0x0b, 0x43, 0x6f, 0x75, 0x6e, 0x74, 0x4f, + 0x72, 0x64, 0x65, 0x72, 0x73, 0x12, 0x16, 0x2e, 0x73, 0x61, 0x2e, 0x43, 0x6f, 0x75, 0x6e, 0x74, + 0x4f, 0x72, 0x64, 0x65, 0x72, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x09, 0x2e, + 0x73, 0x61, 0x2e, 0x43, 0x6f, 0x75, 0x6e, 0x74, 0x22, 0x00, 0x12, 0x3e, 0x0a, 0x1b, 0x43, 0x6f, + 0x75, 0x6e, 0x74, 0x50, 0x65, 0x6e, 0x64, 0x69, 0x6e, 0x67, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, + 0x69, 0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x32, 0x12, 0x12, 0x2e, 0x73, 0x61, 0x2e, 0x52, + 0x65, 
0x67, 0x69, 0x73, 0x74, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x49, 0x44, 0x1a, 0x09, 0x2e, + 0x73, 0x61, 0x2e, 0x43, 0x6f, 0x75, 0x6e, 0x74, 0x22, 0x00, 0x12, 0x37, 0x0a, 0x0d, 0x46, 0x51, + 0x44, 0x4e, 0x53, 0x65, 0x74, 0x45, 0x78, 0x69, 0x73, 0x74, 0x73, 0x12, 0x18, 0x2e, 0x73, 0x61, + 0x2e, 0x46, 0x51, 0x44, 0x4e, 0x53, 0x65, 0x74, 0x45, 0x78, 0x69, 0x73, 0x74, 0x73, 0x52, 0x65, + 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x0a, 0x2e, 0x73, 0x61, 0x2e, 0x45, 0x78, 0x69, 0x73, 0x74, + 0x73, 0x22, 0x00, 0x12, 0x48, 0x0a, 0x1a, 0x46, 0x51, 0x44, 0x4e, 0x53, 0x65, 0x74, 0x54, 0x69, + 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x73, 0x46, 0x6f, 0x72, 0x57, 0x69, 0x6e, 0x64, 0x6f, + 0x77, 0x12, 0x18, 0x2e, 0x73, 0x61, 0x2e, 0x43, 0x6f, 0x75, 0x6e, 0x74, 0x46, 0x51, 0x44, 0x4e, + 0x53, 0x65, 0x74, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x0e, 0x2e, 0x73, 0x61, + 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x73, 0x22, 0x00, 0x12, 0x40, 0x0a, + 0x11, 0x47, 0x65, 0x74, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x61, 0x74, 0x69, 0x6f, + 0x6e, 0x32, 0x12, 0x14, 0x2e, 0x73, 0x61, 0x2e, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, + 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x49, 0x44, 0x32, 0x1a, 0x13, 0x2e, 0x63, 0x6f, 0x72, 0x65, 0x2e, + 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x22, 0x00, 0x12, + 0x48, 0x0a, 0x12, 0x47, 0x65, 0x74, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x61, 0x74, + 0x69, 0x6f, 0x6e, 0x73, 0x32, 0x12, 0x1c, 0x2e, 0x73, 0x61, 0x2e, 0x47, 0x65, 0x74, 0x41, 0x75, + 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x52, 0x65, 0x71, 0x75, + 0x65, 0x73, 0x74, 0x1a, 0x12, 0x2e, 0x73, 0x61, 0x2e, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, + 0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x22, 0x00, 0x12, 0x31, 0x0a, 0x0e, 0x47, 0x65, 0x74, + 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x12, 0x0a, 0x2e, 0x73, 0x61, + 0x2e, 0x53, 0x65, 0x72, 0x69, 0x61, 0x6c, 
0x1a, 0x11, 0x2e, 0x63, 0x6f, 0x72, 0x65, 0x2e, 0x43, + 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x22, 0x00, 0x12, 0x38, 0x0a, 0x15, + 0x47, 0x65, 0x74, 0x4c, 0x69, 0x6e, 0x74, 0x50, 0x72, 0x65, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, + 0x69, 0x63, 0x61, 0x74, 0x65, 0x12, 0x0a, 0x2e, 0x73, 0x61, 0x2e, 0x53, 0x65, 0x72, 0x69, 0x61, + 0x6c, 0x1a, 0x11, 0x2e, 0x63, 0x6f, 0x72, 0x65, 0x2e, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, + 0x63, 0x61, 0x74, 0x65, 0x22, 0x00, 0x12, 0x3d, 0x0a, 0x14, 0x47, 0x65, 0x74, 0x43, 0x65, 0x72, + 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x12, 0x0a, + 0x2e, 0x73, 0x61, 0x2e, 0x53, 0x65, 0x72, 0x69, 0x61, 0x6c, 0x1a, 0x17, 0x2e, 0x63, 0x6f, 0x72, + 0x65, 0x2e, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x53, 0x74, 0x61, + 0x74, 0x75, 0x73, 0x22, 0x00, 0x12, 0x48, 0x0a, 0x10, 0x47, 0x65, 0x74, 0x4d, 0x61, 0x78, 0x45, + 0x78, 0x70, 0x69, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x16, 0x2e, 0x67, 0x6f, 0x6f, 0x67, + 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x45, 0x6d, 0x70, 0x74, + 0x79, 0x1a, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, + 0x62, 0x75, 0x66, 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x22, 0x00, 0x12, + 0x2b, 0x0a, 0x08, 0x47, 0x65, 0x74, 0x4f, 0x72, 0x64, 0x65, 0x72, 0x12, 0x10, 0x2e, 0x73, 0x61, + 0x2e, 0x4f, 0x72, 0x64, 0x65, 0x72, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x0b, 0x2e, + 0x63, 0x6f, 0x72, 0x65, 0x2e, 0x4f, 0x72, 0x64, 0x65, 0x72, 0x22, 0x00, 0x12, 0x3e, 0x0a, 0x10, + 0x47, 0x65, 0x74, 0x4f, 0x72, 0x64, 0x65, 0x72, 0x46, 0x6f, 0x72, 0x4e, 0x61, 0x6d, 0x65, 0x73, + 0x12, 0x1b, 0x2e, 0x73, 0x61, 0x2e, 0x47, 0x65, 0x74, 0x4f, 0x72, 0x64, 0x65, 0x72, 0x46, 0x6f, + 0x72, 0x4e, 0x61, 0x6d, 0x65, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x0b, 0x2e, + 0x63, 0x6f, 0x72, 0x65, 0x2e, 0x4f, 0x72, 0x64, 0x65, 0x72, 0x22, 0x00, 0x12, 
0x3b, 0x0a, 0x0f, + 0x47, 0x65, 0x74, 0x52, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, + 0x12, 0x2e, 0x73, 0x61, 0x2e, 0x52, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x61, 0x74, 0x69, 0x6f, + 0x6e, 0x49, 0x44, 0x1a, 0x12, 0x2e, 0x63, 0x6f, 0x72, 0x65, 0x2e, 0x52, 0x65, 0x67, 0x69, 0x73, + 0x74, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x22, 0x00, 0x12, 0x3c, 0x0a, 0x14, 0x47, 0x65, 0x74, + 0x52, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x42, 0x79, 0x4b, 0x65, + 0x79, 0x12, 0x0e, 0x2e, 0x73, 0x61, 0x2e, 0x4a, 0x53, 0x4f, 0x4e, 0x57, 0x65, 0x62, 0x4b, 0x65, + 0x79, 0x1a, 0x12, 0x2e, 0x63, 0x6f, 0x72, 0x65, 0x2e, 0x52, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, + 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x22, 0x00, 0x12, 0x39, 0x0a, 0x13, 0x47, 0x65, 0x74, 0x52, 0x65, + 0x76, 0x6f, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x12, 0x0a, + 0x2e, 0x73, 0x61, 0x2e, 0x53, 0x65, 0x72, 0x69, 0x61, 0x6c, 0x1a, 0x14, 0x2e, 0x73, 0x61, 0x2e, + 0x52, 0x65, 0x76, 0x6f, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, + 0x22, 0x00, 0x12, 0x41, 0x0a, 0x0f, 0x47, 0x65, 0x74, 0x52, 0x65, 0x76, 0x6f, 0x6b, 0x65, 0x64, + 0x43, 0x65, 0x72, 0x74, 0x73, 0x12, 0x1a, 0x2e, 0x73, 0x61, 0x2e, 0x47, 0x65, 0x74, 0x52, 0x65, + 0x76, 0x6f, 0x6b, 0x65, 0x64, 0x43, 0x65, 0x72, 0x74, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, + 0x74, 0x1a, 0x0e, 0x2e, 0x63, 0x6f, 0x72, 0x65, 0x2e, 0x43, 0x52, 0x4c, 0x45, 0x6e, 0x74, 0x72, + 0x79, 0x22, 0x00, 0x30, 0x01, 0x12, 0x35, 0x0a, 0x11, 0x47, 0x65, 0x74, 0x53, 0x65, 0x72, 0x69, + 0x61, 0x6c, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x12, 0x0a, 0x2e, 0x73, 0x61, 0x2e, + 0x53, 0x65, 0x72, 0x69, 0x61, 0x6c, 0x1a, 0x12, 0x2e, 0x73, 0x61, 0x2e, 0x53, 0x65, 0x72, 0x69, + 0x61, 0x6c, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x22, 0x00, 0x12, 0x39, 0x0a, 0x13, + 0x47, 0x65, 0x74, 0x53, 0x65, 0x72, 0x69, 0x61, 0x6c, 0x73, 0x42, 0x79, 0x41, 0x63, 0x63, 0x6f, + 0x75, 0x6e, 0x74, 
0x12, 0x12, 0x2e, 0x73, 0x61, 0x2e, 0x52, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, + 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x49, 0x44, 0x1a, 0x0a, 0x2e, 0x73, 0x61, 0x2e, 0x53, 0x65, 0x72, + 0x69, 0x61, 0x6c, 0x22, 0x00, 0x30, 0x01, 0x12, 0x2f, 0x0a, 0x0f, 0x47, 0x65, 0x74, 0x53, 0x65, + 0x72, 0x69, 0x61, 0x6c, 0x73, 0x42, 0x79, 0x4b, 0x65, 0x79, 0x12, 0x0c, 0x2e, 0x73, 0x61, 0x2e, + 0x53, 0x50, 0x4b, 0x49, 0x48, 0x61, 0x73, 0x68, 0x1a, 0x0a, 0x2e, 0x73, 0x61, 0x2e, 0x53, 0x65, + 0x72, 0x69, 0x61, 0x6c, 0x22, 0x00, 0x30, 0x01, 0x12, 0x52, 0x0a, 0x17, 0x47, 0x65, 0x74, 0x56, + 0x61, 0x6c, 0x69, 0x64, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x61, 0x74, 0x69, 0x6f, + 0x6e, 0x73, 0x32, 0x12, 0x21, 0x2e, 0x73, 0x61, 0x2e, 0x47, 0x65, 0x74, 0x56, 0x61, 0x6c, 0x69, + 0x64, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x52, + 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x12, 0x2e, 0x73, 0x61, 0x2e, 0x41, 0x75, 0x74, 0x68, + 0x6f, 0x72, 0x69, 0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x22, 0x00, 0x12, 0x5c, 0x0a, 0x1c, + 0x47, 0x65, 0x74, 0x56, 0x61, 0x6c, 0x69, 0x64, 0x4f, 0x72, 0x64, 0x65, 0x72, 0x41, 0x75, 0x74, + 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x32, 0x12, 0x26, 0x2e, 0x73, + 0x61, 0x2e, 0x47, 0x65, 0x74, 0x56, 0x61, 0x6c, 0x69, 0x64, 0x4f, 0x72, 0x64, 0x65, 0x72, 0x41, + 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x52, 0x65, 0x71, + 0x75, 0x65, 0x73, 0x74, 0x1a, 0x12, 0x2e, 0x73, 0x61, 0x2e, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, + 0x69, 0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x22, 0x00, 0x12, 0x31, 0x0a, 0x12, 0x49, 0x6e, + 0x63, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x73, 0x46, 0x6f, 0x72, 0x53, 0x65, 0x72, 0x69, 0x61, 0x6c, + 0x12, 0x0a, 0x2e, 0x73, 0x61, 0x2e, 0x53, 0x65, 0x72, 0x69, 0x61, 0x6c, 0x1a, 0x0d, 0x2e, 0x73, + 0x61, 0x2e, 0x49, 0x6e, 0x63, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x73, 0x22, 0x00, 0x12, 0x28, 0x0a, + 0x0a, 0x4b, 0x65, 0x79, 0x42, 0x6c, 0x6f, 0x63, 0x6b, 
0x65, 0x64, 0x12, 0x0c, 0x2e, 0x73, 0x61, + 0x2e, 0x53, 0x50, 0x4b, 0x49, 0x48, 0x61, 0x73, 0x68, 0x1a, 0x0a, 0x2e, 0x73, 0x61, 0x2e, 0x45, + 0x78, 0x69, 0x73, 0x74, 0x73, 0x22, 0x00, 0x12, 0x32, 0x0a, 0x16, 0x52, 0x65, 0x70, 0x6c, 0x61, + 0x63, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x4f, 0x72, 0x64, 0x65, 0x72, 0x45, 0x78, 0x69, 0x73, 0x74, + 0x73, 0x12, 0x0a, 0x2e, 0x73, 0x61, 0x2e, 0x53, 0x65, 0x72, 0x69, 0x61, 0x6c, 0x1a, 0x0a, 0x2e, + 0x73, 0x61, 0x2e, 0x45, 0x78, 0x69, 0x73, 0x74, 0x73, 0x22, 0x00, 0x12, 0x4b, 0x0a, 0x12, 0x53, + 0x65, 0x72, 0x69, 0x61, 0x6c, 0x73, 0x46, 0x6f, 0x72, 0x49, 0x6e, 0x63, 0x69, 0x64, 0x65, 0x6e, + 0x74, 0x12, 0x1d, 0x2e, 0x73, 0x61, 0x2e, 0x53, 0x65, 0x72, 0x69, 0x61, 0x6c, 0x73, 0x46, 0x6f, + 0x72, 0x49, 0x6e, 0x63, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, + 0x1a, 0x12, 0x2e, 0x73, 0x61, 0x2e, 0x49, 0x6e, 0x63, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x53, 0x65, + 0x72, 0x69, 0x61, 0x6c, 0x22, 0x00, 0x30, 0x01, 0x12, 0x3d, 0x0a, 0x16, 0x43, 0x68, 0x65, 0x63, + 0x6b, 0x49, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x66, 0x69, 0x65, 0x72, 0x73, 0x50, 0x61, 0x75, 0x73, + 0x65, 0x64, 0x12, 0x10, 0x2e, 0x73, 0x61, 0x2e, 0x50, 0x61, 0x75, 0x73, 0x65, 0x52, 0x65, 0x71, + 0x75, 0x65, 0x73, 0x74, 0x1a, 0x0f, 0x2e, 0x73, 0x61, 0x2e, 0x49, 0x64, 0x65, 0x6e, 0x74, 0x69, + 0x66, 0x69, 0x65, 0x72, 0x73, 0x22, 0x00, 0x12, 0x3d, 0x0a, 0x14, 0x47, 0x65, 0x74, 0x50, 0x61, + 0x75, 0x73, 0x65, 0x64, 0x49, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x66, 0x69, 0x65, 0x72, 0x73, 0x12, + 0x12, 0x2e, 0x73, 0x61, 0x2e, 0x52, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x61, 0x74, 0x69, 0x6f, + 0x6e, 0x49, 0x44, 0x1a, 0x0f, 0x2e, 0x73, 0x61, 0x2e, 0x49, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x66, + 0x69, 0x65, 0x72, 0x73, 0x22, 0x00, 0x32, 0xec, 0x1a, 0x0a, 0x10, 0x53, 0x74, 0x6f, 0x72, 0x61, + 0x67, 0x65, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x12, 0x53, 0x0a, 0x18, 0x43, + 0x6f, 0x75, 0x6e, 0x74, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 
0x73, + 0x42, 0x79, 0x4e, 0x61, 0x6d, 0x65, 0x73, 0x12, 0x23, 0x2e, 0x73, 0x61, 0x2e, 0x43, 0x6f, 0x75, + 0x6e, 0x74, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x73, 0x42, 0x79, + 0x4e, 0x61, 0x6d, 0x65, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x10, 0x2e, 0x73, + 0x61, 0x2e, 0x43, 0x6f, 0x75, 0x6e, 0x74, 0x42, 0x79, 0x4e, 0x61, 0x6d, 0x65, 0x73, 0x22, 0x00, + 0x12, 0x51, 0x0a, 0x1b, 0x43, 0x6f, 0x75, 0x6e, 0x74, 0x49, 0x6e, 0x76, 0x61, 0x6c, 0x69, 0x64, + 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x32, 0x12, + 0x25, 0x2e, 0x73, 0x61, 0x2e, 0x43, 0x6f, 0x75, 0x6e, 0x74, 0x49, 0x6e, 0x76, 0x61, 0x6c, 0x69, + 0x64, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x09, 0x2e, 0x73, 0x61, 0x2e, 0x43, 0x6f, 0x75, 0x6e, - 0x74, 0x22, 0x00, 0x12, 0x3e, 0x0a, 0x1b, 0x43, 0x6f, 0x75, 0x6e, 0x74, 0x50, 0x65, 0x6e, 0x64, - 0x69, 0x6e, 0x67, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, - 0x73, 0x32, 0x12, 0x12, 0x2e, 0x73, 0x61, 0x2e, 0x52, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x61, - 0x74, 0x69, 0x6f, 0x6e, 0x49, 0x44, 0x1a, 0x09, 0x2e, 0x73, 0x61, 0x2e, 0x43, 0x6f, 0x75, 0x6e, - 0x74, 0x22, 0x00, 0x12, 0x37, 0x0a, 0x0d, 0x46, 0x51, 0x44, 0x4e, 0x53, 0x65, 0x74, 0x45, 0x78, - 0x69, 0x73, 0x74, 0x73, 0x12, 0x18, 0x2e, 0x73, 0x61, 0x2e, 0x46, 0x51, 0x44, 0x4e, 0x53, 0x65, - 0x74, 0x45, 0x78, 0x69, 0x73, 0x74, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x0a, - 0x2e, 0x73, 0x61, 0x2e, 0x45, 0x78, 0x69, 0x73, 0x74, 0x73, 0x22, 0x00, 0x12, 0x48, 0x0a, 0x1a, - 0x46, 0x51, 0x44, 0x4e, 0x53, 0x65, 0x74, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, - 0x73, 0x46, 0x6f, 0x72, 0x57, 0x69, 0x6e, 0x64, 0x6f, 0x77, 0x12, 0x18, 0x2e, 0x73, 0x61, 0x2e, - 0x43, 0x6f, 0x75, 0x6e, 0x74, 0x46, 0x51, 0x44, 0x4e, 0x53, 0x65, 0x74, 0x73, 0x52, 0x65, 0x71, - 0x75, 0x65, 0x73, 0x74, 0x1a, 
0x0e, 0x2e, 0x73, 0x61, 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, - 0x61, 0x6d, 0x70, 0x73, 0x22, 0x00, 0x12, 0x40, 0x0a, 0x11, 0x47, 0x65, 0x74, 0x41, 0x75, 0x74, - 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x32, 0x12, 0x14, 0x2e, 0x73, 0x61, - 0x2e, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x49, 0x44, - 0x32, 0x1a, 0x13, 0x2e, 0x63, 0x6f, 0x72, 0x65, 0x2e, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, - 0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x22, 0x00, 0x12, 0x48, 0x0a, 0x12, 0x47, 0x65, 0x74, 0x41, - 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x32, 0x12, 0x1c, - 0x2e, 0x73, 0x61, 0x2e, 0x47, 0x65, 0x74, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x61, - 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x12, 0x2e, 0x73, - 0x61, 0x2e, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x73, - 0x22, 0x00, 0x12, 0x31, 0x0a, 0x0e, 0x47, 0x65, 0x74, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, - 0x63, 0x61, 0x74, 0x65, 0x12, 0x0a, 0x2e, 0x73, 0x61, 0x2e, 0x53, 0x65, 0x72, 0x69, 0x61, 0x6c, - 0x1a, 0x11, 0x2e, 0x63, 0x6f, 0x72, 0x65, 0x2e, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, - 0x61, 0x74, 0x65, 0x22, 0x00, 0x12, 0x38, 0x0a, 0x15, 0x47, 0x65, 0x74, 0x4c, 0x69, 0x6e, 0x74, - 0x50, 0x72, 0x65, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x12, 0x0a, - 0x2e, 0x73, 0x61, 0x2e, 0x53, 0x65, 0x72, 0x69, 0x61, 0x6c, 0x1a, 0x11, 0x2e, 0x63, 0x6f, 0x72, - 0x65, 0x2e, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x22, 0x00, 0x12, - 0x3d, 0x0a, 0x14, 0x47, 0x65, 0x74, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, - 0x65, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x12, 0x0a, 0x2e, 0x73, 0x61, 0x2e, 0x53, 0x65, 0x72, - 0x69, 0x61, 0x6c, 0x1a, 0x17, 0x2e, 0x63, 0x6f, 0x72, 0x65, 0x2e, 0x43, 0x65, 0x72, 0x74, 0x69, - 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x53, 0x74, 0x61, 0x74, 0x75, 
0x73, 0x22, 0x00, 0x12, 0x48, - 0x0a, 0x10, 0x47, 0x65, 0x74, 0x4d, 0x61, 0x78, 0x45, 0x78, 0x70, 0x69, 0x72, 0x61, 0x74, 0x69, - 0x6f, 0x6e, 0x12, 0x16, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, - 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x1a, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, - 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54, 0x69, 0x6d, - 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x22, 0x00, 0x12, 0x2b, 0x0a, 0x08, 0x47, 0x65, 0x74, 0x4f, - 0x72, 0x64, 0x65, 0x72, 0x12, 0x10, 0x2e, 0x73, 0x61, 0x2e, 0x4f, 0x72, 0x64, 0x65, 0x72, 0x52, - 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x0b, 0x2e, 0x63, 0x6f, 0x72, 0x65, 0x2e, 0x4f, 0x72, - 0x64, 0x65, 0x72, 0x22, 0x00, 0x12, 0x3e, 0x0a, 0x10, 0x47, 0x65, 0x74, 0x4f, 0x72, 0x64, 0x65, - 0x72, 0x46, 0x6f, 0x72, 0x4e, 0x61, 0x6d, 0x65, 0x73, 0x12, 0x1b, 0x2e, 0x73, 0x61, 0x2e, 0x47, - 0x65, 0x74, 0x4f, 0x72, 0x64, 0x65, 0x72, 0x46, 0x6f, 0x72, 0x4e, 0x61, 0x6d, 0x65, 0x73, 0x52, - 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x0b, 0x2e, 0x63, 0x6f, 0x72, 0x65, 0x2e, 0x4f, 0x72, - 0x64, 0x65, 0x72, 0x22, 0x00, 0x12, 0x3b, 0x0a, 0x0f, 0x47, 0x65, 0x74, 0x52, 0x65, 0x67, 0x69, - 0x73, 0x74, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x12, 0x2e, 0x73, 0x61, 0x2e, 0x52, 0x65, - 0x67, 0x69, 0x73, 0x74, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x49, 0x44, 0x1a, 0x12, 0x2e, 0x63, - 0x6f, 0x72, 0x65, 0x2e, 0x52, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, - 0x22, 0x00, 0x12, 0x3c, 0x0a, 0x14, 0x47, 0x65, 0x74, 0x52, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, - 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x42, 0x79, 0x4b, 0x65, 0x79, 0x12, 0x0e, 0x2e, 0x73, 0x61, 0x2e, - 0x4a, 0x53, 0x4f, 0x4e, 0x57, 0x65, 0x62, 0x4b, 0x65, 0x79, 0x1a, 0x12, 0x2e, 0x63, 0x6f, 0x72, - 0x65, 0x2e, 0x52, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x22, 0x00, - 0x12, 0x39, 0x0a, 0x13, 0x47, 0x65, 0x74, 0x52, 0x65, 0x76, 0x6f, 0x63, 0x61, 0x74, 0x69, 0x6f, - 0x6e, 
0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x12, 0x0a, 0x2e, 0x73, 0x61, 0x2e, 0x53, 0x65, 0x72, - 0x69, 0x61, 0x6c, 0x1a, 0x14, 0x2e, 0x73, 0x61, 0x2e, 0x52, 0x65, 0x76, 0x6f, 0x63, 0x61, 0x74, - 0x69, 0x6f, 0x6e, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x22, 0x00, 0x12, 0x41, 0x0a, 0x0f, 0x47, - 0x65, 0x74, 0x52, 0x65, 0x76, 0x6f, 0x6b, 0x65, 0x64, 0x43, 0x65, 0x72, 0x74, 0x73, 0x12, 0x1a, - 0x2e, 0x73, 0x61, 0x2e, 0x47, 0x65, 0x74, 0x52, 0x65, 0x76, 0x6f, 0x6b, 0x65, 0x64, 0x43, 0x65, - 0x72, 0x74, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x0e, 0x2e, 0x63, 0x6f, 0x72, - 0x65, 0x2e, 0x43, 0x52, 0x4c, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x22, 0x00, 0x30, 0x01, 0x12, 0x35, - 0x0a, 0x11, 0x47, 0x65, 0x74, 0x53, 0x65, 0x72, 0x69, 0x61, 0x6c, 0x4d, 0x65, 0x74, 0x61, 0x64, - 0x61, 0x74, 0x61, 0x12, 0x0a, 0x2e, 0x73, 0x61, 0x2e, 0x53, 0x65, 0x72, 0x69, 0x61, 0x6c, 0x1a, - 0x12, 0x2e, 0x73, 0x61, 0x2e, 0x53, 0x65, 0x72, 0x69, 0x61, 0x6c, 0x4d, 0x65, 0x74, 0x61, 0x64, - 0x61, 0x74, 0x61, 0x22, 0x00, 0x12, 0x39, 0x0a, 0x13, 0x47, 0x65, 0x74, 0x53, 0x65, 0x72, 0x69, - 0x61, 0x6c, 0x73, 0x42, 0x79, 0x41, 0x63, 0x63, 0x6f, 0x75, 0x6e, 0x74, 0x12, 0x12, 0x2e, 0x73, + 0x74, 0x22, 0x00, 0x12, 0x32, 0x0a, 0x0b, 0x43, 0x6f, 0x75, 0x6e, 0x74, 0x4f, 0x72, 0x64, 0x65, + 0x72, 0x73, 0x12, 0x16, 0x2e, 0x73, 0x61, 0x2e, 0x43, 0x6f, 0x75, 0x6e, 0x74, 0x4f, 0x72, 0x64, + 0x65, 0x72, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x09, 0x2e, 0x73, 0x61, 0x2e, + 0x43, 0x6f, 0x75, 0x6e, 0x74, 0x22, 0x00, 0x12, 0x3e, 0x0a, 0x1b, 0x43, 0x6f, 0x75, 0x6e, 0x74, + 0x50, 0x65, 0x6e, 0x64, 0x69, 0x6e, 0x67, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x61, + 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x32, 0x12, 0x12, 0x2e, 0x73, 0x61, 0x2e, 0x52, 0x65, 0x67, 0x69, + 0x73, 0x74, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x49, 0x44, 0x1a, 0x09, 0x2e, 0x73, 0x61, 0x2e, + 0x43, 0x6f, 0x75, 0x6e, 0x74, 0x22, 0x00, 0x12, 0x37, 0x0a, 0x0d, 0x46, 0x51, 0x44, 0x4e, 0x53, + 0x65, 0x74, 0x45, 0x78, 0x69, 0x73, 0x74, 
0x73, 0x12, 0x18, 0x2e, 0x73, 0x61, 0x2e, 0x46, 0x51, + 0x44, 0x4e, 0x53, 0x65, 0x74, 0x45, 0x78, 0x69, 0x73, 0x74, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, + 0x73, 0x74, 0x1a, 0x0a, 0x2e, 0x73, 0x61, 0x2e, 0x45, 0x78, 0x69, 0x73, 0x74, 0x73, 0x22, 0x00, + 0x12, 0x48, 0x0a, 0x1a, 0x46, 0x51, 0x44, 0x4e, 0x53, 0x65, 0x74, 0x54, 0x69, 0x6d, 0x65, 0x73, + 0x74, 0x61, 0x6d, 0x70, 0x73, 0x46, 0x6f, 0x72, 0x57, 0x69, 0x6e, 0x64, 0x6f, 0x77, 0x12, 0x18, + 0x2e, 0x73, 0x61, 0x2e, 0x43, 0x6f, 0x75, 0x6e, 0x74, 0x46, 0x51, 0x44, 0x4e, 0x53, 0x65, 0x74, + 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x0e, 0x2e, 0x73, 0x61, 0x2e, 0x54, 0x69, + 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x73, 0x22, 0x00, 0x12, 0x40, 0x0a, 0x11, 0x47, 0x65, + 0x74, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x32, 0x12, + 0x14, 0x2e, 0x73, 0x61, 0x2e, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x61, 0x74, 0x69, + 0x6f, 0x6e, 0x49, 0x44, 0x32, 0x1a, 0x13, 0x2e, 0x63, 0x6f, 0x72, 0x65, 0x2e, 0x41, 0x75, 0x74, + 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x22, 0x00, 0x12, 0x48, 0x0a, 0x12, + 0x47, 0x65, 0x74, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, + 0x73, 0x32, 0x12, 0x1c, 0x2e, 0x73, 0x61, 0x2e, 0x47, 0x65, 0x74, 0x41, 0x75, 0x74, 0x68, 0x6f, + 0x72, 0x69, 0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, + 0x1a, 0x12, 0x2e, 0x73, 0x61, 0x2e, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x61, 0x74, + 0x69, 0x6f, 0x6e, 0x73, 0x22, 0x00, 0x12, 0x31, 0x0a, 0x0e, 0x47, 0x65, 0x74, 0x43, 0x65, 0x72, + 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x12, 0x0a, 0x2e, 0x73, 0x61, 0x2e, 0x53, 0x65, + 0x72, 0x69, 0x61, 0x6c, 0x1a, 0x11, 0x2e, 0x63, 0x6f, 0x72, 0x65, 0x2e, 0x43, 0x65, 0x72, 0x74, + 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x22, 0x00, 0x12, 0x38, 0x0a, 0x15, 0x47, 0x65, 0x74, + 0x4c, 0x69, 0x6e, 0x74, 0x50, 0x72, 0x65, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 
0x69, 0x63, 0x61, + 0x74, 0x65, 0x12, 0x0a, 0x2e, 0x73, 0x61, 0x2e, 0x53, 0x65, 0x72, 0x69, 0x61, 0x6c, 0x1a, 0x11, + 0x2e, 0x63, 0x6f, 0x72, 0x65, 0x2e, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, + 0x65, 0x22, 0x00, 0x12, 0x3d, 0x0a, 0x14, 0x47, 0x65, 0x74, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, + 0x69, 0x63, 0x61, 0x74, 0x65, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x12, 0x0a, 0x2e, 0x73, 0x61, + 0x2e, 0x53, 0x65, 0x72, 0x69, 0x61, 0x6c, 0x1a, 0x17, 0x2e, 0x63, 0x6f, 0x72, 0x65, 0x2e, 0x43, + 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, + 0x22, 0x00, 0x12, 0x48, 0x0a, 0x10, 0x47, 0x65, 0x74, 0x4d, 0x61, 0x78, 0x45, 0x78, 0x70, 0x69, + 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x16, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, + 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x1a, 0x1a, + 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, + 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x22, 0x00, 0x12, 0x2b, 0x0a, 0x08, + 0x47, 0x65, 0x74, 0x4f, 0x72, 0x64, 0x65, 0x72, 0x12, 0x10, 0x2e, 0x73, 0x61, 0x2e, 0x4f, 0x72, + 0x64, 0x65, 0x72, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x0b, 0x2e, 0x63, 0x6f, 0x72, + 0x65, 0x2e, 0x4f, 0x72, 0x64, 0x65, 0x72, 0x22, 0x00, 0x12, 0x3e, 0x0a, 0x10, 0x47, 0x65, 0x74, + 0x4f, 0x72, 0x64, 0x65, 0x72, 0x46, 0x6f, 0x72, 0x4e, 0x61, 0x6d, 0x65, 0x73, 0x12, 0x1b, 0x2e, + 0x73, 0x61, 0x2e, 0x47, 0x65, 0x74, 0x4f, 0x72, 0x64, 0x65, 0x72, 0x46, 0x6f, 0x72, 0x4e, 0x61, + 0x6d, 0x65, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x0b, 0x2e, 0x63, 0x6f, 0x72, + 0x65, 0x2e, 0x4f, 0x72, 0x64, 0x65, 0x72, 0x22, 0x00, 0x12, 0x3b, 0x0a, 0x0f, 0x47, 0x65, 0x74, + 0x52, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x12, 0x2e, 0x73, 0x61, 0x2e, 0x52, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x49, 0x44, - 0x1a, 0x0a, 0x2e, 
0x73, 0x61, 0x2e, 0x53, 0x65, 0x72, 0x69, 0x61, 0x6c, 0x22, 0x00, 0x30, 0x01, - 0x12, 0x2f, 0x0a, 0x0f, 0x47, 0x65, 0x74, 0x53, 0x65, 0x72, 0x69, 0x61, 0x6c, 0x73, 0x42, 0x79, - 0x4b, 0x65, 0x79, 0x12, 0x0c, 0x2e, 0x73, 0x61, 0x2e, 0x53, 0x50, 0x4b, 0x49, 0x48, 0x61, 0x73, - 0x68, 0x1a, 0x0a, 0x2e, 0x73, 0x61, 0x2e, 0x53, 0x65, 0x72, 0x69, 0x61, 0x6c, 0x22, 0x00, 0x30, - 0x01, 0x12, 0x52, 0x0a, 0x17, 0x47, 0x65, 0x74, 0x56, 0x61, 0x6c, 0x69, 0x64, 0x41, 0x75, 0x74, - 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x32, 0x12, 0x21, 0x2e, 0x73, - 0x61, 0x2e, 0x47, 0x65, 0x74, 0x56, 0x61, 0x6c, 0x69, 0x64, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, - 0x69, 0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, - 0x12, 0x2e, 0x73, 0x61, 0x2e, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x61, 0x74, 0x69, - 0x6f, 0x6e, 0x73, 0x22, 0x00, 0x12, 0x5c, 0x0a, 0x1c, 0x47, 0x65, 0x74, 0x56, 0x61, 0x6c, 0x69, - 0x64, 0x4f, 0x72, 0x64, 0x65, 0x72, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x61, 0x74, - 0x69, 0x6f, 0x6e, 0x73, 0x32, 0x12, 0x26, 0x2e, 0x73, 0x61, 0x2e, 0x47, 0x65, 0x74, 0x56, 0x61, - 0x6c, 0x69, 0x64, 0x4f, 0x72, 0x64, 0x65, 0x72, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, - 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x12, 0x2e, - 0x73, 0x61, 0x2e, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, - 0x73, 0x22, 0x00, 0x12, 0x31, 0x0a, 0x12, 0x49, 0x6e, 0x63, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x73, - 0x46, 0x6f, 0x72, 0x53, 0x65, 0x72, 0x69, 0x61, 0x6c, 0x12, 0x0a, 0x2e, 0x73, 0x61, 0x2e, 0x53, - 0x65, 0x72, 0x69, 0x61, 0x6c, 0x1a, 0x0d, 0x2e, 0x73, 0x61, 0x2e, 0x49, 0x6e, 0x63, 0x69, 0x64, - 0x65, 0x6e, 0x74, 0x73, 0x22, 0x00, 0x12, 0x28, 0x0a, 0x0a, 0x4b, 0x65, 0x79, 0x42, 0x6c, 0x6f, - 0x63, 0x6b, 0x65, 0x64, 0x12, 0x0c, 0x2e, 0x73, 0x61, 0x2e, 0x53, 0x50, 0x4b, 0x49, 0x48, 0x61, - 0x73, 0x68, 0x1a, 0x0a, 0x2e, 0x73, 0x61, 0x2e, 0x45, 
0x78, 0x69, 0x73, 0x74, 0x73, 0x22, 0x00, - 0x12, 0x32, 0x0a, 0x16, 0x52, 0x65, 0x70, 0x6c, 0x61, 0x63, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x4f, - 0x72, 0x64, 0x65, 0x72, 0x45, 0x78, 0x69, 0x73, 0x74, 0x73, 0x12, 0x0a, 0x2e, 0x73, 0x61, 0x2e, - 0x53, 0x65, 0x72, 0x69, 0x61, 0x6c, 0x1a, 0x0a, 0x2e, 0x73, 0x61, 0x2e, 0x45, 0x78, 0x69, 0x73, - 0x74, 0x73, 0x22, 0x00, 0x12, 0x4b, 0x0a, 0x12, 0x53, 0x65, 0x72, 0x69, 0x61, 0x6c, 0x73, 0x46, - 0x6f, 0x72, 0x49, 0x6e, 0x63, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x12, 0x1d, 0x2e, 0x73, 0x61, 0x2e, - 0x53, 0x65, 0x72, 0x69, 0x61, 0x6c, 0x73, 0x46, 0x6f, 0x72, 0x49, 0x6e, 0x63, 0x69, 0x64, 0x65, - 0x6e, 0x74, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x12, 0x2e, 0x73, 0x61, 0x2e, 0x49, - 0x6e, 0x63, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x53, 0x65, 0x72, 0x69, 0x61, 0x6c, 0x22, 0x00, 0x30, - 0x01, 0x12, 0x3d, 0x0a, 0x16, 0x43, 0x68, 0x65, 0x63, 0x6b, 0x49, 0x64, 0x65, 0x6e, 0x74, 0x69, - 0x66, 0x69, 0x65, 0x72, 0x73, 0x50, 0x61, 0x75, 0x73, 0x65, 0x64, 0x12, 0x10, 0x2e, 0x73, 0x61, - 0x2e, 0x50, 0x61, 0x75, 0x73, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x0f, 0x2e, - 0x73, 0x61, 0x2e, 0x49, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x66, 0x69, 0x65, 0x72, 0x73, 0x22, 0x00, - 0x12, 0x3d, 0x0a, 0x14, 0x47, 0x65, 0x74, 0x50, 0x61, 0x75, 0x73, 0x65, 0x64, 0x49, 0x64, 0x65, - 0x6e, 0x74, 0x69, 0x66, 0x69, 0x65, 0x72, 0x73, 0x12, 0x12, 0x2e, 0x73, 0x61, 0x2e, 0x52, 0x65, - 0x67, 0x69, 0x73, 0x74, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x49, 0x44, 0x1a, 0x0f, 0x2e, 0x73, - 0x61, 0x2e, 0x49, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x66, 0x69, 0x65, 0x72, 0x73, 0x22, 0x00, 0x32, - 0xec, 0x1a, 0x0a, 0x10, 0x53, 0x74, 0x6f, 0x72, 0x61, 0x67, 0x65, 0x41, 0x75, 0x74, 0x68, 0x6f, - 0x72, 0x69, 0x74, 0x79, 0x12, 0x53, 0x0a, 0x18, 0x43, 0x6f, 0x75, 0x6e, 0x74, 0x43, 0x65, 0x72, - 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x73, 0x42, 0x79, 0x4e, 0x61, 0x6d, 0x65, 0x73, - 0x12, 0x23, 0x2e, 0x73, 0x61, 0x2e, 0x43, 0x6f, 0x75, 0x6e, 0x74, 0x43, 0x65, 0x72, 0x74, 
0x69, - 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x73, 0x42, 0x79, 0x4e, 0x61, 0x6d, 0x65, 0x73, 0x52, 0x65, - 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x10, 0x2e, 0x73, 0x61, 0x2e, 0x43, 0x6f, 0x75, 0x6e, 0x74, - 0x42, 0x79, 0x4e, 0x61, 0x6d, 0x65, 0x73, 0x22, 0x00, 0x12, 0x51, 0x0a, 0x1b, 0x43, 0x6f, 0x75, - 0x6e, 0x74, 0x49, 0x6e, 0x76, 0x61, 0x6c, 0x69, 0x64, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, - 0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x32, 0x12, 0x25, 0x2e, 0x73, 0x61, 0x2e, 0x43, 0x6f, - 0x75, 0x6e, 0x74, 0x49, 0x6e, 0x76, 0x61, 0x6c, 0x69, 0x64, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, - 0x69, 0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, - 0x09, 0x2e, 0x73, 0x61, 0x2e, 0x43, 0x6f, 0x75, 0x6e, 0x74, 0x22, 0x00, 0x12, 0x32, 0x0a, 0x0b, - 0x43, 0x6f, 0x75, 0x6e, 0x74, 0x4f, 0x72, 0x64, 0x65, 0x72, 0x73, 0x12, 0x16, 0x2e, 0x73, 0x61, - 0x2e, 0x43, 0x6f, 0x75, 0x6e, 0x74, 0x4f, 0x72, 0x64, 0x65, 0x72, 0x73, 0x52, 0x65, 0x71, 0x75, - 0x65, 0x73, 0x74, 0x1a, 0x09, 0x2e, 0x73, 0x61, 0x2e, 0x43, 0x6f, 0x75, 0x6e, 0x74, 0x22, 0x00, - 0x12, 0x3e, 0x0a, 0x1b, 0x43, 0x6f, 0x75, 0x6e, 0x74, 0x50, 0x65, 0x6e, 0x64, 0x69, 0x6e, 0x67, - 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x32, 0x12, - 0x12, 0x2e, 0x73, 0x61, 0x2e, 0x52, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x61, 0x74, 0x69, 0x6f, - 0x6e, 0x49, 0x44, 0x1a, 0x09, 0x2e, 0x73, 0x61, 0x2e, 0x43, 0x6f, 0x75, 0x6e, 0x74, 0x22, 0x00, - 0x12, 0x37, 0x0a, 0x0d, 0x46, 0x51, 0x44, 0x4e, 0x53, 0x65, 0x74, 0x45, 0x78, 0x69, 0x73, 0x74, - 0x73, 0x12, 0x18, 0x2e, 0x73, 0x61, 0x2e, 0x46, 0x51, 0x44, 0x4e, 0x53, 0x65, 0x74, 0x45, 0x78, - 0x69, 0x73, 0x74, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x0a, 0x2e, 0x73, 0x61, - 0x2e, 0x45, 0x78, 0x69, 0x73, 0x74, 0x73, 0x22, 0x00, 0x12, 0x48, 0x0a, 0x1a, 0x46, 0x51, 0x44, - 0x4e, 0x53, 0x65, 0x74, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x73, 0x46, 0x6f, - 0x72, 0x57, 0x69, 0x6e, 0x64, 
0x6f, 0x77, 0x12, 0x18, 0x2e, 0x73, 0x61, 0x2e, 0x43, 0x6f, 0x75, - 0x6e, 0x74, 0x46, 0x51, 0x44, 0x4e, 0x53, 0x65, 0x74, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, - 0x74, 0x1a, 0x0e, 0x2e, 0x73, 0x61, 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, - 0x73, 0x22, 0x00, 0x12, 0x40, 0x0a, 0x11, 0x47, 0x65, 0x74, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, - 0x69, 0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x32, 0x12, 0x14, 0x2e, 0x73, 0x61, 0x2e, 0x41, 0x75, - 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x49, 0x44, 0x32, 0x1a, 0x13, - 0x2e, 0x63, 0x6f, 0x72, 0x65, 0x2e, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x61, 0x74, - 0x69, 0x6f, 0x6e, 0x22, 0x00, 0x12, 0x48, 0x0a, 0x12, 0x47, 0x65, 0x74, 0x41, 0x75, 0x74, 0x68, - 0x6f, 0x72, 0x69, 0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x32, 0x12, 0x1c, 0x2e, 0x73, 0x61, - 0x2e, 0x47, 0x65, 0x74, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x61, 0x74, 0x69, 0x6f, - 0x6e, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x12, 0x2e, 0x73, 0x61, 0x2e, 0x41, - 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x22, 0x00, 0x12, - 0x31, 0x0a, 0x0e, 0x47, 0x65, 0x74, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, - 0x65, 0x12, 0x0a, 0x2e, 0x73, 0x61, 0x2e, 0x53, 0x65, 0x72, 0x69, 0x61, 0x6c, 0x1a, 0x11, 0x2e, - 0x63, 0x6f, 0x72, 0x65, 0x2e, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, - 0x22, 0x00, 0x12, 0x38, 0x0a, 0x15, 0x47, 0x65, 0x74, 0x4c, 0x69, 0x6e, 0x74, 0x50, 0x72, 0x65, - 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x12, 0x0a, 0x2e, 0x73, 0x61, - 0x2e, 0x53, 0x65, 0x72, 0x69, 0x61, 0x6c, 0x1a, 0x11, 0x2e, 0x63, 0x6f, 0x72, 0x65, 0x2e, 0x43, - 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x22, 0x00, 0x12, 0x3d, 0x0a, 0x14, - 0x47, 0x65, 0x74, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x53, 0x74, - 0x61, 0x74, 0x75, 0x73, 0x12, 0x0a, 0x2e, 0x73, 0x61, 0x2e, 0x53, 
0x65, 0x72, 0x69, 0x61, 0x6c, - 0x1a, 0x17, 0x2e, 0x63, 0x6f, 0x72, 0x65, 0x2e, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, - 0x61, 0x74, 0x65, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x22, 0x00, 0x12, 0x48, 0x0a, 0x10, 0x47, - 0x65, 0x74, 0x4d, 0x61, 0x78, 0x45, 0x78, 0x70, 0x69, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, - 0x16, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, - 0x66, 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x1a, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, - 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, - 0x61, 0x6d, 0x70, 0x22, 0x00, 0x12, 0x2b, 0x0a, 0x08, 0x47, 0x65, 0x74, 0x4f, 0x72, 0x64, 0x65, - 0x72, 0x12, 0x10, 0x2e, 0x73, 0x61, 0x2e, 0x4f, 0x72, 0x64, 0x65, 0x72, 0x52, 0x65, 0x71, 0x75, - 0x65, 0x73, 0x74, 0x1a, 0x0b, 0x2e, 0x63, 0x6f, 0x72, 0x65, 0x2e, 0x4f, 0x72, 0x64, 0x65, 0x72, - 0x22, 0x00, 0x12, 0x3e, 0x0a, 0x10, 0x47, 0x65, 0x74, 0x4f, 0x72, 0x64, 0x65, 0x72, 0x46, 0x6f, - 0x72, 0x4e, 0x61, 0x6d, 0x65, 0x73, 0x12, 0x1b, 0x2e, 0x73, 0x61, 0x2e, 0x47, 0x65, 0x74, 0x4f, - 0x72, 0x64, 0x65, 0x72, 0x46, 0x6f, 0x72, 0x4e, 0x61, 0x6d, 0x65, 0x73, 0x52, 0x65, 0x71, 0x75, - 0x65, 0x73, 0x74, 0x1a, 0x0b, 0x2e, 0x63, 0x6f, 0x72, 0x65, 0x2e, 0x4f, 0x72, 0x64, 0x65, 0x72, - 0x22, 0x00, 0x12, 0x3b, 0x0a, 0x0f, 0x47, 0x65, 0x74, 0x52, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, - 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x12, 0x2e, 0x73, 0x61, 0x2e, 0x52, 0x65, 0x67, 0x69, 0x73, - 0x74, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x49, 0x44, 0x1a, 0x12, 0x2e, 0x63, 0x6f, 0x72, 0x65, - 0x2e, 0x52, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x22, 0x00, 0x12, - 0x3c, 0x0a, 0x14, 0x47, 0x65, 0x74, 0x52, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x61, 0x74, 0x69, - 0x6f, 0x6e, 0x42, 0x79, 0x4b, 0x65, 0x79, 0x12, 0x0e, 0x2e, 0x73, 0x61, 0x2e, 0x4a, 0x53, 0x4f, - 0x4e, 0x57, 0x65, 0x62, 0x4b, 0x65, 0x79, 0x1a, 0x12, 0x2e, 0x63, 0x6f, 0x72, 0x65, 0x2e, 0x52, - 0x65, 
0x67, 0x69, 0x73, 0x74, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x22, 0x00, 0x12, 0x39, 0x0a, - 0x13, 0x47, 0x65, 0x74, 0x52, 0x65, 0x76, 0x6f, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x74, - 0x61, 0x74, 0x75, 0x73, 0x12, 0x0a, 0x2e, 0x73, 0x61, 0x2e, 0x53, 0x65, 0x72, 0x69, 0x61, 0x6c, - 0x1a, 0x14, 0x2e, 0x73, 0x61, 0x2e, 0x52, 0x65, 0x76, 0x6f, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, - 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x22, 0x00, 0x12, 0x41, 0x0a, 0x0f, 0x47, 0x65, 0x74, 0x52, - 0x65, 0x76, 0x6f, 0x6b, 0x65, 0x64, 0x43, 0x65, 0x72, 0x74, 0x73, 0x12, 0x1a, 0x2e, 0x73, 0x61, - 0x2e, 0x47, 0x65, 0x74, 0x52, 0x65, 0x76, 0x6f, 0x6b, 0x65, 0x64, 0x43, 0x65, 0x72, 0x74, 0x73, - 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x0e, 0x2e, 0x63, 0x6f, 0x72, 0x65, 0x2e, 0x43, - 0x52, 0x4c, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x22, 0x00, 0x30, 0x01, 0x12, 0x35, 0x0a, 0x11, 0x47, - 0x65, 0x74, 0x53, 0x65, 0x72, 0x69, 0x61, 0x6c, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, - 0x12, 0x0a, 0x2e, 0x73, 0x61, 0x2e, 0x53, 0x65, 0x72, 0x69, 0x61, 0x6c, 0x1a, 0x12, 0x2e, 0x73, - 0x61, 0x2e, 0x53, 0x65, 0x72, 0x69, 0x61, 0x6c, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, - 0x22, 0x00, 0x12, 0x39, 0x0a, 0x13, 0x47, 0x65, 0x74, 0x53, 0x65, 0x72, 0x69, 0x61, 0x6c, 0x73, - 0x42, 0x79, 0x41, 0x63, 0x63, 0x6f, 0x75, 0x6e, 0x74, 0x12, 0x12, 0x2e, 0x73, 0x61, 0x2e, 0x52, - 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x49, 0x44, 0x1a, 0x0a, 0x2e, - 0x73, 0x61, 0x2e, 0x53, 0x65, 0x72, 0x69, 0x61, 0x6c, 0x22, 0x00, 0x30, 0x01, 0x12, 0x2f, 0x0a, - 0x0f, 0x47, 0x65, 0x74, 0x53, 0x65, 0x72, 0x69, 0x61, 0x6c, 0x73, 0x42, 0x79, 0x4b, 0x65, 0x79, - 0x12, 0x0c, 0x2e, 0x73, 0x61, 0x2e, 0x53, 0x50, 0x4b, 0x49, 0x48, 0x61, 0x73, 0x68, 0x1a, 0x0a, - 0x2e, 0x73, 0x61, 0x2e, 0x53, 0x65, 0x72, 0x69, 0x61, 0x6c, 0x22, 0x00, 0x30, 0x01, 0x12, 0x52, - 0x0a, 0x17, 0x47, 0x65, 0x74, 0x56, 0x61, 0x6c, 0x69, 0x64, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, - 0x69, 0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, 
0x73, 0x32, 0x12, 0x21, 0x2e, 0x73, 0x61, 0x2e, 0x47, - 0x65, 0x74, 0x56, 0x61, 0x6c, 0x69, 0x64, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x61, - 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x12, 0x2e, 0x73, - 0x61, 0x2e, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x73, - 0x22, 0x00, 0x12, 0x5c, 0x0a, 0x1c, 0x47, 0x65, 0x74, 0x56, 0x61, 0x6c, 0x69, 0x64, 0x4f, 0x72, - 0x64, 0x65, 0x72, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, - 0x73, 0x32, 0x12, 0x26, 0x2e, 0x73, 0x61, 0x2e, 0x47, 0x65, 0x74, 0x56, 0x61, 0x6c, 0x69, 0x64, - 0x4f, 0x72, 0x64, 0x65, 0x72, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x61, 0x74, 0x69, - 0x6f, 0x6e, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x12, 0x2e, 0x73, 0x61, 0x2e, - 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x22, 0x00, - 0x12, 0x31, 0x0a, 0x12, 0x49, 0x6e, 0x63, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x73, 0x46, 0x6f, 0x72, - 0x53, 0x65, 0x72, 0x69, 0x61, 0x6c, 0x12, 0x0a, 0x2e, 0x73, 0x61, 0x2e, 0x53, 0x65, 0x72, 0x69, - 0x61, 0x6c, 0x1a, 0x0d, 0x2e, 0x73, 0x61, 0x2e, 0x49, 0x6e, 0x63, 0x69, 0x64, 0x65, 0x6e, 0x74, - 0x73, 0x22, 0x00, 0x12, 0x28, 0x0a, 0x0a, 0x4b, 0x65, 0x79, 0x42, 0x6c, 0x6f, 0x63, 0x6b, 0x65, - 0x64, 0x12, 0x0c, 0x2e, 0x73, 0x61, 0x2e, 0x53, 0x50, 0x4b, 0x49, 0x48, 0x61, 0x73, 0x68, 0x1a, - 0x0a, 0x2e, 0x73, 0x61, 0x2e, 0x45, 0x78, 0x69, 0x73, 0x74, 0x73, 0x22, 0x00, 0x12, 0x32, 0x0a, - 0x16, 0x52, 0x65, 0x70, 0x6c, 0x61, 0x63, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x4f, 0x72, 0x64, 0x65, - 0x72, 0x45, 0x78, 0x69, 0x73, 0x74, 0x73, 0x12, 0x0a, 0x2e, 0x73, 0x61, 0x2e, 0x53, 0x65, 0x72, - 0x69, 0x61, 0x6c, 0x1a, 0x0a, 0x2e, 0x73, 0x61, 0x2e, 0x45, 0x78, 0x69, 0x73, 0x74, 0x73, 0x22, - 0x00, 0x12, 0x4b, 0x0a, 0x12, 0x53, 0x65, 0x72, 0x69, 0x61, 0x6c, 0x73, 0x46, 0x6f, 0x72, 0x49, - 0x6e, 0x63, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x12, 0x1d, 0x2e, 0x73, 0x61, 0x2e, 
0x53, 0x65, 0x72, - 0x69, 0x61, 0x6c, 0x73, 0x46, 0x6f, 0x72, 0x49, 0x6e, 0x63, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x52, - 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x12, 0x2e, 0x73, 0x61, 0x2e, 0x49, 0x6e, 0x63, 0x69, - 0x64, 0x65, 0x6e, 0x74, 0x53, 0x65, 0x72, 0x69, 0x61, 0x6c, 0x22, 0x00, 0x30, 0x01, 0x12, 0x3d, - 0x0a, 0x16, 0x43, 0x68, 0x65, 0x63, 0x6b, 0x49, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x66, 0x69, 0x65, - 0x72, 0x73, 0x50, 0x61, 0x75, 0x73, 0x65, 0x64, 0x12, 0x10, 0x2e, 0x73, 0x61, 0x2e, 0x50, 0x61, - 0x75, 0x73, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x0f, 0x2e, 0x73, 0x61, 0x2e, - 0x49, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x66, 0x69, 0x65, 0x72, 0x73, 0x22, 0x00, 0x12, 0x3d, 0x0a, - 0x14, 0x47, 0x65, 0x74, 0x50, 0x61, 0x75, 0x73, 0x65, 0x64, 0x49, 0x64, 0x65, 0x6e, 0x74, 0x69, - 0x66, 0x69, 0x65, 0x72, 0x73, 0x12, 0x12, 0x2e, 0x73, 0x61, 0x2e, 0x52, 0x65, 0x67, 0x69, 0x73, - 0x74, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x49, 0x44, 0x1a, 0x0f, 0x2e, 0x73, 0x61, 0x2e, 0x49, - 0x64, 0x65, 0x6e, 0x74, 0x69, 0x66, 0x69, 0x65, 0x72, 0x73, 0x22, 0x00, 0x12, 0x43, 0x0a, 0x0d, - 0x41, 0x64, 0x64, 0x42, 0x6c, 0x6f, 0x63, 0x6b, 0x65, 0x64, 0x4b, 0x65, 0x79, 0x12, 0x18, 0x2e, - 0x73, 0x61, 0x2e, 0x41, 0x64, 0x64, 0x42, 0x6c, 0x6f, 0x63, 0x6b, 0x65, 0x64, 0x4b, 0x65, 0x79, - 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x16, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, - 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x22, - 0x00, 0x12, 0x45, 0x0a, 0x0e, 0x41, 0x64, 0x64, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, - 0x61, 0x74, 0x65, 0x12, 0x19, 0x2e, 0x73, 0x61, 0x2e, 0x41, 0x64, 0x64, 0x43, 0x65, 0x72, 0x74, - 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x16, + 0x1a, 0x12, 0x2e, 0x63, 0x6f, 0x72, 0x65, 0x2e, 0x52, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x61, + 0x74, 0x69, 0x6f, 0x6e, 0x22, 0x00, 0x12, 0x3c, 0x0a, 0x14, 0x47, 0x65, 0x74, 0x52, 0x65, 0x67, + 0x69, 0x73, 0x74, 
0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x42, 0x79, 0x4b, 0x65, 0x79, 0x12, 0x0e, + 0x2e, 0x73, 0x61, 0x2e, 0x4a, 0x53, 0x4f, 0x4e, 0x57, 0x65, 0x62, 0x4b, 0x65, 0x79, 0x1a, 0x12, + 0x2e, 0x63, 0x6f, 0x72, 0x65, 0x2e, 0x52, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x61, 0x74, 0x69, + 0x6f, 0x6e, 0x22, 0x00, 0x12, 0x39, 0x0a, 0x13, 0x47, 0x65, 0x74, 0x52, 0x65, 0x76, 0x6f, 0x63, + 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x12, 0x0a, 0x2e, 0x73, 0x61, + 0x2e, 0x53, 0x65, 0x72, 0x69, 0x61, 0x6c, 0x1a, 0x14, 0x2e, 0x73, 0x61, 0x2e, 0x52, 0x65, 0x76, + 0x6f, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x22, 0x00, 0x12, + 0x41, 0x0a, 0x0f, 0x47, 0x65, 0x74, 0x52, 0x65, 0x76, 0x6f, 0x6b, 0x65, 0x64, 0x43, 0x65, 0x72, + 0x74, 0x73, 0x12, 0x1a, 0x2e, 0x73, 0x61, 0x2e, 0x47, 0x65, 0x74, 0x52, 0x65, 0x76, 0x6f, 0x6b, + 0x65, 0x64, 0x43, 0x65, 0x72, 0x74, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x0e, + 0x2e, 0x63, 0x6f, 0x72, 0x65, 0x2e, 0x43, 0x52, 0x4c, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x22, 0x00, + 0x30, 0x01, 0x12, 0x35, 0x0a, 0x11, 0x47, 0x65, 0x74, 0x53, 0x65, 0x72, 0x69, 0x61, 0x6c, 0x4d, + 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x12, 0x0a, 0x2e, 0x73, 0x61, 0x2e, 0x53, 0x65, 0x72, + 0x69, 0x61, 0x6c, 0x1a, 0x12, 0x2e, 0x73, 0x61, 0x2e, 0x53, 0x65, 0x72, 0x69, 0x61, 0x6c, 0x4d, + 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x22, 0x00, 0x12, 0x39, 0x0a, 0x13, 0x47, 0x65, 0x74, + 0x53, 0x65, 0x72, 0x69, 0x61, 0x6c, 0x73, 0x42, 0x79, 0x41, 0x63, 0x63, 0x6f, 0x75, 0x6e, 0x74, + 0x12, 0x12, 0x2e, 0x73, 0x61, 0x2e, 0x52, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x61, 0x74, 0x69, + 0x6f, 0x6e, 0x49, 0x44, 0x1a, 0x0a, 0x2e, 0x73, 0x61, 0x2e, 0x53, 0x65, 0x72, 0x69, 0x61, 0x6c, + 0x22, 0x00, 0x30, 0x01, 0x12, 0x2f, 0x0a, 0x0f, 0x47, 0x65, 0x74, 0x53, 0x65, 0x72, 0x69, 0x61, + 0x6c, 0x73, 0x42, 0x79, 0x4b, 0x65, 0x79, 0x12, 0x0c, 0x2e, 0x73, 0x61, 0x2e, 0x53, 0x50, 0x4b, + 0x49, 0x48, 0x61, 0x73, 0x68, 0x1a, 0x0a, 0x2e, 0x73, 
0x61, 0x2e, 0x53, 0x65, 0x72, 0x69, 0x61, + 0x6c, 0x22, 0x00, 0x30, 0x01, 0x12, 0x52, 0x0a, 0x17, 0x47, 0x65, 0x74, 0x56, 0x61, 0x6c, 0x69, + 0x64, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x32, + 0x12, 0x21, 0x2e, 0x73, 0x61, 0x2e, 0x47, 0x65, 0x74, 0x56, 0x61, 0x6c, 0x69, 0x64, 0x41, 0x75, + 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x52, 0x65, 0x71, 0x75, + 0x65, 0x73, 0x74, 0x1a, 0x12, 0x2e, 0x73, 0x61, 0x2e, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, + 0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x22, 0x00, 0x12, 0x5c, 0x0a, 0x1c, 0x47, 0x65, 0x74, + 0x56, 0x61, 0x6c, 0x69, 0x64, 0x4f, 0x72, 0x64, 0x65, 0x72, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, + 0x69, 0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x32, 0x12, 0x26, 0x2e, 0x73, 0x61, 0x2e, 0x47, + 0x65, 0x74, 0x56, 0x61, 0x6c, 0x69, 0x64, 0x4f, 0x72, 0x64, 0x65, 0x72, 0x41, 0x75, 0x74, 0x68, + 0x6f, 0x72, 0x69, 0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, + 0x74, 0x1a, 0x12, 0x2e, 0x73, 0x61, 0x2e, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x61, + 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x22, 0x00, 0x12, 0x31, 0x0a, 0x12, 0x49, 0x6e, 0x63, 0x69, 0x64, + 0x65, 0x6e, 0x74, 0x73, 0x46, 0x6f, 0x72, 0x53, 0x65, 0x72, 0x69, 0x61, 0x6c, 0x12, 0x0a, 0x2e, + 0x73, 0x61, 0x2e, 0x53, 0x65, 0x72, 0x69, 0x61, 0x6c, 0x1a, 0x0d, 0x2e, 0x73, 0x61, 0x2e, 0x49, + 0x6e, 0x63, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x73, 0x22, 0x00, 0x12, 0x28, 0x0a, 0x0a, 0x4b, 0x65, + 0x79, 0x42, 0x6c, 0x6f, 0x63, 0x6b, 0x65, 0x64, 0x12, 0x0c, 0x2e, 0x73, 0x61, 0x2e, 0x53, 0x50, + 0x4b, 0x49, 0x48, 0x61, 0x73, 0x68, 0x1a, 0x0a, 0x2e, 0x73, 0x61, 0x2e, 0x45, 0x78, 0x69, 0x73, + 0x74, 0x73, 0x22, 0x00, 0x12, 0x32, 0x0a, 0x16, 0x52, 0x65, 0x70, 0x6c, 0x61, 0x63, 0x65, 0x6d, + 0x65, 0x6e, 0x74, 0x4f, 0x72, 0x64, 0x65, 0x72, 0x45, 0x78, 0x69, 0x73, 0x74, 0x73, 0x12, 0x0a, + 0x2e, 0x73, 0x61, 0x2e, 0x53, 0x65, 0x72, 0x69, 0x61, 0x6c, 0x1a, 0x0a, 0x2e, 0x73, 0x61, 
0x2e, + 0x45, 0x78, 0x69, 0x73, 0x74, 0x73, 0x22, 0x00, 0x12, 0x4b, 0x0a, 0x12, 0x53, 0x65, 0x72, 0x69, + 0x61, 0x6c, 0x73, 0x46, 0x6f, 0x72, 0x49, 0x6e, 0x63, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x12, 0x1d, + 0x2e, 0x73, 0x61, 0x2e, 0x53, 0x65, 0x72, 0x69, 0x61, 0x6c, 0x73, 0x46, 0x6f, 0x72, 0x49, 0x6e, + 0x63, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x12, 0x2e, + 0x73, 0x61, 0x2e, 0x49, 0x6e, 0x63, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x53, 0x65, 0x72, 0x69, 0x61, + 0x6c, 0x22, 0x00, 0x30, 0x01, 0x12, 0x3d, 0x0a, 0x16, 0x43, 0x68, 0x65, 0x63, 0x6b, 0x49, 0x64, + 0x65, 0x6e, 0x74, 0x69, 0x66, 0x69, 0x65, 0x72, 0x73, 0x50, 0x61, 0x75, 0x73, 0x65, 0x64, 0x12, + 0x10, 0x2e, 0x73, 0x61, 0x2e, 0x50, 0x61, 0x75, 0x73, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, + 0x74, 0x1a, 0x0f, 0x2e, 0x73, 0x61, 0x2e, 0x49, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x66, 0x69, 0x65, + 0x72, 0x73, 0x22, 0x00, 0x12, 0x3d, 0x0a, 0x14, 0x47, 0x65, 0x74, 0x50, 0x61, 0x75, 0x73, 0x65, + 0x64, 0x49, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x66, 0x69, 0x65, 0x72, 0x73, 0x12, 0x12, 0x2e, 0x73, + 0x61, 0x2e, 0x52, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x49, 0x44, + 0x1a, 0x0f, 0x2e, 0x73, 0x61, 0x2e, 0x49, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x66, 0x69, 0x65, 0x72, + 0x73, 0x22, 0x00, 0x12, 0x43, 0x0a, 0x0d, 0x41, 0x64, 0x64, 0x42, 0x6c, 0x6f, 0x63, 0x6b, 0x65, + 0x64, 0x4b, 0x65, 0x79, 0x12, 0x18, 0x2e, 0x73, 0x61, 0x2e, 0x41, 0x64, 0x64, 0x42, 0x6c, 0x6f, + 0x63, 0x6b, 0x65, 0x64, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x16, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, - 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x22, 0x00, 0x12, 0x48, 0x0a, 0x11, 0x41, 0x64, 0x64, 0x50, - 0x72, 0x65, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x12, 0x19, 0x2e, - 0x73, 0x61, 0x2e, 0x41, 0x64, 0x64, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, - 0x65, 0x52, 0x65, 0x71, 0x75, 
0x65, 0x73, 0x74, 0x1a, 0x16, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, - 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, - 0x22, 0x00, 0x12, 0x41, 0x0a, 0x19, 0x53, 0x65, 0x74, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, - 0x63, 0x61, 0x74, 0x65, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x52, 0x65, 0x61, 0x64, 0x79, 0x12, - 0x0a, 0x2e, 0x73, 0x61, 0x2e, 0x53, 0x65, 0x72, 0x69, 0x61, 0x6c, 0x1a, 0x16, 0x2e, 0x67, 0x6f, + 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x22, 0x00, 0x12, 0x45, 0x0a, 0x0e, 0x41, 0x64, 0x64, 0x43, + 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x12, 0x19, 0x2e, 0x73, 0x61, 0x2e, + 0x41, 0x64, 0x64, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x52, 0x65, + 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x16, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, + 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x22, 0x00, 0x12, + 0x48, 0x0a, 0x11, 0x41, 0x64, 0x64, 0x50, 0x72, 0x65, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, + 0x63, 0x61, 0x74, 0x65, 0x12, 0x19, 0x2e, 0x73, 0x61, 0x2e, 0x41, 0x64, 0x64, 0x43, 0x65, 0x72, + 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, + 0x16, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, + 0x66, 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x22, 0x00, 0x12, 0x41, 0x0a, 0x19, 0x53, 0x65, 0x74, + 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x53, 0x74, 0x61, 0x74, 0x75, + 0x73, 0x52, 0x65, 0x61, 0x64, 0x79, 0x12, 0x0a, 0x2e, 0x73, 0x61, 0x2e, 0x53, 0x65, 0x72, 0x69, + 0x61, 0x6c, 0x1a, 0x16, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, + 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x22, 0x00, 0x12, 0x3b, 0x0a, 0x09, + 0x41, 0x64, 0x64, 0x53, 0x65, 0x72, 0x69, 0x61, 0x6c, 0x12, 0x14, 0x2e, 0x73, 0x61, 0x2e, 0x41, + 0x64, 0x64, 0x53, 0x65, 0x72, 0x69, 0x61, 0x6c, 0x52, 0x65, 0x71, 
0x75, 0x65, 0x73, 0x74, 0x1a, + 0x16, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, + 0x66, 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x22, 0x00, 0x12, 0x4a, 0x0a, 0x18, 0x44, 0x65, 0x61, + 0x63, 0x74, 0x69, 0x76, 0x61, 0x74, 0x65, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x61, + 0x74, 0x69, 0x6f, 0x6e, 0x32, 0x12, 0x14, 0x2e, 0x73, 0x61, 0x2e, 0x41, 0x75, 0x74, 0x68, 0x6f, + 0x72, 0x69, 0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x49, 0x44, 0x32, 0x1a, 0x16, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x45, 0x6d, - 0x70, 0x74, 0x79, 0x22, 0x00, 0x12, 0x3b, 0x0a, 0x09, 0x41, 0x64, 0x64, 0x53, 0x65, 0x72, 0x69, - 0x61, 0x6c, 0x12, 0x14, 0x2e, 0x73, 0x61, 0x2e, 0x41, 0x64, 0x64, 0x53, 0x65, 0x72, 0x69, 0x61, - 0x6c, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x16, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, - 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, - 0x22, 0x00, 0x12, 0x4a, 0x0a, 0x18, 0x44, 0x65, 0x61, 0x63, 0x74, 0x69, 0x76, 0x61, 0x74, 0x65, - 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x32, 0x12, 0x14, - 0x2e, 0x73, 0x61, 0x2e, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x61, 0x74, 0x69, 0x6f, - 0x6e, 0x49, 0x44, 0x32, 0x1a, 0x16, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, - 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x22, 0x00, 0x12, 0x46, - 0x0a, 0x16, 0x44, 0x65, 0x61, 0x63, 0x74, 0x69, 0x76, 0x61, 0x74, 0x65, 0x52, 0x65, 0x67, 0x69, - 0x73, 0x74, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x12, 0x2e, 0x73, 0x61, 0x2e, 0x52, 0x65, - 0x67, 0x69, 0x73, 0x74, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x49, 0x44, 0x1a, 0x16, 0x2e, 0x67, - 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x45, - 0x6d, 0x70, 0x74, 0x79, 0x22, 0x00, 0x12, 0x54, 0x0a, 0x16, 0x46, 0x69, 0x6e, 0x61, 0x6c, 0x69, - 0x7a, 
0x65, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x32, - 0x12, 0x20, 0x2e, 0x73, 0x61, 0x2e, 0x46, 0x69, 0x6e, 0x61, 0x6c, 0x69, 0x7a, 0x65, 0x41, 0x75, - 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x65, 0x71, 0x75, 0x65, - 0x73, 0x74, 0x1a, 0x16, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, - 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x22, 0x00, 0x12, 0x43, 0x0a, 0x0d, - 0x46, 0x69, 0x6e, 0x61, 0x6c, 0x69, 0x7a, 0x65, 0x4f, 0x72, 0x64, 0x65, 0x72, 0x12, 0x18, 0x2e, - 0x73, 0x61, 0x2e, 0x46, 0x69, 0x6e, 0x61, 0x6c, 0x69, 0x7a, 0x65, 0x4f, 0x72, 0x64, 0x65, 0x72, - 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x16, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, - 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x22, - 0x00, 0x12, 0x40, 0x0a, 0x11, 0x4e, 0x65, 0x77, 0x4f, 0x72, 0x64, 0x65, 0x72, 0x41, 0x6e, 0x64, - 0x41, 0x75, 0x74, 0x68, 0x7a, 0x73, 0x12, 0x1c, 0x2e, 0x73, 0x61, 0x2e, 0x4e, 0x65, 0x77, 0x4f, - 0x72, 0x64, 0x65, 0x72, 0x41, 0x6e, 0x64, 0x41, 0x75, 0x74, 0x68, 0x7a, 0x73, 0x52, 0x65, 0x71, - 0x75, 0x65, 0x73, 0x74, 0x1a, 0x0b, 0x2e, 0x63, 0x6f, 0x72, 0x65, 0x2e, 0x4f, 0x72, 0x64, 0x65, - 0x72, 0x22, 0x00, 0x12, 0x3b, 0x0a, 0x0f, 0x4e, 0x65, 0x77, 0x52, 0x65, 0x67, 0x69, 0x73, 0x74, - 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x12, 0x2e, 0x63, 0x6f, 0x72, 0x65, 0x2e, 0x52, 0x65, - 0x67, 0x69, 0x73, 0x74, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x1a, 0x12, 0x2e, 0x63, 0x6f, 0x72, - 0x65, 0x2e, 0x52, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x22, 0x00, - 0x12, 0x4b, 0x0a, 0x11, 0x52, 0x65, 0x76, 0x6f, 0x6b, 0x65, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, + 0x70, 0x74, 0x79, 0x22, 0x00, 0x12, 0x46, 0x0a, 0x16, 0x44, 0x65, 0x61, 0x63, 0x74, 0x69, 0x76, + 0x61, 0x74, 0x65, 0x52, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, + 0x12, 0x2e, 0x73, 0x61, 0x2e, 0x52, 0x65, 
0x67, 0x69, 0x73, 0x74, 0x72, 0x61, 0x74, 0x69, 0x6f, + 0x6e, 0x49, 0x44, 0x1a, 0x16, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, + 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x22, 0x00, 0x12, 0x54, 0x0a, + 0x16, 0x46, 0x69, 0x6e, 0x61, 0x6c, 0x69, 0x7a, 0x65, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, + 0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x32, 0x12, 0x20, 0x2e, 0x73, 0x61, 0x2e, 0x46, 0x69, 0x6e, + 0x61, 0x6c, 0x69, 0x7a, 0x65, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x61, 0x74, 0x69, + 0x6f, 0x6e, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x16, 0x2e, 0x67, 0x6f, 0x6f, 0x67, + 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x45, 0x6d, 0x70, 0x74, + 0x79, 0x22, 0x00, 0x12, 0x43, 0x0a, 0x0d, 0x46, 0x69, 0x6e, 0x61, 0x6c, 0x69, 0x7a, 0x65, 0x4f, + 0x72, 0x64, 0x65, 0x72, 0x12, 0x18, 0x2e, 0x73, 0x61, 0x2e, 0x46, 0x69, 0x6e, 0x61, 0x6c, 0x69, + 0x7a, 0x65, 0x4f, 0x72, 0x64, 0x65, 0x72, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x16, + 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, + 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x22, 0x00, 0x12, 0x40, 0x0a, 0x11, 0x4e, 0x65, 0x77, 0x4f, + 0x72, 0x64, 0x65, 0x72, 0x41, 0x6e, 0x64, 0x41, 0x75, 0x74, 0x68, 0x7a, 0x73, 0x12, 0x1c, 0x2e, + 0x73, 0x61, 0x2e, 0x4e, 0x65, 0x77, 0x4f, 0x72, 0x64, 0x65, 0x72, 0x41, 0x6e, 0x64, 0x41, 0x75, + 0x74, 0x68, 0x7a, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x0b, 0x2e, 0x63, 0x6f, + 0x72, 0x65, 0x2e, 0x4f, 0x72, 0x64, 0x65, 0x72, 0x22, 0x00, 0x12, 0x3b, 0x0a, 0x0f, 0x4e, 0x65, + 0x77, 0x52, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x12, 0x2e, + 0x63, 0x6f, 0x72, 0x65, 0x2e, 0x52, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x61, 0x74, 0x69, 0x6f, + 0x6e, 0x1a, 0x12, 0x2e, 0x63, 0x6f, 0x72, 0x65, 0x2e, 0x52, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, + 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x22, 0x00, 0x12, 0x4b, 0x0a, 0x11, 0x52, 0x65, 
0x76, 0x6f, 0x6b, + 0x65, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x12, 0x1c, 0x2e, 0x73, + 0x61, 0x2e, 0x52, 0x65, 0x76, 0x6f, 0x6b, 0x65, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, + 0x61, 0x74, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x16, 0x2e, 0x67, 0x6f, 0x6f, + 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x45, 0x6d, 0x70, + 0x74, 0x79, 0x22, 0x00, 0x12, 0x43, 0x0a, 0x0d, 0x53, 0x65, 0x74, 0x4f, 0x72, 0x64, 0x65, 0x72, + 0x45, 0x72, 0x72, 0x6f, 0x72, 0x12, 0x18, 0x2e, 0x73, 0x61, 0x2e, 0x53, 0x65, 0x74, 0x4f, 0x72, + 0x64, 0x65, 0x72, 0x45, 0x72, 0x72, 0x6f, 0x72, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, + 0x16, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, + 0x66, 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x22, 0x00, 0x12, 0x40, 0x0a, 0x12, 0x53, 0x65, 0x74, + 0x4f, 0x72, 0x64, 0x65, 0x72, 0x50, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x69, 0x6e, 0x67, 0x12, + 0x10, 0x2e, 0x73, 0x61, 0x2e, 0x4f, 0x72, 0x64, 0x65, 0x72, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, + 0x74, 0x1a, 0x16, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, + 0x62, 0x75, 0x66, 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x22, 0x00, 0x12, 0x42, 0x0a, 0x12, 0x55, + 0x70, 0x64, 0x61, 0x74, 0x65, 0x52, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x61, 0x74, 0x69, 0x6f, + 0x6e, 0x12, 0x12, 0x2e, 0x63, 0x6f, 0x72, 0x65, 0x2e, 0x52, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, + 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x1a, 0x16, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, + 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x22, 0x00, 0x12, + 0x57, 0x0a, 0x19, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x52, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, + 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x43, 0x6f, 0x6e, 0x74, 0x61, 0x63, 0x74, 0x12, 0x24, 0x2e, 0x73, + 0x61, 0x2e, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x52, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x61, + 0x74, 0x69, 0x6f, 
0x6e, 0x43, 0x6f, 0x6e, 0x74, 0x61, 0x63, 0x74, 0x52, 0x65, 0x71, 0x75, 0x65, + 0x73, 0x74, 0x1a, 0x12, 0x2e, 0x63, 0x6f, 0x72, 0x65, 0x2e, 0x52, 0x65, 0x67, 0x69, 0x73, 0x74, + 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x22, 0x00, 0x12, 0x4f, 0x0a, 0x15, 0x55, 0x70, 0x64, 0x61, + 0x74, 0x65, 0x52, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x4b, 0x65, + 0x79, 0x12, 0x20, 0x2e, 0x73, 0x61, 0x2e, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x52, 0x65, 0x67, + 0x69, 0x73, 0x74, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x71, 0x75, + 0x65, 0x73, 0x74, 0x1a, 0x12, 0x2e, 0x63, 0x6f, 0x72, 0x65, 0x2e, 0x52, 0x65, 0x67, 0x69, 0x73, + 0x74, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x22, 0x00, 0x12, 0x52, 0x0a, 0x18, 0x55, 0x70, 0x64, + 0x61, 0x74, 0x65, 0x52, 0x65, 0x76, 0x6f, 0x6b, 0x65, 0x64, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x12, 0x1c, 0x2e, 0x73, 0x61, 0x2e, 0x52, 0x65, 0x76, 0x6f, 0x6b, 0x65, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x16, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, - 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x22, 0x00, 0x12, 0x43, 0x0a, - 0x0d, 0x53, 0x65, 0x74, 0x4f, 0x72, 0x64, 0x65, 0x72, 0x45, 0x72, 0x72, 0x6f, 0x72, 0x12, 0x18, - 0x2e, 0x73, 0x61, 0x2e, 0x53, 0x65, 0x74, 0x4f, 0x72, 0x64, 0x65, 0x72, 0x45, 0x72, 0x72, 0x6f, - 0x72, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x16, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, - 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, - 0x22, 0x00, 0x12, 0x40, 0x0a, 0x12, 0x53, 0x65, 0x74, 0x4f, 0x72, 0x64, 0x65, 0x72, 0x50, 0x72, - 0x6f, 0x63, 0x65, 0x73, 0x73, 0x69, 0x6e, 0x67, 0x12, 0x10, 0x2e, 0x73, 0x61, 0x2e, 0x4f, 0x72, - 0x64, 0x65, 0x72, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x16, 0x2e, 0x67, 0x6f, 0x6f, - 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 
0x75, 0x66, 0x2e, 0x45, 0x6d, 0x70, - 0x74, 0x79, 0x22, 0x00, 0x12, 0x42, 0x0a, 0x12, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x52, 0x65, - 0x67, 0x69, 0x73, 0x74, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x12, 0x2e, 0x63, 0x6f, 0x72, - 0x65, 0x2e, 0x52, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x1a, 0x16, - 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, - 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x22, 0x00, 0x12, 0x57, 0x0a, 0x19, 0x55, 0x70, 0x64, 0x61, - 0x74, 0x65, 0x52, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x43, 0x6f, - 0x6e, 0x74, 0x61, 0x63, 0x74, 0x12, 0x24, 0x2e, 0x73, 0x61, 0x2e, 0x55, 0x70, 0x64, 0x61, 0x74, - 0x65, 0x52, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x43, 0x6f, 0x6e, - 0x74, 0x61, 0x63, 0x74, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x12, 0x2e, 0x63, 0x6f, - 0x72, 0x65, 0x2e, 0x52, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x22, - 0x00, 0x12, 0x4f, 0x0a, 0x15, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x52, 0x65, 0x67, 0x69, 0x73, - 0x74, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x4b, 0x65, 0x79, 0x12, 0x20, 0x2e, 0x73, 0x61, 0x2e, - 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x52, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x61, 0x74, 0x69, - 0x6f, 0x6e, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x12, 0x2e, 0x63, - 0x6f, 0x72, 0x65, 0x2e, 0x52, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, - 0x22, 0x00, 0x12, 0x52, 0x0a, 0x18, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x52, 0x65, 0x76, 0x6f, - 0x6b, 0x65, 0x64, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x12, 0x1c, - 0x2e, 0x73, 0x61, 0x2e, 0x52, 0x65, 0x76, 0x6f, 0x6b, 0x65, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, - 0x69, 0x63, 0x61, 0x74, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x16, 0x2e, 0x67, - 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x45, - 
0x6d, 0x70, 0x74, 0x79, 0x22, 0x00, 0x12, 0x46, 0x0a, 0x0d, 0x4c, 0x65, 0x61, 0x73, 0x65, 0x43, - 0x52, 0x4c, 0x53, 0x68, 0x61, 0x72, 0x64, 0x12, 0x18, 0x2e, 0x73, 0x61, 0x2e, 0x4c, 0x65, 0x61, - 0x73, 0x65, 0x43, 0x52, 0x4c, 0x53, 0x68, 0x61, 0x72, 0x64, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, - 0x74, 0x1a, 0x19, 0x2e, 0x73, 0x61, 0x2e, 0x4c, 0x65, 0x61, 0x73, 0x65, 0x43, 0x52, 0x4c, 0x53, - 0x68, 0x61, 0x72, 0x64, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x12, 0x45, - 0x0a, 0x0e, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x43, 0x52, 0x4c, 0x53, 0x68, 0x61, 0x72, 0x64, - 0x12, 0x19, 0x2e, 0x73, 0x61, 0x2e, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x43, 0x52, 0x4c, 0x53, - 0x68, 0x61, 0x72, 0x64, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x16, 0x2e, 0x67, 0x6f, - 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x45, 0x6d, - 0x70, 0x74, 0x79, 0x22, 0x00, 0x12, 0x44, 0x0a, 0x10, 0x50, 0x61, 0x75, 0x73, 0x65, 0x49, 0x64, - 0x65, 0x6e, 0x74, 0x69, 0x66, 0x69, 0x65, 0x72, 0x73, 0x12, 0x10, 0x2e, 0x73, 0x61, 0x2e, 0x50, - 0x61, 0x75, 0x73, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x1c, 0x2e, 0x73, 0x61, - 0x2e, 0x50, 0x61, 0x75, 0x73, 0x65, 0x49, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x66, 0x69, 0x65, 0x72, - 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x12, 0x31, 0x0a, 0x0e, 0x55, - 0x6e, 0x70, 0x61, 0x75, 0x73, 0x65, 0x41, 0x63, 0x63, 0x6f, 0x75, 0x6e, 0x74, 0x12, 0x12, 0x2e, - 0x73, 0x61, 0x2e, 0x52, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x49, - 0x44, 0x1a, 0x09, 0x2e, 0x73, 0x61, 0x2e, 0x43, 0x6f, 0x75, 0x6e, 0x74, 0x22, 0x00, 0x42, 0x29, - 0x5a, 0x27, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x6c, 0x65, 0x74, - 0x73, 0x65, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x2f, 0x62, 0x6f, 0x75, 0x6c, 0x64, 0x65, 0x72, - 0x2f, 0x73, 0x61, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, - 0x33, + 0x74, 0x6f, 0x62, 0x75, 0x66, 
0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x22, 0x00, 0x12, 0x46, 0x0a, + 0x0d, 0x4c, 0x65, 0x61, 0x73, 0x65, 0x43, 0x52, 0x4c, 0x53, 0x68, 0x61, 0x72, 0x64, 0x12, 0x18, + 0x2e, 0x73, 0x61, 0x2e, 0x4c, 0x65, 0x61, 0x73, 0x65, 0x43, 0x52, 0x4c, 0x53, 0x68, 0x61, 0x72, + 0x64, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x19, 0x2e, 0x73, 0x61, 0x2e, 0x4c, 0x65, + 0x61, 0x73, 0x65, 0x43, 0x52, 0x4c, 0x53, 0x68, 0x61, 0x72, 0x64, 0x52, 0x65, 0x73, 0x70, 0x6f, + 0x6e, 0x73, 0x65, 0x22, 0x00, 0x12, 0x45, 0x0a, 0x0e, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x43, + 0x52, 0x4c, 0x53, 0x68, 0x61, 0x72, 0x64, 0x12, 0x19, 0x2e, 0x73, 0x61, 0x2e, 0x55, 0x70, 0x64, + 0x61, 0x74, 0x65, 0x43, 0x52, 0x4c, 0x53, 0x68, 0x61, 0x72, 0x64, 0x52, 0x65, 0x71, 0x75, 0x65, + 0x73, 0x74, 0x1a, 0x16, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, + 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x22, 0x00, 0x12, 0x44, 0x0a, 0x10, + 0x50, 0x61, 0x75, 0x73, 0x65, 0x49, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x66, 0x69, 0x65, 0x72, 0x73, + 0x12, 0x10, 0x2e, 0x73, 0x61, 0x2e, 0x50, 0x61, 0x75, 0x73, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, + 0x73, 0x74, 0x1a, 0x1c, 0x2e, 0x73, 0x61, 0x2e, 0x50, 0x61, 0x75, 0x73, 0x65, 0x49, 0x64, 0x65, + 0x6e, 0x74, 0x69, 0x66, 0x69, 0x65, 0x72, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, + 0x22, 0x00, 0x12, 0x31, 0x0a, 0x0e, 0x55, 0x6e, 0x70, 0x61, 0x75, 0x73, 0x65, 0x41, 0x63, 0x63, + 0x6f, 0x75, 0x6e, 0x74, 0x12, 0x12, 0x2e, 0x73, 0x61, 0x2e, 0x52, 0x65, 0x67, 0x69, 0x73, 0x74, + 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x49, 0x44, 0x1a, 0x09, 0x2e, 0x73, 0x61, 0x2e, 0x43, 0x6f, + 0x75, 0x6e, 0x74, 0x22, 0x00, 0x42, 0x29, 0x5a, 0x27, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, + 0x63, 0x6f, 0x6d, 0x2f, 0x6c, 0x65, 0x74, 0x73, 0x65, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x2f, + 0x62, 0x6f, 0x75, 0x6c, 0x64, 0x65, 0x72, 0x2f, 0x73, 0x61, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, + 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, } var ( 
diff --git a/sa/proto/sa.proto b/sa/proto/sa.proto
index dba08d5fc8e..a44c97b657e 100644
--- a/sa/proto/sa.proto
+++ b/sa/proto/sa.proto
@@ -177,6 +177,7 @@ message CountFQDNSetsRequest {
 reserved 1; // Previously windowNS
 repeated string dnsNames = 2;
 google.protobuf.Duration window = 3;
+ int64 limit = 4;
 }
 message FQDNSetExistsRequest {
diff --git a/sa/sa_test.go b/sa/sa_test.go
index 002f3df9632..e358082ac68 100644
--- a/sa/sa_test.go
+++ b/sa/sa_test.go
@@ -811,6 +811,15 @@ func TestFQDNSetTimestampsForWindow(t *testing.T) {
 test.AssertNotError(t, err, "Failed to count name sets")
 test.AssertEquals(t, len(resp.Timestamps), 2)
 test.AssertEquals(t, firstIssued, resp.Timestamps[len(resp.Timestamps)-1].AsTime())
+
+ resp, err = sa.FQDNSetTimestampsForWindow(ctx, &sapb.CountFQDNSetsRequest{
+ DnsNames: names,
+ Window: durationpb.New(window),
+ Limit: 1,
+ })
+ test.AssertNotError(t, err, "Failed to count name sets")
+ test.AssertEquals(t, len(resp.Timestamps), 1)
+ test.AssertEquals(t, firstIssued, resp.Timestamps[len(resp.Timestamps)-1].AsTime())
 }
 func TestFQDNSetsExists(t *testing.T) {
diff --git a/sa/saro.go b/sa/saro.go
index c684b3d411d..129b07daacc 100644
--- a/sa/saro.go
+++ b/sa/saro.go
@@ -4,6 +4,7 @@ import (
 "context"
 "errors"
 "fmt"
+ "math"
 "math/big"
 "net"
 "regexp"
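Review bot: The new `limit` field on `CountFQDNSetsRequest` is added without a comment, so the meaning of an unset value is only discoverable from the server code in sa/saro.go, which maps 0 to "no limit". A line above the field such as `// limit caps the number of timestamps returned, most recent first; 0 means no limit.` would put the contract where callers of the RPC read it. It would also be the place to state what a negative value means, which the message does not currently say.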
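Review bot: The added `Limit: 1` case in TestFQDNSetTimestampsForWindow does not pin which timestamp is kept: it expects the single result to equal `firstIssued`, the same value the two-result assertion directly above expects in the last position of a newest-first list. The fixture is set up outside this hunk, but this suggests both in-window sets share one issuance time, in which case any single row would pass. Adding a set with a distinct, later `issued` value and asserting that this timestamp comes back would tie the test to the "most recent" wording of the doc comment; a case for a negative `Limit` would be worth adding alongside it.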
@@ -434,10 +435,16 @@ func (ssa *SQLStorageAuthorityRO) CountOrders(ctx context.Context, req *sapb.Cou
 // FQDNSetTimestampsForWindow returns the issuance timestamps for each
 // certificate, issued for a set of domains, during a given window of time,
 // starting from the most recent issuance.
+//
+// If req.Limit is nonzero, it returns only the most recent `Limit` results
 func (ssa *SQLStorageAuthorityRO) FQDNSetTimestampsForWindow(ctx context.Context, req *sapb.CountFQDNSetsRequest) (*sapb.Timestamps, error) {
 if core.IsAnyNilOrZero(req.Window) || len(req.DnsNames) == 0 {
 return nil, errIncompleteRequest
 }
+ limit := req.Limit
+ if limit == 0 {
+ limit = math.MaxInt64
+ }
 type row struct {
 Issued time.Time
 }
@@ -448,9 +455,11 @@ func (ssa *SQLStorageAuthorityRO) FQDNSetTimestampsForWindow(ctx context.Context
 `SELECT issued FROM fqdnSets
 WHERE setHash = ?
 AND issued > ?
- ORDER BY issued DESC`,
+ ORDER BY issued DESC
+ LIMIT ?`,
 core.HashNames(req.DnsNames),
 ssa.clk.Now().Add(-req.Window.AsDuration()),
+ limit,
 )
 if err != nil {
 return nil, err
From e8a49c5a0218c7fc61a1efef151fddc81a0039e0 Mon Sep 17 00:00:00 2001
From: Jacob Hoffman-Andrews Date: Thu, 19 Dec 2024 11:19:49 -0800 Subject: [PATCH 4/6] wfe: remove authz-v3 and chall-v3 paths (#7904) This removes the `handlerPath` parameter to various calls, which was used solely to distinguish the `-v3`-style paths from the `WithAccount` paths. Also, this removes `WithAccount` from all names that had it. The fact that these URLS include an account ID is now implicit.
---
 wfe2/wfe.go | 116 ++++---------- wfe2/wfe_test.go | 406 +++-------------------------------------------- 2 files changed, 56 insertions(+), 466 deletions(-)
diff --git a/wfe2/wfe.go b/wfe2/wfe.go
index 75768ea1e6b..fe0cf7c3603 100644
--- a/wfe2/wfe.go
+++ b/wfe2/wfe.go
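Review bot: A negative `req.Limit` is not handled in the block added to FQDNSetTimestampsForWindow: only 0 is mapped to `math.MaxInt64`, so any other value, including a negative one, is bound to the `LIMIT ?` placeholder added in the second saro.go hunk. The database will most likely reject that, which surfaces as an opaque query error rather than a request-validation error. Rejecting it next to the existing checks, `if req.Limit < 0 { return nil, errIncompleteRequest }`, keeps malformed requests away from the SQL layer; the doc comment could then say "positive" instead of "nonzero" and end with a period. The function body continues past the end of both hunks.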
@@ -50,31 +50,24 @@ import (
 // lowercase plus hyphens. If you violate that assumption you should update
 // measured_http.
 const (
- directoryPath = "/directory"
- newAcctPath = "/acme/new-acct"
- acctPath = "/acme/acct/"
- // When we moved to authzv2, we used a "-v3" suffix to avoid confusion
- // regarding ACMEv2. More recently we moved back to using plain `/acme/authz/`
- // and `/acme/chall/`, so the `-v3` paths are deprecated.
- // TODO(#7683): Remove authz-v3 and chall-v3 once the new paths have been
- // the default in prod for 30 days.
- deprecatedAuthzPath = "/acme/authz-v3/"
- authzPathWithAcct = "/acme/authz/"
- deprecatedChallengePath = "/acme/chall-v3/"
- challengePathWithAcct = "/acme/chall/"
- certPath = "/acme/cert/"
- revokeCertPath = "/acme/revoke-cert"
- buildIDPath = "/build"
- rolloverPath = "/acme/key-change"
- newNoncePath = "/acme/new-nonce"
- newOrderPath = "/acme/new-order"
- orderPath = "/acme/order/"
- finalizeOrderPath = "/acme/finalize/"
+ directoryPath = "/directory"
+ newAcctPath = "/acme/new-acct"
+ acctPath = "/acme/acct/"
+ authzPath = "/acme/authz/"
+ challengePath = "/acme/chall/"
+ certPath = "/acme/cert/"
+ revokeCertPath = "/acme/revoke-cert"
+ buildIDPath = "/build"
+ rolloverPath = "/acme/key-change"
+ newNoncePath = "/acme/new-nonce"
+ newOrderPath = "/acme/new-order"
+ orderPath = "/acme/order/"
+ finalizeOrderPath = "/acme/finalize/"
 getAPIPrefix = "/get/"
 getOrderPath = getAPIPrefix + "order/"
- getAuthzPath = getAPIPrefix + "authz-v3/"
- getChallengePath = getAPIPrefix + "chall-v3/"
+ getAuthzPath = getAPIPrefix + "authz/"
+ getChallengePath = getAPIPrefix + "chall/"
 getCertPath = getAPIPrefix + "cert/"
 // Draft or likely-to-change paths
@@ -435,15 +428,13 @@ func (wfe *WebFrontEndImpl) Handler(stats prometheus.Registerer, oTelHTTPOptions
 // TODO(@cpu): After November 1st, 2020 support for "GET" to the following
 // endpoints will be removed, leaving only POST-as-GET support.
 wfe.HandleFunc(m, orderPath, wfe.GetOrder, "GET", "POST")
- wfe.HandleFunc(m, deprecatedAuthzPath, wfe.DeprecatedAuthorizationHandler, "GET", "POST")
- wfe.HandleFunc(m, authzPathWithAcct, wfe.AuthorizationHandler, "GET", "POST")
- wfe.HandleFunc(m, deprecatedChallengePath, wfe.DeprecatedChallengeHandler, "GET", "POST")
- wfe.HandleFunc(m, challengePathWithAcct, wfe.ChallengeHandler, "GET", "POST")
+ wfe.HandleFunc(m, authzPath, wfe.AuthorizationHandler, "GET", "POST")
+ wfe.HandleFunc(m, challengePath, wfe.ChallengeHandler, "GET", "POST")
 wfe.HandleFunc(m, certPath, wfe.Certificate, "GET", "POST")
 // Boulder-specific GET-able resource endpoints
 wfe.HandleFunc(m, getOrderPath, wfe.GetOrder, "GET")
- wfe.HandleFunc(m, getAuthzPath, wfe.DeprecatedAuthorizationHandler, "GET")
- wfe.HandleFunc(m, getChallengePath, wfe.DeprecatedChallengeHandler, "GET")
+ wfe.HandleFunc(m, getAuthzPath, wfe.AuthorizationHandler, "GET")
+ wfe.HandleFunc(m, getChallengePath, wfe.ChallengeHandler, "GET")
 wfe.HandleFunc(m, getCertPath, wfe.Certificate, "GET")
 // Endpoint for draft-ietf-acme-ari
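Review bot: Pointing `getAuthzPath` and `getChallengePath` at `AuthorizationHandler` and `ChallengeHandler` changes the shape of the GET-only `/get/` URLs, not just their prefix. The removed `Deprecated*` handlers took `{authzID}` or `{authzID}/{challID}`, while the remaining ones read the authz ID from `slug[1]`, so a client or monitor still using `/get/authz-v3/{authzID}` gets no route, and `/get/authz/{authzID}` without the account segment is presumably rejected by the slug-length check outside this hunk. The commit message only mentions the `-v3` paths in general terms, so a comment above these two registrations would help, e.g. `// The /get/ authz and challenge URLs take the same {regID}/... form as their /acme/ counterparts.`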
@@ -1089,22 +1080,6 @@ func (wfe *WebFrontEndImpl) RevokeCertificate(
 response.WriteHeader(http.StatusOK)
 }
-// DeprecatedChallengeHandler handles POST requests to challenge URLs of the form /acme/chall-v3//.
-// Such requests are clients' responses to the server's challenges.
-func (wfe *WebFrontEndImpl) DeprecatedChallengeHandler(
- ctx context.Context,
- logEvent *web.RequestEvent,
- response http.ResponseWriter,
- request *http.Request) {
- slug := strings.Split(request.URL.Path, "/")
- if len(slug) != 2 {
- wfe.sendError(response, logEvent, probs.NotFound("No such challenge"), nil)
- return
- }
-
- wfe.Challenge(ctx, logEvent, deprecatedChallengePath, response, request, slug[0], slug[1])
-}
-
 // ChallengeHandler handles POST requests to challenge URLs of the form /acme/chall/{regID}/{authzID}/{challID}.
 func (wfe *WebFrontEndImpl) ChallengeHandler(
 ctx context.Context,
@@ -1117,14 +1092,13 @@ func (wfe *WebFrontEndImpl) ChallengeHandler(
 return
 }
 // TODO(#7683): the regID is currently ignored.
- wfe.Challenge(ctx, logEvent, challengePathWithAcct, response, request, slug[1], slug[2])
+ wfe.Challenge(ctx, logEvent, response, request, slug[1], slug[2])
 }
 // Challenge handles POSTS to both formats of challenge URLs.
 func (wfe *WebFrontEndImpl) Challenge(
 ctx context.Context,
 logEvent *web.RequestEvent,
- handlerPath string,
 response http.ResponseWriter,
 request *http.Request,
 authorizationIDStr string,
@@ -1182,11 +1156,11 @@ func (wfe *WebFrontEndImpl) Challenge(
 challenge := authz.Challenges[challengeIndex]
 switch request.Method {
 case "GET", "HEAD":
- wfe.getChallenge(handlerPath, response, request, authz, &challenge, logEvent)
+ wfe.getChallenge(response, request, authz, &challenge, logEvent)
 case "POST":
 logEvent.ChallengeType = string(challenge.Type)
- wfe.postChallenge(ctx, handlerPath, response, request, authz, challengeIndex, logEvent)
+ wfe.postChallenge(ctx, response, request, authz, challengeIndex, logEvent)
 }
 }
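Review bot: `ChallengeHandler` still drops `slug[0]` (see the `TODO(#7683)` kept as context in the -1117 hunk), so now that every challenge URL carries an account ID, a request with any value in that position resolves to the same challenge. That leaves access logs and anything keyed on the request path able to attribute a challenge to the wrong account, and `AuthorizationHandler` in the -1559 hunk has the same gap. Once the authz has been loaded in `Challenge` and `Authorization` (their bodies are outside these hunks), the parsed ID could be compared with `authz.RegistrationID` and a mismatch answered with the existing `probs.NotFound` response, so that only the canonical URL emitted by `prepChallengeForDisplay` is accepted.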
@@ -1212,16 +1186,12 @@ func prepAccountForDisplay(acct *core.Registration) {
 // the client by filling in its URL field and clearing several unnecessary
 // fields.
 func (wfe *WebFrontEndImpl) prepChallengeForDisplay(
- handlerPath string,
 request *http.Request,
 authz core.Authorization,
 challenge *core.Challenge,
 ) {
 // Update the challenge URL to be relative to the HTTP request Host
- challenge.URL = web.RelativeEndpoint(request, fmt.Sprintf("%s%s/%s", deprecatedChallengePath, authz.ID, challenge.StringID()))
- if handlerPath == challengePathWithAcct || handlerPath == authzPathWithAcct {
- challenge.URL = web.RelativeEndpoint(request, fmt.Sprintf("%s%d/%s/%s", challengePathWithAcct, authz.RegistrationID, authz.ID, challenge.StringID()))
- }
+ challenge.URL = web.RelativeEndpoint(request, fmt.Sprintf("%s%d/%s/%s", challengePath, authz.RegistrationID, authz.ID, challenge.StringID()))
 // Internally, we store challenge error problems with just the short form
 // (e.g. "CAA") of the problem type. But for external display, we need to
@@ -1244,9 +1214,9 @@ func (wfe *WebFrontEndImpl) prepChallengeForDisplay(
 // prepAuthorizationForDisplay takes a core.Authorization and prepares it for
 // display to the client by preparing all its challenges.
-func (wfe *WebFrontEndImpl) prepAuthorizationForDisplay(handlerPath string, request *http.Request, authz *core.Authorization) {
+func (wfe *WebFrontEndImpl) prepAuthorizationForDisplay(request *http.Request, authz *core.Authorization) {
 for i := range authz.Challenges {
- wfe.prepChallengeForDisplay(handlerPath, request, *authz, &authz.Challenges[i])
+ wfe.prepChallengeForDisplay(request, *authz, &authz.Challenges[i])
 }
 // Shuffle the challenges so no one relies on their order.
@@ -1268,15 +1238,14 @@ func (wfe *WebFrontEndImpl) prepAuthorizationForDisplay(handlerPath string, requ
 }
 func (wfe *WebFrontEndImpl) getChallenge(
- handlerPath string,
 response http.ResponseWriter,
 request *http.Request,
 authz core.Authorization,
 challenge *core.Challenge,
 logEvent *web.RequestEvent) {
- wfe.prepChallengeForDisplay(handlerPath, request, authz, challenge)
+ wfe.prepChallengeForDisplay(request, authz, challenge)
- authzURL := urlForAuthz(handlerPath, authz, request)
+ authzURL := urlForAuthz(authz, request)
 response.Header().Add("Location", challenge.URL)
 response.Header().Add("Link", link(authzURL, "up"))
@@ -1291,7 +1260,6 @@ func (wfe *WebFrontEndImpl) getChallenge(
 func (wfe *WebFrontEndImpl) postChallenge(
 ctx context.Context,
- handlerPath string,
 response http.ResponseWriter,
 request *http.Request,
 authz core.Authorization,
@@ -1320,7 +1288,7 @@ func (wfe *WebFrontEndImpl) postChallenge(
 // challenge details, not a POST to initiate a challenge
 if string(body) == "" {
 challenge := authz.Challenges[challengeIndex]
- wfe.getChallenge(handlerPath, response, request, authz, &challenge, logEvent)
+ wfe.getChallenge(response, request, authz, &challenge, logEvent)
 return
 }
@@ -1370,9 +1338,9 @@ func (wfe *WebFrontEndImpl) postChallenge(
 // assumption: PerformValidation does not modify order of challenges
 challenge := returnAuthz.Challenges[challengeIndex]
- wfe.prepChallengeForDisplay(handlerPath, request, authz, &challenge)
+ wfe.prepChallengeForDisplay(request, authz, &challenge)
- authzURL := urlForAuthz(handlerPath, authz, request)
+ authzURL := urlForAuthz(authz, request)
 response.Header().Add("Location", challenge.URL)
 response.Header().Add("Link", link(authzURL, "up"))
@@ -1538,15 +1506,6 @@ func (wfe *WebFrontEndImpl) deactivateAuthorization(
 return true
 }
-// DeprecatedAuthorizationHandler handles requests to authorization URLs of the form /acme/authz/{authzID}.
-func (wfe *WebFrontEndImpl) DeprecatedAuthorizationHandler(
- ctx context.Context,
- logEvent *web.RequestEvent,
- response http.ResponseWriter,
- request *http.Request) {
- wfe.Authorization(ctx, deprecatedAuthzPath, logEvent, response, request, request.URL.Path)
-}
-
 // AuthorizationHandler handles requests to authorization URLs of the form /acme/authz/{regID}/{authzID}.
 func (wfe *WebFrontEndImpl) AuthorizationHandler(
 ctx context.Context,
@@ -1559,14 +1518,13 @@ func (wfe *WebFrontEndImpl) AuthorizationHandler(
 return
 }
 // TODO(#7683): The regID is currently ignored.
- wfe.Authorization(ctx, authzPathWithAcct, logEvent, response, request, slug[1])
+ wfe.Authorization(ctx, logEvent, response, request, slug[1])
 }
 // Authorization handles both `/acme/authz/{authzID}` and `/acme/authz/{regID}/{authzID}` requests,
 // after the calling function has parsed out the authzID.
 func (wfe *WebFrontEndImpl) Authorization(
 ctx context.Context,
- handlerPath string,
 logEvent *web.RequestEvent,
 response http.ResponseWriter,
 request *http.Request,
@@ -1657,7 +1615,7 @@ func (wfe *WebFrontEndImpl) Authorization(
 return
 }
- wfe.prepAuthorizationForDisplay(handlerPath, request, &authz)
+ wfe.prepAuthorizationForDisplay(request, &authz)
 err = wfe.writeJsonResponse(response, logEvent, http.StatusOK, authz)
 if err != nil {
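Review bot: The doc comment kept as context above `Authorization` in the -1559 hunk still says it handles both `/acme/authz/{authzID}` and `/acme/authz/{regID}/{authzID}`, but this commit deletes the only caller that used the first form. It should read something like `// Authorization handles /acme/authz/{regID}/{authzID} requests, after the calling function has parsed out the authzID.` The same applies to `// Challenge handles POSTS to both formats of challenge URLs.` in the -1117 hunk, where only one URL format remains.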
@@ -2050,7 +2008,7 @@ func (wfe *WebFrontEndImpl) orderToOrderJSON(request *http.Request, order *corep respObj.Error.Type = probs.ErrorNS + respObj.Error.Type } for _, v2ID := range order.V2Authorizations { - respObj.Authorizations = append(respObj.Authorizations, web.RelativeEndpoint(request, fmt.Sprintf("%s%d/%d", authzPathWithAcct, order.RegistrationID, v2ID))) + respObj.Authorizations = append(respObj.Authorizations, web.RelativeEndpoint(request, fmt.Sprintf("%s%d/%d", authzPath, order.RegistrationID, v2ID))) } if respObj.Status == core.StatusValid { certURL := web.RelativeEndpoint(request, @@ -2766,10 +2724,6 @@ func extractRequesterIP(req *http.Request) (net.IP, error) { return net.ParseIP(host), nil } -func urlForAuthz(handlerPath string, authz core.Authorization, request *http.Request) string { - if handlerPath == challengePathWithAcct || handlerPath == authzPathWithAcct { - return web.RelativeEndpoint(request, fmt.Sprintf("%s%d/%s", authzPathWithAcct, authz.RegistrationID, authz.ID)) - } - - return web.RelativeEndpoint(request, deprecatedAuthzPath+authz.ID) +func urlForAuthz(authz core.Authorization, request *http.Request) string { + return web.RelativeEndpoint(request, fmt.Sprintf("%s%d/%s", authzPath, authz.RegistrationID, authz.ID)) } diff --git a/wfe2/wfe_test.go b/wfe2/wfe_test.go index a49a31c915a..04aac18ac8b 100644 --- a/wfe2/wfe_test.go +++ b/wfe2/wfe_test.go @@ -1041,13 +1041,13 @@ func TestHTTPMethods(t *testing.T) { // TODO(@cpu): Remove GET authz support, support only POST-as-GET { Name: "Authz path should be GET or POST only", - Path: deprecatedAuthzPath, + Path: authzPath, Allowed: getOrPost, }, // TODO(@cpu): Remove GET challenge support, support only POST-as-GET { Name: "Challenge path should be GET or POST only", - Path: deprecatedChallengePath, + Path: challengePath, Allowed: getOrPost, }, // TODO(@cpu): Remove GET certificate support, support only POST-as-GET 
@@ -1146,40 +1146,6 @@ func TestGetChallengeHandler(t *testing.T) { // token "token". challSlug := "7TyhFQ" - for _, method := range []string{"GET", "HEAD"} { - resp := httptest.NewRecorder() - - // We set req.URL.Path separately to emulate the path-stripping that - // Boulder's request handler does. - challengeURL := fmt.Sprintf("http://localhost/acme/chall-v3/1/%s", challSlug) - req, err := http.NewRequest(method, challengeURL, nil) - test.AssertNotError(t, err, "Could not make NewRequest") - req.URL.Path = fmt.Sprintf("1/%s", challSlug) - - wfe.DeprecatedChallengeHandler(ctx, newRequestEvent(), resp, req) - test.AssertEquals(t, resp.Code, http.StatusOK) - test.AssertEquals(t, resp.Header().Get("Location"), challengeURL) - test.AssertEquals(t, resp.Header().Get("Content-Type"), "application/json") - test.AssertEquals(t, resp.Header().Get("Link"), `;rel="up"`) - - // Body is only relevant for GET. For HEAD, body will - // be discarded by HandleFunc() anyway, so it doesn't - // matter what Challenge() writes to it. - if method == "GET" { - test.AssertUnmarshaledEquals( - t, resp.Body.String(), - `{"status": "valid", "type":"http-01","token":"token","url":"http://localhost/acme/chall-v3/1/7TyhFQ"}`) - } - } -} - -func TestGetChallengeHandlerWithAccount(t *testing.T) { - wfe, _, _ := setupWFE(t) - - // The slug "7TyhFQ" is the StringID of a challenge with type "http-01" and - // token "token". - challSlug := "7TyhFQ" - for _, method := range []string{"GET", "HEAD"} { resp := httptest.NewRecorder() 
@@ -1220,85 +1186,6 @@ func TestChallengeHandler(t *testing.T) { return makePostRequestWithPath(path, jwsBody) } - testCases := []struct { - Name string - Request *http.Request - ExpectedStatus int - ExpectedHeaders map[string]string - ExpectedBody string - }{ - { - Name: "Valid challenge", - Request: post("1/7TyhFQ"), - ExpectedStatus: http.StatusOK, - ExpectedHeaders: map[string]string{ - "Content-Type": "application/json", - "Location": "http://localhost/acme/chall-v3/1/7TyhFQ", - "Link": `;rel="up"`, - }, - ExpectedBody: `{"status": "valid", "type":"http-01","token":"token","url":"http://localhost/acme/chall-v3/1/7TyhFQ"}`, - }, - { - Name: "Expired challenge", - Request: post("3/7TyhFQ"), - ExpectedStatus: http.StatusNotFound, - ExpectedBody: `{"type":"` + probs.ErrorNS + `malformed","detail":"Expired authorization","status":404}`, - }, - { - Name: "Missing challenge", - Request: post("1/"), - ExpectedStatus: http.StatusNotFound, - ExpectedBody: `{"type":"` + probs.ErrorNS + `malformed","detail":"No such challenge","status":404}`, - }, - { - Name: "Unspecified database error", - Request: post("4/7TyhFQ"), - ExpectedStatus: http.StatusInternalServerError, - ExpectedBody: `{"type":"` + probs.ErrorNS + `serverInternal","detail":"Problem getting authorization","status":500}`, - }, - { - Name: "POST-as-GET, wrong owner", - Request: postAsGet(1, "5/7TyhFQ", ""), - ExpectedStatus: http.StatusForbidden, - ExpectedBody: `{"type":"` + probs.ErrorNS + `unauthorized","detail":"User account ID doesn't match account ID in authorization","status":403}`, - }, - { - Name: "Valid POST-as-GET", - Request: postAsGet(1, "1/7TyhFQ", ""), - ExpectedStatus: http.StatusOK, - ExpectedBody: `{"status": "valid", "type":"http-01", "token":"token", "url": "http://localhost/acme/chall-v3/1/7TyhFQ"}`, - }, - } - - for _, tc := range testCases { - t.Run(tc.Name, func(t *testing.T) { - responseWriter := httptest.NewRecorder() - wfe.DeprecatedChallengeHandler(ctx, newRequestEvent(), 
responseWriter, tc.Request) - // Check the response code, headers and body match expected - headers := responseWriter.Header() - body := responseWriter.Body.String() - test.AssertEquals(t, responseWriter.Code, tc.ExpectedStatus) - for h, v := range tc.ExpectedHeaders { - test.AssertEquals(t, headers.Get(h), v) - } - test.AssertUnmarshaledEquals(t, body, tc.ExpectedBody) - }) - } -} - -func TestChallengeHandlerWithAccount(t *testing.T) { - wfe, _, signer := setupWFE(t) - - post := func(path string) *http.Request { - signedURL := fmt.Sprintf("http://localhost/%s", path) - _, _, jwsBody := signer.byKeyID(1, nil, signedURL, `{}`) - return makePostRequestWithPath(path, jwsBody) - } - postAsGet := func(keyID int64, path, body string) *http.Request { - _, _, jwsBody := signer.byKeyID(keyID, nil, fmt.Sprintf("http://localhost/%s", path), body) - return makePostRequestWithPath(path, jwsBody) - } - testCases := []struct { Name string Request *http.Request 
@@ -1383,28 +1270,6 @@ func TestUpdateChallengeHandlerFinalizedAuthz(t *testing.T) { wfe.ra = &MockRAPerformValidationError{MockRegistrationAuthority{clk: fc}} responseWriter := httptest.NewRecorder() - signedURL := "http://localhost/1/7TyhFQ" - _, _, jwsBody := signer.byKeyID(1, nil, signedURL, `{}`) - request := makePostRequestWithPath("1/7TyhFQ", jwsBody) - wfe.DeprecatedChallengeHandler(ctx, newRequestEvent(), responseWriter, request) - - body := responseWriter.Body.String() - test.AssertUnmarshaledEquals(t, body, `{ - "status": "valid", - "type": "http-01", - "token": "token", - "url": "http://localhost/acme/chall-v3/1/7TyhFQ" - }`) -} - -// TestUpdateChallengeHandlerWithAccountFinalizedAuthz tests that POSTing a challenge associated -// with an already valid authorization just returns the challenge without calling -// the RA. -func TestUpdateChallengeHandlerWithAccountFinalizedAuthz(t *testing.T) { - wfe, fc, signer := setupWFE(t) - wfe.ra = &MockRAPerformValidationError{MockRegistrationAuthority{clk: fc}} - responseWriter := httptest.NewRecorder() - signedURL := "http://localhost/1/1/7TyhFQ" _, _, jwsBody := signer.byKeyID(1, nil, signedURL, `{}`) request := makePostRequestWithPath("1/1/7TyhFQ", jwsBody) 
@@ -1427,31 +1292,6 @@ func TestUpdateChallengeHandlerRAError(t *testing.T) { // Mock the RA to always fail PerformValidation wfe.ra = &MockRAPerformValidationError{MockRegistrationAuthority{clk: fc}} - // Update a pending challenge - signedURL := "http://localhost/2/7TyhFQ" - _, _, jwsBody := signer.byKeyID(1, nil, signedURL, `{}`) - responseWriter := httptest.NewRecorder() - request := makePostRequestWithPath("2/7TyhFQ", jwsBody) - - wfe.DeprecatedChallengeHandler(ctx, newRequestEvent(), responseWriter, request) - - // The result should be an internal server error problem. - body := responseWriter.Body.String() - test.AssertUnmarshaledEquals(t, body, `{ - "type": "urn:ietf:params:acme:error:serverInternal", - "detail": "Unable to update challenge", - "status": 500 - }`) -} - -// TestUpdateChallengeHandlerWithAccountRAError tests that when the RA returns an error from -// PerformValidation that the WFE returns an internal server error as expected -// and does not panic or otherwise bug out. -func TestUpdateChallengeHandlerWithAccountRAError(t *testing.T) { - wfe, fc, signer := setupWFE(t) - // Mock the RA to always fail PerformValidation - wfe.ra = &MockRAPerformValidationError{MockRegistrationAuthority{clk: fc}} - // Update a pending challenge signedURL := "http://localhost/1/2/7TyhFQ" _, _, jwsBody := signer.byKeyID(1, nil, signedURL, `{}`) 
@@ -1807,56 +1647,6 @@ func TestNewAccountNoID(t *testing.T) { func TestGetAuthorizationHandler(t *testing.T) { wfe, _, signer := setupWFE(t) - // Expired authorizations should be inaccessible - authzURL := "3" - responseWriter := httptest.NewRecorder() - wfe.DeprecatedAuthorizationHandler(ctx, newRequestEvent(), responseWriter, &http.Request{ - Method: "GET", - URL: mustParseURL(authzURL), - }) - test.AssertEquals(t, responseWriter.Code, http.StatusNotFound) - test.AssertUnmarshaledEquals(t, responseWriter.Body.String(), - `{"type":"`+probs.ErrorNS+`malformed","detail":"Expired authorization","status":404}`) - responseWriter.Body.Reset() - - // Ensure that a valid authorization can't be reached with an invalid URL - wfe.DeprecatedAuthorizationHandler(ctx, newRequestEvent(), responseWriter, &http.Request{ - URL: mustParseURL("1d"), - Method: "GET", - }) - test.AssertUnmarshaledEquals(t, responseWriter.Body.String(), - `{"type":"`+probs.ErrorNS+`malformed","detail":"Invalid authorization ID","status":400}`) - - _, _, jwsBody := signer.byKeyID(1, nil, "http://localhost/1", "") - postAsGet := makePostRequestWithPath("1", jwsBody) - - responseWriter = httptest.NewRecorder() - // Ensure that a POST-as-GET to an authorization works - wfe.DeprecatedAuthorizationHandler(ctx, newRequestEvent(), responseWriter, postAsGet) - test.AssertEquals(t, responseWriter.Code, http.StatusOK) - body := responseWriter.Body.String() - test.AssertUnmarshaledEquals(t, body, ` - { - "identifier": { - "type": "dns", - "value": "not-an-example.com" - }, - "status": "valid", - "expires": "2070-01-01T00:00:00Z", - "challenges": [ - { - "status": "valid", - "type": "http-01", - "token":"token", - "url": "http://localhost/acme/chall-v3/1/7TyhFQ" - } - ] - }`) -} - -func TestGetAuthorizationHandlerWithAccount(t *testing.T) { - wfe, _, signer := setupWFE(t) - // Expired authorizations should be inaccessible authzURL := "1/3" responseWriter := httptest.NewRecorder() 
@@ -1909,24 +1699,6 @@ func TestGetAuthorizationHandlerWithAccount(t *testing.T) { func TestAuthorizationHandler500(t *testing.T) { wfe, _, _ := setupWFE(t) - responseWriter := httptest.NewRecorder() - wfe.DeprecatedAuthorizationHandler(ctx, newRequestEvent(), responseWriter, &http.Request{ - Method: "GET", - URL: mustParseURL("4"), - }) - expected := `{ - "type": "urn:ietf:params:acme:error:serverInternal", - "detail": "Problem getting authorization", - "status": 500 - }` - test.AssertUnmarshaledEquals(t, responseWriter.Body.String(), expected) -} - -// TestAuthorizationHandlerWithAccount500 tests that internal errors on GetAuthorization result in -// a 500. -func TestAuthorizationHandlerWithAccount500(t *testing.T) { - wfe, _, _ := setupWFE(t) - responseWriter := httptest.NewRecorder() wfe.AuthorizationHandler(ctx, newRequestEvent(), responseWriter, &http.Request{ Method: "GET", 
@@ -1977,30 +1749,9 @@ func TestAuthorizationChallengeHandlerNamespace(t *testing.T) { wfe.ra = &RAWithFailedChallenge{clk: clk} responseWriter := httptest.NewRecorder() - wfe.DeprecatedAuthorizationHandler(ctx, newRequestEvent(), responseWriter, &http.Request{ - Method: "GET", - URL: mustParseURL("6"), - }) - - var authz core.Authorization - err := json.Unmarshal(responseWriter.Body.Bytes(), &authz) - test.AssertNotError(t, err, "Couldn't unmarshal returned authorization object") - test.AssertEquals(t, len(authz.Challenges), 1) - // The Challenge Error Type should have had the probs.ErrorNS prefix added - test.AssertEquals(t, string(authz.Challenges[0].Error.Type), probs.ErrorNS+"things:are:whack") - responseWriter.Body.Reset() -} - -// TestAuthorizationChallengeHandlerWithAccountNamespace tests that the runtime prefixing of -// Challenge Problem Types works as expected -func TestAuthorizationChallengeHandlerWithAccountNamespace(t *testing.T) { - wfe, clk, _ := setupWFE(t) - wfe.ra = &RAWithFailedChallenge{clk: clk} - - responseWriter := httptest.NewRecorder() - wfe.DeprecatedAuthorizationHandler(ctx, newRequestEvent(), responseWriter, &http.Request{ + wfe.AuthorizationHandler(ctx, newRequestEvent(), responseWriter, &http.Request{ Method: "GET", - URL: mustParseURL("6"), + URL: mustParseURL("1/6"), }) var authz core.Authorization 
@@ -2652,20 +2403,20 @@ func TestDeactivateAuthorizationHandler(t *testing.T) { responseWriter.Body.Reset() payload := `{"status":""}` - _, _, body := signer.byKeyID(1, nil, "http://localhost/1", payload) - request := makePostRequestWithPath("1", body) + _, _, body := signer.byKeyID(1, nil, "http://localhost/1/1", payload) + request := makePostRequestWithPath("1/1", body) - wfe.DeprecatedAuthorizationHandler(ctx, newRequestEvent(), responseWriter, request) + wfe.AuthorizationHandler(ctx, newRequestEvent(), responseWriter, request) test.AssertUnmarshaledEquals(t, responseWriter.Body.String(), `{"type": "`+probs.ErrorNS+`malformed","detail": "Invalid status value","status": 400}`) responseWriter.Body.Reset() payload = `{"status":"deactivated"}` - _, _, body = signer.byKeyID(1, nil, "http://localhost/1", payload) - request = makePostRequestWithPath("1", body) + _, _, body = signer.byKeyID(1, nil, "http://localhost/1/1", payload) + request = makePostRequestWithPath("1/1", body) - wfe.DeprecatedAuthorizationHandler(ctx, newRequestEvent(), responseWriter, request) + wfe.AuthorizationHandler(ctx, newRequestEvent(), responseWriter, request) test.AssertUnmarshaledEquals(t, responseWriter.Body.String(), `{ 
@@ -2680,48 +2431,7 @@ func TestDeactivateAuthorizationHandler(t *testing.T) { "status": "valid", "type": "http-01", "token": "token", - "url": "http://localhost/acme/chall-v3/1/7TyhFQ" - } - ] - }`) -} - -func TestDeactivateAuthorizationHandlerWithAccount(t *testing.T) { - wfe, _, signer := setupWFE(t) - responseWriter := httptest.NewRecorder() - - responseWriter.Body.Reset() - - payload := `{"status":""}` - _, _, body := signer.byKeyID(1, nil, "http://localhost/1", payload) - request := makePostRequestWithPath("1", body) - - wfe.DeprecatedAuthorizationHandler(ctx, newRequestEvent(), responseWriter, request) - test.AssertUnmarshaledEquals(t, - responseWriter.Body.String(), - `{"type": "`+probs.ErrorNS+`malformed","detail": "Invalid status value","status": 400}`) - - responseWriter.Body.Reset() - payload = `{"status":"deactivated"}` - _, _, body = signer.byKeyID(1, nil, "http://localhost/1", payload) - request = makePostRequestWithPath("1", body) - - wfe.DeprecatedAuthorizationHandler(ctx, newRequestEvent(), responseWriter, request) - test.AssertUnmarshaledEquals(t, - responseWriter.Body.String(), - `{ - "identifier": { - "type": "dns", - "value": "not-an-example.com" - }, - "status": "deactivated", - "expires": "2070-01-01T00:00:00Z", - "challenges": [ - { - "status": "valid", - "type": "http-01", - "token": "token", - "url": "http://localhost/acme/chall-v3/1/7TyhFQ" + "url": "http://localhost/acme/chall/1/1/7TyhFQ" } ] }`) 
@@ -3681,33 +3391,7 @@ func TestPrepAuthzForDisplay(t *testing.T) { } // This modifies the authz in-place. - wfe.prepAuthorizationForDisplay(deprecatedAuthzPath, &http.Request{Host: "localhost"}, authz) - - // Ensure ID and RegID are omitted. - authzJSON, err := json.Marshal(authz) - test.AssertNotError(t, err, "Failed to marshal authz") - test.AssertNotContains(t, string(authzJSON), "\"id\":\"12345\"") - test.AssertNotContains(t, string(authzJSON), "\"registrationID\":\"1\"") -} - -func TestPrepAuthzWithAccountForDisplay(t *testing.T) { - t.Parallel() - wfe, _, _ := setupWFE(t) - - authz := &core.Authorization{ - ID: "12345", - Status: core.StatusPending, - RegistrationID: 1, - Identifier: identifier.NewDNS("example.com"), - Challenges: []core.Challenge{ - {Type: core.ChallengeTypeDNS01, Status: core.StatusPending, Token: "token"}, - {Type: core.ChallengeTypeHTTP01, Status: core.StatusPending, Token: "token"}, - {Type: core.ChallengeTypeTLSALPN01, Status: core.StatusPending, Token: "token"}, - }, - } - - // This modifies the authz in-place. - wfe.prepAuthorizationForDisplay(authzPathWithAcct, &http.Request{Host: "localhost"}, authz) + wfe.prepAuthorizationForDisplay(&http.Request{Host: "localhost"}, authz) // Ensure ID and RegID are omitted. authzJSON, err := json.Marshal(authz) 
@@ -3733,32 +3417,7 @@ func TestPrepRevokedAuthzForDisplay(t *testing.T) { } // This modifies the authz in-place. - wfe.prepAuthorizationForDisplay(deprecatedAuthzPath, &http.Request{Host: "localhost"}, authz) - - // All of the challenges should be revoked as well. - for _, chall := range authz.Challenges { - test.AssertEquals(t, chall.Status, core.StatusInvalid) - } -} - -func TestPrepRevokedAuthzWithAccountForDisplay(t *testing.T) { - t.Parallel() - wfe, _, _ := setupWFE(t) - - authz := &core.Authorization{ - ID: "12345", - Status: core.StatusInvalid, - RegistrationID: 1, - Identifier: identifier.NewDNS("example.com"), - Challenges: []core.Challenge{ - {Type: core.ChallengeTypeDNS01, Status: core.StatusPending, Token: "token"}, - {Type: core.ChallengeTypeHTTP01, Status: core.StatusPending, Token: "token"}, - {Type: core.ChallengeTypeTLSALPN01, Status: core.StatusPending, Token: "token"}, - }, - } - - // This modifies the authz in-place. - wfe.prepAuthorizationForDisplay(authzPathWithAcct, &http.Request{Host: "localhost"}, authz) + wfe.prepAuthorizationForDisplay(&http.Request{Host: "localhost"}, authz) // All of the challenges should be revoked as well. for _, chall := range authz.Challenges { 
@@ -3781,30 +3440,7 @@ func TestPrepWildcardAuthzForDisplay(t *testing.T) { } // This modifies the authz in-place. - wfe.prepAuthorizationForDisplay(deprecatedAuthzPath, &http.Request{Host: "localhost"}, authz) - - // The identifier should not start with a star, but the authz should be marked - // as a wildcard. - test.AssertEquals(t, strings.HasPrefix(authz.Identifier.Value, "*."), false) - test.AssertEquals(t, authz.Wildcard, true) -} - -func TestPrepWildcardAuthzWithAcountForDisplay(t *testing.T) { - t.Parallel() - wfe, _, _ := setupWFE(t) - - authz := &core.Authorization{ - ID: "12345", - Status: core.StatusPending, - RegistrationID: 1, - Identifier: identifier.NewDNS("*.example.com"), - Challenges: []core.Challenge{ - {Type: core.ChallengeTypeDNS01, Status: core.StatusPending, Token: "token"}, - }, - } - - // This modifies the authz in-place. - wfe.prepAuthorizationForDisplay(authzPathWithAcct, &http.Request{Host: "localhost"}, authz) + wfe.prepAuthorizationForDisplay(&http.Request{Host: "localhost"}, authz) // The identifier should not start with a star, but the authz should be marked // as a wildcard. @@ -3840,7 +3476,7 @@ func TestPrepAuthzForDisplayShuffle(t *testing.T) { // Prep the authz 100 times, and count where each challenge ended up each time. for range 100 { // This modifies the authz in place - wfe.prepAuthorizationForDisplay(deprecatedChallengePath, &http.Request{Host: "localhost"}, authz) + wfe.prepAuthorizationForDisplay(&http.Request{Host: "localhost"}, authz) for i, chall := range authz.Challenges { counts[chall.Type][i] += 1 } @@ -3937,12 +3573,12 @@ func TestGETAPIAuthorizationHandler(t *testing.T) { }{ { name: "fresh authz", - path: "1", + path: "1/1", expectTooFreshErr: true, }, { name: "old authz", - path: "2", + path: "1/2", expectTooFreshErr: false, }, } 
@@ -3951,7 +3587,7 @@ func TestGETAPIAuthorizationHandler(t *testing.T) { for _, tc := range testCases { responseWriter := httptest.NewRecorder() req, logEvent := makeGet(tc.path, getAuthzPath) - wfe.DeprecatedAuthorizationHandler(context.Background(), logEvent, responseWriter, req) + wfe.AuthorizationHandler(context.Background(), logEvent, responseWriter, req) if responseWriter.Code == http.StatusOK && tc.expectTooFreshErr { t.Errorf("expected too fresh error, got http.StatusOK") @@ -4015,12 +3651,12 @@ func TestGETAPIChallenge(t *testing.T) { }{ { name: "fresh authz challenge", - path: "1/7TyhFQ", + path: "1/1/7TyhFQ", expectTooFreshErr: true, }, { name: "old authz challenge", - path: "2/7TyhFQ", + path: "1/2/7TyhFQ", expectTooFreshErr: false, }, } @@ -4029,7 +3665,7 @@ func TestGETAPIChallenge(t *testing.T) { for _, tc := range testCases { responseWriter := httptest.NewRecorder() req, logEvent := makeGet(tc.path, getAuthzPath) - wfe.DeprecatedChallengeHandler(context.Background(), logEvent, responseWriter, req) + wfe.ChallengeHandler(context.Background(), logEvent, responseWriter, req) if responseWriter.Code == http.StatusOK && tc.expectTooFreshErr { t.Errorf("expected too fresh error, got http.StatusOK") From 179745038956c89688070f449168a2ec5d744ce5 Mon Sep 17 00:00:00 2001 
From: Matthew McPherrin Date: Thu, 19 Dec 2024 12:11:24 -0800 Subject: [PATCH 5/6] Remove boulder invocation via symlinks (#7905) Boulder switched from multiple binaries to one by having symlinks for the old binaries, but we invoke boulder via subcommands now. This drops support for running via symlinks in Boulder, and drops them from the build process. This does explicitly list out the four binaries in the makefile, which I think explicitly listing them is fine given that we rarely add them. This also avoids needing to duplicate mentioning the special ct-test-srv in the deb/tar rules. We could probably just look at what's in `bin/` after `go install ./...`, but I didn't want to get too into makefile changes. We haven't used the symlinked versions of commands for a while, and can drop them from builds. This also drops the .rpm builds, which we also haven't used in a long time. --- Makefile | 26 +++++++------------------ cmd/boulder/main.go | 46 +++++++++++++++++++------------------------- link.sh | 8 -------- tools/make-assets.sh | 6 +++--- 4 files changed, 30 insertions(+), 56 deletions(-) delete mode 100755 link.sh diff --git a/Makefile b/Makefile index dfe15599d65..9522b89a72f 100644 --- a/Makefile +++ b/Makefile @@ -6,9 +6,8 @@ VERSION ?= 1.0.0 EPOCH ?= 1 MAINTAINER ?= "Community" -CMDS = $(shell find ./cmd -maxdepth 1 -mindepth 1 -type d | grep -v testdata) -CMD_BASENAMES = $(shell echo $(CMDS) | xargs -n1 basename) -CMD_BINS = $(addprefix bin/, $(CMD_BASENAMES) ) +CMDS = admin boulder ceremony ct-test-srv +CMD_BINS = $(addprefix bin/, $(CMDS) ) OBJECTS = $(CMD_BINS) # Build environment variables (referencing core/util.go) @@ -25,7 +24,7 @@ BUILD_TIME_VAR = github.com/letsencrypt/boulder/core.BuildTime GO_BUILD_FLAGS = -ldflags "-X \"$(BUILD_ID_VAR)=$(BUILD_ID)\" -X \"$(BUILD_TIME_VAR)=$(BUILD_TIME)\" -X \"$(BUILD_HOST_VAR)=$(BUILD_HOST)\"" -.PHONY: all build build_cmds rpm deb tar +.PHONY: all build build_cmds deb tar all: build build: $(OBJECTS) 
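Review bot: The new `CMDS = admin boulder ceremony ct-test-srv` line folds `ct-test-srv` into `$(OBJECTS)` without a comment, whereas the old deb and tar rules named `bin/ct-test-srv` explicitly. Judging by its name it is a test helper, so someone auditing what ships in the package would benefit from a comment above `CMDS`, for example `# ct-test-srv is a test-only binary; it is listed here so the deb and tar packages keep including it.` It may also be worth confirming that the production package should carry it at all. Because the list is now static, a new directory under `cmd/` is not packaged unless it is added here.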
@@ -38,24 +37,13 @@ $(CMD_BINS): build_cmds build_cmds: | $(OBJDIR) echo $(OBJECTS) GOBIN=$(OBJDIR) GO111MODULE=on go install -mod=vendor $(GO_BUILD_FLAGS) ./... - ./link.sh -# Building an RPM requires `fpm` from https://github.com/jordansissel/fpm +# Building a .deb requires `fpm` from https://github.com/jordansissel/fpm # which you can install with `gem install fpm`. # It is recommended that maintainers use environment overrides to specify # Version and Epoch, such as: # -# VERSION=0.1.9 EPOCH=52 MAINTAINER="$(whoami)" ARCHIVEDIR=/tmp make build rpm -rpm: build - fpm -f -s dir -t rpm --rpm-digest sha256 --name "boulder" \ - --license "Mozilla Public License v2.0" --vendor "ISRG" \ - --url "https://github.com/letsencrypt/boulder" --prefix=/opt/boulder \ - --version "$(VERSION)" --iteration "$(COMMIT_ID)" --epoch "$(EPOCH)" \ - --package "$(ARCHIVEDIR)/boulder-$(VERSION)-$(COMMIT_ID).x86_64.rpm" \ - --description "Boulder is an ACME-compatible X.509 Certificate Authority" \ - --maintainer "$(MAINTAINER)" \ - test/config/ sa/db data/ $(OBJECTS) - +# VERSION=0.1.9 EPOCH=52 MAINTAINER="$(whoami)" ARCHIVEDIR=/tmp make build deb deb: build fpm -f -s dir -t deb --name "boulder" \ --license "Mozilla Public License v2.0" --vendor "ISRG" \ @@ -64,10 +52,10 @@ deb: build --package "$(ARCHIVEDIR)/boulder-$(VERSION)-$(COMMIT_ID).x86_64.deb" \ --description "Boulder is an ACME-compatible X.509 Certificate Authority" \ --maintainer "$(MAINTAINER)" \ - test/config/ sa/db data/ $(OBJECTS) bin/ct-test-srv + test/config/ sa/db data/ $(OBJECTS) tar: build fpm -f -s dir -t tar --name "boulder" --prefix=/opt/boulder \ --package "$(ARCHIVEDIR)/boulder-$(VERSION)-$(COMMIT_ID).amd64.tar" \ - test/config/ sa/db data/ $(OBJECTS) bin/ct-test-srv + test/config/ sa/db data/ $(OBJECTS) gzip -f "$(ARCHIVEDIR)/boulder-$(VERSION)-$(COMMIT_ID).amd64.tar" diff --git a/cmd/boulder/main.go b/cmd/boulder/main.go index 51385616001..eb0ded802c9 100644 --- a/cmd/boulder/main.go +++ b/cmd/boulder/main.go 
@@ -85,37 +85,31 @@ var boulderUsage = fmt.Sprintf(`Usage: %s [flags] func main() { defer cmd.AuditPanic() - var command string - if core.Command() == "boulder" { - // Operator passed the boulder component as a subcommand. - if len(os.Args) <= 1 { - // No arguments passed. - fmt.Fprint(os.Stderr, boulderUsage) - return - } - if os.Args[1] == "--help" || os.Args[1] == "-help" { - // Help flag passed. - fmt.Fprint(os.Stderr, boulderUsage) - return - } + if len(os.Args) <= 1 { + // No arguments passed. + fmt.Fprint(os.Stderr, boulderUsage) + return + } - if os.Args[1] == "--list" || os.Args[1] == "-list" { - // List flag passed. - for _, c := range cmd.AvailableCommands() { - fmt.Println(c) - } - return - } - command = os.Args[1] + if os.Args[1] == "--help" || os.Args[1] == "-help" { + // Help flag passed. + fmt.Fprint(os.Stderr, boulderUsage) + return + } - // Remove the subcommand from the arguments. - os.Args = os.Args[1:] - } else { - // Operator ran a boulder component using a symlink. - command = core.Command() + if os.Args[1] == "--list" || os.Args[1] == "-list" { + // List flag passed. + for _, c := range cmd.AvailableCommands() { + fmt.Println(c) + } + return } + // Remove the subcommand from the arguments. + command := os.Args[1] + os.Args = os.Args[1:] + config := getConfigPath() if config != "" { // Config flag passed. diff --git a/link.sh b/link.sh deleted file mode 100755 index 77344d224cf..00000000000 --- a/link.sh +++ /dev/null @@ -1,8 +0,0 @@ -#!/usr/bin/env bash -# -# Symlink the various boulder subcommands into place. -# -BINDIR="$PWD/bin" -for n in `"${BINDIR}/boulder" --list` ; do - ln -sf boulder "${BINDIR}/$n" -done diff --git a/tools/make-assets.sh b/tools/make-assets.sh index 812f56a3d1d..0826c37a07d 100755 --- a/tools/make-assets.sh +++ b/tools/make-assets.sh 
@@ -24,7 +24,7 @@ $(dirname -- "${0}")/fetch-and-verify-go.sh "${GO_VERSION}" sudo tar -C /usr/local -xzf go.tar.gz export PATH=/usr/local/go/bin:$PATH -# Install fpm, this is used in our Makefile to package Boulder as a deb or rpm. +# Install fpm, this is used in our Makefile to package Boulder as a deb. sudo gem install --no-document -v 1.14.0 fpm # @@ -38,5 +38,5 @@ export ARCHIVEDIR="${PWD}" # Set $VERSION to be a simulacrum of what is set in other build environments. export VERSION="${GO_VERSION}.$(date +%s)" -# Build Boulder and produce an RPM, a .deb, and a tar.gz file in $PWD. -make rpm deb tar +# Build Boulder and produce a .deb and a tar.gz file in $PWD. +make deb tar From 6402a2275fe9cad3441d2d3bca8e1c5cb5d035ea Mon Sep 17 00:00:00 2001 From: Samantha Frank Date: Fri, 20 Dec 2024 08:44:08 -0500 Subject: [PATCH 6/6] ratelimits: Remove a metric and some labels that we're not finding useful (#7902) --- ratelimits/limit.go | 21 ++++++++------------- ratelimits/limiter.go | 21 ++++----------------- ratelimits/limiter_test.go | 13 ------------- ratelimits/source_redis.go | 16 ---------------- ratelimits/transaction.go | 4 ++-- ratelimits/transaction_test.go | 24 ++++++++++++------------ 6 files changed, 26 insertions(+), 73 deletions(-) diff --git a/ratelimits/limit.go b/ratelimits/limit.go index 16dc65ac962..72fc3a1a555 100644 --- a/ratelimits/limit.go +++ b/ratelimits/limit.go @@ -69,13 +69,8 @@ type limit struct { // precomputed to avoid doing the same calculation on every request. burstOffset int64 - // overrideKey is the key used to look up this limit in the overrides map. - overrideKey string -} - -// isOverride returns true if the limit is an override. -func (l *limit) isOverride() bool { - return l.overrideKey != "" + // isOverride is true if the limit is an override. + isOverride bool } // precompute calculates the emissionInterval and burstOffset for the limit. 
@@ -178,11 +173,13 @@ func parseOverrideLimits(newOverridesYAML overridesYAML) (limits, error) { } lim := &limit{ - burst: v.Burst, - count: v.Count, - period: v.Period, - name: name, + burst: v.Burst, + count: v.Count, + period: v.Period, + name: name, + isOverride: true, } + lim.precompute() err := validateLimit(lim) if err != nil { @@ -196,14 +193,12 @@ func parseOverrideLimits(newOverridesYAML overridesYAML) (limits, error) { return nil, fmt.Errorf( "validating name %s and id %q for override limit %q: %w", name, id, k, err) } - lim.overrideKey = joinWithColon(name.EnumString(), id) if name == CertificatesPerFQDNSet { // FQDNSet hashes are not a nice thing to ask for in a // config file, so we allow the user to specify a // comma-separated list of FQDNs and compute the hash here. id = fmt.Sprintf("%x", core.HashNames(strings.Split(id, ","))) } - lim.precompute() parsed[joinWithColon(name.EnumString(), id)] = lim } } diff --git a/ratelimits/limiter.go b/ratelimits/limiter.go index ef119d1819a..f886cdc482a 100644 --- a/ratelimits/limiter.go +++ b/ratelimits/limiter.go @@ -37,8 +37,7 @@ type Limiter struct { source Source clk clock.Clock - spendLatency *prometheus.HistogramVec - overrideUsageGauge *prometheus.GaugeVec + spendLatency *prometheus.HistogramVec } // NewLimiter returns a new *Limiter. The provided source must be safe for @@ -52,17 +51,10 @@ func NewLimiter(clk clock.Clock, source Source, stats prometheus.Registerer) (*L }, []string{"limit", "decision"}) stats.MustRegister(spendLatency) - overrideUsageGauge := prometheus.NewGaugeVec(prometheus.GaugeOpts{ - Name: "ratelimits_override_usage", - Help: "Proportion of override limit used, by limit name and bucket key.", - }, []string{"limit", "bucket_key"}) - stats.MustRegister(overrideUsageGauge) - return &Limiter{ - source: source, - clk: clk, - spendLatency: spendLatency, - overrideUsageGauge: overrideUsageGauge, + source: source, + clk: clk, + spendLatency: spendLatency, }, nil } 
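Review bot: In `parseOverrideLimits`, `lim.precompute()` now runs before `validateLimit(lim)`, so the derived fields are computed from override values that have not been checked yet. If `precompute` divides by `count` (its body is outside this hunk), an override entry with a zero count would panic while the overrides file is being loaded instead of being rejected with the validation error. Keeping the earlier order avoids that: call `err := validateLimit(lim)` first and place `lim.precompute()` directly after its `if err != nil` return. The function's body starts and ends outside the hunk.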
@@ -284,11 +276,6 @@ func (l *Limiter) BatchSpend(ctx context.Context, txns []Transaction) (*Decision storedTAT, bucketExists := tats[txn.bucketKey] d := maybeSpend(l.clk, txn, storedTAT) - if txn.limit.isOverride() { - utilization := float64(txn.limit.burst-d.remaining) / float64(txn.limit.burst) - l.overrideUsageGauge.WithLabelValues(txn.limit.name.String(), txn.limit.overrideKey).Set(utilization) - } - if d.allowed && (storedTAT != d.newTAT) && txn.spend { if !bucketExists { newBuckets[txn.bucketKey] = d.newTAT diff --git a/ratelimits/limiter_test.go b/ratelimits/limiter_test.go index 902f4c13435..5ccb7dfa0a9 100644 --- a/ratelimits/limiter_test.go +++ b/ratelimits/limiter_test.go @@ -8,7 +8,6 @@ import ( "time" "github.com/jmhodges/clock" - "github.com/prometheus/client_golang/prometheus" "github.com/letsencrypt/boulder/config" berrors "github.com/letsencrypt/boulder/errors" @@ -60,12 +59,6 @@ func TestLimiter_CheckWithLimitOverrides(t *testing.T) { testCtx, limiters, txnBuilder, clk, testIP := setup(t) for name, l := range limiters { t.Run(name, func(t *testing.T) { - // Verify our overrideUsageGauge is being set correctly. 0.0 == 0% - // of the bucket has been consumed. - test.AssertMetricWithLabelsEquals(t, l.overrideUsageGauge, prometheus.Labels{ - "limit": NewRegistrationsPerIPAddress.String(), - "bucket_key": joinWithColon(NewRegistrationsPerIPAddress.EnumString(), tenZeroZeroTwo)}, 0) - overriddenBucketKey, err := newIPAddressBucketKey(NewRegistrationsPerIPAddress, net.ParseIP(tenZeroZeroTwo)) test.AssertNotError(t, err, "should not error") overriddenLimit, err := txnBuilder.getLimit(NewRegistrationsPerIPAddress, overriddenBucketKey) 
@@ -87,12 +80,6 @@ func TestLimiter_CheckWithLimitOverrides(t *testing.T) { test.AssertEquals(t, d.remaining, int64(0)) test.AssertEquals(t, d.resetIn, time.Second) - // Verify our overrideUsageGauge is being set correctly. 1.0 == 100% - // of the bucket has been consumed. - test.AssertMetricWithLabelsEquals(t, l.overrideUsageGauge, prometheus.Labels{ - "limit_name": NewRegistrationsPerIPAddress.String(), - "bucket_key": joinWithColon(NewRegistrationsPerIPAddress.EnumString(), tenZeroZeroTwo)}, 1.0) - // Verify our RetryIn is correct. 1 second == 1000 milliseconds and // 1000/40 = 25 milliseconds per request. test.AssertEquals(t, d.retryIn, time.Millisecond*25) diff --git a/ratelimits/source_redis.go b/ratelimits/source_redis.go index 4d32f7c2a6d..ff32931efc2 100644 --- a/ratelimits/source_redis.go +++ b/ratelimits/source_redis.go @@ -99,10 +99,6 @@ func (r *RedisSource) BatchSet(ctx context.Context, buckets map[string]time.Time } totalLatency := r.clk.Since(start) - perSetLatency := totalLatency / time.Duration(len(buckets)) - for range buckets { - r.observeLatency("batchset_entry", perSetLatency, nil) - } r.observeLatency("batchset", totalLatency, nil) return nil @@ -128,17 +124,14 @@ func (r *RedisSource) BatchSetNotExisting(ctx context.Context, buckets map[strin alreadyExists := make(map[string]bool, len(buckets)) totalLatency := r.clk.Since(start) - perSetLatency := totalLatency / time.Duration(len(buckets)) for bucketKey, cmd := range cmds { success, err := cmd.Result() if err != nil { - r.observeLatency("batchsetnotexisting_entry", perSetLatency, err) return nil, err } if !success { alreadyExists[bucketKey] = true } - r.observeLatency("batchsetnotexisting_entry", perSetLatency, nil) } r.observeLatency("batchsetnotexisting", totalLatency, nil) 
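Review bot: In the BatchSetNotExisting hunk, the `cmd.Result()` error branch now returns without recording anything. The removed `batchsetnotexisting_entry` observation was the only metric call on that path, and the remaining `r.observeLatency("batchsetnotexisting", totalLatency, nil)` is reached only when every command succeeds. Per-command Redis failures in this method would therefore no longer appear in whatever observeLatency records for a non-nil error, unlike BatchGet, which still calls `r.observeLatency("batchget", r.clk.Since(start), err)` before returning. I would add `r.observeLatency("batchsetnotexisting", totalLatency, err)` ahead of `return nil, err`. The function starts before the hunk, so an earlier check may already cover pipeline-level failures.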
@@ -163,11 +156,6 @@ func (r *RedisSource) BatchIncrement(ctx context.Context, buckets map[string]inc } totalLatency := r.clk.Since(start) - perSetLatency := totalLatency / time.Duration(len(buckets)) - for range buckets { - r.observeLatency("batchincrby_entry", perSetLatency, nil) - } - r.observeLatency("batchincrby", totalLatency, nil) return nil } @@ -211,7 +199,6 @@ func (r *RedisSource) BatchGet(ctx context.Context, bucketKeys []string) (map[st } totalLatency := r.clk.Since(start) - perEntryLatency := totalLatency / time.Duration(len(bucketKeys)) tats := make(map[string]time.Time, len(bucketKeys)) notFoundCount := 0 @@ -224,13 +211,10 @@ func (r *RedisSource) BatchGet(ctx context.Context, bucketKeys []string) (map[st r.observeLatency("batchget", r.clk.Since(start), err) return nil, err } - // Bucket key does not exist. - r.observeLatency("batchget_entry", perEntryLatency, err) notFoundCount++ continue } tats[bucketKeys[i]] = time.Unix(0, tatNano).UTC() - r.observeLatency("batchget_entry", perEntryLatency, nil) } var batchErr error diff --git a/ratelimits/transaction.go b/ratelimits/transaction.go index b5fd1653269..fa4b5e88715 100644 --- a/ratelimits/transaction.go +++ b/ratelimits/transaction.go @@ -403,7 +403,7 @@ func (builder *TransactionBuilder) certificatesPerDomainCheckOnlyTransactions(re return nil, err } if accountOverride { - if !perAccountLimit.isOverride() { + if !perAccountLimit.isOverride { return nil, fmt.Errorf("shouldn't happen: CertificatesPerDomainPerAccount limit is not an override") } perAccountPerDomainKey, err := NewRegIdDomainBucketKey(CertificatesPerDomainPerAccount, regId, name) 
@@ -481,7 +481,7 @@ func (builder *TransactionBuilder) CertificatesPerDomainSpendOnlyTransactions(re return nil, err } if accountOverride { - if !perAccountLimit.isOverride() { + if !perAccountLimit.isOverride { return nil, fmt.Errorf("shouldn't happen: CertificatesPerDomainPerAccount limit is not an override") } perAccountPerDomainKey, err := NewRegIdDomainBucketKey(CertificatesPerDomainPerAccount, regId, name) diff --git a/ratelimits/transaction_test.go b/ratelimits/transaction_test.go index 8cf0b798a1e..b4a25e837f0 100644 --- a/ratelimits/transaction_test.go +++ b/ratelimits/transaction_test.go @@ -79,14 +79,14 @@ func TestFailedAuthorizationsPerDomainPerAccountTransactions(t *testing.T) { test.AssertEquals(t, len(txns), 1) test.AssertEquals(t, txns[0].bucketKey, "4:123456789:so.many.labels.here.example.com") test.Assert(t, txns[0].checkOnly(), "should be check-only") - test.Assert(t, !txns[0].limit.isOverride(), "should not be an override") + test.Assert(t, !txns[0].limit.isOverride, "should not be an override") // A spend-only transaction for the default per-account limit. txn, err := tb.FailedAuthorizationsPerDomainPerAccountSpendOnlyTransaction(123456789, "so.many.labels.here.example.com") test.AssertNotError(t, err, "creating transaction") test.AssertEquals(t, txn.bucketKey, "4:123456789:so.many.labels.here.example.com") test.Assert(t, txn.spendOnly(), "should be spend-only") - test.Assert(t, !txn.limit.isOverride(), "should not be an override") + test.Assert(t, !txn.limit.isOverride, "should not be an override") // A check-only transaction for the per-account limit override. txns, err = tb.FailedAuthorizationsPerDomainPerAccountCheckOnlyTransactions(13371338, []string{"so.many.labels.here.example.com"}) 
@@ -94,14 +94,14 @@ func TestFailedAuthorizationsPerDomainPerAccountTransactions(t *testing.T) { test.AssertEquals(t, len(txns), 1) test.AssertEquals(t, txns[0].bucketKey, "4:13371338:so.many.labels.here.example.com") test.Assert(t, txns[0].checkOnly(), "should be check-only") - test.Assert(t, txns[0].limit.isOverride(), "should be an override") + test.Assert(t, txns[0].limit.isOverride, "should be an override") // A spend-only transaction for the per-account limit override. txn, err = tb.FailedAuthorizationsPerDomainPerAccountSpendOnlyTransaction(13371338, "so.many.labels.here.example.com") test.AssertNotError(t, err, "creating transaction") test.AssertEquals(t, txn.bucketKey, "4:13371338:so.many.labels.here.example.com") test.Assert(t, txn.spendOnly(), "should be spend-only") - test.Assert(t, txn.limit.isOverride(), "should be an override") + test.Assert(t, txn.limit.isOverride, "should be an override") } func TestFailedAuthorizationsForPausingPerDomainPerAccountTransactions(t *testing.T) { @@ -115,7 +115,7 @@ func TestFailedAuthorizationsForPausingPerDomainPerAccountTransactions(t *testin test.AssertNotError(t, err, "creating transaction") test.AssertEquals(t, txn.bucketKey, "8:13371338:so.many.labels.here.example.com") test.Assert(t, txn.check && txn.spend, "should be check and spend") - test.Assert(t, txn.limit.isOverride(), "should be an override") + test.Assert(t, txn.limit.isOverride, "should be an override") } func TestCertificatesPerDomainTransactions(t *testing.T) { 
@@ -153,7 +153,7 @@ func TestCertificatesPerDomainPerAccountTransactions(t *testing.T) { test.AssertEquals(t, len(txns), 1) test.AssertEquals(t, txns[0].bucketKey, "6:13371338:example.com") test.Assert(t, txns[0].checkOnly(), "should be check-only") - test.Assert(t, txns[0].limit.isOverride(), "should be an override") + test.Assert(t, txns[0].limit.isOverride, "should be an override") // Same as above, but with multiple example.com domains. txns, err = tb.certificatesPerDomainCheckOnlyTransactions(13371338, []string{"so.many.labels.here.example.com", "z.example.com"}) @@ -161,7 +161,7 @@ func TestCertificatesPerDomainPerAccountTransactions(t *testing.T) { test.AssertEquals(t, len(txns), 1) test.AssertEquals(t, txns[0].bucketKey, "6:13371338:example.com") test.Assert(t, txns[0].checkOnly(), "should be check-only") - test.Assert(t, txns[0].limit.isOverride(), "should be an override") + test.Assert(t, txns[0].limit.isOverride, "should be an override") // Same as above, but with different domains. txns, err = tb.certificatesPerDomainCheckOnlyTransactions(13371338, []string{"so.many.labels.here.example.com", "z.example.net"}) @@ -170,10 +170,10 @@ func TestCertificatesPerDomainPerAccountTransactions(t *testing.T) { test.AssertEquals(t, len(txns), 2) test.AssertEquals(t, txns[0].bucketKey, "6:13371338:example.com") test.Assert(t, txns[0].checkOnly(), "should be check-only") - test.Assert(t, txns[0].limit.isOverride(), "should be an override") + test.Assert(t, txns[0].limit.isOverride, "should be an override") test.AssertEquals(t, txns[1].bucketKey, "6:13371338:example.net") test.Assert(t, txns[1].checkOnly(), "should be check-only") - test.Assert(t, txns[1].limit.isOverride(), "should be an override") + test.Assert(t, txns[1].limit.isOverride, "should be an override") // Two spend-only transactions, one for the global limit and one for the // per-account limit override. 
@@ -183,11 +183,11 @@ func TestCertificatesPerDomainPerAccountTransactions(t *testing.T) { txns = sortTransactions(txns) test.AssertEquals(t, txns[0].bucketKey, "5:example.com") test.Assert(t, txns[0].spendOnly(), "should be spend-only") - test.Assert(t, !txns[0].limit.isOverride(), "should not be an override") + test.Assert(t, !txns[0].limit.isOverride, "should not be an override") test.AssertEquals(t, txns[1].bucketKey, "6:13371338:example.com") test.Assert(t, txns[1].spendOnly(), "should be spend-only") - test.Assert(t, txns[1].limit.isOverride(), "should be an override") + test.Assert(t, txns[1].limit.isOverride, "should be an override") } func TestCertificatesPerFQDNSetTransactions(t *testing.T) { @@ -202,7 +202,7 @@ func TestCertificatesPerFQDNSetTransactions(t *testing.T) { namesHash := fmt.Sprintf("%x", core.HashNames([]string{"example.com", "example.net", "example.org"})) test.AssertEquals(t, txn.bucketKey, "7:"+namesHash) test.Assert(t, txn.checkOnly(), "should be check-only") - test.Assert(t, !txn.limit.isOverride(), "should not be an override") + test.Assert(t, !txn.limit.isOverride, "should not be an override") } func TestNewTransactionBuilder(t *testing.T) {