Add lint to check for certain extensions to have at least 1 element according to RFC 5280 (#1028)
Merged
christopher-henderson merged 6 commits (Mar 22, 2026)
Conversation
christopher-henderson
approved these changes
Mar 22, 2026
    SequenceOfSomething := []asn1.RawValue{}
    for extOid := range targetExtensionsMap {
Very easy to read, thank you!
christopher-henderson
approved these changes
Mar 22, 2026
    LintMetadata: lint.LintMetadata{
        Name:        "e_ext_cannot_be_empty_sequence",
        Description: "Extensions whose value is SEQUENCE SIZE (1..MAX) OF must have at least 1 element",
        Citation:    "All of RFC 5280",
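Review bot: the Citation "All of RFC 5280" is too coarse to point a user at the requirement being enforced; since the lint targets a fixed set of extensions (targetExtensionsMap), consider citing the RFC 5280 section that defines each targeted extension's SEQUENCE SIZE (1..MAX) OF syntax, so that a result from e_ext_cannot_be_empty_sequence can be traced back to the ASN.1 definition it relies on.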
This got a chuckle outta me 😆
"Which part?"
"Yes."
Several standard PKIX extensions, defined in RFC 5280, have an ASN.1 syntax that requires their value to be a SEQUENCE OF... (something) with a minimum length of 1. For instance, in the case of the CertificatePolicies extension, the extension value is defined as follows:

    certificatePolicies ::= SEQUENCE SIZE (1..MAX) OF PolicyInformation

...and similarly for several other extensions. This means that, if such an extension is present in the certificate, its value MUST be a sequence that includes at least 1 element. ZLint does not currently perform this check specifically, so I thought it useful to propose this lint to fill the gap. In the test corpus, there are a couple dozen certificates that fail this lint, fortunately quite old. But you never know.
A note on my implementation: in theory, a certificate could contain more than one extension with the aforementioned flaw, so one might consider reporting them all in the error message (details). However, it seems quite unlikely that even a single extension with this flaw would be present in a certificate these days, so it should be acceptable to stop parsing extensions at the first occurrence of the problem.
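As an added example, not the lint code from this PR, the check described above applied to a slice of pkix.Extension values, stopping at the first offending extension as the description proposes. The function name checkNonEmptySequences, the target OID set sequenceSizeOneToMax (a subset of the RFC 5280 extensions with SEQUENCE SIZE (1..MAX) OF syntax, chosen here by assumption) and the DER byte strings are all constructed for this example.

```go
package main

import (
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
)

// Extensions whose value is SEQUENCE SIZE (1..MAX) OF ... in RFC 5280.
// Assumed subset for this example, not the lint's actual target list.
var sequenceSizeOneToMax = map[string]string{
	"2.5.29.17":         "subjectAltName",
	"2.5.29.18":         "issuerAltName",
	"2.5.29.31":         "cRLDistributionPoints",
	"2.5.29.32":         "certificatePolicies",
	"2.5.29.37":         "extKeyUsage",
	"1.3.6.1.5.5.7.1.1": "authorityInfoAccess",
}

// checkNonEmptySequences returns the name of the first targeted extension whose
// value is not a SEQUENCE with at least one element, plus a descriptive error.
// Non-targeted extensions are ignored; ("", nil) means the check passed.
func checkNonEmptySequences(exts []pkix.Extension) (string, error) {
	for _, ext := range exts {
		name, targeted := sequenceSizeOneToMax[ext.Id.String()]
		if !targeted {
			continue
		}
		var elems []asn1.RawValue // element type does not matter, only the count
		rest, err := asn1.Unmarshal(ext.Value, &elems)
		if err != nil {
			return name, fmt.Errorf("%s: value is not a SEQUENCE: %w", name, err)
		}
		if len(rest) != 0 {
			return name, fmt.Errorf("%s: trailing bytes after SEQUENCE", name)
		}
		if len(elems) == 0 {
			return name, fmt.Errorf("%s: SEQUENCE SIZE (1..MAX) OF requires at least 1 element", name)
		}
	}
	return "", nil
}

func main() {
	// Constructed DER: an empty SEQUENCE, and a certificatePolicies value holding
	// one PolicyInformation whose policyIdentifier is anyPolicy (2.5.29.32.0).
	empty := []byte{0x30, 0x00}
	anyPolicy := []byte{0x30, 0x08, 0x30, 0x06, 0x06, 0x04, 0x55, 0x1d, 0x20, 0x00}
	exts := []pkix.Extension{
		{Id: asn1.ObjectIdentifier{2, 5, 29, 32}, Value: anyPolicy},
		{Id: asn1.ObjectIdentifier{2, 5, 29, 17}, Value: empty},
	}
	name, err := checkNonEmptySequences(exts)
	fmt.Println(name, err) // subjectAltName with an error about the empty SEQUENCE
}
```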