Skip to content

Add cs sig alg lint#1033

Merged
christopher-henderson merged 4 commits into
zmap:masterfrom
digirenpeter:add-cs-sig-alg
Apr 5, 2026
Merged

Add cs sig alg lint#1033
christopher-henderson merged 4 commits into
zmap:masterfrom
digirenpeter:add-cs-sig-alg

Conversation

@digirenpeter

@digirenpeter digirenpeter commented Apr 2, 2026

Copy link
Copy Markdown
Contributor

Added a lint for code signing allowed signature algorithms as part of filling in the remainder of the code signing requirements

7.1.3.2 Signature AlgorithmIdentifier

All objects signed by a CA Private Key MUST conform to these requirements on the use of the AlgorithmIdentifier or AlgorithmIdentifier-derived type in the context of signatures.

In particular, it applies to all of the following objects and fields:

    The signatureAlgorithm field of a Certificate.
    The signature field of a TBSCertificate.
    The signatureAlgorithm field of a CertificateList
    The signature field of a TBSCertList
    The signatureAlgorithm field of a BasicOCSPResponse
    The digestAlgorithms field of a SignedData corresponding to a Timestamp token

7.1.3.2.1 RSA

The CA SHALL use one of the following signature algorithms:

    RSASSA-PKCS1-v1_5 with SHA-256
    RSASSA-PKCS1-v1_5 with SHA-384
    RSASSA-PKCS1-v1_5 with SHA-512
    RSASSA-PSS with SHA-256
    RSASSA-PSS with SHA-384
    RSASSA-PSS with SHA-512

In addition, the CA MAY use RSASSA-PKCS1-v1_5 with SHA-1 if one of the following conditions are met:

    It is used within Timestamp Authority Certificate and the date of the notBefore field is not greater than 2022-04-30; or,
    It is used within an OCSP response; or,
    It is used within a CRL; or,
    It is used within a Timestamp Token and the date of the genTime field is not greater than 2022-04-30.

7.1.3.2.2 ECDSA

The CA SHALL use one of the following signature algorithms:

    ECDSA with SHA-256
    ECDSA with SHA-384
    ECDSA with SHA-512

7.1.3.2.3 DSA

The CA SHALL use the following signature algorithm:

    DSA with SHA-256

In addition, the CA MAY use DSA with SHA-1 if one of the following conditions are met:

    It is used within Timestamp Authority Certificate and the date of the notBefore field is not greater than 2022-04-30; or,
    It is used within an OCSP response; or,
    It is used within a CRL; or,
    It is used within a Timestamp Token and the date of the genTime field is not greater than 2022-04-30.

I didn't include support for the older timestamp signature algorithms because they're around 4 years old and I feel like it doesn't make sense to add a new lint with support for that old of requirements.

@digirenpeter digirenpeter changed the title Add cs sig alg Add cs sig alg lint Apr 2, 2026
christopher-henderson
christopher-henderson approved these changes Apr 5, 2026
View reviewed changes

@christopher-henderson christopher-henderson left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No notes, this looks great. Thank you!

@christopher-henderson christopher-henderson merged commit 215f568 into zmap:master Apr 5, 2026
4 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@christopher-henderson christopher-henderson christopher-henderson approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@digirenpeter @christopher-henderson