Cs add aia lints #1036
```go
lint.RegisterCertificateLint(&lint.CertificateLint{
	LintMetadata: lint.LintMetadata{
		Name:        "e_cs_aia_missing_ca_issuers_http_url",
		Description: "The authorityInformationAccess extension MUST contain the HTTP URL of the Issuing CA's certificate (id-ad-caIssuers).",
```
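Review bot: The `Description:` line states MUST without naming the document that requires it, while the TLS Baseline Requirements (section 7.1.2.3 / the table quoted in this thread) only say SHOULD, which `w_sub_cert_aia_does_not_contain_issuing_ca_url` already reports as a warning. Make sure this lint's metadata cites the Code Signing Baseline Requirements (v3.10.0, section 7.1.2.3c) rather than the TLS BRs, so the `e_` severity and the split from the existing warning lint are traceable for the next reviewer.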
Perhaps I am confused here, but I am seeing SHOULD language from the CABF. Could you help me find MUST language for this?
From what I can find...
CABF 1.2.
It SHOULD also contain the HTTP URL of the Issuing CA’s certificate
(accessMethod = 1.3.6.1.5.5.7.48.2). See Section 13.2.1 for details.
CABF 2.2.6.
| Access Method | OID | Access Location | Presence | Maximum | Description |
|---|---|---|---|---|---|
| id-ad-caIssuers | 1.3.6.1.5.5.7.48.2 | uniformResourceIdentifier | SHOULD | * | A HTTP URL of the Issuing CA’s certificate |
We also have w_sub_cert_aia_does_not_contain_issuing_ca_url which is returning a warning on this SHOULD language.
In the latest Code Signing CABF requirements (v3.10.0, section 7.1.2.3c) it is a MUST for subCA and code signing certs:
authorityInformationAccess
This extension MUST be present. It MUST NOT be marked critical.
It MUST contain the HTTP URL of the Issuing CA’s certificate (accessMethod = 1.3.6.1.5.5.7.48.2). If the CA provides OCSP responses, it MUST contain the HTTP URL of the Issuing CA’s OCSP responder (accessMethod = 1.3.6.1.5.5.7.48.1).
Ahhh there's the disconnect, I was looking at server certs 😮💨 Yeah I see it now.
Thank you for clearing that up!
Added code signing lints for the following requirements:
The requirement is the same for subscriber and subCA certificates, so these will apply to both.
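The requirement quoted in the thread (Code Signing BRs v3.10.0, section 7.1.2.3c) can be checked directly against a parsed certificate, since Go's `crypto/x509` surfaces the AIA access descriptions as `IssuingCertificateURL` (id-ad-caIssuers) and `OCSPServer` (id-ad-ocsp). The following is an added, self-contained example written for this page; it is not the PR's lint code and does not use zlint's API. The certificates it inspects are constructed in-process with placeholder URLs, and `MakeTestCert` is a helper that exists only for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"net/url"
	"strings"
	"time"
)

// oidAuthorityInfoAccess is id-pe-authorityInfoAccess (RFC 5280, 4.2.2.1).
var oidAuthorityInfoAccess = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 1}

// AIAFindings collects every violation of CS BR 7.1.2.3c found in one certificate.
type AIAFindings struct {
	Errors []string
}

// OK reports whether no violation was recorded.
func (f AIAFindings) OK() bool { return len(f.Errors) == 0 }

// hasHTTPURL reports whether at least one entry is a plain-HTTP URL with a host.
// An https:// or ldap:// entry does not satisfy the "HTTP URL" wording.
func hasHTTPURL(urls []string) bool {
	for _, raw := range urls {
		u, err := url.Parse(raw)
		if err != nil {
			continue
		}
		if strings.EqualFold(u.Scheme, "http") && u.Host != "" {
			return true
		}
	}
	return false
}

// CheckAIA applies the quoted requirement: the extension MUST be present and
// MUST NOT be critical, id-ad-caIssuers MUST carry an HTTP URL, and if any OCSP
// responder is listed, one of them MUST be an HTTP URL. It applies the same rules
// to subCA and subscriber certificates, as the requirement does.
func CheckAIA(cert *x509.Certificate) AIAFindings {
	var f AIAFindings
	present := false
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(oidAuthorityInfoAccess) {
			present = true
			if ext.Critical {
				f.Errors = append(f.Errors, "authorityInformationAccess is marked critical")
			}
		}
	}
	if !present {
		f.Errors = append(f.Errors, "authorityInformationAccess extension is absent")
		return f
	}
	if !hasHTTPURL(cert.IssuingCertificateURL) {
		f.Errors = append(f.Errors, "no HTTP URL for id-ad-caIssuers (1.3.6.1.5.5.7.48.2)")
	}
	if len(cert.OCSPServer) > 0 && !hasHTTPURL(cert.OCSPServer) {
		f.Errors = append(f.Errors, "OCSP responders listed but none is an HTTP URL (1.3.6.1.5.5.7.48.1)")
	}
	return f
}

// MakeTestCert builds a self-signed certificate carrying the given AIA entries.
// Example-only helper: the subject and URLs are constructed placeholders.
func MakeTestCert(caIssuers, ocsp []string, isCA bool) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example-code-signing-cert"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		IssuingCertificateURL: caIssuers,
		OCSPServer:            ocsp,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	cases := []struct {
		name     string
		ca, ocsp []string
	}{
		{"compliant", []string{"http://ca.example.test/issuer.crt"}, []string{"http://ocsp.example.test"}},
		{"https-only caIssuers", []string{"https://ca.example.test/issuer.crt"}, nil},
		{"ldap-only OCSP", []string{"http://ca.example.test/issuer.crt"}, []string{"ldap://dir.example.test"}},
		{"no AIA at all", nil, nil},
	}
	for _, c := range cases {
		cert, err := MakeTestCert(c.ca, c.ocsp, false)
		if err != nil {
			panic(err)
		}
		f := CheckAIA(cert)
		fmt.Printf("%-22s ok=%-5v %v\n", c.name, f.OK(), f.Errors)
	}
}
```

The scheme test is deliberately strict: the requirement says "HTTP URL", so an https:// or ldap:// access location for id-ad-caIssuers is reported, which is the distinction that separates this error-level check from the SHOULD-based TLS warning lint discussed above.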