Add lint to detect HTML entities in Subject attributes

v3/integration/config.json

@@ -979,6 +979,9 @@
     },
     "e_ev_extra_subject_attribs": {
         "ErrCount": 12279
+    },
+    "e_subj_contains_html_entities": {
+        "ErrCount": 14
     }
   }
 }

v3/lints/community/lint_subj_contains_html_entities.go

@@ -0,0 +1,101 @@
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+package community
+
+import (
+	"github.com/zmap/zcrypto/x509"
+	"github.com/zmap/zlint/v3/lint"
+	"github.com/zmap/zlint/v3/util"
+
+	"fmt"
+	"reflect"
+	"regexp"
+)
+
+func init() {
+	lint.RegisterCertificateLint(&lint.CertificateLint{
+		LintMetadata: lint.LintMetadata{
+			Name:          "e_subj_contains_html_entities",
+			Description:   "Detects the presence of HTML entities (e.g. '&') in the Subject, which probably shouldn't be there",
+			Source:        lint.Community,
+			EffectiveDate: util.ZeroDate,
+		},
+		Lint: NewSubjectContainsHTMLEntities,
+	})
+}
+
+type subjectContainsHTMLEntities struct {
+	Skip bool `comment:"Set this to true to skip this lint"`
+}
+
+func NewSubjectContainsHTMLEntities() lint.LintInterface {
+	return &subjectContainsHTMLEntities{
+		Skip: false,
+	}
+}
+
+func (l *subjectContainsHTMLEntities) Configure() interface{} {
+	return l
+}
+
+func (l *subjectContainsHTMLEntities) CheckApplies(c *x509.Certificate) bool {
+	return true
+}
+
+var htmlEntitiesRegExp = regexp.MustCompile("&#?[a-zA-Z0-9]+;")
+
+func containsHTMLEntities(s string) bool {
+	return htmlEntitiesRegExp.MatchString(s)
+}
+
+func (l *subjectContainsHTMLEntities) Execute(c *x509.Certificate) *lint.LintResult {
+
+	if l.Skip {
+		return &lint.LintResult{Status: lint.Pass}
+	}
+
+	targetFields := []string{
+		"GivenName",
+		"Surname",
+		"CommonNames",
+		"OrganizationalUnit",
+		"Organization",
+		"Locality",
+		"Province",
+		"StreetAddress",
+		"PostalCode",
+		"OrganizationIDs",
+		"JurisdictionLocality",
+		"JurisdictionProvince",
+	}
+
+	value := reflect.ValueOf(c.Subject)
+
+	for _, fieldName := range targetFields {
+		field := value.FieldByName(fieldName)
+		strSlice := field.Interface().([]string)
+
+		if len(strSlice) > 0 {
+			if containsHTMLEntities(strSlice[0]) {
+				return &lint.LintResult{
+					Status:  lint.Error,
+					Details: fmt.Sprintf("Subject.%s contains an HTML entity", fieldName),
+				}
+			}
+		}
+	}
+
+	return &lint.LintResult{Status: lint.Pass}
+}

v3/lints/community/lint_subj_contains_html_entities_test.go

@@ -0,0 +1,85 @@
+/*
+ * ZLint Copyright 2024 Regents of the University of Michigan
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not
+ * use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ * implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+package community
+
+import (
+	"testing"
+
+	"github.com/zmap/zlint/v3/lint"
+	"github.com/zmap/zlint/v3/test"
+)
+
+/*
+   TEST CASES
+
+   File                Result      Description
+   ===============     ======      ===========
+   html_entity_ok1     Pass        Clean certificate (no HTML entities)
+   html_entity_ok2     Pass        With a pattern that resembles, but is not, an HTML entity
+   html_entity_ok3     Pass        With an HTML entity, but lint is bypassed via configuration
+   html_entity_ko1     Error       HTML entity in organization
+   html_entity_ko2     Error       HTML entity in stateOrProvince (Turks & Caicos Islands)
+   html_entity_ko3     Error       HTML entity in locality (La Roque-d'Anthéron)
+*/
+
+func TestSubjectContainsHTMLEntities(t *testing.T) {
+
+	type Data struct {
+		input  string
+		config string
+		want   lint.LintStatus
+	}
+
+	data := []Data{
+		{
+			input: "html_entity_ok1.pem",
+			want:  lint.Pass,
+		},
+		{
+			input: "html_entity_ok2.pem",
+			want:  lint.Pass,
+		},
+		{
+			input: "html_entity_ok3.pem",
+			config: `
+                [e_subj_contains_html_entities]
+                Skip = true
+                `,
+			want: lint.Pass,
+		},
+		{
+			input: "html_entity_ko1.pem",
+			want:  lint.Error,
+		},
+		{
+			input: "html_entity_ko2.pem",
+			want:  lint.Error,
+		},
+		{
+			input: "html_entity_ko3.pem",
+			want:  lint.Error,
+		},
+	}
+	for _, testData := range data {
+		testData := testData
+		t.Run(testData.input, func(t *testing.T) {
+			out := test.TestLintWithConfig("e_subj_contains_html_entities", testData.input, testData.config)
+			if out.Status != testData.want {
+				t.Errorf("expected %s, got %s", testData.want, out.Status)
+			}
+		})
+	}
+
+}

v3/testdata/html_entity_ko1.pem

@@ -0,0 +1,100 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            4f:47:38:4f:0f:c3:45:b6:91:f7:9d:15:ee:77:03:11
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = XX, O = Some CA, CN = Fake CA for zlint testing
+        Validity
+            Not Before: Dec 18 11:12:37 2024 GMT
+            Not After : Dec 18 11:12:37 2025 GMT
+        Subject: C = DE, ST = Hamburg, L = Hamburg, O = "Steinway & Sons", CN = example.org
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                RSA Public-Key: (2048 bit)
+                Modulus:
+                    00:b2:e8:30:07:2e:bb:73:1c:e9:9d:f7:96:5c:ee:
+                    54:5c:10:0f:9c:92:e5:53:d8:b5:ba:0c:3f:82:9f:
+                    e2:66:bd:a4:a8:16:8f:d1:c0:5d:c3:f4:9f:65:17:
+                    9e:f5:ec:e8:79:c4:4e:8b:38:ca:2a:76:4d:e9:0c:
+                    1f:0c:ac:8b:b4:5c:55:29:f0:25:e6:59:2f:b0:74:
+                    44:cf:2e:0a:85:1d:31:9e:11:36:76:4a:77:97:68:
+                    43:81:1e:05:ed:99:13:73:30:45:ee:97:ce:27:5b:
+                    d3:1b:29:df:7a:8f:91:94:ee:7a:18:48:9d:c2:9f:
+                    be:57:ad:57:a5:d8:47:8a:8c:93:fa:a2:4b:f5:b8:
+                    ce:c0:88:c0:86:c0:a8:58:44:7c:e0:5a:92:e5:3f:
+                    b1:fc:42:bf:76:ed:4c:75:91:0e:8e:36:e2:2f:42:
+                    72:92:50:d6:6b:62:0c:84:bf:dc:a6:67:3a:38:5e:
+                    6f:73:b9:af:ab:a0:7c:d1:80:b4:73:83:0e:9b:0c:
+                    a1:d1:4f:8a:d9:40:90:6a:fe:6d:5b:49:44:5d:6d:
+                    4f:e0:42:bd:84:c6:de:43:fd:82:6b:33:3c:4c:26:
+                    3b:e5:9b:17:b0:e8:fb:2d:46:78:d1:d4:bf:05:20:
+                    f9:6d:16:64:28:cd:a2:94:2c:2d:b0:f0:1a:ba:4e:
+                    37:4d
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Key Usage: critical
+                Digital Signature, Key Encipherment
+            X509v3 Extended Key Usage: 
+                TLS Web Client Authentication, TLS Web Server Authentication
+            X509v3 Subject Key Identifier: 
+                AA:E8:51:AF:70:29:30:58:1B:94:D5:D2:1E:7A:2B:EB:95:92:60:C6
+            X509v3 Authority Key Identifier: 
+                keyid:E8:B6:F6:76:4B:D0:3B:E5:46:A5:F9:54:D4:7E:07:B3:DE:0D:60:3E
+
+            Authority Information Access: 
+                OCSP - URI:http://ca.someca-inc.com/ocsp
+                CA Issuers - URI:http://ca.someca-inc.com/root
+
+            X509v3 Subject Alternative Name: 
+                DNS:example.org
+            X509v3 Certificate Policies: 
+                Policy: 2.23.140.1.2.2
+
+            X509v3 CRL Distribution Points: 
+
+                Full Name:
+                  URI:http://ca.someca-inc.com/crl
+
+    Signature Algorithm: sha256WithRSAEncryption
+         89:44:f7:34:c9:a2:c0:7d:3a:65:0a:11:39:69:79:09:ba:b0:
+         d8:e2:14:e9:a7:81:0a:c8:cc:a3:1d:ca:b2:bf:21:7c:f1:67:
+         e0:08:0c:c6:7b:09:26:1d:b1:e9:f4:5f:7b:bb:36:c2:63:10:
+         14:cc:90:25:52:3a:62:58:20:17:56:7b:77:47:cd:e2:45:90:
+         f7:22:f3:f6:fe:90:e9:f6:50:f1:84:58:e0:35:24:20:dd:fc:
+         ec:b4:8c:c2:88:cf:0f:1b:3f:de:95:a2:26:f8:db:d6:c7:b1:
+         bc:8a:0f:4c:53:e7:ea:cf:3f:2c:ac:66:94:9c:d0:d7:70:9f:
+         cc:9c:f2:b9:ec:1c:77:63:33:b4:6b:65:4b:a8:43:84:e5:99:
+         bd:c1:16:4d:ed:ee:ec:5d:4f:ae:bc:93:9e:77:b0:de:eb:1b:
+         f5:b4:e7:88:26:0b:18:0a:b3:2e:2a:b3:e5:5b:50:d3:e6:e3:
+         87:c5:48:fa:be:6d:a0:52:9c:38:13:dd:08:59:ad:da:28:54:
+         36:df:ea:0e:b2:fa:56:a5:bb:5d:62:ca:59:8b:66:3a:df:b0:
+         a5:d2:40:0a:13:0f:07:b8:cf:55:ad:e7:fb:3e:fb:23:44:11:
+         32:3d:e8:c7:7b:7b:ae:15:7c:8f:c5:a7:66:72:80:84:e8:40:
+         a0:62:a9:c3
+-----BEGIN CERTIFICATE-----
+MIIEaTCCA1GgAwIBAgIQT0c4Tw/DRbaR950V7ncDETANBgkqhkiG9w0BAQsFADBD
+MQswCQYDVQQGEwJYWDEQMA4GA1UEChMHU29tZSBDQTEiMCAGA1UEAxMZRmFrZSBD
+QSBmb3IgemxpbnQgdGVzdGluZzAeFw0yNDEyMTgxMTEyMzdaFw0yNTEyMTgxMTEy
+MzdaMGUxCzAJBgNVBAYTAkRFMRAwDgYDVQQIEwdIYW1idXJnMRAwDgYDVQQHEwdI
+YW1idXJnMRwwGgYDVQQKDBNTdGVpbndheSAmYW1wOyBTb25zMRQwEgYDVQQDEwtl
+eGFtcGxlLm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALLoMAcu
+u3Mc6Z33llzuVFwQD5yS5VPYtboMP4Kf4ma9pKgWj9HAXcP0n2UXnvXs6HnETos4
+yip2TekMHwysi7RcVSnwJeZZL7B0RM8uCoUdMZ4RNnZKd5doQ4EeBe2ZE3MwRe6X
+zidb0xsp33qPkZTuehhIncKfvletV6XYR4qMk/qiS/W4zsCIwIbAqFhEfOBakuU/
+sfxCv3btTHWRDo424i9CcpJQ1mtiDIS/3KZnOjheb3O5r6ugfNGAtHODDpsModFP
+itlAkGr+bVtJRF1tT+BCvYTG3kP9gmszPEwmO+WbF7Do+y1GeNHUvwUg+W0WZCjN
+opQsLbDwGrpON00CAwEAAaOCATUwggExMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUE
+FjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwHQYDVR0OBBYEFKroUa9wKTBYG5TV0h56
+K+uVkmDGMB8GA1UdIwQYMBaAFOi29nZL0DvlRqX5VNR+B7PeDWA+MGQGCCsGAQUF
+BwEBBFgwVjApBggrBgEFBQcwAYYdaHR0cDovL2NhLnNvbWVjYS1pbmMuY29tL29j
+c3AwKQYIKwYBBQUHMAKGHWh0dHA6Ly9jYS5zb21lY2EtaW5jLmNvbS9yb290MBYG
+A1UdEQQPMA2CC2V4YW1wbGUub3JnMBMGA1UdIAQMMAowCAYGZ4EMAQICMC0GA1Ud
+HwQmMCQwIqAgoB6GHGh0dHA6Ly9jYS5zb21lY2EtaW5jLmNvbS9jcmwwDQYJKoZI
+hvcNAQELBQADggEBAIlE9zTJosB9OmUKETlpeQm6sNjiFOmngQrIzKMdyrK/IXzx
+Z+AIDMZ7CSYdsen0X3u7NsJjEBTMkCVSOmJYIBdWe3dHzeJFkPci8/b+kOn2UPGE
+WOA1JCDd/Oy0jMKIzw8bP96Voib429bHsbyKD0xT5+rPPyysZpSc0Ndwn8yc8rns
+HHdjM7RrZUuoQ4Tlmb3BFk3t7uxdT668k553sN7rG/W054gmCxgKsy4qs+VbUNPm
+44fFSPq+baBSnDgT3QhZrdooVDbf6g6y+lalu11iylmLZjrfsKXSQAoTDwe4z1Wt
+5/s++yNEETI96Md7e64VfI/Fp2ZygIToQKBiqcM=
+-----END CERTIFICATE-----

v3/testdata/html_entity_ko2.pem

@@ -0,0 +1,100 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            47:7b:e1:33:e3:20:b3:49:9c:d4:c2:06:02:46:97:71
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = XX, O = Some CA, CN = Fake CA for zlint testing
+        Validity
+            Not Before: Dec 18 11:19:10 2024 GMT
+            Not After : Dec 18 11:19:10 2025 GMT
+        Subject: C = TC, ST = "Turks & Caicos Islands", L = Cockburn Town, O = Grand Lodge, CN = example.org
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                RSA Public-Key: (2048 bit)
+                Modulus:
+                    00:be:2f:1e:62:8d:04:cf:2c:7f:90:e8:c3:11:f2:
+                    51:1d:95:4e:a8:0f:f1:4f:28:c1:c4:ea:8a:14:70:
+                    62:9a:b1:72:42:bf:ea:bb:5c:d5:7c:33:32:a8:89:
+                    43:9e:48:11:62:d0:a7:6c:74:b9:e9:21:13:d1:6f:
+                    00:ee:7b:7f:a2:7c:84:06:04:d8:9d:44:91:56:eb:
+                    4e:d3:f0:c3:9e:51:4a:b5:7e:87:81:10:17:23:7a:
+                    46:d8:61:44:78:d5:28:40:fe:48:37:cc:00:85:86:
+                    32:82:ff:72:11:8a:c0:49:64:da:04:70:74:f6:ae:
+                    e4:7f:93:04:6f:a3:60:b3:1d:d0:98:dc:03:08:3b:
+                    db:f0:38:36:34:9a:4d:0f:4f:95:14:94:2e:dc:97:
+                    4a:83:4c:f0:3f:df:7f:f5:cd:61:19:52:ec:3c:6b:
+                    34:ff:2b:91:98:2e:f1:06:dd:a2:1b:3c:28:3d:28:
+                    6b:98:26:45:e3:e0:92:cb:18:04:f4:ce:07:d5:85:
+                    23:2f:e8:70:75:72:5a:e8:bc:07:ef:ae:05:3f:4d:
+                    02:21:bc:b2:99:ee:0c:95:b1:7d:22:8a:68:bf:e6:
+                    a1:a0:1c:83:c6:90:41:50:b4:ac:e9:b4:da:d6:5a:
+                    c7:35:81:92:7a:47:5d:ff:87:d5:a9:77:e7:c6:36:
+                    76:09
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Key Usage: critical
+                Digital Signature, Key Encipherment
+            X509v3 Extended Key Usage: 
+                TLS Web Client Authentication, TLS Web Server Authentication
+            X509v3 Subject Key Identifier: 
+                9B:41:57:4E:12:2C:2C:01:30:5C:01:08:4B:5C:25:0E:A8:AA:D3:10
+            X509v3 Authority Key Identifier: 
+                keyid:E8:B6:F6:76:4B:D0:3B:E5:46:A5:F9:54:D4:7E:07:B3:DE:0D:60:3E
+
+            Authority Information Access: 
+                OCSP - URI:http://ca.someca-inc.com/ocsp
+                CA Issuers - URI:http://ca.someca-inc.com/root
+
+            X509v3 Subject Alternative Name: 
+                DNS:example.org
+            X509v3 Certificate Policies: 
+                Policy: 2.23.140.1.2.2
+
+            X509v3 CRL Distribution Points: 
+
+                Full Name:
+                  URI:http://ca.someca-inc.com/crl
+
+    Signature Algorithm: sha256WithRSAEncryption
+         63:44:de:77:d7:94:56:70:1c:cb:8f:50:87:7d:9c:e6:4b:91:
+         8a:aa:71:6d:28:a3:f4:60:e6:43:87:0e:99:e9:e1:93:9d:d0:
+         85:52:48:1f:3f:53:bc:cf:85:60:a9:b9:50:10:9a:5c:c4:55:
+         bb:14:42:75:91:80:c6:e4:e5:ed:cd:52:f2:f4:0d:25:8d:d7:
+         50:20:a8:12:7e:c8:0b:6b:da:cf:d0:f5:20:fc:6c:bd:8f:0a:
+         16:6d:31:48:e5:59:db:de:34:12:b5:ec:47:e7:7e:ce:76:7a:
+         b6:c6:fd:ad:16:cd:93:58:c6:27:47:67:1d:f8:ab:b8:d6:e7:
+         4f:be:f8:f7:2b:7f:3a:ac:32:36:c3:d6:65:d8:22:97:68:4a:
+         8b:34:43:9f:f4:a5:91:1a:2e:16:45:04:05:7d:78:2f:0b:a5:
+         68:e2:f3:9c:ac:75:99:11:05:8f:1d:24:e7:3c:e0:8f:62:c8:
+         13:3e:9b:48:e3:0c:f4:d4:78:21:65:04:ea:08:20:dd:f3:9f:
+         f1:47:ff:70:28:0d:f1:1a:17:a6:73:ec:b7:85:3b:d6:ae:5c:
+         4a:7f:37:4f:25:c6:9c:04:eb:4e:f0:fb:f6:67:f5:b3:83:d3:
+         ac:74:7e:da:68:0e:32:9f:4f:50:95:64:ac:db:54:40:16:85:
+         00:e6:23:e8
+-----BEGIN CERTIFICATE-----
+MIIEejCCA2KgAwIBAgIQR3vhM+Mgs0mc1MIGAkaXcTANBgkqhkiG9w0BAQsFADBD
+MQswCQYDVQQGEwJYWDEQMA4GA1UEChMHU29tZSBDQTEiMCAGA1UEAxMZRmFrZSBD
+QSBmb3IgemxpbnQgdGVzdGluZzAeFw0yNDEyMTgxMTE5MTBaFw0yNTEyMTgxMTE5
+MTBaMHYxCzAJBgNVBAYTAlRDMSMwIQYDVQQIDBpUdXJrcyAmYW1wOyBDYWljb3Mg
+SXNsYW5kczEWMBQGA1UEBxMNQ29ja2J1cm4gVG93bjEUMBIGA1UEChMLR3JhbmQg
+TG9kZ2UxFDASBgNVBAMTC2V4YW1wbGUub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOC
+AQ8AMIIBCgKCAQEAvi8eYo0Ezyx/kOjDEfJRHZVOqA/xTyjBxOqKFHBimrFyQr/q
+u1zVfDMyqIlDnkgRYtCnbHS56SET0W8A7nt/onyEBgTYnUSRVutO0/DDnlFKtX6H
+gRAXI3pG2GFEeNUoQP5IN8wAhYYygv9yEYrASWTaBHB09q7kf5MEb6Ngsx3QmNwD
+CDvb8Dg2NJpND0+VFJQu3JdKg0zwP99/9c1hGVLsPGs0/yuRmC7xBt2iGzwoPShr
+mCZF4+CSyxgE9M4H1YUjL+hwdXJa6LwH764FP00CIbyyme4MlbF9Iopov+ahoByD
+xpBBULSs6bTa1lrHNYGSekdd/4fVqXfnxjZ2CQIDAQABo4IBNTCCATEwDgYDVR0P
+AQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDATAdBgNVHQ4E
+FgQUm0FXThIsLAEwXAEIS1wlDqiq0xAwHwYDVR0jBBgwFoAU6Lb2dkvQO+VGpflU
+1H4Hs94NYD4wZAYIKwYBBQUHAQEEWDBWMCkGCCsGAQUFBzABhh1odHRwOi8vY2Eu
+c29tZWNhLWluYy5jb20vb2NzcDApBggrBgEFBQcwAoYdaHR0cDovL2NhLnNvbWVj
+YS1pbmMuY29tL3Jvb3QwFgYDVR0RBA8wDYILZXhhbXBsZS5vcmcwEwYDVR0gBAww
+CjAIBgZngQwBAgIwLQYDVR0fBCYwJDAioCCgHoYcaHR0cDovL2NhLnNvbWVjYS1p
+bmMuY29tL2NybDANBgkqhkiG9w0BAQsFAAOCAQEAY0Ted9eUVnAcy49Qh32c5kuR
+iqpxbSij9GDmQ4cOmenhk53QhVJIHz9TvM+FYKm5UBCaXMRVuxRCdZGAxuTl7c1S
+8vQNJY3XUCCoEn7IC2vaz9D1IPxsvY8KFm0xSOVZ2940ErXsR+d+znZ6tsb9rRbN
+k1jGJ0dnHfiruNbnT7749yt/OqwyNsPWZdgil2hKizRDn/SlkRouFkUEBX14Lwul
+aOLznKx1mREFjx0k5zzgj2LIEz6bSOMM9NR4IWUE6ggg3fOf8Uf/cCgN8RoXpnPs
+t4U71q5cSn83TyXGnATrTvD79mf1s4PTrHR+2mgOMp9PUJVkrNtUQBaFAOYj6A==
+-----END CERTIFICATE-----