
Fix issue extracting email addresses from otherName SAN values #52

Merged
merged 1 commit into from
Nov 3, 2023

Conversation

hablutzel1

Mailbox Addresses in otherName values of type id-on-SmtpUTF8Mailbox are not being found while validating the mail addresses in the subject CN or SAN entries of type dirName. This fails to comply with the following from the S/MIME BRs:

7.1.4.2.1 Subject alternative name extension
...
All Mailbox Addresses in the subject field or entries of type dirName of this extension SHALL be
repeated as rfc822Name or otherName values of type id-on-SmtpUTF8Mailbox in this
extension.
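The check the quoted requirement calls for, as an added example rather than pkilint's own code: a small standard-library DER walker that pulls mailbox addresses out of a SubjectAltName value from both rfc822Name entries and id-on-SmtpUTF8Mailbox otherName entries, then reports which subject/dirName mailbox addresses are not repeated there. The SAN bytes and the subject mailbox list are constructed for the example (the example does not parse the subject CN or dirName itself), and the `include_othername=False` switch only reproduces the pre-fix behaviour described in this PR for comparison.

```python
# Added example (not pkilint code): minimal DER walker for SubjectAltName
# that finds mailbox addresses in rfc822Name and SmtpUTF8Mailbox otherName
# entries, then applies the S/MIME BR 7.1.4.2.1 "repeat" rule.

# DER content of OBJECT IDENTIFIER 1.3.6.1.5.5.7.8.9 (id-on-SmtpUTF8Mailbox, RFC 8398)
ID_ON_SMTPUTF8MAILBOX = bytes.fromhex("2b06010505070809")

TAG_SEQUENCE = 0x30
TAG_OID = 0x06
TAG_UTF8STRING = 0x0C
TAG_OTHERNAME = 0xA0    # GeneralName [0] IMPLICIT OtherName (constructed)
TAG_RFC822NAME = 0x81   # GeneralName [1] IMPLICIT IA5String
TAG_DNSNAME = 0x82      # GeneralName [2] IMPLICIT IA5String
TAG_EXPLICIT_0 = 0xA0   # OtherName.value [0] EXPLICIT ANY


def _read_tlv(buf, pos):
    """Read one DER TLV at buf[pos]; return (tag, content, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n_bytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n_bytes], "big")
        pos += n_bytes
    end = pos + length
    if end > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, buf[pos:end], end


def _iter_tlvs(buf):
    """Yield (tag, content) for each consecutive TLV in buf."""
    pos = 0
    while pos < len(buf):
        tag, content, pos = _read_tlv(buf, pos)
        yield tag, content


def san_mailbox_addresses(san_der, include_othername=True):
    """Return mailbox addresses found in a DER SubjectAltName (GeneralNames).

    include_othername=False mimics the pre-fix behaviour from the PR: only
    rfc822Name entries are seen, so SmtpUTF8Mailbox addresses are missed.
    """
    tag, general_names, _ = _read_tlv(san_der, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("SubjectAltName must be a SEQUENCE OF GeneralName")
    found = []
    for tag, content in _iter_tlvs(general_names):
        if tag == TAG_RFC822NAME:
            found.append(content.decode("ascii"))
        elif tag == TAG_OTHERNAME and include_othername:
            # OtherName ::= SEQUENCE { type-id OID, value [0] EXPLICIT ANY }
            items = list(_iter_tlvs(content))
            if len(items) != 2:
                continue
            (oid_tag, oid), (val_tag, explicit) = items
            if oid_tag == TAG_OID and oid == ID_ON_SMTPUTF8MAILBOX and val_tag == TAG_EXPLICIT_0:
                inner_tag, utf8, _ = _read_tlv(explicit, 0)
                if inner_tag == TAG_UTF8STRING:  # SmtpUTF8Mailbox ::= UTF8String
                    found.append(utf8.decode("utf-8"))
        # dNSName, directoryName, URI and other choices carry no mailbox here
    return found


def _normalize(addr):
    """Domain part of a mailbox is case-insensitive; the local part is kept as-is."""
    local, _, domain = addr.rpartition("@")
    return f"{local}@{domain.lower()}"


def missing_san_repeats(subject_mailboxes, san_der, include_othername=True):
    """Subject/dirName mailbox addresses NOT repeated in the SAN, in input order."""
    present = {_normalize(a) for a in san_mailbox_addresses(san_der, include_othername)}
    return [a for a in subject_mailboxes if _normalize(a) not in present]


def _tlv(tag, content):
    """Encode one short-form DER TLV (sample data only; content < 128 bytes)."""
    assert len(content) < 128
    return bytes([tag, len(content)]) + content


def build_sample_san():
    """Constructed SAN: one rfc822Name, one SmtpUTF8Mailbox otherName, one dNSName."""
    rfc822 = _tlv(TAG_RFC822NAME, b"alice@example.com")
    smtputf8 = _tlv(TAG_OTHERNAME,
                    _tlv(TAG_OID, ID_ON_SMTPUTF8MAILBOX)
                    + _tlv(TAG_EXPLICIT_0,
                           _tlv(TAG_UTF8STRING, "bøb@example.com".encode("utf-8"))))
    dns = _tlv(TAG_DNSNAME, b"mail.example.com")  # unrelated entry, ignored by the check
    return _tlv(TAG_SEQUENCE, rfc822 + smtputf8 + dns)


if __name__ == "__main__":
    # Constructed subject mailbox addresses, as if taken from subject CN / dirName.
    subject = ["alice@example.com", "bøb@example.com"]
    san = build_sample_san()
    print("pre-fix  missing:", missing_san_repeats(subject, san, include_othername=False))
    print("post-fix missing:", missing_san_repeats(subject, san))
```

Running the module shows the pre-fix pass reporting `bøb@example.com` as missing even though it is present as an SmtpUTF8Mailbox otherName, while the corrected pass reports nothing missing. Only the domain part is case-folded when comparing, since the local part of a mailbox is not case-insensitive in general.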

@CBonnell CBonnell changed the base branch from main to smtputf8mailbox_fix November 3, 2023 18:10
@CBonnell
Collaborator

CBonnell commented Nov 3, 2023

Thanks for finding this bug and submitting a patch to fix, @hablutzel1! I'll add another test case and will cut a release with this bug fix shortly.

@CBonnell CBonnell merged commit f3094fb into digicert:smtputf8mailbox_fix Nov 3, 2023
4 checks passed
@CBonnell CBonnell mentioned this pull request Nov 3, 2023
hablutzel1 added a commit to hablutzel1/pkilint that referenced this pull request Nov 11, 2023
* Bump version to prepare for bugfix release

* Fix issue extracting email addresses from otherName SAN values. (digicert#52)

* Add a few test cases, update changelog

---------

Co-authored-by: Jaime Hablutzel <[email protected]>
CBonnell added a commit that referenced this pull request Jun 14, 2024
* Bump version, add ASN.1 modules

* Add determination of ETSI webauth cert type

* Add EVCP

* Better cert type determination, add validator for empty PSP roles

* Add support for pre-certs and final certs

* Rename NCP and QNCP legal person and natural person certificate types

* STNDS-403 Refactor OrgId validators for better code sharing (subtask STNDS-404)

* raised specific error for invalid country codes

* added 3 tests for country codes

* made code less redundant and put class for country codes all in one class

* named class to be more specific

* qcretention period checking done as well as added DS Store to the gitignore

* STNDS-403 Implement OrgId attribute validator for legal persons (#4)

* qc type ready for testing

* Stnds 409 - Add lint to validate QcEuPDS statement (#6)

---------

Co-authored-by: Alex Campbell <campbellalex321@gmail>

* STNDS-412 Differentiate between EIDAS qualified and non-EIDAS qualified (#5)

* STNDS-412 Differentiate between EIDAS qualified and non-EIDAS qualified

* Bump download-artifact version

* Fix finding filters for CABF cert types

* Add ETSI linters to validation reporter test

* Add PKIX/CABF findings to QcType crttest files

* Add PKIX/CABF findings to PDS crttest files, address a few PEP warnings

* almost there, got to figure out how to add the check only if the cert is psd2, right now it's every time, some reason it's classifying the cert as something else

* got to change where it qualifies on a cert for the test run

* Stnds 422 - Verify that NCAName is in "Latin" characters (#9)

* requirements for queulimitvalue (#8)

* added iso639

* added iso4217

---------

Co-authored-by: Alex Campbell <campbellalex321@gmail>

* qc_eupds_missing works as expected

* STNDS-430 Disallow policyMappings, policyConstraints, and inhibitAnyPolicy in EE certs (#10)

* Stnds 423 - Verify the syntax of NCAId (#12)

* STNDS-447 Flag use of id-qcs-pkixQCSyntax-v1 semanticsIdentifier (#15)

* STNDS-447 A simpler implementation

* STNDS-429 validate natural person IDs (#14)

* natural person logic created

* logic for multiple cn and country names work

* added test files

* STNDS-424 Check PSD OrgId format in EU PSD2 certs (#19)

* Remove unused PSP role mapping

* STNDS-449 Check for at least one URI in NRA in SemanticsInformation (#18)

* STNDS 448 - Policy extension should not be marked critical (#16)

* Stnds 454 - CRL distribution points not marked critical (#24)

* Stnds 453 - Extended key usage not marked critical (#23)

* Stnds 451 - Issuer alternative name not marked critical

* Stnds 450 - Subject alternative name not marked critical

* STNDS-444: The pseudonym attribute shall not be present if the givenName and surname attribute are present

Co-authored-by: Alex Campbell <campbellalex321@gmail>

* STNDS-452: Add PKIX validator for IAN criticality (#26)

* Fix acknowledgements table formatting

* Fix integration tests for VATEL, bump version to 0.11

* STNDS-442 (#27)

* Simplify duplicate attribute detection logic

* Simplify attribute count logic

* STNDS-462 (#29)

* Switch all uses of magic strings to new KeyUsage bit name class

* STNDS-462

* Fix build

* Rename ETSI cert smoke test

* Add graceful decode error handling to ETSI CLI

* STNDS-455 CRLDP + AIA lints (#32)

* STNDS-465 Add Certificate Policies lint (#33)

* STNDS-467: Add validators for EN 319 412-3 clause 4.2.1 (#35)

* STNDS-467: Add validators for EN 319 412-3 clause 4.2.1

* Fix build

* STNDS-469: Add support for unbounded value lengths for selected attributes (#36)

* Add finding introduced after merge

* STNDS-466 - qcStatements extension shall not be marked as critical (#34)

---------

Co-authored-by: Michael Lettona <[email protected]>

* STNDS-472: Create legal person Key Usage value validator (#37)

* STNDS-472: Create legal person Key Usage value validator

* STNDS-494: Add TS 119 312 public key validators (#39)

* STNDS-494: Add TS 119 312 validators

* Fix RSA exponent upper bound check

* Clean up exponent check

* STNDS-496: Add DNSName-specific CN value validator (#40)

* STNDS-497: Add validator to check for presence of extensions (#41)

* STNDS-498: Create ETSI internal name validators for QNCP-w-gen (#42)

* Refactor internal name validators for better reuse

* Create ETSI validators for QNCP-w-gen

* Clean up validations a bit

* referenced subscriber server auth for qncp-w-gen code (#38)

* Merge remote-tracking branch 'origin/qualified' into STNDS-473

* removed no_eku

* added qncpwgenextusage validator

* qncp_w_gen_requirements done

* added validators

* Update pkilint/etsi/en_319_412_4.py

Co-authored-by: Corey Bonnell <[email protected]>

* changed name of the validator

Co-authored-by: Corey Bonnell <[email protected]>

* Update pkilint/etsi/en_319_412_4.py

Co-authored-by: Corey Bonnell <[email protected]>

* Update pkilint/etsi/en_319_412_4.py

Co-authored-by: Corey Bonnell <[email protected]>

* Update pkilint/etsi/en_319_412_4.py

Co-authored-by: Corey Bonnell <[email protected]>

* Update pkilint/etsi/en_319_412_4.py

Co-authored-by: Corey Bonnell <[email protected]>

* Update pkilint/etsi/en_319_412_4.py

Co-authored-by: Corey Bonnell <[email protected]>

---------

Co-authored-by: Alex Campbell <campbellalex321@gmail>
Co-authored-by: Corey Bonnell <[email protected]>

* SC-72 implementation (#73) (#43)

* SC-72 implementation

* Improve static retriever class name

* Prepare changelog

* SC-72 implementation

* Improve static retriever class name

* Prepare changelog

* Finalize 0.10.2 release

* Clean up README language

* Remove superfluous newline

* STNDS-503: Allow transnational country codes in orgId and serialNumbers (#45)

* SC-72 implementation (#73)

* SC-72 implementation

* Improve static retriever class name

* Prepare changelog

* SC-72 implementation

* Improve static retriever class name

* Prepare changelog

* Finalize 0.10.2 release

* Clean up README language

* Remove superfluous newline

* Allow transnational country codes in orgId and serialNumbers

* Case-insensitive country codes, har har

* Test case-insensitive country codes

* STNDS-504: Flag unknown country codes in legal person certificates (#46)

* STNDS-504: Flag unknown country codes in legal person certificates

* Argh, case insensitivity

* Merge v0.10.3 from upstream (#47)

* SC-72 implementation (#73)

* SC-72 implementation

* Improve static retriever class name

* Prepare changelog

* SC-72 implementation

* Improve static retriever class name

* Prepare changelog

* Finalize 0.10.2 release

* Clean up README language

* Remove superfluous newline

* Flag invalid domain name length in GeneralName types (#78)

* SMC-06 implementation (#74)

* SMC-06 implementation

* Update CHANGELOG, add test case for multi-OID string message

* Change to more intuitive collection type

* Add back new validator from botched merge

* STNDS-505: Ignore CABF validity period findings for certs with PSD2 policy OID (#48)

* Reformat and unused import cleanup

* STNDS-507: Do not allow unbounded CN for webauth certificate types (#49)

* STNDS-499: Add ETSI REST API linter group (#50)

* STNDS-499: Add ETSI REST API linter group

* Clean up certificate linter group init logic

* Clean up some nits (#51)

* Clean up some nits

* Add test case, adjust a message

* Add test case, adjust a message (part deux)

* STNDS-445: Add allowance checking for QCStatements (#52)

* STNDS-508: Add validator for eIDAS LegalPerson OrgId (#53)

* Undo STNDS-505 (#55)

* STNDS-509: Add check for TS 119 312 for sig alg (#54)

* STNDS-509: Add check for TS 119 312 for sig alg

* Move comment to better separate Schnorr vs. ECDSA

* Stnds 468 (#58)

* added class for np id validator

* added validation for natural person

* validation made but not working

* put in subjects validator

* eidas validator works

* final validator works

* Update pkilint/etsi/en_319_412_1.py

Co-authored-by: Corey Bonnell <[email protected]>

* Update pkilint/etsi/en_319_412_1.py

Co-authored-by: Corey Bonnell <[email protected]>

* stopped parsing if serial number length is too short

* fixed Corey's comments

---------

Co-authored-by: Alex Campbell <campbellalex321@gmail>
Co-authored-by: Corey Bonnell <[email protected]>

* STNDS-505, part trois (#57)

* Various qualified cleanup (#60)

* Ensure finding codes follow syntax

* Add CLI docs

* Change to use PDUNode children attribute

* Tweak .gitignore

* Prep CHANGELOG

* Fix non-webauth cert detection and QcType validator (#64)

* Fix non-webauth cert detection and QcType validator

* Change class name to anticipate linting CABF <-> ETSI OID per EN 319 411 1

* Add validator for CABF OID <-> non-qualified ETSI OID matching

* Don't add subject validators for DVCP

* Init code cleanup

* Massive fix for application of EN 319 412 -2 and -3 reqs for webauth certs

* Perform case-sensitive country code comparison (#65)

* Perform case-sensitive country code comparison

* Fix presence of QcsCompliance statement for non-EIDAS certs

* More fixes (#67)

* Enable pyasn1-fasder if installed, fix format nit

* Add support for additional validators

* Set release candidate version (#68)

* Some more nit cleanups (#69)

* Remove errant whitespace in link

* Remove reporting of duplicate OrgId syntax error finding (#70)

* Remove reporting of duplicate OrgId syntax error finding

* Clean up imports

* Getting ready for the big release

---------

Co-authored-by: Alex Campbell <campbellalex321@gmail>
Co-authored-by: campbellalex321 <[email protected]>
Co-authored-by: Mike <[email protected]>
Co-authored-by: Michael Lettona <[email protected]>