Allow for individual lints to opt-out of the ZLint framework executing pre-flight applicability rules #842
Conversation
christopher-henderson
force-pushed
the
fix_ocsp
branch
from
0c5c9b2
to
f0455f6
Compare
| @@ -74,11 +74,11 @@ func TestOCSPIDPKIXOCSPNocheckExtNotIncludedServerAuth(t *testing.T) { | |||
| }, { | |||
| Name: "o1s0ep0a0nc0", | |||
| Filename: "o1s0ep0a0nc0.pem", | |||
| ExpectedResult: lint.NA, | |||
There was a problem hiding this comment.
These are tests certs that do not have server auth, so they now apply.
christopher-henderson
changed the title
|
@zakird howdy sir. Could I solicit a quick glance at this PR? It's not PKI related so it's a bit difficult to garnish interest in a review. 🙏 |
|
Offhand, this feels like adding in an exception path to bypass fixing scoping of lints rather than fixing that our lints are currently not scoped correctly. Why not instead change the |
|
This PR seems just fine to me. It adds the capability for a lint to do its own pre-flight applicability check, which sometimes can be useful when the general (framework) applicability pre-flight check would unwantedly exclude a certificate from such lint. Relying on |
|
@zakird ah yes, here's some added context. As @defacto64 brought up in his own experience, there are handful of times where a governing document declares requirements on a classification of certificates that are otherwise normally outside of the document's domain. Concretely, in this case, CABF/BRs has an odd handful of requirements against OCSP responder certificates. This would be fine were it not for the fact that the framework applies it's own
This is generally great and avoids a lot of mistakes from being made. It does, however, cause edge case certificates (such as the aforementioned OCSP responder certs) to go silently unloved. |
|
Yeah, I'm with you that we'd have to update a huge number of CABF certs. I guess the question is, do we want this to be explicit and update all the lints or have it be implicit with a bypass mechanism. We'd have to do a lot fewer updates to lints, but it does make it more likely that we'll have this bug again in the future if someone doesn't know what they have to opt out of something. In general, ZLint tries to be pretty explicit about everything to avoid this kind of complication, but I also don't know if I'm putting code cleanliness over all practicality. I don't know if I have too strong an opinion. @dadrian what's your take? |
|
It seems like |
|
To help bring this conversation back to the ground, I'd like to point out that this issue was raised because of precisely one lint that has existed for over four years and had gone unnoticed until @defacto64 read the code base carefully. So I am quite allergic to altering the fundamental scoping strategy of the project. If there is no solution that even a plurality of folks are comfortable with, then I would sooner leave the issue unresolved than risk major changes. |
|
Right. |
Addresses #838
The core issue here was CABF places requirements, by-and-large, on server certificates. Thus, the framework did a kindness to CABF lints by baking in a pre-flight
IsServerAuthcheck for all CABF lints.This however, precluded that ability to lint certificates that are governed by CABF, but are not themselves server certificates. A prime example is
v3/lints/cabf_br/lint_ocsp_id_pkix_ocsp_nocheck_ext_not_included_server_auth.gowhich is a CABF requirement placed on OCSP signing certificates.As such, we would like for individual lints to be able to opt out of the framework's pre-flight applicability rules when necessary.w
Thank you @defacto64 for reporting the issue and thank you to @toddgaunt-gs for the cleaner boolean flag idea (I had forgotten that we had concrete structs available to us, rather than just interfaces that lints implement).