E qcstatem correct national scheme #949
Conversation
|
Thank you @mtgag! I'll start reviewing this (which will likely take longer than usual because we have historical context to catch up on). Including @defacto64 because you were party to the conversation last fall in #861 |
| @@ -1,5 +1,5 @@ | |||
| /* | |||
| * ZLint Copyright 2024 Regents of the University of Michigan | |||
| * ZLint Copyright 2025 Regents of the University of Michigan | |||
There was a problem hiding this comment.
It took me a bit to understand the changes in this file, but from what I can see it's simply lifting out complex blocks into their own functions.
Is there anything that you would like to call out for closer review? It's difficult to tell what is new and what is simply re-arranging code for readability.
There was a problem hiding this comment.
There were some older PRs that didn't make it to the main branch. I believe this version was used in those PRs and should include all the necessary functionality related to QC. So it is a mix of extracting existing functionality and adding features that are not currently required. Since the other ETSI lint tests are running fine, I do not think it is necessary to take a closer look.
v3/util/alt_reg_num_ev.go
Outdated
| Rsi, Country, StateOrProvince, RegRef string | ||
| } | ||
|
|
||
| func GetSubjectOrgId(rawSubject []byte) parsedSubjectElement { |
There was a problem hiding this comment.
I'm surprised that the linter isn't complaining that a public function is returning a private type. 🤷 I can't say that I'm a huge fan of golangci.
There was a problem hiding this comment.
refactored the code to address it.
v3/util/alt_reg_num_ev.go
Outdated
|
|
||
| rest, err := asn1.Unmarshal(rawSubject, &nl) // parse the sequence of sets, i.e. each list element in nl will be a set | ||
| if err != nil { | ||
| return parsedSubjectElement{IsPresent: false, Value: "", ErrorString: "error parsing outer SEQ of subject DN"} |
There was a problem hiding this comment.
Would you mind including the original error in the message? It'll help with debugging some day, I am sure of it.
|
|
||
| qcs2 := qcs2Generic.(util.DecodedQcS2) | ||
| semanticsId := qcs2.Decoded.SemanticsId | ||
| re := regexp.MustCompile(`^.{2}:`) |
There was a problem hiding this comment.
| re := regexp.MustCompile(`^.{2}:`) | |
| re := regexp.MustCompile(`^[a-zA-Z]{2}:`) |
I am not 100% certain of this, but do at least consider making this a bit more precise (if possible).
There was a problem hiding this comment.
sounds good. Changed.
| } | ||
| } | ||
|
|
||
| if semanticsId.Equal(util.IdEtsiQcsSemanticsIdLegal) { |
There was a problem hiding this comment.
I am unsure of this block. The psuedo-code that describes it is...
[ (legal person semantics identifier is included) AND (two characters according to local ... are present in organizationIdentifier) ]
However, it will also succeed if there are simply no orgIDs or if none of the orgIDs that are present match the ^.{2}: regex. Are you expecting both of these scenarios to also generate a PASS?
There was a problem hiding this comment.
The CheckApplies should cover this. If the certificate does not have any orgIDs or none of the orgIDs that are present match the regexp then it is an NA.
| } | ||
|
|
||
| if semanticsId.Equal(util.IdEtsiQcsSemanticsIdLegal) { | ||
| re := regexp.MustCompile(`^.{2}:`) |
There was a problem hiding this comment.
Would you mind placing this regex in the global context so that CheckApplies and Execute use the precise same object?
|
Hello! My first observation is that this PR includes quite a bit of code that is not really needed for the specific lint proposed. I am referring to a number of structs and utility functions (mostly in the Apart from the said additions, the rest of the changes made to the On this specific lint I have a couple of doubts:
This seems more important to me than verifying that the subject identifier has two characters and a "-" after the ":". |
I am a bit concerned as well and not entirely satisfied with the current code. It might be useful in the future, but it is difficult to estimate how much effort we could invest in the ETSI lints. If you or the project team do not consider this a showstopper, I suppose we can proceed as is. Otherwise, I suggest we close this PR for now until I have the opportunity to refactor the code.
We could simply check whether IdQcsPkixQCSyntaxV2 is present and return true from CheckApplies. Would that resolve the issue?
When I reviewed the specification a few days ago, it also seemed more important to me. This should be implemented as a new lint. |
|
My first doubt on this specific lint ("On this specific lint I have a couple of doubts...") is mainly a matter of taste: I tend to avoid doing the same thing twice if it's not really necessary, even when the performance impact is negligible. If it was me to code this lint, I would somehow "memorize" some of the results of the checks made in By the way, @mtgag: would you point us to some real certificates that would not pass this lint (AS IS) ? |
|
I've been thinking about this lint a bit more and have one more point to make, in addition to what I said above. This lint performs a check that is a subset of a broader check that I think would be worth performing instead. |
|
If I am understanding your thinking @defacto64, you would like Rust is, perhaps, a better tool to visualize this difference since it has explicit, enforced, mutability rules. Essentially, it would be the difference between... // Immutable
fn check_applies(&self, cert: &Certificate) -> bool {}// Mutable
fn check_applies(&mut self, cert: &Certificate) -> bool {}
This is certainly true of the CLI usage of ZLint. However, I too frequently forget that CAs use ZLint as a library. Given that we store these lint structs in a global registry, that means that we have invited the devil into our house - As such, I think that I would prefer it if we simply eat the computational cost and keep these structs as stateless as is reasonable. With regard to dead code Although it does make code reviews more difficult, which then reduces due diligence from reviewers (we are all human, after all). With regard to the interpretation of the requirements, I admit that I am quite far from caught up on these documents. @mtgag it sounds like you are not quite confident in these changes either, and that you would like to put this lint back into the oven? |
Rather than wanting it, let's say I had hypothesized it, but what you say convinces me that it would not be a good idea. I also forgot that ZLint is also used as a library. |
I am afraid I cannot provide any real world certificates. Also the test corpus does not contain one. It would be quite interesting to locate a few ETSI/PSD certificates to run some tests. Trying https://crt.sh/?CAName=%25QSEAL%25 or https://crt.sh/?CAName=%25PSD%25 does locate a few CAs, but as far as I can tell they have not issued many certificates. |
You may find some interesting lints about ETSI/PSD on this branch https://github.com/mtgag/zlint/tree/all/v3/lints/etsi.
You may take a quick view to see if any lint addresses your suggestion. We can then reactivate it and suggest a PR. We could also just try to integrate all of them into the project. If I have a significant amount of ETSI certificates I could test the lints against them to assess their quality. |
I would prefer to test this and other ETSI lints against real certificates as @defacto64 suggested. Please let us wait, if we can locate a good number of ETSI certificates to test against. |
4 participants
This PR replaces the previous PR (PR #861) based on our discussion there. I will close the original PR so we can continue work here.
This lint implements the following pseudocode:
IF
[ (natural person semantics identifier is included) AND (two characters according to local ... are present in serialNumber) ]
OR
[ (legal person semantics identifier is included) AND (two characters according to local ... are present in organizationIdentifier) ]
THEN
check that the remainder of the string also fulfills the national scheme syntax.