try a different approach

zmap · May 11, 2024 · d6ccdfb · d6ccdfb
1 parent 63b24e2
commit d6ccdfb
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 8 deletions.
diff --git a/v3/lint/base.go b/v3/lint/base.go
@@ -15,7 +15,6 @@ package lint
  */
 
 import (
-	"github.com/zmap/zlint/v3/lints/cabf_br"
 	"time"
 
 	"github.com/zmap/zcrypto/x509"
@@ -27,6 +26,11 @@ import (
 // @deprecated - use CertificateLintInterface instead.
 type LintInterface = CertificateLintInterface
 
+type Overrider interface {
+	LintInterface
+	OverrideFrameworkCheck(c *x509.Certificate) *LintResult
+}
+
 // RevocationListLintInterface is implemented by each revocation list linter.
 type RevocationListLintInterface interface {
 	// CheckApplies runs once per revocation list. It returns true if the
@@ -219,14 +223,19 @@ func (l *CertificateLint) CheckEffective(c *x509.Certificate) bool {
 // CheckEffective()
 // Execute()
 func (l *CertificateLint) Execute(cert *x509.Certificate, config Configuration) *LintResult {
-	if l.Source == CABFBaselineRequirements {
-		_, ocspCertLint := l.Lint().(*cabf_br.OCSPIDPKIXOCSPNocheckExtNotIncludedServerAuth)
-		if !util.IsServerAuthCert(cert) && !ocspCertLint {
+	override, ok := l.Lint().(Overrider)
+	if ok {
+		result := override.OverrideFrameworkCheck(cert)
+		if result != nil {
+			return result
+		}
+	} else {
+		if l.Source == CABFBaselineRequirements && !util.IsServerAuthCert(cert) {
+			return &LintResult{Status: NA}
+		}
+		if l.Source == CABFSMIMEBaselineRequirements && !((util.IsEmailProtectionCert(cert) && util.HasEmailSAN(cert)) || util.IsSMIMEBRCertificate(cert)) {
 			return &LintResult{Status: NA}
 		}
-	}
-	if l.Source == CABFSMIMEBaselineRequirements && !((util.IsEmailProtectionCert(cert) && util.HasEmailSAN(cert)) || util.IsSMIMEBRCertificate(cert)) {
-		return &LintResult{Status: NA}
 	}
 	lint := l.Lint()
 	err := config.MaybeConfigure(lint, l.Name)

diff --git a/v3/lints/cabf_br/lint_ocsp_id_pkix_ocsp_nocheck_ext_not_included_server_auth.go b/v3/lints/cabf_br/lint_ocsp_id_pkix_ocsp_nocheck_ext_not_included_server_auth.go
@@ -40,8 +40,12 @@ func NewOCSPIDPKIXOCSPNocheckExtNotIncludedServerAuth() lint.LintInterface {
 	return &OCSPIDPKIXOCSPNocheckExtNotIncludedServerAuth{}
 }
 
+func (l *OCSPIDPKIXOCSPNocheckExtNotIncludedServerAuth) OverrideFrameworkCheck(c *x509.Certificate) *lint.LintResult {
+	return nil
+}
+
 func (l *OCSPIDPKIXOCSPNocheckExtNotIncludedServerAuth) CheckApplies(c *x509.Certificate) bool {
-	return util.IsDelegatedOCSPResponderCert(c) && util.IsServerAuthCert(c)
+	return util.IsDelegatedOCSPResponderCert(c)
 }
 
 func (l *OCSPIDPKIXOCSPNocheckExtNotIncludedServerAuth) Execute(c *x509.Certificate) *lint.LintResult {