
lint_single_email_if_present.go Checks SANs instead of Subject

Open jdkasten opened this issue 1 year ago • 2 comments

I believe the lint `Name: "e_single_email_if_present", Description: "If present, the subject:emailAddress SHALL contain a single Mailbox Address", Citation: "7.1.4.2.h"` refers to this requirement, which is specifically about the subject's relative distinguished names rather than subject alternative names.

The lint's code iterates over c.EmailAddresses, which is the subject alternative name email addresses and not those potentially contained in the subject [documentation]. There should only be one email address in the subject's distinguished name.

I also believe that the citation should be changed to 7.1.4.2.2.h rather than its current 7.1.4.2.h.

jdkasten, Feb 12 '24 19:02

You're right about the reference, it should be 7.1.4.2.2.h.

You're also right that the target of the current check is the SANs and not the subject as specified in the BR. I can work on a patch for that.

Please note that the referenced requirement does not state that only one Subject EmailAddress field is allowed in a compliant certificate, but that each Subject EmailAddress field contains only a single email address. Currently this lint is technically wrong per reference but not practically wrong in implementation: each Subject EmailAddress must appear as a SAN in the certificate, and therefore each SAN EmailAddress should also only contain a single email address.

cardonator, Feb 12 '24 22:02
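To make the distinction in the issue and in the reply above concrete, the following is an added, self-contained Go example (not zlint's own code, and not a patch for it). It builds a throwaway self-signed certificate whose Subject DN carries an emailAddress attribute (OID 1.2.840.113549.1.9.1, encoded as IA5String) and whose SAN carries rfc822Name entries, then runs two checks side by side: one over c.EmailAddresses, as the issue reports the lint doing today, and one over the Subject attributes, as 7.1.4.2.2.h asks for. The function names, the net/mail-based approximation of "single Mailbox Address", and the exact-string comparison between Subject and SAN values are assumptions made for illustration; the certificate contents are constructed test input.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"net/mail"
	"time"
)

// PKCS#9 emailAddress attribute type (1.2.840.113549.1.9.1): the OID that
// identifies subject:emailAddress inside a Subject DN.
var oidEmailAddress = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 1}

// isSingleMailbox approximates "a single Mailbox Address": the value must parse
// as exactly one bare addr-spec with no display name, angle brackets, or second
// address. (Assumption: net/mail implements RFC 5322 syntax, which is close to,
// but not identical with, the RFC 5321 Mailbox production.)
func isSingleMailbox(v string) bool {
	a, err := mail.ParseAddress(v)
	return err == nil && a.Name == "" && a.Address == v
}

// subjectEmailAddresses returns every subject:emailAddress attribute value in
// the certificate's Subject DN, in order of appearance. A DN may carry more
// than one such attribute; the requirement is per attribute, not "at most one".
func subjectEmailAddresses(c *x509.Certificate) []string {
	var out []string
	for _, atv := range c.Subject.Names {
		if atv.Type.Equal(oidEmailAddress) {
			if s, ok := atv.Value.(string); ok {
				out = append(out, s)
			}
		}
	}
	return out
}

// lintSANEmails mirrors what the issue describes the lint doing today: it looks
// at the SAN rfc822Name entries (c.EmailAddresses) rather than the Subject.
func lintSANEmails(c *x509.Certificate) []string {
	var bad []string
	for _, e := range c.EmailAddresses {
		if !isSingleMailbox(e) {
			bad = append(bad, e)
		}
	}
	return bad
}

// lintSubjectEmails is the check 7.1.4.2.2.h actually asks for: each
// subject:emailAddress attribute, if present, holds one Mailbox Address.
// It also reports Subject values that do not appear as a SAN entry
// (exact-string comparison; case folding is deliberately not attempted here).
func lintSubjectEmails(c *x509.Certificate) (notSingle []string, notInSAN []string) {
	san := make(map[string]bool, len(c.EmailAddresses))
	for _, e := range c.EmailAddresses {
		san[e] = true
	}
	for _, e := range subjectEmailAddresses(c) {
		if !isSingleMailbox(e) {
			notSingle = append(notSingle, e)
		}
		if !san[e] {
			notInSAN = append(notInSAN, e)
		}
	}
	return notSingle, notInSAN
}

// buildTestCert builds a self-signed certificate (constructed test input, not a
// real-world certificate) with the given subject:emailAddress attribute values
// and SAN rfc822Name entries. emailAddress is encoded as IA5String, per PKCS#9.
func buildTestCert(subjectEmails, sanEmails []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:   big.NewInt(1),
		Subject:        pkix.Name{CommonName: "lint-test"},
		NotBefore:      time.Now().Add(-time.Hour),
		NotAfter:       time.Now().Add(time.Hour),
		EmailAddresses: sanEmails,
	}
	for _, e := range subjectEmails {
		tmpl.Subject.ExtraNames = append(tmpl.Subject.ExtraNames, pkix.AttributeTypeAndValue{
			Type:  oidEmailAddress,
			Value: asn1.RawValue{Class: asn1.ClassUniversal, Tag: asn1.TagIA5String, Bytes: []byte(e)},
		})
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	// The divergence the issue is about: one Subject attribute crams two
	// addresses into a single value while the SAN lists them separately.
	// The SAN-based check sees nothing wrong; the Subject-based check does.
	c, err := buildTestCert(
		[]string{"alice@example.com, bob@example.com"},
		[]string{"alice@example.com", "bob@example.com"},
	)
	if err != nil {
		panic(err)
	}
	fmt.Println("SAN-based findings:    ", lintSANEmails(c))
	notSingle, notInSAN := lintSubjectEmails(c)
	fmt.Println("Subject-based findings:", notSingle, "missing from SAN:", notInSAN)
}
```

Running it shows the SAN-based check returning no findings for a certificate whose Subject attribute plainly violates the clause, which is the gap the issue describes; a certificate with a single well-formed subject:emailAddress that is also present in the SAN passes both checks.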

@jdkasten and @cardonator, is the discussion in this issue covered by PR #808? If yes, this issue could be closed.

mtgag, Apr 02 '24 06:04