
Lint07 #22

Open

wants to merge 2 commits into base: lint06

Conversation

tnarg999
Collaborator

No description provided.

@tnarg999 tnarg999 requested review from aokeke and wuhelena September 16, 2020 23:03

@aokeke aokeke left a comment


1 comment on the readme but LGTM

Comment on lines 7 to 28
Example:

```go
// LintProducedAtDate checks that an OCSP Response ProducedAt date is no more than ProducedAtLimit in the past
// Source: Apple Lints 03 & 05
func LintProducedAtDate(resp *ocsp.Response, leafCert *x509.Certificate, issuerCert *x509.Certificate) (LintStatus, string) {
// default assume certificate being checked is a subscriber certificate
certType := "subscriber certificate"
producedAtLimit := ProducedAtLimitSubscriber
if leafCert != nil && leafCert.IsCA {
certType = "subordinate CA certificate"
producedAtLimit = ProducedAtLimitCA
// CheckStatus checks that the status of the OCSP response matches what the user expects it to be
// Source: Apple Lint 07
func CheckStatus(resp *ocsp.Response, leafCert *x509.Certificate, issuerCert *x509.Certificate, lintOpts *LintOpts) (LintStatus, string) {
if lintOpts.ExpectedStatus == None {
return Passed, fmt.Sprintf("User did not specify an expected status (fyi OCSP response status was %s)", StatusIntMap[resp.Status])
}

expectedStatus := ocsp.Good
if lintOpts.ExpectedStatus == Revoked {
expectedStatus = ocsp.Revoked
}

limit, err := time.ParseDuration(producedAtLimit)

if err != nil {
return Error, fmt.Sprintf("Could not parse time duration %s", producedAtLimit)
}

if time.Since(resp.ProducedAt) > limit {
return Failed, fmt.Sprintf("OCSP Response producedAt date %s for %s is more than %s in the past",
resp.ProducedAt, certType, DurationToString[producedAtLimit])
if resp.Status != expectedStatus {
return Failed, fmt.Sprintf("Expected status %s, OCSP response status was %s", lintOpts.ExpectedStatus, StatusIntMap[resp.Status])
}

return Passed, fmt.Sprintf("OCSP Response producedAt date %s for %s is within %s of the past",
resp.ProducedAt, certType, DurationToString[producedAtLimit])
return Passed, fmt.Sprintf("OCSP Response status matched expected status of %s", lintOpts.ExpectedStatus)
}
```
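Review bot: In CheckStatus, `lintOpts` is dereferenced at `if lintOpts.ExpectedStatus == None` with no nil check, so a caller that passes nil options panics instead of getting the "User did not specify an expected status" result; consider returning that Passed message when `lintOpts == nil` as well. The `leafCert` and `issuerCert` parameters are also accepted but unused in the new function body; if the signature is kept so that every lint shares one shape, say so in the doc comment so a reader does not go looking for a certificate check that is not there.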
Collaborator

Like I think I mentioned in another PR, every time the code changes you'll have to remember to come back and update this too. It might be better to just point to a file and a function in the file rather than copy-pasting the whole code.
