Apple Lint 06

README.md

@@ -42,7 +42,7 @@ A complete table of available flags:
 | expectgood | Tell the linter to expect a good OCSP response | `./ocsp_status -expectgood google.com:443` |
 | expectrevoked | Tell the linter to expect a revoked OCSP response | `./ocsp_status -expectrevoked revokedgrc.com:443` |
 | cacert | Tell the linter that you are inputting a CA cert | `./ocsp_status -cacert -incert googleissuer_cert.der` |
-| nonissuedcert | Tell the linter that you are inputting a non-issued cert | `./ocsp_status -nonissuedcert -ocspurl=ocsp.google.com facebook.com:443` |
+| nonissued | Tell the linter that you are inputting a non-issued cert | `./ocsp_status -nonissuedcert -ocspurl=ocsp.google.com facebook.com:443` |
 | v | Print information on all lints (including passed lints) | `./ocsp_status -verbose google.com:443`|
 
 Note you can also do `./ocsp_status -help` to see a list of all possible flags and their descriptions.

linter/linter.go

@@ -43,6 +43,11 @@ var Lints = []*LintStruct{
 		"Apple Lint 04",
 		LintNextUpdateDate,
 	},
+	{
+		"Check OCSP response status for non-issued certificate",
+		"Apple Lint 06",
+		LintStatusForNonIssuedCert,
+	},
 }
 
 // LinterInterface is an interface containing the functions that are exported from this file

linter/lintfuncs.go

@@ -48,6 +48,9 @@ func CheckSignature(resp *ocsp.Response, issuerCert *x509.Certificate, lintOpts
 // issued by the issuing CA either by comparing public key hashes or names
 // Source: Apple Lint 13
 func CheckResponder(resp *ocsp.Response, issuerCert *x509.Certificate, lintOpts *LintOpts) (LintStatus, string) {
+	if issuerCert == nil {
+		return Unknown, "Issuer certificate not provided, can't check responder"		
+	}
 	// Exactly one of RawResponderName and ResponderKeyHash is set.
 	ocspResponder := resp.RawResponderName
 
@@ -162,3 +165,17 @@ func LintNextUpdateDate(resp *ocsp.Response, issuerCert *x509.Certificate, lintO
 		resp.NextUpdate, DurationToString[NextUpdateLimitSubscriber], resp.ThisUpdate)
 
 }
+
+// LintStatusForNonIssuedCert checks that an OCSP response for a non-issued certificate does not have status Good
+// Source: Apple Lint 06
+func LintStatusForNonIssuedCert(resp *ocsp.Response, issuerCert *x509.Certificate, lintOpts *LintOpts) (LintStatus, string) {
+	if !lintOpts.LeafCertNonIssued {
+		return Passed, "OCSP Response is for issued certificate"
+	}
+
+	if resp.Status != ocsp.Good {
+		return Passed, "OCSP Response for non-issued certificate does not have status Good"
+	}
+
+	return Failed, "OCSP Response for non-issued certificate has status Good"
+}

linter/lintfuncs_test.go

@@ -4,6 +4,7 @@ import (
 	"crypto/x509"
 	"fmt"
 	"github.com/googleinterns/ocsp-response-linter/ocsptools"
+	"golang.org/x/crypto/ocsp"
 	"testing"
 	"time"
 )
@@ -176,7 +177,7 @@ func TestLintNextUpdateDate(t *testing.T) {
 		LeafCertNonIssued: false,
 		ExpectedStatus: None,
 	}
-	
+
 	ocspResp, err := ocsptools.Tools{}.ReadOCSPResp(RespBadDates)
 	if err != nil {
 		panic(fmt.Sprintf("Could not read OCSP Response file %s: %s", RespBadDates, err))
@@ -197,3 +198,42 @@ func TestLintNextUpdateDate(t *testing.T) {
 		}
 	})
 }
+
+// TestLintStatusForNonIssuedCert tests LintStatusForNonIssuedCert, which checks that an
+// OCSP Response for a non issued certificate has a status that is not Good
+// Source: Apple Lint 06
+func TestLintStatusForNonIssuedCert(t *testing.T) {
+	mockLintOpts := &LintOpts{
+		LeafCertType: Subscriber,
+		LeafCertNonIssued: false,
+		ExpectedStatus: None,
+	}
+
+	ocspResp, err := ocsptools.Tools{}.ReadOCSPResp(RespBadDates)
+	if err != nil {
+		panic(fmt.Sprintf("Could not read OCSP Response file %s: %s", RespBadDates, err))
+	}
+
+	t.Run("Issued Certificate", func(t *testing.T) {
+		status, info := LintStatusForNonIssuedCert(ocspResp, nil, mockLintOpts)
+		if status != Passed {
+			t.Errorf("Lint should have passed, instead got status %s: %s", status, info)
+		}
+	})
+
+	mockLintOpts.LeafCertNonIssued = true
+	t.Run("Non issued certificate with status good", func(t *testing.T) {
+		status, info := LintStatusForNonIssuedCert(ocspResp, nil, mockLintOpts)
+		if status != Failed {
+			t.Errorf("Lint should have failed, instead got status %s: %s", status, info)
+		}
+	})
+
+	ocspResp.Status = ocsp.Revoked
+	t.Run("Non issued certificate with status revoked", func(t *testing.T) {
+		status, info := LintStatusForNonIssuedCert(ocspResp, nil, mockLintOpts)
+		if status != Passed {
+			t.Errorf("Lint should have passed, instead got status %s: %s", status, info)
+		}
+	})
+}

ocsp_status.go

@@ -124,7 +124,7 @@ func main() {
 	expectRevoke := flag.Bool("expectrevoke", false, "Whether to expect revoked OCSP response")
 
 	caCert := flag.Bool("cacert", false, "Whether certificate is for a CA")
-	nonIssuedCert := flag.Bool("nonissuedcert", false, "Whether certificate is not issued by CA")
+	nonIssuedCert := flag.Bool("nonissued", false, "Whether certificate is not issued by CA")
 
 	verbose := flag.Bool("v", false, "Whether to use verbose printing for printing lints")