From 308a138ee20193335072c10b9b6ce7dec3d950c9 Mon Sep 17 00:00:00 2001
From: MTG <36234449+mtgag@users.noreply.github.com>
Date: Sun, 7 Apr 2024 15:04:05 +0200
Subject: [PATCH] Limit scope for cn checking in SAN (#825)
* lint about the encoding of qcstatements for PSD2
* Revert "lint about the encoding of qcstatements for PSD2"
This reverts commit 6c2367080d148f4b8c01f96a4c80e3ac55d1ef26.
* util: gtld_map autopull updates for 2021-10-21T07:25:20 UTC
* always check and perform the operation in the execution
* synchronised with project
* synchronised with project
* synchronised with project
* synchronised with project
* fixed merge error
* synchronised with project
* address comments of PR #809
* trying to decrease cyclomatic complexity
* reverted commit in this branch
---------
Co-authored-by: mtg
Co-authored-by: GitHub
Co-authored-by: Christopher Henderson
---
 .../cabf_smime_br/mailbox_address_from_san.go | 29 ++++++++++++++-----
 .../mailbox_address_from_san_test.go | 6 ++--
 2 files changed, 25 insertions(+), 10 deletions(-)
diff --git a/v3/lints/cabf_smime_br/mailbox_address_from_san.go b/v3/lints/cabf_smime_br/mailbox_address_from_san.go
index 9e2c75c2b..139b051d6 100644
--- a/v3/lints/cabf_smime_br/mailbox_address_from_san.go
+++ b/v3/lints/cabf_smime_br/mailbox_address_from_san.go
@@ -44,7 +44,19 @@ func NewMailboxAddressFromSAN() lint.LintInterface {
 
 // CheckApplies is returns true if the certificate's policies assert that it conforms to the SMIME BRs
 func (l *MailboxAddressFromSAN) CheckApplies(c *x509.Certificate) bool {
-	return util.IsSMIMEBRCertificate(c) && util.IsSubscriberCert(c)
+
+	if !(util.IsSMIMEBRCertificate(c) && util.IsSubscriberCert(c)) {
+		return false
+	}
+
+	toFindMailboxAddresses := getMailboxAddressesFromDistinguishedName(c.Subject, util.IsMailboxValidatedCertificate(c))
+
+	for _, dirName := range c.DirectoryNames {
+		toFindMailboxAddresses = append(toFindMailboxAddresses, getMailboxAddressesFromDistinguishedName(dirName, false)...)
+	}
+
+	return len(toFindMailboxAddresses) > 0
+
 }
 
 // Execute checks all the places where Mailbox Addresses may be found in an SMIME certificate and confirms that they are present in the SAN rfc822Name or SAN otherName
@@ -55,10 +67,11 @@ func (l *MailboxAddressFromSAN) Execute(c *x509.Certificate) *lint.LintResult {
 	}
 
 	// build list of Mailbox addresses from subject:commonName, subject:emailAddress, dirName
-	toFindMailboxAddresses := getMailboxAddressesFromDistinguishedName(c.Subject)
+
+	toFindMailboxAddresses := getMailboxAddressesFromDistinguishedName(c.Subject, util.IsMailboxValidatedCertificate(c))
 
 	for _, dirName := range c.DirectoryNames {
-		toFindMailboxAddresses = append(toFindMailboxAddresses, getMailboxAddressesFromDistinguishedName(dirName)...)
+		toFindMailboxAddresses = append(toFindMailboxAddresses, getMailboxAddressesFromDistinguishedName(dirName, false)...)
 	}
 
 	sanNames := map[string]bool{}
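Review bot: The doc comment above CheckApplies is now stale: it still says applicability depends only on the certificate's policies (and reads "is returns"), while the new body additionally requires at least one candidate mailbox address from the subject or a directoryName SAN, so a certificate with none now yields NA where it previously reached Execute and passed (the test-file hunks flip three expectations from lint.Pass to lint.NA for that reason). Suggest `// CheckApplies returns true if the certificate asserts conformance to the SMIME BRs, is a subscriber certificate, and carries at least one mailbox address in subject:commonName (mailbox-validated certificates only), subject:emailAddress or a directoryName SAN.` The same address list is rebuilt line for line in the Execute hunk that follows; a shared helper such as `func mailboxAddressesToFind(c *x509.Certificate) []string` called from both methods would keep the two from drifting, for example if one call site later changes the `false` passed for directory names. The blank line after the signature and the one before the closing brace are flagged by the whitespace linter and can be dropped.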
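Review bot: The added blank line between `// build list of Mailbox addresses from subject:commonName, subject:emailAddress, dirName` and the `toFindMailboxAddresses :=` statement detaches the comment from the code it describes, and the comment is now inaccurate because subject:commonName is consulted only when `util.IsMailboxValidatedCertificate(c)` is true. Drop the blank line and reword to `// build list of Mailbox addresses from subject:emailAddress, dirName and, for mailbox-validated certificates only, subject:commonName`. Execute's body starts and ends outside this hunk.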
@@ -90,12 +103,14 @@ func (l *MailboxAddressFromSAN) Execute(c *x509.Certificate) *lint.LintResult {
 	return &lint.LintResult{Status: lint.Pass}
 }
 
-func getMailboxAddressesFromDistinguishedName(name pkix.Name) []string {
+func getMailboxAddressesFromDistinguishedName(name pkix.Name, includeCN bool) []string {
 	mailboxAddresses := []string{}
 
-	for _, commonName := range name.CommonNames {
-		if util.IsMailboxAddress(commonName) {
-			mailboxAddresses = append(mailboxAddresses, commonName)
+	if includeCN {
+		for _, commonName := range name.CommonNames {
+			if util.IsMailboxAddress(commonName) {
+				mailboxAddresses = append(mailboxAddresses, commonName)
+			}
 		}
 	}
 
diff --git a/v3/lints/cabf_smime_br/mailbox_address_from_san_test.go b/v3/lints/cabf_smime_br/mailbox_address_from_san_test.go
index 3d3d23542..a4c652739 100644
--- a/v3/lints/cabf_smime_br/mailbox_address_from_san_test.go
+++ b/v3/lints/cabf_smime_br/mailbox_address_from_san_test.go
@@ -45,13 +45,13 @@ func TestMailboxAddressFromSANLint(t *testing.T) {
 			Name: "pass - only contains one san:emailAddress value",
 			InputFilename: "WithOnlySANEmail.pem",
-			ExpectedResult: lint.Pass,
+			ExpectedResult: lint.NA,
 		},
 		{
 			Name: "pass - only contains one san:otherName value",
 			InputFilename: "WithOnlySANOtherName.pem",
-			ExpectedResult: lint.Pass,
+			ExpectedResult: lint.NA,
 		},
 		{
 			Name: "NE - before effective date",
@@ -97,7 +97,7 @@ func TestMailboxAddressFromSANLint(t *testing.T) {
 			Name: "pass - subject:commonName is personal name, san:emailAddress contains an email",
 			InputFilename: "sponsorValidatedMultipurposePersonalNameInCN.pem",
-			ExpectedResult: lint.Pass,
+			ExpectedResult: lint.NA,
 		},
 	}
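Review bot: The new `includeCN` parameter is undocumented and the function has no doc comment, so a reader cannot tell why every directoryName call site passes `false` while the subject call passes `util.IsMailboxValidatedCertificate(c)`. Suggest, above the signature: `// getMailboxAddressesFromDistinguishedName returns the mailbox addresses found in name. CommonName values are considered only when includeCN is true; callers pass true for the subject of mailbox-validated certificates and false for directoryName SANs, whose CN is never checked.` The function body continues past the end of the hunk.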
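Review bot: The test cases whose ExpectedResult changes to lint.NA keep names beginning with "pass - ", which no longer matches the result they assert and breaks the convention the neighbouring `NE - before effective date` case follows; rename them, e.g. `Name: "NA - only contains one san:emailAddress value",`, and likewise for the otherName case and the sponsorValidatedMultipurposePersonalNameInCN case in the following hunk. A short comment on each would also record why they are NA now: the lint no longer applies when no mailbox address is found in the subject or a directoryName SAN.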