Skip to content

Replace CA-enforcement for MaxNames with Custom Lint #8739

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
ezekiel merged 11 commits into from
May 4, 2026
Merged

Replace CA-enforcement for MaxNames with Custom Lint #8739

Changes from 2 commits
Commits
Show all changes
11 commits
Select commit Hold shift + click to select a range
11027e3
Create lint for SAN count
ezekiel Apr 28, 2026
7b01c25
Merge branch 'main' into ezekiel/replace-ca-maxnames-with-lint
ezekiel Apr 28, 2026
156cf35
Merge remote-tracking branch 'upstream/main' into ezekiel/replace-ca-…
ezekiel Apr 28, 2026
af0bac4
Better CheckApplies. Updated comments and Description.
ezekiel Apr 28, 2026
a3939d5
Remove boulder-ca enforcement of MaxNames.
ezekiel Apr 28, 2026
1286866
Merge remote-tracking branch 'upstream/main' into ezekiel/replace-ca-…
ezekiel Apr 28, 2026
1d98fd0
Merge remote-tracking branch 'upstream/main' into ezekiel/replace-ca-…
ezekiel Apr 29, 2026
e1d1858
Complete removal of maxNames enforcement from CA.
ezekiel Apr 29, 2026
b09b0f9
style: empty line after each error return
ezekiel Apr 29, 2026
fd524d2
Merge remote-tracking branch 'upstream/main' into ezekiel/replace-ca-…
ezekiel May 4, 2026
64671bf
Deprecate maxNames in CA config instead of immediate removal.
ezekiel May 4, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
48 changes: 48 additions & 0 deletions linter/lints/cpcps/lint_cert_has_san_count_out_of_bounds.go
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,48 @@
package cpcps

import (
"github.com/zmap/zcrypto/x509"
"github.com/zmap/zlint/v3/lint"
"github.com/zmap/zlint/v3/util"

"github.com/letsencrypt/boulder/linter/lints"
)

type certSubjectAltNamesCountOutOfBounds struct{}

func init() {
lint.RegisterCertificateLint(&lint.CertificateLint{
LintMetadata: lint.LintMetadata{
Name: "e_cert_has_san_count_out_of_bounds",
Description: "Let's Encrypt Subscriber Certificaes must have a count of subjectAlternateNames within specific bounds defined by our CPS",
Citation: "CPS: 7.1",
Source: lints.LetsEncryptCPS,
EffectiveDate: lints.CPSV33Date, // TODO: probably earlier?
},
Lint: CertNamesCountOutOfBounds,
})
}

func CertNamesCountOutOfBounds() lint.CertificateLintInterface {
return &certSubjectAltNamesCountOutOfBounds{}
}

func (l *certSubjectAltNamesCountOutOfBounds) CheckApplies(c *x509.Certificate) bool {
return util.IsExtInCert(c, util.SubjectAlternateNameOID) && (len(c.DNSNames) > 0 || len(c.IPAddresses) > 0)
Comment thread
ezekiel marked this conversation as resolved.
Outdated
}

func (l *certSubjectAltNamesCountOutOfBounds) Execute(c *x509.Certificate) *lint.LintResult {
/*
* CP/CPS 7.1: "A sequence of 1 to 100 dNSNames or ipAddresses (critical if no CN)"
*
* more likely to encounter certs with greater than 100 than with fewer than 1
* so testing that failure first
*/
Comment thread
ezekiel marked this conversation as resolved.
Outdated
totalSANs := len(c.DNSNames) + len(c.IPAddresses)

if totalSANs > 100 || totalSANs < 1 {
return &lint.LintResult{Status: lint.Error}
}

return &lint.LintResult{Status: lint.Pass}
}
Loading