Include rules section
parent 59d66153ee
commit 01b475af4b
1 changed file with 34 additions and 47 deletions
README.md: 79 lines changed
@ -36,53 +36,40 @@ keys it finds. It does **not** cryptographically verify them:
Treat a green report as "the record is well-formed and DNSSEC-signed",
not as "the key is trustworthy".

## Tests run
## Rules

All findings are tagged by severity (`info` / `warn` / `crit`) so the
rule engine can fold them into a single `CheckState`.

### DNS (both record types)

| Code | Severity | What it catches |
| --- | --- | --- |
| `dns_query_failed` | crit | The resolver returned an error or did not answer. |
| `dns_no_record` | crit | The authoritative answer has no record at the expected owner. |
| `dnssec_not_validated` | crit / warn | The validating resolver did not set `AD`. RFC 7929/8162 mandate DNSSEC; the severity is configurable via `requireDNSSEC`. |
| `dns_record_mismatch` | warn | The record returned by DNS differs from the one declared in the service (typically a stale zone on the authoritative servers). |
| `owner_hash_mismatch` | crit | Record owner-name first label is not `sha256(localpart)[:28]`; mail clients will never find it. |

### OpenPGP-specific (RFC 7929)

| Code | Severity | What it catches |
| --- | --- | --- |
| `pgp_parse_error` | crit | Malformed base64 or OpenPGP packet stream. |
| `pgp_no_entity` | crit | Record decoded but carries no valid entity. |
| `pgp_primary_revoked` | crit | Primary key has a revocation signature. |
| `pgp_primary_expired` | crit | Self-signature expired; clients will refuse to encrypt. |
| `pgp_primary_expiring_soon` | warn | Expires within the `certExpiryWarnDays` window (default 30). |
| `pgp_weak_algorithm` | warn | Uses DSA / ElGamal (phase-out). |
| `pgp_weak_key_size` | crit / warn | RSA below 2048 bits is critical, 2048-3071 is a warn. |
| `pgp_no_encryption_subkey` | crit | No active key in the entity advertises encryption capability. |
| `pgp_no_identity` | warn | No self-signed User ID. |
| `pgp_uid_mismatch` | info | None of the UIDs reference `<username@…>`. |
| `pgp_multiple_entities` | warn | Record carries more than one entity (RFC 7929 recommends one). |
| `pgp_record_too_large` | warn | Raw key > 4 KiB; forces UDP→TCP fallback on every lookup. |

### SMIMEA-specific (RFC 8162)

| Code | Severity | What it catches |
| --- | --- | --- |
| `smimea_bad_usage` / `_selector` / `_match_type` | crit | Field outside the allowed range. |
| `smimea_cert_parse_error` | crit | Hex-encoded blob is not a valid X.509 certificate / SPKI. |
| `smimea_cert_expired` / `_not_yet_valid` | crit | `notBefore` / `notAfter` gate the current time out. |
| `smimea_cert_expiring_soon` | warn | Within the `certExpiryWarnDays` window. |
| `smimea_no_email_protection_eku` | crit / warn | Missing `emailProtection` EKU (RFC 8550/8551 agents will reject). |
| `smimea_missing_key_usage` | warn | Neither `digitalSignature` nor `keyEncipherment` key-usage is set. |
| `smimea_email_mismatch` | info | No email SAN starts with `<username>@`. |
| `smimea_weak_signature_algorithm` | crit | MD5 / SHA-1 based signature. |
| `smimea_weak_key_size` | crit / warn | RSA < 2048 / 3072 bits. |
| `smimea_self_signed` | info | Self-signed certificate paired with PKIX-EE usage. |
| `smimea_hash_only` | info | Matching-type 1/2 only carries a digest; certificate can't be inspected. |
| Code | Description | Severity |
|-----------------------------------|---------------------------------------------------------------------------------------------------|---------------------|
| `dns_query_failed` | Verifies that the DNS lookup for the OPENPGPKEY/SMIMEA record succeeds. | CRITICAL |
| `dns_no_record` | Verifies that an OPENPGPKEY/SMIMEA record is published at the expected owner name. | CRITICAL |
| `dns_record_mismatch` | Verifies that the record returned by DNS matches the service-declared record. | WARNING |
| `dnssec_not_validated` | Verifies that the record is authenticated by DNSSEC (AD flag set). | CRITICAL |
| `owner_hash_mismatch` | Verifies that the owner-name first label equals hex(sha256(username))[:28]. | CRITICAL |
| `pgp_parse_error` | Verifies that the OPENPGPKEY record decodes as a valid OpenPGP key. | CRITICAL |
| `pgp_primary_revoked` | Verifies that the OpenPGP primary key carries no revocation signature. | CRITICAL |
| `pgp_primary_expired` | Verifies that the OpenPGP primary key has not passed its self-signature expiry. | CRITICAL |
| `pgp_primary_expiring_soon` | Warns when the OpenPGP primary key expires within the configured window. | WARNING |
| `pgp_weak_algorithm` | Verifies that OpenPGP keys do not use legacy algorithms (DSA/ElGamal). | WARNING |
| `pgp_weak_key_size` | Verifies that OpenPGP RSA keys meet the minimum 2048-bit size (3072+ preferred). | CRITICAL |
| `pgp_no_encryption_subkey` | Verifies that at least one active OpenPGP key advertises encryption capability. | CRITICAL |
| `pgp_no_identity` | Verifies that the OpenPGP key carries at least one self-signed User ID. | WARNING |
| `pgp_uid_mismatch` | Checks that at least one OpenPGP UID references <username@...>. | INFO |
| `pgp_multiple_entities` | Verifies that the record carries a single OpenPGP entity (RFC 7929). | WARNING |
| `pgp_record_too_large` | Verifies that the OPENPGPKEY record stays below 4 KiB to fit typical UDP answers. | WARNING |
| `smimea_bad_usage` | Verifies that the SMIMEA usage field is 0, 1, 2, or 3. | CRITICAL |
| `smimea_bad_selector` | Verifies that the SMIMEA selector field is 0 (Cert) or 1 (SPKI). | CRITICAL |
| `smimea_bad_match_type` | Verifies that the SMIMEA matching type is 0 (Full), 1 (SHA-256), or 2 (SHA-512). | CRITICAL |
| `smimea_cert_parse_error` | Verifies that the SMIMEA record decodes as a valid X.509 certificate or SPKI. | CRITICAL |
| `smimea_cert_not_yet_valid` | Verifies that the S/MIME certificate's NotBefore is in the past. | CRITICAL |
| `smimea_cert_expired` | Verifies that the S/MIME certificate's NotAfter is in the future. | CRITICAL |
| `smimea_cert_expiring_soon` | Warns when the S/MIME certificate expires within the configured window. | WARNING |
| `smimea_no_email_protection_eku` | Verifies that the S/MIME certificate advertises the emailProtection EKU. | CRITICAL |
| `smimea_missing_key_usage` | Verifies that the certificate carries digitalSignature and/or keyEncipherment key usage. | WARNING |
| `smimea_weak_signature_algorithm` | Verifies that the certificate is not signed with a deprecated algorithm (MD2/MD5/SHA-1). | CRITICAL |
| `smimea_weak_key_size` | Verifies that SMIMEA RSA keys meet the minimum 2048-bit size (3072+ preferred). | CRITICAL |
| `smimea_self_signed` | Flags self-signed certificates paired with PKIX-EE (usage 1). | INFO |
| `smimea_email_mismatch` | Checks that at least one email SAN on the certificate begins with <username>@. | INFO |
| `smimea_hash_only` | Notes that SMIMEA matching types 1/2 transport only a digest, preventing certificate inspection. | INFO |

## Options

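Review bot: the `owner_hash_mismatch` row should state the RFC 7929/8162 label construction unambiguously, because the two wordings in this hunk (`sha256(localpart)[:28]` and `hex(sha256(username))[:28]`) do not describe the same check. Both RFCs truncate the SHA-256 digest of the local-part to its first 28 octets and then hex-encode the result, so the owner-name label is 56 hex characters; `hex(...)[:28]` reads as the first 28 hex characters (14 octets), and a check implemented that way would flag every correctly published record. Suggest wording the row as "first label is not the first 28 octets of SHA-256(local-part), hex-encoded (56 characters)" in whichever table survives this change. Smaller points in the same hunk: the two tables give different severities for `dnssec_not_validated` (`crit / warn`, configurable via `requireDNSSEC`, versus `CRITICAL`) and `smimea_weak_key_size` (`crit / warn` versus `CRITICAL`), they list different deprecated digests for `smimea_weak_signature_algorithm` (MD5/SHA-1 versus MD2/MD5/SHA-1), and `pgp_no_entity` appears in only one of them; the table that is kept should be checked against the severities the rule engine actually folds into `CheckState`, so the README does not promise a `warn` where the code emits `crit` or the other way round.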