Skip to main content

pkix_lint_cabf/
lib.rs

1//! # pkix-lint-cabf
2//!
3//! **Reference CA/Browser Forum lint bundles for [`pkix-lint`]. Not authoritative.**
4//!
5//! CA/B Forum Baseline Requirements (TLS BR, S/MIME BR) change on a ballot
6//! cycle. The lint bundles in this crate are a small, curated snapshot of
7//! marquee BR requirements. They are intended as a starting point: fork and
8//! adapt to your deployment's current interpretation of the BR text, which is
9//! the only canonical source.
10//!
11//! For the current Baseline Requirements:
12//! - <https://cabforum.org/baseline-requirements/> (TLS)
13//! - <https://cabforum.org/smime-br/> (S/MIME)
14//!
15//! Maintained on a best-effort basis. If your deployment depends on bit-exact
16//! CA/B Forum conformance, you SHOULD vendor and review the relevant rule
17//! definitions yourself, or use `pkix-policy-zlint` (see below).
18//!
19//! ## Unprincipled exception
20//!
21//! This crate is an **explicit, bounded violation** of the workspace's
22//! no-transcription rule (AGENTS.md non-negotiable #5, three-mode policy-class
23//! architecture). Under that rule, industry-forum / vendor policies (CA/B
24//! Forum BR, Mozilla / Apple / Microsoft root programs, ETSI, DoD, FedRAMP,
25//! individual CA CPSs) are NOT transcribed into Rust — they are consumed via
26//! sibling policy-adapter crates (`pkix-policy-zlint`, `pkix-policy-pkilint`)
27//! that defer to the upstream maintainer's tool at runtime.
28//!
29//! This crate does contain Rust transcriptions of CA/B Forum BR rules and
30//! does violate that rule. It exists because (a) CA/B Forum BR is the
31//! most-asked-about industry-forum spec, and (b) a small marquee-violation
32//! reference is useful for downstream consumers comparing their interpretation
33//! against the workspace's.
34//!
35//! The exception is **not a template.** No equivalent `pkix-lint-mozilla`,
36//! `pkix-lint-fedramp`, `pkix-lint-dod`, or `pkix-lint-etsi` crates are
37//! admitted without explicit human re-decision. For comprehensive CA/B Forum
38//! coverage (matching zlint's ~700-lint scope), use `pkix-policy-zlint`
39//! (PKIX-jy95).
40//!
41//! ## Reporting divergences
42//!
43//! This crate is a snapshot interpretation of the CA/B Forum Baseline
44//! Requirements. The canonical source is the CA/B Forum's published BR
45//! text; this crate is reference, not authoritative. See `divergences.md`
46//! in this crate's source tree for the spec versions last refreshed
47//! against and the known intentional divergences.
48//!
49//! If you find that a lint in this crate differs from what the current
50//! CA/B Forum BR says — wrong section reference, outdated rule, missing
51//! new ballot — please open an issue or PR at
52//! <https://github.com/MarkAtwood/crate-pkix>. Divergence fixes are
53//! welcomed from anyone in the community; you do not need to be a
54//! maintainer.
55//!
56//! Canonical BR sources:
57//!
58//! - TLS BR: <https://github.com/cabforum/servercert/blob/main/docs/BR.md>
59//! - S/MIME BR: <https://github.com/cabforum/smime/blob/main/SBR.md>
60//! - Code Signing BR: <https://github.com/cabforum/code-signing/blob/main/docs/CSBR.md>
61//! - EV Guidelines: <https://github.com/cabforum/servercert/blob/main/docs/EVG.md>
62//!
63//! ## Modules
64//!
65//! - [`cabf_tls_br`] — CA/B Forum TLS Baseline Requirements lints: SC-081
66//!   phased validity caps, SHA-1 prohibition, RSA min-key-size, SAN/EKU
67//!   presence, and `BasicConstraints` cA-flag checks. Individual `Lint`
68//!   impls plus the canonical [`cabf_tls_br::all_lints`] constructor; the
69//!   `LintProfile` bundling lives on
70//!   `pkix_profiles_cabf::WebPkiProfile`.
71//!
72//! ## Stance cross-references
73//!
74//! - AGENTS.md non-negotiable #5 — three-mode policy-class architecture,
75//!   including the unprincipled-exception clause that admits this crate.
76//! - Stance / epic: [PKIX-amgn].
77//!
78//! ## Limitations
79//!
80//! - **Reference, not authoritative.** See the unprincipled-exception
81//!   clause above. The BR text is the only canonical source; this crate
82//!   ships a curated subset of marquee BR predicates as Lint impls.
83//! - **Not predicate-comprehensive.** [`cabf_tls_br`] covers SC-081
84//!   phased validity caps, SHA-1 prohibition, RSA min-key-size, SAN/EKU
85//!   presence, and `BasicConstraints` cA-flag checks. Full TLS BR
86//!   predicate coverage (matching zlint's CA/B Forum lints, roughly
87//!   one Lint per BR sub-section) is the job of `pkix-policy-zlint`
88//!   (tracked under `PKIX-jy95.10`).
89//! - **No S/MIME BR or Code Signing BR lint module yet.** The
90//!   `pkix-profiles-cabf` crate ships the corresponding [`Profile`]
91//!   types (`SmimeProfile`, `CodeSigningProfile`); per-predicate Lint
92//!   coverage for those BRs is comprehensive via `pkix-policy-zlint`.
93//! - **No `-mozilla`, `-fedramp`, `-dod`, `-etsi`.** The unprincipled
94//!   exception applies to CA/B Forum content only. Other industry-forum,
95//!   government, or vendor policies must come in via policy-adapter
96//!   crates that defer to upstream tools.
97//!
98//! [PKIX-amgn]: https://github.com/MarkAtwood/crate-pkix
99//! [`pkix-lint`]: https://docs.rs/pkix-lint
100//! [`Profile`]: https://docs.rs/pkix-path/latest/pkix_path/trait.Profile.html
101
102#![cfg_attr(docsrs, feature(doc_cfg))]
103#![forbid(unsafe_code)]
104#![warn(missing_docs, rust_2018_idioms)]
105
106pub mod cabf_tls_br;