Add lints for S/MIME BR 7.1.2.3l

[bitlux]

This PR adds lints for S/MIME BR 7.1.2.3l legal entity identifier.

This PR also organizes the functions in smime_policies.go to group them by validation type and cert type.

[christopher-henderson]

Some help with legibility and one possible discussion regarding the presence of an LEI role for an organization validated certificate.

[christopher-henderson]

If you are agreeable, then I believe that moving some of these util calls to named variables will help with legibility.

func (l *legalEntityIdentifier) Execute(c *x509.Certificate) *lint.LintResult {
	lei := util.GetExtFromCert(c, util.LegalEntityIdentifierOID)
	lei_present := util.IsExtInCert(c, util.LegalEntityIdentifierOID)
	lei_role := util.GetExtFromCert(c, util.LegalEntityIdentifierRoleOID)
	lei_role_present := util.IsExtInCert(c, util.LegalEntityIdentifierRoleOID)
	switch {
	case util.IsMailboxValidatedCertificate(c), util.IsIndividualValidatedCertificate(c):
		if lei_present {
			// Mailbox-validated and Individualvalidated prohibited.
			return &lint.LintResult{Status: lint.Error, Details: "Legal Entity Identifier extension present"}
		}
	case util.IsOrganizationValidatedCertificate(c):
		if lei_present && lei.Critical {
			// LEI (1.3.6.1.4.1.52266.1) MAY be present and SHALL NOT be marked critical.
			return &lint.LintResult{Status: lint.Error, Details: "Legal Entity Identifier extension resent and critical"}
		}
		if lei_role_present {
			// This is affirming the negative. Sponsor validated certificates MAY have an LEI Role, so
			// it is being taken here that not explicitly as such for organization validated certificates
			// implies that they are not allowed.
			return &lint.LintResult{Status: lint.Error, Details: "Legal Entity Identifier Role extension present"}
		}
	case util.IsSponsorValidatedCertificate(c):
		if lei_present && lei.Critical {
			// LEI (1.3.6.1.4.1.52266.1) MAY be present and SHALL NOT be marked critical.
			return &lint.LintResult{Status: lint.Error, Details: "Legal Entity Identifier extension present and critical"}
		}
		if lei_role_present && lei_role.Critical {
			// LEI Role (1.3.6.1.4.1.52266.2) MAY be present and SHALL NOT be marked critical.
			return &lint.LintResult{Status: lint.Error, Details: "Legal Entity Identifier Role extension present and critical"}
		}
	default:
		return &lint.LintResult{Status: lint.Error, Details: "Unknown validation type"}
	}

	return &lint.LintResult{Status: lint.Pass}
}

Note this comment in particular,

This is affirming the negative. Sponsor validated certificates MAY have an LEI Role, so it is being taken here that not explicitly as such for organization validated certificates implies that they are not allowed.

That is, the lack of a MAY is not necessarily the presence of a MUST NOT. This is, unfortunately, ambiguity in the original source text. This is technically a logical fallacy, although I am somewhat inclined to believe that it was the original intent.

[bitlux]

Thanks for the review. I agree with your assessment of the fallacy in the organization-validated certificate logic.