simpler

v3/lint/base.go

@@ -89,6 +89,8 @@ type LintMetadata struct {
 	// true but with NotBefore >= IneffectiveDate. This check is bypassed if
 	// IneffectiveDate is zero. Please see CheckEffective for more information.
 	IneffectiveDate time.Time `json:"-"`
+
+	OverrideFrameworkFilter bool
 }
 
 // A Lint struct represents a single lint, e.g.
@@ -218,11 +220,13 @@ func (l *CertificateLint) CheckEffective(c *x509.Certificate) bool {
 // CheckEffective()
 // Execute()
 func (l *CertificateLint) Execute(cert *x509.Certificate, config Configuration) *LintResult {
-	if l.Source == CABFBaselineRequirements && !util.IsServerAuthCert(cert) {
-		return &LintResult{Status: NA}
-	}
-	if l.Source == CABFSMIMEBaselineRequirements && !((util.IsEmailProtectionCert(cert) && util.HasEmailSAN(cert)) || util.IsSMIMEBRCertificate(cert)) {
-		return &LintResult{Status: NA}
+	if !l.OverrideFrameworkFilter {
+		if l.Source == CABFBaselineRequirements && !util.IsServerAuthCert(cert) {
+			return &LintResult{Status: NA}
+		}
+		if l.Source == CABFSMIMEBaselineRequirements && !((util.IsEmailProtectionCert(cert) && util.HasEmailSAN(cert)) || util.IsSMIMEBRCertificate(cert)) {
+			return &LintResult{Status: NA}
+		}
 	}
 	lint := l.Lint()
 	err := config.MaybeConfigure(lint, l.Name)

v3/lints/cabf_br/lint_ocsp_id_pkix_ocsp_nocheck_ext_not_included_server_auth.go

@@ -28,9 +28,10 @@ func init() {
 			Name: "e_ocsp_id_pkix_ocsp_nocheck_ext_not_included_server_auth",
 			Description: "OCSP signing Certificate MUST contain an extension of type id-pkixocsp-nocheck, as" +
 				" defined by RFC6960",
-			Citation:      "BRs: 4.9.9",
-			Source:        lint.CABFBaselineRequirements,
-			EffectiveDate: util.CABEffectiveDate,
+			Citation:                "BRs: 4.9.9",
+			Source:                  lint.CABFBaselineRequirements,
+			EffectiveDate:           util.CABEffectiveDate,
+			OverrideFrameworkFilter: true,
 		},
 		Lint: NewOCSPIDPKIXOCSPNocheckExtNotIncludedServerAuth,
 	})