Releases: zmap/zlint
v3.6.2
ZLint v3.6.2
The ZMap team is happy to share ZLint v3.6.2.
Thank you to everyone who contributes to ZLint!
Bug Fixes
- Corrected an issue in e_single_email_if_present wherein only the SAN was checked for email addresses and the subject domain name was not.
- Limited the checking of common names in the SAN for
e_mailbox_address_shall_contain_an_rfc822_name
- Added an ineffective date to
e_dsa_correct_order_in_subgroup
,e_dsa_shorter_than_2048_bits
, ande_dsa_unique_correct_representation
.
New Lints
e_eku_critical
, BRs: 7.1.2.7.6, Subscriber Certificate extkeyUsage extension MUST NOT be marked criticale_crlissuer_must_not_be_present_in_cdp
, BRs: 7.1.2.11.2, crlIssuer and/or Reason field MUST NOT be present in the CDP extension.e_legal_entity_identifier
, S/MIME BRs: 7.1.2.3.l, Mailbox/individual: prohibited. Organization/sponsor: may be presente_commonname_mailbox_validated
, S/MIME BRs: 7.1.4.2.2a, If present, the commonName attribute of a mailbox-validated certificate SHALL contain a mailbox addresse_subject_country_name
, S/MIME BRs: 7.1.4.2.2n, If present, the subject:countryName SHALL contain the two‐letter ISO 3166‐1 country code associated with the location of the Subjecte_cab_dv_subject_invalid_values
, BRs: 7.1.2.7.2, If certificate policy 2.23.140.1.2.1 (CA/B BR domain validated) is included, only country and/or common name is allowed in SubjectDN.e_invalid_subject_rdn_order
, BRs: 7.1.4.2, Subject field attributes (RDNs) SHALL be encoded in a specific ordere_subscribers_crl_distribution_points_are_http
, S/MIME BRs: 7.1.2.3.b, cRLDistributionPoints SHALL have URI scheme HTTP.e_smime_qc_statements_must_not_be_critical
, S/MIME BRs: 7.1.2.3.k, This extension MAY be present and SHALL NOT be marked critical.e_mailbox_address_shall_contain_an_rfc822_name
, S/MIME BRs: 7.1.4.2.1, All Mailbox Addresses in the subject field or entries of type dirName of this extension SHALL be repeated as rfc822Name or otherName values of type id-on-SmtpUTF8Mailbox in this extensione_authority_key_identifier_correct
, S/MIME BRs: 7.1.2.3.g, authorityKeyIdentifier SHALL be present. This extension SHALL NOT be marked critical. The keyIdentifier field SHALL be present. authorityCertIssuer and authorityCertSerialNumber fields SHALL NOT be present.e_strict_multipurpose_smime_ext_subject_directory_attr
, S/MIME BRs: 7.1.2.3j, SMIME Strict and Multipurpose certificates cannot have Subject Directory Attributew_ext_subject_key_identifier_not_recommended_subscriber
, BRs v2: 7.1.2.7.6, Subcriber certificates use of Subject Key Identifier is NOT RECOMMENDED
Changelog
- ae3b1f3 Correct test descriptions (#829)
- 308a138 Limit scope for cn checking in SAN (#825)
- 2980c72 Add ineffective date to DSA lints. (#827)
- f9496fa Use help Method beforeoron instead of (#717)
- 9291729 util: gtld_map autopull updates for 2024-03-27T22:19:31 UTC (#817)
- e99e725 feat: Test EKU Criticality (#816)
- 38cfd72 cRLIssuer MUST NOT be present (#814)
- 990a074 Add lints for S/MIME BR 7.1.2.3l (#805)
- 32bba7a Update single email if present (#808)
- e33bae9 Update single email subject if present (#802)
- 7c899ea Add lint for BR 7.1.4.2.2a mailbox-validated (#806)
- e6650eb Add lints for S/MIME BR 7.1.4.2.2n country name (#807)
- 8d2c579 Lint for 7.1.2.7.2 BR (#810)
- e76cc77 Add lint for checking that Subject attributes (RDNs) appear in the order prescribed by CABF BR 7.1.4.2 (#813)
- a063d31 Add lints for S/MIME BR 7.1.2.3.b (#779)
- a72ff4e util: gtld_map autopull updates for 2024-03-09T18:19:57 UTC (#811)
- 5501be1 Mailbox addresses from san for all br (#809)
- 9c67bdb Fix typo (#804)
- 83b5f8d Add lint for S/MIME BR 7.1.2.3 (k) (#799)
- b9ff71f Add lint to enforce SMIME BRs: 7.1.4.2.1 requirement for mailbox addr… (#800)
- a23de3d util: gtld_map autopull updates for 2024-02-20T21:17:08 UTC (#794)
- bf84ed8 Add test case for smime ext subject directory attr (#801)
- 060b385 Lint for S/MIME BR 7.1.2.3.g (#797)
- a4b46ef Add lint for subject directory attributes extension (#798)
- 1baec6e Fix copy/paste error (#796)
- 8deb02b Subject Key Identifier is not recommended by CABF BR v2 (#790)
- fa85598 Handle ips in aia internal names (#791)
Full Changelog:v3.6.1...v3.6.2
v3.6.2-rc2
ZLint v3.6.2-rc2
The ZMap team is happy to share ZLint v3.6.2-rc2.
Thank you to everyone who contributes to ZLint!
Bug Fixes
- Limited the checking of common names in the SAN for
e_mailbox_address_shall_contain_an_rfc822_name
- Added an ineffective date to
e_dsa_correct_order_in_subgroup
,e_dsa_shorter_than_2048_bits
, ande_dsa_unique_correct_representation
.
Changelog
Full Changelog:v3.6.2-rc1...v3.6.2-rc2
v3.6.2-rc1
ZLint v3.6.2-rc1
The ZMap team is happy to share ZLint v3.6.2-rc1.
Thank you to everyone who contributes to ZLint!
Bug Fixes
- Corrected an issue in e_single_email_if_present wherein only the SAN was checked for email addresses and the subject domain name was not.
New Lints
e_eku_critical
, BRs: 7.1.2.7.6, Subscriber Certificate extkeyUsage extension MUST NOT be marked criticale_crlissuer_must_not_be_present_in_cdp
, BRs: 7.1.2.11.2, crlIssuer and/or Reason field MUST NOT be present in the CDP extension.e_legal_entity_identifier
, S/MIME BRs: 7.1.2.3.l, Mailbox/individual: prohibited. Organization/sponsor: may be presente_commonname_mailbox_validated
, S/MIME BRs: 7.1.4.2.2a, If present, the commonName attribute of a mailbox-validated certificate SHALL contain a mailbox addresse_subject_country_name
, S/MIME BRs: 7.1.4.2.2n, If present, the subject:countryName SHALL contain the two‐letter ISO 3166‐1 country code associated with the location of the Subjecte_cab_dv_subject_invalid_values
, BRs: 7.1.2.7.2, If certificate policy 2.23.140.1.2.1 (CA/B BR domain validated) is included, only country and/or common name is allowed in SubjectDN.e_invalid_subject_rdn_order
, BRs: 7.1.4.2, Subject field attributes (RDNs) SHALL be encoded in a specific ordere_subscribers_crl_distribution_points_are_http
, S/MIME BRs: 7.1.2.3.b, cRLDistributionPoints SHALL have URI scheme HTTP.e_smime_qc_statements_must_not_be_critical
, S/MIME BRs: 7.1.2.3.k, This extension MAY be present and SHALL NOT be marked critical.e_mailbox_address_shall_contain_an_rfc822_name
, S/MIME BRs: 7.1.4.2.1, All Mailbox Addresses in the subject field or entries of type dirName of this extension SHALL be repeated as rfc822Name or otherName values of type id-on-SmtpUTF8Mailbox in this extensione_authority_key_identifier_correct
, S/MIME BRs: 7.1.2.3.g, authorityKeyIdentifier SHALL be present. This extension SHALL NOT be marked critical. The keyIdentifier field SHALL be present. authorityCertIssuer and authorityCertSerialNumber fields SHALL NOT be present.e_strict_multipurpose_smime_ext_subject_directory_attr
, S/MIME BRs: 7.1.2.3j, SMIME Strict and Multipurpose certificates cannot have Subject Directory Attributew_ext_subject_key_identifier_not_recommended_subscriber
, BRs v2: 7.1.2.7.6, Subcriber certificates use of Subject Key Identifier is NOT RECOMMENDED
Changelog
- f9496fa Use help Method beforeoron instead of (#717)
- 9291729 util: gtld_map autopull updates for 2024-03-27T22:19:31 UTC (#817)
- e99e725 feat: Test EKU Criticality (#816)
- 38cfd72 cRLIssuer MUST NOT be present (#814)
- 990a074 Add lints for S/MIME BR 7.1.2.3l (#805)
- 32bba7a Update single email if present (#808)
- e33bae9 Update single email subject if present (#802)
- 7c899ea Add lint for BR 7.1.4.2.2a mailbox-validated (#806)
- e6650eb Add lints for S/MIME BR 7.1.4.2.2n country name (#807)
- 8d2c579 Lint for 7.1.2.7.2 BR (#810)
- e76cc77 Add lint for checking that Subject attributes (RDNs) appear in the order prescribed by CABF BR 7.1.4.2 (#813)
- a063d31 Add lints for S/MIME BR 7.1.2.3.b (#779)
- a72ff4e util: gtld_map autopull updates for 2024-03-09T18:19:57 UTC (#811)
- 5501be1 Mailbox addresses from san for all br (#809)
- 9c67bdb Fix typo (#804)
- 83b5f8d Add lint for S/MIME BR 7.1.2.3 (k) (#799)
- b9ff71f Add lint to enforce SMIME BRs: 7.1.4.2.1 requirement for mailbox addr… (#800)
- a23de3d util: gtld_map autopull updates for 2024-02-20T21:17:08 UTC (#794)
- bf84ed8 Add test case for smime ext subject directory attr (#801)
- 060b385 Lint for S/MIME BR 7.1.2.3.g (#797)
- a4b46ef Add lint for subject directory attributes extension (#798)
- 1baec6e Fix copy/paste error (#796)
- 8deb02b Subject Key Identifier is not recommended by CABF BR v2 (#790)
- fa85598 Handle ips in aia internal names (#791)
Full Changelog:v3.6.1...v3.6.2-rc1
v3.6.1
ZLint v3.6.1
The ZMap team is happy to share ZLint v3.6.1.
Thank you to everyone who contributes to ZLint!
Bug Fixes
- Corrected an issue in
e_single_email_if_present
wherein certificates with multiple email fields were rejected rather than rejecting certificates with email fields which themselves contained multiple address.
Changelog
- 82d733e Fix a bug in the check for 7.1.4.2.h - single email address in subject:emailAddress (#792)
- 5501b4f util: gtld_map autopull updates for 2024-01-22T23:19:16 UTC (#789)
- ddd1a81 Update copyright notices to 2024 (#787)
- 8a61dfa Refactor and improve the new lint creation bash script (#786)
Full Changelog:v3.6.0...v3.6.1
v3.6.0
ZLint v3.6.0
The ZMap team is happy to share ZLint v3.6.0.
Thank you to everyone who contributes to ZLint!
Breaking Changes:
No breaking changes were made in this release.
Deprecation Warning:
This is primarily a deprecation warning for the library usages of ZLint.
The lint.Lint has been deprecated in favor of the categorical interfaces - CertificateLint and RevocationListLint.
It is advised to refrain from implementing news lints that target the lint.Lint
interface as this interface will be removed entirely in a future release.
When implementing a lint for a x509 certificate, library usages should favor implementing the CertificateLint
interface. Similarly, when implementing a lint for a CRL, the RevocationListLint
interface should be used.
Security Patches
A patch was applied to the test certificate generation script which addresses CVE-2023-48795 (Severity Score: 5.9). This script never went online and as such never triggered the vulnerability.
Bug Fixes
- Corrected an issue in
e_registration_scheme_id_matches_subject_country
whereinLEI
andINT
certificates were being incorrectly checked.
New Lints:
Work has begun on the implementation of CABF/BR SMIME lints. For a complete list of lints being tracked please see #712
- SMIME certificates SHALL have cRLDistributionPoints (7.1.2.3.b)
- Strict and Multipurpose SMIME certificate AIA fields: OCSP Responder "When provided, every accessMethod SHALL have the URI scheme HTTP." (7.1.2.3.c.1)
- Strict and Multipurpose SMIME certificate AIA fields: caIssuers "When provided, every accessMethod SHALL have the URI scheme HTTP." (7.1.2.3.c.1)
- Key usage, RSA certs, strict policies: prevent all key usages other than digitalSignature, nonRepudiation, keyEncipherment (7.1.2.3.e)
- Key usage, RSA certs, multipurpose/legacy policies: prevent all key usages other than digitalSignature, nonRepudiation, keyEncipherment and dataEncipherment (7.1.2.3.e)
- Key usage, EC certs, all: prevent all key usages other than digitalSignature, nonRepudiation, keyAgreement, encipherOnly, decipherOnly (7.1.2.3.e)
- Key usage, EC certs, all: encipherOnly/decipherOnly are permitted only when keyAgreement is set (7.1.2.3.e)
- Key usage, Edwards certs, keys defined on curve 25519: Bit positions SHALL be set for digitalSignature and MAY be set for nonRepudiation (7.1.2.3.e)
- Extended key usage, strict: emailProtection SHALL be present. Other values SHALL NOT BE PRESENT (7.1.2.3.f)
- Extended key usage, multipurpose/legacy: emailProtection SHALL be present. Other values MAY be present (7.1.2.3.f)
- subjectAlternativeName, all: SHALL be present (7.1.2.3.h)
- subjectAlternativeName, all: SHOULD NOT be marked critical unless subject field is empty (7.1.2.3.h)
- Adobe Extensions, strict: is Prohibited (7.1.2.3.m)
- subject:emailAddress, all: if present, the subject:emailAddress SHALL contain a single Mailbox Address. (7.1.4.2.2.h)
- subject DN attributes for mailbox-validated profile (7.1.4.2.3)
Changelog
- be8dd6a Limit e_registration_scheme_id_matches_subject_country to no longer apply to LEI or INT organizationIdentifiers (#781)
- dfb985b build(deps): bump golang.org/x/crypto from 0.14.0 to 0.17.0 in /v3 (#784)
- 832a1ea build(deps): bump golang.org/x/crypto in /v3/cmd/genTestCerts (#785)
- d4e2de0 Fix goreleaser deprecation (#783)
- f830602 Added IsSMIMEBRCertificate in checkApplies where missing (#780)
- c1aacb0 golangci-lint update and fixes (#782)
- f90a51e util: gtld_map autopull updates for 2023-12-16T12:21:31 UTC (#778)
- 45de880 refactor of SMIME aia contains (#777)
- bc2c0fd CABF SMIME BR Appendix A.1 - countryName matches registration scheme id (#768)
- 7f6ef92 Metalint for checking against the deprecaetd lint.RegisterLint function (#775)
- ebf2071 util: gtld_map autopull updates for 2023-11-27T16:20:42 UTC (#773)
- c35c9b9 Policy Qualifiers other than id-qt-cps are no longer allowed as per CABF BRs (#774)
- 1bb58f0 Updating certificate lint template to use the new certificate specific interface (#772)
- 96a4799 util: gtld_map autopull updates for 2023-11-17T20:19:40 UTC (#771)
- a08efa8 CABF SMIME BR 7.1.2.3.m - Adobe Extensions (#763)
- 45e6204 Convert all Lints to CertificateLints (#767)
- 43b6954 address smime lint applicability issue. regenerate test certificates to fix unit tests broken by change (#764)
- e8c0c24 util: gtld_map autopull updates for 2023-11-06T23:18:29 UTC (#756)
- 64533b5 Ensure AIA URLs point to public paths (#760)
- 8923170 CABF SMIME BR 7.1.2.3.e - KeyUsages (#757)
- f9f30bc Fixing lint registration for CABF SMIME (#761)
- 1c307f4 Lints for CABF SMIME BRs 7.1.2.3.f - EKUs (#747)
- 553276d util: gtld_map autopull updates for 2023-10-19T17:18:28 UTC (#755)
- 2f54486 CABF SMIME 7.1.4.2.h If present, the subject:emailAddress SHALL contain a single Mailbox Address (#752)
- 2f0f4b8 build(deps): bump golang.org/x/net in /v3/cmd/genTestCerts (#751)
- 378c09f build(deps): bump golang.org/x/net from 0.8.0 to 0.17.0 in /v3 (#750)
- 88e01ad Lint for CABF SMIME 7.1.2.3.h - subjectAlternativeName SHOULD NOT be marked critical unless the subject field is an empty sequence (#746)
- 08a9354 Lint for CABF SMIME 7.1.2.3.h - subjectAlternativeName, all: SHALL be present (7.1.2.3.h) (#744)
- 386a8dc Lint for CABF SMIME 7.1.2.3b - cRLDistributionPoints SHALL be present (#742)
- 48baa89 Permit underscores in DNSNames if-and-only-if replacing all underscores results in valid LDH labels during BR 1.6.2's permissibility period (#661)
- ba30b3b Permit underscores in DNSNames if-and-only-if those certificates are valid for less than 30 days and during BR 1.6.2's permissibility period (#660)
- 1fd1c0d Part 1 of SC-62 related updates to zlint (#739)
- 5c4e05f util: gtld_map autopull updates for 2023-08-27T22:18:12 UTC (#737)
- 71d5e4b Reintroduce lint for inconsistent KU and EKU (#708)
- 59d4dd3 Inclusion of approximately 190000 email protection certificates into the test corpus (#738)
- d959c83 Add lint enforcing the restrictions on subject DN fields for mailbox validated SMIME certificates (#713)
- 624744d Include LintMetadata in the LintResult (#729)
- 38b7484 Add CRL Lints for the ReasonCode extension from the baseline requirements and RFC 5280 (#715)
- 1e3cf01 util: gtld_map autopull updates for 2023-07-25T22:18:37 UTC (#736)
- b492fe7 tidy: delete 'h' gitlog fragment from proj. root. (#735)
- 4d38bfe E ext cert policy disallowed any policy qualifier refactor (#732)
- 7602109 util: gtld_map autopull updates for 2023-07-08T13:20:31 UTC (#733)
- 40f2b32 Duplicate lints about keyIdentifier in certificates (#726)
- 3f1605e Ecdsa ee invalid ku check applies (#731)
- 8c46bdf Fix typo in LintRevocationListEx comment (#730)
- 7ef1f84 util: gtld_map autopull updates for 2023-06-14T22:18:50 UTC (#727)
- 5e0219d Bc critical (#722)
- 3746088 util: gtld_map autopull updates for 2023-06-06T18:20:14 UTC (#698)
- 9b18bdc Ca field empty description (#723)
- 59a91a2 Max length check applies (#724)
Full Changelog:v3.5.0...v3.6.0
v3.6.0-rc2
ZLint v3.6.0-rc2
The ZMap team is happy to share ZLint v3.6.0-rc2.
Thank you to everyone who contributes to ZLint!
Breaking Changes:
No breaking changes were made in this release.
Security Patches
A patch was applied to the test certificate generation script which addresses CVE-2023-48795 (Severity Score: 5.9). This script never went online and as such never triggered the vulnerability.
Bug Fixes
- Corrected an issue in
e_registration_scheme_id_matches_subject_country
whereinLEI
andINT
certificates were being incorrectly checked.
Changelog
v3.6.0-rc1
ZLint v3.6.0-rc1
The ZMap team is happy to share ZLint v3.6.0-rc1.
Thank you to everyone who contributes to ZLint!
Breaking Changes:
No breaking changes were made in this release.
Deprecation Warning:
This is primarily a deprecation warning for the library usages of ZLint.
The lint.Lint has been deprecated in favor of the categorical interfaces - CertificateLint and RevocationListLint.
It is advised to refrain from implementing news lints that target the lint.Lint
interface as this interface will be removed entirely in a future release.
When implementing a lint for a x509 certificate, library usages should favor implementing the CertificateLint
interface. Similarly, when implementing a lint for a CRL, the RevocationListLint
interface should be used.
New Lints:
Work has begun on the implementation of CABF/BR SMIME lints. For a complete list of lints being tracked please see #712
- SMIME certificates SHALL have cRLDistributionPoints (7.1.2.3.b)
- Strict and Multipurpose SMIME certificate AIA fields: OCSP Responder "When provided, every accessMethod SHALL have the URI scheme HTTP." (7.1.2.3.c.1)
- Strict and Multipurpose SMIME certificate AIA fields: caIssuers "When provided, every accessMethod SHALL have the URI scheme HTTP." (7.1.2.3.c.1)
- Key usage, RSA certs, strict policies: prevent all key usages other than digitalSignature, nonRepudiation, keyEncipherment (7.1.2.3.e)
- Key usage, RSA certs, multipurpose/legacy policies: prevent all key usages other than digitalSignature, nonRepudiation, keyEncipherment and dataEncipherment (7.1.2.3.e)
- Key usage, EC certs, all: prevent all key usages other than digitalSignature, nonRepudiation, keyAgreement, encipherOnly, decipherOnly (7.1.2.3.e)
- Key usage, EC certs, all: encipherOnly/decipherOnly are permitted only when keyAgreement is set (7.1.2.3.e)
- Key usage, Edwards certs, keys defined on curve 25519: Bit positions SHALL be set for digitalSignature and MAY be set for nonRepudiation (7.1.2.3.e)
- Extended key usage, strict: emailProtection SHALL be present. Other values SHALL NOT BE PRESENT (7.1.2.3.f)
- Extended key usage, multipurpose/legacy: emailProtection SHALL be present. Other values MAY be present (7.1.2.3.f)
- subjectAlternativeName, all: SHALL be present (7.1.2.3.h)
- subjectAlternativeName, all: SHOULD NOT be marked critical unless subject field is empty (7.1.2.3.h)
- Adobe Extensions, strict: is Prohibited (7.1.2.3.m)
- subject:emailAddress, all: if present, the subject:emailAddress SHALL contain a single Mailbox Address. (7.1.4.2.2.h)
- subject DN attributes for mailbox-validated profile (7.1.4.2.3)
Changelog
- d4e2de0 Fix goreleaser deprecation (#783)
- f830602 Added IsSMIMEBRCertificate in checkApplies where missing (#780)
- c1aacb0 golangci-lint update and fixes (#782)
- f90a51e util: gtld_map autopull updates for 2023-12-16T12:21:31 UTC (#778)
- 45de880 refactor of SMIME aia contains (#777)
- bc2c0fd CABF SMIME BR Appendix A.1 - countryName matches registration scheme id (#768)
- 7f6ef92 Metalint for checking against the deprecaetd lint.RegisterLint function (#775)
- ebf2071 util: gtld_map autopull updates for 2023-11-27T16:20:42 UTC (#773)
- c35c9b9 Policy Qualifiers other than id-qt-cps are no longer allowed as per CABF BRs (#774)
- 1bb58f0 Updating certificate lint template to use the new certificate specific interface (#772)
- 96a4799 util: gtld_map autopull updates for 2023-11-17T20:19:40 UTC (#771)
- a08efa8 CABF SMIME BR 7.1.2.3.m - Adobe Extensions (#763)
- 45e6204 Convert all Lints to CertificateLints (#767)
- 43b6954 address smime lint applicability issue. regenerate test certificates to fix unit tests broken by change (#764)
- e8c0c24 util: gtld_map autopull updates for 2023-11-06T23:18:29 UTC (#756)
- 64533b5 Ensure AIA URLs point to public paths (#760)
- 8923170 CABF SMIME BR 7.1.2.3.e - KeyUsages (#757)
- f9f30bc Fixing lint registration for CABF SMIME (#761)
- 1c307f4 Lints for CABF SMIME BRs 7.1.2.3.f - EKUs (#747)
- 553276d util: gtld_map autopull updates for 2023-10-19T17:18:28 UTC (#755)
- 2f54486 CABF SMIME 7.1.4.2.h If present, the subject:emailAddress SHALL contain a single Mailbox Address (#752)
- 2f0f4b8 build(deps): bump golang.org/x/net in /v3/cmd/genTestCerts (#751)
- 378c09f build(deps): bump golang.org/x/net from 0.8.0 to 0.17.0 in /v3 (#750)
- 88e01ad Lint for CABF SMIME 7.1.2.3.h - subjectAlternativeName SHOULD NOT be marked critical unless the subject field is an empty sequence (#746)
- 08a9354 Lint for CABF SMIME 7.1.2.3.h - subjectAlternativeName, all: SHALL be present (7.1.2.3.h) (#744)
- 386a8dc Lint for CABF SMIME 7.1.2.3b - cRLDistributionPoints SHALL be present (#742)
- 48baa89 Permit underscores in DNSNames if-and-only-if replacing all underscores results in valid LDH labels during BR 1.6.2's permissibility period (#661)
- ba30b3b Permit underscores in DNSNames if-and-only-if those certificates are valid for less than 30 days and during BR 1.6.2's permissibility period (#660)
- 1fd1c0d Part 1 of SC-62 related updates to zlint (#739)
- 5c4e05f util: gtld_map autopull updates for 2023-08-27T22:18:12 UTC (#737)
- 71d5e4b Reintroduce lint for inconsistent KU and EKU (#708)
- 59d4dd3 Inclusion of approximately 190000 email protection certificates into the test corpus (#738)
- d959c83 Add lint enforcing the restrictions on subject DN fields for mailbox validated SMIME certificates (#713)
- 624744d Include LintMetadata in the LintResult (#729)
- 38b7484 Add CRL Lints for the ReasonCode extension from the baseline requirements and RFC 5280 (#715)
- 1e3cf01 util: gtld_map autopull updates for 2023-07-25T22:18:37 UTC (#736)
- b492fe7 tidy: delete 'h' gitlog fragment from proj. root. (#735)
- 4d38bfe E ext cert policy disallowed any policy qualifier refactor (#732)
- 7602109 util: gtld_map autopull updates for 2023-07-08T13:20:31 UTC (#733)
- 40f2b32 Duplicate lints about keyIdentifier in certificates (#726)
- 3f1605e Ecdsa ee invalid ku check applies (#731)
- 8c46bdf Fix typo in LintRevocationListEx comment (#730)
- 7ef1f84 util: gtld_map autopull updates for 2023-06-14T22:18:50 UTC (#727)
- 5e0219d Bc critical (#722)
- 3746088 util: gtld_map autopull updates for 2023-06-06T18:20:14 UTC (#698)
- 9b18bdc Ca field empty description (#723)
- 59a91a2 Max length check applies (#724)
Full Changelog:v3.5.0...v3.6.0-rc1
v3.5.0
ZLint v3.5.0
The ZMap team is happy to share ZLint v3.5.0.
Thank you to everyone who contributes to ZLint!
Breaking Changes:
No breaking changes were made in this release.
New Features:
New infrastructure has been added that supports linting Certificate Revocation Lists.
A special thank you to Amir Omidi for their work on this contribution!
New Lints:
e_crl_has_next_update
Conforming CRL issuers MUST include the nextUpdate field in all CRLs.
Bug Fixes:
- Changed
e_cert_unique_identifier_version_not_2_or_3
to apply to all certificates, effectively changin aN/A
result to aPASS
result. - Changed several unit tests that asserted on string messages, resulting in brittle tests.
Security Updates
- Patch for security vulnerability CVE-2021-38561 (CVSS 7.5)
- Patch for security vulnerability CVE-2021-33194 (CVSS 7.5)
- Patch for security vulnerability CVE-2022-32149 (CVSS 7.5)
- Patch for security vulnerability CVE-2022-27664 (CVSS 7.5)
- Patch for security vulnerability CVE-2021-43565 (CVSS 7.5)
- Patch for security vulnerability CVE-2022-27191 (CVSS 7.5)
- Patch for security vulnerability CVE-2022-29526 (CVSS 5.3)
- Patch for security vulnerability CVE-2021-31525 (CVSS 5.9)
- Patch for security vulnerability CVE-2022-41723 (CVSS "low")
- Patch for security vulnerability CVE-2022-27664 (CVSS 7.5)
Changelog
- 45e8dff Update README.md (#719)
- af90382 Enable accepting a PEM encoded CRL via the command line interface (#721)
- 1d8591c Remove references in comments to Initialize() method of lints (#718)
- 2438596 Always perform e_cert_unique_identifier_version_not_2_or_3 (#711)
- a5c869f Update copyright text to 2023 (#716)
- 997ad51 Add CRL linting infrastructure (#699)
- 64ae4e5 build(deps): bump golang.org/x/net in /v3/cmd/genTestCerts (#704)
- 68901ea build(deps): bump golang.org/x/net in /v3 (#702)
- 5ed8e34 asserting human readable strings is error prone (#707)
- c7740fa build(deps): bump golang.org/x/text in /v3/cmd/genTestCerts (#701)
- a476724 Upgrading golangci-lint to v1.51.2 (#705)
- 46f7185 build(deps): bump golang.org/x/text from 0.3.7 to 0.3.8 in /v3 (#700)
- 8a9f61e test.ReadTestCert breaks for downstream consumers dependent on the previous relative certificate path building behavior (#695)
- 6292ca4 Adding support for linting profiles (#595)
- c627333 util: gtld_map autopull updates for 2022-10-10T19:22:35 UTC (#694)
- 13fcc6f util: gtld_map autopull updates for 2022-10-06T19:22:06 UTC (#693)
Full Changelog:v3.4.1...v3.5.0
v3.5.0-rc2
ZLint v3.5.0-rc2
The ZMap team is happy to share ZLint v3.5.0-rc2.
Thank you to everyone who contributes to ZLint!
Breaking Changes:
No breaking changes were made in this release.
Bug Fixes:
- Corrected an issue which prevented PEM encoded CRLs from being readable via the command line interface. Thank you to Adriano Santoni for finding this issue!
Misc
- Added PKI Insights to the list of industry usages.
Changelog
- 45e8dff Update README.md (#719)
- af90382 Enable accepting a PEM encoded CRL via the command line interface (#721)
Full Changelog:v3.5.0-rc1...v3.5.0-rc2
ZLint v3.5.0-rc1
ZLint v3.5.0-rc1
The ZMap team is happy to share ZLint v3.5.0-rc1.
Thank you to everyone who contributes to ZLint!
Breaking Changes:
No breaking changes were made in this release.
New Features:
New infrastructure has been added that supports linting Certificate Revocation Lists.
A special thank you to Amir Omidi for their work on this contribution!
New Lints:
e_crl_has_next_update
Conforming CRL issuers MUST include the nextUpdate field in all CRLs.
Bug Fixes:
- Changed
e_cert_unique_identifier_version_not_2_or_3
to apply to all certificates, effectively changin aN/A
result to aPASS
result. - Changed several unit tests that asserted on string messages, resulting in brittle tests.
Security Updates
- Patch for security vulnerability CVE-2021-38561 (CVSS 7.5)
- Patch for security vulnerability CVE-2021-33194 (CVSS 7.5)
- Patch for security vulnerability CVE-2022-32149 (CVSS 7.5)
- Patch for security vulnerability CVE-2022-27664 (CVSS 7.5)
- Patch for security vulnerability CVE-2021-43565 (CVSS 7.5)
- Patch for security vulnerability CVE-2022-27191 (CVSS 7.5)
- Patch for security vulnerability CVE-2022-29526 (CVSS 5.3)
- Patch for security vulnerability CVE-2021-31525 (CVSS 5.9)
- Patch for security vulnerability CVE-2022-41723 (CVSS "low")
- Patch for security vulnerability CVE-2022-27664 (CVSS 7.5)
Changelog
- 1d8591c Remove references in comments to Initialize() method of lints (#718)
- 2438596 Always perform e_cert_unique_identifier_version_not_2_or_3 (#711)
- a5c869f Update copyright text to 2023 (#716)
- 997ad51 Add CRL linting infrastructure (#699)
- 64ae4e5 build(deps): bump golang.org/x/net in /v3/cmd/genTestCerts (#704)
- 68901ea build(deps): bump golang.org/x/net in /v3 (#702)
- 5ed8e34 asserting human readable strings is error prone (#707)
- c7740fa build(deps): bump golang.org/x/text in /v3/cmd/genTestCerts (#701)
- a476724 Upgrading golangci-lint to v1.51.2 (#705)
- 46f7185 build(deps): bump golang.org/x/text from 0.3.7 to 0.3.8 in /v3 (#700)
- 8a9f61e test.ReadTestCert breaks for downstream consumers dependent on the previous relative certificate path building behavior (#695)
- 6292ca4 Adding support for linting profiles (#595)
- c627333 util: gtld_map autopull updates for 2022-10-10T19:22:35 UTC (#694)
- 13fcc6f util: gtld_map autopull updates for 2022-10-06T19:22:06 UTC (#693)
Full Changelog:v3.4.1...v3.5.0-rc1