v3.6.2

ZLint v3.6.2

The ZMap team is happy to share ZLint v3.6.2.

Thank you to everyone who contributes to ZLint!

Bug Fixes

• Corrected an issue in e_single_email_if_present wherein only the SAN was checked for email addresses and the subject domain name was not.
• Limited the checking of common names in the SAN for e_mailbox_address_shall_contain_an_rfc822_name
• Added an ineffective date to e_dsa_correct_order_in_subgroup, e_dsa_shorter_than_2048_bits, and e_dsa_unique_correct_representation.

New Lints

• e_eku_critical, BRs: 7.1.2.7.6, Subscriber Certificate extkeyUsage extension MUST NOT be marked critical
• e_crlissuer_must_not_be_present_in_cdp, BRs: 7.1.2.11.2, crlIssuer and/or Reason field MUST NOT be present in the CDP extension.
• e_legal_entity_identifier, S/MIME BRs: 7.1.2.3.l, Mailbox/individual: prohibited. Organization/sponsor: may be present
• e_commonname_mailbox_validated, S/MIME BRs: 7.1.4.2.2a, If present, the commonName attribute of a mailbox-validated certificate SHALL contain a mailbox address
• e_subject_country_name, S/MIME BRs: 7.1.4.2.2n, If present, the subject:countryName SHALL contain the two‐letter ISO 3166‐1 country code associated with the location of the Subject
• e_cab_dv_subject_invalid_values, BRs: 7.1.2.7.2, If certificate policy 2.23.140.1.2.1 (CA/B BR domain validated) is included, only country and/or common name is allowed in SubjectDN.
• e_invalid_subject_rdn_order, BRs: 7.1.4.2, Subject field attributes (RDNs) SHALL be encoded in a specific order
• e_subscribers_crl_distribution_points_are_http, S/MIME BRs: 7.1.2.3.b, cRLDistributionPoints SHALL have URI scheme HTTP.
• e_smime_qc_statements_must_not_be_critical, S/MIME BRs: 7.1.2.3.k, This extension MAY be present and SHALL NOT be marked critical.
• e_mailbox_address_shall_contain_an_rfc822_name, S/MIME BRs: 7.1.4.2.1, All Mailbox Addresses in the subject field or entries of type dirName of this extension SHALL be repeated as rfc822Name or otherName values of type id-on-SmtpUTF8Mailbox in this extension
• e_authority_key_identifier_correct, S/MIME BRs: 7.1.2.3.g, authorityKeyIdentifier SHALL be present. This extension SHALL NOT be marked critical. The keyIdentifier field SHALL be present. authorityCertIssuer and authorityCertSerialNumber fields SHALL NOT be present.
• e_strict_multipurpose_smime_ext_subject_directory_attr, S/MIME BRs: 7.1.2.3j, SMIME Strict and Multipurpose certificates cannot have Subject Directory Attribute
• w_ext_subject_key_identifier_not_recommended_subscriber, BRs v2: 7.1.2.7.6, Subcriber certificates use of Subject Key Identifier is NOT RECOMMENDED

Changelog

• ae3b1f3 Correct test descriptions (#829)
• 308a138 Limit scope for cn checking in SAN (#825)
• 2980c72 Add ineffective date to DSA lints. (#827)
• f9496fa Use help Method beforeoron instead of (#717)
• 9291729 util: gtld_map autopull updates for 2024-03-27T22:19:31 UTC (#817)
• e99e725 feat: Test EKU Criticality (#816)
• 38cfd72 cRLIssuer MUST NOT be present (#814)
• 990a074 Add lints for S/MIME BR 7.1.2.3l (#805)
• 32bba7a Update single email if present (#808)
• e33bae9 Update single email subject if present (#802)
• 7c899ea Add lint for BR 7.1.4.2.2a mailbox-validated (#806)
• e6650eb Add lints for S/MIME BR 7.1.4.2.2n country name (#807)
• 8d2c579 Lint for 7.1.2.7.2 BR (#810)
• e76cc77 Add lint for checking that Subject attributes (RDNs) appear in the order prescribed by CABF BR 7.1.4.2 (#813)
• a063d31 Add lints for S/MIME BR 7.1.2.3.b (#779)
• a72ff4e util: gtld_map autopull updates for 2024-03-09T18:19:57 UTC (#811)
• 5501be1 Mailbox addresses from san for all br (#809)
• 9c67bdb Fix typo (#804)
• 83b5f8d Add lint for S/MIME BR 7.1.2.3 (k) (#799)
• b9ff71f Add lint to enforce SMIME BRs: 7.1.4.2.1 requirement for mailbox addr… (#800)
• a23de3d util: gtld_map autopull updates for 2024-02-20T21:17:08 UTC (#794)
• bf84ed8 Add test case for smime ext subject directory attr (#801)
• 060b385 Lint for S/MIME BR 7.1.2.3.g (#797)
• a4b46ef Add lint for subject directory attributes extension (#798)
• 1baec6e Fix copy/paste error (#796)
• 8deb02b Subject Key Identifier is not recommended by CABF BR v2 (#790)
• fa85598 Handle ips in aia internal names (#791)

Full Changelog:v3.6.1...v3.6.2

v3.6.2-rc2

ZLint v3.6.2-rc2

The ZMap team is happy to share ZLint v3.6.2-rc2.

Thank you to everyone who contributes to ZLint!

Bug Fixes

• Limited the checking of common names in the SAN for e_mailbox_address_shall_contain_an_rfc822_name
• Added an ineffective date to e_dsa_correct_order_in_subgroup, e_dsa_shorter_than_2048_bits, and e_dsa_unique_correct_representation.

Changelog

• 308a138 Limit scope for cn checking in SAN (#825)
• 2980c72 Add ineffective date to DSA lints. (#827)

Full Changelog:v3.6.2-rc1...v3.6.2-rc2

v3.6.2-rc1

ZLint v3.6.2-rc1

The ZMap team is happy to share ZLint v3.6.2-rc1.

Thank you to everyone who contributes to ZLint!

Bug Fixes

• Corrected an issue in e_single_email_if_present wherein only the SAN was checked for email addresses and the subject domain name was not.

New Lints

• e_eku_critical, BRs: 7.1.2.7.6, Subscriber Certificate extkeyUsage extension MUST NOT be marked critical
• e_crlissuer_must_not_be_present_in_cdp, BRs: 7.1.2.11.2, crlIssuer and/or Reason field MUST NOT be present in the CDP extension.
• e_legal_entity_identifier, S/MIME BRs: 7.1.2.3.l, Mailbox/individual: prohibited. Organization/sponsor: may be present
• e_commonname_mailbox_validated, S/MIME BRs: 7.1.4.2.2a, If present, the commonName attribute of a mailbox-validated certificate SHALL contain a mailbox address
• e_subject_country_name, S/MIME BRs: 7.1.4.2.2n, If present, the subject:countryName SHALL contain the two‐letter ISO 3166‐1 country code associated with the location of the Subject
• e_cab_dv_subject_invalid_values, BRs: 7.1.2.7.2, If certificate policy 2.23.140.1.2.1 (CA/B BR domain validated) is included, only country and/or common name is allowed in SubjectDN.
• e_invalid_subject_rdn_order, BRs: 7.1.4.2, Subject field attributes (RDNs) SHALL be encoded in a specific order
• e_subscribers_crl_distribution_points_are_http, S/MIME BRs: 7.1.2.3.b, cRLDistributionPoints SHALL have URI scheme HTTP.
• e_smime_qc_statements_must_not_be_critical, S/MIME BRs: 7.1.2.3.k, This extension MAY be present and SHALL NOT be marked critical.
• e_mailbox_address_shall_contain_an_rfc822_name, S/MIME BRs: 7.1.4.2.1, All Mailbox Addresses in the subject field or entries of type dirName of this extension SHALL be repeated as rfc822Name or otherName values of type id-on-SmtpUTF8Mailbox in this extension
• e_authority_key_identifier_correct, S/MIME BRs: 7.1.2.3.g, authorityKeyIdentifier SHALL be present. This extension SHALL NOT be marked critical. The keyIdentifier field SHALL be present. authorityCertIssuer and authorityCertSerialNumber fields SHALL NOT be present.
• e_strict_multipurpose_smime_ext_subject_directory_attr, S/MIME BRs: 7.1.2.3j, SMIME Strict and Multipurpose certificates cannot have Subject Directory Attribute
• w_ext_subject_key_identifier_not_recommended_subscriber, BRs v2: 7.1.2.7.6, Subcriber certificates use of Subject Key Identifier is NOT RECOMMENDED

Changelog

• f9496fa Use help Method beforeoron instead of (#717)
• 9291729 util: gtld_map autopull updates for 2024-03-27T22:19:31 UTC (#817)
• e99e725 feat: Test EKU Criticality (#816)
• 38cfd72 cRLIssuer MUST NOT be present (#814)
• 990a074 Add lints for S/MIME BR 7.1.2.3l (#805)
• 32bba7a Update single email if present (#808)
• e33bae9 Update single email subject if present (#802)
• 7c899ea Add lint for BR 7.1.4.2.2a mailbox-validated (#806)
• e6650eb Add lints for S/MIME BR 7.1.4.2.2n country name (#807)
• 8d2c579 Lint for 7.1.2.7.2 BR (#810)
• e76cc77 Add lint for checking that Subject attributes (RDNs) appear in the order prescribed by CABF BR 7.1.4.2 (#813)
• a063d31 Add lints for S/MIME BR 7.1.2.3.b (#779)
• a72ff4e util: gtld_map autopull updates for 2024-03-09T18:19:57 UTC (#811)
• 5501be1 Mailbox addresses from san for all br (#809)
• 9c67bdb Fix typo (#804)
• 83b5f8d Add lint for S/MIME BR 7.1.2.3 (k) (#799)
• b9ff71f Add lint to enforce SMIME BRs: 7.1.4.2.1 requirement for mailbox addr… (#800)
• a23de3d util: gtld_map autopull updates for 2024-02-20T21:17:08 UTC (#794)
• bf84ed8 Add test case for smime ext subject directory attr (#801)
• 060b385 Lint for S/MIME BR 7.1.2.3.g (#797)
• a4b46ef Add lint for subject directory attributes extension (#798)
• 1baec6e Fix copy/paste error (#796)
• 8deb02b Subject Key Identifier is not recommended by CABF BR v2 (#790)
• fa85598 Handle ips in aia internal names (#791)

Full Changelog:v3.6.1...v3.6.2-rc1

v3.6.1

ZLint v3.6.1

The ZMap team is happy to share ZLint v3.6.1.

Thank you to everyone who contributes to ZLint!

Bug Fixes

• Corrected an issue in e_single_email_if_present wherein certificates with multiple email fields were rejected rather than rejecting certificates with email fields which themselves contained multiple address.

Changelog

• 82d733e Fix a bug in the check for 7.1.4.2.h - single email address in subject:emailAddress (#792)
• 5501b4f util: gtld_map autopull updates for 2024-01-22T23:19:16 UTC (#789)
• ddd1a81 Update copyright notices to 2024 (#787)
• 8a61dfa Refactor and improve the new lint creation bash script (#786)

Full Changelog:v3.6.0...v3.6.1

v3.6.0

ZLint v3.6.0

The ZMap team is happy to share ZLint v3.6.0.

Thank you to everyone who contributes to ZLint!

Breaking Changes:

No breaking changes were made in this release.

Deprecation Warning:

This is primarily a deprecation warning for the library usages of ZLint.

The lint.Lint has been deprecated in favor of the categorical interfaces - CertificateLint and RevocationListLint.

It is advised to refrain from implementing news lints that target the lint.Lint interface as this interface will be removed entirely in a future release.

When implementing a lint for a x509 certificate, library usages should favor implementing the CertificateLint interface. Similarly, when implementing a lint for a CRL, the RevocationListLint interface should be used.

Security Patches

A patch was applied to the test certificate generation script which addresses CVE-2023-48795 (Severity Score: 5.9). This script never went online and as such never triggered the vulnerability.

Bug Fixes

• Corrected an issue in e_registration_scheme_id_matches_subject_country wherein LEI and INT certificates were being incorrectly checked.

New Lints:

Work has begun on the implementation of CABF/BR SMIME lints. For a complete list of lints being tracked please see #712

• SMIME certificates SHALL have cRLDistributionPoints (7.1.2.3.b)
• Strict and Multipurpose SMIME certificate AIA fields: OCSP Responder "When provided, every accessMethod SHALL have the URI scheme HTTP." (7.1.2.3.c.1)
• Strict and Multipurpose SMIME certificate AIA fields: caIssuers "When provided, every accessMethod SHALL have the URI scheme HTTP." (7.1.2.3.c.1)
• Key usage, RSA certs, strict policies: prevent all key usages other than digitalSignature, nonRepudiation, keyEncipherment (7.1.2.3.e)
• Key usage, RSA certs, multipurpose/legacy policies: prevent all key usages other than digitalSignature, nonRepudiation, keyEncipherment and dataEncipherment (7.1.2.3.e)
• Key usage, EC certs, all: prevent all key usages other than digitalSignature, nonRepudiation, keyAgreement, encipherOnly, decipherOnly (7.1.2.3.e)
• Key usage, EC certs, all: encipherOnly/decipherOnly are permitted only when keyAgreement is set (7.1.2.3.e)
• Key usage, Edwards certs, keys defined on curve 25519: Bit positions SHALL be set for digitalSignature and MAY be set for nonRepudiation (7.1.2.3.e)
• Extended key usage, strict: emailProtection SHALL be present. Other values SHALL NOT BE PRESENT (7.1.2.3.f)
• Extended key usage, multipurpose/legacy: emailProtection SHALL be present. Other values MAY be present (7.1.2.3.f)
• subjectAlternativeName, all: SHALL be present (7.1.2.3.h)
• subjectAlternativeName, all: SHOULD NOT be marked critical unless subject field is empty (7.1.2.3.h)
• Adobe Extensions, strict: is Prohibited (7.1.2.3.m)
• subject:emailAddress, all: if present, the subject:emailAddress SHALL contain a single Mailbox Address. (7.1.4.2.2.h)
• subject DN attributes for mailbox-validated profile (7.1.4.2.3)

Changelog

• be8dd6a Limit e_registration_scheme_id_matches_subject_country to no longer apply to LEI or INT organizationIdentifiers (#781)
• dfb985b build(deps): bump golang.org/x/crypto from 0.14.0 to 0.17.0 in /v3 (#784)
• 832a1ea build(deps): bump golang.org/x/crypto in /v3/cmd/genTestCerts (#785)
• d4e2de0 Fix goreleaser deprecation (#783)
• f830602 Added IsSMIMEBRCertificate in checkApplies where missing (#780)
• c1aacb0 golangci-lint update and fixes (#782)
• f90a51e util: gtld_map autopull updates for 2023-12-16T12:21:31 UTC (#778)
• 45de880 refactor of SMIME aia contains (#777)
• bc2c0fd CABF SMIME BR Appendix A.1 - countryName matches registration scheme id (#768)
• 7f6ef92 Metalint for checking against the deprecaetd lint.RegisterLint function (#775)
• ebf2071 util: gtld_map autopull updates for 2023-11-27T16:20:42 UTC (#773)
• c35c9b9 Policy Qualifiers other than id-qt-cps are no longer allowed as per CABF BRs (#774)
• 1bb58f0 Updating certificate lint template to use the new certificate specific interface (#772)
• 96a4799 util: gtld_map autopull updates for 2023-11-17T20:19:40 UTC (#771)
• a08efa8 CABF SMIME BR 7.1.2.3.m - Adobe Extensions (#763)
• 45e6204 Convert all Lints to CertificateLints (#767)
• 43b6954 address smime lint applicability issue. regenerate test certificates to fix unit tests broken by change (#764)
• e8c0c24 util: gtld_map autopull updates for 2023-11-06T23:18:29 UTC (#756)
• 64533b5 Ensure AIA URLs point to public paths (#760)
• 8923170 CABF SMIME BR 7.1.2.3.e - KeyUsages (#757)
• f9f30bc Fixing lint registration for CABF SMIME (#761)
• 1c307f4 Lints for CABF SMIME BRs 7.1.2.3.f - EKUs (#747)
• 553276d util: gtld_map autopull updates for 2023-10-19T17:18:28 UTC (#755)
• 2f54486 CABF SMIME 7.1.4.2.h If present, the subject:emailAddress SHALL contain a single Mailbox Address (#752)
• 2f0f4b8 build(deps): bump golang.org/x/net in /v3/cmd/genTestCerts (#751)
• 378c09f build(deps): bump golang.org/x/net from 0.8.0 to 0.17.0 in /v3 (#750)
• 88e01ad Lint for CABF SMIME 7.1.2.3.h - subjectAlternativeName SHOULD NOT be marked critical unless the subject field is an empty sequence (#746)
• 08a9354 Lint for CABF SMIME 7.1.2.3.h - subjectAlternativeName, all: SHALL be present (7.1.2.3.h) (#744)
• 386a8dc Lint for CABF SMIME 7.1.2.3b - cRLDistributionPoints SHALL be present (#742)
• 48baa89 Permit underscores in DNSNames if-and-only-if replacing all underscores results in valid LDH labels during BR 1.6.2's permissibility period (#661)
• ba30b3b Permit underscores in DNSNames if-and-only-if those certificates are valid for less than 30 days and during BR 1.6.2's permissibility period (#660)
• 1fd1c0d Part 1 of SC-62 related updates to zlint (#739)
• 5c4e05f util: gtld_map autopull updates for 2023-08-27T22:18:12 UTC (#737)
• 71d5e4b Reintroduce lint for inconsistent KU and EKU (#708)
• 59d4dd3 Inclusion of approximately 190000 email protection certificates into the test corpus (#738)
• d959c83 Add lint enforcing the restrictions on subject DN fields for mailbox validated SMIME certificates (#713)
• 624744d Include LintMetadata in the LintResult (#729)
• 38b7484 Add CRL Lints for the ReasonCode extension from the baseline requirements and RFC 5280 (#715)
• 1e3cf01 util: gtld_map autopull updates for 2023-07-25T22:18:37 UTC (#736)
• b492fe7 tidy: delete 'h' gitlog fragment from proj. root. (#735)
• 4d38bfe E ext cert policy disallowed any policy qualifier refactor (#732)
• 7602109 util: gtld_map autopull updates for 2023-07-08T13:20:31 UTC (#733)
• 40f2b32 Duplicate lints about keyIdentifier in certificates (#726)
• 3f1605e Ecdsa ee invalid ku check applies (#731)
• 8c46bdf Fix typo in LintRevocationListEx comment (#730)
• 7ef1f84 util: gtld_map autopull updates for 2023-06-14T22:18:50 UTC (#727)
• 5e0219d Bc critical (#722)
• 3746088 util: gtld_map autopull updates for 2023-06-06T18:20:14 UTC (#698)
• 9b18bdc Ca field empty description (#723)
• 59a91a2 Max length check applies (#724)

Full Changelog:v3.5.0...v3.6.0

v3.6.0-rc2

ZLint v3.6.0-rc2

The ZMap team is happy to share ZLint v3.6.0-rc2.

Thank you to everyone who contributes to ZLint!

Breaking Changes:

No breaking changes were made in this release.

Security Patches

A patch was applied to the test certificate generation script which addresses CVE-2023-48795 (Severity Score: 5.9). This script never went online and as such never triggered the vulnerability.

Bug Fixes

• Corrected an issue in e_registration_scheme_id_matches_subject_country wherein LEI and INT certificates were being incorrectly checked.

Changelog

• be8dd6a Limit e_registration_scheme_id_matches_subject_country to no longer apply to LEI or INT organizationIdentifiers (#781)
• dfb985b build(deps): bump golang.org/x/crypto from 0.14.0 to 0.17.0 in /v3 (#784)
• 832a1ea build(deps): bump golang.org/x/crypto in /v3/cmd/genTestCerts (#785)

v3.6.0-rc1

ZLint v3.6.0-rc1

The ZMap team is happy to share ZLint v3.6.0-rc1.

Thank you to everyone who contributes to ZLint!

Breaking Changes:

No breaking changes were made in this release.

Deprecation Warning:

This is primarily a deprecation warning for the library usages of ZLint.

The lint.Lint has been deprecated in favor of the categorical interfaces - CertificateLint and RevocationListLint.

It is advised to refrain from implementing news lints that target the lint.Lint interface as this interface will be removed entirely in a future release.

When implementing a lint for a x509 certificate, library usages should favor implementing the CertificateLint interface. Similarly, when implementing a lint for a CRL, the RevocationListLint interface should be used.

New Lints:

Work has begun on the implementation of CABF/BR SMIME lints. For a complete list of lints being tracked please see #712

• SMIME certificates SHALL have cRLDistributionPoints (7.1.2.3.b)
• Strict and Multipurpose SMIME certificate AIA fields: OCSP Responder "When provided, every accessMethod SHALL have the URI scheme HTTP." (7.1.2.3.c.1)
• Strict and Multipurpose SMIME certificate AIA fields: caIssuers "When provided, every accessMethod SHALL have the URI scheme HTTP." (7.1.2.3.c.1)
• Key usage, RSA certs, strict policies: prevent all key usages other than digitalSignature, nonRepudiation, keyEncipherment (7.1.2.3.e)
• Key usage, RSA certs, multipurpose/legacy policies: prevent all key usages other than digitalSignature, nonRepudiation, keyEncipherment and dataEncipherment (7.1.2.3.e)
• Key usage, EC certs, all: prevent all key usages other than digitalSignature, nonRepudiation, keyAgreement, encipherOnly, decipherOnly (7.1.2.3.e)
• Key usage, EC certs, all: encipherOnly/decipherOnly are permitted only when keyAgreement is set (7.1.2.3.e)
• Key usage, Edwards certs, keys defined on curve 25519: Bit positions SHALL be set for digitalSignature and MAY be set for nonRepudiation (7.1.2.3.e)
• Extended key usage, strict: emailProtection SHALL be present. Other values SHALL NOT BE PRESENT (7.1.2.3.f)
• Extended key usage, multipurpose/legacy: emailProtection SHALL be present. Other values MAY be present (7.1.2.3.f)
• subjectAlternativeName, all: SHALL be present (7.1.2.3.h)
• subjectAlternativeName, all: SHOULD NOT be marked critical unless subject field is empty (7.1.2.3.h)
• Adobe Extensions, strict: is Prohibited (7.1.2.3.m)
• subject:emailAddress, all: if present, the subject:emailAddress SHALL contain a single Mailbox Address. (7.1.4.2.2.h)
• subject DN attributes for mailbox-validated profile (7.1.4.2.3)

Changelog

• d4e2de0 Fix goreleaser deprecation (#783)
• f830602 Added IsSMIMEBRCertificate in checkApplies where missing (#780)
• c1aacb0 golangci-lint update and fixes (#782)
• f90a51e util: gtld_map autopull updates for 2023-12-16T12:21:31 UTC (#778)
• 45de880 refactor of SMIME aia contains (#777)
• bc2c0fd CABF SMIME BR Appendix A.1 - countryName matches registration scheme id (#768)
• 7f6ef92 Metalint for checking against the deprecaetd lint.RegisterLint function (#775)
• ebf2071 util: gtld_map autopull updates for 2023-11-27T16:20:42 UTC (#773)
• c35c9b9 Policy Qualifiers other than id-qt-cps are no longer allowed as per CABF BRs (#774)
• 1bb58f0 Updating certificate lint template to use the new certificate specific interface (#772)
• 96a4799 util: gtld_map autopull updates for 2023-11-17T20:19:40 UTC (#771)
• a08efa8 CABF SMIME BR 7.1.2.3.m - Adobe Extensions (#763)
• 45e6204 Convert all Lints to CertificateLints (#767)
• 43b6954 address smime lint applicability issue. regenerate test certificates to fix unit tests broken by change (#764)
• e8c0c24 util: gtld_map autopull updates for 2023-11-06T23:18:29 UTC (#756)
• 64533b5 Ensure AIA URLs point to public paths (#760)
• 8923170 CABF SMIME BR 7.1.2.3.e - KeyUsages (#757)
• f9f30bc Fixing lint registration for CABF SMIME (#761)
• 1c307f4 Lints for CABF SMIME BRs 7.1.2.3.f - EKUs (#747)
• 553276d util: gtld_map autopull updates for 2023-10-19T17:18:28 UTC (#755)
• 2f54486 CABF SMIME 7.1.4.2.h If present, the subject:emailAddress SHALL contain a single Mailbox Address (#752)
• 2f0f4b8 build(deps): bump golang.org/x/net in /v3/cmd/genTestCerts (#751)
• 378c09f build(deps): bump golang.org/x/net from 0.8.0 to 0.17.0 in /v3 (#750)
• 88e01ad Lint for CABF SMIME 7.1.2.3.h - subjectAlternativeName SHOULD NOT be marked critical unless the subject field is an empty sequence (#746)
• 08a9354 Lint for CABF SMIME 7.1.2.3.h - subjectAlternativeName, all: SHALL be present (7.1.2.3.h) (#744)
• 386a8dc Lint for CABF SMIME 7.1.2.3b - cRLDistributionPoints SHALL be present (#742)
• 48baa89 Permit underscores in DNSNames if-and-only-if replacing all underscores results in valid LDH labels during BR 1.6.2's permissibility period (#661)
• ba30b3b Permit underscores in DNSNames if-and-only-if those certificates are valid for less than 30 days and during BR 1.6.2's permissibility period (#660)
• 1fd1c0d Part 1 of SC-62 related updates to zlint (#739)
• 5c4e05f util: gtld_map autopull updates for 2023-08-27T22:18:12 UTC (#737)
• 71d5e4b Reintroduce lint for inconsistent KU and EKU (#708)
• 59d4dd3 Inclusion of approximately 190000 email protection certificates into the test corpus (#738)
• d959c83 Add lint enforcing the restrictions on subject DN fields for mailbox validated SMIME certificates (#713)
• 624744d Include LintMetadata in the LintResult (#729)
• 38b7484 Add CRL Lints for the ReasonCode extension from the baseline requirements and RFC 5280 (#715)
• 1e3cf01 util: gtld_map autopull updates for 2023-07-25T22:18:37 UTC (#736)
• b492fe7 tidy: delete 'h' gitlog fragment from proj. root. (#735)
• 4d38bfe E ext cert policy disallowed any policy qualifier refactor (#732)
• 7602109 util: gtld_map autopull updates for 2023-07-08T13:20:31 UTC (#733)
• 40f2b32 Duplicate lints about keyIdentifier in certificates (#726)
• 3f1605e Ecdsa ee invalid ku check applies (#731)
• 8c46bdf Fix typo in LintRevocationListEx comment (#730)
• 7ef1f84 util: gtld_map autopull updates for 2023-06-14T22:18:50 UTC (#727)
• 5e0219d Bc critical (#722)
• 3746088 util: gtld_map autopull updates for 2023-06-06T18:20:14 UTC (#698)
• 9b18bdc Ca field empty description (#723)
• 59a91a2 Max length check applies (#724)

Full Changelog:v3.5.0...v3.6.0-rc1

v3.5.0

ZLint v3.5.0

The ZMap team is happy to share ZLint v3.5.0.

Thank you to everyone who contributes to ZLint!

Breaking Changes:

No breaking changes were made in this release.

New Features:

New infrastructure has been added that supports linting Certificate Revocation Lists.

A special thank you to Amir Omidi for their work on this contribution!

New Lints:

• e_crl_has_next_update Conforming CRL issuers MUST include the nextUpdate field in all CRLs.

Bug Fixes:

• Changed e_cert_unique_identifier_version_not_2_or_3 to apply to all certificates, effectively changin a N/A result to a PASS result.
• Changed several unit tests that asserted on string messages, resulting in brittle tests.

Security Updates

• Patch for security vulnerability CVE-2021-38561 (CVSS 7.5)
• Patch for security vulnerability CVE-2021-33194 (CVSS 7.5)
• Patch for security vulnerability CVE-2022-32149 (CVSS 7.5)
• Patch for security vulnerability CVE-2022-27664 (CVSS 7.5)
• Patch for security vulnerability CVE-2021-43565 (CVSS 7.5)
• Patch for security vulnerability CVE-2022-27191 (CVSS 7.5)
• Patch for security vulnerability CVE-2022-29526 (CVSS 5.3)
• Patch for security vulnerability CVE-2021-31525 (CVSS 5.9)
• Patch for security vulnerability CVE-2022-41723 (CVSS "low")
• Patch for security vulnerability CVE-2022-27664 (CVSS 7.5)

Changelog

• 45e8dff Update README.md (#719)
• af90382 Enable accepting a PEM encoded CRL via the command line interface (#721)
• 1d8591c Remove references in comments to Initialize() method of lints (#718)
• 2438596 Always perform e_cert_unique_identifier_version_not_2_or_3 (#711)
• a5c869f Update copyright text to 2023 (#716)
• 997ad51 Add CRL linting infrastructure (#699)
• 64ae4e5 build(deps): bump golang.org/x/net in /v3/cmd/genTestCerts (#704)
• 68901ea build(deps): bump golang.org/x/net in /v3 (#702)
• 5ed8e34 asserting human readable strings is error prone (#707)
• c7740fa build(deps): bump golang.org/x/text in /v3/cmd/genTestCerts (#701)
• a476724 Upgrading golangci-lint to v1.51.2 (#705)
• 46f7185 build(deps): bump golang.org/x/text from 0.3.7 to 0.3.8 in /v3 (#700)
• 8a9f61e test.ReadTestCert breaks for downstream consumers dependent on the previous relative certificate path building behavior (#695)
• 6292ca4 Adding support for linting profiles (#595)
• c627333 util: gtld_map autopull updates for 2022-10-10T19:22:35 UTC (#694)
• 13fcc6f util: gtld_map autopull updates for 2022-10-06T19:22:06 UTC (#693)

Full Changelog:v3.4.1...v3.5.0

v3.5.0-rc2

ZLint v3.5.0-rc2

The ZMap team is happy to share ZLint v3.5.0-rc2.

Thank you to everyone who contributes to ZLint!

Breaking Changes:

No breaking changes were made in this release.

Bug Fixes:

• Corrected an issue which prevented PEM encoded CRLs from being readable via the command line interface. Thank you to Adriano Santoni for finding this issue!

Misc

• Added PKI Insights to the list of industry usages.

Changelog

• 45e8dff Update README.md (#719)
• af90382 Enable accepting a PEM encoded CRL via the command line interface (#721)

Full Changelog:v3.5.0-rc1...v3.5.0-rc2

ZLint v3.5.0-rc1

ZLint v3.5.0-rc1

The ZMap team is happy to share ZLint v3.5.0-rc1.

Thank you to everyone who contributes to ZLint!

Breaking Changes:

No breaking changes were made in this release.

New Features:

New infrastructure has been added that supports linting Certificate Revocation Lists.

A special thank you to Amir Omidi for their work on this contribution!

New Lints:

• e_crl_has_next_update Conforming CRL issuers MUST include the nextUpdate field in all CRLs.

Bug Fixes:

• Changed e_cert_unique_identifier_version_not_2_or_3 to apply to all certificates, effectively changin a N/A result to a PASS result.
• Changed several unit tests that asserted on string messages, resulting in brittle tests.

Security Updates

• Patch for security vulnerability CVE-2021-38561 (CVSS 7.5)
• Patch for security vulnerability CVE-2021-33194 (CVSS 7.5)
• Patch for security vulnerability CVE-2022-32149 (CVSS 7.5)
• Patch for security vulnerability CVE-2022-27664 (CVSS 7.5)
• Patch for security vulnerability CVE-2021-43565 (CVSS 7.5)
• Patch for security vulnerability CVE-2022-27191 (CVSS 7.5)
• Patch for security vulnerability CVE-2022-29526 (CVSS 5.3)
• Patch for security vulnerability CVE-2021-31525 (CVSS 5.9)
• Patch for security vulnerability CVE-2022-41723 (CVSS "low")
• Patch for security vulnerability CVE-2022-27664 (CVSS 7.5)

Changelog

• 1d8591c Remove references in comments to Initialize() method of lints (#718)
• 2438596 Always perform e_cert_unique_identifier_version_not_2_or_3 (#711)
• a5c869f Update copyright text to 2023 (#716)
• 997ad51 Add CRL linting infrastructure (#699)
• 64ae4e5 build(deps): bump golang.org/x/net in /v3/cmd/genTestCerts (#704)
• 68901ea build(deps): bump golang.org/x/net in /v3 (#702)
• 5ed8e34 asserting human readable strings is error prone (#707)
• c7740fa build(deps): bump golang.org/x/text in /v3/cmd/genTestCerts (#701)
• a476724 Upgrading golangci-lint to v1.51.2 (#705)
• 46f7185 build(deps): bump golang.org/x/text from 0.3.7 to 0.3.8 in /v3 (#700)
• 8a9f61e test.ReadTestCert breaks for downstream consumers dependent on the previous relative certificate path building behavior (#695)
• 6292ca4 Adding support for linting profiles (#595)
• c627333 util: gtld_map autopull updates for 2022-10-10T19:22:35 UTC (#694)
• 13fcc6f util: gtld_map autopull updates for 2022-10-06T19:22:06 UTC (#693)

Full Changelog:v3.4.1...v3.5.0-rc1