Skip to content

v3.6.0

Compare
Choose a tag to compare
@github-actions github-actions released this 07 Jan 19:53
· 88 commits to master since this release
be8dd6a

ZLint v3.6.0

The ZMap team is happy to share ZLint v3.6.0.

Thank you to everyone who contributes to ZLint!

Breaking Changes:

No breaking changes were made in this release.

Deprecation Warning:

This is primarily a deprecation warning for the library usages of ZLint.

The lint.Lint has been deprecated in favor of the categorical interfaces - CertificateLint and RevocationListLint.

It is advised to refrain from implementing news lints that target the lint.Lint interface as this interface will be removed entirely in a future release.

When implementing a lint for a x509 certificate, library usages should favor implementing the CertificateLint interface. Similarly, when implementing a lint for a CRL, the RevocationListLint interface should be used.

Security Patches

A patch was applied to the test certificate generation script which addresses CVE-2023-48795 (Severity Score: 5.9). This script never went online and as such never triggered the vulnerability.

Bug Fixes

  • Corrected an issue in e_registration_scheme_id_matches_subject_country wherein LEI and INT certificates were being incorrectly checked.

New Lints:

Work has begun on the implementation of CABF/BR SMIME lints. For a complete list of lints being tracked please see #712

  • SMIME certificates SHALL have cRLDistributionPoints (7.1.2.3.b)
  • Strict and Multipurpose SMIME certificate AIA fields: OCSP Responder "When provided, every accessMethod SHALL have the URI scheme HTTP." (7.1.2.3.c.1)
  • Strict and Multipurpose SMIME certificate AIA fields: caIssuers "When provided, every accessMethod SHALL have the URI scheme HTTP." (7.1.2.3.c.1)
  • Key usage, RSA certs, strict policies: prevent all key usages other than digitalSignature, nonRepudiation, keyEncipherment (7.1.2.3.e)
  • Key usage, RSA certs, multipurpose/legacy policies: prevent all key usages other than digitalSignature, nonRepudiation, keyEncipherment and dataEncipherment (7.1.2.3.e)
  • Key usage, EC certs, all: prevent all key usages other than digitalSignature, nonRepudiation, keyAgreement, encipherOnly, decipherOnly (7.1.2.3.e)
  • Key usage, EC certs, all: encipherOnly/decipherOnly are permitted only when keyAgreement is set (7.1.2.3.e)
  • Key usage, Edwards certs, keys defined on curve 25519: Bit positions SHALL be set for digitalSignature and MAY be set for nonRepudiation (7.1.2.3.e)
  • Extended key usage, strict: emailProtection SHALL be present. Other values SHALL NOT BE PRESENT (7.1.2.3.f)
  • Extended key usage, multipurpose/legacy: emailProtection SHALL be present. Other values MAY be present (7.1.2.3.f)
  • subjectAlternativeName, all: SHALL be present (7.1.2.3.h)
  • subjectAlternativeName, all: SHOULD NOT be marked critical unless subject field is empty (7.1.2.3.h)
  • Adobe Extensions, strict: is Prohibited (7.1.2.3.m)
  • subject:emailAddress, all: if present, the subject:emailAddress SHALL contain a single Mailbox Address. (7.1.4.2.2.h)
  • subject DN attributes for mailbox-validated profile (7.1.4.2.3)

Changelog

  • be8dd6a Limit e_registration_scheme_id_matches_subject_country to no longer apply to LEI or INT organizationIdentifiers (#781)
  • dfb985b build(deps): bump golang.org/x/crypto from 0.14.0 to 0.17.0 in /v3 (#784)
  • 832a1ea build(deps): bump golang.org/x/crypto in /v3/cmd/genTestCerts (#785)
  • d4e2de0 Fix goreleaser deprecation (#783)
  • f830602 Added IsSMIMEBRCertificate in checkApplies where missing (#780)
  • c1aacb0 golangci-lint update and fixes (#782)
  • f90a51e util: gtld_map autopull updates for 2023-12-16T12:21:31 UTC (#778)
  • 45de880 refactor of SMIME aia contains (#777)
  • bc2c0fd CABF SMIME BR Appendix A.1 - countryName matches registration scheme id (#768)
  • 7f6ef92 Metalint for checking against the deprecaetd lint.RegisterLint function (#775)
  • ebf2071 util: gtld_map autopull updates for 2023-11-27T16:20:42 UTC (#773)
  • c35c9b9 Policy Qualifiers other than id-qt-cps are no longer allowed as per CABF BRs (#774)
  • 1bb58f0 Updating certificate lint template to use the new certificate specific interface (#772)
  • 96a4799 util: gtld_map autopull updates for 2023-11-17T20:19:40 UTC (#771)
  • a08efa8 CABF SMIME BR 7.1.2.3.m - Adobe Extensions (#763)
  • 45e6204 Convert all Lints to CertificateLints (#767)
  • 43b6954 address smime lint applicability issue. regenerate test certificates to fix unit tests broken by change (#764)
  • e8c0c24 util: gtld_map autopull updates for 2023-11-06T23:18:29 UTC (#756)
  • 64533b5 Ensure AIA URLs point to public paths (#760)
  • 8923170 CABF SMIME BR 7.1.2.3.e - KeyUsages (#757)
  • f9f30bc Fixing lint registration for CABF SMIME (#761)
  • 1c307f4 Lints for CABF SMIME BRs 7.1.2.3.f - EKUs (#747)
  • 553276d util: gtld_map autopull updates for 2023-10-19T17:18:28 UTC (#755)
  • 2f54486 CABF SMIME 7.1.4.2.h If present, the subject:emailAddress SHALL contain a single Mailbox Address (#752)
  • 2f0f4b8 build(deps): bump golang.org/x/net in /v3/cmd/genTestCerts (#751)
  • 378c09f build(deps): bump golang.org/x/net from 0.8.0 to 0.17.0 in /v3 (#750)
  • 88e01ad Lint for CABF SMIME 7.1.2.3.h - subjectAlternativeName SHOULD NOT be marked critical unless the subject field is an empty sequence (#746)
  • 08a9354 Lint for CABF SMIME 7.1.2.3.h - subjectAlternativeName, all: SHALL be present (7.1.2.3.h) (#744)
  • 386a8dc Lint for CABF SMIME 7.1.2.3b - cRLDistributionPoints SHALL be present (#742)
  • 48baa89 Permit underscores in DNSNames if-and-only-if replacing all underscores results in valid LDH labels during BR 1.6.2's permissibility period (#661)
  • ba30b3b Permit underscores in DNSNames if-and-only-if those certificates are valid for less than 30 days and during BR 1.6.2's permissibility period (#660)
  • 1fd1c0d Part 1 of SC-62 related updates to zlint (#739)
  • 5c4e05f util: gtld_map autopull updates for 2023-08-27T22:18:12 UTC (#737)
  • 71d5e4b Reintroduce lint for inconsistent KU and EKU (#708)
  • 59d4dd3 Inclusion of approximately 190000 email protection certificates into the test corpus (#738)
  • d959c83 Add lint enforcing the restrictions on subject DN fields for mailbox validated SMIME certificates (#713)
  • 624744d Include LintMetadata in the LintResult (#729)
  • 38b7484 Add CRL Lints for the ReasonCode extension from the baseline requirements and RFC 5280 (#715)
  • 1e3cf01 util: gtld_map autopull updates for 2023-07-25T22:18:37 UTC (#736)
  • b492fe7 tidy: delete 'h' gitlog fragment from proj. root. (#735)
  • 4d38bfe E ext cert policy disallowed any policy qualifier refactor (#732)
  • 7602109 util: gtld_map autopull updates for 2023-07-08T13:20:31 UTC (#733)
  • 40f2b32 Duplicate lints about keyIdentifier in certificates (#726)
  • 3f1605e Ecdsa ee invalid ku check applies (#731)
  • 8c46bdf Fix typo in LintRevocationListEx comment (#730)
  • 7ef1f84 util: gtld_map autopull updates for 2023-06-14T22:18:50 UTC (#727)
  • 5e0219d Bc critical (#722)
  • 3746088 util: gtld_map autopull updates for 2023-06-06T18:20:14 UTC (#698)
  • 9b18bdc Ca field empty description (#723)
  • 59a91a2 Max length check applies (#724)

Full Changelog:v3.5.0...v3.6.0