ZLint v3.6.0
The ZMap team is happy to share ZLint v3.6.0.
Thank you to everyone who contributes to ZLint!
Breaking Changes:
No breaking changes were made in this release.
Deprecation Warning:
This release carries a deprecation warning for library users of ZLint.
lint.Lint has been deprecated in favor of the categorical interfaces CertificateLint and RevocationListLint.
Do not implement new lints against the lint.Lint interface; it will be removed entirely in a future release.
A lint for an X.509 certificate should implement the CertificateLint interface, and a lint for a CRL
should implement the RevocationListLint interface. Registering a lint through the deprecated lint.RegisterLint
function is now flagged by a metalint (#775), and the certificate lint template has been updated to the new interface (#772).
Security Patches
The golang.org/x/crypto dependency was bumped to 0.17.0 (#784, #785) to address CVE-2023-48795 (CVSS 5.9), the prefix-truncation issue in the x/crypto SSH implementation, which was pulled in by the test certificate generation script (genTestCerts). The script is only ever run offline to produce test fixtures and was never exposed to a network, so the vulnerable code path was never triggered.
Bug Fixes
- Corrected an issue in e_registration_scheme_id_matches_subject_country wherein certificates whose organizationIdentifier uses the LEI or INT registration scheme were being incorrectly checked; the lint no longer applies to them (#781).
New Lints:
Work has begun on the implementation of CABF/BR S/MIME lints. For the complete list of lints being tracked, see #712.
- SMIME certificates SHALL have cRLDistributionPoints (7.1.2.3.b)
- Strict and Multipurpose SMIME certificate AIA fields: OCSP Responder "When provided, every accessMethod SHALL have the URI scheme HTTP." (7.1.2.3.c.1)
- Strict and Multipurpose SMIME certificate AIA fields: caIssuers "When provided, every accessMethod SHALL have the URI scheme HTTP." (7.1.2.3.c.1)
- Key usage, RSA certs, strict policies: prevent all key usages other than digitalSignature, nonRepudiation, keyEncipherment (7.1.2.3.e)
- Key usage, RSA certs, multipurpose/legacy policies: prevent all key usages other than digitalSignature, nonRepudiation, keyEncipherment and dataEncipherment (7.1.2.3.e)
- Key usage, EC certs, all: prevent all key usages other than digitalSignature, nonRepudiation, keyAgreement, encipherOnly, decipherOnly (7.1.2.3.e)
- Key usage, EC certs, all: encipherOnly/decipherOnly are permitted only when keyAgreement is set (7.1.2.3.e)
- Key usage, Edwards certs, keys defined on curve 25519: Bit positions SHALL be set for digitalSignature and MAY be set for nonRepudiation (7.1.2.3.e)
- Extended key usage, strict: emailProtection SHALL be present. Other values SHALL NOT be present (7.1.2.3.f)
- Extended key usage, multipurpose/legacy: emailProtection SHALL be present. Other values MAY be present (7.1.2.3.f)
- subjectAlternativeName, all: SHALL be present (7.1.2.3.h)
- subjectAlternativeName, all: SHOULD NOT be marked critical unless subject field is empty (7.1.2.3.h)
- Adobe Extensions, strict: are prohibited (7.1.2.3.m)
- subject:emailAddress, all: if present, the subject:emailAddress SHALL contain a single Mailbox Address. (7.1.4.2.2.h)
- subject DN attributes for mailbox-validated profile (7.1.4.2.3)
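The key-usage bullets for 7.1.2.3.e above, and the CertificateLint shape described in the deprecation warning, are easiest to see together in code. The following is an added example written for these notes, not ZLint's own code: it reimplements that key-usage matrix on top of the standard library's crypto/x509 (ZLint itself lints github.com/zmap/zcrypto/x509 certificates and returns its own lint.LintResult), so it compiles with no module dependencies. Two things are assumptions of the example rather than ZLint behaviour: the policy family is passed in as a `strict` flag (false covering Multipurpose and Legacy) instead of being derived from the certificate's policy OIDs, and the `Result` type and the constructed self-signed test certificates are stand-ins. The body of `keyUsageLint` plays the role of a CertificateLint's Execute; the `default` branch is where a real lint's CheckApplies would decline the certificate instead of returning NA.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/ed25519"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// Result is a cut-down stand-in for a ZLint LintResult (example type, not ZLint's).
type Result struct{ Status, Details string } // Status is "pass", "error" or "NA"

// keyUsageLint applies SMIME BR 7.1.2.3.e as summarised in the release notes. strict
// selects the Strict policy family; false covers Multipurpose and Legacy. Assumption:
// ZLint derives the family from the certificate's policy OIDs, here the caller passes it.
func keyUsageLint(c *x509.Certificate, strict bool) Result {
	var allowed x509.KeyUsage
	switch c.PublicKey.(type) {
	case *rsa.PublicKey:
		allowed = x509.KeyUsageDigitalSignature | x509.KeyUsageContentCommitment | x509.KeyUsageKeyEncipherment
		if !strict { // multipurpose/legacy additionally permit dataEncipherment
			allowed |= x509.KeyUsageDataEncipherment
		}
	case *ecdsa.PublicKey:
		onlyBits := x509.KeyUsageEncipherOnly | x509.KeyUsageDecipherOnly
		allowed = x509.KeyUsageDigitalSignature | x509.KeyUsageContentCommitment | x509.KeyUsageKeyAgreement | onlyBits
		if c.KeyUsage&onlyBits != 0 && c.KeyUsage&x509.KeyUsageKeyAgreement == 0 {
			return Result{"error", "encipherOnly/decipherOnly set without keyAgreement"}
		}
	case ed25519.PublicKey:
		allowed = x509.KeyUsageDigitalSignature | x509.KeyUsageContentCommitment // ContentCommitment = nonRepudiation
		if c.KeyUsage&x509.KeyUsageDigitalSignature == 0 {
			return Result{"error", "curve25519 keys SHALL assert digitalSignature"}
		}
	default: // a real CertificateLint would return false from CheckApplies here
		return Result{"NA", "key algorithm not covered by 7.1.2.3.e"}
	}
	if extra := c.KeyUsage &^ allowed; extra != 0 {
		return Result{"error", fmt.Sprintf("disallowed keyUsage bits %#x", extra)}
	}
	return Result{"pass", ""}
}

// check panics on error; acceptable for building constructed test fixtures.
func check(err error) {
	if err != nil {
		panic(err)
	}
}

// newCert mints a throwaway self-signed S/MIME-style certificate with the requested
// keyUsage bits. Constructed test input, not a CA-issued certificate.
func newCert(key crypto.Signer, ku x509.KeyUsage) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: ku, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection},
		EmailAddresses: []string{"user@example.com"},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	check(err)
	c, err := x509.ParseCertificate(der)
	check(err)
	return c
}

// Demo lints constructed certificates and returns each scenario's status by label.
func Demo() map[string]string {
	rsaKey, err := rsa.GenerateKey(rand.Reader, 2048)
	check(err)
	ecKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	_, edKey, err := ed25519.GenerateKey(rand.Reader)
	check(err)
	ds, ke, de := x509.KeyUsageDigitalSignature, x509.KeyUsageKeyEncipherment, x509.KeyUsageDataEncipherment
	ka, eo, cc := x509.KeyUsageKeyAgreement, x509.KeyUsageEncipherOnly, x509.KeyUsageContentCommitment
	return map[string]string{
		"rsa strict digitalSignature+keyEncipherment": keyUsageLint(newCert(rsaKey, ds|ke), true).Status,
		"rsa strict +dataEncipherment":                keyUsageLint(newCert(rsaKey, ds|ke|de), true).Status,
		"rsa multipurpose +dataEncipherment":          keyUsageLint(newCert(rsaKey, ds|ke|de), false).Status,
		"ec encipherOnly without keyAgreement":        keyUsageLint(newCert(ecKey, ds|eo), true).Status,
		"ec encipherOnly with keyAgreement":           keyUsageLint(newCert(ecKey, ka|eo), true).Status,
		"ed25519 nonRepudiation only":                 keyUsageLint(newCert(edKey, cc), true).Status,
		"ed25519 digitalSignature+nonRepudiation":     keyUsageLint(newCert(edKey, ds|cc), true).Status,
	}
}

func main() {
	for label, status := range Demo() {
		fmt.Printf("%-46s %s\n", label, status)
	}
}
```

Running it with `go run .` prints pass, error or NA per label. The two `rsa ... +dataEncipherment` entries lint the same certificate under both families and show it failing only under strict; the two `ec encipherOnly` entries exercise the rule that encipherOnly/decipherOnly are only permitted alongside keyAgreement; the two `ed25519` entries show the mandatory digitalSignature bit for curve 25519 keys.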
Changelog
- be8dd6a Limit e_registration_scheme_id_matches_subject_country to no longer apply to LEI or INT organizationIdentifiers (#781)
- dfb985b build(deps): bump golang.org/x/crypto from 0.14.0 to 0.17.0 in /v3 (#784)
- 832a1ea build(deps): bump golang.org/x/crypto in /v3/cmd/genTestCerts (#785)
- d4e2de0 Fix goreleaser deprecation (#783)
- f830602 Added IsSMIMEBRCertificate in checkApplies where missing (#780)
- c1aacb0 golangci-lint update and fixes (#782)
- f90a51e util: gtld_map autopull updates for 2023-12-16T12:21:31 UTC (#778)
- 45de880 refactor of SMIME aia contains (#777)
- bc2c0fd CABF SMIME BR Appendix A.1 - countryName matches registration scheme id (#768)
- 7f6ef92 Metalint for checking against the deprecated lint.RegisterLint function (#775)
- ebf2071 util: gtld_map autopull updates for 2023-11-27T16:20:42 UTC (#773)
- c35c9b9 Policy Qualifiers other than id-qt-cps are no longer allowed as per CABF BRs (#774)
- 1bb58f0 Updating certificate lint template to use the new certificate specific interface (#772)
- 96a4799 util: gtld_map autopull updates for 2023-11-17T20:19:40 UTC (#771)
- a08efa8 CABF SMIME BR 7.1.2.3.m - Adobe Extensions (#763)
- 45e6204 Convert all Lints to CertificateLints (#767)
- 43b6954 address smime lint applicability issue. regenerate test certificates to fix unit tests broken by change (#764)
- e8c0c24 util: gtld_map autopull updates for 2023-11-06T23:18:29 UTC (#756)
- 64533b5 Ensure AIA URLs point to public paths (#760)
- 8923170 CABF SMIME BR 7.1.2.3.e - KeyUsages (#757)
- f9f30bc Fixing lint registration for CABF SMIME (#761)
- 1c307f4 Lints for CABF SMIME BRs 7.1.2.3.f - EKUs (#747)
- 553276d util: gtld_map autopull updates for 2023-10-19T17:18:28 UTC (#755)
- 2f54486 CABF SMIME 7.1.4.2.h If present, the subject:emailAddress SHALL contain a single Mailbox Address (#752)
- 2f0f4b8 build(deps): bump golang.org/x/net in /v3/cmd/genTestCerts (#751)
- 378c09f build(deps): bump golang.org/x/net from 0.8.0 to 0.17.0 in /v3 (#750)
- 88e01ad Lint for CABF SMIME 7.1.2.3.h - subjectAlternativeName SHOULD NOT be marked critical unless the subject field is an empty sequence (#746)
- 08a9354 Lint for CABF SMIME 7.1.2.3.h - subjectAlternativeName, all: SHALL be present (7.1.2.3.h) (#744)
- 386a8dc Lint for CABF SMIME 7.1.2.3b - cRLDistributionPoints SHALL be present (#742)
- 48baa89 Permit underscores in DNSNames if-and-only-if replacing all underscores results in valid LDH labels during BR 1.6.2's permissibility period (#661)
- ba30b3b Permit underscores in DNSNames if-and-only-if those certificates are valid for less than 30 days and during BR 1.6.2's permissibility period (#660)
- 1fd1c0d Part 1 of SC-62 related updates to zlint (#739)
- 5c4e05f util: gtld_map autopull updates for 2023-08-27T22:18:12 UTC (#737)
- 71d5e4b Reintroduce lint for inconsistent KU and EKU (#708)
- 59d4dd3 Inclusion of approximately 190000 email protection certificates into the test corpus (#738)
- d959c83 Add lint enforcing the restrictions on subject DN fields for mailbox validated SMIME certificates (#713)
- 624744d Include LintMetadata in the LintResult (#729)
- 38b7484 Add CRL Lints for the ReasonCode extension from the baseline requirements and RFC 5280 (#715)
- 1e3cf01 util: gtld_map autopull updates for 2023-07-25T22:18:37 UTC (#736)
- b492fe7 tidy: delete 'h' gitlog fragment from proj. root. (#735)
- 4d38bfe E ext cert policy disallowed any policy qualifier refactor (#732)
- 7602109 util: gtld_map autopull updates for 2023-07-08T13:20:31 UTC (#733)
- 40f2b32 Duplicate lints about keyIdentifier in certificates (#726)
- 3f1605e Ecdsa ee invalid ku check applies (#731)
- 8c46bdf Fix typo in LintRevocationListEx comment (#730)
- 7ef1f84 util: gtld_map autopull updates for 2023-06-14T22:18:50 UTC (#727)
- 5e0219d Bc critical (#722)
- 3746088 util: gtld_map autopull updates for 2023-06-06T18:20:14 UTC (#698)
- 9b18bdc Ca field empty description (#723)
- 59a91a2 Max length check applies (#724)
Full Changelog: v3.5.0...v3.6.0