v3.6.0-rc1

ZLint v3.6.0-rc1

The ZMap team is happy to share ZLint v3.6.0-rc1.

Thank you to everyone who contributes to ZLint!

Breaking Changes:

No breaking changes were made in this release.

Deprecation Warning:

This is primarily a deprecation warning for the library usages of ZLint.

The lint.Lint has been deprecated in favor of the categorical interfaces - CertificateLint and RevocationListLint.

It is advised to refrain from implementing news lints that target the lint.Lint interface as this interface will be removed entirely in a future release.

When implementing a lint for a x509 certificate, library usages should favor implementing the CertificateLint interface. Similarly, when implementing a lint for a CRL, the RevocationListLint interface should be used.

New Lints:

Work has begun on the implementation of CABF/BR SMIME lints. For a complete list of lints being tracked please see #712

• SMIME certificates SHALL have cRLDistributionPoints (7.1.2.3.b)
• Strict and Multipurpose SMIME certificate AIA fields: OCSP Responder "When provided, every accessMethod SHALL have the URI scheme HTTP." (7.1.2.3.c.1)
• Strict and Multipurpose SMIME certificate AIA fields: caIssuers "When provided, every accessMethod SHALL have the URI scheme HTTP." (7.1.2.3.c.1)
• Key usage, RSA certs, strict policies: prevent all key usages other than digitalSignature, nonRepudiation, keyEncipherment (7.1.2.3.e)
• Key usage, RSA certs, multipurpose/legacy policies: prevent all key usages other than digitalSignature, nonRepudiation, keyEncipherment and dataEncipherment (7.1.2.3.e)
• Key usage, EC certs, all: prevent all key usages other than digitalSignature, nonRepudiation, keyAgreement, encipherOnly, decipherOnly (7.1.2.3.e)
• Key usage, EC certs, all: encipherOnly/decipherOnly are permitted only when keyAgreement is set (7.1.2.3.e)
• Key usage, Edwards certs, keys defined on curve 25519: Bit positions SHALL be set for digitalSignature and MAY be set for nonRepudiation (7.1.2.3.e)
• Extended key usage, strict: emailProtection SHALL be present. Other values SHALL NOT BE PRESENT (7.1.2.3.f)
• Extended key usage, multipurpose/legacy: emailProtection SHALL be present. Other values MAY be present (7.1.2.3.f)
• subjectAlternativeName, all: SHALL be present (7.1.2.3.h)
• subjectAlternativeName, all: SHOULD NOT be marked critical unless subject field is empty (7.1.2.3.h)
• Adobe Extensions, strict: is Prohibited (7.1.2.3.m)
• subject:emailAddress, all: if present, the subject:emailAddress SHALL contain a single Mailbox Address. (7.1.4.2.2.h)
• subject DN attributes for mailbox-validated profile (7.1.4.2.3)

Changelog

• d4e2de0 Fix goreleaser deprecation (#783)
• f830602 Added IsSMIMEBRCertificate in checkApplies where missing (#780)
• c1aacb0 golangci-lint update and fixes (#782)
• f90a51e util: gtld_map autopull updates for 2023-12-16T12:21:31 UTC (#778)
• 45de880 refactor of SMIME aia contains (#777)
• bc2c0fd CABF SMIME BR Appendix A.1 - countryName matches registration scheme id (#768)
• 7f6ef92 Metalint for checking against the deprecaetd lint.RegisterLint function (#775)
• ebf2071 util: gtld_map autopull updates for 2023-11-27T16:20:42 UTC (#773)
• c35c9b9 Policy Qualifiers other than id-qt-cps are no longer allowed as per CABF BRs (#774)
• 1bb58f0 Updating certificate lint template to use the new certificate specific interface (#772)
• 96a4799 util: gtld_map autopull updates for 2023-11-17T20:19:40 UTC (#771)
• a08efa8 CABF SMIME BR 7.1.2.3.m - Adobe Extensions (#763)
• 45e6204 Convert all Lints to CertificateLints (#767)
• 43b6954 address smime lint applicability issue. regenerate test certificates to fix unit tests broken by change (#764)
• e8c0c24 util: gtld_map autopull updates for 2023-11-06T23:18:29 UTC (#756)
• 64533b5 Ensure AIA URLs point to public paths (#760)
• 8923170 CABF SMIME BR 7.1.2.3.e - KeyUsages (#757)
• f9f30bc Fixing lint registration for CABF SMIME (#761)
• 1c307f4 Lints for CABF SMIME BRs 7.1.2.3.f - EKUs (#747)
• 553276d util: gtld_map autopull updates for 2023-10-19T17:18:28 UTC (#755)
• 2f54486 CABF SMIME 7.1.4.2.h If present, the subject:emailAddress SHALL contain a single Mailbox Address (#752)
• 2f0f4b8 build(deps): bump golang.org/x/net in /v3/cmd/genTestCerts (#751)
• 378c09f build(deps): bump golang.org/x/net from 0.8.0 to 0.17.0 in /v3 (#750)
• 88e01ad Lint for CABF SMIME 7.1.2.3.h - subjectAlternativeName SHOULD NOT be marked critical unless the subject field is an empty sequence (#746)
• 08a9354 Lint for CABF SMIME 7.1.2.3.h - subjectAlternativeName, all: SHALL be present (7.1.2.3.h) (#744)
• 386a8dc Lint for CABF SMIME 7.1.2.3b - cRLDistributionPoints SHALL be present (#742)
• 48baa89 Permit underscores in DNSNames if-and-only-if replacing all underscores results in valid LDH labels during BR 1.6.2's permissibility period (#661)
• ba30b3b Permit underscores in DNSNames if-and-only-if those certificates are valid for less than 30 days and during BR 1.6.2's permissibility period (#660)
• 1fd1c0d Part 1 of SC-62 related updates to zlint (#739)
• 5c4e05f util: gtld_map autopull updates for 2023-08-27T22:18:12 UTC (#737)
• 71d5e4b Reintroduce lint for inconsistent KU and EKU (#708)
• 59d4dd3 Inclusion of approximately 190000 email protection certificates into the test corpus (#738)
• d959c83 Add lint enforcing the restrictions on subject DN fields for mailbox validated SMIME certificates (#713)
• 624744d Include LintMetadata in the LintResult (#729)
• 38b7484 Add CRL Lints for the ReasonCode extension from the baseline requirements and RFC 5280 (#715)
• 1e3cf01 util: gtld_map autopull updates for 2023-07-25T22:18:37 UTC (#736)
• b492fe7 tidy: delete 'h' gitlog fragment from proj. root. (#735)
• 4d38bfe E ext cert policy disallowed any policy qualifier refactor (#732)
• 7602109 util: gtld_map autopull updates for 2023-07-08T13:20:31 UTC (#733)
• 40f2b32 Duplicate lints about keyIdentifier in certificates (#726)
• 3f1605e Ecdsa ee invalid ku check applies (#731)
• 8c46bdf Fix typo in LintRevocationListEx comment (#730)
• 7ef1f84 util: gtld_map autopull updates for 2023-06-14T22:18:50 UTC (#727)
• 5e0219d Bc critical (#722)
• 3746088 util: gtld_map autopull updates for 2023-06-06T18:20:14 UTC (#698)
• 9b18bdc Ca field empty description (#723)
• 59a91a2 Max length check applies (#724)

Full Changelog:v3.5.0...v3.6.0-rc1

v3.5.0

ZLint v3.5.0

The ZMap team is happy to share ZLint v3.5.0.

Thank you to everyone who contributes to ZLint!

Breaking Changes:

No breaking changes were made in this release.

New Features:

New infrastructure has been added that supports linting Certificate Revocation Lists.

A special thank you to Amir Omidi for their work on this contribution!

New Lints:

• e_crl_has_next_update Conforming CRL issuers MUST include the nextUpdate field in all CRLs.

Bug Fixes:

• Changed e_cert_unique_identifier_version_not_2_or_3 to apply to all certificates, effectively changin a N/A result to a PASS result.
• Changed several unit tests that asserted on string messages, resulting in brittle tests.

Security Updates

• Patch for security vulnerability CVE-2021-38561 (CVSS 7.5)
• Patch for security vulnerability CVE-2021-33194 (CVSS 7.5)
• Patch for security vulnerability CVE-2022-32149 (CVSS 7.5)
• Patch for security vulnerability CVE-2022-27664 (CVSS 7.5)
• Patch for security vulnerability CVE-2021-43565 (CVSS 7.5)
• Patch for security vulnerability CVE-2022-27191 (CVSS 7.5)
• Patch for security vulnerability CVE-2022-29526 (CVSS 5.3)
• Patch for security vulnerability CVE-2021-31525 (CVSS 5.9)
• Patch for security vulnerability CVE-2022-41723 (CVSS "low")
• Patch for security vulnerability CVE-2022-27664 (CVSS 7.5)

Changelog

• 45e8dff Update README.md (#719)
• af90382 Enable accepting a PEM encoded CRL via the command line interface (#721)
• 1d8591c Remove references in comments to Initialize() method of lints (#718)
• 2438596 Always perform e_cert_unique_identifier_version_not_2_or_3 (#711)
• a5c869f Update copyright text to 2023 (#716)
• 997ad51 Add CRL linting infrastructure (#699)
• 64ae4e5 build(deps): bump golang.org/x/net in /v3/cmd/genTestCerts (#704)
• 68901ea build(deps): bump golang.org/x/net in /v3 (#702)
• 5ed8e34 asserting human readable strings is error prone (#707)
• c7740fa build(deps): bump golang.org/x/text in /v3/cmd/genTestCerts (#701)
• a476724 Upgrading golangci-lint to v1.51.2 (#705)
• 46f7185 build(deps): bump golang.org/x/text from 0.3.7 to 0.3.8 in /v3 (#700)
• 8a9f61e test.ReadTestCert breaks for downstream consumers dependent on the previous relative certificate path building behavior (#695)
• 6292ca4 Adding support for linting profiles (#595)
• c627333 util: gtld_map autopull updates for 2022-10-10T19:22:35 UTC (#694)
• 13fcc6f util: gtld_map autopull updates for 2022-10-06T19:22:06 UTC (#693)

Full Changelog:v3.4.1...v3.5.0

v3.5.0-rc2

ZLint v3.5.0-rc2

The ZMap team is happy to share ZLint v3.5.0-rc2.

Thank you to everyone who contributes to ZLint!

Breaking Changes:

No breaking changes were made in this release.

Bug Fixes:

• Corrected an issue which prevented PEM encoded CRLs from being readable via the command line interface. Thank you to Adriano Santoni for finding this issue!

Misc

• Added PKI Insights to the list of industry usages.

Changelog

• 45e8dff Update README.md (#719)
• af90382 Enable accepting a PEM encoded CRL via the command line interface (#721)

Full Changelog:v3.5.0-rc1...v3.5.0-rc2

ZLint v3.5.0-rc1

ZLint v3.5.0-rc1

The ZMap team is happy to share ZLint v3.5.0-rc1.

Thank you to everyone who contributes to ZLint!

Breaking Changes:

No breaking changes were made in this release.

New Features:

New infrastructure has been added that supports linting Certificate Revocation Lists.

A special thank you to Amir Omidi for their work on this contribution!

New Lints:

• e_crl_has_next_update Conforming CRL issuers MUST include the nextUpdate field in all CRLs.

Bug Fixes:

• Changed e_cert_unique_identifier_version_not_2_or_3 to apply to all certificates, effectively changin a N/A result to a PASS result.
• Changed several unit tests that asserted on string messages, resulting in brittle tests.

Security Updates

• Patch for security vulnerability CVE-2021-38561 (CVSS 7.5)
• Patch for security vulnerability CVE-2021-33194 (CVSS 7.5)
• Patch for security vulnerability CVE-2022-32149 (CVSS 7.5)
• Patch for security vulnerability CVE-2022-27664 (CVSS 7.5)
• Patch for security vulnerability CVE-2021-43565 (CVSS 7.5)
• Patch for security vulnerability CVE-2022-27191 (CVSS 7.5)
• Patch for security vulnerability CVE-2022-29526 (CVSS 5.3)
• Patch for security vulnerability CVE-2021-31525 (CVSS 5.9)
• Patch for security vulnerability CVE-2022-41723 (CVSS "low")
• Patch for security vulnerability CVE-2022-27664 (CVSS 7.5)

Changelog

• 1d8591c Remove references in comments to Initialize() method of lints (#718)
• 2438596 Always perform e_cert_unique_identifier_version_not_2_or_3 (#711)
• a5c869f Update copyright text to 2023 (#716)
• 997ad51 Add CRL linting infrastructure (#699)
• 64ae4e5 build(deps): bump golang.org/x/net in /v3/cmd/genTestCerts (#704)
• 68901ea build(deps): bump golang.org/x/net in /v3 (#702)
• 5ed8e34 asserting human readable strings is error prone (#707)
• c7740fa build(deps): bump golang.org/x/text in /v3/cmd/genTestCerts (#701)
• a476724 Upgrading golangci-lint to v1.51.2 (#705)
• 46f7185 build(deps): bump golang.org/x/text from 0.3.7 to 0.3.8 in /v3 (#700)
• 8a9f61e test.ReadTestCert breaks for downstream consumers dependent on the previous relative certificate path building behavior (#695)
• 6292ca4 Adding support for linting profiles (#595)
• c627333 util: gtld_map autopull updates for 2022-10-10T19:22:35 UTC (#694)
• 13fcc6f util: gtld_map autopull updates for 2022-10-06T19:22:06 UTC (#693)

Full Changelog:v3.4.1...v3.5.0-rc1

ZLint v3.4.1

ZLint v3.4.1

The ZMap team is happy to share ZLint v3.4.1.

Thank you to everyone who contributes to ZLint!

Breaking Changes:

No breaking changes were made in this release.

Bug Fixes:

• A change was made in test.ReadTestCert to find test certificates relative to the root of the repository. This change, however, broke some downstream consumers who were dependent upon the previous behavior of searching for test certificates relative to the present working directory.

Changelog

• e9597a6 test.ReadTestCert breaks for downstream consumers dependent on the previous relative certificate path building behavior (#695)

Full Changelog: v3.4.0...v3.4.1

ZLint v3.4.1-rc1

ZLint v3.4.1-rc1

The ZMap team is happy to share ZLint v3.4.1-rc1.

Thank you to everyone who contributes to ZLint!

Breaking Changes:

No breaking changes were made in this release.

Bug Fixes:

• A change was made in test.ReadTestCert to find test certificates relative to the root of the repository. This change, however, broke some downstream consumers who were dependent upon the previous behavior of searching for test certificates relative to the present working directory.

Changelog

• e9597a6 test.ReadTestCert breaks for downstream consumers dependent on the previous relative certificate path building behavior (#695)

Full Changelog: v3.4.0...v3.4.1-rc1

v3.4.0

ZLint v3.4.0

The ZMap team is happy to share ZLint v3.4.0.

Thank you to everyone who contributes to ZLint!

Breaking Changes:

No breaking changes were made in this release.

New Features:

Individual lints may now be (optionally) configurable!

For Lint Authors

For lint authors, please see CONTRIBUTING.md for more details on how to write a lint that may receive optional configurations.

For users

For users of the CLI tool, configuring a particular lint is as simple as providing a valid toml file to ZLint.

zlint -config configFile.toml mycert.pem

ZLint also provides a facility for getting a print out of a valid, all default, configuration file such that users do not have to hunt through documentation to discover what lints are configurable and what their fields are.

For example...

zlint -exampleConfig

...currently prints to the terminal....

[AppleRootStorePolicyConfig]

[CABFBaselineRequirementsConfig]

[CABFEVGuidelinesConfig]

[CommunityConfig]

[MozillaRootStorePolicyConfig]

[RFC5280Config]

[RFC5480Config]

[RFC5891Config]

[e_rsa_fermat_factorization]
Rounds = 100

Note that there is already a lint that is configurable - e_rsa_fermat_factorization. This lint checks an RSA keypair for susceptibility to the Fermat factorization attack. The more rounds used, the more likely the lint is to successfully factor a key pair. However, increasing the number of rounds dramatically increases the amount of time taken to lint a single certificate. As such, the default is set to 100 as per CABF requirements and users are free to set this value to something lower (if they wish to lint a large number of certificates and want the batch job to run faster) or to something much higher (if they suspect that a key pair is susceptible, but not trivially so).

New Lints:

• e_key_usage_incorrect_length checks for KeyUsages that are outside the range of possible values.
• e_incorrect_ku_encoding check for KeyUsages that are not properly encoded ASN.1 bitstrings.
• e_rsa_fermat_factorization checks for key pairs that are susceptible to Fermat factorization.
• e_superfluous_ku_encoding checks for KeyUsages that have unnecessary trailing zero-bytes.
• e_ecdsa_allowed_ku key usage values keyEncipherment or dataEncipherment MUST NOT be present in certificates with ECDSA public keys
• e_rsa_allowed_ku_ca key usage values digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyCertSign, and cRLSign may only be present in a CA certificate with an RSA key
• e_rsa_allowed_ku_ee key usage values digitalSignature, nonRepudiation, keyEncipherment, and dataEncipherment may only be present in an end entity certificate with an RSA key
• e_rsa_allowed_ku_no_encipherment_ca if Key usage value keyCertSign or cRLSign is present in a CA certificate both keyEncipherment and dataEncipherment SHOULD NOT be present"
• e_subject_contains_organizational_unit_name_and_no_organization_name if a subject organization name is absent then an organizational unit name MUST NOT be included in subject
• e_organizational_unit_name_prohibited organizationalUnitName is prohibited if...the certificate was issued on or after September 1, 2022

Bug Fixes:

• Corrected e_organizational_unit_name_prohibited to not lint CA certificates.
• Corrected a CABF citation in e_algorithm_identifier_improper_encoding
• Corrected an issue e_ext_tor_service_descriptor_hash_invalid wherein an OnionV3 certificate may be considered an OnionV2 certificate if a non-onion DNS entry were present in the certificate.

Changelog

• 13fcc6f util: gtld_map autopull updates for 2022-10-06T19:22:06 UTC (#693)
• 137e46e Lint to check for invalid KU lengths (#686)
• 1209017 Prevent OU lint from applying to CA certificates. Add unit test to confirm change of behaviour (#691)
• 44e12c1 Add lint to check for incorrect 'unused' bit encoding in KeyUsages (#684)
• 3f5e40d Lint for RSA close prime Fermat factorization susceptibility (#674)
• e5ee614 Support for Configurable Lints (#648)
• ed9a20f Added lint to check for superfluous zero byte on KU (#682)
• d8b86f7 Lints for allowable key usages as per RFC 8813 Section 3 and RFC 3279 Section 2.3.1 (#678)
• c7955ed Sunset subject:organizationalUnitName (Section 7.1.4.2.2.i, CAB-Forum BR) (#643)
• b7abf25 Add new lint to block organisational unit names as of 1st September 2022 (#675)
• c32f6d3 Fix SPKI Encoding Lint's RSA BR Section (#679)
• ed6287a Zlint incorrectly requires TorServiceDescriptors if V3 onion and DNS name (#677)

Full Changelog: v3.3.1...v3.4.0

v3.4.0-rc1

ZLint v3.4.0-rc1

The ZMap team is happy to share ZLint v3.4.0-rc1.

Thank you to everyone who contributes to ZLint!

Breaking Changes:

No breaking changes were made in this release.

New Features:

Individual lints may now be (optionally) configurable!

For Lint Authors

For lint authors, please see CONTRIBUTING.md for more details on how to write a lint that may receive optional configurations.

For users

For users of the CLI tool, configuring a particular lint is as simple as providing a valid toml file to ZLint.

zlint -config configFile.toml mycert.pem

ZLint also provides a facility for getting a print out of a valid, all default, configuration file such that users do not have to hunt through documentation to discover what lints are configurable and what their fields are.

For example...

zlint -exampleConfig

...currently prints to the terminal....

[AppleRootStorePolicyConfig]

[CABFBaselineRequirementsConfig]

[CABFEVGuidelinesConfig]

[CommunityConfig]

[MozillaRootStorePolicyConfig]

[RFC5280Config]

[RFC5480Config]

[RFC5891Config]

[e_rsa_fermat_factorization]
Rounds = 100

Note that there is already a lint that is configurable - e_rsa_fermat_factorization. This lint checks an RSA keypair for susceptibility to the Fermat factorization attack. The more rounds used, the more likely the lint is to successfully factor a key pair. However, increasing the number of rounds dramatically increases the amount of time taken to lint a single certificate. As such, the default is set to 100 as per CABF requirements and users are free to set this value to something lower (if they wish to lint a large number of certificates and want the batch job to run faster) or to something much higher (if they suspect that a key pair is susceptible, but not trivially so).

New Lints:

• e_key_usage_incorrect_length checks for KeyUsages that are outside the range of possible values.
• e_incorrect_ku_encoding check for KeyUsages that are not properly encoded ASN.1 bitstrings.
• e_rsa_fermat_factorization checks for key pairs that are susceptible to Fermat factorization.
• e_superfluous_ku_encoding checks for KeyUsages that have unnecessary trailing zero-bytes.
• e_ecdsa_allowed_ku key usage values keyEncipherment or dataEncipherment MUST NOT be present in certificates with ECDSA public keys
• e_rsa_allowed_ku_ca key usage values digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyCertSign, and cRLSign may only be present in a CA certificate with an RSA key
• e_rsa_allowed_ku_ee key usage values digitalSignature, nonRepudiation, keyEncipherment, and dataEncipherment may only be present in an end entity certificate with an RSA key
• e_rsa_allowed_ku_no_encipherment_ca if Key usage value keyCertSign or cRLSign is present in a CA certificate both keyEncipherment and dataEncipherment SHOULD NOT be present"
• e_subject_contains_organizational_unit_name_and_no_organization_name if a subject organization name is absent then an organizational unit name MUST NOT be included in subject
• e_organizational_unit_name_prohibited organizationalUnitName is prohibited if...the certificate was issued on or after September 1, 2022

Bug Fixes:

• Corrected e_organizational_unit_name_prohibited to not lint CA certificates.
• Corrected a CABF citation in e_algorithm_identifier_improper_encoding
• Corrected an issue e_ext_tor_service_descriptor_hash_invalid wherein an OnionV3 certificate may be considered an OnionV2 certificate if a non-onion DNS entry were present in the certificate.

Changelog

• 137e46e Lint to check for invalid KU lengths (#686)
• 1209017 Prevent OU lint from applying to CA certificates. Add unit test to confirm change of behaviour (#691)
• 44e12c1 Add lint to check for incorrect 'unused' bit encoding in KeyUsages (#684)
• 3f5e40d Lint for RSA close prime Fermat factorization susceptibility (#674)
• e5ee614 Support for Configurable Lints (#648)
• ed9a20f Added lint to check for superfluous zero byte on KU (#682)
• d8b86f7 Lints for allowable key usages as per RFC 8813 Section 3 and RFC 3279 Section 2.3.1 (#678)
• c7955ed Sunset subject:organizationalUnitName (Section 7.1.4.2.2.i, CAB-Forum BR) (#643)
• b7abf25 Add new lint to block organisational unit names as of 1st September 2022 (#675)
• c32f6d3 Fix SPKI Encoding Lint's RSA BR Section (#679)
• ed6287a Zlint incorrectly requires TorServiceDescriptors if V3 onion and DNS name (#677)

Full Changelog: v3.3.1...v3.4.0-rc1

ZLint v3.3.1

ZLint v3.3.1

The ZMap team is happy to share ZLint v3.3.1.

Thank you to everyone who contributes to ZLint!

Breaking Changes:

No breaking changes were made in this release.

New Lints:

• e_ev_not_wildcard asserts that wildcard domains are not allowable for EV certificates (except .onion addresses).
• e_dnsname_contains_prohibited_reserved_label asserts that every label within a FQDN must be either a P-Label or a Non-Reserved LDH Label.
• e_ev_san_ip_address_present asserts that Subject Alternative Name MUST contain only dnsName types.
• e_algorithm_identifier_improper_encoding asserts CABF BR 7.1.3.1 regarding requiring a specific byte sequence within a Subject Public Key Info field.
• e_underscore_not_permissible_in_dnsname asserts that underscore are not permissible after the brief permissibility period described in CABF BR 1.6.2.
• e_no_underscores_before_1_6_2 asserts that underscore are not permissible before the brief permissibility period described in CABF BR 1.6.2.

Bug Fixes:

• Corrected an issue in lint_idn_dnsname_malformed_unicode and lint_idn_dnsname_must_be_nfc wherein the IDNA ACE prefixes were incorrectly considered to be case-sensitive.
• A Tor Hash Descriptor is no longer required on certificates that encode Onion V3 addresses.

Misc:

• Numerous TLD updates.
• The CABF OID for EV (2.23.140.1.1) was added as a known EV OID.
• Some clearer datetime logic for more natural daterange checking.
• The ZLint project has been updated to use the Go 1.18 toolchain.
• zcrypto was updated to point towards commit @599ec18ecbac.
• Various quality of life changes to the ZLint developer experience.

Changelog

74f4541 Update to Go 1.18 and update GolangCI Linter (#672)
a34c016 QoL changes to genTestCert.go (#664)
20aeab4 util: gtld_map autopull updates for 2022-04-15T16:45:51 UTC (#671)
6d874e6 updating to zcrypto 599ec18 (#670)
b3be71c Skip checking for a Tor Descriptor Hash if the provided cert contains a V3 Onion address. (#669)
3be391b Update README.md (#666)
b1bd967 No underscores are allowed in DNSNames before BR 1.6.2's permissibility period (#659)
6badb89 No underscores are allowed in DNSNames after BR 1.6.2's permissibility period (#662)
4ab8567 util: gtld_map autopull updates for 2022-02-17T22:26:31 UTC (#658)
7fc9fbd Add Microsoft to the known-ZLint users (#655)
b4a225e AlgorithmIdentifier encoding (Section 7.1.3.1, CAB-Forum BR) (#642)
da67a23 util: gtld_map autopull updates for 2021-12-30T02:43:35 UTC (#654)
3f7cf6c Update README.md (#653)
9199b6d util: gtld_map autopull updates for 2021-12-09T20:29:24 UTC (#649)
0d71258 Entrust Datacard rebranded to Entrust (#652)
bbc7e36 Add lint to detect IP addresses in EV certs (#650)
cb3e7e8 Mark CA/Browser Forum EV Policy OID as EV (#651)
da4e374 refactor: move from io/ioutil to io and os packages (#647)
3a3de3c util: gtld_map autopull updates for 2021-10-30T04:36:00 UTC (#637)
2ff2130 cleaning up some datetime logic (#644)
cb17369 Lint for Non-XN Reserved Labels (#635)
9113ed8 Forbid wildcard certs for non .onion EVs (#641)
0508b86 Detect XN-Labels case-insensitively (#636)
b6ec327 util: gtld_map autopull updates for 2021-10-05T22:26:49 UTC (#633)

ZLint v3.3.1-rc2

ZLint v3.3.1-rc2

The ZMap team is happy to share ZLint v3.3.1-rc2.

Thank you to everyone who contributes to ZLint!

The following changes are what have occurred since v3.3.1-rc1

Breaking Changes:

No breaking changes were made in this release.

New Lints:

• No new lints

Bug Fixes:

• No bug fixes.

Misc:

• The ZLint project has been updated to use the Go 1.18 toolchain.
• A GTLD update
• zcrypto was updated to point towards commit @599ec18ecbac.
• Various quality of life changes to the ZLint developer experience.

Changelog

• 74f4541 Update to Go 1.18 and update GolangCI Linter (#672)
• a34c016 QoL changes to genTestCert.go (#664)
• 20aeab4 util: gtld_map autopull updates for 2022-04-15T16:45:51 UTC (#671)
• 6d874e6 updating to zcrypto 599ec18 (#670)