
Releases: zmap/zlint

v3.6.3-rc1

20 Jul 18:33
13c40b2
Pre-release

ZLint v3.6.3-rc1

The ZMap team is happy to share ZLint v3.6.3-rc1.

Thank you to everyone who contributes to ZLint!

New Lints

  • e_ev_invalid_business_category Checks that businessCategory contains a valid value as per EV Guidelines 7.1.4.2.3
  • e_subj_orgunit_in_ca_cert The organizationalUnitName MUST NOT be included in Root CA certs or TLS Subordinate CA certs. organizationalUnitName is allowed for cross signed certificates, although not recommended. This lint may be configured to signify that the target is a cross signed certificate.
  • e_subj_country_not_uppercase Alpha-2 country codes shall consist of LATIN CAPITAL LETTER A through LATIN CAPITAL LETTER Z
  • e_aia_must_contain_permitted_access_method The AIA must contain only the id-ad-ocsp or id-ad-caIssuers accessMethod. Others are not allowed. Also, each accessLocation MUST be encoded as uniformResourceIdentifier GeneralName.
  • e_aia_ocsp_must_have_http_only The id-ad-ocsp accessMethod must contain an HTTP URL of the Issuing CA’s OCSP responder. Other schemes are not allowed.
  • e_aia_unique_access_locations When multiple AccessDescriptions are present with the same accessMethod in the AIA extension, then each accessLocation MUST be unique.
  • e_cabf_org_identifier_psd_vat_has_state The cabfOrganizationIdentifier field for PSD org VAT Registration Schemes cannot include the referenceStateOrProvince field.
  • e_aia_ca_issuers_must_have_http_only The id-ad-caIssuers accessMethod must contain an HTTP URL of the Issuing CA’s certificate. Other schemes are not allowed.
  • e_duplicate_subject_attribs Each Name MUST NOT contain more than one instance of a given AttributeTypeAndValue across all RDNs
  • e_ca_invalid_eku Checks that SubCA certificates do not contain forbidden values in their EKU extension
  • e_empty_sct_list At least one SCT MUST be included in the SignedCertificateTimestampList extension
  • e_precert_with_sct_list SCTs must be embedded in the final certificate, not in a precertificate
  • e_cert_ext_invalid_der Checks that the 'critical' flag of extensions is not FALSE when present (as per DER encoding)
  • e_crl_missing_crl_number CRL issuers conforming to this profile MUST include this extension in all CRLs
  • e_sub_cert_eku_check Subscriber certificates MUST have id-kp-serverAuth and MAY have id-kp-clientAuth present in extKeyUsage
  • e_invalid_cps_uri If the CPS URI policyQualifier is present in a certificate, it MUST contain an HTTP or HTTPS URL
  • e_crl_empty_revoked_certificates When there are no revoked certificates, the revoked certificates list MUST be absent
  • e_crl_revoked_certificates_field_must_be_empty When the revokedCertificates field is empty, it MUST be absent from the DER-encoded ASN.1 data structure
  • e_ev_orgid_inconsistent_subj_and_ext Checks that the organizationIdentifier Subject attribute and the CABFOrganizationIdentifier extension are consistent
  • e_subject_rdns_correct_encoding CAs that include attributes in the Certificate subject field that are listed in the Tables 77 and 78 of BR 2.0.0 SHALL follow the specified encoding requirements for the attribute
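The four AIA lints above (e_aia_must_contain_permitted_access_method, e_aia_ocsp_must_have_http_only, e_aia_ca_issuers_must_have_http_only and e_aia_unique_access_locations) all inspect the same DER structure, a SEQUENCE OF AccessDescription. The following is an added worked example by the editor, not zlint's implementation: it decodes an authorityInfoAccess value with Go's standard encoding/asn1 and applies the four rules. zlint's real lints use zcrypto's x509 types, return LintResult values and gate on applicability (certificate type, effective dates), none of which is modelled here. The Finding type, the constructed sample extension value and the example.com URLs are assumptions made for the demonstration.

```go
package main

import (
	"encoding/asn1"
	"fmt"
	"net/url"
)

// RFC 5280 4.2.2.1 access methods; the BRs permit no others in the AIA extension.
var (
	oidOCSP      = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 48, 1}
	oidCAIssuers = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 48, 2}
)

// GeneralName CHOICE alternative uniformResourceIdentifier: [6] IMPLICIT IA5String.
const tagURI = 6

// accessDescription mirrors RFC 5280 AccessDescription; accessLocation stays a
// RawValue so that a non-URI GeneralName is reported instead of failing the decode.
type accessDescription struct {
	Method   asn1.ObjectIdentifier
	Location asn1.RawValue
}

// Finding is a lint name plus detail: an illustrative stand-in for zlint's LintResult.
type Finding struct {
	Lint   string
	Detail string
}

// lintAIA applies the four AIA rules from the release notes to the DER value of
// an authorityInfoAccess extension (pkix.Extension.Value for OID 1.3.6.1.5.5.7.1.1).
func lintAIA(extValue []byte) ([]Finding, error) {
	var descs []accessDescription
	rest, err := asn1.Unmarshal(extValue, &descs)
	if err != nil {
		return nil, fmt.Errorf("AIA is not a SEQUENCE OF AccessDescription: %w", err)
	}
	if len(rest) != 0 {
		return nil, fmt.Errorf("%d trailing bytes after AIA", len(rest))
	}
	var out []Finding
	seen := map[string]map[string]bool{} // accessMethod -> URIs already used
	for i, d := range descs {
		method := d.Method.String()
		var schemeLint string
		switch {
		case d.Method.Equal(oidOCSP):
			schemeLint = "e_aia_ocsp_must_have_http_only"
		case d.Method.Equal(oidCAIssuers):
			schemeLint = "e_aia_ca_issuers_must_have_http_only"
		default:
			out = append(out, Finding{"e_aia_must_contain_permitted_access_method", fmt.Sprintf("accessDescription[%d]: accessMethod %s is neither id-ad-ocsp nor id-ad-caIssuers", i, method)})
			continue
		}
		loc := d.Location
		if loc.Class != asn1.ClassContextSpecific || loc.Tag != tagURI || loc.IsCompound {
			out = append(out, Finding{"e_aia_must_contain_permitted_access_method", fmt.Sprintf("accessDescription[%d]: accessLocation is GeneralName [%d], not uniformResourceIdentifier [6]", i, loc.Tag)})
			continue
		}
		uri := string(loc.Bytes)
		// url.Parse lower-cases the scheme: "HTTP://" passes, "https://" and "ldap://" do not.
		if u, err := url.Parse(uri); err != nil || u.Scheme != "http" {
			out = append(out, Finding{schemeLint, fmt.Sprintf("accessDescription[%d]: %q is not an HTTP URL", i, uri)})
		}
		// Uniqueness is per accessMethod: one URL under both ocsp and caIssuers is fine.
		if seen[method] == nil {
			seen[method] = map[string]bool{}
		}
		if seen[method][uri] {
			out = append(out, Finding{"e_aia_unique_access_locations", fmt.Sprintf("accessDescription[%d]: %q repeated for accessMethod %s", i, uri, method)})
		}
		seen[method][uri] = true
	}
	return out, nil
}

// uriName builds the [6] uniformResourceIdentifier GeneralName for a URL.
func uriName(s string) asn1.RawValue {
	return asn1.RawValue{Class: asn1.ClassContextSpecific, Tag: tagURI, Bytes: []byte(s)}
}

func main() {
	// Constructed sample extension value that breaks every rule at least once;
	// asn1.Marshal produces the same DER an issuing CA would emit.
	bad, err := asn1.Marshal([]accessDescription{
		{oidOCSP, uriName("https://ocsp.example.com")},               // wrong scheme
		{oidCAIssuers, uriName("http://crt.example.com/issuer.crt")}, // fine
		{oidCAIssuers, uriName("http://crt.example.com/issuer.crt")}, // duplicate
		{asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 48, 5}, uriName("http://repo.example.com")}, // id-ad-caRepository
		{oidOCSP, asn1.RawValue{Class: asn1.ClassContextSpecific, Tag: 2, Bytes: []byte("ocsp.example.com")}}, // dNSName
	})
	if err != nil {
		panic(err)
	}
	findings, err := lintAIA(bad)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s: %s\n", f.Lint, f.Detail)
	}
}
```

To run it against a real certificate, parse the certificate with crypto/x509, find the extension whose Id is 1.3.6.1.5.5.7.1.1 in cert.Extensions and pass its Value to lintAIA. The location check deliberately keeps accessLocation undecoded until the method is known, so a directoryName or dNSName in the AIA produces a finding rather than a decode error.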

Miscellaneous

  • Modified util.IsEmailProtectionCert to consider whether the certificate in question has an email SAN and whether it is an S/MIME BR certificate.
  • Modified util.IsServerAuthCert to presume that certificates with unknown key usages are server certificates.
  • w_sub_cert_eku_extra_values is now ineffective as of CABF/BRs 2.0.0
  • e_sub_cert_eku_server_auth_client_auth_missing is now ineffective as of CABF/BRs 2.0.0

Changelog

  • 13c40b2 Fix goreleaser to use the --clean flag rather than --rm-dist (#868)
  • 015d220 Add lint to check for a valid business category in EV certificates (#830)
  • 2440571 Add lint to check that Root CA and TLS SubCA certificates do not contain the OU subject attribute (#864)
  • 672100d util: gtld_map autopull updates for 2024-07-13T13:20:09 UTC (#866)
  • f6d07ed Improve util.IsEmailProtectionCert function (#858)
  • f7f6b51 Add lint to check that the countryName attribute (C) is in uppercase (#859)
  • 24d58f9 Subscriber aia lints (#860)
  • 04d863f cabfOrganizationIdentifier extension for VAT and PSD based organizationIdentifiers cannot have referenceStateOrProvince (#848)
  • e5da476 Improve the util.IsServerAuthCert() function (#856)
  • 5b73e7b Fix ExpectedDetails of passing invalid subject test (#846)
  • 899709e Aia ca issuers must have http only (#852)
  • ae8d594 util: gtld_map autopull updates for 2024-06-12T22:19:30 UTC (#854)
  • b14a83b fix: Only apply CN check for Subscriber certificates (#851)
  • bf3764c Cleanup some unnecessary allocations (#849)
  • 26ca0f3 Add lint to check for duplicate subject attributes (ATVs) (#850)
  • c8164d8 Add lint to check that SubCA certificates do not have illegal values in their EKU extension (#840)
  • 068ae82 Avoid warning dv cn (#843)
  • 8523152 Fix handling of Subject:commonName not present in lint for BR 7.1.4.2.2a mailbox-validated (#845)
  • 456dc01 Add lint to check that an SCT list is not empty (#837)
  • c73f78b Add lint to check that precertificates do not contain an SCT list (#841)
  • 26ab5b0 Add lint for checking that the 'critical' field is properly DER-encoded in extensions (#839)
  • 208af03 Add lint for checking that a CRL contains the CRL Number extension (#834)
  • d5a09f8 Add lint to cover TLS BR v2 EKU checks (#833)
  • 63e3f86 Add lint to detect invalid cps uri (#828)
  • 2988620 Add lint to check that a CRL does not contain an empty revokedCertificates element (#831)
  • 61c73ed build(deps): bump golang.org/x/net from 0.17.0 to 0.23.0 in /v3 (#835)
  • a011234 build(deps): bump golang.org/x/net in /v3/cmd/genTestCerts (#836)
  • 6c7d024 Add lint to verify CRL TBSCertList.revokedCertificates field is absent when there are no revoked certificates (#832)
  • 4b2f38b Lint for checking that organizationIdentifier Subject attribute and CABFOrganizationIdentifier extension are consistent as per EVG 9.2.8 (#820)
  • 5de620c Subject rdns correct encoding (#824)

Full Changelog: v3.6.2...v3.6.3-rc1

v3.6.2

14 Apr 17:01
ae3b1f3

ZLint v3.6.2

The ZMap team is happy to share ZLint v3.6.2.

Thank you to everyone who contributes to ZLint!

Bug Fixes

  • Corrected an issue in e_single_email_if_present wherein only the SAN was checked for email addresses and the subject domain name was not.
  • Limited the checking of common names in the SAN for e_mailbox_address_shall_contain_an_rfc822_name
  • Added an ineffective date to e_dsa_correct_order_in_subgroup, e_dsa_shorter_than_2048_bits, and e_dsa_unique_correct_representation.

New Lints

  • e_eku_critical, BRs: 7.1.2.7.6, Subscriber Certificate extkeyUsage extension MUST NOT be marked critical
  • e_crlissuer_must_not_be_present_in_cdp, BRs: 7.1.2.11.2, crlIssuer and/or Reason field MUST NOT be present in the CDP extension.
  • e_legal_entity_identifier, S/MIME BRs: 7.1.2.3.l, Mailbox/individual: prohibited. Organization/sponsor: may be present
  • e_commonname_mailbox_validated, S/MIME BRs: 7.1.4.2.2a, If present, the commonName attribute of a mailbox-validated certificate SHALL contain a mailbox address
  • e_subject_country_name, S/MIME BRs: 7.1.4.2.2n, If present, the subject:countryName SHALL contain the two‐letter ISO 3166‐1 country code associated with the location of the Subject
  • e_cab_dv_subject_invalid_values, BRs: 7.1.2.7.2, If certificate policy 2.23.140.1.2.1 (CA/B BR domain validated) is included, only country and/or common name is allowed in SubjectDN.
  • e_invalid_subject_rdn_order, BRs: 7.1.4.2, Subject field attributes (RDNs) SHALL be encoded in a specific order
  • e_subscribers_crl_distribution_points_are_http, S/MIME BRs: 7.1.2.3.b, cRLDistributionPoints SHALL have URI scheme HTTP.
  • e_smime_qc_statements_must_not_be_critical, S/MIME BRs: 7.1.2.3.k, This extension MAY be present and SHALL NOT be marked critical.
  • e_mailbox_address_shall_contain_an_rfc822_name, S/MIME BRs: 7.1.4.2.1, All Mailbox Addresses in the subject field or entries of type dirName of this extension SHALL be repeated as rfc822Name or otherName values of type id-on-SmtpUTF8Mailbox in this extension
  • e_authority_key_identifier_correct, S/MIME BRs: 7.1.2.3.g, authorityKeyIdentifier SHALL be present. This extension SHALL NOT be marked critical. The keyIdentifier field SHALL be present. authorityCertIssuer and authorityCertSerialNumber fields SHALL NOT be present.
  • e_strict_multipurpose_smime_ext_subject_directory_attr, S/MIME BRs: 7.1.2.3j, SMIME Strict and Multipurpose certificates cannot have Subject Directory Attribute
  • w_ext_subject_key_identifier_not_recommended_subscriber, BRs v2: 7.1.2.7.6, Subscriber certificates' use of Subject Key Identifier is NOT RECOMMENDED
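Several subject-field lints in this list and in the v3.6.3-rc1 list above (e_cab_dv_subject_invalid_values here; e_subj_country_not_uppercase and e_duplicate_subject_attribs in v3.6.3-rc1) reduce to walking the Subject's RDNSequence attribute by attribute. The following is an added example by the editor, not code from zlint: it decodes a raw Subject with Go's standard encoding/asn1 and applies those three rules. Assumptions: the Finding type is an illustrative stand-in for zlint's LintResult; "one instance of a given AttributeTypeAndValue" is read literally as the same type-and-value pair (zlint's own lint may scope this differently); the applicability gating zlint performs (certificate type, effective dates) is not modelled; the sample names and example.com subjects are constructed.

```go
package main

import (
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
)

var (
	oidCountryName  = asn1.ObjectIdentifier{2, 5, 4, 6}
	oidOrganization = asn1.ObjectIdentifier{2, 5, 4, 10}
	oidCommonName   = asn1.ObjectIdentifier{2, 5, 4, 3}
	// CA/Browser Forum policy identifier asserted by domain-validated TLS certificates.
	oidCABFDomainValidated = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 1}
)

// Finding is a lint name plus detail: an illustrative stand-in for zlint's LintResult.
type Finding struct {
	Lint   string
	Detail string
}

// lintSubject decodes the DER Name from a certificate's Subject field
// (x509.Certificate.RawSubject) and applies three subject rules from the
// release notes. policies is the certificate's certificatePolicies list
// (x509.Certificate.PolicyIdentifiers).
func lintSubject(rawSubject []byte, policies []asn1.ObjectIdentifier) ([]Finding, error) {
	var subject pkix.RDNSequence
	rest, err := asn1.Unmarshal(rawSubject, &subject)
	if err != nil {
		return nil, fmt.Errorf("subject is not a valid Name: %w", err)
	}
	if len(rest) != 0 {
		return nil, fmt.Errorf("%d trailing bytes after subject Name", len(rest))
	}
	domainValidated := false
	for _, p := range policies {
		if p.Equal(oidCABFDomainValidated) {
			domainValidated = true
		}
	}
	var out []Finding
	seen := map[string]bool{}
	for _, rdn := range subject {
		for _, a := range rdn {
			value := fmt.Sprint(a.Value)
			key := a.Type.String() + "=" + value
			// e_duplicate_subject_attribs: the same AttributeTypeAndValue twice,
			// whether inside one multi-valued RDN or across RDNs.
			if seen[key] {
				out = append(out, Finding{"e_duplicate_subject_attribs", "repeated " + key})
			}
			seen[key] = true
			// e_subj_country_not_uppercase: every character must be LATIN CAPITAL A..Z.
			if a.Type.Equal(oidCountryName) && !allUpperLatin(value) {
				out = append(out, Finding{"e_subj_country_not_uppercase", fmt.Sprintf("countryName %q", value)})
			}
			// e_cab_dv_subject_invalid_values: with the DV policy asserted, only
			// countryName and commonName may appear in the subject.
			if domainValidated && !a.Type.Equal(oidCountryName) && !a.Type.Equal(oidCommonName) {
				out = append(out, Finding{"e_cab_dv_subject_invalid_values", fmt.Sprintf("attribute %s is not permitted with policy %s", a.Type, oidCABFDomainValidated)})
			}
		}
	}
	return out, nil
}

func allUpperLatin(s string) bool {
	if s == "" {
		return false
	}
	for i := 0; i < len(s); i++ {
		if s[i] < 'A' || s[i] > 'Z' {
			return false
		}
	}
	return true
}

// attr and subjectDER build a Name with one single-valued RDN per attribute, in
// the order given; they exist only to construct sample input for the checks.
func attr(oid asn1.ObjectIdentifier, v string) pkix.AttributeTypeAndValue {
	return pkix.AttributeTypeAndValue{Type: oid, Value: v}
}

func subjectDER(atvs ...pkix.AttributeTypeAndValue) ([]byte, error) {
	var seq pkix.RDNSequence
	for _, a := range atvs {
		seq = append(seq, pkix.RelativeDistinguishedNameSET{a})
	}
	return asn1.Marshal(seq)
}

func main() {
	// Constructed DV subject with a lower-case country and a repeated organization.
	raw, err := subjectDER(attr(oidCountryName, "us"), attr(oidOrganization, "Example Corp"),
		attr(oidOrganization, "Example Corp"), attr(oidCommonName, "www.example.com"))
	if err != nil {
		panic(err)
	}
	findings, err := lintSubject(raw, []asn1.ObjectIdentifier{oidCABFDomainValidated})
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s: %s\n", f.Lint, f.Detail)
	}
}
```

Working from RawSubject rather than the parsed pkix.Name matters for the duplicate check: pkix.Name collapses repeated attributes into string slices and drops ordering inside a multi-valued RDN, so the repetition the lint is looking for is only visible in the DER.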

Changelog

  • ae3b1f3 Correct test descriptions (#829)
  • 308a138 Limit scope for cn checking in SAN (#825)
  • 2980c72 Add ineffective date to DSA lints. (#827)
  • f9496fa Use help Method beforeoron instead of (#717)
  • 9291729 util: gtld_map autopull updates for 2024-03-27T22:19:31 UTC (#817)
  • e99e725 feat: Test EKU Criticality (#816)
  • 38cfd72 cRLIssuer MUST NOT be present (#814)
  • 990a074 Add lints for S/MIME BR 7.1.2.3l (#805)
  • 32bba7a Update single email if present (#808)
  • e33bae9 Update single email subject if present (#802)
  • 7c899ea Add lint for BR 7.1.4.2.2a mailbox-validated (#806)
  • e6650eb Add lints for S/MIME BR 7.1.4.2.2n country name (#807)
  • 8d2c579 Lint for 7.1.2.7.2 BR (#810)
  • e76cc77 Add lint for checking that Subject attributes (RDNs) appear in the order prescribed by CABF BR 7.1.4.2 (#813)
  • a063d31 Add lints for S/MIME BR 7.1.2.3.b (#779)
  • a72ff4e util: gtld_map autopull updates for 2024-03-09T18:19:57 UTC (#811)
  • 5501be1 Mailbox addresses from san for all br (#809)
  • 9c67bdb Fix typo (#804)
  • 83b5f8d Add lint for S/MIME BR 7.1.2.3 (k) (#799)
  • b9ff71f Add lint to enforce SMIME BRs: 7.1.4.2.1 requirement for mailbox addr… (#800)
  • a23de3d util: gtld_map autopull updates for 2024-02-20T21:17:08 UTC (#794)
  • bf84ed8 Add test case for smime ext subject directory attr (#801)
  • 060b385 Lint for S/MIME BR 7.1.2.3.g (#797)
  • a4b46ef Add lint for subject directory attributes extension (#798)
  • 1baec6e Fix copy/paste error (#796)
  • 8deb02b Subject Key Identifier is not recommended by CABF BR v2 (#790)
  • fa85598 Handle ips in aia internal names (#791)

Full Changelog: v3.6.1...v3.6.2

v3.6.2-rc2

07 Apr 13:18
308a138
Pre-release

ZLint v3.6.2-rc2

The ZMap team is happy to share ZLint v3.6.2-rc2.

Thank you to everyone who contributes to ZLint!

Bug Fixes

  • Limited the checking of common names in the SAN for e_mailbox_address_shall_contain_an_rfc822_name
  • Added an ineffective date to e_dsa_correct_order_in_subgroup, e_dsa_shorter_than_2048_bits, and e_dsa_unique_correct_representation.

Changelog

Full Changelog: v3.6.2-rc1...v3.6.2-rc2

v3.6.2-rc1

31 Mar 18:40
f9496fa
Pre-release

ZLint v3.6.2-rc1

The ZMap team is happy to share ZLint v3.6.2-rc1.

Thank you to everyone who contributes to ZLint!

Bug Fixes

  • Corrected an issue in e_single_email_if_present wherein only the SAN was checked for email addresses and the subject domain name was not.

New Lints

  • e_eku_critical, BRs: 7.1.2.7.6, Subscriber Certificate extkeyUsage extension MUST NOT be marked critical
  • e_crlissuer_must_not_be_present_in_cdp, BRs: 7.1.2.11.2, crlIssuer and/or Reason field MUST NOT be present in the CDP extension.
  • e_legal_entity_identifier, S/MIME BRs: 7.1.2.3.l, Mailbox/individual: prohibited. Organization/sponsor: may be present
  • e_commonname_mailbox_validated, S/MIME BRs: 7.1.4.2.2a, If present, the commonName attribute of a mailbox-validated certificate SHALL contain a mailbox address
  • e_subject_country_name, S/MIME BRs: 7.1.4.2.2n, If present, the subject:countryName SHALL contain the two‐letter ISO 3166‐1 country code associated with the location of the Subject
  • e_cab_dv_subject_invalid_values, BRs: 7.1.2.7.2, If certificate policy 2.23.140.1.2.1 (CA/B BR domain validated) is included, only country and/or common name is allowed in SubjectDN.
  • e_invalid_subject_rdn_order, BRs: 7.1.4.2, Subject field attributes (RDNs) SHALL be encoded in a specific order
  • e_subscribers_crl_distribution_points_are_http, S/MIME BRs: 7.1.2.3.b, cRLDistributionPoints SHALL have URI scheme HTTP.
  • e_smime_qc_statements_must_not_be_critical, S/MIME BRs: 7.1.2.3.k, This extension MAY be present and SHALL NOT be marked critical.
  • e_mailbox_address_shall_contain_an_rfc822_name, S/MIME BRs: 7.1.4.2.1, All Mailbox Addresses in the subject field or entries of type dirName of this extension SHALL be repeated as rfc822Name or otherName values of type id-on-SmtpUTF8Mailbox in this extension
  • e_authority_key_identifier_correct, S/MIME BRs: 7.1.2.3.g, authorityKeyIdentifier SHALL be present. This extension SHALL NOT be marked critical. The keyIdentifier field SHALL be present. authorityCertIssuer and authorityCertSerialNumber fields SHALL NOT be present.
  • e_strict_multipurpose_smime_ext_subject_directory_attr, S/MIME BRs: 7.1.2.3j, SMIME Strict and Multipurpose certificates cannot have Subject Directory Attribute
  • w_ext_subject_key_identifier_not_recommended_subscriber, BRs v2: 7.1.2.7.6, Subscriber certificates' use of Subject Key Identifier is NOT RECOMMENDED

Changelog

  • f9496fa Use help Method beforeoron instead of (#717)
  • 9291729 util: gtld_map autopull updates for 2024-03-27T22:19:31 UTC (#817)
  • e99e725 feat: Test EKU Criticality (#816)
  • 38cfd72 cRLIssuer MUST NOT be present (#814)
  • 990a074 Add lints for S/MIME BR 7.1.2.3l (#805)
  • 32bba7a Update single email if present (#808)
  • e33bae9 Update single email subject if present (#802)
  • 7c899ea Add lint for BR 7.1.4.2.2a mailbox-validated (#806)
  • e6650eb Add lints for S/MIME BR 7.1.4.2.2n country name (#807)
  • 8d2c579 Lint for 7.1.2.7.2 BR (#810)
  • e76cc77 Add lint for checking that Subject attributes (RDNs) appear in the order prescribed by CABF BR 7.1.4.2 (#813)
  • a063d31 Add lints for S/MIME BR 7.1.2.3.b (#779)
  • a72ff4e util: gtld_map autopull updates for 2024-03-09T18:19:57 UTC (#811)
  • 5501be1 Mailbox addresses from san for all br (#809)
  • 9c67bdb Fix typo (#804)
  • 83b5f8d Add lint for S/MIME BR 7.1.2.3 (k) (#799)
  • b9ff71f Add lint to enforce SMIME BRs: 7.1.4.2.1 requirement for mailbox addr… (#800)
  • a23de3d util: gtld_map autopull updates for 2024-02-20T21:17:08 UTC (#794)
  • bf84ed8 Add test case for smime ext subject directory attr (#801)
  • 060b385 Lint for S/MIME BR 7.1.2.3.g (#797)
  • a4b46ef Add lint for subject directory attributes extension (#798)
  • 1baec6e Fix copy/paste error (#796)
  • 8deb02b Subject Key Identifier is not recommended by CABF BR v2 (#790)
  • fa85598 Handle ips in aia internal names (#791)

Full Changelog: v3.6.1...v3.6.2-rc1

v3.6.1

10 Feb 18:01
82d733e

ZLint v3.6.1

The ZMap team is happy to share ZLint v3.6.1.

Thank you to everyone who contributes to ZLint!

Bug Fixes

  • Corrected an issue in e_single_email_if_present wherein certificates with multiple email fields were rejected, rather than rejecting only certificates whose email field itself contained multiple addresses.

Changelog

  • 82d733e Fix a bug in the check for 7.1.4.2.h - single email address in subject:emailAddress (#792)
  • 5501b4f util: gtld_map autopull updates for 2024-01-22T23:19:16 UTC (#789)
  • ddd1a81 Update copyright notices to 2024 (#787)
  • 8a61dfa Refactor and improve the new lint creation bash script (#786)

Full Changelog: v3.6.0...v3.6.1

v3.6.0

07 Jan 19:53
be8dd6a

ZLint v3.6.0

The ZMap team is happy to share ZLint v3.6.0.

Thank you to everyone who contributes to ZLint!

Breaking Changes:

No breaking changes were made in this release.

Deprecation Warning:

This is primarily a deprecation warning for the library usages of ZLint.

lint.Lint has been deprecated in favor of the categorical interfaces CertificateLint and RevocationListLint.

It is advised to refrain from implementing new lints that target the lint.Lint interface, as this interface will be removed entirely in a future release.

When implementing a lint for an X.509 certificate, library users should implement the CertificateLint interface. Similarly, when implementing a lint for a CRL, the RevocationListLint interface should be used.

Security Patches

The golang.org/x/crypto bump to 0.17.0 (in /v3 and in the /v3/cmd/genTestCerts test certificate generation script, see the changelog) addresses CVE-2023-48795 (severity score 5.9), the Terrapin prefix-truncation attack on SSH in golang.org/x/crypto/ssh. The generation script never goes online, so the vulnerable code was never exercised.

Bug Fixes

  • Corrected an issue in e_registration_scheme_id_matches_subject_country wherein LEI and INT certificates were being incorrectly checked.

New Lints:

Work has begun on the implementation of CABF/BR SMIME lints. For a complete list of lints being tracked please see #712

  • SMIME certificates SHALL have cRLDistributionPoints (7.1.2.3.b)
  • Strict and Multipurpose SMIME certificate AIA fields: OCSP Responder "When provided, every accessMethod SHALL have the URI scheme HTTP." (7.1.2.3.c.1)
  • Strict and Multipurpose SMIME certificate AIA fields: caIssuers "When provided, every accessMethod SHALL have the URI scheme HTTP." (7.1.2.3.c.1)
  • Key usage, RSA certs, strict policies: prevent all key usages other than digitalSignature, nonRepudiation, keyEncipherment (7.1.2.3.e)
  • Key usage, RSA certs, multipurpose/legacy policies: prevent all key usages other than digitalSignature, nonRepudiation, keyEncipherment and dataEncipherment (7.1.2.3.e)
  • Key usage, EC certs, all: prevent all key usages other than digitalSignature, nonRepudiation, keyAgreement, encipherOnly, decipherOnly (7.1.2.3.e)
  • Key usage, EC certs, all: encipherOnly/decipherOnly are permitted only when keyAgreement is set (7.1.2.3.e)
  • Key usage, Edwards certs, keys defined on curve 25519: Bit positions SHALL be set for digitalSignature and MAY be set for nonRepudiation (7.1.2.3.e)
  • Extended key usage, strict: emailProtection SHALL be present. Other values SHALL NOT BE PRESENT (7.1.2.3.f)
  • Extended key usage, multipurpose/legacy: emailProtection SHALL be present. Other values MAY be present (7.1.2.3.f)
  • subjectAlternativeName, all: SHALL be present (7.1.2.3.h)
  • subjectAlternativeName, all: SHOULD NOT be marked critical unless subject field is empty (7.1.2.3.h)
  • Adobe Extensions, strict: is Prohibited (7.1.2.3.m)
  • subject:emailAddress, all: if present, the subject:emailAddress SHALL contain a single Mailbox Address. (7.1.4.2.2.h)
  • subject DN attributes for mailbox-validated profile (7.1.4.2.3)

Changelog

  • be8dd6a Limit e_registration_scheme_id_matches_subject_country to no longer apply to LEI or INT organizationIdentifiers (#781)
  • dfb985b build(deps): bump golang.org/x/crypto from 0.14.0 to 0.17.0 in /v3 (#784)
  • 832a1ea build(deps): bump golang.org/x/crypto in /v3/cmd/genTestCerts (#785)
  • d4e2de0 Fix goreleaser deprecation (#783)
  • f830602 Added IsSMIMEBRCertificate in checkApplies where missing (#780)
  • c1aacb0 golangci-lint update and fixes (#782)
  • f90a51e util: gtld_map autopull updates for 2023-12-16T12:21:31 UTC (#778)
  • 45de880 refactor of SMIME aia contains (#777)
  • bc2c0fd CABF SMIME BR Appendix A.1 - countryName matches registration scheme id (#768)
  • 7f6ef92 Metalint for checking against the deprecated lint.RegisterLint function (#775)
  • ebf2071 util: gtld_map autopull updates for 2023-11-27T16:20:42 UTC (#773)
  • c35c9b9 Policy Qualifiers other than id-qt-cps are no longer allowed as per CABF BRs (#774)
  • 1bb58f0 Updating certificate lint template to use the new certificate specific interface (#772)
  • 96a4799 util: gtld_map autopull updates for 2023-11-17T20:19:40 UTC (#771)
  • a08efa8 CABF SMIME BR 7.1.2.3.m - Adobe Extensions (#763)
  • 45e6204 Convert all Lints to CertificateLints (#767)
  • 43b6954 address smime lint applicability issue. regenerate test certificates to fix unit tests broken by change (#764)
  • e8c0c24 util: gtld_map autopull updates for 2023-11-06T23:18:29 UTC (#756)
  • 64533b5 Ensure AIA URLs point to public paths (#760)
  • 8923170 CABF SMIME BR 7.1.2.3.e - KeyUsages (#757)
  • f9f30bc Fixing lint registration for CABF SMIME (#761)
  • 1c307f4 Lints for CABF SMIME BRs 7.1.2.3.f - EKUs (#747)
  • 553276d util: gtld_map autopull updates for 2023-10-19T17:18:28 UTC (#755)
  • 2f54486 CABF SMIME 7.1.4.2.h If present, the subject:emailAddress SHALL contain a single Mailbox Address (#752)
  • 2f0f4b8 build(deps): bump golang.org/x/net in /v3/cmd/genTestCerts (#751)
  • 378c09f build(deps): bump golang.org/x/net from 0.8.0 to 0.17.0 in /v3 (#750)
  • 88e01ad Lint for CABF SMIME 7.1.2.3.h - subjectAlternativeName SHOULD NOT be marked critical unless the subject field is an empty sequence (#746)
  • 08a9354 Lint for CABF SMIME 7.1.2.3.h - subjectAlternativeName, all: SHALL be present (7.1.2.3.h) (#744)
  • 386a8dc Lint for CABF SMIME 7.1.2.3b - cRLDistributionPoints SHALL be present (#742)
  • 48baa89 Permit underscores in DNSNames if-and-only-if replacing all underscores results in valid LDH labels during BR 1.6.2's permissibility period (#661)
  • ba30b3b Permit underscores in DNSNames if-and-only-if those certificates are valid for less than 30 days and during BR 1.6.2's permissibility period (#660)
  • 1fd1c0d Part 1 of SC-62 related updates to zlint (#739)
  • 5c4e05f util: gtld_map autopull updates for 2023-08-27T22:18:12 UTC (#737)
  • 71d5e4b Reintroduce lint for inconsistent KU and EKU (#708)
  • 59d4dd3 Inclusion of approximately 190000 email protection certificates into the test corpus (#738)
  • d959c83 Add lint enforcing the restrictions on subject DN fields for mailbox validated SMIME certificates (#713)
  • 624744d Include LintMetadata in the LintResult (#729)
  • 38b7484 Add CRL Lints for the ReasonCode extension from the baseline requirements and RFC 5280 (#715)
  • 1e3cf01 util: gtld_map autopull updates for 2023-07-25T22:18:37 UTC (#736)
  • b492fe7 tidy: delete 'h' gitlog fragment from proj. root. (#735)
  • 4d38bfe E ext cert policy disallowed any policy qualifier refactor (#732)
  • 7602109 util: gtld_map autopull updates for 2023-07-08T13:20:31 UTC (#733)
  • 40f2b32 Duplicate lints about keyIdentifier in certificates (#726)
  • 3f1605e Ecdsa ee invalid ku check applies (#731)
  • 8c46bdf Fix typo in LintRevocationListEx comment (#730)
  • 7ef1f84 util: gtld_map autopull updates for 2023-06-14T22:18:50 UTC (#727)
  • 5e0219d Bc critical (#722)
  • 3746088 util: gtld_map autopull updates for 2023-06-06T18:20:14 UTC (#698)
  • 9b18bdc Ca field empty description (#723)
  • 59a91a2 Max length check applies (#724)

Full Changelog: v3.5.0...v3.6.0

v3.6.0-rc2

01 Jan 18:46
be8dd6a
Pre-release

ZLint v3.6.0-rc2

The ZMap team is happy to share ZLint v3.6.0-rc2.

Thank you to everyone who contributes to ZLint!

Breaking Changes:

No breaking changes were made in this release.

Security Patches

The golang.org/x/crypto bump to 0.17.0 (in /v3 and in the /v3/cmd/genTestCerts test certificate generation script, see the changelog) addresses CVE-2023-48795 (severity score 5.9), the Terrapin prefix-truncation attack on SSH in golang.org/x/crypto/ssh. The generation script never goes online, so the vulnerable code was never exercised.

Bug Fixes

  • Corrected an issue in e_registration_scheme_id_matches_subject_country wherein LEI and INT certificates were being incorrectly checked.

Changelog

  • be8dd6a Limit e_registration_scheme_id_matches_subject_country to no longer apply to LEI or INT organizationIdentifiers (#781)
  • dfb985b build(deps): bump golang.org/x/crypto from 0.14.0 to 0.17.0 in /v3 (#784)
  • 832a1ea build(deps): bump golang.org/x/crypto in /v3/cmd/genTestCerts (#785)

v3.6.0-rc1

16 Dec 15:08
d4e2de0
Pre-release

ZLint v3.6.0-rc1

The ZMap team is happy to share ZLint v3.6.0-rc1.

Thank you to everyone who contributes to ZLint!

Breaking Changes:

No breaking changes were made in this release.

Deprecation Warning:

This is primarily a deprecation warning for the library usages of ZLint.

lint.Lint has been deprecated in favor of the categorical interfaces CertificateLint and RevocationListLint.

It is advised to refrain from implementing new lints that target the lint.Lint interface, as this interface will be removed entirely in a future release.

When implementing a lint for an X.509 certificate, library users should implement the CertificateLint interface. Similarly, when implementing a lint for a CRL, the RevocationListLint interface should be used.

New Lints:

Work has begun on the implementation of CABF/BR SMIME lints. For a complete list of lints being tracked please see #712

  • SMIME certificates SHALL have cRLDistributionPoints (7.1.2.3.b)
  • Strict and Multipurpose SMIME certificate AIA fields: OCSP Responder "When provided, every accessMethod SHALL have the URI scheme HTTP." (7.1.2.3.c.1)
  • Strict and Multipurpose SMIME certificate AIA fields: caIssuers "When provided, every accessMethod SHALL have the URI scheme HTTP." (7.1.2.3.c.1)
  • Key usage, RSA certs, strict policies: prevent all key usages other than digitalSignature, nonRepudiation, keyEncipherment (7.1.2.3.e)
  • Key usage, RSA certs, multipurpose/legacy policies: prevent all key usages other than digitalSignature, nonRepudiation, keyEncipherment and dataEncipherment (7.1.2.3.e)
  • Key usage, EC certs, all: prevent all key usages other than digitalSignature, nonRepudiation, keyAgreement, encipherOnly, decipherOnly (7.1.2.3.e)
  • Key usage, EC certs, all: encipherOnly/decipherOnly are permitted only when keyAgreement is set (7.1.2.3.e)
  • Key usage, Edwards certs, keys defined on curve 25519: Bit positions SHALL be set for digitalSignature and MAY be set for nonRepudiation (7.1.2.3.e)
  • Extended key usage, strict: emailProtection SHALL be present. Other values SHALL NOT BE PRESENT (7.1.2.3.f)
  • Extended key usage, multipurpose/legacy: emailProtection SHALL be present. Other values MAY be present (7.1.2.3.f)
  • subjectAlternativeName, all: SHALL be present (7.1.2.3.h)
  • subjectAlternativeName, all: SHOULD NOT be marked critical unless subject field is empty (7.1.2.3.h)
  • Adobe Extensions, strict: is Prohibited (7.1.2.3.m)
  • subject:emailAddress, all: if present, the subject:emailAddress SHALL contain a single Mailbox Address. (7.1.4.2.2.h)
  • subject DN attributes for mailbox-validated profile (7.1.4.2.3)

Changelog

  • d4e2de0 Fix goreleaser deprecation (#783)
  • f830602 Added IsSMIMEBRCertificate in checkApplies where missing (#780)
  • c1aacb0 golangci-lint update and fixes (#782)
  • f90a51e util: gtld_map autopull updates for 2023-12-16T12:21:31 UTC (#778)
  • 45de880 refactor of SMIME aia contains (#777)
  • bc2c0fd CABF SMIME BR Appendix A.1 - countryName matches registration scheme id (#768)
  • 7f6ef92 Metalint for checking against the deprecated lint.RegisterLint function (#775)
  • ebf2071 util: gtld_map autopull updates for 2023-11-27T16:20:42 UTC (#773)
  • c35c9b9 Policy Qualifiers other than id-qt-cps are no longer allowed as per CABF BRs (#774)
  • 1bb58f0 Updating certificate lint template to use the new certificate specific interface (#772)
  • 96a4799 util: gtld_map autopull updates for 2023-11-17T20:19:40 UTC (#771)
  • a08efa8 CABF SMIME BR 7.1.2.3.m - Adobe Extensions (#763)
  • 45e6204 Convert all Lints to CertificateLints (#767)
  • 43b6954 address smime lint applicability issue. regenerate test certificates to fix unit tests broken by change (#764)
  • e8c0c24 util: gtld_map autopull updates for 2023-11-06T23:18:29 UTC (#756)
  • 64533b5 Ensure AIA URLs point to public paths (#760)
  • 8923170 CABF SMIME BR 7.1.2.3.e - KeyUsages (#757)
  • f9f30bc Fixing lint registration for CABF SMIME (#761)
  • 1c307f4 Lints for CABF SMIME BRs 7.1.2.3.f - EKUs (#747)
  • 553276d util: gtld_map autopull updates for 2023-10-19T17:18:28 UTC (#755)
  • 2f54486 CABF SMIME 7.1.4.2.h If present, the subject:emailAddress SHALL contain a single Mailbox Address (#752)
  • 2f0f4b8 build(deps): bump golang.org/x/net in /v3/cmd/genTestCerts (#751)
  • 378c09f build(deps): bump golang.org/x/net from 0.8.0 to 0.17.0 in /v3 (#750)
  • 88e01ad Lint for CABF SMIME 7.1.2.3.h - subjectAlternativeName SHOULD NOT be marked critical unless the subject field is an empty sequence (#746)
  • 08a9354 Lint for CABF SMIME 7.1.2.3.h - subjectAlternativeName, all: SHALL be present (7.1.2.3.h) (#744)
  • 386a8dc Lint for CABF SMIME 7.1.2.3b - cRLDistributionPoints SHALL be present (#742)
  • 48baa89 Permit underscores in DNSNames if-and-only-if replacing all underscores results in valid LDH labels during BR 1.6.2's permissibility period (#661)
  • ba30b3b Permit underscores in DNSNames if-and-only-if those certificates are valid for less than 30 days and during BR 1.6.2's permissibility period (#660)
  • 1fd1c0d Part 1 of SC-62 related updates to zlint (#739)
  • 5c4e05f util: gtld_map autopull updates for 2023-08-27T22:18:12 UTC (#737)
  • 71d5e4b Reintroduce lint for inconsistent KU and EKU (#708)
  • 59d4dd3 Inclusion of approximately 190000 email protection certificates into the test corpus (#738)
  • d959c83 Add lint enforcing the restrictions on subject DN fields for mailbox validated SMIME certificates (#713)
  • 624744d Include LintMetadata in the LintResult (#729)
  • 38b7484 Add CRL Lints for the ReasonCode extension from the baseline requirements and RFC 5280 (#715)
  • 1e3cf01 util: gtld_map autopull updates for 2023-07-25T22:18:37 UTC (#736)
  • b492fe7 tidy: delete 'h' gitlog fragment from proj. root. (#735)
  • 4d38bfe E ext cert policy disallowed any policy qualifier refactor (#732)
  • 7602109 util: gtld_map autopull updates for 2023-07-08T13:20:31 UTC (#733)
  • 40f2b32 Duplicate lints about keyIdentifier in certificates (#726)
  • 3f1605e Ecdsa ee invalid ku check applies (#731)
  • 8c46bdf Fix typo in LintRevocationListEx comment (#730)
  • 7ef1f84 util: gtld_map autopull updates for 2023-06-14T22:18:50 UTC (#727)
  • 5e0219d Bc critical (#722)
  • 3746088 util: gtld_map autopull updates for 2023-06-06T18:20:14 UTC (#698)
  • 9b18bdc Ca field empty description (#723)
  • 59a91a2 Max length check applies (#724)

Full Changelog: v3.5.0...v3.6.0-rc1

v3.5.0

11 Jun 17:42
45e8dff

ZLint v3.5.0

The ZMap team is happy to share ZLint v3.5.0.

Thank you to everyone who contributes to ZLint!

Breaking Changes:

No breaking changes were made in this release.

New Features:

New infrastructure has been added that supports linting Certificate Revocation Lists.

A special thank you to Amir Omidi for their work on this contribution!

New Lints:

  • e_crl_has_next_update Conforming CRL issuers MUST include the nextUpdate field in all CRLs.
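e_crl_has_next_update above, together with the CRL lints added in v3.6.3-rc1 (e_crl_missing_crl_number, e_crl_empty_revoked_certificates and e_crl_revoked_certificates_field_must_be_empty), are checks on the shape of the TBSCertList. The following is an added example by the editor, not zlint's CRL linting infrastructure: it decodes a DER CertificateList with Go's standard encoding/asn1 and applies those rules, keeping revokedCertificates as a slice of raw values so that the decoder leaves the field nil when it is absent and non-nil with length zero when an empty SEQUENCE is present, which is exactly the distinction the empty-revokedCertificates lint needs. The tbsCertList and certificateList structs, the Finding type, the placeholder signature and the "Example Issuing CA" sample are the editor's constructions; the signature is not verified.

```go
package main

import (
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// cRLNumber extension, RFC 5280 5.2.3.
var oidCRLNumber = asn1.ObjectIdentifier{2, 5, 29, 20}

// tbsCertList mirrors RFC 5280 TBSCertList. revokedCertificates is decoded as
// raw values: nil means the field is absent, a non-nil empty slice means an
// empty SEQUENCE was present, and entries with crlEntryExtensions still decode.
type tbsCertList struct {
	Version             int `asn1:"optional"`
	Signature           pkix.AlgorithmIdentifier
	Issuer              pkix.RDNSequence
	ThisUpdate          time.Time
	NextUpdate          time.Time        `asn1:"optional"`
	RevokedCertificates []asn1.RawValue  `asn1:"optional"`
	Extensions          []pkix.Extension `asn1:"tag:0,optional,explicit"`
}

type certificateList struct {
	TBSCertList        tbsCertList
	SignatureAlgorithm pkix.AlgorithmIdentifier
	SignatureValue     asn1.BitString
}

// Finding is a lint name plus detail: an illustrative stand-in for zlint's LintResult.
type Finding struct {
	Lint   string
	Detail string
}

// lintCRL applies three structural CRL rules from the release notes to a
// DER-encoded CertificateList. It does not verify the signature.
func lintCRL(der []byte) ([]Finding, error) {
	var crl certificateList
	rest, err := asn1.Unmarshal(der, &crl)
	if err != nil {
		return nil, fmt.Errorf("not a CertificateList: %w", err)
	}
	if len(rest) != 0 {
		return nil, fmt.Errorf("%d trailing bytes after CertificateList", len(rest))
	}
	tbs := crl.TBSCertList
	var out []Finding
	// e_crl_has_next_update: OPTIONAL in the ASN.1, but conforming issuers MUST include it.
	if tbs.NextUpdate.IsZero() {
		out = append(out, Finding{"e_crl_has_next_update", "nextUpdate is absent"})
	}
	// e_crl_empty_revoked_certificates: an empty SEQUENCE is an encoding error;
	// with nothing revoked the field is omitted entirely.
	if tbs.RevokedCertificates != nil && len(tbs.RevokedCertificates) == 0 {
		out = append(out, Finding{"e_crl_empty_revoked_certificates", "revokedCertificates is present but empty; it MUST be absent"})
	}
	// e_crl_missing_crl_number.
	hasNumber := false
	for _, ext := range tbs.Extensions {
		if ext.Id.Equal(oidCRLNumber) {
			hasNumber = true
		}
	}
	if !hasNumber {
		out = append(out, Finding{"e_crl_missing_crl_number", "cRLNumber extension is absent"})
	}
	return out, nil
}

// revokedEntry encodes one revokedCertificates element: serial plus revocationDate.
func revokedEntry(serial int64, at time.Time) asn1.RawValue {
	der, err := asn1.Marshal(struct {
		UserCertificate *big.Int
		RevocationDate  time.Time
	}{big.NewInt(serial), at})
	if err != nil {
		panic(err)
	}
	return asn1.RawValue{FullBytes: der}
}

// buildCRL constructs a CertificateList with a placeholder signature; it is
// used here only to produce sample input (constructed data, not a CA's CRL).
func buildCRL(next time.Time, revoked []asn1.RawValue, withNumber bool) ([]byte, error) {
	sha256WithRSA := pkix.AlgorithmIdentifier{Algorithm: asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 11}}
	tbs := tbsCertList{
		Version:             1, // v2
		Signature:           sha256WithRSA,
		Issuer:              pkix.Name{CommonName: "Example Issuing CA"}.ToRDNSequence(),
		ThisUpdate:          time.Date(2024, 7, 20, 12, 0, 0, 0, time.UTC),
		NextUpdate:          next,
		RevokedCertificates: revoked,
	}
	if withNumber {
		num, err := asn1.Marshal(big.NewInt(42))
		if err != nil {
			return nil, err
		}
		tbs.Extensions = []pkix.Extension{{Id: oidCRLNumber, Value: num}}
	}
	return asn1.Marshal(certificateList{tbs, sha256WithRSA, asn1.BitString{Bytes: []byte{0}, BitLength: 8}})
}

func main() {
	// nextUpdate missing, empty revokedCertificates SEQUENCE present, no cRLNumber.
	der, err := buildCRL(time.Time{}, []asn1.RawValue{}, false)
	if err != nil {
		panic(err)
	}
	findings, err := lintCRL(der)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s: %s\n", f.Lint, f.Detail)
	}
}
```

The nil-versus-empty distinction is the part worth noting: encoding/asn1 omits an optional nil slice on marshal but emits a zero-length SEQUENCE for a non-nil empty one, and on unmarshal it reverses that faithfully, so a CA library that initialises the entry list with make(...) rather than leaving it nil will produce exactly the encoding these lints reject.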

Bug Fixes:

  • Changed e_cert_unique_identifier_version_not_2_or_3 to apply to all certificates, effectively changing an N/A result to a PASS result.
  • Changed several unit tests that asserted on human-readable string messages, which had made them brittle.

Security Updates

  • Bumped the golang.org/x/net and golang.org/x/text dependencies in /v3 and /v3/cmd/genTestCerts (see the changelog below).

Changelog

  • 45e8dff Update README.md (#719)
  • af90382 Enable accepting a PEM encoded CRL via the command line interface (#721)
  • 1d8591c Remove references in comments to Initialize() method of lints (#718)
  • 2438596 Always perform e_cert_unique_identifier_version_not_2_or_3 (#711)
  • a5c869f Update copyright text to 2023 (#716)
  • 997ad51 Add CRL linting infrastructure (#699)
  • 64ae4e5 build(deps): bump golang.org/x/net in /v3/cmd/genTestCerts (#704)
  • 68901ea build(deps): bump golang.org/x/net in /v3 (#702)
  • 5ed8e34 asserting human readable strings is error prone (#707)
  • c7740fa build(deps): bump golang.org/x/text in /v3/cmd/genTestCerts (#701)
  • a476724 Upgrading golangci-lint to v1.51.2 (#705)
  • 46f7185 build(deps): bump golang.org/x/text from 0.3.7 to 0.3.8 in /v3 (#700)
  • 8a9f61e test.ReadTestCert breaks for downstream consumers dependent on the previous relative certificate path building behavior (#695)
  • 6292ca4 Adding support for linting profiles (#595)
  • c627333 util: gtld_map autopull updates for 2022-10-10T19:22:35 UTC (#694)
  • 13fcc6f util: gtld_map autopull updates for 2022-10-06T19:22:06 UTC (#693)

Full Changelog: v3.4.1...v3.5.0

v3.5.0-rc2

04 Jun 18:28
45e8dff
Pre-release

ZLint v3.5.0-rc2

The ZMap team is happy to share ZLint v3.5.0-rc2.

Thank you to everyone who contributes to ZLint!

Breaking Changes:

No breaking changes were made in this release.

Bug Fixes:

  • Corrected an issue which prevented PEM encoded CRLs from being readable via the command line interface. Thank you to Adriano Santoni for finding this issue!

Misc

  • Added PKI Insights to the list of industry usages.

Changelog

  • 45e8dff Update README.md (#719)
  • af90382 Enable accepting a PEM encoded CRL via the command line interface (#721)

Full Changelog: v3.5.0-rc1...v3.5.0-rc2