Skip to content

Tags: zmap/zlint

Tags

v3.6.3-rc1

Toggle v3.6.3-rc1's commit message

Verified

This tag was signed with the committer’s verified signature.
christopher-henderson Christopher Henderson
GPG key ID: 2632D36B664B36BC
Learn about vigilant mode 
ZLint v3.6.3-rc1

v3.6.2

Toggle v3.6.2's commit message 
ZLint v3.6.2

v3.6.2-rc2

Toggle v3.6.2-rc2's commit message 
308a138 (HEAD -> master, origin/master, origin/HEAD) Limit scope for …

…cn checking in SAN (#825)

2980c72 Add ineffective date to DSA lints. (#827)

v3.6.2-rc1

Toggle v3.6.2-rc1's commit message 
ZLint v3.6.2-rc1

f9496fa (HEAD -> master, origin/master, origin/HEAD) Use help Method beforeoron instead of  (#717)
9291729 util: gtld_map autopull updates for 2024-03-27T22:19:31 UTC (#817)
e99e725 feat: Test EKU Criticality (#816)
38cfd72 cRLIssuer MUST NOT be present (#814)
990a074 Add lints for S/MIME BR 7.1.2.3l (#805)
32bba7a Update single email if present (#808)
e33bae9 Update single email subject if present (#802)
7c899ea Add lint for BR 7.1.4.2.2a mailbox-validated (#806)
e6650eb Add lints for S/MIME BR 7.1.4.2.2n country name (#807)
8d2c579 Lint for 7.1.2.7.2 BR (#810)
e76cc77 Add lint for checking that Subject attributes (RDNs) appear in the order prescribed by CABF BR 7.1.4.2 (#813)
a063d31 Add lints for S/MIME BR 7.1.2.3.b (#779)
a72ff4e util: gtld_map autopull updates for 2024-03-09T18:19:57 UTC (#811)
5501be1 Mailbox addresses from san for all br (#809)
9c67bdb Fix typo (#804)
83b5f8d Add lint for S/MIME BR 7.1.2.3 (k) (#799)
b9ff71f Add lint to enforce SMIME BRs: 7.1.4.2.1 requirement for mailbox addr… (#800)
a23de3d util: gtld_map autopull updates for 2024-02-20T21:17:08 UTC (#794)
bf84ed8 Add test case for smime ext subject directory attr (#801)
060b385 Lint for S/MIME BR 7.1.2.3.g (#797)
a4b46ef Add lint for subject directory attributes extension (#798)
1baec6e Fix copy/paste error (#796)
8deb02b Subject Key Identifier is not recommended by CABF BR v2 (#790)
fa85598 Handle ips in aia internal names (#791)

v3.6.1

Toggle v3.6.1's commit message 
ZLint v3.6.1

v3.6.0

Toggle v3.6.0's commit message 
ZLint v3.6.0

v3.6.0-rc2

Toggle v3.6.0-rc2's commit message 
ZLint v3.6.0-rc2

v3.6.0-rc1

Toggle v3.6.0-rc1's commit message 
The ZMap team is happy to share ZLint v3.6.0-rc1.

Thank you to everyone who contributes to ZLint!

No breaking changes were made in this release.

This is primarily a deprecation warning for the library usages of ZLint.

The [lint.Lint](https://github.com/zmap/zlint/blob/45e8dff6fe0d2a6989366a3dbd44713c360afc8f/v3/lint/base.go#L98) has been deprecated in favor of the categorical interfaces - [CertificateLint](https://github.com/zmap/zlint/blob/45e8dff6fe0d2a6989366a3dbd44713c360afc8f/v3/lint/base.go#L175) and [RevocationListLint](https://github.com/zmap/zlint/blob/45e8dff6fe0d2a6989366a3dbd44713c360afc8f/v3/lint/base.go#L240).

It is advised to refrain from implementing news lints that target the `lint.Lint` interface as this interface will be removed entirely in a future release.

When implementing a lint for a x509 certificate, library usages should favor implementing the `CertificateLint` interface. Similarly, when implementing a lint for a CRL, the `RevocationListLint` should be used.

Work has begun on the implementation of CABF/BR SMIME lints. For a complete list of lints being tracked please see #712

* SMIME certificates SHALL have cRLDistributionPoints (7.1.2.3.b)
* Strict and Multipurpose SMIME certificate AIA fields: OCSP Responder "When provided, every accessMethod SHALL have the URI scheme HTTP." (7.1.2.3.c.1)
* Strict and Multipurpose SMIME certificate AIA fields: caIssuers "When provided, every accessMethod SHALL have the URI scheme HTTP." (7.1.2.3.c.1)
* Key usage, RSA certs, strict policies: prevent all key usages other than digitalSignature, nonRepudiation, keyEncipherment (7.1.2.3.e)
* Key usage, RSA certs, multipurpose/legacy policies: prevent all key usages other than digitalSignature, nonRepudiation, keyEncipherment and dataEncipherment (7.1.2.3.e)
* Key usage, EC certs, all: prevent all key usages other than digitalSignature, nonRepudiation, keyAgreement, encipherOnly, decipherOnly (7.1.2.3.e)
* Key usage, EC certs, all: encipherOnly/decipherOnly are permitted only when keyAgreement is set (7.1.2.3.e)
* Key usage, Edwards certs, keys defined on curve 25519: Bit positions SHALL be set for digitalSignature and MAY be set for nonRepudiation (7.1.2.3.e)
* Extended key usage, strict: emailProtection SHALL be present. Other values SHALL NOT BE PRESENT (7.1.2.3.f)
* Extended key usage, multipurpose/legacy: emailProtection SHALL be present. Other values MAY be present (7.1.2.3.f)
* subjectAlternativeName, all: SHALL be present (7.1.2.3.h)
* subjectAlternativeName, all: SHOULD NOT be marked critical unless subject field is empty (7.1.2.3.h)
* Adobe Extensions, strict: is Prohibited (7.1.2.3.m)
* subject:emailAddress, all: if present, the subject:emailAddress SHALL contain a single Mailbox Address. (7.1.4.2.2.h)
* subject DN attributes for mailbox-validated profile (7.1.4.2.3)

* 43b6954 address smime lint applicability issue.  regenerate test certificates to fix unit tests broken by change (#764)
* e8c0c24 util: gtld_map autopull updates for 2023-11-06T23:18:29 UTC (#756)
* 64533b5 Ensure AIA URLs point to public paths (#760)
* 8923170 CABF SMIME BR 7.1.2.3.e - KeyUsages (#757)
* f9f30bc Fixing lint registration for CABF SMIME (#761)
* 1c307f4 Lints for CABF SMIME BRs 7.1.2.3.f - EKUs (#747)
* 553276d util: gtld_map autopull updates for 2023-10-19T17:18:28 UTC (#755)
* 2f54486 CABF SMIME 7.1.4.2.h If present, the subject:emailAddress SHALL contain a single Mailbox Address (#752)
* 2f0f4b8 build(deps): bump golang.org/x/net in /v3/cmd/genTestCerts (#751)
* 378c09f build(deps): bump golang.org/x/net from 0.8.0 to 0.17.0 in /v3 (#750)
* 88e01ad Lint for CABF SMIME 7.1.2.3.h - subjectAlternativeName SHOULD NOT be marked critical unless the subject field is an empty sequence (#746)
* 08a9354 Lint for CABF SMIME 7.1.2.3.h - subjectAlternativeName, all: SHALL be present (7.1.2.3.h) (#744)
* 386a8dc Lint for CABF SMIME 7.1.2.3b - cRLDistributionPoints SHALL be present (#742)
* 48baa89 Permit underscores in DNSNames if-and-only-if replacing all underscores results in valid LDH labels during BR 1.6.2's permissibility period (#661)
* ba30b3b Permit underscores in DNSNames if-and-only-if those certificates are valid for less than 30 days and during BR 1.6.2's permissibility period (#660)
* 1fd1c0d Part 1 of SC-62 related updates to zlint (#739)
* 5c4e05f util: gtld_map autopull updates for 2023-08-27T22:18:12 UTC (#737)
* 71d5e4b Reintroduce lint for inconsistent KU and EKU (#708)
* 59d4dd3 Inclusion of approximately 190000 email protection certificates into the test corpus (#738)
* d959c83 Add lint enforcing the restrictions on subject DN fields for mailbox validated SMIME certificates (#713)
* 624744d Include LintMetadata in the LintResult (#729)
* 38b7484 Add CRL Lints for the ReasonCode extension from the baseline requirements and RFC 5280 (#715)
* 1e3cf01 util: gtld_map autopull updates for 2023-07-25T22:18:37 UTC (#736)
* b492fe7 tidy: delete 'h' gitlog fragment from proj. root. (#735)
* 4d38bfe E ext cert policy disallowed any policy qualifier refactor (#732)
* 7602109 util: gtld_map autopull updates for 2023-07-08T13:20:31 UTC (#733)
* 40f2b32 Duplicate lints about keyIdentifier in certificates (#726)
* 3f1605e Ecdsa ee invalid ku check applies (#731)
* 8c46bdf Fix typo in LintRevocationListEx comment (#730)
* 7ef1f84 util: gtld_map autopull updates for 2023-06-14T22:18:50 UTC (#727)
* 5e0219d Bc critical (#722)
* 3746088 util: gtld_map autopull updates for 2023-06-06T18:20:14 UTC (#698)
* 9b18bdc Ca field empty description (#723)
* 59a91a2 Max length check applies (#724)

**Full Changelog**:v3.5.0...v3.6.0-rc1

v3.5.0

Toggle v3.5.0's commit message 
ZLint v3.5.0

v3.5.0-rc2

Toggle v3.5.0-rc2's commit message 
ZLint v3.5.0-rc2