Releases: zmap/zlint

v3.6.8

02 Nov 17:42
v3.6.8
f201c98

ZLint v3.6.8

The ZMap team is happy to share ZLint v3.6.8.

Thank you to everyone who contributes to ZLint!

New Lints

  • e_cab_iv_requires_personal_name_strict If certificate policy 2.23.140.1.2.3 is included givenName and surname MUST be included in subject
  • e_invalid_legacy_spki_algoid Checks that SubjectPublicKeyInfo.AlgorithmIdentifier is allowed
  • e_mailbox_validated_allowed_subjectdn_attributes Only certain Subject DN attributes are permitted to be present in mailbox-validated certificates.
  • e_crl_revoked_certificate_crl_entry_has_no_duplicate_extensions The revoked certificate in the CRL must not have duplicate extensions.
  • e_crl_auth_key_id_only_contains_keyid The AuthKey extension must only contain the KeyIdentifier field.

Bug Fixes

  • e_crl_extensions_validity corrected to check for Issuing Distribution Point rather than CRL Distribution Points.
  • e_crl_extensions_validity corrected the lint to return warnings, rather than errors, on CRL extensions that are not recommended.

Misc

  • e_ca_common_name_missing an update to citations
  • e_ca_organization_name_missing an update to citations
  • e_ca_country_name_invalid an update to citations
  • e_ca_aia_non_http_url an update to citations
  • e_ca_crl_sign_not_set an update to citations
  • n_ca_digital_signature_not_set an update to citations
  • Removed a duplicate entry in the integrations test suite
  • Added new logic to the e_ca_common_name_missing, e_ca_country_name_invalid, e_ca_country_name_missing, and e_ca_organization_name_missing lints that allows for the global boolean configuration CrossSignedCa. Doing so enables these lints to intelligently switch their logic to be accurate for cross-signed CA certificates.
  • A new facility has been added wherein an individual lint is given the opportunity to override the framework's applicability rules. This is especially useful for a handful of cases wherein OCSP signing certificates were subject to requirements defined in CABF/BRs; however, the framework filters out OCSP certificates for CABF/BRs.
  • Added the ability to lint OCSP responses via the CLI interface. This functionality was previously only available via the usage of ZLint as a library.

Changelog

  • f201c98 remove duplicate integration test data entry (#999)
  • 85b3ef4 util: gtld_map autopull updates for 2025-10-22T07:20:44 UTC (#1001)
  • 7dfef30 update n_ca_digital_signature_not_set citation, notice, and doc comment (#998)
  • e8db7b4 update ca ku error lint citations (#997)
  • a1126c8 add requirements comment to e_ca_aia_non_http_url (#996)
  • 1a79b47 Add lint to check Authkey extension contain KID only (#995)
  • 597a098 Zlint CLI supports linting ocsp responses (#993)
  • 30a1e16 Add lint to check that revoked certificates in a CRL doesn't have duplicate extensions (#994)
  • a03ec2d Allowed subjectdn attributes (#992)
  • 2e19b4c Allow for individual lints to opt-out of the ZLint framework executing pre-flight applicability rules (#842)
  • 341cb05 util: gtld_map autopull updates for 2025-09-14T15:20:04 UTC (#991)
  • c63416f (Chris) Add lint to check encoding of SubjectPublicKeyInfo.AlgorithmIdentifier in S/MIME certificates (#989)
  • 81bb184 Add cross-sign configuration for CA name tests (#987)
  • 77960bf util: gtld_map autopull updates for 2025-08-27T05:20:31 UTC (#988)
  • bb63cf4 Update README.md with 2025 reference to coverage spreadsheet (#985)
  • 34901b1 Fix CRL extensions lint (#984)
  • 8c38228 Update cab_iv_requires_personal_name lint to only require Personal Name (#980)
  • 79c3465 update CA countryName lints' citations (#979)
  • 130542a update language and citations for e_ca_organization_name_missing (#981)
  • bdb982d Formatting for a contributor (#977)
  • 5b6b916 Replace CRL Distribution Points oid(2.5.29.31) with Issuing Distribution Point oid(2.5.29.28) when checking crl extension validity (#974)
  • 5891820 update citation for e_ca_common_name_missing (#976)

Full Changelog: v3.6.7...v3.6.8

v3.6.8-rc1

25 Oct 18:30
v3.6.8-rc1
f201c98

v3.6.8-rc1 Pre-release

ZLint v3.6.8-rc1

The ZMap team is happy to share ZLint v3.6.8-rc1.

Thank you to everyone who contributes to ZLint!

New Lints

  • e_cab_iv_requires_personal_name_strict If certificate policy 2.23.140.1.2.3 is included givenName and surname MUST be included in subject
  • e_invalid_legacy_spki_algoid Checks that SubjectPublicKeyInfo.AlgorithmIdentifier is allowed
  • e_mailbox_validated_allowed_subjectdn_attributes Only certain Subject DN attributes are permitted to be present in mailbox-validated certificates.
  • e_crl_revoked_certificate_crl_entry_has_no_duplicate_extensions The revoked certificate in the CRL must not have duplicate extensions.
  • e_crl_auth_key_id_only_contains_keyid The AuthKey extension must only contain the KeyIdentifier field.

Bug Fixes

  • e_crl_extensions_validity corrected to check for Issuing Distribution Point rather than CRL Distribution Points.
  • e_crl_extensions_validity corrected the lint to return warnings, rather than errors, on CRL extensions that are not recommended.

Misc

  • e_ca_common_name_missing an update to citations
  • e_ca_organization_name_missing an update to citations
  • e_ca_country_name_invalid an update to citations
  • e_ca_aia_non_http_url an update to citations
  • e_ca_crl_sign_not_set an update to citations
  • n_ca_digital_signature_not_set an update to citations
  • Removed a duplicate entry in the integrations test suite
  • Added new logic to the e_ca_common_name_missing, e_ca_country_name_invalid, e_ca_country_name_missing, and e_ca_organization_name_missing lints that allows for the global boolean configuration CrossSignedCa. Doing so enables these lints to intelligently switch their logic to be accurate for cross-signed CA certificates.
  • A new facility has been added wherein an individual lint is given the opportunity to override the framework's applicability rules. This is especially useful for a handful of cases wherein OCSP signing certificates were subject to requirements defined in CABF/BRs; however, the framework filters out OCSP certificates for CABF/BRs.
  • Added the ability to lint OCSP responses via the CLI interface. This functionality was previously only available via the usage of ZLint as a library.

Changelog

  • f201c98 remove duplicate integration test data entry (#999)
  • 85b3ef4 util: gtld_map autopull updates for 2025-10-22T07:20:44 UTC (#1001)
  • 7dfef30 update n_ca_digital_signature_not_set citation, notice, and doc comment (#998)
  • e8db7b4 update ca ku error lint citations (#997)
  • a1126c8 add requirements comment to e_ca_aia_non_http_url (#996)
  • 1a79b47 Add lint to check Authkey extension contain KID only (#995)
  • 597a098 Zlint CLI supports linting ocsp responses (#993)
  • 30a1e16 Add lint to check that revoked certificates in a CRL doesn't have duplicate extensions (#994)
  • a03ec2d Allowed subjectdn attributes (#992)
  • 2e19b4c Allow for individual lints to opt-out of the ZLint framework executing pre-flight applicability rules (#842)
  • 341cb05 util: gtld_map autopull updates for 2025-09-14T15:20:04 UTC (#991)
  • c63416f (Chris) Add lint to check encoding of SubjectPublicKeyInfo.AlgorithmIdentifier in S/MIME certificates (#989)
  • 81bb184 Add cross-sign configuration for CA name tests (#987)
  • 77960bf util: gtld_map autopull updates for 2025-08-27T05:20:31 UTC (#988)
  • bb63cf4 Update README.md with 2025 reference to coverage spreadsheet (#985)
  • 34901b1 Fix CRL extensions lint (#984)
  • 8c38228 Update cab_iv_requires_personal_name lint to only require Personal Name (#980)
  • 79c3465 update CA countryName lints' citations (#979)
  • 130542a update language and citations for e_ca_organization_name_missing (#981)
  • bdb982d Formatting for a contributor (#977)
  • 5b6b916 Replace CRL Distribution Points oid(2.5.29.31) with Issuing Distribution Point oid(2.5.29.28) when checking crl extension validity (#974)
  • 5891820 update citation for e_ca_common_name_missing (#976)

Full Changelog: v3.6.7...v3.6.8-rc1

v3.6.7

19 Jul 16:09
v3.6.7
7ede4d5

ZLint v3.6.7

The ZMap team is happy to share ZLint v3.6.7.

Thank you to everyone who contributes to ZLint!

New Lints

  • e_qcstatem_pds_must_have_https_only, Checks that a QC Statement of the type id-etsi-qcs-QcPDS contains a URL that uses the https scheme.
  • e_server_cert_valid_time_longer_than_100_days, TLS server certificates issued on or after March 15, 2027 00:00 GMT/UTC must not have a validity period greater than 100 days.
  • e_server_cert_valid_time_longer_than_200_days, TLS server certificates issued on or after March 15, 2026 00:00 GMT/UTC must not have a validity period greater than 200 days.
  • e_server_cert_valid_time_longer_than_47_days, TLS server certificates issued on or after March 15, 2029 00:00 GMT/UTC must not have a validity period greater than 47 days.
  • w_server_cert_valid_time_longer_than_199_days, TLS server certificates issued on or after March 15, 2026 00:00 GMT/UTC should not have a validity period greater than 199 days.
  • w_server_cert_valid_time_longer_than_46_days, TLS server certificates issued on or after March 15, 2029 00:00 GMT/UTC should not have a validity period greater than 46 days.
  • w_server_cert_valid_time_longer_than_99_days, TLS server certificates issued on or after March 15, 2027 00:00 GMT/UTC should not have a validity period greater than 99 days.
  • e_legacy_generation_deprecated, S/MIME Subscriber Certificates SHALL NOT be issued using the Legacy Generation profiles.
  • e_invalid_individual_identity, Non-legacy IV and SV certificates... SHALL include either subject:givenName and/or subject:surname, or the subject:pseudonym.
  • e_ca_multiple_reserved_policy_oids, The CA MUST include exactly one Reserved Certificate Policy Identifier.
  • e_missing_crl_distrib_point, Checks for the CDP extension in non-Short-lived Subscriber Certificates lacking an OCSP pointer.
  • e_crl_revocation_date_too_early, The revocation time of each revoked certificate should not be before the publication date of RFC 2459.
  • e_crl_extensions_validity, Checks that only allowed extensions are present in a CRL and that their criticality is set correctly.
  • e_crl_no_duplicate_extensions, The CRL must not include duplicate extensions.
  • e_crl_revocation_time_after_this_update, All revocation times for revoked certificates must be on or before the thisUpdate field of the CRL.
  • e_crl_number_out_of_range, The CRL number must be greater than or equal to 0 and less than 2^159.
  • e_ca_aia_non_http_url, Within the AIA extension of CA certificates, accessLocations must contain HTTP URLs.

Bug Fixes

  • e_mp_ecdsa_pub_key_encoding_correct is now aware of P-521 algorithm identifiers.
  • w_sub_ca_aia_does_not_contain_issuing_ca_url is now ineffective as of CABF/BRs 2.0.0.

Security

  • Upgraded golang.org/x/net from 0.37.0 to 0.38.0 to address CVE-2025-22872

Misc

  • Refactor of time utility functions.
  • Upgraded Go version from 1.23.0 to 1.24.0.
  • Upgraded golangci-lint from 1.62.0 to 1.62.8 to fix CICD compatibility breakages.

Changelog

  • 7ede4d5 set IneffectiveDate for w_sub_ca_aia_does_not_contain_issuing_ca_url (#972)
  • 4b2f3ab Upgrade Golang and tooling to fix the linter (#971)
  • 91dfcc0 Add lint to check for HTTP URLs in the AIA extension of Subordinate CA certificates (#968)
  • 341615f Add lint to check CRL Number range (#964)
  • ee3ab84 Add lint to check that revoked certificates in a CRL has revocation time before or equal to thisUpdate. (#965)
  • 09caaf7 Add lint to check for duplicate extensions in CRLs. (#963)
  • 7ba4cea Add CRL lint to check CRL extensions and their validity (#962)
  • 0747c42 Add CRL lint to check revocation time in revoked certificates (#961)
  • fff6f82 Add lint to check for the CDP extension to be present in non-Short-lived Subscriber Certificates lacking an OCSP pointer (#966)
  • 71f17a7 Add lint to check for multiple Reserved Policy Identifiers in Subordinate CA certificates (#959)
  • 8696d6c Add lint to check for mandatory individual identity subject attributes in non-legacy IV and SV S/MIME certificates (#958)
  • 28c4390 Please add lint to check for deprecated "legacy generation" S/MIME policy OIDs (#957)
  • 0efbae8 Sc081 update (#955)
  • 82294d2 Update Mozilla SPKI and SignatureAlgorithm encoding lints (#950)
  • 4c12143 util: gtld_map autopull updates for 2025-05-17T01:50:26 UTC (#954)
  • c730a76 SC081 shorter validities (#952)
  • e835b93 util: gtld_map autopull updates for 2025-04-30T04:21:20 UTC (#948)
  • f605149 qcstatem pds must have https only (#935)
  • d1fdcb8 util: gtld_map autopull updates for 2025-04-24T03:28:02 UTC (#945)
  • a790035 build(deps): bump golang.org/x/net in /v3/cmd/genTestCerts (#946)

Full Changelog: v3.6.6...v3.6.7

v3.6.7-rc1

13 Jul 15:08
v3.6.7-rc1
7ede4d5

v3.6.7-rc1 Pre-release

ZLint v3.6.7-rc1

The ZMap team is happy to share ZLint v3.6.7-rc1.

Thank you to everyone who contributes to ZLint!

New Lints

  • e_qcstatem_pds_must_have_https_only, Checks that a QC Statement of the type id-etsi-qcs-QcPDS contains a URL that uses the https scheme.
  • e_server_cert_valid_time_longer_than_100_days, TLS server certificates issued on or after March 15, 2027 00:00 GMT/UTC must not have a validity period greater than 100 days.
  • e_server_cert_valid_time_longer_than_200_days, TLS server certificates issued on or after March 15, 2026 00:00 GMT/UTC must not have a validity period greater than 200 days.
  • e_server_cert_valid_time_longer_than_47_days, TLS server certificates issued on or after March 15, 2029 00:00 GMT/UTC must not have a validity period greater than 47 days.
  • w_server_cert_valid_time_longer_than_199_days, TLS server certificates issued on or after March 15, 2026 00:00 GMT/UTC should not have a validity period greater than 199 days.
  • w_server_cert_valid_time_longer_than_46_days, TLS server certificates issued on or after March 15, 2029 00:00 GMT/UTC should not have a validity period greater than 46 days.
  • w_server_cert_valid_time_longer_than_99_days, TLS server certificates issued on or after March 15, 2027 00:00 GMT/UTC should not have a validity period greater than 99 days.
  • e_legacy_generation_deprecated, S/MIME Subscriber Certificates SHALL NOT be issued using the Legacy Generation profiles.
  • e_invalid_individual_identity, Non-legacy IV and SV certificates... SHALL include either subject:givenName and/or subject:surname, or the subject:pseudonym.
  • e_ca_multiple_reserved_policy_oids, The CA MUST include exactly one Reserved Certificate Policy Identifier.
  • e_missing_crl_distrib_point, Checks for the CDP extension in non-Short-lived Subscriber Certificates lacking an OCSP pointer.
  • e_crl_revocation_date_too_early, The revocation time of each revoked certificate should not be before the publication date of RFC 2459.
  • e_crl_extensions_validity, Checks that only allowed extensions are present in a CRL and that their criticality is set correctly.
  • e_crl_no_duplicate_extensions, The CRL must not include duplicate extensions.
  • e_crl_revocation_time_after_this_update, All revocation times for revoked certificates must be on or before the thisUpdate field of the CRL.
  • e_crl_number_out_of_range, The CRL number must be greater than or equal to 0 and less than 2^159.
  • e_ca_aia_non_http_url, Within the AIA extension of CA certificates, accessLocations must contain HTTP URLs.

Bug Fixes

  • e_mp_ecdsa_pub_key_encoding_correct is now aware of P-521 algorithm identifiers.
  • w_sub_ca_aia_does_not_contain_issuing_ca_url is now ineffective as of CABF/BRs 2.0.0.

Security

  • Upgraded golang.org/x/net from 0.37.0 to 0.38.0 to address CVE-2025-22872

Misc

  • Refactor of time utility functions.
  • Upgraded Go version from 1.23.0 to 1.24.0.
  • Upgraded golangci-lint from 1.62.0 to 1.62.8 to fix CICD compatibility breakages.

Changelog

  • 7ede4d5 set IneffectiveDate for w_sub_ca_aia_does_not_contain_issuing_ca_url (#972)
  • 4b2f3ab Upgrade Golang and tooling to fix the linter (#971)
  • 91dfcc0 Add lint to check for HTTP URLs in the AIA extension of Subordinate CA certificates (#968)
  • 341615f Add lint to check CRL Number range (#964)
  • ee3ab84 Add lint to check that revoked certificates in a CRL has revocation time before or equal to thisUpdate. (#965)
  • 09caaf7 Add lint to check for duplicate extensions in CRLs. (#963)
  • 7ba4cea Add CRL lint to check CRL extensions and their validity (#962)
  • 0747c42 Add CRL lint to check revocation time in revoked certificates (#961)
  • fff6f82 Add lint to check for the CDP extension to be present in non-Short-lived Subscriber Certificates lacking an OCSP pointer (#966)
  • 71f17a7 Add lint to check for multiple Reserved Policy Identifiers in Subordinate CA certificates (#959)
  • 8696d6c Add lint to check for mandatory individual identity subject attributes in non-legacy IV and SV S/MIME certificates (#958)
  • 28c4390 Please add lint to check for deprecated "legacy generation" S/MIME policy OIDs (#957)
  • 0efbae8 Sc081 update (#955)
  • 82294d2 Update Mozilla SPKI and SignatureAlgorithm encoding lints (#950)
  • 4c12143 util: gtld_map autopull updates for 2025-05-17T01:50:26 UTC (#954)
  • c730a76 SC081 shorter validities (#952)
  • e835b93 util: gtld_map autopull updates for 2025-04-30T04:21:20 UTC (#948)
  • f605149 qcstatem pds must have https only (#935)
  • d1fdcb8 util: gtld_map autopull updates for 2025-04-24T03:28:02 UTC (#945)
  • a790035 build(deps): bump golang.org/x/net in /v3/cmd/genTestCerts (#946)

Full Changelog: v3.6.6...v3.6.7-rc1

v3.6.6

26 Apr 14:42
v3.6.6
c2d9286

ZLint v3.6.6

The ZMap team is happy to share ZLint v3.6.6.

Thank you to everyone who contributes to ZLint!

New Feature

  • Preliminary support for OCSP response linting via the library usage of ZLint

New Lints

  • e_crl_next_update_invalid, For CRLs covering (EE|CA) certificates, nextUpdate must be at most (10 days|12 months) beyond thisUpdate
  • e_qcstatem_qctype_smime, Checks that a QC Statement of the type Id-etsi-qcs-QcType features at least one of the types IdEtsiQcsQctEsign or IdEtsiQcsQctEseal, in case of an S/MIME certificate
  • e_utf8_latin1_mixup, Checks for wrongly encoded diacritics due to UTF-8 mistaken for Latin-1

Bug Fixes

  • Panics from individual lints no longer impact the execution of other lints
  • Corrected an issue in e_ev_extra_subject_attribs wherein OU was incorrectly marked as forbidden
  • Corrected an issue with not all lint sources being considered correctly during filtering
  • Corrected citation e_this_update_not_after_produced_at

Security

  • Upgraded golang.org/x/net from 0.33.0 to 0.37.0 to address CVE-2025-22870
  • Upgraded golang.org/x/net from 0.37.0 to 0.38.0 to address CVE-2025-22872

Changelog

  • c2d9286 Fix reference and description of OCSP lint (#937)
  • b60a4b1 build(deps): bump golang.org/x/net in /v3/cmd/gen_test_crl (#939)
  • d163497 build(deps): bump golang.org/x/net from 0.37.0 to 0.38.0 in /v3 (#936)
  • e8d0409 Corrected an issue with not all lint sources being considered correctly during filtering (#934)
  • 80afcba Framework for linting OSCP responses (#917)
  • 7a0479c Add lint to detect wrongly encoded diacritics due to UTF-8 mistaken for Latin-1 (#931)
  • f68dfde Patch golang.org/x/net for CVE-2025-22870 (#928)
  • 3cc488f Update README.md (#926)
  • 900a4d0 Fix the linter (#929)
  • 502f687 Qc type web also smime (#919)
  • 7f772fd Updating actions/cache to v4 to fix integration tests (#927)
  • 59fffe7 util: gtld_map autopull updates for 2025-02-28T00:33:21 UTC (#920)
  • a2721f2 Add lint to check CRLs for a valid nextUpdate as per CABF BRs (#916)
  • f8bbdec OU (2.5.4.11) is incorrectly omitted from the allow list in e_ev_extra_subject_attribs (#915)
  • 62639df Panics should not prevent other lints from running (#914)
  • 32cb0bf Update README.md (#909)

Full Changelog: v3.6.5...v3.6.6

v3.6.6-rc2

20 Apr 21:07
v3.6.6-rc2
c2d9286

v3.6.6-rc2 Pre-release

ZLint v3.6.6-rc2

The ZMap team is happy to share ZLint v3.6.6-rc2.

Thank you to everyone who contributes to ZLint!

New Feature

  • Preliminary support for OCSP response linting via the library usage of ZLint

New Lints

  • e_crl_next_update_invalid, For CRLs covering (EE|CA) certificates, nextUpdate must be at most (10 days|12 months) beyond thisUpdate
  • e_qcstatem_qctype_smime, Checks that a QC Statement of the type Id-etsi-qcs-QcType features at least one of the types IdEtsiQcsQctEsign or IdEtsiQcsQctEseal, in case of an S/MIME certificate
  • e_utf8_latin1_mixup, Checks for wrongly encoded diacritics due to UTF-8 mistaken for Latin-1

Bug Fixes

  • Panics from individual lints no longer impact the execution of other lints
  • Corrected an issue in e_ev_extra_subject_attribs wherein OU was incorrectly marked as forbidden
  • Corrected an issue with not all lint sources being considered correctly during filtering
  • Corrected citation e_this_update_not_after_produced_at

Security

  • Upgraded golang.org/x/net from 0.33.0 to 0.37.0 to address CVE-2025-22870
  • Upgraded golang.org/x/net from 0.37.0 to 0.38.0 to address CVE-2025-22872

Changelog

  • c2d9286 Fix reference and description of OCSP lint (#937)
  • b60a4b1 build(deps): bump golang.org/x/net in /v3/cmd/gen_test_crl (#939)
  • d163497 build(deps): bump golang.org/x/net from 0.37.0 to 0.38.0 in /v3 (#936)
  • e8d0409 Corrected an issue with not all lint sources being considered correctly during filtering (#934)
  • 80afcba Framework for linting OSCP responses (#917)
  • 7a0479c Add lint to detect wrongly encoded diacritics due to UTF-8 mistaken for Latin-1 (#931)
  • f68dfde Patch golang.org/x/net for CVE-2025-22870 (#928)
  • 3cc488f Update README.md (#926)
  • 900a4d0 Fix the linter (#929)
  • 502f687 Qc type web also smime (#919)
  • 7f772fd Updating actions/cache to v4 to fix integration tests (#927)
  • 59fffe7 util: gtld_map autopull updates for 2025-02-28T00:33:21 UTC (#920)
  • a2721f2 Add lint to check CRLs for a valid nextUpdate as per CABF BRs (#916)
  • f8bbdec OU (2.5.4.11) is incorrectly omitted from the allow list in e_ev_extra_subject_attribs (#915)
  • 62639df Panics should not prevent other lints from running (#914)
  • 32cb0bf Update README.md (#909)

Full Changelog: v3.6.5...v3.6.6-rc2

v3.6.6-rc1

13 Apr 14:43
v3.6.6-rc1
e8d0409

v3.6.6-rc1 Pre-release

ZLint v3.6.6-rc1

The ZMap team is happy to share ZLint v3.6.6-rc1.

Thank you to everyone who contributes to ZLint!

New Feature

  • Preliminary support for OCSP response linting via the library usage of ZLint.

New Lints

  • e_crl_next_update_invalid, For CRLs covering (EE|CA) certificates, nextUpdate must be at most (10 days|12 months) beyond thisUpdate
  • e_qcstatem_qctype_smime, Checks that a QC Statement of the type Id-etsi-qcs-QcType features at least one of the types IdEtsiQcsQctEsign or IdEtsiQcsQctEseal, in case of an S/MIME certificate.
  • e_utf8_latin1_mixup, Checks for wrongly encoded diacritics due to UTF-8 mistaken for Latin-1

Bug Fixes

  • Panics from individual lints no longer impact the execution of other lints.
  • Corrected an issue in e_ev_extra_subject_attribs wherein OU was incorrectly marked as forbidden
  • Corrected an issue with not all lint sources being considered correctly during filtering

Security

  • Upgraded golang.org/x/net from 0.33.0 to 0.37.0 to address CVE-2025-22870

Changelog

  • e8d0409 Corrected an issue with not all lint sources being considered correctly during filtering (#934)
  • 80afcba Framework for linting OSCP responses (#917)
  • 7a0479c Add lint to detect wrongly encoded diacritics due to UTF-8 mistaken for Latin-1 (#931)
  • f68dfde Patch golang.org/x/net for CVE-2025-22870 (#928)
  • 3cc488f Update README.md (#926)
  • 900a4d0 Fix the linter (#929)
  • 502f687 Qc type web also smime (#919)
  • 7f772fd Updating actions/cache to v4 to fix integration tests (#927)
  • 59fffe7 util: gtld_map autopull updates for 2025-02-28T00:33:21 UTC (#920)
  • a2721f2 Add lint to check CRLs for a valid nextUpdate as per CABF BRs (#916)
  • f8bbdec OU (2.5.4.11) is incorrectly omitted from the allow list in e_ev_extra_subject_attribs (#915)
  • 62639df Panics should not prevent other lints from running (#914)
  • 32cb0bf Update README.md (#909)

Full Changelog: v3.6.5...v3.6.6-rc1

v3.6.5-rc2

05 Jan 16:10
v3.6.5-rc2
168649f

v3.6.5-rc2 Pre-release

ZLint v3.6.5-rc2

The ZMap team is happy to share ZLint v3.6.5-rc2.

Thank you to everyone who contributes to ZLint!

New Lints

  • e_subj_contains_html_entities Detects the presence of HTML entities (e.g. '&amp;') in the Subject, which probably shouldn't be there
  • e_ev_invalid_orgid_reg_scheme The Registration Schemes allowed in organizationIdentifier are those listed in Appendix H
  • e_ev_extra_subject_attribs CAs SHALL NOT include any Subject Distinguished Name attributes except as specified
  • e_crl_has_authority_key_identifier The CRL must include Authority Key Identifier extension
  • e_crl_unique_revoked_certificate The CRL must not include duplicate serial numbers in its revoked certificates list
  • e_invalid_ca_certificate_policies Checks that the Policy OIDs in the CertificatePolicies extension of a SubCA certificate comply with CABF requirements

Bug Fixes

  • Corrected e_ev_extra_subject_attribs to not allow OUs

Security

  • Upgraded golang.org/x/crypto from 0.25.0 to 0.31.0 to address CVE-2024-45337
  • Upgraded golang.org/x/net from 0.27.0 to 0.33.0 to address CVE-2024-45338

Misc

  • More clear language in CLI option descriptions.
  • An upgrade to the repository's linter.
  • Addition of the Delta CRL Indicator OID to the list of known OIDs
  • Added effective dates for CABF/BR 2.0.1 to 2.0.8
  • Typo correction in citation string for e_crl_has_authority_key_identifier
  • Updated ZCrypto to 3a86168
  • Updates to the newLint.sh helper script.
  • New repo tooling to generate test CRLs.

Changelog

  • 629cb54 Add lint to detect HTML entities in Subject attributes (#907)
  • cd73211 fix: organizationUnitName is prohibited (#903)
  • 1fccaa7 Patch for CVE CVE-2024-45337 in test CRL generation tool (#906)
  • 5c47a01 build(deps): bump golang.org/x/crypto in /v3/cmd/genTestCerts (#905)
  • cb26b9e build(deps): bump golang.org/x/crypto from 0.25.0 to 0.31.0 in /v3 (#904)
  • 0d1ece3 Add lint to check for a valid Registration Scheme in the Subject.organizationIdentifier of EV certificates (#901)
  • 82c722b Add lint to check that EV certificates contain only allowed attributes in the Subject (#902)
  • 529e5e5 Add functionality to generate CRL in asn1 encoding (#893)
  • 5807078 Fix newLint.sh CLI (#897)
  • 5534545 Linter is broken due to a broken dependency on an old Golang version (#900)
  • d0b1e1f Update to zcrypto 3a86168 (#899)
  • 989baef Correct typo in RFC section reference (#898)
  • 6ec3b31 Add lint to check Authority Key Identifier in CRL Extension (#892)
  • eba3486 Add Effective Date for recent CABFBRs (#895)
  • 84d8f29 Add Delta CRL Indicator Oid (#896)
  • 920bf49 Add Delta CRL Indicator Oid (#894)
  • 4b55d49 Add lint to check that CRL does not have duplicates in RevokedCertificates (#890)
  • d0dc117 Add lint for checking compliance with §7.1.2.10.5 of the BRs (CA Certificate Policies) (#887)
  • f1f5644 Upgrade linter to 1.61.0 and address new lints (#891)
  • 45a7d73 Improve the language on some CLI option descriptions (#886)

Full Changelog: v3.6.4...v3.6.5-rc2

v3.6.5

12 Jan 17:43
168649f

ZLint v3.6.5

The ZMap team is happy to share ZLint v3.6.5.

Thank you to everyone who contributes to ZLint!

New Lints

  • e_subj_contains_html_entities Detects the presence of HTML entities (e.g. '&amp;') in the Subject, which probably shouldn't be there
  • e_ev_invalid_orgid_reg_scheme The Registration Schemes allowed in organizationIdentifier are those listed in Appendix H
  • e_ev_extra_subject_attribs CAs SHALL NOT include any Subject Distinguished Name attributes except as specified
  • e_crl_has_authority_key_identifier The CRL must include Authority Key Identifier extension
  • e_crl_unique_revoked_certificate The CRL must not include duplicate serial numbers in its revoked certificates list
  • e_invalid_ca_certificate_policies Checks that the Policy OIDs in the CertificatePolicies extension of a SubCA certificate comply with CABF requirements

Bug Fixes

  • Corrected e_ev_extra_subject_attribs to not allow OUs

Security

  • Upgraded golang.org/x/crypto from 0.25.0 to 0.31.0 to address CVE-2024-45337
  • Upgraded golang.org/x/net from 0.27.0 to 0.33.0 to address CVE-2024-45338

Misc

  • More clear language in CLI option descriptions.
  • An upgrade to the repository's linter.
  • Addition of the Delta CRL Indicator OID to the list of known OIDs
  • Added effective dates for CABF/BR 2.0.1 to 2.0.8
  • Typo correction in citation string for e_crl_has_authority_key_identifier
  • Updated ZCrypto to 3a86168
  • Updates to the newLint.sh helper script.
  • New repo tooling to generate test CRLs.

Changelog

  • 629cb54 Add lint to detect HTML entities in Subject attributes (#907)
  • cd73211 fix: organizationUnitName is prohibited (#903)
  • 1fccaa7 Patch for CVE CVE-2024-45337 in test CRL generation tool (#906)
  • 5c47a01 build(deps): bump golang.org/x/crypto in /v3/cmd/genTestCerts (#905)
  • cb26b9e build(deps): bump golang.org/x/crypto from 0.25.0 to 0.31.0 in /v3 (#904)
  • 0d1ece3 Add lint to check for a valid Registration Scheme in the Subject.organizationIdentifier of EV certificates (#901)
  • 82c722b Add lint to check that EV certificates contain only allowed attributes in the Subject (#902)
  • 529e5e5 Add functionality to generate CRL in asn1 encoding (#893)
  • 5807078 Fix newLint.sh CLI (#897)
  • 5534545 Linter is broken due to a broken dependency on an old Golang version (#900)
  • d0b1e1f Update to zcrypto 3a86168 (#899)
  • 989baef Correct typo in RFC section reference (#898)
  • 6ec3b31 Add lint to check Authority Key Identifier in CRL Extension (#892)
  • eba3486 Add Effective Date for recent CABFBRs (#895)
  • 84d8f29 Add Delta CRL Indicator Oid (#896)
  • 920bf49 Add Delta CRL Indicator Oid (#894)
  • 4b55d49 Add lint to check that CRL does not have duplicates in RevokedCertificates (#890)
  • d0dc117 Add lint for checking compliance with §7.1.2.10.5 of the BRs (CA Certificate Policies) (#887)
  • f1f5644 Upgrade linter to 1.61.0 and address new lints (#891)
  • 45a7d73 Improve the language on some CLI option descriptions (#886)

Full Changelog: v3.6.4...v3.6.5

v3.6.5-rc1

28 Dec 18:46
v3.6.5-rc1
629cb54

v3.6.5-rc1 Pre-release

ZLint v3.6.5-rc1

The ZMap team is happy to share ZLint v3.6.5-rc1.

Thank you to everyone who contributes to ZLint!

New Lints

  • e_subj_contains_html_entities Detects the presence of HTML entities (e.g. '&amp;') in the Subject, which probably shouldn't be there
  • e_ev_invalid_orgid_reg_scheme The Registration Schemes allowed in organizationIdentifier are those listed in Appendix H
  • e_ev_extra_subject_attribs CAs SHALL NOT include any Subject Distinguished Name attributes except as specified
  • e_crl_has_authority_key_identifier The CRL must include Authority Key Identifier extension
  • e_crl_unique_revoked_certificate The CRL must not include duplicate serial numbers in its revoked certificates list
  • e_invalid_ca_certificate_policies Checks that the Policy OIDs in the CertificatePolicies extension of a SubCA certificate comply with CABF requirements

Bug Fixes

  • Corrected e_ev_extra_subject_attribs to not allow OUs

Security

  • Upgraded golang.org/x/crypto from 0.25.0 to 0.31.0 to address CVE-2024-45337

Misc

  • More clear language in CLI option descriptions.
  • An upgrade to the repository's linter.
  • Addition of the Delta CRL Indicator OID to the list of known OIDs
  • Added effective dates for CABF/BR 2.0.1 to 2.0.8
  • Typo correction in citation string for e_crl_has_authority_key_identifier
  • Updated ZCrypto to 3a86168
  • Updates to the newLint.sh helper script.
  • New repo tooling to generate test CRLs.

Changelog

  • 629cb54 Add lint to detect HTML entities in Subject attributes (#907)
  • cd73211 fix: organizationUnitName is prohibited (#903)
  • 1fccaa7 Patch for CVE CVE-2024-45337 in test CRL generation tool (#906)
  • 5c47a01 build(deps): bump golang.org/x/crypto in /v3/cmd/genTestCerts (#905)
  • cb26b9e build(deps): bump golang.org/x/crypto from 0.25.0 to 0.31.0 in /v3 (#904)
  • 0d1ece3 Add lint to check for a valid Registration Scheme in the Subject.organizationIdentifier of EV certificates (#901)
  • 82c722b Add lint to check that EV certificates contain only allowed attributes in the Subject (#902)
  • 529e5e5 Add functionality to generate CRL in asn1 encoding (#893)
  • 5807078 Fix newLint.sh CLI (#897)
  • 5534545 Linter is broken due to a broken dependency on an old Golang version (#900)
  • d0b1e1f Update to zcrypto 3a86168 (#899)
  • 989baef Correct typo in RFC section reference (#898)
  • 6ec3b31 Add lint to check Authority Key Identifier in CRL Extension (#892)
  • eba3486 Add Effective Date for recent CABFBRs (#895)
  • 84d8f29 Add Delta CRL Indicator Oid (#896)
  • 920bf49 Add Delta CRL Indicator Oid (#894)
  • 4b55d49 Add lint to check that CRL does not have duplicates in RevokedCertificates (#890)
  • d0dc117 Add lint for checking compliance with §7.1.2.10.5 of the BRs (CA Certificate Policies) (#887)
  • f1f5644 Upgrade linter to 1.61.0 and address new lints (#891)
  • 45a7d73 Improve the language on some CLI option descriptions (#886)

Full Changelog: v3.6.4...v3.6.5-rc1