Tags: pkic/zlint
ZLint v3.0.0

The ZMap team is happy to share ZLint v3.0.0. Beyond bug fixes and new lints, this major release also has a few breaking changes from v2.x.x that we want to draw to your attention.

Breaking Changes:
* `w_dnsname_wildcard_left_of_public_suffix` and `w_san_iana_pub_suffix_empty` have been demoted from warnings to notices and renamed accordingly (`n_dnsname_wildcard_left_of_public_suffix` and `n_san_iana_pub_suffix_empty`).
* The `e_tls_server_cert_valid_time_longer_than_398_days` lint now only returns an error finding for certs exceeding the 398 day lifetime. The warning result previously returned for exceeding the 397 day lifetime suggestion is now a separate `w_tls_server_cert_valid_time_longer_than_397_days` lint.
* The `lint.AppleCTPolicy` lint source was renamed to `lint.AppleRootStorePolicy`.
* The `lint.AWSLabs` and `lint.ZLint` lint sources were combined into one new lint source, `lint.Community`.

New Lints:
* `w_tls_server_cert_valid_time_longer_than_397_days` - see the breaking change notes above.

Bug Fixes:
* Previously `n_san_iana_pub_suffix_empty` could only flag one DNS name in a certificate and would potentially return NA for certificates with one or more names that fail to be parsed by publicsuffix-go. It now handles both cases correctly.
* Removed `testdata/QcStmtEtsiQcComplWithNonEmptyStmtInfoCert19.pem` and its test case. Updated Go 1.15/ZCrypto now throw a parse error for this test case, since they are QcStatement aware.

Misc:
* Project and releases now built with Go 1.15.x.
* Updated TLD data (current to 2020-11-21).
* Integration test failures now include error/warning/info overviews.
* ZCrypto dependency bumped to latest commit.
* Project CI converted from Travis CI to GitHub Actions.
ZLint v3.0.0-rc1

The ZMap team is happy to share ZLint v3.0.0-rc1. Beyond bug fixes and new lints, this major release candidate also has a few breaking changes from v2.x.x that we want to draw to your attention.

Breaking Changes:
* `w_dnsname_wildcard_left_of_public_suffix` and `w_san_iana_pub_suffix_empty` have been demoted from warnings to notices and renamed accordingly (`n_dnsname_wildcard_left_of_public_suffix` and `n_san_iana_pub_suffix_empty`).
* The `e_tls_server_cert_valid_time_longer_than_398_days` lint now only returns an error finding for certs exceeding the 398 day lifetime. The warning result previously returned for exceeding the 397 day lifetime suggestion is now a separate `w_tls_server_cert_valid_time_longer_than_397_days` lint.
* The `lint.AppleCTPolicy` lint source was renamed to `lint.AppleRootStorePolicy`.
* The `lint.AWSLabs` and `lint.ZLint` lint sources were combined into one new lint source, `lint.Community`.

New Lints:
* `w_tls_server_cert_valid_time_longer_than_397_days` - see the breaking change notes above.

Bug Fixes:
* Previously `n_san_iana_pub_suffix_empty` could only flag one DNS name in a certificate and would potentially return NA for certificates with one or more names that fail to be parsed by publicsuffix-go. It now handles both cases correctly.
* Removed `testdata/QcStmtEtsiQcComplWithNonEmptyStmtInfoCert19.pem` and its test case. Updated Go 1.15/ZCrypto now throw a parse error for this test case, since they are QcStatement aware.

Misc:
* Project and releases now built with Go 1.15.x.
* Updated TLD data (current to 2020-11-21).
* Integration test failures now include error/warning/info overviews.
* ZCrypto dependency bumped to latest commit.
* Project CI converted from Travis CI to GitHub Actions.
ZLint v2.2.1

The ZMap team is happy to share ZLint v2.2.1. This minor release primarily includes a fix for a security vulnerability in a dependency. We encourage anyone using ZLint on untrusted certificate inputs to upgrade.

Bug Fixes:
* `golang.org/x/text` dependency bumped to v0.3.3 to address CVE-2020-14040.

Misc:
* Better error message from `test/helpers.go`'s `ReadTestCert` helper in the case where an input certificate causes a panic during parse.
* Updated TLD data (current to 2020-10-08).
ZLint v2.2.1-rc1

The ZMap team is happy to share a v2.2.1 release candidate. This minor release primarily includes a fix for a security vulnerability in a dependency. We encourage anyone using ZLint on untrusted certificates to upgrade.

Bug Fixes:
* `golang.org/x/text` dependency bumped to v0.3.3 to address CVE-2020-14040.

Misc:
* Better error message from `test/helpers.go`'s `ReadTestCert` helper in the case where an input certificate causes a panic during parse.
v2.2.0

The ZMap team is happy to share ZLint v2.2.0. This minor release primarily includes bug fixes and new lints.

New Lints:
* New RFC 5280 Lints:
  * `e_cert_sig_alg_not_match_tbs_sig_alg` to verify that the `tbsCertificate` signature algorithm matches the certificate's outer signature algorithm.
* New CA/Browser Forum Lints:
  * `e_san_dns_name_onion_invalid` to validate that `.onion` certificate subject addresses are well-formed.

Updated Lints:
* `e_ext_tor_service_descriptor_hash_invalid` updated for Ballot SC27 to only require the extension for EV certificates.

Removed Lints:
* `e_sub_ca_aia_does_not_contain_ocsp_url`; as of Ballot SC31 this lint is no longer required.

Command Line Utility Updates:
* `-summary` and `-longSummary` command line flags added to the `zlint` utility for presenting lint results in a human-readable tabular form.

Bug Fixes:
* `lint_ev_valid_time_too_long` maximum validity calculation fixed and source/citation/package corrected to CABF EV Guidelines.
* `e_ev_business_category_missing`, `e_ev_country_name_missing`, `e_ev_organization_name_missing`, and `e_ev_serial_number_missing` source/citation/package corrected to CABF EV Guidelines.
* `e_tls_server_cert_valid_time_longer_than_398_days` fixed to not apply to CA certificates.
* `e_tls_server_cert_valid_time_longer_than_398_days` fixed off-by-one calculation of the validity period.

Misc:
* README updates.
* Updated ZCrypto dependency (added QCStatement support).
* Updated TLD data (current to 2020-09-08).
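The v2.2.0 and v3.0.0 notes above describe three behaviours of the server certificate lifetime lints: CA certificates are exempt, the validity period is computed without an off-by-one, and the 398 day error is now separate from the 397 day warning. The following is an added illustration of that logic, not ZLint's own code; it assumes the inclusive notBefore-through-notAfter validity period of RFC 5280 section 4.1.2.5, and the `Status` type and function names are hypothetical stand-ins for the lint framework.

```go
package main

import (
	"fmt"
	"time"
)

// Status is a hypothetical stand-in for the lint result levels ZLint reports.
type Status int

const (
	Pass Status = iota
	Warn
	Error
	NA
)

func (s Status) String() string {
	return [...]string{"pass", "warn", "error", "NA"}[s]
}

const day = 24 * time.Hour

// validityPeriod counts notAfter inclusively (RFC 5280 4.1.2.5: "from notBefore
// through notAfter, inclusive"). Dropping the extra second is the off-by-one that
// lets a certificate one second over the limit slip past a naive comparison.
func validityPeriod(notBefore, notAfter time.Time) time.Duration {
	return notAfter.Add(time.Second).Sub(notBefore)
}

// lintLongerThan398Days mirrors e_tls_server_cert_valid_time_longer_than_398_days:
// NA for CA certificates, Error only when the lifetime exceeds 398 days.
func lintLongerThan398Days(isCA bool, notBefore, notAfter time.Time) Status {
	if isCA {
		return NA
	}
	if validityPeriod(notBefore, notAfter) > 398*day {
		return Error
	}
	return Pass
}

// lintLongerThan397Days mirrors w_tls_server_cert_valid_time_longer_than_397_days:
// the advisory 397 day threshold now lives in its own warning-level lint.
func lintLongerThan397Days(isCA bool, notBefore, notAfter time.Time) Status {
	if isCA {
		return NA
	}
	if validityPeriod(notBefore, notAfter) > 397*day {
		return Warn
	}
	return Pass
}

func main() {
	nb := time.Date(2020, 9, 1, 0, 0, 0, 0, time.UTC)  // constructed notBefore
	exact := nb.Add(398*day - time.Second)              // lifetime is exactly 398 days
	over := nb.Add(398 * day)                           // one second over 398 days
	fmt.Println(lintLongerThan398Days(false, nb, exact), lintLongerThan397Days(false, nb, exact))
	fmt.Println(lintLongerThan398Days(false, nb, over), lintLongerThan398Days(true, nb, over))
}
```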
ZLint v2.2.0-rc2

The ZMap team is happy to share a second v2.2.0 release candidate. This minor release primarily includes bug fixes and new lints.

New Lints:
* New RFC 5280 Lints:
  * `e_cert_sig_alg_not_match_tbs_sig_alg` to verify that the `tbsCertificate` signature algorithm matches the certificate's outer signature algorithm.
* New CA/Browser Forum Lints:
  * `e_san_dns_name_onion_invalid` to validate that `.onion` certificate subject addresses are well-formed.

Updated Lints:
* `e_ext_tor_service_descriptor_hash_invalid` updated for Ballot SC27 to only require the extension for EV certificates.

Removed Lints:
* `e_sub_ca_aia_does_not_contain_ocsp_url`; as of Ballot SC31 this lint is no longer required.

Command Line Utility Updates:
* `-summary` and `-longSummary` command line flags added to the `zlint` utility for presenting lint results in a human-readable tabular form.

Bug Fixes:
* `lint_ev_valid_time_too_long` maximum validity calculation fixed and source/citation/package corrected to CABF EV Guidelines.
* `e_ev_business_category_missing`, `e_ev_country_name_missing`, `e_ev_organization_name_missing`, and `e_ev_serial_number_missing` source/citation/package corrected to CABF EV Guidelines.
* `e_tls_server_cert_valid_time_longer_than_398_days` fixed to not apply to CA certificates.
* `e_tls_server_cert_valid_time_longer_than_398_days` off-by-one-second fix in the validity period calculation.

Misc:
* README updates.
* Updated ZCrypto dependency (added QCStatement support).
* Updated TLD data (current to 2020-07-29).
ZLint v2.2.0-rc1

The ZMap team is happy to share a v2.2.0 release candidate. This minor release primarily includes bug fixes and new lints.

New Lints:
* New RFC 5280 Lints:
  * `e_cert_sig_alg_not_match_tbs_sig_alg` to verify that the `tbsCertificate` signature algorithm matches the certificate's outer signature algorithm.
* New CA/Browser Forum Lints:
  * `e_san_dns_name_onion_invalid` to validate that `.onion` certificate subject addresses are well-formed.

Updated Lints:
* `e_ext_tor_service_descriptor_hash_invalid` updated for Ballot SC27 to only require the extension for EV certificates.

Removed Lints:
* `e_sub_ca_aia_does_not_contain_ocsp_url`; as of Ballot SC31 this lint is no longer required.

Command Line Utility Updates:
* `-summary` and `-longSummary` command line flags added to the `zlint` utility for presenting lint results in a human-readable tabular form.

Bug Fixes:
* `lint_ev_valid_time_too_long` maximum validity calculation fixed and source/citation/package corrected to CABF EV Guidelines.
* `e_ev_business_category_missing`, `e_ev_country_name_missing`, `e_ev_organization_name_missing`, and `e_ev_serial_number_missing` source/citation/package corrected to CABF EV Guidelines.
* `e_tls_server_cert_valid_time_longer_than_398_days` fixed to not apply to CA certificates.

Misc:
* README updates.
* Updated ZCrypto dependency (added QCStatement support).
* Updated TLD data (current to 2020-07-29).
v2.1.0

The ZMap team is happy to announce the v2.1.0 release. This minor release primarily includes bug fixes and new lints.

New Lints:
* New CABF Baseline Requirements Lint:
  * `e_ext_nc_intersects_reserved_ip`
* New Mozilla PKI Policy Lints:
  * `e_mp_rsassa-pss_in_spki`
  * `e_mp_rsassa-pss_parameters_encoding_in_signature_algorithm_correct`
  * `e_mp_ecdsa_pub_key_encoding_correct`
  * `e_mp_ecdsa_signature_encoding_correct`
* New Apple PKI Policy Lints:
  * `e_tls_server_cert_valid_time_longer_than_398_days`

Bug Fixes:
* The `2001:5::/32` network was removed from the reserved networks list since it is no longer IANA reserved.

Misc:
* Updated TLD data (current to 2020-04-02).
* README updates.
* CI test for ensuring OpenSSL text is prepended to test cert data.
ZLint v2.1.0 RC-1

The ZMap team is proud to share a v2.1.0 release candidate. This minor release primarily includes bug fixes and new lints.

New Lints:
* New CABF Baseline Requirements Lint:
  * `e_ext_nc_intersects_reserved_ip`
* New Mozilla PKI Policy Lints:
  * `e_mp_rsassa-pss_in_spki`
  * `e_mp_rsassa-pss_parameters_encoding_in_signature_algorithm_correct`
  * `e_mp_ecdsa_pub_key_encoding_correct`
  * `e_mp_ecdsa_signature_encoding_correct`
* New Apple PKI Policy Lints:
  * `e_tls_server_cert_valid_time_longer_than_398_days`

Bug Fixes:
* The `2001:5::/32` network was removed from the reserved networks list since it is no longer IANA reserved.

Misc:
* Updated TLD data (current to 2020-04-02).
* README updates.
* CI test for ensuring OpenSSL text is prepended to test cert data.