ZLint v3.6.8
4 views
Skip to first unread message
chris
Nov 2, 2025, 12:44:22 PM (7 days ago) Nov 2
to ZLint Announcements
# ZLint v3.6.8
The ZMap team is happy to share ZLint v3.6.8 (https://github.com/zmap/zlint/releases/tag/v3.6.8).
Thank you to everyone who contributes to ZLint!
## New Lints
* `e_cab_iv_requires_personal_name_strict` If certificate policy 2.23.140.1.2.3 is included givenName and surname MUST be included in subject
* `e_invalid_legacy_spki_algoid` Checks that SubjectPublicKeyInfo.AlgorithmIdentifier is allowed
* `e_mailbox_validated_allowed_subjectdn_attributes` Only certain Subject DN attributes are permitted to be present in mailbox-validated certificates.
* `e_crl_revoked_certificate_crl_entry_has_no_duplicate_extensions` The revoked certificate in the CRL must not have duplicate extensions.
* `e_crl_auth_key_id_only_contains_keyid` The AuthKey extension must only contain the KeyIdentifier field.
## Bug Fixes
* `e_crl_extensions_validity` corrected to check for Issuing Distribution Point rather than CRL Distribution Points.
* `e_crl_extensions_validity` corrected the lint to return warnings, rather than errors, on CRL extensions that are not recommended.
## Misc
* `e_ca_common_name_missing` an update to citations
* `e_ca_organization_name_missing` an update to citations
* `e_ca_country_name_invalid` an update to citations
* `e_ca_aia_non_http_url` an update to citations
* `e_ca_crl_sign_not_set` an update to citations
* `n_ca_digital_signature_not_set` an update to citations
* Removed a duplicate entry in the integrations test suite
* Added new logic to Added new logic to `e_ca_common_name_missing`, `e_ca_country_name_invalid`, `e_ca_country_name_missing`, and `e_ca_organization_name_missing` lints that allows for the global boolean configuration `CrossSignedCa`. Doing so enables these lints to intelligently switch its logic to be accurate for cross signed CA certificates.
* A new facility has been added wherein an individual lint is given the opportunity to override the framework's applicability rules. This is especially useful for a handful of cases whereing OCSP signing certificates were subject to requirementes defined in CABF/BRs, however the framework filters out OSCP certificates for CABF/BRs.
* Added the ability to lint OCSP responses via the CLI interface. This functionality was previously only available via the usage of ZLint as a library.
## Changelog
* f201c98 remove duplicate integration test data entry (#999)
* 85b3ef4 util: gtld_map autopull updates for 2025-10-22T07:20:44 UTC (#1001)
* 7dfef30 update n_ca_digital_signature_not_set citation, notice, and doc comment (#998)
* e8db7b4 update ca ku error lint citations (#997)
* a1126c8 add requirements comment to e_ca_aia_non_http_url (#996)
* 1a79b47 Add lint to check Authkey extension contain KID only (#995)
* 597a098 Zlint CLI supports linting ocsp responses (#993)
* 30a1e16 Add lint to check that revoked certificates in a CRL doesn't have duplicate extensions (#994)
* a03ec2d Allowed subjectdn attributes (#992)
* 2e19b4c Allow for individual lints to opt-out of the ZLint framework executing pre-flight applicability rules (#842)
* 341cb05 util: gtld_map autopull updates for 2025-09-14T15:20:04 UTC (#991)
* c63416f (Chris) Add lint to check encoding of SubjectPublicKeyInfo.AlgorithmIdentifier in S/MIME certificates (#989)
* 81bb184 Add cross-sign configuration for CA name tests (#987)
* 77960bf util: gtld_map autopull updates for 2025-08-27T05:20:31 UTC (#988)
* bb63cf4 Update README.md with 2025 reference to coverage spreadsheet (#985)
* 34901b1 Fix CRL extensions lint (#984)
* 8c38228 Update cab_iv_requires_personal_name lint to only require Personal Name (#980)
* 79c3465 update CA countryName lints' citations (#979)
* 130542a update language and citations for e_ca_organization_name_missing (#981)
* bdb982d Formatting for a contributor (#977)
* 5b6b916 Replace CRL Distribution Points oid(2.5.29.31) with Issuing Distribution Point oid(2.5.29.28) when checking crl extension validity (#974)
* 5891820 update citation for e_ca_common_name_missing (#976)
**Full Changelog**:https://github.com/zmap/zlint/compare/v3.6.7...v3.6.8
The ZMap team is happy to share ZLint v3.6.8 (https://github.com/zmap/zlint/releases/tag/v3.6.8).
Thank you to everyone who contributes to ZLint!
## New Lints
* `e_cab_iv_requires_personal_name_strict` If certificate policy 2.23.140.1.2.3 is included givenName and surname MUST be included in subject
* `e_invalid_legacy_spki_algoid` Checks that SubjectPublicKeyInfo.AlgorithmIdentifier is allowed
* `e_mailbox_validated_allowed_subjectdn_attributes` Only certain Subject DN attributes are permitted to be present in mailbox-validated certificates.
* `e_crl_revoked_certificate_crl_entry_has_no_duplicate_extensions` The revoked certificate in the CRL must not have duplicate extensions.
* `e_crl_auth_key_id_only_contains_keyid` The AuthKey extension must only contain the KeyIdentifier field.
## Bug Fixes
* `e_crl_extensions_validity` corrected to check for Issuing Distribution Point rather than CRL Distribution Points.
* `e_crl_extensions_validity` corrected the lint to return warnings, rather than errors, on CRL extensions that are not recommended.
## Misc
* `e_ca_common_name_missing` an update to citations
* `e_ca_organization_name_missing` an update to citations
* `e_ca_country_name_invalid` an update to citations
* `e_ca_aia_non_http_url` an update to citations
* `e_ca_crl_sign_not_set` an update to citations
* `n_ca_digital_signature_not_set` an update to citations
* Removed a duplicate entry in the integrations test suite
* Added new logic to Added new logic to `e_ca_common_name_missing`, `e_ca_country_name_invalid`, `e_ca_country_name_missing`, and `e_ca_organization_name_missing` lints that allows for the global boolean configuration `CrossSignedCa`. Doing so enables these lints to intelligently switch its logic to be accurate for cross signed CA certificates.
* A new facility has been added wherein an individual lint is given the opportunity to override the framework's applicability rules. This is especially useful for a handful of cases whereing OCSP signing certificates were subject to requirementes defined in CABF/BRs, however the framework filters out OSCP certificates for CABF/BRs.
* Added the ability to lint OCSP responses via the CLI interface. This functionality was previously only available via the usage of ZLint as a library.
## Changelog
* f201c98 remove duplicate integration test data entry (#999)
* 85b3ef4 util: gtld_map autopull updates for 2025-10-22T07:20:44 UTC (#1001)
* 7dfef30 update n_ca_digital_signature_not_set citation, notice, and doc comment (#998)
* e8db7b4 update ca ku error lint citations (#997)
* a1126c8 add requirements comment to e_ca_aia_non_http_url (#996)
* 1a79b47 Add lint to check Authkey extension contain KID only (#995)
* 597a098 Zlint CLI supports linting ocsp responses (#993)
* 30a1e16 Add lint to check that revoked certificates in a CRL doesn't have duplicate extensions (#994)
* a03ec2d Allowed subjectdn attributes (#992)
* 2e19b4c Allow for individual lints to opt-out of the ZLint framework executing pre-flight applicability rules (#842)
* 341cb05 util: gtld_map autopull updates for 2025-09-14T15:20:04 UTC (#991)
* c63416f (Chris) Add lint to check encoding of SubjectPublicKeyInfo.AlgorithmIdentifier in S/MIME certificates (#989)
* 81bb184 Add cross-sign configuration for CA name tests (#987)
* 77960bf util: gtld_map autopull updates for 2025-08-27T05:20:31 UTC (#988)
* bb63cf4 Update README.md with 2025 reference to coverage spreadsheet (#985)
* 34901b1 Fix CRL extensions lint (#984)
* 8c38228 Update cab_iv_requires_personal_name lint to only require Personal Name (#980)
* 79c3465 update CA countryName lints' citations (#979)
* 130542a update language and citations for e_ca_organization_name_missing (#981)
* bdb982d Formatting for a contributor (#977)
* 5b6b916 Replace CRL Distribution Points oid(2.5.29.31) with Issuing Distribution Point oid(2.5.29.28) when checking crl extension validity (#974)
* 5891820 update citation for e_ca_common_name_missing (#976)
**Full Changelog**:https://github.com/zmap/zlint/compare/v3.6.7...v3.6.8
Reply all
Reply to author
Forward
0 new messages