ZLint v3.1.0 Release Candidate 1

chris

Jan 31, 2021, 9:28:46 PM
to ZLint Announcements

The ZMap team is happy to share ZLint v3.1.0-rc1 (https://github.com/zmap/zlint/releases/tag/v3.1.0-rc1).

Breaking Changes:
No breaking changes were made in this release.

New Lints:
  • e_ocsp_id_pkix_ocsp_nocheck_ext_not_included_server_auth, CABF Baseline Requirements - §4.9.9

    - OCSP signing Certificate MUST contain an extension of type id-pkix-ocsp-nocheck, as defined by RFC6960.

  • e_ev_organization_id_missing lint, CABF EV Guidelines v1.7.0 - §9.8.2

    - Effective January 31, 2020, if the subject:organizationIdentifier field is present, this [cabfOrganizationIdentifier] field MUST be present.

  • e_name_constraint_not_fqdn, RFC 5280 - §4.2.1.10

    - For URIs, the constraint MUST be specified as a fully qualified domain name [...] When the constraint begins with a period, it MAY be expanded with one or more labels.


Bug Fixes:
  • e_serial_number_longer_than_20_octets has been corrected to count the number of octets taken to represent a serial number after it has been serialized to ASN.1. Since ASN.1 numbers are signed values, serial numbers that are greater-than-or-equal-to 2^160 will begin to fail this lint as they are prefixed with a 0x00 to maintain their positive sign.
  • Previously the e_ext_duplicate_extension lint from the lint.RFC5280 source only returned a lint.Error result as soon as one duplicate extension was found in a certificate. It did not indicate which extension OID was duplicated, or if there was more than one duplicated extension. In this release, the lint now does both of these things. The detail string now indicates all of the extension OIDs that were present more than once.
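The serial number fix above turns on the difference between the size of a serial's unsigned magnitude and the size of its DER INTEGER content. The following is an added example, not part of the original announcement and not ZLint's own code: it uses Go's encoding/asn1 to count the encoded octets for constructed serials around the 20-octet boundary. The names derSerialOctets, sample and sampleSerials are hypothetical.

```go
package main

import (
	"encoding/asn1"
	"fmt"
	"math/big"
)

// derSerialOctets returns the number of content octets in the DER INTEGER
// encoding of serial. Hypothetical helper name, not ZLint's own function.
func derSerialOctets(serial *big.Int) (int, error) {
	der, err := asn1.Marshal(serial)
	if err != nil {
		return 0, err
	}
	var raw asn1.RawValue // raw.Bytes holds the content octets, without tag and length
	if _, err := asn1.Unmarshal(der, &raw); err != nil {
		return 0, err
	}
	return len(raw.Bytes), nil
}

type sample struct {
	name   string
	serial *big.Int
}

// sampleSerials returns constructed serial numbers around the 20-octet boundary.
func sampleSerials() []sample {
	p159 := new(big.Int).Lsh(big.NewInt(1), 159)
	return []sample{
		{"2^159 - 1", new(big.Int).Sub(p159, big.NewInt(1))},
		{"2^159", p159},
		{"2^160", new(big.Int).Lsh(big.NewInt(1), 160)},
	}
}

func main() {
	for _, s := range sampleSerials() {
		n, err := derSerialOctets(s.serial)
		if err != nil {
			fmt.Println(s.name, "encode error:", err)
			continue
		}
		// len(serial.Bytes()) is the unsigned magnitude; n is what the certificate carries.
		fmt.Printf("%-10s magnitude=%d encoded=%d over20=%v\n",
			s.name, len(s.serial.Bytes()), n, n > 20)
	}
}
```

A check that measures only the magnitude reports a different count from the encoded form whenever the leading bit of the magnitude is set, because DER adds a 0x00 octet to keep the value positive.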