ZLint v3.7.0


chris

May 10, 2026, 2:35:08 PM
to ZLint Announcements
# ZLint v3.7.0

The ZMap team is happy to share ZLint v3.7.0.

Thank you to everyone who contributes to ZLint!

## New Lints
* `e_arpa_domain_not_allowed` CAs SHALL NOT issue Certificates containing Domain Names that end in an IP Reverse Zone Suffix
* `e_basic_constr_invalid_der` Checks the correct DER encoding of the cA field in the BasicConstraints ext
* `e_client_auth_not_allowed` Checks that Server certs do not contain clientAuth in the EKU extension
* `e_cs_aia_missing_ca_issuers_http_url` The authorityInformationAccess extension MUST contain the HTTP URL of the Issuing CA's certificate (id-ad-caIssuers)
* `e_cs_aia_ocsp_not_http` If the CA provides OCSP responses, the authorityInformationAccess extension MUST contain the HTTP URL of the Issuing CA's OCSP responder (id-ad-ocsp)
* `e_cs_authority_information_access` The authorityInformationAccess extension MUST be present and MUST NOT be marked critical
* `e_cs_ecdsa_prohibited_curve` If the Key is ECDSA, then the curve MUST be one of NIST P-256, P-384, or P-521
* `e_cs_max_validity_period_39_months` Code Signing certificate validity must not exceed 39 months for certificates issued before March 1st, 2026
* `e_cs_max_validity_period_460_days` Code Signing certificate validity must not exceed 460 days for certificates issued on or after March 1st, 2026
* `e_cs_signature_algorithm_not_supported` Certificates MUST meet the following requirements for algorithm Source: SHA-1*, SHA-256, SHA-384, SHA-512
* `e_exactly_one_smime_policy` The subscriber cert SHALL include exactly one of the reserved policy OIDs in §7.1.6.1
* `e_excessively_backdated` notBefore [must be] a value within 48 hours of the certificate signing
* `e_ext_cannot_be_empty_sequence` Extensions whose value is SEQUENCE SIZE (1..MAX) OF must have at least 1 element
* `e_ocsp_cert_cdp_forbidden` In OCSP certificates, the CDP extension MUST NOT appear
* `e_ocsp_cert_cp_forbidden` In OCSP certificates, the CP extension MUST NOT appear
* `e_ocsp_cert_invalid_ku` For OCSP certificates, only digitalSignature is allowed in the KU ext
* `e_qcstatem_qctype_oneonly` Checks that a QC Statement of the type Id-etsi-qcs-QcType features exactly one of the allowed QcType OIDs
* `e_state_or_province_name_must_not_contain_control_characters` stateOrProvinceName MUST come from an authoritative data source of plain, human readable, names
* `e_subj_email_not_in_san` Certificates with email addresses MUST include them in the SAN extension
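As an added example in Go (the project's language), not code from ZLint itself, the block below reimplements two of the checks listed above in stand-alone form: the DER rule behind `e_basic_constr_invalid_der` (cA is `BOOLEAN DEFAULT FALSE`, so DER forbids an explicit FALSE and requires TRUE to be a single 0xFF byte) and the code-signing validity limits behind `e_cs_max_validity_period_39_months` and `e_cs_max_validity_period_460_days` with the March 1st, 2026 cutoff. The function names, the raw-byte parsing, and the way the validity window is measured (notBefore plus the maximum period, short-form DER lengths only) are assumptions of this example; the extension values it feeds in are constructed, not taken from real certificates.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// csc31Cutoff is the date on which the 460-day limit replaces the 39-month limit
// (release note: "on or after March 1st, 2026").
var csc31Cutoff = time.Date(2026, time.March, 1, 0, 0, 0, 0, time.UTC)

// CheckCodeSigningValidity mirrors the two validity-period lints. Assumption (not
// ZLint's exact arithmetic): the window is notBefore plus the maximum period, and a
// notAfter later than that fails the check.
func CheckCodeSigningValidity(notBefore, notAfter time.Time) error {
	if notAfter.Before(notBefore) {
		return errors.New("notAfter precedes notBefore")
	}
	var limit time.Time
	var rule string
	if notBefore.Before(csc31Cutoff) {
		limit = notBefore.AddDate(0, 39, 0)
		rule = "39 months (issued before 2026-03-01)"
	} else {
		limit = notBefore.AddDate(0, 0, 460)
		rule = "460 days (issued on or after 2026-03-01)"
	}
	if notAfter.After(limit) {
		return fmt.Errorf("validity exceeds %s: notAfter %s is after %s",
			rule, notAfter.Format(time.RFC3339), limit.Format(time.RFC3339))
	}
	return nil
}

// CheckBasicConstraintsDER inspects the raw extnValue of a BasicConstraints
// extension: SEQUENCE { cA BOOLEAN DEFAULT FALSE, pathLenConstraint INTEGER OPTIONAL }.
// DER requires a value equal to its DEFAULT to be omitted and BOOLEAN TRUE to be
// exactly one 0xFF byte, so an explicit FALSE, a TRUE byte other than 0xFF, or a
// multi-byte boolean is rejected. Only short-form lengths are handled (assumption:
// the extension is always far shorter than 128 bytes).
func CheckBasicConstraintsDER(extnValue []byte) error {
	if len(extnValue) < 2 || extnValue[0] != 0x30 {
		return errors.New("extnValue is not a SEQUENCE")
	}
	seqLen := int(extnValue[1])
	if seqLen >= 0x80 || 2+seqLen != len(extnValue) {
		return errors.New("bad or long-form SEQUENCE length")
	}
	body := extnValue[2:]
	if len(body) == 0 || body[0] != 0x01 {
		// No cA element present: cA takes its DEFAULT (FALSE), the only DER-correct
		// way to express a non-CA certificate.
		return nil
	}
	if len(body) < 3 || body[1] != 1 {
		return errors.New("cA BOOLEAN must have length 1")
	}
	switch body[2] {
	case 0xFF:
		return nil
	case 0x00:
		return errors.New("cA FALSE must be omitted (DEFAULT value was encoded)")
	default:
		return fmt.Errorf("cA TRUE must be encoded as 0xFF in DER, got 0x%02X", body[2])
	}
}

func main() {
	// Constructed sample extension values (not taken from any real certificate).
	samples := map[string][]byte{
		"cA omitted (end-entity)":      {0x30, 0x00},
		"cA=TRUE":                      {0x30, 0x03, 0x01, 0x01, 0xFF},
		"cA=TRUE, pathLen=0":           {0x30, 0x06, 0x01, 0x01, 0xFF, 0x02, 0x01, 0x00},
		"explicit cA=FALSE (BER only)": {0x30, 0x03, 0x01, 0x01, 0x00},
		"cA TRUE as 0x01 (BER only)":   {0x30, 0x03, 0x01, 0x01, 0x01},
	}
	for name, v := range samples {
		fmt.Printf("%-30s -> %v\n", name, CheckBasicConstraintsDER(v))
	}
	before := time.Date(2026, time.February, 1, 0, 0, 0, 0, time.UTC)
	fmt.Println(CheckCodeSigningValidity(before, before.AddDate(0, 39, 0))) // nil
	fmt.Println(CheckCodeSigningValidity(before, before.AddDate(0, 40, 0))) // error
	after := csc31Cutoff
	fmt.Println(CheckCodeSigningValidity(after, after.AddDate(0, 0, 460))) // nil
	fmt.Println(CheckCodeSigningValidity(after, after.AddDate(0, 0, 461))) // error
}
```

The DER check works on the extension's raw value rather than on a parsed `x509.Certificate`, because a standard parser that tolerates BER (or rejects it outright) hides exactly the encoding detail the lint is about; feeding `pkix.Extension.Value` for the BasicConstraints OID into `CheckBasicConstraintsDER` is enough to run it against real input.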

## Bug Fixes
* `e_cert_policy_iv_requires_country` fixed a bug where IV-issuing policy constrained CAs were inadvertently linted
* `e_qcstatem_qctype_web` fixed to not return an error for legitimate e-signature and e-seal qualified certificates

## Security
* Patched CVE-2025-58181
* Bumped `golang.org/x/crypto` from 0.36.0 to 0.45.0

## Misc
* Added support for Chrome Root Program Policy-based lints as a new lint source
* `e_state_or_province_name_must_not_contain_control_characters` extended to also check localityName
* `cab_dv_conflicts_with_locality`, `cab_dv_conflicts_with_org`, `cab_dv_conflicts_with_postal`, `cab_dv_conflicts_with_province`, and `cab_dv_conflicts_with_street` lints marked as superseded
* `e_ca_country_name_invalid` CheckApplies logic refactored with additional test coverage
* `e_cert_policy_iv_requires_country` citation updated to current location
* Broad dependency updates
* Updated gtld_map

## Changelog
* e07faf0 Remove Windows as a release target due to compilation errors in zcrypto (#1043)
* 1533c39 Remove FreeBSD as a release target due to compilation errors in zcrypto (#1042)
* e17555a Upgrade zcrypto, golang, and golangci-lint to latest (#1039)
* 5dc4eaf Cs add ria lints (#1036)
* 31204be Add lint for checking curve param requirements (#1035)
* da562d2 Add support for Chrome Root Program Policy-based lints, plus a first such lint addressing clientAuth deprecation (#1031)
* fe04242 util: gtld_map autopull updates for 2026-04-18T03:19:55 UTC (#1037)
* 12ccc55 refactor ca country check applies, add tests (#1032)
* 215f568 Add cs sig alg lint (#1033)
* 90f1337 Add lint to check for certain extensions to have at least 1 element according to RFC 5280 (#1028)
* f804eca fix iv countryName lint checkApplies, add personal name lint history (#1027)
* b536041 Add lint to address Ballot SC-086v3 (Sunset the Inclusion of IP Reverse Address Domain Names) (#1030)
* 48f6dc7 Add lint to check for email addresses in Subject but not in SAN (prohibited by RFC 5280 section 4.1.2.6) (#1026)
* 7eb7ba8 Qc sttmnt only one qc type (#1025)
* 145bd26 mark cab_dv_conflicts_with* lints superseded (#1023)
* 505d5f4 Add lint to check that the notBefore timestamp is not too early compared to the SCTs (#1022)
* bc0c81e Added validity period lints for before and after CSC-31, included unit tests with test certificates (#1020)
* 67d05d8 util: gtld_map autopull updates for 2026-02-14T04:48:16 UTC (#1021)
* 1bb9b40 go mod tidy (#1017)
* 234d2d4 Adding locality to e_state_or_province_name_must_not_contain_control_characters (#1015)
* 570d5a6 Lint to ensure that stateOrProvinceName is in a plain human, readable, format (#1014)
* 4f6ffa4 Add lint to check for a reserved policy identifier in S/MIME certificates (#1011)
* 5dfb580 Broad Dependency Updates (#1013)
* 04b6958 Patch for CVE-2025-58181 (#1009)
* 46db9bf build(deps): bump golang.org/x/crypto in /v3/cmd/gen_test_crl (#1008)
* 736cd7c build(deps): bump golang.org/x/crypto from 0.36.0 to 0.45.0 in /v3 (#1007)
* 8be747f Add lint to check for correct DER encoding of the cA field in BasicConstraints (#1006)
* d96b640 Lint e_qcstatem_qctype_web throws an error for legitimate e-signature and e-seal qualified certificates (#1004)
* cfa6a89 Add some lints for OCSP Responder certificates (#1002)

**Full Changelog**: https://github.com/zmap/zlint/compare/v3.6.8...v3.7.0