ZLint v3.6.4-rc1

chris

Sep 29, 2024, 11:28:22 AM
to ZLint Announcements
# ZLint v3.6.4-rc1

The ZMap team is happy to share ZLint v3.6.4-rc1 (https://github.com/zmap/zlint/releases/tag/v3.6.4-rc1).

Thank you to everyone who contributes to ZLint!

## New Lints
* `e_crl_distrib_points_not_http` The scheme of each CRL Distribution Point MUST be 'http'
* `e_cs_crl_distribution_points` This extension MUST be present. It MUST NOT be marked critical. It MUST contain the HTTP URL of the CA's CRL service
* `e_cs_eku_required` If the Certificate is a Code Signing Certificate, then id-kp-codeSigning MUST be present. anyExtendedKeyUsage and id-kp-serverAuth MUST NOT be present
* `e_cs_key_usage_required` This extension MUST be present and MUST be marked critical. The bit position for digitalSignature MUST be set. The bit positions for keyCertSign and cRLSign MUST NOT be set. All other bit positions SHOULD NOT be set.
* `e_cs_rsa_key_size` e_cs_rsa_key_size

## Bug Fixes
* Corrected the semantics of `e_ev_orgid_inconsistent_subj_and_ext` to address Mozilla #1897538 (https://bugzilla.mozilla.org/show_bug.cgi?id=1897538)
* Corrected `e_sub_cert_aia_does_not_contain_ocsp_url` to have an ineffective date.
* Corrected an issue in the CLI parser wherein filtering on RFC8813 would result in an error.
* Corrected an issue in the CLI parser wherein filtering rules would not be applied when running lints against a CRL.

## Changelog
* ddaf5ccd564ba8e5f1115f2885ac9cc9d6451248 util: gtld_map autopull updates for 2024-09-28T16:21:05 UTC (#882)
* 77a646819101c358541ee3dbdc072169fd18ff1b fix: Fix PSD2 based cabfOrganizationIdentifier check (#880)
* 372cdc66ed0f303a0799715f30692e1c95f378a8 RFC8813 is not referrable from the CLI as a valid lint source (#879)
* caa62acd5a7d57f67ef2c5b760f0a54880648d43 Add lint to check that all CRL Distribution Points only contain "http" URLs (per CABF BRs 7.1.2.11.2) (#867)
* 8eb670f6ab021ea56d1f3daefa160b2b18cb0d8d Fix old lint checking that an OCSP URL is present in TLS Server certificates: add ineffective date (#871)
* 2e67fb9993c52daf50ca7f12aaf1ddba877d71e9 Update main.go to have CRL linting lint on provided registry (#874)
* f83e4e2d27c56082d4ecdb4679d8b58ae6996c18 README: Add pkimetal to users list (#873)
* 33ee62a138fc62f3c2102cfc575c4738b0c1030a Add Code Signing lints for EKU, Key Usage, RSA Key Size and CRLDistributionPoints (#865)

**Full Changelog**: https://github.com/zmap/zlint/compare/v3.6.3...v3.6.4-rc1