ZLint v3.3.1
14 views
Skip to first unread message
chris
Apr 24, 2022, 2:54:06 PM4/24/22
to ZLint Announcements
The ZMap team is happy to share ZLint v3.3.1 (https://github.com/zmap/zlint/releases/tag/v3.3.1).
Thank you to everyone who contributes to ZLint!
* `e_ev_not_wildcard` asserts that wildcard domains are not allowable for EV certificates (except .onion addresses).
* `e_dnsname_contains_prohibited_reserved_label` asserts that every label within a FQDN must be either a P-Label or a Non-Reserved LDH Label.
* `e_ev_san_ip_address_present` asserts that Subject Alternative Name MUST contain only `dnsName` types.
* `e_algorithm_identifier_improper_encoding` asserts CABF BR 7.1.3.1 regarding requiring a specific byte sequence within a Subject Public Key Info field.
* `e_underscore_not_permissible_in_dnsname` asserts that underscore are not permissible after the brief permissibility period described in CABF BR 1.6.2.
* `e_no_underscores_before_1_6_2` asserts that underscore are not permissible before the brief permissibility period described in CABF BR 1.6.2.
*
Corrected an issue in `lint_idn_dnsname_malformed_unicode` and
`lint_idn_dnsname_must_be_nfc` wherein the IDNA ACE prefixes were
incorrectly considered to be case-sensitive.
* A Tor Hash Descriptor is no longer required on certificates that encode Onion V3 addresses.
* The CABF OID for EV (`2.23.140.1.1`) was added as a known EV OID.
* Some clearer datetime logic for more natural daterange checking.
Thank you to everyone who contributes to ZLint!
## New Lints:
* `e_dnsname_contains_prohibited_reserved_label` asserts that every label within a FQDN must be either a P-Label or a Non-Reserved LDH Label.
* `e_ev_san_ip_address_present` asserts that Subject Alternative Name MUST contain only `dnsName` types.
* `e_algorithm_identifier_improper_encoding` asserts CABF BR 7.1.3.1 regarding requiring a specific byte sequence within a Subject Public Key Info field.
* `e_underscore_not_permissible_in_dnsname` asserts that underscore are not permissible after the brief permissibility period described in CABF BR 1.6.2.
* `e_no_underscores_before_1_6_2` asserts that underscore are not permissible before the brief permissibility period described in CABF BR 1.6.2.
## Bug Fixes:
* A Tor Hash Descriptor is no longer required on certificates that encode Onion V3 addresses.
## Misc:
* The ZLint project has been updated to use the Go 1.18 toolchain.
* zcrypto was updated to point towards commit @599ec18ecbac.
* Various quality of life changes to the ZLint developer experience.
* Numerous TLD updates.* zcrypto was updated to point towards commit @599ec18ecbac.
* Various quality of life changes to the ZLint developer experience.
* The CABF OID for EV (`2.23.140.1.1`) was added as a known EV OID.
* Some clearer datetime logic for more natural daterange checking.
Reply all
Reply to author
Forward
0 new messages