ZLint v3.6.3-rc1

chris

Jul 20, 2024, 2:39:49 PM
to ZLint Announcements
# ZLint v3.6.3-rc1

The ZMap team is happy to share ZLint v3.6.3-rc1.

Thank you to everyone who contributes to ZLint!

## New Lints
* `e_ev_invalid_business_category` Checks that businessCategory contains a valid value as per EV Guidelines 7.1.4.2.3
* `e_subj_orgunit_in_ca_cert` The organizationalUnitName MUST NOT be included in Root CA certs or TLS Subordinate CA certs. organizationalUnitName is allowed for cross signed certificates, although not recommended. This lint may be configured to signify that the target is a cross signed certificate.
* `e_subj_country_not_uppercase` Alpha-2 country codes shall consist of LATIN CAPITAL LETTER A through LATIN CAPITAL LETTER Z
* `e_aia_must_contain_permitted_access_method` The AIA must contain only the id-ad-ocsp or id-ad-caIssuers accessMethod. Others are not allowed. Also, each accessLocation MUST be encoded as uniformResourceIdentifier GeneralName.
* `e_aia_ocsp_must_have_http_only` The id-ad-ocsp accessMethod must contain an HTTP URL of the Issuing CA’s OCSP responder. Other schemes are not allowed.
* `e_aia_unique_access_locations` When multiple AccessDescriptions are present with the same accessMethod in the AIA extension, then each accessLocation MUST be unique.
* `e_cabf_org_identifier_psd_vat_has_state` The cabfOrganizationIdentifier field for PSD org VAT Registration Schemes cannot include the referenceStateOrProvince field.
* `e_aia_ca_issuers_must_have_http_only` The id-ad-caIssuers accessMethod must contain an HTTP URL of the Issuing CA’s certificate. Other schemes are not allowed.
* `e_duplicate_subject_attribs` Each Name MUST NOT contain more than one instance of a given AttributeTypeAndValue across all RDNs
* `e_ca_invalid_eku` Checks that SubCA certificates do not contain forbidden values in their EKU extension
* `e_empty_sct_list` At least one SCT MUST be included in the SignedCertificateTimestampList extension
* `e_precert_with_sct_list` SCTs must be embedded in the final certificate, not in a precertificate
* `e_cert_ext_invalid_der` Checks that the 'critical' flag of extensions is not FALSE when present (as per DER encoding)
* `e_crl_missing_crl_number` CRL issuers conforming to this profile MUST include this extension in all CRLs
* `e_sub_cert_eku_check` Subscriber certificates MUST have id-kp-serverAuth and MAY have id-kp-clientAuth present in extKeyUsage
* `e_invalid_cps_uri` If the CPS URI policyQualifier is present in a certificate, it MUST contain an HTTP or HTTPS URL
* `e_crl_empty_revoked_certificates` When there are no revoked certificates, the revoked certificates list MUST be absent
* `e_crl_revoked_certificates_field_must_be_empty` When the revokedCertificates field is empty, it MUST be absent from the DER-encoded ASN.1 data structure
* `e_ev_orgid_inconsistent_subj_and_ext` Checks that the organizationIdentifier Subject attribute and the CABFOrganizationIdentifier extension are consistent
* `e_subject_rdns_correct_encoding` CAs that include attributes in the Certificate subject field that are listed in the Tables 77 and 78 of BR 2.0.0 SHALL follow the specified encoding requirements for the attribute

## Miscellaneous
* Modified `util.IsEmailProtectionCert` to consider whether the certificate in question has an email SAN and whether it is an S/MIME BR certificate.
* Modified `util.IsServerAuthCert` to presume that certificates with unknown key usages are server certificates.
* `w_sub_cert_eku_extra_values` is now ineffective as of CABF/BRs 2.0.0
* `e_sub_cert_eku_server_auth_client_auth_missing` is now ineffective as of CABF/BRs 2.0.0

## Changelog
015d220 Add lint to check for a valid business category in EV certificates (#830)
2440571 Add lint to check that Root CA and TLS SubCA certificates do not contain the OU subject attribute (#864)
672100d util: gtld_map autopull updates for 2024-07-13T13:20:09 UTC (#866)
f6d07ed Improve util.IsEmailProtectionCert function (#858)
f7f6b51 Add lint to check that the countryName attribute (C) is in uppercase (#859)
24d58f9 Subscriber aia lints (#860)
04d863f cabfOrganizationIdentifier extension for VAT and PSD based organizationIdentifiers cannot have referenceStateOrProvince (#848)
e5da476 Improve the util.IsServerAuthCert() function (#856)
5b73e7b Fix ExpectedDetails of passing invalid subject test (#846)
899709e Aia ca issuers must have http only (#852)
ae8d594 util: gtld_map autopull updates for 2024-06-12T22:19:30 UTC (#854)
b14a83b fix: Only apply CN check for Subscriber certificates (#851)
bf3764c Cleanup some unnecessary allocations (#849)
26ca0f3 Add lint to check for duplicate subject attributes (ATVs) (#850)
c8164d8 Add lint to check that SubCA certificates do not have illegal values in their EKU extension (#840)
068ae82 Avoid warning dv cn (#843)
8523152 Fix handling of Subject:commonName not present in lint for BR 7.1.4.2.2a mailbox-validated (#845)
456dc01 Add lint to check that an SCT list is not empty (#837)
c73f78b Add lint to check that precertificates do not contain an SCT list (#841)
26ab5b0 Add lint for checking that the 'critical' field is properly DER-encoded in extensions (#839)
208af03 Add lint for checking that a CRL contains the CRL Number extension (#834)
d5a09f8 Add lint to cover TLS BR v2 EKU checks (#833)
63e3f86 Add lint to detect invalid cps uri (#828)
2988620 Add lint to check that a CRL does not contain an empty revokedCertificates element (#831)
61c73ed build(deps): bump golang.org/x/net from 0.17.0 to 0.23.0 in /v3 (#835)
a011234 build(deps): bump golang.org/x/net in /v3/cmd/genTestCerts (#836)
6c7d024 Add lint to verify CRL TBSCertList.revokedCertificates field is absent when there are no revoked certificates (#832)
4b2f38b Lint for checking that organizationIdentifier Subject attribute and CABFOrganizationIdentifier extension are consistent as per EVG 9.2.8 (#820)
5de620c Subject rdns correct encoding (#824)


**Full Changelog**: https://github.com/zmap/zlint/compare/v3.6.2...v3.6.3-rc1
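The four AIA lints listed above (permitted accessMethods only, URI-only accessLocations, HTTP-only OCSP and caIssuers URLs, unique locations per method), as an added worked example that is not part of this announcement or of ZLint's own code: a Go program using only the standard library that re-implements those rules over the raw extension and runs them against a constructed, deliberately non-compliant self-signed certificate. `LintAIA`, `BadCert`, `gn` and `must` are names chosen here, not ZLint APIs, and the example.test hostnames are placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Real OID assignments: RFC 5280 id-pe-authorityInfoAccess, id-ad-ocsp, id-ad-caIssuers.
var (
	oidAIA       = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 1}
	oidOCSP      = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 48, 1}
	oidCAIssuers = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 48, 2}
)

// accessDescription mirrors RFC 5280 AccessDescription. Location is kept as a RawValue
// so the GeneralName CHOICE tag can be checked ([6] IA5String = uniformResourceIdentifier).
type accessDescription struct {
	Method   asn1.ObjectIdentifier
	Location asn1.RawValue
}

// gn wraps an IA5String body in a context-specific GeneralName tag (6 = URI, 2 = dNSName).
func gn(tag int, s string) asn1.RawValue {
	return asn1.RawValue{Class: asn1.ClassContextSpecific, Tag: tag, Bytes: []byte(s)}
}

// must panics on error; used only while building the constructed test certificate.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// LintAIA re-decodes the raw extension instead of trusting cert.OCSPServer and
// cert.IssuingCertificateURL, because crypto/x509 silently skips non-URI locations and
// unknown accessMethods when it fills those fields. One finding per AccessDescription.
func LintAIA(cert *x509.Certificate) (findings []string) {
	for _, ext := range cert.Extensions {
		if !ext.Id.Equal(oidAIA) {
			continue
		}
		var ads []accessDescription
		if rest, err := asn1.Unmarshal(ext.Value, &ads); err != nil || len(rest) != 0 {
			return append(findings, "AIA extension is not well-formed DER")
		}
		seen := map[string]bool{}
		for _, ad := range ads {
			m, loc := ad.Method.String(), string(ad.Location.Bytes)
			switch {
			case !ad.Method.Equal(oidOCSP) && !ad.Method.Equal(oidCAIssuers):
				findings = append(findings, "accessMethod "+m+" is neither id-ad-ocsp nor id-ad-caIssuers")
			case ad.Location.Class != asn1.ClassContextSpecific || ad.Location.Tag != 6:
				findings = append(findings, m+": accessLocation is not a uniformResourceIdentifier GeneralName")
			case seen[m+" "+loc]:
				findings = append(findings, m+": duplicate accessLocation "+loc)
			case !strings.HasPrefix(strings.ToLower(loc), "http://"):
				findings = append(findings, m+": accessLocation "+loc+" is not an HTTP URL")
			}
			seen[m+" "+loc] = true
		}
	}
	return findings
}

// BadCert builds a constructed, self-signed certificate whose AIA breaks each rule on purpose:
// an LDAP OCSP URL, a dNSName location, a repeated caIssuers URL and an id-ad-timeStamping method.
func BadCert() *x509.Certificate {
	aia := must(asn1.Marshal([]accessDescription{
		{Method: oidOCSP, Location: gn(6, "ldap://ocsp.example.test/")},
		{Method: oidOCSP, Location: gn(2, "ocsp.example.test")},
		{Method: oidCAIssuers, Location: gn(6, "http://ca.example.test/issuer.crt")},
		{Method: oidCAIssuers, Location: gn(6, "http://ca.example.test/issuer.crt")},
		{Method: asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 48, 3}, Location: gn(6, "http://tsa.example.test/")},
	}))
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "aia-lint-demo.example.test"},
		NotBefore:    time.Now(), NotAfter: time.Now().Add(24 * time.Hour),
		// A hand-built AIA in ExtraExtensions replaces the one Go would derive from OCSPServer.
		ExtraExtensions: []pkix.Extension{{Id: oidAIA, Value: aia}},
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return must(x509.ParseCertificate(der))
}

func main() {
	for _, f := range LintAIA(BadCert()) {
		fmt.Println("error:", f)
	}
}
```

Run it with `go run` and it prints one finding per offending AccessDescription. The point worth taking from it is why the lint re-decodes the extension: crypto/x509 only surfaces URI locations of the two known methods in `OCSPServer` and `IssuingCertificateURL`, so a check built on those fields would never see the dNSName location or the id-ad-timeStamping entry. To run the lints themselves against real certificates, use ZLint rather than this sketch.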