ZLint v3.6.0
29 views
Skip to first unread message
chris
Jan 7, 2024, 2:57:28 PMJan 7
to ZLint Announcements
# ZLint v3.6.0
The ZMap team is happy to share ZLint v3.6.0 (https://github.com/zmap/zlint/releases/tag/v3.6.0).
Thank you to everyone who contributes to ZLint!
## Breaking Changes:
No breaking changes were made in this release.
## Deprecation Warning:
This is primarily a deprecation warning for the library usages of ZLint.
The lint.Lint has been deprecated in favor of the categorical interfaces - CertificateLint and RevocationListLint.
It is advised to refrain from implementing news lints that target the `lint.Lint` interface as this interface will be removed entirely in a future release.
When implementing a lint for a x509 certificate, library usages should favor implementing the `CertificateLint` interface. Similarly, when implementing a lint for a CRL, the `RevocationListLint` interface should be used.
## Security Patches
A patch was applied to the test certificate generation script which addresses CVE-2023-48795 (Severity Score: 5.9). This script never went online and as such never triggered the vulnerability.
## Bug Fixes
* Corrected an issue in `e_registration_scheme_id_matches_subject_country` wherein `LEI` and `INT` certificates were being incorrectly checked.
## New Lints:
Work has begun on the implementation of CABF/BR SMIME lints. For a complete list of lints being tracked please see https://github.com/zmap/zlint/issues/712
* SMIME certificates SHALL have cRLDistributionPoints (7.1.2.3.b)
* Strict and Multipurpose SMIME certificate AIA fields: OCSP Responder "When provided, every accessMethod SHALL have the URI scheme HTTP." (7.1.2.3.c.1)
* Strict and Multipurpose SMIME certificate AIA fields: caIssuers "When provided, every accessMethod SHALL have the URI scheme HTTP." (7.1.2.3.c.1)
* Key usage, RSA certs, strict policies: prevent all key usages other than digitalSignature, nonRepudiation, keyEncipherment (7.1.2.3.e)
* Key usage, RSA certs, multipurpose/legacy policies: prevent all key usages other than digitalSignature, nonRepudiation, keyEncipherment and dataEncipherment (7.1.2.3.e)
* Key usage, EC certs, all: prevent all key usages other than digitalSignature, nonRepudiation, keyAgreement, encipherOnly, decipherOnly (7.1.2.3.e)
* Key usage, EC certs, all: encipherOnly/decipherOnly are permitted only when keyAgreement is set (7.1.2.3.e)
* Key usage, Edwards certs, keys defined on curve 25519: Bit positions SHALL be set for digitalSignature and MAY be set for nonRepudiation (7.1.2.3.e)
* Extended key usage, strict: emailProtection SHALL be present. Other values SHALL NOT BE PRESENT (7.1.2.3.f)
* Extended key usage, multipurpose/legacy: emailProtection SHALL be present. Other values MAY be present (7.1.2.3.f)
* subjectAlternativeName, all: SHALL be present (7.1.2.3.h)
* subjectAlternativeName, all: SHOULD NOT be marked critical unless subject field is empty (7.1.2.3.h)
* Adobe Extensions, strict: is Prohibited (7.1.2.3.m)
* subject:emailAddress, all: if present, the subject:emailAddress SHALL contain a single Mailbox Address. (7.1.4.2.2.h)
* subject DN attributes for mailbox-validated profile (7.1.4.2.3)
## Changelog
* be8dd6a Limit e_registration_scheme_id_matches_subject_country to no longer apply to LEI or INT organizationIdentifiers (#781)
* dfb985b build(deps): bump golang.org/x/crypto from 0.14.0 to 0.17.0 in /v3 (#784)
* 832a1ea build(deps): bump golang.org/x/crypto in /v3/cmd/genTestCerts (#785)
* d4e2de0 Fix goreleaser deprecation (#783)
* 43b6954 address smime lint applicability issue. regenerate test certificates to fix unit tests broken by change (#764)
* e8c0c24 util: gtld_map autopull updates for 2023-11-06T23:18:29 UTC (#756)
* 64533b5 Ensure AIA URLs point to public paths (#760)
* 8923170 CABF SMIME BR 7.1.2.3.e - KeyUsages (#757)
* f9f30bc Fixing lint registration for CABF SMIME (#761)
* 1c307f4 Lints for CABF SMIME BRs 7.1.2.3.f - EKUs (#747)
* 553276d util: gtld_map autopull updates for 2023-10-19T17:18:28 UTC (#755)
* 2f54486 CABF SMIME 7.1.4.2.h If present, the subject:emailAddress SHALL contain a single Mailbox Address (#752)
* 2f0f4b8 build(deps): bump golang.org/x/net in /v3/cmd/genTestCerts (#751)
* 378c09f build(deps): bump golang.org/x/net from 0.8.0 to 0.17.0 in /v3 (#750)
* 88e01ad Lint for CABF SMIME 7.1.2.3.h - subjectAlternativeName SHOULD NOT be marked critical unless the subject field is an empty sequence (#746)
* 08a9354 Lint for CABF SMIME 7.1.2.3.h - subjectAlternativeName, all: SHALL be present (7.1.2.3.h) (#744)
* 386a8dc Lint for CABF SMIME 7.1.2.3b - cRLDistributionPoints SHALL be present (#742)
* 48baa89 Permit underscores in DNSNames if-and-only-if replacing all underscores results in valid LDH labels during BR 1.6.2's permissibility period (#661)
* ba30b3b Permit underscores in DNSNames if-and-only-if those certificates are valid for less than 30 days and during BR 1.6.2's permissibility period (#660)
* 1fd1c0d Part 1 of SC-62 related updates to zlint (#739)
* 5c4e05f util: gtld_map autopull updates for 2023-08-27T22:18:12 UTC (#737)
* 71d5e4b Reintroduce lint for inconsistent KU and EKU (#708)
* 59d4dd3 Inclusion of approximately 190000 email protection certificates into the test corpus (#738)
* d959c83 Add lint enforcing the restrictions on subject DN fields for mailbox validated SMIME certificates (#713)
* 624744d Include LintMetadata in the LintResult (#729)
* 38b7484 Add CRL Lints for the ReasonCode extension from the baseline requirements and RFC 5280 (#715)
* 1e3cf01 util: gtld_map autopull updates for 2023-07-25T22:18:37 UTC (#736)
* b492fe7 tidy: delete 'h' gitlog fragment from proj. root. (#735)
* 4d38bfe E ext cert policy disallowed any policy qualifier refactor (#732)
* 7602109 util: gtld_map autopull updates for 2023-07-08T13:20:31 UTC (#733)
* 40f2b32 Duplicate lints about keyIdentifier in certificates (#726)
* 3f1605e Ecdsa ee invalid ku check applies (#731)
* 8c46bdf Fix typo in LintRevocationListEx comment (#730)
* 7ef1f84 util: gtld_map autopull updates for 2023-06-14T22:18:50 UTC (#727)
* 5e0219d Bc critical (#722)
* 3746088 util: gtld_map autopull updates for 2023-06-06T18:20:14 UTC (#698)
* 9b18bdc Ca field empty description (#723)
* 59a91a2 Max length check applies (#724)
**Full Changelog**:https://github.com/zmap/zlint/compare/v3.5.0...v3.6.0
The ZMap team is happy to share ZLint v3.6.0 (https://github.com/zmap/zlint/releases/tag/v3.6.0).
Thank you to everyone who contributes to ZLint!
## Breaking Changes:
No breaking changes were made in this release.
## Deprecation Warning:
This is primarily a deprecation warning for the library usages of ZLint.
The lint.Lint has been deprecated in favor of the categorical interfaces - CertificateLint and RevocationListLint.
It is advised to refrain from implementing news lints that target the `lint.Lint` interface as this interface will be removed entirely in a future release.
When implementing a lint for a x509 certificate, library usages should favor implementing the `CertificateLint` interface. Similarly, when implementing a lint for a CRL, the `RevocationListLint` interface should be used.
## Security Patches
A patch was applied to the test certificate generation script which addresses CVE-2023-48795 (Severity Score: 5.9). This script never went online and as such never triggered the vulnerability.
## Bug Fixes
* Corrected an issue in `e_registration_scheme_id_matches_subject_country` wherein `LEI` and `INT` certificates were being incorrectly checked.
## New Lints:
Work has begun on the implementation of CABF/BR SMIME lints. For a complete list of lints being tracked please see https://github.com/zmap/zlint/issues/712
* SMIME certificates SHALL have cRLDistributionPoints (7.1.2.3.b)
* Strict and Multipurpose SMIME certificate AIA fields: OCSP Responder "When provided, every accessMethod SHALL have the URI scheme HTTP." (7.1.2.3.c.1)
* Strict and Multipurpose SMIME certificate AIA fields: caIssuers "When provided, every accessMethod SHALL have the URI scheme HTTP." (7.1.2.3.c.1)
* Key usage, RSA certs, strict policies: prevent all key usages other than digitalSignature, nonRepudiation, keyEncipherment (7.1.2.3.e)
* Key usage, RSA certs, multipurpose/legacy policies: prevent all key usages other than digitalSignature, nonRepudiation, keyEncipherment and dataEncipherment (7.1.2.3.e)
* Key usage, EC certs, all: prevent all key usages other than digitalSignature, nonRepudiation, keyAgreement, encipherOnly, decipherOnly (7.1.2.3.e)
* Key usage, EC certs, all: encipherOnly/decipherOnly are permitted only when keyAgreement is set (7.1.2.3.e)
* Key usage, Edwards certs, keys defined on curve 25519: Bit positions SHALL be set for digitalSignature and MAY be set for nonRepudiation (7.1.2.3.e)
* Extended key usage, strict: emailProtection SHALL be present. Other values SHALL NOT BE PRESENT (7.1.2.3.f)
* Extended key usage, multipurpose/legacy: emailProtection SHALL be present. Other values MAY be present (7.1.2.3.f)
* subjectAlternativeName, all: SHALL be present (7.1.2.3.h)
* subjectAlternativeName, all: SHOULD NOT be marked critical unless subject field is empty (7.1.2.3.h)
* Adobe Extensions, strict: is Prohibited (7.1.2.3.m)
* subject:emailAddress, all: if present, the subject:emailAddress SHALL contain a single Mailbox Address. (7.1.4.2.2.h)
* subject DN attributes for mailbox-validated profile (7.1.4.2.3)
## Changelog
* be8dd6a Limit e_registration_scheme_id_matches_subject_country to no longer apply to LEI or INT organizationIdentifiers (#781)
* dfb985b build(deps): bump golang.org/x/crypto from 0.14.0 to 0.17.0 in /v3 (#784)
* 832a1ea build(deps): bump golang.org/x/crypto in /v3/cmd/genTestCerts (#785)
* d4e2de0 Fix goreleaser deprecation (#783)
* 43b6954 address smime lint applicability issue. regenerate test certificates to fix unit tests broken by change (#764)
* e8c0c24 util: gtld_map autopull updates for 2023-11-06T23:18:29 UTC (#756)
* 64533b5 Ensure AIA URLs point to public paths (#760)
* 8923170 CABF SMIME BR 7.1.2.3.e - KeyUsages (#757)
* f9f30bc Fixing lint registration for CABF SMIME (#761)
* 1c307f4 Lints for CABF SMIME BRs 7.1.2.3.f - EKUs (#747)
* 553276d util: gtld_map autopull updates for 2023-10-19T17:18:28 UTC (#755)
* 2f54486 CABF SMIME 7.1.4.2.h If present, the subject:emailAddress SHALL contain a single Mailbox Address (#752)
* 2f0f4b8 build(deps): bump golang.org/x/net in /v3/cmd/genTestCerts (#751)
* 378c09f build(deps): bump golang.org/x/net from 0.8.0 to 0.17.0 in /v3 (#750)
* 88e01ad Lint for CABF SMIME 7.1.2.3.h - subjectAlternativeName SHOULD NOT be marked critical unless the subject field is an empty sequence (#746)
* 08a9354 Lint for CABF SMIME 7.1.2.3.h - subjectAlternativeName, all: SHALL be present (7.1.2.3.h) (#744)
* 386a8dc Lint for CABF SMIME 7.1.2.3b - cRLDistributionPoints SHALL be present (#742)
* 48baa89 Permit underscores in DNSNames if-and-only-if replacing all underscores results in valid LDH labels during BR 1.6.2's permissibility period (#661)
* ba30b3b Permit underscores in DNSNames if-and-only-if those certificates are valid for less than 30 days and during BR 1.6.2's permissibility period (#660)
* 1fd1c0d Part 1 of SC-62 related updates to zlint (#739)
* 5c4e05f util: gtld_map autopull updates for 2023-08-27T22:18:12 UTC (#737)
* 71d5e4b Reintroduce lint for inconsistent KU and EKU (#708)
* 59d4dd3 Inclusion of approximately 190000 email protection certificates into the test corpus (#738)
* d959c83 Add lint enforcing the restrictions on subject DN fields for mailbox validated SMIME certificates (#713)
* 624744d Include LintMetadata in the LintResult (#729)
* 38b7484 Add CRL Lints for the ReasonCode extension from the baseline requirements and RFC 5280 (#715)
* 1e3cf01 util: gtld_map autopull updates for 2023-07-25T22:18:37 UTC (#736)
* b492fe7 tidy: delete 'h' gitlog fragment from proj. root. (#735)
* 4d38bfe E ext cert policy disallowed any policy qualifier refactor (#732)
* 7602109 util: gtld_map autopull updates for 2023-07-08T13:20:31 UTC (#733)
* 40f2b32 Duplicate lints about keyIdentifier in certificates (#726)
* 3f1605e Ecdsa ee invalid ku check applies (#731)
* 8c46bdf Fix typo in LintRevocationListEx comment (#730)
* 7ef1f84 util: gtld_map autopull updates for 2023-06-14T22:18:50 UTC (#727)
* 5e0219d Bc critical (#722)
* 3746088 util: gtld_map autopull updates for 2023-06-06T18:20:14 UTC (#698)
* 9b18bdc Ca field empty description (#723)
* 59a91a2 Max length check applies (#724)
**Full Changelog**:https://github.com/zmap/zlint/compare/v3.5.0...v3.6.0
Reply all
Reply to author
Forward
0 new messages