
v3.7.0


github-actions released this 10 May 18:30 · tag v3.7.0 at commit e07faf0

ZLint v3.7.0

The ZMap team is happy to share ZLint v3.7.0.

Thank you to everyone who contributes to ZLint!

New Lints

  • e_arpa_domain_not_allowed CAs SHALL NOT issue Certificates containing Domain Names that end in an IP Reverse Zone Suffix
  • e_basic_constr_invalid_der Checks the correct DER encoding of the cA field in the BasicConstraints ext
  • e_client_auth_not_allowed Checks that server certificates do not contain clientAuth in the EKU extension (Chrome Root Program Policy lint source)
  • e_cs_aia_missing_ca_issuers_http_url The authorityInformationAccess extension MUST contain the HTTP URL of the Issuing CA's certificate (id-ad-caIssuers)
  • e_cs_aia_ocsp_not_http If the CA provides OCSP responses, the authorityInformationAccess extension MUST contain the HTTP URL of the Issuing CA's OCSP
    responder (id-ad-ocsp)
  • e_cs_authority_information_access The authorityInformationAccess extension MUST be present and MUST NOT be marked critical
  • e_cs_ecdsa_prohibited_curve If the Key is ECDSA, then the curve MUST be one of NIST P-256, P-384, or P-521
  • e_cs_max_validity_period_39_months Code Signing certificate validity must not exceed 39 months for certificates issued before March 1st, 2026
  • e_cs_max_validity_period_460_days Code Signing certificate validity must not exceed 460 days for certificates issued on or after March 1st, 2026
  • e_cs_signature_algorithm_not_supported Certificates MUST meet the Code Signing BR requirements for signature algorithm: the digest algorithm must be one of SHA-1*, SHA-256, SHA-384, SHA-512
  • e_exactly_one_smime_policy The subscriber cert SHALL include exactly one of the reserved policy OIDs in §7.1.6.1
  • e_excessively backdated notBefore [must be] a value within 48 hours of the certificate signing
  • e_ext_cannot_be_empty_sequence Extensions whose ASN.1 value is SEQUENCE SIZE (1..MAX) OF ... must contain at least one element
  • e_ocsp_cert_cdp_forbidden In OCSP certificates, the CDP extension MUST NOT appear
  • e_ocsp_cert_cp_forbidden In OCSP certificates, the CP extension MUST NOT appear
  • e_ocsp_cert_invalid_ku For OCSP certificates, only digitalSignature is allowed in the KU ext
  • e_qcstatem_qctype_oneonly Checks that a QC Statement of the type Id-etsi-qcs-QcType features exactly one of the allowed QcType OIDs
  • e_state_or_province_name_must_not_contain_control_characters stateOrProvinceName MUST come from an authoritative data source of plain, human readable, names
  • e_subj_email_not_in_san Certificates with email addresses MUST include them in the SAN extension
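
Most of the lints above reduce to a small structural check on the parsed certificate, and a few (e_basic_constr_invalid_der in particular) have to look at the raw extension bytes because a lenient parser normalises the defect away. The following Go program is an added example, not ZLint's own code (ZLint's lints live in its own packages built on zcrypto): it implements three of the new checks against the standard library's crypto/x509 plus a hand-rolled DER walk, namely the cA BOOLEAN encoding rule of e_basic_constr_invalid_der, the serverAuth/clientAuth conflict of e_client_auth_not_allowed, and the Subject-emailAddress-must-be-in-SAN rule of e_subj_email_not_in_san. The function names, the extension byte strings and the in-memory self-signed certificate are all constructed for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// PKCS#9 emailAddress, the legacy way to carry an email address in a Subject DN.
var oidEmailAddress = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 1}

// CheckBasicConstraintsDER walks the raw extnValue of BasicConstraints and rejects
// the non-DER encodings of the cA BOOLEAN that lenient parsers accept: an explicit
// FALSE (DER forbids encoding a DEFAULT value) and a TRUE whose content octet is
// not 0xFF. Short-form lengths only; BasicConstraints never needs more.
func CheckBasicConstraintsDER(extnValue []byte) error {
	if len(extnValue) < 2 || extnValue[0] != 0x30 || extnValue[1] >= 0x80 ||
		2+int(extnValue[1]) != len(extnValue) {
		return fmt.Errorf("BasicConstraints is not a well-formed short-form SEQUENCE")
	}
	body := extnValue[2:]
	if len(body) == 0 || body[0] != 0x01 {
		return nil // no BOOLEAN present: cA takes its DEFAULT FALSE, which is valid DER
	}
	if len(body) < 3 || body[1] != 0x01 {
		return fmt.Errorf("cA BOOLEAN must have exactly one content octet")
	}
	if body[2] == 0xFF {
		return nil
	}
	return fmt.Errorf("cA must be omitted when FALSE and encoded as 0xFF when TRUE; got 0x%02X", body[2])
}

// CheckServerCertNoClientAuth: a certificate asserting serverAuth must not also assert clientAuth.
func CheckServerCertNoClientAuth(cert *x509.Certificate) error {
	var server, client bool
	for _, eku := range cert.ExtKeyUsage {
		server = server || eku == x509.ExtKeyUsageServerAuth
		client = client || eku == x509.ExtKeyUsageClientAuth
	}
	if server && client {
		return fmt.Errorf("serverAuth certificate also asserts clientAuth")
	}
	return nil
}

// CheckSubjectEmailInSAN: every Subject emailAddress must also be an rfc822Name in the SAN (RFC 5280 4.1.2.6).
func CheckSubjectEmailInSAN(cert *x509.Certificate) error {
	for _, atv := range cert.Subject.Names {
		if !atv.Type.Equal(oidEmailAddress) {
			continue
		}
		found := false
		for _, e := range cert.EmailAddresses {
			found = found || atv.Value == e
		}
		if !found {
			return fmt.Errorf("subject emailAddress %v is missing from the SAN extension", atv.Value)
		}
	}
	return nil
}

// NewTestCert builds a self-signed leaf in memory (constructed test data) and parses the DER back as a linter would.
func NewTestCert(subject pkix.Name, emails []string, ekus []x509.ExtKeyUsage) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: subject,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		EmailAddresses: emails, ExtKeyUsage: ekus}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	for _, v := range [][]byte{{0x30, 3, 1, 1, 0xFF}, {0x30, 3, 1, 1, 0x00}, {0x30, 3, 1, 1, 0x01}} {
		fmt.Printf("% X -> %v\n", v, CheckBasicConstraintsDER(v)) // constructed extnValues: DER TRUE, explicit FALSE, bad TRUE
	}
	subj := pkix.Name{ExtraNames: []pkix.AttributeTypeAndValue{{Type: oidEmailAddress, Value: "admin@example.test"}}}
	bad, err := NewTestCert(subj, nil, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth})
	if err != nil {
		panic(err)
	}
	fmt.Println("e_client_auth_not_allowed:", CheckServerCertNoClientAuth(bad), "| e_subj_email_not_in_san:", CheckSubjectEmailInSAN(bad))
}
```

The raw-bytes walk is the important design choice: crypto/x509 decodes an explicit `cA FALSE` (`01 01 00`) without complaint, so a lint that only inspects `cert.IsCA` can never flag it, which is why DER-encoding lints operate on the extension's `extnValue` rather than on the parsed structure.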

Bug Fixes

  • e_cert_policy_iv_requires_country fixed a bug where policy-constrained IV-issuing CAs were inadvertently linted
  • e_qcstatem_qctype_web fixed to not return an error for legitimate e-signature and e-seal qualified certificates

Security

  • Patched CVE-2025-58181
  • Bumped golang.org/x/crypto from 0.36.0 to 0.45.0

Misc

  • Added support for Chrome Root Program Policy-based lints as a new lint source
  • e_state_or_province_name_must_not_contain_control_characters extended to also check localityName
  • cab_dv_conflicts_with_locality, cab_dv_conflicts_with_org, cab_dv_conflicts_with_postal, cab_dv_conflicts_with_province, and
    cab_dv_conflicts_with_street lints marked as superseded
  • e_ca_country_name_invalid CheckApplies logic refactored with additional test coverage
  • e_cert_policy_iv_requires_country citation updated to current location
  • Broad dependency updates
  • Updated gtld_map

Changelog

  • e07faf0 Remove Windows as a release target due to compilation errors in zcrypto (#1043)
  • 1533c39 Remove FreeBSD as a release target due to compilation errors in zcrypto (#1042)
  • e17555a Upgrade zcrypto, golang, and golangci-lint to latest (#1039)
  • 5dc4eaf Cs add ria lints (#1036)
  • 31204be Add lint for checking curve param requirements (#1035)
  • da562d2 Add support for Chrome Root Program Policy-based lints, plus a first such lint addressing clientAuth deprecation (#1031)
  • fe04242 util: gtld_map autopull updates for 2026-04-18T03:19:55 UTC (#1037)
  • 12ccc55 refactor ca country check applies, add tests (#1032)
  • 215f568 Add cs sig alg lint (#1033)
  • 90f1337 Add lint to check for certain extensions to have at least 1 element according to RFC 5280 (#1028)
  • f804eca fix iv countryName lint checkApplies, add personal name lint history (#1027)
  • b536041 Add lint to address Ballot SC-086v3 (Sunset the Inclusion of IP Reverse Address Domain Names) (#1030)
  • 48f6dc7 Add lint to check for email addresses in Subject but not in SAN (prohibited by RFC 5280 section 4.1.2.6) (#1026)
  • 7eb7ba8 Qc sttmnt only one qc type (#1025)
  • 145bd26 mark cab_dv_conflicts_with* lints superseded (#1023)
  • 505d5f4 Add lint to check that the notBefore timestamp is not too early compared to the SCTs (#1022)
  • bc0c81e Added validity period lints for before and after CSC-31, included unit tests with test certificates (#1020)
  • 67d05d8 util: gtld_map autopull updates for 2026-02-14T04:48:16 UTC (#1021)
  • 1bb9b40 go mod tidy (#1017)
  • 234d2d4 Adding locality to e_state_or_province_name_must_not_contain_control_characters (#1015)
  • 570d5a6 Lint to ensure that stateOrProvinceName is in a plain human, readable, format (#1014)
  • 4f6ffa4 Add lint to check for a reserved policy identifier in S/MIME certificates (#1011)
  • 5dfb580 Broad Dependency Updates (#1013)
  • 04b6958 Patch for CVE-2025-58181 (#1009)
  • 46db9bf build(deps): bump golang.org/x/crypto in /v3/cmd/gen_test_crl (#1008)
  • 736cd7c build(deps): bump golang.org/x/crypto from 0.36.0 to 0.45.0 in /v3 (#1007)
  • 8be747f Add lint to check for correct DER encoding of the cA field in BasicConstraints (#1006)
  • d96b640 Lint e_qcstatem_qctype_web throws an error for legitimate e-signature and e-seal qualified certificates (#1004)
  • cfa6a89 Add some lints for OCSP Responder certificates (#1002)

Full Changelog: v3.6.8...v3.7.0