Releases: zmap/zlint
ZLint v3.3.1-rc1
ZLint v3.3.1-rc1
The ZMap team is happy to share ZLint v3.3.1-rc1.
Thank you to everyone who contributes to ZLint!
Breaking Changes:
No breaking changes were made in this release.
New Lints:
e_ev_not_wildcard
asserts that wildcard domains are not allowable for EV certificates (except .onion addresses).e_dnsname_contains_prohibited_reserved_label
asserts that every label within a FQDN must be either a P-Label or a Non-Reserved LDH Label.e_ev_san_ip_address_present
asserts that Subject Alternative Name MUST contain onlydnsName
types.e_algorithm_identifier_improper_encoding
asserts CABF BR 7.1.3.1 regarding requiring a specific byte sequence within a Subject Public Key Info field.e_underscore_not_permissible_in_dnsname
asserts that underscore are not permissible after the brief permissibility period described in CABF BR 1.6.2.e_no_underscores_before_1_6_2
asserts that underscore are not permissible before the brief permissibility period described in CABF BR 1.6.2.
Bug Fixes:
- Corrected an issue in
lint_idn_dnsname_malformed_unicode
andlint_idn_dnsname_must_be_nfc
wherein the IDNA ACE prefixes were incorrectly considered to be case-sensitive. - A Tor Hash Descriptor is no longer required on certificates that encode Onion V3 addresses.
Misc:
- Numerous TLD updates.
- The CABF OID for EV (
2.23.140.1.1
) was added as a known EV OID. - Some clearer datetime logic for more natural daterange checking.
Changelog
b3be71c Skip checking for a Tor Descriptor Hash if the provided cert contains a V3 Onion address. (#669)
3be391b Update README.md (#666)
b1bd967 No underscores are allowed in DNSNames before BR 1.6.2's permissibility period (#659)
6badb89 No underscores are allowed in DNSNames after BR 1.6.2's permissibility period (#662)
4ab8567 util: gtld_map autopull updates for 2022-02-17T22:26:31 UTC (#658)
7fc9fbd Add Microsoft to the known-ZLint users (#655)
b4a225e AlgorithmIdentifier encoding (Section 7.1.3.1, CAB-Forum BR) (#642)
da67a23 util: gtld_map autopull updates for 2021-12-30T02:43:35 UTC (#654)
3f7cf6c Update README.md (#653)
9199b6d util: gtld_map autopull updates for 2021-12-09T20:29:24 UTC (#649)
0d71258 Entrust Datacard rebranded to Entrust (#652)
bbc7e36 Add lint to detect IP addresses in EV certs (#650)
cb3e7e8 Mark CA/Browser Forum EV Policy OID as EV (#651)
da4e374 refactor: move from io/ioutil to io and os packages (#647)
3a3de3c util: gtld_map autopull updates for 2021-10-30T04:36:00 UTC (#637)
2ff2130 cleaning up some datetime logic (#644)
cb17369 Lint for Non-XN Reserved Labels (#635)
9113ed8 Forbid wildcard certs for non .onion EVs (#641)
0508b86 Detect XN-Labels case-insensitively (#636)
b6ec327 util: gtld_map autopull updates for 2021-10-05T22:26:49 UTC (#633)
ZLint v3.3.0
ZLint v3.3.0
The ZMap team is happy to share ZLint v3.3.0.
Thank you to everyone who contributes to ZLint!
Breaking Changes:
No breaking changes were made in this release.
New Lints:
e_sub_ca_aia_missing
was split into two lints -e_sub_ca_aia_missing
andw_sub_ca_aia_missing
. The error variant becomes ineffective for certificates issued after August 20th, 2020. Conversely, the warning variant becomes effective for certificates issued after August 20th, 2020.e_subject_common_name_not_exactly_from_san
. The common name field in subscriber certificates must include only names from the SAN extension.e_rfc_dnsname_empty_label
. DNSNames should not have an empty label.e_rfc_dnsname_hyphen_in_sld.
. DNSName should not have a hyphen beginning or ending the SLD.e_rfc_dnsname_label_too_long
. DNSName labels MUST be less than or equal to 63 characters.e_rfc_dnsname_underscore_in_sld
. DNSName MUST NOT contain underscore characters.w_rfc_dnsname_underscore_in_trd
. DNSName MUST NOT contain underscore characters.
Bug Fixes:
- The ZCrypto dependency was upgraded to
v0.0.0-20210811211718-6f9bc4aff20f
in order to fix issue #626, which was causing a compilation error when attempting to consume ZLint as a library rather than a binary application. - A bug was fixed in the project's test certificate generation script wherein generated sample certificates did not properly cryptographically chain
Misc:
- All lints had their
initialize
methods migrated to proper Go style constructors. This reduces the reliance upon singletons in the code base and improves multi-threaded test stability. - The ZLint test integration framework now rejects
config.json
files that have duplicate entries. This improves reasoning of test results as duplicate definitions elsewhere in the could unknowingly override test expectations. - Updated ZCrypto to allow for more permissive ASN.1 parsing.
e_subject_common_name_not_from_san
was configured to no longer be effective as of CABF 1.8.0.
Changelog
1b89405 bump zcrypto to v0.0.0-20210811211718-6f9bc4aff20f (#629)
9da3c9f disallow duplicate entries in config.json (#616)
4940d55 Test certificate generator doesn't create a certificate chain (#622)
e274215 split lint_sub_ca_aia_missing lint into an error lint for before CABF_BR 1.7.1 and a warning for after. Add test data (#613)
7bba362 Code clarification to match BRs wording. (#621)
48b300e Update README.md (#614)
8e8930e subsitute the initialize method for a constructor in the Lint struct (#607)
dbd9bfd dep: upgrade to latest ZCrypto with permissive asn1 parsing (#611)
b4060ec Correct lint attribution for dnsname_etc lints and limit scope to just DNS SAN entries (#609)
74dfff2 Update README.md (#631)
0944e91 e_subject_common_name_not_from_san is no longer sufficient for enforcing CABF BRs (#627)
v3.3.0-rc2
ZLint v3.3.0-rc2
The ZMap team is happy to share ZLint v3.3.0-rc2.
Thank you to everyone who contributes to ZLint!
Breaking Changes:
No breaking changes were made in this release.
New Lints:
e_sub_ca_aia_missing
was split into two lints -e_sub_ca_aia_missing
andw_sub_ca_aia_missing
. The error variant becomes ineffective for certificates issued after August 20th, 2020. Conversely, the warning variant becomes effective for certificates issued after August 20th, 2020.e_subject_common_name_not_exactly_from_san
. The common name field in subscriber certificates must include only names from the SAN extension.e_rfc_dnsname_empty_label
. DNSNames should not have an empty label.e_rfc_dnsname_hyphen_in_sld.
. DNSName should not have a hyphen beginning or ending the SLD.e_rfc_dnsname_label_too_long
. DNSName labels MUST be less than or equal to 63 characters.e_rfc_dnsname_underscore_in_sld
. DNSName MUST NOT contain underscore characters.w_rfc_dnsname_underscore_in_trd
. DNSName MUST NOT contain underscore characters.
Bug Fixes:
- The ZCrypto dependency was upgraded to
v0.0.0-20210811211718-6f9bc4aff20f
in order to fix issue #626, which was causing a compilation error when attempting to consume ZLint as a library rather than a binary application. - A bug was fixed in the project's test certificate generation script wherein generated sample certificates did not properly cryptographically chain
Misc:
- All lints had their
initialize
methods migrated to proper Go style constructors. This reduces the reliance upon singletons in the code base and improves multi-threaded test stability. - The ZLint test integration framework now rejects
config.json
files that have duplicate entries. This improves reasoning of test results as duplicate definitions elsewhere in the could unknowingly override test expectations. - Updated ZCrypto to allow for more permissive ASN.1 parsing.
e_subject_common_name_not_from_san
was configured to no longer be effective as of CABF 1.8.0.
Changelog
1b89405 bump zcrypto to v0.0.0-20210811211718-6f9bc4aff20f (#629)
9da3c9f disallow duplicate entries in config.json (#616)
4940d55 Test certificate generator doesn't create a certificate chain (#622)
e274215 split lint_sub_ca_aia_missing lint into an error lint for before CABF_BR 1.7.1 and a warning for after. Add test data (#613)
7bba362 Code clarification to match BRs wording. (#621)
48b300e Update README.md (#614)
8e8930e subsitute the initialize method for a constructor in the Lint struct (#607)
dbd9bfd dep: upgrade to latest ZCrypto with permissive asn1 parsing (#611)
b4060ec Correct lint attribution for dnsname_etc lints and limit scope to just DNS SAN entries (#609)
74dfff2 Update README.md (#631)
0944e91 e_subject_common_name_not_from_san is no longer sufficient for enforcing CABF BRs (#627)
ZLint v3.3.0-rc1
ZLint v3.3.0-rc1
The ZMap team is happy to share ZLint v3.3.0-rc1.
Thank you to everyone who contributes to ZLint!
Breaking Changes:
No breaking changes were made in this release.
New Lints:
e_sub_ca_aia_missing
was split into two lints -e_sub_ca_aia_missing
andw_sub_ca_aia_missing
. The error variant becomes ineffective for certificates issued after August 20th, 2020. Conversely, the warning variant becomes effective for certificates issued after August 20th, 2020.
Bug Fixes:
- The ZCrypto dependency was upgraded to
v0.0.0-20210811211718-6f9bc4aff20f
in order to fix issue #626, which was causing a compilation error when attempting to consume ZLint as a library rather than a binary application. - A bug was fixed in the project's test certificate generation script wherein generated sample certificates did not properly cryptographically chain
Misc:
- All lints had their
initialize
methods migrated to proper Go style constructors. This reduces the reliance upon singletons in the code base and improves multi-threaded test stability. - The ZLint test integration framework now rejects
config.json
files that have duplicate entries. This improves reasoning of test results as duplicate definitions elsewhere in the could unknowingly override test expectations. - Updated ZCrypto to allow for more permissive ASN.1 parsing.
Changelog
1b89405 bump zcrypto to v0.0.0-20210811211718-6f9bc4aff20f (#629)
9da3c9f disallow duplicate entries in config.json (#616)
4940d55 Test certificate generator doesn't create a certificate chain (#622)
e274215 split lint_sub_ca_aia_missing lint into an error lint for before CABF_BR 1.7.1 and a warning for after. Add test data (#613)
7bba362 Code clarification to match BRs wording. (#621)
48b300e Update README.md (#614)
8e8930e subsitute the initialize method for a constructor in the Lint struct (#607)
dbd9bfd dep: upgrade to latest ZCrypto with permissive asn1 parsing (#611)
ZLInt v3.2.0
ZLint v3.2.0
The ZMap team is happy to share ZLint v3.2.0.
Thank you to everyone who contributes to ZLint!
Breaking Changes:
No breaking changes were made in this release.
New Lints:
w_subject_given_name_recommended_max_length
, RFC 5280X.411 (1988) describes ub-common-name-length to be 64 bytes long. As systems may have targeted this length, for compatibility purposes it may be prudent to limit given names to this length.
e_prohibit_dsa_usage
, Mozilla Root Store Policy - §5.1The usage of DSA as the public key algorithm is no longer allowed. Effective March 31st, 2017.
e_br_prohibit_dsa_usage
, CABF Baseline requirements, v1.7.1DSA was removed from the Baseline Requirements as a valid signature algorithm in 1.7.1. Effective August 20th, 2020.
Bug Fixes:
e_serial_number_not_positive
no longer considers zero to be valid.e_subject_given_name_max_length
now checks whether given names are under 32769 characters long (was 17).e_subject_surname_max_length
now checks whether given names are under 32769 characters long (was 17).e_dsa_params_missing
is no longer effective as of August 20th, 2020.
Misc:
- Updated TLD data (Current to 2021-04-22).
- ZCrypto dependency bumped to
ea3fdbd5ea2
. - Switched ZLint to Go 1.16.
- Added the
-version
flag tozlint
/zlint-gtld-update
. - Added support for
IneffectiveDate
in lints, which complementsEffectiveDate
and marks when a lint is superseded by another or is otherwise no longer enforced. - A certificate generating playground tool was added under
v3/cmd/genTestCerts/
. This script should hopefully accelerate the process of generating test certificates for most edge cases. - Added static analysis to the repository which enforces function ordering in lints in CI/CD.
- Miscellaneous typos.
Changelog
7e75dc3 deps: update zcrypto to ea3fdbd (#604)
d5d0ed9 lints: fix anyKeyUsage typo in n_mp_allowed_eku
. (#600)
c47eab4 cmd: add -version
to zlint
, zlint-gtld-update
. (#598)
0807bf9 Updating RFC surname and givenname character limits (#586)
3de0a7c util: gtld_map autopull updates for 2021-04-22T03:40:32 UTC (#590)
5ca3470 util: gtld_map autopull updates for 2021-04-21T21:31:31 UTC (#589)
740b212 util: gtld_map autopull updates for 2021-04-17T02:48:14 UTC (#588)
d5ab97e Make zero an invalid serial number for RFC lints (#584)
2cac1fd Lint that DSA is not used - BR (#577)
30c55c5 lints: fix typo in e_ext_name_constraints_not_critical description (#579)
a6348f9 Update zcrypto for vendored crypto/dsa package (#578)
35273f1 util: gtld_map autopull updates for 2021-03-26T21:30:44 UTC (#580)
b313d9f Introduce an upper bounds to effective dates (#576)
3223b2a Add a new lint to prohibit using DSA (#572)
3615e0f Include a playground script for generating one off certificates and certificate chains (#569)
7fcf0da util: gtld_map autopull updates for 2021-02-19T22:31:45 UTC (#571)
2aa588f project: switch to go 1.16. (#570)
1f157ab Lint template produces a file with an init
function that is not at the top of the new lint (#565)
835500b Custom static analysis tooling for CI/CD (#551)
1cbdd0c docs: update CONTRIBUTING.md with cert generation resources (#560)
59e0d78 util: gtld_map autopull updates for 2021-02-11T11:26:01 UTC (#563)
f091dd3 deps: update zcrypto to 2a2d9c3 (#562)
v3.2.0-rc1
ZLint v3.2.0-rc1
The ZMap team is happy to share ZLint v3.2.0-rc1.
Thank you to everyone who contributes to Zlint!
Breaking Changes:
No breaking changes were made in this release.
New Lints:
w_subject_given_name_recommended_max_length
, RFC 5280X.411 (1988) describes ub-common-name-length to be 64 bytes long. As systems may have targeted this length, for compatibility purposes it may be prudent to limit given names to this length.
e_prohibit_dsa_usage
, Mozilla Root Store Policy - §5.1The usage of DSA as the public key algorithm is no longer allowed. Effective March 31st, 2017.
e_br_prohibit_dsa_usage
, CABF Baseline requirements, v1.7.1DSA was removed from the Baseline Requirements as a valid signature algorithm in 1.7.1. Effective August 20th, 2020.
Bug Fixes:
e_serial_number_not_positive
no longer considers zero to be valid.e_subject_given_name_max_length
now checks whether given names are under 32769 characters long (was 17).e_subject_surname_max_length
now checks whether given names are under 32769 characters long (was 17).e_dsa_params_missing
is no longer effective as of August 20th, 2020.
Misc:
- Updated TLD data (Current to 2021-04-22).
- ZCrypto dependency bumped to
ea3fdbd5ea2
. - Switched ZLint to Go 1.16.
- Added the
-version
flag tozlint
/zlint-gtld-update
. - Added support for
IneffectiveDate
in lints, which complementsEffectiveDate
and marks when a lint is superseded by another or is otherwise no longer enforced. - A certificate generating playground tool was added under
v3/cmd/genTestCerts/
. This script should hopefully accelerate the process of generating test certificates for most edge cases. - Added static analysis to the repository which enforces function ordering in lints in CI/CD.
- Miscellaneous typos.
Changelog
7e75dc3 deps: update zcrypto to ea3fdbd (#604)
d5d0ed9 lints: fix anyKeyUsage typo in n_mp_allowed_eku
. (#600)
c47eab4 cmd: add -version
to zlint
, zlint-gtld-update
. (#598)
0807bf9 Updating RFC surname and givenname character limits (#586)
3de0a7c util: gtld_map autopull updates for 2021-04-22T03:40:32 UTC (#590)
5ca3470 util: gtld_map autopull updates for 2021-04-21T21:31:31 UTC (#589)
740b212 util: gtld_map autopull updates for 2021-04-17T02:48:14 UTC (#588)
d5ab97e Make zero an invalid serial number for RFC lints (#584)
2cac1fd Lint that DSA is not used - BR (#577)
30c55c5 lints: fix typo in e_ext_name_constraints_not_critical description (#579)
a6348f9 Update zcrypto for vendored crypto/dsa package (#578)
35273f1 util: gtld_map autopull updates for 2021-03-26T21:30:44 UTC (#580)
b313d9f Introduce an upper bounds to effective dates (#576)
3223b2a Add a new lint to prohibit using DSA (#572)
3615e0f Include a playground script for generating one off certificates and certificate chains (#569)
7fcf0da util: gtld_map autopull updates for 2021-02-19T22:31:45 UTC (#571)
2aa588f project: switch to go 1.16. (#570)
1f157ab Lint template produces a file with an init
function that is not at the top of the new lint (#565)
835500b Custom static analysis tooling for CI/CD (#551)
1cbdd0c docs: update CONTRIBUTING.md with cert generation resources (#560)
59e0d78 util: gtld_map autopull updates for 2021-02-11T11:26:01 UTC (#563)
f091dd3 deps: update zcrypto to 2a2d9c3 (#562)
v3.1.0
ZLint v3.1.0
The ZMap team is happy to share ZLint v3.1.0.
Thank you to everyone who contributes to Zlint; whether it be code, knowledge, wisdom or the grace of all three you are appreciated.
Breaking Changes:
No breaking changes were made in this release.
New Lints:
e_ocsp_id_pkix_ocsp_nocheck_ext_not_included_server_auth
, CABF Baseline Requirements - §4.9.9OCSP signing Certificate MUST contain an extension of type id-pkixocsp-nocheck, as defined by RFC6960.
e_ev_organization_id_missing lint
, CABF EV Guidelines v1.7.0 - §9.8.2Effective January 31, 2020, if the subject:organizationIdentifier field is present, this [cabfOrganizationIdentifier] field MUST be present.
e_name_constraint_not_fqdn
, RFC 5280 - §4.2.1.10For URIs, the constraint MUST be specified as a fully qualified domain name [...] When the constraint begins with a period, it MAY be expanded with one or more labels.
Bug Fixes:
e_serial_number_longer_than_20_octets
has been corrected to count the number of octets taken to represent a serial number after it has been serialized to ASN.1. Since ASN.1 numbers are signed values, serial numbers that are greater-than-or-equal-to 2^160 will begin to fail this lint as they are prefixed with a0x00
to maintain their positive sign.- Previously the
e_ext_duplicate_extension
lint from thelint.RFC5280
source only returned alint.Error
result as soon as one duplicate extension was found in a certificate. It did not indicate which extension OID was duplicated, or if there was more than one duplicated extensions. In this release, the lint now does both of these things. The detail string now indicates all of the extension OIDs that were present more than once.
Misc:
- Updated TLD data (Current to 2020-12-11).
- ZCrypto dependency bumped to 9cf5bea.
- Changed the project style guide to asking that lints have their
init
function declared near the top of the file as it often contains the most useful information for outside readers. - Removed an unused utility function.
- Copyright updated to 2021.
Full Changelog
848c50b integration: fix resultCount types to not overflow, update expected vals. (#557)
12bb0ed lints: revert e_key_usage_and_extended_key_usage_inconsistent. (#556)
c1c6681 lints: fix description of e_ext_ian_uri_not_ia5 (#554)
2549ed3 lints: return detail for e_ext_duplicate_extension. (#550)
6dde095 deps: update zcrypto to 9cf5bea (#548)
3094399 tests: coverage for e_name_constraint_not_fqdn detail msgs (#547)
ea23311 lints: move init to start of lint_name_constraint_not_fqdn.go (#544)
6d643b9 project: re-order lint init functions (#536)
edd0d0c lints: adds e_name_constraint_not_fqdn
lint (RFC5280 4.2.1.10) (#533)
186e2c1 project: update copyright year to 2021 (#543)
5316fa5 lints: adds e_ev_organization_id_missing lint (CABF EVG 1.7.0 Section 9.8.2) (#532)
b0e20c8 docs: CONTRIBUTING.md updates, couple copyright year tweaks. (#535)
747b41f lints: fix boundary condition in e_serial_number_longer_than_20_octets
lint (#527)
3042438 KU and EKU Inconsistent lint correction (#528)
4d0ac7a deps: update zmap/zcrypto to 1eef276 (#529)
b691fe9 Added a new lint and tests for correlation between KU&EKU (#497)
a1b837a deps: update zmap/zcrypto to deeac00. (#526)
9e16bfc util: remove unused ICANNPublicSuffixParse
helper. (#525)
f47c9d6 CI: Cleanup hacky tld-update workflow env var use. (#524)
d8314a3 CI: Have tld-update workflow build & test pre-PR. (#521)
83f15ca util: gtld_map autopull updates for 2020-12-11T05:27:56 UTC (#520)
b6e5ba7 util: gtld_map autopull updates for 2020-12-08T18:31:14 UTC (#518)
1eb11ce Ocsp eku check for tls certificates (#490)
662504d change tld updator to not be me (#516)
931c5d4 util: gtld_map autopull updates for 2020-11-30T23:23:57 UTC (#514)
12dfc18 CI: Add cron workflow for gTLD update PRs. (#513)
v3.1.0-rc1
ZLint v3.1.0-rc1
The ZMap team is happy to share ZLint v3.1.0-rc1.
Thank you to everyone who contributes to Zlint; whether it be code, knowledge, wisdom or the grace of all three you are appreciated.
Breaking Changes:
No breaking changes were made in this release.
New Lints:
e_ocsp_id_pkix_ocsp_nocheck_ext_not_included_server_auth
, CABF Baseline Requirements - §4.9.9OCSP signing Certificate MUST contain an extension of type id-pkixocsp-nocheck, as defined by RFC6960.
e_ev_organization_id_missing lint
, CABF EV Guidelines v1.7.0 - §9.8.2Effective January 31, 2020, if the subject:organizationIdentifier field is present, this [cabfOrganizationIdentifier] field MUST be present.
e_name_constraint_not_fqdn
, RFC 5280 - §4.2.1.10For URIs, the constraint MUST be specified as a fully qualified domain name [...] When the constraint begins with a period, it MAY be expanded with one or more labels.
Bug Fixes:
e_serial_number_longer_than_20_octets
has been corrected to count the number of octets taken to represent a serial number after it has been serialized to ASN.1. Since ASN.1 numbers are signed values, serial numbers that are greater-than-or-equal-to 2^160 will begin to fail this lint as they are prefixed with a0x00
to maintain their positive sign.- Previously the
e_ext_duplicate_extension
lint from thelint.RFC5280
source only returned alint.Error
result as soon as one duplicate extension was found in a certificate. It did not indicate which extension OID was duplicated, or if there was more than one duplicated extensions. In this release, the lint now does both of these things. The detail string now indicates all of the extension OIDs that were present more than once.
Misc:
- Updated TLD data (Current to 2020-12-11).
- ZCrypto dependency bumped to 9cf5bea.
- Changed the project style guide to asking that lints have their
init
function declared near the top of the file as it often contains the most useful information for outside readers. - Removed an unused utility function.
- Copyright updated to 2021.
Full Changelog
848c50b integration: fix resultCount types to not overflow, update expected vals. (#557)
12bb0ed lints: revert e_key_usage_and_extended_key_usage_inconsistent. (#556)
c1c6681 lints: fix description of e_ext_ian_uri_not_ia5 (#554)
2549ed3 lints: return detail for e_ext_duplicate_extension. (#550)
6dde095 deps: update zcrypto to 9cf5bea (#548)
3094399 tests: coverage for e_name_constraint_not_fqdn detail msgs (#547)
ea23311 lints: move init to start of lint_name_constraint_not_fqdn.go (#544)
6d643b9 project: re-order lint init functions (#536)
edd0d0c lints: adds e_name_constraint_not_fqdn
lint (RFC5280 4.2.1.10) (#533)
186e2c1 project: update copyright year to 2021 (#543)
5316fa5 lints: adds e_ev_organization_id_missing lint (CABF EVG 1.7.0 Section 9.8.2) (#532)
b0e20c8 docs: CONTRIBUTING.md updates, couple copyright year tweaks. (#535)
747b41f lints: fix boundary condition in e_serial_number_longer_than_20_octets
lint (#527)
3042438 KU and EKU Inconsistent lint correction (#528)
4d0ac7a deps: update zmap/zcrypto to 1eef276 (#529)
b691fe9 Added a new lint and tests for correlation between KU&EKU (#497)
a1b837a deps: update zmap/zcrypto to deeac00. (#526)
9e16bfc util: remove unused ICANNPublicSuffixParse
helper. (#525)
f47c9d6 CI: Cleanup hacky tld-update workflow env var use. (#524)
d8314a3 CI: Have tld-update workflow build & test pre-PR. (#521)
83f15ca util: gtld_map autopull updates for 2020-12-11T05:27:56 UTC (#520)
b6e5ba7 util: gtld_map autopull updates for 2020-12-08T18:31:14 UTC (#518)
1eb11ce Ocsp eku check for tls certificates (#490)
662504d change tld updator to not be me (#516)
931c5d4 util: gtld_map autopull updates for 2020-11-30T23:23:57 UTC (#514)
12dfc18 CI: Add cron workflow for gTLD update PRs. (#513)
v3.0.0
ZLint v3.0.0
The ZMap team is happy to share ZLint v3.0.0. Above bugfixes and new lints this major release also has a few breaking changes from v2.x.x that we want to draw to your attention.
Breaking Changes:
w_dnsname_wildcard_left_of_public_suffix
andw_san_iana_pub_suffix_empty
have been demoted from warnings to notices and renamed accordingly (n_dnsname_wildcard_left_of_public_suffix
andn_san_iana_pub_suffix_empty
).- The
e_tls_server_cert_valid_time_longer_than_398_days
lint now only returns an error finding for certs exceeding the 398 lifetime. The warning result previously returned for exceeding the 397 day lifetime suggestion is now a separatew_tls_server_cert_valid_time_longer_than_397_days
lint. - The
lint.AppleCTPolicy
lint source was renamed tolint.AppleRootStorePolicy
. - The
lint.AWSLabs
andlint.ZLint
lint sources were combined into one new lint sourcelint.Community
.
New Lints:
w_tls_server_cert_valid_time_longer_than_397_days
- see breaking change notes above.
Bug Fixes:
- Previously
n_san_iana_pub_suffix_empty
could only flag one DNS name in a certificate and would potentially return NA for certificates with one or more names that fail to be parsed by publicsuffix-go. It now handles both cases correctly. - Removed
testdata/QcStmtEtsiQcComplWithNonEmptyStmtInfoCert19.pem
and test case. Updated Go 1.15/ZCrypto throw a parse error for this test case now that they are QcStatement aware.
Misc:
- Project and releases now built with Go 1.15.x
- Updated TLD data (Current to 2020-11-21).
- Integration test failures now include error/warning/info overviews.
- ZCrypto dependency bumped to latest commit.
- Project CI converted from Travis CI to Github Actions.
Full Changelog
fe65bae project: bump major version to 3.0.0 (#510)
0d48ea1 lint: combine ZLint and AWSLabs Sources into Community. (#509)
8dc66d0 Update to Go 1.15, latest , fix n_san_iana_pub_suffix_empty. (#508)
da00f3f CI: Switch from Travis to Github Actions. (#505)
7f7ef1f lints: split Apple cert lifetime lint per-result. (#506)
c42a358 lint: rename Source AppleCTPolicy -> AppleRootProgramPolicy (#501)
71e2966 gTLD autopull: 2020-11-21T16:05:09Z (#498)
29b3fa9 Update Contributing Guidelines (#495)
e2b3658 make two lints notice instead of warn, (#493)
7b54a38 Improve readability of "EKU" abbreviation (#489)
f46d09c tests: include error/warning/info overview for integration test failures (#488)
cca4a6b gTLD autopull: 2020-10-19T15:48:38Z (#487)
v3.0.0-rc1
ZLint v3.0.0-rc1
The ZMap team is happy to share ZLint v3.0.0-rc1. Above bugfixes and new lints this major release candidate also has a few breaking changes from v2.x.x that we want to draw to your attention.
Breaking Changes:
w_dnsname_wildcard_left_of_public_suffix
andw_san_iana_pub_suffix_empty
have been demoted from warnings to notices and renamed accordingly (n_dnsname_wildcard_left_of_public_suffix
andn_san_iana_pub_suffix_empty
).- The
e_tls_server_cert_valid_time_longer_than_398_days
lint now only returns an error finding for certs exceeeding the 398 lifetime. The warning result previously returned for exceeding the 397 day lifetime suggestion is now a separatew_tls_server_cert_valid_time_longer_than_397_days
lint. - The
lint.AppleCTPolicy
lint source was renamed tolint.AppleRootStorePolicy
. - The
lint.AWSLabs
andlint.ZLint
lint sources were combined into one new lint sourcelint.Community
.
New Lints:
w_tls_server_cert_valid_time_longer_than_397_days
- see breaking change notes above.
Bug Fixes:
- Previously
n_san_iana_pub_suffix_empty
could only flag one DNS name in a certificate and would potentially return NA for certificates with one or more names that fail to be parsed by publicsuffix-go. It now handles both cases correctly. - Removed
testdata/QcStmtEtsiQcComplWithNonEmptyStmtInfoCert19.pem
and test case. Updated Go 1.15/ZCrypto throw a parse error for this test case now that they are QcStatement aware.
Misc:
- Project and releases now built with Go 1.15.x
- Updated TLD data (Current to 2020-11-21).
- Integration test failures now include error/warning/info overviews.
- ZCrypto dependency bumped to latest commit.
- Project CI converted from Travis CI to Github Actions.
Full Changelog
fe65bae project: bump major version to 3.0.0 (#510)
0d48ea1 lint: combine ZLint and AWSLabs Sources into Community. (#509)
8dc66d0 Update to Go 1.15, latest , fix n_san_iana_pub_suffix_empty. (#508)
da00f3f CI: Switch from Travis to Github Actions. (#505)
7f7ef1f lints: split Apple cert lifetime lint per-result. (#506)
c42a358 lint: rename Source AppleCTPolicy -> AppleRootProgramPolicy (#501)
71e2966 gTLD autopull: 2020-11-21T16:05:09Z (#498)
29b3fa9 Update Contributing Guidelines (#495)
e2b3658 make two lints notice instead of warn, (#493)
7b54a38 Improve readability of "EKU" abbreviation (#489)
f46d09c tests: include error/warning/info overview for integration test failures (#488)
cca4a6b gTLD autopull: 2020-10-19T15:48:38Z (#487)