Releases: zmap/zlint

v2.2.0-rc1

02 Sep 00:01
v2.2.0-rc1
e1a9412
Pre-release

ZLint v2.2.0-rc1

The ZMap team is happy to share a v2.2.0 release candidate. This minor release primarily includes bug fixes and new lints.

New Lints:

  • New RFC 5280 Lints

    • e_cert_sig_alg_not_match_tbs_sig_alg to verify that the tbsCertificate signature algorithm matches the certificate's signature algorithm.
  • New CA/Browser Forum Lints:

    • e_san_dns_name_onion_invalid to validate .onion certificate subject addresses are well-formed.
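
The condition behind e_cert_sig_alg_not_match_tbs_sig_alg, shown as an added example (not ZLint's own code): RFC 5280 section 4.1.1.2 requires Certificate.signatureAlgorithm to carry the same algorithm identifier as tbsCertificate.signature. The sketch uses only the Go standard library and compares the two DER encodings byte for byte; the type and function names and the sample certificates are constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

type outerCert struct {
	TBS, SigAlg asn1.RawValue // raw DER; SigAlg is Certificate.signatureAlgorithm
	Sig         asn1.BitString
}

// tbsHead reads only the leading tbsCertificate fields; encoding/asn1 skips the rest.
type tbsHead struct {
	Version int `asn1:"optional,explicit,default:0,tag:0"`
	Serial  *big.Int
	SigAlg  asn1.RawValue // tbsCertificate.signature
}

// sigAlgsMatch reports whether both AlgorithmIdentifiers are byte-identical DER.
func sigAlgsMatch(der []byte) (bool, error) {
	o, t := new(outerCert), new(tbsHead)
	_, err := asn1.Unmarshal(der, o)
	if err == nil {
		_, err = asn1.Unmarshal(o.TBS.FullBytes, t)
	}
	return err == nil && bytes.Equal(o.SigAlg.FullBytes, t.SigAlg.FullBytes), err
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// samplePair builds a constructed self-signed cert and a copy with the outer OID swapped.
func samplePair() (good, bad []byte) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example.test"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), SignatureAlgorithm: x509.ECDSAWithSHA256}
	good = must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	var o outerCert
	must(asn1.Unmarshal(good, &o))
	o.SigAlg.FullBytes = must(asn1.Marshal(pkix.AlgorithmIdentifier{Algorithm: asn1.ObjectIdentifier{1, 2, 840, 10045, 4, 3, 3}}))
	return good, must(asn1.Marshal(o)) // outer now says ecdsa-with-SHA384, tbs still SHA256
}

func main() {
	good, bad := samplePair()
	fmt.Println(must(sigAlgsMatch(good)), must(sigAlgsMatch(bad)))
}
```

A byte-for-byte comparison is the strictest reading of the requirement: it also flags identifiers that name the same OID but encode their parameters differently.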

Updated Lints:

  • e_ext_tor_service_descriptor_hash_invalid updated for Ballot SC27 to only require the extension for EV certificates.

Removed Lints:

  • e_sub_ca_aia_does_not_contain_ocsp_url, as of Ballot SC31 this lint is no longer required.

Command Line Utility Updates:

  • -summary and -longSummary command line flags added to zlint utility for presenting lint results in a human-readable tabular form.

Bug Fixes:

  • lint_ev_valid_time_too_long maximum validity calculation fixed and source/citation/package corrected to CABF EV Guidelines.
  • e_ev_business_category_missing, e_ev_country_name_missing, e_ev_organization_name_missing, and e_ev_serial_number_missing source/citation/package corrected to CABF EV Guidelines.
  • e_tls_server_cert_valid_time_longer_than_398_days fixed to not apply to CA certificates.

Misc:

  • README updates.
  • Updated ZCrypto dependency (Added QCStatement support).
  • Updated TLD data (Current to 2020-07-29).

Full Changelog

e1a9412 Add citation for sub-CAs to ca_digital_signature_not_set (#464)
9ab0643 Ballot SC31 makes OCSP optional for intermediate certificates. (#463)
3f689d2 README to suggest checking x509.ParseCertificate error (#460)
ada0991 autopull: 2020-07-29T15:10:15Z (#459)
6d02ef7 tests: add NA test case for e_tls_server_cert_valid_time_longer_than_398_days (#457)
34310bd this lint shouldn't apply to CA certs (#456)
ca9532d Create options for human-readable output formats (#437)
5f05d1d gTLD autopull: 2020-07-18T15:05:07Z (#455)
a9b0032 gTLD autopull: 2020-06-27T14:52:30Z (#452)
f530e42 docs: add Entrust Datacard to README ZLInt users. (#451)
d4acbba lints: cabf_br lint to verify .onion addresses are well-formed (#450)
84a8a20 Fix .onion tests to only apply to EV certificates (#449)
ecf8678 Move EV-specific tests to cabf_ev (#445)
c820d95 Fix the EV validity check (#447)
37a03da docs: correct link to integration test documentation (#446)
ce1631b autopull: 2020-06-03T14:39:17Z (#444)
de9eafb Check tbsCertificate signature algorithm matches certificate (#436)
82e1f43 gTLD autopull: 2020-05-28T14:35:00Z (#442)
da06a3a autopull: 2020-05-27T14:34:02Z (#441)
9957909 Deps: Update ZCrypto, fix assoc. test breakage. (#435)
a42b778 ci: remove vendor dir, Go 1.13.x -> 1.14.x, fix integration test data (#432)
bb6c7a7 docs: add ZLint announcements mailing list to README (#431)
ee0c915 Adding mailing list link to README.

v2.1.0

22 May 22:37
v2.1.0
1e160b1

ZLint v2.1.0

The ZMap team is happy to announce the v2.1.0 release. This minor release primarily includes bug fixes and new lints.

New Lints

  • New CABF Baseline Requirements Lint
    • e_ext_nc_intersects_reserved_ip
  • New Mozilla PKI Policy Lints
    • e_mp_rsassa-pss_in_spki
    • e_mp_rsassa-pss_parameters_encoding_in_signature_algorithm_correct
    • e_mp_ecdsa_pub_key_encoding_correct
    • e_mp_ecdsa_signature_encoding_correct
  • New Apple PKI Policy Lints
    • e_tls_server_cert_valid_time_longer_than_398_days

Bug Fixes

  • The 2001:5::/32 network was removed from reserved networks list since it is no longer IANA reserved.

Misc

  • Updated TLD data (Current to 2020-04-02).
  • README updates.
  • CI test for ensuring OpenSSL text prepend of test cert data.

Full Changelog

1e160b1 ci: update goreleaser install URL. (#429)
3bf4bbf lints: enforce Mozilla PKI policy for ECDSA pubkey/sig alg curves/encoding. (#378)
206df7d gTLD autopull: 2020-04-02T17:35:25Z (#425)
d933f03 autopull: 2020-03-28T17:34:11Z (#423)
4ca0695 Fix spelling of 'distinguished' in lint descriptions (#422)
94d7dde util: rewrite test/prepend_testcerts_openssl.sh, update testdata (#421)
83d24bd lints: lint for upcoming Apple max cert lifetime policy. (#417)
cfbfdec gTLD autopull: 2020-03-14T17:26:52Z (#420)
c7c6a31 lints: enforce Mozilla PKI policy RSASSA-PSS encoding requirements (#377)
b28794b docs: fix template to use v2 package import. (#416)
1968515 lints: disallow reserved iPAddresses in NCs (#414)
48bf6ee remove lisp reserved range since no longer IANA reserved (#415)
3329bb6 README: fix a typo and fix the example for LintCertificateEx (#409)
5b2df5c lints: enforce Mozilla PKI policy omission of id-RSASSA-PSS oid (#376)

v2.1.0-rc1

12 May 14:55
v2.1.0-rc1
1e160b1
Pre-release

ZLint v2.1.0

The ZMap team is proud to share a v2.1.0 release candidate. This minor release primarily includes bug fixes and new lints.

New Lints

  • New CABF Baseline Requirements Lint
    • e_ext_nc_intersects_reserved_ip
  • New Mozilla PKI Policy Lints
    • e_mp_rsassa-pss_in_spki
    • e_mp_rsassa-pss_parameters_encoding_in_signature_algorithm_correct
    • e_mp_ecdsa_pub_key_encoding_correct
    • e_mp_ecdsa_signature_encoding_correct
  • New Apple PKI Policy Lints
    • e_tls_server_cert_valid_time_longer_than_398_days

Bug Fixes

  • The 2001:5::/32 network was removed from reserved networks list since it is no longer IANA reserved.

Misc

  • Updated TLD data (Current to 2020-04-02).
  • README updates.
  • CI test for ensuring OpenSSL text prepend of test cert data.

Full Changelog

1e160b1 ci: update goreleaser install URL. (#429)
3bf4bbf lints: enforce Mozilla PKI policy for ECDSA pubkey/sig alg curves/encoding. (#378)
206df7d gTLD autopull: 2020-04-02T17:35:25Z (#425)
d933f03 autopull: 2020-03-28T17:34:11Z (#423)
4ca0695 Fix spelling of 'distinguished' in lint descriptions (#422)
94d7dde util: rewrite test/prepend_testcerts_openssl.sh, update testdata (#421)
83d24bd lints: lint for upcoming Apple max cert lifetime policy. (#417)
cfbfdec gTLD autopull: 2020-03-14T17:26:52Z (#420)
c7c6a31 lints: enforce Mozilla PKI policy RSASSA-PSS encoding requirements (#377)
b28794b docs: fix template to use v2 package import. (#416)
1968515 lints: disallow reserved iPAddresses in NCs (#414)
48bf6ee remove lisp reserved range since no longer IANA reserved (#415)
3329bb6 README: fix a typo and fix the example for LintCertificateEx (#409)
5b2df5c lints: enforce Mozilla PKI policy omission of id-RSASSA-PSS oid (#376)

v2.0.0

19 Feb 18:02
36d042e

ZLint v2.0.0

The ZMap team is proud to share a finalized v2.0.0 release. This release contains fairly significant refactoring and testing/feedback would be most appreciated.

Breaking Changes

  • The exported types from lints have been moved to lint (e.g. lints.LintInterface, lints.LintSource, lints.LintStatus, lints.LintResult are now lint.LintInterface, lint.LintSource, lint.LintStatus, lint.LintResult)
  • Lints are now separated in the source code tree under lints/ by source.
  • The lint.LintMap exported map of registered lints was removed. Users should rely on the exported functions of the Registry returned by lint.GlobalRegistry() instead.
  • The zlint.LintCertificateFiltered function was removed. The same behaviour can be achieved using zlint.LintCertificateEx (see below).
  • The zlint.EncodeLintDescriptionsToJSON function was removed. The same behaviour can be achieved by calling WriteJSON on a Registry.
  • The lint.Source type was changed from an int enum to a string enum.

ZLint CMD Updates

The zlint command (cmd/zlint/main.go) was updated to add four new command line flags:

  • -list-lints-sources - Prints a list of lint sources, one per line.
  • -excludeSources - Comma-separated list of lint sources to exclude.
  • -includeSources - Comma-separated list of lint sources to include.
  • -nameFilter - Regex used to match lint names to include (cannot be used at the same time as -excludeSources or -includeSources)

Two existing flags were renamed:

  • -include is now -includeNames
  • -exclude is now -excludeNames.

One flag was removed:

  • -list-lints-schema was removed. ZSchema is deprecated for ZLint.

Library Updates

  • A new zlint.LintCertificateEx function was introduced allowing customizing which lints are applied by providing an explicit Registry of lints. Lints can be excluded/included by source and name by filtering the lint.GlobalRegistry() with lint.FilterOptions.

New Lints

  • New Mozilla PKI Policy Lints
    • n_mp_allowed_eku
    • e_mp_authority_key_identifier_correct
    • e_mp_exponent_cannot_be_one
    • e_mp_modulus_must_be_2048_bits_or_more
    • e_mp_modulus_must_be_divisible_by_8

Bug Fixes

  • The golang.org/crypto dependency was updated to 8b5121be2f68 to address CVE-2020-7919.
  • The e_signature_algorithm_not_supported lint was updated to return lint.Warn for RSA-PSS with SHA256, SHA384 or SHA512.
  • The w_subject_contains_malformed_arpa_ip lint was updated to clarify its citation/description.

Misc

  • Updated TLD data (Current to 2020-01-30).
  • README updates.

Full Changelog

36d042e ci: try and fix goreleaser for v2 structure (round 2) (#406)
a03f722 ci: try and fix goreleaser for v2 structure (#405)
fd40f57 Fix v2 with go.mod (#398)
53441bd misc: update newLint.sh script and contributing guide. (#397)
24e7a0d README: Update, split out a CONTRIBUTING.md (#386)
79424f2 cmd/zlint: fix panic w/ deref of nil registry. (#385)
7741587 zlint: refactor lint reg., allow filtering lints used. (#372)
72fb7ad project: add goreleaser configuration. (#374)
8a37cc7 gTLD autopull: 2020-01-30T17:10:08Z (#375)
1107123 deps: update golang.org/crypto/cryptobyte to 8b5121be2f68. (#373)
77026f6 Add reference to RFC 6818 to clarify explicitText (#370)
c0407b6 lints: improve template_test.go (#367)
dbb54ce lints/mozilla: fix moz lint packages (#365)
cc90ed6 test: more comments in helpers.go (#366)
2cce203 lints: better test utils, avoid accessing lint.Lints directly (#364)
566701e Lints: add new lints for Mozilla Root Store Policy (adopted) (#353)
ea19827 README: fix crt.sh link target. (#349)
4a01d2e README: Link to company sites, not bugzilla bugs. (#348)
2c5688e README: Add Google Trust Services to list of users/integrations (#347)
b7425cb lints: add more context to w_subject_contains_malformed_arpa_ip. (#345)
9bba7b7 lints: warn for RSA-PSS sigalg in cabf lint, not err. (#342)
359be75 gTLD autopull: 2020-01-06T16:47:48Z (#341)
86bcc67 Misc. cleanups, unit test for finding leftover template bits. (#340)
e3ad0f9 Split of lints into directories by source (#337)
0ab41f2 README: add note about small PRs (#339)
257d49d gTLD autopull: 2019-12-25T16:40:11Z (#338)
c74b45b CI: Add golangci-lint, enforce Go best practices (#335)
872e431 gTLD autopull: 2019-12-06T16:32:55Z (#334)

v2.0.0-rc4

14 Feb 19:52
36d042e
Pre-release

ZLint v2.0.0 RC-4

The ZMap team is proud to share a v2.0.0 release candidate. This release contains fairly significant refactoring and testing/feedback would be most appreciated.

Compared to RC-1 this release candidate meets Go modules semantic versioning requirements. See PR #398 for more information.

Breaking Changes

  • The exported types from lints have been moved to lint (e.g. lints.LintInterface, lints.LintSource, lints.LintStatus, lints.LintResult are now lint.LintInterface, lint.LintSource, lint.LintStatus, lint.LintResult)
  • Lints are now separated in the source code tree under lints/ by source.
  • The lint.LintMap exported map of registered lints was removed. Users should rely on the exported functions of the Registry returned by lint.GlobalRegistry() instead.
  • The zlint.LintCertificateFiltered function was removed. The same behaviour can be achieved using zlint.LintCertificateEx (see below).
  • The zlint.EncodeLintDescriptionsToJSON function was removed. The same behaviour can be achieved by calling WriteJSON on a Registry.
  • The lint.Source type was changed from an int enum to a string enum.

ZLint CMD Updates

The zlint command (cmd/zlint/main.go) was updated to add four new command line flags:

  • -list-lints-sources - Prints a list of lint sources, one per line.
  • -excludeSources - Comma-separated list of lint sources to exclude.
  • -includeSources - Comma-separated list of lint sources to include.
  • -nameFilter - Regex used to match lint names to include (cannot be used at the same time as -excludeSources or -includeSources)

Two existing flags were renamed:

  • -include is now -includeNames
  • -exclude is now -excludeNames.

One flag was removed:

  • -list-lints-schema was removed. ZSchema is deprecated for ZLint.

Library Updates

  • A new zlint.LintCertificateEx function was introduced allowing customizing which lints are applied by providing an explicit Registry of lints. Lints can be excluded/included by source and name by filtering the lint.GlobalRegistry() with lint.FilterOptions.

New Lints

  • New Mozilla PKI Policy Lints
    • n_mp_allowed_eku
    • e_mp_authority_key_identifier_correct
    • e_mp_exponent_cannot_be_one
    • e_mp_modulus_must_be_2048_bits_or_more
    • e_mp_modulus_must_be_divisible_by_8

Bug Fixes

  • The golang.org/crypto dependency was updated to 8b5121be2f68 to address CVE-2020-7919.
  • The e_signature_algorithm_not_supported lint was updated to return lint.Warn for RSA-PSS with SHA256, SHA384 or SHA512.
  • The w_subject_contains_malformed_arpa_ip lint was updated to clarify its citation/description.

Misc

  • Updated TLD data (Current to 2020-01-30).
  • README updates.

Full Changelog

36d042e ci: try and fix goreleaser for v2 structure (round 2) (#406)
a03f722 ci: try and fix goreleaser for v2 structure (#405)
fd40f57 Fix v2 with go.mod (#398)
53441bd misc: update newLint.sh script and contributing guide. (#397)
24e7a0d README: Update, split out a CONTRIBUTING.md (#386)
79424f2 cmd/zlint: fix panic w/ deref of nil registry. (#385)
7741587 zlint: refactor lint reg., allow filtering lints used. (#372)
72fb7ad project: add goreleaser configuration. (#374)
8a37cc7 gTLD autopull: 2020-01-30T17:10:08Z (#375)
1107123 deps: update golang.org/crypto/cryptobyte to 8b5121be2f68. (#373)
77026f6 Add reference to RFC 6818 to clarify explicitText (#370)
c0407b6 lints: improve template_test.go (#367)
dbb54ce lints/mozilla: fix moz lint packages (#365)
cc90ed6 test: more comments in helpers.go (#366)
2cce203 lints: better test utils, avoid accessing lint.Lints directly (#364)
566701e Lints: add new lints for Mozilla Root Store Policy (adopted) (#353)
ea19827 README: fix crt.sh link target. (#349)
4a01d2e README: Link to company sites, not bugzilla bugs. (#348)
2c5688e README: Add Google Trust Services to list of users/integrations (#347)
b7425cb lints: add more context to w_subject_contains_malformed_arpa_ip. (#345)
9bba7b7 lints: warn for RSA-PSS sigalg in cabf lint, not err. (#342)
359be75 gTLD autopull: 2020-01-06T16:47:48Z (#341)
86bcc67 Misc. cleanups, unit test for finding leftover template bits. (#340)
e3ad0f9 Split of lints into directories by source (#337)
0ab41f2 README: add note about small PRs (#339)
257d49d gTLD autopull: 2019-12-25T16:40:11Z (#338)
c74b45b CI: Add golangci-lint, enforce Go best practices (#335)
872e431 gTLD autopull: 2019-12-06T16:32:55Z (#334)

v2.0.0-rc1

11 Feb 21:55
24e7a0d
Pre-release

ZLint v2.0.0 RC-1

The ZMap team is proud to share the first v2.0.0 release candidate. This release contains fairly significant refactoring and testing/feedback would be most appreciated.

Breaking Changes

  • The exported types from lints have been moved to lint (e.g. lints.LintInterface, lints.LintSource, lints.LintStatus, lints.LintResult are now lint.LintInterface, lint.LintSource, lint.LintStatus, lint.LintResult)
  • Lints are now separated in the source code tree under lints/ by source.
  • The lint.LintMap exported map of registered lints was removed. Users should rely on the exported functions of the Registry returned by lint.GlobalRegistry() instead.
  • The zlint.LintCertificateFiltered function was removed. The same behaviour can be achieved using zlint.LintCertificateEx (see below).
  • The zlint.EncodeLintDescriptionsToJSON function was removed. The same behaviour can be achieved by calling WriteJSON on a Registry.
  • The lint.Source type was changed from an int enum to a string enum.

ZLint CMD Updates

The zlint command (cmd/zlint/main.go) was updated to add four new command line flags:

  • -list-lints-sources - Prints a list of lint sources, one per line.
  • -excludeSources - Comma-separated list of lint sources to exclude.
  • -includeSources - Comma-separated list of lint sources to include.
  • -nameFilter - Regex used to match lint names to include (cannot be used at the same time as -excludeSources or -includeSources)

Two existing flags were renamed:

  • -include is now -includeNames
  • -exclude is now -excludeNames.

One flag was removed:

  • -list-lints-schema was removed. ZSchema is deprecated for ZLint.

Library Updates

  • A new zlint.LintCertificateEx function was introduced allowing customizing which lints are applied by providing an explicit Registry of lints. Lints can be excluded/included by source and name by filtering the lint.GlobalRegistry() with lint.FilterOptions.

New Lints

  • New Mozilla PKI Policy Lints
    • n_mp_allowed_eku
    • e_mp_authority_key_identifier_correct
    • e_mp_exponent_cannot_be_one
    • e_mp_modulus_must_be_2048_bits_or_more
    • e_mp_modulus_must_be_divisible_by_8

Bug Fixes

  • The golang.org/crypto dependency was updated to 8b5121be2f68 to address CVE-2020-7919.
  • The e_signature_algorithm_not_supported lint was updated to return lint.Warn for RSA-PSS with SHA256, SHA384 or SHA512.
  • The w_subject_contains_malformed_arpa_ip lint was updated to clarify its citation/description.

Misc

  • Updated TLD data (Current to 2020-01-30).
  • README updates.

Full Changelog

24e7a0d README: Update, split out a CONTRIBUTING.md (#386)
79424f2 cmd/zlint: fix panic w/ deref of nil registry. (#385)
7741587 zlint: refactor lint reg., allow filtering lints used. (#372)
72fb7ad project: add goreleaser configuration. (#374)
8a37cc7 gTLD autopull: 2020-01-30T17:10:08Z (#375)
1107123 deps: update golang.org/crypto/cryptobyte to 8b5121be2f68. (#373)
77026f6 Add reference to RFC 6818 to clarify explicitText (#370)
c0407b6 lints: improve template_test.go (#367)
dbb54ce lints/mozilla: fix moz lint packages (#365)
cc90ed6 test: more comments in helpers.go (#366)
2cce203 lints: better test utils, avoid accessing lint.Lints directly (#364)
566701e Lints: add new lints for Mozilla Root Store Policy (adopted) (#353)
ea19827 README: fix crt.sh link target. (#349)
4a01d2e README: Link to company sites, not bugzilla bugs. (#348)
2c5688e README: Add Google Trust Services to list of users/integrations (#347)
b7425cb lints: add more context to w_subject_contains_malformed_arpa_ip. (#345)
9bba7b7 lints: warn for RSA-PSS sigalg in cabf lint, not err. (#342)
359be75 gTLD autopull: 2020-01-06T16:47:48Z (#341)
86bcc67 Misc. cleanups, unit test for finding leftover template bits. (#340)
e3ad0f9 Split of lints into directories by source (#337)
0ab41f2 README: add note about small PRs (#339)
257d49d gTLD autopull: 2019-12-25T16:40:11Z (#338)
c74b45b CI: Add golangci-lint, enforce Go best practices (#335)
872e431 gTLD autopull: 2019-12-06T16:32:55Z (#334)

ZLint 1.1.0

05 Dec 15:19
@cpu cpu

New lints:

  • w_extra_subject_common_names - emits Warn result for multiple subj. CNs.

Misc:

  • updated gTLD map data (current to 2019-12-02)
  • large cert corpus integration tests

ZLint 1.0.2

26 Sep 18:56

Bugfixes:

  • lints: fixed e_qcstatem_qclimitvalue_valid lint to use correct OID for EtsiQcsQcLimitValue

ZLint 1.0.1

24 Aug 13:34
@cpu cpu

Bugfixes:

  • lints: fixed e_subject_printable_string_badalpha lint to allow for single quotes.

ZLint v1.0.0

19 Aug 19:48
@cpu cpu
dc635f9

Initial semantically versioned release of ZLint.