v3.2.0-rc1 (commit 7e75dc35)
The ZMap team is happy to share ZLint v3.2.0. Thank you to everyone who contributes to ZLint! No breaking changes were made in this release.
* `w_subject_given_name_recommended_max_length`, RFC 5280: X.411 (1988) describes ub-common-name-length to be 64 bytes long. As systems may have targeted this length, for compatibility purposes it may be prudent to limit given names to this length.
* `e_prohibit_dsa_usage`, Mozilla Root Store Policy §5.1: The usage of DSA as the public key algorithm is no longer allowed. Effective March 31st, 2017.
* `e_br_prohibit_dsa_usage`, CABF Baseline Requirements v1.7.1: DSA was removed from the Baseline Requirements as a valid signature algorithm in 1.7.1. Effective August 20th, 2020.
* `e_serial_number_not_positive` no longer considers zero to be valid.
* `e_subject_given_name_max_length` now checks whether given names are under 32769 characters long (was 17).
* `e_subject_surname_max_length` now checks whether surnames are under 32769 characters long (was 17).
* `e_dsa_params_missing` is now ineffective as of August 20th, 2020.
* Updated TLD data (current to 2021-04-22).
* ZCrypto dependency bumped to ea3fdbd5ea2.
* Switched ZLint to Go 1.16.
* Added the `-version` flag to `zlint`/`zlint-gtld-update`.
* Support for `IneffectiveDate`, which complements `EffectiveDate` and marks when a lint is no longer enforced.
* A certificate generating playground tool was added under `v3/cmd/genTestCerts/`. This script should hopefully accelerate the process of generating test certificates for most edge cases.
* Added static analysis to the repository which enforces function ordering in lints in CI/CD.
v3.0.0 (commit fe65bae2)
ZLint v3.0.0
The ZMap team is happy to share ZLint v3.0.0. Beyond bug fixes and new lints, this major release also has a few breaking changes from v2.x.x that we want to draw to your attention.
Breaking Changes:
* `w_dnsname_wildcard_left_of_public_suffix` and `w_san_iana_pub_suffix_empty` have been demoted from warnings to notices and renamed accordingly (`n_dnsname_wildcard_left_of_public_suffix` and `n_san_iana_pub_suffix_empty`).
* The `e_tls_server_cert_valid_time_longer_than_398_days` lint now only returns an error finding for certs exceeding the 398 day lifetime. The warning result previously returned for exceeding the 397 day lifetime suggestion is now a separate `w_tls_server_cert_valid_time_longer_than_397_days` lint.
* The `lint.AppleCTPolicy` lint source was renamed to `lint.AppleRootStorePolicy`.
* The `lint.AWSLabs` and `lint.ZLint` lint sources were combined into one new lint source, `lint.Community`.
New Lints:
* `w_tls_server_cert_valid_time_longer_than_397_days`: see the breaking change notes above.
Bug Fixes:
* Previously `n_san_iana_pub_suffix_empty` could only flag one DNS name in a certificate and would potentially return NA for certificates with one or more names that fail to be parsed by publicsuffix-go. It now handles both cases correctly.
* Removed `testdata/QcStmtEtsiQcComplWithNonEmptyStmtInfoCert19.pem` and its test case. Updated Go 1.15/ZCrypto now throw a parse error for this test case since they are QcStatement aware.
Misc:
* Project and releases now built with Go 1.15.x.
* Updated TLD data (current to 2020-11-21).
* Integration test failures now include error/warning/info overviews.
* ZCrypto dependency bumped to latest commit.
* Project CI converted from Travis CI to GitHub Actions.
v3.0.0-rc1 (commit fe65bae2)
ZLint v3.0.0-rc1
The ZMap team is happy to share ZLint v3.0.0-rc1. Beyond bug fixes and new lints, this major release candidate also has a few breaking changes from v2.x.x that we want to draw to your attention.
Breaking Changes:
* `w_dnsname_wildcard_left_of_public_suffix` and `w_san_iana_pub_suffix_empty` have been demoted from warnings to notices and renamed accordingly (`n_dnsname_wildcard_left_of_public_suffix` and `n_san_iana_pub_suffix_empty`).
* The `e_tls_server_cert_valid_time_longer_than_398_days` lint now only returns an error finding for certs exceeding the 398 day lifetime. The warning result previously returned for exceeding the 397 day lifetime suggestion is now a separate `w_tls_server_cert_valid_time_longer_than_397_days` lint.
* The `lint.AppleCTPolicy` lint source was renamed to `lint.AppleRootStorePolicy`.
* The `lint.AWSLabs` and `lint.ZLint` lint sources were combined into one new lint source, `lint.Community`.
New Lints:
* `w_tls_server_cert_valid_time_longer_than_397_days`: see the breaking change notes above.
Bug Fixes:
* Previously `n_san_iana_pub_suffix_empty` could only flag one DNS name in a certificate and would potentially return NA for certificates with one or more names that fail to be parsed by publicsuffix-go. It now handles both cases correctly.
* Removed `testdata/QcStmtEtsiQcComplWithNonEmptyStmtInfoCert19.pem` and its test case. Updated Go 1.15/ZCrypto now throw a parse error for this test case since they are QcStatement aware.
Misc:
* Project and releases now built with Go 1.15.x.
* Updated TLD data (current to 2020-11-21).
* Integration test failures now include error/warning/info overviews.
* ZCrypto dependency bumped to latest commit.
* Project CI converted from Travis CI to GitHub Actions.
v2.2.1 (commit def029d0)
ZLint v2.2.1
The ZMap team is happy to share ZLint v2.2.1. This minor release primarily includes a fix for a security vulnerability in a dependency. We encourage anyone using ZLint on untrusted certificate inputs to upgrade.
Bug Fixes:
* `golang.org/x/text` dependency bumped to v0.3.3 to address CVE-2020-14040.
Misc:
* Better error message from `test/helpers.go`'s `ReadTestCert` helper in the case where an input certificate causes a panic during parse.
* Updated TLD data (current to 2020-10-08).
v2.2.1-rc1 (commit 6b732433)
ZLint v2.2.1-rc1
The ZMap team is happy to share a v2.2.1 release candidate. This minor release primarily includes a fix for a security vulnerability in a dependency. We encourage anyone using ZLint on untrusted certificates to upgrade.
Bug Fixes:
* `golang.org/x/text` dependency bumped to v0.3.3 to address CVE-2020-14040.
Misc:
* Better error message from `test/helpers.go`'s `ReadTestCert` helper in the case where an input certificate causes a panic during parse.
v2.2.0 (commit aa4e2619)
v2.2.0
The ZMap team is happy to share ZLint v2.2.0. This minor release primarily includes bug fixes and new lints.
New Lints:
* New RFC 5280 Lints:
  * `e_cert_sig_alg_not_match_tbs_sig_alg` to verify that the `tbsCertificate` algorithm matches the certificate's signature algorithm.
* New CA/Browser Forum Lints:
  * `e_san_dns_name_onion_invalid` to validate that `.onion` certificate subject addresses are well-formed.
Updated Lints:
* `e_ext_tor_service_descriptor_hash_invalid` updated for Ballot SC27 to only require the extension for EV certificates.
Removed Lints:
* `e_sub_ca_aia_does_not_contain_ocsp_url`: as of Ballot SC31 this lint is no longer required.
Command Line Utility Updates:
* `-summary` and `-longSummary` command line flags added to the `zlint` utility for presenting lint results in a human-readable tabular form.
Bug Fixes:
* `lint_ev_valid_time_too_long` maximum validity calculation fixed and source/citation/package corrected to CABF EV Guidelines.
* `e_ev_business_category_missing`, `e_ev_country_name_missing`, `e_ev_organization_name_missing`, and `e_ev_serial_number_missing` source/citation/package corrected to CABF EV Guidelines.
* `e_tls_server_cert_valid_time_longer_than_398_days` fixed to not apply to CA certificates.
* `e_tls_server_cert_valid_time_longer_than_398_days` fixed off-by-one calculation of the validity period.
Misc:
* README updates.
* Updated ZCrypto dependency (added QCStatement support).
* Updated TLD data (current to 2020-09-08).
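The validity-period fixes listed above (leaf certificates only, validity counted inclusively so the off-by-one does not recur), together with the `IneffectiveDate` enforcement window and the zero-serial rule that v3.2.0 introduces higher up this page, as a self-contained Go illustration. This is added code, not ZLint's own: the `Cert`, `Lint` and `Status` types, the `Applies`/`Violated` split and the `Run` method are simplified assumptions, whereas the real lints operate on fully parsed X.509 certificates.

```go
package main

import (
	"math/big"
	"time"
)

// Added illustration, not ZLint's own code: Cert, Lint and Status are simplified assumptions.
type Status string
const NA, Pass, Error Status = "NA", "pass", "error"
// Cert carries only the fields the sample lints below need.
type Cert struct {
	Serial              *big.Int
	NotBefore, NotAfter time.Time
	IsCA                bool
	DSAParamsMissing    bool // DSA key whose parameters are absent
}
// A Lint applies to certificates issued on or after EffectiveDate and before
// IneffectiveDate; a zero IneffectiveDate means the lint is still enforced.
type Lint struct {
	EffectiveDate, IneffectiveDate time.Time
	Applies                        func(c *Cert) bool // nil means every certificate
	Violated                       func(c *Cert) bool
}
func (l Lint) Run(c *Cert) Status {
	if c.NotBefore.Before(l.EffectiveDate) ||
		(!l.IneffectiveDate.IsZero() && !c.NotBefore.Before(l.IneffectiveDate)) ||
		(l.Applies != nil && !l.Applies(c)) {
		return NA
	}
	if l.Violated(c) {
		return Error
	}
	return Pass
}
var Lints = map[string]Lint{
	// Zero is rejected along with negative serials.
	"e_serial_number_not_positive": {Violated: func(c *Cert) bool { return c.Serial.Sign() <= 0 }},
	// Leaf certificates only; validity counts both endpoints (RFC 5280 4.1.2.5), hence +1s.
	"e_tls_server_cert_valid_time_longer_than_398_days": {
		Applies:  func(c *Cert) bool { return !c.IsCA },
		Violated: func(c *Cert) bool { return c.NotAfter.Sub(c.NotBefore)+time.Second > 398*24*time.Hour },
	},
	// No longer enforced for certificates issued on or after 2020-08-20.
	"e_dsa_params_missing": {
		IneffectiveDate: time.Date(2020, time.August, 20, 0, 0, 0, 0, time.UTC),
		Violated:        func(c *Cert) bool { return c.DSAParamsMissing },
	},
}
```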
v2.2.0-rc2 (commit 2b994a74)
ZLint v2.2.0-rc2
The ZMap team is happy to share a second v2.2.0 release candidate. This minor release primarily includes bug fixes and new lints.
New Lints:
* New RFC 5280 Lints:
  * `e_cert_sig_alg_not_match_tbs_sig_alg` to verify that the `tbsCertificate` algorithm matches the certificate's signature algorithm.
* New CA/Browser Forum Lints:
  * `e_san_dns_name_onion_invalid` to validate that `.onion` certificate subject addresses are well-formed.
Updated Lints:
* `e_ext_tor_service_descriptor_hash_invalid` updated for Ballot SC27 to only require the extension for EV certificates.
Removed Lints:
* `e_sub_ca_aia_does_not_contain_ocsp_url`: as of Ballot SC31 this lint is no longer required.
Command Line Utility Updates:
* `-summary` and `-longSummary` command line flags added to the `zlint` utility for presenting lint results in a human-readable tabular form.
Bug Fixes:
* `lint_ev_valid_time_too_long` maximum validity calculation fixed and source/citation/package corrected to CABF EV Guidelines.
* `e_ev_business_category_missing`, `e_ev_country_name_missing`, `e_ev_organization_name_missing`, and `e_ev_serial_number_missing` source/citation/package corrected to CABF EV Guidelines.
* `e_tls_server_cert_valid_time_longer_than_398_days` fixed to not apply to CA certificates.
* `e_tls_server_cert_valid_time_longer_than_398_days` off-by-one-second fix.
Misc:
* README updates.
* Updated ZCrypto dependency (added QCStatement support).
* Updated TLD data (current to 2020-07-29).
v2.2.0-rc1 (commit e1a9412e)
ZLint v2.2.0-rc1
The ZMap team is happy to share a v2.2.0 release candidate. This minor release primarily includes bug fixes and new lints.
New Lints:
* New RFC 5280 Lints:
  * `e_cert_sig_alg_not_match_tbs_sig_alg` to verify that the `tbsCertificate` algorithm matches the certificate's signature algorithm.
* New CA/Browser Forum Lints:
  * `e_san_dns_name_onion_invalid` to validate that `.onion` certificate subject addresses are well-formed.
Updated Lints:
* `e_ext_tor_service_descriptor_hash_invalid` updated for Ballot SC27 to only require the extension for EV certificates.
Removed Lints:
* `e_sub_ca_aia_does_not_contain_ocsp_url`: as of Ballot SC31 this lint is no longer required.
Command Line Utility Updates:
* `-summary` and `-longSummary` command line flags added to the `zlint` utility for presenting lint results in a human-readable tabular form.
Bug Fixes:
* `lint_ev_valid_time_too_long` maximum validity calculation fixed and source/citation/package corrected to CABF EV Guidelines.
* `e_ev_business_category_missing`, `e_ev_country_name_missing`, `e_ev_organization_name_missing`, and `e_ev_serial_number_missing` source/citation/package corrected to CABF EV Guidelines.
* `e_tls_server_cert_valid_time_longer_than_398_days` fixed to not apply to CA certificates.
Misc:
* README updates.
* Updated ZCrypto dependency (added QCStatement support).
* Updated TLD data (current to 2020-07-29).
v2.1.0 (commit 1e160b10)
v2.1.0
The ZMap team is happy to announce the v2.1.0 release. This minor release primarily includes bug fixes and new lints.
New Lints:
* New CABF Baseline Requirements Lint:
  * `e_ext_nc_intersects_reserved_ip`
* New Mozilla PKI Policy Lints:
  * `e_mp_rsassa-pss_in_spki`
  * `e_mp_rsassa-pss_parameters_encoding_in_signature_algorithm_correct`
  * `e_mp_ecdsa_pub_key_encoding_correct`
  * `e_mp_ecdsa_signature_encoding_correct`
* New Apple PKI Policy Lints:
  * `e_tls_server_cert_valid_time_longer_than_398_days`
Bug Fixes:
* The `2001:5::/32` network was removed from the reserved networks list since it is no longer IANA reserved.
Misc:
* Updated TLD data (current to 2020-04-02).
* README updates.
* CI test for ensuring OpenSSL text is prepended to test cert data.
v2.1.0-rc1 (commit 1e160b10)
ZLint v2.1.0 RC-1
The ZMap team is proud to share a v2.1.0 release candidate. This minor release primarily includes bug fixes and new lints.
New Lints:
* New CABF Baseline Requirements Lint:
  * `e_ext_nc_intersects_reserved_ip`
* New Mozilla PKI Policy Lints:
  * `e_mp_rsassa-pss_in_spki`
  * `e_mp_rsassa-pss_parameters_encoding_in_signature_algorithm_correct`
  * `e_mp_ecdsa_pub_key_encoding_correct`
  * `e_mp_ecdsa_signature_encoding_correct`
* New Apple PKI Policy Lints:
  * `e_tls_server_cert_valid_time_longer_than_398_days`
Bug Fixes:
* The `2001:5::/32` network was removed from the reserved networks list since it is no longer IANA reserved.
Misc:
* Updated TLD data (current to 2020-04-02).
* README updates.
* CI test for ensuring OpenSSL text is prepended to test cert data.