v3.1.0

christopher-henderson released this 13 Feb 16:42

ZLint v3.1.0

The ZMap team is happy to share ZLint v3.1.0.

Thank you to everyone who contributes to ZLint. Whether it be code, knowledge, wisdom, or the grace of all three, you are appreciated.

Breaking Changes:

No breaking changes were made in this release.

New Lints:

  • e_ocsp_id_pkix_ocsp_nocheck_ext_not_included_server_auth, CABF Baseline Requirements - §4.9.9

    OCSP signing Certificate MUST contain an extension of type id-pkix-ocsp-nocheck, as defined by RFC6960.

  • e_ev_organization_id_missing, CABF EV Guidelines v1.7.0 - §9.8.2

    Effective January 31, 2020, if the subject:organizationIdentifier field is present, this [cabfOrganizationIdentifier] field MUST be present.

  • e_name_constraint_not_fqdn, RFC 5280 - §4.2.1.10

    For URIs, the constraint MUST be specified as a fully qualified domain name [...] When the constraint begins with a period, it MAY be expanded with one or more labels.

Bug Fixes:

  • e_serial_number_longer_than_20_octets has been corrected to count the number of octets taken to represent a serial number after it has been serialized to ASN.1. Since ASN.1 numbers are signed values, serial numbers that are greater-than-or-equal-to 2^160 will begin to fail this lint as they are prefixed with a 0x00 to maintain their positive sign.
  • Previously, the e_ext_duplicate_extension lint from the lint.RFC5280 source returned a bare lint.Error result as soon as one duplicate extension was found in a certificate. It did not indicate which extension OID was duplicated, or whether more than one extension was duplicated. In this release, the lint does both: the detail string now lists all of the extension OIDs that were present more than once.
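
To illustrate the e_ext_duplicate_extension change described above, the following added example (not ZLint's own code) decodes a DER Extensions SEQUENCE and names every OID that occurs more than once, rather than stopping at the first repeat. The function names, the sample data, and the wording of the detail string are assumptions made for this example.

```go
package main

import (
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"strings"
)

// sampleExtensionsDER returns a constructed DER Extensions SEQUENCE in which
// keyUsage (2.5.29.15) appears three times and subjectKeyIdentifier
// (2.5.29.14) twice. The extnValue bytes are placeholders.
func sampleExtensionsDER() []byte {
	ski := asn1.ObjectIdentifier{2, 5, 29, 14}
	ku := asn1.ObjectIdentifier{2, 5, 29, 15}
	san := asn1.ObjectIdentifier{2, 5, 29, 17}
	v := []byte{0x05, 0x00}
	der, err := asn1.Marshal([]pkix.Extension{
		{Id: ski, Value: v}, {Id: ku, Value: v}, {Id: san, Value: v},
		{Id: ku, Value: v}, {Id: ski, Value: v}, {Id: ku, Value: v},
	})
	if err != nil {
		panic(err)
	}
	return der
}

// duplicateDetail lists each OID present more than once, once each, in the
// order its first repeat is seen. It returns "" when nothing is duplicated.
func duplicateDetail(der []byte) (string, error) {
	var exts []pkix.Extension
	rest, err := asn1.Unmarshal(der, &exts)
	if err != nil {
		return "", err
	}
	if len(rest) != 0 {
		return "", errors.New("trailing data after Extensions")
	}
	seen := map[string]int{}
	var dups []string
	for _, e := range exts {
		id := e.Id.String()
		if seen[id]++; seen[id] == 2 { // record on the second sighting only
			dups = append(dups, id)
		}
	}
	if len(dups) == 0 {
		return "", nil
	}
	return "duplicate extension OIDs: " + strings.Join(dups, ", "), nil
}

func main() { fmt.Println(duplicateDetail(sampleExtensionsDER())) }
```

The example works on the raw extension list because recent versions of Go's own crypto/x509 parser reject certificates with duplicate extensions before any per-extension inspection is possible.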

Misc:

  • Updated TLD data (Current to 2020-12-11).
  • ZCrypto dependency bumped to 9cf5bea.
  • Changed the project style guide to ask that lints declare their init function near the top of the file, as it often contains the most useful information for outside readers.
  • Removed an unused utility function.
  • Copyright updated to 2021.

Full Changelog

848c50b integration: fix resultCount types to not overflow, update expected vals. (#557)
12bb0ed lints: revert e_key_usage_and_extended_key_usage_inconsistent. (#556)
c1c6681 lints: fix description of e_ext_ian_uri_not_ia5 (#554)
2549ed3 lints: return detail for e_ext_duplicate_extension. (#550)
6dde095 deps: update zcrypto to 9cf5bea (#548)
3094399 tests: coverage for e_name_constraint_not_fqdn detail msgs (#547)
ea23311 lints: move init to start of lint_name_constraint_not_fqdn.go (#544)
6d643b9 project: re-order lint init functions (#536)
edd0d0c lints: adds e_name_constraint_not_fqdn lint (RFC5280 4.2.1.10) (#533)
186e2c1 project: update copyright year to 2021 (#543)
5316fa5 lints: adds e_ev_organization_id_missing lint (CABF EVG 1.7.0 Section 9.8.2) (#532)
b0e20c8 docs: CONTRIBUTING.md updates, couple copyright year tweaks. (#535)
747b41f lints: fix boundary condition in e_serial_number_longer_than_20_octets lint (#527)
3042438 KU and EKU Inconsistent lint correction (#528)
4d0ac7a deps: update zmap/zcrypto to 1eef276 (#529)
b691fe9 Added a new lint and tests for correlation between KU&EKU (#497)
a1b837a deps: update zmap/zcrypto to deeac00. (#526)
9e16bfc util: remove unused ICANNPublicSuffixParse helper. (#525)
f47c9d6 CI: Cleanup hacky tld-update workflow env var use. (#524)
d8314a3 CI: Have tld-update workflow build & test pre-PR. (#521)
83f15ca util: gtld_map autopull updates for 2020-12-11T05:27:56 UTC (#520)
b6e5ba7 util: gtld_map autopull updates for 2020-12-08T18:31:14 UTC (#518)
1eb11ce Ocsp eku check for tls certificates (#490)
662504d change tld updator to not be me (#516)
931c5d4 util: gtld_map autopull updates for 2020-11-30T23:23:57 UTC (#514)
12dfc18 CI: Add cron workflow for gTLD update PRs. (#513)