ZLint v3.3.0
The ZMap team is happy to share ZLint v3.3.0.
Thank you to everyone who contributes to ZLint!
Breaking Changes:
No breaking changes were made in this release.
New Lints:
- e_sub_ca_aia_missing was split into two lints: e_sub_ca_aia_missing and w_sub_ca_aia_missing. The error variant becomes ineffective for certificates issued after August 20th, 2020. Conversely, the warning variant becomes effective for certificates issued after August 20th, 2020.
- e_subject_common_name_not_exactly_from_san. The common name field in subscriber certificates must include only names from the SAN extension.
- e_rfc_dnsname_empty_label. DNSNames should not have an empty label.
- e_rfc_dnsname_hyphen_in_sld. DNSName should not have a hyphen beginning or ending the SLD.
- e_rfc_dnsname_label_too_long. DNSName labels MUST be less than or equal to 63 characters.
- e_rfc_dnsname_underscore_in_sld. DNSName MUST NOT contain underscore characters.
- w_rfc_dnsname_underscore_in_trd. DNSName MUST NOT contain underscore characters.
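
The DNSName rules listed above can be sketched as a single check over one DNS SAN entry. This is an added example, not ZLint's own code: the function name CheckDNSName is hypothetical, and it assumes the last label is the TLD and the label before it is the SLD instead of consulting the public suffix list.

```go
package main

import (
	"fmt"
	"strings"
)

// CheckDNSName returns the names of the lints from the list above that a DNS
// SAN entry would trip. Assumption: the final label is the TLD, the label
// before it is the SLD, and everything further left is the TRD. A production
// linter would use the public suffix list to make that split.
func CheckDNSName(name string) []string {
	var hits []string
	labels := strings.Split(name, ".")
	// An empty label comes from a leading, trailing or doubled dot.
	for _, l := range labels {
		if l == "" {
			hits = append(hits, "e_rfc_dnsname_empty_label")
			break
		}
	}
	// Each label is limited to 63 characters (DNS SAN entries are ASCII).
	for _, l := range labels {
		if len(l) > 63 {
			hits = append(hits, "e_rfc_dnsname_label_too_long")
			break
		}
	}
	if len(labels) < 2 {
		return hits // single label: no SLD or TRD to inspect
	}
	sld := labels[len(labels)-2]
	trd := strings.Join(labels[:len(labels)-2], ".")
	if strings.HasPrefix(sld, "-") || strings.HasSuffix(sld, "-") {
		hits = append(hits, "e_rfc_dnsname_hyphen_in_sld")
	}
	if strings.Contains(sld, "_") {
		hits = append(hits, "e_rfc_dnsname_underscore_in_sld")
	}
	if strings.Contains(trd, "_") {
		hits = append(hits, "w_rfc_dnsname_underscore_in_trd")
	}
	return hits
}

func main() {
	// Constructed sample SAN entries, not taken from real certificates.
	for _, n := range []string{"www.example.com", "_dmarc.example.com", "a..example.com", "www.-bad_.com"} {
		fmt.Printf("%-20s %v\n", n, CheckDNSName(n))
	}
}
```

An underscore left of the SLD only produces the warning-level lint, while the same character inside the SLD produces an error-level one, which is why the two positions are checked separately.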
Bug Fixes:
- The ZCrypto dependency was upgraded to v0.0.0-20210811211718-6f9bc4aff20f in order to fix issue #626, which was causing a compilation error when attempting to consume ZLint as a library rather than a binary application.
- A bug was fixed in the project's test certificate generation script wherein generated sample certificates did not properly cryptographically chain.
Misc:
- All lints had their initialize methods migrated to proper Go-style constructors. This reduces the reliance upon singletons in the code base and improves multi-threaded test stability.
- The ZLint test integration framework now rejects config.json files that have duplicate entries. This makes test results easier to reason about, as duplicate definitions elsewhere in the file could unknowingly override test expectations.
- Updated ZCrypto to allow for more permissive ASN.1 parsing.
- e_subject_common_name_not_from_san was configured to no longer be effective as of CABF 1.8.0.
Changelog
1b89405 bump zcrypto to v0.0.0-20210811211718-6f9bc4aff20f (#629)
9da3c9f disallow duplicate entries in config.json (#616)
4940d55 Test certificate generator doesn't create a certificate chain (#622)
e274215 split lint_sub_ca_aia_missing lint into an error lint for before CABF_BR 1.7.1 and a warning for after. Add test data (#613)
7bba362 Code clarification to match BRs wording. (#621)
48b300e Update README.md (#614)
8e8930e substitute the initialize method for a constructor in the Lint struct (#607)
dbd9bfd dep: upgrade to latest ZCrypto with permissive asn1 parsing (#611)
b4060ec Correct lint attribution for dnsname_etc lints and limit scope to just DNS SAN entries (#609)
74dfff2 Update README.md (#631)
0944e91 e_subject_common_name_not_from_san is no longer sufficient for enforcing CABF BRs (#627)