ZLint v3.3.0

@github-actions github-actions released this 10 Oct 19:13
· 168 commits to master since this release
b4060ec

The ZMap team is happy to share ZLint v3.3.0.

Thank you to everyone who contributes to ZLint!

Breaking Changes:

No breaking changes were made in this release.

New Lints:

  • e_sub_ca_aia_missing was split into two lints - e_sub_ca_aia_missing and w_sub_ca_aia_missing. The error variant becomes ineffective for certificates issued after August 20th, 2020. Conversely, the warning variant becomes effective for certificates issued after August 20th, 2020.
  • e_subject_common_name_not_exactly_from_san. The common name field in subscriber certificates must include only names from the SAN extension.
  • e_rfc_dnsname_empty_label. DNSNames should not have an empty label.
  • e_rfc_dnsname_hyphen_in_sld. DNSName should not have a hyphen beginning or ending the SLD.
  • e_rfc_dnsname_label_too_long. DNSName labels MUST be less than or equal to 63 characters.
  • e_rfc_dnsname_underscore_in_sld. DNSName MUST NOT contain underscore characters.
  • w_rfc_dnsname_underscore_in_trd. DNSName MUST NOT contain underscore characters.
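
The DNSName rules listed above, sketched as a stand-alone Go check. This is an added example, not ZLint's own code: the function checkDNSName and its helper are hypothetical, the returned strings are just the lint names from this list, and it assumes the last label is the TLD and the label before it is the SLD, without consulting a public suffix list.

```go
package main

import (
	"fmt"
	"strings"
)

// checkDNSName returns the lint names (as listed in these release notes) whose
// rule a DNS SAN entry violates. Assumption: the last label is the TLD and the
// label before it is the SLD; no public suffix list is consulted.
func checkDNSName(name string) []string {
	var hits []string
	labels := strings.Split(name, ".")
	if anyLabel(labels, func(l string) bool { return l == "" }) {
		hits = append(hits, "e_rfc_dnsname_empty_label")
	}
	if anyLabel(labels, func(l string) bool { return len(l) > 63 }) {
		hits = append(hits, "e_rfc_dnsname_label_too_long")
	}
	if len(labels) < 2 {
		return hits // no SLD to inspect
	}
	sld, trd := labels[len(labels)-2], labels[:len(labels)-2]
	if strings.HasPrefix(sld, "-") || strings.HasSuffix(sld, "-") {
		hits = append(hits, "e_rfc_dnsname_hyphen_in_sld")
	}
	if strings.Contains(sld, "_") {
		hits = append(hits, "e_rfc_dnsname_underscore_in_sld")
	}
	if anyLabel(trd, func(l string) bool { return strings.Contains(l, "_") }) {
		hits = append(hits, "w_rfc_dnsname_underscore_in_trd")
	}
	return hits
}

// anyLabel reports whether pred holds for at least one label.
func anyLabel(labels []string, pred func(string) bool) bool {
	for _, l := range labels {
		if pred(l) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample names, not taken from real certificates.
	for _, n := range []string{"www.example.com", "a..example.com", "www.-example.com", "my_host.ex_ample.com"} {
		fmt.Printf("%-22s %v\n", n, checkDNSName(n))
	}
}
```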

Bug Fixes:

  • The ZCrypto dependency was upgraded to v0.0.0-20210811211718-6f9bc4aff20f in order to fix issue #626, which was causing a compilation error when attempting to consume ZLint as a library rather than a binary application.
  • A bug was fixed in the project's test certificate generation script wherein generated sample certificates did not properly cryptographically chain.

Misc:

  • All lints had their initialize methods migrated to proper Go style constructors. This reduces the reliance upon singletons in the code base and improves multi-threaded test stability.
  • The ZLint test integration framework now rejects config.json files that have duplicate entries. This makes test results easier to reason about, as duplicate definitions elsewhere in the file could unknowingly override test expectations.
  • Updated ZCrypto to allow for more permissive ASN.1 parsing.
  • e_subject_common_name_not_from_san was configured to no longer be effective as of CABF 1.8.0.

Changelog

1b89405 bump zcrypto to v0.0.0-20210811211718-6f9bc4aff20f (#629)
9da3c9f disallow duplicate entries in config.json (#616)
4940d55 Test certificate generator doesn't create a certificate chain (#622)
e274215 split lint_sub_ca_aia_missing lint into an error lint for before CABF_BR 1.7.1 and a warning for after. Add test data (#613)
7bba362 Code clarification to match BRs wording. (#621)
48b300e Update README.md (#614)
8e8930e substitute the initialize method for a constructor in the Lint struct (#607)
dbd9bfd dep: upgrade to latest ZCrypto with permissive asn1 parsing (#611)
b4060ec Correct lint attribution for dnsname_etc lints and limit scope to just DNS SAN entries (#609)
74dfff2 Update README.md (#631)
0944e91 e_subject_common_name_not_from_san is no longer sufficient for enforcing CABF BRs (#627)