
Releases: zmap/zlint

v3.7.1

25 May 23:38 (ec384e2)

ZLint v3.7.1

The ZMap team is happy to share ZLint v3.7.1.

Thank you to everyone who contributes to ZLint!

New Lints

  • e_cabf_ecc_allowed_key_usages For certificates with ECC public keys, digitalSignature MUST be present and only digitalSignature and keyAgreement key usages are allowed.
  • e_crl_sigalgo_missing_null_params Checks for mandatory NULL parameters in the SignatureAlgorithm
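
The rule behind e_cabf_ecc_allowed_key_usages is simple to state but easy to get subtly wrong (a keyEncipherment bit on an ECDSA key is a common slip). The following is an added example written for this page, not ZLint's own implementation; it uses only the Go standard library, and the names checkECCKeyUsage and selfSignedECCert are this example's own. It reproduces the check over a parsed x509.Certificate and exercises it on P-256 certificates generated inline (constructed test input).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// allowedECCKeyUsages is the whole set of bits an ECC certificate may carry:
// digitalSignature (mandatory) and keyAgreement (optional). Nothing else.
const allowedECCKeyUsages = x509.KeyUsageDigitalSignature | x509.KeyUsageKeyAgreement

// checkECCKeyUsage returns nil when the certificate satisfies the rule, or an
// error naming the violation. Certificates whose key is not ECDSA are out of
// scope for this rule and pass unchanged.
func checkECCKeyUsage(cert *x509.Certificate) error {
	if cert.PublicKeyAlgorithm != x509.ECDSA {
		return nil // the rule applies only to ECC public keys
	}
	if cert.KeyUsage&x509.KeyUsageDigitalSignature == 0 {
		return errors.New("ECC certificate lacks the mandatory digitalSignature key usage")
	}
	// Any bit outside the allowed set (keyEncipherment, dataEncipherment, ...) is a violation.
	if extra := cert.KeyUsage &^ allowedECCKeyUsages; extra != 0 {
		return fmt.Errorf("ECC certificate carries forbidden key usage bits %#x", int(extra))
	}
	return nil
}

// selfSignedECCert builds a throwaway self-signed P-256 certificate with the
// requested key usage so the check can run offline (constructed test input).
func selfSignedECCert(ku x509.KeyUsage) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example.test"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     ku,
		DNSNames:     []string{"example.test"},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	cases := []struct {
		name string
		ku   x509.KeyUsage
	}{
		{"digitalSignature only", x509.KeyUsageDigitalSignature},
		{"digitalSignature+keyAgreement", x509.KeyUsageDigitalSignature | x509.KeyUsageKeyAgreement},
		{"digitalSignature+keyEncipherment", x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment},
		{"keyAgreement only", x509.KeyUsageKeyAgreement},
	}
	for _, c := range cases {
		cert, err := selfSignedECCert(c.ku)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-34s -> %v\n", c.name, checkECCKeyUsage(cert))
	}
}
```

The first two cases pass; the third fails on the forbidden keyEncipherment bit and the fourth on the missing digitalSignature bit.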

Bug Fixes

  • Migrate from crypto/rsa to zcrypto/rsa to resolve an issue when linting certificates using RSA keys.

Misc

  • ca_is_ca an update to citations

Changelog

  • ec384e2 Adapt to zcrypto RSA library fork (#1045)
  • 77ce217 Add lint to check for NULL parameters in the AlgorithmIdentifier element of CRLs, when mandatory per RFC 4055 (#1040)
  • e9f6f87 Add cabf tls ecc key usage lint (#1041)
  • c32a53a update ca_is_ca citations, language, expand test coverage (#1038)

Full Changelog: v3.7.0...v3.7.1

v3.7.1-rc1 (Pre-release)

17 May 17:30 (ec384e2)

The release notes are identical to those of v3.7.1.

Full Changelog: v3.7.0...v3.7.1-rc1

v3.7.0

10 May 18:30 (e07faf0)

ZLint v3.7.0

The ZMap team is happy to share ZLint v3.7.0.

Thank you to everyone who contributes to ZLint!

New Lints

  • e_arpa_domain_not_allowed CAs SHALL NOT issue Certificates containing Domain Names that end in an IP Reverse Zone Suffix
  • e_basic_constr_invalid_der Checks the correct DER encoding of the cA field in the BasicConstraints ext
  • e_client_auth_not_allowed Checks that Server certs do not contain clientAuth in the EKU extension
  • e_cs_aia_missing_ca_issuers_http_url The authorityInformationAccess extension MUST contain the HTTP URL of the Issuing CA's certificate (id-ad-caIssuers)
  • e_cs_aia_ocsp_not_http If the CA provides OCSP responses, the authorityInformationAccess extension MUST contain the HTTP URL of the Issuing CA's OCSP responder (id-ad-ocsp)
  • e_cs_authority_information_access The authorityInformationAccess extension MUST be present and MUST NOT be marked critical
  • e_cs_ecdsa_prohibited_curve If the Key is ECDSA, then the curve MUST be one of NIST P-256, P-384, or P-521
  • e_cs_max_validity_period_39_months Code Signing certificate validity must not exceed 39 months for certificates issued before March 1st, 2026
  • e_cs_max_validity_period_460_days Code Signing certificate validity must not exceed 460 days for certificates issued on or after March 1st, 2026
  • e_cs_signature_algorithm_not_supported Certificates MUST meet the following requirements for algorithm Source: SHA-1*, SHA-256, SHA-384, SHA-512
  • e_exactly_one_smime_policy The subscriber cert SHALL include exactly one of the reserved policy OIDs in §7.1.6.1
  • e_excessively backdated notBefore [must be] a value within 48 hours of the certificate signing
  • e_ext_cannot_be_empty_sequence Extensions whose value is SEQUENCE SIZE (1..MAX) OF must have at least 1 element
  • e_ocsp_cert_cdp_forbidden In OCSP certificates, the CDP extension MUST NOT appear
  • e_ocsp_cert_cp_forbidden In OCSP certificates, the CP extension MUST NOT appear
  • e_ocsp_cert_invalid_ku For OCSP certificates, only digitalSignature is allowed in the KU ext
  • e_qcstatem_qctype_oneonly Checks that a QC Statement of the type Id-etsi-qcs-QcType features exactly one of the allowed QcType OIDs
  • e_state_or_province_name_must_not_contain_control_characters stateOrProvinceName MUST come from an authoritative data source of plain, human readable, names
  • e_subj_email_not_in_san Certificates with email addresses MUST include them in the SAN extension

Bug Fixes

  • e_cert_policy_iv_requires_country fixed a bug where IV-issuing policy constrained CAs were inadvertently linted
  • e_qcstatem_qctype_web fixed to not return an error for legitimate e-signature and e-seal qualified certificates

Security

  • Patched CVE-2025-58181
  • Bumped golang.org/x/crypto from 0.36.0 to 0.45.0

Misc

  • Added support for Chrome Root Program Policy-based lints as a new lint source
  • e_state_or_province_name_must_not_contain_control_characters extended to also check localityName
  • cab_dv_conflicts_with_locality, cab_dv_conflicts_with_org, cab_dv_conflicts_with_postal, cab_dv_conflicts_with_province, and cab_dv_conflicts_with_street lints marked as superseded
  • e_ca_country_name_invalid CheckApplies logic refactored with additional test coverage
  • e_cert_policy_iv_requires_country citation updated to current location
  • Broad dependency updates
  • Updated gtld_map

Changelog

  • e07faf0 Remove Windows as a release target due to compilation errors in zcrypto (#1043)
  • 1533c39 Remove FreeBSD as a release target due to compilation errors in zcrypto (#1042)
  • e17555a Upgrade zcrypto, golang, and golangci-lint to latest (#1039)
  • 5dc4eaf Cs add ria lints (#1036)
  • 31204be Add lint for checking curve param requirements (#1035)
  • da562d2 Add support for Chrome Root Program Policy-based lints, plus a first such lint addressing clientAuth deprecation (#1031)
  • fe04242 util: gtld_map autopull updates for 2026-04-18T03:19:55 UTC (#1037)
  • 12ccc55 refactor ca country check applies, add tests (#1032)
  • 215f568 Add cs sig alg lint (#1033)
  • 90f1337 Add lint to check for certain extensions to have at least 1 element according to RFC 5280 (#1028)
  • f804eca fix iv countryName lint checkApplies, add personal name lint history (#1027)
  • b536041 Add lint to address Ballot SC-086v3 (Sunset the Inclusion of IP Reverse Address Domain Names) (#1030)
  • 48f6dc7 Add lint to check for email addresses in Subject but not in SAN (prohibited by RFC 5280 section 4.1.2.6) (#1026)
  • 7eb7ba8 Qc sttmnt only one qc type (#1025)
  • 145bd26 mark cab_dv_conflicts_with* lints superseded (#1023)
  • 505d5f4 Add lint to check that the notBefore timestamp is not too early compared to the SCTs (#1022)
  • bc0c81e Added validity period lints for before and after CSC-31, included unit tests with test certificates (#1020)
  • 67d05d8 util: gtld_map autopull updates for 2026-02-14T04:48:16 UTC (#1021)
  • 1bb9b40 go mod tidy (#1017)
  • 234d2d4 Adding locality to e_state_or_province_name_must_not_contain_control_characters (#1015)
  • 570d5a6 Lint to ensure that stateOrProvinceName is in a plain human, readable, format (#1014)
  • 4f6ffa4 Add lint to check for a reserved policy identifier in S/MIME certificates (#1011)
  • 5dfb580 Broad Dependency Updates (#1013)
  • 04b6958 Patch for CVE-2025-58181 (#1009)
  • 46db9bf build(deps): bump golang.org/x/crypto in /v3/cmd/gen_test_crl (#1008)
  • 736cd7c build(deps): bump golang.org/x/crypto from 0.36.0 to 0.45.0 in /v3 (#1007)
  • 8be747f Add lint to check for correct DER encoding of the cA field in BasicConstraints (#1006)
  • d96b640 Lint e_qcstatem_qctype_web throws an error for legitimate e-signature and e-seal qualified certificates (#1004)
  • cfa6a89 Add some lints for OCSP Responder certificates (#1002)

Full Changelog: v3.6.8...v3.7.0

v3.7.0-rc4 (Pre-release)

03 May 17:24 (e07faf0)

The release notes are identical to those of v3.7.0.

Full Changelog: v3.6.8...v3.7.0-rc4

v3.6.8

02 Nov 17:42 (f201c98)

ZLint v3.6.8

The ZMap team is happy to share ZLint v3.6.8.

Thank you to everyone who contributes to ZLint!

New Lints

  • e_cab_iv_requires_personal_name_strict If certificate policy 2.23.140.1.2.3 is included, givenName and surname MUST be included in the subject
  • e_invalid_legacy_spki_algoid Checks that SubjectPublicKeyInfo.AlgorithmIdentifier is allowed
  • e_mailbox_validated_allowed_subjectdn_attributes Only certain Subject DN attributes are permitted to be present in mailbox-validated certificates.
  • e_crl_revoked_certificate_crl_entry_has_no_duplicate_extensions The revoked certificate in the CRL must not have duplicate extensions.
  • e_crl_auth_key_id_only_contains_keyid The AuthKey extension must only contain the KeyIdentifier field.

Bug Fixes

  • e_crl_extensions_validity corrected to check for Issuing Distribution Point rather than CRL Distribution Points.
  • e_crl_extensions_validity corrected the lint to return warnings, rather than errors, on CRL extensions that are not recommended.

Misc

  • e_ca_common_name_missing an update to citations
  • e_ca_organization_name_missing an update to citations
  • e_ca_country_name_invalid an update to citations
  • e_ca_aia_non_http_url an update to citations
  • e_ca_crl_sign_not_set an update to citations
  • n_ca_digital_signature_not_set an update to citations
  • Removed a duplicate entry in the integrations test suite
  • Added new logic to the e_ca_common_name_missing, e_ca_country_name_invalid, e_ca_country_name_missing, and e_ca_organization_name_missing lints that allows for the global boolean configuration CrossSignedCa. Setting it enables these lints to switch their logic so that it is accurate for cross-signed CA certificates.
  • A new facility has been added wherein an individual lint is given the opportunity to override the framework's applicability rules. This is especially useful for a handful of cases where OCSP signing certificates are subject to requirements defined in the CABF BRs, while the framework otherwise filters out OCSP certificates for the CABF BRs.
  • Added the ability to lint OCSP responses via the CLI interface. This functionality was previously only available via the usage of ZLint as a library.

Changelog

  • f201c98 remove duplicate integration test data entry (#999)
  • 85b3ef4 util: gtld_map autopull updates for 2025-10-22T07:20:44 UTC (#1001)
  • 7dfef30 update n_ca_digital_signature_not_set citation, notice, and doc comment (#998)
  • e8db7b4 update ca ku error lint citations (#997)
  • a1126c8 add requirements comment to e_ca_aia_non_http_url (#996)
  • 1a79b47 Add lint to check Authkey extension contain KID only (#995)
  • 597a098 Zlint CLI supports linting ocsp responses (#993)
  • 30a1e16 Add lint to check that revoked certificates in a CRL doesn't have duplicate extensions (#994)
  • a03ec2d Allowed subjectdn attributes (#992)
  • 2e19b4c Allow for individual lints to opt-out of the ZLint framework executing pre-flight applicability rules (#842)
  • 341cb05 util: gtld_map autopull updates for 2025-09-14T15:20:04 UTC (#991)
  • c63416f (Chris) Add lint to check encoding of SubjectPublicKeyInfo.AlgorithmIdentifier in S/MIME certificates (#989)
  • 81bb184 Add cross-sign configuration for CA name tests (#987)
  • 77960bf util: gtld_map autopull updates for 2025-08-27T05:20:31 UTC (#988)
  • bb63cf4 Update README.md with 2025 reference to coverage spreadsheet (#985)
  • 34901b1 Fix CRL extensions lint (#984)
  • 8c38228 Update cab_iv_requires_personal_name lint to only require Personal Name (#980)
  • 79c3465 update CA countryName lints' citations (#979)
  • 130542a update language and citations for e_ca_organization_name_missing (#981)
  • bdb982d Formatting for a contributor (#977)
  • 5b6b916 Replace CRL Distribution Points oid(2.5.29.31) with Issuing Distribution Point oid(2.5.29.28) when checking crl extension validity (#974)
  • 5891820 update citation for e_ca_common_name_missing (#976)

Full Changelog: v3.6.7...v3.6.8

v3.6.8-rc1 (Pre-release)

25 Oct 18:30 (f201c98)

The release notes are identical to those of v3.6.8.

Full Changelog: v3.6.7...v3.6.8-rc1

v3.6.7

19 Jul 16:09 (7ede4d5)

ZLint v3.6.7

The ZMap team is happy to share ZLint v3.6.7.

Thank you to everyone who contributes to ZLint!

New Lints

  • e_qcstatem_pds_must_have_https_only Checks that a QC Statement of the type id-etsi-qcs-QcPDS contains a URL that uses the https scheme.
  • e_server_cert_valid_time_longer_than_100_days TLS server certificates issued on or after March 15, 2027 00:00 GMT/UTC must not have a validity period greater than 100 days.
  • e_server_cert_valid_time_longer_than_200_days TLS server certificates issued on or after March 15, 2026 00:00 GMT/UTC must not have a validity period greater than 200 days.
  • e_server_cert_valid_time_longer_than_47_days TLS server certificates issued on or after March 15, 2029 00:00 GMT/UTC must not have a validity period greater than 47 days.
  • w_server_cert_valid_time_longer_than_199_days TLS server certificates issued on or after March 15, 2026 00:00 GMT/UTC should not have a validity period greater than 199 days.
  • w_server_cert_valid_time_longer_than_46_days TLS server certificates issued on or after March 15, 2029 00:00 GMT/UTC should not have a validity period greater than 46 days.
  • w_server_cert_valid_time_longer_than_99_days TLS server certificates issued on or after March 15, 2027 00:00 GMT/UTC should not have a validity period greater than 99 days.
  • e_legacy_generation_deprecated S/MIME Subscriber Certificates SHALL NOT be issued using the Legacy Generation profiles.
  • e_invalid_individual_identity Non-legacy IV and SV certificates... SHALL include either subject:givenName and/or subject:surname, or the subject:pseudonym.
  • e_ca_multiple_reserved_policy_oids The CA MUST include exactly one Reserved Certificate Policy Identifier.
  • e_missing_crl_distrib_point Checks for the CDP extension in non-Short-lived Subscriber Certificates lacking an OCSP pointer.
  • e_crl_revocation_date_too_early The revocation time of each revoked certificate should not be before the publication date of RFC 2459.
  • e_crl_extensions_validity Checks that only allowed extensions are present in a CRL and that their criticality is set correctly.
  • e_crl_no_duplicate_extensions The CRL must not include duplicate extensions.
  • e_crl_revocation_time_after_this_update All revocation times for revoked certificates must be on or before the thisUpdate field of the CRL.
  • e_crl_number_out_of_range The CRL number must be greater than or equal to 0 and less than 2^159.
  • e_ca_aia_non_http_url Within the AIA extension of CA certificates, accessLocations must contain HTTP URLs.
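
The server certificate validity lints above, like the code signing validity lints in v3.7.0 (39 months before March 1, 2026; 460 days on or after), are a phase-in schedule: the notBefore date selects which bound applies, and each bound has an error threshold and a one-day-lower warning threshold. The following added example, written for this page rather than taken from ZLint, models that schedule as data and evaluates a certificate's validity period against it. It assumes the Baseline Requirements' inclusive definition of the validity period (notAfter minus notBefore plus one second); the names validityLimit, tlsServerSchedule, codeSigningSchedule and checkValidity are this example's own, and the 39-month bound, being month-based rather than a day count, is deliberately not modelled.

```go
package main

import (
	"fmt"
	"time"
)

// validityLimit is one row of a phase-in schedule: certificates with notBefore on or
// after EffectiveFrom must not exceed MaxDays (error lint) and should not exceed
// SuggestedMaxDays (warning lint).
type validityLimit struct {
	EffectiveFrom    time.Time
	MaxDays          int
	SuggestedMaxDays int
}

type finding struct {
	Severity string // "error" or "warning"
	Message  string
}

func utc(y int, m time.Month, d int) time.Time {
	return time.Date(y, m, d, 0, 0, 0, 0, time.UTC)
}

// tlsServerSchedule encodes the dates and limits from the v3.6.7 notes, latest
// (most restrictive) row first so that the first matching row is the one in force.
var tlsServerSchedule = []validityLimit{
	{EffectiveFrom: utc(2029, time.March, 15), MaxDays: 47, SuggestedMaxDays: 46},
	{EffectiveFrom: utc(2027, time.March, 15), MaxDays: 100, SuggestedMaxDays: 99},
	{EffectiveFrom: utc(2026, time.March, 15), MaxDays: 200, SuggestedMaxDays: 199},
}

// codeSigningSchedule encodes the 460-day bound from the v3.7.0 notes. The earlier
// 39-month bound is month-based and is not expressed as a day count here.
var codeSigningSchedule = []validityLimit{
	{EffectiveFrom: utc(2026, time.March, 1), MaxDays: 460, SuggestedMaxDays: 460},
}

// validityDays measures the validity period inclusively, as the Baseline
// Requirements define it (assumption): notAfter - notBefore + 1 second, in days.
func validityDays(notBefore, notAfter time.Time) float64 {
	return (notAfter.Sub(notBefore) + time.Second).Hours() / 24
}

// applicableLimit returns the schedule row governing a certificate issued at
// notBefore, or nil when no row of the schedule is in force for that date.
func applicableLimit(schedule []validityLimit, notBefore time.Time) *validityLimit {
	for i := range schedule {
		if !notBefore.Before(schedule[i].EffectiveFrom) {
			return &schedule[i]
		}
	}
	return nil
}

// checkValidity returns the findings for one certificate. The error and warning
// thresholds are evaluated independently, as ZLint's e_ and w_ lints are separate.
func checkValidity(schedule []validityLimit, notBefore, notAfter time.Time) []finding {
	lim := applicableLimit(schedule, notBefore)
	if lim == nil {
		return nil
	}
	days := validityDays(notBefore, notAfter)
	var out []finding
	if days > float64(lim.MaxDays) {
		out = append(out, finding{"error", fmt.Sprintf("validity of %.4f days exceeds the %d-day maximum in force since %s",
			days, lim.MaxDays, lim.EffectiveFrom.Format("2006-01-02"))})
	}
	if days > float64(lim.SuggestedMaxDays) {
		out = append(out, finding{"warning", fmt.Sprintf("validity of %.4f days exceeds the recommended %d days",
			days, lim.SuggestedMaxDays)})
	}
	return out
}

func main() {
	nb := utc(2026, time.April, 1)
	// Exactly 200 days inclusive: passes the 200-day error lint, trips the 199-day warning.
	for _, f := range checkValidity(tlsServerSchedule, nb, nb.Add(200*24*time.Hour-time.Second)) {
		fmt.Println(f.Severity+":", f.Message)
	}
	// One second longer and the error lint fires as well.
	for _, f := range checkValidity(tlsServerSchedule, nb, nb.Add(200*24*time.Hour)) {
		fmt.Println(f.Severity+":", f.Message)
	}
}
```

The off-by-one-second boundary in main is the point worth noticing: a certificate whose notAfter is exactly 200 days after notBefore has an inclusive validity of 200 days plus one second and fails the error lint, so issuance tooling should subtract a second when computing notAfter from a day count.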

Bug Fixes

  • e_mp_ecdsa_pub_key_encoding_correct is now aware of P-521 algorithm identifiers.
  • w_sub_ca_aia_does_not_contain_issuing_ca_url is now ineffective as of CABF/BRs 2.0.0.

Security

  • Upgraded golang.org/x/net from 0.37.0 to 0.38.0 to address CVE-2025-22872

Misc

  • Refactor of time utility functions.
  • Upgraded Go version from 1.23.0 to 1.24.0.
  • Upgraded golangci-lint from 1.62.0 to 1.62.8 to fix CICD compatibility breakages.

Changelog

  • 7ede4d5 set IneffectiveDate for w_sub_ca_aia_does_not_contain_issuing_ca_url (#972)
  • 4b2f3ab Upgrade Golang and tooling to fix the linter (#971)
  • 91dfcc0 Add lint to check for HTTP URLs in the AIA extension of Subordinate CA certificates (#968)
  • 341615f Add lint to check CRL Number range (#964)
  • ee3ab84 Add lint to check that revoked certificates in a CRL has revocation time before or equal to thisUpdate. (#965)
  • 09caaf7 Add lint to check for duplicate extensions in CRLs. (#963)
  • 7ba4cea Add CRL lint to check CRL extensions and their validity (#962)
  • 0747c42 Add CRL lint to check revocation time in revoked certificates (#961)
  • fff6f82 Add lint to check for the CDP extension to be present in non-Short-lived Subscriber Certificates lacking an OCSP pointer (#966)
  • 71f17a7 Add lint to check for multiple Reserved Policy Identifiers in Subordinate CA certificates (#959)
  • 8696d6c Add lint to check for mandatory individual identity subject attributes in non-legacy IV and SV S/MIME certificates (#958)
  • 28c4390 Please add lint to check for deprecated "legacy generation" S/MIME policy OIDs (#957)
  • 0efbae8 Sc081 update (#955)
  • 82294d2 Update Mozilla SPKI and SignatureAlgorithm encoding lints (#950)
  • 4c12143 util: gtld_map autopull updates for 2025-05-17T01:50:26 UTC (#954)
  • c730a76 SC081 shorter validities (#952)
  • e835b93 util: gtld_map autopull updates for 2025-04-30T04:21:20 UTC (#948)
  • f605149 qcstatem pds must have https only (#935)
  • d1fdcb8 util: gtld_map autopull updates for 2025-04-24T03:28:02 UTC (#945)
  • a790035 build(deps): bump golang.org/x/net in /v3/cmd/genTestCerts (#946)

Full Changelog: v3.6.6...v3.6.7

v3.6.7-rc1 (Pre-release)

13 Jul 15:08 (7ede4d5)

The release notes are identical to those of v3.6.7.

Full Changelog: v3.6.6...v3.6.7-rc1

v3.6.6

26 Apr 14:42 (c2d9286)

ZLint v3.6.6

The ZMap team is happy to share ZLint v3.6.6.

Thank you to everyone who contributes to ZLint!

New Feature

  • Preliminary support for linting OCSP responses when ZLint is used as a Go library

New Lints

  • e_crl_next_update_invalid, For CRLs covering subscriber (EE) certificates, nextUpdate must be at most 10 days after thisUpdate; for CRLs covering CA certificates, at most 12 months
  • e_qcstatem_qctype_smime, Checks that, in an S/MIME certificate, a QC Statement of type Id-etsi-qcs-QcType includes at least one of the types IdEtsiQcsQctEsign or IdEtsiQcsQctEseal
  • e_utf8_latin1_mixup, Checks for wrongly encoded diacritics due to UTF-8 mistaken for Latin-1

Bug Fixes

  • Panics from individual lints no longer impact the execution of other lints
  • Corrected an issue in e_ev_extra_subject_attribs wherein OU was incorrectly marked as forbidden
  • Corrected an issue where not all lint sources were considered during filtering
  • Corrected the citation for e_this_update_not_after_produced_at
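
The three behaviours above, the nextUpdate window checked by e_crl_next_update_invalid, the Latin-1/UTF-8 mix-up detected by e_utf8_latin1_mixup, and the per-lint panic containment from the Bug Fixes list, worked through in one stand-alone Go program. This is an added illustration written for this page, not ZLint's own code or API: the Lint/RunLints harness, NewCRLWindow, the coversCACerts flag (the real lint derives a CRL's scope itself), the mojibake heuristic, and the sample timestamps and subject string are all constructed for the example.

```go
package main

import (
	"crypto/x509"
	"fmt"
	"time"
	"unicode/utf8"
)

type LintStatus int

const (
	Pass  LintStatus = iota
	Error            // the check failed
	Fatal            // the lint itself panicked; recorded, not propagated
)

func (s LintStatus) String() string { return []string{"pass", "error", "fatal"}[s] }

// Lint is a named check returning nil on pass (hypothetical harness, not ZLint's API).
type Lint struct {
	Name string
	Run  func() error
}

// RunLints runs every lint; a panic in one lint is recorded as Fatal for it alone.
func RunLints(lints []Lint) map[string]LintStatus {
	results := make(map[string]LintStatus, len(lints))
	for _, l := range lints {
		results[l.Name] = runOne(l)
	}
	return results
}

func runOne(l Lint) (status LintStatus) {
	defer func() { // contain the panic so the caller keeps going
		if recover() != nil {
			status = Fatal
		}
	}()
	if err := l.Run(); err != nil {
		return Error
	}
	return Pass
}

// NewCRLWindow carries only the two timestamps the check needs; a real run
// would obtain the RevocationList from x509.ParseRevocationList instead.
func NewCRLWindow(thisUpdate, nextUpdate time.Time) *x509.RevocationList {
	return &x509.RevocationList{ThisUpdate: thisUpdate, NextUpdate: nextUpdate}
}

// CheckCRLNextUpdate applies the window the release notes state: at most 10 days
// after thisUpdate for CRLs covering subscriber (EE) certificates, at most 12 months
// for CA certificates. coversCACerts is an assumed input; the real lint works it out.
func CheckCRLNextUpdate(crl *x509.RevocationList, coversCACerts bool) error {
	if crl.NextUpdate.IsZero() {
		return fmt.Errorf("nextUpdate is absent")
	}
	limit := crl.ThisUpdate.Add(10 * 24 * time.Hour)
	if coversCACerts {
		limit = crl.ThisUpdate.AddDate(0, 12, 0)
	}
	if crl.NextUpdate.After(limit) {
		return fmt.Errorf("nextUpdate %s exceeds limit %s", crl.NextUpdate.UTC().Format(time.RFC3339), limit.UTC().Format(time.RFC3339))
	}
	return nil
}

// CheckLatin1Mixup fails when s looks like UTF-8 bytes that were read as Latin-1
// and re-encoded as UTF-8 ("Ã¼" where "ü" was meant): every rune fits in one byte,
// and narrowing the runes back to bytes yields valid UTF-8 with a byte >= 0x80.
func CheckLatin1Mixup(s string) error {
	narrowed := make([]byte, 0, len(s))
	highByte := false
	for _, r := range s {
		if r > 0xFF {
			return nil // genuine non-Latin-1 text, not a mix-up
		}
		highByte = highByte || r >= 0x80
		narrowed = append(narrowed, byte(r))
	}
	if highByte && utf8.Valid(narrowed) {
		return fmt.Errorf("%q is %q mis-decoded as Latin-1", s, narrowed)
	}
	return nil
}

func main() {
	now := time.Date(2025, 4, 26, 0, 0, 0, 0, time.UTC) // constructed thisUpdate
	eeCRL := NewCRLWindow(now, now.AddDate(0, 0, 14))    // 14 days: too long for an EE CRL
	caCRL := NewCRLWindow(now, now.AddDate(0, 6, 0))     // 6 months: within the CA CRL limit
	lints := []Lint{
		{"e_crl_next_update_invalid (EE)", func() error { return CheckCRLNextUpdate(eeCRL, false) }},
		{"e_crl_next_update_invalid (CA)", func() error { return CheckCRLNextUpdate(caCRL, true) }},
		{"e_utf8_latin1_mixup", func() error { return CheckLatin1Mixup("MÃ¼ller") }}, // constructed subject
		{"buggy_lint", func() error { panic("stand-in for a nil dereference inside a lint") }},
	}
	results := RunLints(lints)
	for _, l := range lints {
		fmt.Printf("%-32s %s\n", l.Name, results[l.Name])
	}
}
```

Running it reports the EE CRL and the mojibake subject as errors and the panicking lint as fatal, while the CA CRL passes; the point of the harness is that the fatal result is confined to one entry of the map rather than aborting the run. Replacing NewCRLWindow with x509.ParseRevocationList on a DER CRL exercises the same check on real data.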

Security

  • Upgraded golang.org/x/net from 0.33.0 to 0.37.0 to address CVE-2025-22870
  • Upgraded golang.org/x/net from 0.37.0 to 0.38.0 to address CVE-2025-22872

Changelog

  • c2d9286 Fix reference and description of OCSP lint (#937)
  • b60a4b1 build(deps): bump golang.org/x/net in /v3/cmd/gen_test_crl (#939)
  • d163497 build(deps): bump golang.org/x/net from 0.37.0 to 0.38.0 in /v3 (#936)
  • e8d0409 Corrected an issue with not all lint sources being considered correctly during filtering (#934)
  • 80afcba Framework for linting OCSP responses (#917)
  • 7a0479c Add lint to detect wrongly encoded diacritics due to UTF-8 mistaken for Latin-1 (#931)
  • f68dfde Patch golang.org/x/net for CVE-2025-22870 (#928)
  • 3cc488f Update README.md (#926)
  • 900a4d0 Fix the linter (#929)
  • 502f687 Qc type web also smime (#919)
  • 7f772fd Updating actions/cache to v4 to fix integration tests (#927)
  • 59fffe7 util: gtld_map autopull updates for 2025-02-28T00:33:21 UTC (#920)
  • a2721f2 Add lint to check CRLs for a valid nextUpdate as per CABF BRs (#916)
  • f8bbdec OU (2.5.4.11) is incorrectly omitted from the allow list in e_ev_extra_subject_attribs (#915)
  • 62639df Panics should not prevent other lints from running (#914)
  • 32cb0bf Update README.md (#909)

Full Changelog: v3.6.5...v3.6.6

v3.6.6-rc2

20 Apr 21:07
v3.6.6-rc2
c2d9286

v3.6.6-rc2 Pre-release

ZLint v3.6.6-rc2

The ZMap team is happy to share ZLint v3.6.6-rc2.

Thank you to everyone who contributes to ZLint!

New Feature

  • Preliminary support for linting OCSP responses when ZLint is used as a Go library

New Lints

  • e_crl_next_update_invalid, For CRLs covering subscriber (EE) certificates, nextUpdate must be at most 10 days after thisUpdate; for CRLs covering CA certificates, at most 12 months
  • e_qcstatem_qctype_smime, Checks that, in an S/MIME certificate, a QC Statement of type Id-etsi-qcs-QcType includes at least one of the types IdEtsiQcsQctEsign or IdEtsiQcsQctEseal
  • e_utf8_latin1_mixup, Checks for wrongly encoded diacritics due to UTF-8 mistaken for Latin-1

Bug Fixes

  • Panics from individual lints no longer impact the execution of other lints
  • Corrected an issue in e_ev_extra_subject_attribs wherein OU was incorrectly marked as forbidden
  • Corrected an issue where not all lint sources were considered during filtering
  • Corrected the citation for e_this_update_not_after_produced_at

Security

  • Upgraded golang.org/x/net from 0.33.0 to 0.37.0 to address CVE-2025-22870
  • Upgraded golang.org/x/net from 0.37.0 to 0.38.0 to address CVE-2025-22872

Changelog

  • c2d9286 Fix reference and description of OCSP lint (#937)
  • b60a4b1 build(deps): bump golang.org/x/net in /v3/cmd/gen_test_crl (#939)
  • d163497 build(deps): bump golang.org/x/net from 0.37.0 to 0.38.0 in /v3 (#936)
  • e8d0409 Corrected an issue with not all lint sources being considered correctly during filtering (#934)
  • 80afcba Framework for linting OCSP responses (#917)
  • 7a0479c Add lint to detect wrongly encoded diacritics due to UTF-8 mistaken for Latin-1 (#931)
  • f68dfde Patch golang.org/x/net for CVE-2025-22870 (#928)
  • 3cc488f Update README.md (#926)
  • 900a4d0 Fix the linter (#929)
  • 502f687 Qc type web also smime (#919)
  • 7f772fd Updating actions/cache to v4 to fix integration tests (#927)
  • 59fffe7 util: gtld_map autopull updates for 2025-02-28T00:33:21 UTC (#920)
  • a2721f2 Add lint to check CRLs for a valid nextUpdate as per CABF BRs (#916)
  • f8bbdec OU (2.5.4.11) is incorrectly omitted from the allow list in e_ev_extra_subject_attribs (#915)
  • 62639df Panics should not prevent other lints from running (#914)
  • 32cb0bf Update README.md (#909)

Full Changelog: v3.6.5...v3.6.6-rc2