Tags: zmap/zlint
The ZMap team is happy to share ZLint v3.7.0-rc1. Thank you to everyone who contributes to ZLint!

## New Lints

* `e_arpa_domain_not_allowed`: CAs SHALL NOT issue Certificates containing Domain Names that end in an IP Reverse Zone Suffix
* `e_basic_constr_invalid_der`: Checks the correct DER encoding of the cA field in the BasicConstraints ext
* `e_client_auth_not_allowed`: Checks that Server certs do not contain clientAuth in the EKU extension
* `e_cs_aia_missing_ca_issuers_http_url`: The authorityInformationAccess extension MUST contain the HTTP URL of the Issuing CA's certificate (id-ad-caIssuers)
* `e_cs_aia_ocsp_not_http`: If the CA provides OCSP responses, the authorityInformationAccess extension MUST contain the HTTP URL of the Issuing CA's OCSP responder (id-ad-ocsp)
* `e_cs_authority_information_access`: The authorityInformationAccess extension MUST be present and MUST NOT be marked critical
* `e_cs_ecdsa_prohibited_curve`: If the Key is ECDSA, then the curve MUST be one of NIST P-256, P-384, or P-521
* `e_cs_max_validity_period_39_months`: Code Signing certificate validity must not exceed 39 months for certificates issued before March 1st, 2026
* `e_cs_max_validity_period_460_days`: Code Signing certificate validity must not exceed 460 days for certificates issued on or after March 1st, 2026
* `e_cs_signature_algorithm_not_supported`: Certificates MUST meet the following requirements for algorithm Source: SHA-1*, SHA-256, SHA-384, SHA-512
* `e_exactly_one_smime_policy`: The subscriber cert SHALL include exactly one of the reserved policy OIDs in §7.1.6.1
* `e_excessively_backdated`: notBefore [must be] a value within 48 hours of the certificate signing
* `e_ext_cannot_be_empty_sequence`: Extensions whose value is SEQUENCE SIZE (1..MAX) OF must have at least 1 element
* `e_ocsp_cert_cdp_forbidden`: In OCSP certificates, the CDP extension MUST NOT appear
* `e_ocsp_cert_cp_forbidden`: In OCSP certificates, the CP extension MUST NOT appear
* `e_ocsp_cert_invalid_ku`: For OCSP certificates, only digitalSignature is allowed in the KU ext
* `e_qcstatem_qctype_oneonly`: Checks that a QC Statement of the type Id-etsi-qcs-QcType features exactly one of the allowed QcType OIDs
* `e_state_or_province_name_must_not_contain_control_characters`: stateOrProvinceName MUST come from an authoritative data source of plain, human readable, names
* `e_subj_email_not_in_san`: Certificates with email addresses MUST include them in the SAN extension

## Bug Fixes

* `e_cert_policy_iv_requires_country`: fixed a bug where IV-issuing policy constrained CAs were inadvertently linted
* `e_qcstatem_qctype_web`: fixed to not return an error for legitimate e-signature and e-seal qualified certificates

## Security

* Patched CVE-2025-58181
* Bumped `golang.org/x/crypto` from 0.36.0 to 0.45.0

## Misc

* Added support for Chrome Root Program Policy-based lints as a new lint source
* `e_state_or_province_name_must_not_contain_control_characters` extended to also check localityName
* `cab_dv_conflicts_with_locality`, `cab_dv_conflicts_with_org`, `cab_dv_conflicts_with_postal`, `cab_dv_conflicts_with_province`, and `cab_dv_conflicts_with_street` lints marked as superseded
* `e_ca_country_name_invalid` CheckApplies logic refactored with additional test coverage
* `e_cert_policy_iv_requires_country` citation updated to current location
* Broad dependency updates
* Updated gtld_map

## Changelog

* 5dc4eaf Cs add aia lints (#1036)
* 31204be Add lint for checking curve param requirements (#1035)
* da562d2 Add support for Chrome Root Program Policy-based lints, plus a first such lint addressing clientAuth deprecation (#1031)
* fe04242 util: gtld_map autopull updates for 2026-04-18T03:19:55 UTC (#1037)
* 12ccc55 refactor ca country check applies, add tests (#1032)
* 215f568 Add cs sig alg lint (#1033)
* 90f1337 Add lint to check for certain extensions to have at least 1 element according to RFC 5280 (#1028)
* f804eca fix iv countryName lint checkApplies, add personal name lint history (#1027)
* b536041 Add lint to address Ballot SC-086v3 (Sunset the Inclusion of IP Reverse Address Domain Names) (#1030)
* 48f6dc7 Add lint to check for email addresses in Subject but not in SAN (prohibited by RFC 5280 section 4.1.2.6) (#1026)
* 7eb7ba8 Qc sttmnt only one qc type (#1025)
* 145bd26 mark cab_dv_conflicts_with* lints superseded (#1023)
* 505d5f4 Add lint to check that the notBefore timestamp is not too early compared to the SCTs (#1022)
* bc0c81e Added validity period lints for before and after CSC-31, included unit tests with test certificates (#1020)
* 67d05d8 util: gtld_map autopull updates for 2026-02-14T04:48:16 UTC (#1021)
* 1bb9b40 go mod tidy (#1017)
* 234d2d4 Adding locality to e_state_or_province_name_must_not_contain_control_characters (#1015)
* 570d5a6 Lint to ensure that stateOrProvinceName is in a plain human, readable, format (#1014)
* 4f6ffa4 Add lint to check for a reserved policy identifier in S/MIME certificates (#1011)
* 5dfb580 Broad Dependency Updates (#1013)
* 04b6958 Patch for CVE-2025-58181 (#1009)
* 46db9bf build(deps): bump golang.org/x/crypto in /v3/cmd/gen_test_crl (#1008)
* 736cd7c build(deps): bump golang.org/x/crypto from 0.36.0 to 0.45.0 in /v3 (#1007)
* 8be747f Add lint to check for correct DER encoding of the cA field in BasicConstraints (#1006)
* d96b640 Lint e_qcstatem_qctype_web throws an error for legitimate e-signature and e-seal qualified certificates (#1004)
* cfa6a89 Add some lints for OCSP Responder certificates (#1002)

**Full Changelog**: v3.6.8...v3.7.0-rc1
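As an added illustration of the check behind `e_basic_constr_invalid_der` (example code written for this page, not ZLint's implementation), the function below takes the raw encoded BasicConstraints SEQUENCE and flags the two non-DER encodings of the cA BOOLEAN: an explicit FALSE, which DER requires to be omitted because the field is DEFAULT FALSE, and a TRUE encoded as any byte other than 0xFF. The sample encodings are constructed, and the length handling assumes short-form lengths, which is all a BasicConstraints value ever needs.

```go
package main

import (
	"errors"
	"fmt"
)

// checkBasicConstraintsDER inspects the encoded BasicConstraints SEQUENCE
// (the contents of the extension's OCTET STRING) and reports DER violations
// in the cA BOOLEAN. Valid DER is either no cA field at all (DEFAULT FALSE)
// or a cA field whose single content byte is 0xFF. Any pathLenConstraint
// that follows is left alone; only the cA encoding is examined here.
func checkBasicConstraintsDER(val []byte) error {
	if len(val) < 2 || val[0] != 0x30 {
		return errors.New("not a SEQUENCE")
	}
	n := int(val[1])
	if n >= 0x80 || len(val) != 2+n { // short-form length assumed
		return errors.New("bad or long-form SEQUENCE length")
	}
	body := val[2:]
	if len(body) == 0 || body[0] != 0x01 {
		return nil // cA absent: DEFAULT FALSE, correct DER
	}
	if len(body) < 3 || body[1] != 0x01 {
		return errors.New("cA BOOLEAN must have length 1")
	}
	switch body[2] {
	case 0xFF:
		return nil
	case 0x00:
		return errors.New("cA FALSE encoded explicitly; DER omits DEFAULT values")
	default:
		return fmt.Errorf("cA TRUE encoded as 0x%02X; DER requires 0xFF", body[2])
	}
}

func main() {
	// Constructed sample encodings, not taken from any real certificate.
	samples := map[string][]byte{
		"valid CA":         {0x30, 0x03, 0x01, 0x01, 0xFF},
		"valid end-entity": {0x30, 0x00},
		"explicit FALSE":   {0x30, 0x03, 0x01, 0x01, 0x00},
		"TRUE as 0x01":     {0x30, 0x03, 0x01, 0x01, 0x01},
	}
	for name, v := range samples {
		fmt.Printf("%-17s -> %v\n", name, checkBasicConstraintsDER(v))
	}
}
```

The two rejected encodings are the ones a lenient BER parser accepts silently, which is why a linter has to look at the raw bytes rather than the decoded boolean.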