Upgrade zlint v3.6.4 (#7897)

This brings in several new and useful lints. It also brings in one CABF
BR lint which we have to ignore in our default profile which includes
the Subject Key Identifier extension:
"w_ext_subject_key_identifier_not_recommended_subscriber". In our modern
profile which omits several fields, we have to ignore the opposite
RFC5280 lint "w_ext_subject_key_identifier_missing_sub_cert".

Release notes: https://github.com/zmap/zlint/releases/tag/v3.6.4
Changelog: zmap/zlint@v3.6.0...v3.6.4
Note that the majority of the ~400 file changes are merely copyright
date changes.

The corresponding production config changes tracked in IN-10466 are
complete.

cmd/cert-checker/main_test.go

@@ -631,11 +631,11 @@ func TestIgnoredLint(t *testing.T) {
 		Expires: subjectCert.NotAfter,
 	}
 
-	// Without any ignored lints we expect one error level result due to the
-	// missing OCSP url in the template.
+	// Without any ignored lints we expect several errors and warnings about SCTs,
+	// the common name, and the subject key identifier extension.
 	expectedProblems := []string{
-		"zlint error: e_sub_cert_aia_does_not_contain_ocsp_url",
 		"zlint warn: w_subject_common_name_included",
+		"zlint warn: w_ext_subject_key_identifier_not_recommended_subscriber",
 		"zlint info: w_ct_sct_policy_count_unsatisfied Certificate had 0 embedded SCTs. Browser policy may require 2 for this certificate.",
 		"zlint error: e_scts_from_same_operator Certificate had too few embedded SCTs; browser policy requires 2.",
 	}
@@ -650,10 +650,10 @@ func TestIgnoredLint(t *testing.T) {
 	// Check the certificate again with an ignore map that excludes the affected
 	// lints. This should return no problems.
 	_, problems = checker.checkCert(context.Background(), cert, map[string]bool{
-		"e_sub_cert_aia_does_not_contain_ocsp_url": true,
-		"w_subject_common_name_included":           true,
-		"w_ct_sct_policy_count_unsatisfied":        true,
-		"e_scts_from_same_operator":                true,
+		"w_subject_common_name_included":                          true,
+		"w_ext_subject_key_identifier_not_recommended_subscriber": true,
+		"w_ct_sct_policy_count_unsatisfied":                       true,
+		"e_scts_from_same_operator":                               true,
 	})
 	test.AssertEquals(t, len(problems), 0)
 }

go.mod

@@ -29,7 +29,7 @@ require (
 	github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399
 	github.com/weppos/publicsuffix-go v0.40.3-0.20240815124645-a8ed110559c9
 	github.com/zmap/zcrypto v0.0.0-20231219022726-a1f61fb1661c
-	github.com/zmap/zlint/v3 v3.6.0
+	github.com/zmap/zlint/v3 v3.6.4
 	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.55.0
 	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.55.0
 	go.opentelemetry.io/otel v1.30.0

go.sum

@@ -267,8 +267,8 @@ github.com/zmap/zcrypto v0.0.0-20201211161100-e54a5822fb7e/go.mod h1:aPM7r+JOkfL
 github.com/zmap/zcrypto v0.0.0-20231219022726-a1f61fb1661c h1:U1b4THKcgOpJ+kILupuznNwPiURtwVW3e9alJvji9+s=
 github.com/zmap/zcrypto v0.0.0-20231219022726-a1f61fb1661c/go.mod h1:GSDpFDD4TASObxvfZfvpZZ3OWHIUHMlhVWlkOe4ewVk=
 github.com/zmap/zlint/v3 v3.0.0/go.mod h1:paGwFySdHIBEMJ61YjoqT4h7Ge+fdYG4sUQhnTb1lJ8=
-github.com/zmap/zlint/v3 v3.6.0 h1:vTEaDRtYN0d/1Ax60T+ypvbLQUHwHxbvYRnUMVr35ug=
-github.com/zmap/zlint/v3 v3.6.0/go.mod h1:NVgiIWssgzp0bNl8P4Gz94NHV2ep/4Jyj9V69uTmZyg=
+github.com/zmap/zlint/v3 v3.6.4 h1:r2kHfRF7mIsxW0IH4Og2iZnrlpCLTZBFjnXy1x/ZnZI=
+github.com/zmap/zlint/v3 v3.6.4/go.mod h1:KQLVUquVaO5YJDl5a4k/7RPIbIW2v66+sRoBPNZusI8=
 go.etcd.io/bbolt v1.3.2/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU=
 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.55.0 h1:hCq2hNMwsegUvPzI7sPOvtO9cqyy5GbWt/Ybp2xrx8Q=
 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.55.0/go.mod h1:LqaApwGx/oUmzsbqxkzuBvyoPpkxk3JQWnqfVrJ3wCA=

issuance/cert.go

@@ -105,18 +105,7 @@ func NewProfile(profileConfig *ProfileConfig) (*Profile, error) {
 		return nil, fmt.Errorf("validity period %q is too large", profileConfig.MaxValidityPeriod.Duration)
 	}
 
-	// TODO(#7756): These lint names don't yet exist in our current zlint v3.6.0 but exist in v3.6.2.
-	// In order to upgrade without throwing errors, we need to add these to our ignored lints.
-	// However, v3.6.0 will error if it sees ignored lints it doesn't recognize. Solution: filter
-	// out these specific lints. As part of the PR that updates to v3.6.2, we will remove this code.
-	var ignoredLints []string
-	for _, lintName := range profileConfig.IgnoredLints {
-		if lintName != "e_cab_dv_subject_invalid_values" && lintName != "w_ext_subject_key_identifier_not_recommended_subscriber" {
-			ignoredLints = append(ignoredLints, lintName)
-		}
-	}
-
-	lints, err := linter.NewRegistry(ignoredLints)
+	lints, err := linter.NewRegistry(profileConfig.IgnoredLints)
 	cmd.FailOnError(err, "Failed to create zlint registry")
 	if profileConfig.LintConfig != "" {
 		lintconfig, err := lint.NewConfigFromFile(profileConfig.LintConfig)

issuance/cert_test.go

@@ -387,11 +387,7 @@ func TestIssueCommonName(t *testing.T) {
 	fc.Set(time.Now())
 
 	prof := defaultProfileConfig()
-	prof.IgnoredLints = []string{
-		"w_subject_common_name_included",
-		"w_ct_sct_policy_count_unsatisfied",
-		"e_scts_from_same_operator",
-	}
+	prof.IgnoredLints = append(prof.IgnoredLints, "w_subject_common_name_included")
 	cnProfile, err := NewProfile(prof)
 	test.AssertNotError(t, err, "NewProfile failed")
 	signer, err := newIssuer(defaultIssuerConfig(), issuerCert, issuerSigner, fc)
@@ -450,9 +446,12 @@ func TestIssueOmissions(t *testing.T) {
 	pc.OmitClientAuth = true
 	pc.OmitSKID = true
 	pc.IgnoredLints = []string{
-		"w_ext_subject_key_identifier_missing_sub_cert",
+		// Reduce the lint ignores to just the minimal (SCT-related) set.
 		"w_ct_sct_policy_count_unsatisfied",
 		"e_scts_from_same_operator",
+		// Ignore the warning about *not* including the SubjectKeyIdentifier extension:
+		// zlint has both lints (one enforcing RFC5280, the other the BRs).
+		"w_ext_subject_key_identifier_missing_sub_cert",
 	}
 	prof, err := NewProfile(pc)
 	test.AssertNotError(t, err, "building test profile")
@@ -529,7 +528,10 @@ func TestIssueSCTList(t *testing.T) {
 	test.AssertNotError(t, err, "failed to load log list")
 
 	pc := defaultProfileConfig()
-	pc.IgnoredLints = []string{}
+	pc.IgnoredLints = []string{
+		// Only ignore the SKID lint, i.e., don't ignore the "missing SCT" lints.
+		"w_ext_subject_key_identifier_not_recommended_subscriber",
+	}
 	enforceSCTsProfile, err := NewProfile(pc)
 	test.AssertNotError(t, err, "NewProfile failed")
 	signer, err := newIssuer(defaultIssuerConfig(), issuerCert, issuerSigner, fc)
@@ -754,11 +756,7 @@ func TestMismatchedProfiles(t *testing.T) {
 	test.AssertNotError(t, err, "NewIssuer failed")
 
 	pc := defaultProfileConfig()
-	pc.IgnoredLints = []string{
-		"w_subject_common_name_included",
-		"w_ct_sct_policy_count_unsatisfied",
-		"e_scts_from_same_operator",
-	}
+	pc.IgnoredLints = append(pc.IgnoredLints, "w_subject_common_name_included")
 	cnProfile, err := NewProfile(pc)
 	test.AssertNotError(t, err, "NewProfile failed")
 
@@ -782,10 +780,6 @@ func TestMismatchedProfiles(t *testing.T) {
 	// Create a new profile that differs slightly (no common name)
 	pc = defaultProfileConfig()
 	pc.AllowCommonName = false
-	pc.IgnoredLints = []string{
-		"w_ct_sct_policy_count_unsatisfied",
-		"e_scts_from_same_operator",
-	}
 	test.AssertNotError(t, err, "building test lint registry")
 	noCNProfile, err := NewProfile(pc)
 	test.AssertNotError(t, err, "NewProfile failed")

issuance/issuer_test.go

@@ -28,8 +28,12 @@ func defaultProfileConfig() *ProfileConfig {
 		MaxValidityPeriod:   config.Duration{Duration: time.Hour},
 		MaxValidityBackdate: config.Duration{Duration: time.Hour},
 		IgnoredLints: []string{
+			// Ignore the two SCT lints because these tests don't get SCTs.
 			"w_ct_sct_policy_count_unsatisfied",
 			"e_scts_from_same_operator",
+			// Ignore the warning about including the SubjectKeyIdentifier extension:
+			// we include it on purpose, but plan to remove it soon.
+			"w_ext_subject_key_identifier_not_recommended_subscriber",
 		},
 	}
 }

test/config-next/ca.json

@@ -51,7 +51,7 @@
 					"lintConfig": "test/config-next/zlint.toml",
 					"ignoredLints": [
 						"w_subject_common_name_included",
-						"w_sub_cert_aia_contains_internal_names"
+						"w_ext_subject_key_identifier_not_recommended_subscriber"
 					]
 				},
 				"modern": {
@@ -64,8 +64,7 @@
 					"maxValidityBackdate": "1h5m",
 					"lintConfig": "test/config-next/zlint.toml",
 					"ignoredLints": [
-						"w_ext_subject_key_identifier_missing_sub_cert",
-						"w_sub_cert_aia_contains_internal_names"
+						"w_ext_subject_key_identifier_missing_sub_cert"
 					]
 				}
 			},

test/config-next/cert-checker.json

@@ -14,7 +14,8 @@
 		],
 		"ignoredLints": [
 			"w_subject_common_name_included",
-			"w_sub_cert_aia_contains_internal_names"
+			"w_ext_subject_key_identifier_missing_sub_cert",
+			"w_ext_subject_key_identifier_not_recommended_subscriber"
 		],
 		"ctLogListFile": "test/ct-test-srv/log_list.json",
 		"features": {

test/config/ca.json

@@ -128,7 +128,7 @@
 			"lintConfig": "test/config/zlint.toml",
 			"ignoredLints": [
 				"w_subject_common_name_included",
-				"w_sub_cert_aia_contains_internal_names"
+				"w_ext_subject_key_identifier_not_recommended_subscriber"
 			]
 		},
 		"expiry": "7776000s",

test/config/cert-checker.json

@@ -17,7 +17,7 @@
 		],
 		"ignoredLints": [
 			"w_subject_common_name_included",
-			"w_sub_cert_aia_contains_internal_names"
+			"w_ext_subject_key_identifier_not_recommended_subscriber"
 		]
 	},
 	"pa": {