zmap · digirenpeter · Feb 4, 2026
diff --git a/v3/lints/cabf_cs_br/lint_cs_validity_period_longer_than_39_months.go b/v3/lints/cabf_cs_br/lint_cs_validity_period_longer_than_39_months.go
@@ -0,0 +1,50 @@
+package cabf_cs_br
+
+import (
+	"github.com/zmap/zcrypto/x509"
+
+	"github.com/zmap/zlint/v3/lint"
+	"github.com/zmap/zlint/v3/util"
+)
+
+/*
+6.3.2 Certificate operational periods and key pair usage periods
+For Code Signing Certificates issued before March 1st, 2026, the validity period MUST NOT exceed
+39 months. For Code Signing Certificates issued on or after March 1st, 2026, the validity period
+MUST NOT exceed 460 days.
+*/
+
+func init() {
+	lint.RegisterCertificateLint(&lint.CertificateLint{
+		LintMetadata: lint.LintMetadata{
+			Name:            "e_cs_max_validity_period_39_months",
+			Description:     "Code Signing certificate validity must not exceed 39 months for certificates issued before March 1st, 2026",
+			Citation:        "CS BR 6.3.2 - v3.10",
+			Source:          lint.CABFCSBaselineRequirements,
+			EffectiveDate:   util.CABF_CS_BRs_1_2_Date, // Effective from v1.2, the quote is from v3.10
+			IneffectiveDate: util.CABF_CS_CSC_31_Date,
+		},
+		Lint: NewCsMaxValidityPeriodLongerThan39Months,
+	})
+}
+
+type csMaxValidityPeriodLongerThan39Months struct{}
+
+func NewCsMaxValidityPeriodLongerThan39Months() lint.CertificateLintInterface {
+	return &csMaxValidityPeriodLongerThan39Months{}
+}
+
+func (l *csMaxValidityPeriodLongerThan39Months) CheckApplies(c *x509.Certificate) bool {
+	return util.IsSubscriberCert(c)
+}
+
+func (l *csMaxValidityPeriodLongerThan39Months) Execute(c *x509.Certificate) *lint.LintResult {
+	// difference between notBefore and notAfter MUST not be longer than 39 months
+	maxValidity := c.NotBefore.AddDate(0, 39, 0)
+
+	if c.NotAfter.After(maxValidity) {
+		return &lint.LintResult{Status: lint.Error, Details: "Code Signing certificates must have a validity period of 39 months or less"}
+	}
+
+	return &lint.LintResult{Status: lint.Pass}
+}
diff --git a/v3/lints/cabf_cs_br/lint_cs_validity_period_longer_than_39_months_test.go b/v3/lints/cabf_cs_br/lint_cs_validity_period_longer_than_39_months_test.go
@@ -0,0 +1,40 @@
+package cabf_cs_br
+
+import (
+	"testing"
+
+	"github.com/zmap/zlint/v3/lint"
+	"github.com/zmap/zlint/v3/test"
+)
+
+func TestCsMaxValidityPeriod39Months(t *testing.T) {
+	testCases := []struct {
+		Name           string
+		InputFilename  string
+		ExpectedResult lint.LintStatus
+	}{
+		{
+			Name:           "pass - code signing certificate with validity period 39 months or less",
+			InputFilename:  "code_signing/validCodeSigningCertificate.pem",
+			ExpectedResult: lint.Pass,
+		},
+		{
+			Name:           "fail - code signing certificate with validity period longer than 39 months",
+			InputFilename:  "code_signing/validityPeriodLongerThan39Months.pem",
+			ExpectedResult: lint.Error,
+		},
+		{
+			Name:           "NE - code signing certificate issued on or after March 1st, 2026",
+			InputFilename:  "code_signing/validCodeSigningCertificateIssuedAfterMarch1st2026.pem",
+			ExpectedResult: lint.NE,
+		},
+	}
+	for _, tc := range testCases {
+		t.Run(tc.Name, func(t *testing.T) {
+			result := test.TestLint("e_cs_max_validity_period_39_months", tc.InputFilename)
+			if result.Status != tc.ExpectedResult {
+				t.Errorf("expected result %v was %v - details: %v", tc.ExpectedResult, result.Status, result.Details)
+			}
+		})
+	}
+}
diff --git a/v3/lints/cabf_cs_br/lint_cs_validity_period_longer_than_460_days.go b/v3/lints/cabf_cs_br/lint_cs_validity_period_longer_than_460_days.go
@@ -0,0 +1,49 @@
+package cabf_cs_br
+
+import (
+	"github.com/zmap/zcrypto/x509"
+
+	"github.com/zmap/zlint/v3/lint"
+	"github.com/zmap/zlint/v3/util"
+)
+
+/*
+6.3.2 Certificate operational periods and key pair usage periods
+For Code Signing Certificates issued before March 1st, 2026, the validity period MUST NOT exceed
+39 months. For Code Signing Certificates issued on or after March 1st, 2026, the validity period
+MUST NOT exceed 460 days.
+*/
+
+func init() {
+	lint.RegisterCertificateLint(&lint.CertificateLint{
+		LintMetadata: lint.LintMetadata{
+			Name:          "e_cs_max_validity_period_460_days",
+			Description:   "Code Signing certificate validity must not exceed 460 days for certificates issued on or after March 1st, 2026",
+			Citation:      "CS BR 6.3.2 - v3.10",
+			Source:        lint.CABFCSBaselineRequirements,
+			EffectiveDate: util.CABF_CS_CSC_31_Date,
+		},
+		Lint: NewCsMaxValidityPeriodLongerThan460Days,
+	})
+}
+
+type csMaxValidityPeriodLongerThan460Days struct{}
+
+func NewCsMaxValidityPeriodLongerThan460Days() lint.CertificateLintInterface {
+	return &csMaxValidityPeriodLongerThan460Days{}
+}
+
+func (l *csMaxValidityPeriodLongerThan460Days) CheckApplies(c *x509.Certificate) bool {
+	return util.IsSubscriberCert(c)
+}
+
+func (l *csMaxValidityPeriodLongerThan460Days) Execute(c *x509.Certificate) *lint.LintResult {
+	// difference between notBefore and notAfter MUST not be longer than 460 days
+	maxValidity := c.NotBefore.AddDate(0, 0, 460)
+
+	if c.NotAfter.After(maxValidity) {
+		return &lint.LintResult{Status: lint.Error, Details: "Code Signing certificates must have a validity period of 460 days or less"}
+	}
+
+	return &lint.LintResult{Status: lint.Pass}
+}
diff --git a/v3/lints/cabf_cs_br/lint_cs_validity_period_longer_than_460_days_test.go b/v3/lints/cabf_cs_br/lint_cs_validity_period_longer_than_460_days_test.go
@@ -0,0 +1,40 @@
+package cabf_cs_br
+
+import (
+	"testing"
+
+	"github.com/zmap/zlint/v3/lint"
+	"github.com/zmap/zlint/v3/test"
+)
+
+func TestCsMaxValidityPeriod460Days(t *testing.T) {
+	testCases := []struct {
+		Name           string
+		InputFilename  string
+		ExpectedResult lint.LintStatus
+	}{
+		{
+			Name:           "pass - code signing certificate with validity period 460 days or less",
+			InputFilename:  "code_signing/validCodeSigningCertificateIssuedAfterMarch1st2026.pem",
+			ExpectedResult: lint.Pass,
+		},
+		{
+			Name:           "fail - code signing certificate with validity period longer than 460 days",
+			InputFilename:  "code_signing/validityPeriodLongerThan460Days.pem",
+			ExpectedResult: lint.Error,
+		},
+		{
+			Name:           "NE - code signing certificate issued before March 1st, 2026",
+			InputFilename:  "code_signing/validCodeSigningCertificate.pem",
+			ExpectedResult: lint.NE,
+		},
+	}
+	for _, tc := range testCases {
+		t.Run(tc.Name, func(t *testing.T) {
+			result := test.TestLint("e_cs_max_validity_period_460_days", tc.InputFilename)
+			if result.Status != tc.ExpectedResult {
+				t.Errorf("expected result %v was %v - details: %v", tc.ExpectedResult, result.Status, result.Details)
+			}
+		})
+	}
+}
diff --git a/v3/testdata/code_signing/validCodeSigningCertificateIssuedAfterMarch1st2026.pem b/v3/testdata/code_signing/validCodeSigningCertificateIssuedAfterMarch1st2026.pem
@@ -0,0 +1,33 @@
+-----BEGIN CERTIFICATE-----
+MIIFtDCCBBygAwIBAgIRAITfgrve8ZlynKGF6VYa2YwwDQYJKoZIhvcNAQELBQAw
+TDEbMBkGA1UEAxMST1YgQ29kZSBTaWduaW5nIENBMQswCQYDVQQLEwJDQTETMBEG
+A1UEChMKRXhhbXBsZSBDbzELMAkGA1UEBhMCVVMwHhcNMjYwNTA0MDQxNzIzWhcN
+MjcwMjA0MDUxNzIzWjCBmDETMBEGA1UEAxMKRXhhbXBsZSBDbzETMBEGA1UEChMK
+RXhhbXBsZSBDbzEWMBQGA1UEBxMNTW91bnRhaW4gVmlldzETMBEGA1UECBMKQ2Fs
+aWZvcm5pYTELMAkGA1UEBhMCVVMxEzARBgsrBgEEAYI3PAIBAxMCVVMxHTAbBgNV
+BA8TFFByaXZhdGUgT3JnYW5pemF0aW9uMIIBojANBgkqhkiG9w0BAQEFAAOCAY8A
+MIIBigKCAYEAzxgjhynVT0Tpwfedv3oMlR/2vfIWNX7W+OFAMQV08bA3RpWtBf/x
+PG+WfuEkO53gRRjLws3Gj0s+QZXF/Xu5FpIshL0oBF/4eKIntTN7o8pAbtTPcMlh
+0XtWl0mEcsQNFdZadrufbFouwWXqILvfVBBa8MeZyEHB3sXmAcpYr1zMSf8sOOKv
+bOpwTp5jCngxcbpuPAX7FDScA4XFGXTbudhdzqYz8GNEcRRz/WzmwPFsTHj+Gbhi
+LDhJuaFcoj66jnjmprWR7uVVE63IxSCKTKB8c5pILt6NR57k74SSY6zAR+Q/E12s
+9tMswsymELYbUhXaxKDrucb7xAu0MxU+tPMHLeUrTAdSTCChc3sbKbuhbWXtXK1A
+nTpSxq++HVig7Uno3sx1paMM4IBFjb3cV5Nih9oVtpw88GOxFh3nz8oLSzEgAiG6
+nSWrIRjaM370ZmSbXKzvcTb+NXAqyU34RtZzt1zYUiQi//8g1gyO3PnZ10m+ZOyu
+sBFDLvqq5WetAgMBAAGjggFCMIIBPjAOBgNVHQ8BAf8EBAMCB4AwEwYDVR0lBAww
+CgYIKwYBBQUHAwMwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUMJ6ILqTUJgMMJ/1f
+EgSF019oCOowHwYDVR0jBBgwFoAUeAK8PmNbQi5PcHPTJtVF2RkKylAwWwYIKwYB
+BQUHAQEETzBNMCMGCCsGAQUFBzABhhdodHRwOi8vb2NzcC5leGFtcGxlLmNvbTAm
+BggrBgEFBQcwAoYaaHR0cDovL2V4YW1wbGUuY29tL2NhMS5jcnQwEwYDVR0gBAww
+CjAIBgZngQwBBAEwVwYDVR0fBFAwTjAloCOgIYYfaHR0cDovL2NybDEuZXhhbXBs
+ZS5jb20vY2ExLmNybDAloCOgIYYfaHR0cDovL2NybDIuZXhhbXBsZS5jb20vY2Ex
+LmNybDANBgkqhkiG9w0BAQsFAAOCAYEAsyIWm9Nh1loCFELNjl+BVds/j3Gzoqby
+wjiENsJz9tHET8zdi/96MXkGi8frLmQVDjd4TQ2k60dMTRae52QRi7Cy8j9IXH83
+USjNKCpLQu/WqDkL0rP02enSlJ3ehj1uPOEFUmsNsMoMVAQu71DrBT5AhjkmU27c
+ncCH/e6iudVjOOBtgf6cR3pLQPvKBstXp1dirEtFWUSSVueke2WapE0Wx258caoZ
+Im35csqKcDFNdiFyoVbWZzIm9KFigfSY8eGakqlGgWQuMUimfO8qwuncNaL6MRaI
+ywQQeIIU4Ny8Trv/bSkbi8zktje5uuNh9cbPjHnz3VBQGnQ+LISVbghvDxyrZWJw
+Vse2S01RC9QhQ+JsN62hCmV1E8Z+tvnC9bGxCKIaIhp0atqp7TJEWWJUMx+1pjtw
+9fYzpSzX89GDQxzQW5E/xAgKY3rtGuLwTAPE4o+mEV1ykDr2XgBirV/EXZdqWgPi
+nF1PAVnkJxLIXOvNpAx7tA+OPX7LyPcL
+-----END CERTIFICATE-----
diff --git a/v3/testdata/code_signing/validityPeriodLongerThan39Months.pem b/v3/testdata/code_signing/validityPeriodLongerThan39Months.pem
@@ -0,0 +1,33 @@
+-----BEGIN CERTIFICATE-----
+MIIFtDCCBBygAwIBAgIRAIf9WhYp8E+MzQnow7GxOncwDQYJKoZIhvcNAQELBQAw
+TDEbMBkGA1UEAxMST1YgQ29kZSBTaWduaW5nIENBMQswCQYDVQQLEwJDQTETMBEG
+A1UEChMKRXhhbXBsZSBDbzELMAkGA1UEBhMCVVMwHhcNMjYwMjA0MTc0MzAxWhcN
+MjkwNTA1MTY0MzAxWjCBmDETMBEGA1UEAxMKRXhhbXBsZSBDbzETMBEGA1UEChMK
+RXhhbXBsZSBDbzEWMBQGA1UEBxMNTW91bnRhaW4gVmlldzETMBEGA1UECBMKQ2Fs
+aWZvcm5pYTELMAkGA1UEBhMCVVMxEzARBgsrBgEEAYI3PAIBAxMCVVMxHTAbBgNV
+BA8TFFByaXZhdGUgT3JnYW5pemF0aW9uMIIBojANBgkqhkiG9w0BAQEFAAOCAY8A
+MIIBigKCAYEA2PxIaAHUHmcmQrQA/UkO3yhJg5ahWEebA7hPTt82YldK2Ny6Hd4R
+/0V1sK/pmlTPdW/SZmrYqAYSTmOcCQjEZ10JOfwhY/qsnR94PjBd4VSI9wBdS+Ms
+BkQDuDO+bGB3WMgMobw1NNkBgJMsDelXcpTTZRKC+HjG5+NbiGdgcbZ1BhtqXGK3
+IMSdDftXjZvQfvNG5DHZdEsVQJQllceK7sdzjv9K2mbrAfDAlhtQ39wgspDSZMJ6
+QBt14iOviBizd4uFNM+hdPDZfidAmrt+eg6ANiqUqSs3RKF/iJ/Hp9fU5Xh0uO6y
+rK//2NGrp+2ua+dSUn2mna+H/Tb1GXMScVAhLAV66bMucwbx4w0n3Xd1itTSBtFc
+gdzZjH70VdNNwyLzuUlQZ7VQ//ZUgXxxgpi1tINpb3ma/BeQZZgTkNdk78bdDb75
+ahpKNUcgYKie8Cf1sUhExMkquihIAkxskcKoyb7+1FR4PW/m71Qx6Hl9k/l3GOtU
+vVGTvDH51NwzAgMBAAGjggFCMIIBPjAOBgNVHQ8BAf8EBAMCB4AwEwYDVR0lBAww
+CgYIKwYBBQUHAwMwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUdSe11HA/USHEt/Wi
+rwytpIqSOUAwHwYDVR0jBBgwFoAUIw+Vp0TaKLcNOmsJzpw99Gy1gGQwWwYIKwYB
+BQUHAQEETzBNMCMGCCsGAQUFBzABhhdodHRwOi8vb2NzcC5leGFtcGxlLmNvbTAm
+BggrBgEFBQcwAoYaaHR0cDovL2V4YW1wbGUuY29tL2NhMS5jcnQwEwYDVR0gBAww
+CjAIBgZngQwBBAEwVwYDVR0fBFAwTjAloCOgIYYfaHR0cDovL2NybDEuZXhhbXBs
+ZS5jb20vY2ExLmNybDAloCOgIYYfaHR0cDovL2NybDIuZXhhbXBsZS5jb20vY2Ex
+LmNybDANBgkqhkiG9w0BAQsFAAOCAYEAdtKvw/T9iMj/W7BfbT4pEGirYm8ApeCn
+uT1yTAUVFrfJOKHlz1RWOb5d3MgkWORfwQDuViG8LvUbFb9khXMwKqCR00devqpB
+EaTJNZO9kbX4xoEuLjklaDflHb5ZrpOA+xwABIN8A1zqs9RA38F6MdIOZ/jwjVUG
+9I25M0ogO6pO7bGRKsuyJNlkv4PPMgQPdf7Jr8KfWpZV6ITPmmaNUnVeblyAgIIO
+0FDC5ZJNz/MdMKozXaZEvaeE2IWAUWJ1AAl+Y3sWbgg7+ORQBF/BdtGHsq8yip8n
+6x2Za/bOt7lMntFWp7XQiO6/X2o8DlIBK+7k8zsVdiJ4JzQ8sQyAfTmAaXSIh6EP
+YkF2FjtqMs9zYN6jkGXhxnGGvRDDOaK99D9Bk22zkg7TuGdeepNNCmNeOiTeeqjk
+F2vopS6AwaWYQHwYgNVAFi5ZFrXPnWet/d3TmQtmjXDmJiYEHJ0MRcqJP75g8Rw/
+Npm1qgeXCAtrI2XrS2865Sjjj154s29U
+-----END CERTIFICATE-----
diff --git a/v3/testdata/code_signing/validityPeriodLongerThan460Days.pem b/v3/testdata/code_signing/validityPeriodLongerThan460Days.pem
@@ -0,0 +1,28 @@
+-----BEGIN CERTIFICATE-----
+MIIEszCCA5ugAwIBAgIQbXnovJsbDIsvyPhHfPPcnjANBgkqhkiG9w0BAQsFADBM
+MRswGQYDVQQDExJPViBDb2RlIFNpZ25pbmcgQ0ExCzAJBgNVBAsTAkNBMRMwEQYD
+VQQKEwpFeGFtcGxlIENvMQswCQYDVQQGEwJVUzAeFw0yNjA1MDQwMjQ5MDBaFw0y
+ODAyMDQwMzQ5MDBaMIGYMRMwEQYDVQQDEwpFeGFtcGxlIENvMRMwEQYDVQQKEwpF
+eGFtcGxlIENvMRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MRMwEQYDVQQIEwpDYWxp
+Zm9ybmlhMQswCQYDVQQGEwJVUzETMBEGCysGAQQBgjc8AgEDEwJVUzEdMBsGA1UE
+DxMUUHJpdmF0ZSBPcmdhbml6YXRpb24wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
+ggEKAoIBAQC+nIn7B3L78pZY8LgbA7NCVgw0ExWgaa0rZ3WzB01cO4veghrkC/OM
+CU5OnLIurEOoMY1cJ87N5Qq4fC9ezEc6mI1Vm+VJm5lquXc/uyz1dviLtuHCLnzI
+yErkd/vu0Z6QolfXpJ5BU3uf2JMicSntFfJiD2zErrqIvAlcymAIv8Xs5s3fedbp
+/4mPrt10HvC5AHdqMda+ljc8ATsmPIGSr5H7aNxF845yukCy3aptXZivyD1+4ij4
+52DNIFEOcu77FcJ9y5Z88TCpYc5iUH+oFSLmrwun6dD5Dgb4CN8RwBCleI3nyzp7
+iV/lIkI3QiyGhtVjl730jqecgF/AFuaJAgMBAAGjggFCMIIBPjAOBgNVHQ8BAf8E
+BAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwMwDAYDVR0TAQH/BAIwADAdBgNVHQ4E
+FgQUQYxYxLRl0WE3lymTNUbXZJPKI9gwHwYDVR0jBBgwFoAUHMie1tQ4T4A6FXCD
+TaOvurwdiPIwWwYIKwYBBQUHAQEETzBNMCMGCCsGAQUFBzABhhdodHRwOi8vb2Nz
+cC5leGFtcGxlLmNvbTAmBggrBgEFBQcwAoYaaHR0cDovL2V4YW1wbGUuY29tL2Nh
+MS5jcnQwEwYDVR0gBAwwCjAIBgZngQwBBAEwVwYDVR0fBFAwTjAloCOgIYYfaHR0
+cDovL2NybDEuZXhhbXBsZS5jb20vY2ExLmNybDAloCOgIYYfaHR0cDovL2NybDIu
+ZXhhbXBsZS5jb20vY2ExLmNybDANBgkqhkiG9w0BAQsFAAOCAQEAHjs6qTKbwGUl
+4Fe7sp06PIB/4h4rrN0BfSVfpbp18T6TL9X5nU3U662Uf2fvXUyucvB4XWBGmyYb
+C2ul25MAJMzzpm7seb/wuSDiFAM7+F9znxL7xCi3VYh7OaCcDzX6NfsTFD3hZIlM
+gT9cxvwgOMS75KMZbnVzHM0f8pqOMKBBBhHhKqJ/wF2h120yX4I/WX4/pShA575o
+4u0plkM8phsdsjJSXmZSpqilPDNPh5thC5hsoMBitplKjlbzRV60BZK1F6w+eQR8
+TYL7lc4IeYDbfXNKoIkZI3lfW+VvmppMXiy/IyeGvtdqfXCi0BX5aVy99TmiNpiw
+m+10xgyiew==
+-----END CERTIFICATE-----
diff --git a/v3/util/time.go b/v3/util/time.go
@@ -106,6 +106,7 @@ var (
 	// Date when section 9.2.8 of CABF EVG became effective
 	CABFEV_Sec9_2_8_Date        = time.Date(2020, time.January, 31, 0, 0, 0, 0, time.UTC)
 	CABF_CS_BRs_1_2_Date        = time.Date(2019, time.August, 13, 0, 0, 0, 0, time.UTC)
+	CABF_CS_CSC_31_Date         = time.Date(2026, time.March, 1, 0, 0, 0, 0, time.UTC)
 	CABF_SC081_FIRST_MILESTONE  = time.Date(2026, time.March, 15, 0, 0, 0, 0, time.UTC)
 	CABF_SC081_SECOND_MILESTONE = time.Date(2027, time.March, 15, 0, 0, 0, 0, time.UTC)
 	CABF_SC081_THIRD_MILESTONE  = time.Date(2029, time.March, 15, 0, 0, 0, 0, time.UTC)