diff options
| author | Aaron Gable <aaron@letsencrypt.org> | 2022-06-28 15:28:21 -0700 |
|---|---|---|
| committer | Gopher Robot <gobot@golang.org> | 2022-07-07 19:26:16 +0000 |
| commit | 486fc0177068277a51235c7794660b238e70d622 (patch) | |
| tree | 329d84b700a36e37fac1334c6eeabeaab66207e0 | |
| parent | 8ac58de1857637f372a00ea16ab5497193b784a6 (diff) | |
| download | go-486fc0177068277a51235c7794660b238e70d622.tar.gz go-486fc0177068277a51235c7794660b238e70d622.zip | |
crypto/x509: correctly parse CRL entry extensions
When checking to see if a CRL entry has any extensions, attempt to read
them from the individual revokedCertificate, rather than from the parent
TBSCertList.
Additionally, crlEntryExtensions is not an EXPLICIT field (c.f.
crlExtension and Certificate extensions), so do not perform an extra
layer of unwrapping when parsing the field.
The added test case fails without the accompanying changes.
Fixes #53592
Change-Id: Icc00e4c911f196aef77e3248117de64ddc5ea27f
Reviewed-on: https://go-review.googlesource.com/c/go/+/414877
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-by: Roland Shoemaker <roland@golang.org>
Run-TryBot: Roland Shoemaker <roland@golang.org>
Auto-Submit: Roland Shoemaker <roland@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
| -rw-r--r-- | src/crypto/x509/parser.go | 5 | ||||
| -rw-r--r-- | src/crypto/x509/x509_test.go | 28 |
2 files changed, 29 insertions, 4 deletions
diff --git a/src/crypto/x509/parser.go b/src/crypto/x509/parser.go index cd87044d17..a2d3d80964 100644 --- a/src/crypto/x509/parser.go +++ b/src/crypto/x509/parser.go @@ -1106,13 +1106,10 @@ func ParseRevocationList(der []byte) (*RevocationList, error) { } var extensions cryptobyte.String var present bool - if !tbs.ReadOptionalASN1(&extensions, &present, cryptobyte_asn1.SEQUENCE) { + if !certSeq.ReadOptionalASN1(&extensions, &present, cryptobyte_asn1.SEQUENCE) { return nil, errors.New("x509: malformed extensions") } if present { - if !extensions.ReadASN1(&extensions, cryptobyte_asn1.SEQUENCE) { - return nil, errors.New("x509: malformed extensions") - } for !extensions.Empty() { var extension cryptobyte.String if !extensions.ReadASN1(&extension, cryptobyte_asn1.SEQUENCE) { diff --git a/src/crypto/x509/x509_test.go b/src/crypto/x509/x509_test.go index 594ee1dceb..cddad1e246 100644 --- a/src/crypto/x509/x509_test.go +++ b/src/crypto/x509/x509_test.go @@ -2525,6 +2525,34 @@ func TestCreateRevocationList(t *testing.T) { }, }, { + name: "valid, extra entry extension", + key: ec256Priv, + issuer: &Certificate{ + KeyUsage: KeyUsageCRLSign, + Subject: pkix.Name{ + CommonName: "testing", + }, + SubjectKeyId: []byte{1, 2, 3}, + }, + template: &RevocationList{ + RevokedCertificates: []pkix.RevokedCertificate{ + { + SerialNumber: big.NewInt(2), + RevocationTime: time.Time{}.Add(time.Hour), + Extensions: []pkix.Extension{ + { + Id: []int{2, 5, 29, 99}, + Value: []byte{5, 0}, + }, + }, + }, + }, + Number: big.NewInt(5), + ThisUpdate: time.Time{}.Add(time.Hour * 24), + NextUpdate: time.Time{}.Add(time.Hour * 48), + }, + }, + { name: "valid, Ed25519 key", key: ed25519Priv, issuer: &Certificate{ |