crypto/x509: CRL generated by Certificate.CreateCRL is still version 1 #13931
Labels
Milestone
Comments
mdempsky
changed the title
|
/cc @agl |
|
What's happening is that v2 is being specified, but it's also set as the default value of that ASN.1 element. Therefore it's not getting written because it's the default and the element is optional. OpenSSL considers the default to be v1 and the RFC doesn't say. https://go-review.googlesource.com/#/c/20544/ sets the default to be v1 so that the version will get written out. |
|
CL https://golang.org/cl/20544 mentions this issue. |
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
I think majority applications today that use certificate/CRL uses (or expects) version 2.
Plus,I checked the source code of x509.go, the function CreateCRL uses pkix.TBSCertificateList, and line 1650 initialize the version =1.
however according to the Go DOC, quote here "TBSCertificateList represents the ASN.1 structure of the same name. See RFC 5280, section 5.1.", but RFC5280 is profile for CRLv2, not v1. so I think if TBSCertificateList following RFC5280, then the created CRL should be v2.
following is the snip of a CRL generated by Go 1.5.2 on windows/amd64:
[SVR ~]$ openssl crl -in crl.crl -text -inform der|more
Certificate Revocation List (CRL):
Version 1 (0x0)
Signature Algorithm: sha256WithRSAEncryption
Issuer: /CN=EXAMPLEROOTCA
Last Update: Nov 10 23:00:00 2009 GMT
Next Update: Nov 10 23:00:00 2019 GMT
CRL extensions:
X509v3 Authority Key Identifier:
keyid:9B:C9:78:89:2F:90:86:71:98:77:87:19:98:CC:E8:09:A9:48:95:12
Revoked Certificates:
Serial Number: 01
Revocation Date: Nov 10 23:00:00 2010 GMT
Serial Number: 02
Revocation Date: Nov 10 23:00:00 2010 GMT
....
The text was updated successfully, but these errors were encountered: