crypto/x509: CreateRevocationList() does not enforce that the CRL Number is at most 20 octets #53543
Labels
FrozenDueToAge
NeedsInvestigation
Someone must examine and confirm this is a valid issue and not a duplicate of an existing one.
Milestone
Comments
|
CC @golang/security @rolandshoemaker |
ianlancetaylor
added
the
NeedsInvestigation
|
Change https://go.dev/cl/415134 mentions this issue: |
jproberts
pushed a commit
to jproberts/go
that referenced
this issue
Aug 10, 2022
Similar to certificate serial numbers, RFC 5280 restricts the length of the CRL number field to no more than 20 octets. Enforce this in CreateRevocationList. Fixes golang#53543 Change-Id: If392ef6b0844db716ae9ee6ef317135fceab039c Reviewed-on: https://go-review.googlesource.com/c/go/+/415134 Auto-Submit: Roland Shoemaker <roland@golang.org> Reviewed-by: Tatiana Bradley <tatiana@golang.org> Reviewed-by: Damien Neil <dneil@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> Run-TryBot: Roland Shoemaker <roland@golang.org>
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
What version of Go are you using (
go version)?Does this issue reproduce with the latest release?
Yes.
What did you do?
I created a CRL template containing a very large CRL Number. I passed this template to
CreateRevocationList.See https://go.dev/play/p/EcM1FoNQb_P for a running example.
What did you expect to see?
An error, because
CreateRevocationList()says that it "creates a new X.509 v2 Certificate Revocation List, according to RFC 5280", but RFC 5280 says "Conforming CRL issuers MUST NOT use CRLNumber values longer than 20 octets.".What did you see instead?
Success, and the creation of a CRL whose CRLNumber is longer than 20 octets.
The text was updated successfully, but these errors were encountered: