crypto/x509: CreateRevocationList() does not enforce that the CRL Number is at most 20 octets #53543
What version of Go are you using (go version)?
Does this issue reproduce with the latest release?
Yes.
What did you do?
I created a CRL template containing a very large CRL Number. I passed this template to CreateRevocationList.
See https://go.dev/play/p/EcM1FoNQb_P for a running example.
What did you expect to see?
An error, because CreateRevocationList() says that it "creates a new X.509 v2 Certificate Revocation List, according to RFC 5280", but RFC 5280 says "Conforming CRL issuers MUST NOT use CRLNumber values longer than 20 octets."
What did you see instead?
Success, and the creation of a CRL whose CRLNumber is longer than 20 octets.
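A pre-flight check a caller could run before CreateRevocationList, added here as an example (it is not code from the issue or from the Go project). The helper names are hypothetical, and it assumes the 20-octet limit is counted on the DER INTEGER content octets, including the leading 0x00 octet that a value with its top bit set requires.

```go
package main

import (
	"crypto"
	"crypto/x509"
	"errors"
	"fmt"
	"io"
	"math/big"
)

// maxCRLNumberOctets is the RFC 5280 limit quoted in the issue.
const maxCRLNumberOctets = 20

// derIntegerLen returns the content-octet count of the DER INTEGER encoding
// of a non-negative n. DER integers are two's complement, so a value whose
// top bit is set gains a leading 0x00 octet; zero encodes as one octet.
func derIntegerLen(n *big.Int) int {
	return n.BitLen()/8 + 1
}

// checkCRLNumber (hypothetical helper) rejects CRL Numbers that a conforming
// issuer must not emit: missing, negative, or longer than 20 octets.
func checkCRLNumber(n *big.Int) error {
	if n == nil || n.Sign() < 0 {
		return errors.New("CRL number must be a non-negative integer")
	}
	if l := derIntegerLen(n); l > maxCRLNumberOctets {
		return fmt.Errorf("CRL number encodes to %d octets, limit is %d", l, maxCRLNumberOctets)
	}
	return nil
}

// createRevocationListStrict (hypothetical wrapper) validates the template's
// Number first, then defers to the standard library to build and sign the CRL.
func createRevocationListStrict(rand io.Reader, tmpl *x509.RevocationList, issuer *x509.Certificate, priv crypto.Signer) ([]byte, error) {
	if err := checkCRLNumber(tmpl.Number); err != nil {
		return nil, fmt.Errorf("refusing to sign CRL: %w", err)
	}
	return x509.CreateRevocationList(rand, tmpl, issuer, priv)
}

func main() {
	// Constructed sample value: 2^159 is the smallest number needing 21 octets.
	tooBig := new(big.Int).Lsh(big.NewInt(1), 159)
	_, err := createRevocationListStrict(nil, &x509.RevocationList{Number: tooBig}, nil, nil)
	fmt.Println(err)
}
```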