crypto/x509: CRL generated by Certificate.CreateCRL is still version 1 #13931

Closed
hujun-open opened this issue Jan 13, 2016 · 3 comments

@hujun-open hujun-open commented Jan 13, 2016

I think the majority of applications today that use certificates/CRLs use (or expect) version 2.
Plus, I checked the source code of x509.go: the function CreateCRL uses pkix.TBSCertificateList, and line 1650 initializes the version to 1.
However, according to the Go doc, quote: "TBSCertificateList represents the ASN.1 structure of the same name. See RFC 5280, section 5.1." But RFC 5280 is the profile for CRL v2, not v1, so I think that if TBSCertificateList follows RFC 5280, then the created CRL should be v2.

The following is a snippet of a CRL generated by Go 1.5.2 on windows/amd64:

    [SVR ~]$ openssl crl -in crl.crl -text -inform der|more
    Certificate Revocation List (CRL):
            Version 1 (0x0)
        Signature Algorithm: sha256WithRSAEncryption
            Issuer: /CN=EXAMPLEROOTCA
            Last Update: Nov 10 23:00:00 2009 GMT
            Next Update: Nov 10 23:00:00 2019 GMT
            CRL extensions:
                X509v3 Authority Key Identifier:
                    keyid:9B:C9:78:89:2F:90:86:71:98:77:87:19:98:CC:E8:09:A9:48:95:12

    Revoked Certificates:
        Serial Number: 01
            Revocation Date: Nov 10 23:00:00 2010 GMT
        Serial Number: 02
            Revocation Date: Nov 10 23:00:00 2010 GMT
    ....

@mdempsky mdempsky changed the title CRL generated by crypto/x509/Certificate.CreateCRL is still version 1 crypto/x509: CRL generated by Certificate.CreateCRL is still version 1 Jan 13, 2016

@mdempsky mdempsky commented Jan 13, 2016

/cc @agl

@bradfitz bradfitz added this to the Go1.7 milestone Jan 21, 2016
@agl agl self-assigned this Jan 31, 2016

@agl agl commented Mar 10, 2016

What's happening is that v2 is being specified, but it's also set as the default value of that ASN.1 element. Therefore it's not getting written because it's the default and the element is optional.

OpenSSL considers the default to be v1 and the RFC doesn't say. https://go-review.googlesource.com/#/c/20544/ sets the default to be v1 so that the version will get written out.
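
The DEFAULT-elision behaviour described in the comment above, and the "Version 1 (0x0)" the reporter saw from openssl in the first comment, reproduced with encoding/asn1. This is an added example, not code from the Go project or from this thread: the two struct types, their tags and the helper names are constructed stand-ins for the head of TBSCertList, not the real pkix.TBSCertificateList, and the issuer string is made up.

```go
package main

import (
	"encoding/asn1"
	"encoding/hex"
	"fmt"
)

// Constructed stand-ins for the start of TBSCertList (RFC 5280, section 5.1):
// only the version field and one following element, so the DER is short enough
// to read by eye. They are not the real pkix.TBSCertificateList.
//
// CRL v2 is encoded as INTEGER 1 (v1 is INTEGER 0). With "default:1", a value
// of 1 equals the declared DEFAULT, so encoding/asn1 leaves the element out,
// and a decoder that assumes DEFAULT v1 (as OpenSSL does) reports "Version 1 (0x0)".
type tbsHeadDefaultV2 struct {
	Version int `asn1:"optional,default:1"`
	Issuer  string
}

// With "default:0" (DEFAULT v1, the direction of the fix), a value of 1 differs
// from the DEFAULT and is written out, so the CRL decodes as v2 everywhere.
type tbsHeadDefaultV1 struct {
	Version int `asn1:"optional,default:0"`
	Issuer  string
}

// encodeHead marshals the v2 version number (1) under one of the two DEFAULT
// declarations and returns the DER.
func encodeHead(defaultIsV2 bool) ([]byte, error) {
	if defaultIsV2 {
		return asn1.Marshal(tbsHeadDefaultV2{Version: 1, Issuer: "EXAMPLEROOTCA"})
	}
	return asn1.Marshal(tbsHeadDefaultV1{Version: 1, Issuer: "EXAMPLEROOTCA"})
}

// explicitVersion reports whether the outer DER SEQUENCE begins with an
// INTEGER (i.e. the version element is really on the wire) and, if so, its
// value. A relying party that does not assume a DEFAULT has nothing else to go on.
func explicitVersion(der []byte) (present bool, version int, err error) {
	var seq asn1.RawValue
	rest, err := asn1.Unmarshal(der, &seq)
	if err != nil {
		return false, 0, err
	}
	if len(rest) != 0 || seq.Class != asn1.ClassUniversal || seq.Tag != asn1.TagSequence {
		return false, 0, fmt.Errorf("expected a single universal SEQUENCE")
	}
	if len(seq.Bytes) == 0 || seq.Bytes[0] != asn1.TagInteger {
		return false, 0, nil // first element is not an INTEGER: version was omitted
	}
	if _, err := asn1.Unmarshal(seq.Bytes, &version); err != nil {
		return false, 0, err
	}
	return true, version, nil
}

func main() {
	for _, defaultIsV2 := range []bool{true, false} {
		der, err := encodeHead(defaultIsV2)
		if err != nil {
			panic(err)
		}
		present, v, err := explicitVersion(der)
		if err != nil {
			panic(err)
		}
		fmt.Printf("default:%d  der=%s  version present=%v value=%d\n",
			map[bool]int{true: 1, false: 0}[defaultIsV2], hex.EncodeToString(der), present, v)
	}
}
```

Run it and compare the two DER strings: under `default:1` the SEQUENCE starts directly with the issuer element, so any consumer that treats an absent version as v1 (OpenSSL, as noted above) will print the v1 line seen in the report; under `default:0` the encoding begins with `02 01 01`, an explicit INTEGER 1, which is what a v2 CRL needs on the wire.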


@gopherbot gopherbot commented Mar 10, 2016

CL https://golang.org/cl/20544 mentions this issue.

@gopherbot gopherbot closed this in 09d4037 Mar 10, 2016
@golang golang locked and limited conversation to collaborators Mar 13, 2017