crypto/x509: ParseRevocationList accepts having both onlyContainsUserCerts and onlyContainsCACerts set to true

[onepeople158]

Go version

go version go1.24.2 linux/amd64

Output of go env in your module/workspace:

IDP Extension Flags:
 Only Contains User Certificates: true
 Only Contains CA Certificates: true
 Indirect CRL: false

What did you do?

I successfully parsed the information from a CRL file using Go, where both onlyContainsUserCerts and onlyContainsCACerts are set to True, and there were no errors. Is this a bug?Since Go does not have a direct API to parse the IDP value, I'm not sure if this is a bug, or if I need to implement error detection for this in the code myself.

What did you see happen?

Go parsed a CRL file where both onlyContainsUserCerts and onlyContainsCACerts are set to True

What did you expect to see?

crl_IDP_ou_oa.zip

[gabyhelp]

Related Issues

• crypto/x509: Go accepts the IDP extension with DER encoding as an empty sequence #73284
• crypto/x509: Go parsed a GeneralName with an incorrect tag. #73285

_{(Emoji vote if this was helpful or unhelpful; more detailed feedback welcome in this discussion.)}