crypto/x509/pkix: change the semantics of the expiration of a CRL #22568

@nhooyr

I'm talking about changing this function:

func (certList *CertificateList) HasExpired(now time.Time) bool {

Presently, the way CertificateList.HasExpired works is by checking whether the now time.Time argument is after the next update. However, RFC 5280 Section 5 defines the nextUpdate field as the date by which the next CRL will be issued. Thus, at the nextUpdate time, the next CRL must have been issued and so the one we have now is expired. Thus, CertificateList.HasExpired should consider a CRL expired if nextUpdate is equal to now.

I've already submitted a patch for this at https://go-review.googlesource.com/c/go/+/71972
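
The boundary case the issue describes, as an added example that is not part of the original issue or the Go source. The helper names (`expiredAfter`, `expiredAtOrAfter`, `disagreements`, `sampleCRL`) are hypothetical and the nextUpdate value is constructed; the two checks differ only at the exact nextUpdate instant, whatever time zone `now` is expressed in.

```go
package main

import (
	"crypto/x509/pkix"
	"fmt"
	"time"
)

// expiredAfter: behaviour the issue describes as current (strictly after nextUpdate).
func expiredAfter(crl *pkix.CertificateList, now time.Time) bool {
	return now.After(crl.TBSCertList.NextUpdate)
}

// expiredAtOrAfter: behaviour the issue proposes (expired once now reaches nextUpdate).
func expiredAtOrAfter(crl *pkix.CertificateList, now time.Time) bool {
	return !now.Before(crl.TBSCertList.NextUpdate)
}

// disagreements returns the probe instants on which the two checks differ.
func disagreements(crl *pkix.CertificateList, probes []time.Time) []time.Time {
	var out []time.Time
	for _, t := range probes {
		if expiredAfter(crl, t) != expiredAtOrAfter(crl, t) {
			out = append(out, t)
		}
	}
	return out
}

// sampleCRL builds a constructed list; only NextUpdate is populated.
func sampleCRL() (*pkix.CertificateList, time.Time) {
	next := time.Date(2017, 11, 3, 12, 0, 0, 0, time.UTC) // constructed value
	return &pkix.CertificateList{TBSCertList: pkix.TBSCertificateList{NextUpdate: next}}, next
}

func main() {
	crl, next := sampleCRL()
	probes := []time.Time{
		next.Add(-time.Nanosecond),
		next,
		next.In(time.FixedZone("UTC+9", 9*3600)), // same instant, other zone
		next.Add(time.Nanosecond),
	}
	for _, t := range probes {
		fmt.Printf("%-36s after=%-5v atOrAfter=%v\n", t.Format(time.RFC3339Nano), expiredAfter(crl, t), expiredAtOrAfter(crl, t))
	}
	fmt.Println("probes where the checks disagree:", len(disagreements(crl, probes)))
}
```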
