From 09d40378b946f363c9c351c2fdc8be30a09b238d Mon Sep 17 00:00:00 2001 From: Adam Langley Date: Thu, 10 Mar 2016 14:25:50 -0800 Subject: [PATCH] crypto/x509/pkix: make 'v1' the default CRL version. PKIX versions are off-by-one, so v1 is actually a zero on the wire, v2 is a one, and so on. The RFC says that the version in a CRL is optional, but doesn't say what the default is. Since v2 is the only accepted version, I had made the default v2. However, OpenSSL considers the default to be v1. Also, if the default is v2 and the element is optional then we'll never actually write v2 on the wire. That's contrary to the RFC which clearly assumes that v2 will be expressed on the wire in some cases. Therefore, this change aligns with OpenSSL and assumes that v1 is the default CRL version. Fixes #13931 [1] https://tools.ietf.org/html/rfc5280#section-5.1 Change-Id: Ic0f638ebdd21981d92a99a882affebf3a77ab71a Reviewed-on: https://go-review.googlesource.com/20544 Reviewed-by: Brad Fitzpatrick --- src/crypto/x509/pkix/pkix.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/crypto/x509/pkix/pkix.go b/src/crypto/x509/pkix/pkix.go index 1b3e3c0440..faad4061fc 100644 --- a/src/crypto/x509/pkix/pkix.go +++ b/src/crypto/x509/pkix/pkix.go @@ -177,7 +177,7 @@ func (certList *CertificateList) HasExpired(now time.Time) bool { // 5280, section 5.1. type TBSCertificateList struct { Raw asn1.RawContent - Version int `asn1:"optional,default:1"` + Version int `asn1:"optional,default:0"` Signature AlgorithmIdentifier Issuer RDNSequence ThisUpdate time.Time