crypto/x509/pkix: make 'v1' the default CRL version.

PKIX versions are off-by-one, so v1 is actually a zero on the wire, v2 is a one, and so on. The RFC says that the version in a CRL is optional, but doesn't say what the default is. Since v2 is the only accepted version, I had made the default v2. However, OpenSSL considers the default to be v1. Also, if the default is v2 and the element is optional then we'll never actually write v2 on the wire. That's contrary to the RFC which clearly assumes that v2 will be expressed on the wire in some cases. Therefore, this change aligns with OpenSSL and assumes that v1 is the default CRL version. Fixes #13931 [1] https://tools.ietf.org/html/rfc5280#section-5.1 Change-Id: Ic0f638ebdd21981d92a99a882affebf3a77ab71a Reviewed-on: https://go-review.googlesource.com/20544 Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2024-10-02 04:18:33 -06:00 · 2016-03-10 14:25:50 -08:00 · 2016-03-10 14:25:50 -08:00 · 09d40378b9
commit 09d40378b9
parent 1b8d4caddb
1 changed files with 1 additions and 1 deletions
--- a/src/crypto/x509/pkix/pkix.go
+++ b/src/crypto/x509/pkix/pkix.go
@ -177,7 +177,7 @@ func (certList *CertificateList) HasExpired(now time.Time) bool {
 // 5280, section 5.1.
 type TBSCertificateList struct {
 	Raw                 asn1.RawContent
-	Version             int `asn1:"optional,default:1"`
+	Version             int `asn1:"optional,default:0"`
 	Signature           AlgorithmIdentifier
 	Issuer              RDNSequence
 	ThisUpdate          time.Time