1
0
mirror of https://github.com/golang/go synced 2024-11-19 12:34:47 -07:00

crypto/x509/pkix: make 'v1' the default CRL version.

PKIX versions are off-by-one, so v1 is actually a zero on the wire, v2
is a one, and so on.

The RFC says that the version in a CRL is optional, but doesn't say what
the default is. Since v2 is the only accepted version, I had made the
default v2. However, OpenSSL considers the default to be v1. Also, if
the default is v2 and the element is optional then we'll never actually
write v2 on the wire. That's contrary to the RFC which clearly assumes
that v2 will be expressed on the wire in some cases.

Therefore, this change aligns with OpenSSL and assumes that v1 is the
default CRL version.

Fixes #13931

[1] https://tools.ietf.org/html/rfc5280#section-5.1

Change-Id: Ic0f638ebdd21981d92a99a882affebf3a77ab71a
Reviewed-on: https://go-review.googlesource.com/20544
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
This commit is contained in:
Adam Langley 2016-03-10 14:25:50 -08:00
parent 1b8d4caddb
commit 09d40378b9

View File

@ -177,7 +177,7 @@ func (certList *CertificateList) HasExpired(now time.Time) bool {
// 5280, section 5.1. // 5280, section 5.1.
type TBSCertificateList struct { type TBSCertificateList struct {
Raw asn1.RawContent Raw asn1.RawContent
Version int `asn1:"optional,default:1"` Version int `asn1:"optional,default:0"`
Signature AlgorithmIdentifier Signature AlgorithmIdentifier
Issuer RDNSequence Issuer RDNSequence
ThisUpdate time.Time ThisUpdate time.Time