crypto/x509: correctly parse CRL entry extensions

When checking to see if a CRL entry has any extensions, attempt to read them from the individual revokedCertificate, rather than from the parent TBSCertList. Additionally, crlEntryExtensions is not an EXPLICIT field (c.f. crlExtension and Certificate extensions), so do not perform an extra layer of unwrapping when parsing the field. The added test case fails without the accompanying changes. Fixes #53592 Change-Id: Icc00e4c911f196aef77e3248117de64ddc5ea27f Reviewed-on: https://go-review.googlesource.com/c/go/+/414877 Reviewed-by: Damien Neil <dneil@google.com> Reviewed-by: Roland Shoemaker <roland@golang.org> Run-TryBot: Roland Shoemaker <roland@golang.org> Auto-Submit: Roland Shoemaker <roland@golang.org> TryBot-Result: Gopher Robot <gobot@golang.org>
2024-09-29 01:34:32 -06:00 · 2022-06-28 15:28:21 -07:00 · 2022-06-28 15:28:21 -07:00 · 486fc01770
commit 486fc01770
parent 8ac58de185
2 changed files with 29 additions and 4 deletions
--- a/src/crypto/x509/parser.go
+++ b/src/crypto/x509/parser.go
@ -1106,13 +1106,10 @@ func ParseRevocationList(der []byte) (*RevocationList, error) {
 			}
 			var extensions cryptobyte.String
 			var present bool
-			if !tbs.ReadOptionalASN1(&extensions, &present, cryptobyte_asn1.SEQUENCE) {
+			if !certSeq.ReadOptionalASN1(&extensions, &present, cryptobyte_asn1.SEQUENCE) {
 				return nil, errors.New("x509: malformed extensions")
 			}
 			if present {
-				if !extensions.ReadASN1(&extensions, cryptobyte_asn1.SEQUENCE) {
-					return nil, errors.New("x509: malformed extensions")
-				}
 				for !extensions.Empty() {
 					var extension cryptobyte.String
 					if !extensions.ReadASN1(&extension, cryptobyte_asn1.SEQUENCE) {
--- a/src/crypto/x509/x509_test.go
+++ b/src/crypto/x509/x509_test.go
@ -2524,6 +2524,34 @@ func TestCreateRevocationList(t *testing.T) {
 				NextUpdate: time.Time{}.Add(time.Hour * 48),
 			},
 		},
+		{
+			name: "valid, extra entry extension",
+			key:  ec256Priv,
+			issuer: &Certificate{
+				KeyUsage: KeyUsageCRLSign,
+				Subject: pkix.Name{
+					CommonName: "testing",
+				},
+				SubjectKeyId: []byte{1, 2, 3},
+			},
+			template: &RevocationList{
+				RevokedCertificates: []pkix.RevokedCertificate{
+					{
+						SerialNumber:   big.NewInt(2),
+						RevocationTime: time.Time{}.Add(time.Hour),
+						Extensions: []pkix.Extension{
+							{
+								Id:    []int{2, 5, 29, 99},
+								Value: []byte{5, 0},
+							},
+						},
+					},
+				},
+				Number:     big.NewInt(5),
+				ThisUpdate: time.Time{}.Add(time.Hour * 24),
+				NextUpdate: time.Time{}.Add(time.Hour * 48),
+			},
+		},
 		{
 			name: "valid, Ed25519 key",
 			key:  ed25519Priv,