qbit/go
1
0
Fork 0
mirror of https://github.com/golang/go synced 2024-11-16 20:14:48 -07:00
Code Releases Activity

crypto/x509: restrict CRL number to <=20 octets

Browse Source 
Similar to certificate serial numbers, RFC 5280 restricts the length of
the CRL number field to no more than 20 octets. Enforce this in
CreateRevocationList.

Fixes #53543

Change-Id: If392ef6b0844db716ae9ee6ef317135fceab039c
Reviewed-on: https://go-review.googlesource.com/c/go/+/415134
Auto-Submit: Roland Shoemaker <roland@golang.org>
Reviewed-by: Tatiana Bradley <tatiana@golang.org>
Reviewed-by: Damien Neil <dneil@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Roland Shoemaker <roland@golang.org>
This commit is contained in:
Roland Shoemaker 2022-06-29 11:30:47 -07:00 committed by Gopher Robot
parent 486fc01770
commit c177d9d98a
2 changed files with 38 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
src/crypto/x509/x509.go
View File

@ -2196,6 +2196,10 @@ func CreateRevocationList(rand io.Reader, template *RevocationList, issuer *Cert
if err != nil { if err != nil {
return nil, err return nil, err
} }
if numBytes := template.Number.Bytes(); len(numBytes) > 20 || (len(numBytes) == 20 && numBytes[0]&0x80 != 0) {
return nil, errors.New("x509: CRL number exceeds 20 octets")
}
crlNum, err := asn1.Marshal(template.Number) crlNum, err := asn1.Marshal(template.Number)
if err != nil { if err != nil {
return nil, err return nil, err

34
src/crypto/x509/x509_test.go
View File

@ -2478,6 +2478,40 @@ func TestCreateRevocationList(t *testing.T) {
}, },
expectedError: "x509: template contains nil Number field", expectedError: "x509: template contains nil Number field",
}, },
{
name: "long Number",
key: ec256Priv,
issuer: &Certificate{
KeyUsage: KeyUsageCRLSign,
Subject: pkix.Name{
CommonName: "testing",
},
SubjectKeyId: []byte{1, 2, 3},
},
template: &RevocationList{
ThisUpdate: time.Time{}.Add(time.Hour * 24),
NextUpdate: time.Time{}.Add(time.Hour * 48),
Number: big.NewInt(0).SetBytes(append([]byte{1}, make([]byte, 20)...)),
},
expectedError: "x509: CRL number exceeds 20 octets",
},
{
name: "long Number (20 bytes, MSB set)",
key: ec256Priv,
issuer: &Certificate{
KeyUsage: KeyUsageCRLSign,
Subject: pkix.Name{
CommonName: "testing",
},
SubjectKeyId: []byte{1, 2, 3},
},
template: &RevocationList{
ThisUpdate: time.Time{}.Add(time.Hour * 24),
NextUpdate: time.Time{}.Add(time.Hour * 48),
Number: big.NewInt(0).SetBytes(append([]byte{255}, make([]byte, 19)...)),
},
expectedError: "x509: CRL number exceeds 20 octets",
},
{ {
name: "invalid signature algorithm", name: "invalid signature algorithm",
key: ec256Priv, key: ec256Priv,