crypto/x509: correctly parse CRL entry extensions

author Aaron Gable <aaron@letsencrypt.org>

Tue, 28 Jun 2022 22:28:21 +0000 (15:28 -0700)

committer Gopher Robot <gobot@golang.org>

Thu, 7 Jul 2022 19:26:16 +0000 (19:26 +0000)
author Aaron Gable <aaron@letsencrypt.org>
Tue, 28 Jun 2022 22:28:21 +0000 (15:28 -0700)
committer Gopher Robot <gobot@golang.org>
Thu, 7 Jul 2022 19:26:16 +0000 (19:26 +0000)
diff --git a/src/crypto/x509/parser.go b/src/crypto/x509/parser.go

index cd87044d17d4ff7af82730857d4a0bec69435341..a2d3d809642b221fbde361eabaa86166c5b72c8f 100644 (file)
--- a/src/crypto/x509/parser.go
+++ b/src/crypto/x509/parser.go
@@ -1106,13 +1106,10 @@ func ParseRevocationList(der []byte) (*RevocationList, error) {
                         }
                         var extensions cryptobyte.String
                         var present bool
-                       if !tbs.ReadOptionalASN1(&extensions, &present, cryptobyte_asn1.SEQUENCE) {
+                       if !certSeq.ReadOptionalASN1(&extensions, &present, cryptobyte_asn1.SEQUENCE) {
                                 return nil, errors.New("x509: malformed extensions")
                         }
                         if present {
-                               if !extensions.ReadASN1(&extensions, cryptobyte_asn1.SEQUENCE) {
-                                       return nil, errors.New("x509: malformed extensions")
-                               }
                                 for !extensions.Empty() {
                                         var extension cryptobyte.String
                                         if !extensions.ReadASN1(&extension, cryptobyte_asn1.SEQUENCE) {
diff --git a/src/crypto/x509/x509_test.go b/src/crypto/x509/x509_test.go

index 594ee1dceb0b7f1d6eba78c0d9efecb91b05056e..cddad1e246c299d182f7de052ab6a3629398b574 100644 (file)
--- a/src/crypto/x509/x509_test.go
+++ b/src/crypto/x509/x509_test.go
@@ -2524,6 +2524,34 @@ func TestCreateRevocationList(t *testing.T) {
                                 NextUpdate: time.Time{}.Add(time.Hour * 48),
                         },
                 },
+               {
+                       name: "valid, extra entry extension",
+                       key:  ec256Priv,
+                       issuer: &Certificate{
+                               KeyUsage: KeyUsageCRLSign,
+                               Subject: pkix.Name{
+                                       CommonName: "testing",
+                               },
+                               SubjectKeyId: []byte{1, 2, 3},
+                       },
+                       template: &RevocationList{
+                               RevokedCertificates: []pkix.RevokedCertificate{
+                                       {
+                                               SerialNumber:   big.NewInt(2),
+                                               RevocationTime: time.Time{}.Add(time.Hour),
+                                               Extensions: []pkix.Extension{
+                                                       {
+                                                               Id:    []int{2, 5, 29, 99},
+                                                               Value: []byte{5, 0},
+                                                       },
+                                               },
+                                       },
+                               },
+                               Number:     big.NewInt(5),
+                               ThisUpdate: time.Time{}.Add(time.Hour * 24),
+                               NextUpdate: time.Time{}.Add(time.Hour * 48),
+                       },
+               },
                 {
                         name: "valid, Ed25519 key",
                         key:  ed25519Priv,
author	Aaron Gable <aaron@letsencrypt.org>
	Tue, 28 Jun 2022 22:28:21 +0000 (15:28 -0700)
committer	Gopher Robot <gobot@golang.org>
	Thu, 7 Jul 2022 19:26:16 +0000 (19:26 +0000)
src/crypto/x509/parser.go		patch \| blob \| history
src/crypto/x509/x509_test.go		patch \| blob \| history