crypto/x509: marshal certificate revocation times in UTC (Zulu time).

This is required by RFC 5280.

Fixes #16686

Change-Id: I291c68dd97410a4f7ae7c4e524b91a2493ac50a9
Reviewed-on: https://go-review.googlesource.com/34245
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>

diff --git a/src/crypto/x509/x509.go b/src/crypto/x509/x509.go
index d9077db653260c3bed213ae9f89b2b5de1804f69..949ce0185615516f5bdbede356e5f9f5d84eb70d 100644 (file)
--- a/src/crypto/x509/x509.go
+++ b/src/crypto/x509/x509.go
@@ -1850,13 +1850,20 @@ func (c *Certificate) CreateCRL(rand io.Reader, priv interface{}, revokedCerts [
                return nil, err
        }
 
+       // Force revocation times to UTC per RFC 5280.
+       revokedCertsUTC := make([]pkix.RevokedCertificate, len(revokedCerts))
+       for i, rc := range revokedCerts {
+               rc.RevocationTime = rc.RevocationTime.UTC()
+               revokedCertsUTC[i] = rc
+       }
+
        tbsCertList := pkix.TBSCertificateList{
                Version:             1,
                Signature:           signatureAlgorithm,
                Issuer:              c.Subject.ToRDNSequence(),
                ThisUpdate:          now.UTC(),
                NextUpdate:          expiry.UTC(),
-               RevokedCertificates: revokedCerts,
+               RevokedCertificates: revokedCertsUTC,
        }
 
        // Authority Key Id

diff --git a/src/crypto/x509/x509_test.go b/src/crypto/x509/x509_test.go
index 354545ccbcbe70974a1a8c8d1ad586e600aef6df..aa30d85b7da06de25236732d0536b7c572831454 100644 (file)
--- a/src/crypto/x509/x509_test.go
+++ b/src/crypto/x509/x509_test.go
@@ -850,17 +850,31 @@ func TestCRLCreation(t *testing.T) {
        block, _ = pem.Decode([]byte(pemCertificate))
        cert, _ := ParseCertificate(block.Bytes)
 
-       now := time.Unix(1000, 0)
+       loc := time.FixedZone("Oz/Atlantis", int((2 * time.Hour).Seconds()))
+
+       now := time.Unix(1000, 0).In(loc)
+       nowUTC := now.UTC()
        expiry := time.Unix(10000, 0)
 
        revokedCerts := []pkix.RevokedCertificate{
                {
                        SerialNumber:   big.NewInt(1),
+                       RevocationTime: nowUTC,
+               },
+               {
+                       SerialNumber: big.NewInt(42),
+                       // RevocationTime should be converted to UTC before marshaling.
                        RevocationTime: now,
                },
+       }
+       expectedCerts := []pkix.RevokedCertificate{
+               {
+                       SerialNumber:   big.NewInt(1),
+                       RevocationTime: nowUTC,
+               },
                {
                        SerialNumber:   big.NewInt(42),
-                       RevocationTime: now,
+                       RevocationTime: nowUTC,
                },
        }
 
@@ -869,10 +883,14 @@ func TestCRLCreation(t *testing.T) {
                t.Errorf("error creating CRL: %s", err)
        }
 
-       _, err = ParseDERCRL(crlBytes)
+       parsedCRL, err := ParseDERCRL(crlBytes)
        if err != nil {
                t.Errorf("error reparsing CRL: %s", err)
        }
+       if !reflect.DeepEqual(parsedCRL.TBSCertList.RevokedCertificates, expectedCerts) {
+               t.Errorf("RevokedCertificates mismatch: got %v; want %v.",
+                       parsedCRL.TBSCertList.RevokedCertificates, expectedCerts)
+       }
 }
 
 func fromBase64(in string) []byte {