crypto/x509: Authority Key Identifier must be included in all CRLs issued

According to RFC5280 the authority key identifier extension MUST included in all
CRLs issued. This patch includes the authority key identifier extension when the
Subject Key Identifier is present in the signing certificate.

RFC5280 states:

"The authority key identifier extension provides a means of identifying the
public key corresponding to the private key used to sign a CRL.  The
identification can be based on either the key identifier (the subject key
identifier in the CRL signer's certificate) or the issuer name and serial
number.  This extension is especially useful where an issuer has more than one
signing key, either due to multiple concurrent key pairs or due to changeover."

Conforming CRL issuers MUST use the key identifier method, and MUST include this
extension in all CRLs issued."

This CL has been discussed at: http://golang.org/cl/177760043

Change-Id: I9bf50521908bfe777ea2398f154c13e8c90d14ad
Reviewed-on: https://go-review.googlesource.com/2258
Reviewed-by: Adam Langley <agl@golang.org>

diff --git a/src/crypto/x509/x509.go b/src/crypto/x509/x509.go
index a69efce63332eec906d406e7bb1ae6f140602b34..9616d54cedbec8ae2a7108f65ee1f9038772afd6 100644 (file)
--- a/src/crypto/x509/x509.go
+++ b/src/crypto/x509/x509.go
@@ -1587,6 +1587,17 @@ func (c *Certificate) CreateCRL(rand io.Reader, priv crypto.Signer, revokedCerts
                RevokedCertificates: revokedCerts,
        }
 
+       // Authority Key Id
+       if len(c.SubjectKeyId) > 0 {
+               var aki pkix.Extension
+               aki.Id = oidExtensionAuthorityKeyId
+               aki.Value, err = asn1.Marshal(authKeyId{Id: c.SubjectKeyId})
+               if err != nil {
+                       return
+               }
+               tbsCertList.Extensions = append(tbsCertList.Extensions, aki)
+       }
+
        tbsCertListContents, err := asn1.Marshal(tbsCertList)
        if err != nil {
                return