crypto/x509: accept CRLs without an expiry.

RFC5280 says that the nextUpdate field is optional. Fixes #8085. R=bradfitz CC=golang-codereviews https://golang.org/cl/149770044
2024-10-14 11:53:56 +00:00 · 2014-09-29 12:26:51 -07:00 · 2014-09-29 12:26:51 -07:00 · dfddd802ac
parent dca460574f
commit dfddd802ac
2 changed files with 12 additions and 1 deletions
--- a/src/crypto/x509/pkix/pkix.go
+++ b/src/crypto/x509/pkix/pkix.go
@ -164,7 +164,7 @@ type TBSCertificateList struct {
 	Signature           AlgorithmIdentifier
 	Issuer              RDNSequence
 	ThisUpdate          time.Time
-	NextUpdate          time.Time
+	NextUpdate          time.Time            `asn1:"optional"`
 	RevokedCertificates []RevokedCertificate `asn1:"optional"`
 	Extensions          []Extension          `asn1:"tag:0,optional,explicit"`
 }
--- a/src/crypto/x509/x509_test.go
+++ b/src/crypto/x509/x509_test.go
@ -707,6 +707,17 @@ func TestParseDERCRL(t *testing.T) {
 	// Can't check the signature here without a package cycle.
 }

+func TestCRLWithoutExpiry(t *testing.T) {
+	derBytes := fromBase64("MIHYMIGZMAkGByqGSM44BAMwEjEQMA4GA1UEAxMHQ2FybERTUxcNOTkwODI3MDcwMDAwWjBpMBMCAgDIFw05OTA4MjIwNzAwMDBaMBMCAgDJFw05OTA4MjIwNzAwMDBaMBMCAgDTFw05OTA4MjIwNzAwMDBaMBMCAgDSFw05OTA4MjIwNzAwMDBaMBMCAgDUFw05OTA4MjQwNzAwMDBaMAkGByqGSM44BAMDLwAwLAIUfmVSdjP+NHMX0feW+aDU2G1cfT0CFAJ6W7fVWxjBz4fvftok8yqDnDWh")
+	certList, err := ParseDERCRL(derBytes)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if !certList.TBSCertList.NextUpdate.IsZero() {
+		t.Errorf("NextUpdate is not the zero value")
+	}
+}
+
 func TestParsePEMCRL(t *testing.T) {
 	pemBytes := fromBase64(pemCRLBase64)
 	certList, err := ParseCRL(pemBytes)