Commit 4c71af71 authored by Martin Kreichgauer's avatar Martin Kreichgauer Committed by Brad Fitzpatrick

crypto/x509: marshal certificate revocation times in UTC (Zulu time).

This is required by RFC 5280.

Fixes #16686

Change-Id: I291c68dd97410a4f7ae7c4e524b91a2493ac50a9
Reviewed-on: https://go-review.googlesource.com/34245Reviewed-by: default avatarBrad Fitzpatrick <bradfitz@golang.org>
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
parent 8c190e58
......@@ -1850,13 +1850,20 @@ func (c *Certificate) CreateCRL(rand io.Reader, priv interface{}, revokedCerts [
return nil, err
}
// Force revocation times to UTC per RFC 5280.
revokedCertsUTC := make([]pkix.RevokedCertificate, len(revokedCerts))
for i, rc := range revokedCerts {
rc.RevocationTime = rc.RevocationTime.UTC()
revokedCertsUTC[i] = rc
}
tbsCertList := pkix.TBSCertificateList{
Version: 1,
Signature: signatureAlgorithm,
Issuer: c.Subject.ToRDNSequence(),
ThisUpdate: now.UTC(),
NextUpdate: expiry.UTC(),
RevokedCertificates: revokedCerts,
RevokedCertificates: revokedCertsUTC,
}
// Authority Key Id
......
......@@ -850,29 +850,47 @@ func TestCRLCreation(t *testing.T) {
block, _ = pem.Decode([]byte(pemCertificate))
cert, _ := ParseCertificate(block.Bytes)
now := time.Unix(1000, 0)
loc := time.FixedZone("Oz/Atlantis", int((2 * time.Hour).Seconds()))
now := time.Unix(1000, 0).In(loc)
nowUTC := now.UTC()
expiry := time.Unix(10000, 0)
revokedCerts := []pkix.RevokedCertificate{
{
SerialNumber: big.NewInt(1),
RevocationTime: now,
RevocationTime: nowUTC,
},
{
SerialNumber: big.NewInt(42),
// RevocationTime should be converted to UTC before marshaling.
RevocationTime: now,
},
}
expectedCerts := []pkix.RevokedCertificate{
{
SerialNumber: big.NewInt(1),
RevocationTime: nowUTC,
},
{
SerialNumber: big.NewInt(42),
RevocationTime: nowUTC,
},
}
crlBytes, err := cert.CreateCRL(rand.Reader, priv, revokedCerts, now, expiry)
if err != nil {
t.Errorf("error creating CRL: %s", err)
}
_, err = ParseDERCRL(crlBytes)
parsedCRL, err := ParseDERCRL(crlBytes)
if err != nil {
t.Errorf("error reparsing CRL: %s", err)
}
if !reflect.DeepEqual(parsedCRL.TBSCertList.RevokedCertificates, expectedCerts) {
t.Errorf("RevokedCertificates mismatch: got %v; want %v.",
parsedCRL.TBSCertList.RevokedCertificates, expectedCerts)
}
}
func fromBase64(in string) []byte {
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment