crypto/x509/pkix: change the semantics of the expiration of a CRL

[nhooyr]

I'm talking about changing this function:

go/src/crypto/x509/pkix/pkix.go

Line 251 in d6ebbef

func (certList *CertificateList) HasExpired(now time.Time) bool {

Presently, the way CertificateList.HasExpired works is by checking whether the now time.Time argument is after the next update. However RFC 5280 Section 5, defines the nextUpdate field as the date by which the next CRL will be issued. Thus, at the nextUpdate time, the next CRL must have been issued and so the one we have now is expired. Thus, CertificateList.HasExpired should consider a CRL expired if nextUpdate is equal to now.

I've already submitted a patch for this at https://go-review.googlesource.com/c/go/+/71972

[odeke-em]

/cc @agl @FiloSottile

[gopherbot]

Change https://golang.org/cl/71972 mentions this issue: crypto/x509/pkix: consider now==NextUpdate to be expired.