-
Notifications
You must be signed in to change notification settings - Fork 17.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
crypto/x509: add RevocationList and CreateRevocationList #36945
crypto/x509: add RevocationList and CreateRevocationList #36945
Conversation
The existing Certificate.CreateCRL method generates non-conformant CRLs and as such cannot be used for implementations that require standards compliance. This change implements a new top level method, CreateCRL, which generates compliant CRLs, and offers an extensible API if any extensions/fields need to be supported in the future. Fixes golang#35428 Change-Id: I06ef833cb860077b2d42c1bb262a72c3e918aa0d
Change-Id: I2f00afbd80cb9d30ebdca338a9b812359c762c3f
This PR (HEAD: 1da2356) has been imported to Gerrit for code review. Please visit https://go-review.googlesource.com/c/go/+/217298 to see it. Tip: You can toggle comments from me using the |
Message from Gobot Gobot: Patch Set 1: Congratulations on opening your first change. Thank you for your contribution! Next steps: Most changes in the Go project go through a few rounds of revision. This can be During May-July and Nov-Jan the Go project is in a code freeze, during which Please don’t reply on this GitHub thread. Visit golang.org/cl/217298. |
Message from Paul van Brouwershaven: Patch Set 1: (2 comments) Please don’t reply on this GitHub thread. Visit golang.org/cl/217298. |
Message from Emmanuel Odeke: Patch Set 1: Run-TryBot+1 Please don’t reply on this GitHub thread. Visit golang.org/cl/217298. |
Message from Gobot Gobot: Patch Set 1: TryBots beginning. Status page: https://farmer.golang.org/try?commit=687d1666 Please don’t reply on this GitHub thread. Visit golang.org/cl/217298. |
Message from Gobot Gobot: Patch Set 1: TryBot-Result+1 TryBots are happy. Please don’t reply on this GitHub thread. Visit golang.org/cl/217298. |
Change-Id: I96a7d4454838cd30b5fe53196eae8709eedfdb44
This PR (HEAD: 03be885) has been imported to Gerrit for code review. Please visit https://go-review.googlesource.com/c/go/+/217298 to see it. Tip: You can toggle comments from me using the |
Message from Roland Shoemaker: Patch Set 1: (2 comments) Thanks for the review Paul, I've addressed both of your comments. Please don’t reply on this GitHub thread. Visit golang.org/cl/217298. |
Message from Paul van Brouwershaven: Patch Set 2: Code-Review+1 (2 comments) LGTM Please don’t reply on this GitHub thread. Visit golang.org/cl/217298. |
Message from Bilal Ashraf: Patch Set 2: (1 comment) Please don’t reply on this GitHub thread. Visit golang.org/cl/217298. |
Change-Id: I2feee394004948c6544a982aedfda5e815f92dc8
Change-Id: I4babc5e0c817228e5c66711ce15ba12b7bebc113
This PR (HEAD: 3aaef85) has been imported to Gerrit for code review. Please visit https://go-review.googlesource.com/c/go/+/217298 to see it. Tip: You can toggle comments from me using the |
Message from Roland Shoemaker: Patch Set 2: (1 comment) Seems reasonable to allow setting SignatureAlgorithm, done. Please don’t reply on this GitHub thread. Visit golang.org/cl/217298. |
Change-Id: Id8496a6a6e61627c321a42c88535dcc31a4affc1
This PR (HEAD: f0cdbcd) has been imported to Gerrit for code review. Please visit https://go-review.googlesource.com/c/go/+/217298 to see it. Tip: You can toggle comments from me using the |
Change-Id: I3153f58a7ea47f1d63dc0e7a83340e0fe36126d6
This PR (HEAD: 8eabd2f) has been imported to Gerrit for code review. Please visit https://go-review.googlesource.com/c/go/+/217298 to see it. Tip: You can toggle comments from me using the |
Message from Paul van Brouwershaven: Patch Set 5: Should we add a ParseRevocationList function to the new RevocationList type, currently it only exposes a CreateRevocationList function but naturally I would also expose a parse for this new type. I would also like to suggest to include the RawIssuer similar to the Certificate type. Please don’t reply on this GitHub thread. Visit golang.org/cl/217298. |
Message from Filippo Valsorda: Patch Set 5: Run-TryBot+1 (10 comments) LGTM with some docs comments, and making sure we are handling the zero length case correctly. Can you drop in the commit message a issuer / CRL pair we can verify with OpenSSL? Please don’t reply on this GitHub thread. Visit golang.org/cl/217298. |
Message from Gobot Gobot: Patch Set 5: TryBots beginning. Status page: https://farmer.golang.org/try?commit=2657199f Please don’t reply on this GitHub thread. Visit golang.org/cl/217298. |
Message from Gobot Gobot: Patch Set 5: TryBot-Result+1 TryBots are happy. Please don’t reply on this GitHub thread. Visit golang.org/cl/217298. |
Change-Id: Id3aac8ac51844b473ce1914a25c6e4fdc444a02a
Change-Id: I6050fdde7e61fd55bd3cb24aba9a4da233208071
Change-Id: If40a06e7b7ff5481e16a32e51676bc00f3c6e8a2
This PR (HEAD: c83a601) has been imported to Gerrit for code review. Please visit https://go-review.googlesource.com/c/go/+/217298 to see it. Tip: You can toggle comments from me using the |
Message from Roland Shoemaker: Patch Set 7:
I think I hit all these comments, and added an extra test case or two. Please don’t reply on this GitHub thread. Visit golang.org/cl/217298. |
Message from Roland Shoemaker: Patch Set 7: (9 comments) (Always forget to publish my drafts ._.) Please don’t reply on this GitHub thread. Visit golang.org/cl/217298. |
Message from Filippo Valsorda: Patch Set 7: Run-TryBot+1 Code-Review+2
$ openssl crl -in crl.pem -CAfile ca.pem Please don’t reply on this GitHub thread. Visit golang.org/cl/217298. |
Message from Gobot Gobot: Patch Set 7: TryBots beginning. Status page: https://farmer.golang.org/try?commit=d93e9761 Please don’t reply on this GitHub thread. Visit golang.org/cl/217298. |
Message from Gobot Gobot: Patch Set 7: TryBot-Result+1 TryBots are happy. Please don’t reply on this GitHub thread. Visit golang.org/cl/217298. |
The existing Certificate.CreateCRL method generates non-conformant CRLs and as such cannot be used for implementations that require standards compliance. This change implements a new top level method, CreateCRL, which generates compliant CRLs, and offers an extensible API if any extensions/fields need to be supported in the future. Here is an example Issuer/CRL generated using this change: -----BEGIN CERTIFICATE----- MIIBNjCB3aADAgECAgEWMAoGCCqGSM49BAMCMBIxEDAOBgNVBAMTB3Rlc3Rpbmcw IhgPMDAwMTAxMDEwMDAwMDBaGA8wMDAxMDEwMTAwMDAwMFowEjEQMA4GA1UEAxMH dGVzdGluZzBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABLHrudbSM36sn1VBrmm/ OfQTyEsI4tIUV1VmneOKHL9ENBGCiec4GhQm2SGnDT/sZy2bB3c3yozh/roS6cZJ UZqjIDAeMA4GA1UdDwEB/wQEAwIBAjAMBgNVHQ4EBQQDAQIDMAoGCCqGSM49BAMC A0gAMEUCIQCoAYN6CGZPgd5Sw5a1rd5VexciT5MCxTfXj+ZfJNfoiAIgQVCTB8AE Nm2xset7+HOgtQYlKNw/rGd8cFcv5Y9aUzo= -----END CERTIFICATE----- -----BEGIN X509 CRL----- MIHWMH0CAQEwCgYIKoZIzj0EAwIwEjEQMA4GA1UEAxMHdGVzdGluZxgPMDAwMTAx MDIwMDAwMDBaGA8wMDAxMDEwMzAwMDAwMFowFjAUAgECGA8wMDAxMDEwMTAxMDAw MFqgHjAcMA4GA1UdIwQHMAWAAwECAzAKBgNVHRQEAwIBBTAKBggqhkjOPQQDAgNJ ADBGAiEAjqfj/IG4ys5WkjrbTNpDbr+saHGO/NujLJotlLL9KzgCIQDm8VZPzj0f NYEQgAW4nsiUzlvEUCoHMw0141VCZXv67A== -----END X509 CRL----- Fixes #35428 Change-Id: Id96b6f47698d0bed39d586b46bd12374ee6ff88f GitHub-Last-Rev: c83a601 GitHub-Pull-Request: #36945 Reviewed-on: https://go-review.googlesource.com/c/go/+/217298 Reviewed-by: Filippo Valsorda <filippo@golang.org> Run-TryBot: Filippo Valsorda <filippo@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org>
This PR is being closed because golang.org/cl/217298 has been merged. |
The existing Certificate.CreateCRL method generates non-conformant CRLs and as such cannot be used for implementations that require standards compliance. This change implements a new top level method, CreateCRL, which generates compliant CRLs, and offers an extensible API if any extensions/fields need to be supported in the future. Here is an example Issuer/CRL generated using this change: -----BEGIN CERTIFICATE----- MIIBNjCB3aADAgECAgEWMAoGCCqGSM49BAMCMBIxEDAOBgNVBAMTB3Rlc3Rpbmcw IhgPMDAwMTAxMDEwMDAwMDBaGA8wMDAxMDEwMTAwMDAwMFowEjEQMA4GA1UEAxMH dGVzdGluZzBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABLHrudbSM36sn1VBrmm/ OfQTyEsI4tIUV1VmneOKHL9ENBGCiec4GhQm2SGnDT/sZy2bB3c3yozh/roS6cZJ UZqjIDAeMA4GA1UdDwEB/wQEAwIBAjAMBgNVHQ4EBQQDAQIDMAoGCCqGSM49BAMC A0gAMEUCIQCoAYN6CGZPgd5Sw5a1rd5VexciT5MCxTfXj+ZfJNfoiAIgQVCTB8AE Nm2xset7+HOgtQYlKNw/rGd8cFcv5Y9aUzo= -----END CERTIFICATE----- -----BEGIN X509 CRL----- MIHWMH0CAQEwCgYIKoZIzj0EAwIwEjEQMA4GA1UEAxMHdGVzdGluZxgPMDAwMTAx MDIwMDAwMDBaGA8wMDAxMDEwMzAwMDAwMFowFjAUAgECGA8wMDAxMDEwMTAxMDAw MFqgHjAcMA4GA1UdIwQHMAWAAwECAzAKBgNVHRQEAwIBBTAKBggqhkjOPQQDAgNJ ADBGAiEAjqfj/IG4ys5WkjrbTNpDbr+saHGO/NujLJotlLL9KzgCIQDm8VZPzj0f NYEQgAW4nsiUzlvEUCoHMw0141VCZXv67A== -----END X509 CRL----- Fixes #35428 Change-Id: Id96b6f47698d0bed39d586b46bd12374ee6ff88f GitHub-Last-Rev: c83a6017164e71df3989fe57322b3b4869a09f37 GitHub-Pull-Request: golang/go#36945 Reviewed-on: https://go-review.googlesource.com/c/go/+/217298 Reviewed-by: Filippo Valsorda <filippo@golang.org> Run-TryBot: Filippo Valsorda <filippo@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org>
The existing Certificate.CreateCRL method generates non-conformant CRLs and
as such cannot be used for implementations that require standards
compliance. This change implements a new top level method, CreateCRL, which
generates compliant CRLs, and offers an extensible API if any
extensions/fields need to be supported in the future.
Here is an example Issuer/CRL generated using this change:
-----BEGIN CERTIFICATE-----
MIIBNjCB3aADAgECAgEWMAoGCCqGSM49BAMCMBIxEDAOBgNVBAMTB3Rlc3Rpbmcw
IhgPMDAwMTAxMDEwMDAwMDBaGA8wMDAxMDEwMTAwMDAwMFowEjEQMA4GA1UEAxMH
dGVzdGluZzBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABLHrudbSM36sn1VBrmm/
OfQTyEsI4tIUV1VmneOKHL9ENBGCiec4GhQm2SGnDT/sZy2bB3c3yozh/roS6cZJ
UZqjIDAeMA4GA1UdDwEB/wQEAwIBAjAMBgNVHQ4EBQQDAQIDMAoGCCqGSM49BAMC
A0gAMEUCIQCoAYN6CGZPgd5Sw5a1rd5VexciT5MCxTfXj+ZfJNfoiAIgQVCTB8AE
Nm2xset7+HOgtQYlKNw/rGd8cFcv5Y9aUzo=
-----END CERTIFICATE-----
-----BEGIN X509 CRL-----
MIHWMH0CAQEwCgYIKoZIzj0EAwIwEjEQMA4GA1UEAxMHdGVzdGluZxgPMDAwMTAx
MDIwMDAwMDBaGA8wMDAxMDEwMzAwMDAwMFowFjAUAgECGA8wMDAxMDEwMTAxMDAw
MFqgHjAcMA4GA1UdIwQHMAWAAwECAzAKBgNVHRQEAwIBBTAKBggqhkjOPQQDAgNJ
ADBGAiEAjqfj/IG4ys5WkjrbTNpDbr+saHGO/NujLJotlLL9KzgCIQDm8VZPzj0f
NYEQgAW4nsiUzlvEUCoHMw0141VCZXv67A==
-----END X509 CRL-----
Fixes #35428