
affected/package: x509 CreateRevocationList incorrect serial? #53923


Closed
daveteu opened this issue Jul 17, 2022 · 1 comment

daveteu commented Jul 17, 2022

What version of Go are you using (go version)?

1.18

Does this issue reproduce with the latest release?

Yes

What operating system and processor architecture are you using (go env)?

go env Output
$ go env
GO111MODULE=""
GOARCH="amd64"
GOBIN=""
GOEXE=""
GOEXPERIMENT=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="darwin"
GOINSECURE=""
GOOS="darwin"
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/usr/local/go"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/usr/local/go/pkg/tool/darwin_amd64"
GOVCS=""
GOVERSION="go1.18.3"
GCCGO="gccgo"
GOAMD64="v1"
AR="ar"
CC="clang"
CXX="clang++"
CGO_ENABLED="1"
GOWORK=""
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -arch x86_64 -m64 -pthread -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -fdebug-prefix-map=/var/folders/ql/l3trxc6s4d3bjs8ks9s3k7zw0000gn/T/go-build3444320077=/tmp/go-build -gno-record-gcc-switches -fno-common"

What did you do?

I am trying to create a revocation list with the following code

revocationList := x509.RevocationList{
	RevokedCertificates: removeDups(list),
	Number:              crlNumber, // +1 on every update
	ThisUpdate:          time.Now(),
	NextUpdate:          time.Now().Add(1 * time.Minute),
}

crlBytes, err := x509.CreateRevocationList(rand.Reader, &revocationList, caCert, caKey)
if err != nil {
	log.Fatalf("create CRL: %v", err)
}

// create the PEM
crlPem := pem.EncodeToMemory(&pem.Block{
	Type:  PEMx509CRLBlock,
	Bytes: crlBytes,
})

The RevokedCertificates are as follows

[
  {
    "SerialNumber": 97,
    "RevocationTime": "2022-07-17T04:46:04Z",
    "Extensions": null
  },
  {
    "SerialNumber": 117,
    "RevocationTime": "2022-07-17T05:17:22Z",
    "Extensions": null
  },
  {
    "SerialNumber": 118,
    "RevocationTime": "2022-07-17T07:46:12Z",
    "Extensions": null
  },
  {
    "SerialNumber": 119,
    "RevocationTime": "2022-07-17T07:56:26Z",
    "Extensions": null
  }
]

What did you expect to see?

I am expecting to see the revoked serial number in the PEM.

What did you see instead?

content of openssl crl -noout -in crl.pem -text

Certificate Revocation List (CRL):
        Version 2 (0x1)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: /C=/ST=/L=/O=/OU=/CN=3rd time after cleaning up
        Last Update: Jul 17 08:21:09 2022 GMT
        Next Update: Jul 17 08:22:09 2022 GMT
        CRL extensions:
            X509v3 Authority Key Identifier: 
                keyid:4C:10:E5:BC:4A:F2:D7:1A:E8:F9:40:02:DA:D0:B9:55:24:38:50:90

            X509v3 CRL Number: 
                21
Revoked Certificates:
    Serial Number: 61
        Revocation Date: Jul 17 04:46:04 2022 GMT
    Serial Number: 75
        Revocation Date: Jul 17 05:17:22 2022 GMT
    Serial Number: 76
        Revocation Date: Jul 17 07:46:12 2022 GMT
    Serial Number: 77
        Revocation Date: Jul 17 07:56:26 2022 GMT
    Signature Algorithm: sha256WithRSAEncryption
         d7:98:29:03:32:3b:4e:3c:57:f7:6b:95:0f:01:7b:df:21:f1:
         e7:72:ec:0e:68:21:63:14:6d:bc:ba:d2:e9:3b:f9:e3:ff:ae:
         d5:c6:0e:ae:06:6a:83:db:0e:92:4e:ac:0b:2b:ea:a2:fe:e1:
         a6:40:43:d7:7b:d0:34:68:82:f2:2d:bf:94:fd:54:63:2e:fd:
         61:cd:fe:5c:ea:6d:e0:89:e5:6b:c4:a6:9f:26:c4:55:fa:71:
         f2:71:5e:a5:12:51:79:f5:6c:d4:6f:58:2e:6d:9d:21:01:bd:
         16:38:d3:2d:91:dc:f6:54:38:aa:2d:6e:8c:8d:25:4b:77:ef:
         d9:de:7c:dd:8a:77:38:a3:a5:68:37:7f:04:b4:6b:0a:76:6a:
         98:7c:db:8b:6f:d1:aa:86:db:d3:4d:5e:26:91:3b:6d:e8:b7:
         25:11:bc:84:09:85:43:00:eb:90:7b:00:1b:35:77:74:98:86:
         04:64:ef:52:4f:c5:8e:87:a6:11:55:e5:5b:46:97:72:27:5f:
         db:ea:42:71:5b:9d:ac:b8:3e:76:95:c0:0d:af:d2:eb:30:2b:
         52:4c:5f:aa:d9:b8:d6:10:03:2e:50:55:48:20:cf:51:7e:59:
         af:d0:9e:70:f1:c2:58:28:5c:29:50:32:a0:e7:3d:24:ec:13:
         b5:44:7d:8d

The content of the crl.pem is as follows


One of the online decoders I used, however, shows the correct number

              Version: 2
             IssuerDN: C=,ST=,L=,O=,OU=,CN=3rd time after cleaning up
          This update: Sun Jul 17 08:21:09 UTC 2022
          Next update: Sun Jul 17 08:22:09 UTC 2022
  Signature Algorithm: SHA256WITHRSA
            Signature: d7982903323b4e3c57f76b950f017bdf21f1e772
                       ec0e682163146dbcbad2e93bf9e3ffaed5c60eae
                       066a83db0e924eac0b2beaa2fee1a64043d77bd0
                       346882f22dbf94fd54632efd61cdfe5cea6de089
                       e56bc4a69f26c455fa71f2715ea5125179f56cd4
                       6f582e6d9d2101bd1638d32d91dcf65438aa2d6e
                       8c8d254b77efd9de7cdd8a7738a3a568377f04b4
                       6b0a766a987cdb8b6fd1aa86dbd34d5e26913b6d
                       e8b72511bc8409854300eb907b001b3577749886
                       0464ef524fc58e87a61155e55b469772275fdbea
                       42715b9dacb83e7695c00dafd2eb302b524c5faa
                       d9b8d610032e50554820cf517e59afd09e70f1c2
                       58285c295032a0e73d24ec13b5447d8d
           Extensions: 
                       critical(false) 2.5.29.35 value = Sequence
    Tagged [0] IMPLICIT 
        DER Octet String[20] 

                       critical(false) CRLNumber: 21
      userCertificate: 119
       revocationDate: Sun Jul 17 07:56:26 UTC 2022
       certificateIssuer: null

      userCertificate: 118
       revocationDate: Sun Jul 17 07:46:12 UTC 2022
       certificateIssuer: null

      userCertificate: 117
       revocationDate: Sun Jul 17 05:17:22 UTC 2022
       certificateIssuer: null

      userCertificate: 97
       revocationDate: Sun Jul 17 04:46:04 UTC 2022
       certificateIssuer: null


PS: Maybe it's my code that's wrong; if it is, please enlighten me.

@daveteu daveteu changed the title affected/package: x509 CreateRevocationList affected/package: x509 CreateRevocationList incorrect serial? Jul 17, 2022
Member

seankhliao commented Jul 17, 2022

The openssl output is in hexadecimal.

0x61 = 97
0x77 = 119

Closing as not a bug

@seankhliao seankhliao closed this as not planned Jul 17, 2022
@golang golang locked and limited conversation to collaborators Jul 17, 2023