openssl/openssl

Misjudgment of CRL Distribution Points extension

Open

#26,161 opened on Dec 12, 2024

View on GitHub
 (3 comments) (0 reactions) (1 assignee)C (11,262 forks)batch import
branch: masterhelp wantedtriaged: feature

Repository metrics

Stars
 (30,157 stars)
PR merge metrics
 (No merged PRs in 30d)

Description

RFC5280 describes this extension as follows: When a conforming CA includes a cRLDistributionPoints extension in a certificate, it MUST include at least one DistributionPoint that points to a CRL that covers the certificate for all reasons. I provided a test case that included a CRL distribution point extension, but the extension value was empty, which does not comply with RFC5280. I used the this certificate to conduct a format conversion experiment.Golang throws error for certificate: invalid CRL distribution points, but openssl incorrectly conversion successful. cert.zip image

Contributor guide