[sync] crypto/x509: restrict CRL number to <=20 octets #69

2025-04-21 17:56:19 +08:00 · 2022-07-15 10:25:53 +08:00 · 2022-07-15 10:25:53 +08:00 · 7e81d05ce9
commit 7e81d05ce9
parent 99bfac3a2b
2 changed files with 37 additions and 0 deletions
--- a/smx509/x509.go
+++ b/smx509/x509.go
@ -1909,6 +1909,9 @@ func CreateRevocationList(rand io.Reader, template *x509.RevocationList, issuer
 	if err != nil {
 		return nil, err
 	}
+	if numBytes := template.Number.Bytes(); len(numBytes) > 20 || (len(numBytes) == 20 && numBytes[0]&0x80 != 0) {
+		return nil, errors.New("x509: CRL number exceeds 20 octets")
+	}
 	crlNum, err := asn1.Marshal(template.Number)
 	if err != nil {
 		return nil, err
--- a/smx509/x509_test.go
+++ b/smx509/x509_test.go
@ -1789,6 +1789,40 @@ func TestCreateRevocationList(t *testing.T) {
 			},
 			expectedError: "x509: template contains nil Number field",
 		},
+		{
+			name: "long Number",
+			key:  sm2Priv,
+			issuer: &x509.Certificate{
+				KeyUsage: KeyUsageCRLSign,
+				Subject: pkix.Name{
+					CommonName: "testing",
+				},
+				SubjectKeyId: []byte{1, 2, 3},
+			},
+			template: &x509.RevocationList{
+				ThisUpdate: time.Time{}.Add(time.Hour * 24),
+				NextUpdate: time.Time{}.Add(time.Hour * 48),
+				Number:     big.NewInt(0).SetBytes(append([]byte{1}, make([]byte, 20)...)),
+			},
+			expectedError: "x509: CRL number exceeds 20 octets",
+		},
+		{
+			name: "long Number (20 bytes, MSB set)",
+			key:  sm2Priv,
+			issuer: &x509.Certificate{
+				KeyUsage: KeyUsageCRLSign,
+				Subject: pkix.Name{
+					CommonName: "testing",
+				},
+				SubjectKeyId: []byte{1, 2, 3},
+			},
+			template: &x509.RevocationList{
+				ThisUpdate: time.Time{}.Add(time.Hour * 24),
+				NextUpdate: time.Time{}.Add(time.Hour * 48),
+				Number:     big.NewInt(0).SetBytes(append([]byte{255}, make([]byte, 19)...)),
+			},
+			expectedError: "x509: CRL number exceeds 20 octets",
+		},
 		{
 			name: "invalid signature algorithm",
 			key:  sm2Priv,