From 7e81d05ce9ceadc9e75d9567dc3ff3c1cb3555e8 Mon Sep 17 00:00:00 2001
From: Sun Yimin
Date: Fri, 15 Jul 2022 10:25:53 +0800
Subject: [PATCH] [sync] crypto/x509: restrict CRL number to <=20 octets #69
---
 smx509/x509.go | 3 +++
 smx509/x509_test.go | 34 ++++++++++++++++++++++++++++++++++
 2 files changed, 37 insertions(+)
diff --git a/smx509/x509.go b/smx509/x509.go
index a6f8cb3..a3bd49c 100644
--- a/smx509/x509.go
+++ b/smx509/x509.go
@@ -1909,6 +1909,9 @@ func CreateRevocationList(rand io.Reader, template *x509.RevocationList, issuer
 if err != nil {
 return nil, err
 }
+ if numBytes := template.Number.Bytes(); len(numBytes) > 20 || (len(numBytes) == 20 && numBytes[0]&0x80 != 0) {
+ return nil, errors.New("x509: CRL number exceeds 20 octets")
+ }
 crlNum, err := asn1.Marshal(template.Number)
 if err != nil {
 return nil, err
diff --git a/smx509/x509_test.go b/smx509/x509_test.go
index 2530b1f..d63e4a6 100644
--- a/smx509/x509_test.go
+++ b/smx509/x509_test.go
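Review bot: The added length guard in CreateRevocationList works on `template.Number.Bytes()`, which returns only the magnitude, so a negative `Number` of up to 20 bytes still passes and reaches the `asn1.Marshal` call on the next line. RFC 5280 defines CRLNumber as a non-negative INTEGER, so I would reject it ahead of the length test with `if template.Number.Sign() < 0 { return nil, errors.New("x509: CRL number must not be negative") }`. The guard would also read better with a comment above it, for example `// RFC 5280 §5.2.3: CRL number is at most 20 octets; a 20-byte value with the high bit set needs a leading zero octet in DER and becomes 21.` The function starts and ends outside this hunk, so a sign check earlier in the body is not visible from here.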
@@ -1789,6 +1789,40 @@ func TestCreateRevocationList(t *testing.T) {
 },
 expectedError: "x509: template contains nil Number field",
 },
+ {
+ name: "long Number",
+ key: sm2Priv,
+ issuer: &x509.Certificate{
+ KeyUsage: KeyUsageCRLSign,
+ Subject: pkix.Name{
+ CommonName: "testing",
+ },
+ SubjectKeyId: []byte{1, 2, 3},
+ },
+ template: &x509.RevocationList{
+ ThisUpdate: time.Time{}.Add(time.Hour * 24),
+ NextUpdate: time.Time{}.Add(time.Hour * 48),
+ Number: big.NewInt(0).SetBytes(append([]byte{1}, make([]byte, 20)...)),
+ },
+ expectedError: "x509: CRL number exceeds 20 octets",
+ },
+ {
+ name: "long Number (20 bytes, MSB set)",
+ key: sm2Priv,
+ issuer: &x509.Certificate{
+ KeyUsage: KeyUsageCRLSign,
+ Subject: pkix.Name{
+ CommonName: "testing",
+ },
+ SubjectKeyId: []byte{1, 2, 3},
+ },
+ template: &x509.RevocationList{
+ ThisUpdate: time.Time{}.Add(time.Hour * 24),
+ NextUpdate: time.Time{}.Add(time.Hour * 48),
+ Number: big.NewInt(0).SetBytes(append([]byte{255}, make([]byte, 19)...)),
+ },
+ expectedError: "x509: CRL number exceeds 20 octets",
+ },
 {
 name: "invalid signature algorithm",
 key: sm2Priv,
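Review bot: Both new cases in TestCreateRevocationList pin only the rejecting side of the 20-octet limit; nothing in this hunk exercises the largest value that must still be accepted, which is where an off-by-one in the `numBytes[0]&0x80` test would hide. I would add a passing case with a 20-byte number whose top bit is clear, `Number: big.NewInt(0).SetBytes(append([]byte{0x7f}, make([]byte, 19)...)),`, and no `expectedError`. The rest of the table lies outside the hunk, so such a case may already exist further down. The two added entries also repeat the same issuer and time fields, and a shared local for those would keep each entry focused on the `Number` under test.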