crypto/x509: ParseRevocationList incorrect handling of the CRL Number field

[onepeople158]

Go version

go version go1.24.1 linux/amd64

Output of go env in your module/workspace:

CN=US,OU=US,O=US,L=US,ST=US,C=US
2025-01-01 00:00:00 +0000 UTC
2025-12-01 00:00:00 +0000 UTC
-36
1

What did you do?

Hello Developer, I have a CRL file with a CRL number value of -36. According to RFC5280, the CRL number should be a non-negative integer, but Go successfully parsed the CRL Number field of this CRL without any errors.

What did you see happen?

Go successfully parsed the CRL Number field of this CRL without any errors.

What did you expect to see?

crl_file_test_.zip

[gabyhelp]

Related Issues

• crypto/x509: CreateRevocationList() does not enforce that the CRL Number is at most 20 octets #53543 (closed)

_{(Emoji vote if this was helpful or unhelpful; more detailed feedback welcome in this discussion.)}

[dmitshur]

CC @golang/security.

[cpu]

I agree with the premise that a negative CRL number extension is out of spec, but I'm not sure there's a strong motivator for making it a parse-time error. The extension is described as non-critical, and AIUI largely serves as a hint for when one CRL super-cedes another. It doesn't feel like a case worth wiring up a GODEBUG for.

Perhaps we leave ParseRevocationList alone but make CreateRevocationList error for an invalid RevocationList.Number in the input template?