rustls / webpki

WebPKI X.509 Certificate Validation in Rust
https://docs.rs/rustls-webpki/latest/webpki/

crl: CRL w/o IDP ext auth. for cert w/ DP #276

Closed cpu closed 2 months ago

cpu commented 2 months ago

Previously the logic in src/crl/types.rs was strict when considering whether a certificate with a CRL distribution extension was covered by a CRL that had no issuing distribution point extension. This branch updates the logic to allow this case.

In practice we've seen the previous logic is too strict; some CAs (notably Amazon) issue end entity certificates that include a CRL DP ext, but do not include an IDP ext in the corresponding CRL.

The chapter-and-verse in 5280 doesn't impose a requirement here and our strictness on the matter was informed by concerns about potential replacement attacks that are not applicable here. The CRL is assumed to have a global scope (e.g. that it covers all certificates issued by the CRL issuer) when there is no IDP ext specifying otherwise. See discussion in https://github.com/rustls/webpki/issues/228 for more information.

We of course continue to require the issuer of the CRL match the issuer of the cert, and that signatures verify, in order to consider the CRL authoritative for the cert.

Unit tests are updated accordingly (which requires regenerating the test CRL data).

Resolves https://github.com/rustls/webpki/issues/228
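To make the decision rule in the description concrete, here is an added example that is not code from rustls/webpki and does not use its API; every type and function name is hypothetical, signature verification is reduced to a boolean stand-in, and the two IDP-present arms are simplifications that only require a distribution point name to match. It contrasts the previous strict rule with the global-scope rule this PR adopts, while keeping the issuer and signature requirements that apply in both:

```rust
// Added example, not part of rustls/webpki: a simplified model of the
// "is this CRL authoritative for this certificate?" decision the PR
// describes. All type and function names here are hypothetical.

/// A distribution point name, modelled as a plain string (e.g. a URI).
#[derive(Debug, Clone, PartialEq)]
pub struct DpName(pub String);

/// The parts of an end-entity certificate the decision needs.
#[derive(Debug, Clone)]
pub struct Cert {
    pub issuer: String,
    /// CRL Distribution Points extension, if present.
    pub crl_dp: Option<Vec<DpName>>,
}

/// The parts of a CRL the decision needs.
#[derive(Debug, Clone)]
pub struct Crl {
    pub issuer: String,
    /// Issuing Distribution Point extension, if present.
    pub idp: Option<Vec<DpName>>,
    /// Stand-in for "the CRL signature verified under the issuer's key".
    pub signature_verified: bool,
}

/// Which scoping rule applies to a CRL that carries no IDP extension.
#[derive(Debug, Clone, Copy, PartialEq)]
pub enum Scoping {
    /// Previous behaviour: a cert with a CRL DP ext is not covered by an IDP-less CRL.
    Strict,
    /// Behaviour after this PR: an IDP-less CRL is assumed to have global scope.
    GlobalScope,
}

#[derive(Debug, PartialEq)]
pub enum Verdict {
    Authoritative,
    IssuerMismatch,
    BadSignature,
    NotCovered,
}

pub fn crl_verdict(cert: &Cert, crl: &Crl, scoping: Scoping) -> Verdict {
    // Both rules always require a matching issuer and a verified signature.
    if cert.issuer != crl.issuer {
        return Verdict::IssuerMismatch;
    }
    if !crl.signature_verified {
        return Verdict::BadSignature;
    }
    match (&cert.crl_dp, &crl.idp) {
        // Neither side scopes anything: the CRL covers the cert.
        (None, None) => Verdict::Authoritative,
        // The case this PR changes: the cert has a DP ext, the CRL has no IDP ext.
        (Some(_), None) => match scoping {
            Scoping::Strict => Verdict::NotCovered,
            Scoping::GlobalScope => Verdict::Authoritative,
        },
        // Simplification: with an IDP present, one of the cert's DP names
        // must match one of the IDP names.
        (Some(dps), Some(idp_names)) => {
            if dps.iter().any(|dp| idp_names.contains(dp)) {
                Verdict::Authoritative
            } else {
                Verdict::NotCovered
            }
        }
        // Simplification: an IDP-scoped CRL does not cover a cert with no DP ext.
        (None, Some(_)) => Verdict::NotCovered,
    }
}

fn main() {
    // Constructed sample mirroring the case in the PR text: the cert names
    // a distribution point, the corresponding CRL carries no IDP extension.
    let cert = Cert {
        issuer: "CN=Example CA".to_string(),
        crl_dp: Some(vec![DpName("http://crl.example.test/ca.crl".to_string())]),
    };
    let crl = Crl {
        issuer: "CN=Example CA".to_string(),
        idp: None,
        signature_verified: true,
    };
    println!("strict:       {:?}", crl_verdict(&cert, &crl, Scoping::Strict));
    println!("global scope: {:?}", crl_verdict(&cert, &crl, Scoping::GlobalScope));
}
```

Under `Scoping::Strict` the sample cert is reported as not covered; under `Scoping::GlobalScope` the same CRL is authoritative, and swapping in a CRL from a different issuer or one whose signature did not verify is still rejected under either rule.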

codecov[bot] commented 2 months ago

Codecov Report

All modified and coverable lines are covered by tests.

Project coverage is 97.30%. Comparing base (6cd6d03) to head (e830981).

Additional details and impacted files

```diff
@@            Coverage Diff             @@
##             main     #276      +/-   ##
==========================================
- Coverage   97.30%   97.30%   -0.01%
==========================================
  Files          19       19
  Lines        4237     4234       -3
==========================================
- Hits         4123     4120       -3
  Misses        114      114
```
