Closed cpu closed 2 months ago
All modified and coverable lines are covered by tests :white_check_mark:
Project coverage is 97.30%. Comparing base (6cd6d03) to head (e830981).
Previously the logic in src/crl/types.rs was strict when considering whether a certificate with a CRL distribution point extension was covered by a CRL that had no issuing distribution point extension. This branch updates the logic to allow this case. In practice we've seen the previous logic is too strict; some CAs (notably Amazon) issue end entity certificates that include a CRL DP ext, but do not include an IDP ext in the corresponding CRL.
The chapter-and-verse in 5280 doesn't impose a requirement here and our strictness on the matter was informed by concerns about potential replacement attacks that are not applicable here. The CRL is assumed to have a global scope (e.g. that it covers all certificates issued by the CRL issuer) when there is no IDP ext specifying otherwise. See discussion in https://github.com/rustls/webpki/issues/228 for more information.
We of course continue to require that the issuer of the CRL match the issuer of the cert, and that signatures verify, in order to consider the CRL authoritative for the cert.
Unit tests are updated accordingly (which requires regenerating the test CRL data).
Resolves https://github.com/rustls/webpki/issues/228
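As an added illustration (not webpki's own code) of the decision this PR changes, the following Rust model uses hypothetical `Cert` and `Crl` types; the IDP-present branch is a simplified scope match, while the issuer and signature checks stand in for the unchanged preconditions.

```rust
// Illustrative model, not webpki's code: names are hypothetical and the
// IDP-present branch is a simplified scope match.
pub struct Cert {
    pub issuer: &'static str,
    /// CRL Distribution Points extension: DP names, if present.
    pub crl_dp: Option<Vec<&'static str>>,
}

pub struct Crl {
    pub issuer: &'static str,
    /// Issuing Distribution Point extension: scope names, if present.
    pub idp: Option<Vec<&'static str>>,
    /// Result of verifying the CRL signature with the issuer's key.
    pub signature_ok: bool,
}

/// Unchanged preconditions: issuer names match and the signature verifies.
pub fn issuer_and_signature_ok(cert: &Cert, crl: &Crl) -> bool {
    cert.issuer == crl.issuer && crl.signature_ok
}

/// Scope rule when the CRL carries an IDP: one of the cert's DP names must
/// appear among the IDP names (simplified for illustration).
pub fn idp_scope_matches(cert: &Cert, idp: &[&str]) -> bool {
    cert.crl_dp.as_ref().map_or(false, |dps| dps.iter().any(|dp| idp.contains(dp)))
}

/// Pre-change (strict): CRL DP on the cert but no IDP on the CRL => not covered.
pub fn authoritative_strict(cert: &Cert, crl: &Crl) -> bool {
    issuer_and_signature_ok(cert, crl)
        && match &crl.idp {
            Some(idp) => idp_scope_matches(cert, idp),
            None => cert.crl_dp.is_none(),
        }
}

/// Post-change: a CRL without an IDP has global scope for its issuer, so the
/// cert's CRL DP extension no longer matters in that branch.
pub fn authoritative_relaxed(cert: &Cert, crl: &Crl) -> bool {
    issuer_and_signature_ok(cert, crl)
        && match &crl.idp {
            Some(idp) => idp_scope_matches(cert, idp),
            None => true,
        }
}
```

The reported case (end entity cert with a CRL DP, CRL without an IDP) is rejected by the strict version and accepted by the relaxed one, while an issuer mismatch or a bad signature is rejected by both.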