
     1  // Copyright 2017 Google LLC. All Rights Reserved.
     2  //
     3  // Use of this source code is governed by a BSD-style
     4  // license that can be found in the LICENSE file.
     5  
     6  package x509
     7  
     8  import (
     9  	"encoding/pem"
    10  	"math/big"
    11  	"reflect"
    12  	"strings"
    13  	"testing"
    14  	"time"
    15  
    16  	"github.com/google/certificate-transparency-go/asn1"
    17  	"github.com/google/certificate-transparency-go/x509/pkix"
    18  )
    19  
    20  func TestParseCertificateList(t *testing.T) {
    21  	var tests = []struct {
    22  		desc    string
    23  		data    string // as hex
    24  		want    TBSCertList
    25  		wantErr string
    26  	}{
    27  		{
    28  			desc: "valid-certlist",
    29  			data: ("3082026c" + // SEQUENCE CertificateList
    30  				("30820154" + // SEQUENCE TBSCertList
    31  					("0201" + "01") + // version 2(0x01)
    32  					("300d" + // SEQUENCE AlgorithmIdentifier
    33  						("0609" + "2a864886f70d01010b") + // OID: sha256WithRSA
    34  						"0500") + // NULL
    35  					("3049" + // SEQUENCE Name
    36  						("310b" +
    37  							("3009" +
    38  								("0603" + "550406") + // OID: country
    39  								("1302" + "5553"))) + // "US"
    40  						("3113" +
    41  							("3011" +
    42  								("0603" + "55040a") + // OID: organization
    43  								("130a" + "476f6f676c6520496e63"))) + // "Google Inc"
    44  						("3125" +
    45  							("3023" +
    46  								("0603" + "550403") + // OID: commonName
    47  								("131c" + "476f6f676c6520496e7465726e657420417574686f72697479204732")))) +
    48  					("170d" + "3137303632393031303030325a") + // UTCTime
    49  					("170d" + "3137303730393031303030325a") + // UTCTime
    50  					("3081a4" + // SEQUENCE OF
    51  						("3027" +
    52  							("0208" + "764bedd38afd51f7") + // serial number
    53  							("170d" + "3137303131333134313835385a") + // revocation time
    54  							("300c" +
    55  								("300a" +
    56  									("0603" + "551d15") +
    57  									("0403" + "0a0103")))) +
    58  						("3027" +
    59  							("0208" + "3b772e5f1202118e") +
    60  							("170d" + "3137303531303130353530375a") +
    61  							("300c" +
    62  								("300a" +
    63  									("0603" + "551d15") +
    64  									("0403" + "0a0101")))) +
    65  						("3027" +
    66  							("0208" + "0b54e3090079ad4b") +
    67  							("170d" + "3137303431323038353331375a") +
    68  							("300c" +
    69  								("300a" +
    70  									("0603" + "551d15") +
    71  									("0403" + "0a0101")))) +
    72  						("3027" +
    73  							("0208" + "31da3380182af9b2") +
    74  							("170d" + "3136303931353230323231335a") +
    75  							("300c" +
    76  								("300a" +
    77  									("0603" + "551d15") +
    78  									("0403" + "0a0103"))))) +
    79  					("a030" +
    80  						("302e" +
    81  							("301f" +
    82  								("0603" + "551d23") + // OID: authority-key-id
    83  								("0418" +
    84  									("3016" +
    85  										"8014" + "4add06161bbcf668b576f581b6bb621aba5a812f"))) +
    86  							("300b" +
    87  								("0603" + "551d14") + // OID: CRL-number
    88  								("0404" + "02020623"))))) +
    89  				("300d" +
    90  					("0609" + "2a864886f70d01010b") + // OID: sha256WithRSA
    91  					"0500") + // NULL
    92  				("03820101" + // BIT STRING length 0x101
    93  					"004dcde29667973239cca344c58b72128fb5c5db03efdc75cfb7d9a0410ec03c8cd21160b449cd80224f41ca9d91529295ef7d0179ca4b08bb688cecce13cc07b20ecd87ffde1bc356554083c40bea7a387dacc54b3848b3710acf2fa613d007b12afc37f0a77082655b8dbb6683ba2fc52555e9f74bb5ba9429377ff38e193e799fc05c4c9bbcee29492945a732db67ba3575a79a83427a1f6d18d9ede01c544f3ccd68e5680a9b5418e03e1d80b3e77e69860982a4d21c6b111b07c87fe32c561e871554896b37651d5aaf42b2d092ce8d4dd4ae1d7a97091c0a06c03d71580e0557a51408513fde3012f02dac76536822a564faa2553048729633b68f1fc369")),
    94  			want: TBSCertList{
    95  				Version: 1,
    96  				Signature: pkix.AlgorithmIdentifier{
    97  					Algorithm:  oidSignatureSHA256WithRSA,
    98  					Parameters: asn1.RawValue{Class: 0, Tag: 5, Bytes: []byte{}, FullBytes: []byte{5, 0}},
    99  				},
   100  				Issuer: pkix.RDNSequence{
   101  					[]pkix.AttributeTypeAndValue{
   102  						{Type: pkix.OIDCountry, Value: "US"},
   103  					},
   104  					[]pkix.AttributeTypeAndValue{
   105  						{Type: pkix.OIDOrganization, Value: "Google Inc"},
   106  					},
   107  					[]pkix.AttributeTypeAndValue{
   108  						{Type: pkix.OIDCommonName, Value: "Google Internet Authority G2"},
   109  					},
   110  				},
   111  				ThisUpdate: time.Date(2017, 6, 29, 01, 0, 2, 0, time.UTC),
   112  				NextUpdate: time.Date(2017, 7, 9, 01, 0, 2, 0, time.UTC),
   113  				RevokedCertificates: []*RevokedCertificate{
   114  					{
   115  						RevokedCertificate: pkix.RevokedCertificate{
   116  							SerialNumber:   big.NewInt(0x764bedd38afd51f7),
   117  							RevocationTime: time.Date(2017, 1, 13, 14, 18, 58, 0, time.UTC),
   118  						},
   119  						RevocationReason: AffiliationChanged,
   120  					},
   121  					{
   122  						RevokedCertificate: pkix.RevokedCertificate{
   123  							SerialNumber:   big.NewInt(0x3b772e5f1202118e),
   124  							RevocationTime: time.Date(2017, 5, 10, 10, 55, 7, 0, time.UTC),
   125  						},
   126  						RevocationReason: KeyCompromise,
   127  					},
   128  					{
   129  						RevokedCertificate: pkix.RevokedCertificate{
   130  							SerialNumber:   big.NewInt(0x0b54e3090079ad4b),
   131  							RevocationTime: time.Date(2017, 4, 12, 8, 53, 17, 0, time.UTC),
   132  						},
   133  						RevocationReason: KeyCompromise,
   134  					},
   135  					{
   136  						RevokedCertificate: pkix.RevokedCertificate{
   137  							SerialNumber:   big.NewInt(0x31da3380182af9b2),
   138  							RevocationTime: time.Date(2016, 9, 15, 20, 22, 13, 0, time.UTC),
   139  						},
   140  						RevocationReason: AffiliationChanged,
   141  					},
   142  				},
   143  				AuthorityKeyID: fromHex("4add06161bbcf668b576f581b6bb621aba5a812f"),
   144  				CRLNumber:      1571,
   145  				BaseCRLNumber:  -1,
   146  			},
   147  		},
   148  		{
   149  			desc: "invalid-cert-critical-ext-revocation-time",
   150  			data: ("3082026f" + // SEQUENCE CertificateList
   151  				("30820157" + // SEQUENCE TBSCertList
   152  					("0201" + "01") + // version 2(0x01)
   153  					("300d" + // SEQUENCE AlgorithmIdentifier
   154  						("0609" + "2a864886f70d01010b") + // OID: sha256WithRSA
   155  						"0500") + // NULL
   156  					("3049" + // SEQUENCE Name
   157  						("310b" +
   158  							("3009" +
   159  								("0603" + "550406") + // OID: country
   160  								("1302" + "5553"))) + // "US"
   161  						("3113" +
   162  							("3011" +
   163  								("0603" + "55040a") + // OID: organization
   164  								("130a" + "476f6f676c6520496e63"))) + // "Google Inc"
   165  						("3125" +
   166  							("3023" +
   167  								("0603" + "550403") + // OID: commonName
   168  								("131c" + "476f6f676c6520496e7465726e657420417574686f72697479204732")))) +
   169  					("170d" + "3137303632393031303030325a") + // UTCTime
   170  					("170d" + "3137303730393031303030325a") + // UTCTime
   171  					("3081a7" + // SEQUENCE OF
   172  						("302a" +
   173  							("0208" + "764bedd38afd51f7") + // serial number
   174  							("170d" + "3137303131333134313835385a") + // revocation time
   175  							("300f" +
   176  								("300d" +
   177  									("0603" + "551d15") +
   178  									("0101ff") + // INVALID critical: true
   179  									("0403" + "0a0103")))) +
   180  						("3027" +
   181  							("0208" + "3b772e5f1202118e") +
   182  							("170d" + "3137303531303130353530375a") +
   183  							("300c" +
   184  								("300a" +
   185  									("0603" + "551d15") +
   186  									("0403" + "0a0101")))) +
   187  						("3027" +
   188  							("0208" + "0b54e3090079ad4b") +
   189  							("170d" + "3137303431323038353331375a") +
   190  							("300c" +
   191  								("300a" +
   192  									("0603" + "551d15") +
   193  									("0403" + "0a0101")))) +
   194  						("3027" +
   195  							("0208" + "31da3380182af9b2") +
   196  							("170d" + "3136303931353230323231335a") +
   197  							("300c" +
   198  								("300a" +
   199  									("0603" + "551d15") +
   200  									("0403" + "0a0103"))))) +
   201  					("a030" +
   202  						("302e" +
   203  							("301f" +
   204  								("0603" + "551d23") + // OID: authority-key-id
   205  								("0418" +
   206  									("3016" +
   207  										"8014" + "4add06161bbcf668b576f581b6bb621aba5a812f"))) +
   208  							("300b" +
   209  								("0603" + "551d14") + // OID: CRL-number
   210  								("0404" + "02020623"))))) +
   211  				("300d" +
   212  					("0609" + "2a864886f70d01010b") + // OID: sha256WithRSA
   213  					"0500") + // NULL
   214  				("03820101" + // BIT STRING length 0x101
   215  					"004dcde29667973239cca344c58b72128fb5c5db03efdc75cfb7d9a0410ec03c8cd21160b449cd80224f41ca9d91529295ef7d0179ca4b08bb688cecce13cc07b20ecd87ffde1bc356554083c40bea7a387dacc54b3848b3710acf2fa613d007b12afc37f0a77082655b8dbb6683ba2fc52555e9f74bb5ba9429377ff38e193e799fc05c4c9bbcee29492945a732db67ba3575a79a83427a1f6d18d9ede01c544f3ccd68e5680a9b5418e03e1d80b3e77e69860982a4d21c6b111b07c87fe32c561e871554896b37651d5aaf42b2d092ce8d4dd4ae1d7a97091c0a06c03d71580e0557a51408513fde3012f02dac76536822a564faa2553048729633b68f1fc369")),
   216  			wantErr: "marked critical",
   217  		},
   218  		{
   219  			desc: "invalid-unknown-critical-ext",
   220  			data: ("308201c9" + // SEQUENCE CertificateList
   221  				("3081b2" + // SEQUENCE TBSCertList
   222  					("0201" + "01") + // version 2(0x01)
   223  					("300d" + // SEQUENCE AlgorithmIdentifier
   224  						("0609" + "2a864886f70d01010b") + // OID: sha256WithRSA
   225  						"0500") + // NULL
   226  					("3049" + // SEQUENCE Name
   227  						("310b" +
   228  							("3009" +
   229  								("0603" + "550406") + // OID: country
   230  								("1302" + "5553"))) + // "US"
   231  						("3113" +
   232  							("3011" +
   233  								("0603" + "55040a") + // OID: organization
   234  								("130a" + "476f6f676c6520496e63"))) + // "Google Inc"
   235  						("3125" +
   236  							("3023" +
   237  								("0603" + "550403") + // OID: commonName
   238  								("131c" + "476f6f676c6520496e7465726e657420417574686f72697479204732")))) +
   239  					("170d" + "3137303632393031303030325a") + // UTCTime
   240  					("170d" + "3137303730393031303030325a") + // UTCTime
   241  					("3000") + // no revoked certs
   242  					("a033" +
   243  						("3031" +
   244  							("301f" +
   245  								("0603" + "551d23") + // OID: authority-key-id
   246  								("0418" +
   247  									("3016" +
   248  										"8014" + "4add06161bbcf668b576f581b6bb621aba5a812f"))) +
   249  							("300e" +
   250  								("0603" + "551d1f") + // OID: unknown
   251  								("0101ff") + // critical: true
   252  								("0404" + "02020623"))))) +
   253  				("300d" +
   254  					("0609" + "2a864886f70d01010b") + // OID: sha256WithRSA
   255  					"0500") + // NULL
   256  				("03820101" + // BIT STRING length 0x101
   257  					"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")),
   258  			wantErr: "unhandled critical extension",
   259  		},
   260  		{
   261  			desc: "invalid-unknown-ext-trailing-data",
   262  			data: ("308201c9" + // SEQUENCE CertificateList
   263  				("3081b2" + // SEQUENCE TBSCertList
   264  					("0201" + "01") + // version 2(0x01)
   265  					("300d" + // SEQUENCE AlgorithmIdentifier
   266  						("0609" + "2a864886f70d01010b") + // OID: sha256WithRSA
   267  						"0500") + // NULL
   268  					("3049" + // SEQUENCE Name
   269  						("310b" +
   270  							("3009" +
   271  								("0603" + "550406") + // OID: country
   272  								("1302" + "5553"))) + // "US"
   273  						("3113" +
   274  							("3011" +
   275  								("0603" + "55040a") + // OID: organization
   276  								("130a" + "476f6f676c6520496e63"))) + // "Google Inc"
   277  						("3125" +
   278  							("3023" +
   279  								("0603" + "550403") + // OID: commonName
   280  								("131c" + "476f6f676c6520496e7465726e657420417574686f72697479204732")))) +
   281  					("170d" + "3137303632393031303030325a") + // UTCTime
   282  					("170d" + "3137303730393031303030325a") + // UTCTime
   283  					("3000") + // no revoked certs
   284  					("a033" +
   285  						("3031" +
   286  							("301f" +
   287  								("0603" + "551d23") + // OID: authority-key-id
   288  								("0418" +
   289  									("3016" +
   290  										"8014" + "4add06161bbcf668b576f581b6bb621aba5a812f"))) +
   291  							("300e" +
   292  								("0603" + "551d1f") + // OID: unknown
   293  								("010100") + // critical: false
   294  								("0404" + "02020623"))))) +
   295  				("300d" +
   296  					("0609" + "2a864886f70d01010b") + // OID: sha256WithRSA
   297  					"0500") + // NULL
   298  				("03820101" + // BIT STRING length 0x101
   299  					"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") +
   300  				"00"),
   301  			wantErr: "trailing data",
   302  		},
   303  		{
   304  			desc:    "invalid-wrong-asn1",
   305  			data:    "0a0101",
   306  			wantErr: "structure error",
   307  		},
   308  		// The following example is used as the template for other variations
   309  		{
   310  			desc: "valid-empty-certlist",
   311  			data: ("308201c6" + // SEQUENCE CertificateList
   312  				("3081af" + // SEQUENCE TBSCertList
   313  					("0201" + "01") + // version 2(0x01)
   314  					("300d" + // SEQUENCE AlgorithmIdentifier
   315  						("0609" + "2a864886f70d01010b") + // OID: sha256WithRSA
   316  						"0500") + // NULL
   317  					("3049" + // SEQUENCE Name
   318  						("310b" +
   319  							("3009" +
   320  								("0603" + "550406") + // OID: country
   321  								("1302" + "5553"))) + // "US"
   322  						("3113" +
   323  							("3011" +
   324  								("0603" + "55040a") + // OID: organization
   325  								("130a" + "476f6f676c6520496e63"))) + // "Google Inc"
   326  						("3125" +
   327  							("3023" +
   328  								("0603" + "550403") + // OID: commonName
   329  								("131c" + "476f6f676c6520496e7465726e657420417574686f72697479204732")))) +
   330  					("170d" + "3137303632393031303030325a") + // UTCTime
   331  					("170d" + "3137303730393031303030325a") + // UTCTime
   332  					("3000") + // SEQUENCE OF no revoked certs
   333  					("a030" +
   334  						("302e" +
   335  							("301f" +
   336  								("0603" + "551d23") + // OID: authority-key-id
   337  								("0418" +
   338  									("3016" +
   339  										"8014" + "4add06161bbcf668b576f581b6bb621aba5a812f"))) +
   340  							("300b" +
   341  								("0603" + "551d14") + // OID: CRL-number
   342  								("0404" + "02020623"))))) +
   343  				("300d" +
   344  					("0609" + "2a864886f70d01010b") + // OID: sha256WithRSA
   345  					"0500") + // NULL
   346  				("03820101" + // BIT STRING length 0x101
   347  					"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")),
   348  			want: TBSCertList{
   349  				Version: 1,
   350  				Signature: pkix.AlgorithmIdentifier{
   351  					Algorithm:  oidSignatureSHA256WithRSA,
   352  					Parameters: asn1.RawValue{Class: 0, Tag: 5, Bytes: []byte{}, FullBytes: []byte{5, 0}},
   353  				},
   354  				Issuer: pkix.RDNSequence{
   355  					[]pkix.AttributeTypeAndValue{
   356  						{Type: pkix.OIDCountry, Value: "US"},
   357  					},
   358  					[]pkix.AttributeTypeAndValue{
   359  						{Type: pkix.OIDOrganization, Value: "Google Inc"},
   360  					},
   361  					[]pkix.AttributeTypeAndValue{
   362  						{Type: pkix.OIDCommonName, Value: "Google Internet Authority G2"},
   363  					},
   364  				},
   365  				ThisUpdate:          time.Date(2017, 6, 29, 01, 0, 2, 0, time.UTC),
   366  				NextUpdate:          time.Date(2017, 7, 9, 01, 0, 2, 0, time.UTC),
   367  				RevokedCertificates: []*RevokedCertificate{},
   368  				AuthorityKeyID:      fromHex("4add06161bbcf668b576f581b6bb621aba5a812f"),
   369  				CRLNumber:           1571,
   370  				BaseCRLNumber:       -1,
   371  			},
   372  		},
   373  		{
   374  			desc: "valid-delta-crl-indicator-ext",
   375  			data: ("308201d6" + // SEQUENCE CertificateList
   376  				("3081bf" + // SEQUENCE TBSCertList
   377  					("0201" + "01") + // version 2(0x01)
   378  					("300d" + // SEQUENCE AlgorithmIdentifier
   379  						("0609" + "2a864886f70d01010b") + // OID: sha256WithRSA
   380  						"0500") + // NULL
   381  					("3049" + // SEQUENCE Name
   382  						("310b" +
   383  							("3009" +
   384  								("0603" + "550406") + // OID: country
   385  								("1302" + "5553"))) + // "US"
   386  						("3113" +
   387  							("3011" +
   388  								("0603" + "55040a") + // OID: organization
   389  								("130a" + "476f6f676c6520496e63"))) + // "Google Inc"
   390  						("3125" +
   391  							("3023" +
   392  								("0603" + "550403") + // OID: commonName
   393  								("131c" + "476f6f676c6520496e7465726e657420417574686f72697479204732")))) +
   394  					("170d" + "3137303632393031303030325a") + // UTCTime
   395  					("170d" + "3137303730393031303030325a") + // UTCTime
   396  					("3000") + // SEQUENCE OF no revoked certs
   397  					("a040" +
   398  						("303e" +
   399  							("301f" +
   400  								("0603" + "551d23") + // OID: authority-key-id
   401  								("0418" +
   402  									("3016" +
   403  										"8014" + "4add06161bbcf668b576f581b6bb621aba5a812f"))) +
   404  							("300e" +
   405  								("0603" + "551d1b") + // OID: delta-crl-indicator
   406  								("0101ff") + // critical: true
   407  								("0404" + "02020120")) +
   408  							("300b" +
   409  								("0603" + "551d14") + // OID: CRL-number
   410  								("0404" + "02020623"))))) +
   411  				("300d" +
   412  					("0609" + "2a864886f70d01010b") + // OID: sha256WithRSA
   413  					"0500") + // NULL
   414  				("03820101" + // BIT STRING length 0x101
   415  					"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")),
   416  			want: TBSCertList{
   417  				Version: 1,
   418  				Signature: pkix.AlgorithmIdentifier{
   419  					Algorithm:  oidSignatureSHA256WithRSA,
   420  					Parameters: asn1.RawValue{Class: 0, Tag: 5, Bytes: []byte{}, FullBytes: []byte{5, 0}},
   421  				},
   422  				Issuer: pkix.RDNSequence{
   423  					[]pkix.AttributeTypeAndValue{
   424  						{Type: pkix.OIDCountry, Value: "US"},
   425  					},
   426  					[]pkix.AttributeTypeAndValue{
   427  						{Type: pkix.OIDOrganization, Value: "Google Inc"},
   428  					},
   429  					[]pkix.AttributeTypeAndValue{
   430  						{Type: pkix.OIDCommonName, Value: "Google Internet Authority G2"},
   431  					},
   432  				},
   433  				ThisUpdate:          time.Date(2017, 6, 29, 01, 0, 2, 0, time.UTC),
   434  				NextUpdate:          time.Date(2017, 7, 9, 01, 0, 2, 0, time.UTC),
   435  				RevokedCertificates: []*RevokedCertificate{},
   436  				AuthorityKeyID:      fromHex("4add06161bbcf668b576f581b6bb621aba5a812f"),
   437  				CRLNumber:           1571,
   438  				BaseCRLNumber:       288,
   439  			},
   440  		},
   441  		{
   442  			desc: "invalid-delta-crl-indicator-ext-non-critical",
   443  			data: ("308201d6" + // SEQUENCE CertificateList
   444  				("3081bf" + // SEQUENCE TBSCertList
   445  					("0201" + "01") + // version 2(0x01)
   446  					("300d" + // SEQUENCE AlgorithmIdentifier
   447  						("0609" + "2a864886f70d01010b") + // OID: sha256WithRSA
   448  						"0500") + // NULL
   449  					("3049" + // SEQUENCE Name
   450  						("310b" +
   451  							("3009" +
   452  								("0603" + "550406") + // OID: country
   453  								("1302" + "5553"))) + // "US"
   454  						("3113" +
   455  							("3011" +
   456  								("0603" + "55040a") + // OID: organization
   457  								("130a" + "476f6f676c6520496e63"))) + // "Google Inc"
   458  						("3125" +
   459  							("3023" +
   460  								("0603" + "550403") + // OID: commonName
   461  								("131c" + "476f6f676c6520496e7465726e657420417574686f72697479204732")))) +
   462  					("170d" + "3137303632393031303030325a") + // UTCTime
   463  					("170d" + "3137303730393031303030325a") + // UTCTime
   464  					("3000") + // SEQUENCE OF no revoked certs
   465  					("a040" +
   466  						("303e" +
   467  							("301f" +
   468  								("0603" + "551d23") + // OID: authority-key-id
   469  								("0418" +
   470  									("3016" +
   471  										"8014" + "4add06161bbcf668b576f581b6bb621aba5a812f"))) +
   472  							("300e" +
   473  								("0603" + "551d1b") + // OID: delta-crl-indicator
   474  								("010100") + // INVALID: critical: false
   475  								("0404" + "02020120")) +
   476  							("300b" +
   477  								("0603" + "551d14") + // OID: CRL-number
   478  								("0404" + "02020623"))))) +
   479  				("300d" +
   480  					("0609" + "2a864886f70d01010b") + // OID: sha256WithRSA
   481  					"0500") + // NULL
   482  				("03820101" + // BIT STRING length 0x101
   483  					"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")),
   484  			wantErr: "marked non-critical",
   485  		},
   486  		{
   487  			desc: "invalid-delta-crl-indicator-ext-wrong-asn1",
   488  			data: ("308201d6" + // SEQUENCE CertificateList
   489  				("3081bf" + // SEQUENCE TBSCertList
   490  					("0201" + "01") + // version 2(0x01)
   491  					("300d" + // SEQUENCE AlgorithmIdentifier
   492  						("0609" + "2a864886f70d01010b") + // OID: sha256WithRSA
   493  						"0500") + // NULL
   494  					("3049" + // SEQUENCE Name
   495  						("310b" +
   496  							("3009" +
   497  								("0603" + "550406") + // OID: country
   498  								("1302" + "5553"))) + // "US"
   499  						("3113" +
   500  							("3011" +
   501  								("0603" + "55040a") + // OID: organization
   502  								("130a" + "476f6f676c6520496e63"))) + // "Google Inc"
   503  						("3125" +
   504  							("3023" +
   505  								("0603" + "550403") + // OID: commonName
   506  								("131c" + "476f6f676c6520496e7465726e657420417574686f72697479204732")))) +
   507  					("170d" + "3137303632393031303030325a") + // UTCTime
   508  					("170d" + "3137303730393031303030325a") + // UTCTime
   509  					("3000") + // SEQUENCE OF no revoked certs
   510  					("a040" +
   511  						("303e" +
   512  							("301f" +
   513  								("0603" + "551d23") + // OID: authority-key-id
   514  								("0418" +
   515  									("3016" +
   516  										"8014" + "4add06161bbcf668b576f581b6bb621aba5a812f"))) +
   517  							("300e" +
   518  								("0603" + "551d1b") + // OID: delta-crl-indicator
   519  								("0101ff") + // critical: true
   520  								("0404" + "0a020123")) + // INVALID: tag ENUM not int
   521  							("300b" +
   522  								("0603" + "551d14") + // OID: CRL-number
   523  								("0404" + "02020623"))))) +
   524  				("300d" +
   525  					("0609" + "2a864886f70d01010b") + // OID: sha256WithRSA
   526  					"0500") + // NULL
   527  				("03820101" + // BIT STRING length 0x101
   528  					"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")),
   529  			wantErr: "failed to unmarshal",
   530  		},
   531  		{
   532  			desc: "invalid-delta-crl-indicator-ext-trailing-data",
   533  			data: ("308201d6" + // SEQUENCE CertificateList
   534  				("3081bf" + // SEQUENCE TBSCertList
   535  					("0201" + "01") + // version 2(0x01)
   536  					("300d" + // SEQUENCE AlgorithmIdentifier
   537  						("0609" + "2a864886f70d01010b") + // OID: sha256WithRSA
   538  						"0500") + // NULL
   539  					("3049" + // SEQUENCE Name
   540  						("310b" +
   541  							("3009" +
   542  								("0603" + "550406") + // OID: country
   543  								("1302" + "5553"))) + // "US"
   544  						("3113" +
   545  							("3011" +
   546  								("0603" + "55040a") + // OID: organization
   547  								("130a" + "476f6f676c6520496e63"))) + // "Google Inc"
   548  						("3125" +
   549  							("3023" +
   550  								("0603" + "550403") + // OID: commonName
   551  								("131c" + "476f6f676c6520496e7465726e657420417574686f72697479204732")))) +
   552  					("170d" + "3137303632393031303030325a") + // UTCTime
   553  					("170d" + "3137303730393031303030325a") + // UTCTime
   554  					("3000") + // SEQUENCE OF no revoked certs
   555  					("a040" +
   556  						("303e" +
   557  							("301f" +
   558  								("0603" + "551d23") + // OID: authority-key-id
   559  								("0418" +
   560  									("3016" +
   561  										"8014" + "4add06161bbcf668b576f581b6bb621aba5a812f"))) +
   562  							("300e" +
   563  								("0603" + "551d1b") + // OID: delta-crl-indicator
   564  								("0101ff") + // critical: true
   565  								("0404" + "020101DD")) + // INVALID: trailing data
   566  							("300b" +
   567  								("0603" + "551d14") + // OID: CRL-number
   568  								("0404" + "02020623"))))) +
   569  				("300d" +
   570  					("0609" + "2a864886f70d01010b") + // OID: sha256WithRSA
   571  					"0500") + // NULL
   572  				("03820101" + // BIT STRING length 0x101
   573  					"004dcde29667973239cca344c58b72128fb5c5db03efdc75cfb7d9a0410ec03c8cd21160b449cd80224f41ca9d91529295ef7d0179ca4b08bb688cecce13cc07b20ecd87ffde1bc356554083c40bea7a387dacc54b3848b3710acf2fa613d007b12afc37f0a77082655b8dbb6683ba2fc52555e9f74bb5ba9429377ff38e193e799fc05c4c9bbcee29492945a732db67ba3575a79a83427a1f6d18d9ede01c544f3ccd68e5680a9b5418e03e1d80b3e77e69860982a4d21c6b111b07c87fe32c561e871554896b37651d5aaf42b2d092ce8d4dd4ae1d7a97091c0a06c03d71580e0557a51408513fde3012f02dac76536822a564faa2553048729633b68f1fc369")),
   574  			wantErr: "trailing data",
   575  		},
   576  		{
   577  			desc: "invalid-delta-crl-indicator-ext-negative",
   578  			data: ("308201d6" + // SEQUENCE CertificateList
   579  				("3081bf" + // SEQUENCE TBSCertList
   580  					("0201" + "01") + // version 2(0x01)
   581  					("300d" + // SEQUENCE AlgorithmIdentifier
   582  						("0609" + "2a864886f70d01010b") + // OID: sha256WithRSA
   583  						"0500") + // NULL
   584  					("3049" + // SEQUENCE Name
   585  						("310b" +
   586  							("3009" +
   587  								("0603" + "550406") + // OID: country
   588  								("1302" + "5553"))) + // "US"
   589  						("3113" +
   590  							("3011" +
   591  								("0603" + "55040a") + // OID: organization
   592  								("130a" + "476f6f676c6520496e63"))) + // "Google Inc"
   593  						("3125" +
   594  							("3023" +
   595  								("0603" + "550403") + // OID: commonName
   596  								("131c" + "476f6f676c6520496e7465726e657420417574686f72697479204732")))) +
   597  					("170d" + "3137303632393031303030325a") + // UTCTime
   598  					("170d" + "3137303730393031303030325a") + // UTCTime
   599  					("3000") + // SEQUENCE OF no revoked certs
   600  					("a040" +
   601  						("303e" +
   602  							("301f" +
   603  								("0603" + "551d23") + // OID: authority-key-id
   604  								("0418" +
   605  									("3016" +
   606  										"8014" + "4add06161bbcf668b576f581b6bb621aba5a812f"))) +
   607  							("300e" +
   608  								("0603" + "551d1b") + // OID: delta-crl-indicator
   609  								("0101ff") + // critical: true
   610  								("0404" + "02028120")) + // INVALID: negative base CRL
   611  							("300b" +
   612  								("0603" + "551d14") + // OID: CRL-number
   613  								("0404" + "02020623"))))) +
   614  				("300d" +
   615  					("0609" + "2a864886f70d01010b") + // OID: sha256WithRSA
   616  					"0500") + // NULL
   617  				("03820101" + // BIT STRING length 0x101
   618  					"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")),
   619  			wantErr: "negative",
   620  		},
   621  		{
   622  			desc: "invalid-crl-number-ext-critical",
   623  			data: ("308201c9" + // SEQUENCE CertificateList
   624  				("3081b2" + // SEQUENCE TBSCertList
   625  					("0201" + "01") + // version 2(0x01)
   626  					("300d" + // SEQUENCE AlgorithmIdentifier
   627  						("0609" + "2a864886f70d01010b") + // OID: sha256WithRSA
   628  						"0500") + // NULL
   629  					("3049" + // SEQUENCE Name
   630  						("310b" +
   631  							("3009" +
   632  								("0603" + "550406") + // OID: country
   633  								("1302" + "5553"))) + // "US"
   634  						("3113" +
   635  							("3011" +
   636  								("0603" + "55040a") + // OID: organization
   637  								("130a" + "476f6f676c6520496e63"))) + // "Google Inc"
   638  						("3125" +
   639  							("3023" +
   640  								("0603" + "550403") + // OID: commonName
   641  								("131c" + "476f6f676c6520496e7465726e657420417574686f72697479204732")))) +
   642  					("170d" + "3137303632393031303030325a") + // UTCTime
   643  					("170d" + "3137303730393031303030325a") + // UTCTime
   644  					("3000") + // no revoked certs
   645  					("a033" +
   646  						("3031" +
   647  							("301f" +
   648  								("0603" + "551d23") + // OID: authority-key-id
   649  								("0418" +
   650  									("3016" +
   651  										"8014" + "4add06161bbcf668b576f581b6bb621aba5a812f"))) +
   652  							("300e" +
   653  								("0603" + "551d14") + // OID: CRL-number
   654  								("0101ff") + // critical: true
   655  								("0404" + "02020623"))))) +
   656  				("300d" +
   657  					("0609" + "2a864886f70d01010b") + // OID: sha256WithRSA
   658  					"0500") + // NULL
   659  				("03820101" + // BIT STRING length 0x101
   660  					"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")),
   661  			wantErr: "marked critical",
   662  		},
   663  		{
   664  			desc: "invalid-crl-number-ext-trailing-data",
   665  			data: ("308201c6" + // SEQUENCE CertificateList
   666  				("3081af" + // SEQUENCE TBSCertList
   667  					("0201" + "01") + // version 2(0x01)
   668  					("300d" + // SEQUENCE AlgorithmIdentifier
   669  						("0609" + "2a864886f70d01010b") + // OID: sha256WithRSA
   670  						"0500") + // NULL
   671  					("3049" + // SEQUENCE Name
   672  						("310b" +
   673  							("3009" +
   674  								("0603" + "550406") + // OID: country
   675  								("1302" + "5553"))) + // "US"
   676  						("3113" +
   677  							("3011" +
   678  								("0603" + "55040a") + // OID: organization
   679  								("130a" + "476f6f676c6520496e63"))) + // "Google Inc"
   680  						("3125" +
   681  							("3023" +
   682  								("0603" + "550403") + // OID: commonName
   683  								("131c" + "476f6f676c6520496e7465726e657420417574686f72697479204732")))) +
   684  					("170d" + "3137303632393031303030325a") + // UTCTime
   685  					("170d" + "3137303730393031303030325a") + // UTCTime
   686  					("3000") + // no revoked certs
   687  					("a030" +
   688  						("302e" +
   689  							("301f" +
   690  								("0603" + "551d23") + // OID: authority-key-id
   691  								("0418" +
   692  									("3016" +
   693  										"8014" + "4add06161bbcf668b576f581b6bb621aba5a812f"))) +
   694  							("300b" +
   695  								("0603" + "551d14") + // OID: CRL-number
   696  								("0404" + "0201" + "0623"))))) + // INVALID: trailing data
   697  				("300d" +
   698  					("0609" + "2a864886f70d01010b") + // OID: sha256WithRSA
   699  					"0500") + // NULL
   700  				("03820101" + // BIT STRING length 0x101
   701  					"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")),
   702  			wantErr: "trailing data",
   703  		},
   704  		{
   705  			desc: "invalid-crl-number-ext-negative",
   706  			data: ("308201c6" + // SEQUENCE CertificateList
   707  				("3081af" + // SEQUENCE TBSCertList
   708  					("0201" + "01") + // version 2(0x01)
   709  					("300d" + // SEQUENCE AlgorithmIdentifier
   710  						("0609" + "2a864886f70d01010b") + // OID: sha256WithRSA
   711  						"0500") + // NULL
   712  					("3049" + // SEQUENCE Name
   713  						("310b" +
   714  							("3009" +
   715  								("0603" + "550406") + // OID: country
   716  								("1302" + "5553"))) + // "US"
   717  						("3113" +
   718  							("3011" +
   719  								("0603" + "55040a") + // OID: organization
   720  								("130a" + "476f6f676c6520496e63"))) + // "Google Inc"
   721  						("3125" +
   722  							("3023" +
   723  								("0603" + "550403") + // OID: commonName
   724  								("131c" + "476f6f676c6520496e7465726e657420417574686f72697479204732")))) +
   725  					("170d" + "3137303632393031303030325a") + // UTCTime
   726  					("170d" + "3137303730393031303030325a") + // UTCTime
   727  					("3000") + // no revoked certs
   728  					("a030" +
   729  						("302e" +
   730  							("301f" +
   731  								("0603" + "551d23") + // OID: authority-key-id
   732  								("0418" +
   733  									("3016" +
   734  										"8014" + "4add06161bbcf668b576f581b6bb621aba5a812f"))) +
   735  							("300b" +
   736  								("0603" + "551d14") + // OID: CRL-number
   737  								("0404" + "0202" + "8623"))))) + // INVALID: negative value
   738  				("300d" +
   739  					("0609" + "2a864886f70d01010b") + // OID: sha256WithRSA
   740  					"0500") + // NULL
   741  				("03820101" + // BIT STRING length 0x101
   742  					"004dcde29667973239cca344c58b72128fb5c5db03efdc75cfb7d9a0410ec03c8cd21160b449cd80224f41ca9d91529295ef7d0179ca4b08bb688cecce13cc07b20ecd87ffde1bc356554083c40bea7a387dacc54b3848b3710acf2fa613d007b12afc37f0a77082655b8dbb6683ba2fc52555e9f74bb5ba9429377ff38e193e799fc05c4c9bbcee29492945a732db67ba3575a79a83427a1f6d18d9ede01c544f3ccd68e5680a9b5418e03e1d80b3e77e69860982a4d21c6b111b07c87fe32c561e871554896b37651d5aaf42b2d092ce8d4dd4ae1d7a97091c0a06c03d71580e0557a51408513fde3012f02dac76536822a564faa2553048729633b68f1fc369")),
   743  			wantErr: "negative",
   744  		},
   745  		{
   746  			desc: "invalid-crl-number-ext-wrong-asn1",
   747  			data: ("308201c6" + // SEQUENCE CertificateList
   748  				("3081af" + // SEQUENCE TBSCertList
   749  					("0201" + "01") + // version 2(0x01)
   750  					("300d" + // SEQUENCE AlgorithmIdentifier
   751  						("0609" + "2a864886f70d01010b") + // OID: sha256WithRSA
   752  						"0500") + // NULL
   753  					("3049" + // SEQUENCE Name
   754  						("310b" +
   755  							("3009" +
   756  								("0603" + "550406") + // OID: country
   757  								("1302" + "5553"))) + // "US"
   758  						("3113" +
   759  							("3011" +
   760  								("0603" + "55040a") + // OID: organization
   761  								("130a" + "476f6f676c6520496e63"))) + // "Google Inc"
   762  						("3125" +
   763  							("3023" +
   764  								("0603" + "550403") + // OID: commonName
   765  								("131c" + "476f6f676c6520496e7465726e657420417574686f72697479204732")))) +
   766  					("170d" + "3137303632393031303030325a") + // UTCTime
   767  					("170d" + "3137303730393031303030325a") + // UTCTime
   768  					("3000") + // no revoked certs
   769  					("a030" +
   770  						("302e" +
   771  							("301f" +
   772  								("0603" + "551d23") + // OID: authority-key-id
   773  								("0418" +
   774  									("3016" +
   775  										"8014" + "4add06161bbcf668b576f581b6bb621aba5a812f"))) +
   776  							("300b" +
   777  								("0603" + "551d14") + // OID: CRL-number
   778  								("0404" + "0a02" + "0623"))))) + // INVALID: enum tag
   779  				("300d" +
   780  					("0609" + "2a864886f70d01010b") + // OID: sha256WithRSA
   781  					"0500") + // NULL
   782  				("03820101" + // BIT STRING length 0x101
   783  					"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")),
   784  			wantErr: "structure error",
   785  		},
   786  		{
   787  			desc: "invalid-auth-key-id-ext-trailing-data",
   788  			data: ("308201c6" + // SEQUENCE CertificateList
   789  				("3081af" + // SEQUENCE TBSCertList
   790  					("0201" + "01") + // version 2(0x01)
   791  					("300d" + // SEQUENCE AlgorithmIdentifier
   792  						("0609" + "2a864886f70d01010b") + // OID: sha256WithRSA
   793  						"0500") + // NULL
   794  					("3049" + // SEQUENCE Name
   795  						("310b" +
   796  							("3009" +
   797  								("0603" + "550406") + // OID: country
   798  								("1302" + "5553"))) + // "US"
   799  						("3113" +
   800  							("3011" +
   801  								("0603" + "55040a") + // OID: organization
   802  								("130a" + "476f6f676c6520496e63"))) + // "Google Inc"
   803  						("3125" +
   804  							("3023" +
   805  								("0603" + "550403") + // OID: commonName
   806  								("131c" + "476f6f676c6520496e7465726e657420417574686f72697479204732")))) +
   807  					("170d" + "3137303632393031303030325a") + // UTCTime
   808  					("170d" + "3137303730393031303030325a") + // UTCTime
   809  					("3000") + // no revoked certs
   810  					("a030" +
   811  						("302e" +
   812  							("301f" +
   813  								("0603" + "551d23") + // OID: authority-key-id
   814  								("0418" +
   815  									("3015" +
   816  										"8013" + "4add06161bbcf668b576f581b6bb621aba5a812f"))) + // INVALID: trailing data
   817  							("300b" +
   818  								("0603" + "551d14") + // OID: CRL-number
   819  								("0404" + "0202" + "0623"))))) +
   820  				("300d" +
   821  					("0609" + "2a864886f70d01010b") + // OID: sha256WithRSA
   822  					"0500") + // NULL
   823  				("03820101" + // BIT STRING length 0x101
   824  					"004dcde29667973239cca344c58b72128fb5c5db03efdc75cfb7d9a0410ec03c8cd21160b449cd80224f41ca9d91529295ef7d0179ca4b08bb688cecce13cc07b20ecd87ffde1bc356554083c40bea7a387dacc54b3848b3710acf2fa613d007b12afc37f0a77082655b8dbb6683ba2fc52555e9f74bb5ba9429377ff38e193e799fc05c4c9bbcee29492945a732db67ba3575a79a83427a1f6d18d9ede01c544f3ccd68e5680a9b5418e03e1d80b3e77e69860982a4d21c6b111b07c87fe32c561e871554896b37651d5aaf42b2d092ce8d4dd4ae1d7a97091c0a06c03d71580e0557a51408513fde3012f02dac76536822a564faa2553048729633b68f1fc369")),
   825  			wantErr: "trailing data",
   826  		},
   827  		{
   828  			desc: "invalid-auth-key-id-ext-wrong-asn1",
   829  			data: ("308201c6" + // SEQUENCE CertificateList
   830  				("3081af" + // SEQUENCE TBSCertList
   831  					("0201" + "01") + // version 2(0x01)
   832  					("300d" + // SEQUENCE AlgorithmIdentifier
   833  						("0609" + "2a864886f70d01010b") + // OID: sha256WithRSA
   834  						"0500") + // NULL
   835  					("3049" + // SEQUENCE Name
   836  						("310b" +
   837  							("3009" +
   838  								("0603" + "550406") + // OID: country
   839  								("1302" + "5553"))) + // "US"
   840  						("3113" +
   841  							("3011" +
   842  								("0603" + "55040a") + // OID: organization
   843  								("130a" + "476f6f676c6520496e63"))) + // "Google Inc"
   844  						("3125" +
   845  							("3023" +
   846  								("0603" + "550403") + // OID: commonName
   847  								("131c" + "476f6f676c6520496e7465726e657420417574686f72697479204732")))) +
   848  					("170d" + "3137303632393031303030325a") + // UTCTime
   849  					("170d" + "3137303730393031303030325a") + // UTCTime
   850  					("3000") + // no revoked certs
   851  					("a030" +
   852  						("302e" +
   853  							("301f" +
   854  								("0603" + "551d23") + // OID: authority-key-id
   855  								("0418" +
   856  									("3116" + // INVALID: set not sequence
   857  										"8014" + "4add06161bbcf668b576f581b6bb621aba5a812f"))) +
   858  							("300b" +
   859  								("0603" + "551d14") + // OID: CRL-number
   860  								("0404" + "0202" + "0623"))))) +
   861  				("300d" +
   862  					("0609" + "2a864886f70d01010b") + // OID: sha256WithRSA
   863  					"0500") + // NULL
   864  				("03820101" + // BIT STRING length 0x101
   865  					"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")),
   866  			wantErr: "failed to unmarshal",
   867  		},
   868  
   869  		{
   870  			desc: "valid-auth-info-access-ext-ca-issuer",
   871  			data: ("308201ee" + // SEQUENCE CertificateList
   872  				("3081d7" + // SEQUENCE TBSCertList
   873  					("0201" + "01") + // version 2(0x01)
   874  					("300d" + // SEQUENCE AlgorithmIdentifier
   875  						("0609" + "2a864886f70d01010b") + // OID: sha256WithRSA
   876  						"0500") + // NULL
   877  					("3049" + // SEQUENCE Name
   878  						("310b" +
   879  							("3009" +
   880  								("0603" + "550406") + // OID: country
   881  								("1302" + "5553"))) + // "US"
   882  						("3113" +
   883  							("3011" +
   884  								("0603" + "55040a") + // OID: organization
   885  								("130a" + "476f6f676c6520496e63"))) + // "Google Inc"
   886  						("3125" +
   887  							("3023" +
   888  								("0603" + "550403") + // OID: commonName
   889  								("131c" + "476f6f676c6520496e7465726e657420417574686f72697479204732")))) +
   890  					("170d" + "3137303632393031303030325a") + // UTCTime
   891  					("170d" + "3137303730393031303030325a") + // UTCTime
   892  					("3000") + // SEQUENCE OF no revoked certs
   893  					("a058" +
   894  						("3056" +
   895  							("301f" +
   896  								("0603" + "551d23") + // OID: authority-key-id
   897  								("0418" +
   898  									("3016" +
   899  										"8014" + "4add06161bbcf668b576f581b6bb621aba5a812f"))) +
   900  							("3026" +
   901  								("0608" + "2b06010505070101") + // OID: authority-info-access
   902  								("041a" +
   903  									("3018" +
   904  										("3016" +
   905  											("0608" + "2b06010505073002") + // OID: CA issuers
   906  											("860a" + "687474703a2f2f777777"))))) + // 'http://www'
   907  							("300b" +
   908  								("0603" + "551d14") + // OID: CRL-number
   909  								("0404" + "02020623"))))) +
   910  				("300d" +
   911  					("0609" + "2a864886f70d01010b") + // OID: sha256WithRSA
   912  					"0500") + // NULL
   913  				("03820101" + // BIT STRING length 0x101
   914  					"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")),
   915  			want: TBSCertList{
   916  				Version: 1,
   917  				Signature: pkix.AlgorithmIdentifier{
   918  					Algorithm:  oidSignatureSHA256WithRSA,
   919  					Parameters: asn1.RawValue{Class: 0, Tag: 5, Bytes: []byte{}, FullBytes: []byte{5, 0}},
   920  				},
   921  				Issuer: pkix.RDNSequence{
   922  					[]pkix.AttributeTypeAndValue{
   923  						{Type: pkix.OIDCountry, Value: "US"},
   924  					},
   925  					[]pkix.AttributeTypeAndValue{
   926  						{Type: pkix.OIDOrganization, Value: "Google Inc"},
   927  					},
   928  					[]pkix.AttributeTypeAndValue{
   929  						{Type: pkix.OIDCommonName, Value: "Google Internet Authority G2"},
   930  					},
   931  				},
   932  				ThisUpdate:            time.Date(2017, 6, 29, 01, 0, 2, 0, time.UTC),
   933  				NextUpdate:            time.Date(2017, 7, 9, 01, 0, 2, 0, time.UTC),
   934  				RevokedCertificates:   []*RevokedCertificate{},
   935  				AuthorityKeyID:        fromHex("4add06161bbcf668b576f581b6bb621aba5a812f"),
   936  				CRLNumber:             1571,
   937  				BaseCRLNumber:         -1,
   938  				IssuingCertificateURL: []string{"http://www"},
   939  			},
   940  		},
   941  		{
   942  			desc: "valid-auth-info-access-ext-ocsp-server",
   943  			data: ("308201ee" + // SEQUENCE CertificateList
   944  				("3081d7" + // SEQUENCE TBSCertList
   945  					("0201" + "01") + // version 2(0x01)
   946  					("300d" + // SEQUENCE AlgorithmIdentifier
   947  						("0609" + "2a864886f70d01010b") + // OID: sha256WithRSA
   948  						"0500") + // NULL
   949  					("3049" + // SEQUENCE Name
   950  						("310b" +
   951  							("3009" +
   952  								("0603" + "550406") + // OID: country
   953  								("1302" + "5553"))) + // "US"
   954  						("3113" +
   955  							("3011" +
   956  								("0603" + "55040a") + // OID: organization
   957  								("130a" + "476f6f676c6520496e63"))) + // "Google Inc"
   958  						("3125" +
   959  							("3023" +
   960  								("0603" + "550403") + // OID: commonName
   961  								("131c" + "476f6f676c6520496e7465726e657420417574686f72697479204732")))) +
   962  					("170d" + "3137303632393031303030325a") + // UTCTime
   963  					("170d" + "3137303730393031303030325a") + // UTCTime
   964  					("3000") + // SEQUENCE OF no revoked certs
   965  					("a058" +
   966  						("3056" +
   967  							("301f" +
   968  								("0603" + "551d23") + // OID: authority-key-id
   969  								("0418" +
   970  									("3016" +
   971  										"8014" + "4add06161bbcf668b576f581b6bb621aba5a812f"))) +
   972  							("3026" +
   973  								("0608" + "2b06010505070101") + // OID: authority-info-access
   974  								("041a" +
   975  									("3018" +
   976  										("3016" +
   977  											("0608" + "2b06010505073001") + // OID: OCSP
   978  											("860a" + "687474703a2f2f777777"))))) + // 'http://www'
   979  							("300b" +
   980  								("0603" + "551d14") + // OID: CRL-number
   981  								("0404" + "02020623"))))) +
   982  				("300d" +
   983  					("0609" + "2a864886f70d01010b") + // OID: sha256WithRSA
   984  					"0500") + // NULL
   985  				("03820101" + // BIT STRING length 0x101
   986  					"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")),
   987  			want: TBSCertList{
   988  				Version: 1,
   989  				Signature: pkix.AlgorithmIdentifier{
   990  					Algorithm:  oidSignatureSHA256WithRSA,
   991  					Parameters: asn1.RawValue{Class: 0, Tag: 5, Bytes: []byte{}, FullBytes: []byte{5, 0}},
   992  				},
   993  				Issuer: pkix.RDNSequence{
   994  					[]pkix.AttributeTypeAndValue{
   995  						{Type: pkix.OIDCountry, Value: "US"},
   996  					},
   997  					[]pkix.AttributeTypeAndValue{
   998  						{Type: pkix.OIDOrganization, Value: "Google Inc"},
   999  					},
  1000  					[]pkix.AttributeTypeAndValue{
  1001  						{Type: pkix.OIDCommonName, Value: "Google Internet Authority G2"},
  1002  					},
  1003  				},
  1004  				ThisUpdate:          time.Date(2017, 6, 29, 01, 0, 2, 0, time.UTC),
  1005  				NextUpdate:          time.Date(2017, 7, 9, 01, 0, 2, 0, time.UTC),
  1006  				RevokedCertificates: []*RevokedCertificate{},
  1007  				AuthorityKeyID:      fromHex("4add06161bbcf668b576f581b6bb621aba5a812f"),
  1008  				CRLNumber:           1571,
  1009  				BaseCRLNumber:       -1,
  1010  				OCSPServer:          []string{"http://www"},
  1011  			},
  1012  		},
  1013  		{
  1014  			desc: "valid-auth-info-access-ext-non-uri-ignored",
  1015  			data: ("308201ee" + // SEQUENCE CertificateList
  1016  				("3081d7" + // SEQUENCE TBSCertList
  1017  					("0201" + "01") + // version 2(0x01)
  1018  					("300d" + // SEQUENCE AlgorithmIdentifier
  1019  						("0609" + "2a864886f70d01010b") + // OID: sha256WithRSA
  1020  						"0500") + // NULL
  1021  					("3049" + // SEQUENCE Name
  1022  						("310b" +
  1023  							("3009" +
  1024  								("0603" + "550406") + // OID: country
  1025  								("1302" + "5553"))) + // "US"
  1026  						("3113" +
  1027  							("3011" +
  1028  								("0603" + "55040a") + // OID: organization
  1029  								("130a" + "476f6f676c6520496e63"))) + // "Google Inc"
  1030  						("3125" +
  1031  							("3023" +
  1032  								("0603" + "550403") + // OID: commonName
  1033  								("131c" + "476f6f676c6520496e7465726e657420417574686f72697479204732")))) +
  1034  					("170d" + "3137303632393031303030325a") + // UTCTime
  1035  					("170d" + "3137303730393031303030325a") + // UTCTime
  1036  					("3000") + // SEQUENCE OF no revoked certs
  1037  					("a058" +
  1038  						("3056" +
  1039  							("301f" +
  1040  								("0603" + "551d23") + // OID: authority-key-id
  1041  								("0418" +
  1042  									("3016" +
  1043  										"8014" + "4add06161bbcf668b576f581b6bb621aba5a812f"))) +
  1044  							("3026" +
  1045  								("0608" + "2b06010505070101") + // OID: authority-info-access
  1046  								("041a" +
  1047  									("3018" +
  1048  										("3016" +
  1049  											("0608" + "2b06010505073001") + // OID: OCSP
  1050  											("820a" + "687474703a2f2f777777"))))) + // dNSName: 'http://www'
  1051  							("300b" +
  1052  								("0603" + "551d14") + // OID: CRL-number
  1053  								("0404" + "02020623"))))) +
  1054  				("300d" +
  1055  					("0609" + "2a864886f70d01010b") + // OID: sha256WithRSA
  1056  					"0500") + // NULL
  1057  				("03820101" + // BIT STRING length 0x101
  1058  					"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")),
  1059  			want: TBSCertList{
  1060  				Version: 1,
  1061  				Signature: pkix.AlgorithmIdentifier{
  1062  					Algorithm:  oidSignatureSHA256WithRSA,
  1063  					Parameters: asn1.RawValue{Class: 0, Tag: 5, Bytes: []byte{}, FullBytes: []byte{5, 0}},
  1064  				},
  1065  				Issuer: pkix.RDNSequence{
  1066  					[]pkix.AttributeTypeAndValue{
  1067  						{Type: pkix.OIDCountry, Value: "US"},
  1068  					},
  1069  					[]pkix.AttributeTypeAndValue{
  1070  						{Type: pkix.OIDOrganization, Value: "Google Inc"},
  1071  					},
  1072  					[]pkix.AttributeTypeAndValue{
  1073  						{Type: pkix.OIDCommonName, Value: "Google Internet Authority G2"},
  1074  					},
  1075  				},
  1076  				ThisUpdate:          time.Date(2017, 6, 29, 01, 0, 2, 0, time.UTC),
  1077  				NextUpdate:          time.Date(2017, 7, 9, 01, 0, 2, 0, time.UTC),
  1078  				RevokedCertificates: []*RevokedCertificate{},
  1079  				AuthorityKeyID:      fromHex("4add06161bbcf668b576f581b6bb621aba5a812f"),
  1080  				CRLNumber:           1571,
  1081  				BaseCRLNumber:       -1,
  1082  			},
  1083  		},
  1084  		{
  1085  			desc: "invalid-auth-info-access-ext-wrong-asn1",
  1086  			data: ("308201ee" + // SEQUENCE CertificateList
  1087  				("3081d7" + // SEQUENCE TBSCertList
  1088  					("0201" + "01") + // version 2(0x01)
  1089  					("300d" + // SEQUENCE AlgorithmIdentifier
  1090  						("0609" + "2a864886f70d01010b") + // OID: sha256WithRSA
  1091  						"0500") + // NULL
  1092  					("3049" + // SEQUENCE Name
  1093  						("310b" +
  1094  							("3009" +
  1095  								("0603" + "550406") + // OID: country
  1096  								("1302" + "5553"))) + // "US"
  1097  						("3113" +
  1098  							("3011" +
  1099  								("0603" + "55040a") + // OID: organization
  1100  								("130a" + "476f6f676c6520496e63"))) + // "Google Inc"
  1101  						("3125" +
  1102  							("3023" +
  1103  								("0603" + "550403") + // OID: commonName
  1104  								("131c" + "476f6f676c6520496e7465726e657420417574686f72697479204732")))) +
  1105  					("170d" + "3137303632393031303030325a") + // UTCTime
  1106  					("170d" + "3137303730393031303030325a") + // UTCTime
  1107  					("3000") + // SEQUENCE OF no revoked certs
  1108  					("a058" +
  1109  						("3056" +
  1110  							("301f" +
  1111  								("0603" + "551d23") + // OID: authority-key-id
  1112  								("0418" +
  1113  									("3016" +
  1114  										"8014" + "4add06161bbcf668b576f581b6bb621aba5a812f"))) +
  1115  							("3026" +
  1116  								("0608" + "2b06010505070101") + // OID: authority-info-access
  1117  								("041a" +
  1118  									("3018" +
  1119  										("3116" + // INVALID: set not sequence
  1120  											("0608" + "2b06010505073002") + // OID: CA issuers
  1121  											("860a" + "687474703a2f2f777777"))))) + // 'http://www'
  1122  							("300b" +
  1123  								("0603" + "551d14") + // OID: CRL-number
  1124  								("0404" + "02020623"))))) +
  1125  				("300d" +
  1126  					("0609" + "2a864886f70d01010b") + // OID: sha256WithRSA
  1127  					"0500") + // NULL
  1128  				("03820101" + // BIT STRING length 0x101
  1129  					"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")),
  1130  			wantErr: "failed to unmarshal",
  1131  		},
  1132  		{
  1133  			desc: "invalid-auth-info-access-ext-trailing-data",
  1134  			data: ("308201ee" + // SEQUENCE CertificateList
  1135  				("3081d7" + // SEQUENCE TBSCertList
  1136  					("0201" + "01") + // version 2(0x01)
  1137  					("300d" + // SEQUENCE AlgorithmIdentifier
  1138  						("0609" + "2a864886f70d01010b") + // OID: sha256WithRSA
  1139  						"0500") + // NULL
  1140  					("3049" + // SEQUENCE Name
  1141  						("310b" +
  1142  							("3009" +
  1143  								("0603" + "550406") + // OID: country
  1144  								("1302" + "5553"))) + // "US"
  1145  						("3113" +
  1146  							("3011" +
  1147  								("0603" + "55040a") + // OID: organization
  1148  								("130a" + "476f6f676c6520496e63"))) + // "Google Inc"
  1149  						("3125" +
  1150  							("3023" +
  1151  								("0603" + "550403") + // OID: commonName
  1152  								("131c" + "476f6f676c6520496e7465726e657420417574686f72697479204732")))) +
  1153  					("170d" + "3137303632393031303030325a") + // UTCTime
  1154  					("170d" + "3137303730393031303030325a") + // UTCTime
  1155  					("3000") + // SEQUENCE OF no revoked certs
  1156  					("a058" +
  1157  						("3056" +
  1158  							("301f" +
  1159  								("0603" + "551d23") + // OID: authority-key-id
  1160  								("0418" +
  1161  									("3016" +
  1162  										"8014" + "4add06161bbcf668b576f581b6bb621aba5a812f"))) +
  1163  							("3026" +
  1164  								("0608" + "2b06010505070101") + // OID: authority-info-access
  1165  								("041a" +
  1166  									("3017" +
  1167  										("3015" +
  1168  											("0608" + "2b06010505073002") + // OID: CA issuers
  1169  											("8609" + "687474703a2f2f7777"))) + "77")) + // INVALID: trailing data
  1170  							("300b" +
  1171  								("0603" + "551d14") + // OID: CRL-number
  1172  								("0404" + "02020623"))))) +
  1173  				("300d" +
  1174  					("0609" + "2a864886f70d01010b") + // OID: sha256WithRSA
  1175  					"0500") + // NULL
  1176  				("03820101" + // BIT STRING length 0x101
  1177  					"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")),
  1178  			wantErr: "trailing data",
  1179  		},
  1180  		{
  1181  			desc: "valid-issuer-alt-name-ext",
  1182  			data: ("308201d6" + // SEQUENCE CertificateList
  1183  				("3081bf" + // SEQUENCE TBSCertList
  1184  					("0201" + "01") + // version 2(0x01)
  1185  					("300d" + // SEQUENCE AlgorithmIdentifier
  1186  						("0609" + "2a864886f70d01010b") + // OID: sha256WithRSA
  1187  						"0500") + // NULL
  1188  					("3049" + // SEQUENCE Name
  1189  						("310b" +
  1190  							("3009" +
  1191  								("0603" + "550406") + // OID: country
  1192  								("1302" + "5553"))) + // "US"
  1193  						("3113" +
  1194  							("3011" +
  1195  								("0603" + "55040a") + // OID: organization
  1196  								("130a" + "476f6f676c6520496e63"))) + // "Google Inc"
  1197  						("3125" +
  1198  							("3023" +
  1199  								("0603" + "550403") + // OID: commonName
  1200  								("131c" + "476f6f676c6520496e7465726e657420417574686f72697479204732")))) +
  1201  					("170d" + "3137303632393031303030325a") + // UTCTime
  1202  					("170d" + "3137303730393031303030325a") + // UTCTime
  1203  					("3000") + // SEQUENCE OF no revoked certs
  1204  					("a040" +
  1205  						("303e" +
  1206  							("301f" +
  1207  								("0603" + "551d23") + // OID: authority-key-id
  1208  								("0418" +
  1209  									("3016" +
  1210  										"8014" + "4add06161bbcf668b576f581b6bb621aba5a812f"))) +
  1211  							("300e" +
  1212  								("0603" + "551d12") + // OID: issuer-alt-name
  1213  								("0407" +
  1214  									("3005" +
  1215  										"8203" + "777777"))) + // [2] dNSName = 'www'
  1216  							("300b" +
  1217  								("0603" + "551d14") + // OID: CRL-number
  1218  								("0404" + "02020623"))))) +
  1219  				("300d" +
  1220  					("0609" + "2a864886f70d01010b") + // OID: sha256WithRSA
  1221  					"0500") + // NULL
  1222  				("03820101" + // BIT STRING length 0x101
  1223  					"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")),
  1224  			want: TBSCertList{
  1225  				Version: 1,
  1226  				Signature: pkix.AlgorithmIdentifier{
  1227  					Algorithm:  oidSignatureSHA256WithRSA,
  1228  					Parameters: asn1.RawValue{Class: 0, Tag: 5, Bytes: []byte{}, FullBytes: []byte{5, 0}},
  1229  				},
  1230  				Issuer: pkix.RDNSequence{
  1231  					[]pkix.AttributeTypeAndValue{
  1232  						{Type: pkix.OIDCountry, Value: "US"},
  1233  					},
  1234  					[]pkix.AttributeTypeAndValue{
  1235  						{Type: pkix.OIDOrganization, Value: "Google Inc"},
  1236  					},
  1237  					[]pkix.AttributeTypeAndValue{
  1238  						{Type: pkix.OIDCommonName, Value: "Google Internet Authority G2"},
  1239  					},
  1240  				},
  1241  				ThisUpdate:          time.Date(2017, 6, 29, 01, 0, 2, 0, time.UTC),
  1242  				NextUpdate:          time.Date(2017, 7, 9, 01, 0, 2, 0, time.UTC),
  1243  				RevokedCertificates: []*RevokedCertificate{},
  1244  				AuthorityKeyID:      fromHex("4add06161bbcf668b576f581b6bb621aba5a812f"),
  1245  				CRLNumber:           1571,
  1246  				BaseCRLNumber:       -1,
  1247  				IssuerAltNames:      GeneralNames{DNSNames: []string{"www"}},
  1248  			},
  1249  		},
  1250  		{
  1251  			desc: "invalid-issuer-alt-name-ext",
  1252  			data: ("308201d6" + // SEQUENCE CertificateList
  1253  				("3081bf" + // SEQUENCE TBSCertList
  1254  					("0201" + "01") + // version 2(0x01)
  1255  					("300d" + // SEQUENCE AlgorithmIdentifier
  1256  						("0609" + "2a864886f70d01010b") + // OID: sha256WithRSA
  1257  						"0500") + // NULL
  1258  					("3049" + // SEQUENCE Name
  1259  						("310b" +
  1260  							("3009" +
  1261  								("0603" + "550406") + // OID: country
  1262  								("1302" + "5553"))) + // "US"
  1263  						("3113" +
  1264  							("3011" +
  1265  								("0603" + "55040a") + // OID: organization
  1266  								("130a" + "476f6f676c6520496e63"))) + // "Google Inc"
  1267  						("3125" +
  1268  							("3023" +
  1269  								("0603" + "550403") + // OID: commonName
  1270  								("131c" + "476f6f676c6520496e7465726e657420417574686f72697479204732")))) +
  1271  					("170d" + "3137303632393031303030325a") + // UTCTime
  1272  					("170d" + "3137303730393031303030325a") + // UTCTime
  1273  					("3000") + // SEQUENCE OF no revoked certs
  1274  					("a040" +
  1275  						("303e" +
  1276  							("301f" +
  1277  								("0603" + "551d23") + // OID: authority-key-id
  1278  								("0418" +
  1279  									("3016" +
  1280  										"8014" + "4add06161bbcf668b576f581b6bb621aba5a812f"))) +
  1281  							("300e" +
  1282  								("0603" + "551d12") + // OID: issuer-alt-name
  1283  								("0407" +
  1284  									("3005" +
  1285  										"8903" + "777777"))) + // INVALID: tag 9 not used
  1286  							("300b" +
  1287  								("0603" + "551d14") + // OID: CRL-number
  1288  								("0404" + "02020623"))))) +
  1289  				("300d" +
  1290  					("0609" + "2a864886f70d01010b") + // OID: sha256WithRSA
  1291  					"0500") + // NULL
  1292  				("03820101" + // BIT STRING length 0x101
  1293  					"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")),
  1294  			wantErr: "failed to parse",
  1295  		},
  1296  		{
  1297  			desc: "valid-freshest-crl-ext",
  1298  			data: ("308201e3" + // SEQUENCE CertificateList
  1299  				("3081cc" + // SEQUENCE TBSCertList
  1300  					("0201" + "01") + // version 2(0x01)
  1301  					("300d" + // SEQUENCE AlgorithmIdentifier
  1302  						("0609" + "2a864886f70d01010b") + // OID: sha256WithRSA
  1303  						"0500") + // NULL
  1304  					("3049" + // SEQUENCE Name
  1305  						("310b" +
  1306  							("3009" +
  1307  								("0603" + "550406") + // OID: country
  1308  								("1302" + "5553"))) + // "US"
  1309  						("3113" +
  1310  							("3011" +
  1311  								("0603" + "55040a") + // OID: organization
  1312  								("130a" + "476f6f676c6520496e63"))) + // "Google Inc"
  1313  						("3125" +
  1314  							("3023" +
  1315  								("0603" + "550403") + // OID: commonName
  1316  								("131c" + "476f6f676c6520496e7465726e657420417574686f72697479204732")))) +
  1317  					("170d" + "3137303632393031303030325a") + // UTCTime
  1318  					("170d" + "3137303730393031303030325a") + // UTCTime
  1319  					("3000") + // SEQUENCE OF no revoked certs
  1320  					("a04d" +
  1321  						("304b" +
  1322  							("301f" +
  1323  								("0603" + "551d23") + // OID: authority-key-id
  1324  								("0418" +
  1325  									("3016" +
  1326  										"8014" + "4add06161bbcf668b576f581b6bb621aba5a812f"))) +
  1327  							("301b" +
  1328  								("0603" + "551d2e") + // OID: freshest-crl
  1329  								("0414" +
  1330  									("3012" +
  1331  										("3010" +
  1332  											("a00e" +
  1333  												("a00c" +
  1334  													("860a" + "687474703a2f2f777777"))))))) + // uRI='http://www'
  1335  							("300b" +
  1336  								("0603" + "551d14") + // OID: CRL-number
  1337  								("0404" + "02020623"))))) +
  1338  				("300d" +
  1339  					("0609" + "2a864886f70d01010b") + // OID: sha256WithRSA
  1340  					"0500") + // NULL
  1341  				("03820101" + // BIT STRING length 0x101
  1342  					"004dcde29667973239cca344c58b72128fb5c5db03efdc75cfb7d9a0410ec03c8cd21160b449cd80224f41ca9d91529295ef7d0179ca4b08bb688cecce13cc07b20ecd87ffde1bc356554083c40bea7a387dacc54b3848b3710acf2fa613d007b12afc37f0a77082655b8dbb6683ba2fc52555e9f74bb5ba9429377ff38e193e799fc05c4c9bbcee29492945a732db67ba3575a79a83427a1f6d18d9ede01c544f3ccd68e5680a9b5418e03e1d80b3e77e69860982a4d21c6b111b07c87fe32c561e871554896b37651d5aaf42b2d092ce8d4dd4ae1d7a97091c0a06c03d71580e0557a51408513fde3012f02dac76536822a564faa2553048729633b68f1fc369")),
  1343  			want: TBSCertList{
  1344  				Version: 1,
  1345  				Signature: pkix.AlgorithmIdentifier{
  1346  					Algorithm:  oidSignatureSHA256WithRSA,
  1347  					Parameters: asn1.RawValue{Class: 0, Tag: 5, Bytes: []byte{}, FullBytes: []byte{5, 0}},
  1348  				},
  1349  				Issuer: pkix.RDNSequence{
  1350  					[]pkix.AttributeTypeAndValue{
  1351  						{Type: pkix.OIDCountry, Value: "US"},
  1352  					},
  1353  					[]pkix.AttributeTypeAndValue{
  1354  						{Type: pkix.OIDOrganization, Value: "Google Inc"},
  1355  					},
  1356  					[]pkix.AttributeTypeAndValue{
  1357  						{Type: pkix.OIDCommonName, Value: "Google Internet Authority G2"},
  1358  					},
  1359  				},
  1360  				ThisUpdate:                   time.Date(2017, 6, 29, 01, 0, 2, 0, time.UTC),
  1361  				NextUpdate:                   time.Date(2017, 7, 9, 01, 0, 2, 0, time.UTC),
  1362  				RevokedCertificates:          []*RevokedCertificate{},
  1363  				AuthorityKeyID:               fromHex("4add06161bbcf668b576f581b6bb621aba5a812f"),
  1364  				CRLNumber:                    1571,
  1365  				BaseCRLNumber:                -1,
  1366  				FreshestCRLDistributionPoint: []string{"http://www"},
  1367  			},
  1368  		},
  1369  		{
  1370  			desc: "invalid-freshest-crl-ext",
  1371  			data: ("308201e3" + // SEQUENCE CertificateList
  1372  				("3081cc" + // SEQUENCE TBSCertList
  1373  					("0201" + "01") + // version 2(0x01)
  1374  					("300d" + // SEQUENCE AlgorithmIdentifier
  1375  						("0609" + "2a864886f70d01010b") + // OID: sha256WithRSA
  1376  						"0500") + // NULL
  1377  					("3049" + // SEQUENCE Name
  1378  						("310b" +
  1379  							("3009" +
  1380  								("0603" + "550406") + // OID: country
  1381  								("1302" + "5553"))) + // "US"
  1382  						("3113" +
  1383  							("3011" +
  1384  								("0603" + "55040a") + // OID: organization
  1385  								("130a" + "476f6f676c6520496e63"))) + // "Google Inc"
  1386  						("3125" +
  1387  							("3023" +
  1388  								("0603" + "550403") + // OID: commonName
  1389  								("131c" + "476f6f676c6520496e7465726e657420417574686f72697479204732")))) +
  1390  					("170d" + "3137303632393031303030325a") + // UTCTime
  1391  					("170d" + "3137303730393031303030325a") + // UTCTime
  1392  					("3000") + // SEQUENCE OF no revoked certs
  1393  					("a04d" +
  1394  						("304b" +
  1395  							("301f" +
  1396  								("0603" + "551d23") + // OID: authority-key-id
  1397  								("0418" +
  1398  									("3016" +
  1399  										"8014" + "4add06161bbcf668b576f581b6bb621aba5a812f"))) +
  1400  							("301b" +
  1401  								("0603" + "551d2e") + // OID: freshest-crl
  1402  								("0414" +
  1403  									("3112" + // INVALID: set-of not sequence-of
  1404  										("3010" +
  1405  											("a00e" +
  1406  												("a00c" +
  1407  													("860a" + "687474703a2f2f777777"))))))) + // uRI='http://www'
  1408  							("300b" +
  1409  								("0603" + "551d14") + // OID: CRL-number
  1410  								("0404" + "02020623"))))) +
  1411  				("300d" +
  1412  					("0609" + "2a864886f70d01010b") + // OID: sha256WithRSA
  1413  					"0500") + // NULL
  1414  				("03820101" + // BIT STRING length 0x101
  1415  					"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")),
  1416  			wantErr: "structure error",
  1417  		},
  1418  		{
  1419  			desc: "valid-issuing-dp-ext",
  1420  			data: ("308201d7" + // SEQUENCE CertificateList
  1421  				("3081c0" + // SEQUENCE TBSCertList
  1422  					("0201" + "01") + // version 2(0x01)
  1423  					("300d" + // SEQUENCE AlgorithmIdentifier
  1424  						("0609" + "2a864886f70d01010b") + // OID: sha256WithRSA
  1425  						"0500") + // NULL
  1426  					("3049" + // SEQUENCE Name
  1427  						("310b" +
  1428  							("3009" +
  1429  								("0603" + "550406") + // OID: country
  1430  								("1302" + "5553"))) + // "US"
  1431  						("3113" +
  1432  							("3011" +
  1433  								("0603" + "55040a") + // OID: organization
  1434  								("130a" + "476f6f676c6520496e63"))) + // "Google Inc"
  1435  						("3125" +
  1436  							("3023" +
  1437  								("0603" + "550403") + // OID: commonName
  1438  								("131c" + "476f6f676c6520496e7465726e657420417574686f72697479204732")))) +
  1439  					("170d" + "3137303632393031303030325a") + // UTCTime
  1440  					("170d" + "3137303730393031303030325a") + // UTCTime
  1441  					("3000") + // SEQUENCE OF no revoked certs
  1442  					("a041" +
  1443  						("303f" +
  1444  							("301f" +
  1445  								("0603" + "551d23") + // OID: authority-key-id
  1446  								("0418" +
  1447  									("3016" +
  1448  										"8014" + "4add06161bbcf668b576f581b6bb621aba5a812f"))) +
  1449  							("300f" +
  1450  								("0603" + "551d1c") + // OID: issuing-distribution-point
  1451  								("0101ff") + // critical: true
  1452  								("0405" +
  1453  									("3003" + // SEQUENCE
  1454  										"8101" + "ff"))) + // [1]: onlyContainsUserCerts: true
  1455  							("300b" +
  1456  								("0603" + "551d14") + // OID: CRL-number
  1457  								("0404" + "02020623"))))) +
  1458  				("300d" +
  1459  					("0609" + "2a864886f70d01010b") + // OID: sha256WithRSA
  1460  					"0500") + // NULL
  1461  				("03820101" + // BIT STRING length 0x101
  1462  					"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")),
  1463  			want: TBSCertList{
  1464  				Version: 1,
  1465  				Signature: pkix.AlgorithmIdentifier{
  1466  					Algorithm:  oidSignatureSHA256WithRSA,
  1467  					Parameters: asn1.RawValue{Class: 0, Tag: 5, Bytes: []byte{}, FullBytes: []byte{5, 0}},
  1468  				},
  1469  				Issuer: pkix.RDNSequence{
  1470  					[]pkix.AttributeTypeAndValue{
  1471  						{Type: pkix.OIDCountry, Value: "US"},
  1472  					},
  1473  					[]pkix.AttributeTypeAndValue{
  1474  						{Type: pkix.OIDOrganization, Value: "Google Inc"},
  1475  					},
  1476  					[]pkix.AttributeTypeAndValue{
  1477  						{Type: pkix.OIDCommonName, Value: "Google Internet Authority G2"},
  1478  					},
  1479  				},
  1480  				ThisUpdate:               time.Date(2017, 6, 29, 01, 0, 2, 0, time.UTC),
  1481  				NextUpdate:               time.Date(2017, 7, 9, 01, 0, 2, 0, time.UTC),
  1482  				RevokedCertificates:      []*RevokedCertificate{},
  1483  				AuthorityKeyID:           fromHex("4add06161bbcf668b576f581b6bb621aba5a812f"),
  1484  				CRLNumber:                1571,
  1485  				BaseCRLNumber:            -1,
  1486  				IssuingDistributionPoint: IssuingDistributionPoint{OnlyContainsUserCerts: true},
  1487  			},
  1488  		},
  1489  		{
  1490  			desc: "invalid-issuing-dp-ext",
  1491  			data: ("308201d7" + // SEQUENCE CertificateList
  1492  				("3081c0" + // SEQUENCE TBSCertList
  1493  					("0201" + "01") + // version 2(0x01)
  1494  					("300d" + // SEQUENCE AlgorithmIdentifier
  1495  						("0609" + "2a864886f70d01010b") + // OID: sha256WithRSA
  1496  						"0500") + // NULL
  1497  					("3049" + // SEQUENCE Name
  1498  						("310b" +
  1499  							("3009" +
  1500  								("0603" + "550406") + // OID: country
  1501  								("1302" + "5553"))) + // "US"
  1502  						("3113" +
  1503  							("3011" +
  1504  								("0603" + "55040a") + // OID: organization
  1505  								("130a" + "476f6f676c6520496e63"))) + // "Google Inc"
  1506  						("3125" +
  1507  							("3023" +
  1508  								("0603" + "550403") + // OID: commonName
  1509  								("131c" + "476f6f676c6520496e7465726e657420417574686f72697479204732")))) +
  1510  					("170d" + "3137303632393031303030325a") + // UTCTime
  1511  					("170d" + "3137303730393031303030325a") + // UTCTime
  1512  					("3000") + // SEQUENCE OF no revoked certs
  1513  					("a041" +
  1514  						("303f" +
  1515  							("301f" +
  1516  								("0603" + "551d23") + // OID: authority-key-id
  1517  								("0418" +
  1518  									("3016" +
  1519  										"8014" + "4add06161bbcf668b576f581b6bb621aba5a812f"))) +
  1520  							("300f" +
  1521  								("0603" + "551d1c") + // OID: issuing-distribution-point
  1522  								("0101ff") + // critical: true
  1523  								("0405" +
  1524  									("3103" + // INVALID: SET not SEQUENCE
  1525  										"8101" + "ff"))) + // [1]: onlyContainsUserCerts: true
  1526  							("300b" +
  1527  								("0603" + "551d14") + // OID: CRL-number
  1528  								("0404" + "02020623"))))) +
  1529  				("300d" +
  1530  					("0609" + "2a864886f70d01010b") + // OID: sha256WithRSA
  1531  					"0500") + // NULL
  1532  				("03820101" + // BIT STRING length 0x101
  1533  					"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")),
  1534  			wantErr: "failed to unmarshal",
  1535  		},
  1536  	}
  1537  
  1538  	for _, test := range tests {
  1539  		inData := fromHex(test.data)
  1540  		got, err := ParseCertificateList(inData)
  1541  		if err != nil {
  1542  			if test.wantErr == "" {
  1543  				t.Errorf("ParseCertificateList(%q)=%+v,%v; want _,nil", test.desc, got, err)
  1544  			} else if !strings.Contains(err.Error(), test.wantErr) {
  1545  				t.Errorf("ParseCertificateList(%q)=%+v,%v; want _,%q", test.desc, got, err, test.wantErr)
  1546  			}
  1547  			continue
  1548  		}
  1549  		if test.wantErr != "" {
  1550  			t.Errorf("ParseCertificateList(%q)=%+v,nil; want _,%q", test.desc, got, test.wantErr)
  1551  			continue
  1552  		}
  1553  
  1554  		// Zero out unparsed extensions before comparison to make test data simpler.
  1555  		got.TBSCertList.Raw = nil
  1556  		got.TBSCertList.Extensions = nil
  1557  		for _, rc := range got.TBSCertList.RevokedCertificates {
  1558  			rc.Extensions = nil
  1559  		}
  1560  
  1561  		if !reflect.DeepEqual(got.TBSCertList, test.want) {
  1562  			t.Errorf("ParseCertificateList(%q)=%+v; want %+v", test.desc, got.TBSCertList, test.want)
  1563  		}
  1564  	}
  1565  }
  1566  
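// TestParseRevokedCertificate feeds hand-built DER RevokedCertificate entries
// through asn1.Unmarshal and then parseRevokedCertificate, checking how the
// CRL entry extensions the parser understands (reasonCode, invalidityDate,
// certificateIssuer) are decoded, and how an unrecognised extension is
// treated depending on its criticality.
//
// Only the first error accumulated in Errors is compared against wantErr, so
// a case that is malformed in more than one way pins the error reported first.
func TestParseRevokedCertificate(t *testing.T) {
	// Every case revokes the same serial at the same instant; only the
	// extension list varies.
	serial := big.NewInt(4284944556325212558)             // 0x3b772e5f1202118e
	revokedAt := time.Date(2017, 5, 10, 10, 55, 7, 0, time.UTC) // UTCTime 170510105507Z

	var tests = []struct {
		desc    string
		data    string // as hex
		want    RevokedCertificate
		wantErr string
	}{
		// CRL Reason
		{
			desc: "valid-reason-ext",
			data: ("3027" + // sequence
				("0208" + "3b772e5f1202118e") + // serial number
				("170d" + "3137303531303130353530375a") + // revocation time
				("300c" + // extensions
					("300a" + // extension
						("0603" + "551d15") + // OID: reason
						("0403" + // octet string
							"0a01" + "01")))), // enum:1
			want: RevokedCertificate{
				RevokedCertificate: pkix.RevokedCertificate{
					SerialNumber:   serial,
					RevocationTime: revokedAt,
					Extensions: []pkix.Extension{
						{
							Id:       OIDExtensionCRLReasons,
							Critical: false,
							Value:    fromHex("0a01" + "01"),
						},
					},
				},
				RevocationReason: KeyCompromise,
			},
		},
		{
			desc: "invalid-reason-ext-wrong-type",
			data: ("3027" + // sequence
				("0208" + "3b772e5f1202118e") + // serial number
				("170d" + "3137303531303130353530375a") + // revocation time
				("300c" + // extensions
					("300a" + // extension
						("0603" + "551d15") + // OID: reason
						("0403" + // octet string
							"0201" + "01")))), // int:1 where an ENUMERATED is required
			wantErr: "tags don't match",
		},
		{
			desc: "invalid-reason-ext-trailing-data",
			data: ("3028" + // sequence
				("0208" + "3b772e5f1202118e") + // serial number
				("170d" + "3137303531303130353530375a") + // revocation time
				("300d" + // extensions
					("300b" + // extension
						("0603" + "551d15") + // OID: reason
						("0404" + // octet string
							"0a01" + "01" + "aa")))), // enum:1 followed by a stray byte
			wantErr: "trailing data",
		},
		{
			desc: "invalid-reason-ext-critical",
			data: ("302b" + // sequence
				("0208" + "3b772e5f1202118e") + // serial number
				("170d" + "3137303531303130353530375a") + // revocation time
				("3010" + // extensions
					("300e" + // extension
						("0603" + "551d15") + // OID: reason
						("0101ff") + // critical: true
						("0404" + // octet string
							"0a01" + "01" + "aa")))), // enum:1 plus a stray byte; the criticality error is the one expected
			wantErr: "marked critical",
		},
		// Invalidity Date
		{
			desc: "valid-invalidity-date-ext",
			data: ("3033" + // sequence
				("0208" + "3b772e5f1202118e") + // serial number
				("170d" + "3137303531303130353530375a") + // revocation time
				("3018" + // extensions
					("3016" + // extension
						("0603" + "551d18") + // OID: invalidity date
						("040f" + // octet string
							"170d" + "3137303531303130353530375a")))), // UTCTime
			want: RevokedCertificate{
				RevokedCertificate: pkix.RevokedCertificate{
					SerialNumber:   serial,
					RevocationTime: revokedAt,
					Extensions: []pkix.Extension{
						{
							Id:       OIDExtensionInvalidityDate,
							Critical: false,
							Value:    fromHex("170d" + "3137303531303130353530375a"),
						},
					},
				},
				InvalidityDate: revokedAt,
			},
		},
		{
			desc: "invalid-invalidity-date-ext-wrong-type",
			data: ("3027" + // sequence
				("0208" + "3b772e5f1202118e") + // serial number
				("170d" + "3137303531303130353530375a") + // revocation time
				("300c" + // extensions
					("300a" + // extension
						("0603" + "551d18") + // OID: invalidity date
						("0403" + // octet string
							"0a01" + "01")))), // enum:1 where a time is required
			wantErr: "failed to parse",
		},
		{
			desc: "invalid-invalidity-date-ext-trailing-data",
			data: ("3036" + // sequence
				("0208" + "3b772e5f1202118e") + // serial number
				("170d" + "3137303531303130353530375a") + // revocation time
				("301b" + // extensions
					("3019" + // extension
						("0603" + "551d18") + // OID: invalidity date
						("0412" + // octet string
							"170d" + "3137303531303130353530375a" + "0a0101")))), // UTCTime followed by an enum
			wantErr: "trailing data",
		},
		{
			desc: "invalid-invalidity-date-ext-critical",
			data: ("3036" + // sequence
				("0208" + "3b772e5f1202118e") + // serial number
				("170d" + "3137303531303130353530375a") + // revocation time
				("301b" + // extensions
					("3019" + // extension
						("0603" + "551d18") + // OID: invalidity date
						("0101ff") + // critical: true
						("040f" + // octet string
							"170d" + "3137303531303130353530375a")))), // UTCTime
			wantErr: "marked critical",
		},
		// Issuer
		{
			desc: "valid-issuer-ext",
			data: ("303b" + // sequence
				("0208" + "3b772e5f1202118e") + // serial number
				("170d" + "3137303531303130353530375a") + // revocation time
				("3020" + // extensions
					("301e" + // extension
						("0603" + "551d1d") + // OID: issuer
						("0101ff") + // critical: true
						("0414" + // octet string
							("3012" +
								("8210" + "7777772e676f6f676c652e636f2e756b")))))), // "www.google.co.uk"
			want: RevokedCertificate{
				RevokedCertificate: pkix.RevokedCertificate{
					SerialNumber:   serial,
					RevocationTime: revokedAt,
					Extensions: []pkix.Extension{
						{
							Id:       OIDExtensionCertificateIssuer,
							Critical: true,
							Value: fromHex("3012" +
								("8210" + "7777772e676f6f676c652e636f2e756b")),
						},
					},
				},
				Issuer: GeneralNames{
					DNSNames: []string{"www.google.co.uk"},
				},
			},
		},
		{
			desc: "invalid-issuer-ext-wrong-type",
			data: ("302a" + // sequence
				("0208" + "3b772e5f1202118e") + // serial number
				("170d" + "3137303531303130353530375a") + // revocation time
				("300f" + // extensions
					("300d" + // extension
						("0603" + "551d1d") + // OID: issuer
						("0101ff") + // critical: true
						("0403" + // octet string
							"0a01" + "01")))), // enum:1 where GeneralNames is required
			wantErr: "failed to parse",
		},
		{
			desc: "invalid-issuer-ext-non-critical",
			data: ("303b" + // sequence
				("0208" + "3b772e5f1202118e") + // serial number
				("170d" + "3137303531303130353530375a") + // revocation time
				("3020" + // extensions
					("301e" + // extension
						("0603" + "551d1d") + // OID: issuer
						("010100") + // critical: false
						("0414" + // octet string
							("3012" +
								("8210" + "7777772e676f6f676c652e636f2e756b")))))), // "www.google.co.uk"
			wantErr: "marked non-critical",
		},
		// Unknown extension (a CRL-level OID that has no meaning on an entry)
		{
			desc: "valid-unknown-ext",
			data: ("3027" + // sequence
				("0208" + "3b772e5f1202118e") + // serial number
				("170d" + "3137303531303130353530375a") + // revocation time
				("300c" + // extensions
					("300a" + // extension
						("0603" + "551d14") + // OID: CRL number
						("0403" + // octet string
							"0a01" + "01")))), // enum:1
			want: RevokedCertificate{
				RevokedCertificate: pkix.RevokedCertificate{
					SerialNumber:   serial,
					RevocationTime: revokedAt,
					Extensions: []pkix.Extension{
						{
							Id:       OIDExtensionCRLNumber,
							Critical: false,
							Value:    fromHex("0a01" + "01"),
						},
					},
				},
			},
		},
		{
			desc: "invalid-unknown-ext-critical",
			data: ("302a" + // sequence
				("0208" + "3b772e5f1202118e") + // serial number
				("170d" + "3137303531303130353530375a") + // revocation time
				("300f" + // extensions
					("300d" + // extension
						("0603" + "551d14") + // OID: CRL number
						("0101ff") + // critical: true
						("0403" + // octet string
							"0a01" + "01")))), // enum:1
			wantErr: "unhandled critical extension",
		},
	}

	for _, test := range tests {
		t.Run(test.desc, func(t *testing.T) {
			inData := fromHex(test.data)
			// The outer RevokedCertificate structure must decode before the
			// extension handling under test is reached; a failure here is a
			// broken fixture, not a parser finding.
			var pkixCert pkix.RevokedCertificate
			if _, err := asn1.Unmarshal(inData, &pkixCert); err != nil {
				t.Fatalf("asn1.Unmarshal(%s)=_,%v; want _,nil", test.data, err)
			}
			var errs Errors
			got := parseRevokedCertificate(pkixCert, &errs)
			if !errs.Empty() {
				err := errs.Errs[0]
				if test.wantErr == "" {
					t.Errorf("parseRevokedCertificate(%q)=%+v,%v; want _,nil", test.desc, got, err)
				} else if !strings.Contains(err.Error(), test.wantErr) {
					t.Errorf("parseRevokedCertificate(%q)=%+v,%v; want _,%q", test.desc, got, err, test.wantErr)
				}
				return
			}
			if test.wantErr != "" {
				t.Errorf("parseRevokedCertificate(%q)=%+v,nil; want _,%q", test.desc, got, test.wantErr)
				return
			}
			if !reflect.DeepEqual(got, &test.want) {
				t.Errorf("parseRevokedCertificate(%q)=%+v; want %+v", test.desc, got, test.want)
			}
		})
	}
}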
  1825  
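// TestParseIssuingDistributionPoint checks parseIssuingDistributionPoint on
// DER-encoded IssuingDistributionPoint values: each of the onlyContains*
// flags, both DistributionPointName choices (fullName and
// nameRelativeToCRLIssuer), and malformed encodings that must be rejected.
//
// Only the first error accumulated in Errors is compared against wantErr.
func TestParseIssuingDistributionPoint(t *testing.T) {
	var tests = []struct {
		desc    string
		data    string // as hex
		want    IssuingDistributionPoint
		wantErr string
	}{
		{
			desc: "only-user-certs",
			data: ("3003" + "8101ff"), // [1] onlyContainsUserCerts: TRUE
			want: IssuingDistributionPoint{OnlyContainsUserCerts: true},
		},
		{
			desc: "only-ca-certs",
			data: ("3003" + "8201ff"), // [2] onlyContainsCACerts: TRUE
			want: IssuingDistributionPoint{OnlyContainsCACerts: true},
		},
		{
			desc: "only-attribute-certs",
			data: ("3003" + "8501ff"), // [5] onlyContainsAttributeCerts: TRUE
			want: IssuingDistributionPoint{OnlyContainsAttributeCerts: true},
		},
		{
			desc: "explicit-false-user-certs-then-attribute-certs",
			data: ("3006" + "810100" + "8501ff"), // [1] FALSE is not a second cert type
			want: IssuingDistributionPoint{OnlyContainsAttributeCerts: true},
		},
		{
			desc: "full-name-dns",
			data: ("3009" + // SEQUENCE
				("a007" + // tag [0] = distributionPoint / DistributionPointName
					("a005" + // CHOICE [0] = fullName / GeneralNames
						"8203" + "777777"))), // CHOICE [2] = dNSName
			want: IssuingDistributionPoint{
				DistributionPoint: distributionPointName{
					FullName: []asn1.RawValue{
						{
							Class:      asn1.ClassContextSpecific,
							Tag:        2,
							IsCompound: false,
							Bytes:      fromHex("777777"),
							FullBytes:  fromHex("8203777777"),
						},
					},
				},
			},
		},
		{
			desc: "relative-name-rdn",
			data: ("3019" + // SEQUENCE
				("a017" + // tag [0] = distributionPoint / DistributionPointName
					("a115" + // CHOICE [1] = nameRelativeToCRLIssuer / RelativeDistinguishedName
						("3113" + // SET OF
							("3011" + // SEQUENCE
								("0603" + "55040a") + // OID: organization
								("130a" + "476f6f676c6520496e63")))))), // "Google Inc"
			want: IssuingDistributionPoint{
				DistributionPoint: distributionPointName{
					RelativeName: pkix.RDNSequence{
						pkix.RelativeDistinguishedNameSET{
							pkix.AttributeTypeAndValue{
								Type:  pkix.OIDOrganization,
								Value: "Google Inc",
							},
						},
					},
				},
			},
		},
		{
			desc:    "invalid-multiple-cert-types",
			data:    ("3006" + "8101ff" + "8501ff"), // user certs AND attribute certs
			wantErr: "multiple cert",
		},
		{
			desc:    "invalid-trailing-data",
			data:    ("3003" + "8501ff" + "00"), // stray byte after the SEQUENCE
			wantErr: "trailing data",
		},
		{
			desc:    "invalid-set-not-sequence",
			data:    ("3103" + "8101ff"), // INVALID: SET not SEQUENCE
			wantErr: "failed to unmarshal",
		},
		{
			desc: "invalid-general-name-choice",
			data: ("3009" + // SEQUENCE
				("a007" + // tag [0] = distributionPoint / DistributionPointName
					("a005" + // CHOICE [0] = fullName / GeneralNames
						"8903" + "777777"))), // INVALID: choice 9 not allowed
			wantErr: "failed to unmarshal GeneralName",
		},
	}
	for _, test := range tests {
		t.Run(test.desc, func(t *testing.T) {
			inData := fromHex(test.data)
			var got IssuingDistributionPoint
			// GeneralNames decoded from a fullName are collected into gn;
			// this test asserts only on the IssuingDistributionPoint itself.
			var gn GeneralNames
			var errs Errors
			parseIssuingDistributionPoint(inData, &got, &gn, &errs)
			if !errs.Empty() {
				err := errs.Errs[0]
				if test.wantErr == "" {
					t.Errorf("parseIssuingDistributionPoint(%s)=_,%v; want _,nil", test.data, err)
				} else if !strings.Contains(err.Error(), test.wantErr) {
					t.Errorf("parseIssuingDistributionPoint(%s)=_,%v; want _,%q", test.data, err, test.wantErr)
				}
				return
			}
			if test.wantErr != "" {
				t.Errorf("parseIssuingDistributionPoint(%s)=%+v,nil; want _,%q", test.data, got, test.wantErr)
				return
			}
			if !reflect.DeepEqual(got, test.want) {
				t.Errorf("parseIssuingDistributionPoint(%s)=%+v; want %+v", test.data, got, test.want)
			}
		})
	}
}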
  1932  
// giag2CRL is the PEM-encoded CRL issued by Google Internet Authority G2 that
// TestParseGIAG2CertificateList parses and whose signature it verifies with
// giag2Cert. Its Authority Key Identifier matches the Subject Key Identifier
// of giag2Cert. A text rendering of its contents follows.
//
// CRL for Google Internet Authority G2:
//
//	Certificate Revocation List (CRL):
//	        Version 2 (0x1)
//	    Signature Algorithm: sha256WithRSAEncryption
//	        Issuer: /C=US/O=Google Inc/CN=Google Internet Authority G2
//	        Last Update: Jun 29 01:00:02 2017 GMT
//	        Next Update: Jul  9 01:00:02 2017 GMT
//	        CRL extensions:
//	            X509v3 Authority Key Identifier:
//	                keyid:4A:DD:06:16:1B:BC:F6:68:B5:76:F5:81:B6:BB:62:1A:BA:5A:81:2F
//	            X509v3 CRL Number:
//	                1571
//	Revoked Certificates:
//	    Serial Number: 764BEDD38AFD51F7
//	        Revocation Date: Jan 13 14:18:58 2017 GMT
//	        CRL entry extensions:
//	            X509v3 CRL Reason Code:
//	                Affiliation Changed
//	    Serial Number: 3B772E5F1202118E
//	        Revocation Date: May 10 10:55:07 2017 GMT
//	        CRL entry extensions:
//	            X509v3 CRL Reason Code:
//	                Key Compromise
//	    Serial Number: 0B54E3090079AD4B
//	        Revocation Date: Apr 12 08:53:17 2017 GMT
//	        CRL entry extensions:
//	            X509v3 CRL Reason Code:
//	                Key Compromise
//	    Serial Number: 31DA3380182AF9B2
//	        Revocation Date: Sep 15 20:22:13 2016 GMT
//	        CRL entry extensions:
//	            X509v3 CRL Reason Code:
//	                Affiliation Changed
//	    Signature Algorithm: sha256WithRSAEncryption
//	         4d:cd:e2:96:67:97:32:39:cc:a3:44:c5:8b:72:12:8f:b5:c5:
//	         db:03:ef:dc:75:cf:b7:d9:a0:41:0e:c0:3c:8c:d2:11:60:b4:
//	         49:cd:80:22:4f:41:ca:9d:91:52:92:95:ef:7d:01:79:ca:4b:
//	         08:bb:68:8c:ec:ce:13:cc:07:b2:0e:cd:87:ff:de:1b:c3:56:
//	         55:40:83:c4:0b:ea:7a:38:7d:ac:c5:4b:38:48:b3:71:0a:cf:
//	         2f:a6:13:d0:07:b1:2a:fc:37:f0:a7:70:82:65:5b:8d:bb:66:
//	         83:ba:2f:c5:25:55:e9:f7:4b:b5:ba:94:29:37:7f:f3:8e:19:
//	         3e:79:9f:c0:5c:4c:9b:bc:ee:29:49:29:45:a7:32:db:67:ba:
//	         35:75:a7:9a:83:42:7a:1f:6d:18:d9:ed:e0:1c:54:4f:3c:cd:
//	         68:e5:68:0a:9b:54:18:e0:3e:1d:80:b3:e7:7e:69:86:09:82:
//	         a4:d2:1c:6b:11:1b:07:c8:7f:e3:2c:56:1e:87:15:54:89:6b:
//	         37:65:1d:5a:af:42:b2:d0:92:ce:8d:4d:d4:ae:1d:7a:97:09:
//	         1c:0a:06:c0:3d:71:58:0e:05:57:a5:14:08:51:3f:de:30:12:
//	         f0:2d:ac:76:53:68:22:a5:64:fa:a2:55:30:48:72:96:33:b6:
//	         8f:1f:c3:69
const giag2CRL = `-----BEGIN X509 CRL-----
MIICbDCCAVQCAQEwDQYJKoZIhvcNAQELBQAwSTELMAkGA1UEBhMCVVMxEzARBgNV
BAoTCkdvb2dsZSBJbmMxJTAjBgNVBAMTHEdvb2dsZSBJbnRlcm5ldCBBdXRob3Jp
dHkgRzIXDTE3MDYyOTAxMDAwMloXDTE3MDcwOTAxMDAwMlowgaQwJwIIdkvt04r9
UfcXDTE3MDExMzE0MTg1OFowDDAKBgNVHRUEAwoBAzAnAgg7dy5fEgIRjhcNMTcw
NTEwMTA1NTA3WjAMMAoGA1UdFQQDCgEBMCcCCAtU4wkAea1LFw0xNzA0MTIwODUz
MTdaMAwwCgYDVR0VBAMKAQEwJwIIMdozgBgq+bIXDTE2MDkxNTIwMjIxM1owDDAK
BgNVHRUEAwoBA6AwMC4wHwYDVR0jBBgwFoAUSt0GFhu89mi1dvWBtrtiGrpagS8w
CwYDVR0UBAQCAgYjMA0GCSqGSIb3DQEBCwUAA4IBAQBNzeKWZ5cyOcyjRMWLchKP
tcXbA+/cdc+32aBBDsA8jNIRYLRJzYAiT0HKnZFSkpXvfQF5yksIu2iM7M4TzAey
Ds2H/94bw1ZVQIPEC+p6OH2sxUs4SLNxCs8vphPQB7Eq/Dfwp3CCZVuNu2aDui/F
JVXp90u1upQpN3/zjhk+eZ/AXEybvO4pSSlFpzLbZ7o1daeag0J6H20Y2e3gHFRP
PM1o5WgKm1QY4D4dgLPnfmmGCYKk0hxrERsHyH/jLFYehxVUiWs3ZR1ar0Ky0JLO
jU3Urh16lwkcCgbAPXFYDgVXpRQIUT/eMBLwLax2U2gipWT6olUwSHKWM7aPH8Np
-----END X509 CRL-----`
  1998  
// giag2Cert is the PEM-encoded Google Internet Authority G2 CA certificate
// used by TestParseGIAG2CertificateList to check the signature on giag2CRL.
// Its Subject Key Identifier (4A:DD:06:...) is the key the CRL names in its
// Authority Key Identifier. A text rendering of its contents follows.
//
// Certificate for GIAG2:
//
//	Data:
//	    Version: 3 (0x2)
//	    Serial Number:
//	        01:00:21:25:88:b0:fa:59:a7:77:ef:05:7b:66:27:df
//	Signature Algorithm: sha256WithRSAEncryption
//	    Issuer: C=US, O=GeoTrust Inc., CN=GeoTrust Global CA
//	    Validity
//	        Not Before: May 22 11:32:37 2017 GMT
//	        Not After : Dec 31 23:59:59 2018 GMT
//	    Subject: C=US, O=Google Inc, CN=Google Internet Authority G2
//	    Subject Public Key Info:
//	        Public Key Algorithm: rsaEncryption
//	            Public-Key: (2048 bit)
//	            Modulus:
//	                00:9c:2a:04:77:5c:d8:50:91:3a:06:a3:82:e0:d8:
//	                50:48:bc:89:3f:f1:19:70:1a:88:46:7e:e0:8f:c5:
//	                f1:89:ce:21:ee:5a:fe:61:0d:b7:32:44:89:a0:74:
//	                0b:53:4f:55:a4:ce:82:62:95:ee:eb:59:5f:c6:e1:
//	                05:80:12:c4:5e:94:3f:bc:5b:48:38:f4:53:f7:24:
//	                e6:fb:91:e9:15:c4:cf:f4:53:0d:f4:4a:fc:9f:54:
//	                de:7d:be:a0:6b:6f:87:c0:d0:50:1f:28:30:03:40:
//	                da:08:73:51:6c:7f:ff:3a:3c:a7:37:06:8e:bd:4b:
//	                11:04:eb:7d:24:de:e6:f9:fc:31:71:fb:94:d5:60:
//	                f3:2e:4a:af:42:d2:cb:ea:c4:6a:1a:b2:cc:53:dd:
//	                15:4b:8b:1f:c8:19:61:1f:cd:9d:a8:3e:63:2b:84:
//	                35:69:65:84:c8:19:c5:46:22:f8:53:95:be:e3:80:
//	                4a:10:c6:2a:ec:ba:97:20:11:c7:39:99:10:04:a0:
//	                f0:61:7a:95:25:8c:4e:52:75:e2:b6:ed:08:ca:14:
//	                fc:ce:22:6a:b3:4e:cf:46:03:97:97:03:7e:c0:b1:
//	                de:7b:af:45:33:cf:ba:3e:71:b7:de:f4:25:25:c2:
//	                0d:35:89:9d:9d:fb:0e:11:79:89:1e:37:c5:af:8e:
//	                72:69
//	            Exponent: 65537 (0x10001)
//	    X509v3 extensions:
//	        X509v3 Authority Key Identifier:
//	            keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E
//
//	        X509v3 Subject Key Identifier:
//	            4A:DD:06:16:1B:BC:F6:68:B5:76:F5:81:B6:BB:62:1A:BA:5A:81:2F
//	        X509v3 Key Usage: critical
//	            Certificate Sign, CRL Sign
//	        Authority Information Access:
//	            OCSP - URI:http://g.symcd.com
//
//	        X509v3 Basic Constraints: critical
//	            CA:TRUE, pathlen:0
//	        X509v3 CRL Distribution Points:
//
//	            Full Name:
//	              URI:http://g.symcb.com/crls/gtglobal.crl
//
//	        X509v3 Certificate Policies:
//	            Policy: 1.3.6.1.4.1.11129.2.5.1
//	            Policy: 2.23.140.1.2.2
//
//	        X509v3 Extended Key Usage:
//	            TLS Web Server Authentication, TLS Web Client Authentication
//	Signature Algorithm: sha256WithRSAEncryption
//	     ca:49:e5:ac:d7:64:64:77:5b:be:71:fa:cf:f4:1e:23:c7:9a:
//	     69:63:54:5f:eb:4c:d6:19:28:23:64:66:8e:1c:c7:87:80:64:
//	     5f:04:8b:26:af:98:df:0a:70:bc:bc:19:3d:ee:7b:33:a9:7f:
//	     bd:f4:05:d4:70:bb:05:26:79:ea:9a:c7:98:b9:07:19:65:34:
//	     cc:3c:e9:3f:c5:01:fa:6f:0c:7e:db:7a:70:5c:4c:fe:2d:00:
//	     f0:ca:be:2d:8e:b4:a8:80:fb:01:13:88:cb:9c:3f:e5:bb:77:
//	     ca:3a:67:36:f3:ce:d5:27:02:72:43:a0:bd:6e:02:f1:47:05:
//	     71:3e:01:59:e9:11:9e:1a:f3:84:0f:80:a6:a2:78:35:2f:b6:
//	     c7:a2:7f:17:7c:e1:8b:56:ae:ee:67:88:51:27:30:60:a5:62:
//	     52:c3:37:d5:3b:ea:85:2a:01:38:87:a2:cf:70:ad:a4:7a:c9:
//	     c4:e7:ca:c5:da:bc:23:32:f2:fe:18:c2:7b:e0:df:3b:2f:d4:
//	     d0:10:e6:96:4c:fb:44:b7:21:64:0d:b9:00:94:30:12:26:87:
//	     58:98:39:05:38:0f:cc:82:48:0c:0a:47:66:ee:bf:b4:5f:c4:
//	     ff:70:a8:e1:7f:8b:79:2b:b8:65:32:a3:b9:b7:31:e9:0a:f5:
//	     f6:1f:32:dc
const giag2Cert = `-----BEGIN CERTIFICATE-----
MIIEKDCCAxCgAwIBAgIQAQAhJYiw+lmnd+8Fe2Yn3zANBgkqhkiG9w0BAQsFADBC
MQswCQYDVQQGEwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEbMBkGA1UEAxMS
R2VvVHJ1c3QgR2xvYmFsIENBMB4XDTE3MDUyMjExMzIzN1oXDTE4MTIzMTIzNTk1
OVowSTELMAkGA1UEBhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxJTAjBgNVBAMT
HEdvb2dsZSBJbnRlcm5ldCBBdXRob3JpdHkgRzIwggEiMA0GCSqGSIb3DQEBAQUA
A4IBDwAwggEKAoIBAQCcKgR3XNhQkToGo4Lg2FBIvIk/8RlwGohGfuCPxfGJziHu
Wv5hDbcyRImgdAtTT1WkzoJile7rWV/G4QWAEsRelD+8W0g49FP3JOb7kekVxM/0
Uw30SvyfVN59vqBrb4fA0FAfKDADQNoIc1Fsf/86PKc3Bo69SxEE630k3ub5/DFx
+5TVYPMuSq9C0svqxGoassxT3RVLix/IGWEfzZ2oPmMrhDVpZYTIGcVGIvhTlb7j
gEoQxirsupcgEcc5mRAEoPBhepUljE5SdeK27QjKFPzOImqzTs9GA5eXA37Asd57
r0Uzz7o+cbfe9CUlwg01iZ2d+w4ReYkeN8WvjnJpAgMBAAGjggERMIIBDTAfBgNV
HSMEGDAWgBTAephojYn7qwVkDBF9qn1luMrMTjAdBgNVHQ4EFgQUSt0GFhu89mi1
dvWBtrtiGrpagS8wDgYDVR0PAQH/BAQDAgEGMC4GCCsGAQUFBwEBBCIwIDAeBggr
BgEFBQcwAYYSaHR0cDovL2cuc3ltY2QuY29tMBIGA1UdEwEB/wQIMAYBAf8CAQAw
NQYDVR0fBC4wLDAqoCigJoYkaHR0cDovL2cuc3ltY2IuY29tL2NybHMvZ3RnbG9i
YWwuY3JsMCEGA1UdIAQaMBgwDAYKKwYBBAHWeQIFATAIBgZngQwBAgIwHQYDVR0l
BBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMA0GCSqGSIb3DQEBCwUAA4IBAQDKSeWs
12Rkd1u+cfrP9B4jx5ppY1Rf60zWGSgjZGaOHMeHgGRfBIsmr5jfCnC8vBk97nsz
qX+99AXUcLsFJnnqmseYuQcZZTTMPOk/xQH6bwx+23pwXEz+LQDwyr4tjrSogPsB
E4jLnD/lu3fKOmc2887VJwJyQ6C9bgLxRwVxPgFZ6RGeGvOED4Cmong1L7bHon8X
fOGLVq7uZ4hRJzBgpWJSwzfVO+qFKgE4h6LPcK2kesnE58rF2rwjMvL+GMJ74N87
L9TQEOaWTPtEtyFkDbkAlDASJodYmDkFOA/MgkgMCkdm7r+0X8T/cKjhf4t5K7hl
MqO5tzHpCvX2HzLc
-----END CERTIFICATE-----`
  2099  
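// TestParseGIAG2CertificateList parses the real GIAG2 CRL in giag2CRL, checks
// the fields its text dump advertises (four revoked entries, CRL number 1571,
// still current on 2017-07-07) and then verifies the CRL signature with the
// issuing certificate giag2Cert.
func TestParseGIAG2CertificateList(t *testing.T) {
	certList, err := ParseCertificateList([]byte(giag2CRL))
	if err != nil {
		t.Fatalf("error parsing: %s", err)
	}
	if got, want := len(certList.TBSCertList.RevokedCertificates), 4; got != want {
		t.Errorf("len(ParseCertificateList(crl).TBSCertList.RevokedCertificates) = %d; want %d", got, want)
	}

	// 2017-07-07 lies between the CRL's Last Update (Jun 29 2017) and
	// Next Update (Jul 9 2017), so the list must not be reported as expired.
	when := time.Date(2017, 7, 7, 12, 0, 0, 0, time.UTC)
	if certList.ExpiredAt(when) {
		t.Errorf("certList.ExpiredAt(%v)=true; want false", when)
	}
	if got, want := certList.TBSCertList.CRLNumber, 1571; got != want {
		t.Errorf("ParseCertificateList(crl).TBSCertList.CRLNumber = %d; want %d", got, want)
	}

	// pem.Decode signals "no PEM block found" with a nil block rather than an
	// error; fail explicitly instead of dereferencing nil below.
	pemBlock, _ := pem.Decode([]byte(giag2Cert))
	if pemBlock == nil {
		t.Fatal("pem.Decode(giag2Cert)=nil; want a PEM block")
	}
	giag2, err := ParseCertificate(pemBlock.Bytes)
	if err != nil {
		t.Fatalf("error parsing GIAG2 cert: %v", err)
	}
	// A CRL is only meaningful once its signature verifies under the issuer's
	// key; this is the check a relying party must perform before trusting it.
	if err := giag2.CheckCertificateListSignature(certList); err != nil {
		t.Errorf("CheckCertificateListSignature(giag2CRL)=%v; want nil", err)
	}
}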
  2126  
