crypto/x509: distributionPointName not compliant with RFC 5280

[zhengping12]

Please answer these questions before submitting your issue. Thanks!

1. What version of Go are you using (go version)?
   1.7
2. What operating system and processor architecture are you using (go env)?
   GOARCH="amd64"
   GOBIN=""
   GOEXE=""
   GOHOSTARCH="amd64"
   GOHOSTOS="darwin"
   GOOS="darwin"
   GOPATH="/Users/Zhengping/Documents/nsrg"
   GORACE=""
   GOROOT="/usr/local/go"
   GOTOOLDIR="/usr/local/go/pkg/tool/darwin_amd64"
   CC="clang"
   GOGCCFLAGS="-fPIC -m64 -pthread -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -fdebug-prefix-map=/var/folders/c6/vwt_07cd62b102ynhmn2n7pm0000gn/T/go-build736045736=/tmp/go-build -gno-record-gcc-switches -fno-common"
   CXX="clang++"
   CGO_ENABLED="1"
3. What did you do?
   The x509 distributionPointName struct in x509.go is defined as

type distributionPointName struct {
FullName asn1.RawValue asn1:"optional,tag:0"
RelativeName pkix.RDNSequence asn1:"optional,tag:1"
}

But in RFC 5280, it is defined as

DistributionPointName ::= CHOICE {
fullName [0] GeneralNames,
nameRelativeToCRLIssuer [1] RelativeDistinguishedName }

Clearly DistributionPointName is a choice, FullName and RelativeName cannot be present at the same time. Please consider making the struct contain one asn1.RawValue element to fix this issue.

type distributionPointName struct {
Name asn1.RawValue
}

[agl]

crypto/x509 attempts to cover the subset of X.509 that is used in the web PKI. In practice, the CRLDP is just a URL and the RFC is hugely over engineered. []string is perhaps even too general here and it should just have been a string or a url.URL.

When more detailed dissection of X.509 structures is needed it's more appropriate to handle that in the package where it's needed. (For which I apologise for encoding/asn1, which was a mistaken design. You might well want to build a simple, imperative DER parser.)