From cc1fffeda83b4528020a404c9dcb724eb3499c58 Mon Sep 17 00:00:00 2001
From: marco
Date: Thu, 8 Feb 2024 23:59:09 +0100
Subject: [PATCH] update deprecated x509 methods

---
 pkg/apiserver/middlewares/v1/tls_auth.go | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/pkg/apiserver/middlewares/v1/tls_auth.go b/pkg/apiserver/middlewares/v1/tls_auth.go
index 904f6cd445a..d8e7e06ef37 100644
--- a/pkg/apiserver/middlewares/v1/tls_auth.go
+++ b/pkg/apiserver/middlewares/v1/tls_auth.go
@@ -130,17 +130,22 @@ func (ta *TLSAuth) isCRLRevoked(cert *x509.Certificate) (bool, error) {
 		return false, nil
 	}
 
-	crl, err := x509.ParseCRL(crlContent)
+	crl, err := x509.ParseRevocationList(crlContent)
 	if err != nil {
 		ta.logger.Warnf("could not parse CRL file, skipping check: %s", err)
 		return false, nil
 	}
 
-	if crl.HasExpired(time.Now().UTC()) {
+	now := time.Now()
+	if now.After(crl.NextUpdate) {
 		ta.logger.Warn("CRL has expired, will still validate the cert against it.")
 	}
 
-	for _, revoked := range crl.TBSCertList.RevokedCertificates {
+	if now.Before(crl.ThisUpdate) {
+		ta.logger.Warn("CRL is not yet valid, will still validate the cert against it.")
+	}
+
+	for _, revoked := range crl.RevokedCertificateEntries {
 		if revoked.SerialNumber.Cmp(cert.SerialNumber) == 0 {
 			return true, fmt.Errorf("client certificate is revoked by CRL")
 		}
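Review bot: `x509.ParseRevocationList(crlContent)` accepts only DER, whereas the `x509.ParseCRL` it replaces transparently handled PEM input, so if the CRL file on disk is PEM-encoded (the usual case for a `.pem`/`.crl` file) the new code will hit the parse-error branch and return `false, nil` — the revocation check is silently skipped and revoked client certificates are accepted, with only a warning logged. Where `crlContent` is loaded is above the hunk, so I cannot confirm the encoding from here, but the old behaviour should be preserved before the parse call: `if block, _ := pem.Decode(crlContent); block != nil && block.Type == "X509 CRL" { crlContent = block.Bytes }` (requires `encoding/pem` in the import block, which is outside this hunk). Independently of this change, nothing in the function verifies the parsed list against its issuer (`crl.CheckSignatureFrom`), so a tampered or substituted CRL file would be trusted as-is; worth a follow-up if the CRL path is not under the same control as the CA material. The enclosing `isCRLRevoked` starts before and ends after this hunk.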