From 1a3f898e7e3fd33178b1d33d6e48fd4fb916b2e0 Mon Sep 17 00:00:00 2001
From: Aaron Gable
Date: Thu, 6 Mar 2025 10:01:03 -0600
Subject: [PATCH] crl: Improve crlNumber and thisUpdate comparison (#8037)
Fixes https://github.com/letsencrypt/boulder/issues/8036
---
 crl/checker/checker.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/crl/checker/checker.go b/crl/checker/checker.go
index 9bceb308f..08a1add8f 100644
--- crl/checker/checker.go
+++ crl/checker/checker.go
@@ -59,11 +59,11 @@ func Diff(old, new *x509.RevocationList) (*diffResult, error) {
 return nil, fmt.Errorf("CRLs were not issued by same issuer")
 }
- if !old.ThisUpdate.Before(new.ThisUpdate) {
+ if old.Number.Cmp(new.Number) >= 0 {
 return nil, fmt.Errorf("old CRL does not precede new CRL")
 }
- if old.Number.Cmp(new.Number) >= 0 {
+ if new.ThisUpdate.Before(old.ThisUpdate) {
 return nil, fmt.Errorf("old CRL does not precede new CRL")
 }
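Review bot: Both rejections in `Diff` still return the identical string "old CRL does not precede new CRL", so whoever triages a failed CRL check cannot tell a non-increasing crlNumber from a thisUpdate that moved backwards. Distinct messages carrying the values would fix that, e.g. `return nil, fmt.Errorf("old CRL number %d is not less than new CRL number %d", old.Number, new.Number)` with a matching one for thisUpdate. The number comparison now runs first and calls `old.Number.Cmp`; `Number` is a `*big.Int`, so unless an earlier check outside this hunk rejects a CRL that lacks the crlNumber extension, a nil guard on both `old.Number` and `new.Number` is worth adding before it. A short comment such as `// crlNumber must strictly increase; equal thisUpdate values are tolerated` would record why the two comparisons differ in strictness. `Diff` begins and continues outside the hunk, so the nil case may already be handled there.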