
crypto/x509: ParseRevocationList accepts invalid thisUpdate UTCTimes without seconds #73019

Open
@onepeople158


Go version

go version go1.24.1 linux/amd64

Output of go env in your module/workspace:

2001-03-01 01:00:00 +0000 UTC
2100-01-01 00:00:00 +0000 UTC
1

What did you do?

The RFC standard for X.509 CRLs restricts the thisUpdate field to only two formats, namely UTCTime (YYMMDDHHMMSSZ) and GeneralizedTime (YYYYMMDDHHMMSSZ) in ASN.1 representation, which are 13 and 15 characters wide, respectively. However, go1.24.1 accepts CRLs with a thisUpdate field of length 11 ("0103010100Z").

What did you see happen?

However, go1.24.1 accepts CRLs with a thisUpdate field of length 11 ("0103010100Z").

What did you expect to see?

The RFC standard for X.509 CRLs limits the thisUpdate field to only two formats: UTCTime (YYMMDDHHMMSSZ) and GeneralizedTime (YYYYMMDDHHMMSSZ) in ASN.1 encoding, which are 13 and 15 characters wide, respectively. Therefore, it should reject a CRL file with a thisUpdate field length of 11 (e.g., "0103010100Z").
main.zip
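The strict check the report asks for can be written as a standalone validator over one DER-encoded Time element. This is an added example, not code from the Go standard library or from the reporter's attachment; `checkRFC5280Time` is a hypothetical name and the byte strings are constructed samples. It goes slightly beyond the reported case by also applying the RFC 5280 century rule for UTCTime and rejecting fractional seconds in GeneralizedTime.

```go
package main

import (
	"encoding/asn1"
	"fmt"
	"time"
)

// checkRFC5280Time (hypothetical helper) validates one DER Time element, as used
// for thisUpdate: UTCTime YYMMDDHHMMSSZ (13) or GeneralizedTime YYYYMMDDHHMMSSZ (15).
func checkRFC5280Time(der []byte) (time.Time, error) {
	var raw asn1.RawValue
	rest, err := asn1.Unmarshal(der, &raw)
	if err != nil {
		return time.Time{}, fmt.Errorf("malformed DER: %w", err)
	}
	if len(rest) != 0 || raw.Class != asn1.ClassUniversal || raw.IsCompound {
		return time.Time{}, fmt.Errorf("not a single primitive universal element")
	}
	var layout string
	switch raw.Tag {
	case asn1.TagUTCTime:
		layout = "060102150405Z" // seconds are mandatory in this profile
	case asn1.TagGeneralizedTime:
		layout = "20060102150405Z" // no fractional seconds, Zulu only
	default:
		return time.Time{}, fmt.Errorf("tag %d is not a time type", raw.Tag)
	}
	s := string(raw.Bytes)
	if len(s) != len(layout) {
		return time.Time{}, fmt.Errorf("time %q has length %d, want %d", s, len(s), len(layout))
	}
	t, err := time.Parse(layout, s)
	if err != nil || t.Format(layout) != s { // round trip rejects lenient parses
		return time.Time{}, fmt.Errorf("time %q is not in the form %s", s, layout)
	}
	if raw.Tag == asn1.TagUTCTime && t.Year() >= 2050 {
		t = t.AddDate(-100, 0, 0) // RFC 5280: YY >= 50 means 19YY
	}
	return t, nil
}

func main() {
	for _, v := range []string{"0103010100Z", "010301010000Z"} {
		der := append([]byte{0x17, byte(len(v))}, v...) // constructed: tag 0x17 (UTCTime), length, value
		t, err := checkRFC5280Time(der)
		fmt.Println(v, t, err)
	}
}
```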


Labels: BugReport (Issues describing a possible bug in the Go implementation.); NeedsInvestigation (Someone must examine and confirm this is a valid issue and not a duplicate of an existing one.)
