crypto/x509: accepts invalid thisUpdate UTCTimes without seconds #73019

Open
onepeople158 opened this issue Mar 24, 2025 · 2 comments
Labels
BugReport Issues describing a possible bug in the Go implementation. NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one.

Comments

@onepeople158

onepeople158 commented Mar 24, 2025

Go version

go version go1.24.1 linux/amd64

Output of go env in your module/workspace:

2001-03-01 01:00:00 +0000 UTC
2100-01-01 00:00:00 +0000 UTC
1

What did you do?

The RFC standard for X.509 CRLs restricts the thisUpdate field to only two formats, namely UTCTime (YYMMDDHHMMSSZ) and GeneralizedTime (YYYYMMDDHHMMSSZ) in ASN.1 representation, which are 13 and 15 characters wide, respectively. However, go1.24.1 accepts CRLs with a thisUpdate field of length 11 ("0103010100Z").

What did you see happen?

However, go1.24.1 accepts CRLs with a thisUpdate field of length 11 ("0103010100Z").

What did you expect to see?

The RFC standard for X.509 CRLs limits the thisUpdate field to only two formats: UTCTime (YYMMDDHHMMSSZ) and GeneralizedTime (YYYYMMDDHHMMSSZ) in ASN.1 encoding, which are 13 and 15 characters wide, respectively. Therefore, it should reject a CRL file with a thisUpdate field length of 11 (e.g., "0103010100Z").
main.zip

@gabyhelp

Related Issues

(Emoji vote if this was helpful or unhelpful; more detailed feedback welcome in this discussion.)

@seankhliao seankhliao changed the title from "go1.24.1cannot process thisUpdate field according to RFC5280" to "crypto/x509: accepts invalid time formats for CRL thisUpdate (RFC 5820)" Mar 24, 2025
@seankhliao
Member

The seconds in UTCTime are optional https://obj-sys.com/asn1tutorial/node15.html
which is what encoding/asn1 implements:
https://cs.opensource.google/go/go/+/refs/tags/go1.24.1:src/encoding/asn1/asn1.go;l=337-342

RFC 5820 tightens that to require seconds in UTCTime "MUST include seconds" https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.5.1

cc @golang/security
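
Added example (not part of the issue thread and not code from the Go project): the `encoding/asn1` behaviour linked in the comment above, shown on the 11-character value from the report, next to a stricter check that requires the 13-character `YYMMDDHHMMSSZ` form. `lenientUTCTime` and `strictUTCTime` are hypothetical helper names, and the DER bytes are constructed sample input.

```go
package main

import (
	"encoding/asn1"
	"errors"
	"fmt"
	"time"
)

// Constructed sample inputs: DER UTCTime TLVs (tag 0x17, length, value).
var (
	noSeconds   = append([]byte{0x17, 0x0b}, "0103010100Z"...)   // value quoted in the issue
	withSeconds = append([]byte{0x17, 0x0d}, "010301010000Z"...) // same instant, with seconds
)

// lenientUTCTime decodes a UTCTime with encoding/asn1, which accepts
// both the minute-precision and the second-precision form.
func lenientUTCTime(der []byte) (time.Time, error) {
	var t time.Time
	rest, err := asn1.Unmarshal(der, &t)
	if err == nil && len(rest) != 0 {
		err = errors.New("trailing data after UTCTime")
	}
	return t, err
}

// strictUTCTime is a hypothetical helper (not a crypto/x509 API) that first
// requires the 13-byte YYMMDDHHMMSSZ form from RFC 5280 section 4.1.2.5.1.
func strictUTCTime(der []byte) (time.Time, error) {
	var raw asn1.RawValue
	if _, err := asn1.Unmarshal(der, &raw); err != nil {
		return time.Time{}, err
	}
	if raw.Class != asn1.ClassUniversal || raw.Tag != asn1.TagUTCTime {
		return time.Time{}, errors.New("not a UTCTime")
	}
	if len(raw.Bytes) != 13 || raw.Bytes[12] != 'Z' {
		return time.Time{}, fmt.Errorf("UTCTime %q is not YYMMDDHHMMSSZ", raw.Bytes)
	}
	return lenientUTCTime(der)
}

func main() {
	for _, der := range [][]byte{noSeconds, withSeconds} {
		lt, lerr := lenientUTCTime(der)
		_, serr := strictUTCTime(der)
		fmt.Printf("%q lenient=%v (%v) strict err=%v\n", der[2:], lt, lerr, serr)
	}
}
```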

@seankhliao seankhliao added the NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. label Mar 24, 2025
@seankhliao seankhliao changed the title from "crypto/x509: accepts invalid time formats for CRL thisUpdate (RFC 5820)" to "crypto/x509: accepts invalid thisUpdate UTCTimes without seconds" Mar 24, 2025
@gabyhelp gabyhelp added the BugReport Issues describing a possible bug in the Go implementation. label Mar 24, 2025