crypto/x509: CreateCRL allows non-UTC times in revokedCerts list #16686
Please answer these questions before submitting your issue. Thanks!
The CreateCRL function takes the given revoked certificate list and passes it straight to the asn1 package for marshaling. The asn1 package encodes
However, per RFC 5280 section 5.1.2.6, revocation time values must be expressed as described in https://tools.ietf.org/html/rfc5280#section-5.1.2.4 which itself indicates that the time must be expressed as defined in https://tools.ietf.org/html/rfc5280#section-4.1.2.5.1 -- and here, it specifies that all such times must be UTC.
Allowing CRLs to be created with non-UTC time values is not RFC-compliant. At worst, this is probably a documentation issue -- the docs should warn the caller that all times must be UTC. At best, the code would walk through the list of revoked certificates and ensure that the time values contained within are in UTC.
CRLs created with time zones that are disallowed per RFC.
CRLs created with time zones that are allowed per RFC.
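A caller-side check for the behaviour reported above, as an added example that is not code from the issue or from the Go project: it shows what `encoding/asn1` emits for a revocation time carrying a zone offset, and normalizes the list before it would be handed to `CreateCRL`. The helper names (`sampleRevoked`, `encodedTime`, `nonUTCEntries`, `normalizeUTC`) and the sample serial numbers and dates are hypothetical and constructed for illustration.

```go
package main

import (
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// sampleRevoked returns a constructed list: entry 0 is UTC, entry 1 carries +01:00.
func sampleRevoked() []pkix.RevokedCertificate {
	cet := time.FixedZone("CET", 3600)
	return []pkix.RevokedCertificate{
		{SerialNumber: big.NewInt(1001), RevocationTime: time.Date(2016, 8, 12, 9, 0, 0, 0, time.UTC)},
		{SerialNumber: big.NewInt(1002), RevocationTime: time.Date(2016, 8, 12, 10, 0, 0, 0, cet)},
	}
}

// encodedTime returns the content octets asn1 emits for t (tag and length stripped).
func encodedTime(t time.Time) (string, error) {
	der, err := asn1.Marshal(t)
	if err != nil {
		return "", err
	}
	return string(der[2:]), nil // short-form length, so contents start at byte 2
}

// nonUTCEntries returns the indexes whose revocation time has a non-zero UTC offset.
func nonUTCEntries(list []pkix.RevokedCertificate) []int {
	var bad []int
	for i, rc := range list {
		if _, off := rc.RevocationTime.Zone(); off != 0 {
			bad = append(bad, i)
		}
	}
	return bad
}

// normalizeUTC returns a copy of list with every revocation time converted to UTC.
func normalizeUTC(list []pkix.RevokedCertificate) []pkix.RevokedCertificate {
	out := make([]pkix.RevokedCertificate, len(list))
	for i, rc := range list {
		rc.RevocationTime = rc.RevocationTime.UTC()
		out[i] = rc
	}
	return out
}

func main() {
	list := sampleRevoked()
	fmt.Println("non-UTC entries:", nonUTCEntries(list))
	for _, l := range [][]pkix.RevokedCertificate{list, normalizeUTC(list)} {
		s, _ := encodedTime(l[1].RevocationTime)
		fmt.Println(s)
	}
}
```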