crypto/x509: ParseRevocationList accepts invalid thisUpdate UTCTimes without seconds

[onepeople158]

Go version

go version go1.24.1 linux/amd64

Output of go env in your module/workspace:

2001-03-01 01:00:00 +0000 UTC
2100-01-01 00:00:00 +0000 UTC
1

What did you do?

The RFC standard for X.509 CRLs restricts the thisUpdate field to only two formats, namely UTCTime (YYMMDDHHMMSSZ) and GeneralizedTime (YYYYMMDDHHMMSSZ) in ASN.1 representation, which are 13 and 15 characters wide, respectively. However, go1.24.1 accepts CRLs with a thisUpdate field of length 11 ("0103010100Z").

What did you see happen?

However, go1.24.1 accepts CRLs with a thisUpdate field of length 11 ("0103010100Z").

What did you expect to see?

The RFC standard for X.509 CRLs limits the thisUpdate field to only two formats: UTCTime (YYMMDDHHMMSSZ) and GeneralizedTime (YYYYMMDDHHMMSSZ) in ASN.1 encoding, which are 13 and 15 characters wide, respectively. Therefore, it should reject a CRLs file with a thisUpdate
field length of 11 (e.g., "0103010100Z").
main.zip

[gabyhelp]

Related Issues

• crypto/x509: CreateCRL allows non-UTC times in revokedCerts list #16686 (closed)

_{(Emoji vote if this was helpful or unhelpful; more detailed feedback welcome in this discussion.)}

[seankhliao]

The seconds in UTCTime are optional https://obj-sys.com/asn1tutorial/node15.html
which is what encoding/asn1 implements:
https://cs.opensource.google/go/go/+/refs/tags/go1.24.1:src/encoding/asn1/asn1.go;l=337-342

RFC 5820 tightens that to require seconds in UTCTime "MUST include seconds" https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.5.1

cc @golang/security