crypto/x509: ParseCRL allows the Invalidity Date of revoked certificates in the CRL to be UTC time #73442

@onepeople158

Description

Go version

go version go1.24.2 linux/amd64

Output of go env in your module/workspace:

CRL Issuer: CN=My Root CA,OU=My Root CA,O=My Company,L=San Francisco,ST=California,C=US
This Update Time: 2025-01-01 08:00:00 +0800 CST
Next Update Time: 2025-12-01 08:00:00 +0800 CST
Signature Algorithm: SHA256-RSA
Number of Revoked Certificates: 2

Revoked Entry Details:
============================
Serial Number: 1c80022ef81f2405ee96a612dcb61fe0ac701e5e
Revocation Time: 2025-04-17 18:16:51 +0800 CST
  (No extensions)
----------------------------
Serial Number: 8cb8193ecce671ec00000000582c8a7a
Revocation Time: 2025-03-04 08:00:00 +0800 CST
  Extensions:
    2.5.29.21 (CRL Reason): Superseded
    2.5.29.24 (Invalidity Date): 2024-11-14 14:44:00 +0800 CST
----------------------------

What did you do?

Hello developer, I successfully parsed the revoked certificate information with the Invalidity Date as UTC time ("241114064400Z") in Go. However, RFC 5280 states:

The Invalidity Date must be in GeneralizedTime format.

Is this a problem?

What did you see happen?

I successfully parsed the revoked certificate information with the Invalidity Date as UTC time ("241114064400Z") in Go.

What did you expect to see?

Test Case:

Invalidity Date(utc).zip
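
Added example, not part of the original issue and not code from the Go project: a caller-side check that reads the outer ASN.1 tag of each invalidityDate extension (OID 2.5.29.24) and rejects anything other than GeneralizedTime. The names `CheckInvalidityDate` and `sampleExt` are hypothetical, and the sample values are constructed from the time string quoted in the report. The function takes the `[]pkix.Extension` slice found on a revoked entry.

```go
package main

import (
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
)

// id-ce-invalidityDate, OID 2.5.29.24.
var oidInvalidityDate = asn1.ObjectIdentifier{2, 5, 29, 24}

// CheckInvalidityDate (hypothetical helper) returns nil when every
// invalidityDate extension in exts is encoded as GeneralizedTime, and an
// error when one uses another type such as UTCTime.
func CheckInvalidityDate(exts []pkix.Extension) error {
	for _, ext := range exts {
		if !ext.Id.Equal(oidInvalidityDate) {
			continue // other entry extensions are not inspected here
		}
		var raw asn1.RawValue
		rest, err := asn1.Unmarshal(ext.Value, &raw)
		if err != nil {
			return fmt.Errorf("invalidityDate: %w", err)
		}
		if len(rest) != 0 {
			return errors.New("invalidityDate: trailing data after value")
		}
		if raw.Class != asn1.ClassUniversal || raw.Tag != asn1.TagGeneralizedTime {
			return fmt.Errorf("invalidityDate: found tag %d, want GeneralizedTime (%d)",
				raw.Tag, asn1.TagGeneralizedTime)
		}
	}
	return nil
}

// sampleExt builds a constructed invalidityDate extension: one tag byte,
// one length byte, then the time string (short-form DER length only).
func sampleExt(tag byte, s string) []pkix.Extension {
	der := append([]byte{tag, byte(len(s))}, s...)
	return []pkix.Extension{{Id: oidInvalidityDate, Value: der}}
}

func main() {
	// 0x17 = UTCTime, 0x18 = GeneralizedTime (constructed samples).
	fmt.Println("UTCTime:        ", CheckInvalidityDate(sampleExt(0x17, "241114064400Z")))
	fmt.Println("GeneralizedTime:", CheckInvalidityDate(sampleExt(0x18, "20241114064400Z")))
}
```

With `x509.ParseRevocationList`, the slice to pass is `entry.Extensions` for each element of `RevokedCertificateEntries`.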

Labels

BugReport: Issues describing a possible bug in the Go implementation.
NeedsInvestigation: Someone must examine and confirm this is a valid issue and not a duplicate of an existing one.
