Description
PR #2444, "openssl_x509_parse fails to parse ASN.1 UTCTime without seconds" added support for UTCTimes in certificates omitting seconds. This seems incorrect. While it is true that seconds are optional in the ASN.1 specification of UTCTime in ITU T-REC X.680 section 47.3, the same is not true for its DER encoding, in particular for certificates or CRLs. RFC 5280, 4.1.2.5.1:
> For the purposes of this profile, UTCTime values MUST be expressed in
> Greenwich Mean Time (Zulu) and MUST include seconds (i.e., times are
> YYMMDDHHMMSSZ), even where the number of seconds is zero.
ITU-T Rec. X.690, section 11.8.2 also states explicitly: "the seconds shall always be present".
Similar statements hold true for GeneralizedTime. (For some reason no exception was made despite the fact that the ASN.1 spec allows omitting minutes or seconds.)
As an aside, it is a bit dangerous to use `strlen()` on the data in an `ASN1_STRING`. These have historically been NUL-terminated in OpenSSL, but this is an implementation detail, not a documented API contract. There is no real reason for them to be NUL-terminated: ASN.1 strings are length-prefixed strings.
PHP Version
PHP 8.3.2
Operating System
No response
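Added example (not code from php-src or OpenSSL): a strict DER validator for the two time forms RFC 5280 allows, written the way the report argues it should be done. It takes the content octets and their explicit length, which is what `ASN1_STRING_get0_data()` and `ASN1_STRING_length()` return, and never calls `strlen()`, so a missing or embedded NUL cannot change the result. UTCTime must be exactly `YYMMDDHHMMSSZ` (13 octets) and GeneralizedTime exactly `YYYYMMDDHHMMSSZ` (15 octets); the 11-octet no-seconds form that PR #2444 accepts is rejected. The sample inputs in `main()` are constructed for illustration, not taken from a real certificate, and the range check is deliberately coarse (no days-per-month or leap-year logic).

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Calendar fields recovered from a DER time value (always UTC/Zulu). */
struct der_time {
    int year, month, day, hour, minute, second;
};

/* True if the first n bytes of p are ASCII digits '0'..'9'. */
static bool all_digits(const unsigned char *p, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (p[i] < '0' || p[i] > '9')
            return false;
    return true;
}

/* Convert n ASCII digits to an int; caller has already verified they are digits. */
static int digits_to_int(const unsigned char *p, size_t n)
{
    int v = 0;
    for (size_t i = 0; i < n; i++)
        v = v * 10 + (p[i] - '0');
    return v;
}

/* Coarse range check; does not validate days-per-month or leap years. */
static bool fields_in_range(const struct der_time *t)
{
    return t->month >= 1 && t->month <= 12 && t->day >= 1 && t->day <= 31 &&
           t->hour <= 23 && t->minute <= 59 && t->second <= 59;
}

/* Shared tail: parse "MMDDHHMMSS" starting at p into t. */
static void parse_mdhms(const unsigned char *p, struct der_time *t)
{
    t->month  = digits_to_int(p, 2);
    t->day    = digits_to_int(p + 2, 2);
    t->hour   = digits_to_int(p + 4, 2);
    t->minute = digits_to_int(p + 6, 2);
    t->second = digits_to_int(p + 8, 2);
}

/*
 * UTCTime per RFC 5280 4.1.2.5.1: exactly "YYMMDDHHMMSSZ" (13 content octets),
 * seconds mandatory, 'Z' mandatory, no UTC offsets. data/len are the content
 * octets and their explicit length (assumed to come from ASN1_STRING_get0_data()
 * and ASN1_STRING_length()); strlen() is never called, so the result does not
 * depend on whether a NUL terminator happens to be present.
 * Two-digit years map as RFC 5280 specifies: 00..49 -> 20YY, 50..99 -> 19YY.
 */
bool der_utctime_parse(const unsigned char *data, size_t len, struct der_time *out)
{
    struct der_time t;
    if (data == NULL || len != 13)
        return false;                       /* rejects the 11-octet "YYMMDDHHMMZ" form */
    if (!all_digits(data, 12) || data[12] != 'Z')
        return false;
    int yy = digits_to_int(data, 2);
    t.year = yy < 50 ? 2000 + yy : 1900 + yy;
    parse_mdhms(data + 2, &t);
    if (!fields_in_range(&t))
        return false;
    if (out)
        *out = t;
    return true;
}

/*
 * GeneralizedTime per RFC 5280 4.1.2.5.2: exactly "YYYYMMDDHHMMSSZ" (15 content
 * octets), seconds mandatory, no fractional seconds, no UTC offsets.
 */
bool der_generalizedtime_parse(const unsigned char *data, size_t len, struct der_time *out)
{
    struct der_time t;
    if (data == NULL || len != 15)
        return false;                       /* rejects "YYYYMMDDHHMMSS.fZ", "YYYYMMDDHHMMZ", ... */
    if (!all_digits(data, 14) || data[14] != 'Z')
        return false;
    t.year = digits_to_int(data, 4);
    parse_mdhms(data + 4, &t);
    if (!fields_in_range(&t))
        return false;
    if (out)
        *out = t;
    return true;
}

int main(void)
{
    /* Constructed sample content octets, not taken from a real certificate. */
    static const unsigned char with_seconds[] = "240115093000Z";
    static const unsigned char no_seconds[]   = "2401150930Z";
    struct der_time t;
    printf("%s -> %s\n", (const char *)with_seconds,
           der_utctime_parse(with_seconds, 13, &t) ? "valid" : "rejected");
    printf("%s -> %s\n", (const char *)no_seconds,
           der_utctime_parse(no_seconds, 11, &t) ? "valid" : "rejected");
    return 0;
}
```

Because the length is passed explicitly, the same call works on a buffer that has no NUL terminator at all, and a NUL inside the content octets is rejected as a non-digit rather than silently truncating the value.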