Commit c7620840bf for openssl.org
commit c7620840bfbc0eae1e535cf77c10dea768aae321
Author: Jaeho Nam <njh215@snu.ac.kr>
Date: Sun Mar 15 08:31:49 2026 +0000
x509: fix bug in timeSpecification printing
Fix i2r_OSSL_DAY_TIME() to check dt->second before decoding the
optional seconds field. Add a regression certificate and x509 recipe
coverage for the periodic timeSpecification case with no seconds.
Resolves: https://github.com/openssl/openssl/issues/30424
Fixes: 70b17e5a00da "feat: support the timeSpecification X.509v3 extension"
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
MergeDate: Fri Mar 20 18:47:04 2026
(Merged from https://github.com/openssl/openssl/pull/30425)
diff --git a/crypto/x509/v3_timespec.c b/crypto/x509/v3_timespec.c
index 28f9a1c610..f29265f4be 100644
--- a/crypto/x509/v3_timespec.c
+++ b/crypto/x509/v3_timespec.c
@@ -167,7 +167,7 @@ static int i2r_OSSL_DAY_TIME(X509V3_EXT_METHOD *method,
return 0;
if (dt->minute && !ASN1_INTEGER_get_int64(&m, dt->minute))
return 0;
- if (dt->minute && !ASN1_INTEGER_get_int64(&s, dt->second))
+ if (dt->second && !ASN1_INTEGER_get_int64(&s, dt->second))
return 0;
return BIO_printf(out, "%02lld:%02lld:%02lld",
(long long int)h, (long long int)m, (long long int)s)
diff --git a/test/certs/ext-timeSpecification-periodic-no-second.pem b/test/certs/ext-timeSpecification-periodic-no-second.pem
new file mode 100644
index 0000000000..9b23ddbb16
--- /dev/null
+++ b/test/certs/ext-timeSpecification-periodic-no-second.pem
@@ -0,0 +1,14 @@
+-----BEGIN CERTIFICATE-----
+MIICLzCCAhmgAwIBAgIEDCI4TjANBgkqhkiG9w0BAQUFADARMQ8wDQYDVQQDDAZI
+aSBtb20wIhgPMjAyMjEyMjExNDQ5NDJaGA8yMDIyMTIyMTE0NDk0MlowETEPMA0G
+A1UEAwwGSGkgbW9tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtnjL
+m1ts1hC4fNNt3UnQD9y73bDXgioTyWYSI3ca/KNfuTydjFTEYAmqnuGrBOUfgbmH
+3PRQ0AmpqljgWTb3d3K8H4UFvDWQTPSS21IMjm8oqd19nE5GxWirGu0oDRzhWLHe
+1RZ7ZrohCPg/1Ocsy47QZuK2laFB0rEmrRWBmEYbDl3/wxf5XfqIqpOynJB02thX
+rTCcTM7Rz1FqCFt/ZVZB5hKY2S+CTdE9OIVKlr4WHMfuvUYeOj06GkwLFJHNv2tU
++tovI3mYRxUuY4UupkS3MC+Otey7XKm1P+INjWWoegm6iCAt3VuspVz+6pU2xgl3
+nrAVMQHB4fReQPH0pQIDAQABo4GMMIGJMIGGBgNVHSsEfzB9MXUwUaAlMSMwIaAM
+MAqgAwIBBaEDAgEroREwD6ADAgEMoQMCASKiAwIBOKEIMQYCAQECAQKiCDEGAgED
+AgEEowgxBgIBBQIBBqQKMQgCAgfmAgIH5zAgoQgxBgIBAwIBBKMIMQYCAQcCAQik
+CjEIAgIH5wICB+gBAf8CAfswDQYJKoZIhvcNAQEFBQADAQA=
+-----END CERTIFICATE-----
diff --git a/test/recipes/25-test_x509.t b/test/recipes/25-test_x509.t
index 34a6d17be1..d438de0fe2 100644
--- a/test/recipes/25-test_x509.t
+++ b/test/recipes/25-test_x509.t
@@ -17,7 +17,7 @@ use File::Compare qw/compare_text/;
setup("test_x509");
-plan tests => 150;
+plan tests => 151;
# Prevent MSys2 filename munging for arguments that look like file paths but
# aren't
@@ -414,6 +414,12 @@ cert_contains($time_spec_per_cert,
"Years: 2023, 2024",
1, 'X.509 Time Specification (Periodic)');
+my $time_spec_per_no_second_cert =
+ srctop_file(@certs, "ext-timeSpecification-periodic-no-second.pem");
+cert_contains($time_spec_per_no_second_cert,
+ "05:43:00 - 12:34:56",
+ 1, 'X.509 Time Specification (Periodic, no second)');
+
my $attr_map_cert = srctop_file(@certs, "ext-attributeMappings.pem");
cert_contains($attr_map_cert,
"commonName == localityName",