The issue is that they designed a API taking a NUL terminated string in the first place, as it should have been something more generic. They knew little enough of X.509 they didn't bother to handle every cases.

My understanding of RFC 3280 is pretty old, but the relevant ASN.1 type describing a subjectAltName seems to be :

SubjectAltName ::= GeneralNames

GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName

GeneralName ::= CHOICE { otherName [0] AnotherName, rfc822Name [1] IA5String, dNSName [2] IA5String, x400Address [3] ORAddress, directoryName [4] Name, ediPartyName [5] EDIPartyName, uniformResourceIdentifier [6] IA5String, iPAddress [7] OCTET STRING, registeredID [8] OBJECT IDENTIFIER }

The IP address case is represented as an octet string, and the octet 0 is legitimate, making their API broken...

That's the X.509 certificate format, right? It's not a code interface.

My point was that it's not reasonable to expect an interface that appears to be accepting a string to also accept random bytes; "10.0.0.8" isn't the same as 0x0a000008.

Maybe he means a binary representation of an IP address (4 bytes for an IPv4). In this case serializing 10.0.0.1 would break.

Yes, lots of APIs that take char * will break if you pass them some arbitrary other type of data that you assume they will handle.

How about if they are implementing a public standard that states this other arbitrary type of data is valid?

It is a logical leap to assume that because the spec says other types of data are valid that means you should be able to pass arbitrary data to this function that is documented as requiring a 0 terminated string. Let's say you wanted to pass an IPv4 address. Would you expect to pass it a uint32_t pointer? A struct in_addr pointer? Host or network byte order?