diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c
index 207321ce7..48bc23e2d 100644
--- a/wolfcrypt/src/asn.c
+++ b/wolfcrypt/src/asn.c
@@ -12211,12 +12211,18 @@ int GetAsnTimeString(void* currTime, byte* buf, word32 len)
 
     data_len = GetUnformattedTimeString(currTime, uf_time, len);
     /* ensure room to add 2 bytes (ASN type and length) before proceeding */
-    if (len < data_len + 2)
-        return BUFFER_E;
-    if(data_len <= 0)
+    if(data_len <= 0) {
         return ASN_TIME_E;
+    } else if (len < data_len + 2) {
+        return BUFFER_E;
+    }
 
-    /* Increment by 1 for ASN type */
+    /* Increment by 1 for ASN type, it is critical that this increment occur
+     * prior to the check on data_len being ASN_UTC_TIME_SIZE or
+     * ASN_GENERALIZED_TIME_SIZE since GetUnformattedTimeString returns the
+     * length without NULL terminator
+     * (IE 13 instead of 14 for ASN_UTC_TIME_SIZE) This logic WILL NEED updated
+     * if ASN_UTC_TIME_SIZE or ASN_GENERALIZED_TIME_SIZE are ever modified */
     data_len++;
 
     if (data_len == ASN_UTC_TIME_SIZE) {
diff --git a/wolfssl/wolfcrypt/asn.h b/wolfssl/wolfcrypt/asn.h
index c0abf71c3..17239d87e 100644
--- a/wolfssl/wolfcrypt/asn.h
+++ b/wolfssl/wolfcrypt/asn.h
@@ -156,8 +156,13 @@ enum ASN_Tags {
     ASN_ASYMKEY_PUBKEY    = 0x01,
 };
 
-#define ASN_UTC_TIME_SIZE 14
-#define ASN_GENERALIZED_TIME_SIZE 16
+/* NOTE: If ASN_UTC_TIME_SIZE or ASN_GENERALIZED_TIME_SIZE are ever modified
+ *       one needs to update the logic in asn.c function GetAsnTimeString()
+ *       which depends on the size 14 and/or 16 to determine which format to
+ *       place in the "buf" (output)
+ */
+#define ASN_UTC_TIME_SIZE 14 /* Read note above before modifying */
+#define ASN_GENERALIZED_TIME_SIZE 16 /* Read note above before modifying */
 #define ASN_GENERALIZED_TIME_MAX 68
 
 #ifdef WOLFSSL_ASN_TEMPLATE