OpenSSL has hand-coded templates that correspond to ASN.1 modules for PKIX. That hand-coding can have mistakes, but otherwise the OpenSSL template system is pretty solid. Here we had a mistake in that hand-coding. If they had an ASN.1 compiler then that wouldn't have happened because they could have just compiled the modules from RFC 5280.