[Swan-dev] dist_certs.py and crl tests
Matt Rogers
mrogers at redhat.com
Mon Dec 1 16:29:11 EET 2014
On 11/28, Paul Wouters wrote:
> On Fri, 28 Nov 2014, Matt Rogers wrote:
>
> (moved discussion to swan-dev)
>
> >>The intent was that the signature made by the CAcert over the CRL was
> >>either not yet valid or expired. This is unrelated to the content of the
> >>CRL.
> >>
> >The signature being expired? Do you mean a scenario where the CRL is signed
> >by an old CA key (i.e. it got reissued but the CA attributes stay the same)?
>
> build at bofh:~/libreswan/testing/x509/crls (master *)$ openssl crl -in cacrlnotyetvalid.pem -noout -text
>
> Certificate Revocation List (CRL):
> Version 1 (0x0)
> Signature Algorithm: md5WithRSAEncryption
> Issuer: /C=ca/ST=Ontario/L=Toronto/O=Libreswan/OU=Test Department/CN=Libreswan test CA for mainca/emailAddress=testing at libreswan.org
> Last Update: Sep 29 21:55:50 2014 GMT
> Next Update: Oct 29 21:55:50 2014 GMT
> No Revoked Certificates.
> Signature Algorithm: md5WithRSAEncryption
> 3c:bc:29:67:e9:1e:ee:55:d4:18:9e:69:25:a6:a3:54:b6:3e:
> 93:28:6b:43:44:f1:1e:a1:0d:14:24:c6:2f:f8:6b:14:c4:5d:
> 9d:f0:b3:47:e6:c6:32:5e:fe:cb:53:f3:2b:dd:d1:09:70:7f:
> b9:00:fb:8b:9e:40:1f:b5:a5:ff:93:fe:81:e7:30:66:06:64:
> e9:1b:d4:38:11:4b:31:20:e8:8f:83:e0:06:1a:ed:20:d3:df:
> 20:c9:8b:96:2e:8d:84:54:87:34:1c:ed:75:6a:75:e8:4b:00:
> 67:01:d1:c3:f7:e9:69:3e:6e:fc:ff:94:08:b1:f1:88:02:19:
> e9:87
>
> Note the "Next Update". When this crl file is used after this time it is
> "expired".
>
Ahh, yes, that's what the needupdate crl will cover. By setting the CRL period to 0
days, Last Update and Next Update are both the creation timestamp, so by the time you
run the test Next Update is past due and will need a fetch.
Thanks,
Matt
> >That should be doable. There's also the "otherca" crl that's signed by a
> >different CA and should result in a failed verification.
>
> Yes, I assumed you had that one already :)
>
> Paul
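Added example (not part of this thread, and not libreswan's dist_certs.py or test code): a standard-library-only Python checker that walks the DER of a CRL, pulls out thisUpdate / nextUpdate and the signature algorithm, and classifies the CRL as not-yet-valid, current, or expired (Next Update passed, so a fresh CRL must be fetched). It also constructs the fixture kinds discussed above: a "needupdate" CRL with a 0-day period (Last Update == Next Update == creation time) and a "notyetvalid" CRL whose thisUpdate lies in the future. The small DER encoder, the fixture names and the issuer CN are assumptions of the example; fixture signatures are dummy bytes because only the dates are exercised here, and a date check says nothing about whether the CA's signature verifies. The md5WithRSAEncryption OID seen in the dump above is flagged as a weak signature algorithm.

```python
"""
Classify an X.509 CRL by its thisUpdate / nextUpdate fields (RFC 5280 s5.1),
using a minimal DER walker so nothing beyond the standard library is needed.
Example code, not libreswan's: the encoder, fixture names and issuer CN are
assumptions; fixture signatures are dummy bytes (dates only are exercised).
"""
import datetime as dt

MD5_RSA = bytes.fromhex("06092a864886f70d010104")     # md5WithRSAEncryption OID (as in the dump above)
SHA256_RSA = bytes.fromhex("06092a864886f70d01010b")  # sha256WithRSAEncryption OID
WEAK_SIG_ALGS = {"1.2.840.113549.1.1.4": "md5WithRSAEncryption"}

# ---- DER decoding -----------------------------------------------------------
def _read_tlv(buf, pos):
    """Decode one DER TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(value):
    """Yield (tag, value) for each element inside a SEQUENCE/SET body."""
    pos = 0
    while pos < len(value):
        tag, v, pos = _read_tlv(value, pos)
        yield tag, v

def _decode_oid(value):
    arcs, n = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))

def _decode_time(tag, value):
    """UTCTime (tag 0x17, two-digit year) or GeneralizedTime (0x18), DER 'Z' form."""
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return dt.datetime.strptime(value.decode("ascii"), fmt).replace(tzinfo=dt.timezone.utc)

def parse_crl(der):
    """Return version, signature algorithm OID, thisUpdate, nextUpdate and revoked count."""
    _, crl, _ = _read_tlv(der, 0)
    tbs = list(_children(next(_children(crl))[1]))   # TBSCertList fields, in order
    i, version = 0, 1
    if tbs[0][0] == 0x02:                              # optional version INTEGER (value 1 means v2)
        version, i = int.from_bytes(tbs[0][1], "big") + 1, 1
    sig_alg = _decode_oid(next(_children(tbs[i][1]))[1])
    i += 2                                             # skip signature AlgorithmIdentifier and issuer Name
    this_update, i = _decode_time(*tbs[i]), i + 1
    next_update = None
    if i < len(tbs) and tbs[i][0] in (0x17, 0x18):     # nextUpdate is OPTIONAL
        next_update, i = _decode_time(*tbs[i]), i + 1
    revoked = len(list(_children(tbs[i][1]))) if i < len(tbs) and tbs[i][0] == 0x30 else 0
    return {"version": version, "sig_alg": sig_alg, "this_update": this_update,
            "next_update": next_update, "revoked": revoked,
            "weak_sig_alg": WEAK_SIG_ALGS.get(sig_alg)}

def crl_status(info, now):
    """'not-yet-valid', 'expired' (Next Update passed: fetch a fresh CRL) or 'current'.
    The dates say nothing about the signature; verify that against the CA separately."""
    if now < info["this_update"]:
        return "not-yet-valid"
    if info["next_update"] is not None and now >= info["next_update"]:
        return "expired"
    return "current"

# ---- DER encoding (only what a test fixture needs) ---------------------------
def _tlv(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def _utctime(t):
    return _tlv(0x17, t.strftime("%y%m%d%H%M%SZ").encode("ascii"))

def build_test_crl(this_update, next_update, sig_oid, issuer_cn="Example test CA"):
    """Constructed v1 CRL (no version field, no revoked entries, dummy signature)."""
    alg = _tlv(0x30, sig_oid + b"\x05\x00")                                        # AlgorithmIdentifier + NULL
    cn = _tlv(0x30, _tlv(0x06, b"\x55\x04\x03") + _tlv(0x0C, issuer_cn.encode()))  # CN AttributeTypeAndValue
    issuer = _tlv(0x30, _tlv(0x31, cn))                                            # Name ::= SEQUENCE OF SET
    tbs = alg + issuer + _utctime(this_update)
    if next_update is not None:
        tbs += _utctime(next_update)
    sig = _tlv(0x03, b"\x00" * 17)  # dummy BIT STRING: this fixture exercises date handling only
    return _tlv(0x30, _tlv(0x30, tbs) + alg + sig)

def example_fixtures(now=None):
    """Build and classify the three fixture kinds discussed in the thread."""
    now = now or dt.datetime.now(dt.timezone.utc)
    day = dt.timedelta(days=1)
    created = now - day
    crls = {
        "needupdate": build_test_crl(created, created, MD5_RSA),          # period 0 days
        "notyetvalid": build_test_crl(now + day, now + 31 * day, MD5_RSA),
        "current": build_test_crl(created, now + 29 * day, SHA256_RSA),
    }
    out = {}
    for name, der in crls.items():
        info = parse_crl(der)
        out[name] = (crl_status(info, now), info["weak_sig_alg"], info["version"])
    return out

if __name__ == "__main__":
    for name, (status, weak, version) in example_fixtures().items():
        print(f"{name:12s} v{version} {status:14s} weak-sig={weak}")
```

The "needupdate" fixture comes out as expired on the very first run because its Next Update equals its creation time, which is exactly the property the 0-day period is meant to give the test; a real fixture would of course be signed by the test CA, and a CRL signed by some other CA (the "otherca" case) has to be rejected on signature verification before its dates are even consulted.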