[Swan-dev] dist_certs.py and crl tests

Matt Rogers mrogers at redhat.com
Mon Dec 1 16:29:11 EET 2014


On 11/28, Paul Wouters wrote:
> On Fri, 28 Nov 2014, Matt Rogers wrote:
> 
> (moved discussion to swan-dev)
> 
> >>The intent was that the signature made by the CAcert over the CRL was
> >>either not yet valid or expired. This is unrelated to the content of the
> >>CRL.
> >>
> >The signature being expired? Do you mean a scenario where the CRL is signed
> >by an old CA key (i.e. it got reissued but the CA attributes stay the same)?
> 
> build at bofh:~/libreswan/testing/x509/crls (master *)$ openssl crl -in cacrlnotyetvalid.pem -noout -text
> 
> Certificate Revocation List (CRL):
>         Version 1 (0x0)
>     Signature Algorithm: md5WithRSAEncryption
>         Issuer: /C=ca/ST=Ontario/L=Toronto/O=Libreswan/OU=Test Department/CN=Libreswan test CA for mainca/emailAddress=testing at libreswan.org
>         Last Update: Sep 29 21:55:50 2014 GMT
>         Next Update: Oct 29 21:55:50 2014 GMT
> No Revoked Certificates.
>     Signature Algorithm: md5WithRSAEncryption
>          3c:bc:29:67:e9:1e:ee:55:d4:18:9e:69:25:a6:a3:54:b6:3e:
>          93:28:6b:43:44:f1:1e:a1:0d:14:24:c6:2f:f8:6b:14:c4:5d:
>          9d:f0:b3:47:e6:c6:32:5e:fe:cb:53:f3:2b:dd:d1:09:70:7f:
>          b9:00:fb:8b:9e:40:1f:b5:a5:ff:93:fe:81:e7:30:66:06:64:
>          e9:1b:d4:38:11:4b:31:20:e8:8f:83:e0:06:1a:ed:20:d3:df:
>          20:c9:8b:96:2e:8d:84:54:87:34:1c:ed:75:6a:75:e8:4b:00:
>          67:01:d1:c3:f7:e9:69:3e:6e:fc:ff:94:08:b1:f1:88:02:19:
>          e9:87
> 
> Note the "Next Update". When this crl file is used after this time it is
> "expired".
> 

Ahh, yes, that's what the needupdate crl will cover. By setting the CRL period to 0
days, Last Update and Next Update are both the creation timestamp, so by the time
you run the test, Next Update is past due and will need a fetch.

Thanks,
Matt

> >That should be doable. There's also the "otherca" crl that's signed by a
> >different CA and should result in a failed verification.
> 
> Yes, I assumed you had that one already :)
> 
> Paul
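
An added example (stdlib-only Python; not code from this thread or from libreswan's dist_certs.py) that builds a constructed DER CRL with either a 30-day or a 0-day period, reads thisUpdate/nextUpdate back out of the TBSCertList, and classifies the CRL as current, expired or not yet valid in the sense the discussion above uses. The issuer name, timestamps and signature bytes are constructed placeholders; the signature is not verified here, and a real CRL check must also verify the CA's signature over the CRL (the "otherca" case in the thread), which this example does not cover. The algorithm identifier is sha256WithRSAEncryption rather than the md5WithRSAEncryption in the listing above, since it is only a placeholder.

```python
# Added example (not from the thread or from libreswan's testing scripts):
# a stdlib-only check for the CRL condition Paul describes ("Next Update" in
# the past) and a constructed CRL with a 0-day period (Last Update == Next
# Update), the "needupdate" case Matt describes. Issuer name, times and the
# signature value are constructed for the example; nothing here verifies
# the signature, it only reads the validity window.
from datetime import datetime, timedelta, timezone

# ---- minimal DER helpers -------------------------------------------------
def _tlv(tag, body):
    """Encode one DER TLV with a definite length."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body

def _read_tlv(buf, pos):
    """Decode one DER TLV at pos; return (tag, body, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def _utctime(dt):
    """X.509 UTCTime (YYMMDDHHMMSSZ), the form used in the listing above."""
    return _tlv(0x17, dt.strftime("%y%m%d%H%M%SZ").encode("ascii"))

def _parse_time(tag, body):
    s = body.decode("ascii")
    if tag == 0x17:                      # UTCTime: RFC 5280 century rule
        s = ("19" if int(s[:2]) >= 50 else "20") + s
    elif tag != 0x18:                    # 0x18 is GeneralizedTime
        raise ValueError("unexpected time tag %#x" % tag)
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

# ---- build a constructed CRL --------------------------------------------
# AlgorithmIdentifier for sha256WithRSAEncryption (1.2.840.113549.1.1.11)
SHA256_RSA = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + b"\x05\x00")

def build_crl_der(this_update, next_update, issuer_cn="Libreswan test CA for mainca"):
    """CertificateList with a v1 TBSCertList (version omitted, as in the
    listing), no revoked entries, and a placeholder signature value."""
    cn = _tlv(0x30, _tlv(0x06, bytes.fromhex("550403")) + _tlv(0x0C, issuer_cn.encode()))
    issuer = _tlv(0x30, _tlv(0x31, cn))          # Name ::= SEQUENCE OF SET OF ATV
    tbs = _tlv(0x30, SHA256_RSA + issuer + _utctime(this_update) + _utctime(next_update))
    sig = _tlv(0x03, b"\x00" + b"\x00" * 16)     # BIT STRING, 0 unused bits, dummy
    return _tlv(0x30, tbs + SHA256_RSA + sig)

# ---- read the validity window and classify ------------------------------
def crl_validity(der):
    """Return (thisUpdate, nextUpdate or None) from a DER CertificateList."""
    _, crl, _ = _read_tlv(der, 0)
    _, tbs, _ = _read_tlv(crl, 0)
    tag, _, pos = _read_tlv(tbs, 0)              # version (optional) or signature alg
    if tag == 0x02:
        _, _, pos = _read_tlv(tbs, pos)          # version present: skip the alg too
    _, _, pos = _read_tlv(tbs, pos)              # issuer Name
    tag, body, pos = _read_tlv(tbs, pos)
    this_update, next_update = _parse_time(tag, body), None
    if pos < len(tbs):
        tag, body, _ = _read_tlv(tbs, pos)
        if tag in (0x17, 0x18):                  # nextUpdate is OPTIONAL
            next_update = _parse_time(tag, body)
    return this_update, next_update

def crl_status(der, now):
    """'expired' once now is past Next Update: a fresh CRL must be fetched."""
    this_update, next_update = crl_validity(der)
    if now < this_update:
        return "not yet valid"
    if next_update is not None and now > next_update:
        return "expired"
    return "current"

def demo():
    """The listing's 30-day CRL seen before, during and after its window, and
    a constructed 0-day CRL seen one second after it was made."""
    last = datetime(2014, 9, 29, 21, 55, 50, tzinfo=timezone.utc)
    thirty_day = build_crl_der(last, last + timedelta(days=30))   # Next Update: Oct 29
    made = datetime(2014, 12, 1, 14, 29, 11, tzinfo=timezone.utc)  # constructed timestamp
    zero_day = build_crl_der(made, made)
    return {
        "before_window": crl_status(thirty_day, last - timedelta(days=1)),
        "during_window": crl_status(thirty_day, last + timedelta(days=1)),
        "after_window": crl_status(thirty_day, datetime(2014, 12, 1, tzinfo=timezone.utc)),
        "zero_day_now": crl_status(zero_day, made + timedelta(seconds=1)),
        "zero_day_same_stamp": crl_validity(zero_day)[0] == crl_validity(zero_day)[1],
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The 0-day case is the point of the "needupdate" CRL: with Last Update equal to Next Update, any check run after the file was generated classifies it as expired, so the code under test has to go and fetch a replacement rather than trusting the stale list. The DER wrapper built here can be base64-wrapped in an X509 CRL PEM block and inspected with `openssl crl -noout -text` the way Paul does above, but note that OpenSSL will not verify its placeholder signature.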
