[Swan-dev] dist_certs.py and crl tests
Paul Wouters 🔓
paul at nohats.ca
Sat Nov 29 05:25:45 EET 2014
On Fri, 28 Nov 2014, Matt Rogers wrote:
(moved discussion to swan-dev)
>> The intent was that the signature made by the CAcert over the CRL was
>> either not yet valid or expired. This is unrelated to the content of the
>> CRL.
>>
> The signature being expired? Do you mean a scenario where the CRL is signed
> by an old CA key (i.e. it got reissued but the CA attributes stay the same)?
build at bofh:~/libreswan/testing/x509/crls (master *)$ openssl crl -in cacrlnotyetvalid.pem -noout -text
Certificate Revocation List (CRL):
        Version 1 (0x0)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: /C=ca/ST=Ontario/L=Toronto/O=Libreswan/OU=Test Department/CN=Libreswan test CA for mainca/emailAddress=testing at libreswan.org
        Last Update: Sep 29 21:55:50 2014 GMT
        Next Update: Oct 29 21:55:50 2014 GMT
No Revoked Certificates.
    Signature Algorithm: md5WithRSAEncryption
         3c:bc:29:67:e9:1e:ee:55:d4:18:9e:69:25:a6:a3:54:b6:3e:
         93:28:6b:43:44:f1:1e:a1:0d:14:24:c6:2f:f8:6b:14:c4:5d:
         9d:f0:b3:47:e6:c6:32:5e:fe:cb:53:f3:2b:dd:d1:09:70:7f:
         b9:00:fb:8b:9e:40:1f:b5:a5:ff:93:fe:81:e7:30:66:06:64:
         e9:1b:d4:38:11:4b:31:20:e8:8f:83:e0:06:1a:ed:20:d3:df:
         20:c9:8b:96:2e:8d:84:54:87:34:1c:ed:75:6a:75:e8:4b:00:
         67:01:d1:c3:f7:e9:69:3e:6e:fc:ff:94:08:b1:f1:88:02:19:
         e9:87
Note the "Next Update". When this crl file is used after this time it is
"expired".
> That should be doable. There's also the "otherca" crl that's signed by a
> different CA and should result in a failed verification.
Yes, I assumed you had that one already :)
Paul
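The two CRL checks this thread talks about (the Last Update / Next Update window and the "otherca" signature failure), as an added example that is not libreswan's code nor its testing/x509 material: a throwaway CA and empty CRL are constructed in-process with Go's crypto/x509, and checkCRL rejects the CRL as not yet valid, expired, or not signed by the expected CA. The names newTestCA, newCRL and checkCRL are the example's own.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
// newTestCA builds a throwaway self-signed CA with the CRLSign key usage a CRL issuer needs (constructed test data).
func newTestCA(cn string) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, IsCA: true, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), KeyUsage: x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der) // parsed cert carries the auto-generated SubjectKeyId the CRL issuer needs
	return cert, key, err
}
// newCRL signs an empty CRL (no revoked certificates, like cacrlnotyetvalid.pem) with the given update window.
func newCRL(ca *x509.Certificate, key ed25519.PrivateKey, last, next time.Time) ([]byte, error) {
	return x509.CreateRevocationList(rand.Reader, &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: last, NextUpdate: next}, ca, key)
}
// checkCRL applies the checks from the thread: a valid signature from the expected CA, and "now" inside Last Update..Next Update.
func checkCRL(der []byte, ca *x509.Certificate, now time.Time) error {
	crl, err := x509.ParseRevocationList(der)
	if err != nil {
		return err
	}
	if err := crl.CheckSignatureFrom(ca); err != nil { // fails for a CRL issued by "otherca"
		return fmt.Errorf("CRL not signed by expected CA: %w", err)
	}
	if now.Before(crl.ThisUpdate) {
		return fmt.Errorf("CRL not yet valid until %s", crl.ThisUpdate.UTC())
	}
	if now.After(crl.NextUpdate) { // the "expired" case: used after Next Update
		return fmt.Errorf("CRL expired at %s", crl.NextUpdate.UTC())
	}
	return nil
}
```

Note that CheckSignatureFrom also refuses a CA certificate that lacks the CRLSign key usage, which is a separate failure from a bad signature.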