[Swan-dev] dist_certs.py and crl tests

Paul Wouters paul at nohats.ca
Sat Nov 29 05:25:45 EET 2014

On Fri, 28 Nov 2014, Matt Rogers wrote:

(moved discussion to swan-dev)

>> The intent was that the signature made by the CAcert over the CRL was
>> either not yet valid or expired. This is unrelated to the content of the
>> CRL.
> The signature being expired? Do you mean a scenario where the CRL is signed
> by an old CA key (i.e. it got reissued but the CA attributes stay the same)?

build at bofh:~/libreswan/testing/x509/crls (master *)$ openssl crl -in cacrlnotyetvalid.pem -noout -text

Certificate Revocation List (CRL):
         Version 1 (0x0)
     Signature Algorithm: md5WithRSAEncryption
         Issuer: /C=ca/ST=Ontario/L=Toronto/O=Libreswan/OU=Test Department/CN=Libreswan test CA for mainca/emailAddress=testing at libreswan.org
         Last Update: Sep 29 21:55:50 2014 GMT
         Next Update: Oct 29 21:55:50 2014 GMT
No Revoked Certificates.
     Signature Algorithm: md5WithRSAEncryption

Note the "Next Update". When this crl file is used after this time it is

> That should be doable. There's also the "otherca" crl that's signed by a
> different CA and should result in a failed verification.

Yes, I assumed you had that one already :)

