[Swan-dev] dist_certs.py and crl tests

Paul Wouters 🔓 paul at nohats.ca
Sat Nov 29 05:25:45 EET 2014


On Fri, 28 Nov 2014, Matt Rogers wrote:

(moved discussion to swan-dev)

>> The intent was that the signature made by the CAcert over the CRL was
>> either not yet valid or expired. This is unrelated to the content of the
>> CRL.
>>
> The signature being expired? Do you mean a scenario where the CRL is signed
> by an old CA key (i.e. it got reissued but the CA attributes stay the same)?

build at bofh:~/libreswan/testing/x509/crls (master *)$ openssl crl -in cacrlnotyetvalid.pem -noout -text

Certificate Revocation List (CRL):
         Version 1 (0x0)
     Signature Algorithm: md5WithRSAEncryption
         Issuer: /C=ca/ST=Ontario/L=Toronto/O=Libreswan/OU=Test Department/CN=Libreswan test CA for mainca/emailAddress=testing at libreswan.org
         Last Update: Sep 29 21:55:50 2014 GMT
         Next Update: Oct 29 21:55:50 2014 GMT
No Revoked Certificates.
     Signature Algorithm: md5WithRSAEncryption
          3c:bc:29:67:e9:1e:ee:55:d4:18:9e:69:25:a6:a3:54:b6:3e:
          93:28:6b:43:44:f1:1e:a1:0d:14:24:c6:2f:f8:6b:14:c4:5d:
          9d:f0:b3:47:e6:c6:32:5e:fe:cb:53:f3:2b:dd:d1:09:70:7f:
          b9:00:fb:8b:9e:40:1f:b5:a5:ff:93:fe:81:e7:30:66:06:64:
          e9:1b:d4:38:11:4b:31:20:e8:8f:83:e0:06:1a:ed:20:d3:df:
          20:c9:8b:96:2e:8d:84:54:87:34:1c:ed:75:6a:75:e8:4b:00:
          67:01:d1:c3:f7:e9:69:3e:6e:fc:ff:94:08:b1:f1:88:02:19:
          e9:87

Note the "Next Update". When this crl file is used after this time it is
"expired".

> That should be doable. There's also the "otherca" crl that's signed by a
> different CA and should result in a failed verification.

Yes, I assumed you had that one already :)

Paul
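Added example (not from the thread above and not libreswan's testing/x509 harness): the two CRL failure modes discussed here, reproduced with the openssl CLI. A throw-away "mainca" and "otherca" are generated, mainca issues an empty CRL, and two checks are run against it: the lastUpdate/nextUpdate window, which "openssl crl" prints but never compares with the clock (that is the relying party's job, hence the injectable "now" argument), and the CA signature, which only verifies against the CA that actually signed the CRL. Assumptions: an openssl 1.1 or 3.x binary on PATH and GNU date for parsing the "Mon DD HH:MM:SS YYYY GMT" timestamps; all names, paths and the config file below are constructed for the example.

```shell
#!/bin/sh
# Added example: CRL validity window and issuer-signature checks with the openssl CLI.
# Assumes openssl (1.1+/3.x) and GNU date. Everything below is constructed, not libreswan's.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Create a throw-away CA: key, self-signed cert and the state files "openssl ca" needs.
make_ca() {   # $1 = CA name
    d="$WORK/$1"
    mkdir -p "$d/newcerts"
    : > "$d/index.txt"
    echo 1000 > "$d/serial"
    echo 01 > "$d/crlnumber"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/O=Example/CN=$1" -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    cat > "$d/ca.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
database = $d/index.txt
new_certs_dir = $d/newcerts
serial = $d/serial
crlnumber = $d/crlnumber
default_md = sha256
default_crl_days = 30
EOF
}

# Issue a CRL with no revoked certificates (like cacrlnotyetvalid.pem) valid for $2 days.
make_crl() {   # $1 = CA name, $2 = CRL lifetime in days
    d="$WORK/$1"
    openssl ca -config "$d/ca.cnf" -gencrl -crldays "$2" \
        -keyfile "$d/ca.key" -cert "$d/ca.pem" -out "$d/crl.pem" 2>/dev/null
    echo "$d/crl.pem"
}

# Classify the CRL's validity window at instant $2 (epoch seconds):
# before lastUpdate -> "not yet valid", after nextUpdate -> "expired", else "valid".
crl_window_status() {   # $1 = CRL file, $2 = "now" as epoch seconds
    last=$(openssl crl -in "$1" -noout -lastupdate | sed 's/^lastUpdate=//')
    next=$(openssl crl -in "$1" -noout -nextupdate | sed 's/^nextUpdate=//')
    last_s=$(date -u -d "$last" +%s)   # GNU date parses "Nov 29 05:25:45 2014 GMT"
    next_s=$(date -u -d "$next" +%s)
    if [ "$2" -lt "$last_s" ]; then
        echo "not yet valid"
    elif [ "$2" -gt "$next_s" ]; then
        echo "expired"
    else
        echo "valid"
    fi
}

# Signature check: succeeds only if the CRL was signed by the key behind CA cert $2.
# "verify OK" goes to stderr, so merge it; exit status alone differs between versions.
crl_signature_ok() {   # $1 = CRL file, $2 = CA certificate
    openssl crl -in "$1" -noout -CAfile "$2" 2>&1 | grep -q 'verify OK'
}

make_ca mainca
make_ca otherca
CRL=$(make_crl mainca 30)
NOW=$(date -u +%s)

echo "window now:        $(crl_window_status "$CRL" "$NOW")"
echo "window in 31 days: $(crl_window_status "$CRL" $((NOW + 31 * 86400)))"
echo "window a week ago: $(crl_window_status "$CRL" $((NOW - 7 * 86400)))"
crl_signature_ok "$CRL" "$WORK/mainca/ca.pem"  && echo "signed by mainca:  verify OK"
crl_signature_ok "$CRL" "$WORK/otherca/ca.pem" || echo "signed by otherca: verify failed (expected)"
```

The "not yet valid" and "expired" cases are produced by moving the clock argument rather than the CRL, since "openssl ca -gencrl" always stamps lastUpdate with the current time; to build a file like cacrlnotyetvalid.pem for a test suite you would generate the CRL under a shifted clock (or, on OpenSSL 3, with its -crl_lastupdate/-crl_nextupdate options) and keep the file.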