Always revoke certificate on CRL

RFC5280 does not state that the `revocationDate` should be checked. In addition, when no time source is available (i.e., when MBEDTLS_HAVE_TIME_DATE is not defined), `mbedtls_x509_time_is_past` always returns 0. This results in the CRL not being checked at all. https://tools.ietf.org/html/rfc5280 Signed-off-by: Raoul Strackx <raoul.strackx@fortanix.com>
2026-03-26 23:08:50 +00:00 · 2020-06-15 17:03:13 +02:00
parent 14cb46de24
commit 75475d8465
9 changed files with 66 additions and 4 deletions
--- a/tests/data_files/test-ca.server1.future-crl.opensslconf
+++ b/tests/data_files/test-ca.server1.future-crl.opensslconf
@@ -0,0 +1,18 @@
+ [ ca ]
+ default_ca             = test-ca
+
+ [ test-ca ]
+ certificate            = test-ca.crt
+ private_key            = test-ca.key
+ serial                 = test-ca.server1.serial
+ default_md             = sha1
+ default_startdate      = 110212144406Z
+ default_enddate        = 210212144406Z
+ new_certs_dir          = ./
+ database               = ./test-ca.server1.future-crl.db
+ policy                 = policy_match
+
+ [policy_match]
+ countryName            = supplied
+ organizationName       = supplied
+ commonName             = supplied