Always revoke certificate on CRL RFC5280 does not state that the `revocationDate` should be checked. In addition, when no time source is available (i.e., when MBEDTLS_HAVE_TIME_DATE is not defined), `mbedtls_x509_time_is_past` always returns 0. This results in the CRL not being checked at all. https://tools.ietf.org/html/rfc5280 Signed-off-by: Raoul Strackx <raoul.strackx@fortanix.com>

commit: 2a8e9587a72ae7e6c11d7df2cd3c855d76f99bf0 [log] [tgz]
author: Raoul Strackx <raoul.strackx@fortanix.com> Mon Jun 15 17:03:13 2020 +0200
committer: Raoul Strackx <raoul.strackx@fortanix.com> Wed Aug 26 11:38:41 2020 +0200
tree: 3468b5f42a6718978c4bb02e64acaa09c7c8884b
parent: 84be024eb0f5bad4279bd4f074cc8f6fafc85ec6 [diff] [blame]
diff --git a/tests/data_files/test-ca.server1.future-crl.opensslconf b/tests/data_files/test-ca.server1.future-crl.opensslconf
new file mode 100644
index 0000000..e9ce754
--- /dev/null
+++ b/tests/data_files/test-ca.server1.future-crl.opensslconf

@@ -0,0 +1,18 @@
+ [ ca ]
+ default_ca             = test-ca
+
+ [ test-ca ]
+ certificate            = test-ca.crt
+ private_key            = test-ca.key
+ serial                 = test-ca.server1.serial
+ default_md             = sha1
+ default_startdate      = 110212144406Z
+ default_enddate        = 210212144406Z
+ new_certs_dir          = ./
+ database               = ./test-ca.server1.future-crl.db
+ policy                 = policy_match
+
+ [policy_match]
+ countryName            = supplied
+ organizationName       = supplied
+ commonName             = supplied
commit	2a8e9587a72ae7e6c11d7df2cd3c855d76f99bf0	[log] [tgz]
author	Raoul Strackx <raoul.strackx@fortanix.com>	Mon Jun 15 17:03:13 2020 +0200
committer	Raoul Strackx <raoul.strackx@fortanix.com>	Wed Aug 26 11:38:41 2020 +0200
tree	3468b5f42a6718978c4bb02e64acaa09c7c8884b
parent	84be024eb0f5bad4279bd4f074cc8f6fafc85ec6 [diff] [blame]