Always revoke certificate on CRL RFC5280 does not state that the `revocationDate` should be checked. In addition, when no time source is available (i.e., when MBEDTLS_HAVE_TIME_DATE is not defined), `mbedtls_x509_time_is_past` always returns 0. This results in the CRL not being checked at all. https://tools.ietf.org/html/rfc5280 Signed-off-by: Raoul Strackx <raoul.strackx@fortanix.com>

commit: a4e86141f1451e8097f85a823a4426e1c1cfdf7c [log] [tgz]
author: Raoul Strackx <raoul.strackx@fortanix.com> Mon Jun 15 17:03:13 2020 +0200
committer: Raoul Strackx <raoul.strackx@fortanix.com> Mon Aug 17 09:05:03 2020 +0200
tree: b090d395aa8be2d56cb6282fefeb76607615201d
parent: c60c30eb68dd70c71f902f55eb0db69b466e7503 [diff] [blame]
diff --git a/tests/data_files/crl-futureRevocationDate.pem b/tests/data_files/crl-futureRevocationDate.pem
new file mode 100644
index 0000000..f147a8f
--- /dev/null
+++ b/tests/data_files/crl-futureRevocationDate.pem

@@ -0,0 +1,11 @@
+-----BEGIN X509 CRL-----
+MIIBqzCBlDANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDERMA8GA1UECgwI
+UG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EXDTI4MTIzMDIzMDAw
+MFoXDTI5MTIzMDIzMDAwMFowKDASAgEBFw0yOTAxMDExMjQ0MDdaMBICAQMXDTI5
+MDEwMTEyNDQwN1owDQYJKoZIhvcNAQEFBQADggEBAKbL1mDpzCbLJmRZKM2KHPvK
+ijS4UMnanzzYpLAwom1NI69v2fE1/EfiXv0empE6mFqnLwOG4ZP8fECfxjMXO2Ee
+VhxYiRjly6q9hfIUk1e+N9ct8unNnLEBvf6Syfy9+FSO3Q/ahljpYlXsXxg62WXl
+9xp5b5Ok+/0sCv0eL5uFQKXQa8hS9dZo6py7jvFDQC+wVau1mXjQW85iXMLm7vik
+4lR+kfZloeq1jIbsx8cdMi32YVt7uccaqoFcjtrdrWfGmi0wvlDc8K5J0l4tIxZY
+9P+T4fzSgQLdqGZ3xADheEaGTRVL/5oe5L4zRH32BZONMFCijv+j1SpWLxHE8cM=
+-----END X509 CRL-----
commit	a4e86141f1451e8097f85a823a4426e1c1cfdf7c	[log] [tgz]
author	Raoul Strackx <raoul.strackx@fortanix.com>	Mon Jun 15 17:03:13 2020 +0200
committer	Raoul Strackx <raoul.strackx@fortanix.com>	Mon Aug 17 09:05:03 2020 +0200
tree	b090d395aa8be2d56cb6282fefeb76607615201d
parent	c60c30eb68dd70c71f902f55eb0db69b466e7503 [diff] [blame]