crl
crl::revoked-certificate-with-crl
Tests a Certificate Revocation List (CRL) that revokes a certificate.
Produces a simple test case where a certificate has been revoked by the CA
through a CRL. The CA certificate and CRL are provided, and the leaf certificate
is expected to be rejected due to its revoked status.
| Expected result |
Validation kind |
Validation time |
Features |
Importance |
Conflicts |
| FAILURE |
SERVER |
2024-01-01T00:00:00+00:00 |
has-crl |
high |
N/A |
| Harness |
Result |
Context |
openssl-3.2.4 |
✅ |
certificate revoked |
gnutls-certtool-3.8.3 |
🚧 |
CRLs not supported yet |
openssl-3.4.1 |
✅ |
certificate revoked |
openssl-1.1 |
✅ |
certificate revoked |
rustls-webpki |
✅ |
CertRevoked |
openssl-3.5.0 |
✅ |
certificate revoked |
rust-webpki |
🚧 |
CRLs are not supported by this API |
certvalidator-0.11.1 |
🚧 |
testcase skipped (explicit unsupported feature) |
pyca-cryptography-45.0.4 |
🚧 |
testcase skipped (explicit unsupported feature) |
openssl-3.3.3 |
✅ |
certificate revoked |
gocryptox509-go1.24.4 |
🚧 |
CRLs not supported |
openssl-3.0.16 |
✅ |
certificate revoked |
crl::crlnumber-missing
Tests handling of a CRL that's missing the CRLNumber extension.
Per RFC 5280 5.2.3 this extension MUST be included in a CRL.
| Expected result |
Validation kind |
Validation time |
Features |
Importance |
Conflicts |
| FAILURE |
SERVER |
1970-01-01T00:00:03+00:00 |
has-crl |
high |
N/A |
| Harness |
Result |
Context |
openssl-3.2.4 |
❌ (unexpected success) |
N/A |
gnutls-certtool-3.8.3 |
🚧 |
CRLs not supported yet |
openssl-3.4.1 |
❌ (unexpected success) |
N/A |
openssl-1.1 |
❌ (unexpected success) |
N/A |
rustls-webpki |
❌ (unexpected success) |
N/A |
openssl-3.5.0 |
❌ (unexpected success) |
N/A |
rust-webpki |
🚧 |
CRLs are not supported by this API |
certvalidator-0.11.1 |
🚧 |
testcase skipped (explicit unsupported feature) |
pyca-cryptography-45.0.4 |
🚧 |
testcase skipped (explicit unsupported feature) |
openssl-3.3.3 |
❌ (unexpected success) |
N/A |
gocryptox509-go1.24.4 |
🚧 |
CRLs not supported |
openssl-3.0.16 |
❌ (unexpected success) |
N/A |
crl::certificate-not-on-crl
Tests a certificate that is not present on any of the CRLs (expected pass).
| Expected result |
Validation kind |
Validation time |
Features |
Importance |
Conflicts |
| SUCCESS |
SERVER |
2024-01-01T00:00:00+00:00 |
has-crl |
high |
N/A |
| Harness |
Result |
Context |
openssl-3.2.4 |
✅ |
N/A |
gnutls-certtool-3.8.3 |
🚧 |
CRLs not supported yet |
openssl-3.4.1 |
✅ |
N/A |
openssl-1.1 |
✅ |
N/A |
rustls-webpki |
✅ |
N/A |
openssl-3.5.0 |
✅ |
N/A |
rust-webpki |
🚧 |
CRLs are not supported by this API |
certvalidator-0.11.1 |
🚧 |
testcase skipped (explicit unsupported feature) |
pyca-cryptography-45.0.4 |
🚧 |
testcase skipped (explicit unsupported feature) |
openssl-3.3.3 |
✅ |
N/A |
gocryptox509-go1.24.4 |
🚧 |
CRLs not supported |
openssl-3.0.16 |
✅ |
N/A |
crl::certificate-serial-on-crl-different-issuer
Tests a certificate whose serial number is found on a CRL, but that CRL
has a different issuer than the certificate (expected pass).
Produces a test case where a certificate's serial number appears on a CRL,
but the CRL is issued by a different CA than the one that issued the
certificate. The certificate should be accepted since the CRL from a
different issuer should not affect this certificate's validity.
| Expected result |
Validation kind |
Validation time |
Features |
Importance |
Conflicts |
| SUCCESS |
SERVER |
2024-01-01T00:00:00+00:00 |
has-crl |
high |
N/A |
| Harness |
Result |
Context |
openssl-3.2.4 |
✅ |
N/A |
gnutls-certtool-3.8.3 |
🚧 |
CRLs not supported yet |
openssl-3.4.1 |
✅ |
N/A |
openssl-1.1 |
✅ |
N/A |
rustls-webpki |
✅ |
N/A |
openssl-3.5.0 |
✅ |
N/A |
rust-webpki |
🚧 |
CRLs are not supported by this API |
certvalidator-0.11.1 |
🚧 |
testcase skipped (explicit unsupported feature) |
pyca-cryptography-45.0.4 |
🚧 |
testcase skipped (explicit unsupported feature) |
openssl-3.3.3 |
✅ |
N/A |
gocryptox509-go1.24.4 |
🚧 |
CRLs not supported |
openssl-3.0.16 |
✅ |
N/A |
crl::crlnumber-critical
Tests handling of a CRL that has a critical CRLNumber extension.
Per RFC 5280 5.2.3, the CRLNumber extension is mandatory but MUST
be marked as non-critical.
| Expected result |
Validation kind |
Validation time |
Features |
Importance |
Conflicts |
| FAILURE |
SERVER |
1970-01-01T00:00:03+00:00 |
has-crl |
high |
N/A |
| Harness |
Result |
Context |
openssl-3.2.4 |
✅ |
unhandled critical CRL extension |
gnutls-certtool-3.8.3 |
🚧 |
CRLs not supported yet |
openssl-3.4.1 |
✅ |
unhandled critical CRL extension |
openssl-1.1 |
✅ |
unhandled critical CRL extension |
rustls-webpki |
❌ (unexpected success) |
N/A |
openssl-3.5.0 |
✅ |
unhandled critical CRL extension |
rust-webpki |
🚧 |
CRLs are not supported by this API |
certvalidator-0.11.1 |
🚧 |
testcase skipped (explicit unsupported feature) |
pyca-cryptography-45.0.4 |
🚧 |
testcase skipped (explicit unsupported feature) |
openssl-3.3.3 |
✅ |
unhandled critical CRL extension |
gocryptox509-go1.24.4 |
🚧 |
CRLs not supported |
openssl-3.0.16 |
✅ |
unhandled critical CRL extension |