crl🔗
crl::revoked-certificate-with-crl🔗
Tests a Certificate Revocation List (CRL) that revokes a certificate.
Produces a simple test case where a certificate has been revoked by the CA through a CRL. The CA certificate and CRL are provided, and the leaf certificate is expected to be rejected due to its revoked status.
| Expected result | Validation kind | Validation time | Features | Importance | Conflicts |
|---|---|---|---|---|---|
| FAILURE | SERVER | 2024-01-01T00:00:00+00:00 | has-crl | high | N/A |
| Harness | Result | Context |
|---|---|---|
pyca-cryptography-46.0.5 |
🚧 | testcase skipped (explicit unsupported feature) |
openssl-3.0.19 |
✅ | certificate revoked |
openssl-3.6.1 |
✅ | certificate revoked |
openssl-1.1 |
✅ | certificate revoked |
gocryptox509-go1.26.1 |
🚧 | CRLs not supported |
openssl-3.2.6 |
✅ | certificate revoked |
rust-webpki |
🚧 | CRLs are not supported by this API |
openssl-3.3.6 |
✅ | certificate revoked |
certvalidator-0.11.1 |
🚧 | testcase skipped (explicit unsupported feature) |
gnutls-certtool-3.8.3 |
🚧 | CRLs not supported yet |
openssl-3.5.5 |
✅ | certificate revoked |
rustls-webpki |
✅ | CertRevoked |
openssl-3.4.4 |
✅ | certificate revoked |
crl::crlnumber-missing🔗
Tests handling of a CRL that's missing the CRLNumber extension.
Per RFC 5280 5.2.3 this extension MUST be included in a CRL.
| Expected result | Validation kind | Validation time | Features | Importance | Conflicts |
|---|---|---|---|---|---|
| FAILURE | SERVER | 1970-01-01T00:00:03+00:00 | has-crl | high | N/A |
| Harness | Result | Context |
|---|---|---|
pyca-cryptography-46.0.5 |
🚧 | testcase skipped (explicit unsupported feature) |
openssl-3.0.19 |
❌ (unexpected success) | N/A |
openssl-3.6.1 |
❌ (unexpected success) | N/A |
openssl-1.1 |
❌ (unexpected success) | N/A |
gocryptox509-go1.26.1 |
🚧 | CRLs not supported |
openssl-3.2.6 |
❌ (unexpected success) | N/A |
rust-webpki |
🚧 | CRLs are not supported by this API |
openssl-3.3.6 |
❌ (unexpected success) | N/A |
certvalidator-0.11.1 |
🚧 | testcase skipped (explicit unsupported feature) |
gnutls-certtool-3.8.3 |
🚧 | CRLs not supported yet |
openssl-3.5.5 |
❌ (unexpected success) | N/A |
rustls-webpki |
❌ (unexpected success) | N/A |
openssl-3.4.4 |
❌ (unexpected success) | N/A |
crl::certificate-not-on-crl🔗
Tests a certificate that is not present on any of the CRLs (expected pass).
| Expected result | Validation kind | Validation time | Features | Importance | Conflicts |
|---|---|---|---|---|---|
| SUCCESS | SERVER | 2024-01-01T00:00:00+00:00 | has-crl | high | N/A |
| Harness | Result | Context |
|---|---|---|
pyca-cryptography-46.0.5 |
🚧 | testcase skipped (explicit unsupported feature) |
openssl-3.0.19 |
✅ | N/A |
openssl-3.6.1 |
✅ | N/A |
openssl-1.1 |
✅ | N/A |
gocryptox509-go1.26.1 |
🚧 | CRLs not supported |
openssl-3.2.6 |
✅ | N/A |
rust-webpki |
🚧 | CRLs are not supported by this API |
openssl-3.3.6 |
✅ | N/A |
certvalidator-0.11.1 |
🚧 | testcase skipped (explicit unsupported feature) |
gnutls-certtool-3.8.3 |
🚧 | CRLs not supported yet |
openssl-3.5.5 |
✅ | N/A |
rustls-webpki |
✅ | N/A |
openssl-3.4.4 |
✅ | N/A |
crl::certificate-serial-on-crl-different-issuer🔗
Tests a certificate whose serial number is found on a CRL, but that CRL has a different issuer than the certificate (expected pass).
Produces a test case where a certificate's serial number appears on a CRL, but the CRL is issued by a different CA than the one that issued the certificate. The certificate should be accepted since the CRL from a different issuer should not affect this certificate's validity.
| Expected result | Validation kind | Validation time | Features | Importance | Conflicts |
|---|---|---|---|---|---|
| SUCCESS | SERVER | 2024-01-01T00:00:00+00:00 | has-crl | high | N/A |
| Harness | Result | Context |
|---|---|---|
pyca-cryptography-46.0.5 |
🚧 | testcase skipped (explicit unsupported feature) |
openssl-3.0.19 |
✅ | N/A |
openssl-3.6.1 |
✅ | N/A |
openssl-1.1 |
✅ | N/A |
gocryptox509-go1.26.1 |
🚧 | CRLs not supported |
openssl-3.2.6 |
✅ | N/A |
rust-webpki |
🚧 | CRLs are not supported by this API |
openssl-3.3.6 |
✅ | N/A |
certvalidator-0.11.1 |
🚧 | testcase skipped (explicit unsupported feature) |
gnutls-certtool-3.8.3 |
🚧 | CRLs not supported yet |
openssl-3.5.5 |
✅ | N/A |
rustls-webpki |
✅ | N/A |
openssl-3.4.4 |
✅ | N/A |
crl::crlnumber-critical🔗
Tests handling of a CRL that has a critical CRLNumber extension.
Per RFC 5280 5.2.3, the CRLNumber extension is mandatory but MUST
be marked as non-critical.
| Expected result | Validation kind | Validation time | Features | Importance | Conflicts |
|---|---|---|---|---|---|
| FAILURE | SERVER | 1970-01-01T00:00:03+00:00 | has-crl | high | N/A |
| Harness | Result | Context |
|---|---|---|
pyca-cryptography-46.0.5 |
🚧 | testcase skipped (explicit unsupported feature) |
openssl-3.0.19 |
✅ | unhandled critical CRL extension |
openssl-3.6.1 |
✅ | unhandled critical CRL extension |
openssl-1.1 |
✅ | unhandled critical CRL extension |
gocryptox509-go1.26.1 |
🚧 | CRLs not supported |
openssl-3.2.6 |
✅ | unhandled critical CRL extension |
rust-webpki |
🚧 | CRLs are not supported by this API |
openssl-3.3.6 |
✅ | unhandled critical CRL extension |
certvalidator-0.11.1 |
🚧 | testcase skipped (explicit unsupported feature) |
gnutls-certtool-3.8.3 |
🚧 | CRLs not supported yet |
openssl-3.5.5 |
✅ | unhandled critical CRL extension |
rustls-webpki |
❌ (unexpected success) | N/A |
openssl-3.4.4 |
✅ | unhandled critical CRL extension |
crl::issuer-missing-crlsign🔗
Tests CRL validation when the CA issuer has a keyUsage extension with only
keyCertSign set (no cRLSign).
Per RFC 5280 Section 4.2.1.3, if the keyUsage extension is present in a CA
certificate, the cRLSign bit MUST be set if the CA will be issuing CRLs.
A CRL signed by a CA without the cRLSign bit should be rejected.
| Expected result | Validation kind | Validation time | Features | Importance | Conflicts |
|---|---|---|---|---|---|
| FAILURE | SERVER | 2024-01-01T00:00:00+00:00 | has-crl | high | N/A |
| Harness | Result | Context |
|---|---|---|
pyca-cryptography-46.0.5 |
🚧 | testcase skipped (explicit unsupported feature) |
openssl-3.0.19 |
✅ | key usage does not include CRL signing |
openssl-3.6.1 |
✅ | key usage does not include CRL signing |
openssl-1.1 |
✅ | key usage does not include CRL signing |
gocryptox509-go1.26.1 |
🚧 | CRLs not supported |
openssl-3.2.6 |
✅ | key usage does not include CRL signing |
rust-webpki |
🚧 | CRLs are not supported by this API |
openssl-3.3.6 |
✅ | key usage does not include CRL signing |
certvalidator-0.11.1 |
🚧 | testcase skipped (explicit unsupported feature) |
gnutls-certtool-3.8.3 |
🚧 | CRLs not supported yet |
openssl-3.5.5 |
✅ | key usage does not include CRL signing |
rustls-webpki |
❌ (unexpected success) | N/A |
openssl-3.4.4 |
✅ | key usage does not include CRL signing |
crl::issuer-no-keyusage-extension🔗
Tests CRL validation when the CA issuer has no keyUsage extension.
Per RFC 5280 Section 6.3.3(f), the CRL validation algorithm states: "If a key usage extension is present in the CRL issuer's certificate, verify that the cRLSign bit is set." This conditional check means that when keyUsage is absent, there is no cRLSign verification to perform.
Note: RFC 5280 Section 4.2.1.3 states that "Conforming CAs MUST include this extension in certificates that contain public keys that are used to validate digital signatures on other public key certificates or CRLs." However, this is a certificate issuance requirement, not a validation requirement. The validation algorithm in Section 6.3.3(f) explicitly uses conditional language ("If... is present").
| Expected result | Validation kind | Validation time | Features | Importance | Conflicts |
|---|---|---|---|---|---|
| SUCCESS | SERVER | 2024-01-01T00:00:00+00:00 | has-crl | high | N/A |
| Harness | Result | Context |
|---|---|---|
pyca-cryptography-46.0.5 |
🚧 | testcase skipped (explicit unsupported feature) |
openssl-3.0.19 |
❌ (unexpected failure) | CA cert does not include key usage extension |
openssl-3.6.1 |
❌ (unexpected failure) | CA cert does not include key usage extension |
openssl-1.1 |
✅ | N/A |
gocryptox509-go1.26.1 |
🚧 | CRLs not supported |
openssl-3.2.6 |
❌ (unexpected failure) | CA cert does not include key usage extension |
rust-webpki |
🚧 | CRLs are not supported by this API |
openssl-3.3.6 |
❌ (unexpected failure) | CA cert does not include key usage extension |
certvalidator-0.11.1 |
🚧 | testcase skipped (explicit unsupported feature) |
gnutls-certtool-3.8.3 |
🚧 | CRLs not supported yet |
openssl-3.5.5 |
❌ (unexpected failure) | CA cert does not include key usage extension |
rustls-webpki |
✅ | N/A |
openssl-3.4.4 |
❌ (unexpected failure) | CA cert does not include key usage extension |
crl::issuer-valid-crlsign-and-keycertsign🔗
Tests CRL validation when the CA issuer has a keyUsage extension with both
keyCertSign and cRLSign bits set.
This is the standard configuration for a CA that issues both certificates and CRLs. The CRL should be accepted.
| Expected result | Validation kind | Validation time | Features | Importance | Conflicts |
|---|---|---|---|---|---|
| SUCCESS | SERVER | 2024-01-01T00:00:00+00:00 | has-crl | high | N/A |
| Harness | Result | Context |
|---|---|---|
pyca-cryptography-46.0.5 |
🚧 | testcase skipped (explicit unsupported feature) |
openssl-3.0.19 |
✅ | N/A |
openssl-3.6.1 |
✅ | N/A |
openssl-1.1 |
✅ | N/A |
gocryptox509-go1.26.1 |
🚧 | CRLs not supported |
openssl-3.2.6 |
✅ | N/A |
rust-webpki |
🚧 | CRLs are not supported by this API |
openssl-3.3.6 |
✅ | N/A |
certvalidator-0.11.1 |
🚧 | testcase skipped (explicit unsupported feature) |
gnutls-certtool-3.8.3 |
🚧 | CRLs not supported yet |
openssl-3.5.5 |
✅ | N/A |
rustls-webpki |
✅ | N/A |
openssl-3.4.4 |
✅ | N/A |