Does GnuTLS need to check the “last update” or “next update” of a CRL when revoking certificate(s)?
I created two CRLs [test1.crl, test2.crl] and a certificate chain revoked by test1.crl. When the “next update” of the two CRLs is earlier than the current time (or the “last update” is later than the current time), GnuTLS 3.6.10 treats them as normal CRLs during certificate validation, lacking any check on the last update/next update of the CRL.
By comparison, OpenSSL checks the validity of the CRL regardless of whether it is used to revoke the certificate(s) or not.
The command I used is:
certtool --verify --load_crl=test1.crl --load_ca_certificate=root.pem < leaf.pem
and
certtool --verify --load_crl=test2.crl --load_ca_certificate=root.pem < leaf.pem
Results of test1.crl:
GnuTLS:
Loaded CAs (2 available)
Subject: O=My Company Ltd,L=Newbury,ST=Berkshire,C=GB
Issuer: CN=NCRL,OU=DDST,O=SJTU,ST=SH,C=CN
Checked against: CN=NCRL,OU=DDST,O=SJTU,ST=SH,C=CN
Signature algorithm: RSA-SHA256
Output: Verified. The certificate is trusted.
Subject: O=My Company Ltd,L=Newbury,ST=Berkshire,C=GB
Issuer: CN=NCRL,OU=DDST,O=SJTU,ST=SH,C=CN
Signature algorithm: RSA-SHA256
Checked against CRL[00] of: CN=NCRL,OU=DDST,O=SJTU,ST=SH,C=CN
Output: Not verified. The certificate is NOT trusted. The certificate chain is revoked.
Chain verification output: Not verified. The certificate is NOT trusted. The certificate chain is revoked.
OpenSSL:
C = GB, ST = Berkshire, L = Newbury, O = My Company Ltd
error 12 at 0 depth lookup: CRL has expired
C = GB, ST = Berkshire, L = Newbury, O = My Company Ltd
error 23 at 0 depth lookup: certificate revoked
error leaf.pem: verification failed
Results of test2.crl:
GnuTLS:
Loaded CAs (2 available)
Subject: O=My Company Ltd,L=Newbury,ST=Berkshire,C=GB
Issuer: CN=NCRL,OU=DDST,O=SJTU,ST=SH,C=CN
Checked against: CN=NCRL,OU=DDST,O=SJTU,ST=SH,C=CN
Signature algorithm: RSA-SHA256
Output: Verified. The certificate is trusted.
Subject: O=My Company Ltd,L=Newbury,ST=Berkshire,C=GB
Issuer: CN=NCRL,OU=DDST,O=SJTU,ST=SH,C=CN
Signature algorithm: RSA-SHA256
Checked against CRL[00] of: CN=NCRL,OU=DDST,O=SJTU,ST=SH,C=CN
Output: Verified. The certificate is trusted.
Chain verification output: Verified. The certificate is trusted.
OpenSSL:
C = GB, ST = Berkshire, L = Newbury, O = My Company Ltd
error 12 at 0 depth lookup: CRL has expired
C = CN, ST = SH, O = SJTU, OU = DDST, CN = NCRL
error 12 at 1 depth lookup: CRL has expired
error leaf.pem: verification failed
root.pem:
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
leaf.pem:
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
test1.crl:
-----BEGIN X509 CRL-----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-----END X509 CRL-----
test2.crl:
-----BEGIN X509 CRL-----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-----END X509 CRL-----