Add revoked-intermediate #278
Comments
Do you specifically want/mind whether it's something from a legacy root (#218), or something else? It helps to know the specific use case, and if it's related to browsers or security UI, then that's a good signal of priority.
The specific roots were not part of MY use cases, but perhaps they are relevant (I do not know). I am tasked with testing revocation in these scenarios.

A trusted root issues an intermediate, which issues a server cert.

1) the server cert has CRL and/or OCSP data, and is revoked...
2) the server cert has CRL and OCSP data, but OCSP is unreachable, and is revoked
3) the server cert has CRL and OCSP data, but both are unreachable, and is revoked (expect an overall fail-closed result)
4) the server cert has no revocation URLs, but is revoked (expect an overall fail-open result)
5) the server cert is not revoked; the intermediate cert has CRL and/or OCSP data, and is revoked
6) the server cert is not revoked; the intermediate cert has CRL and OCSP data, but OCSP is unreachable, and is revoked
7) the server cert is not revoked; the intermediate cert has CRL and OCSP data, but both are unreachable, and is revoked (expect an overall fail-closed result)
8) the server cert is not revoked; the intermediate cert has no revocation URLs, but is revoked (expect an overall fail-open result)
9) the root cert is Not in the keystore; the intermediate is in the keystore and is a trustedcacert. The server cert is not revoked, the intermediate cert is not revoked (I am not sure of the expected result here, according to RFC, OpenSSL, Schannel)
10) the root cert is Not in the keystore; the intermediate is in the keystore and is a trustedcacert. The server cert is not revoked, the intermediate cert is revoked.

Not all tests are equally valuable, but all are of interest. 10) was the original use case asked for by a firewall admin.
That's... a lot of ideas. :-P I don't have time to pursue any of them, but I'm happy to look at PRs or talk to CAs if they have any appropriate intermediates. How would you check for revocation in #10?
I believe this is a duplicate of #136.
Would it be possible for you to add a "revoked" chain test:
Server Cert (valid) -> Issuing CA (valid, EXCEPT "is REVOKED") -> Root CA (valid)
Aaron
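The chain requested in the issue (server valid, issuing CA revoked, root valid) is scenario 5 in the ten-scenario list above, and the list's "fail closed" versus "fail open" expectations depend entirely on the verifier's policy. The following is an added illustration, not badssl's code and not any particular TLS stack's behaviour: a small Python model that evaluates all ten scenarios under a hard-fail and a soft-fail revocation policy and shows where the two policies diverge. The `Source`, `Cert`, `Policy` names and the chain data are constructed for this example. One explicit modelling assumption is that a certificate used as the trust anchor is not itself revocation-checked (RFC 5280 path validation takes the trust anchor as an input rather than as a certificate in the path); real implementations differ on this point, which is exactly the open question about scenario 10 in the thread.

```python
"""Model the revocation outcomes for the ten scenarios in this thread.

Added example, not badssl project code. Assumptions:
- a cert is described by the revocation sources it advertises (CRL, OCSP),
  whether each is reachable, and what it reports when reached;
- HARD_FAIL rejects a cert whose sources are all unreachable (fail closed),
  SOFT_FAIL accepts it (fail open);
- a cert with no revocation sources is accepted under both policies;
- the trust anchor is not revocation-checked (modelling choice, see lead-in).
"""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum


class Policy(Enum):
    HARD_FAIL = "hard-fail"
    SOFT_FAIL = "soft-fail"


@dataclass
class Source:
    kind: str        # "crl" or "ocsp"
    reachable: bool
    revoked: bool    # what the source would report if it can be reached


@dataclass
class Cert:
    name: str
    sources: list[Source] = field(default_factory=list)
    trust_anchor: bool = False


def check_cert(cert: Cert, policy: Policy) -> tuple[bool, str]:
    """Return (accepted, reason) for a single certificate under `policy`."""
    if cert.trust_anchor:
        return True, f"{cert.name}: trust anchor, not checked"
    if not cert.sources:
        # Nothing to consult: a revoked cert with no URLs passes (fail open).
        return True, f"{cert.name}: no revocation sources (fail open)"
    reachable = [s for s in cert.sources if s.reachable]
    if not reachable:
        if policy is Policy.HARD_FAIL:
            return False, f"{cert.name}: all sources unreachable (fail closed)"
        return True, f"{cert.name}: all sources unreachable (fail open)"
    for s in reachable:
        if s.revoked:
            return False, f"{cert.name}: {s.kind} reports revoked"
    return True, f"{cert.name}: reachable sources report good"


def validate_chain(chain: list[Cert], policy: Policy) -> tuple[bool, str]:
    """Evaluate a leaf-first chain; stop at the first rejected certificate."""
    for cert in chain:
        ok, reason = check_cert(cert, policy)
        if not ok:
            return False, reason
    return True, "chain accepted"


def build_scenarios() -> dict[int, list[Cert]]:
    """Constructed chains for scenarios 1..10 of the thread (leaf first)."""
    def crl(reachable=True, revoked=False):
        return Source("crl", reachable, revoked)

    def ocsp(reachable=True, revoked=False):
        return Source("ocsp", reachable, revoked)

    root = Cert("root", trust_anchor=True)
    good_leaf = Cert("server", [crl()])
    good_ica = Cert("intermediate", [crl()])
    return {
        1: [Cert("server", [crl(revoked=True), ocsp(revoked=True)]), good_ica, root],
        2: [Cert("server", [crl(revoked=True), ocsp(reachable=False, revoked=True)]), good_ica, root],
        3: [Cert("server", [crl(False, True), ocsp(False, True)]), good_ica, root],
        4: [Cert("server", []), good_ica, root],          # revoked, but no URLs
        5: [good_leaf, Cert("intermediate", [crl(revoked=True), ocsp(revoked=True)]), root],
        6: [good_leaf, Cert("intermediate", [crl(revoked=True), ocsp(reachable=False, revoked=True)]), root],
        7: [good_leaf, Cert("intermediate", [crl(False, True), ocsp(False, True)]), root],
        8: [good_leaf, Cert("intermediate", []), root],    # revoked, but no URLs
        # 9 and 10: root absent from the keystore, intermediate is the anchor.
        9: [good_leaf, Cert("intermediate", [crl()], trust_anchor=True)],
        10: [good_leaf, Cert("intermediate", [crl(revoked=True)], trust_anchor=True)],
    }


def run_all(policy: Policy) -> dict[int, bool]:
    """Map scenario number -> whether the chain is accepted under `policy`."""
    return {n: validate_chain(chain, policy)[0] for n, chain in build_scenarios().items()}


if __name__ == "__main__":
    for policy in Policy:
        print(policy.value)
        for n, chain in build_scenarios().items():
            print(f"  {n:2d}: {validate_chain(chain, policy)}")
```

Scenarios 3 and 7 are the ones that distinguish the policies: a hard-fail verifier rejects them because no revocation source could be reached, while a soft-fail verifier accepts them. Scenarios 4 and 8 pass under both, since there is no URL to consult, which is why the thread labels them "fail open". Scenarios 9 and 10 pass only because of the trust-anchor assumption; a verifier that does consult a CRL for the anchor would reject scenario 10.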