Add test for CRL expiration

rustls/examples/internal/test_ca.rs

@@ -70,18 +70,26 @@ fn main() -> Result<(), Box<dyn std::error::Error>> {
                         .unwrap(),
                     _ => panic!("unexpected role for CRL generation: {role:?}"),
                 };
-                let crl = crl_for_serial(
+
+                let revoked_crl = crl_for_serial(
                     cert.params()
                         .serial_number
                         .clone()
                         .unwrap(),
                 )
                 .signed_by(&issuer.cert, &issuer.key_pair)?;
-                let mut crl_file = File::create(
+                let mut revoked_crl_file = File::create(
                     alg.output_directory()
                         .join(format!("{}.revoked.crl.pem", role.label())),
                 )?;
-                crl_file.write_all(crl.pem().unwrap().as_bytes())?;
+                revoked_crl_file.write_all(revoked_crl.pem().unwrap().as_bytes())?;
+
+                let expired_crl = expired_crl().signed_by(&issuer.cert, &issuer.key_pair)?;
+                let mut expired_crl_file = File::create(
+                    alg.output_directory()
+                        .join(format!("{}.expired.crl.pem", role.label())),
+                )?;
+                expired_crl_file.write_all(expired_crl.pem().unwrap().as_bytes())?;
             }
 
             // When we're issuing end entity or client certs we have a bit of extra work to do
@@ -125,7 +133,7 @@ fn crl_for_serial(serial_number: SerialNumber) -> CertificateRevocationListParam
     let now = OffsetDateTime::now_utc();
     CertificateRevocationListParams {
         this_update: now,
-        next_update: now + Duration::from_secs(60 * 60 * 24 * 5),
+        next_update: now + Duration::from_secs(60 * 60 * 24 * 365 * 100), // 100 years
         crl_number: SerialNumber::from(1234),
         issuing_distribution_point: None,
         revoked_certs: vec![RevokedCertParams {
@@ -138,6 +146,18 @@ fn crl_for_serial(serial_number: SerialNumber) -> CertificateRevocationListParam
     }
 }
 
+fn expired_crl() -> CertificateRevocationListParams {
+    let now = OffsetDateTime::now_utc();
+    CertificateRevocationListParams {
+        this_update: now - Duration::from_secs(60),
+        next_update: now,
+        crl_number: SerialNumber::from(1234),
+        issuing_distribution_point: None,
+        revoked_certs: vec![],
+        key_identifier_method: KeyIdMethod::Sha256,
+    }
+}
+
 // Note: these are ordered such that the data dependencies for issuance are satisfied.
 const ROLES: [Role; 4] = [
     Role::TrustAnchor,

rustls/tests/api.rs

@@ -1373,6 +1373,51 @@ fn client_check_server_certificate_intermediate_revoked() {
     }
 }
 
+#[test]
+fn client_check_server_certificate_ee_crl_expired() {
+    for kt in ALL_KEY_TYPES {
+        let server_config = Arc::new(make_server_config(*kt));
+
+        // Setup a server verifier that will check the EE certificate's revocation status, with CRL expiration enforced.
+        let crls = vec![kt.end_entity_crl_expired()];
+        let enforce_expiration_builder = webpki_server_verifier_builder(get_client_root_store(*kt))
+            .with_crls(crls)
+            .only_check_end_entity_revocation()
+            .enforce_revocation_expiration();
+
+        // Also setup a server verifier without CRL expiration enforced.
+        let crls = vec![kt.end_entity_crl_expired()];
+        let ignore_expiration_builder = webpki_server_verifier_builder(get_client_root_store(*kt))
+            .with_crls(crls)
+            .only_check_end_entity_revocation();
+
+        for version in rustls::ALL_VERSIONS {
+            let client_config = make_client_config_with_verifier(&[version], enforce_expiration_builder.clone());
+            let mut client =
+                ClientConnection::new(Arc::new(client_config), server_name("localhost")).unwrap();
+            let mut server = ServerConnection::new(Arc::clone(&server_config)).unwrap();
+
+            // We expect the handshake to fail since the CRL is expired.
+            let err = do_handshake_until_error(&mut client, &mut server);
+            assert_eq!(
+                err,
+                Err(ErrorFromPeer::Client(Error::InvalidCertificate(
+                    CertificateError::ExpiredRevocationList
+                )))
+            );
+
+            let client_config = make_client_config_with_verifier(&[version], ignore_expiration_builder.clone());
+            let mut client =
+                ClientConnection::new(Arc::new(client_config), server_name("localhost")).unwrap();
+            let mut server = ServerConnection::new(Arc::clone(&server_config)).unwrap();
+
+            // We expect the handshake to succeed when CRL expiration is ignored.
+            let res = do_handshake_until_error(&mut client, &mut server);
+            assert!(res.is_ok())
+        }
+    }
+}
+
 /// Simple smoke-test of the webpki verify_server_cert_signed_by_trust_anchor helper API.
 /// This public API is intended to be used by consumers implementing their own verifier and
 /// so isn't used by the other existing verifier tests.

rustls/tests/common/mod.rs

@@ -56,6 +56,7 @@ embed_files! {
     (ECDSA_P256_END_CRL_PEM, "ecdsa-p256", "end.revoked.crl.pem");
     (ECDSA_P256_CLIENT_CRL_PEM, "ecdsa-p256", "client.revoked.crl.pem");
     (ECDSA_P256_INTERMEDIATE_CRL_PEM, "ecdsa-p256", "inter.revoked.crl.pem");
+    (ECDSA_P256_EXPIRED_CRL_PEM, "ecdsa-p256", "end.expired.crl.pem");
     (ECDSA_P256_END_CERT, "ecdsa-p256", "end.cert");
     (ECDSA_P256_END_CHAIN, "ecdsa-p256", "end.chain");
     (ECDSA_P256_END_FULLCHAIN, "ecdsa-p256", "end.fullchain");
@@ -73,6 +74,7 @@ embed_files! {
     (ECDSA_P384_END_CRL_PEM, "ecdsa-p384", "end.revoked.crl.pem");
     (ECDSA_P384_CLIENT_CRL_PEM, "ecdsa-p384", "client.revoked.crl.pem");
     (ECDSA_P384_INTERMEDIATE_CRL_PEM, "ecdsa-p384", "inter.revoked.crl.pem");
+    (ECDSA_P384_EXPIRED_CRL_PEM, "ecdsa-p384", "end.expired.crl.pem");
     (ECDSA_P384_END_CERT, "ecdsa-p384", "end.cert");
     (ECDSA_P384_END_CHAIN, "ecdsa-p384", "end.chain");
     (ECDSA_P384_END_FULLCHAIN, "ecdsa-p384", "end.fullchain");
@@ -90,6 +92,7 @@ embed_files! {
     (ECDSA_P521_END_CRL_PEM, "ecdsa-p521", "end.revoked.crl.pem");
     (ECDSA_P521_CLIENT_CRL_PEM, "ecdsa-p521", "client.revoked.crl.pem");
     (ECDSA_P521_INTERMEDIATE_CRL_PEM, "ecdsa-p521", "inter.revoked.crl.pem");
+    (ECDSA_P521_EXPIRED_CRL_PEM, "ecdsa-p521", "end.expired.crl.pem");
     (ECDSA_P521_END_CERT, "ecdsa-p521", "end.cert");
     (ECDSA_P521_END_CHAIN, "ecdsa-p521", "end.chain");
     (ECDSA_P521_END_FULLCHAIN, "ecdsa-p521", "end.fullchain");
@@ -107,6 +110,7 @@ embed_files! {
     (EDDSA_END_CRL_PEM, "eddsa", "end.revoked.crl.pem");
     (EDDSA_CLIENT_CRL_PEM, "eddsa", "client.revoked.crl.pem");
     (EDDSA_INTERMEDIATE_CRL_PEM, "eddsa", "inter.revoked.crl.pem");
+    (EDDSA_EXPIRED_CRL_PEM, "eddsa", "end.expired.crl.pem");
     (EDDSA_END_CERT, "eddsa", "end.cert");
     (EDDSA_END_CHAIN, "eddsa", "end.chain");
     (EDDSA_END_FULLCHAIN, "eddsa", "end.fullchain");
@@ -124,6 +128,7 @@ embed_files! {
     (RSA_2048_END_CRL_PEM, "rsa-2048", "end.revoked.crl.pem");
     (RSA_2048_CLIENT_CRL_PEM, "rsa-2048", "client.revoked.crl.pem");
     (RSA_2048_INTERMEDIATE_CRL_PEM, "rsa-2048", "inter.revoked.crl.pem");
+    (RSA_2048_EXPIRED_CRL_PEM, "rsa-2048", "end.expired.crl.pem");
     (RSA_2048_END_CERT, "rsa-2048", "end.cert");
     (RSA_2048_END_CHAIN, "rsa-2048", "end.chain");
     (RSA_2048_END_FULLCHAIN, "rsa-2048", "end.fullchain");
@@ -141,6 +146,7 @@ embed_files! {
     (RSA_3072_END_CRL_PEM, "rsa-3072", "end.revoked.crl.pem");
     (RSA_3072_CLIENT_CRL_PEM, "rsa-3072", "client.revoked.crl.pem");
     (RSA_3072_INTERMEDIATE_CRL_PEM, "rsa-3072", "inter.revoked.crl.pem");
+    (RSA_3072_EXPIRED_CRL_PEM, "rsa-3072", "end.expired.crl.pem");
     (RSA_3072_END_CERT, "rsa-3072", "end.cert");
     (RSA_3072_END_CHAIN, "rsa-3072", "end.chain");
     (RSA_3072_END_FULLCHAIN, "rsa-3072", "end.fullchain");
@@ -158,6 +164,7 @@ embed_files! {
     (RSA_4096_END_CRL_PEM, "rsa-4096", "end.revoked.crl.pem");
     (RSA_4096_CLIENT_CRL_PEM, "rsa-4096", "client.revoked.crl.pem");
     (RSA_4096_INTERMEDIATE_CRL_PEM, "rsa-4096", "inter.revoked.crl.pem");
+    (RSA_4096_EXPIRED_CRL_PEM, "rsa-4096", "end.expired.crl.pem");
     (RSA_4096_END_CERT, "rsa-4096", "end.cert");
     (RSA_4096_END_CHAIN, "rsa-4096", "end.chain");
     (RSA_4096_END_FULLCHAIN, "rsa-4096", "end.fullchain");
@@ -315,15 +322,19 @@ impl KeyType {
     }
 
     pub fn end_entity_crl(&self) -> CertificateRevocationListDer<'static> {
-        self.get_crl("end")
+        self.get_crl("end", "revoked")
     }
 
     pub fn client_crl(&self) -> CertificateRevocationListDer<'static> {
-        self.get_crl("client")
+        self.get_crl("client", "revoked")
     }
 
     pub fn intermediate_crl(&self) -> CertificateRevocationListDer<'static> {
-        self.get_crl("inter")
+        self.get_crl("inter", "revoked")
+    }
+
+    pub fn end_entity_crl_expired(&self) -> CertificateRevocationListDer<'static> {
+        self.get_crl("end", "expired")
     }
 
     fn get_client_key(&self) -> PrivateKeyDer<'static> {
@@ -337,9 +348,9 @@ impl KeyType {
         )
     }
 
-    fn get_crl(&self, role: &str) -> CertificateRevocationListDer<'static> {
+    fn get_crl(&self, role: &str, r#type: &str) -> CertificateRevocationListDer<'static> {
         rustls_pemfile::crls(&mut io::BufReader::new(
-            self.bytes_for(&format!("{role}.revoked.crl.pem")),
+            self.bytes_for(&format!("{role}.{type}.crl.pem")),
         ))
         .map(|result| result.unwrap())
         .next() // We only expect one CRL.

test-ca/ecdsa-p256/ca.cert

@@ -1,12 +1,12 @@
 -----BEGIN CERTIFICATE-----
-MIIBtzCCAV2gAwIBAgIBBDAKBggqhkjOPQQDAjAhMR8wHQYDVQQDDBZwb255dG93
+MIIBuDCCAV2gAwIBAgIBBDAKBggqhkjOPQQDAjAhMR8wHQYDVQQDDBZwb255dG93
 biBFQ0RTQSBwMjU2IENBMCAXDTc1MDEwMTAwMDAwMFoYDzQwOTYwMTAxMDAwMDAw
 WjAhMR8wHQYDVQQDDBZwb255dG93biBFQ0RTQSBwMjU2IENBMFkwEwYHKoZIzj0C
-AQYIKoZIzj0DAQcDQgAEt7wL3biRoR6fSefjp0t08cudi2zQUounGCxjHQY1brlh
-IVUp2VfP/FhPKBX7VgHRHTJoukAAtg12Aks7cqalEKOBgzCBgDAfBgNVHSMEGDAW
-gBRfW6pxJGPHn4+tADqUNDV6Uo8xyDAOBgNVHQ8BAf8EBAMCAf4wHQYDVR0lBBYw
-FAYIKwYBBQUHAwEGCCsGAQUFBwMCMB0GA1UdDgQWBBRfW6pxJGPHn4+tADqUNDV6
-Uo8xyDAPBgNVHRMBAf8EBTADAQH/MAoGCCqGSM49BAMCA0gAMEUCIFZel8Z3muq9
-cA5ZQfnoPyXbPv5yf0aT+VsXDk0mirdoAiEAjzViKYx3OOYAnlRSvlDabDbqXy2f
-Vezw14zRbrDN9D4=
+AQYIKoZIzj0DAQcDQgAEIWDRAiNc4PlgbWENf/rx9zK3his5SIVcxu3FYxFP373u
+u0AkaihNKcMRilOMHp7nRDFaoEdhtG39l2yMnIWyFaOBgzCBgDAfBgNVHSMEGDAW
+gBT5ZI4b2HIp/Qx0uhqxVahE4Ru2jzAOBgNVHQ8BAf8EBAMCAf4wHQYDVR0lBBYw
+FAYIKwYBBQUHAwEGCCsGAQUFBwMCMB0GA1UdDgQWBBT5ZI4b2HIp/Qx0uhqxVahE
+4Ru2jzAPBgNVHRMBAf8EBTADAQH/MAoGCCqGSM49BAMCA0kAMEYCIQCDF92qG5i+
+iUTLZHkmq2DIdl7btDjb2duW9elQ2fH0/AIhAMiAkN4NlC+vLl7UJQhw98CPOQ1T
+oap++H3F6OeEVtgM
 -----END CERTIFICATE-----

test-ca/ecdsa-p256/ca.key

@@ -1,5 +1,5 @@
 -----BEGIN PRIVATE KEY-----
-MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgWt4c8/RCyscfwu+3
-LIqwCr3yXgeOp4wuW2EYIrq7pM2hRANCAAS3vAvduJGhHp9J5+OnS3Txy52LbNBS
-i6cYLGMdBjVuuWEhVSnZV8/8WE8oFftWAdEdMmi6QAC2DXYCSztypqUQ
+MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgXVYU5wqbgYVhEZwJ
+wDJcX0e/p1Hwe6M1Pn5xTRgZ0QehRANCAAQhYNECI1zg+WBtYQ1/+vH3MreGKzlI
+hVzG7cVjEU/fve67QCRqKE0pwxGKU4wenudEMVqgR2G0bf2XbIychbIV
 -----END PRIVATE KEY-----

test-ca/ecdsa-p256/client.cert

@@ -1,12 +1,13 @@
 -----BEGIN CERTIFICATE-----
-MIIB3DCCAYOgAwIBAgIBGTAKBggqhkjOPQQDAjAzMTEwLwYDVQQDDChwb255dG93
+MIIB3jCCAYOgAwIBAgIBGTAKBggqhkjOPQQDAjAzMTEwLwYDVQQDDChwb255dG93
 biBFQ0RTQSBwMjU2IGxldmVsIDIgaW50ZXJtZWRpYXRlMCAXDTc1MDEwMTAwMDAw
 MFoYDzQwOTYwMTAxMDAwMDAwWjAaMRgwFgYDVQQDDA9wb255dG93biBjbGllbnQw
-WTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAT5lySX2Sk4ARvwe/LA2dOoydi6ON7g
-T9Bs4ANHRaciSXMhOSyWAroUREFj5TvBtoa4Q76v3R8Ka/BbVkXbyOxto4GeMIGb
-MB8GA1UdIwQYMBaAFNIznKRve7JAqQ5j9QRKRX43FZxyMFMGA1UdEQRMMEqCDnRl
+WTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATLihQc1+QHr2mlAYjpHOVdzP0zSNq6
+SpxGZDMulVm2gUT8GmHYQeTbgBszUSASHQukhLPJU7MdNR1/ohOX0SVHo4GeMIGb
+MB8GA1UdIwQYMBaAFCK1qP6zPz5Re4f9g160j5iYOWQZMFMGA1UdEQRMMEqCDnRl
 c3RzZXJ2ZXIuY29tghVzZWNvbmQudGVzdHNlcnZlci5jb22CCWxvY2FsaG9zdIcE
 xjNkAYcQIAENuAAAAAAAAAAAAAAAATAOBgNVHQ8BAf8EBAMCBsAwEwYDVR0lBAww
-CgYIKwYBBQUHAwIwCgYIKoZIzj0EAwIDRwAwRAIgP+TVXW+AAGmCzQ20vKYJsq5O
-bdLEcIfurw4FBwNuUm8CIDLHWoHOiC4zbpLhSoSLO20QzkIob48K1CRLLkcYKxNE
+CgYIKwYBBQUHAwIwCgYIKoZIzj0EAwIDSQAwRgIhAIZpxnTyeWP8kB6zZ1gPJT1B
+0b7a7cV6qR+XLAMOD8xbAiEAyCFOfxdqQGRIl1ejK7YtwwlH/lZ7jpV4sg1ekzQm
+mEg=
 -----END CERTIFICATE-----

test-ca/ecdsa-p256/client.chain

@@ -1,24 +1,24 @@
 -----BEGIN CERTIFICATE-----
-MIIByDCCAW+gAwIBAgIBCzAKBggqhkjOPQQDAjAhMR8wHQYDVQQDDBZwb255dG93
+MIIByTCCAW+gAwIBAgIBCzAKBggqhkjOPQQDAjAhMR8wHQYDVQQDDBZwb255dG93
 biBFQ0RTQSBwMjU2IENBMCAXDTc1MDEwMTAwMDAwMFoYDzQwOTYwMTAxMDAwMDAw
 WjAzMTEwLwYDVQQDDChwb255dG93biBFQ0RTQSBwMjU2IGxldmVsIDIgaW50ZXJt
-ZWRpYXRlMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEtj1/NrV2DF8pdu0nbz8e
-GWJC9loBDlmVy0SCKcBezKOErTzNV6PvE3qPy2vNJgzkEKZYpgjEMYKvDImZlOE2
-OqOBgzCBgDAfBgNVHSMEGDAWgBRfW6pxJGPHn4+tADqUNDV6Uo8xyDAOBgNVHQ8B
+ZWRpYXRlMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAExI5YPrwz3uD1jx+Wy/ai
+FF7V1NqqiF61WjUduN/JWrDxQ2K5VxgPzNNaEM7Ors07WbRQ2btWK60lY+aIHu2P
+NKOBgzCBgDAfBgNVHSMEGDAWgBT5ZI4b2HIp/Qx0uhqxVahE4Ru2jzAOBgNVHQ8B
 Af8EBAMCAf4wHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMB0GA1UdDgQW
-BBTSM5ykb3uyQKkOY/UESkV+NxWccjAPBgNVHRMBAf8EBTADAQH/MAoGCCqGSM49
-BAMCA0cAMEQCIBKOv7CRDiJ/zXyxL6hJwlxrBSoSSrZBeTyVND5jqAvSAiBu3OSo
-KaMUQcDSi8/dXkxIC/Wpp8D0IUV2AyEC+7kBZA==
+BBQitaj+sz8+UXuH/YNetI+YmDlkGTAPBgNVHRMBAf8EBTADAQH/MAoGCCqGSM49
+BAMCA0gAMEUCIQCdGYi9ebaxVvmw8H/r9ZZVAcqmgqCpZF/OZ9bIGLzOjgIgWJyM
+yHVgM+P8aoFgFMbZV//U5j+sGfeocX5NWDtDTDk=
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
-MIIBtzCCAV2gAwIBAgIBBDAKBggqhkjOPQQDAjAhMR8wHQYDVQQDDBZwb255dG93
+MIIBuDCCAV2gAwIBAgIBBDAKBggqhkjOPQQDAjAhMR8wHQYDVQQDDBZwb255dG93
 biBFQ0RTQSBwMjU2IENBMCAXDTc1MDEwMTAwMDAwMFoYDzQwOTYwMTAxMDAwMDAw
 WjAhMR8wHQYDVQQDDBZwb255dG93biBFQ0RTQSBwMjU2IENBMFkwEwYHKoZIzj0C
-AQYIKoZIzj0DAQcDQgAEt7wL3biRoR6fSefjp0t08cudi2zQUounGCxjHQY1brlh
-IVUp2VfP/FhPKBX7VgHRHTJoukAAtg12Aks7cqalEKOBgzCBgDAfBgNVHSMEGDAW
-gBRfW6pxJGPHn4+tADqUNDV6Uo8xyDAOBgNVHQ8BAf8EBAMCAf4wHQYDVR0lBBYw
-FAYIKwYBBQUHAwEGCCsGAQUFBwMCMB0GA1UdDgQWBBRfW6pxJGPHn4+tADqUNDV6
-Uo8xyDAPBgNVHRMBAf8EBTADAQH/MAoGCCqGSM49BAMCA0gAMEUCIFZel8Z3muq9
-cA5ZQfnoPyXbPv5yf0aT+VsXDk0mirdoAiEAjzViKYx3OOYAnlRSvlDabDbqXy2f
-Vezw14zRbrDN9D4=
+AQYIKoZIzj0DAQcDQgAEIWDRAiNc4PlgbWENf/rx9zK3his5SIVcxu3FYxFP373u
+u0AkaihNKcMRilOMHp7nRDFaoEdhtG39l2yMnIWyFaOBgzCBgDAfBgNVHSMEGDAW
+gBT5ZI4b2HIp/Qx0uhqxVahE4Ru2jzAOBgNVHQ8BAf8EBAMCAf4wHQYDVR0lBBYw
+FAYIKwYBBQUHAwEGCCsGAQUFBwMCMB0GA1UdDgQWBBT5ZI4b2HIp/Qx0uhqxVahE
+4Ru2jzAPBgNVHRMBAf8EBTADAQH/MAoGCCqGSM49BAMCA0kAMEYCIQCDF92qG5i+
+iUTLZHkmq2DIdl7btDjb2duW9elQ2fH0/AIhAMiAkN4NlC+vLl7UJQhw98CPOQ1T
+oap++H3F6OeEVtgM
 -----END CERTIFICATE-----

test-ca/ecdsa-p256/client.expired.crl.pem

@@ -0,0 +1,7 @@
+-----BEGIN X509 CRL-----
+MIHtMIGUAgEBMAoGCCqGSM49BAMCMDMxMTAvBgNVBAMMKHBvbnl0b3duIEVDRFNB
+IHAyNTYgbGV2ZWwgMiBpbnRlcm1lZGlhdGUXDTI0MDUwNzE4NDYwNVoXDTI0MDUw
+NzE4NDcwNVqgMDAuMB8GA1UdIwQYMBaAFCK1qP6zPz5Re4f9g160j5iYOWQZMAsG
+A1UdFAQEAgIE0jAKBggqhkjOPQQDAgNIADBFAiEAvw2zv5n5jziLWxJAN5KqAN1S
+XEqh+1lh4FL99yzAj7ICIDzw0Hnmt0njc8x2V4gLcC1Xt39SIVDWY0k2nWlbLpdO
+-----END X509 CRL-----

test-ca/ecdsa-p256/client.fullchain

@@ -1,36 +1,37 @@
 -----BEGIN CERTIFICATE-----
-MIIB3DCCAYOgAwIBAgIBGTAKBggqhkjOPQQDAjAzMTEwLwYDVQQDDChwb255dG93
+MIIB3jCCAYOgAwIBAgIBGTAKBggqhkjOPQQDAjAzMTEwLwYDVQQDDChwb255dG93
 biBFQ0RTQSBwMjU2IGxldmVsIDIgaW50ZXJtZWRpYXRlMCAXDTc1MDEwMTAwMDAw
 MFoYDzQwOTYwMTAxMDAwMDAwWjAaMRgwFgYDVQQDDA9wb255dG93biBjbGllbnQw
-WTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAT5lySX2Sk4ARvwe/LA2dOoydi6ON7g
-T9Bs4ANHRaciSXMhOSyWAroUREFj5TvBtoa4Q76v3R8Ka/BbVkXbyOxto4GeMIGb
-MB8GA1UdIwQYMBaAFNIznKRve7JAqQ5j9QRKRX43FZxyMFMGA1UdEQRMMEqCDnRl
+WTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATLihQc1+QHr2mlAYjpHOVdzP0zSNq6
+SpxGZDMulVm2gUT8GmHYQeTbgBszUSASHQukhLPJU7MdNR1/ohOX0SVHo4GeMIGb
+MB8GA1UdIwQYMBaAFCK1qP6zPz5Re4f9g160j5iYOWQZMFMGA1UdEQRMMEqCDnRl
 c3RzZXJ2ZXIuY29tghVzZWNvbmQudGVzdHNlcnZlci5jb22CCWxvY2FsaG9zdIcE
 xjNkAYcQIAENuAAAAAAAAAAAAAAAATAOBgNVHQ8BAf8EBAMCBsAwEwYDVR0lBAww
-CgYIKwYBBQUHAwIwCgYIKoZIzj0EAwIDRwAwRAIgP+TVXW+AAGmCzQ20vKYJsq5O
-bdLEcIfurw4FBwNuUm8CIDLHWoHOiC4zbpLhSoSLO20QzkIob48K1CRLLkcYKxNE
+CgYIKwYBBQUHAwIwCgYIKoZIzj0EAwIDSQAwRgIhAIZpxnTyeWP8kB6zZ1gPJT1B
+0b7a7cV6qR+XLAMOD8xbAiEAyCFOfxdqQGRIl1ejK7YtwwlH/lZ7jpV4sg1ekzQm
+mEg=
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
-MIIByDCCAW+gAwIBAgIBCzAKBggqhkjOPQQDAjAhMR8wHQYDVQQDDBZwb255dG93
+MIIByTCCAW+gAwIBAgIBCzAKBggqhkjOPQQDAjAhMR8wHQYDVQQDDBZwb255dG93
 biBFQ0RTQSBwMjU2IENBMCAXDTc1MDEwMTAwMDAwMFoYDzQwOTYwMTAxMDAwMDAw
 WjAzMTEwLwYDVQQDDChwb255dG93biBFQ0RTQSBwMjU2IGxldmVsIDIgaW50ZXJt
-ZWRpYXRlMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEtj1/NrV2DF8pdu0nbz8e
-GWJC9loBDlmVy0SCKcBezKOErTzNV6PvE3qPy2vNJgzkEKZYpgjEMYKvDImZlOE2
-OqOBgzCBgDAfBgNVHSMEGDAWgBRfW6pxJGPHn4+tADqUNDV6Uo8xyDAOBgNVHQ8B
+ZWRpYXRlMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAExI5YPrwz3uD1jx+Wy/ai
+FF7V1NqqiF61WjUduN/JWrDxQ2K5VxgPzNNaEM7Ors07WbRQ2btWK60lY+aIHu2P
+NKOBgzCBgDAfBgNVHSMEGDAWgBT5ZI4b2HIp/Qx0uhqxVahE4Ru2jzAOBgNVHQ8B
 Af8EBAMCAf4wHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMB0GA1UdDgQW
-BBTSM5ykb3uyQKkOY/UESkV+NxWccjAPBgNVHRMBAf8EBTADAQH/MAoGCCqGSM49
-BAMCA0cAMEQCIBKOv7CRDiJ/zXyxL6hJwlxrBSoSSrZBeTyVND5jqAvSAiBu3OSo
-KaMUQcDSi8/dXkxIC/Wpp8D0IUV2AyEC+7kBZA==
+BBQitaj+sz8+UXuH/YNetI+YmDlkGTAPBgNVHRMBAf8EBTADAQH/MAoGCCqGSM49
+BAMCA0gAMEUCIQCdGYi9ebaxVvmw8H/r9ZZVAcqmgqCpZF/OZ9bIGLzOjgIgWJyM
+yHVgM+P8aoFgFMbZV//U5j+sGfeocX5NWDtDTDk=
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
-MIIBtzCCAV2gAwIBAgIBBDAKBggqhkjOPQQDAjAhMR8wHQYDVQQDDBZwb255dG93
+MIIBuDCCAV2gAwIBAgIBBDAKBggqhkjOPQQDAjAhMR8wHQYDVQQDDBZwb255dG93
 biBFQ0RTQSBwMjU2IENBMCAXDTc1MDEwMTAwMDAwMFoYDzQwOTYwMTAxMDAwMDAw
 WjAhMR8wHQYDVQQDDBZwb255dG93biBFQ0RTQSBwMjU2IENBMFkwEwYHKoZIzj0C
-AQYIKoZIzj0DAQcDQgAEt7wL3biRoR6fSefjp0t08cudi2zQUounGCxjHQY1brlh
-IVUp2VfP/FhPKBX7VgHRHTJoukAAtg12Aks7cqalEKOBgzCBgDAfBgNVHSMEGDAW
-gBRfW6pxJGPHn4+tADqUNDV6Uo8xyDAOBgNVHQ8BAf8EBAMCAf4wHQYDVR0lBBYw
-FAYIKwYBBQUHAwEGCCsGAQUFBwMCMB0GA1UdDgQWBBRfW6pxJGPHn4+tADqUNDV6
-Uo8xyDAPBgNVHRMBAf8EBTADAQH/MAoGCCqGSM49BAMCA0gAMEUCIFZel8Z3muq9
-cA5ZQfnoPyXbPv5yf0aT+VsXDk0mirdoAiEAjzViKYx3OOYAnlRSvlDabDbqXy2f
-Vezw14zRbrDN9D4=
+AQYIKoZIzj0DAQcDQgAEIWDRAiNc4PlgbWENf/rx9zK3his5SIVcxu3FYxFP373u
+u0AkaihNKcMRilOMHp7nRDFaoEdhtG39l2yMnIWyFaOBgzCBgDAfBgNVHSMEGDAW
+gBT5ZI4b2HIp/Qx0uhqxVahE4Ru2jzAOBgNVHQ8BAf8EBAMCAf4wHQYDVR0lBBYw
+FAYIKwYBBQUHAwEGCCsGAQUFBwMCMB0GA1UdDgQWBBT5ZI4b2HIp/Qx0uhqxVahE
+4Ru2jzAPBgNVHRMBAf8EBTADAQH/MAoGCCqGSM49BAMCA0kAMEYCIQCDF92qG5i+
+iUTLZHkmq2DIdl7btDjb2duW9elQ2fH0/AIhAMiAkN4NlC+vLl7UJQhw98CPOQ1T
+oap++H3F6OeEVtgM
 -----END CERTIFICATE-----

test-ca/ecdsa-p256/client.key

@@ -1,5 +1,5 @@
 -----BEGIN PRIVATE KEY-----
-MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQg76P/gQzHBJBD0vLk
-GmXVpgoCk9l7mzortH3xuaTrXl6hRANCAAT5lySX2Sk4ARvwe/LA2dOoydi6ON7g
-T9Bs4ANHRaciSXMhOSyWAroUREFj5TvBtoa4Q76v3R8Ka/BbVkXbyOxt
+MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgH1VFIwhQjGskNw8i
+HvGz+VRGvk+KS0KKW1G3EMJoTAOhRANCAATLihQc1+QHr2mlAYjpHOVdzP0zSNq6
+SpxGZDMulVm2gUT8GmHYQeTbgBszUSASHQukhLPJU7MdNR1/ohOX0SVH
 -----END PRIVATE KEY-----

test-ca/ecdsa-p256/client.revoked.crl.pem

@@ -1,8 +1,8 @@
 -----BEGIN X509 CRL-----
-MIIBEDCBuAIBATAKBggqhkjOPQQDAjAzMTEwLwYDVQQDDChwb255dG93biBFQ0RT
-QSBwMjU2IGxldmVsIDIgaW50ZXJtZWRpYXRlFw0yNDA0MDcxODI0NDVaFw0yNDA0
-MTIxODI0NDVaMCIwIAIBGRcNMjQwNDA3MTgyNDQ1WjAMMAoGA1UdFQQDCgEBoDAw
-LjAfBgNVHSMEGDAWgBTSM5ykb3uyQKkOY/UESkV+NxWccjALBgNVHRQEBAICBNIw
-CgYIKoZIzj0EAwIDRwAwRAIgElc0GG3PLfCdcPNFKMCBR4WxKHMl7VxUwqStByV8
-RwcCICY/LAN71P9xXdrmuTajIF+RCm29JBXisK2HCRkF9nWC
+MIIBFDCBugIBATAKBggqhkjOPQQDAjAzMTEwLwYDVQQDDChwb255dG93biBFQ0RT
+QSBwMjU2IGxldmVsIDIgaW50ZXJtZWRpYXRlFw0yNDA1MDcxODQ3MDVaGA8yMTI0
+MDQxMzE4NDcwNVowIjAgAgEZFw0yNDA1MDcxODQ3MDVaMAwwCgYDVR0VBAMKAQGg
+MDAuMB8GA1UdIwQYMBaAFCK1qP6zPz5Re4f9g160j5iYOWQZMAsGA1UdFAQEAgIE
+0jAKBggqhkjOPQQDAgNJADBGAiEA1TTizEnDnTJabCy6kpp9gpuJt/A9O0p/N8lU
+0yfEzzcCIQDBThCbA9NuQBY2qkviPZfYERgSte+PIvws3RSBOXYsYA==
 -----END X509 CRL-----