-rw-r--r--luni/src/test/java/libcore/java/security/cert/X509CRLTest.java367
-rw-r--r--support/src/test/java/tests/resources/x509/cert-alt-dirname.derbin673 -> 673 bytes
-rw-r--r--support/src/test/java/tests/resources/x509/cert-alt-dns.derbin609 -> 609 bytes
-rw-r--r--support/src/test/java/tests/resources/x509/cert-alt-email.derbin609 -> 609 bytes
-rw-r--r--support/src/test/java/tests/resources/x509/cert-alt-other.derbin607 -> 607 bytes
-rw-r--r--support/src/test/java/tests/resources/x509/cert-alt-rid.derbin596 -> 596 bytes
-rw-r--r--support/src/test/java/tests/resources/x509/cert-alt-uri.derbin630 -> 630 bytes
-rw-r--r--support/src/test/java/tests/resources/x509/cert-ca.derbin594 -> 594 bytes
-rw-r--r--support/src/test/java/tests/resources/x509/cert-caWithPathLen.derbin597 -> 597 bytes
-rw-r--r--support/src/test/java/tests/resources/x509/cert-dsa.derbin793 -> 793 bytes
-rw-r--r--support/src/test/java/tests/resources/x509/cert-ec.derbin483 -> 482 bytes
-rw-r--r--support/src/test/java/tests/resources/x509/cert-extendedKeyUsage.derbin596 -> 596 bytes
-rw-r--r--support/src/test/java/tests/resources/x509/cert-ipv6.derbin638 -> 638 bytes
-rw-r--r--support/src/test/java/tests/resources/x509/cert-keyUsage-extraLong.derbin594 -> 594 bytes
-rw-r--r--support/src/test/java/tests/resources/x509/cert-rsa-dates.txt4
-rw-r--r--support/src/test/java/tests/resources/x509/cert-rsa-pubkey.derbin162 -> 162 bytes
-rw-r--r--support/src/test/java/tests/resources/x509/cert-rsa-serial.txt2
-rw-r--r--support/src/test/java/tests/resources/x509/cert-rsa-sig.der3
-rw-r--r--support/src/test/java/tests/resources/x509/cert-rsa-tbs.derbin1065 -> 1065 bytes
-rw-r--r--support/src/test/java/tests/resources/x509/cert-rsa.derbin1216 -> 1216 bytes
-rw-r--r--support/src/test/java/tests/resources/x509/cert-unsupported.derbin603 -> 603 bytes
-rw-r--r--support/src/test/java/tests/resources/x509/cert-userWithPathLen.derbin594 -> 594 bytes
-rwxr-xr-xsupport/src/test/java/tests/resources/x509/create.sh32
-rw-r--r--support/src/test/java/tests/resources/x509/crl-rsa-dates.txt2
-rw-r--r--support/src/test/java/tests/resources/x509/crl-rsa-dsa-dates.txt2
-rw-r--r--support/src/test/java/tests/resources/x509/crl-rsa-dsa.derbin0 -> 372 bytes
-rw-r--r--support/src/test/java/tests/resources/x509/crl-rsa-sig.der1
-rw-r--r--support/src/test/java/tests/resources/x509/crl-rsa-tbs.derbin0 -> 176 bytes
-rw-r--r--support/src/test/java/tests/resources/x509/crl-rsa.derbin0 -> 327 bytes
-rw-r--r--support/src/test/java/tests/resources/x509/crl-unsupported.derbin0 -> 399 bytes
-rw-r--r--support/src/test/java/tests/resources/x509/default.cnf4
31 files changed, 410 insertions, 7 deletions
diff --git a/luni/src/test/java/libcore/java/security/cert/X509CRLTest.java b/luni/src/test/java/libcore/java/security/cert/X509CRLTest.java
new file mode 100644
index 0000000..161a8d5
--- /dev/null
+++ b/luni/src/test/java/libcore/java/security/cert/X509CRLTest.java
@@ -0,0 +1,367 @@
+/*
+ * Copyright (C) 2012 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package libcore.java.security.cert;
+
+import tests.support.resource.Support_Resources;
+
+import java.io.BufferedReader;
+import java.io.ByteArrayOutputStream;
+import java.io.DataInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.InputStreamReader;
+import java.io.PrintStream;
+import java.security.Provider;
+import java.security.Security;
+import java.security.cert.CRL;
+import java.security.cert.CertificateFactory;
+import java.security.cert.X509CRL;
+import java.security.cert.X509CRLEntry;
+import java.security.cert.X509Certificate;
+import java.text.SimpleDateFormat;
+import java.util.Arrays;
+import java.util.Date;
+import java.util.HashMap;
+import java.util.Locale;
+import java.util.Map;
+import java.util.Set;
+
+import junit.framework.TestCase;
+import libcore.java.security.StandardNames;
+
+public class X509CRLTest extends TestCase {
+ private Provider[] mX509Providers;
+
+ private static final String CERT_RSA = "x509/cert-rsa.der";
+
+ private static final String CERT_DSA = "x509/cert-dsa.der";
+
+ private static final String CRL_RSA = "x509/crl-rsa.der";
+
+ private static final String CRL_RSA_DSA = "x509/crl-rsa-dsa.der";
+
+ private static final String CRL_UNSUPPORTED = "x509/crl-unsupported.der";
+
+ private static final String CRL_RSA_DATES = "x509/crl-rsa-dates.txt";
+
+ private static final String CRL_RSA_DSA_DATES = "x509/crl-rsa-dsa-dates.txt";
+
+ private static final String CRL_RSA_SIG = "x509/crl-rsa-sig.der";
+
+ private static final String CRL_RSA_TBS = "x509/crl-rsa-tbs.der";
+
+ private final X509Certificate getCertificate(CertificateFactory f, String name)
+ throws Exception {
+ final InputStream is = Support_Resources.getStream(name);
+ assertNotNull("File does not exist: " + name, is);
+ try {
+ return (X509Certificate) f.generateCertificate(is);
+ } finally {
+ try {
+ is.close();
+ } catch (IOException ignored) {
+ }
+ }
+ }
+
+ private final X509CRL getCRL(CertificateFactory f, String name) throws Exception {
+ final InputStream is = Support_Resources.getStream(name);
+ assertNotNull("File does not exist: " + name, is);
+ try {
+ return (X509CRL) f.generateCRL(is);
+ } finally {
+ try {
+ is.close();
+ } catch (IOException ignored) {
+ }
+ }
+ }
+
+ private byte[] getResourceAsBytes(String name) throws Exception {
+ final InputStream ris = Support_Resources.getStream(name);
+ try {
+ DataInputStream dis = new DataInputStream(ris);
+ byte[] buf = new byte[ris.available()];
+ dis.readFully(buf);
+ return buf;
+ } finally {
+ try {
+ ris.close();
+ } catch (IOException ignored) {
+ }
+ }
+ }
+
+ private Map<String, Date> getCrlDates(String name) throws Exception {
+ Map<String, Date> dates = new HashMap<String, Date>();
+ final SimpleDateFormat sdf = new SimpleDateFormat("MMM dd HH:mm:ss yyyy zzz");
+
+ final InputStream ris = Support_Resources.getStream(name);
+ try {
+
+ final BufferedReader buf = new BufferedReader(new InputStreamReader(ris));
+
+ String line;
+ while ((line = buf.readLine()) != null) {
+ int index = line.indexOf('=');
+ String key = line.substring(0, index);
+ final Date value = sdf.parse(line.substring(index + 1));
+ dates.put(key, value);
+ }
+
+ return dates;
+ } finally {
+ try {
+ ris.close();
+ } catch (IOException ignored) {
+ }
+ }
+ }
+
+ public void test_Provider() throws Exception {
+ final ByteArrayOutputStream errBuffer = new ByteArrayOutputStream();
+ PrintStream out = new PrintStream(errBuffer);
+
+ for (Provider p : mX509Providers) {
+ try {
+ CertificateFactory f = CertificateFactory.getInstance("X.509", p);
+ isRevoked(f);
+ getType(f);
+ getEncoded(f);
+ getVersion(f);
+ hasUnsupportedCriticalExtension(f);
+ getSignature(f);
+ getTBSCertList(f);
+ getRevokedCertificates(f);
+ getThisUpdateNextUpdate(f);
+ getSigAlgName(f);
+ getSigAlgOID(f);
+ test_toString(f);
+ test_equals(f);
+ } catch (Throwable e) {
+ out.append("Error encountered checking " + p.getName() + "\n");
+ e.printStackTrace(out);
+ }
+ }
+
+ out.flush();
+ if (errBuffer.size() > 0) {
+ throw new Exception("Errors encountered:\n\n" + errBuffer.toString() + "\n\n");
+ }
+ }
+
+ private void getType(CertificateFactory f) throws Exception {
+ CRL crlRsa = getCRL(f, CRL_RSA);
+
+ assertEquals("X.509", crlRsa.getType());
+ }
+
+ private void isRevoked(CertificateFactory f) throws Exception {
+ X509Certificate rsaCert = getCertificate(f, CERT_RSA);
+ X509Certificate dsaCert = getCertificate(f, CERT_DSA);
+ X509CRL crlRsa = getCRL(f, CRL_RSA);
+ X509CRL crlRsaDsa = getCRL(f, CRL_RSA_DSA);
+
+ assertTrue(crlRsa.isRevoked(rsaCert));
+ assertFalse(crlRsa.isRevoked(dsaCert));
+
+ assertTrue(crlRsaDsa.isRevoked(rsaCert));
+ assertTrue(crlRsaDsa.isRevoked(dsaCert));
+
+ try {
+ assertFalse(crlRsa.isRevoked(null));
+ if ("BC".equals(f.getProvider().getName())) {
+ fail("BouncyCastle throws on null input");
+ }
+ } catch (NullPointerException e) {
+ if (!"BC".equals(f.getProvider().getName())) {
+ fail("Should not throw on null input");
+ }
+ }
+ }
+
+ private void getThisUpdateNextUpdate(CertificateFactory f) throws Exception {
+ {
+ X509CRL crl = getCRL(f, CRL_RSA);
+ Map<String, Date> dates = getCrlDates(CRL_RSA_DATES);
+
+ Date lastUpdate = dates.get("lastUpdate");
+ Date nextUpdate = dates.get("nextUpdate");
+
+ assertNotNull(lastUpdate);
+ assertNotNull(nextUpdate);
+
+ assertEquals(lastUpdate, crl.getThisUpdate());
+ assertEquals(nextUpdate, crl.getNextUpdate());
+ }
+
+ {
+ X509CRL crl = getCRL(f, CRL_RSA_DSA);
+ Map<String, Date> dates = getCrlDates(CRL_RSA_DSA_DATES);
+
+ Date lastUpdate = dates.get("lastUpdate");
+ Date nextUpdate = dates.get("nextUpdate");
+
+ assertNotNull(lastUpdate);
+ assertNotNull(nextUpdate);
+
+ assertEquals(lastUpdate, crl.getThisUpdate());
+ assertEquals(nextUpdate, crl.getNextUpdate());
+ }
+ }
+
+ private void getSigAlgName(CertificateFactory f) throws Exception {
+ X509CRL crlRsa = getCRL(f, CRL_RSA);
+
+ String actual = crlRsa.getSigAlgName().toUpperCase(Locale.US);
+
+ // Bouncycastle is broken
+ if ("BC".equals(f.getProvider().getName())) {
+ assertEquals("1.2.840.113549.1.1.5", actual);
+ } else {
+ assertEquals("SHA1WITHRSA", actual);
+ }
+ }
+
+ private void getSigAlgOID(CertificateFactory f) throws Exception {
+ X509CRL crlRsa = getCRL(f, CRL_RSA);
+
+ assertEquals("1.2.840.113549.1.1.5", crlRsa.getSigAlgOID());
+ }
+
+ private void getVersion(CertificateFactory f) throws Exception {
+ X509CRL crlRsa = getCRL(f, CRL_RSA);
+
+ assertEquals(1, crlRsa.getVersion());
+ }
+
+ private void hasUnsupportedCriticalExtension(CertificateFactory f) throws Exception {
+ X509CRL crlRsa = getCRL(f, CRL_RSA);
+ assertFalse(crlRsa.hasUnsupportedCriticalExtension());
+
+ X509CRL unsupportedCrl = getCRL(f, CRL_UNSUPPORTED);
+ assertTrue(unsupportedCrl.hasUnsupportedCriticalExtension());
+ }
+
+ private void getSignature(CertificateFactory f) throws Exception {
+ X509CRL crlRsa = getCRL(f, CRL_RSA);
+ byte[] expected = getResourceAsBytes(CRL_RSA_SIG);
+
+ assertEquals(Arrays.toString(expected), Arrays.toString(crlRsa.getSignature()));
+ }
+
+ private void getTBSCertList(CertificateFactory f) throws Exception {
+ X509CRL crlRsa = getCRL(f, CRL_RSA);
+ byte[] expected = getResourceAsBytes(CRL_RSA_TBS);
+
+ assertEquals(Arrays.toString(expected), Arrays.toString(crlRsa.getTBSCertList()));
+ }
+
+ private void getEncoded(CertificateFactory f) throws Exception {
+ X509CRL crlRsa = getCRL(f, CRL_RSA);
+
+ byte[] crlRsaBytes = getResourceAsBytes(CRL_RSA);
+
+ assertEquals(Arrays.toString(crlRsa.getEncoded()), Arrays.toString(crlRsaBytes));
+ }
+
+ private void assertRsaCrl(CertificateFactory f, X509CRLEntry rsaEntry) throws Exception {
+ X509Certificate rsaCert = getCertificate(f, CERT_RSA);
+ Map<String, Date> dates = getCrlDates(CRL_RSA_DSA_DATES);
+ Date expectedDate = dates.get("lastUpdate");
+
+ assertEquals(rsaCert.getSerialNumber(), rsaEntry.getSerialNumber());
+ assertEquals(expectedDate, rsaEntry.getRevocationDate());
+ assertNull(rsaEntry.getCertificateIssuer());
+ assertFalse(rsaEntry.hasExtensions());
+ assertNull(rsaEntry.getCriticalExtensionOIDs());
+ assertNull(rsaEntry.getNonCriticalExtensionOIDs());
+ }
+
+ private void assertDsaCrl(CertificateFactory f, X509CRLEntry dsaEntry) throws Exception {
+ X509Certificate dsaCert = getCertificate(f, CERT_DSA);
+ Map<String, Date> dates = getCrlDates(CRL_RSA_DSA_DATES);
+ Date expectedDate = dates.get("lastUpdate");
+
+ assertEquals(dsaCert.getSerialNumber(), dsaEntry.getSerialNumber());
+ assertEquals(expectedDate, dsaEntry.getRevocationDate());
+ assertNull(dsaEntry.getCertificateIssuer());
+ assertTrue(dsaEntry.hasExtensions());
+ /* TODO: get the OID */
+ assertNotNull(dsaEntry.getCriticalExtensionOIDs());
+ /* TODO: get the OID */
+ assertNotNull(dsaEntry.getNonCriticalExtensionOIDs());
+ }
+
+ private void getRevokedCertificates(CertificateFactory f) throws Exception {
+ X509CRL crlRsa = getCRL(f, CRL_RSA);
+ X509Certificate rsaCert = getCertificate(f, CERT_RSA);
+ X509Certificate dsaCert = getCertificate(f, CERT_DSA);
+
+ Set<? extends X509CRLEntry> entries = crlRsa.getRevokedCertificates();
+ assertEquals(1, entries.size());
+ for (X509CRLEntry e : entries) {
+ assertRsaCrl(f, e);
+ }
+
+ X509CRL crlRsaDsa = getCRL(f, CRL_RSA_DSA);
+ Set<? extends X509CRLEntry> entries2 = crlRsaDsa.getRevokedCertificates();
+ assertEquals(2, entries2.size());
+ assertRsaCrl(f, crlRsaDsa.getRevokedCertificate(rsaCert));
+ assertDsaCrl(f, crlRsaDsa.getRevokedCertificate(dsaCert));
+ }
+
+ private void test_toString(CertificateFactory f) throws Exception {
+ X509CRL crl1 = getCRL(f, CRL_RSA);
+ X509CRL crl2 = getCRL(f, CRL_RSA);
+
+ X509CRL crlRsaDsa = getCRL(f, CRL_RSA_DSA);
+
+ assertNotNull(crl1);
+
+ assertNotNull(crlRsaDsa);
+
+ assertEquals(crl1.toString(), crl2.toString());
+
+ assertFalse(crl1.toString().equals(crlRsaDsa.toString()));
+ }
+
+ private void test_equals(CertificateFactory f) throws Exception {
+ X509CRL crl1 = getCRL(f, CRL_RSA);
+ X509CRL crl2 = getCRL(f, CRL_RSA);
+ X509Certificate rsaCert = getCertificate(f, CERT_RSA);
+
+ X509CRL crlRsaDsa = getCRL(f, CRL_RSA_DSA);
+
+ assertEquals(crl1, crl2);
+ assertFalse(crl1.equals(crlRsaDsa));
+
+ X509CRLEntry entry1 = crl1.getRevokedCertificate(rsaCert);
+ assertNotNull(entry1);
+ X509CRLEntry entry2 = crl2.getRevokedCertificate(rsaCert);
+ assertNotNull(entry2);
+
+ assertEquals(entry1, entry2);
+ }
+
+ @Override
+ protected void setUp() throws Exception {
+ super.setUp();
+
+ mX509Providers = Security.getProviders("CertificateFactory.X509");
+ }
+}
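Review bot: Nothing in the list that `test_Provider` runs calls `X509CRL.verify(PublicKey)`, so these tests cover parsing and accessors only, and a provider that accepts a CRL with a bad signature would still pass. The issuer certificate is not available as a fixture either, because create.sh deletes `cacert.pem` after generating the CRLs; keeping it (for example as `x509/<ca-cert-fixture>.der`, a placeholder name) would allow a `verify(f)` helper asserting that `crlRsa.verify(caCert.getPublicKey())` succeeds and that verifying against the `cert-rsa.der` key, which presumably differs from the CA key, throws. Separately, `getCrlDates` builds its `SimpleDateFormat` with the default locale, so the English month names in the dates files fail to parse under a non-English default; `new SimpleDateFormat("MMM dd HH:mm:ss yyyy zzz", Locale.US)` fixes that with the already-imported `Locale`. `getResourceAsBytes` also sizes its buffer from `ris.available()`, which is not guaranteed to be the full resource length, and lacks the `assertNotNull` that `getCertificate` and `getCRL` have.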
diff --git a/support/src/test/java/tests/resources/x509/cert-alt-dirname.der b/support/src/test/java/tests/resources/x509/cert-alt-dirname.der
index ae2d2a8..69e4033 100644
--- a/support/src/test/java/tests/resources/x509/cert-alt-dirname.der
+++ b/support/src/test/java/tests/resources/x509/cert-alt-dirname.der
Binary files differ
diff --git a/support/src/test/java/tests/resources/x509/cert-alt-dns.der b/support/src/test/java/tests/resources/x509/cert-alt-dns.der
index 008ef31..d9b1e87 100644
--- a/support/src/test/java/tests/resources/x509/cert-alt-dns.der
+++ b/support/src/test/java/tests/resources/x509/cert-alt-dns.der
Binary files differ
diff --git a/support/src/test/java/tests/resources/x509/cert-alt-email.der b/support/src/test/java/tests/resources/x509/cert-alt-email.der
index 4b0189b..f10bc43 100644
--- a/support/src/test/java/tests/resources/x509/cert-alt-email.der
+++ b/support/src/test/java/tests/resources/x509/cert-alt-email.der
Binary files differ
diff --git a/support/src/test/java/tests/resources/x509/cert-alt-other.der b/support/src/test/java/tests/resources/x509/cert-alt-other.der
index 772d9e9..7a06ff7 100644
--- a/support/src/test/java/tests/resources/x509/cert-alt-other.der
+++ b/support/src/test/java/tests/resources/x509/cert-alt-other.der
Binary files differ
diff --git a/support/src/test/java/tests/resources/x509/cert-alt-rid.der b/support/src/test/java/tests/resources/x509/cert-alt-rid.der
index 8a1bf42..242a49d 100644
--- a/support/src/test/java/tests/resources/x509/cert-alt-rid.der
+++ b/support/src/test/java/tests/resources/x509/cert-alt-rid.der
Binary files differ
diff --git a/support/src/test/java/tests/resources/x509/cert-alt-uri.der b/support/src/test/java/tests/resources/x509/cert-alt-uri.der
index 262ffa8..5a9b882 100644
--- a/support/src/test/java/tests/resources/x509/cert-alt-uri.der
+++ b/support/src/test/java/tests/resources/x509/cert-alt-uri.der
Binary files differ
diff --git a/support/src/test/java/tests/resources/x509/cert-ca.der b/support/src/test/java/tests/resources/x509/cert-ca.der
index 8699071..7c787ea 100644
--- a/support/src/test/java/tests/resources/x509/cert-ca.der
+++ b/support/src/test/java/tests/resources/x509/cert-ca.der
Binary files differ
diff --git a/support/src/test/java/tests/resources/x509/cert-caWithPathLen.der b/support/src/test/java/tests/resources/x509/cert-caWithPathLen.der
index ac56314..2886091 100644
--- a/support/src/test/java/tests/resources/x509/cert-caWithPathLen.der
+++ b/support/src/test/java/tests/resources/x509/cert-caWithPathLen.der
Binary files differ
diff --git a/support/src/test/java/tests/resources/x509/cert-dsa.der b/support/src/test/java/tests/resources/x509/cert-dsa.der
index 9b5e62a..d17c4ce 100644
--- a/support/src/test/java/tests/resources/x509/cert-dsa.der
+++ b/support/src/test/java/tests/resources/x509/cert-dsa.der
Binary files differ
diff --git a/support/src/test/java/tests/resources/x509/cert-ec.der b/support/src/test/java/tests/resources/x509/cert-ec.der
index a683a5e..07bdf7a 100644
--- a/support/src/test/java/tests/resources/x509/cert-ec.der
+++ b/support/src/test/java/tests/resources/x509/cert-ec.der
Binary files differ
diff --git a/support/src/test/java/tests/resources/x509/cert-extendedKeyUsage.der b/support/src/test/java/tests/resources/x509/cert-extendedKeyUsage.der
index be2d20c..ac36013 100644
--- a/support/src/test/java/tests/resources/x509/cert-extendedKeyUsage.der
+++ b/support/src/test/java/tests/resources/x509/cert-extendedKeyUsage.der
Binary files differ
diff --git a/support/src/test/java/tests/resources/x509/cert-ipv6.der b/support/src/test/java/tests/resources/x509/cert-ipv6.der
index 4ee144a..11b440e 100644
--- a/support/src/test/java/tests/resources/x509/cert-ipv6.der
+++ b/support/src/test/java/tests/resources/x509/cert-ipv6.der
Binary files differ
diff --git a/support/src/test/java/tests/resources/x509/cert-keyUsage-extraLong.der b/support/src/test/java/tests/resources/x509/cert-keyUsage-extraLong.der
index 464799d..cf5e0f1 100644
--- a/support/src/test/java/tests/resources/x509/cert-keyUsage-extraLong.der
+++ b/support/src/test/java/tests/resources/x509/cert-keyUsage-extraLong.der
Binary files differ
diff --git a/support/src/test/java/tests/resources/x509/cert-rsa-dates.txt b/support/src/test/java/tests/resources/x509/cert-rsa-dates.txt
index 2bb7733..d661409 100644
--- a/support/src/test/java/tests/resources/x509/cert-rsa-dates.txt
+++ b/support/src/test/java/tests/resources/x509/cert-rsa-dates.txt
@@ -1,2 +1,2 @@
-notBefore=Dec 31 01:16:36 2012 GMT
-notAfter=Dec 29 01:16:36 2022 GMT
+notBefore=Jan 2 00:03:12 2013 GMT
+notAfter=Dec 31 00:03:12 2022 GMT
diff --git a/support/src/test/java/tests/resources/x509/cert-rsa-pubkey.der b/support/src/test/java/tests/resources/x509/cert-rsa-pubkey.der
index dec442f..ab9f3db 100644
--- a/support/src/test/java/tests/resources/x509/cert-rsa-pubkey.der
+++ b/support/src/test/java/tests/resources/x509/cert-rsa-pubkey.der
Binary files differ
diff --git a/support/src/test/java/tests/resources/x509/cert-rsa-serial.txt b/support/src/test/java/tests/resources/x509/cert-rsa-serial.txt
index c6f9585..ec3cebd 100644
--- a/support/src/test/java/tests/resources/x509/cert-rsa-serial.txt
+++ b/support/src/test/java/tests/resources/x509/cert-rsa-serial.txt
@@ -1 +1 @@
-serial=925D02E030B81D33
+serial=B96143E1D6F31E6F
diff --git a/support/src/test/java/tests/resources/x509/cert-rsa-sig.der b/support/src/test/java/tests/resources/x509/cert-rsa-sig.der
index 2b80ab0..62979ee 100644
--- a/support/src/test/java/tests/resources/x509/cert-rsa-sig.der
+++ b/support/src/test/java/tests/resources/x509/cert-rsa-sig.der
@@ -1,2 +1 @@
-fD\/o'r9#m [0n2'9 =^kS5K VILe6$:kOHyd:S=tMTlZK̉F(Q<`
-f) \ No newline at end of file
+ѴůKȁϏ(",/IL.1 ,xһTK$}xyii.OO M.m>˻VbJQ?ԥ@(>_xGMz% \ No newline at end of file
diff --git a/support/src/test/java/tests/resources/x509/cert-rsa-tbs.der b/support/src/test/java/tests/resources/x509/cert-rsa-tbs.der
index 6982699..5ec2858 100644
--- a/support/src/test/java/tests/resources/x509/cert-rsa-tbs.der
+++ b/support/src/test/java/tests/resources/x509/cert-rsa-tbs.der
Binary files differ
diff --git a/support/src/test/java/tests/resources/x509/cert-rsa.der b/support/src/test/java/tests/resources/x509/cert-rsa.der
index 5816ec3..23d7cc8 100644
--- a/support/src/test/java/tests/resources/x509/cert-rsa.der
+++ b/support/src/test/java/tests/resources/x509/cert-rsa.der
Binary files differ
diff --git a/support/src/test/java/tests/resources/x509/cert-unsupported.der b/support/src/test/java/tests/resources/x509/cert-unsupported.der
index 525d782..0239b68 100644
--- a/support/src/test/java/tests/resources/x509/cert-unsupported.der
+++ b/support/src/test/java/tests/resources/x509/cert-unsupported.der
Binary files differ
diff --git a/support/src/test/java/tests/resources/x509/cert-userWithPathLen.der b/support/src/test/java/tests/resources/x509/cert-userWithPathLen.der
index da64c51..c29c933 100644
--- a/support/src/test/java/tests/resources/x509/cert-userWithPathLen.der
+++ b/support/src/test/java/tests/resources/x509/cert-userWithPathLen.der
Binary files differ
diff --git a/support/src/test/java/tests/resources/x509/create.sh b/support/src/test/java/tests/resources/x509/create.sh
index 5e78620..d73fcf6 100755
--- a/support/src/test/java/tests/resources/x509/create.sh
+++ b/support/src/test/java/tests/resources/x509/create.sh
@@ -67,6 +67,38 @@ openssl ecparam -name sect283k1 -out ecparam.pem
openssl req -config ${DIR}/default.cnf -newkey ec:ecparam.pem -keyout ecpriv.pem -nodes -batch | openssl x509 -extfile ${DIR}/default.cnf -extensions keyUsage_critical_cert -req -signkey ecpriv.pem -outform d > cert-ec.der
rm -f ecparam.pem
+# Create temporary CA for CRL generation
+rm -rf /tmp/ca
+mkdir -p /tmp/ca
+touch /tmp/ca/index.txt
+touch /tmp/ca/index.txt.attr
+echo "01" > /tmp/ca/serial
+openssl req -new -nodes -batch -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650 -config default.cnf
+
+openssl x509 -inform d -in cert-rsa.der -out cert-rsa.pem
+openssl ca -revoke cert-rsa.pem -keyfile cakey.pem -cert cacert.pem -config default.cnf
+openssl ca -gencrl -crlhours 70 -keyfile cakey.pem -cert cacert.pem -out crl-rsa.pem -config default.cnf
+openssl crl -in crl-rsa.pem -outform d -out crl-rsa.der
+
+openssl asn1parse -in crl-rsa.der -inform d -out crl-rsa-tbs.der -noout -strparse 4
+SIG_OFFSET=$(openssl asn1parse -in crl-rsa.der -inform d | tail -1 | cut -f1 -d:)
+openssl asn1parse -in crl-rsa.der -inform d -strparse ${SIG_OFFSET} -noout -out crl-rsa-sig.der
+
+openssl x509 -inform d -in cert-dsa.der -out cert-dsa.pem
+openssl ca -revoke cert-dsa.pem -keyfile cakey.pem -cert cacert.pem -crl_reason cessationOfOperation -extensions unsupported_cert -config default.cnf
+openssl ca -gencrl -crldays 30 -keyfile cakey.pem -cert cacert.pem -out crl-rsa-dsa.pem -config default.cnf
+openssl crl -in crl-rsa-dsa.pem -outform d -out crl-rsa-dsa.der
+
+# Unsupported extensions
+openssl ca -gencrl -crlexts unsupported_cert -keyfile cakey.pem -cert cacert.pem -out crl-unsupported.pem -config default.cnf
+openssl crl -in crl-unsupported.pem -outform d -out crl-unsupported.der
+
+openssl crl -inform d -in crl-rsa.der -noout -lastupdate -nextupdate > crl-rsa-dates.txt
+openssl crl -inform d -in crl-rsa-dsa.der -noout -lastupdate -nextupdate > crl-rsa-dsa-dates.txt
+
+rm -f cert-rsa.pem cert-dsa.pem cacert.pem cakey.pem crl-rsa.pem crl-rsa-dsa.pem crl-unsupported.pem
+rm -rf /tmp/ca
+
rm -f privkey.pem
rm -f dsapriv.pem
rm -f ecpriv.pem
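Review bot: The CA scratch directory is the fixed path `/tmp/ca`, which the script removes with `rm -rf` and recreates in a world-writable location, so on a shared machine another user can pre-create it and influence `index.txt` and `serial`, and two concurrent runs clobber each other. A private directory from `export CA_DIR=$(mktemp -d)` with `dir = $ENV::CA_DIR` in default.cnf (whose `dir` line this commit also hard-codes to `/tmp/ca`) avoids both, and `trap 'rm -rf "$CA_DIR"' EXIT` would also clean up when an openssl step fails partway. The added commands pass `-config default.cnf` while the context line above uses `${DIR}/default.cnf`, so they appear to work only when run from the resource directory; `-config ${DIR}/default.cnf` would match the existing style. The rest of the script lies outside the hunk.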
diff --git a/support/src/test/java/tests/resources/x509/crl-rsa-dates.txt b/support/src/test/java/tests/resources/x509/crl-rsa-dates.txt
new file mode 100644
index 0000000..50e48f2
--- /dev/null
+++ b/support/src/test/java/tests/resources/x509/crl-rsa-dates.txt
@@ -0,0 +1,2 @@
+lastUpdate=Jan 2 00:03:13 2013 GMT
+nextUpdate=Jan 4 22:03:13 2013 GMT
diff --git a/support/src/test/java/tests/resources/x509/crl-rsa-dsa-dates.txt b/support/src/test/java/tests/resources/x509/crl-rsa-dsa-dates.txt
new file mode 100644
index 0000000..9976096
--- /dev/null
+++ b/support/src/test/java/tests/resources/x509/crl-rsa-dsa-dates.txt
@@ -0,0 +1,2 @@
+lastUpdate=Jan 2 00:03:13 2013 GMT
+nextUpdate=Feb 1 00:03:13 2013 GMT
diff --git a/support/src/test/java/tests/resources/x509/crl-rsa-dsa.der b/support/src/test/java/tests/resources/x509/crl-rsa-dsa.der
new file mode 100644
index 0000000..9282b30
--- /dev/null
+++ b/support/src/test/java/tests/resources/x509/crl-rsa-dsa.der
Binary files differ
diff --git a/support/src/test/java/tests/resources/x509/crl-rsa-sig.der b/support/src/test/java/tests/resources/x509/crl-rsa-sig.der
new file mode 100644
index 0000000..f6ebf4f
--- /dev/null
+++ b/support/src/test/java/tests/resources/x509/crl-rsa-sig.der
@@ -0,0 +1 @@
+:₀f֢:FGd f!591|qrIY1h- $<!a,˫y=qM)%:8-Y vwڊK{cp_"*6u"` \ No newline at end of file
diff --git a/support/src/test/java/tests/resources/x509/crl-rsa-tbs.der b/support/src/test/java/tests/resources/x509/crl-rsa-tbs.der
new file mode 100644
index 0000000..679427d
--- /dev/null
+++ b/support/src/test/java/tests/resources/x509/crl-rsa-tbs.der
Binary files differ
diff --git a/support/src/test/java/tests/resources/x509/crl-rsa.der b/support/src/test/java/tests/resources/x509/crl-rsa.der
new file mode 100644
index 0000000..994f1a8
--- /dev/null
+++ b/support/src/test/java/tests/resources/x509/crl-rsa.der
Binary files differ
diff --git a/support/src/test/java/tests/resources/x509/crl-unsupported.der b/support/src/test/java/tests/resources/x509/crl-unsupported.der
new file mode 100644
index 0000000..15eef95
--- /dev/null
+++ b/support/src/test/java/tests/resources/x509/crl-unsupported.der
Binary files differ
diff --git a/support/src/test/java/tests/resources/x509/default.cnf b/support/src/test/java/tests/resources/x509/default.cnf
index d4b4c80..d7c53c5 100644
--- a/support/src/test/java/tests/resources/x509/default.cnf
+++ b/support/src/test/java/tests/resources/x509/default.cnf
@@ -82,7 +82,7 @@ default_ca = CA_default # The default ca section
####################################################################
[ CA_default ]
-dir = /root/certificates # Where everything is kept
+dir = /tmp/ca # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
@@ -110,7 +110,7 @@ cert_opt = ca_default # Certificate field options
default_days = 365 # how long to certify for
default_crl_days= 30 # how long before next CRL
-default_md = md5 # which md to use.
+default_md = sha1 # which md to use.
preserve = no # keep passed DN ordering
policy = policy_anything
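Review bot: The move from `md5` to `sha1` at `default_md` is now pinned by X509CRLTest, whose `getSigAlgName` and `getSigAlgOID` helpers expect `SHA1WITHRSA` and `1.2.840.113549.1.1.5`, but nothing in the config says so. A comment such as `# sha1: fixture-only; X509CRLTest expects sha1WithRSAEncryption (1.2.840.113549.1.1.5)` would tell whoever regenerates the fixtures with a stronger digest that the Java expectations must change too, and that this file is not a template for a real CA. The `[ CA_default ]` section continues outside the hunk.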