[xmlsec] add crls support



commit 42c1c90a0261ae623a679e11a5ab4f2d844a128a
Author: Aleksey Sanin <aleksey aleksey com>
Date:   Mon May 24 19:04:43 2010 -0700

    add crls support

 include/xmlsec/gnutls/x509.h |   11 ++
 src/gnutls/x509.c            |  308 ++++++++++++++++++++++++++++++++++++++--
 src/gnutls/x509utils.c       |  321 +++++++++++++++++++++++++++++++++++++++++-
 src/gnutls/x509utils.h       |   34 +++++-
 src/gnutls/x509vfy.c         |   49 ++++++-
 tests/testDSig.sh            |   18 ++--
 6 files changed, 715 insertions(+), 26 deletions(-)
---
diff --git a/include/xmlsec/gnutls/x509.h b/include/xmlsec/gnutls/x509.h
index f18a864..c5c811a 100644
--- a/include/xmlsec/gnutls/x509.h
+++ b/include/xmlsec/gnutls/x509.h
@@ -37,14 +37,24 @@ extern "C" {
         xmlSecGnuTLSKeyDataX509GetKlass()
 XMLSEC_CRYPTO_EXPORT xmlSecKeyDataId    xmlSecGnuTLSKeyDataX509GetKlass         (void);
 
+
 XMLSEC_CRYPTO_EXPORT gnutls_x509_crt_t  xmlSecGnuTLSKeyDataX509GetKeyCert       (xmlSecKeyDataPtr data);
 XMLSEC_CRYPTO_EXPORT int                xmlSecGnuTLSKeyDataX509AdoptKeyCert     (xmlSecKeyDataPtr data,
                                                                                  gnutls_x509_crt_t cert);
+
 XMLSEC_CRYPTO_EXPORT int                xmlSecGnuTLSKeyDataX509AdoptCert        (xmlSecKeyDataPtr data,
                                                                                  gnutls_x509_crt_t cert);
 XMLSEC_CRYPTO_EXPORT gnutls_x509_crt_t  xmlSecGnuTLSKeyDataX509GetCert          (xmlSecKeyDataPtr data,
                                                                                  xmlSecSize pos);
 XMLSEC_CRYPTO_EXPORT xmlSecSize         xmlSecGnuTLSKeyDataX509GetCertsSize     (xmlSecKeyDataPtr data);
+
+XMLSEC_CRYPTO_EXPORT int                xmlSecGnuTLSKeyDataX509AdoptCrl         (xmlSecKeyDataPtr data,
+                                                                                 gnutls_x509_crl_t crl);
+XMLSEC_CRYPTO_EXPORT gnutls_x509_crl_t  xmlSecGnuTLSKeyDataX509GetCrl           (xmlSecKeyDataPtr data,
+                                                                                 xmlSecSize pos);
+XMLSEC_CRYPTO_EXPORT xmlSecSize         xmlSecGnuTLSKeyDataX509GetCrlsSize      (xmlSecKeyDataPtr data);
+
+
 XMLSEC_CRYPTO_EXPORT xmlSecKeyDataPtr   xmlSecGnuTLSX509CertGetKey              (gnutls_x509_crt_t cert);
 
 /**************************************************************************
@@ -82,6 +92,7 @@ XMLSEC_CRYPTO_EXPORT gnutls_x509_crt_t  xmlSecGnuTLSX509StoreFindCert   (const x
                                                                          const xmlSecKeyInfoCtx* keyInfoCtx);
 XMLSEC_CRYPTO_EXPORT gnutls_x509_crt_t  xmlSecGnuTLSX509StoreVerify     (xmlSecKeyDataStorePtr store,
                                                                          xmlSecPtrListPtr certs,
+                                                                         xmlSecPtrListPtr crls,
                                                                          const xmlSecKeyInfoCtx* keyInfoCtx);
 XMLSEC_CRYPTO_EXPORT int                xmlSecGnuTLSX509StoreAdoptCert  (xmlSecKeyDataStorePtr store,
                                                                          gnutls_x509_crt_t cert,
diff --git a/src/gnutls/x509.c b/src/gnutls/x509.c
index 71e4a50..52d46ab 100644
--- a/src/gnutls/x509.c
+++ b/src/gnutls/x509.c
@@ -69,6 +69,12 @@ static int              xmlSecGnuTLSX509SKINodeRead             (xmlSecKeyDataPt
 static int              xmlSecGnuTLSX509SKINodeWrite            (gnutls_x509_crt_t cert,
                                                                  xmlNodePtr node,
                                                                  xmlSecKeyInfoCtxPtr keyInfoCtx);
+static int              xmlSecGnuTLSX509CRLNodeRead             (xmlSecKeyDataPtr data,
+                                                                 xmlNodePtr node,
+                                                                 xmlSecKeyInfoCtxPtr keyInfoCtx);
+static int              xmlSecGnuTLSX509CRLNodeWrite            (gnutls_x509_crl_t crl,
+                                                                 xmlNodePtr node,
+                                                                 xmlSecKeyInfoCtxPtr keyInfoCtx);
 static int              xmlSecGnuTLSKeyDataX509VerifyAndExtractKey(xmlSecKeyDataPtr data,
                                                                  xmlSecKeyPtr key,
                                                                  xmlSecKeyInfoCtxPtr keyInfoCtx);
@@ -83,6 +89,7 @@ typedef struct _xmlSecGnuTLSX509DataCtx                         xmlSecGnuTLSX509
 struct _xmlSecGnuTLSX509DataCtx {
     gnutls_x509_crt_t   keyCert;
     xmlSecPtrList       certsList;
+    xmlSecPtrList       crlsList;
 };
 
 
@@ -374,6 +381,82 @@ xmlSecGnuTLSKeyDataX509GetCertsSize(xmlSecKeyDataPtr data) {
     return(xmlSecPtrListGetSize(&(ctx->certsList)));
 }
 
+/**
+ * xmlSecGnuTLSKeyDataX509AdoptCrl:
+ * @data:               the pointer to X509 key data.
+ * @crl:                the pointer to GnuTLS X509 crl.
+ *
+ * Adds crl to the X509 key data.
+ *
+ * Returns: 0 on success or a negative value if an error occurs.
+ */
+int
+xmlSecGnuTLSKeyDataX509AdoptCrl(xmlSecKeyDataPtr data, gnutls_x509_crl_t crl) {
+    xmlSecGnuTLSX509DataCtxPtr ctx;
+    int ret;
+
+    xmlSecAssert2(xmlSecKeyDataCheckId(data, xmlSecGnuTLSKeyDataX509Id), -1);
+    xmlSecAssert2(crl != NULL, -1);
+
+    ctx = xmlSecGnuTLSX509DataGetCtx(data);
+    xmlSecAssert2(ctx != NULL, -1);
+
+    ret = xmlSecPtrListAdd(&(ctx->crlsList), crl);
+    if(ret < 0) {
+        xmlSecError(XMLSEC_ERRORS_HERE,
+                    xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
+                    "xmlSecPtrListAdd",
+                    XMLSEC_ERRORS_R_XMLSEC_FAILED,
+                    XMLSEC_ERRORS_NO_MESSAGE);
+        return(-1);
+    }
+
+    return(0);
+}
+
+/**
+ * xmlSecGnuTLSKeyDataX509GetCrl:
+ * @data:               the pointer to X509 key data.
+ * @pos:                the desired crl position.
+ *
+ * Gets a crl from X509 key data.
+ *
+ * Returns: the pointer to crl or NULL if @pos is larger than the
+ * number of crls in @data or an error occurs.
+ */
+gnutls_x509_crl_t
+xmlSecGnuTLSKeyDataX509GetCrl(xmlSecKeyDataPtr data, xmlSecSize pos) {
+    xmlSecGnuTLSX509DataCtxPtr ctx;
+
+    xmlSecAssert2(xmlSecKeyDataCheckId(data, xmlSecGnuTLSKeyDataX509Id), NULL);
+
+    ctx = xmlSecGnuTLSX509DataGetCtx(data);
+    xmlSecAssert2(ctx != NULL, NULL);
+
+    return(xmlSecPtrListGetItem(&(ctx->crlsList), pos));
+}
+
+/**
+ * xmlSecGnuTLSKeyDataX509GetCrlsSize:
+ * @data:               the pointer to X509 key data.
+ *
+ * Gets the number of crls in @data.
+ *
+ * Returns: te number of crls in @data.
+ */
+xmlSecSize
+xmlSecGnuTLSKeyDataX509GetCrlsSize(xmlSecKeyDataPtr data) {
+    xmlSecGnuTLSX509DataCtxPtr ctx;
+
+    xmlSecAssert2(xmlSecKeyDataCheckId(data, xmlSecGnuTLSKeyDataX509Id), 0);
+
+    ctx = xmlSecGnuTLSX509DataGetCtx(data);
+    xmlSecAssert2(ctx != NULL, 0);
+
+    return(xmlSecPtrListGetSize(&(ctx->crlsList)));
+}
+
+
 static int
 xmlSecGnuTLSKeyDataX509Initialize(xmlSecKeyDataPtr data) {
     xmlSecGnuTLSX509DataCtxPtr ctx;
@@ -396,6 +479,16 @@ xmlSecGnuTLSKeyDataX509Initialize(xmlSecKeyDataPtr data) {
         return(-1);
     }
 
+    ret = xmlSecPtrListInitialize(&(ctx->crlsList), xmlSecGnuTLSX509CrlListId);
+    if(ret < 0) {
+        xmlSecError(XMLSEC_ERRORS_HERE,
+                    xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
+                    "xmlSecPtrListInitialize",
+                    XMLSEC_ERRORS_R_XMLSEC_FAILED,
+                    "crlsList");
+        return(-1);
+    }
+
     return(0);
 }
 
@@ -442,6 +535,17 @@ xmlSecGnuTLSKeyDataX509Duplicate(xmlSecKeyDataPtr dst, xmlSecKeyDataPtr src) {
         return(-1);
     }
 
+    /* copy crlsList if exists */
+    xmlSecPtrListEmpty(&(ctxDst->crlsList));
+    ret = xmlSecPtrListCopy(&(ctxDst->crlsList), &(ctxSrc->crlsList));
+    if(ret < 0) {
+        xmlSecError(XMLSEC_ERRORS_HERE,
+                    xmlSecErrorsSafeString(xmlSecKeyDataGetName(src)),
+                    "xmlSecPtrListCopy",
+                    XMLSEC_ERRORS_R_XMLSEC_FAILED,
+                    "crlsList");
+        return(-1);
+    }
     /* done */
     return(0);
 }
@@ -455,6 +559,7 @@ xmlSecGnuTLSKeyDataX509Finalize(xmlSecKeyDataPtr data) {
     ctx = xmlSecGnuTLSX509DataGetCtx(data);
     xmlSecAssert(ctx != NULL);
 
+    xmlSecPtrListFinalize(&(ctx->crlsList));
     xmlSecPtrListFinalize(&(ctx->certsList));
     if(ctx->keyCert != NULL) {
         gnutls_x509_crt_deinit(ctx->keyCert);
@@ -512,6 +617,7 @@ xmlSecGnuTLSKeyDataX509XmlWrite(xmlSecKeyDataId id, xmlSecKeyPtr key,
                                 xmlNodePtr node, xmlSecKeyInfoCtxPtr keyInfoCtx) {
     xmlSecKeyDataPtr data;
     gnutls_x509_crt_t cert;
+    gnutls_x509_crl_t crl;
     xmlSecSize size, pos;
     int content;
     int ret;
@@ -603,6 +709,33 @@ xmlSecGnuTLSKeyDataX509XmlWrite(xmlSecKeyDataId id, xmlSecKeyPtr key,
         }
     }
 
+    /* write crls if needed */
+    if((content & XMLSEC_X509DATA_CRL_NODE) != 0) {
+        size = xmlSecGnuTLSKeyDataX509GetCrlsSize(data);
+        for(pos = 0; pos < size; ++pos) {
+            crl = xmlSecGnuTLSKeyDataX509GetCrl(data, pos);
+            if(crl == NULL) {
+                xmlSecError(XMLSEC_ERRORS_HERE,
+                            xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
+                            "xmlSecGnuTLSKeyDataX509GetCrl",
+                            XMLSEC_ERRORS_R_XMLSEC_FAILED,
+                            "pos=%d", pos);
+                return(-1);
+            }
+
+            ret = xmlSecGnuTLSX509CRLNodeWrite(crl, node, keyInfoCtx);
+            if(ret < 0) {
+                xmlSecError(XMLSEC_ERRORS_HERE,
+                            xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
+                            "xmlSecGnuTLSX509CRLNodeWrite",
+                            XMLSEC_ERRORS_R_XMLSEC_FAILED,
+                            "pos=%d", pos);
+                return(-1);
+            }
+        }
+    }
+
+    /* done */
     return(0);
 }
 
@@ -625,21 +758,29 @@ xmlSecGnuTLSKeyDataX509GetIdentifier(xmlSecKeyDataPtr data) {
 
 static void
 xmlSecGnuTLSKeyDataX509DebugDump(xmlSecKeyDataPtr data, FILE* output) {
-    gnutls_x509_crt_t cert;
     xmlSecSize size, pos;
 
     xmlSecAssert(xmlSecKeyDataCheckId(data, xmlSecGnuTLSKeyDataX509Id));
     xmlSecAssert(output != NULL);
 
     fprintf(output, "=== X509 Data:\n");
-    cert = xmlSecGnuTLSKeyDataX509GetKeyCert(data);
-    if(cert != NULL) {
-        fprintf(output, "==== Key Certificate:\n");
-        xmlSecGnuTLSX509CertDebugDump(cert, output);
+
+    /* key cert */
+    {
+        gnutls_x509_crt_t cert;
+
+        cert = xmlSecGnuTLSKeyDataX509GetKeyCert(data);
+        if(cert != NULL) {
+            fprintf(output, "==== Key Certificate:\n");
+            xmlSecGnuTLSX509CertDebugDump(cert, output);
+        }
     }
 
+    /* other certs */
     size = xmlSecGnuTLSKeyDataX509GetCertsSize(data);
     for(pos = 0; pos < size; ++pos) {
+        gnutls_x509_crt_t cert;
+
         cert = xmlSecGnuTLSKeyDataX509GetCert(data, pos);
         if(cert == NULL) {
             xmlSecError(XMLSEC_ERRORS_HERE,
@@ -653,27 +794,51 @@ xmlSecGnuTLSKeyDataX509DebugDump(xmlSecKeyDataPtr data, FILE* output) {
         xmlSecGnuTLSX509CertDebugDump(cert, output);
     }
 
-    /* we don't print out crls */
+    /* crls */
+    size = xmlSecGnuTLSKeyDataX509GetCrlsSize(data);
+    for(pos = 0; pos < size; ++pos) {
+        gnutls_x509_crl_t crl;
+
+        crl = xmlSecGnuTLSKeyDataX509GetCrl(data, pos);
+        if(crl == NULL) {
+            xmlSecError(XMLSEC_ERRORS_HERE,
+                        xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
+                        "xmlSecGnuTLSKeyDataX509GetCrl",
+                        XMLSEC_ERRORS_R_XMLSEC_FAILED,
+                        "pos=%d", pos);
+            return;
+        }
+        fprintf(output, "==== Crl:\n");
+        xmlSecGnuTLSX509CrlDebugDump(crl, output);
+    }
 }
 
 static void
 xmlSecGnuTLSKeyDataX509DebugXmlDump(xmlSecKeyDataPtr data, FILE* output) {
-    gnutls_x509_crt_t cert;
     xmlSecSize size, pos;
 
     xmlSecAssert(xmlSecKeyDataCheckId(data, xmlSecGnuTLSKeyDataX509Id));
     xmlSecAssert(output != NULL);
 
     fprintf(output, "<X509Data>\n");
-    cert = xmlSecGnuTLSKeyDataX509GetKeyCert(data);
-    if(cert != NULL) {
-        fprintf(output, "<KeyCertificate>\n");
-        xmlSecGnuTLSX509CertDebugXmlDump(cert, output);
-        fprintf(output, "</KeyCertificate>\n");
+
+    /* key cert */
+    {
+        gnutls_x509_crt_t cert;
+
+        cert = xmlSecGnuTLSKeyDataX509GetKeyCert(data);
+        if(cert != NULL) {
+            fprintf(output, "<KeyCertificate>\n");
+            xmlSecGnuTLSX509CertDebugXmlDump(cert, output);
+            fprintf(output, "</KeyCertificate>\n");
+        }
     }
 
+    /* other certs */
     size = xmlSecGnuTLSKeyDataX509GetCertsSize(data);
     for(pos = 0; pos < size; ++pos) {
+        gnutls_x509_crt_t cert;
+
         cert = xmlSecGnuTLSKeyDataX509GetCert(data, pos);
         if(cert == NULL) {
             xmlSecError(XMLSEC_ERRORS_HERE,
@@ -688,6 +853,25 @@ xmlSecGnuTLSKeyDataX509DebugXmlDump(xmlSecKeyDataPtr data, FILE* output) {
         fprintf(output, "</Certificate>\n");
     }
 
+    /* other crls */
+    size = xmlSecGnuTLSKeyDataX509GetCrlsSize(data);
+    for(pos = 0; pos < size; ++pos) {
+        gnutls_x509_crl_t crl;
+
+        crl = xmlSecGnuTLSKeyDataX509GetCrl(data, pos);
+        if(crl == NULL) {
+            xmlSecError(XMLSEC_ERRORS_HERE,
+                        xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
+                        "xmlSecGnuTLSKeyDataX509GetCrl",
+                        XMLSEC_ERRORS_R_XMLSEC_FAILED,
+                        "pos=%d", pos);
+            return;
+        }
+        fprintf(output, "<CRL>\n");
+        xmlSecGnuTLSX509CrlDebugXmlDump(crl, output);
+        fprintf(output, "</CRL>\n");
+    }
+
     /* we don't print out crls */
     fprintf(output, "</X509Data>\n");
 }
@@ -714,6 +898,8 @@ xmlSecGnuTLSX509DataNodeRead(xmlSecKeyDataPtr data, xmlNodePtr node, xmlSecKeyIn
             ret = xmlSecGnuTLSX509IssuerSerialNodeRead(data, cur, keyInfoCtx);
         } else if(xmlSecCheckNodeName(cur, xmlSecNodeX509SKI, xmlSecDSigNs)) {
             ret = xmlSecGnuTLSX509SKINodeRead(data, cur, keyInfoCtx);
+        } else if(xmlSecCheckNodeName(cur, xmlSecNodeX509CRL, xmlSecDSigNs)) {
+            ret = xmlSecGnuTLSX509CRLNodeRead(data, cur, keyInfoCtx);
         } else if((keyInfoCtx->flags & XMLSEC_KEYINFO_FLAGS_X509DATA_STOP_ON_UNKNOWN_CHILD) != 0) {
             /* laxi schema validation: ignore unknown nodes */
             xmlSecError(XMLSEC_ERRORS_HERE,
@@ -828,6 +1014,8 @@ xmlSecGnuTLSX509CertificateNodeWrite(gnutls_x509_crt_t cert, xmlNodePtr node, xm
     return(0);
 }
 
+
+
 #define XMLSEC_GNUTLS_IS_SPACE(ch) \
     (((ch) == ' ') || ((ch) == '\r') || ((ch) == '\n'))
 
@@ -1322,6 +1510,100 @@ xmlSecGnuTLSX509SKINodeWrite(gnutls_x509_crt_t cert, xmlNodePtr node, xmlSecKeyI
 }
 
 static int
+xmlSecGnuTLSX509CRLNodeRead(xmlSecKeyDataPtr data, xmlNodePtr node, xmlSecKeyInfoCtxPtr keyInfoCtx) {
+    xmlChar *content;
+    gnutls_x509_crl_t crl;
+    int ret;
+
+    xmlSecAssert2(xmlSecKeyDataCheckId(data, xmlSecGnuTLSKeyDataX509Id), -1);
+    xmlSecAssert2(node != NULL, -1);
+    xmlSecAssert2(keyInfoCtx != NULL, -1);
+
+    content = xmlNodeGetContent(node);
+    if((content == NULL) || (xmlSecIsEmptyString(content) == 1)) {
+        if(content != NULL) {
+            xmlFree(content);
+        }
+        if((keyInfoCtx->flags & XMLSEC_KEYINFO_FLAGS_STOP_ON_EMPTY_NODE) != 0) {
+            xmlSecError(XMLSEC_ERRORS_HERE,
+                        xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
+                        xmlSecErrorsSafeString(xmlSecNodeGetName(node)),
+                        XMLSEC_ERRORS_R_INVALID_NODE_CONTENT,
+                        XMLSEC_ERRORS_NO_MESSAGE);
+            return(-1);
+        }
+        return(0);
+    }
+
+    crl = xmlSecGnuTLSX509CrlBase64DerRead(content);
+    if(crl == NULL) {
+        xmlSecError(XMLSEC_ERRORS_HERE,
+                    xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
+                    "xmlSecGnuTLSX509CrlBase64DerRead",
+                    XMLSEC_ERRORS_R_XMLSEC_FAILED,
+                    XMLSEC_ERRORS_NO_MESSAGE);
+        xmlFree(content);
+        return(-1);
+    }
+
+    ret = xmlSecGnuTLSKeyDataX509AdoptCrl(data, crl);
+    if(ret < 0) {
+        xmlSecError(XMLSEC_ERRORS_HERE,
+                    xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)),
+                    "xmlSecGnuTLSKeyDataX509AdoptCrl",
+                    XMLSEC_ERRORS_R_XMLSEC_FAILED,
+                    XMLSEC_ERRORS_NO_MESSAGE);
+        gnutls_x509_crl_deinit(crl);
+        xmlFree(content);
+        return(-1);
+    }
+
+    xmlFree(content);
+    return(0);
+}
+
+static int
+xmlSecGnuTLSX509CRLNodeWrite(gnutls_x509_crl_t crl, xmlNodePtr node, xmlSecKeyInfoCtxPtr keyInfoCtx) {
+    xmlChar* buf = NULL;
+    xmlNodePtr cur = NULL;
+
+    xmlSecAssert2(crl != NULL, -1);
+    xmlSecAssert2(node != NULL, -1);
+    xmlSecAssert2(keyInfoCtx != NULL, -1);
+
+    /* set base64 lines size from context */
+    buf = xmlSecGnuTLSX509CrlBase64DerWrite(crl, keyInfoCtx->base64LineSize);
+    if(buf == NULL) {
+        xmlSecError(XMLSEC_ERRORS_HERE,
+                    NULL,
+                    "xmlSecGnuTLSX509CrlBase64DerWrite",
+                    XMLSEC_ERRORS_R_XMLSEC_FAILED,
+                    XMLSEC_ERRORS_NO_MESSAGE);
+        return(-1);
+    }
+
+    cur = xmlSecAddChild(node, xmlSecNodeX509CRL, xmlSecDSigNs);
+    if(cur == NULL) {
+        xmlSecError(XMLSEC_ERRORS_HERE,
+                    NULL,
+                    "xmlSecAddChild",
+                    XMLSEC_ERRORS_R_XMLSEC_FAILED,
+                    "new_node=%s",
+                    xmlSecErrorsSafeString(xmlSecNodeX509CRL));
+        xmlFree(buf);
+        return(-1);
+    }
+    /* todo: add \n around base64 data - from context */
+    /* todo: add errors check */
+    xmlNodeSetContent(cur, xmlSecStringCR);
+    xmlNodeSetContent(cur, buf);
+    xmlFree(buf);
+
+    return(0);
+}
+
+
+static int
 xmlSecGnuTLSKeyDataX509VerifyAndExtractKey(xmlSecKeyDataPtr data, xmlSecKeyPtr key,
                                     xmlSecKeyInfoCtxPtr keyInfoCtx) {
     xmlSecGnuTLSX509DataCtxPtr ctx;
@@ -1349,7 +1631,7 @@ xmlSecGnuTLSKeyDataX509VerifyAndExtractKey(xmlSecKeyDataPtr data, xmlSecKeyPtr k
     if((ctx->keyCert == NULL) && (xmlSecPtrListGetSize(&(ctx->certsList)) > 0) && (xmlSecKeyGetValue(key) == NULL)) {
         gnutls_x509_crt_t cert;
 
-        cert = xmlSecGnuTLSX509StoreVerify(x509Store, &(ctx->certsList), keyInfoCtx);
+        cert = xmlSecGnuTLSX509StoreVerify(x509Store, &(ctx->certsList), &(ctx->crlsList), keyInfoCtx);
         if(cert != NULL) {
             xmlSecKeyDataPtr keyValue;
 
diff --git a/src/gnutls/x509utils.c b/src/gnutls/x509utils.c
index 6812e8a..0dc7000 100644
--- a/src/gnutls/x509utils.c
+++ b/src/gnutls/x509utils.c
@@ -100,9 +100,65 @@ xmlSecGnuTLSX509CrtListDebugXmlDumpItem(xmlSecPtr ptr, FILE* output) {
     xmlSecGnuTLSX509CertDebugXmlDump((gnutls_x509_crt_t)ptr, output);
 }
 
+/**************************************************************************
+ *
+ * X509 crl list
+ *
+ *****************************************************************************/
+static xmlSecPtr        xmlSecGnuTLSX509CrlListDuplicateItem    (xmlSecPtr ptr);
+static void             xmlSecGnuTLSX509CrlListDestroyItem      (xmlSecPtr ptr);
+static void             xmlSecGnuTLSX509CrlListDebugDumpItem    (xmlSecPtr ptr,
+                                                                 FILE* output);
+static void             xmlSecGnuTLSX509CrlListDebugXmlDumpItem (xmlSecPtr ptr,
+                                                                 FILE* output);
+
+static xmlSecPtrListKlass xmlSecGnuTLSX509CrlListKlass = {
+    BAD_CAST "gnutls-x509-crl-list",
+    xmlSecGnuTLSX509CrlListDuplicateItem,       /* xmlSecPtrDuplicateItemMethod duplicateItem; */
+    xmlSecGnuTLSX509CrlListDestroyItem,         /* xmlSecPtrDestroyItemMethod destroyItem; */
+    xmlSecGnuTLSX509CrlListDebugDumpItem,       /* xmlSecPtrDebugDumpItemMethod debugDumpItem; */
+    xmlSecGnuTLSX509CrlListDebugXmlDumpItem,    /* xmlSecPtrDebugDumpItemMethod debugXmlDumpItem; */
+};
+
+xmlSecPtrListId
+xmlSecGnuTLSX509CrlListGetKlass(void) {
+    return(&xmlSecGnuTLSX509CrlListKlass);
+}
+
+static xmlSecPtr
+xmlSecGnuTLSX509CrlListDuplicateItem(xmlSecPtr ptr) {
+    xmlSecAssert2(ptr != NULL, NULL);
+
+    return xmlSecGnuTLSX509CrlDup((gnutls_x509_crl_t)ptr);
+}
+
+static void
+xmlSecGnuTLSX509CrlListDestroyItem(xmlSecPtr ptr) {
+    xmlSecAssert(ptr != NULL);
+
+    gnutls_x509_crl_deinit((gnutls_x509_crl_t)ptr);
+}
+
+static void
+xmlSecGnuTLSX509CrlListDebugDumpItem(xmlSecPtr ptr, FILE* output) {
+    xmlSecAssert(ptr != NULL);
+    xmlSecAssert(output != NULL);
+
+    xmlSecGnuTLSX509CrlDebugDump((gnutls_x509_crl_t)ptr, output);
+}
+
+
+static void
+xmlSecGnuTLSX509CrlListDebugXmlDumpItem(xmlSecPtr ptr, FILE* output) {
+    xmlSecAssert(ptr != NULL);
+    xmlSecAssert(output != NULL);
+
+    xmlSecGnuTLSX509CrlDebugXmlDump((gnutls_x509_crl_t)ptr, output);
+}
+
 /*************************************************************************
  *
- * Utils/helpers
+ * x509 certs utils/helpers
  *
  ************************************************************************/
 
@@ -555,6 +611,266 @@ xmlSecGnuTLSX509CertDebugXmlDump(gnutls_x509_crt_t cert, FILE* output) {
     }
 }
 
+/*************************************************************************
+ *
+ * x509 crls utils/helpers
+ *
+ ************************************************************************/
+
+/* HACK: gnutls doesn't have crl duplicate function, so we simply 
+ write crl out and then read it back */
+gnutls_x509_crl_t
+xmlSecGnuTLSX509CrlDup(gnutls_x509_crl_t src) {
+    xmlChar * buf = NULL;
+    gnutls_x509_crl_t res = NULL;
+
+    xmlSecAssert2(src != NULL, NULL);
+
+    buf = xmlSecGnuTLSX509CrlBase64DerWrite(src, 0);
+    if(buf == NULL) {
+        xmlSecError(XMLSEC_ERRORS_HERE,
+                    NULL,
+                    "xmlSecGnuTLSX509CrlBase64DerWrite",
+                    XMLSEC_ERRORS_R_XMLSEC_FAILED,
+                    XMLSEC_ERRORS_NO_MESSAGE);
+        return (NULL);
+    }
+
+    res = xmlSecGnuTLSX509CrlBase64DerRead(buf);
+    if(res == NULL) {
+        xmlSecError(XMLSEC_ERRORS_HERE,
+                    NULL,
+                    "xmlSecGnuTLSX509CrlBase64DerRead",
+                    XMLSEC_ERRORS_R_XMLSEC_FAILED,
+                    XMLSEC_ERRORS_NO_MESSAGE);
+        xmlFree(buf);
+        return (NULL);
+    }
+
+    /* done */
+    xmlFree(buf);
+    return (res);
+}
+
+xmlChar *
+xmlSecGnuTLSX509CrlGetIssuerDN(gnutls_x509_crl_t crl) {
+    char* buf = NULL;
+    size_t bufSize = 0;
+    int err;
+
+    xmlSecAssert2(crl != NULL, NULL);
+
+    /* get issuer size */
+    err = gnutls_x509_crl_get_issuer_dn(crl, NULL, &bufSize);
+    if((err != GNUTLS_E_SHORT_MEMORY_BUFFER) || (bufSize <= 0)) {
+        xmlSecError(XMLSEC_ERRORS_HERE,
+                    NULL,
+                    "gnutls_x509_crl_get_issuer_dn",
+                    XMLSEC_ERRORS_R_CRYPTO_FAILED,
+                    XMLSEC_GNUTLS_REPORT_ERROR(err));
+        return(NULL);
+    }
+
+    /* allocate buffer */
+    buf = (char *)xmlMalloc(bufSize + 1);
+    if(buf == NULL) {
+        xmlSecError(XMLSEC_ERRORS_HERE,
+                    NULL,
+                    "xmlMalloc",
+                    XMLSEC_ERRORS_R_MALLOC_FAILED,
+                    "size=%d", (int)bufSize);
+        return(NULL);
+    }
+
+    /* finally write it out */
+    err = gnutls_x509_crl_get_issuer_dn(crl, buf, &bufSize);
+    if(err != GNUTLS_E_SUCCESS) {
+        xmlSecError(XMLSEC_ERRORS_HERE,
+                    NULL,
+                    "gnutls_x509_crl_get_issuer_dn",
+                    XMLSEC_ERRORS_R_CRYPTO_FAILED,
+                    XMLSEC_GNUTLS_REPORT_ERROR(err));
+        xmlFree(buf);
+        return(NULL);
+    }
+
+    /* done */
+    return(BAD_CAST buf);
+}
+
+gnutls_x509_crl_t
+xmlSecGnuTLSX509CrlBase64DerRead(xmlChar* buf) {
+    int ret;
+
+    xmlSecAssert2(buf != NULL, NULL);
+
+    /* usual trick with base64 decoding "in-place" */
+    ret = xmlSecBase64Decode(buf, (xmlSecByte*)buf, xmlStrlen(buf));
+    if(ret < 0) {
+        xmlSecError(XMLSEC_ERRORS_HERE,
+                    NULL,
+                    "xmlSecBase64Decode",
+                    XMLSEC_ERRORS_R_XMLSEC_FAILED,
+                    XMLSEC_ERRORS_NO_MESSAGE);
+        return(NULL);
+    }
+
+    return(xmlSecGnuTLSX509CrlRead((const xmlSecByte*)buf, ret, xmlSecKeyDataFormatCertDer));
+}
+
+gnutls_x509_crl_t
+xmlSecGnuTLSX509CrlRead(const xmlSecByte* buf, xmlSecSize size, xmlSecKeyDataFormat format) {
+    gnutls_x509_crl_t crl = NULL;
+    gnutls_x509_crt_fmt_t fmt;
+    gnutls_datum_t data;
+    int err;
+
+    xmlSecAssert2(buf != NULL, NULL);
+    xmlSecAssert2(size > 0, NULL);
+
+    /* figure out format */
+    switch(format) {
+    case xmlSecKeyDataFormatPem:
+    case xmlSecKeyDataFormatCertPem:
+        fmt = GNUTLS_X509_FMT_PEM;
+        break;
+    case xmlSecKeyDataFormatDer:
+    case xmlSecKeyDataFormatCertDer:
+        fmt = GNUTLS_X509_FMT_DER;
+        break;
+    default:
+        xmlSecError(XMLSEC_ERRORS_HERE,
+                    NULL,
+                    NULL,
+                    XMLSEC_ERRORS_R_INVALID_FORMAT,
+                    "format=%d", format);
+        return(NULL);
+    }
+
+    /* read crl */
+    err = gnutls_x509_crl_init(&crl);
+    if(err != GNUTLS_E_SUCCESS) {
+        xmlSecError(XMLSEC_ERRORS_HERE,
+                    NULL,
+                    "gnutls_x509_crl_init",
+                    XMLSEC_ERRORS_R_CRYPTO_FAILED,
+                    XMLSEC_GNUTLS_REPORT_ERROR(err));
+        return(NULL);
+    }
+
+    data.data = (unsigned char*)buf;
+    data.size = size;
+    err = gnutls_x509_crl_import(crl, &data, fmt);
+    if(err != GNUTLS_E_SUCCESS) {
+        xmlSecError(XMLSEC_ERRORS_HERE,
+                    NULL,
+                    "gnutls_x509_crl_import",
+                    XMLSEC_ERRORS_R_CRYPTO_FAILED,
+                    XMLSEC_GNUTLS_REPORT_ERROR(err));
+        gnutls_x509_crl_deinit(crl);
+        return(NULL);
+    }
+
+    return(crl);
+}
+
+xmlChar*
+xmlSecGnuTLSX509CrlBase64DerWrite(gnutls_x509_crl_t crl, int base64LineWrap) {
+    xmlChar * res = NULL;
+    xmlSecByte* buf = NULL;
+    size_t bufSize = 0;
+    int err;
+
+    xmlSecAssert2(crl != NULL, NULL);
+
+    /* get size */
+    err = gnutls_x509_crl_export(crl, GNUTLS_X509_FMT_DER, NULL, &bufSize);
+    if((err != GNUTLS_E_SHORT_MEMORY_BUFFER) || (bufSize <= 0)) {
+        xmlSecError(XMLSEC_ERRORS_HERE,
+                    NULL,
+                    "gnutls_x509_crl_export(GNUTLS_X509_FMT_DER)",
+                    XMLSEC_ERRORS_R_CRYPTO_FAILED,
+                    XMLSEC_GNUTLS_REPORT_ERROR(err));
+        return(NULL);
+    }
+
+    /* allocate buffer */
+    buf = (xmlSecByte *)xmlMalloc(bufSize + 1);
+    if(buf == NULL) {
+        xmlSecError(XMLSEC_ERRORS_HERE,
+                    NULL,
+                    "xmlMalloc",
+                    XMLSEC_ERRORS_R_MALLOC_FAILED,
+                    "size=%d", (int)bufSize);
+        return(NULL);
+    }
+
+    /* write it out */
+    err = gnutls_x509_crl_export(crl, GNUTLS_X509_FMT_DER, buf, &bufSize);
+    if(err != GNUTLS_E_SUCCESS) {
+        xmlSecError(XMLSEC_ERRORS_HERE,
+                    NULL,
+                    "gnutls_x509_crl_export(GNUTLS_X509_FMT_DER)",
+                    XMLSEC_ERRORS_R_CRYPTO_FAILED,
+                    XMLSEC_GNUTLS_REPORT_ERROR(err));
+        xmlFree(buf);
+        return(NULL);
+    }
+
+    /* convert to string */
+    res = xmlSecBase64Encode(buf, bufSize, base64LineWrap);
+    if(res == NULL) {
+        xmlSecError(XMLSEC_ERRORS_HERE,
+                    NULL,
+                    "xmlSecBase64Encode",
+                    XMLSEC_ERRORS_R_XMLSEC_FAILED,
+                    XMLSEC_ERRORS_NO_MESSAGE);
+        xmlFree(buf);
+        return(NULL);
+    }
+
+    /* done */
+    xmlFree(buf);
+    return(res);
+}
+
+void
+xmlSecGnuTLSX509CrlDebugDump(gnutls_x509_crl_t crl, FILE* output) {
+    xmlChar * buf;
+
+    xmlSecAssert(crl != NULL);
+    xmlSecAssert(output != NULL);
+
+    buf = xmlSecGnuTLSX509CrlGetIssuerDN(crl);
+    if(buf != NULL) {
+        fprintf(output, "==== Issuer Name: %s\n", buf);
+        xmlFree(buf);
+    } else {
+        fprintf(output, "==== Issuer Name: unknown\n");
+    }
+}
+
+void
+xmlSecGnuTLSX509CrlDebugXmlDump(gnutls_x509_crl_t crl, FILE* output) {
+    xmlChar * buf;
+
+    xmlSecAssert(crl != NULL);
+    xmlSecAssert(output != NULL);
+
+    buf = xmlSecGnuTLSX509CrlGetIssuerDN(crl);
+    if(buf != NULL) {
+        fprintf(output, "<IssuerName>%s</IssuerName>\n", buf);
+        xmlFree(buf);
+    } else {
+        fprintf(output, "<IssuerName>unknown</IssuerName>\n");
+    }
+}
+
+/*************************************************************************
+ *
+ * Misc. utils/helpers
+ *
+ ************************************************************************/
 xmlChar*
 xmlSecGnuTLSASN1IntegerWrite(const unsigned char * data, size_t len) {
     xmlChar *res = NULL;
@@ -1366,3 +1682,6 @@ done:
 
 
 #endif /* XMLSEC_NO_X509 */
+
+
+
diff --git a/src/gnutls/x509utils.h b/src/gnutls/x509utils.h
index e570e88..b939b24 100644
--- a/src/gnutls/x509utils.h
+++ b/src/gnutls/x509utils.h
@@ -31,10 +31,18 @@ extern "C" {
         xmlSecGnuTLSX509CrtListGetKlass()
 xmlSecPtrListId         xmlSecGnuTLSX509CrtListGetKlass         (void);
 
+/**************************************************************************
+ *
+ * X509 crls list
+ *
+ *****************************************************************************/
+#define xmlSecGnuTLSX509CrlListId   \
+        xmlSecGnuTLSX509CrlListGetKlass()
+xmlSecPtrListId         xmlSecGnuTLSX509CrlListGetKlass         (void);
 
 /*************************************************************************
  *
- * x509 utils/helpers
+ * x509 certs utils/helpers
  *
  ************************************************************************/
 gnutls_x509_crt_t       xmlSecGnuTLSX509CertDup                 (gnutls_x509_crt_t src);
@@ -52,6 +60,30 @@ void                    xmlSecGnuTLSX509CertDebugDump           (gnutls_x509_crt
                                                                  FILE* output);
 void                    xmlSecGnuTLSX509CertDebugXmlDump        (gnutls_x509_crt_t cert,
                                                                  FILE* output);
+
+/*************************************************************************
+ *
+ * x509 crls utils/helpers
+ *
+ ************************************************************************/
+gnutls_x509_crl_t       xmlSecGnuTLSX509CrlDup                  (gnutls_x509_crl_t src);
+xmlChar *               xmlSecGnuTLSX509CrLGetIssuerDN          (gnutls_x509_crl_t crl);
+gnutls_x509_crl_t       xmlSecGnuTLSX509CrlRead                 (const xmlSecByte* buf,
+                                                                 xmlSecSize size,
+                                                                 xmlSecKeyDataFormat format);
+gnutls_x509_crl_t       xmlSecGnuTLSX509CrlBase64DerRead        (xmlChar* buf);
+xmlChar*                xmlSecGnuTLSX509CrlBase64DerWrite       (gnutls_x509_crl_t crl,
+                                                                 int base64LineWrap);
+void                    xmlSecGnuTLSX509CrlDebugDump            (gnutls_x509_crl_t crl,
+                                                                 FILE* output);
+void                    xmlSecGnuTLSX509CrlDebugXmlDump         (gnutls_x509_crl_t crl,
+                                                                 FILE* output);
+
+/*************************************************************************
+ *
+ * Misc. utils/helpers
+ *
+ ************************************************************************/
 xmlChar*                xmlSecGnuTLSASN1IntegerWrite            (const unsigned char * data, 
                                                                  size_t len);
 
diff --git a/src/gnutls/x509vfy.c b/src/gnutls/x509vfy.c
index 27f83f0..fd15c5a 100644
--- a/src/gnutls/x509vfy.c
+++ b/src/gnutls/x509vfy.c
@@ -202,7 +202,8 @@ xmlSecGnuTLSX509CheckTime(const gnutls_x509_crt_t * cert_list,
 /**
  * xmlSecGnuTLSX509StoreVerify:
  * @store:              the pointer to X509 key data store klass.
- * @certs:              the untrusted certificates stack.
+ * @certs:              the untrusted certificates.
+ * @crls:               the crls.
  * @keyInfoCtx:         the pointer to <dsig:KeyInfo/> element processing context.
  *
  * Verifies @certs list.
@@ -212,12 +213,15 @@ xmlSecGnuTLSX509CheckTime(const gnutls_x509_crt_t * cert_list,
 gnutls_x509_crt_t
 xmlSecGnuTLSX509StoreVerify(xmlSecKeyDataStorePtr store,
                             xmlSecPtrListPtr certs,
+                            xmlSecPtrListPtr crls,
                             const xmlSecKeyInfoCtx* keyInfoCtx) {
     xmlSecGnuTLSX509StoreCtxPtr ctx;
     gnutls_x509_crt_t res = NULL;
     xmlSecSize certs_size = 0;
     gnutls_x509_crt_t * cert_list = NULL;
     xmlSecSize cert_list_length;
+    gnutls_x509_crl_t * crl_list = NULL;
+    xmlSecSize crl_list_length;
     gnutls_x509_crt_t * ca_list = NULL;
     xmlSecSize ca_list_length;
     time_t verification_time;
@@ -228,6 +232,7 @@ xmlSecGnuTLSX509StoreVerify(xmlSecKeyDataStorePtr store,
 
     xmlSecAssert2(xmlSecKeyDataStoreCheckId(store, xmlSecGnuTLSX509StoreId), NULL);
     xmlSecAssert2(certs != NULL, NULL);
+    xmlSecAssert2(crls != NULL, NULL);
     xmlSecAssert2(keyInfoCtx != NULL, NULL);
 
     certs_size = xmlSecPtrListGetSize(certs);
@@ -252,6 +257,30 @@ xmlSecGnuTLSX509StoreVerify(xmlSecKeyDataStorePtr store,
             goto done;
         }
     }
+    crl_list_length = xmlSecPtrListGetSize(crls);
+    if(crl_list_length > 0) {
+        crl_list = (gnutls_x509_crl_t *)xmlMalloc(sizeof(gnutls_x509_crl_t) * crl_list_length);
+        if(crl_list == NULL) {
+            xmlSecError(XMLSEC_ERRORS_HERE,
+                        xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)),
+                        "xmlMalloc",
+                        XMLSEC_ERRORS_R_MALLOC_FAILED,
+                        "size=%d", (int)(sizeof(gnutls_x509_crl_t) * crl_list_length));
+            goto done;
+        }
+        for(ii = 0; ii < crl_list_length; ++ii) {
+            crl_list[ii] = xmlSecPtrListGetItem(crls, ii);
+            if(crl_list[ii] == NULL) {
+                xmlSecError(XMLSEC_ERRORS_HERE,
+                            xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)),
+                            "xmlSecPtrListGetItem(crls)",
+                            XMLSEC_ERRORS_R_XMLSEC_FAILED,
+                            XMLSEC_ERRORS_NO_MESSAGE);
+                goto done;
+            }
+        }
+    }
+
     ca_list_length = xmlSecPtrListGetSize(&(ctx->certsTrusted));
     if(ca_list_length > 0) {
         ca_list = (gnutls_x509_crt_t *)xmlMalloc(sizeof(gnutls_x509_crt_t) * ca_list_length);
@@ -283,6 +312,11 @@ xmlSecGnuTLSX509StoreVerify(xmlSecKeyDataStorePtr store,
                         time(0);
     flags |= GNUTLS_VERIFY_DISABLE_TIME_CHECKS;
 
+    if((keyInfoCtx->flags & XMLSEC_KEYINFO_FLAGS_X509DATA_SKIP_STRICT_CHECKS) != 0) {
+        flags |= GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD2;
+        flags |= GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5;
+    }
+
     /* We are going to build all possible cert chains and try to verify them */
     for(ii = 0; (ii < certs_size) && (res == NULL); ++ii) {
         gnutls_x509_crt_t cert, cert2;
@@ -326,7 +360,7 @@ xmlSecGnuTLSX509StoreVerify(xmlSecKeyDataStorePtr store,
         err = gnutls_x509_crt_list_verify(
                 cert_list, (int)cert_list_cur_length, /* certs chain */
                 ca_list, (int)ca_list_length, /* trusted cas */
-                NULL, 0, /* crls */
+                crl_list, (int)crl_list_length, /* crls */
                 flags, /* flags */
                 &verify);
         if(err != GNUTLS_E_SUCCESS) {
@@ -337,6 +371,14 @@ xmlSecGnuTLSX509StoreVerify(xmlSecKeyDataStorePtr store,
                         XMLSEC_GNUTLS_REPORT_ERROR(err));
             /* don't stop, continue! */
             continue;
+        } else if(verify != 0){
+            xmlSecError(XMLSEC_ERRORS_HERE,
+                        NULL,
+                        "gnutls_x509_crt_list_verify",
+                        XMLSEC_ERRORS_R_CRYPTO_FAILED,
+                        "Verification failed: verify=%u", verify);
+            /* don't stop, continue! */
+            continue;
         }
 
         /* gnutls doesn't allow to specify "verification" timestamp so
@@ -361,6 +403,9 @@ done:
     if(ca_list != NULL) {
         xmlFree(ca_list);
     }
+    if(crl_list != NULL) {
+        xmlFree(crl_list);
+    }
     if(cert_list != NULL) {
         xmlFree(cert_list);
     }
diff --git a/tests/testDSig.sh b/tests/testDSig.sh
index 0e8707b..2af870a 100755
--- a/tests/testDSig.sh
+++ b/tests/testDSig.sh
@@ -689,63 +689,63 @@ execDSigTest $res_success \
     "signature-rsa-detached-b64-transform" \
     "base64 sha1 rsa-sha1" \
     "rsa x509" \
-    "--trusted-$cert_format certs/rsa-ca-cert.$cert_format"
+    "--trusted-$cert_format certs/rsa-ca-cert.$cert_format --X509-skip-strict-checks"
 
 execDSigTest $res_success \
     "phaos-xmldsig-three" \
     "signature-rsa-detached" \
     "sha1 rsa-sha1" \
     "rsa x509" \
-    "--trusted-$cert_format certs/rsa-ca-cert.$cert_format"
+    "--trusted-$cert_format certs/rsa-ca-cert.$cert_format --X509-skip-strict-checks"
 
 execDSigTest $res_success \
     "phaos-xmldsig-three" \
     "signature-rsa-detached-xpath-transform" \
     "xpath sha1 rsa-sha1" \
     "rsa x509" \
-    "--trusted-$cert_format certs/rsa-ca-cert.$cert_format"
+    "--trusted-$cert_format certs/rsa-ca-cert.$cert_format --X509-skip-strict-checks"
 
 execDSigTest $res_success \
     "phaos-xmldsig-three" \
     "signature-rsa-detached-xslt-transform-retrieval-method" \
     "xslt sha1 rsa-sha1" \
     "rsa x509" \
-    "--trusted-$cert_format certs/rsa-ca-cert.$cert_format"
+    "--trusted-$cert_format certs/rsa-ca-cert.$cert_format --X509-skip-strict-checks"
 
 execDSigTest $res_success \
     "phaos-xmldsig-three" \
     "signature-rsa-detached-xslt-transform" \
     "xslt sha1 rsa-sha1" \
     "rsa x509" \
-    "--trusted-$cert_format certs/rsa-ca-cert.$cert_format"
+    "--trusted-$cert_format certs/rsa-ca-cert.$cert_format --X509-skip-strict-checks"
 
 execDSigTest $res_success \
     "phaos-xmldsig-three" \
     "signature-rsa-enveloped" \
     "enveloped-signature sha1 rsa-sha1" \
     "rsa x509" \
-    "--trusted-$cert_format certs/rsa-ca-cert.$cert_format"
+    "--trusted-$cert_format certs/rsa-ca-cert.$cert_format --X509-skip-strict-checks"
 
 execDSigTest $res_success \
     "phaos-xmldsig-three" \
     "signature-rsa-enveloping" \
     "sha1 rsa-sha1" \
     "rsa x509" \
-    "--trusted-$cert_format certs/rsa-ca-cert.$cert_format"
+    "--trusted-$cert_format certs/rsa-ca-cert.$cert_format --X509-skip-strict-checks"
 
 execDSigTest $res_success \
     "phaos-xmldsig-three" \
     "signature-rsa-manifest-x509-data-cert-chain" \
     "sha1 rsa-sha1" \
     "rsa x509" \
-    "--trusted-$cert_format certs/rsa-ca-cert.$cert_format"
+    "--trusted-$cert_format certs/rsa-ca-cert.$cert_format --X509-skip-strict-checks"
 
 execDSigTest $res_success \
     "phaos-xmldsig-three" \
     "signature-rsa-manifest-x509-data-cert" \
     "sha1 rsa-sha1" \
     "rsa x509" \
-    "--trusted-$cert_format certs/rsa-ca-cert.$cert_format"
+    "--trusted-$cert_format certs/rsa-ca-cert.$cert_format --X509-skip-strict-checks"
 
 execDSigTest $res_success \
     "phaos-xmldsig-three" \



[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]