NICMx / FORT-validator

RPKI cache validator
MIT License

ROAs, MFTs and CAs created with revoked certs are valid #11

Closed TheRedTrainer closed 5 years ago

TheRedTrainer commented 5 years ago

If an issuer revokes a CA or an EE cert from a repository, the corresponding CAs, ROAs and MFTs are processed as valid ones. According to RFC 6487, these CAs, ROAs and MFTs from a revoked cert should be ignored:

Certificate validation entails verifying that all of the following conditions hold, in addition to the certification path validation criteria specified in Section 6 of [RFC5280]: ...

  1. The issuer has not revoked the certificate. A revoked certificate is identified by the certificate's serial number being listed on the issuer's current CRL, as identified by the CRLDP of the certificate, the CRL is itself valid, and the public key used to verify the signature on the CRL is the same public key used to verify the certificate itself. ...
pcarana commented 5 years ago

Fixed at fb30fcc. An OpenSSL function was being used (X509_STORE_CTX_set0_crls) but not in the right way; this function still needs some flags (X509_V_FLAG_CRL_CHECK) sent as parameters to use the CRLs that were set.

That option was the first one to use, but some other errors happened; so instead of that the validation is done "manually" (look for the serial number of the certificate in the corresponding CRL).
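
The "manual" check described above, written out as an added example that is not FORT's own code: it follows the RFC 6487 condition quoted in the issue (serial listed on a CRL that is itself current and whose signature verifies with the same public key that verified the certificate). It uses the Python `cryptography` package instead of OpenSSL's C API, and the CA, EE certificates, CRLs and timeline are all constructed in the block; the `check_revocation`, `make_*` and `demo` names are hypothetical and the certificates are plain X.509, not RPKI-profile complete.

```python
"""Manual CRL revocation check in the RFC 6487 sense: the serial must be on a
CRL that is itself valid and signed by the key that also verified the cert."""
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# Constructed test timeline (naive datetimes are treated as UTC by the builders).
T0 = datetime.datetime(2024, 1, 1)
T1 = datetime.datetime(2025, 1, 1)
NOW = datetime.datetime(2024, 6, 1, tzinfo=datetime.timezone.utc)


def make_ca(common_name):
    """Self-signed test CA (hypothetical, not an RPKI-profile certificate)."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    cert = (
        x509.CertificateBuilder()
        .subject_name(name).issuer_name(name)
        .public_key(key.public_key()).serial_number(1)
        .not_valid_before(T0).not_valid_after(T1)
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .sign(key, hashes.SHA256())
    )
    return key, cert


def make_ee(ca_key, ca_cert, serial):
    """End-entity cert, standing in for the EE cert embedded in a ROA or MFT."""
    key = ec.generate_private_key(ec.SECP256R1())
    return (
        x509.CertificateBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, f"ee-{serial}")]))
        .issuer_name(ca_cert.subject)
        .public_key(key.public_key()).serial_number(serial)
        .not_valid_before(T0).not_valid_after(T1)
        .sign(ca_key, hashes.SHA256())
    )


def make_crl(signing_key, issuer_cert, revoked_serials):
    """CRL naming issuer_cert as issuer; signing_key may deliberately differ."""
    builder = (
        x509.CertificateRevocationListBuilder()
        .issuer_name(issuer_cert.subject)
        .last_update(T0).next_update(T1)
    )
    for s in revoked_serials:
        builder = builder.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(s).revocation_date(T0).build()
        )
    return builder.sign(signing_key, hashes.SHA256())


def _crl_window(crl):
    """thisUpdate/nextUpdate as aware UTC datetimes across cryptography versions."""
    if hasattr(crl, "last_update_utc"):
        return crl.last_update_utc, crl.next_update_utc
    utc = datetime.timezone.utc
    return crl.last_update.replace(tzinfo=utc), crl.next_update.replace(tzinfo=utc)


def check_revocation(cert, crl, issuer_cert, now=NOW):
    """Return 'revoked', 'ok', or the reason the CRL could not be relied on."""
    issuer_key = issuer_cert.public_key()
    # The key that verifies the certificate ...
    try:
        issuer_key.verify(cert.signature, cert.tbs_certificate_bytes,
                          ec.ECDSA(cert.signature_hash_algorithm))
    except InvalidSignature:
        return "cert signature invalid"
    # ... must also be the key that verifies the CRL; a CRL signed by any
    # other key carries no authority over this issuer's serial numbers.
    if not crl.is_signature_valid(issuer_key):
        return "crl signature invalid"
    last, nxt = _crl_window(crl)
    if not (last <= now <= nxt):
        return "crl not current"
    # Only a signed, current CRL makes the serial lookup meaningful.
    if crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:
        return "revoked"
    return "ok"


def demo():
    """Constructed scenarios: revoked EE, valid EE, wrong-key CRL, stale CRL."""
    ca_key, ca_cert = make_ca("test-ca")
    revoked_ee = make_ee(ca_key, ca_cert, 1234)
    good_ee = make_ee(ca_key, ca_cert, 5678)
    crl = make_crl(ca_key, ca_cert, [1234])
    rogue_key, _ = make_ca("rogue")
    rogue_crl = make_crl(rogue_key, ca_cert, [5678])
    later = datetime.datetime(2026, 1, 1, tzinfo=datetime.timezone.utc)
    return {
        "revoked_ee": check_revocation(revoked_ee, crl, ca_cert),
        "good_ee": check_revocation(good_ee, crl, ca_cert),
        "rogue_crl": check_revocation(good_ee, rogue_crl, ca_cert),
        "stale_crl": check_revocation(good_ee, crl, ca_cert, now=later),
    }


if __name__ == "__main__":
    print(demo())
```

The order of the checks matters: a validator that skips straight to the serial lookup would also accept a CRL signed by an unrelated key or one that has expired, which is why the key match and the validity window are tested before the serial is consulted.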

TheRedTrainer commented 5 years ago

Verified. If any element from the repository (CA cert, ROA, MFT, GBR) was revoked by its CA, the element is not considered by the repository validation, throwing the following error:

ERR: rsync://localhost/repository/testnic-mft.mft: Certificate validation failed: certificate revoked