SCS-CBU-CED-IAM / mobileid

Mobile ID Sample Scripts
http://mobile-id.ch

Add revocation check over CRL to mobileid-sign.sh #56

Closed FreddyKaiser closed 10 years ago

FreddyKaiser commented 10 years ago

Besides revocation checks over OCSP, add a check over CRL.

FreddyKaiser commented 10 years ago

http://www.openssl.org/docs/apps/verify.html

openssl verify -crl_check_all ...

FreddyKaiser commented 10 years ago

Test with newly issued Mobile ID on PrePROD:

./mobileid-sign.sh -v -d +41795402637 "Hello" en
#MSS_Signature OK with following details and checks:
 1) Transaction ID : AP.TEST.33613.6615 -> same as in request
    MSSP TransID   : hveaq
 2) Signed by      : +41795402637 -> same as in request
 3) Signer         : subject= serialNumber=MIDCHEP1YYDBMA59,CN=MIDCHEP1YYDBMA59:PN,C=CH
                     issuer= C=ch,O=Swisscom,OU=Digital Certificate Services,CN=Swisscom TEST Rubin CA 3
                     validity= notBefore=Mar 12 08:14:45 2014 GMT notAfter=Mar 11 08:14:45 2017 GMT
                     CRL check= OK
                     OCSP check= good
 4) Signed Data    : Hello -> Decode and verify: success and same as in request
 5) Status code    : 500 with exit 0
    Status details : SIGNATURE

Test with certificate revoked at PrePROD SDCS:

#MSS_Signature OK with following details and checks:
 1) Transaction ID : AP.TEST.34845.7847 -> same as in request
    MSSP TransID   : hvebk
 2) Signed by      : +41795402637 -> same as in request
 3) Signer         : subject= serialNumber=MIDCHEP1YYDBMA59,CN=MIDCHEP1YYDBMA59:PN,C=CH
                     issuer= C=ch,O=Swisscom,OU=Digital Certificate Services,CN=Swisscom TEST Rubin CA 3
                     validity= notBefore=Mar 12 08:14:45 2014 GMT notAfter=Mar 11 08:14:45 2017 GMT
                     CRL check= revoked
                     OCSP check= revoked
 4) Signed Data    : Hello -> Decode and verify: success and same as in request
 5) Status code    : 500 with exit 1
    Status details : SIGNATURE
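
The CRL check discussed in this issue, as an added example that is not part of the thread or of mobileid-sign.sh: a throwaway CA issues one certificate, and `openssl verify` is run against the CRL before and after revocation. All names, files and the helpers `crl_status` and `make_demo_pki` are constructed for this demo. It uses `-crl_check`, which checks only the signer certificate; `-crl_check_all` from the comment above checks every certificate in the chain and needs a CRL for each issuing CA.

```shell
#!/bin/sh
# Added example; every name and file below is constructed for the demo.
# crl_status CA_PEM CRL_PEM CERT_PEM -> prints OK, revoked or failed
crl_status() {
  if out=$(openssl verify -crl_check -CAfile "$1" -CRLfile "$2" "$3" 2>&1); then
    echo "OK"
  elif printf '%s\n' "$out" | grep -q 'certificate revoked'; then
    echo "revoked"
  else
    echo "failed"   # CRL missing, expired or unreadable: fail closed
  fi
}
# make_demo_pki DIR: throwaway CA, one leaf, CRLs before and after revocation
make_demo_pki() (
  mkdir -p "$1/certs" && cd "$1" && : > index.txt && echo 01 > serial &&
  cat > ca.cnf <<'EOF' &&
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Constructed Demo CA
[v3_ca]
basicConstraints = critical,CA:TRUE
[ca]
default_ca = demo
[demo]
database = index.txt
serial = serial
new_certs_dir = certs
certificate = ca.pem
private_key = ca.key
default_md = sha256
default_days = 30
default_crl_days = 30
policy = pol
[pol]
commonName = supplied
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -config ca.cnf -days 30 -keyout ca.key -out ca.pem &&
  openssl req -new -newkey rsa:2048 -nodes -config ca.cnf -subj "/CN=Constructed Signer" -keyout leaf.key -out leaf.csr &&
  openssl ca -batch -notext -config ca.cnf -in leaf.csr -out leaf.pem &&
  openssl ca -config ca.cnf -gencrl -out crl-before.pem &&
  openssl ca -config ca.cnf -revoke leaf.pem &&
  openssl ca -config ca.cnf -gencrl -out crl-after.pem
) >/dev/null 2>&1
d=$(mktemp -d) && make_demo_pki "$d" || exit 1   # stand-alone demo run
echo "CRL check= $(crl_status "$d/ca.pem" "$d/crl-before.pem" "$d/leaf.pem")"
echo "CRL check= $(crl_status "$d/ca.pem" "$d/crl-after.pem" "$d/leaf.pem")"
```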