Certificate revocation support is almost complete.

3 files changed, 422 insertions, 10 deletions

diff --git a/tests/test20.pem b/tests/test20.pem
new file mode 100644
index 0000000000..957832d1e9
--- /dev/null
+++ b/tests/test20.pem
@@ -0,0 +1,192 @@
+[ The intermediate certificate has been revoked ]
+
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 40 (0x28)
+        Signature Algorithm: sha1WithRSAEncryption
+        Issuer: C=US, O=U.S. Government, OU=Dod, OU=Testing, CN=CA1-CP.06.01
+        Validity
+            Not Before: Jan  1 12:01:00 1998 GMT
+            Not After : Jan  1 12:01:00 2048 GMT
+        Subject: C=US, O=U.S. Government, OU=DoD, OU=Testing, CN=User1-CP.06.01
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+            RSA Public Key: (1024 bit)
+                Modulus (1024 bit):
+                    00:e8:7b:95:4c:0c:45:eb:7b:b7:f0:01:23:a9:a8:
+                    db:b0:ac:9d:1c:d0:eb:85:f1:ed:fd:5d:ab:1a:c9:
+                    36:eb:92:46:c9:55:4a:16:96:9f:08:86:1e:37:3e:
+                    e7:f4:d2:ed:4a:df:8f:d5:4e:d1:db:1e:04:2c:cf:
+                    b3:26:05:a0:85:f5:ab:b4:39:ce:50:2b:c3:2d:b8:
+                    aa:95:d3:18:c9:a5:a4:41:81:cb:38:bb:8e:45:ce:
+                    f3:0e:7e:c2:a8:77:fb:c4:45:ad:04:33:af:bd:73:
+                    2e:d0:15:57:fa:8f:53:29:5e:b8:5f:0c:f2:3c:e4:
+                    c1:f3:ef:6b:0b:a7:9b:07:4b
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Key Usage: critical
+                Digital Signature, Non Repudiation, Key Encipherment
+            X509v3 Certificate Policies: 
+                Policy: 2.16.840.1.101.3.1.48.1
+
+            X509v3 Subject Key Identifier: 
+                6B:20:B4:3C:F5:3D:CF:2B
+            X509v3 Authority Key Identifier: 
+                keyid:08:80:26:97:3E:BE:09:CD
+
+    Signature Algorithm: sha1WithRSAEncryption
+        3f:3e:db:52:f6:84:57:b3:32:8e:17:bc:2c:93:bf:b2:88:fc:
+        e1:7e:f5:ae:f5:4f:b4:13:eb:85:88:d6:4c:9e:a9:eb:d1:82:
+        7c:94:72:86:8d:ef:01:42:2d:f1:11:5a:97:51:85:6f:bd:9c:
+        e3:90:d0:1a:47:15:cc:b2:c9:c3:c7:03:3f:76:a3:b5:66:9c:
+        e4:76:7d:74:d3:c9:91:6f:8a:87:5d:a5:f6:0a:a3:9f:4e:b5:
+        5c:08:d0:e1:79:db:6f:04:03:60:2b:97:86:0b:8f:13:db:f7:
+        93:30:db:8a:6c:15:c0:81:0e:07:fe:12:01:15:f7:ef:2e:d3:
+        51:69
+-----BEGIN CERTIFICATE-----
+MIIChjCCAe+gAwIBAgIBKDANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEY
+MBYGA1UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsT
+B1Rlc3RpbmcxFTATBgNVBAMTDENBMS1DUC4wNi4wMTAeFw05ODAxMDExMjAxMDBa
+Fw00ODAxMDExMjAxMDBaMGAxCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9VLlMuIEdv
+dmVybm1lbnQxDDAKBgNVBAsTA0RvRDEQMA4GA1UECxMHVGVzdGluZzEXMBUGA1UE
+AxMOVXNlcjEtQ1AuMDYuMDEwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAOh7
+lUwMRet7t/ABI6mo27CsnRzQ64Xx7f1dqxrJNuuSRslVShaWnwiGHjc+5/TS7Urf
+j9VO0dseBCzPsyYFoIX1q7Q5zlArwy24qpXTGMmlpEGByzi7jkXO8w5+wqh3+8RF
+rQQzr71zLtAVV/qPUyleuF8M8jzkwfPvawunmwdLAgMBAAGjUjBQMA4GA1UdDwEB
+/wQEAwIF4DAWBgNVHSAEDzANMAsGCWCGSAFlAwEwATARBgNVHQ4ECgQIayC0PPU9
+zyswEwYDVR0jBAwwCoAICIAmlz6+Cc0wDQYJKoZIhvcNAQEFBQADgYEAPz7bUvaE
+V7Myjhe8LJO/soj84X71rvVPtBPrhYjWTJ6p69GCfJRyho3vAUIt8RFal1GFb72c
+45DQGkcVzLLJw8cDP3ajtWac5HZ9dNPJkW+Kh12l9gqjn061XAjQ4XnbbwQDYCuX
+hguPE9v3kzDbimwVwIEOB/4SARX37y7TUWk=
+-----END CERTIFICATE-----
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 39 (0x27)
+        Signature Algorithm: sha1WithRSAEncryption
+        Issuer: C=US, O=U.S. Government, OU=DoD, OU=Testing, CN=Trust Anchor
+        Validity
+            Not Before: Jan  1 12:01:00 1998 GMT
+            Not After : Jan  1 12:01:00 2048 GMT
+        Subject: C=US, O=U.S. Government, OU=Dod, OU=Testing, CN=CA1-CP.06.01
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+            RSA Public Key: (1024 bit)
+                Modulus (1024 bit):
+                    00:c8:e0:c5:d9:07:4f:01:7d:41:f1:a3:ff:f8:45:
+                    ee:c0:c7:4a:96:90:78:32:ea:76:fe:fd:76:8b:43:
+                    61:70:3d:bb:e9:6f:99:a4:84:b8:6a:0d:90:52:5f:
+                    72:90:2f:46:22:27:ca:7c:d6:d9:9d:bd:14:07:fc:
+                    b6:c5:cd:7f:f7:38:a0:53:51:f5:79:8a:66:32:f7:
+                    bf:40:d8:d1:1b:e2:8b:45:a7:a1:03:4a:c9:19:86:
+                    db:58:dd:dd:88:cd:42:02:a0:25:94:5e:13:9b:9e:
+                    69:07:27:68:c4:73:cd:5b:82:01:64:2b:92:e2:af:
+                    59:bf:b4:aa:b6:20:e3:c5:25
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: critical
+                CA:TRUE
+            X509v3 Key Usage: critical
+                Certificate Sign, CRL Sign
+            X509v3 Certificate Policies: 
+                Policy: 2.16.840.1.101.3.1.48.1
+
+            X509v3 Subject Key Identifier: 
+                08:80:26:97:3E:BE:09:CD
+            X509v3 Authority Key Identifier: 
+                keyid:AB:9A:EB:F9:C2:E7:54:8F
+
+    Signature Algorithm: sha1WithRSAEncryption
+        d1:9b:c8:1b:67:27:93:7d:a9:ea:ec:6a:1b:0f:01:bb:8d:0d:
+        ad:f1:ee:f6:03:64:24:be:4c:84:31:c9:5c:0e:8e:c5:4e:41:
+        5f:96:d6:66:92:e7:29:72:e8:1e:2a:92:76:d1:1d:9b:2e:5c:
+        2d:9c:37:92:08:31:9d:dc:63:b2:74:45:33:20:9a:c1:a6:2e:
+        a4:90:61:96:0a:ae:15:bb:af:06:d0:3c:ac:cb:64:73:91:f8:
+        ce:e7:4f:65:c3:9c:bd:7b:bb:5f:0e:7c:2b:ed:5c:69:21:94:
+        44:bf:80:ea:e5:c5:3e:73:14:05:dd:7e:93:e7:a3:6e:d3:bc:
+        3e:da
+-----BEGIN CERTIFICATE-----
+MIIClTCCAf6gAwIBAgIBJzANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEY
+MBYGA1UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb0QxEDAOBgNVBAsT
+B1Rlc3RpbmcxFTATBgNVBAMTDFRydXN0IEFuY2hvcjAeFw05ODAxMDExMjAxMDBa
+Fw00ODAxMDExMjAxMDBaMF4xCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9VLlMuIEdv
+dmVybm1lbnQxDDAKBgNVBAsTA0RvZDEQMA4GA1UECxMHVGVzdGluZzEVMBMGA1UE
+AxMMQ0ExLUNQLjA2LjAxMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI4MXZ
+B08BfUHxo//4Re7Ax0qWkHgy6nb+/XaLQ2FwPbvpb5mkhLhqDZBSX3KQL0YiJ8p8
+1tmdvRQH/LbFzX/3OKBTUfV5imYy979A2NEb4otFp6EDSskZhttY3d2IzUICoCWU
+XhObnmkHJ2jEc81bggFkK5Lir1m/tKq2IOPFJQIDAQABo2MwYTAPBgNVHRMBAf8E
+BTADAQH/MA4GA1UdDwEB/wQEAwIBBjAWBgNVHSAEDzANMAsGCWCGSAFlAwEwATAR
+BgNVHQ4ECgQICIAmlz6+Cc0wEwYDVR0jBAwwCoAIq5rr+cLnVI8wDQYJKoZIhvcN
+AQEFBQADgYEA0ZvIG2cnk32p6uxqGw8Bu40NrfHu9gNkJL5MhDHJXA6OxU5BX5bW
+ZpLnKXLoHiqSdtEdmy5cLZw3kggxndxjsnRFMyCawaYupJBhlgquFbuvBtA8rMtk
+c5H4zudPZcOcvXu7Xw58K+1caSGURL+A6uXFPnMUBd1+k+ejbtO8Pto=
+-----END CERTIFICATE-----
+Certificate Revocation List (CRL):
+        Version 2 (0x1)
+        Signature Algorithm: sha1WithRSAEncryption
+        Issuer: /C=US/O=U.S. Government/OU=Dod/OU=Testing/CN=CA1-CP.06.01
+        Last Update: Jan  1 12:01:00 1999 GMT
+        Next Update: Jan  1 12:01:00 2048 GMT
+        CRL extensions:
+            X509v3 CRL Number: 
+                1
+            X509v3 Authority Key Identifier: 
+                keyid:08:80:26:97:3E:BE:09:CD
+
+No Revoked Certificates.
+    Signature Algorithm: sha1WithRSAEncryption
+        6e:42:5e:8d:f7:35:af:3b:42:6e:d0:ba:c4:96:77:89:91:03:
+        0c:c5:b6:0b:11:6f:3a:f4:b0:86:60:a3:3e:a5:58:de:5a:c2:
+        3c:d4:90:cd:d8:e6:a9:ea:62:a0:29:ee:ee:89:e0:3f:e1:c0:
+        03:b8:4c:ed:b9:be:4a:83:7b:2b:35:ca:b9:f4:3b:0b:63:8d:
+        a0:0c:2f:a0:f6:60:9e:88:9d:83:b4:55:10:2c:54:07:20:fa:
+        00:9b:b4:e3:27:76:c0:22:d8:46:90:9f:4b:6b:43:b5:72:e1:
+        1c:40:e9:7b:e1:0b:c2:fd:f9:a5:b9:02:32:50:8e:da:ee:c9:
+        f9:37
+-----BEGIN X509 CRL-----
+MIIBSzCBtQIBATANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1UE
+ChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3Rp
+bmcxFTATBgNVBAMTDENBMS1DUC4wNi4wMRcNOTkwMTAxMTIwMTAwWhcNNDgwMTAx
+MTIwMTAwWqAjMCEwCgYDVR0UBAMCAQEwEwYDVR0jBAwwCoAICIAmlz6+Cc0wDQYJ
+KoZIhvcNAQEFBQADgYEAbkJejfc1rztCbtC6xJZ3iZEDDMW2CxFvOvSwhmCjPqVY
+3lrCPNSQzdjmqepioCnu7ongP+HAA7hM7bm+SoN7KzXKufQ7C2ONoAwvoPZgnoid
+g7RVECxUByD6AJu04yd2wCLYRpCfS2tDtXLhHEDpe+ELwv35pbkCMlCO2u7J+Tc=
+-----END X509 CRL-----
+
+Certificate Revocation List (CRL):
+        Version 2 (0x1)
+        Signature Algorithm: sha1WithRSAEncryption
+        Issuer: /C=US/O=U.S. Government/OU=DoD/OU=Testing/CN=Trust Anchor
+        Last Update: Jan  1 12:01:00 1999 GMT
+        Next Update: Jan  1 12:01:00 2048 GMT
+        CRL extensions:
+            X509v3 CRL Number: 
+                1
+            X509v3 Authority Key Identifier: 
+                keyid:AB:9A:EB:F9:C2:E7:54:8F
+
+Revoked Certificates:
+    Serial Number: 27
+        Revocation Date: Jan  1 12:00:00 1999 GMT
+            X509v3 CRL Reason Code: 
+                Key Compromise
+    Signature Algorithm: sha1WithRSAEncryption
+        0b:b9:6a:67:07:a3:25:15:bb:42:fc:c7:d7:5f:fb:71:87:0b:
+        de:b6:9c:80:cc:47:dc:f4:94:fe:e7:ef:c8:b9:3b:6a:14:7e:
+        f9:1b:47:6a:bc:bf:59:e0:af:45:dc:b3:9c:b8:88:38:0f:19:
+        06:28:2e:5a:d5:4f:aa:c3:72:b0:d9:fb:58:ba:1f:40:85:5a:
+        fb:f4:c3:dd:3f:a5:79:c7:b8:7b:53:70:19:0b:e3:e5:0f:9e:
+        db:04:6d:19:78:3e:80:2b:93:8d:32:94:15:f2:91:9d:6c:fb:
+        3b:b4:72:88:92:8a:8a:6d:23:b4:01:78:46:40:a9:2d:e6:cd:
+        0a:16
+-----BEGIN X509 CRL-----
+MIIBbzCB2QIBATANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1UE
+ChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb0QxEDAOBgNVBAsTB1Rlc3Rp
+bmcxFTATBgNVBAMTDFRydXN0IEFuY2hvchcNOTkwMTAxMTIwMTAwWhcNNDgwMTAx
+MTIwMTAwWjAiMCACAScXDTk5MDEwMTEyMDAwMFowDDAKBgNVHRUEAwoBAaAjMCEw
+CgYDVR0UBAMCAQEwEwYDVR0jBAwwCoAIq5rr+cLnVI8wDQYJKoZIhvcNAQEFBQAD
+gYEAC7lqZwejJRW7QvzH11/7cYcL3racgMxH3PSU/ufvyLk7ahR++RtHary/WeCv
+RdyznLiIOA8ZBiguWtVPqsNysNn7WLofQIVa+/TD3T+lece4e1NwGQvj5Q+e2wRt
+GXg+gCuTjTKUFfKRnWz7O7RyiJKKim0jtAF4RkCpLebNChY=
+-----END X509 CRL-----
diff --git a/tests/test21.pem b/tests/test21.pem
new file mode 100644
index 0000000000..2a3b253043
--- /dev/null
+++ b/tests/test21.pem
@@ -0,0 +1,163 @@
+[ The end certificate has been revoked ]
+
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 42 (0x2a)
+        Signature Algorithm: sha1WithRSAEncryption
+        Issuer: C=US, O=U.S. Government, OU=Dod, OU=Testing, CN=CA1-CP.06.02
+        Validity
+            Not Before: Jan  1 12:01:00 1998 GMT
+            Not After : Jan  1 12:01:00 2048 GMT
+        Subject: C=US, O=U.S. Government, OU=DoD, OU=Testing, CN=User1-CP.06.02
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+            RSA Public Key: (1024 bit)
+                Modulus (1024 bit):
+                    00:ae:03:f4:7f:09:c5:e2:2b:16:e3:a6:c7:47:12:
+                    90:86:0d:4b:4a:7b:70:34:81:95:c7:39:ec:d6:b7:
+                    fb:59:3b:94:90:fb:98:4f:59:3f:af:f8:ed:8b:03:
+                    54:ad:9b:c1:ee:1a:4c:a0:93:5e:d3:e4:fe:41:90:
+                    e9:bb:0b:b3:02:57:6f:25:b8:93:8f:9f:e4:b7:80:
+                    62:85:e0:6e:66:57:8c:05:85:f8:12:88:97:cb:8a:
+                    7a:db:2a:0b:71:e4:09:ea:a1:05:a6:35:00:65:2a:
+                    79:fe:28:38:09:1a:90:43:fe:d6:36:05:ba:63:58:
+                    b4:c6:81:fb:dc:7f:d2:77:01
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Key Usage: critical
+                Digital Signature, Non Repudiation, Key Encipherment
+            X509v3 Certificate Policies: 
+                Policy: 2.16.840.1.101.3.1.48.1
+
+            X509v3 Subject Key Identifier: 
+                0B:D3:22:24:D2:3B:D5:13
+            X509v3 Authority Key Identifier: 
+                keyid:68:7C:56:39:D1:EC:2D:B5
+
+    Signature Algorithm: sha1WithRSAEncryption
+        a3:f8:9b:98:8c:6d:7a:2b:72:8d:99:6c:ce:30:9c:fe:ce:f2:
+        33:fd:2c:9c:be:fc:a5:8a:4c:39:9d:cf:d9:33:ca:91:88:76:
+        4e:1e:3e:07:0f:09:a9:7d:74:f8:cf:f3:c0:50:63:e4:1c:3b:
+        22:6c:c2:21:17:d2:dc:61:6e:2a:67:15:73:21:c1:e0:e6:4b:
+        31:c4:19:b5:75:80:f0:63:99:f7:86:2f:5a:ae:53:04:83:65:
+        56:d4:e1:42:db:ac:42:3d:79:28:1a:b6:4c:93:4d:15:4c:83:
+        a4:17:6f:ca:8d:39:02:71:2c:45:8d:07:6c:84:2e:e9:98:4d:
+        43:8d
+-----BEGIN CERTIFICATE-----
+MIIChjCCAe+gAwIBAgIBKjANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEY
+MBYGA1UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsT
+B1Rlc3RpbmcxFTATBgNVBAMTDENBMS1DUC4wNi4wMjAeFw05ODAxMDExMjAxMDBa
+Fw00ODAxMDExMjAxMDBaMGAxCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9VLlMuIEdv
+dmVybm1lbnQxDDAKBgNVBAsTA0RvRDEQMA4GA1UECxMHVGVzdGluZzEXMBUGA1UE
+AxMOVXNlcjEtQ1AuMDYuMDIwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAK4D
+9H8JxeIrFuOmx0cSkIYNS0p7cDSBlcc57Na3+1k7lJD7mE9ZP6/47YsDVK2bwe4a
+TKCTXtPk/kGQ6bsLswJXbyW4k4+f5LeAYoXgbmZXjAWF+BKIl8uKetsqC3HkCeqh
+BaY1AGUqef4oOAkakEP+1jYFumNYtMaB+9x/0ncBAgMBAAGjUjBQMA4GA1UdDwEB
+/wQEAwIF4DAWBgNVHSAEDzANMAsGCWCGSAFlAwEwATARBgNVHQ4ECgQIC9MiJNI7
+1RMwEwYDVR0jBAwwCoAIaHxWOdHsLbUwDQYJKoZIhvcNAQEFBQADgYEAo/ibmIxt
+eityjZlszjCc/s7yM/0snL78pYpMOZ3P2TPKkYh2Th4+Bw8JqX10+M/zwFBj5Bw7
+ImzCIRfS3GFuKmcVcyHB4OZLMcQZtXWA8GOZ94YvWq5TBINlVtThQtusQj15KBq2
+TJNNFUyDpBdvyo05AnEsRY0HbIQu6ZhNQ40=
+-----END CERTIFICATE-----
+
+
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 41 (0x29)
+        Signature Algorithm: sha1WithRSAEncryption
+        Issuer: C=US, O=U.S. Government, OU=DoD, OU=Testing, CN=Trust Anchor
+        Validity
+            Not Before: Jan  1 12:01:00 1998 GMT
+            Not After : Jan  1 12:01:00 2048 GMT
+        Subject: C=US, O=U.S. Government, OU=Dod, OU=Testing, CN=CA1-CP.06.02
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+            RSA Public Key: (1024 bit)
+                Modulus (1024 bit):
+                    00:bf:21:e8:d5:dc:39:9e:68:b5:bc:3b:03:1f:00:
+                    6c:ab:e7:ef:0d:3b:13:35:0b:e5:01:62:c9:5b:39:
+                    f5:a3:29:41:9d:86:55:fa:4f:11:5c:e4:03:89:54:
+                    90:69:4b:f4:23:78:0f:91:5a:85:02:c6:7c:4a:6f:
+                    d4:12:94:ea:c1:98:00:eb:72:71:b3:f3:35:74:fd:
+                    cd:09:0c:b6:94:de:84:a0:b1:51:16:64:4d:12:7b:
+                    10:55:5a:b2:9c:97:58:fb:c0:dd:11:bb:13:1e:02:
+                    9d:f8:db:f6:28:ca:f0:70:79:ad:d5:7a:a2:64:99:
+                    20:9c:ed:8d:93:8e:bb:96:11
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: critical
+                CA:TRUE
+            X509v3 Key Usage: critical
+                Certificate Sign, CRL Sign
+            X509v3 Certificate Policies: 
+                Policy: 2.16.840.1.101.3.1.48.1
+
+            X509v3 Subject Key Identifier: 
+                68:7C:56:39:D1:EC:2D:B5
+            X509v3 Authority Key Identifier: 
+                keyid:AB:9A:EB:F9:C2:E7:54:8F
+
+    Signature Algorithm: sha1WithRSAEncryption
+        bb:37:aa:fe:5a:a9:d2:ab:3a:da:4a:ca:e8:40:3c:d5:28:a5:
+        87:2e:36:97:f2:a6:ca:71:37:99:5b:bd:18:f0:60:41:2d:01:
+        50:38:bb:fa:b4:10:fa:6d:14:c5:81:25:ce:3d:92:34:ee:09:
+        e5:a0:58:78:2f:7c:95:52:45:08:75:fb:40:4f:32:54:ea:0f:
+        05:07:79:ac:0f:ab:af:3e:07:0f:d4:28:3f:b8:25:c5:3a:8b:
+        53:a4:dc:f5:51:5d:fa:26:85:a6:ab:15:b5:28:76:6f:11:f6:
+        06:d5:01:d8:04:60:79:b4:e4:95:a3:65:e5:53:db:bb:4f:b2:
+        73:62
+-----BEGIN CERTIFICATE-----
+MIIClTCCAf6gAwIBAgIBKTANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEY
+MBYGA1UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb0QxEDAOBgNVBAsT
+B1Rlc3RpbmcxFTATBgNVBAMTDFRydXN0IEFuY2hvcjAeFw05ODAxMDExMjAxMDBa
+Fw00ODAxMDExMjAxMDBaMF4xCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9VLlMuIEdv
+dmVybm1lbnQxDDAKBgNVBAsTA0RvZDEQMA4GA1UECxMHVGVzdGluZzEVMBMGA1UE
+AxMMQ0ExLUNQLjA2LjAyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC/IejV
+3DmeaLW8OwMfAGyr5+8NOxM1C+UBYslbOfWjKUGdhlX6TxFc5AOJVJBpS/QjeA+R
+WoUCxnxKb9QSlOrBmADrcnGz8zV0/c0JDLaU3oSgsVEWZE0SexBVWrKcl1j7wN0R
+uxMeAp342/YoyvBwea3VeqJkmSCc7Y2TjruWEQIDAQABo2MwYTAPBgNVHRMBAf8E
+BTADAQH/MA4GA1UdDwEB/wQEAwIBBjAWBgNVHSAEDzANMAsGCWCGSAFlAwEwATAR
+BgNVHQ4ECgQIaHxWOdHsLbUwEwYDVR0jBAwwCoAIq5rr+cLnVI8wDQYJKoZIhvcN
+AQEFBQADgYEAuzeq/lqp0qs62krK6EA81Silhy42l/KmynE3mVu9GPBgQS0BUDi7
++rQQ+m0UxYElzj2SNO4J5aBYeC98lVJFCHX7QE8yVOoPBQd5rA+rrz4HD9QoP7gl
+xTqLU6Tc9VFd+iaFpqsVtSh2bxH2BtUB2ARgebTklaNl5VPbu0+yc2I=
+-----END CERTIFICATE-----
+
+Certificate Revocation List (CRL):
+        Version 2 (0x1)
+        Signature Algorithm: sha1WithRSAEncryption
+        Issuer: /C=US/O=U.S. Government/OU=Dod/OU=Testing/CN=CA1-CP.06.02
+        Last Update: Jan  1 12:01:00 1999 GMT
+        Next Update: Jan  1 12:01:00 2048 GMT
+        CRL extensions:
+            X509v3 CRL Number: 
+                1
+            X509v3 Authority Key Identifier: 
+                keyid:68:7C:56:39:D1:EC:2D:B5
+
+Revoked Certificates:
+    Serial Number: 2A
+        Revocation Date: Jan  1 12:00:00 1999 GMT
+            X509v3 CRL Reason Code: 
+                Key Compromise
+    Signature Algorithm: sha1WithRSAEncryption
+        60:66:80:cd:5a:14:76:54:99:de:e1:8a:89:13:df:1c:01:48:
+        a0:a4:fb:f6:13:4e:be:d3:b1:68:60:34:68:87:a4:f4:ec:a9:
+        0e:b0:ea:60:08:7f:b3:68:ec:5d:28:5e:2f:4a:6b:fe:ff:56:
+        44:81:ef:b4:2b:7b:ca:d5:c3:c5:5c:a7:e0:dc:63:a5:fb:fb:
+        06:40:0c:32:27:1c:75:4c:75:38:7d:55:12:54:d1:92:69:ad:
+        31:ee:d1:3b:35:1e:1d:41:b3:5c:93:4f:7b:1d:41:73:d0:6f:
+        48:28:47:d7:c6:d6:61:c9:32:39:97:58:24:18:dc:b4:22:89:
+        16:0c
+-----BEGIN X509 CRL-----
+MIIBbzCB2QIBATANBgkqhkiG9w0BAQUFADBeMQswCQYDVQQGEwJVUzEYMBYGA1UE
+ChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNEb2QxEDAOBgNVBAsTB1Rlc3Rp
+bmcxFTATBgNVBAMTDENBMS1DUC4wNi4wMhcNOTkwMTAxMTIwMTAwWhcNNDgwMTAx
+MTIwMTAwWjAiMCACASoXDTk5MDEwMTEyMDAwMFowDDAKBgNVHRUEAwoBAaAjMCEw
+CgYDVR0UBAMCAQEwEwYDVR0jBAwwCoAIaHxWOdHsLbUwDQYJKoZIhvcNAQEFBQAD
+gYEAYGaAzVoUdlSZ3uGKiRPfHAFIoKT79hNOvtOxaGA0aIek9OypDrDqYAh/s2js
+XSheL0pr/v9WRIHvtCt7ytXDxVyn4Nxjpfv7BkAMMiccdUx1OH1VElTRkmmtMe7R
+OzUeHUGzXJNPex1Bc9BvSChH18bWYckyOZdYJBjctCKJFgw=
+-----END X509 CRL-----
diff --git a/tests/x509_test.c b/tests/x509_test.c
index 7df91202ba..f093387243 100644
--- a/tests/x509_test.c
+++ b/tests/x509_test.c
@@ -3,8 +3,6 @@
 #include <string.h>
 #include <gnutls/x509.h>
 
-#include <dmalloc.h>
-
 #define MAX_FILE_SIZE 16*1024
 
 struct file_res {
@@ -18,6 +16,8 @@ static struct file_res test_files[] = {
 	{ "test3.pem", GNUTLS_CERT_INVALID | GNUTLS_CERT_NOT_TRUSTED },
 	{ "test10.pem", 0 },
 	{ "test13.pem", GNUTLS_CERT_INVALID | GNUTLS_CERT_NOT_TRUSTED },
+	{ "test20.pem", GNUTLS_CERT_REVOKED | GNUTLS_CERT_NOT_TRUSTED },
+	{ "test21.pem", GNUTLS_CERT_REVOKED | GNUTLS_CERT_NOT_TRUSTED },
 	{ "test22.pem", GNUTLS_CERT_INVALID | GNUTLS_CERT_NOT_TRUSTED },
 	{ "test23.pem", GNUTLS_CERT_INVALID | GNUTLS_CERT_NOT_TRUSTED },
 	{ "test24.pem", 0 },
@@ -41,8 +41,13 @@ static void print_res( int x)
 		printf("- certificate is NOT trusted\n");
 	else
 		printf("- certificate is trusted\n");
+
 	if (x&GNUTLS_CERT_CORRUPTED)
 		printf("- Found a corrupted certificate.\n");
+
+	if (x&GNUTLS_CERT_REVOKED)
+		printf("- certificate is revoked.\n");
+
 	return;
 }
 
@@ -92,13 +97,13 @@ int i = 0, exp_result;
 
 }
 
-#define PEM_SEP "-----BEGIN CERT"
-#define PEM_SEP_SIZE (sizeof(PEM_SEP)-1)
+#define CERT_SEP "-----BEGIN CERT"
+#define CRL_SEP "-----BEGIN X509 CRL"
 
 /* Verifies a base64 encoded certificate list from memory 
  */
 int _verify_x509_mem( const char* cert, int cert_size,
-	const char *ca, int ca_size)
+	const char *ca, int ca_size, const char* crl, int crl_size)
 {
 	int siz, i;
 	const char *ptr;
@@ -107,7 +112,8 @@ int _verify_x509_mem( const char* cert, int cert_size,
 	gnutls_datum tmp;
 	gnutls_x509_certificate *x509_cert_list = NULL;
 	gnutls_x509_certificate x509_ca;
-	int x509_ncerts;
+	gnutls_x509_crl *x509_crl_list = NULL;
+	int x509_ncerts, x509_ncrls;
 
 	/* Decode the CA certificate
 	 */
@@ -127,6 +133,50 @@ int _verify_x509_mem( const char* cert, int cert_size,
 		exit(1);
 	}
 
+	/* Decode the CRL list
+	 */
+	siz = crl_size;
+	ptr = crl;
+
+	i = 1;
+
+	if (strstr(ptr, CRL_SEP)!=NULL) /* if CRLs exist */
+	do {
+		x509_crl_list =
+		    (gnutls_x509_crl *) realloc( x509_crl_list,
+						   i *
+						   sizeof(gnutls_x509_crl));
+		if (x509_crl_list == NULL) {
+			fprintf(stderr, "memory error\n");
+			exit(1);
+		}
+
+		tmp.data = (char*)ptr;
+		tmp.size = siz;
+
+		ret = gnutls_x509_crl_init( &x509_crl_list[i-1]);
+		if (ret < 0) {
+			fprintf(stderr, "Error parsing the CRL[%d]: %s\n", i, gnutls_strerror(ret));
+			exit(1);
+		}
+	
+		ret = gnutls_x509_crl_import( x509_crl_list[i-1], &tmp, GNUTLS_X509_FMT_PEM);
+		if (ret < 0) {
+			fprintf(stderr, "Error parsing the CRL[%d]: %s\n", i, gnutls_strerror(ret));
+			exit(1);
+		}
+
+		/* now we move ptr after the pem header */
+		ptr = strstr(ptr, CRL_SEP);
+		if (ptr!=NULL)
+			ptr++;
+
+		i++;
+	} while ((ptr = strstr(ptr, CRL_SEP)) != NULL);
+
+	x509_ncrls = i - 1;
+
+
 	/* Decode the certificate chain. 
 	 */
 	siz = cert_size;
@@ -160,23 +210,30 @@ int _verify_x509_mem( const char* cert, int cert_size,
 		}
 
 		/* now we move ptr after the pem header */
-		ptr = strstr(ptr, PEM_SEP);
+		ptr = strstr(ptr, CERT_SEP);
 		if (ptr!=NULL)
 			ptr++;
 
 		i++;
-	} while ((ptr = strstr(ptr, PEM_SEP)) != NULL);
+	} while ((ptr = strstr(ptr, CERT_SEP)) != NULL);
 
 	x509_ncerts = i - 1;
 
 	ret  = gnutls_x509_certificate_list_verify( x509_cert_list, x509_ncerts,
-		&x509_ca, 1, NULL, 0, &output);
+		&x509_ca, 1, x509_crl_list, x509_ncrls, 0, &output);
 
 	gnutls_x509_certificate_deinit( x509_ca);
+
 	for (i=0;i<x509_ncerts;i++) {
 		gnutls_x509_certificate_deinit( x509_cert_list[i]);
 	}
+
+	for (i=0;i<x509_ncrls;i++) {
+		gnutls_x509_crl_deinit( x509_crl_list[i]);
+	}
+
 	free( x509_cert_list);
+	free( x509_crl_list);
 
 	if ( ret < 0) {
 		fprintf(stderr, "Error in verification: %s\n", gnutls_strerror(ret));
@@ -220,6 +277,6 @@ int _verify_x509_file( const char* certfile, const char *cafile)
 	
 	ca[ca_size] = 0;
 
-	return _verify_x509_mem( cert, cert_size, ca, ca_size);
+	return _verify_x509_mem( cert, cert_size, ca, ca_size, cert, cert_size);
 }