Add test cases for CRL with future revocation dates #9

@jvdprng

Context

RFC 5280 specifies that each revoked certificate entry in a CRL contains a revocationDate field indicating when the certificate was revoked. An interesting edge case is when the revocationDate is set to a future time relative to the validation time.

Semantic question: Should a certificate with a future revocation date be considered:

  • Revoked (the revocation entry exists, regardless of date)?
  • Valid until the revocation date (revocation is scheduled but not yet effective)?

RFC 5280 doesn't explicitly address this scenario. Different validators may implement different semantics.

Why this matters:

  • Clarifies revocation semantics and timing
  • Tests implementation handling of unusual but potentially valid CRL entries
  • May reveal differences in validator behavior
  • Could relate to scheduled/planned revocations

Test Case Description

Create test scenarios with future revocation dates:

Future Revocation Date:

  1. Certificate revoked on CRL with revocationDate 1 day in the future

    • Validation time: now
    • Revocation date: now + 1 day
    • Expected behavior: To be determined (likely ACCEPT - not yet revoked)
  2. Certificate revoked on CRL with revocationDate 1 hour in the future

    • More immediate future revocation
    • Expected behavior: To be determined

Comparison Cases:

  1. Certificate revoked on CRL with revocationDate in the past

    • Standard revocation (should REJECT)
  2. Certificate revoked on CRL with revocationDate exactly at validation time

    • Boundary case (likely REJECT)

Expected validation results: Need to survey implementations to determine expected behavior

Implementation Requirements

CRL Builder Modifications:

  • Add ability to set specific revocationDate values
  • Support future dates relative to validation time
  • Support precise timestamp control for boundary testing

Test Harness:

  • Test cases need precise validation time control
  • Compare results with past revocation dates
  • Document implementation-specific behaviors

Test Case Examples:

  • crl::revocation-date-future-1-day
  • crl::revocation-date-future-1-hour
  • crl::revocation-date-past
  • crl::revocation-date-exact-validation-time

References

  • RFC 5280 Section 5.1.2.6: revokedCertificates field
  • RFC 5280 Section 5.3: CRL validation
  • RFC 5280 Section 6.3: CRL processing in path validation

Acceptance Criteria

  • CRLs created with future revocation dates
  • Test cases validate against x509-limbo schema
  • Survey major implementations to determine expected behavior
  • Document consensus or divergent behaviors
  • Test cases cover boundary conditions (exact validation time)
  • Documentation clarifies semantic interpretation
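The four proposed cases, as an added example that is not part of the original issue and is not x509-limbo's own builder code: it signs a one-entry CRL per case with the pyca/cryptography library and evaluates it under both interpretations from the "Semantic question" above. The issuer name, serial number, fixed validation time, function names and the `<=` boundary rule (matching the issue's "likely REJECT") are assumptions.

```python
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

UTC = timezone.utc
VALIDATION_TIME = datetime(2025, 1, 1, 12, 0, 0, tzinfo=UTC)  # constructed, fixed

# Offsets of revocationDate from the validation time, keyed by the issue's case names.
CASES = {
    "crl::revocation-date-future-1-day": timedelta(days=1),
    "crl::revocation-date-future-1-hour": timedelta(hours=1),
    "crl::revocation-date-past": timedelta(days=-1),
    "crl::revocation-date-exact-validation-time": timedelta(0),
}

def build_crl_der(serial, revocation_date):
    """Sign a one-entry CRL (throwaway issuer key) and return its DER bytes."""
    key = ec.generate_private_key(ec.SECP256R1())
    issuer = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "constructed test CA")])
    entry = (x509.RevokedCertificateBuilder()
             .serial_number(serial).revocation_date(revocation_date).build())
    crl = (x509.CertificateRevocationListBuilder()
           .issuer_name(issuer)
           .last_update(VALIDATION_TIME - timedelta(days=2))
           .next_update(VALIDATION_TIME + timedelta(days=7))
           .add_revoked_certificate(entry)
           .sign(key, hashes.SHA256()))
    return crl.public_bytes(serialization.Encoding.DER)

def verdicts(crl_der, serial, at):
    """Return (entry-exists verdict, date-aware verdict) for `serial` at time `at`."""
    entry = x509.load_der_x509_crl(crl_der).get_revoked_certificate_by_serial_number(serial)
    if entry is None:
        return ("ACCEPT", "ACCEPT")
    when = getattr(entry, "revocation_date_utc", None)  # newer library versions
    if when is None:
        when = entry.revocation_date.replace(tzinfo=UTC)  # older versions: naive UTC
    return ("REJECT", "REJECT" if when <= at else "ACCEPT")

def run_matrix():
    serial = 0x1234  # constructed serial number
    return {name: verdicts(build_crl_der(serial, VALIDATION_TIME + off), serial, VALIDATION_TIME)
            for name, off in CASES.items()}

if __name__ == "__main__":
    for name, (strict, dated) in run_matrix().items():
        print(f"{name:45} entry-exists={strict} date-aware={dated} diverge={strict != dated}")
```

Only the two future-dated cases produce different verdicts under the two rules, so those are the cases where a survey of validators can reveal divergent behavior.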
