-----BEGIN X509 CRL-----
MIIBrzCBmAIBATANBgkqhkiG9w0BAQsFADAYMRYwFAYDVQQDDA1jbHVzdGVyLmxv
Y2FsFw0yMzA3MDUxODA2MzBaFw0zMzA3MDIxODA2MzBaMCcwJQIUIf2Vv9QwxTJg
EJObGbJvHMthI2cXDTIzMDcwNTE4MDYzMFqgIzAhMB8GA1UdIwQYMBaAFPJgj82D
0mj8lifyRv1p/Ov4gUqlMA0GCSqGSIb3DQEBCwUAA4IBAQCjJAW4cTwqM7SoLa7F
w9TB2CMdKVx4GGKouGRC1FLFRQMx/8rCOXRtxw8CriLlyTqhkMHwt9Y+FCvBj0F6
ifski2z5XxCjdAxiVAuQM23cYgTm47jeiRvfGNMVkgdJ+neo+vO5lLoIaOh1W7H/

-----BEGIN X509 CRL-----
MIIBrzCBmAIBATANBgkqhkiG9w0BAQsFADAYMRYwFAYDVQQDDA1jbHVzdGVyLmxv
Y2FsFw0yMzA3MDUxODA3MzVaFw0zMzA3MDIxODA3MzVaMCcwJQIURRGeazmADQ30
imTNVdo7eWHGYzcXDTIzMDcwNTE4MDczNVqgIzAhMB8GA1UdIwQYMBaAFPJgj82D
0mj8lifyRv1p/Ov4gUqlMA0GCSqGSIb3DQEBCwUAA4IBAQAkZdoqv7E1kQ1/lqdx
2qSnR6WQFNCrdiH5WCy09cEEVxvmPVByTUaZ8cL7V529iGBYDgBj1ZTw9cogWige
Jgbgmap7uKRABtNpncjNFTwTgym40YR86XWVXt9vQpXghCkvdGRa90DIMMCZpiXN

apiVersion: release-notes/v2
kind: feature
area: security
releaseNotes:
  - |
    **Added** Certificate Revocation List(CRL) support for peer certificate validation based on file paths specified in 

# revoke one of the server certificates for CRL testing purpose
openssl ca -config "${WD}/crl.conf" -revoke "${WD}/dns/cert-chain.pem"
openssl ca -gencrl -out "${WD}/ca.crl" -config "${WD}/crl.conf"

# remove the database entry for the previous revoked certificate, so that we can generate a new dummy CRL entry for an unused server cert,
# to be used for integration tests

# crlnumber must also be commented out to leave a V1 CRL.
crl_extensions = crl_ext

default_md      = sha256                # use SHA-256 by default
default_crl_days= 3650                  # how long before next CRL

[ crl_ext ]
# CRL extensions.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
authorityKeyIdentifier=keyid:always
[req]
req_extensions = v3_req

kind: feature
area: security
docs:
  - https://docs.google.com/document/d/13LNbJnLHe_prlOg7sPr77PjLiIuGj452/edit?usp=sharing&ouid=105743966233121608166&rtpof=true&sd=true
releaseNotes:
  - |

type CertInfo struct {
	// The certificate chain
	Cert []byte
	// The private key
	Key []byte
	// The oscp staple
	Staple []byte
	// Certificate Revocation List information
	CRL []byte
}

type Controller interface {
	GetCertInfo(name, namespace string) (certInfo *CertInfo, err error)
	GetCaCert(name, namespace string) (certInfo *CertInfo, err error)

		TlsMinimumProtocolVersion: minTLSVersion,
		TlsMaximumProtocolVersion: tls.TlsParameters_TLSv1_3,
	}
	authn_model.ApplyToCommonTLSContext(ctx.CommonTlsContext, node, []string{}, /*subjectAltNames*/
		"", /*crl*/
		trustDomainAliases, ctx.RequireClientCertificate.Value)

	// Compliance for downstream mesh mTLS.
	authn_model.EnforceCompliance(ctx.CommonTlsContext)
	return ctx
}

ction-4.2.1.3\n\thttps://tools.ietf.org/html/rfc5280#section-4.2.1.12\n\nValid values are:\n \"signing\",\n \"digital signature\",\n \"content commitment\",\n \"key encipherment\",\n \"key agreement\",\n \"data encipherment\",\n \"cert sign\",\n \"crl sign\",\n \"encipher only\",\n \"decipher only\",\n \"any\",\n \"server auth\",\n \"client auth\",\n \"code signing\",\n \"email protection\",\n \"s/mime\",\n \"ipsec end system\",\n \"ipsec tunnel\",\n \"ipsec user\",\n \"timestamping\",\n \"ocsp signing\",\n...

  //
  // Valid values are:
  //  "signing",
  //  "digital signature",
  //  "content commitment",
  //  "key encipherment",
  //  "key agreement",
  //  "data encipherment",
  //  "cert sign",
  //  "crl sign",
  //  "encipher only",
  //  "decipher only",
  //  "any",
  //  "server auth",
  //  "client auth",
  //  "code signing",
  //  "email protection",
  //  "s/mime",
  //  "ipsec end system",