EldoS | Feel safer!

Software components for data protection, secure storage and transfer

Save CRL to local file for later use

Posted: 09/25/2012 11:08:08
by Birger Jansen (Standard support level)
Joined: 07/19/2012
Posts: 80

My client application needs to verify the server (https) certificate with a CRL.

Right now I use the TElX509CertificateValidator and this works fine: on the first encounter of the certificate the CRL is downloaded from the server and used.

It tuns out that the server is not always available so I am looking for a way to save to CRL to a file and load it the next time. I want to check the CRL age and allow the CRL to be x days old before requiring a new CRL. This is so that the client application can work, even when the server providing the CRL is not available.

I have looked through the various properties and methods of the TElX509CertificateValidator but I can not find a way to 'cache' the CRL to a local file. I also tried using OnCRLRetrieved and OnCRLNeeded to save the CRL after it was retreived, but I'm not sure if that will be the way to go.

Are there any methods that can be used in this scenario?
Posted: 09/25/2012 11:17:55
by Vsevolod Ievgiienko (Team)


You can use TElX509CertificateValidator.OnCRLRetrieved event handler to do this.
Posted: 09/25/2012 11:41:51
by Birger Jansen (Standard support level)
Joined: 07/19/2012
Posts: 80

Is this assumption right:
If the CRL server can be reached then OnCRLRetrieved will be called. Here I will save the CRL to disk. Then OnCRLNeeded will be called but I don't need to do anything there.

If the CRL server cannot be reached then OnCRLRetreived will not be called, but OnCRLNeeded will be called and there I can load a previously saved CRL

Is this correct?
Posted: 09/25/2012 11:44:28
by Eugene Mayevski (Team)

Yes, this is correct.

Sincerely yours
Eugene Mayevski
Posted: 09/25/2012 11:44:33
by Vsevolod Ievgiienko (Team)

Yes its correct.
Posted: 09/25/2012 11:47:59
by Birger Jansen (Standard support level)
Joined: 07/19/2012
Posts: 80

Ha, the whole team agrees! :-)

Posted: 09/25/2012 14:37:43
by Birger Jansen (Standard support level)
Joined: 07/19/2012
Posts: 80

I'm encountering a problem while implementing this:

When I set MandatoryCRLCheck to True then RetrieveCRLs raises an exception when the CRL server cannot be reached. The CRLCheck fails and OnCRLNeeded is not called at all.

When I set MandatoryCRLCheck to False then OnCrlNeeded is called, but even when it doesn't add a CRL to the CRLs list the check passes (since the CRL check is not mandatory).

How can I enforce a CRL check with a CRL Server, and if that fails use OnCrlNeeded (or an other function) to check with a CRL that I saved locally?
Posted: 09/26/2012 03:56:51
by Vsevolod Ievgiienko (Team)

You can handle TElX509CertificateValidator.OnCRLError event and if its raised with ErrorCode equal to SB_VALIDATOR_CRL_ERROR_RETRIEVER_FAILED then you can set MandatoryCRLCheck to False and ensure that a CRL is passed via OnCRLNeeded event handler.
Posted: 09/26/2012 07:31:12
by Birger Jansen (Standard support level)
Joined: 07/19/2012
Posts: 80

Sadly that doen't work.
In SBCertValidator line 1528:
ACRL := CurrentCRLRetriever.GetCRL(Certificate, CACertificate, GeneralName.NameType, CurrentLocation);

does not raise an exception (I get an html 404 error because I changed the CRL's server to localhost in my host-file). Instead ARCL = nil and
TriggerCRLError(Certificate, CurrentLocation, CurrentCRLRetriever, SB_VALIDATOR_CRL_ERROR_RETRIEVER_FAILED);

is not called...

Any other suggestions?
Posted: 09/26/2012 11:06:40
by Vsevolod Ievgiienko (Team)

Sorry for the wrong suggestion. SB_VALIDATOR_CRL_ERROR_NO_CRLS_RETRIEVED should be reported via TriggerCRLError instead of SB_VALIDATOR_CRL_ERROR_RETRIEVER_FAILED.



Topic viewed 3124 times

Number of guests: 1, registered members: 0, in total hidden: 0


Back to top

As of July 15, 2016 EldoS business operates as a division of /n software, inc. For more information, please read the announcement.

Got it!