EldoS | Feel safer!
Passing the CRL to TElX509CertificateValidator

#22715
Posted: 12/05/2012 02:59:24
by Blank Blank (Basic support level)
Joined: 11/30/2012
Posts: 9

Hello. I am trying to validate a certificate with your sample PKIBlackbox\CertValidator. When I mark these four checks:

-Check CRL
-Check validity period for trusted
-Complete chain validation for trusted
-Mandatory CRL check

at the same time, the log tells me that the certificate is invalid, because the CRL was not verified. I guess that the CRL is missing, and I wonder how I should pass it to the TElX509CertificateValidator so I can get a valid response for my certificate when I check the CRL. That is the point: how should I pass the CRL?

Thank you very much!
#22716
Posted: 12/05/2012 03:58:40
by Vsevolod Ievgiienko (EldoS Corp.)

Thank you for contacting us.

Could you post the validator's log here?

Also, please refer to this article for details: http://www.eldos.com/security/articles/7545.php
#22719
Posted: 12/05/2012 04:15:41
by Blank Blank (Basic support level)
Joined: 11/30/2012
Posts: 9

This is the log with the following options checked:
Check CRL
Check OCSP
Check validity period for trusted
Complete chain validation for trusted
Ignore CA key usage
Mandatory CRL check
Mandatory OCSP check
Mandatory revocation check
Use system storages

05/12/2012 11:12:52 BeforeCertificateValidation:
CN=NOMBRE XXXXXXX XXXXXXXXXX XXX - NIF XXXXXXXXX, storage=MY
05/12/2012 11:12:52 BeforeCRLRetrieverUse:
CN=NOMBRE XXXXXXX XXXXXXXXXX XXX - NIF XXXXXXXXX, storage=MY, location=2.5.4.6=ES,2.5.4.10=FNMT,2.5.4.11=FNMT Clase 2 CA,2.5.4.3=CRL9545
05/12/2012 11:12:52 AfterCertificateValidation:
CN=NOMBRE XXXXXXX XXXXXXXXXX XXX - NIF XXXXXXXXX, storage=MY, root CN=, validity=invalid, reason=CRL not verified

05/12/2012 11:12:52 RESULT:
CN=NOMNOMBRE XXXXXXX XXXXXXXXXX XXX - NIF XXXXXXXXX, validity=invalid, reason=CRL not verified
#22720
Posted: 12/05/2012 04:21:55
by Vsevolod Ievgiienko (EldoS Corp.)

You should try to set "Mandatory CRL check" to false. Your certificate contains an LDAP distribution point (location=2.5.4.6=ES,2.5.4.10=FNMT,2.5.4.11=FNMT Clase 2 CA,2.5.4.3=CRL9545) that is local, and that's why our component fails to download it. When "Mandatory CRL check" is off, the component will try all CRL distribution points included in the certificate, and it's possible that one of them will be a correct one.

If this doesn't help, then you can pass a CRL manually using the TElX509CertificateValidator.AddKnownCRLs method.
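The behaviour discussed in this thread, shown as an added example that is not SecureBlackbox code and not part of the original posts. It is written in Python with the `cryptography` package and models what a CRL-based revocation check does: enumerate the certificate's CRL distribution points, skip the LDAP one (this mirrors the thread's log, where the LDAP point could not be retrieved, and is an assumption of this model), try the HTTP one, then fall back to CRLs supplied directly, which is the role AddKnownCRLs plays in the component. "Mandatory CRL check" decides whether the absence of a usable CRL is a hard failure ("CRL not verified", as in the log) or a soft failure. All keys, certificates, the `check_revocation` function, the URIs and the `fetch` callback are constructed for the example; the LDAP URI is a placeholder, not the FNMT distribution point from the log.

```python
"""Model of a CRL revocation check with 'mandatory CRL check' semantics.
Added illustration built on the 'cryptography' package; not SecureBlackbox code."""
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

NOW = datetime(2012, 12, 5, 11, 12, 52, tzinfo=timezone.utc)  # constructed clock


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def make_ca():
    """Self-signed test CA (constructed key material, not a real authority)."""
    key = ec.generate_private_key(ec.SECP256R1())
    cert = (x509.CertificateBuilder()
            .subject_name(_name("Test CA")).issuer_name(_name("Test CA"))
            .public_key(key.public_key()).serial_number(1)
            .not_valid_before(NOW - timedelta(days=1)).not_valid_after(NOW + timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert


def make_leaf(ca_key, ca_cert, serial, cdp_uris):
    """End-entity certificate carrying the given CRL distribution point URIs."""
    key = ec.generate_private_key(ec.SECP256R1())
    dps = [x509.DistributionPoint(full_name=[x509.UniformResourceIdentifier(u)],
                                  relative_name=None, reasons=None, crl_issuer=None)
           for u in cdp_uris]
    return (x509.CertificateBuilder()
            .subject_name(_name("Leaf")).issuer_name(ca_cert.subject)
            .public_key(key.public_key()).serial_number(serial)
            .not_valid_before(NOW - timedelta(days=1)).not_valid_after(NOW + timedelta(days=30))
            .add_extension(x509.CRLDistributionPoints(dps), critical=False)
            .sign(ca_key, hashes.SHA256()))


def make_crl(ca_key, ca_cert, revoked_serials, days_valid=7):
    """CRL signed by the CA; days_valid < 0 yields an already-expired CRL."""
    next_update = NOW + timedelta(days=days_valid)
    last_update = min(NOW - timedelta(hours=1), next_update - timedelta(days=7))
    builder = (x509.CertificateRevocationListBuilder().issuer_name(ca_cert.subject)
               .last_update(last_update).next_update(next_update))
    for s in revoked_serials:
        builder = builder.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(s)
            .revocation_date(NOW - timedelta(hours=2)).build())
    return builder.sign(ca_key, hashes.SHA256())


def _next_update(crl):
    try:
        return crl.next_update_utc                      # cryptography >= 42
    except AttributeError:
        return crl.next_update.replace(tzinfo=timezone.utc)


def cdp_uris(cert):
    """URIs from the certificate's CRL Distribution Points extension, in order."""
    try:
        ext = cert.extensions.get_extension_for_class(x509.CRLDistributionPoints).value
    except x509.ExtensionNotFound:
        return []
    return [gn.value for dp in ext for gn in (dp.full_name or [])
            if isinstance(gn, x509.UniformResourceIdentifier)]


def check_revocation(cert, issuer, known_crls, fetch, mandatory, now=NOW):
    """Return (validity, reason). fetch(uri) returns DER bytes or None and is only
    called for http(s) points; LDAP points are skipped (assumption modelled on the
    thread). known_crls plays the part of CRLs handed in via AddKnownCRLs."""
    candidates = []
    for uri in cdp_uris(cert):
        if urlparse(uri).scheme in ("http", "https"):
            der = fetch(uri)
            if der:
                candidates.append(x509.load_der_x509_crl(der))
    candidates.extend(known_crls)
    for crl in candidates:
        # A CRL is usable only if it is the issuer's, correctly signed and still fresh;
        # a manually supplied CRL gets exactly the same scrutiny as a downloaded one.
        if crl.issuer != cert.issuer or not crl.is_signature_valid(issuer.public_key()):
            continue
        if _next_update(crl) < now:
            continue
        if crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:
            return "invalid", "certificate revoked"
        return "valid", "CRL checked"
    if mandatory:
        return "invalid", "CRL not verified"            # hard fail, as in the log above
    return "valid", "no usable CRL, check skipped"      # soft fail: status actually unknown


def demo():
    """Run the scenarios from the thread; returns {scenario: (validity, reason)}."""
    ca_key, ca = make_ca()
    leaf = make_leaf(ca_key, ca, 9545, [
        "ldap://ldap.example/CN=CRL9545,OU=FNMT%20Clase%202%20CA,O=FNMT,C=ES",  # placeholder
        "http://crl.example/crl9545.crl"])                                      # placeholder
    unreachable = lambda uri: None                       # every HTTP download fails
    good_crl = make_crl(ca_key, ca, [12345])             # revokes some other serial
    revoking_crl = make_crl(ca_key, ca, [9545])          # revokes the leaf
    stale_crl = make_crl(ca_key, ca, [], days_valid=-1)  # nextUpdate in the past
    served = lambda uri: good_crl.public_bytes(serialization.Encoding.DER)
    return {
        "mandatory_no_crl": check_revocation(leaf, ca, [], unreachable, True),
        "soft_no_crl": check_revocation(leaf, ca, [], unreachable, False),
        "known_good": check_revocation(leaf, ca, [good_crl], unreachable, True),
        "known_revoked": check_revocation(leaf, ca, [revoking_crl], unreachable, True),
        "known_stale": check_revocation(leaf, ca, [stale_crl], unreachable, True),
        "fetched_http": check_revocation(leaf, ca, [], served, True),
    }
```

Two points for anyone applying the advice in the post: turning "Mandatory CRL check" off makes the check soft-fail, so a certificate whose CRL cannot be downloaded is reported valid even though its revocation status is unknown, and anyone who can block your CRL traffic can exploit that; and a CRL you pass in yourself must still be the issuer's, correctly signed and within its nextUpdate window, otherwise it is no better than no CRL at all, which is why the model rejects the stale CRL in the same way as a missing one.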
