EldoS | Feel safer!

Software components for data protection, secure storage and transfer

TElX509Certificatevalidator.Validate does not set vrCRLNotVerified?

Posted: 09/05/2013 03:45:35
by Peet Terluin (Standard support level)
Joined: 06/08/2007
Posts: 19

I've written an application which validates signatures of PDF-files using the TElX509CertificateValidator.
What we want is to always perform an CRL and OCSP check.
At least one of these checks needs to be successful.
The properties of the validator I use are:
CRLCheck - true
MandatoryCRLCheck - false
OCSPCheck - true
MandatoryOCSPCheck - false
MandatoryRevocationCheck - true
I hoped MandatoryRevocationCheck insures that at least one of CRL/OCSP must succeed for a signature to be valid.

However if I test a PDF signature with cert.managedpki.com ocsp.managedpki.com cert2.managedpki.com ocsp2.managedpki.com
in my hosts, CRL and OCSP fail, but the certificate still validates.

The on CRL error reports error 1003
The on OCSP error reports 2003, 2003, 20004
The vrOCSPNotVerified flag is set, but the vrCRLNotVerified flag is not set.

Have I misinterpreted the use of the "check"-properties of the validator or do I do something else wrong?

with regards,
Peet Terluin.
Posted: 09/05/2013 04:45:37
by Vsevolod Ievgiienko (Team)

Thank you for contacting us.

In your configuration when MandatoryCRLCheck is 'false' the validator will try to retrieve CRLs and if this step fails it will try to check OCSP. If CRL retrival is successfull but downloaded CRLs validation fails it will set vrCRLNotVerified.

If MandatoryCRLCheck is 'true' then it will stop after CRLs retrival failure and set vrCRLNotVerified flag.



Topic viewed 1374 times

Number of guests: 1, registered members: 0, in total hidden: 0


Back to top

As of July 15, 2016 EldoS business operates as a division of /n software, inc. For more information, please read the announcement.

Got it!