[Java] Error while retrieving the CRL

#34140
Posted: 07/29/2015 09:05:43
by Mickaël Bénès (Standard support level)
Joined: 02/26/2013
Posts: 74

Hello.

Some of our customers have issues while we perform the validation of their certificate. As indicated in the title of the topic, the application isn't able to retrieve the CRL. So I changed the MandatoryCRLCheck value to FALSE (same for the MandatoryOCSPCheck) so that it wouldn't stop the application from running, but it still does.

My certificate validation code:
Code
/**
* Configures the TElX509CertificateValidator before certificate validation.
* @param   certValidator   the TElX509CertificateValidator to configure
*/
public static void prepareCertificateValidator( TElX509CertificateValidator certValidator ) {
   // The following lines are required for HTTP retrieval of CRLs and OCSP in TElX509CertificateValidator to work
   SBHTTPCRL.RegisterHTTPCRLRetrieverFactory();
   SBLDAPCRL.RegisterLDAPCRLRetrieverFactory();
   SBHTTPOCSPClient.RegisterHTTPOCSPClientFactory();
   SBHTTPCertRetriever.RegisterHTTPCertificateRetrieverFactory();
   
   certValidator.ClearBlockedCertificates();
   certValidator.ClearKnownCertificates();
   certValidator.ClearKnownCRLs();
   certValidator.ClearKnownOCSPResponses();
   certValidator.ClearTrustedCertificates();
   
   certValidator.InitializeWinStorages();
   certValidator.SetUseSystemStorages( true );
   certValidator.SetIgnoreSystemTrust( false );
   certValidator.SetCheckCRL( true );
   certValidator.SetMandatoryCRLCheck( false );
   certValidator.SetCheckOCSP( true );
   certValidator.SetMandatoryOCSPCheck( false );
   certValidator.SetValidateInvalidCertificates( false );
   
   certValidator.SetOnAfterCertificateValidation( new TSBAfterCertificateValidationEvent(onAfterCertificateValidation) );
   certValidator.SetOnCRLError( new TSBCertificateValidatorCRLErrorEvent(onCRLError) );
   certValidator.SetOnOCSPError( new TSBCertificateValidatorOCSPErrorEvent(onOCSPError) );
}

/**
* Handles what happens after certificate validation.
*/
private static TSBAfterCertificateValidationEvent.Callback onAfterCertificateValidation = new TSBAfterCertificateValidationEvent.Callback() {
   
   @Override
   public void TSBAfterCertificateValidationEventCallback( TObject arg0, TElX509Certificate cert, TElX509Certificate caCert, TElAfterCertificateValidationEventParams validationData ) {
      if ( validationData.Validity == TSBCertificateValidity.cvOk ) {
         System.out.println( "Certificate was validated successfully and is valid" );
      }
      else if ( validationData.Validity == TSBCertificateValidity.cvSelfSigned ) {
         System.out.println( "Certificate is self signed" );
      }
      else if ( validationData.Validity == TSBCertificateValidity.cvInvalid ) {
         System.out.println( "Certificate is invalid" );
      }
      else if ( validationData.Validity == TSBCertificateValidity.cvStorageError ) {
         System.out.println( "Certificate was not validated due to certificate storage error" );
      }
      else if ( validationData.Validity == TSBCertificateValidity.cvChainUnvalidated ) {
         System.out.println( "Certificate chain was not validated because while the certificate itself is valid, one or more of CA Certificates in the chain have validation problems" );
      }
   
      switch ( validationData.Reason ) {
         case SBX509.vrBadData:
            System.out.println( "Invalid certificate format or certificate is corrupted" );
         break;
         
         case SBX509.vrRevoked :
            System.out.println( "Certificate is revoked by Issuer" );
         break;
         
         case SBX509.vrNotYetValid :
            System.out.println( "Certificate is not valid yet" );
         break;
         
         case SBX509.vrExpired :
            System.out.println( "Certificate is expired" );
         break;
         
         case SBX509.vrInvalidSignature :
            System.out.println( "Certificate contains invalid digital signature, it could be corrupted" );
         break;
         
         case SBX509.vrUnknownCA :
            System.out.println( "Issuer (CA) certificate was not found." );
         break;
         
         case SBX509.vrCAUnauthorized :
            System.out.println( "Issuer (CA) certificate was found but its key usage fields don't allow use of this certificate for signing other certificates." );
         break;
         
         case SBX509.vrCRLNotVerified :
            System.out.println( "Certificate Revocation List for this certificate could not be retrieved and/or validated." );
         break;
         
         case SBX509.vrOCSPNotVerified :
            System.out.println( "OCSP response for this certificate could not be retrieved and/or validated." );
         break;
         
         case SBX509.vrIdentityMismatch :
            System.out.println(
               "Provided certificate doesn't include the specified name and / or IP address. Either the remote side in TLS or sender in S/MIME is misconfigured," +
               "or the certificate is misused by the remote side or sender, or authenticity of the remote side or sender is forged."
            );
         break;
         
         case SBX509.vrNoKeyUsage :
            System.out.println( "Provided certificate may not be used for chosen activity (identifying TLS server or client or S/MIME message sender)" );
         break;
         
         case SBX509.vrBlocked:
            System.out.println( "Provided certificate has been found in the list of blocked certificates" );
         break;
      }
   }
   
};

/**
* Handles CRL validation errors.
*/
private static TSBCertificateValidatorCRLErrorEvent.Callback onCRLError = new TSBCertificateValidatorCRLErrorEvent.Callback() {
   
   @Override
   public void TSBCertificateValidatorCRLErrorEventCallback( TObject arg0, TElX509Certificate certToVal, String location, TElCustomCRLRetriever retriever, int errorCode ) {
      switch ( errorCode ) {
         case SBCertValidator.SB_VALIDATOR_CRL_ERROR_BASE :
            System.out.println( "Base value for certificate validator CRL error codes" );
         break;
         
         case SBCertValidator.SB_VALIDATOR_CRL_ERROR_VALIDATION_FAILED :
            System.out.println( "Validation of CRL's signature failed" );
         break;
         
         case SBCertValidator.SB_VALIDATOR_CRL_ERROR_NO_RETRIEVER :
            System.out.println( "Retriever class could not be created or found" );
         break;
         
         case SBCertValidator.SB_VALIDATOR_CRL_ERROR_RETRIEVER_FAILED :
            System.out.println( "Error while retrieving the CRL" );
         break;
         
         case SBCertValidator.SB_VALIDATOR_CRL_ERROR_NO_CRLS_RETRIEVED :
            System.out.println( "Due to some reasons CRLs were not retrieved" );
         break;
         
         case SBCertValidator.SB_VALIDATOR_CRL_ERROR_CERT_REVOKED :
            System.out.println( "Certificate has been found in the CRL as revoked" );
         break;
      }
   }
   
};

/**
* Handles OCSP validation errors.
*/
public static TSBCertificateValidatorOCSPErrorEvent.Callback onOCSPError = new TSBCertificateValidatorOCSPErrorEvent.Callback() {
   
   @Override
   public void TSBCertificateValidatorOCSPErrorEventCallback( TObject arg0, TElX509Certificate certToVal, String location, TElOCSPClient client, int errorCode ) {
      switch ( errorCode ) {
         case SBCertValidator.SB_VALIDATOR_OCSP_ERROR_BASE :
            System.out.println( "Base value for certificate validator OCSP error codes" );
         break;
         
         case SBCertValidator.SB_VALIDATOR_OCSP_ERROR_VALIDATION_FAILED :
            System.out.println( "Validation of OCSP response signature failed" );
         break;
         
         case SBCertValidator.SB_VALIDATOR_OCSP_ERROR_NO_CLIENT :
            System.out.println( "OCSP client could not be created or found" );
         break;
         
         case SBCertValidator.SB_VALIDATOR_OCSP_ERROR_CLIENT_FAILED :
            System.out.println( "Error while retrieving the OCSP response" );
         break;
         
         case SBCertValidator.SB_VALIDATOR_OCSP_ERROR_INVALID_RESPONSE :
            System.out.println( "Error parsing the response or response contained an error code" );
         break;
         
         case SBCertValidator.SB_VALIDATOR_OCSP_ERROR_CERT_REVOKED :
            System.out.println( "Certificate has been found in the OCSP response as revoked" );
         break;
      }
   }
   
};


Is it me who doesn't handle errors properly, or did I miss something about MandatoryCRLCheck and MandatoryOCSPCheck, which are supposed to prevent error reporting in case of failed CRL & OCSP validations?

Thanks.
#34145
Posted: 07/29/2015 09:56:57
by Eugene Mayevski (EldoS Corp.)

What errors exactly are you getting? Is it the onCRLError being triggered, or is the certificate reported as invalid?


Sincerely yours
Eugene Mayevski
#34147
Posted: 07/29/2015 10:25:13
by Mickaël Bénès (Standard support level)
Joined: 02/26/2013
Posts: 74

Sorry, should have specified. The onCRLError is triggered and it says "Error while retrieving the CRL".
Then, for an unknown reason, the application stops (doesn't crash, just stops) and doesn't continue to check the other signatures/files.
#34148
Posted: 07/29/2015 10:42:30
by Eugene Mayevski (EldoS Corp.)

The error is reported correctly.

MandatoryCRLCheck = false tells the component not to set the Validity to cvInvalid when the CRL could not be retrieved or was broken. This property doesn't tell the component not to trigger the event.

Now you need to figure out what exactly happens further.

In general, you can emulate the error by creating a fake CRL retriever class that returns junk instead of providing a CRL. The class is retrieved by the validator using the OnBeforeCRLRetrieverUse event: you can return your own instance and it will be used for retrieval. You can do this for specific locations only (if you suspect a particular certificate or location of failing).

Then you'll be able to debug the code and see what happens if the CRL retrieval fails.


Sincerely yours
Eugene Mayevski
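The two points in the reply above, that OnCRLError fires on every retrieval failure while MandatoryCRLCheck only decides whether that failure turns the verdict into cvInvalid, and that a fake retriever injected through OnBeforeCRLRetrieverUse is the way to reproduce the failure on demand, modelled in Python as an added example. This is not SecureBlackbox code and not the poster's code: the Validator, Retriever classes, error-code constants, the sample certificate and its CRL URL are all constructed for the model, and the real component's numeric error codes are not reproduced. The model keeps the property that a revoked entry in a valid CRL is never softened by the flag, while an unreachable or junk CRL is. That soft-fail outcome is the trade-off the flag encodes: with MandatoryCRLCheck = false, a certificate whose distribution point is blocked is still reported as cvOk, so the OnCRLError handler is the only place the application learns that revocation status was not actually checked.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, List, Optional

# Constructed error codes for this model; SecureBlackbox's real values are not reproduced.
CRL_ERROR_RETRIEVER_FAILED = 1    # CRL could not be fetched
CRL_ERROR_VALIDATION_FAILED = 2   # CRL fetched but its signature does not verify
CRL_ERROR_CERT_REVOKED = 3        # certificate serial is listed in a valid CRL


class Validity(Enum):
    OK = "cvOk"
    INVALID = "cvInvalid"


@dataclass(frozen=True)
class Cert:
    serial: int
    crl_url: str  # the CRL distribution point the validator would fetch


@dataclass(frozen=True)
class CRL:
    signature_ok: bool
    revoked: frozenset


class Retriever:
    """Stand-in for a CRL retriever: returns a CRL, or None if retrieval failed."""
    def get_crl(self, cert: Cert, location: str) -> Optional[CRL]:
        raise NotImplementedError


class UnreachableRetriever(Retriever):
    """The customer's situation: the distribution point cannot be reached."""
    def get_crl(self, cert, location):
        return None


class JunkRetriever(Retriever):
    """The fake retriever from the reply: hands back a CRL whose signature fails."""
    def get_crl(self, cert, location):
        return CRL(signature_ok=False, revoked=frozenset())


class GoodRetriever(Retriever):
    def __init__(self, revoked):
        self.revoked = frozenset(revoked)

    def get_crl(self, cert, location):
        return CRL(signature_ok=True, revoked=self.revoked)


@dataclass
class Validator:
    """Minimal model of the CRL part of a certificate validator (constructed, not the real API)."""
    mandatory_crl_check: bool = False
    default_retriever: Retriever = field(default_factory=UnreachableRetriever)
    # OnCRLError analogue: (cert, location, code); fires on every failure regardless of the flag
    on_crl_error: Optional[Callable[[Cert, str, int], None]] = None
    # OnBeforeCRLRetrieverUse analogue: return a retriever to override the default for a location
    before_retriever_use: Optional[Callable[[Cert, str], Optional[Retriever]]] = None

    def validate(self, cert: Cert) -> Validity:
        loc = cert.crl_url
        override = self.before_retriever_use(cert, loc) if self.before_retriever_use else None
        crl = (override or self.default_retriever).get_crl(cert, loc)
        if crl is None:
            return self._fail(cert, loc, CRL_ERROR_RETRIEVER_FAILED)
        if not crl.signature_ok:
            return self._fail(cert, loc, CRL_ERROR_VALIDATION_FAILED)
        if cert.serial in crl.revoked:
            self._fire(cert, loc, CRL_ERROR_CERT_REVOKED)
            return Validity.INVALID  # a real revocation is never softened by the flag
        return Validity.OK

    def _fire(self, cert, loc, code):
        if self.on_crl_error:
            self.on_crl_error(cert, loc, code)

    def _fail(self, cert, loc, code) -> Validity:
        self._fire(cert, loc, code)  # the event fires first, in both modes
        return Validity.INVALID if self.mandatory_crl_check else Validity.OK


def run_scenarios() -> dict:
    """Returns {scenario: (validity, [error codes seen by the handler])}."""
    cert = Cert(serial=42, crl_url="http://crl.example.test/ca.crl")  # constructed sample
    results = {}

    def run(name, validator):
        seen: List[int] = []
        validator.on_crl_error = lambda c, loc, code: seen.append(code)  # log only, never raise
        results[name] = (validator.validate(cert), seen)

    run("unreachable,soft", Validator(mandatory_crl_check=False))
    run("unreachable,hard", Validator(mandatory_crl_check=True))
    # Inject the junk retriever for one location only, as the reply suggests
    run("junk,soft", Validator(mandatory_crl_check=False, default_retriever=GoodRetriever([]),
        before_retriever_use=lambda c, loc: JunkRetriever() if loc == cert.crl_url else None))
    run("revoked", Validator(default_retriever=GoodRetriever([42])))
    run("good", Validator(default_retriever=GoodRetriever([7])))
    return results


if __name__ == "__main__":
    for name, (validity, codes) in run_scenarios().items():
        print(f"{name:18} -> {validity.value:10} errors={codes}")
```

The handler passed to the validator only appends the code to a list; it never raises, and the verdict is read from the return value of validate, which mirrors reading Validity in OnAfterCertificateValidation rather than treating an OnCRLError call as the decision.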
#34149
Posted: 07/29/2015 10:52:54
by Mickaël Bénès (Standard support level)
Joined: 02/26/2013
Posts: 74

OK I misunderstood the mandatory story. Thanks for the explanation and for the solution to test my issue.