CRL not verified (revisited)

#35617
Posted: 01/20/2016 03:00:08
by ingbabic  (Standard support level)
Joined: 09/27/2011
Posts: 114

Hi,
While signing a sample PDF document at a customer site I get the following log:
Quote

Starting validation of the certificate: /C=**/O=***/L=***/CN=***/SN=*** / /C=**/O=**/OU=**
Starting certificate validation: /C=**/O=**/L=**/CN=**/ /C=**/O=**/OU=***
Will be retrieving CRL response for certificate: /C=**/O=***/L=***/CN=***/SN=*** / /C=**/O=**/OU=**, location: C=**,O=***,OU=**,CN=**
Will be retrieving CRL response for certificate: /C=**/O=**/L=**/CN=**/SN=** / /C=**/O=**/OU=**, location: ldap://demo-ldap.***/ou=***,o=***,c=**?certificateRevocationList%3Bbinary
Will be retrieving CRL response for certificate: /C=**/O=***/L=***/CN=***/SN=*** / /C=**/O=**/OU=***, location: http://demo-pki.***/crl/democa.crl
Will be retrieving CRL response for certificate: /C=**/O=***/L=***/CN=***/SN=*** / /C=**/O=***/OU=**, location: C=**,O=**,OU=**
CRL needed for certificate: /C=**/O=***/L=**/CN=***/SN=** / /C=**/O=**/OU=**
Encountered CRL error when validating certificate: /C=**/O=**/L=**/CN=***/SN=** / /C=**/O=**/OU=**, location: , error: 1004
Certificate validation completed for certificate: /C=**/O=***/L=**/CN=**/SN=*** / /C=**/O=**/OU=**. Validity: cvInvalid, Reason: 128
Starting certificate validation: /C=**/O=**/OU=** / /C=**/O=**/OU=*
Will be retrieving CRL response for certificate: /C=**/O=***/OU=DEMO / /C=**/O=***/OU=DEMO, location: C=**,O=***,OU=DEMO,CN=CRL1
Will be retrieving CRL response for certificate: /C=**/O=***/OU=DEMO / /C=**/O=***/OU=DEMO, location: C=**,O=***,OU=DEMO
CRL needed for certificate: /C=**/O=***/OU=DEMO / /C=**/O=***/OU=DEMO
Encountered CRL error when validating certificate: /C=**/O=***/OU=DEMO / /C=**/O=***/OU=DEMO, location: , error: 1004
Certificate validation completed for certificate: /C=**/O=***/OU=DEMO / /C=**/O=***/OU=DEMO. Validity: cvInvalid, Reason: 128
Exception thrown: 'SBPAdES.EElPDFAdvancedPublicKeySecurityHandlerError' in SecureBlackbox.PKIPDF.dll
Finished validation of the certificate: /C=**/O=***/L=**/CN=**/SN=*** / /C=**/O=***/OU=DEMO, validity: cvChainUnvalidated, reason: 256
Starting certificate validation (CN=***)
Certificate is explicitly trusted
Checking validity period
Checking CA certificate extensions
Running revocation check
Revocation check preference: CRL and OCSP
Starting certificate CRL check (CN=***) (at 7:41:23)
We are configured to look for implicit DPs if no CRL distribution points are available
Retrieving CRLs...
Processing distribution point #1
Looking for the CRL in the cache
Retrieving CRL from C=**,O=***,OU=DEMO,CN=CRL15
Processing distribution point #2
Looking for the CRL in the cache
Retrieving CRL from ldap://demo-ldap.***/ou=DEMO,O=***,C=**?certificateRevocationList%3Bbinary
Looking for the CRL in the cache
Retrieving CRL from http://demo-pki.***/crl/democa.crl
Processing distribution point #3
Looking for the CRL in the cache
Retrieving CRL from C=**,O=***,OU=DEMO
No CRLs have been successfully retrieved
Validating the CRLs we've downloaded (0)
CRL check completed for certificate (CN=***), general validity: VALID, general reason: CRL not verified, CRL exists: True
Failed to retrieve adequate revocation information
Revocation check completed
Certificate validation finished (CN=***), general validity: INVALID, general reason: CRL not verified
Starting certificate validation (CN=)
Certificate is explicitly trusted
Checking validity period
Certificate is self-signed or trusted, no chain validation will be performed
Certificate is self-signed and is a CA for itself
Certificate signature is OK
Running revocation check
Revocation check preference: CRL and OCSP
Starting certificate CRL check (CN=) (at 7:41:23)
We are configured to look for implicit DPs if no CRL distribution points are available
Retrieving CRLs...
Processing distribution point #1
Looking for the CRL in the cache
Retrieving CRL from C=**,O=***,OU=DEMO,CN=CRL1
Processing distribution point #2
Looking for the CRL in the cache
Retrieving CRL from C=**,O=***,OU=DEMO
No CRLs have been successfully retrieved
Validating the CRLs we've downloaded (0)
CRL check completed for certificate (CN=), general validity: VALID, general reason: CRL not verified, CRL exists: True
Failed to retrieve adequate revocation information
Revocation check completed
Certificate validation finished (CN=), general validity: INVALID, general reason: CRL not verified

As far as I can see, the problem is that the CRL could not be downloaded. When I tried with:
Code
// Stand-alone HTTP CRL retriever, fed the HTTP distribution point taken from the log above
SBHTTPCRL.TElHTTPCRLRetriever httpRetriever = new SBHTTPCRL.TElHTTPCRLRetriever();
// cert = the signing certificate, caCert = its issuer; GetCRL came back null here, with no exception
SBCRL.TElCertificateRevocationList crl = httpRetriever.GetCRL(cert, caCert, SBX509Ext.TSBGeneralName.gnUniformResourceIdentifier, "http://demo-pki.***/crl/democa.crl");

with the HTTP address taken from the log, I get crl == null (no exception thrown). When I try the same address from IE, the CRL file downloads normally. All IgnoreCA* options are set to true in CertValidator, and MandatoryCRL and the OCSP check are set to false. Please help.
#35621
Posted: 01/20/2016 04:36:10
by ingbabic  (Standard support level)
Joined: 09/27/2011
Posts: 114

After further analysis at the client side I found out that, for internet access, they are using a configuration script in which they define proxy servers for addresses from the local network. They gave me the proxy server information and I set the following in CertValidator_OnBeforeCRLRetrieverUse:
Code
private static void CertValidator_OnBeforeCRLRetrieverUse(object Sender, TElX509Certificate Certificate, TElX509Certificate CACertificate, SBX509Ext.TSBGeneralName NameType, string Location, ref SBCRLStorage.TElCustomCRLRetriever Retriever)
{
    // Only the HTTP retriever goes through the proxy; LDAP and DN-based locations are left alone
    if (Retriever is SBHTTPCRL.TElHTTPCRLRetriever)
    {
        var httpRetriever = (SBHTTPCRL.TElHTTPCRLRetriever)Retriever;
        httpRetriever.HTTPClient.UseHTTPProxy = true;
        httpRetriever.HTTPClient.HTTPProxyHost = "***.prod.***.local";  // proxy from the customer's configuration script
        httpRetriever.HTTPClient.HTTPProxyPort = 8080;
    }
    System.Diagnostics.Debug.WriteLine("Will be retrieving CRL response for certificate: " + Certificate.SubjectRDN.SaveToDNString() + " / " + Certificate.IssuerRDN.SaveToDNString() + ", location: " + Location);
}

but it did not help
#35623
Posted: 01/20/2016 04:56:08
by Vsevolod Ievgiienko (EldoS Corp.)

Thank you for contacting us.

Please try to assign TElHTTPSClient.OnReceivingHeaders and TElHTTPSClient.OnPreparedHeaders event handlers to the HTTP client inside CertValidator_OnBeforeCRLRetrieverUse to dump outgoing and incoming HTTP headers; this should give us more information about the data exchange and may highlight the reason for the problem.
#35627
Posted: 01/20/2016 05:38:47
by ingbabic  (Standard support level)
Joined: 09/27/2011
Posts: 114

Hi Ievgiienko
After dumping headers I saw following:
Quote

HTTPClient_OnPreparedHeaders:
GET http://demo-pki.*/crl/democa.crl HTTP/1.0
Host: demo-pki.*
User-Agent: SecureBlackbox
Accept-Encoding: gzip, deflate
Connection: keep-alive
HTTPClient_OnReceivingHeaders:
HTTP/1.1 407 Proxy Authentication Required
Content-type: text/plain
Content-Length: 1935
Proxy-connection: keep-alive
Proxy-Authenticate: NTLM
Proxy-Authenticate: Basic realm="* Web Gateway"

I guess I need to set HTTPProxyUsername and HTTPProxyPassword?
#35628
Posted: 01/20/2016 05:43:01
by Vsevolod Ievgiienko (EldoS Corp.)

Yes, exactly. You should also set HTTPProxyAuthentication to the SBSocket.Unit.wtaNTLM value.
#35631
Posted: 01/20/2016 08:32:52
by ingbabic  (Standard support level)
Joined: 09/27/2011
Posts: 114

The client told me that we must use the credentials of the currently logged-on user. After setting the following in BeforeCRLRetriever:
Code
private static void CertValidator_OnBeforeCRLRetrieverUse(object Sender, TElX509Certificate Certificate, TElX509Certificate CACertificate, SBX509Ext.TSBGeneralName NameType, string Location, ref SBCRLStorage.TElCustomCRLRetriever Retriever)
{
    if (Retriever is SBHTTPCRL.TElHTTPCRLRetriever)
    {
        var httpRetriever = (SBHTTPCRL.TElHTTPCRLRetriever)Retriever;
        httpRetriever.HTTPClient.UseHTTPProxy = true;
        httpRetriever.HTTPClient.HTTPProxyHost = "****.****.*****.local";
        httpRetriever.HTTPClient.HTTPProxyPort = 8080;
        httpRetriever.HTTPClient.HTTPProxyAuthentication = SBSocket.Unit.wtaNTLM;  // answer the proxy's NTLM challenge
        // Dump outgoing and incoming headers so the exchange with the proxy becomes visible
        httpRetriever.HTTPClient.OnPreparedHeaders += HTTPClient_OnPreparedHeaders;
        httpRetriever.HTTPClient.OnReceivingHeaders += HTTPClient_OnReceivingHeaders;
    }
    System.Diagnostics.Debug.WriteLine("Will be retrieving CRL response for certificate: " + Certificate.SubjectRDN.SaveToDNString() + " / " + Certificate.IssuerRDN.SaveToDNString() + ", location: " + Location);
}

I got the following extended log:
Quote

Will be retrieving CRL response for certificate: /C=**/O=****/L=***/CN=*** ***/SN=*** / /C=**/O=**/OU=DEMO, location: C=**,O=**,OU=DEMO,CN=CRL15
Will be retrieving CRL response for certificate: /C=**/O=****/L=***/CN=*** ***/SN=*** / /C=**/O=**/OU=DEMO, location: ldap://demo-ldap.****.**/ou=DEMO,O=**,C=**?certificateRevocationList%3Bbinary
Will be retrieving CRL response for certificate: /C=**/O=****/L=***/CN=*** ***/SN=*** / /C=**/O=**/OU=DEMO, location: http://demo-pki.****.**/crl/democa.crl
HTTPClient_OnPreparedHeaders:
GET http://demo-pki.****.**/crl/democa.crl HTTP/1.0
Host: demo-pki.****.**
User-Agent: SecureBlackbox
Accept-Encoding: gzip, deflate
Connection: keep-alive
HTTPClient_OnReceivingHeaders:
HTTP/1.1 407 Proxy Authentication Required
Content-type: text/plain
Content-Length: 1935
Proxy-connection: keep-alive
Proxy-Authenticate: NTLM
Proxy-Authenticate: Basic realm="APIS IT Web Gateway"
HTTPClient_OnPreparedHeaders:
GET http://demo-pki.****.**/crl/democa.crl HTTP/1.0
Host: demo-pki.****.**
User-Agent: SecureBlackbox
Accept-Encoding: gzip, deflate
Connection: keep-alive
Proxy-Authorization: NTLM TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAA............................
HTTPClient_OnReceivingHeaders:
HTTP/1.1 407 Proxy Authentication Required
proxy-authenticate: NTLM TlRMTVNTUAACAAAACgAKADAAAAAVgonim4+MUi2b.........................
content-type: text/plain
proxy-connection: keep-alive
content-length: 15
HTTPClient_OnPreparedHeaders:
GET http://demo-pki.****.**/crl/democa.crl HTTP/1.0
Host: demo-pki.****.**
User-Agent: SecureBlackbox
Accept-Encoding: gzip, deflate
Connection: keep-alive
Proxy-Authorization: NTLM TlRMTVNTUAADAAAAAQABAGQAAAAAAAAAZQAAAAAAAABYAAAAAAAAAFgAAAAMAA..........................
HTTPClient_OnReceivingHeaders:
HTTP/1.1 407 Proxy Authentication Required
proxy-authenticate: NTLM
content-type: text/plain
proxy-connection: keep-alive
content-length: 15
HTTPClient_OnPreparedHeaders:
GET http://demo-pki.****.**/crl/democa.crl HTTP/1.0
Host: demo-pki.****.**
User-Agent: SecureBlackbox
Accept-Encoding: gzip, deflate
Connection: keep-alive
Proxy-Authorization: NTLM TlRMTVNTUAABAAAAl4II4gAA...................
HTTPClient_OnReceivingHeaders:
HTTP/1.1 407 Proxy Authentication Required
proxy-authenticate: NTLM TlRMTVNTUAACAAAACgAKADAAAAAVgoniXUTWQO7S5yMAAAAAAAAAADYANgA............
content-type: text/plain
proxy-connection: keep-alive
content-length: 15
Will be retrieving CRL response for certificate: /C=**/O=****/L=***/CN=*** ***/SN=*** / /C=**/O=**/OU=DEMO, location: C=**,O=**,OU=DEMO
CRL needed for certificate: /C=**/O=****/L=***/CN=*** ***/SN=*** / /C=**/O=**/OU=DEMO
Encountered CRL error when validating certificate: /C=**/O=****/L=***/CN=*** ***/SN=*** / /C=**/O=**/OU=DEMO, location: , error: 1004
Certificate validation completed for certificate: /C=**/O=****/L=***/CN=*** ***/SN=*** / /C=**/O=**/OU=DEMO. Validity: cvInvalid, Reason: 128
Starting certificate validation: /C=**/O=**/OU=DEMO / /C=**/O=**/OU=DEMO
Will be retrieving CRL response for certificate: /C=**/O=**/OU=DEMO / /C=**/O=**/OU=DEMO, location: C=**,O=**,OU=DEMO,CN=CRL1
Will be retrieving CRL response for certificate: /C=**/O=**/OU=DEMO / /C=**/O=**/OU=DEMO, location: C=**,O=**,OU=DEMO
CRL needed for certificate: /C=**/O=**/OU=DEMO / /C=**/O=**/OU=DEMO
Encountered CRL error when validating certificate: /C=**/O=**/OU=DEMO / /C=**/O=**/OU=DEMO, location: , error: 1004
Certificate validation completed for certificate: /C=**/O=**/OU=DEMO / /C=**/O=**/OU=DEMO. Validity: cvInvalid, Reason: 128
Exception thrown: 'SBPAdES.EElPDFAdvancedPublicKeySecurityHandlerError' in SecureBlackbox.PKIPDF.dll
Finished validation of the certificate: /C=**/O=****/L=***/CN=*** ***/SN=*** / /C=**/O=**/OU=DEMO, validity: cvChainUnvalidated, reason: 256
Starting certificate validation (CN=*** ***)
Certificate is explicitly trusted
Checking validity period
Checking CA certificate extensions
Running revocation check
Revocation check preference: CRL and OCSP
Starting certificate CRL check (CN=*** ***) (at 13:16:25)
We are configured to look for implicit DPs if no CRL distribution points are available
Retrieving CRLs...
Processing distribution point #1
Looking for the CRL in the cache
Retrieving CRL from C=**,O=**,OU=DEMO,CN=CRL15
Processing distribution point #2
Looking for the CRL in the cache
Retrieving CRL from ldap://demo-ldap.****.**/ou=DEMO,O=**,C=**?certificateRevocationList%3Bbinary
Looking for the CRL in the cache
Retrieving CRL from http://demo-pki.****.**/crl/democa.crl
Processing distribution point #3
Looking for the CRL in the cache
Retrieving CRL from C=**,O=**,OU=DEMO
No CRLs have been successfully retrieved
Validating the CRLs we've downloaded (0)
CRL check completed for certificate (CN=*** ***), general validity: VALID, general reason: CRL not verified, CRL exists: True
Failed to retrieve adequate revocation information
Revocation check completed
Certificate validation finished (CN=*** ***), general validity: INVALID, general reason: CRL not verified
Starting certificate validation (CN=)
Certificate is explicitly trusted
Checking validity period
Certificate is self-signed or trusted, no chain validation will be performed
Certificate is self-signed and is a CA for itself
Certificate signature is OK
Running revocation check
Revocation check preference: CRL and OCSP
Starting certificate CRL check (CN=) (at 13:16:25)
We are configured to look for implicit DPs if no CRL distribution points are available
Retrieving CRLs...
Processing distribution point #1
Looking for the CRL in the cache
Retrieving CRL from C=**,O=**,OU=DEMO,CN=CRL1
Processing distribution point #2
Looking for the CRL in the cache
Retrieving CRL from C=**,O=**,OU=DEMO
No CRLs have been successfully retrieved
Validating the CRLs we've downloaded (0)
CRL check completed for certificate (CN=), general validity: VALID, general reason: CRL not verified, CRL exists: True
Failed to retrieve adequate revocation information
Revocation check completed
Certificate validation finished (CN=), general validity: INVALID, general reason: CRL not verified
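The dump above shows the NTLM handshake stopping one leg short: the client sends a NEGOTIATE (type 1), the proxy answers 407 with a CHALLENGE (type 2), the client sends an AUTHENTICATE (type 3), and the proxy answers 407 again with a bare NTLM, i.e. it rejected the AUTHENTICATE and the client starts over. The visible prefix of that type 3 message decodes (NTLMSSP signature, message type 3, then the field triples) to a zero-length user name and a zero-length NT response, which is what an anonymous NTLM attempt from a client holding no credentials looks like. The Python below is an added example, not part of this thread and not SecureBlackbox code: it builds constructed NTLM messages of all three types, parses a header dump of the same shape (hypothetical host crl.example.test, made-up proxy target name and challenge) and reports at which leg the handshake stopped and why.

```python
"""Decode the NTLM messages of a Proxy-Authorization/Proxy-Authenticate dump like the one above."""
import base64
import struct

NTLMSSP = b"NTLMSSP\x00"

def build_ntlm(mtype, flags, **kw):
    """Assemble a minimal NEGOTIATE (1), CHALLENGE (2) or AUTHENTICATE (3) message, base64-encoded.
    A "field" becomes a (len, maxlen, offset) triple in the fixed header; its bytes go into the payload."""
    u16 = lambda s: s.encode("utf-16-le")
    f = struct.pack("<I", flags)
    if mtype == 1:    # flags, domain, workstation
        layout = [("raw", f), ("field", b""), ("field", b"")]
    elif mtype == 2:  # target name, flags, 8-byte server challenge, reserved, target info
        layout = [("field", u16(kw["target"])), ("raw", f), ("raw", kw["challenge"]), ("raw", bytes(8)), ("field", b"")]
    else:             # LM response, NT response, domain, user, workstation, session key, flags
        layout = [("field", kw["lm"]), ("field", kw["nt"]), ("field", u16(kw["domain"])),
                  ("field", u16(kw["user"])), ("field", u16(kw["workstation"])), ("field", b""), ("raw", f)]
    hdr_len = 12 + sum(8 if k == "field" else len(v) for k, v in layout)
    header = payload = b""
    for kind, v in layout:
        if kind == "field":
            header += struct.pack("<HHI", len(v), len(v), hdr_len + len(payload))
            payload += v
        else:
            header += v
    return base64.b64encode(NTLMSSP + struct.pack("<I", mtype) + header + payload).decode()

def _string(buf, off, unicode):
    """Return the string referenced by the (len, maxlen, offset) triple at buf[off]."""
    length, _maxlen, offset = struct.unpack_from("<HHI", buf, off)
    return buf[offset:offset + length].decode("utf-16-le" if unicode else "latin-1")

def parse_ntlm(b64):
    """Decode one base64 NTLM message into the fields that matter for diagnosis."""
    buf = base64.b64decode(b64)
    if buf[:8] != NTLMSSP:
        raise ValueError("not an NTLMSSP message")
    mtype = struct.unpack_from("<I", buf, 8)[0]
    info = {"type": mtype, "flags": struct.unpack_from("<I", buf, {1: 12, 2: 20, 3: 60}[mtype])[0]}
    unicode = bool(info["flags"] & 0x1)  # NTLMSSP_NEGOTIATE_UNICODE: payload strings are UTF-16LE
    if mtype == 2:
        info["target"] = _string(buf, 12, unicode)
        info["challenge"] = buf[24:32].hex()
    elif mtype == 3:
        info["nt_len"] = struct.unpack_from("<H", buf, 20)[0]  # length of the NT response
        info["domain"] = _string(buf, 28, unicode)
        info["user"] = _string(buf, 36, unicode)
    return info

def parse_dump(text):
    """Split an OnPreparedHeaders/OnReceivingHeaders dump into request/response pairs."""
    exchanges, mode = [], None
    for line in (l.strip() for l in text.splitlines()):
        if line == "HTTPClient_OnPreparedHeaders:":
            exchanges.append({"req": [], "resp": []})
            mode = "req"
        elif line == "HTTPClient_OnReceivingHeaders:":
            mode = "resp"
        elif line and mode:
            exchanges[-1][mode].append(line)
    return exchanges

def _header(lines, name):
    # All values of header `name` in a block; names matched case-insensitively, as they appear in the dump
    return [l.split(":", 1)[1].strip() for l in lines if l.lower().startswith(name.lower() + ":")]

def diagnose(text):
    """One verdict per request/response pair: which NTLM leg was reached and whether it failed."""
    verdicts = []
    for ex in parse_dump(text):
        status = ex["resp"][0].split(" ", 2)[1] if ex["resp"] else "?"
        offered = _header(ex["resp"], "Proxy-Authenticate")
        sent = [v for v in _header(ex["req"], "Proxy-Authorization") if v.upper().startswith("NTLM ")]
        m = parse_ntlm(sent[0].split(" ", 1)[1]) if sent else None
        if m is None:
            verdict = f"{status}: no credentials sent; proxy offers " + ", ".join(v.split(" ")[0] for v in offered)
        elif m["type"] == 1:
            chal = [v for v in offered if v.upper().startswith("NTLM ")]
            c = parse_ntlm(chal[0].split(" ", 1)[1]) if chal else None
            verdict = (f"{status}: NEGOTIATE answered with CHALLENGE from {c['target']!r}, server challenge {c['challenge']}"
                       if c else f"{status}: NEGOTIATE got no CHALLENGE back")
        else:
            who = f"user {m['user']!r}, domain {m['domain']!r}, nt_len={m['nt_len']}"
            if status != "407":
                verdict = f"{status}: AUTHENTICATE accepted; {who}"
            elif not m["user"] and m["nt_len"] == 0:
                verdict = f"407: AUTHENTICATE rejected, anonymous (empty user, no NT response); {who}"
            else:
                verdict = f"407: AUTHENTICATE rejected, credentials not accepted; {who}"
        verdicts.append(verdict)
    return verdicts

def sample_dump():
    """Constructed dump shaped like the post's: hypothetical host, made-up NTLM messages."""
    get = "HTTPClient_OnPreparedHeaders:\nGET http://crl.example.test/democa.crl HTTP/1.0\nHost: crl.example.test\n"
    deny = "HTTPClient_OnReceivingHeaders:\nHTTP/1.1 407 Proxy Authentication Required\n"
    t1 = build_ntlm(1, 0xE2088297)
    t2 = build_ntlm(2, 0xE2898915, target="PROXY", challenge=bytes(range(1, 9)))
    anon = build_ntlm(3, 0xE2088215, lm=b"\x00", nt=b"", domain="", user="", workstation="WS1")
    user = build_ntlm(3, 0xE2088215, lm=bytes(24), nt=bytes(24), domain="CORP", user="alice", workstation="WS1")
    return (get + deny + 'Proxy-Authenticate: NTLM\nProxy-Authenticate: Basic realm="Web Gateway"\n'
            + get + f"Proxy-Authorization: NTLM {t1}\n" + deny + f"proxy-authenticate: NTLM {t2}\n"
            + get + f"Proxy-Authorization: NTLM {anon}\n" + deny + "proxy-authenticate: NTLM\n"
            + get + f"Proxy-Authorization: NTLM {user}\n"
            + "HTTPClient_OnReceivingHeaders:\nHTTP/1.1 200 OK\nContent-Type: application/pkix-crl\n")
```

diagnose(sample_dump()) returns one verdict per exchange: the unauthenticated request, the NEGOTIATE/CHALLENGE leg, an anonymous AUTHENTICATE that the proxy rejects with 407, and a fourth, successful exchange with a real user name added to show the contrast. To run it over a real dump from the OnPreparedHeaders/OnReceivingHeaders handlers, paste the lines verbatim; the base64 values must be complete, not truncated as in the quote above, and the verdict for the type 3 leg then tells you whether the proxy ever saw a user name at all.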
#35634
Posted: 01/20/2016 10:17:46
by ingbabic  (Standard support level)
Joined: 09/27/2011
Posts: 114

I also set
Code
httpRetriever.HTTPClient.UseNTLMAuth = true;

But that didn't help either. What else could I do? The client's administrators said that my application has to use the local user's credentials.
#35639
Posted: 01/21/2016 07:30:52
by ingbabic  (Standard support level)
Joined: 09/27/2011
Posts: 114

Any thoughts?
#35640
Posted: 01/21/2016 07:38:24
by Vsevolod Ievgiienko (EldoS Corp.)

Please try to specify login and password explicitly via ((SBHTTPCRL.TElHTTPCRLRetriever)Retriever).HTTPClient.RequestParameters.Username and ((SBHTTPCRL.TElHTTPCRLRetriever)Retriever).HTTPClient.RequestParameters.Password properties and check if this helps.
#35641
Posted: 01/21/2016 08:04:20
by ingbabic  (Standard support level)
Joined: 09/27/2011
Posts: 114

Hi Ievgiienko
I really tried, but they don't want to give me any password. I know it is possible to use the .NET HTTPClient over a proxy without giving any passwords, even without setting which proxy to use. It somehow just uses the system settings.