CRL not verified (revisited)

#35687
Posted: 01/25/2016 13:24:24
by Eugene Mayevski (EldoS Corp.)

You need to implement your own CRL retriever class, which would be a descendant of TElCustomCRLRetriever, and use the system (.NET) HTTPWebRequest class.

CertValidator sample in SecureBlackbox\Samples\C#\PKIBlackbox directory contains an example class which can be used as a template for creating your custom retriever. This sample also shows how to plug such custom retriever to the certificate validator.


Sincerely yours
Eugene Mayevski
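An added example (not the page's or EldoS's code) of the retriever class described above: it fetches the CRL with HttpWebRequest through an explicitly configured proxy and hands the bytes to the library. The SecureBlackbox namespaces, the GetCRL override signature, the TSBGeneralName enum value and the TElCertificateRevocationList constructor are recalled from memory and should be checked against the CertValidator sample; registering the retriever with the validator is shown in that sample and is omitted here.

```csharp
using System;
using System.IO;
using System.Net;
using SBCRL;     // TElCustomCRLRetriever, TElCertificateRevocationList (namespace assumed)
using SBX509;    // TElX509Certificate (namespace assumed)
using SBX509Ext; // TSBGeneralName (namespace assumed)
// Custom CRL retriever that downloads CRLs with the .NET HTTP stack, so a corporate proxy
// and its credentials can be configured explicitly instead of relying on defaults.
public class ProxyAwareHttpCRLRetriever : TElCustomCRLRetriever
{
    private readonly IWebProxy proxy;
    // e.g. new WebProxy("http://proxy.internal:8080") { UseDefaultCredentials = true }
    public ProxyAwareHttpCRLRetriever(IWebProxy proxy) { this.proxy = proxy; }
    // Override signature and enum name recalled from the SecureBlackbox API; confirm them
    // against the retriever class in the CertValidator sample before use.
    public override TElCertificateRevocationList GetCRL(TElX509Certificate Certificate,
        TElX509Certificate CACertificate, TSBGeneralName NameType, string Location)
    {
        // Handle only http(s) URIs; ldap:// and directory-name access points are left to
        // whatever other retriever is registered (or get logged as unsupported).
        if (NameType != TSBGeneralName.gnUniformResourceIdentifier ||
            !Location.StartsWith("http", StringComparison.OrdinalIgnoreCase))
            return null;
        byte[] der = DownloadCrl(Location, proxy);
        if (der == null) return null;            // validator then reports no CRL retrieved
        var crl = new TElCertificateRevocationList();   // constructor form assumed
        crl.LoadFromBuffer(der);
        return crl;
    }
    // Plain .NET download; nothing here depends on SecureBlackbox.
    public static byte[] DownloadCrl(string url, IWebProxy proxy)
    {
        var req = (HttpWebRequest)WebRequest.Create(url);
        req.Proxy = proxy;
        req.Timeout = 10000;              // a hanging CRL fetch must not stall the signing job
        req.AllowAutoRedirect = false;    // do not follow a proxy redirect to a login/portal page
        try
        {
            using (var resp = (HttpWebResponse)req.GetResponse())
            using (var ms = new MemoryStream())
            {
                if (resp.StatusCode != HttpStatusCode.OK) return null;
                resp.GetResponseStream().CopyTo(ms);
                byte[] data = ms.ToArray();
                // A DER-encoded CRL starts with a SEQUENCE tag (0x30); an HTML error page does not.
                return (data.Length > 0 && data[0] == 0x30) ? data : null;
            }
        }
        catch (WebException) { return null; }
    }
}
```

Returning null from GetCRL lets the validator fall through to its other retrievers and to the mandatory-check settings discussed later in the thread, rather than treating a proxy error page as a CRL.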
#35720
Posted: 01/27/2016 08:24:11
by ingbabic (Standard support level)
Joined: 09/27/2011
Posts: 114

I have made a custom CRL HTTP retriever and it showed the same behavior. Then I made some more tests and noticed a strange thing.
Currently I am testing this in my company and we do not have any proxy for the Internet. If I go only with the default HTTP CRL retriever (or the custom HTTP retriever), the signing process fails with the message "Chain validation failed". But if I use the LDAP retriever then the signing process passes well. What could be the reason?
#35721
Posted: 01/27/2016 08:31:00
by Vsevolod Ievgiienko (EldoS Corp.)

The reason could be that one of the needed CRLs is available only via the LDAP protocol, but not via HTTP.
#35724
Posted: 01/27/2016 09:16:52
by ingbabic (Standard support level)
Joined: 09/27/2011
Posts: 114

Hi Ievgiienko,
But if I set IgnoreChainValidationErrors to true and set only the HTTP CRL retriever, the document is signed well. Adobe Reader says that the document is signed and all signatures are valid. Even the revocation information says that:
The selected certificate is considered valid because it does not appear in the Certificate Revocation List (CRL) that is embedded in the signature.

The CRL was signed by "***" on 2015/12/31 10:04:06 +01'00' and is valid until 2017/12/31 10:04:06 +01'00'.

Click Signer Details to get more information on the source of the revocation information.
#35729
Posted: 01/27/2016 10:35:43
by Ken Ivanov (EldoS Corp.)

Chain validation may fail for a number of reasons, and not necessarily due to that particular CRL. We came across scenarios where CRLs for the same certificate published via HTTP and LDAP were in fact issued by different CA certificates, with one's chain ending up with a trusted certificate and the other's not.

Validation results given by Adobe and TElX509CertificateValidator may also differ due to different trust settings. For example, the chain validation failed exception you are receiving from the validator might be thrown due to an untrusted root certificate. Adobe, in turn, might have that very root certificate in its own trusted list.

We always suggest starting the investigation of validation issues by looking into the log created by the TElX509CertificateValidator object. It often helps to identify the exact problematic element and find out what's wrong with it.

Ken
#35732
Posted: 01/27/2016 13:39:59
by ingbabic (Standard support level)
Joined: 09/27/2011
Posts: 114

I saw one interesting row in the extended logger log, when the HTTP CRL Retriever was turned on:
Quote
Access point type not supported/disabled


Here is the whole log:
Quote

Starting certificate validation (CN=*** ***)
Checking validity period
Checking CA certificate extensions
Running revocation check
Revocation check preference: CRL and OCSP
Starting certificate CRL check (CN=*** ***) (at 18.34.22)
We are configured to look for implicit DPs if no CRL distribution points are available
Retrieving CRLs...
Processing distribution point #1
Looking for the CRL in the cache
Access point type not supported/disabled
Processing distribution point #2
Looking for the CRL in the cache
Access point type not supported/disabled
Looking for the CRL in the cache
Retrieving CRL from http://demo-pki.***.**/crl/democa.crl
Processing distribution point #3
Looking for the CRL in the cache
Access point type not supported/disabled
No CRLs have been successfully retrieved
Validating the CRLs we've downloaded (0)
CRL check completed for certificate (CN=*********), general validity: VALID, general reason: CRL not verified, CRL exists: True
Failed to retrieve adequate revocation information
Revocation check completed
Certificate validation finished (CN=*** ***), general validity: INVALID, general reason: CRL not verified
Starting certificate validation (CN=)
Certificate is explicitly trusted
Checking validity period
Certificate is self-signed or trusted, no chain validation will be performed
Certificate is self-signed and is a CA for itself
Certificate signature is OK
Running revocation check
Revocation check preference: CRL and OCSP
Starting certificate CRL check (CN=) (at 18.34.22)
We are configured to look for implicit DPs if no CRL distribution points are available
Retrieving CRLs...
Processing distribution point #1
Looking for the CRL in the cache
Access point type not supported/disabled
Processing distribution point #2
Looking for the CRL in the cache
Access point type not supported/disabled
No CRLs have been successfully retrieved
Validating the CRLs we've downloaded (0)
CRL check completed for certificate (CN=), general validity: VALID, general reason: CRL not verified, CRL exists: True
Failed to retrieve adequate revocation information
Revocation check completed
Certificate validation finished (CN=), general validity: INVALID, general reason: CRL not verified

What does this mean?
#35733
Posted: 01/27/2016 16:36:01
by Ken Ivanov (EldoS Corp.)

First of all, please set the validator's LookupCRLByNameIfDPNotPresent property to false. It may affect certain incorrectly maintained certificate infrastructures.

A log message 'Access point type not supported/disabled' means that the validator can't obtain the CRL from a certain location as it doesn't know how to handle it (for example, if the location points to an ldap:// service and the LDAP retriever has not been registered). Often you may ignore this message if your validator is configured to only retrieve a reasonable amount of validation elements and not all available:

MandatoryCRLCheck = false;
MandatoryOCSPCheck = false;
MandatoryRevocationCheck = true;

Ken
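An added triage helper (not from the thread or from EldoS) that applies the reading of the log given above: it walks a validator log and, per certificate, counts the distribution points skipped as unsupported versus the URLs actually fetched, separating "no retriever registered for that access type" from "the HTTP fetch itself returned nothing". The sample log is constructed from the redacted one quoted earlier; demo-pki.example is a placeholder host.

```csharp
using System;
using System.Collections.Generic;
using System.Text.RegularExpressions;
// Triage helper for a TElX509CertificateValidator log: per certificate, how many CRL
// distribution points were skipped as unsupported, which URLs were actually fetched,
// and the final reason. SampleLog is constructed from the (redacted) log in this thread.
public static class CrlLogTriage
{
    public const string SampleLog =
        "Starting certificate validation (CN=Test Signer)\n" +
        "Running revocation check\n" +
        "Processing distribution point #1\n" +
        "Access point type not supported/disabled\n" +
        "Processing distribution point #2\n" +
        "Access point type not supported/disabled\n" +
        "Retrieving CRL from http://demo-pki.example/crl/democa.crl\n" +
        "Processing distribution point #3\n" +
        "Access point type not supported/disabled\n" +
        "No CRLs have been successfully retrieved\n" +
        "Certificate validation finished (CN=Test Signer), general validity: INVALID, general reason: CRL not verified\n";

    public static void Main() { foreach (var l in Summarise(SampleLog)) Console.WriteLine(l); }

    public static List<string> Summarise(string log)
    {
        var report = new List<string>();
        string subject = null; int dps = 0, skipped = 0; var attempted = new List<string>();
        foreach (var raw in log.Split('\n'))
        {
            var line = raw.Trim(); Match m;
            if ((m = Regex.Match(line, @"^Starting certificate validation \((.*)\)$")).Success)
            { subject = m.Groups[1].Value; dps = skipped = 0; attempted.Clear(); }   // new certificate
            else if (line.StartsWith("Processing distribution point")) dps++;
            else if (line == "Access point type not supported/disabled") skipped++;
            else if ((m = Regex.Match(line, @"^Retrieving CRL from (\S+)$")).Success) attempted.Add(m.Groups[1].Value);
            else if ((m = Regex.Match(line, @"^Certificate validation finished .*general reason: (.*)$")).Success)
            {
                report.Add(string.Format("{0}: {1} DP(s), {2} skipped (no retriever for that access type), {3} fetch(es) attempted [{4}], reason: {5}",
                    subject, dps, skipped, attempted.Count, string.Join(", ", attempted), m.Groups[1].Value));
                // Two different root causes hide behind the same "CRL not verified" reason:
                if (skipped > 0 && attempted.Count == 0)
                    report.Add("  -> every DP was skipped: register a retriever for the skipped access type (e.g. LDAP)");
                else if (attempted.Count > 0 && m.Groups[1].Value.Contains("not verified"))
                    report.Add("  -> an HTTP fetch was attempted but yielded no usable CRL: check proxy, DNS and the URL's response");
            }
        }
        return report;
    }
}
```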
#35737
Posted: 01/28/2016 03:37:09
by ingbabic (Standard support level)
Joined: 09/27/2011
Posts: 114

Hi
After setting the following for the validator, I still have a problem:
Code
CertValidator.CheckCRL = true;
CertValidator.CheckOCSP = false;

CertValidator.IgnoreCAKeyUsage = true;
CertValidator.IgnoreCABasicConstraints = true;
CertValidator.IgnoreCANameConstraints = true;

CertValidator.MandatoryCRLCheck = false;
CertValidator.MandatoryOCSPCheck = false;
CertValidator.MandatoryRevocationCheck = true;
CertValidator.UseSystemStorages = true;
CertValidator.IgnoreSystemTrust = false;
CertValidator.LookupCRLByNameIfDPNotPresent = false;


Here is the complete log:
Quote

Start signing process for **** ****...
Starting validation of the certificate: /C=HR/O=**** ** HR02994650199/L=ZAGREB/CN=**** ****/SN=HR00782464817.1.1 / /C=HR/O=FINA/OU=DEMO
Starting certificate validation: /C=HR/O=**** ** HR02994650199/L=ZAGREB/CN=**** ****/SN=HR00782464817.1.1 / /C=HR/O=FINA/OU=DEMO
Will be retrieving CRL response for certificate: /C=HR/O=**** ** HR02994650199/L=ZAGREB/CN=**** ****/SN=HR00782464817.1.1 / /C=HR/O=FINA/OU=DEMO, location: C=HR,O=FINA,OU=DEMO,CN=CRL15
Encountered CRL error when validating certificate: /C=HR/O=**** ** HR02994650199/L=ZAGREB/CN=**** ****/SN=HR00782464817.1.1 / /C=HR/O=FINA/OU=DEMO, location: C=HR,O=FINA,OU=DEMO,CN=CRL15, error: 1002
Will be retrieving CRL response for certificate: /C=HR/O=**** ** HR02994650199/L=ZAGREB/CN=**** ****/SN=HR00782464817.1.1 / /C=HR/O=FINA/OU=DEMO, location: ldap://demo-ldap.fina.hr/ou=DEMO,o=FINA,c=HR?certificateRevocationList%3Bbinary
Encountered CRL error when validating certificate: /C=HR/O=**** ** HR02994650199/L=ZAGREB/CN=**** ****/SN=HR00782464817.1.1 / /C=HR/O=FINA/OU=DEMO, location: ldap://demo-ldap.fina.hr/ou=DEMO,o=FINA,c=HR?certificateRevocationList%3Bbinary, error: 1002
Will be retrieving CRL response for certificate: /C=HR/O=**** ** HR02994650199/L=ZAGREB/CN=**** ****/SN=HR00782464817.1.1 / /C=HR/O=FINA/OU=DEMO, location: http://demo-pki.fina.hr/crl/democa.crl
HTTPClient_OnPreparedHeaders:
GET http://demo-pki.fina.hr/crl/democa.crl HTTP/1.0
Host: demo-pki.fina.hr
User-Agent: SecureBlackbox
Accept-Encoding: gzip, deflate
Connection: keep-alive
CRL needed for certificate: /C=HR/O=**** ** HR02994650199/L=ZAGREB/CN=**** ****/SN=HR00782464817.1.1 / /C=HR/O=FINA/OU=DEMO
Encountered CRL error when validating certificate: /C=HR/O=**** ** HR02994650199/L=ZAGREB/CN=**** ****/SN=HR00782464817.1.1 / /C=HR/O=FINA/OU=DEMO, location: , error: 1004
Certificate validation completed for certificate: /C=HR/O=**** ** HR02994650199/L=ZAGREB/CN=**** ****/SN=HR00782464817.1.1 / /C=HR/O=FINA/OU=DEMO. Validity: cvInvalid, Reason: 128
Starting certificate validation: /C=HR/O=FINA/OU=DEMO / /C=HR/O=FINA/OU=DEMO
Will be retrieving CRL response for certificate: /C=HR/O=FINA/OU=DEMO / /C=HR/O=FINA/OU=DEMO, location: C=HR,O=FINA,OU=DEMO,CN=CRL1
Encountered CRL error when validating certificate: /C=HR/O=FINA/OU=DEMO / /C=HR/O=FINA/OU=DEMO, location: C=HR,O=FINA,OU=DEMO,CN=CRL1, error: 1002
CRL needed for certificate: /C=HR/O=FINA/OU=DEMO / /C=HR/O=FINA/OU=DEMO
Encountered CRL error when validating certificate: /C=HR/O=FINA/OU=DEMO / /C=HR/O=FINA/OU=DEMO, location: , error: 1004
Certificate validation completed for certificate: /C=HR/O=FINA/OU=DEMO / /C=HR/O=FINA/OU=DEMO. Validity: cvInvalid, Reason: 128
Exception thrown: 'SBPAdES.EElPDFAdvancedPublicKeySecurityHandlerError' in SecureBlackbox.PKIPDF.dll
Finished validation of the certificate: /C=HR/O=**** ** HR02994650199/L=ZAGREB/CN=**** ****/SN=HR00782464817.1.1 / /C=HR/O=FINA/OU=DEMO, validity: cvChainUnvalidated, reason: 256
Starting certificate validation (CN=**** ****)
Checking validity period
Checking CA certificate extensions
Running revocation check
Revocation check preference: CRL and OCSP
Starting certificate CRL check (CN=**** ****) (at 08.21.57)
There does exist a CRL for the current certificate
Retrieving CRLs...
Processing distribution point #1
Looking for the CRL in the cache
Access point type not supported/disabled
Processing distribution point #2
Looking for the CRL in the cache
Access point type not supported/disabled
Looking for the CRL in the cache
Retrieving CRL from http://demo-pki.fina.hr/crl/democa.crl
No CRLs have been successfully retrieved
Validating the CRLs we've downloaded (0)
CRL check completed for certificate (CN=**** ****), general validity: VALID, general reason: CRL not verified, CRL exists: True
Failed to retrieve adequate revocation information
Revocation check completed
Certificate validation finished (CN=**** ****), general validity: INVALID, general reason: CRL not verified
Starting certificate validation (CN=)
Certificate is explicitly trusted
Checking validity period
Certificate is self-signed or trusted, no chain validation will be performed
Certificate is self-signed and is a CA for itself
Certificate signature is OK
Running revocation check
Revocation check preference: CRL and OCSP
Starting certificate CRL check (CN=) (at 08.21.57)
There does exist a CRL for the current certificate
Retrieving CRLs...
Processing distribution point #1
Looking for the CRL in the cache
Access point type not supported/disabled
No CRLs have been successfully retrieved
Validating the CRLs we've downloaded (0)
CRL check completed for certificate (CN=), general validity: VALID, general reason: CRL not verified, CRL exists: True
Failed to retrieve adequate revocation information
Revocation check completed
Certificate validation finished (CN=), general validity: INVALID, general reason: CRL not verified
ERROR: SBPAdES.EElPDFAdvancedPublicKeySecurityHandlerError: Chain validation failed
at SBPAdES.TElPDFAdvancedPublicKeySecurityHandler.ValidateChainAndCollectRevocationInfo@0(TElSignedCMSMessage CMS, TElX509Certificate Cert)
at SBPAdES.TElPDFAdvancedPublicKeySecurityHandler.ValidateChainAndCollectRevocationInfo(TElX509Certificate SigningCert)
at SBPAdES.TElPDFAdvancedPublicKeySecurityHandler.GetEstimatedSignatureSize(Boolean AsyncMode)
at SBPDF.TElPDFDocument.PreCalculateSignatures@3(TElPDFSignature Sig, TElPDFDictionary V)
at SBPDF.TElPDFDocument.PreCalculateSignatures(Boolean IncrementalUpdate)
at SBPDF.TElPDFDocument.Close(Boolean Save)
at TestSign.Program.SignPDF(String filePath, String certificateCommonName) in D:\2016Projects\Eldos\TestSign\TestSign\Program.cs:line 139
#35739
Posted: 01/28/2016 04:32:52
by Eugene Mayevski (EldoS Corp.)

The CRL could not be retrieved from the LDAP location. Did you register the LDAP retriever class?


Sincerely yours
Eugene Mayevski
#35743
Posted: 01/28/2016 06:09:33
by ingbabic (Standard support level)
Joined: 09/27/2011
Posts: 114

No, I wanted specifically to download the CRL from the HTTP location. The reason for that is that, in the real scenario, Internet access is limited by a proxy and, on the other hand, I know how to download a CRL in such an environment using .NET classes.