EldoS | Feel safer!

Software components for data protection, secure storage and transfer

Certificate validation through CRL: problem...

#36461
Posted: 04/13/2016 10:04:33
by Yann Fontaine (SUPPORT DISABLED)
Joined: 02/01/2016
Posts: 39

Hi,

I need some help to understand what's happening...
I'm trying to validate a certificate with its CRL.
So I added Root certificates to the TElMemoryCertStorage,
then created a TElX509CertificateValidator
and added the TElMemoryCertStorage through addTrustedCertificates.

But when I use the validate method, the beginning seems to work, but there is a 2nd step (don't know why), and this 2nd step fails.


Here are the logs:
In BOLD, the CRL check is running fine.
In italic, just after, another check (don't know why it's done) is not running properly... Why try to check this? Where did it find that? Not in the distribution points of the certificate (only http://crlprimary.ref.standard.faurecia.com/CA/Faurecia_Internal_CA_Aut.crl, with additional empty lines).

13/04/2016 15:48:25.980 DEBUG> Loaded certificate [D:\RVR\dev\customize\vlocale\CA\CA-AutInternal.cer]
13/04/2016 15:48:25.984 DEBUG> Loaded certificate [D:\RVR\dev\customize\vlocale\CA\faurecia.cer]
13/04/2016 15:48:25.986 DEBUG> Checking validity period
13/04/2016 15:48:25.987 DEBUG> Checking CA certificate extensions
13/04/2016 15:48:25.996 DEBUG> Running revocation check
13/04/2016 15:48:25.997 DEBUG> Revocation check preference: CRL and OCSP
13/04/2016 15:48:25.997 DEBUG> We are configured to look for implicit DPs if no CRL distribution points are available
13/04/2016 15:48:25.997 DEBUG> Retrieving CRLs...
13/04/2016 15:48:25.997 DEBUG> Processing distribution point #1
13/04/2016 15:48:25.997 DEBUG> Looking for the CRL in the cache
13/04/2016 15:48:25.999 DEBUG> Retrieving CRL from http://crlprimary.ref.standard.faurecia.com/CA/Faurecia_Internal_CA_Aut.crl
13/04/2016 15:48:26.017 DEBUG> CRL obtained
13/04/2016 15:48:26.047 DEBUG> Processing distribution point #2
13/04/2016 15:48:26.047 DEBUG> Validating the CRLs we've downloaded (1)
13/04/2016 15:48:26.054 DEBUG> Validating CRL #1
13/04/2016 15:48:26.062 DEBUG> CRL signer is trusted, no further validation is needed
13/04/2016 15:48:26.062 DEBUG> CRL #1 validated successfully
13/04/2016 15:48:26.062 DEBUG> Revocation check completed

13/04/2016 15:48:26.063 DEBUG> Certificate is explicitly trusted
13/04/2016 15:48:26.064 DEBUG> Checking CA certificate extensions
13/04/2016 15:48:26.067 DEBUG> Running revocation check
13/04/2016 15:48:26.067 DEBUG> Revocation check preference: CRL and OCSP
13/04/2016 15:48:26.067 DEBUG> We are configured to look for implicit DPs if no CRL distribution points are available
13/04/2016 15:48:26.067 DEBUG> Retrieving CRLs...
13/04/2016 15:48:26.067 DEBUG> Processing distribution point #1
13/04/2016 15:48:26.067 DEBUG> Looking for the CRL in the cache
13/04/2016 15:48:26.067 DEBUG> Access point type not supported/disabled
13/04/2016 15:48:26.067 DEBUG> TSBCertificateValidatorCRLErrorEvent : C=FR,O=FAURECIA,CN=ROOT CA
13/04/2016 15:48:26.067 DEBUG> No CRLs have been successfully retrieved
13/04/2016 15:48:26.067 DEBUG> Revocation check completed


Could I have some help on that please?
What's that 2nd check? Why is the CRL check attempting to check one of the CA certificate objects: C=FR,O=FAURECIA,CN=ROOT CA?

C=FR,O=FAURECIA,CN=ROOT CA is one of my 2 added CA certificates

Thanks for your support

Regards,

Yann
#36462
Posted: 04/13/2016 10:28:01
by Ken Ivanov (EldoS Corp.)

Hi Yann,

It looks like one of your CRLs contains no information on distribution points. In this case the guidance instructs compliant verifying software to look for 'implicit' distribution points built on the basis of data contained in the certificate. Often such CRLs simply do not exist following relaxed generation rules employed by some CAs.

To address the issue, please set the validator's LookupCRLByNameIfDPNotPresent property to false and check if it helps.

Ken
#36464
Posted: 04/13/2016 10:42:26
by Yann Fontaine (SUPPORT DISABLED)
Joined: 02/01/2016
Posts: 39

Hi Ken,

Thanks, I set LookupCRLByNameIfDPNotPresent to false, and it works!
But is it normal that the validator tries to search for CA certificate distribution points? I only want to validate the user certificate against the CRL and CA certificates.
The CA certificates don't have any distribution points; is that normal? Is your parameter there to bypass the check for certificates that have no distribution point? Even CA certificates?

Thanks

Yann
#36465
Posted: 04/13/2016 11:08:24
by Ken Ivanov (EldoS Corp.)

Yann,

Here's what the standard (RFC5280) is saying:

Quote
If the revocation status has not been determined, repeat the process
above with any available CRLs not specified in a distribution point
but issued by the certificate issuer. For the processing of such a
CRL, assume a DP with both the reasons and the cRLIssuer fields
omitted and a distribution point name of the certificate issuer.
That is, the sequence of names in fullName is generated from the
certificate issuer field as well as the certificate issuerAltName
extension. After processing such CRLs, if the revocation status has
still not been determined, then return the cert_status UNDETERMINED.


As we want SecureBlackbox to be compliant in the first place, it follows the guidance in this regard. However, the reality is such that a lot of public key infrastructures violate this requirement, effectively making all certificates circulating in them non-verifiable. That's why a long time ago we introduced the option to override this requirement. Moreover, we will probably be switching this property off by default in upcoming version 15 due to compatibility issues it induces.

Essentially, by switching LookupCRLByNameIfDPNotPresent off you tell the validator not to look for any implicit CRLs if they are not found. This increases the tolerance and compatibility of the validator component, but at the same time makes it less secure by introducing a potential revocation miss flaw in 'legitimate' environments. Still, if you need to work with a large number of unknown environments, switching it off might be a reasonable trade-off.

Ken
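The behaviour Ken describes can be followed in a small model of the revocation check. The Python below is an added illustration written for this thread, not SecureBlackbox code; the certificate, CRL and store objects are constructed stand-ins rather than real X.509 parsing, and the `lookup_crl_by_name_if_dp_not_present` flag mirrors the semantics of the LookupCRLByNameIfDPNotPresent switch as the thread describes them (an implicit distribution point named after the issuer is assumed only when the certificate carries no distribution points). The `NOT_CHECKED` status for a skipped lookup is a modelling assumption: it stands for "nothing was attempted, so no CRL error is raised", and what the real component does in that case depends on its other settings.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class Cert:
    """Constructed stand-in for an X.509 certificate (no real parsing)."""
    subject: str
    issuer: str
    serial: int
    # URIs from the cRLDistributionPoints extension; an empty list models a
    # certificate without that extension, like the CA certificates in the thread.
    crl_dps: List[str] = field(default_factory=list)


@dataclass
class Crl:
    issuer: str
    revoked: Set[int]


@dataclass
class CrlStore:
    """What the validator can reach: CRLs published at a DP URI, plus CRLs
    'issued by the certificate issuer' that no distribution point refers to
    (the RFC 5280 6.3.3 fallback Ken quotes)."""
    by_uri: Dict[str, Crl] = field(default_factory=dict)
    by_issuer_name: Dict[str, Crl] = field(default_factory=dict)


def _status_from_crls(cert: Cert, crls: List[Crl]) -> str:
    if not crls:
        return "UNDETERMINED"
    return "REVOKED" if any(cert.serial in c.revoked for c in crls) else "GOOD"


def check_revocation(cert: Cert, store: CrlStore,
                     lookup_crl_by_name_if_dp_not_present: bool = True
                     ) -> Tuple[str, List[str]]:
    """Return (status, log) for one certificate."""
    log: List[str] = []
    crls: List[Crl] = []
    for i, uri in enumerate(cert.crl_dps, 1):
        log.append(f"Processing distribution point #{i} ({uri})")
        crl = store.by_uri.get(uri)
        if crl is None:
            log.append("CRL could not be retrieved")
        elif crl.issuer != cert.issuer:
            log.append("CRL issuer does not match certificate issuer; ignored")
        else:
            crls.append(crl)
    if cert.crl_dps:
        return _status_from_crls(cert, crls), log

    # No DPs in the certificate: RFC 5280 6.3.3 says to try CRLs issued by the
    # certificate issuer, assuming a DP whose name is the issuer name.
    if not lookup_crl_by_name_if_dp_not_present:
        log.append("No distribution points and implicit lookup disabled; "
                   "revocation not checked, no CRL error raised")
        return "NOT_CHECKED", log  # model assumption, see lead-in
    log.append(f"Assuming implicit DP named after the issuer: {cert.issuer}")
    crl = store.by_issuer_name.get(cert.issuer)
    if crl is None:
        log.append("No CRLs have been successfully retrieved")
        return "UNDETERMINED", log
    return _status_from_crls(cert, [crl]), log


# Constructed sample PKI: a root, an issuing CA without DPs, and an end-entity
# certificate with one HTTP distribution point. Names and serials are made up.
ROOT_DN = "C=XX,O=Example,CN=Example Root CA"
ISSUING_DN = "C=XX,O=Example,CN=Example Issuing CA"
DP_URI = "http://crl.example.invalid/issuing.crl"

ISSUING = Cert(subject=ISSUING_DN, issuer=ROOT_DN, serial=7)
USER = Cert(subject="CN=alice", issuer=ISSUING_DN, serial=4242, crl_dps=[DP_URI])


def build_store(root_crl_exists: bool = False,
                issuing_ca_revoked: bool = False) -> CrlStore:
    store = CrlStore()
    store.by_uri[DP_URI] = Crl(issuer=ISSUING_DN, revoked={4243})
    if root_crl_exists:
        store.by_issuer_name[ROOT_DN] = Crl(
            issuer=ROOT_DN, revoked={7} if issuing_ca_revoked else set())
    return store


if __name__ == "__main__":
    scenarios = [
        ("user cert via its DP", USER, build_store(), True),
        ("issuing CA, no root CRL, lookup on (the thread's case)", ISSUING, build_store(), True),
        ("issuing CA, no root CRL, lookup off", ISSUING, build_store(), False),
        ("issuing CA revoked by implicit CRL, lookup on", ISSUING, build_store(True, True), True),
        ("issuing CA revoked by implicit CRL, lookup off (revocation miss)",
         ISSUING, build_store(True, True), False),
    ]
    for name, cert, store, flag in scenarios:
        status, log = check_revocation(cert, store, flag)
        print(f"{name}: {status}")
        for line in log:
            print("   ", line)
```

The second scenario reproduces the log from the first post: the CA certificate has no distribution points, the validator assumes an implicit DP named after the issuer, finds nothing, and ends with "No CRLs have been successfully retrieved". The last two scenarios show the trade-off Ken mentions: when a CRL that only exists by issuer name does list the certificate, the strict setting reports it as revoked, while the relaxed setting never looks and the revocation is missed.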
#36466
Posted: 04/13/2016 12:00:59
by Yann Fontaine (SUPPORT DISABLED)
Joined: 02/01/2016
Posts: 39

Okay

Thanks Ken for your good explanation

But is it applicable too (or do you mean/think it's normal) for the CA certificates?


In one word: do all certificates (including CA ones) have to comply with RFC 5280?
#36467
Posted: 04/13/2016 14:31:50
by Ken Ivanov (EldoS Corp.)

Yes, this is applicable to all certificates.
#36471
Posted: 04/14/2016 01:47:31
by Yann Fontaine (SUPPORT DISABLED)
Joined: 02/01/2016
Posts: 39

Hi Ken,

Thanks for all your answers !

Have a nice day

Yann