CRL check: weird behaviour...

0 votes
asked Mar 7 by David BS (420 points)

Hi Team!

This question is not directly related to REBEX, but I hope you have a solution based on your libraries.

I created a certificate and, afterwards, a CRL file, without any issue with either. I published the certificate into my STORE and put the CRL at the URL pointed to by the Certificate.DistributionPoint.

But, when I tried to get information about its revocation (done minutes later), I get the status IS_VALID and ChainStatus is empty, indicating the certificate is NOT revoked.

My code to check it is:

Imports System.Security.Cryptography.X509Certificates

Using chain As New X509Chain
  chain.Reset()
  ' Online: the chain engine may retrieve revocation data (CRL/OCSP) over the network
  chain.ChainPolicy.RevocationMode = X509RevocationMode.Online
  ' Check revocation of the end-entity certificate only, not of the whole chain
  chain.ChainPolicy.RevocationFlag = X509RevocationFlag.EndCertificateOnly
  chain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority Or X509VerificationFlags.IgnoreCtlNotTimeValid Or X509VerificationFlags.IgnoreInvalidBasicConstraints Or X509VerificationFlags.IgnoreWrongUsage Or X509VerificationFlags.IgnoreNotTimeNested
  ' Give the CRL download up to 30 seconds
  chain.ChainPolicy.UrlRetrievalTimeout = New TimeSpan(0, 0, 0, 30)
  chain.ChainPolicy.VerificationTime = Date.Now
  Dim elementValid = chain.Build(certificate)

  ' << here I have "elementValid = True" and ChainStatus.Length = 0 >>
End Using

It is interesting to note that:
- the URL is normally reachable;
- no error is raised during the process;
- the CRL DistributionPoint is reachable;
- the CRL DistributionPoint has no lexical error.

Do you know how I can check revocations using the online parameter?
I appreciate the time you spend on this, even if this question cannot be answered.

commented Mar 7 by David BS (420 points)
NOTE: comparing a CRL file created yesterday in my Windows 10 VM with the newest one created today on my Windows 8.1, I saw that this last one does not have a Thumbprint. I don't know why, because it was created using the same routine. Could that absence be the reason for the failure above?

The only difference is that on my Windows 8.1 I had set (and deleted) some CRLs while performing tests...
commented Mar 8 by Lukas Pokorny (123,470 points)
The CRL thumbprint field is a Windows concept (it's a hash of the CRL); it's not actually part of the CRL, so I'm not quite sure what the lack of it might indicate. Does it appear OK otherwise?
commented Mar 8 by David BS (420 points)
Yes... It seems OK, apart from that difference between the two CRL files. Anyway, I will be searching for a solution to that behaviour after reading the texts suggested below. Thank you Lukas.

1 Answer

0 votes
answered Mar 8 by Lukas Pokorny (123,470 points)
selected Mar 8 by David BS
Best answer

I guess this might be caused by the complex CRL caching behavior in Windows. What result do you get if you use the certutil tools to check the certificate, as described here?

Also, this in-depth article on CRL caching in Windows might be relevant.

commented Mar 8 by David BS (420 points)
Wow... I had never supposed that Windows performs that kind of caching. Thank you!
commented Mar 8 by Lukas Pokorny (123,470 points)
Yes, it's actually surprisingly complex.
commented Mar 8 by David BS (420 points)
I'm reading all the information you suggested and it's really useful. Thanks a lot Lukas and all the REBEX team!
...
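An added diagnostic script, not part of the thread above or of the Rebex libraries, that runs the certutil checks the answer points to: it dumps the published CRL's ThisUpdate/NextUpdate, lists the CRLs Windows has cached for the current user, and verifies the certificate with URL fetching so you can see which CRL the chain engine actually used. The two file paths are placeholders; on Windows, X509Chain builds through CryptoAPI and consults the same URL cache, so what certutil reports is what the VB.NET code above sees.

```powershell
# Added diagnostic script; paths are placeholders, not values from the thread.
param(
    [string]$CertPath = 'C:\pki\test-cert.cer',   # placeholder: certificate under test
    [string]$CrlPath  = 'C:\pki\test.crl'         # placeholder: the CRL you published
)

# 1. What does the freshly published CRL say? Windows keeps a cached CRL until
#    its NextUpdate passes, so a CRL published minutes ago is ignored while an
#    older cached copy is still time-valid.
Write-Host '== Published CRL: validity window and revoked serials =='
certutil -dump $CrlPath | Select-String 'ThisUpdate', 'NextUpdate', 'Serial Number'

# 2. Which CRLs does the per-user URL cache currently hold?
Write-Host '== Cached CRLs (per-user URL cache) =='
certutil -urlcache crl

# 3. Verify the certificate and force fetching of the AIA/CDP URLs. The output
#    names the CRL that was used and reports whether the leaf is revoked.
Write-Host '== certutil -verify -urlfetch =='
certutil -verify -urlfetch $CertPath

# 4. Diagnostic only: drop the cached CRL entries and re-verify to confirm the
#    cache was the cause. The durable fix is a sensible NextUpdate / publishing
#    interval on the CRL, not clearing caches on every client.
if ($env:CLEAR_CRL_CACHE -eq '1') {
    certutil -urlcache crl delete
    certutil -verify -urlfetch $CertPath
}
```

Set `CLEAR_CRL_CACHE=1` in the environment before running to execute step 4; otherwise the script is read-only.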