Search code examples
c#certificatex509certificatedigital-signaturex509certificate2

Issue with X509RevocationMode.Online in revoke certificate validation

I am validating the certificate revocation in online mode but the url mentioned in CRL Distribution Point is not getting hit if the CRL is already cached in memory. I am using fiddler to verify if the URL is accessed or not. I am following these steps.

  1. Run the fiddler.
  2. Start certificate validation in X509RevocationMode.Online
  3. Verify fiddler, the url mentioned in CRL Distribution Point is not caught.
  4. Clear the crl from memory by the command certutil -urlcache CRL delete
  5. Start certificate validation in X509RevocationMode.Online
  6. Now the Fiddler caught the URL mentioned in CRL Distribution Point.

From above steps it is clear that the CRL's url will be hit only if the CRL is not cached. Now my questions are:

  1. What are the scenarios when URL mention in CRL Distribution Point is accessed in online mode?
  2. If CRL is already cached, how X509Certificate validated that the CRL is updated or not without hitting the URL?
  3. Am I missing the concept of CRL?

Here is my code

    private void BuildCertificateChain(X509Certificate2 certificate)
    {
        string error = null;
        X509Chain certificateChain = new X509Chain();
        certificateChain.ChainPolicy.RevocationFlag = X509RevocationFlag.EntireChain;
        certificateChain.ChainPolicy.VerificationTime = DateTime.Now;

        certificateChain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
        certificateChain.ChainPolicy.UrlRetrievalTimeout = new TimeSpan(0, 0, 15);

        try
        {
            if (certificateChain.Build(certificate))
            {
                foreach (X509ChainElement element in certificateChain.ChainElements)
                {
                    Trace.WriteLine(string.Format("Issuer = {0}\nSubject = {1}", element.Certificate.Issuer, element.Certificate.Subject));
                    element.Certificate.Verify();
                }
            }
            else
            {

                error = string.Format("File {0} digital signature seems to be not valid due to a certificate in certificate chain being revoked. Revocation reasons are:\n", filename);
                foreach (X509ChainStatus status in certificateChain.ChainStatus)
                {
                    error += status.StatusInformation;
                }
            }
        }
        catch (Exception ex)
        {
            error = string.Format("Exception building certificate chain for executing application {0}. The error is {1}", _executingAppFileName, ex.Message);
        }

        if (!string.IsNullOrEmpty(error))
        {
            //SetError(error);
        }
    }
}
Solution

  • Using a cached version and not re-retrieving the CRL is usually a feature, not a bug.

    What should happen:

    1. The CRL issuing website should be using proper caching instructions to the https client who is retrieving the CRL for verification.
    2. The cache on your machine should be implemented according to the instructions from the server. (By the way, disks are usually used for cached internet files, not memory.)

    But, neither of the above may be true. If you want to be paranoid, you could flush the internet doc cache in the OS.

    Re your questions:

    1. What are the scenarios when URL mention in CRL Distribution Point is accessed in online mode? [When the CRL is not in the cache]
    2. If CRL is already cached, how X509Certificate validated that the CRL is updated or not without hitting the URL? [The cache controls of https are used to assume that the cached version of the CRL is the same as the version on the remote server.]
    3. Am I missing the concept of CRL? [Perhaps. The CRL process is not meant to be a gonzo-realtime synchronized multi-machine system. The idea is that most of the time, certs naturally expire from their expiration date. The revocation / CRL process should not be a normal process, should be more of an exception process. Your questions imply that the CRL is being updated on a second by second basis--so quickly that normal web caching techniques are not acceptable. Why do you believe this? What are you trying to protect yourself against? Are humans making the decision to revoke the certs before their normal expiration time or machines?]

    To put it another way, if the CRL is being updated all the time, then it should be sent with the caching headers set accordingly. In that case, you should test that your OS is correctly not caching the result. If you're worried that the OS is wrong, then you should explicitly delete the cache.

    Added:

    A blog entry about examining malware's digital certificates.