Certificate Revocation with CRL

Hi,

I'm trying to enable certificate revocation checks using CRL.

I have the following policies:

SecPolicyRef basicPolicy = SecPolicyCreateBasicX509();
SecPolicyRef revocationPolicy = SecPolicyCreateRevocation(
    kSecRevocationCRLMethod |
    kSecRevocationRequirePositiveResponse);

and put both in an array that is passed to SecTrustCreateWithCertificates.

I'm testing with a self-signed certificate that has both CRL and OCSP URLs, as in:

    X509v3 CRL Distribution Points:
        Full Name:
            URI:http://127.0.0.1:20001/ca1.crl.pem

    Authority Information Access:
        CA Issuers - URI:http://127.0.0.1:20001/cacert1.pem
        OCSP - URI:http://127.0.0.1:20002

The call to SecTrustEvaluateWithError reports that verification fails with errSecIncompleteCertRevocationCheck.

I don't see any request to the CRL. Isn't trust evaluation supposed to contact the CRL distribution point with the above policies?

I do see a request to the OCSP responder:

448	855.029464	127.0.0.1	127.0.0.1	HTTP	396	GET /ME4wTKADAgEAMEUwQzBBMAkGBSsOAwIaBQAEFMB29vuaNrKAoP2BoNnyRXxbT4igBBThcxB1ZocKBQzvh5KaoSjx%2FutKiAIIKz78bS0Gnsk%3D HTTP/1.1 

I'm using the OpenSSL ocsp responder for my testing, and it complains that it is a malformed request.

Any idea about the malformed requests? Why is there an OCSP request when my policy specifies kSecRevocationCRLMethod?

Any help would be appreciated.

Cheers, Jose
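As an added example (mine, not code from the post or from Apple), here is a check on whether the OCSP request in the capture above is actually malformed: it URL-decodes and base64-decodes the captured path, walks the DER with a minimal parser, and re-encodes the result to confirm it matches the GET form defined in RFC 6960 Appendix A.1. The path is the one shown in the capture; the parser covers only the fields of an OCSPRequest needed for this check and is not a general DER library.

```python
# Added example, not code from the original post: decode the OCSP GET path
# seen in the Wireshark capture above and check it against the GET form in
# RFC 6960 Appendix A.1 (URL-encoding of the base64 of the DER OCSPRequest).
import base64
import urllib.parse

# Request path copied from the capture in the post above.
CAPTURED_PATH = "/ME4wTKADAgEAMEUwQzBBMAkGBSsOAwIaBQAEFMB29vuaNrKAoP2BoNnyRXxbT4igBBThcxB1ZocKBQzvh5KaoSjx%2FutKiAIIKz78bS0Gnsk%3D"

SHA1_OID = "1.3.14.3.2.26"   # id-sha1, the hash RFC 6960 requires responders to support


def der_tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long form: next N bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(value):
    """Decode a DER OBJECT IDENTIFIER value into dotted form."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def decode_ocsp_get_path(path):
    """Undo the RFC 6960 A.1 GET encoding: URL-decode, then base64-decode to DER."""
    return base64.b64decode(urllib.parse.unquote(path.lstrip("/")), validate=True)


def encode_ocsp_get_path(der):
    """Build the RFC 6960 A.1 GET path for a DER OCSPRequest ('/' and '=' become %2F and %3D)."""
    return "/" + urllib.parse.quote(base64.b64encode(der).decode("ascii"), safe="")


def parse_ocsp_request(der):
    """Walk an OCSPRequest (RFC 6960 section 4.1.1) and return its version and CertIDs.

    Only what is needed to judge "is this malformed?" is extracted; the optional
    signature and extensions are ignored. Raises ValueError on a non-OCSPRequest.
    """
    tag, ocsp_request, end = der_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("outer element is not a SEQUENCE spanning the whole input")
    tag, tbs, _ = der_tlv(ocsp_request, 0)               # tbsRequest TBSRequest
    if tag != 0x30:
        raise ValueError("tbsRequest is not a SEQUENCE")
    version, pos = 0, 0
    tag, val, nxt = der_tlv(tbs, 0)
    if tag == 0xA0:                                        # version [0] EXPLICIT Version DEFAULT v1
        version, pos = int.from_bytes(der_tlv(val, 0)[1], "big"), nxt
    tag, val, nxt = der_tlv(tbs, pos)
    if tag == 0xA1:                                        # requestorName [1] EXPLICIT GeneralName OPTIONAL
        pos = nxt
    tag, request_list, _ = der_tlv(tbs, pos)              # requestList SEQUENCE OF Request
    if tag != 0x30:
        raise ValueError("requestList is not a SEQUENCE")
    cert_ids, pos = [], 0
    while pos < len(request_list):
        _, request, pos = der_tlv(request_list, pos)       # Request ::= SEQUENCE { reqCert CertID, ... }
        _, cert_id, _ = der_tlv(request, 0)                # CertID ::= SEQUENCE { ... }
        _, alg, p = der_tlv(cert_id, 0)                    # hashAlgorithm AlgorithmIdentifier
        _, name_hash, p = der_tlv(cert_id, p)              # issuerNameHash OCTET STRING
        _, key_hash, p = der_tlv(cert_id, p)               # issuerKeyHash OCTET STRING
        _, serial, _ = der_tlv(cert_id, p)                 # serialNumber INTEGER
        cert_ids.append({
            "hash_algorithm": decode_oid(der_tlv(alg, 0)[1]),
            "issuer_name_hash": name_hash.hex(),
            "issuer_key_hash": key_hash.hex(),
            "serial_number": serial.hex(),
        })
    return {"version": version, "cert_ids": cert_ids}


if __name__ == "__main__":
    der = decode_ocsp_get_path(CAPTURED_PATH)
    print(len(der), "bytes of DER; round-trips:", encode_ocsp_get_path(der) == CAPTURED_PATH)
    print(parse_ocsp_request(der))
```

On this input the path decodes to an 80-byte DER OCSPRequest, version v1, containing one CertID hashed with id-sha1, 20-byte issuer name and key hashes and an 8-byte serial number, and it re-encodes to exactly the captured path. In the GET form the base64 characters '/' and '=' are URL-encoded as %2F and %3D, so a responder that base64-decodes the path without URL-decoding it first sees invalid base64 and reports a malformed request; that is worth checking before assuming the client built the request wrongly.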

Not exactly sure whether the certificate could not be verified because it is a self-signed certificate, and that is why revocation is failing, or whether this is a specific revocation failure. If you are unable to make any progress here, I would open a TSI and I can look deeper into this.

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com

Hi Matt,

The certificate I'm using for my testing is signed by a custom CA; it can be verified using the CA, and this works fine. I made some additional progress by running a different OCSP responder from a more recent OpenSSL version, and in this case I get the expected revocation error.

But I don't understand why OCSP is used when I set kSecRevocationCRLMethod. Wireshark only shows the OCSP request being sent; no attempts are made to contact the CRL distribution point.

I will look into opening a TSI.

Cheers, Jose
