Is it possible to accept a CRL after its next update date?

Is it possible to accept a CRL after its next update date?

Markus Adelsberger
Hi,

I'm trying to validate X509 certificates offline with Bouncy Castle in Java and have run into a problem with older CRLs. I haven't found a possibility yet to accept CRLs which are expired; in our setup it can happen that a CRL can't be updated regularly, so the old one should stay valid until anything newer comes along.

Just to clarify, this would be the use case:

1. Create certificate in 2015, valid 2015-2020
2. Revoke the certificate with a CRL in 2017, key was stolen, only create CRL for 1 year because I make a mistake or plan on rolling over and never get around to it
3. Check the certificate in 2019: the CRL is expired, Bouncy Castle complains there is no CRL to be found and my validation fails, which is not the same as a revocation result

Currently I'm just deactivating CRL checking and performing the check myself, but I'd prefer to do it via bouncy castle.

I asked what to do over at StackOverflow and I was referred to this mailing list, I hope this was correct, if not I'm sorry.
https://stackoverflow.com/questions/50410203/accepting-expired-crl-with-bouncycastle

I'm attaching my code below, thanks for any input in this matter.

Markus

import java.security.GeneralSecurityException;
import java.security.cert.*;
import java.util.Set;
import org.bouncycastle.cms.SignerInformation;

// Parameter types are assumed from the calls below: signer is the CMS SignerInformation
// whose certificate is being located, trustAnchors a Set<TrustAnchor>, and certificates
// a CertStore holding both certificates and CRLs. checkRevocation() is my own helper.
X509Certificate findSignerCertificate(SignerInformation signer, Set<TrustAnchor> trustAnchors,
                                      CertStore certificates) throws GeneralSecurityException {
    final X509CertSelector endConstraints = new X509CertSelector();
    endConstraints.setSerialNumber(signer.getSID().getSerialNumber());

    final PKIXBuilderParameters buildParams = new PKIXBuilderParameters(trustAnchors, endConstraints);
    //a CertStore object with Certificates and CRLs
    buildParams.addCertStore(certificates);
    //currently deactivated
    buildParams.setRevocationEnabled(false);

    final CertPathBuilder builder = CertPathBuilder.getInstance("PKIX", "BC");
    final CertPathBuilderResult result = builder.build(buildParams);

    //here I manually check the CRLs, which I don't want to do
    checkRevocation(result.getCertPath().getCertificates(), certificates, trustAnchors);

    //if this passes I return the found certificate
    return (X509Certificate) result.getCertPath().getCertificates().get(0);
}
Re: Is it possible to accept a CRL after its next update date?

David Hook-3

I've a feeling this would also work if you use the setDate() method on buildParams to a date prior to the "next update" date. It's such an odd case - in some respects I think you've probably got the correct solution already (other than fixing the CRL).

Regards,

David

On 22/05/18 17:02, Markus Adelsberger wrote:
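The approach David sketches, written out as an added example (this is not code from the thread, from Bouncy Castle, or from Markus's project): the validation date passed to PKIXBuilderParameters.setDate() is moved back to just before the newest CRL's nextUpdate, so the PKIX revocation checker treats the CRL as current and still honours every revocation it lists, while the certificate's own validity period is checked separately against the real clock. That the BC checker measures CRL freshness against the PKIX validation date is the assumption David's suggestion rests on; the maxStaleDays policy limit, the freshestCrl() helper and the method names are this example's own additions. The trade-off is the one a stale CRL always carries: revocations issued after its thisUpdate are invisible, so the window you allow is the window an attacker with a stolen key keeps.

```java
import java.security.GeneralSecurityException;
import java.security.Security;
import java.security.cert.*;
import java.util.Date;
import java.util.Set;
import java.util.concurrent.TimeUnit;
import org.bouncycastle.jce.provider.BouncyCastleProvider;

public final class StaleCrlPathValidation {

    /** Pick the CRL with the latest thisUpdate issued by the given issuer (assumed helper). */
    static X509CRL freshestCrl(CertStore store, X509Certificate issuer) throws CertStoreException {
        X509CRLSelector sel = new X509CRLSelector();
        sel.addIssuer(issuer.getSubjectX500Principal());
        X509CRL best = null;
        for (CRL crl : store.getCRLs(sel)) {
            X509CRL x = (X509CRL) crl;
            if (best == null || x.getThisUpdate().after(best.getThisUpdate())) {
                best = x;
            }
        }
        return best;
    }

    /**
     * Build and validate a path to target with revocation checking enabled, accepting a
     * CRL whose nextUpdate has passed as long as it is no more than maxStaleDays overdue.
     */
    public static CertPathBuilderResult buildWithStaleCrl(Set<TrustAnchor> trustAnchors,
                                                          CertStore certsAndCrls,
                                                          X509Certificate target,
                                                          X509Certificate issuer,
                                                          long maxStaleDays)
            throws GeneralSecurityException {
        Security.addProvider(new BouncyCastleProvider());
        Date now = new Date();

        // The certificate's own validity window is checked against the real clock here,
        // because moving the PKIX validation date back would otherwise hide an expiry
        // that happened between the CRL's nextUpdate and today.
        target.checkValidity(now);

        X509CRL crl = freshestCrl(certsAndCrls, issuer);
        if (crl == null) {
            throw new CertPathValidatorException("no CRL available for " + issuer.getSubjectX500Principal());
        }

        Date validationTime = now;
        Date nextUpdate = crl.getNextUpdate();
        if (nextUpdate != null && nextUpdate.before(now)) {
            long overdueMillis = now.getTime() - nextUpdate.getTime();
            if (overdueMillis > TimeUnit.DAYS.toMillis(maxStaleDays)) {
                // Fail closed once the CRL is older than policy allows.
                throw new CertPathValidatorException("CRL overdue beyond policy, nextUpdate=" + nextUpdate);
            }
            // One second before nextUpdate: the CRL is "current" at this instant, so the
            // revocation checker uses it instead of reporting that no CRL was found.
            validationTime = new Date(nextUpdate.getTime() - 1000L);
        }

        X509CertSelector endConstraints = new X509CertSelector();
        endConstraints.setCertificate(target);

        PKIXBuilderParameters params = new PKIXBuilderParameters(trustAnchors, endConstraints);
        params.addCertStore(certsAndCrls);
        params.setRevocationEnabled(true);   // let the PKIX checker consult the CRLs
        params.setDate(validationTime);      // David's setDate() suggestion

        CertPathBuilder builder = CertPathBuilder.getInstance("PKIX", "BC");
        return builder.build(params);        // throws CertPathBuilderException if revoked
    }
}
```

Call buildWithStaleCrl(trustAnchors, certStore, signerCert, issuingCaCert, 30) in place of the build-then-checkRevocation sequence in the original post; a certificate revoked in the 2017 CRL still fails to build in 2019, because the stale CRL is now consulted rather than discarded. Log the chosen validationTime whenever it differs from the real clock so that a stale CRL shows up in monitoring instead of being silently tolerated.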