
[Question] Certificate revocation status check #31

Closed
joaco-espinosa opened this issue Jul 16, 2019 · 10 comments

Comments

@joaco-espinosa

Simple question: in order to check the revocation status of a certificate, is it necessary to perform some manual step, like overriding the OnValidateCertificate event to call some OCSP service? Or is this done automatically by the library/.NET Core?

@blowdart
Owner

It's done automatically by Windows, unless you set the option in the options to turn it off.

@joaco-espinosa
Author

Thank you for your response. One more question: I'm evaluating using a Private CA through Amazon (ACM PCA). Do you know if Windows is smart enough to correctly verify the revocation status of a certificate through the AWS service?

I'm not very familiar with the process by which Windows performs these checks. If you have some docs, I would really appreciate it.

@blowdart
Owner

I don't know enough about how that CA works, but if the root it chains to is trusted and there's a CRL or OCSP entry in the certificates it should work. If it's not a trusted root you'd have to install it in every machine you want to check on.

@joaco-espinosa
Author

Thanks, blowdart

@joaco-espinosa
Author

I'm currently trying to test the certificate revocation status check mechanism but I'm unable to succeed. The Digicert certificate I'm using has already been revoked, and the Digicert utility that checks revocation statuses correctly indicates so. However, the Authentication library is allowing the connection. As you would expect, the OnValidateCertificate() function is being called on every invocation, and the OnAuthenticationFailed() function is never reached.

This is what my Startup looks like:

// Fragment of Startup.ConfigureServices: registers the certificate authentication scheme "x509".
var builder = services.AddAuthentication()
    .AddCertificate("x509", options =>
    {
        // Build the client certificate chain with online CRL/OCSP revocation checking.
        options.RevocationMode = X509RevocationMode.Online;
        options.ValidateValidityPeriod = true;
        options.ValidateCertificateUse = true;

        options.Events = new CertificateAuthenticationEvents
        {
            // Called only after chain validation (including revocation) has passed.
            OnValidateCertificate = context =>
            {
                context.Principal = Principal.CreateFromCertificate(context.ClientCertificate, includeAllClaims: true);
                context.Success();

                return Task.CompletedTask;
            },
            // Reached when the handler throws, not for an ordinary validation failure.
            OnAuthenticationFailed = context =>
            {
                Console.WriteLine($"Status code: {context.Response.StatusCode}");

                return Task.CompletedTask;
            }
        };
    });

Any suggestions?

Please let me know if I should open a different issue for this question. Thanks in advance.

@blowdart
Owner

There are unit tests for revocation, so I know it works.

However, it's never going to get to OnAuthenticationFailed; it bails before that.

AuthenticationFailed is basically for exceptions, not expected and handled failures.

@joaco-espinosa
Author

Thanks for the response.

Do I need to do something else in addition to options.RevocationMode = X509RevocationMode.Online;?
Is there any caching mechanism that might be causing this behavior?

@blowdart
Owner

Windows caches CRL/OCSP results for a period of time. I think it's usually 20 minutes.

certutil allows you to mess around with the cache.
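The following is an added example, not code from this issue or from the library. It performs the same kind of chain build with online revocation checking that the handler relies on, so a revoked test certificate can be checked directly from a console app before blaming the authentication pipeline. The certificate file path is taken from the command line (an assumption of this example); the chain policy values shown are standard .NET X509Chain settings.

```csharp
using System;
using System.IO;
using System.Linq;
using System.Security.Cryptography.X509Certificates;

// Added example (not part of the issue or the library): builds a chain for a
// certificate with online CRL/OCSP checking and reports why it is accepted or not.
static class RevocationProbe
{
    // Any of these statuses means the certificate must not be accepted: it is
    // revoked, or its revocation status could not be established at all.
    static readonly X509ChainStatusFlags FatalFlags =
        X509ChainStatusFlags.Revoked |
        X509ChainStatusFlags.RevocationStatusUnknown |
        X509ChainStatusFlags.OfflineRevocation;

    // Returns true only when the chain builds to a trusted root and every
    // revocation check came back with a definite "not revoked".
    public static bool IsAcceptable(X509Certificate2 certificate, out string report)
    {
        using (var chain = new X509Chain())
        {
            // Same intent as options.RevocationMode = X509RevocationMode.Online above:
            // fetch the CRL or OCSP response for the whole chain, with a bounded timeout.
            chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
            chain.ChainPolicy.RevocationFlag = X509RevocationFlag.EntireChain;
            chain.ChainPolicy.UrlRetrievalTimeout = TimeSpan.FromSeconds(15);
            chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;

            bool built = chain.Build(certificate);

            // Every chain status element carries the reason the platform recorded.
            var lines = chain.ChainStatus.Select(s => $"{s.Status}: {s.StatusInformation.Trim()}");
            report = built && chain.ChainStatus.Length == 0
                ? "chain OK, revocation checked and clear"
                : string.Join(Environment.NewLine, lines);

            // Build() already fails on any recorded status with NoFlag, but checking the
            // revocation-related flags explicitly documents the policy being enforced.
            bool hasFatal = chain.ChainStatus.Any(s => (s.Status & FatalFlags) != 0);
            return built && !hasFatal;
        }
    }

    static int Main(string[] args)
    {
        if (args.Length != 1)
        {
            Console.Error.WriteLine("usage: RevocationProbe <certificate.cer>");
            return 2;
        }

        // Loads a DER or PEM encoded certificate from disk (public part only is needed).
        using (var cert = new X509Certificate2(File.ReadAllBytes(args[0])))
        {
            bool ok = IsAcceptable(cert, out string report);
            Console.WriteLine($"Subject : {cert.Subject}");
            Console.WriteLine($"Issuer  : {cert.Issuer}");
            Console.WriteLine($"Result  : {(ok ? "ACCEPT" : "REJECT")}");
            Console.WriteLine(report);
            return ok ? 0 : 1;
        }
    }
}
```

Because Windows caches fetched CRLs and OCSP responses, a certificate revoked after the first run can still report ACCEPT until the cached response expires; clearing the URL cache with certutil (for example `certutil -urlcache * delete`) or running `certutil -verify -urlfetch <certificate.cer>` shows the fresh fetch. Treating RevocationStatusUnknown and OfflineRevocation as failures is the conservative choice: a chain whose revocation status cannot be determined gives no assurance that the certificate is still valid.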

@joaco-espinosa
Author

For some reason, it wasn't working when using IIS Express. I'm using IIS full and it works correctly.

Thanks for the certutil suggestion, I'll take a look at it.

@blowdart
Owner

Honestly, the behaviour of Windows and Schannel is a black box to me, and I suggest everyone treats it like that and just assumes it eventually works :)
