Update CRL revocation certificate check with information about CRL handling (#131)
lubomirw authored Feb 2, 2024
1 parent cb85b4a commit a8d5255
Showing 1 changed file with 31 additions and 11 deletions.
@@ -199,15 +199,15 @@ Certificate validation algorithm consists of different validation check types. `

The following validation checks are performed for `Certificate`:

| # | Validation check | Description | Result |
|---|------------------------|--------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 1 | Certificate chain | Check the completeness of chain (certificate validation path) and validity of issuer certificate | <span class="badge badge--success">SUCCESS</span> if chain is complete.<br/><span class="badge badge--danger">FAILED</span> if certificate in validation path is missing or issuer certificate is invalid or revoked. |
| 2 | Signature verification | Check the signature of `Certificate` using public key of the issuer certificate. | <span class="badge badge--secondary">NOT CHECKED</span> if issuer is missing.<br/><span class="badge badge--success">SUCCESS</span> if signature verified.<br/><span class="badge badge--danger">FAILED</span> if verification fails. |
| 3 | Certificate validity | Check certificate validity based on `notBefore` and `notAfter` dates of the certificate. | <span class="badge badge--secondary">INACTIVE</span> in case `notBefore` >= current date.<br/><span class="badge badge--danger">EXPIRED</span> in case `notAfter` \<= current date.<br/><span class="badge badge--warning">EXPIRING</span> in case the `notAfter` is less than 30 days from current date.<br/><span class="badge badge--success">SUCCESS</span> if `notBefore` < current date. |
| 4 | OCSP check | Check status using OCSP URL available in the certificate extension `AuthorityInformationAccess`. | <span class="badge badge--secondary">NOT CHECKED</span> if issuer is missing.<br/><span class="badge badge--warning">WARNING</span> if OCSP URL is not available or failed to check status.<br/><span class="badge badge--success">SUCCESS</span> if OCSP returns `good`.<br/><span class="badge badge--danger">REVOKED</span> if the OCSP return `revoked`. |
| 5 | CRL check | Check status using CRL USL available in the certificate attribute `CRLDistributionPoints`. | <span class="badge badge--secondary">NOT CHECKED</span> if issuer is missing.<br/><span class="badge badge--warning">WARNING</span> if CRL URL is not available or failed to check status.<br/><span class="badge badge--success">SUCCESS</span> in case CRL is available, valid, and the certificate is not on the list.<br/><span class="badge badge--danger">REVOKED</span> in case CRL is available, valid, and the certificate is on the list. |
| 6 | Basic Constraints | Check the basic constraints if extension is present. | <span class="badge badge--danger">FAILED</span> if certificate is version 3, not end certificate and does not have CA flag set.<br/><span class="badge badge--warning">WARNING</span> if cannot check if certificate is CA or path length is greater than its issuer.<br/><span class="badge badge--success">SUCCESS</span> otherwise. |
| 7 | Certificate Key Usage | Check if certificate key can be used to verify signatures. Applicable for CA certificates. | <span class="badge badge--secondary">NOT CHECKED</span> if certificate is not CA.<br/><span class="badge badge--success">SUCCESS</span> if certificate has `keyCertSign` bit set in key usage extension.<br/><span class="badge badge--danger">FAILED</span> otherwise. |
| # | Validation check | Description | Result |
|---|------------------------|---------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 1 | Certificate chain | Check the completeness of chain (certificate validation path) and validity of issuer certificate | <span class="badge badge--success">VALID</span> if chain is complete.<br/><span class="badge badge--danger">INVALID</span> if certificate in validation path is missing or issuer certificate is invalid or revoked. |
| 2 | Signature verification | Check the signature of `Certificate` using public key of the issuer certificate. | <span class="badge badge--secondary">NOT CHECKED</span> if issuer is missing.<br/><span class="badge badge--success">VALID</span> if signature verified.<br/><span class="badge badge--danger">FAILED</span> if verification fails. |
| 3 | Certificate validity | Check certificate validity based on `notBefore` and `notAfter` dates of the certificate. | <span class="badge badge--secondary">INACTIVE</span> in case `notBefore` >= current date.<br/><span class="badge badge--danger">EXPIRED</span> in case `notAfter` \<= current date.<br/><span class="badge badge--warning">EXPIRING</span> in case the `notAfter` is less than 30 days from current date.<br/><span class="badge badge--success">VALID</span> if `notBefore` < current date. |
| 4 | OCSP check | Check status using OCSP URL available in the certificate extension `AuthorityInformationAccess`. | <span class="badge badge--secondary">NOT CHECKED</span> if issuer is missing or certificate does not contain AIA extension or OCSP URL is not present.<br/><span class="badge badge--danger">FAILED</span> if not possible to retrieve OCSP URL or valid content from URL.<br /><span class="badge badge--success">VALID</span> if OCSP returns `good`.<br/><span class="badge badge--danger">REVOKED</span> if the OCSP return `revoked`. |
| 5 | CRL check | Check status using CRL URL available in the certificate attribute `CRLDistributionPoints` or from CRL stored in database. | <span class="badge badge--secondary">NOT CHECKED</span> if issuer is missing or certificate does not contain its extension.<br/><span class="badge badge--success">VALID</span> in case CRL is available, valid, and the certificate is not on the list.<br/><span class="badge badge--danger">REVOKED</span> in case CRL is available, valid, and the certificate is on the list. |
| 6 | Basic Constraints | Check the basic constraints if extension is present. | <span class="badge badge--danger">INVALID</span> if certificate is version 3, not end certificate and does not have CA flag set or path length is greater than its issuer.<br/><span class="badge badge--danger">FAILED</span> if cannot check if certificate is CA (not version 3)<br/><span class="badge badge--success">VALID</span> otherwise. |
| 7 | Certificate Key Usage | Check if certificate key can be used to verify signatures. Applicable for CA certificates. | <span class="badge badge--secondary">NOT CHECKED</span> if certificate is not CA.<br/><span class="badge badge--success">VALID</span> if certificate has `keyCertSign` bit set in key usage extension.<br/><span class="badge badge--danger">INVALID</span> otherwise. |

The above is true for a single `Certificate`, but all certificates in the certificate chain are validated the same way.

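Review bot: The updated CRL check row (row 5) lists no outcome for a CRL that cannot be downloaded or parsed, although the previous version had `WARNING if CRL URL is not available or failed to check status` and the new CRL handling section below describes conditions that make the revocation check FAILED (delta CRL issuer mismatch, stale base CRL after re-download). Add a FAILED line to the Result column, e.g. `<span class="badge badge--danger">FAILED</span> if the CRL cannot be retrieved or validated, or the delta CRL does not match the stored base CRL`, so the table and the algorithm agree; without it a reader may assume an unreachable CRL silently passes. Also `certificate does not contain its extension` should name the extension (`cRLDistributionPoints`), and row 4 now says NOT CHECKED when the OCSP URL is not present but FAILED `if not possible to retrieve OCSP URL`, which overlaps; `FAILED if the OCSP responder cannot be reached or returns an invalid response` would be unambiguous. Finally, the status vocabulary is mixed within the new table: row 1 uses VALID/INVALID while row 2 uses VALID/FAILED; pick one convention per check type and use the same names in the result calculation below.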
@@ -223,8 +223,8 @@ Calculation of result status is as follows:
start
if (chain check SUCCESS?) then (yes)
if (signature check SUCCESS?) then (yes)
if (chain check VALID?) then (yes)
if (signature check VALID?) then (yes)
if (validity check INACTIVE or EXPIRED?) then (yes)
if (OCSP or CRL check REVOKED?) then (yes)
if (validity check EXPIRING?) then (yes)
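Review bot: Renaming the two conditions to `chain check VALID?` and `signature check VALID?` matches the new table, but the flow still branches on the OCSP and CRL checks only for REVOKED, while the table now defines a FAILED result for the OCSP check and the CRL handling section introduces FAILED for delta CRL issuer and base CRL number mismatches. Add a branch (or a sentence in the `Calculation of result status` text) stating which overall status a FAILED OCSP or CRL check produces; otherwise readers cannot derive the result for the very case the document calls out as a failure.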
@@ -250,6 +250,26 @@ stop
@enduml
```

### Certificate revocation lists handling

When validating certificate and checking for revocation by existence of certificate in authority CRL, whole CRL needs to be downloaded and processed.
To prevent downloading CRL each time when doing revocation validation check (even multiple times when certificates are issued by same authority), CRL and its entries are stored in database.

When certificate is checked for revocation:
- check if `cRLDistributionPoints` extension is set, if not we do not check CRL revocation and check result is <span class="badge badge--secondary">NOT CHECKED</span>
- check if exists CRL in database by certificate issuer DN and issuer serial number, if does not exist or current UTC time is past its `Next Update` timestamp, download it from CRL URL, process it and store its all entries in DB.
- update CRL information - CRL number, next update timestamp and last revocation date from last processed entry
- check if certificate has `freshestCRL` extension present and using delta CRL ([more info in RFC](https://datatracker.ietf.org/doc/html/rfc5280#section-5.2.4)). If yes, process as follows:
- check in CRL if last processed delta is still valid by its `Next update` timestamp
- if not valid or not set, download delta CRL and check its validity (compare CRL issuer with issuer stored in CRL entity). If they are not same, revocation check is <span class="badge badge--danger">FAILED</span>.
- if DeltaCRLIndicator base CRL number is not equal to one from CRL entity, redownload full CRL (new one was probably published), if received again old one, revocation check is <span class="badge badge--danger">FAILED</span>.
- if delta CRL number is greater than one in DB entity, process its entries which revocation date is >= revocation date of last processed entry. Update entries in following manner:
- when entry by serial number is not present, add new one
- when entry by serial number is present, probably reason changed so update its revocation reason and date
- when entry by serial number is present and revocation reason is `REMOVE_FROM_CRL`, remove this entry
- update delta CRL information - CRL number, next update timestamp and last revocation date from last processed entry
- CRL is updated with newest entries and certificate can be searched in its entries by serial number

## Attributes

`Certificate` attributes hold information related to the platform. Once a certificate request is submitted platform creates the `Certificate` with a specific identification, defines certificate type, and assigns validity status. `Certificate` attributes also include connection to the other part of platform components.
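Review bot: The step `check if exists CRL in database by certificate issuer DN and issuer serial number` never says that a downloaded CRL (or delta CRL) has its signature verified against the issuer certificate's public key before its entries are stored; the delta step compares only the issuer name. Because the entries are cached and reused for every certificate from that issuer, state explicitly that the CRL signature is verified and that an unverifiable CRL makes the check FAILED, since unverified content from the distribution point would otherwise be trusted for the whole cache lifetime. Two further points: `issuer serial number` is ambiguous (serial number of the issuer certificate, or of the CRL?), and filtering delta entries by `revocation date >= revocation date of last processed entry` can skip entries, because RFC 5280 sequences delta processing by CRL number rather than by revocation date, and a delta may carry an entry whose revocation date is earlier than the last entry already processed (for example a back-dated revocation or a `REMOVE_FROM_CRL` entry). Applying every entry of a delta whose CRL number is newer than the stored one avoids this. Minor wording: `store its all entries` should read `store all its entries`, and `check if exists CRL in database` should read `check whether a CRL exists in the database`.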

0 comments on commit a8d5255
