[Mono-dev] CRL Checking

Alex Mason Alex.Mason at DI-International.com
Wed Aug 19 09:07:13 EDT 2009 

I'm attempting to use the Mono store system to store CRL files as part of a manual implementation of online CRL checking with X509Chain.Build(). Whereas X509Crl is an open object, Mono.Security.X509.X509Store has no public constructor, and seemingly no way to instantiate it or access it directly from a user program. This class contains the Import function for CRLs, although as far as I can tell it isn't called anywhere else within Mono.

At the moment I've implemented the online check by generating a chain, walking the elements and manually fetching the certificates, writing them to the correct file name for the CRL so they can be picked up by X509Chain.FindCrl

Obviously it's be useful to have some way to access the Mono X509Store instead of relying on these hacks. I've not that familiar with the codebase, but if I'm not mistaken there's currently no way, and so I was thinking maybe it's possible to provide a public constructor for the store, or some system to allow importing and retrieval of CRLs?

On another note, I noticed X509Crl.Parse() assumes an unencoded format for CRLs, although upon downloading a few test ones I realised quite a few come base64 encoded, so I created the following function, based on Mono.Security.X509. X509Certificate.PEM

        private static byte[] _DecodeCrlBase64(byte[] data)
        {
            string crl = Encoding.ASCII.GetString(data);

            string header = String.Format("-----BEGIN {0}-----", "X509 CRL");
            int start = crl.IndexOf(header) + header.Length;

            if (start - header.Length == -1)
                return data;

            string footer = String.Format("-----END {0}-----", "X509 CRL");
            int end = crl.IndexOf(footer, start);

            string base64 = crl.Substring(start, (end - start));
            return Convert.FromBase64String(base64);
        }


I also had troubles with FindCrl, mainly:

        if ((ski.Length == 0) || (ski == GetAuthorityKeyIdentifier (crl)))
     return crl;

this line seems to impose a mandatory Authority Key Identifier (2.5.29.35) check. According to http://www.redhat.com/docs/manuals/cert-system/admin/7.1/app_ext.html this extension is non-critical and "If this extension is not present, then the issuer name alone is used to identify the issuer certificate.".

Hence, I believe the check should be optional, replacing the above line in both places with something along the lines of:

        string aki = GetAuthorityKeyIdentifier (crl);

        if ((ski.Length == 0) || (String.IsNullOrEmpty(aki) || ski == aki))
            return crl;

I haven't got any real functional knowledge of the theory behind the CRL checks, apart from checking the related RFCs, specs and general internet resources. However, I would like to contribute with this, and it'd be great to get online CRL checking working in a future release of Mono, as well as opening up the functionality for dealing with CRLs in the store. I know on top of just downloading if not found, there should be some checking to ensure CRls are updated should they be found to be out of date, although I don't know if this should occur in the X509Chain.Build method or not.

Hopefully someone more knowledge can give advice on how best to go about all of this.

Thanks,

Alex Mason





-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.ximian.com/pipermail/mono-devel-list/attachments/20090819/a0d988b6/attachment.html

More information about the Mono-devel-list mailing list