
I'm testing that an x509 certificate can be correctly determined to be revoked. I'm taking the cert from https://revoked.badssl.com and verifying it via certutil. When my system is online, it seems to pull the CRL and determine that it is revoked. I see an entry in the certutil -urlcache.

Here's the output of certutil -verify [revoked_cert.cer], when online:

ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwErrorStatus = CERT_TRUST_IS_REVOKED (0x4)

SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_REVOKED (0x4)

....
Full chain:
  Chain: f3abff8a2fe49d17c13f351a4bfc8d10d86d5f59
  Issuer: CN=DigiCert SHA2 Secure Server CA, O=DigiCert Inc, C=US
  NotBefore: 9/1/2016 7:00 PM
  NotAfter: 9/11/2019 7:00 AM
  Subject: CN=revoked.badssl.com, O=Lucas Garron, L=Walnut Creek, S=California, C=US
  Serial: 01af1efbdd5eae0952320b24fe6b5568
  SubjectAltName: DNS Name=revoked.badssl.com
  Cert: 3e8ab453b8cf62f0bd0240739aab815a170b08f0
The certificate is revoked. 0x80092010 (-2146885616 CRYPT_E_REVOKED)
------------------------------------
Certificate is REVOKED
Cert is an End Entity certificate
Leaf certificate is REVOKED (Reason=0)

If I clear the cache via certutil -urlcache * delete and take my system offline, certutil still says that the cert is revoked. Here's the output when offline:

ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
ChainContext.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
ChainContext.dwErrorStatus = CERT_TRUST_IS_PARTIAL_CHAIN (0x10000)
SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_PARTIAL_CHAIN (0x10000)

...
Exclude leaf cert:
  Chain: da39a3ee5e6b4b0d3255bfef95601890afd80709
Full chain:
  Chain: 3e8ab453b8cf62f0bd0240739aab815a170b08f0
Missing Issuer: CN=DigiCert SHA2 Secure Server CA, O=DigiCert Inc, C=US
  Issuer: CN=DigiCert SHA2 Secure Server CA, O=DigiCert Inc, C=US
  NotBefore: 9/1/2016 7:00 PM
  NotAfter: 9/11/2019 7:00 AM
  Subject: CN=revoked.badssl.com, O=Lucas Garron, L=Walnut Creek, S=California, C=US
  Serial: 01af1efbdd5eae0952320b24fe6b5568
  SubjectAltName: DNS Name=revoked.badssl.com
  Cert: 3e8ab453b8cf62f0bd0240739aab815a170b08f0
A certificate chain could not be built to a trusted root authority. 0x800b010a (-2146762486 CERT_E_CHAINING)
------------------------------------
Incomplete certificate chain
Cannot find certificate:
    CN=DigiCert SHA2 Secure Server CA, O=DigiCert Inc, C=US
Cert is an End Entity certificate
Leaf certificate is REVOKED (Reason=0)
CertUtil: -verify command completed successfully.

So, while it couldn't get the root CA when I was offline, it still somehow knew that the cert was revoked.

How does Windows think this is true if the CRL cache has been cleared? Where does it get this information?

  • If you open MMC, add snap-in, Certificates, Computer account and go to Intermediate Certificate Authorities\Certificate Revocation List is the list, perhaps, there? (I don't see a way to make certutil print that) – bartonjs Mar 08 '19 at 16:32
  • @bartonjs Thanks. I see only a VeriSign Revoke list there, and it has 3 entries. Their serial numbers don't match the one I'm testing with, and they're all revoked in the 2000 / 2001 timeframe – Stealth Rabbi Mar 08 '19 at 16:53
  • Weird. Maybe reboot and run the command with Process Monitor running, it might show some cache being spun up. (And if the reboot made it say "unknown" then there might be a shared memory cache somewhere). – bartonjs Mar 08 '19 at 17:48
  • That was a good tip. I saw certutil was looking in C:\Users\StealthRabbi\AppData\Local\Entrust\ESP\, and there's all sorts of OCSP and CRL caches in there that don't show up by calling certutil -urlcache. I tried renaming/removing them, but Entrust seems to maintain its own cache of some kind and inject it into the OS processing. Sure enough, those revoked certs appear in the massive CRL it provides. – Stealth Rabbi Mar 08 '19 at 19:41
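A scripted version of the two certutil runs above, added here as an example and not part of the question or its comments. It builds the chain with .NET's X509Chain (which wraps the same CryptoAPI chain engine certutil uses), once allowing network retrieval and once in cache-only mode, and reports a verdict that separates "positively revoked" (CERT_TRUST_IS_REVOKED) from "could not check" (CERT_TRUST_REVOCATION_STATUS_UNKNOWN / CERT_TRUST_IS_OFFLINE_REVOCATION). If the cache-only run still says REVOKED after certutil -urlcache * delete, something other than the CryptoAPI URL cache served the CRL, which is what the commenter traced to a third-party provider's cache. The certificate path .\revoked_cert.cer is an assumed placeholder, and the %LOCALAPPDATA%\Entrust\ESP check is derived from the directory named in the last comment.

```powershell
using namespace System.Security.Cryptography.X509Certificates

# Added example (not the question author's or any vendor's code). Assumes Windows
# PowerShell 5.1 and a DER/PEM copy of the leaf at the path below (placeholder).
param(
    [string]$CertPath = '.\revoked_cert.cer'
)

function Get-RevocationVerdict {
    param(
        [X509Certificate2]$Cert,
        [X509RevocationMode]$Mode   # Online = may fetch CRL/OCSP; Offline = cached data only
    )

    $chain = [X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = $Mode
    # Same scope as the ChainFlags line in the certutil output (exclude the root).
    $chain.ChainPolicy.RevocationFlag = [X509RevocationFlag]::ExcludeRoot
    $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)

    $null = $chain.Build($Cert)   # success/failure is captured by the status flags below

    # Each ChainStatus entry carries one flag; an empty list means a clean chain.
    $statuses = @($chain.ChainStatus | ForEach-Object { $_.Status })

    # Revoked is positive evidence and wins even when the chain is partial (as in the
    # offline certutil run above). Unknown/Offline means "not verified", never "good".
    $verdict = if ($statuses -contains [X509ChainStatusFlags]::Revoked) {
        'REVOKED'
    } elseif ($statuses -contains [X509ChainStatusFlags]::RevocationStatusUnknown -or
              $statuses -contains [X509ChainStatusFlags]::OfflineRevocation) {
        'UNKNOWN'
    } else {
        'NOT-REVOKED'
    }

    [pscustomobject]@{
        Mode    = $Mode
        Verdict = $verdict
        Flags   = ($statuses -join ', ')
        Details = (($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; ')
    }
}

$cert = [X509Certificate2]::new($CertPath)
"Subject: $($cert.Subject)"
"Serial : $($cert.SerialNumber)"

# Online first, then cache-only. A REVOKED verdict in Offline mode right after
# 'certutil -urlcache * delete' means a cache other than the URL cache is in play.
foreach ($mode in [X509RevocationMode]::Online, [X509RevocationMode]::Offline) {
    Get-RevocationVerdict -Cert $cert -Mode $mode | Format-List
}

# The commenter found the extra source under a third-party provider's own directory
# (%LOCALAPPDATA%\Entrust\ESP). Report whether such a directory exists on this machine
# so the cache-only result can be explained; the path is taken from that comment.
$thirdPartyCache = Join-Path $env:LOCALAPPDATA 'Entrust\ESP'
if (Test-Path $thirdPartyCache) {
    "Third-party revocation cache present: $thirdPartyCache"
    Get-ChildItem -Path $thirdPartyCache -Recurse -File |
        Select-Object FullName, Length, LastWriteTime |
        Format-Table -AutoSize
} else {
    "No third-party revocation cache found at $thirdPartyCache"
}
```

Run it as `.\Check-Revocation.ps1 -CertPath .\revoked_cert.cer` (script name assumed). The useful signal for the question is the Offline row: with the URL cache emptied, a REVOKED verdict there can only come from a CRL or OCSP response that some other component still holds locally.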
