I'm testing that an x509 certificate can be correctly determined to be revoked. I'm taking the cert from https://revoked.badssl.com and verifying it via certutil. When my system is online, it seems to pull the CRL and determine that it is revoked. I see an entry in the cerutil -urlcache
.
Here's the output of certutil -verify [revoked_cert.cer], when online:
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwErrorStatus = CERT_TRUST_IS_REVOKED (0x4)
SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_REVOKED (0x4)
....
Full chain:
Chain: f3abff8a2fe49d17c13f351a4bfc8d10d86d5f59
Issuer: CN=DigiCert SHA2 Secure Server CA, O=DigiCert Inc, C=US
NotBefore: 9/1/2016 7:00 PM
NotAfter: 9/11/2019 7:00 AM
Subject: CN=revoked.badssl.com, O=Lucas Garron, L=Walnut Creek, S=California, C=US
Serial: 01af1efbdd5eae0952320b24fe6b5568
SubjectAltName: DNS Name=revoked.badssl.com
Cert: 3e8ab453b8cf62f0bd0240739aab815a170b08f0
The certificate is revoked. 0x80092010 (-2146885616 CRYPT_E_REVOKED)
------------------------------------
Certificate is REVOKED
Cert is an End Entity certificate
Leaf certificate is REVOKED (Reason=0)
If I clear the cache via certutil -urlcache * delete
, take my system offline, certutil still says that the cert is revoked. Here's the output when offline:
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
ChainContext.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
ChainContext.dwErrorStatus = CERT_TRUST_IS_PARTIAL_CHAIN (0x10000)
SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_PARTIAL_CHAIN (0x10000)
...
Exclude leaf cert:
Chain: da39a3ee5e6b4b0d3255bfef95601890afd80709
Full chain:
Chain: 3e8ab453b8cf62f0bd0240739aab815a170b08f0
Missing Issuer: CN=DigiCert SHA2 Secure Server CA, O=DigiCert Inc, C=US
Issuer: CN=DigiCert SHA2 Secure Server CA, O=DigiCert Inc, C=US
NotBefore: 9/1/2016 7:00 PM
NotAfter: 9/11/2019 7:00 AM
Subject: CN=revoked.badssl.com, O=Lucas Garron, L=Walnut Creek, S=California, C=US
Serial: 01af1efbdd5eae0952320b24fe6b5568
SubjectAltName: DNS Name=revoked.badssl.com
Cert: 3e8ab453b8cf62f0bd0240739aab815a170b08f0
A certificate chain could not be built to a trusted root authority. 0x800b010a (-2146762486 CERT_E_CHAINING)
------------------------------------
Incomplete certificate chain
Cannot find certificate:
CN=DigiCert SHA2 Secure Server CA, O=DigiCert Inc, C=US
Cert is an End Entity certificate
Leaf certificate is REVOKED (Reason=0)
CertUtil: -verify command completed successfully.
So, while it couldn't get the root CA when I was offline, it still somehow knew that the cert was revoked.
How does windows think this is true, if the CRL cache has been cleared. Where does it get this information?