6 replies Latest Post - 2012-10-31T07:49:12Z by SystemAdmin
SystemAdmin
6772 Posts

Is it possible to parse a CRL (certificate revocation list) file in DataPower

2012-10-27T12:13:45Z
Hi,

Is there a way to parse CRL files in DataPower? We are trying to validate certificates using the signer's CRL dynamically.
Since we do not know the CAs upfront, we are not going with the CRL retrieval policy route.

The use case is to download the CRL (the location of the CRL is present in the incoming certificate) and then look for the serial number of the incoming cert in the CRL file.

Thanks in advance.

Regards
Noopur
Updated on 2012-10-31T07:49:12Z by SystemAdmin
  • inestlerode
    166 Posts

    Re: Is it possible to parse a CRL (certificate revocation list) file in DataPower

    2012-10-28T15:06:08Z  in response to SystemAdmin
    Currently the only support for CRLs is to configure the fetch points statically under CRL retrieval. Dynamic fetching and/or parsing of CRLs is not supported currently.
    • SystemAdmin
      6772 Posts

      Re: Is it possible to parse a CRL (certificate revocation list) file in DataPower

      2012-10-29T05:23:12Z  in response to inestlerode
      Hi Ivan,

      How about building an FFD file or WTX map file to use as a workaround.
      Would that path be very complex, or is it manageable? Has anyone tried this in the past?
      I guess the CRL file structure is pretty much standard.

      Please do let me know your thoughts on this.
      • HermannSW
        4320 Posts

        Re: Is it possible to parse a CRL (certificate revocation list) file in DataPower

        2012-10-29T18:47:07Z  in response to SystemAdmin
        Hi,
        >
        > How about building an FFD file or WTX map file to use as a workaround.
        > Would that path be very complex, or is it manageable? Has anyone tried this in the past?
        > I guess the CRL file structure is pretty much standard.
        >
        the appendices of the spec show that a CRL is encoded as ASN.1 structures:
        http://www.ietf.org/rfc/rfc3280.txt

        XSLT is Turing complete, as mentioned in the Examples section.
        Therefore you can program anything in XSLT.
        But from what I see in the spec it will not be an easy task ...

        Hermann<myXsltBlog/> <myXsltTweets/>
        • SystemAdmin
          6772 Posts

          Re: Is it possible to parse a CRL (certificate revocation list) file in DataPower

          2012-10-30T05:42:14Z  in response to HermannSW
          Thanks a lot, Hermann. Let me give it a try to build the XSL for this. I will keep this forum updated with my findings.
      • inestlerode
        166 Posts

        Re: Is it possible to parse a CRL (certificate revocation list) file in DataPower

        2012-10-30T15:29:27Z  in response to SystemAdmin
        Regardless of whether the CRL format is standard (it is), you are not going to be able to do anything useful with it via FFD or WTX. Ultimately you will have to verify a digital signature on it before it can be used, which is not possible from FFD or WTX (our crypto capability is only callable from XSLT). Also, the valcred certificate validation code only knows to use the standard CRL cache (from the statically configured CRL retrieval points), and it would not know to use some hand-parsed CRL from FFD or WTX.

        This use case is probably insecure. If you do not know at config time which CRL sources you are using, you probably don't know which CAs are involved either. Adding trusted root CA certificates dynamically opens you up to attack.
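As an added example that is not part of this thread and not DataPower code, here is the parsing half of Hermann's suggestion done in Python rather than XSLT: a walk over the RFC 3280 CertificateList DER structure that pulls out the revoked serial numbers, run against a constructed sample CRL built inline (the issuer name, serials and signature bytes are made up). It stops exactly where Ivan's point begins: the serials mean nothing until the CRL's signature has been verified against the issuer's certificate, which this block does not attempt.

```python
# Added example, not from the thread or from DataPower: a minimal DER walk over the
# RFC 3280 CertificateList structure that collects the revoked serial numbers. The list
# must not be trusted until its signatureValue is verified against the issuer (not done here).

def der_tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    """Split the content of a SEQUENCE or SET into its (tag, value) elements."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_tlv(value, pos)
        out.append((tag, val))
    return out

def revoked_serials(crl_der):
    """Return the serial numbers in TBSCertList.revokedCertificates as a set."""
    tag, cert_list, _ = der_tlv(crl_der, 0)
    if tag != 0x30:
        raise ValueError("CertificateList must be a SEQUENCE")
    fields = der_children(der_children(cert_list)[0][1])  # tbsCertList members
    i = 1 if fields[0][0] == 0x02 else 0  # optional version INTEGER
    i += 3  # skip signature AlgorithmIdentifier, issuer Name, thisUpdate
    if i < len(fields) and fields[i][0] in (0x17, 0x18):  # optional nextUpdate
        i += 1
    if i >= len(fields) or fields[i][0] != 0x30:  # absent, or only [0] crlExtensions
        return set()
    return {int.from_bytes(der_children(e)[0][1], "big", signed=True)
            for _, e in der_children(fields[i][1])}

# Constructed sample CRL (not a real CA's data; the signature bits are a placeholder).
def der(tag, content):  # tiny DER encoder used only to build the sample
    n = len(content)
    if n < 128:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content
def der_int(v):
    return der(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))
UTC = der(0x17, b"121027120000Z")
ALG = der(0x30, bytes.fromhex("06092a864886f70d01010b") + der(0x05, b""))  # sha256WithRSA
ISSUER = der(0x30, der(0x31, der(0x30, bytes.fromhex("0603550403") + der(0x0C, b"Example CA"))))
entry = lambda serial: der(0x30, der_int(serial) + UTC)
TBS = der(0x30, der_int(1) + ALG + ISSUER + UTC + UTC + der(0x30, entry(0x1001) + entry(0x2A)))
SAMPLE_CRL = der(0x30, TBS + ALG + der(0x03, b"\x00" + b"\xAB" * 32))
```

Checking an incoming certificate's serial is then `serial in revoked_serials(crl_der)`; the sample deliberately exceeds 127 bytes so the long-form length path is exercised.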
        • SystemAdmin
          6772 Posts

          Re: Is it possible to parse a CRL (certificate revocation list) file in DataPower

          2012-10-31T07:49:12Z  in response to inestlerode
          Hi Ivan,

          You are absolutely correct.

          Let me explain my end to end Use case.

          There is an existing ESB application (Java based). This app will receive a signed (custom signature) request and will ONLY validate the certificate status, then forward the message to the downstream application. Back-end apps will take care of data processing and signature verification.
          There is a performance bottleneck in the current ESB implementation. It's taking a pretty long time during peak hours. So we were looking for alternatives here.

          As DataPower processing is wire speed, we are exploring whether we can achieve this in DataPower to overcome the performance bottleneck in the ESB app.