Topic
  • 6 replies
  • Latest Post - ‏2012-10-31T07:49:12Z by SystemAdmin
SystemAdmin

Pinned topic: Is it possible to parse a CRL (certificate revocation list) file in DataPower?

2012-10-27T12:13:45Z
Hi,

Is there a way to parse CRL files in DataPower? We are trying to validate certificates dynamically using the signer's CRL.
Since we do not know the CAs upfront, we are not going with the CRL retrieval policy route.

The use case is to download the CRL (the CRL location is present in the incoming certificate) and then look for the incoming cert's serial number in the CRL file.

Thanks in advance.

Regards
Noopur
  • inestlerode

    Re: Is it possible to parse a CRL (certificate revocation list) file in DataPower?

    2012-10-28T15:06:08Z
    Currently the only support for CRLs is to configure the fetch points statically under CRL retrieval. Dynamic fetching and/or parsing of CRLs is not supported currently.
  • SystemAdmin

    Re: Is it possible to parse a CRL (certificate revocation list) file in DataPower?

    2012-10-29T05:23:12Z
    Hi Ivan,

    How about building an FFD file or a WTX map file to use as a workaround?
    Would that path be very complex, or could it be manageable? Has anyone tried this in the past?
    I guess the CRL file structure is pretty much standard.

    Please do let me know your thoughts on this.
  • HermannSW

    Re: Is it possible to parse a CRL (certificate revocation list) file in DataPower?

    2012-10-29T18:47:07Z
    Hi,
    >
    > How about building an FFD file or a WTX map file to use as a workaround?
    > Would that path be very complex, or could it be manageable? Has anyone tried this in the past?
    > I guess the CRL file structure is pretty much standard.
    >
    the appendices of the spec show that a CRL is encoded as ASN.1 structures:
    http://www.ietf.org/rfc/rfc3280.txt

    XSLT is Turing complete, as mentioned in the Examples section.
    Therefore you can program anything in XSLT.
    But from what I see in the spec it will not be an easy task ...

    Hermann<myXsltBlog/> <myXsltTweets/>
  • SystemAdmin

    Re: Is it possible to parse a CRL (certificate revocation list) file in DataPower?

    2012-10-30T05:42:14Z
    Thanks a lot Hermann. Let me give it a try to build the XSL for this. I will keep this forum updated with my findings.
  • inestlerode

    Re: Is it possible to parse a CRL (certificate revocation list) file in DataPower?

    2012-10-30T15:29:27Z
    Regardless of whether the CRL format is standard (it is), you are not going to be able to do anything useful with it via FFD or WTX. Ultimately you will have to verify a digital signature on it before it can be used, which is not possible from FFD or WTX (our crypto capability is only callable from XSLT). Also, the valcred certificate validation code only knows to use the standard CRL cache (from the statically configured CRL retrieval points), and it would not know to use some hand-parsed CRL from FFD or WTX.

    This use case is probably insecure. If you do not know at config time which CRL sources you are using, you probably don't know which CAs are involved either. Adding trusted root CA certificates dynamically opens you up to attack.
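To make Hermann's "ASN.1 structures" remark and Ivan's point about the signature concrete, here is an added example that is not from this thread or from DataPower, written in Python rather than XSLT: a minimal DER walker that follows the RFC 3280 CertificateList / TBSCertList layout down to revokedCertificates and collects the serial numbers. The CRL bytes, the "Example CA" issuer and the serials are constructed sample data, and the signatureValue is a placeholder, so the list it returns is untrusted until the signature has been verified against the issuer's key.

```python
"""Walk the DER structure of an X.509 CRL (RFC 3280 section 5) and list the revoked serials."""

def read_tlv(buf, pos):
    """Decode one DER element at buf[pos]; return (tag, contents, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(contents):
    """Split a constructed element's contents into its child (tag, contents) pairs."""
    out, pos = [], 0
    while pos < len(contents):
        tag, value, pos = read_tlv(contents, pos)
        out.append((tag, value))
    return out

def revoked_serials(crl_der):
    """Return the set of serial numbers in the CRL's revokedCertificates list.
    Structure only: a caller must verify signatureValue with the issuer's key before trusting it."""
    _, cert_list, _ = read_tlv(crl_der, 0)          # CertificateList SEQUENCE
    _, tbs, _ = read_tlv(cert_list, 0)              # tbsCertList; signatureAlgorithm and signatureValue follow it
    fields = children(tbs)
    if fields[0][0] == 0x02:                        # optional version INTEGER
        fields = fields[1:]
    fields = fields[2:]                             # skip signature AlgorithmIdentifier and issuer Name
    while fields and fields[0][0] in (0x17, 0x18):  # thisUpdate, optional nextUpdate (UTCTime / GeneralizedTime)
        fields = fields[1:]
    if not fields or fields[0][0] != 0x30:          # no revokedCertificates SEQUENCE: nothing revoked
        return set()
    # each entry is SEQUENCE { userCertificate INTEGER, revocationDate Time, crlEntryExtensions OPTIONAL }
    return {int.from_bytes(read_tlv(entry, 0)[1], "big", signed=True)
            for _, entry in children(fields[0][1])}

def tlv(tag, payload):
    """DER-encode one element (used only to build the constructed sample below)."""
    if len(payload) < 0x80:
        return bytes([tag, len(payload)]) + payload
    lb = len(payload).to_bytes((len(payload).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

def sample_crl():
    """Constructed sample CRL (dummy signature bytes) revoking serials 0x1001 and 0x1002."""
    alg = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b")))       # sha256WithRSAEncryption OID
    issuer = tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x13, b"Example CA"))))
    entry = lambda serial: tlv(0x30, tlv(0x02, serial) + tlv(0x17, b"121020000000Z"))
    tbs = tlv(0x30, tlv(0x02, b"\x01") + alg + issuer + tlv(0x17, b"121027121345Z")
              + tlv(0x17, b"121127121345Z") + tlv(0x30, entry(b"\x10\x01") + entry(b"\x10\x02")))
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00" * 9))                  # placeholder, not a real signature

if __name__ == "__main__":
    print(sorted(hex(s) for s in revoked_serials(sample_crl())))         # ['0x1001', '0x1002']
```

Checking an incoming certificate's serial against the returned set is the lookup Noopur describes; the signature check and the issuer match that Ivan insists on are what this walker deliberately leaves to the caller.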
  • SystemAdmin

    Re: Is it possible to parse a CRL (certificate revocation list) file in DataPower?

    2012-10-31T07:49:12Z
    Hi Ivan,

    You are absolutely correct.

    Let me explain my end-to-end use case.

    There is an existing ESB application (Java based). This app receives a signed (custom signature) request and ONLY validates the certificate status, then forwards the message to the downstream application. The back-end apps take care of data processing and signature verification.
    There is a performance bottleneck in the current ESB implementation. It's taking a pretty long time during peak hours, so we were looking for alternatives here.

    As DataPower processing is wire speed, we are exploring whether we can achieve this in DataPower to overcome the performance bottleneck in the ESB app.