OxalisCommunity / Oxalis-AS4

PEPPOL AS4 pMode plugin for Oxalis

Revoked certificate not validated for inbound documents #215

Closed MLieftink closed 5 months ago

MLieftink commented 1 year ago

Hello everyone. Recently we've done some tests with sending and receiving documents to and from another access point with a revoked certificate. When sending we got the expected error message and were not able to do so. But when receiving a document we did not see any error messages and the document was successfully received.

We're running Oxalis-as4 5.5.0 with the following configuration for both the inbound and the outbound component

oxalis.pki.version=V3
oxalis.sml.hostname=acc.edelivery.tech.ec.europa.eu
oxalis.path.plugin = plugin
oxalis.path.inbound = "/storage/input"
oxalis.operation.mode = TEST
oxalis.transformer.detector = legacy

Looking through the code we've found the CertificateValidator that's set by the security.validator.class setting, but this is only used by the as2-inbound component and the outbound component as far as we can tell. So it seems unlikely to us that this setting is the issue because for the outbound component the validation was done correctly.

Are we misunderstanding how the certificates are validated or are we missing some other configuration that the inbound component needs to validate the certificate?

dladlk commented 1 year ago

As far as I see it, the revocation certificate check is done via peppol-security validator policies:

https://github.com/OxalisCommunity/vefa-peppol/blob/master/peppol-security/src/main/resources/pki/peppol-test.xml#L31-L40

and referenced in https://github.com/OxalisCommunity/vefa-peppol/blob/cbb693dbe182dfd3103c8dad58c3e4983d51efed/peppol-security/src/main/resources/reference.conf#L14

But your configuration sets the operation mode directly via oxalis.operation.mode (usually it is detected based on the configured certificate), maybe that is the reason...

MLieftink commented 1 year ago

We've tried removing the oxalis.operation.mode from the configuration and we can't see any difference in the logging. We can try to receive a new message from the access point with the revoked certificate to see if anything has changed. This will probably take at least a few days as we don't have direct access to the access point with the revoked certificate.

We did find that this property was removed in the upgrade to 4.0, so it seems unlikely that this setting still does anything https://github.com/OxalisCommunity/oxalis/blob/cd5c7e86ccbe1f03c7b63f6da1ef37a187392eae/doc/configuration.adoc#upgrading-to-40

Startup logging before changing the configuration:

2023-08-09 09:59:47,487 INFO [network.oxalis.commons.security.CertificateModule] [] Certificate issuer: CN=PEPPOL ACCESS POINT TEST CA - G2, OU=FOR TEST ONLY, O=OpenPEPPOL AISBL, C=BE
2023-08-09 09:59:49,062 INFO [network.oxalis.vefa.peppol.security.ModeDetector] [] Detected mode: TEST
2023-08-09 09:59:50,005 INFO [network.oxalis.commons.filesystem.FileSystemModule] [] Inbound folder: /storage/input

Startup logging after changing the configuration:

2023-08-28 11:22:48,638 INFO [network.oxalis.commons.security.CertificateModule] [] Certificate issuer: CN=PEPPOL ACCESS POINT TEST CA - G2, OU=FOR TEST ONLY, O=OpenPEPPOL AISBL, C=BE
2023-08-28 11:22:49,468 INFO [network.oxalis.vefa.peppol.security.ModeDetector] [] Detected mode: TEST
2023-08-28 11:22:49,776 INFO [network.oxalis.commons.filesystem.FileSystemModule] [] Inbound folder: /storage/input

dladlk commented 1 year ago

Strange - but I also cannot find any sign of CRL/OCSP validation for AS4 inbound messaging... In AS2 it is invoked directly in SignedMessage.validate, but I cannot find which interceptor checks that the sender's certificate is not revoked. @aaron-kumar can you look into this?
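As an added illustration of the check being discussed (this is not code from Oxalis or vefa-peppol, and the file names, class name and trust-anchor handling are assumptions), here is what a plain-JDK PKIX validation of a sender certificate chain looks like with CRL/OCSP revocation checking switched on. The point of contrast with the inbound path described above is the `PKIXRevocationChecker`: without `setRevocationEnabled(true)` or an explicit revocation checker, a chain built from a revoked certificate validates cleanly.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.GeneralSecurityException;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.EnumSet;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

// Added example, not Oxalis or vefa-peppol code. Plain-JDK PKIX path validation of a
// sender certificate chain with CRL/OCSP revocation checking switched on: the check an
// inbound handler needs before it trusts the signature on a received message.
public class InboundRevocationCheck {

    // Outcome of one validation: ok, or a human-readable reason for rejection.
    public static final class Result {
        public final boolean valid;
        public final String reason;

        Result(boolean valid, String reason) {
            this.valid = valid;
            this.reason = reason;
        }
    }

    // chain: leaf first, then intermediates; the trust anchor itself is not part of it.
    // hardFail=true: an unreachable CRL/OCSP source is an error. hardFail=false: SOFT_FAIL,
    // i.e. an undetermined status is tolerated (a certificate known to be revoked is still rejected).
    public static Result validate(List<X509Certificate> chain, Set<TrustAnchor> anchors, boolean hardFail)
            throws GeneralSecurityException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        CertPath path = cf.generateCertPath(chain);

        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        PKIXRevocationChecker revocation = (PKIXRevocationChecker) validator.getRevocationChecker();
        // JDK default order: OCSP via the AIA extension first, then CRLs from the CRL DP extension.
        EnumSet<PKIXRevocationChecker.Option> options = EnumSet.noneOf(PKIXRevocationChecker.Option.class);
        if (!hardFail) {
            options.add(PKIXRevocationChecker.Option.SOFT_FAIL);
        }
        revocation.setOptions(options);

        PKIXParameters params = new PKIXParameters(anchors);
        params.setRevocationEnabled(true);     // without this (or an added checker) status is never looked up
        params.addCertPathChecker(revocation); // the configured checker is used instead of the default one

        try {
            validator.validate(path, params);
            return new Result(true, null);
        } catch (CertPathValidatorException e) {
            // getReason() distinguishes REVOKED from UNDETERMINED_REVOCATION_STATUS, EXPIRED, etc.
            return new Result(false, e.getReason() + ": " + e.getMessage());
        }
    }

    // Reads one or more PEM-encoded certificates from a file.
    static List<X509Certificate> readPem(Path file) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> certs = new ArrayList<>();
        try (InputStream in = Files.newInputStream(file)) {
            for (Certificate c : cf.generateCertificates(in)) {
                certs.add((X509Certificate) c);
            }
        }
        return certs;
    }

    // Usage (file names are assumptions): java InboundRevocationCheck sender-chain.pem peppol-test-ca.pem
    public static void main(String[] args) throws Exception {
        List<X509Certificate> chain = readPem(Path.of(args[0]));
        Set<TrustAnchor> anchors = new HashSet<>();
        for (X509Certificate ca : readPem(Path.of(args[1]))) {
            anchors.add(new TrustAnchor(ca, null));
        }
        Result r = validate(chain, anchors, true);
        System.out.println(r.valid ? "ACCEPT: chain valid and not revoked" : "REJECT: " + r.reason);
        System.exit(r.valid ? 0 : 1);
    }
}
```

The trust anchors have to be the CA certificates for the operation mode actually in use (the TEST CA in the logs above), which is exactly what the peppol-security policy files linked earlier select. Hard-fail mode is the safer default for a receiver, but it means a CRL or OCSP outage on the CA side also blocks inbound traffic, so operators usually pair it with a cached CRL rather than relaxing to SOFT_FAIL.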

sdeheer commented 9 months ago

Is there any progress on this issue to report?

tjeb commented 8 months ago

IMO this issue warrants an immediate hotfix for all active release branches. Certificates are revoked for a reason, and not verifying revocation status is a security issue, not something to leave as a known 'bug' for 3 months, let alone putting it on the roadmap for some future release in a major version.

aaron-kumar commented 5 months ago

Fixed as part of https://github.com/OxalisCommunity/Oxalis-AS4/releases/tag/v6.5.0