Open philsmart opened 3 months ago
Ah, we can not catch it, because the MetadataService will not build if revocation fails. So an option to disable it would be neat.
Hi! This is a good question. It does make sense to have some way to not require enableCRLDP=true
, but the FIDO MDS spec clearly states that CRLs MUST be used:
- To validate the digital certificates used in the digital signature, the certificate revocation information MUST be available in the form of CRLs at the respective MDS CRL location e.g. More information can be found at https://fidoalliance.org/metadata/
I also think it's rarely a good idea to solve these kinds of issues by disabling security checks. I think there's a likely better solution, I'll get back to that.
Let's start with a possible workaround you could try right away. As you noted, you can supply additional CRLs to the builder, so it is possible to pre-download the CRLs and inject those manually. This way the com.sun.security.enableCRLDP=true
setting is not needed; I've verified experimentally that this works. The two certificates in the BLOB's current cert path have the CRL distribution points http://crl.globalsign.com/root-r3.crl
and http://crl.globalsign.com/gs/gsextendvalsha2g3r3.crl
, so you can pre-download those before calling the builder - no guarantee that these URLs won't change in the future, though. Testing that in the integration tests looks like this:
Now back to the topic of a more permanent solution: maybe FidoMetadataDownloader
should just adopt this workaround as an integrated feature (then we would of course read the CRLDP URLs from the certificates instead of hard-coding them). That way users shouldn't need to set com.sun.security.enableCRLDP=true
globally, but can still have the revocation checks. It's nice that this also removes the pitfall of missing the enableCRLDP
step in the usage guide.
Does that seem like a reasonable solution, and would the above workaround work for you in the meantime?
Many thanks for this super detailed response (and for pointing out the spec) . You're right, disabling a security check was a bit of a dumb request, although the whole process of revocation checking seems hard and no method ideal.
The question should have been more like your solution: can we isolate this to the downloader. In which case your solution sounds great to me.
For now I will follow your workaround and wire up the required CRLs for our users to test with.
Thank you.
Currently, the metadata blob verification process creates a cert path validator with the default 'true' setting for the
PKIXParameters#revocationEnabled
parameter (inFidoMetadataDownloader#verifyBlob
) enabling theRevocationChecker
. This will fail unless the JVM argument-Dcom.sun.security.enableCRLDP=true
is set. However, setting this enables CRL checking for the entire service running on the JVM, which is undesirable in some cases. Would it be possible to add an option to the FidoMetadataDownloader builder to disable revocation checking?We could catch and ignore the
UNDETERMINED_REVOCATION_STATUS
from the thrownCertPathValidatorException
when we load the cached blob, but it seems more sensible to have the option to disable it when verifying the blob. I assume if the CRL DP is disabled, a supplied CRL list would still be used.