CryptoAPI pre-fetching crl details


My question is that I can't see crl pre-fetching working the way it is described as working. It could also be that I am misunderstanding the description, or that I have something wrong in my set-up.

If I force a crl retrieval via certutil -verify (I have also tried CertGetCertificateChain), I can see new cache files generated at the location specified for the disk cache on Windows 7: c:\users\<username>\AppData\LocalLow\Microsoft\CryptnetUrlCache. I can see the required crl in there, which has a 4 hour lifetime and a nextPublish about 1 hour before certificate expiry. So far, so good.

The thing is, I never see an attempt to retrieve that crl again if I take no more action and just watch the cache. From reading the documentation, my understanding is that pre-fetch should retrieve the crl before it is needed. Then, if the crl isn't used after the initial pre-fetch cycle, it won't be pre-fetched again. Also, from what I could make out, I thought some sort of background retrieval mechanism periodically iterates over all items in the Cryptnet cache to see if pre-fetching needs to be performed. BTW, I'm not clear what would actually do this retrieval; the docs for the CRYPTNET_URL_CACHE_PRE_FETCH_INFO structure hint that it might be "the Cryptnet URL Cache (CUC) service", whatever that is (or was). I can't find any info on it or on how often this might happen.

I have to specifically attempt another CertGetCertificateChain/certutil -verify type call before I can see a crl retrieval attempted (HTTP request and local cache update). With CertGetCertificateChain, I get a dwErrorStatus of 0 and a dwInfoStatus of 0x00000100/CERT_TRUST_HAS_PREFERRED_ISSUER, so I don't see any problems with my verification. My crl has no AIA, only a CDP listing an HTTP location (no delta crls).

As mentioned, on the first retrieval I see the cache files and the HTTP request, but I never see updates in the local store or attempts over the network after that initial retrieval. I was expecting an automagic background HTTP request with a conditional GET to occur sometime after the nextPublish time. Am I misunderstanding the concept of pre-fetch?

Lastly, I did post this originally under Win 7 security, but it was suggested that I post here. Essentially, I'd first like to focus on the certutil.exe usage as it is the simplest case: why don't I see prefetch happen after using just certutil.exe -verify?

Thanks!
Jeff

Moved by Marvin_Guo Wednesday, September 17, 2014 5:21 AM (Security)
Tuesday, September 16, 2014 11:47 AM
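An added diagnostic, not from the original post or from Microsoft: a PowerShell script that periodically snapshots the CryptnetUrlCache folder named in the post and reports any cache file that appears or is rewritten, so a background pre-fetch after nextPublish (or its absence) can be seen with timestamps rather than by eyeballing the folder. The function names, the polling interval and the certificate path are assumptions.

```powershell
# Added example (not from the original post): snapshot the CryptnetUrlCache folder
# named in the post and report entries that appear or change while polling, so a
# background CRL pre-fetch, or its absence, shows up with timestamps. Names, interval
# and certificate path are assumptions; PowerShell 2.0 syntax for Windows 7.
$CryptnetCacheRoot = Join-Path $env:USERPROFILE 'AppData\LocalLow\Microsoft\CryptnetUrlCache'

function Get-CryptnetCacheSnapshot {
    $snapshot = @{}
    Get-ChildItem -Path $CryptnetCacheRoot -Recurse -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            $rel = $_.FullName.Substring($CryptnetCacheRoot.Length).TrimStart('\')
            $snapshot[$rel] = New-Object PSObject -Property @{
                Length = $_.Length; Written = $_.LastWriteTimeUtc }
        }
    return $snapshot
}

function Compare-CryptnetCacheSnapshot {
    # Returns Added/Updated records; a pre-fetch would rewrite both cache files for the URL.
    param([hashtable]$Before, [hashtable]$After)
    $changes = @()
    foreach ($key in $After.Keys) {
        if (-not $Before.ContainsKey($key)) { $kind = 'Added' }
        elseif ($Before[$key].Written -ne $After[$key].Written -or
                $Before[$key].Length -ne $After[$key].Length) { $kind = 'Updated' }
        else { continue }
        $changes += New-Object PSObject -Property @{
            Path = $key; Change = $kind; Written = $After[$key].Written }
    }
    return $changes
}

function Watch-CryptnetUrlCache {
    param([int]$IntervalSeconds = 300, [int]$Hours = 6)
    $deadline = (Get-Date).AddHours($Hours)
    $before = Get-CryptnetCacheSnapshot
    Write-Host ('{0:u} baseline: {1} cache files' -f (Get-Date).ToUniversalTime(), $before.Count)
    while ((Get-Date) -lt $deadline) {
        Start-Sleep -Seconds $IntervalSeconds
        $after = Get-CryptnetCacheSnapshot
        Compare-CryptnetCacheSnapshot -Before $before -After $after | ForEach-Object {
            Write-Host ('{0:u} {1,-7} {2} (LastWrite {3:u})' -f (Get-Date).ToUniversalTime(), $_.Change, $_.Path, $_.Written)
        }
        $before = $after
    }
}

# Force one retrieval first, as in the post, then watch past the CRL's nextPublish time:
#   certutil -verify .\leaf.cer    # .\leaf.cer is a placeholder
#   Watch-CryptnetUrlCache -IntervalSeconds 300 -Hours 6
```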