Offline revocation mode

My question is similar to this question.

I am trying to check revocation list only using the local CRL.

I am using X509Chain.Build() with the following parameters:

    var chainMachine = new X509Chain(true);
    chainMachine.ChainPolicy.RevocationFlag = X509RevocationFlag.EntireChain;
    chainMachine.ChainPolicy.UrlRetrievalTimeout = TimeSpan.FromSeconds(30);
    chainMachine.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;
    chainMachine.ChainPolicy.VerificationTime = DateTime.Now;
    chainMachine.ChainPolicy.RevocationMode = X509RevocationMode.Offline;

But I get the following errors:

  1. RevocationStatusUnknown => The revocation function is unable to check revocation for the certificate.
  2. OfflineRevocation => The Revocation function was unable to check revocation for the certificate because the revocation server is offline.

The weird thing is that once I try to check the revocation list online (as a result the CRL will be updated), the issue is resolved. So it looks like once there is anything in the cache the issue cannot be reproduced anymore.

I thought that maybe the error message is incorrect and what actually happens is that when the cache is empty there is some exception that causes this message to pop up. Another option is that maybe there is some flag saying whether the cache has been updated at some time, and if it has never been updated it tries to get the info from an outside server.

Can anyone point out what is the reason for this issue?

user844541 asked Jun 09 '13 11:06


1 Answer

X509RevocationMode.None: Do not check CRLs or OCSP.

X509RevocationMode.Offline: If a CRL is cached and still valid, use it for revocation. Otherwise, if the certificate should have had revocation checked (depending on EntireChain/ExcludeRoot/EndCertificateOnly), report OfflineVerification|RevocationStatusUnknown. (OCSP responses may also be cached if their nextUpdate value suggests to; but I'm not sure if it does or not).

X509RevocationMode.Online: If an OCSP endpoint is described in the certificate perform an OCSP check. If OCSP does not yield a conclusive answer and a CRL Distribution Point is defined, check the cache for the CRL. If it is valid, use it as the basis of revocation; otherwise download the CRL and cache it. If all attempts to find a revocation status fail, set RevocationStatusUnknown.

Offline mode is tricky, due to CRL expiration. Even if you just did an Online request an hour ago, it doesn't mean that Offline will work now. The best use I can think of for it is making the happy path fast; and if you get any errors other than RevocationStatusUnknown or OfflineRevocation then consider the chain failed... but either of those means ask again with Online mode.

(As can be determined via http://referencesource.microsoft.com, Offline corresponds to CERT_CHAIN_REVOCATION_CHECK_CACHE_ONLY, which is about as sparsely documented at https://msdn.microsoft.com/en-us/library/windows/desktop/aa376078(v=vs.85).aspx, but perhaps the "Check Cache Only" part is more enlightening)

bartonjs answered Sep 20 '22 18:09
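The "fast path first, then fall back to Online" strategy the answer describes, written out as an added example (this is not code from the question or the answer, and `RevocationCheck`, `CheckWithFallback`, `BuildChain` and `Classify` are names chosen here, not .NET APIs). It reuses the question's chain policy, builds once in Offline mode, and only retries in Online mode when the sole complaints are the two cache-miss flags; any other status is treated as a genuine chain failure rather than masked by a network lookup. It assumes .NET Framework 4.6+ or .NET Core, where `X509Chain` is disposable.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography.X509Certificates;

// Added example: Offline-first revocation check with an Online retry on cache miss.
public static class RevocationCheck
{
    public enum Outcome { Valid, Revoked, Unknown, OtherFailure }

    // The two flags the answer says mean "ask again with Online mode".
    private const X509ChainStatusFlags CacheMissFlags =
        X509ChainStatusFlags.RevocationStatusUnknown | X509ChainStatusFlags.OfflineRevocation;

    public static Outcome CheckWithFallback(X509Certificate2 cert, bool useMachineContext)
    {
        var (offlineOk, offlineStatus) = BuildChain(cert, X509RevocationMode.Offline, useMachineContext);
        if (offlineOk) return Outcome.Valid;          // cached CRL/OCSP was present and valid: happy path

        // If any element reports something other than a cache miss (expired, untrusted root,
        // Revoked, ...), going online would not change the verdict; report it as-is.
        bool onlyCacheMiss = offlineStatus.All(
            s => (s.Status & ~CacheMissFlags) == X509ChainStatusFlags.NoError);
        if (!onlyCacheMiss) return Classify(offlineStatus);

        // Cache was empty or stale: allow the CRL download / OCSP query, which also refills the cache.
        var (onlineOk, onlineStatus) = BuildChain(cert, X509RevocationMode.Online, useMachineContext);
        return onlineOk ? Outcome.Valid : Classify(onlineStatus);
    }

    // Same policy as in the question; only RevocationMode varies between the two attempts.
    private static (bool ok, X509ChainStatus[] status) BuildChain(
        X509Certificate2 cert, X509RevocationMode mode, bool useMachineContext)
    {
        using (var chain = new X509Chain(useMachineContext))
        {
            chain.ChainPolicy.RevocationMode = mode;
            chain.ChainPolicy.RevocationFlag = X509RevocationFlag.EntireChain;
            chain.ChainPolicy.UrlRetrievalTimeout = TimeSpan.FromSeconds(30);
            chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;
            chain.ChainPolicy.VerificationTime = DateTime.Now;

            bool ok = chain.Build(cert);
            return (ok, chain.ChainStatus);   // ChainStatus is a snapshot array, safe to return after Dispose
        }
    }

    private static Outcome Classify(X509ChainStatus[] status)
    {
        if (status.Any(s => (s.Status & X509ChainStatusFlags.Revoked) != 0))
            return Outcome.Revoked;

        // Still unknown even after the Online attempt (server unreachable, no CDP/OCSP): the
        // caller decides whether to fail closed; this helper never reports it as Valid.
        if (status.All(s => (s.Status & ~CacheMissFlags) == X509ChainStatusFlags.NoError))
            return Outcome.Unknown;

        return Outcome.OtherFailure;
    }
}
```

Usage: `RevocationCheck.CheckWithFallback(cert, useMachineContext: true)` against a certificate whose CRL has never been fetched yields the Offline attempt failing with exactly the two flags from the question, followed by the Online attempt; a second call shortly afterwards normally succeeds on the first attempt because the CRL is now cached, which is the behaviour the question observed. Because a cached CRL expires on its own schedule, `Outcome.Unknown` can reappear at any time and should be handled as a failure by a relying party, not as a transient condition to ignore.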