You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Hi! This is a good question. It does make sense to have some way to not require enableCRLDP=true, but the [FIDO MDS spec](https://fidoalliance.org/specs/mds/fido-metadata-service-v3.0-ps-20210518.html#metadata-blob-object-processing-rules) clearly states that CRLs MUST be used:
#617
Closed
Sltaaa3bergar opened this issue
May 29, 2024
· 0 comments
Hi! This is a good question. It does make sense to have some way to not require `enableCRLDP=true`, but the [FIDO MDS spec](https://fidoalliance.org/specs/mds/fido-metadata-service-v3.0-ps-20210518.html#metadata-blob-object-processing-rules) clearly states that CRLs MUST be used:
To validate the digital certificates used in the digital signature, the certificate revocation information MUST be available in the form of CRLs at the respective MDS CRL location e.g. More information can be found at https://fidoalliance.org/metadata/
I also think it's rarely a good idea to solve these kinds of issues by disabling security checks. I think there's a likely better solution, I'll get back to that.
Let's start with a possible workaround you could try right away. As you noted, you can supply additional CRLs to the builder, so it is possible to pre-download the CRLs and inject those manually. This way the com.sun.security.enableCRLDP=true setting is not needed; I've verified experimentally that this works. The two certificates in the BLOB's current cert path have the CRL distribution points http:https://crl.globalsign.com/root-r3.crl and http:https://crl.globalsign.com/gs/gsextendvalsha2g3r3.crl, so you can pre-download those before calling the builder - no guarantee that these URLs won't change in the future, though. Testing that in the integration tests looks like this:
Details
With these changes you should see FidoMetadataDownloaderIntegrationTest fail, because it still relies on enableCRLDP=true, while FidoMetadataServiceIntegrationTest succeeds because it pre-downloads the CRLs instead:
Now back to the topic of a more permanent solution: maybe FidoMetadataDownloader should just adopt this workaround as an integrated feature (then we would of course read the CRLDP URLs from the certificates instead of hard-coding them). That way users shouldn't need to set com.sun.security.enableCRLDP=true globally, but can still have the revocation checks. It's nice that this also removes the pitfall of missing the enableCRLDP step in the usage guide.
Does that seem like a reasonable solution, and would the above workaround work for you in the meantime?
I also think it's rarely a good idea to solve these kinds of issues by disabling security checks. I think there's a likely better solution, I'll get back to that.
Let's start with a possible workaround you could try right away. As you noted, you can supply additional CRLs to the builder, so it is possible to pre-download the CRLs and inject those manually. This way the
com.sun.security.enableCRLDP=true
setting is not needed; I've verified experimentally that this works. The two certificates in the BLOB's current cert path have the CRL distribution pointshttp:https://crl.globalsign.com/root-r3.crl
andhttp:https://crl.globalsign.com/gs/gsextendvalsha2g3r3.crl
, so you can pre-download those before calling the builder - no guarantee that these URLs won't change in the future, though. Testing that in the integration tests looks like this:Details
With these changes you should see
FidoMetadataDownloaderIntegrationTest
fail, because it still relies onenableCRLDP=true
, whileFidoMetadataServiceIntegrationTest
succeeds because it pre-downloads the CRLs instead:Now back to the topic of a more permanent solution: maybe
FidoMetadataDownloader
should just adopt this workaround as an integrated feature (then we would of course read the CRLDP URLs from the certificates instead of hard-coding them). That way users shouldn't need to setcom.sun.security.enableCRLDP=true
globally, but can still have the revocation checks. It's nice that this also removes the pitfall of missing theenableCRLDP
step in the usage guide.Does that seem like a reasonable solution, and would the above workaround work for you in the meantime?
Originally posted by @emlun in Yubico/java-webauthn-server#355 (comment)
The text was updated successfully, but these errors were encountered: