Check X509 certificate revocation status in Spring-Security before authenticating

Question

Is it possible to check the revocation status of a x509 client certificate through the CRL in spring-security before authenticating it? I've checked documentations (http://static.springsource.org/spring-security/site/docs/3.0.x/reference/x509.html) but it doesn't mention anything about CRL.

Implementing UserService only gives you the username and not the X509Certificate. Any help would be appreciated!

Thanks!

Answer 1

I'm not sure about the specifics of Spring-Security, but if it's based on the trustmanagers of the JRE (if if it's the Oracle/Sun JRE), you can activate CRL checks by setting these system properties to true: com.sun.net.ssl.checkRevocation and com.sun.security.enableCRLDP, and setting Security.setProperty("ocsp.enable", "true") (thanks to @WillSargent for pointing out it's a Security property, not a system one).

More details here:

• http://docs.oracle.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html#CERTPATH
• http://docs.oracle.com/javase/6/docs/technotes/guides/security/certpath/CertPathProgGuide.html#AppC
• http://blogs.oracle.com/xuelei/entry/enable_ocsp_checking

Answer 2

The SSL handshake is performed by the servlet container, rather than Spring Security, so any CRL checking should probably occur at that point. Spring Security treats it as a "pre-authentication" scenario.

Spring Security just reads the (already SSL-authenticated) certificate and allows you to link it to a local user account.