
In the CAPI2 log, I'm seeing some CertVerifyRevocation events that have the location TvoCache and some that have the location UrlCache for the validation of the same certificate:

<Event>
  <UserData>
    <CertVerifyRevocation>
      <Certificate fileRef="AC815F8FCDE5524771442A0F619A04DA00C8728D.cer" subjectName="Kaiblinger Harald" />
      <IssuerCertificate fileRef="410DE74321872F90A43E4969C3224A987EDED648.cer" subjectName="Siemens Issuing CA EE Enc 2016" />
      <Flags value="4" CERT_VERIFY_REV_ACCUMULATIVE_TIMEOUT_FLAG="true" />
      <AdditionalParameters timeToUse="2020-05-05T13:42:48.510Z" currentTime="2020-05-05T13:42:48.510Z" urlRetrievalTimeout="PT19.570S" />
      <RevocationStatus index="0" error="0" reason="0" actualFreshnessTime="P2DT3H33M56S" thirdPartyProviderUsed="C:\Windows\SysWOW64\cryptnet.dll" />
      <CertificateRevocationList location="TvoCache" url="http://ch.siemens.com/pki?ZZZZZZA3.crl" fileRef="A045197D2F9D422F5C163D1F420798D1DD4927C8.crl" issuerName="Siemens Issuing CA EE Enc 2016" />
      <EventAuxInfo ProcessName="OUTLOOK.EXE" />
      <CorrelationAuxInfo TaskId="{A7973502-62E3-4973-8DEE-519E95942DAD}" SeqNumber="16" />
      <Result value="0" />
    </CertVerifyRevocation>
  </UserData>
</Event>

and

<Event>
  <UserData>
    <CertVerifyRevocation>
      <Certificate fileRef="AC815F8FCDE5524771442A0F619A04DA00C8728D.cer" subjectName="Kaiblinger Harald" />
      <IssuerCertificate fileRef="0A9B014FA2E69AB97F6B54B8C07C07B66FA2AA64.cer" subjectName="Siemens Issuing CA EE Enc 2016" />
      <Flags value="4" CERT_VERIFY_REV_ACCUMULATIVE_TIMEOUT_FLAG="true" />
      <AdditionalParameters timeToUse="2020-05-05T13:42:48.510Z" currentTime="2020-05-05T13:42:48.510Z" urlRetrievalTimeout="PT20S" />
      <RevocationStatus index="0" error="0" reason="0" actualFreshnessTime="P2DT3H33M56S" thirdPartyProviderUsed="C:\Windows\SysWOW64\cryptnet.dll" />
      <CertificateRevocationList location="UrlCache" url="http://ch.siemens.com/pki?ZZZZZZA3.crl" fileRef="A045197D2F9D422F5C163D1F420798D1DD4927C8.crl" issuerName="Siemens Issuing CA EE Enc 2016" />
      <EventAuxInfo ProcessName="OUTLOOK.EXE" />
      <CorrelationAuxInfo TaskId="{A7973502-62E3-4973-8DEE-519E95942DAD}" SeqNumber="8" />
      <Result value="0" />
    </CertVerifyRevocation>
  </UserData>
</Event>

I can't find any documentation about the difference. Can someone explain the difference?
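To compare such events side by side, here is an added Python example (not code from the question or the answer) that parses CAPI2 CertVerifyRevocation events like the two above and lists, per TaskId and certificate, which cache served the CRL in SeqNumber order. The embedded events are a constructed sample modelled on the ones in the question, with placeholder fileRef and TaskId values, wrapped in an assumed <Events> root element.

```python
# Added example (not from the question or answer): parse CAPI2
# CertVerifyRevocation events and list, per certificate, which cache
# served the CRL in SeqNumber order.
import xml.etree.ElementTree as ET
from collections import defaultdict
# Constructed sample modelled on the two events in the question; the
# fileRef and TaskId values are placeholders, not real thumbprints.
SAMPLE_EVENTS = """<Events>
<Event><UserData><CertVerifyRevocation>
 <Certificate fileRef="CERT_A.cer" subjectName="Kaiblinger Harald"/>
 <IssuerCertificate fileRef="ISSUER_1.cer" subjectName="Siemens Issuing CA EE Enc 2016"/>
 <RevocationStatus index="0" error="0" reason="0"/>
 <CertificateRevocationList location="UrlCache" url="http://ch.siemens.com/pki?ZZZZZZA3.crl" fileRef="CRL_X.crl"/>
 <CorrelationAuxInfo TaskId="{TASK-1}" SeqNumber="8"/>
</CertVerifyRevocation></UserData></Event>
<Event><UserData><CertVerifyRevocation>
 <Certificate fileRef="CERT_A.cer" subjectName="Kaiblinger Harald"/>
 <IssuerCertificate fileRef="ISSUER_2.cer" subjectName="Siemens Issuing CA EE Enc 2016"/>
 <RevocationStatus index="0" error="0" reason="0"/>
 <CertificateRevocationList location="TvoCache" url="http://ch.siemens.com/pki?ZZZZZZA3.crl" fileRef="CRL_X.crl"/>
 <CorrelationAuxInfo TaskId="{TASK-1}" SeqNumber="16"/>
</CertVerifyRevocation></UserData></Event>
</Events>"""

def _attr(ev, tag, name):
    # Read one attribute of a child element, tolerating a missing child.
    node = ev.find(tag)
    return node.get(name) if node is not None else None

def parse_revocation_events(xml_text):
    """One dict per CertVerifyRevocation element, sorted by SeqNumber."""
    rows = []
    for ev in ET.fromstring(xml_text).iter("CertVerifyRevocation"):
        rows.append({
            "seq": int(_attr(ev, "CorrelationAuxInfo", "SeqNumber") or 0),
            "task": _attr(ev, "CorrelationAuxInfo", "TaskId"),
            "cert": _attr(ev, "Certificate", "fileRef"),
            "issuer": _attr(ev, "IssuerCertificate", "fileRef"),
            "location": _attr(ev, "CertificateRevocationList", "location"),
            "crl": _attr(ev, "CertificateRevocationList", "fileRef"),
            "error": _attr(ev, "RevocationStatus", "error"),
        })
    return sorted(rows, key=lambda r: r["seq"])

def crl_sources_per_cert(rows):
    """Map (TaskId, certificate fileRef) -> (seq, location, issuer) in order."""
    out = defaultdict(list)
    for r in rows:
        out[(r["task"], r["cert"])].append((r["seq"], r["location"], r["issuer"]))
    return dict(out)
```

On a real CAPI2 export the same functions apply once the events are wrapped in a single root element; the per-certificate list also makes visible that the two lookups used different issuer certificate files with the same subject name.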

1 Answer

Tvo here stands for Time Valid Object; we can find references to TVO in this documentation: CryptGetTimeValidObject (Wincrypt.h / Cryptnet.dll)

The CryptGetTimeValidObject function retrieves a CRL, an OCSP response, or CTL object that is valid within a given context and time.

The Cryptnet dynamic link library implements a time valid object (TVO) cache that is used to support the CryptGetTimeValidObject function. The cache is used by a process-global TVO agent [...]

The TVO agent supports retrieval of TVO objects on-demand or by auto-update.

While this is not documentation about the events you mention, I think it's safe to assume that it simply means the CRL was found in the TVO Cache.

Swisstone
Thank you for answering. I have found this link too. What it doesn't explain is what the difference between this TVO cache and the URL cache is. Do they have different priorities to be read? And is there somewhere more information about this "TVO Agent"? Can I manually trigger it to load the CRL? – Rufus Buschart May 05 '20 at 15:02