What is the difference between the TVOCache and the URLCache in Microsoft CAPI2?



In the CAPI2 log, I’m seeing some CertVerifyRevocation events that have the location TvoCache and some that have the location UrlCache for the validation of the same certificate:

<Event>
  <UserData>
    <CertVerifyRevocation>
      <Certificate fileRef="AC815F8FCDE5524771442A0F619A04DA00C8728D.cer" subjectName="Kaiblinger Harald" />
      <IssuerCertificate fileRef="410DE74321872F90A43E4969C3224A987EDED648.cer" subjectName="Siemens Issuing CA EE Enc 2016" />
      <Flags value="4" CERT_VERIFY_REV_ACCUMULATIVE_TIMEOUT_FLAG="true" />
      <AdditionalParameters timeToUse="2020-05-05T13:42:48.510Z" currentTime="2020-05-05T13:42:48.510Z" urlRetrievalTimeout="PT19.570S" />
      <RevocationStatus index="0" error="0" reason="0" actualFreshnessTime="P2DT3H33M56S" thirdPartyProviderUsed="C:\Windows\SysWOW64\cryptnet.dll" />
      <CertificateRevocationList location="TvoCache" url="http://ch.siemens.com/pki?ZZZZZZA3.crl" fileRef="A045197D2F9D422F5C163D1F420798D1DD4927C8.crl" issuerName="Siemens Issuing CA EE Enc 2016" />
      <EventAuxInfo ProcessName="OUTLOOK.EXE" />
      <CorrelationAuxInfo TaskId="{A7973502-62E3-4973-8DEE-519E95942DAD}" SeqNumber="16" />
      <Result value="0" />
    </CertVerifyRevocation>
  </UserData>
</Event>

and

<Event>
  <UserData>
    <CertVerifyRevocation>
      <Certificate fileRef="AC815F8FCDE5524771442A0F619A04DA00C8728D.cer" subjectName="Kaiblinger Harald" />
      <IssuerCertificate fileRef="0A9B014FA2E69AB97F6B54B8C07C07B66FA2AA64.cer" subjectName="Siemens Issuing CA EE Enc 2016" />
      <Flags value="4" CERT_VERIFY_REV_ACCUMULATIVE_TIMEOUT_FLAG="true" />
      <AdditionalParameters timeToUse="2020-05-05T13:42:48.510Z" currentTime="2020-05-05T13:42:48.510Z" urlRetrievalTimeout="PT20S" />
      <RevocationStatus index="0" error="0" reason="0" actualFreshnessTime="P2DT3H33M56S" thirdPartyProviderUsed="C:\Windows\SysWOW64\cryptnet.dll" />
      <CertificateRevocationList location="UrlCache" url="http://ch.siemens.com/pki?ZZZZZZA3.crl" fileRef="A045197D2F9D422F5C163D1F420798D1DD4927C8.crl" issuerName="Siemens Issuing CA EE Enc 2016" />
      <EventAuxInfo ProcessName="OUTLOOK.EXE" />
      <CorrelationAuxInfo TaskId="{A7973502-62E3-4973-8DEE-519E95942DAD}" SeqNumber="8" />
      <Result value="0" />
    </CertVerifyRevocation>
  </UserData>
</Event>

I can’t find any documentation about the difference. Can someone explain the difference?

Tvo here stands for Time Valid Object; we can find references to TVO in this documentation: CryptGetTimeValidObject (Wincrypt.h / Cryptnet.dll)

The CryptGetTimeValidObject function retrieves a CRL, an OCSP
response, or CTL object that is valid within a given context and time.

The Cryptnet dynamic link library implements a time valid object (TVO)
cache that is used to support the CryptGetTimeValidObject function.
The cache is used by a process-global TVO agent […]

The TVO agent supports retrieval of TVO objects on-demand or by auto-update.

While it’s not documentation about the events you mention, I think it’s safe to assume that it simply means the CRL was found in the TVO cache.
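Since the question and answer hinge on reading the `location` attribute of `CertificateRevocationList` across many CertVerifyRevocation events, here is an added example (not part of the question or answer, and not Microsoft code) that parses exported CAPI2 event XML, tallies where each CRL came from, and lists checks whose `RevocationStatus` error or `Result` value is non-zero. The sample input is constructed from the two events above plus a third, made-up failing event; the `LOCATION_MEANING` table, the `<no CRL>` label and all function names are this example's own assumptions, and the namespace stripping is there so that XML from `Get-WinEvent` (which carries the Windows event namespace) parses the same way as the namespace-free events quoted in the question.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample (not a real log export): the two CertVerifyRevocation
# events from the question, plus a third, made-up event with a non-zero
# Result (80092013 = CRYPT_E_REVOCATION_OFFLINE) and no CRL element, to
# exercise the failure path. Element layout follows the question's events.
SAMPLE_EVENTS = """<Events>
<Event><UserData><CertVerifyRevocation>
  <Certificate subjectName="Kaiblinger Harald" />
  <IssuerCertificate subjectName="Siemens Issuing CA EE Enc 2016" />
  <RevocationStatus index="0" error="0" reason="0" />
  <CertificateRevocationList location="TvoCache" url="http://ch.siemens.com/pki?ZZZZZZA3.crl" />
  <EventAuxInfo ProcessName="OUTLOOK.EXE" />
  <CorrelationAuxInfo TaskId="{A7973502-62E3-4973-8DEE-519E95942DAD}" SeqNumber="16" />
  <Result value="0" />
</CertVerifyRevocation></UserData></Event>
<Event><UserData><CertVerifyRevocation>
  <Certificate subjectName="Kaiblinger Harald" />
  <IssuerCertificate subjectName="Siemens Issuing CA EE Enc 2016" />
  <RevocationStatus index="0" error="0" reason="0" />
  <CertificateRevocationList location="UrlCache" url="http://ch.siemens.com/pki?ZZZZZZA3.crl" />
  <EventAuxInfo ProcessName="OUTLOOK.EXE" />
  <CorrelationAuxInfo TaskId="{A7973502-62E3-4973-8DEE-519E95942DAD}" SeqNumber="8" />
  <Result value="0" />
</CertVerifyRevocation></UserData></Event>
<Event><UserData><CertVerifyRevocation>
  <Certificate subjectName="example-test-cert (constructed)" />
  <IssuerCertificate subjectName="example-test-ca (constructed)" />
  <RevocationStatus index="0" error="80092013" reason="0" />
  <EventAuxInfo ProcessName="example.exe" />
  <CorrelationAuxInfo TaskId="{00000000-0000-0000-0000-000000000000}" SeqNumber="3" />
  <Result value="80092013" />
</CertVerifyRevocation></UserData></Event>
</Events>"""

# Meaning of the two CRL sources seen in the question (assumed wording):
# TvoCache is explained in the answer above; UrlCache is read from its name.
LOCATION_MEANING = {
    "TvoCache": "CRL served from cryptnet's Time Valid Object cache",
    "UrlCache": "CRL served from the URL retrieval cache",
}


def local_name(tag):
    """Strip an XML namespace prefix ({ns}Tag -> Tag) so exported events parse too."""
    return tag.rsplit("}", 1)[-1]


def parse_revocation_events(xml_text):
    """Return one dict per CertVerifyRevocation element, ordered by SeqNumber."""
    records = []
    for node in ET.fromstring(xml_text).iter():
        if local_name(node.tag) != "CertVerifyRevocation":
            continue
        rec = {"subject": None, "location": None, "url": None,
               "error": "0", "result": "0", "seq": 0, "process": None}
        for child in node:
            name = local_name(child.tag)
            if name == "Certificate":
                rec["subject"] = child.get("subjectName")
            elif name == "CertificateRevocationList":
                rec["location"] = child.get("location")
                rec["url"] = child.get("url")
            elif name == "RevocationStatus":
                rec["error"] = child.get("error", "0")
            elif name == "Result":
                rec["result"] = child.get("value", "0")
            elif name == "CorrelationAuxInfo":
                rec["seq"] = int(child.get("SeqNumber", "0"))
            elif name == "EventAuxInfo":
                rec["process"] = child.get("ProcessName")
        records.append(rec)
    return sorted(records, key=lambda r: r["seq"])


def summarize(records):
    """Count CRL sources and collect checks that did not complete cleanly."""
    by_location = Counter(r["location"] or "<no CRL>" for r in records)
    failures = [r for r in records if r["result"] != "0" or r["error"] != "0"]
    return by_location, failures


if __name__ == "__main__":
    recs = parse_revocation_events(SAMPLE_EVENTS)
    counts, failed = summarize(recs)
    for loc, n in counts.items():
        print(f"{loc:10} {n}  {LOCATION_MEANING.get(loc, 'not described in the question')}")
    for r in failed:
        print(f"seq {r['seq']}: {r['subject']} in {r['process']} -> Result {r['result']}")
```

To run it against a live machine, export the CAPI2 Operational log events (for example each event's `ToXml()` output from `Get-WinEvent`) wrapped in a single root element and pass that string to `parse_revocation_events`; a rising share of `UrlCache` or `<no CRL>` entries relative to `TvoCache`, or any entry in the failure list, is what to look at when revocation checking starts timing out.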
