[release/3.0]Handle UnparseableExtension status code when building X509Chain on …

[buyaa-n]

Fixes #39988
Port of #40063

Description

Handle UnparseableExtension status code when building X509Chain on OSX 10.15

Impact

Allow building X509Chain to support UnparseableExtension status and gracefully fail on latest OSX

Regression?

No

Risk

Low

[krwq]

You might want to wait for @bartonjs's approval since he'll be back before preview9's cutoff date (around 8/20)

[buyaa-n]

You might want to wait for @bartonjs's approval since he'll be back before preview9's cutoff date (around 8/20)

Sure will wait

[danmoseley]

@krwq based on what I undrestand of this issue, it seems like the right fix and ideally we would put it in now rather than waiting, that gives more time for any possible issue to emerge upstack. Do you feel OK with doing that? If you think it's important to wait for @bartonjs that's fine.

[krwq]

@danmosemsft I'm good with that

[danmoseley]

K I’ll take to tactics

[bartonjs]

If this code is not reported by Windows then mapping it to nothing is a better fix.

Just because the code sounds like the right answer, if Windows isn't reporting it, we shouldn't from macOS either.

[bartonjs]

The InvalidAia test must be changed to show that this code is reported by both Windows and macOS (and, ideally, Linux),

[buyaa-n]

We tried to add assert that, but it failed on windows, didn't checked on Linux
Assert.Contains(chain.ChainStatus, (status) => status.Status.HasFlag(X509ChainStatusFlags.InvalidExtension));

[bartonjs]

Shouldn't be merged into release/3.0 without confirmation it's decreasing, vs increasing, Windows behavior deltas.

[danmoseley]

Thanks @bartonjs

[danmoseley]

Removing ask mode pending addressing @bartonjs feedback. @buyaa-n please when fixed set ask-mode label for tactics on Tuesday. (Eric E will be running it that week)

@buyaa-n you said this does not apply to 2.x right? if it does it will need a port there.

[buyaa-n]

If this code is not reported by Windows then mapping it to nothing is a better fix.
Just because the code sounds like the right answer, if Windows isn't reporting it, we shouldn't from macOS either.

You mean ignoring it better for now?

Shouldn't be merged into release/3.0 without confirmation it's decreasing, vs increasing, Windows behavior deltas.

I might didn't get this comment correctly. If we check this status in TestInvalidAia its failing for Windows. So i assume the requested change is to ignore this status

[buyaa-n]

Removing ask mode pending addressing @bartonjs feedback. @buyaa-n please when fixed set ask-mode label for tactics on Tuesday. (Eric E will be running it that week)

Sure i will put back the tag after getting approval from @bartonjs

@buyaa-n you said this does not apply to 2.x right? if it does it will need a port there.

Yes It is not failing in 2.x. no need to port

[krwq]

@buyaa-n are you sure it's not supported on Windows vs current implementation ignoring the code?

[buyaa-n]

@krwq I was not sure, thats why i asked about it from you at lunch, but haven't checked windows code yet

[krwq]

@buyaa-n Windows does this: https://github.com/dotnet/corefx/blob/master/src/System.Security.Cryptography.X509Certificates/src/Internal/Cryptography/Pal.Windows/ChainPal.BuildChain.cs#L75

so you will need to read https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-certgetcertificatechain to figure out if there is some easy way to get the error

[buyaa-n]

@bartonjs I have compared X509ChainStatus-es produced from Windows and Mac with ignored solution. Windows produces:

PartialChain
RevocationStatusUnknown
OfflineRevocation

Mac produces:

RevocationStatusUnknown
PartialChain

And if i map new status UnparseableExtension into PAL_X509ChainOfflineRevocation i see same result. Now i understood what you meant by

Shouldn't be merged into release/3.0 without confirmation it's decreasing, vs increasing, Windows behavior deltas.

So the correct mapping must be PAL_X509ChainOfflineRevocation, but its just sound very different than UnparseableExtension. Anyways am gonna add this mapping and add test case asserting this value

[buyaa-n]

@bartonjs added test case is failing for Linux and old Mac OS, seems better remove the test case

[bartonjs]

So the correct mapping must be PAL_X509ChainOfflineRevocation, but its just sound very different than UnparseableExtension.

No, OfflineRevocation is a different code (and I'm surprised Windows is returning it). Windows might be returning it as a way of saying "due to inputs I couldn't complete this operation", but generally it means "you used X509RevocationMode.Offline and this value isn't in the cache". If it was an extension other than Authority Information Access we'd probably see different results.

Anyways am gonna add this mapping and add test case asserting this value

I don't see the test case as part of this PR.

---

Based on the data in this thread I believe the correct action is to map it to nothing.

It might make sense to just make the test say it doesn't care about revocation (since it doesn't):

    X509Chain chain = new X509Chain();
+   chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
    Assert.False(chain.Build(ee));

Then we'll reduce the red herring of OfflineRevocation, and we can then just add

    Assert.Equals(1, chain.ChainElements.Count);
+   Assert.Equals(X509ChainStatusFlags.PartialChain, chain.AllStatusFlags());

[buyaa-n]

@bartonjs updated accordingly, please re review

[bartonjs]

LGTM (as long as the test run backs up my assertions).

[buyaa-n]

Tests passed, good to go, thank you @bartonjs @krwq

[stephentoub]

@buyaa-n, was this approved by shiproom for ask mode?
cc: @eerhardt

[krwq]

@buyaa-n also we need to merge this change back to master since there was some additional feedback from @bartonjs addressed here

[buyaa-n]

@buyaa-n, was this approved by shiproom for ask mode?

oops, sorry forgot that, added ask mode, even its too late now, in case its not approved maybe raise reverse PR?

@buyaa-n also we need to merge this change back to master since there was some additional feedback from @bartonjs addressed here

Yes i'm having that ready, just left all tests run again, will raise PR after this one got approved

[buyaa-n]

@krwq created backport as it is the correct update for master even no matter 3.0 approval #40313

[eerhardt]

was this approved by shiproom for ask mode?

Unfortunately, no it wasn't. I'll bring it up at the next shiproom to see if they wouldn't have approved it. And if so, if we should back it out.

But let's wait for shiproom approval for any future changes in 3.0.

[eerhardt]

This was approved in shiproom today since it affects macOS 10.15.

[buyaa-n]

Thank you @eerhardt