From b13cea9b8eef7a50bef74336db8791252e06910e Mon Sep 17 00:00:00 2001 From: Genevieve Warren <24882762+gewarren@users.noreply.github.com> Date: Wed, 20 Jul 2022 15:36:21 -0700 Subject: [PATCH 1/4] x509chainpolicy verification time --- docs/core/compatibility/7.0.md | 1 + .../7.0/x509chainpolicy-verification-time.md | 65 +++++++++++++++++++ docs/core/compatibility/toc.yml | 4 ++ 3 files changed, 70 insertions(+) create mode 100644 docs/core/compatibility/cryptography/7.0/x509chainpolicy-verification-time.md diff --git a/docs/core/compatibility/7.0.md b/docs/core/compatibility/7.0.md index 7d3e68fb2a26f..d1a47de263d08 100644 --- a/docs/core/compatibility/7.0.md +++ b/docs/core/compatibility/7.0.md @@ -46,6 +46,7 @@ If you're migrating an app to .NET 7, the breaking changes listed here might aff | Title | Binary compatible | Source compatible | Introduced | | - | :-: | :-: | - | | [Decrypting EnvelopedCms doesn't double unwrap](cryptography/7.0/decrypt-envelopedcms.md) | ❌ | ✔️ | Preview 5 | +| [Dynamic X509ChainPolicy verification time](cryptography/7.0/x509chainpolicy-verification-time.md) | ❌ | ✔️ | Preview 7 | | [X500DistinguishedName parsing of friendly names](cryptography/7.0/x500-distinguished-names.md) | ❌ | ✔️ | Preview 5 | ## Deployment diff --git a/docs/core/compatibility/cryptography/7.0/x509chainpolicy-verification-time.md b/docs/core/compatibility/cryptography/7.0/x509chainpolicy-verification-time.md new file mode 100644 index 0000000000000..ddfe175250280 --- /dev/null +++ b/docs/core/compatibility/cryptography/7.0/x509chainpolicy-verification-time.md 
@@ -0,0 +1,65 @@ +--- +title: "Breaking change: Dynamic X509ChainPolicy verification time" +description: Learn about the .NET 7 breaking change in cryptography where the X509ChainPolicy verification time is the time when Build is invoked. +ms.date: 07/20/2022 +--- +# Dynamic X509ChainPolicy verification time + +In previous versions of .NET, the value was assigned to when the object was constructed. Using the same `X509ChainPolicy` object for multiple calls to resulted in all chain builds using that same value of "now", no matter how much time had passed since the object was created. + +The new default behavior is to use the value of `DateTime.Now` as the verification time when `X509Chain.Build()` is invoked. This change doesn't affect chain builds that explicitly assign `X509ChainPolicy.VerificationTime`. + +## Previous behavior + +The value was assigned to when the `X509ChainPolicy` object was constructed. This value was used in all subsequent calls (unless or until the value was reassigned at a later time). + +## New behavior + +The value is assigned to when the `X509ChainPolicy` object is constructed, but the new `X509ChainPolicy.VerificationTimeIgnored` property defaults to `true`. When this property has a value of `true`, the method uses `DateTime.Now` instead of `X509ChainPolicy.VerificationTime` when building the chain. + +Assigning a value to the `X509ChainPolicy.VerificationTime` property automatically sets `VerificationTimeIgnored` to `false`. + +## Version introduced + +.NET 7 Preview 7 + +## Type of breaking change + +This change can affect [binary compatibility](../../categories.md#binary-compatibility). + +## Reason for change + +Callers who cache configured `X509ChainPolicy` objects were often surprised that their validation was slowly moving further back in time. This change makes long-lived `X509ChainPolicy` objects easier to work with and doesn't significantly impact short-lived objects. 
+ +## Recommended action + +The following callers aren't impacted by the change: + +- Callers that don't have long-lived `X509ChainPolicy` objects. +- Callers that explicitly assign the `X509ChainPolicy.VerificationTime` property. + +Callers that have a long-lived `X509ChainPolicy` object that wish to use the previous behavior can either assign the new `X509ChainPolicy.VerificationTimeIgnored` property to `false` or assign the `X509ChainPolicy.VerificationTime` property to `DateTime.Now`. + +```csharp +X509ChainPolicy policy = new X509ChainPolicy +{ + ..., + VerificationTime = DateTime.Now, +}; +``` + +or + +```csharp +X509ChainPolicy policy = new X509ChainPolicy +{ + ... + VerificationTimeIgnored = false, +}; +``` + +## Affected APIs + +- +- +- `System.Security.Cryptography.X509Certificates.X509ChainPolicy.VerificationTimeIgnored` diff --git a/docs/core/compatibility/toc.yml b/docs/core/compatibility/toc.yml index 60460e8e0ee26..fa1096b4f8351 100644 --- a/docs/core/compatibility/toc.yml +++ b/docs/core/compatibility/toc.yml @@ -63,6 +63,8 @@ items: href: core-libraries/7.0/compressionlevel-validation.md - name: Cryptography items: + - name: Dynamic X509ChainPolicy verification time + href: cryptography/7.0/x509chainpolicy-verification-time.md - name: EnvelopedCms.Decrypt doesn't double unwrap href: cryptography/7.0/decrypt-envelopedcms.md - name: X500DistinguishedName parsing of friendly names @@ -899,6 +901,8 @@ items: items: - name: .NET 7 items: + - name: Dynamic X509ChainPolicy verification time + href: cryptography/7.0/x509chainpolicy-verification-time.md - name: EnvelopedCms.Decrypt doesn't double unwrap href: cryptography/7.0/decrypt-envelopedcms.md - name: X500DistinguishedName parsing of friendly names From 033efe5ed1086ce41a5fcb80bfb2d05668f0c90b Mon Sep 17 00:00:00 2001 
From: Genevieve Warren <24882762+gewarren@users.noreply.github.com> Date: Wed, 20 Jul 2022 15:43:06 -0700 Subject: [PATCH 2/4] some tweaks --- .../cryptography/7.0/x509chainpolicy-verification-time.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/core/compatibility/cryptography/7.0/x509chainpolicy-verification-time.md b/docs/core/compatibility/cryptography/7.0/x509chainpolicy-verification-time.md index ddfe175250280..3ebed50291b04 100644 --- a/docs/core/compatibility/cryptography/7.0/x509chainpolicy-verification-time.md +++ b/docs/core/compatibility/cryptography/7.0/x509chainpolicy-verification-time.md @@ -5,9 +5,9 @@ ms.date: 07/20/2022 --- # Dynamic X509ChainPolicy verification time -In previous versions of .NET, the value was assigned to when the object was constructed. Using the same `X509ChainPolicy` object for multiple calls to resulted in all chain builds using that same value of "now", no matter how much time had passed since the object was created. +In previous versions of .NET, the value was assigned to when the object was constructed. Using the same `X509ChainPolicy` object for multiple calls to resulted in all chain builds using that same value as the verification time, no matter how much time had passed since the object was created. -The new default behavior is to use the value of `DateTime.Now` as the verification time when `X509Chain.Build()` is invoked. This change doesn't affect chain builds that explicitly assign `X509ChainPolicy.VerificationTime`. +The new default behavior is to use the value of `DateTime.Now` when `X509Chain.Build()` is invoked as the verification time. This change doesn't affect chain builds that explicitly assign `X509ChainPolicy.VerificationTime`. ## Previous behavior 
@@ -15,7 +15,7 @@ The value is assigned to when the `X509ChainPolicy` object is constructed, but the new `X509ChainPolicy.VerificationTimeIgnored` property defaults to `true`. When this property has a value of `true`, the method uses `DateTime.Now` instead of `X509ChainPolicy.VerificationTime` when building the chain. +The value is assigned to when the `X509ChainPolicy` object is constructed, but the new `X509ChainPolicy.VerificationTimeIgnored` property defaults to `true`. When this property has a value of `true`, the method uses `DateTime.Now` as the verification time instead of `X509ChainPolicy.VerificationTime` when building the chain. Assigning a value to the `X509ChainPolicy.VerificationTime` property automatically sets `VerificationTimeIgnored` to `false`. From d6242cba72aabcd91f4ae3a5e6d4299ce2ce7d37 Mon Sep 17 00:00:00 2001 From: Genevieve Warren <24882762+gewarren@users.noreply.github.com> Date: Thu, 21 Jul 2022 13:01:32 -0700 Subject: [PATCH 3/4] Apply suggestions from code review --- .../cryptography/7.0/x509chainpolicy-verification-time.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/core/compatibility/cryptography/7.0/x509chainpolicy-verification-time.md b/docs/core/compatibility/cryptography/7.0/x509chainpolicy-verification-time.md index 3ebed50291b04..a9db447373faa 100644 --- a/docs/core/compatibility/cryptography/7.0/x509chainpolicy-verification-time.md +++ b/docs/core/compatibility/cryptography/7.0/x509chainpolicy-verification-time.md @@ -43,7 +43,7 @@ Callers that have a long-lived `X509ChainPolicy` object that wish to use the pre ```csharp X509ChainPolicy policy = new X509ChainPolicy { - ..., + // ... VerificationTime = DateTime.Now, }; ``` @@ -53,7 +53,7 @@ or ```csharp X509ChainPolicy policy = new X509ChainPolicy { - ... + // ... VerificationTimeIgnored = false, }; ``` From 64b1f2f6b07bfcbe92eeab8a958d9539f66ac034 Mon Sep 17 00:00:00 2001 
From: Genevieve Warren <24882762+gewarren@users.noreply.github.com> Date: Mon, 25 Jul 2022 13:20:06 -0700 Subject: [PATCH 4/4] Apply suggestions from code review --- .../cryptography/7.0/x509chainpolicy-verification-time.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/core/compatibility/cryptography/7.0/x509chainpolicy-verification-time.md b/docs/core/compatibility/cryptography/7.0/x509chainpolicy-verification-time.md index a9db447373faa..6de9f580fe531 100644 --- a/docs/core/compatibility/cryptography/7.0/x509chainpolicy-verification-time.md +++ b/docs/core/compatibility/cryptography/7.0/x509chainpolicy-verification-time.md @@ -41,7 +41,7 @@ The following callers aren't impacted by the change: Callers that have a long-lived `X509ChainPolicy` object that wish to use the previous behavior can either assign the new `X509ChainPolicy.VerificationTimeIgnored` property to `false` or assign the `X509ChainPolicy.VerificationTime` property to `DateTime.Now`. ```csharp -X509ChainPolicy policy = new X509ChainPolicy +var policy = new X509ChainPolicy { // ... VerificationTime = DateTime.Now, @@ -51,7 +51,7 @@ X509ChainPolicy policy = new X509ChainPolicy or ```csharp -X509ChainPolicy policy = new X509ChainPolicy +var policy = new X509ChainPolicy { // ... VerificationTimeIgnored = false,
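Review bot: in patch 1, hunk for the new file `x509chainpolicy-verification-time.md`, the API names have dropped out of the explanatory sentences ("the value was assigned to when the object was constructed", "multiple calls to resulted in all chain builds", "the method uses `DateTime.Now`"), and the "Affected APIs" list has two empty bullets above `X509ChainPolicy.VerificationTimeIgnored`; spell out `X509ChainPolicy.VerificationTime` and `X509Chain.Build()` in those sentences and fill the two bullets so the page reads correctly without the rendered cross-references. The "Reason for change" paragraph could also name the concrete effect of the old behavior it alludes to with "validation was slowly moving further back in time": with the verification time frozen at construction, a certificate whose validity period ends after the policy was created keeps passing the validity check on every later build. Finally, the `...,` placeholder inside the two object initializers is not valid C# (a later patch in this series swaps it for a `// ...` comment, which is the right fix).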
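Review bot: in patch 2, hunk `@@ -5,9 +5,9 @@`, the reworded sentence "to use the value of `DateTime.Now` when `X509Chain.Build()` is invoked as the verification time" reads as though "as the verification time" modifies "invoked"; suggest "to use, as the verification time, the value of `DateTime.Now` at the moment `X509Chain.Build()` is invoked". The preceding sentence in the same hunk still reads "the value was assigned to when the object was constructed", so the missing property name noted for patch 1 is not addressed here.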
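Review bot: in patch 3, hunk `@@ -43,7 +43,7 @@`, the `// ...` comment fixes the non-compiling placeholder, but the surrounding text should make explicit that both samples restore a frozen timestamp rather than a per-build one: per the "New behavior" section, `VerificationTime` is captured when the object is constructed, and assigning `VerificationTime = DateTime.Now` captures the time at that assignment and flips `VerificationTimeIgnored` to `false`. A reader could otherwise take the first sample to mean `DateTime.Now` is re-evaluated on each `X509Chain.Build()` call, which is the new default and exactly what this section says the caller is opting out of; one sentence after the second sample saying both forms pin the verification time until it is reassigned would close that gap.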