Handle additional X509 chain statuses for macOS #35488
Merged: bartonjs merged 3 commits into dotnet:master on Apr 27, 2020
Conversation
macOS returns a different status string for certificates that are in a special database and are explicitly distrusted. Windows has similar behavior, which reports the certificates as PAL_X509ChainExplicitDistrust. This makes macOS do the same instead of throwing an exception.
Linux does not appear to have any special distrusting for these certificates.
stephentoub (Member) reviewed on Apr 26, 2020 and left a comment:
A few comments, but otherwise LGTM if @bartonjs signs off.
Files commented on:
- src/libraries/Native/Unix/System.Security.Cryptography.Native.Apple/pal_x509chain.c
- src/libraries/System.Security.Cryptography.X509Certificates/tests/ChainTests.cs
- src/libraries/System.Security.Cryptography.X509Certificates/tests/ChainTests.cs (outdated)
filipnavara approved these changes on Apr 27, 2020
bartonjs approved these changes on Apr 27, 2020
This teaches macOS about two chain statuses, BlackListedLeaf and BlackListedKey.
The BlackListedLeaf status is for leaf certificates for incorrectly issued certificates for high value domains. The test included uses a notably misissued certificate for mail.google.com. Both macOS and Windows treat this certificate as explicitly distrusted. OpenSSL does not currently have such special treatment. It appears to use no special handling of this certificate, and instead relies on revocation. As such, the test is configured to not run on Linux since revocation is presumably tested elsewhere.
BlackListedKey is reported for the intermediate when building a chain for a certificate that was signed by a disallowed signing key. The test uses the no-more CA DigiNotar as the intermediate. Both Windows and macOS report this as explicitly distrusted. Linux again appears to have no special handling for this; it is instead reported as a Partial Chain since DigiNotar is no longer in the trust anchor store.
Fixes #35463
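The description above shows that the same distrusted certificate surfaces as ExplicitDistrust on Windows and macOS but as PartialChain on Linux. The following is an added example of how consuming code should read those statuses; it is not code from this PR or from dotnet/runtime. The class and method names (ChainVerdict, Classify, DumpElements, MakeTestChain) are hypothetical, the CA and leaf certificates are constructed at run time so nothing touches a real trust store, and it assumes .NET 5 or later, where X509ChainPolicy.TrustMode and CustomTrustStore are available.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example (not from the dotnet/runtime PR). Names are hypothetical;
// assumes .NET 5+ for X509ChainTrustMode.CustomRootTrust.
public static class ChainVerdict
{
    // Fold every status reported for the chain into one flag set and rank the
    // outcomes. Explicit distrust wins over everything else: a chain that hits a
    // blacklisted leaf or a blacklisted signing key must not be "repaired" by
    // supplying the issuer through ExtraStore or a custom root store.
    public static string Classify(X509Chain chain)
    {
        X509ChainStatusFlags all = X509ChainStatusFlags.NoError;
        foreach (X509ChainStatus status in chain.ChainStatus)
        {
            all |= status.Status;
        }

        if ((all & X509ChainStatusFlags.ExplicitDistrust) != 0)
            return "explicitly-distrusted";   // Windows and macOS report this
        if ((all & X509ChainStatusFlags.PartialChain) != 0)
            return "partial-chain";           // issuer not found; Linux reports the DigiNotar case this way
        if ((all & X509ChainStatusFlags.UntrustedRoot) != 0)
            return "untrusted-root";
        if ((all & X509ChainStatusFlags.NotTimeValid) != 0)
            return "expired-or-not-yet-valid";
        return all == X509ChainStatusFlags.NoError ? "trusted" : "other:" + all;
    }

    // Per-element view: in the BlackListedKey case the flag sits on the
    // intermediate, not on the leaf, so the aggregate alone hides where it came from.
    public static void DumpElements(X509Chain chain)
    {
        foreach (X509ChainElement element in chain.ChainElements)
        {
            X509ChainStatusFlags flags = X509ChainStatusFlags.NoError;
            foreach (X509ChainStatus s in element.ChainElementStatus) flags |= s.Status;
            Console.WriteLine($"  {element.Certificate.Subject}: {flags}");
        }
    }

    // Constructed test material: a throwaway CA and one leaf it issues.
    public static (X509Certificate2 ca, X509Certificate2 leaf) MakeTestChain()
    {
        using RSA caKey = RSA.Create(2048);
        var caReq = new CertificateRequest("CN=Constructed Test CA", caKey,
            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        caReq.CertificateExtensions.Add(new X509BasicConstraintsExtension(true, false, 0, true));
        caReq.CertificateExtensions.Add(new X509SubjectKeyIdentifierExtension(caReq.PublicKey, false));
        X509Certificate2 ca = caReq.CreateSelfSigned(
            DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddYears(1));

        using RSA leafKey = RSA.Create(2048);
        var leafReq = new CertificateRequest("CN=leaf.constructed.example", leafKey,
            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        leafReq.CertificateExtensions.Add(new X509BasicConstraintsExtension(false, false, 0, false));
        X509Certificate2 leaf = leafReq.Create(ca,
            DateTimeOffset.UtcNow.AddHours(-1), DateTimeOffset.UtcNow.AddMonths(6),
            new byte[] { 0x01, 0x02, 0x03 });
        return (ca, leaf);
    }

    public static void Main()
    {
        var (ca, leaf) = MakeTestChain();

        // 1) Issuer absent from every store: the PartialChain outcome, the same
        //    status Linux reports for the DigiNotar intermediate in the PR's test.
        using (var chain = new X509Chain())
        {
            chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
            chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust; // empty custom store
            chain.Build(leaf);
            Console.WriteLine("without issuer: " + Classify(chain));
            DumpElements(chain);
        }

        // 2) Issuer pinned as a custom root: the chain builds cleanly.
        using (var chain = new X509Chain())
        {
            chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
            chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
            chain.ChainPolicy.CustomTrustStore.Add(ca);
            chain.Build(leaf);
            Console.WriteLine("with issuer pinned: " + Classify(chain));
            DumpElements(chain);
        }
    }
}
```

The ranking in Classify is the point: code that keys only on PartialChain or UntrustedRoot and then retries with a wider ExtraStore would, on Windows and macOS, still receive ExplicitDistrust and must treat that as final, while on Linux the same DigiNotar chain only ever shows up as PartialChain and revocation checking has to carry the load.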