From dce3f86d7a4194bb49e7f24e6fc773a21e1acafb Mon Sep 17 00:00:00 2001 From: Tom Deseyn Date: Mon, 23 May 2022 10:41:16 +0200 Subject: [PATCH 1/5] OpenSslX509ChainProcessor: ignore NotSignatureValid on last element. --- .../OpenSslX509ChainProcessor.cs | 54 +++++++++++++++++-- 1 file changed, 49 insertions(+), 5 deletions(-) diff --git a/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/OpenSslX509ChainProcessor.cs b/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/OpenSslX509ChainProcessor.cs index 906f1edb8eb84f..057829298f2263 100644 --- a/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/OpenSslX509ChainProcessor.cs +++ b/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/OpenSslX509ChainProcessor.cs @@ -904,7 +904,7 @@ private X509ChainElement[] BuildChainElements( overallStatus = null; List? statusBuilder = null; - + bool overallHasNotSignatureValid = false; using (SafeX509StackHandle chainStack = Interop.Crypto.X509StoreCtxGetChain(_storeCtx)) { int chainSize = Interop.Crypto.GetX509StackFieldCount(chainStack); @@ -921,7 +921,20 @@ private X509ChainElement[] BuildChainElements( statusBuilder ??= new List(); overallStatus ??= new List(); - AddElementStatus(elementErrors.Value, statusBuilder, overallStatus); + bool hadSignatureNotValid = overallHasNotSignatureValid; + AddElementStatus(elementErrors.Value, statusBuilder, overallStatus, ref overallHasNotSignatureValid); + + // Clear NotSignatureValid for the last element when overall chain is not PartialChain or UntrustedRoot. + bool isLastElement = i == chainSize - 1; + if (isLastElement && !hadSignatureNotValid && overallHasNotSignatureValid) + { + if (!ContainsStatus(overallStatus, X509ChainStatusFlags.PartialChain) && + !ContainsStatus(overallStatus, X509ChainStatusFlags.UntrustedRoot)) + { + RemoveStatus(statusBuilder, X509ChainStatusFlags.NotSignatureValid); + RemoveStatus(overallStatus, X509ChainStatusFlags.NotSignatureValid); + } + } status = statusBuilder.ToArray(); statusBuilder.Clear(); } @@ -1013,11 +1026,12 @@ private static void ProcessPolicy( private static void AddElementStatus( ErrorCollection errorCodes, List elementStatus, - List overallStatus) + List overallStatus, + ref bool overallHasNotSignatureValid) { foreach (var errorCode in errorCodes) { - AddElementStatus(errorCode, elementStatus, overallStatus); + AddElementStatus(errorCode, elementStatus, overallStatus, ref overallHasNotSignatureValid); } foreach (X509ChainStatus element in elementStatus) @@ -1042,7 +1056,8 @@ private static void AddElementStatus( private static void AddElementStatus( Interop.Crypto.X509VerifyStatusCode errorCode, List elementStatus, - List overallStatus) + List overallStatus, + ref bool overallHasNotSignatureValid) { X509ChainStatusFlags statusFlag = MapVerifyErrorToChainStatus(errorCode); @@ -1069,6 +1084,10 @@ private static void AddElementStatus( elementStatus.Add(chainStatus); AddUniqueStatus(overallStatus, ref chainStatus); + if (statusFlag == X509ChainStatusFlags.NotSignatureValid) + { + overallHasNotSignatureValid = true; + } } private static void AddUniqueStatus(List list, ref X509ChainStatus status) @@ -1086,6 +1105,31 @@ private static void AddUniqueStatus(List list, ref X509ChainSta list.Add(status); } + private static bool ContainsStatus(List list, X509ChainStatusFlags statusCode) + { + for (int i = 0; i < list.Count; i++) + { + if (list[i].Status == statusCode) + { + return true; + } + } + + return false; + } + + private static void RemoveStatus(List list, X509ChainStatusFlags statusCode) + { + for (int i = 0; i < list.Count; i++) + { + if (list[i].Status == statusCode) + { + list.RemoveAt(i); + return; + } + } + } + private static X509ChainStatusFlags MapVerifyErrorToChainStatus(Interop.Crypto.X509VerifyStatusCode code) { switch (code.UniversalCode) From 056ca8d52bcfcdac8056dc3eb092cb36f773bb97 Mon Sep 17 00:00:00 2001 From: Tom Deseyn Date: Tue, 24 May 2022 09:32:04 +0200 Subject: [PATCH 2/5] Add test --- .../tests/ChainTests.cs | 66 +++++++++++++++++++ .../tests/DynamicChainTests.cs | 9 +-- .../tests/TestDataGenerator.cs | 7 ++ 3 files changed, 74 insertions(+), 8 deletions(-) diff --git a/src/libraries/System.Security.Cryptography.X509Certificates/tests/ChainTests.cs b/src/libraries/System.Security.Cryptography.X509Certificates/tests/ChainTests.cs index 614ae070496cc6..b1754cc6bfe1b0 100644 --- a/src/libraries/System.Security.Cryptography.X509Certificates/tests/ChainTests.cs +++ b/src/libraries/System.Security.Cryptography.X509Certificates/tests/ChainTests.cs @@ -66,6 +66,72 @@ public static void BuildChain() } } + public enum BuildChainWithNotSignatureValidTest : int + { + TrustedRoot, + UntrustedRoot, + PartialChain + } + + public static IEnumerable BuildChainWithNotSignatureValidData() + { + yield return new object[] { true, X509ChainStatusFlags.NoError, BuildChainWithNotSignatureValidTest.TrustedRoot }; + yield return new object[] { false, X509ChainStatusFlags.UntrustedRoot | X509ChainStatusFlags.NotSignatureValid, BuildChainWithNotSignatureValidTest.UntrustedRoot }; + yield return new object[] { false, X509ChainStatusFlags.PartialChain, BuildChainWithNotSignatureValidTest.PartialChain }; + } + + [Theory] + [MemberData(nameof(BuildChainWithNotSignatureValidData))] + [PlatformSpecific(TestPlatforms.Linux)] // NotSignatureValid gets ignored on the root certificate. + public static void BuildChainWithNotSignatureValid( + bool chainBuildsSuccessfully, + X509ChainStatusFlags chainFlags, + BuildChainWithNotSignatureValidTest test) + { + TestDataGenerator.MakeTestChain3( + out X509Certificate2 endCert, + out X509Certificate2 intermediateCert, + out X509Certificate2 rootCert, + testName: test.ToString()); + + // Make root cert signature invalid. + X509Certificate2 tampered = TestDataGenerator.TamperSignature(rootCert); + rootCert.Dispose(); + rootCert = tampered; + + using (endCert) + using (intermediateCert) + using (rootCert) + using (ChainHolder chainHolder = new ChainHolder()) + { + X509Chain chainTest = chainHolder.Chain; + chainTest.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck; + chainTest.ChainPolicy.VerificationTime = endCert.NotBefore.AddSeconds(1); + chainTest.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust; + chainTest.ChainPolicy.ExtraStore.Add(endCert); + + switch (test) + { + case BuildChainWithNotSignatureValidTest.TrustedRoot: + chainTest.ChainPolicy.ExtraStore.Add(intermediateCert); + chainTest.ChainPolicy.CustomTrustStore.Add(rootCert); + break; + case BuildChainWithNotSignatureValidTest.PartialChain: + chainTest.ChainPolicy.CustomTrustStore.Add(rootCert); + break; + case BuildChainWithNotSignatureValidTest.UntrustedRoot: + chainTest.ChainPolicy.ExtraStore.Add(intermediateCert); + chainTest.ChainPolicy.ExtraStore.Add(rootCert); + break; + default: + throw new InvalidDataException(); + } + + Assert.Equal(chainBuildsSuccessfully, chainTest.Build(endCert)); + Assert.Equal(chainFlags, chainTest.AllStatusFlags()); + } + } + [PlatformSpecific(TestPlatforms.Windows)] [Fact] public static void VerifyChainFromHandle() diff --git a/src/libraries/System.Security.Cryptography.X509Certificates/tests/DynamicChainTests.cs b/src/libraries/System.Security.Cryptography.X509Certificates/tests/DynamicChainTests.cs index 32d0ac6501d34b..dc7afa2af8a813 100644 --- a/src/libraries/System.Security.Cryptography.X509Certificates/tests/DynamicChainTests.cs +++ b/src/libraries/System.Security.Cryptography.X509Certificates/tests/DynamicChainTests.cs @@ -84,7 +84,7 @@ X509Certificate2 TamperIfNeeded(X509Certificate2 input, X509ChainStatusFlags fla { if ((flags & X509ChainStatusFlags.NotSignatureValid) != 0) { - X509Certificate2 tampered = TamperSignature(input); + X509Certificate2 tampered = TestDataGenerator.TamperSignature(input); input.Dispose(); return tampered; } @@ -948,13 +948,6 @@ private static void TestNameConstrainedChain( } } - private static X509Certificate2 TamperSignature(X509Certificate2 input) - { - byte[] cert = input.RawData; - cert[cert.Length - 1] ^= 0xFF; - return new X509Certificate2(cert); - } - private static X509Extension BuildPolicyConstraints( int? requireExplicitPolicySkipCerts = null, int? inhibitPolicyMappingSkipCerts = null) diff --git a/src/libraries/System.Security.Cryptography.X509Certificates/tests/TestDataGenerator.cs b/src/libraries/System.Security.Cryptography.X509Certificates/tests/TestDataGenerator.cs index 0e729c7661b088..815879930b69db 100644 --- a/src/libraries/System.Security.Cryptography.X509Certificates/tests/TestDataGenerator.cs +++ b/src/libraries/System.Security.Cryptography.X509Certificates/tests/TestDataGenerator.cs @@ -202,5 +202,12 @@ private static byte[] CreateSerial() RandomNumberGenerator.Fill(bytes); return bytes; } + + internal static X509Certificate2 TamperSignature(X509Certificate2 input) + { + byte[] cert = input.RawData; + cert[cert.Length - 1] ^= 0xFF; + return new X509Certificate2(cert); + } } } From c491aaaeab1db2989f3aad4c15b392857e3ee1c7 Mon Sep 17 00:00:00 2001 From: Tom Deseyn Date: Tue, 24 May 2022 10:20:22 +0200 Subject: [PATCH 3/5] Test: verify NotSignatureValid is not filtered from end cert. --- .../tests/ChainTests.cs | 24 +++++++++++++++---- 1 file changed, 19 insertions(+), 5 deletions(-) diff --git a/src/libraries/System.Security.Cryptography.X509Certificates/tests/ChainTests.cs b/src/libraries/System.Security.Cryptography.X509Certificates/tests/ChainTests.cs index b1754cc6bfe1b0..d8738ff69ebafc 100644 --- a/src/libraries/System.Security.Cryptography.X509Certificates/tests/ChainTests.cs +++ b/src/libraries/System.Security.Cryptography.X509Certificates/tests/ChainTests.cs @@ -70,7 +70,8 @@ public enum BuildChainWithNotSignatureValidTest : int { TrustedRoot, UntrustedRoot, - PartialChain + PartialChain, + EndCertNotSignatureValid } public static IEnumerable BuildChainWithNotSignatureValidData() @@ -78,6 +79,7 @@ public static IEnumerable BuildChainWithNotSignatureValidData() yield return new object[] { true, X509ChainStatusFlags.NoError, BuildChainWithNotSignatureValidTest.TrustedRoot }; yield return new object[] { false, X509ChainStatusFlags.UntrustedRoot | X509ChainStatusFlags.NotSignatureValid, BuildChainWithNotSignatureValidTest.UntrustedRoot }; yield return new object[] { false, X509ChainStatusFlags.PartialChain, BuildChainWithNotSignatureValidTest.PartialChain }; + yield return new object[] { false, X509ChainStatusFlags.NotSignatureValid, BuildChainWithNotSignatureValidTest.EndCertNotSignatureValid }; } [Theory] @@ -94,10 +96,21 @@ public static void BuildChainWithNotSignatureValid( out X509Certificate2 rootCert, testName: test.ToString()); - // Make root cert signature invalid. - X509Certificate2 tampered = TestDataGenerator.TamperSignature(rootCert); - rootCert.Dispose(); - rootCert = tampered; + X509Certificate2 tampered; + switch (test) + { + case BuildChainWithNotSignatureValidTest.EndCertNotSignatureValid: + tampered = TestDataGenerator.TamperSignature(endCert); + endCert.Dispose(); + endCert = tampered; + break; + default: + // Make root cert signature invalid. + tampered = TestDataGenerator.TamperSignature(rootCert); + rootCert.Dispose(); + rootCert = tampered; + break; + } using (endCert) using (intermediateCert) @@ -113,6 +126,7 @@ public static void BuildChainWithNotSignatureValid( switch (test) { case BuildChainWithNotSignatureValidTest.TrustedRoot: + case BuildChainWithNotSignatureValidTest.EndCertNotSignatureValid: chainTest.ChainPolicy.ExtraStore.Add(intermediateCert); chainTest.ChainPolicy.CustomTrustStore.Add(rootCert); break; From 97156d27a19b9bb26254de3bf0c030b9355bf39f Mon Sep 17 00:00:00 2001 From: Tom Deseyn Date: Tue, 24 May 2022 17:13:05 +0200 Subject: [PATCH 4/5] PR feedback. --- .../Cryptography/X509Certificates/OpenSslX509ChainProcessor.cs | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/OpenSslX509ChainProcessor.cs b/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/OpenSslX509ChainProcessor.cs index 057829298f2263..0165f8f9a856bc 100644 --- a/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/OpenSslX509ChainProcessor.cs +++ b/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/OpenSslX509ChainProcessor.cs @@ -12,6 +12,7 @@ using System.Text; using Microsoft.Win32.SafeHandles; using Internal.Cryptography; +using Interop.Crypto; using X509VerifyStatusCodeUniversal = Interop.Crypto.X509VerifyStatusCodeUniversal; @@ -1029,7 +1030,7 @@ private static void AddElementStatus( List overallStatus, ref bool overallHasNotSignatureValid) { - foreach (var errorCode in errorCodes) + foreach (X509VerifyStatusCode errorCode in errorCodes) { AddElementStatus(errorCode, elementStatus, overallStatus, ref overallHasNotSignatureValid); } From 14337607ab00e22054524f1b4691ccc1f87e8c8c Mon Sep 17 00:00:00 2001 From: Tom Deseyn Date: Wed, 25 May 2022 09:14:38 +0200 Subject: [PATCH 5/5] PR feedback --- .../tests/ChainTests.cs | 80 ---------------- .../tests/DynamicChainTests.cs | 96 ++++++++++++++++++- .../tests/TestDataGenerator.cs | 7 -- .../OpenSslX509ChainProcessor.cs | 4 +- 4 files changed, 97 insertions(+), 90 deletions(-) diff --git a/src/libraries/System.Security.Cryptography.X509Certificates/tests/ChainTests.cs b/src/libraries/System.Security.Cryptography.X509Certificates/tests/ChainTests.cs index d8738ff69ebafc..614ae070496cc6 100644 --- a/src/libraries/System.Security.Cryptography.X509Certificates/tests/ChainTests.cs +++ b/src/libraries/System.Security.Cryptography.X509Certificates/tests/ChainTests.cs @@ -66,86 +66,6 @@ public static void BuildChain() } } - public enum BuildChainWithNotSignatureValidTest : int - { - TrustedRoot, - UntrustedRoot, - PartialChain, - EndCertNotSignatureValid - } - - public static IEnumerable BuildChainWithNotSignatureValidData() - { - yield return new object[] { true, X509ChainStatusFlags.NoError, BuildChainWithNotSignatureValidTest.TrustedRoot }; - yield return new object[] { false, X509ChainStatusFlags.UntrustedRoot | X509ChainStatusFlags.NotSignatureValid, BuildChainWithNotSignatureValidTest.UntrustedRoot }; - yield return new object[] { false, X509ChainStatusFlags.PartialChain, BuildChainWithNotSignatureValidTest.PartialChain }; - yield return new object[] { false, X509ChainStatusFlags.NotSignatureValid, BuildChainWithNotSignatureValidTest.EndCertNotSignatureValid }; - } - - [Theory] - [MemberData(nameof(BuildChainWithNotSignatureValidData))] - [PlatformSpecific(TestPlatforms.Linux)] // NotSignatureValid gets ignored on the root certificate. - public static void BuildChainWithNotSignatureValid( - bool chainBuildsSuccessfully, - X509ChainStatusFlags chainFlags, - BuildChainWithNotSignatureValidTest test) - { - TestDataGenerator.MakeTestChain3( - out X509Certificate2 endCert, - out X509Certificate2 intermediateCert, - out X509Certificate2 rootCert, - testName: test.ToString()); - - X509Certificate2 tampered; - switch (test) - { - case BuildChainWithNotSignatureValidTest.EndCertNotSignatureValid: - tampered = TestDataGenerator.TamperSignature(endCert); - endCert.Dispose(); - endCert = tampered; - break; - default: - // Make root cert signature invalid. - tampered = TestDataGenerator.TamperSignature(rootCert); - rootCert.Dispose(); - rootCert = tampered; - break; - } - - using (endCert) - using (intermediateCert) - using (rootCert) - using (ChainHolder chainHolder = new ChainHolder()) - { - X509Chain chainTest = chainHolder.Chain; - chainTest.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck; - chainTest.ChainPolicy.VerificationTime = endCert.NotBefore.AddSeconds(1); - chainTest.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust; - chainTest.ChainPolicy.ExtraStore.Add(endCert); - - switch (test) - { - case BuildChainWithNotSignatureValidTest.TrustedRoot: - case BuildChainWithNotSignatureValidTest.EndCertNotSignatureValid: - chainTest.ChainPolicy.ExtraStore.Add(intermediateCert); - chainTest.ChainPolicy.CustomTrustStore.Add(rootCert); - break; - case BuildChainWithNotSignatureValidTest.PartialChain: - chainTest.ChainPolicy.CustomTrustStore.Add(rootCert); - break; - case BuildChainWithNotSignatureValidTest.UntrustedRoot: - chainTest.ChainPolicy.ExtraStore.Add(intermediateCert); - chainTest.ChainPolicy.ExtraStore.Add(rootCert); - break; - default: - throw new InvalidDataException(); - } - - Assert.Equal(chainBuildsSuccessfully, chainTest.Build(endCert)); - Assert.Equal(chainFlags, chainTest.AllStatusFlags()); - } - } - [PlatformSpecific(TestPlatforms.Windows)] [Fact] public static void VerifyChainFromHandle() diff --git a/src/libraries/System.Security.Cryptography.X509Certificates/tests/DynamicChainTests.cs b/src/libraries/System.Security.Cryptography.X509Certificates/tests/DynamicChainTests.cs index dc7afa2af8a813..c90b43d52435bd 100644 --- a/src/libraries/System.Security.Cryptography.X509Certificates/tests/DynamicChainTests.cs +++ b/src/libraries/System.Security.Cryptography.X509Certificates/tests/DynamicChainTests.cs @@ -1,7 +1,9 @@ // Licensed to the .NET Foundation under one or more agreements. // The .NET Foundation licenses this file to you under the MIT license. +using System.Collections.Generic; using System.Formats.Asn1; +using System.IO; using System.Linq; using System.Runtime.CompilerServices; using System.Runtime.InteropServices; @@ -84,7 +86,7 @@ X509Certificate2 TamperIfNeeded(X509Certificate2 input, X509ChainStatusFlags fla { if ((flags & X509ChainStatusFlags.NotSignatureValid) != 0) { - X509Certificate2 tampered = TestDataGenerator.TamperSignature(input); + X509Certificate2 tampered = TamperSignature(input); input.Dispose(); return tampered; } @@ -832,6 +834,91 @@ public static void PolicyConstraints_Mapped() } } + public enum BuildChainWithNotSignatureValidTest : int + { + TrustedRoot, + UntrustedRoot, + PartialChain, + TrustedRootEndCertNotSignatureValid, + PartialChainEndCertNotSignatureValid + } + + public static IEnumerable BuildChainWithNotSignatureValidData() + { + yield return new object[] { true, X509ChainStatusFlags.NoError, BuildChainWithNotSignatureValidTest.TrustedRoot }; + yield return new object[] { false, X509ChainStatusFlags.UntrustedRoot | X509ChainStatusFlags.NotSignatureValid, BuildChainWithNotSignatureValidTest.UntrustedRoot }; + yield return new object[] { false, X509ChainStatusFlags.PartialChain, BuildChainWithNotSignatureValidTest.PartialChain }; + yield return new object[] { false, X509ChainStatusFlags.NotSignatureValid, BuildChainWithNotSignatureValidTest.TrustedRootEndCertNotSignatureValid }; + yield return new object[] { false, X509ChainStatusFlags.PartialChain | X509ChainStatusFlags.NotSignatureValid, BuildChainWithNotSignatureValidTest.PartialChainEndCertNotSignatureValid }; + } + + [Theory] + [MemberData(nameof(BuildChainWithNotSignatureValidData))] + [PlatformSpecific(TestPlatforms.Linux)] // NotSignatureValid gets ignored on the root certificate. + public static void BuildChainWithNotSignatureValid( + bool chainBuildsSuccessfully, + X509ChainStatusFlags chainFlags, + BuildChainWithNotSignatureValidTest test) + { + TestDataGenerator.MakeTestChain3( + out X509Certificate2 endCert, + out X509Certificate2 intermediateCert, + out X509Certificate2 rootCert, + testName: test.ToString()); + + X509Certificate2 tampered; + switch (test) + { + case BuildChainWithNotSignatureValidTest.TrustedRootEndCertNotSignatureValid: + case BuildChainWithNotSignatureValidTest.PartialChainEndCertNotSignatureValid: + tampered = TamperSignature(endCert); + endCert.Dispose(); + endCert = tampered; + break; + default: + // Make root cert signature invalid. + tampered = TamperSignature(rootCert); + rootCert.Dispose(); + rootCert = tampered; + break; + } + + using (endCert) + using (intermediateCert) + using (rootCert) + using (ChainHolder chainHolder = new ChainHolder()) + { + X509Chain chainTest = chainHolder.Chain; + chainTest.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck; + chainTest.ChainPolicy.VerificationTime = endCert.NotBefore.AddSeconds(1); + chainTest.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust; + + switch (test) + { + case BuildChainWithNotSignatureValidTest.TrustedRoot: + case BuildChainWithNotSignatureValidTest.TrustedRootEndCertNotSignatureValid: + chainTest.ChainPolicy.ExtraStore.Add(intermediateCert); + chainTest.ChainPolicy.CustomTrustStore.Add(rootCert); + break; + case BuildChainWithNotSignatureValidTest.PartialChain: + chainTest.ChainPolicy.CustomTrustStore.Add(rootCert); + break; + case BuildChainWithNotSignatureValidTest.PartialChainEndCertNotSignatureValid: + chainTest.ChainPolicy.ExtraStore.Add(intermediateCert); + break; + case BuildChainWithNotSignatureValidTest.UntrustedRoot: + chainTest.ChainPolicy.ExtraStore.Add(intermediateCert); + chainTest.ChainPolicy.ExtraStore.Add(rootCert); + break; + default: + throw new InvalidDataException(); + } + + Assert.Equal(chainBuildsSuccessfully, chainTest.Build(endCert)); + Assert.Equal(chainFlags, chainTest.AllStatusFlags()); + } + } + private static X509ChainStatusFlags PlatformBasicConstraints(X509ChainStatusFlags flags) { if (OperatingSystem.IsAndroid()) @@ -948,6 +1035,13 @@ private static void TestNameConstrainedChain( } } + private static X509Certificate2 TamperSignature(X509Certificate2 input) + { + byte[] cert = input.RawData; + cert[cert.Length - 1] ^= 0xFF; + return new X509Certificate2(cert); + } + private static X509Extension BuildPolicyConstraints( int? requireExplicitPolicySkipCerts = null, int? inhibitPolicyMappingSkipCerts = null) diff --git a/src/libraries/System.Security.Cryptography.X509Certificates/tests/TestDataGenerator.cs b/src/libraries/System.Security.Cryptography.X509Certificates/tests/TestDataGenerator.cs index 815879930b69db..0e729c7661b088 100644 --- a/src/libraries/System.Security.Cryptography.X509Certificates/tests/TestDataGenerator.cs +++ b/src/libraries/System.Security.Cryptography.X509Certificates/tests/TestDataGenerator.cs @@ -202,12 +202,5 @@ private static byte[] CreateSerial() RandomNumberGenerator.Fill(bytes); return bytes; } - - internal static X509Certificate2 TamperSignature(X509Certificate2 input) - { - byte[] cert = input.RawData; - cert[cert.Length - 1] ^= 0xFF; - return new X509Certificate2(cert); - } } } diff --git a/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/OpenSslX509ChainProcessor.cs b/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/OpenSslX509ChainProcessor.cs index 0165f8f9a856bc..8d61518b29d019 100644 --- a/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/OpenSslX509ChainProcessor.cs +++ b/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/OpenSslX509ChainProcessor.cs @@ -12,7 +12,6 @@ using System.Text; using Microsoft.Win32.SafeHandles; using Internal.Cryptography; -using Interop.Crypto; using X509VerifyStatusCodeUniversal = Interop.Crypto.X509VerifyStatusCodeUniversal; @@ -1030,7 +1029,7 @@ private static void AddElementStatus( List overallStatus, ref bool overallHasNotSignatureValid) { - foreach (X509VerifyStatusCode errorCode in errorCodes) + foreach (Interop.Crypto.X509VerifyStatusCode errorCode in errorCodes) { AddElementStatus(errorCode, elementStatus, overallStatus, ref overallHasNotSignatureValid); } @@ -1085,6 +1084,7 @@ private static void AddElementStatus( elementStatus.Add(chainStatus); AddUniqueStatus(overallStatus, ref chainStatus); + if (statusFlag == X509ChainStatusFlags.NotSignatureValid) { overallHasNotSignatureValid = true;