From 8b42dffa5f37762caddbe949ebc2fc348cca5121 Mon Sep 17 00:00:00 2001 From: Jeremy Barton Date: Tue, 22 Mar 2022 15:30:17 -0700 Subject: [PATCH] Fix revocation processing on expired chains. When adding tracing to the Linux X509Chain build, the "when do we process revocation" check got cleaned up to avoid doing wasteful work. But it got cleaned a bit too aggressively. With this change, fully-valid and valid-except-for-validity chains will both move into active revocation checks. --- .../Cryptography/X509Certificates/ChainPal.OpenSsl.cs | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/ChainPal.OpenSsl.cs b/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/ChainPal.OpenSsl.cs index 72a691f0811..26489a24f8f 100644 --- a/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/ChainPal.OpenSsl.cs +++ b/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/ChainPal.OpenSsl.cs @@ -164,7 +164,12 @@ public static void FlushStores() { if (OpenSslX509ChainProcessor.IsCompleteChain(status)) { - if (status != Interop.Crypto.X509VerifyStatusCode.X509_V_OK) + // Checking the validity period for the certificates in the chain is done after the + // check for a trusted root, so accept expired (or not yet valid) as acceptable for + // processing revocation. + if (status != Interop.Crypto.X509VerifyStatusCode.X509_V_OK && + status != Interop.Crypto.X509VerifyStatusCodeUniversal.X509_V_ERR_CERT_NOT_YET_VALID && + status != Interop.Crypto.X509VerifyStatusCodeUniversal.X509_V_ERR_CERT_HAS_EXPIRED) { if (OpenSslX509ChainEventSource.Log.IsEnabled()) { -- GitLab