Allow macOS chain building to use network if revocation checking is r…

…equested The DisableCertificateDownloads property on the chain policy controls all network activity when building a chain on macOS, not just AIA fetching. If set to true, the (default) revocation policy would fail because the network would be treated as unavailable. On macOS, as a work around, permit the network activity if revocation checking is explicitly enabled.
dotnet · Feb 1, 2021 · 35f4dad · 35f4dad
1 parent 44ff5a6
commit 35f4dad
Show file tree

Hide file tree

Showing 2 changed files with 29 additions and 1 deletion.
diff --git a/...stem.Security.Cryptography.X509Certificates/src/Internal/Cryptography/Pal.OSX/ChainPal.cs b/...stem.Security.Cryptography.X509Certificates/src/Internal/Cryptography/Pal.OSX/ChainPal.cs
@@ -611,6 +611,12 @@ public static IChainPal BuildChain(
 
  SecTrustChainPal chainPal = new SecTrustChainPal();
 
+ // The allowNetwork controls all network activity for macOS chain building.
+ // There is no way to independently enable or disable online revocation checking
+ // and AIA fetching. If the caller specifies they want Online revocation checking,
+ // then we need to allow network operations (including AIA fetching.)
+ bool revocationRequiresNetwork = revocationMode != X509RevocationMode.NoCheck;
+
  try
  {
  chainPal.OpenTrustHandle(
@@ -622,7 +628,7 @@ public static IChainPal BuildChain(
 
  chainPal.Execute(
  verificationTime,
- !disableAia,
+ allowNetwork: !disableAia || revocationRequiresNetwork,
  applicationPolicy,
  certificatePolicy,
  revocationFlag);

diff --git a/...em.Security.Cryptography.X509Certificates/tests/RevocationTests/DynamicRevocationTests.cs b/...em.Security.Cryptography.X509Certificates/tests/RevocationTests/DynamicRevocationTests.cs
@@ -139,6 +139,28 @@ public static void RevokeEndEntity(PkiOptions pkiOptions)
  });
  }
 
+ [Theory]
+ [MemberData(nameof(AllViableRevocation))]
+ public static void RevokeLeafWithAiaFetchingDisabled(PkiOptions pkiOptions)
+ {
+ SimpleTest(
+ pkiOptions,
+ (root, intermediate, endEntity, holder, responder) =>
+ {
+ DateTimeOffset now = DateTimeOffset.UtcNow;
+ intermediate.Revoke(endEntity, now);
+ holder.Chain.ChainPolicy.VerificationTime = now.AddSeconds(1).UtcDateTime;
+ holder.Chain.ChainPolicy.DisableCertificateDownloads = true;
+
+ SimpleRevocationBody(
+ holder,
+ endEntity,
+ rootRevoked: false,
+ issrRevoked: false,
+ leafRevoked: true);
+ });
+ }
+
  [Theory]
  [MemberData(nameof(AllViableRevocation))]
  [ActiveIssue("https://github.com/dotnet/runtime/issues/31249", TestPlatforms.OSX)]