From 3d565656a826b38543b71d7ceecca2426931c6da Mon Sep 17 00:00:00 2001
From: Kevin Jones
Date: Fri, 15 Aug 2025 09:26:58 -0400
Subject: [PATCH 1/2] Fix BuildChainForCertificateSignedWithDisallowedKey.
On some systems, the expired root is still present, which is RSA+SHA-1 signed. This results in the chain flags also containing NotSignatureFlag. Relax the assert for Linux to be HasFlag.
---
 .../tests/X509Certificates/ChainTests.cs | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/src/libraries/System.Security.Cryptography/tests/X509Certificates/ChainTests.cs b/src/libraries/System.Security.Cryptography/tests/X509Certificates/ChainTests.cs
index 38c36ec904d419..0d502f0f6b6ce4 100644
--- a/src/libraries/System.Security.Cryptography/tests/X509Certificates/ChainTests.cs
+++ b/src/libraries/System.Security.Cryptography/tests/X509Certificates/ChainTests.cs
@@ -1177,14 +1177,19 @@ public static void BuildChainForCertificateSignedWithDisallowedKey()
 chain.ChainPolicy.ExtraStore.Add(intermediateCert);
 Assert.False(chain.Build(cert));

- if (PlatformDetection.IsAndroid || PlatformDetection.IsApplePlatform26OrLater || PlatformDetection.IsLinux)
+ if (PlatformDetection.IsAndroid || PlatformDetection.IsApplePlatform26OrLater)
 {
 // Android always validates trust as part of building a path,
 // so violations comes back as PartialChain with no elements
 // Apple 26 no longer block these SKIs since the roots are no longer trusted at all and are expired.
- // Linux has no concept of a blocked key list, they just remove certificates from a trust store.
 Assert.Equal(X509ChainStatusFlags.PartialChain, chain.AllStatusFlags());
 }
+ else if (PlatformDetection.IsLinux)
+ {
+ // Linux has no concept of a blocked key list, they just remove certificates from a trust store.
+ X509ChainStatusFlags actualFlags = chain.AllStatusFlags();
+ AssertExtensions.TrueExpression(actualFlags.HasFlag(X509ChainStatusFlags.PartialChain));
+ }
 else
 {
 X509ChainElement certElement = chain.ChainElements
From db6ff18d9f90dc8be02f189ba77dac0aa6e70120 Mon Sep 17 00:00:00 2001
From: Kevin Jones
Date: Fri, 15 Aug 2025 14:52:59 -0400
Subject: [PATCH 2/2] Stop running BuildChainForCertificateSignedWithDisallowedKey on Linux for now
---
 .../tests/X509Certificates/ChainTests.cs | 7 +------
 1 file changed, 1 insertion(+), 6 deletions(-)
diff --git a/src/libraries/System.Security.Cryptography/tests/X509Certificates/ChainTests.cs b/src/libraries/System.Security.Cryptography/tests/X509Certificates/ChainTests.cs
index 0d502f0f6b6ce4..99b9b3587532ef 100644
--- a/src/libraries/System.Security.Cryptography/tests/X509Certificates/ChainTests.cs
+++ b/src/libraries/System.Security.Cryptography/tests/X509Certificates/ChainTests.cs
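Review bot: The Linux branch's `actualFlags.HasFlag(X509ChainStatusFlags.PartialChain)` passes for any superset of PartialChain, so a regression that adds an unrelated status flag on Linux would no longer be caught by this test. The commit message attributes the extra flag to the still-present expired RSA/SHA-1 root (presumably `NotSignatureValid`), so the assertion can mask exactly that flag and stay strict about everything else: `Assert.Equal(X509ChainStatusFlags.PartialChain, actualFlags & ~X509ChainStatusFlags.NotSignatureValid);`. If the expired root also yields `NotTimeValid` on some systems, add that to the mask rather than widening to HasFlag. PATCH 2/2 of this series deletes this branch again, so the point only matters if 1/2 lands on its own. The enclosing method starts and ends outside the hunk.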
@@ -1112,6 +1112,7 @@ public static void BuildChainForFraudulentCertificate()
 }

 [Fact]
+ [SkipOnPlatform(TestPlatforms.Linux, "Not supported on Linux.")]
 public static void BuildChainForCertificateSignedWithDisallowedKey()
 {
 // The intermediate certificate is from the now defunct CA DigiNotar.
@@ -1184,12 +1185,6 @@ public static void BuildChainForCertificateSignedWithDisallowedKey()
 // Apple 26 no longer block these SKIs since the roots are no longer trusted at all and are expired.
 Assert.Equal(X509ChainStatusFlags.PartialChain, chain.AllStatusFlags());
 }
- else if (PlatformDetection.IsLinux)
- {
- // Linux has no concept of a blocked key list, they just remove certificates from a trust store.
- X509ChainStatusFlags actualFlags = chain.AllStatusFlags();
- AssertExtensions.TrueExpression(actualFlags.HasFlag(X509ChainStatusFlags.PartialChain));
- }
 else
 {
 X509ChainElement certElement = chain.ChainElements
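Review bot: The skip reason `"Not supported on Linux."` on the new `[SkipOnPlatform]` attribute does not describe the actual cause: the commit message says the test is disabled because some Linux systems still carry the expired RSA/SHA-1 root, which adds extra chain status flags, and the subject says this is temporary. A reason that names the cause and a tracking reference keeps the resulting coverage gap for distrusted-key handling on Linux visible to whoever revisits it, e.g. `[SkipOnPlatform(TestPlatforms.Linux, "Trust-store contents vary by distro; an expired SHA-1 root may still be present and adds extra status flags. See <TRACKING-ISSUE-PLACEHOLDER>.")]`. The test method's body continues past the hunk; the second hunk in this file is a pure deletion of the Linux branch added in PATCH 1/2.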