From cd7b2be873e81ca4fd191900f34ae95e9ab53476 Mon Sep 17 00:00:00 2001
From: Kevin Jones
Date: Mon, 1 Feb 2021 13:53:10 -0500
Subject: [PATCH 1/2] Allow macOS chain building to use network if revocation checking is online.
The DisableCertificateDownloads property on the chain policy controls all network activity when building a chain on macOS, not just AIA fetching. If set to true, the (default) revocation policy would fail because the network would be treated as unavailable. On macOS, as a work around, permit the network activity if revocation checking is explicitly enabled.
---
 .../Internal/Cryptography/Pal.OSX/ChainPal.cs | 8 ++++++-
 .../RevocationTests/DynamicRevocationTests.cs | 22 +++++++++++++++++++
 2 files changed, 29 insertions(+), 1 deletion(-)
diff --git a/src/libraries/System.Security.Cryptography.X509Certificates/src/Internal/Cryptography/Pal.OSX/ChainPal.cs b/src/libraries/System.Security.Cryptography.X509Certificates/src/Internal/Cryptography/Pal.OSX/ChainPal.cs
index 40c2cc60dece9..6c908ef8cce3a 100644
--- a/src/libraries/System.Security.Cryptography.X509Certificates/src/Internal/Cryptography/Pal.OSX/ChainPal.cs
+++ b/src/libraries/System.Security.Cryptography.X509Certificates/src/Internal/Cryptography/Pal.OSX/ChainPal.cs
@@ -611,6 +611,12 @@ public static IChainPal BuildChain(
 SecTrustChainPal chainPal = new SecTrustChainPal();
+ // The allowNetwork controls all network activity for macOS chain building.
+ // There is no way to independently enable or disable online revocation checking
+ // and AIA fetching. If the caller specifies they want Online revocation checking,
+ // then we need to allow network operations (including AIA fetching.)
+ bool revocationRequiresNetwork = revocationMode == X509RevocationMode.Online;
+
 try
 {
 chainPal.OpenTrustHandle(
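Review bot: The new `revocationRequiresNetwork` flag makes macOS chain building reach the network even when the caller explicitly set `DisableCertificateDownloads = true`, whenever the policy's revocation mode (Online by default, per the commit description) is not disabled; the same override is applied at the `Execute` call in the next hunk. That is a platform-specific divergence a caller relying on that property for an air-gapped or privacy-sensitive build would not expect, so the comment should state the resulting contract plainly rather than only the mechanism, e.g. `// NOTE: on macOS, DisableCertificateDownloads alone does not keep chain building offline; callers must also set RevocationMode = NoCheck.` The public documentation of DisableCertificateDownloads ideally carries the same caveat, which is outside this diff. BuildChain starts and ends outside the hunk.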
@@ -622,7 +628,7 @@ public static IChainPal BuildChain(
 chainPal.Execute(
 verificationTime,
- !disableAia,
+ allowNetwork: !disableAia || revocationRequiresNetwork,
 applicationPolicy,
 certificatePolicy,
 revocationFlag);
diff --git a/src/libraries/System.Security.Cryptography.X509Certificates/tests/RevocationTests/DynamicRevocationTests.cs b/src/libraries/System.Security.Cryptography.X509Certificates/tests/RevocationTests/DynamicRevocationTests.cs
index ad652da11c6d8..d832cb91e33c3 100644
--- a/src/libraries/System.Security.Cryptography.X509Certificates/tests/RevocationTests/DynamicRevocationTests.cs
+++ b/src/libraries/System.Security.Cryptography.X509Certificates/tests/RevocationTests/DynamicRevocationTests.cs
@@ -139,6 +139,28 @@ public static void RevokeEndEntity(PkiOptions pkiOptions)
 });
 }
+ [Theory]
+ [MemberData(nameof(AllViableRevocation))]
+ public static void RevokeLeafWithAiaFetchingDisabled(PkiOptions pkiOptions)
+ {
+ SimpleTest(
+ pkiOptions,
+ (root, intermediate, endEntity, holder, responder) =>
+ {
+ DateTimeOffset now = DateTimeOffset.UtcNow;
+ intermediate.Revoke(endEntity, now);
+ holder.Chain.ChainPolicy.VerificationTime = now.AddSeconds(1).UtcDateTime;
+ holder.Chain.ChainPolicy.DisableCertificateDownloads = true;
+
+ SimpleRevocationBody(
+ holder,
+ endEntity,
+ rootRevoked: false,
+ issrRevoked: false,
+ leafRevoked: true);
+ });
+ }
+ [Theory]
+ [MemberData(nameof(AllViableRevocation))]
 [ActiveIssue("https://github.com/dotnet/runtime/issues/31249", TestPlatforms.OSX)]
From 95caebd6e4094ecb9231ee309e6985fa638d8234 Mon Sep 17 00:00:00 2001
From: Kevin Jones
Date: Mon, 1 Feb 2021 15:14:03 -0500
Subject: [PATCH 2/2] Treat Offline as Online. NoCheck must be used to disable network.
---
 .../src/Internal/Cryptography/Pal.OSX/ChainPal.cs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
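Review bot: `RevokeLeafWithAiaFetchingDisabled` only pins the direction the fix enables (the revoked leaf is still detected with `DisableCertificateDownloads = true`); nothing in the series checks the opposite guarantee the second patch's subject promises, that `RevocationMode = NoCheck` together with `DisableCertificateDownloads = true` keeps the macOS build off the network. A companion case that sets both and asserts the responder is never contacted would catch a regression that drops the NoCheck guard, assuming the harness's `responder` exposes request counts, which is not visible here. A one-line comment on the new test stating its intent, `// DisableCertificateDownloads must not suppress revocation checking; the revoked leaf must still be found.`, would also help the next reader, since the name alone does not say why AIA fetching is disabled.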
diff --git a/src/libraries/System.Security.Cryptography.X509Certificates/src/Internal/Cryptography/Pal.OSX/ChainPal.cs b/src/libraries/System.Security.Cryptography.X509Certificates/src/Internal/Cryptography/Pal.OSX/ChainPal.cs
index 6c908ef8cce3a..306cfbed4b9ec 100644
--- a/src/libraries/System.Security.Cryptography.X509Certificates/src/Internal/Cryptography/Pal.OSX/ChainPal.cs
+++ b/src/libraries/System.Security.Cryptography.X509Certificates/src/Internal/Cryptography/Pal.OSX/ChainPal.cs
@@ -615,7 +615,7 @@ public static IChainPal BuildChain(
 // There is no way to independently enable or disable online revocation checking
 // and AIA fetching. If the caller specifies they want Online revocation checking,
 // then we need to allow network operations (including AIA fetching.)
- bool revocationRequiresNetwork = revocationMode == X509RevocationMode.Online;
+ bool revocationRequiresNetwork = revocationMode != X509RevocationMode.NoCheck;
 try
 {
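Review bot: The condition now treats `Offline` the same as `Online`, but the comment lines kept as context above it still say the network is needed "if the caller specifies they want Online revocation checking", so the comment is stale the moment this lands. Update its last two lines, e.g. `// and AIA fetching. If the caller asks for any revocation checking (Online or Offline),` / `// the network must be allowed (including AIA fetching); only NoCheck keeps the build offline.` Since `X509RevocationMode.Offline` is documented as a check against cached revocation data only, a sentence noting that the macOS API cannot honor that distinction, so Offline may also reach the network there, would stop the next reader from filing this as a bug. BuildChain starts and ends outside the hunk.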