From 11a966eeb78974261c1e75f6ae2979608d5885e1 Mon Sep 17 00:00:00 2001 From: Kevin Jones Date: Tue, 2 Feb 2021 10:02:04 -0500 Subject: [PATCH 1/2] Fix DisableAiaOptionWorks and remove ActiveIssue. --- .../tests/RevocationTests/AiaTests.cs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/libraries/System.Security.Cryptography.X509Certificates/tests/RevocationTests/AiaTests.cs b/src/libraries/System.Security.Cryptography.X509Certificates/tests/RevocationTests/AiaTests.cs index d9039f4bd8871..d8a4f482b1894 100644 --- a/src/libraries/System.Security.Cryptography.X509Certificates/tests/RevocationTests/AiaTests.cs +++ b/src/libraries/System.Security.Cryptography.X509Certificates/tests/RevocationTests/AiaTests.cs @@ -42,7 +42,6 @@ public static void EmptyAiaResponseIsIgnored() } [Fact] - [ActiveIssue("https://github.com/dotnet/runtime/issues/47492", TestPlatforms.OSX)] public static void DisableAiaOptionWorks() { CertificateAuthority.BuildPrivatePki( @@ -65,6 +64,7 @@ public static void DisableAiaOptionWorks() cuCaStore.Open(OpenFlags.ReadWrite); X509Chain chain = holder.Chain; + chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck; chain.ChainPolicy.DisableCertificateDownloads = true; chain.ChainPolicy.CustomTrustStore.Add(rootCert); chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust; From 38e43e143eb4a8ffa49dee5beee43163e7db8e97 Mon Sep 17 00:00:00 2001 From: Kevin Jones Date: Tue, 2 Feb 2021 12:37:16 -0500 Subject: [PATCH 2/2] Code review feedback --- .../tests/RevocationTests/AiaTests.cs | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/src/libraries/System.Security.Cryptography.X509Certificates/tests/RevocationTests/AiaTests.cs b/src/libraries/System.Security.Cryptography.X509Certificates/tests/RevocationTests/AiaTests.cs index d8a4f482b1894..b45b24273199a 100644 --- a/src/libraries/System.Security.Cryptography.X509Certificates/tests/RevocationTests/AiaTests.cs 
+++ b/src/libraries/System.Security.Cryptography.X509Certificates/tests/RevocationTests/AiaTests.cs @@ -64,7 +64,14 @@ public static void DisableAiaOptionWorks() cuCaStore.Open(OpenFlags.ReadWrite); X509Chain chain = holder.Chain; - chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck; + + // macOS combines revocation and AIA fetching in to a single flag. Both need to be disabled + // to prevent AIA fetches. + if (PlatformDetection.IsOSX) + { + chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck; + } + chain.ChainPolicy.DisableCertificateDownloads = true; chain.ChainPolicy.CustomTrustStore.Add(rootCert); chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust; @@ -102,12 +109,6 @@ public static void DisableAiaOptionWorks() Assert.Contains(X509ChainStatusFlags.PartialChain, chain.ChainStatus.Select(s => s.Status)); holder.DisposeChainElements(); - // macOS doesn't like our revocation responder, so disable revocation checks there. - if (PlatformDetection.IsOSX) - { - chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck; - } - chain.ChainPolicy.ExtraStore.Add(intermediateCert); Assert.True(chain.Build(endEntity), "Chain build with intermediate, AIA disabled"); Assert.Equal(3, chain.ChainElements.Count);
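Review bot: On macOS the first chain build in DisableAiaOptionWorks now runs with both `DisableCertificateDownloads = true` and `RevocationMode = NoCheck`, so the test no longer shows that `DisableCertificateDownloads` alone stops AIA fetches on that platform. If the new comment is accurate, a macOS caller who sets `DisableCertificateDownloads` but leaves revocation checking on could still trigger outbound AIA requests to URLs taken from the certificate, and nothing visible in this hunk records that as a known limitation now that the ActiveIssue attribute is gone. I would extend the comment to say so, e.g. `// Known macOS limitation: DisableCertificateDownloads only takes effect when RevocationMode is NoCheck; tracked in <tracking issue>.`, and change "in to" to "into". The method body starts and ends outside the hunk, so whether the test asserts on responder traffic is not visible here.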