Skip to content

Handle additional X509 chain statuses for macOS #35488

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
bartonjs merged 3 commits into from
Apr 27, 2020
Merged

Handle additional X509 chain statuses for macOS #35488

bartonjs merged 3 commits into from
Apr 27, 2020

Conversation

@vcsjones
Copy link
Member

@vcsjones vcsjones commented Apr 26, 2020
edited
Loading

This teaches macOS about two chain statuses, BlackListedLeaf and BlackListedKey.

The BlackListedLeaf status is for leaf certificates for incorrectly issued certificates for high value domains. The test included uses a notably misissued certificate for mail.google.com. Both macOS and Windows treat this certificate as explicitly distrusted. OpenSSL does not currently have such special treatment. It appears to use no special handling of this certificate, and instead relies on revocation. As such, the test is configured to not run on Linux since revocation is presumably tested elsewhere.

The BlackListedKey are reported for the intermediate when building a chain for a certificate that was signed by a disallowed signing key. The test uses the no-more CA DigiNotar as the intermediate. Both Windows and MacOS report this as explicitly distrusted. Linux again appears to have no special handling for this; it is instead reported as a Partial Chain since DigiNotar is no longer in the trust anchor store.

Fixes #35463

vcsjones added 2 commits April 26, 2020 12:26
@vcsjones
Handle disallow-listed certificates on macOS.
c291180 
MacOS returns a different status string for certificates that are in a special
database that are explicitly distrusted. Windows has similar behavior, which
reports the certificates as PAL_X509ChainExplicitDistrust. This makes macOS
do the same instead of throwing an exception.
@vcsjones
Ignore tests for Linux.
0ce737b 
Linux does not appear to have any special distrusting for these
certificates.
@ghost
Copy link

ghost commented Apr 26, 2020

Tagging subscribers to this area: @bartonjs, @vcsjones, @krwq
Notify danmosemsft if you want to be subscribed.

stephentoub
stephentoub reviewed Apr 26, 2020
View reviewed changes
Copy link
Member

@stephentoub stephentoub left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A few comments, but otherwise LGTM if @bartonjs signs off.

@vcsjones vcsjones mentioned this pull request Apr 27, 2020
Merged
@bartonjs bartonjs merged commit feddac7 into dotnet:master Apr 27, 2020
@vcsjones vcsjones deleted the 35463-fix branch April 27, 2020 21:27
This was referenced Apr 28, 2020
Merged
Closed
@ghost ghost locked as resolved and limited conversation to collaborators Dec 9, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@stephentoub stephentoub stephentoub left review comments

@bartonjs bartonjs bartonjs approved these changes

+1 more reviewer

@filipnavara filipnavara filipnavara approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

area-System.Security

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

BlackListedLeaf is not handled by X509 PAL on macOS

5 participants

@vcsjones @filipnavara @stephentoub @bartonjs @Dotnet-GitSync-Bot