Skip to content

Handle CriticalExtensions and WeakSignature on 509Chain for macOS #35548

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
bartonjs merged 3 commits into from
Apr 28, 2020
Merged

Handle CriticalExtensions and WeakSignature on 509Chain for macOS #35548

bartonjs merged 3 commits into from
Apr 28, 2020

Conversation

@vcsjones
Copy link
Member

@vcsjones vcsjones commented Apr 28, 2020

This resolves two more unmapped chain status issues with macOS.

Fixes #35533
Fixes #35492

vcsjones added 2 commits April 27, 2020 20:06
@vcsjones
Support unknown critical extensions on macOS.
74098ff 
If a certificate contains an unprocessable critical extension
in a certificate, map the "CriticalExtensions" status to
HasNotSupportedCriticalExtension instead of throwing an exception.
@vcsjones
Ignore WeakSignature chain status on macOS.
5b81ee5 
X509Chain on Windows will not check for modern signatures, so we
will let macOS do the same thing.
@ghost
Copy link

ghost commented Apr 28, 2020

Tagging subscribers to this area: @bartonjs, @vcsjones, @krwq
Notify danmosemsft if you want to be subscribed.

@vcsjones
Copy link
Member Author

vcsjones commented Apr 28, 2020

@bartonjs random thought: the unit tests written for these macOS cert building statuses make decent use of the CustomTrustStore, which is not in Core 3.1. The Basic Constraints PR kind of depends on it since OpenSSL doesn't check the path length for partial chains.

What's the best way to move forward with porting these fixes to corefx?

@bartonjs
Copy link
Member

bartonjs commented Apr 28, 2020

The tests that can't be backported because they require new features can just be left out; and that'll just be a comment in the servicing paperwork.

@bartonjs bartonjs merged commit e301ec1 into dotnet:master Apr 28, 2020
@vcsjones vcsjones deleted the fix-35533-35492 branch April 28, 2020 14:19
@vcsjones vcsjones mentioned this pull request Apr 28, 2020
Merged
@vcsjones vcsjones mentioned this pull request May 1, 2020
Closed
@ghost ghost locked as resolved and limited conversation to collaborators Dec 9, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@bartonjs bartonjs bartonjs approved these changes

Assignees

No one assigned

Labels

area-System.Security

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

WeakSignature is not handled by X509 PAL on macOS Unknown CriticalExtensions is not handled by X509 PAL on macOS

3 participants

@vcsjones @bartonjs @Dotnet-GitSync-Bot