diff --git a/src/libraries/System.Security.Cryptography.X509Certificates/tests/RevocationTests/AiaTests.cs b/src/libraries/System.Security.Cryptography.X509Certificates/tests/RevocationTests/AiaTests.cs index 0a2e8b78cffce9..88cf0c20b8c6ba 100644 --- a/src/libraries/System.Security.Cryptography.X509Certificates/tests/RevocationTests/AiaTests.cs +++ b/src/libraries/System.Security.Cryptography.X509Certificates/tests/RevocationTests/AiaTests.cs @@ -29,22 +29,26 @@ public static void EmptyAiaResponseIsIgnored() using (CertificateAuthority intermediate1 = intermediates[0]) using (CertificateAuthority intermediate2 = intermediates[1]) using (endEntity) - using (ChainHolder holder = new ChainHolder()) using (X509Certificate2 intermediate2Cert = intermediate2.CloneIssuerCert()) { responder.RespondEmpty = true; - X509Chain chain = holder.Chain; - chain.ChainPolicy.ExtraStore.Add(intermediate2Cert); - chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust; - chain.ChainPolicy.VerificationTime = endEntity.NotBefore.AddMinutes(1); - chain.ChainPolicy.UrlRetrievalTimeout = DynamicRevocationTests.s_urlRetrievalLimit; - chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck; - - Assert.False(chain.Build(endEntity)); - X509ChainStatusFlags chainFlags = chain.AllStatusFlags(); - Assert.True(chainFlags.HasFlag(X509ChainStatusFlags.PartialChain), $"expected partial chain flags, got {chainFlags}"); - Assert.Equal(2, chain.ChainElements.Count); + RetryHelper.Execute(() => { + using (ChainHolder holder = new ChainHolder()) + { + X509Chain chain = holder.Chain; + chain.ChainPolicy.ExtraStore.Add(intermediate2Cert); + chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust; + chain.ChainPolicy.VerificationTime = endEntity.NotBefore.AddMinutes(1); + chain.ChainPolicy.UrlRetrievalTimeout = DynamicRevocationTests.s_urlRetrievalLimit; + chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck; + + Assert.False(chain.Build(endEntity)); + X509ChainStatusFlags chainFlags = chain.AllStatusFlags(); + Assert.True(chainFlags.HasFlag(X509ChainStatusFlags.PartialChain), $"expected partial chain flags, got {chainFlags}"); + Assert.Equal(2, chain.ChainElements.Count); + } + }); } } @@ -65,72 +69,76 @@ public static void DisableAiaOptionWorks() using (root) using (intermediate) using (endEntity) - using (ChainHolder holder = new ChainHolder()) using (X509Certificate2 rootCert = root.CloneIssuerCert()) using (X509Certificate2 intermediateCert = intermediate.CloneIssuerCert()) - using (var cuCaStore = new X509Store(StoreName.CertificateAuthority, StoreLocation.CurrentUser)) { - cuCaStore.Open(OpenFlags.ReadWrite); - - X509Chain chain = holder.Chain; + RetryHelper.Execute(() => { + using (ChainHolder holder = new ChainHolder()) + using (var cuCaStore = new X509Store(StoreName.CertificateAuthority, StoreLocation.CurrentUser)) + { + cuCaStore.Open(OpenFlags.ReadWrite); - // macOS combines revocation and AIA fetching in to a single flag. Both need to be disabled - // to prevent AIA fetches. - if (PlatformDetection.IsOSX) - { - chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck; - } + X509Chain chain = holder.Chain; - chain.ChainPolicy.DisableCertificateDownloads = true; - chain.ChainPolicy.CustomTrustStore.Add(rootCert); - chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust; - chain.ChainPolicy.VerificationTime = endEntity.NotBefore.AddMinutes(1); - chain.ChainPolicy.UrlRetrievalTimeout = DynamicRevocationTests.s_urlRetrievalLimit; + // macOS combines revocation and AIA fetching in to a single flag. Both need to be disabled + // to prevent AIA fetches. + if (PlatformDetection.IsOSX) + { + chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck; + } - Assert.False(chain.Build(endEntity), "Chain build with no intermediate, AIA disabled"); + chain.ChainPolicy.DisableCertificateDownloads = true; + chain.ChainPolicy.CustomTrustStore.Add(rootCert); + chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust; + chain.ChainPolicy.VerificationTime = endEntity.NotBefore.AddMinutes(1); + chain.ChainPolicy.UrlRetrievalTimeout = DynamicRevocationTests.s_urlRetrievalLimit; - // If a previous run of this test leaves contamination in the CU\CA store on Windows - // the Windows chain engine will match the bad issuer and report NotSignatureValid instead - // of PartialChain. - X509ChainStatusFlags chainFlags = chain.AllStatusFlags(); + Assert.False(chain.Build(endEntity), "Chain build with no intermediate, AIA disabled"); - if (chainFlags.HasFlag(X509ChainStatusFlags.NotSignatureValid)) - { - Assert.Equal(3, chain.ChainElements.Count); + // If a previous run of this test leaves contamination in the CU\CA store on Windows + // the Windows chain engine will match the bad issuer and report NotSignatureValid instead + // of PartialChain. + X509ChainStatusFlags chainFlags = chain.AllStatusFlags(); - foreach (X509Certificate2 storeCert in cuCaStore.Certificates) - { - if (storeCert.Subject.Equals(intermediateCert.Subject)) + if (chainFlags.HasFlag(X509ChainStatusFlags.NotSignatureValid)) { - cuCaStore.Remove(storeCert); - } + Assert.Equal(3, chain.ChainElements.Count); - storeCert.Dispose(); - } + foreach (X509Certificate2 storeCert in cuCaStore.Certificates) + { + if (storeCert.Subject.Equals(intermediateCert.Subject)) + { + cuCaStore.Remove(storeCert); + } - holder.DisposeChainElements(); + storeCert.Dispose(); + } - // Try again, with no caching side effect. - Assert.False(chain.Build(endEntity), "Chain build 2 with no intermediate, AIA disabled"); - } + holder.DisposeChainElements(); - Assert.Equal(1, chain.ChainElements.Count); - Assert.Contains(X509ChainStatusFlags.PartialChain, chain.ChainStatus.Select(s => s.Status)); - holder.DisposeChainElements(); + // Try again, with no caching side effect. + Assert.False(chain.Build(endEntity), "Chain build 2 with no intermediate, AIA disabled"); + } + + Assert.Equal(1, chain.ChainElements.Count); + Assert.Contains(X509ChainStatusFlags.PartialChain, chain.ChainStatus.Select(s => s.Status)); + holder.DisposeChainElements(); - chain.ChainPolicy.ExtraStore.Add(intermediateCert); - Assert.True(chain.Build(endEntity), "Chain build with intermediate, AIA disabled"); - Assert.Equal(3, chain.ChainElements.Count); - Assert.Equal(X509ChainStatusFlags.NoError, chain.AllStatusFlags()); - holder.DisposeChainElements(); + chain.ChainPolicy.ExtraStore.Add(intermediateCert); + Assert.True(chain.Build(endEntity), "Chain build with intermediate, AIA disabled"); + Assert.Equal(3, chain.ChainElements.Count); + Assert.Equal(X509ChainStatusFlags.NoError, chain.AllStatusFlags()); + holder.DisposeChainElements(); - chain.ChainPolicy.DisableCertificateDownloads = false; - chain.ChainPolicy.ExtraStore.Clear(); - Assert.True(chain.Build(endEntity), "Chain build with no intermediate, AIA enabled"); - Assert.Equal(3, chain.ChainElements.Count); - Assert.Equal(X509ChainStatusFlags.NoError, chain.AllStatusFlags()); + chain.ChainPolicy.DisableCertificateDownloads = false; + chain.ChainPolicy.ExtraStore.Clear(); + Assert.True(chain.Build(endEntity), "Chain build with no intermediate, AIA enabled"); + Assert.Equal(3, chain.ChainElements.Count); + Assert.Equal(X509ChainStatusFlags.NoError, chain.AllStatusFlags()); - cuCaStore.Remove(intermediateCert); + cuCaStore.Remove(intermediateCert); + } + }); } } }