DisableCertificateDownloads on macOS disables online revocation checking #47713

Closed
vcsjones opened this issue Feb 1, 2021 · 3 comments · Fixed by #47718
Comments

@vcsjones
Member

vcsjones commented Feb 1, 2021

DisableCertificateDownloads, which was introduced in .NET 5, will disable all network operations during chain building on macOS, including CRL and OCSP. On Linux and Windows, this property controls AIA fetching independently from revocation checking.

This appears to be the behavior of SecTrustSetNetworkFetchAllowed, and it is my understanding that SecTrustSetNetworkFetchAllowed(..., FALSE) acts as a global on/off for network operations. The documentation isn't quite clear on this and mentions that it only controls AIA fetching; however, this does not seem to be the case. I don't see a way to independently control AIA fetching and online revocation checking.

Even with a complete chain, disabling AIA fetching will result in no revocation checks being performed.

A DynamicRevocationTests test that demonstrates the behavior I am seeing:

[Theory]
[MemberData(nameof(AllViableRevocation))]
public static void RevokeLeafWithAiaFetchingDisabled(PkiOptions pkiOptions)
{
    SimpleTest(
        pkiOptions,
        (root, intermediate, endEntity, holder, responder) =>
        {
            // Revoke the leaf, then verify one second later so the revocation is in effect.
            DateTimeOffset now = DateTimeOffset.UtcNow;
            intermediate.Revoke(endEntity, now);
            holder.Chain.ChainPolicy.VerificationTime = now.AddSeconds(1).UtcDateTime;
            // The chain is already complete; this should only suppress AIA fetching.
            holder.Chain.ChainPolicy.DisableCertificateDownloads = true;

            // Expect the leaf to be reported as Revoked, root and issuer clean.
            SimpleRevocationBody(
                holder,
                endEntity,
                rootRevoked: false,
                issrRevoked: false,
                leafRevoked: true);
        });
}

This will fail with

Expected: X509ChainStatusFlags[] [NoError, NoError, Revoked]
Actual:   X509ChainStatusFlags[] [NoError, NoError, RevocationStatusUnknown]

Options:

  1. Document the behavior of DisableCertificateDownloads on macOS and continue as-is.
  2. Change SecTrustChainPal to ignore DisableCertificateDownloads if X509RevocationMode is Online.

Split off from #47492
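As an added example (not code from this issue or from dotnet/runtime), here is a caller-side chain check that keeps the intended semantics on every platform: it supplies intermediates through ExtraStore so AIA fetching is not needed, sets DisableCertificateDownloads only where it does not also suppress CRL/OCSP fetches, and treats RevocationStatusUnknown as a failure rather than a pass. The RevocationCheck class and Outcome enum are hypothetical names.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security.Cryptography.X509Certificates;

// Hypothetical helper, added here for illustration only.
public static class RevocationCheck
{
    public enum Outcome { Valid, Revoked, RevocationStatusUnknown, OtherFailure }

    public static Outcome Check(X509Certificate2 leaf, X509Certificate2Collection intermediates)
    {
        using var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
        chain.ChainPolicy.RevocationFlag = X509RevocationFlag.ExcludeRoot;

        // Intermediates are provided out-of-band, so chain building does not
        // need to follow AIA URLs to complete the chain.
        chain.ChainPolicy.ExtraStore.AddRange(intermediates);

        // On Windows and Linux this only suppresses AIA (issuer certificate)
        // downloads. On macOS (per this issue) it also suppresses CRL/OCSP
        // fetches, so Online revocation would silently degrade to
        // RevocationStatusUnknown. Only set it where it means what we intend.
        chain.ChainPolicy.DisableCertificateDownloads =
            !RuntimeInformation.IsOSPlatform(OSPlatform.OSX);

        bool ok = chain.Build(leaf);

        // Aggregate every status flag reported for the chain.
        X509ChainStatusFlags flags = X509ChainStatusFlags.NoError;
        foreach (X509ChainStatus status in chain.ChainStatus)
            flags |= status.Status;

        if (ok && flags == X509ChainStatusFlags.NoError)
            return Outcome.Valid;
        if ((flags & X509ChainStatusFlags.Revoked) != 0)
            return Outcome.Revoked;

        // "Could not determine" is a failure, not a pass: this is the exact
        // status the issue's test observes on macOS when downloads are disabled.
        const X509ChainStatusFlags unknown =
            X509ChainStatusFlags.RevocationStatusUnknown | X509ChainStatusFlags.OfflineRevocation;
        if ((flags & unknown) != 0)
            return Outcome.RevocationStatusUnknown;

        return Outcome.OtherFailure;
    }
}
```

Callers that must fail closed should reject both Revoked and RevocationStatusUnknown; only Valid means the revocation check actually ran and came back clean.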

@dotnet-issue-labeler

I couldn't figure out the best area label to add to this issue. If you have write-permissions please help me learn by adding exactly one area label.

@dotnet-issue-labeler dotnet-issue-labeler bot added the untriaged New issue has not been triaged by the area owner label Feb 1, 2021
@vcsjones
Member Author

vcsjones commented Feb 1, 2021

@bartonjs

@ghost ghost added the in-pr There is an active PR which will close this issue when it is merged label Feb 1, 2021
@bartonjs bartonjs added area-System.Security and removed untriaged New issue has not been triaged by the area owner labels Feb 1, 2021
@ghost

ghost commented Feb 1, 2021

Tagging subscribers to this area: @bartonjs, @vcsjones, @krwq
See info in area-owners.md if you want to be subscribed.
@ghost ghost removed the in-pr There is an active PR which will close this issue when it is merged label Feb 1, 2021
@ghost ghost locked as resolved and limited conversation to collaborators Mar 4, 2021