From e2da3d72ca5e936aa0e0ec02028f2ceddda3af72 Mon Sep 17 00:00:00 2001 From: Stewart Adam Date: Wed, 21 Apr 2021 15:01:26 -0700 Subject: [PATCH 1/8] Detail observed behavior of AllowUnknownCertificateAuthority AllowUnknownCertificateAuthority not only ignores untrusted roots, but also partial chains. This updates the documentation to reflect this behavior. --- .../X509VerificationFlags.xml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/xml/System.Security.Cryptography.X509Certificates/X509VerificationFlags.xml b/xml/System.Security.Cryptography.X509Certificates/X509VerificationFlags.xml index 449eb86cd91..132f9c8858c 100644 --- a/xml/System.Security.Cryptography.X509Certificates/X509VerificationFlags.xml +++ b/xml/System.Security.Cryptography.X509Certificates/X509VerificationFlags.xml @@ -45,10 +45,10 @@ 16 - Ignore that the chain cannot be verified due to an unknown certificate authority (CA). + Ignore that the chain cannot be verified due to an unknown certificate authority (CA), or a partial chain. Note that ignoring partial chain skips verification that the signing authority of the certificate under validation was actually signed by one of the known CAs, so this must be performed separately if desired. From a99cb152fc857487fc3f14682e7f882093323689 Mon Sep 17 00:00:00 2001 From: Stewart Adam Date: Thu, 22 Apr 2021 23:55:46 -0700 Subject: [PATCH 2/8] Update docstrings for clarity Maintain a more concise warning about wincrypt basis and elaborates on the consequences of ignoring PartialChain. --- .../X509VerificationFlags.xml | 24 ++++++++++--------- 1 file changed, 13 insertions(+), 11 deletions(-) diff --git a/xml/System.Security.Cryptography.X509Certificates/X509VerificationFlags.xml b/xml/System.Security.Cryptography.X509Certificates/X509VerificationFlags.xml index 132f9c8858c..af5e9df571a 100644 --- a/xml/System.Security.Cryptography.X509Certificates/X509VerificationFlags.xml 
+++ b/xml/System.Security.Cryptography.X509Certificates/X509VerificationFlags.xml @@ -42,20 +42,20 @@ Specifies conditions under which verification of certificates in the X509 chain should be conducted. - @@ -131,7 +131,9 @@ 16 - Ignore that the chain cannot be verified due to an unknown certificate authority (CA), or a partial chain. Note that ignoring partial chain skips verification that the signing authority of the certificate under validation was actually signed by one of the known CAs, so this must be performed separately if desired. + Ignore that the chain cannot be verified due to an unknown certificate authority (CA) and ignore partial chains. + + Ignoring partial chains effectively results in the method returning no matter if the signing CA for the certificate under validation is in a trust store or not. Validation of completed chains (with an unknown CA) should be performed by ensuring that is not returned in the chain , or validate the issuer fingerprint manually. From bf7d538233f775b4325ec2028d8f090d645130a4 Mon Sep 17 00:00:00 2001 From: "Stewart Adam (MSFT)" Date: Fri, 23 Apr 2021 00:17:39 -0700 Subject: [PATCH 3/8] Remove %2A from links per GitHub CI feedback --- .../X509VerificationFlags.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/xml/System.Security.Cryptography.X509Certificates/X509VerificationFlags.xml b/xml/System.Security.Cryptography.X509Certificates/X509VerificationFlags.xml index af5e9df571a..3295ccf1138 100644 --- a/xml/System.Security.Cryptography.X509Certificates/X509VerificationFlags.xml +++ b/xml/System.Security.Cryptography.X509Certificates/X509VerificationFlags.xml 
@@ -133,7 +133,7 @@ Ignore that the chain cannot be verified due to an unknown certificate authority (CA) and ignore partial chains. - Ignoring partial chains effectively results in the method returning no matter if the signing CA for the certificate under validation is in a trust store or not. Validation of completed chains (with an unknown CA) should be performed by ensuring that is not returned in the chain , or validate the issuer fingerprint manually. + Ignoring partial chains effectively results in the . method returning no matter if the signing CA for the certificate under validation is in a trust store or not. Validation of completed chains (with an unknown CA) should be performed by ensuring that is not returned in the chain , or validate the issuer fingerprint manually. From 64ddee148ce927aba6c2f7271c3aa4864447cc48 Mon Sep 17 00:00:00 2001 From: "Stewart Adam (MSFT)" Date: Fri, 23 Apr 2021 00:29:26 -0700 Subject: [PATCH 4/8] Use see instead of xref --- .../X509VerificationFlags.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/xml/System.Security.Cryptography.X509Certificates/X509VerificationFlags.xml b/xml/System.Security.Cryptography.X509Certificates/X509VerificationFlags.xml index 3295ccf1138..1aa25181d19 100644 --- a/xml/System.Security.Cryptography.X509Certificates/X509VerificationFlags.xml +++ b/xml/System.Security.Cryptography.X509Certificates/X509VerificationFlags.xml 
@@ -133,7 +133,7 @@ Ignore that the chain cannot be verified due to an unknown certificate authority (CA) and ignore partial chains. - Ignoring partial chains effectively results in the . method returning no matter if the signing CA for the certificate under validation is in a trust store or not. Validation of completed chains (with an unknown CA) should be performed by ensuring that is not returned in the chain , or validate the issuer fingerprint manually. + Ignoring partial chains effectively results in the method of returning no matter if the signing CA for the certificate under validation is in a trust store or not. Validation of completed chains (with an unknown CA) should be performed by ensuring that is not returned in the chain , or validate the issuer fingerprint manually. From 439e88d1a09aff370c64027879cf4f99bb2378fe Mon Sep 17 00:00:00 2001 From: Stewart Adam Date: Mon, 26 Apr 2021 14:39:46 -0700 Subject: [PATCH 5/8] Remove note about wincrypt.h --- .../X509VerificationFlags.xml | 24 +++++++++---------- 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/xml/System.Security.Cryptography.X509Certificates/X509VerificationFlags.xml b/xml/System.Security.Cryptography.X509Certificates/X509VerificationFlags.xml index 1aa25181d19..0b8bd791ddd 100644 --- a/xml/System.Security.Cryptography.X509Certificates/X509VerificationFlags.xml +++ b/xml/System.Security.Cryptography.X509Certificates/X509VerificationFlags.xml @@ -42,20 +42,20 @@ Specifies conditions under which verification of certificates in the X509 chain should be conducted. - From d6f8fbc56d9808b45c2b8a287783ed4777f5df9d Mon Sep 17 00:00:00 2001 From: "Stewart Adam (MSFT)" Date: Mon, 26 Apr 2021 15:06:09 -0700 Subject: [PATCH 6/8] Adjust wording to be more concise --- .../X509VerificationFlags.xml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/xml/System.Security.Cryptography.X509Certificates/X509VerificationFlags.xml b/xml/System.Security.Cryptography.X509Certificates/X509VerificationFlags.xml index 0b8bd791ddd..447213ffdc5 100644 --- a/xml/System.Security.Cryptography.X509Certificates/X509VerificationFlags.xml +++ b/xml/System.Security.Cryptography.X509Certificates/X509VerificationFlags.xml @@ -131,9 +131,9 @@ 16 - Ignore that the chain cannot be verified due to an unknown certificate authority (CA) and ignore partial chains. + Ignore that the chain cannot be verified due to an unknown certificate authority (CA) or partial chains. - Ignoring partial chains effectively results in the method of returning no matter if the signing CA for the certificate under validation is in a trust store or not. Validation of completed chains (with an unknown CA) should be performed by ensuring that is not returned in the chain , or validate the issuer fingerprint manually. + Ignoring partial chains implies the method of will return no matter the certificate under validation, or contents of the trust stores. If verification of a completed chain is desired, perform it manually by ensuring that is not returned in the chain , or by validating the issuer of the certificate(s) under verification manually. From da1c1f997a4401b63ef072674d1d9e7416a8d69e Mon Sep 17 00:00:00 2001 From: "Stewart Adam (MSFT)" Date: Tue, 27 Apr 2021 09:23:04 -0700 Subject: [PATCH 7/8] Remove elboration about self-signed roots --- .../X509VerificationFlags.xml | 2 -- 1 file changed, 2 deletions(-) diff --git a/xml/System.Security.Cryptography.X509Certificates/X509VerificationFlags.xml b/xml/System.Security.Cryptography.X509Certificates/X509VerificationFlags.xml index 447213ffdc5..013c43d448a 100644 --- a/xml/System.Security.Cryptography.X509Certificates/X509VerificationFlags.xml +++ b/xml/System.Security.Cryptography.X509Certificates/X509VerificationFlags.xml 
@@ -132,8 +132,6 @@ 16 Ignore that the chain cannot be verified due to an unknown certificate authority (CA) or partial chains. - - Ignoring partial chains implies the method of will return no matter the certificate under validation, or contents of the trust stores. If verification of a completed chain is desired, perform it manually by ensuring that is not returned in the chain , or by validating the issuer of the certificate(s) under verification manually. From 2d279d3578ea80d21ece4a866d0b7272d10a6020 Mon Sep 17 00:00:00 2001 From: Jeremy Barton Date: Tue, 27 Apr 2021 09:26:55 -0700 Subject: [PATCH 8/8] Update xml/System.Security.Cryptography.X509Certificates/X509VerificationFlags.xml --- .../X509VerificationFlags.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/xml/System.Security.Cryptography.X509Certificates/X509VerificationFlags.xml b/xml/System.Security.Cryptography.X509Certificates/X509VerificationFlags.xml index 013c43d448a..0d0b24efbcc 100644 --- a/xml/System.Security.Cryptography.X509Certificates/X509VerificationFlags.xml +++ b/xml/System.Security.Cryptography.X509Certificates/X509VerificationFlags.xml @@ -131,7 +131,7 @@ 16 - Ignore that the chain cannot be verified due to an unknown certificate authority (CA) or partial chains. + Ignore that the chain cannot be verified due to an unknown certificate authority (CA) or partial chains.
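Review bot: In patch 6/8, the reworded summary "due to an unknown certificate authority (CA) or partial chains" mixes a singular cause with a plural one, where patch 1/8 had the parallel form "or a partial chain". The same hunk's second added sentence uses "manually" twice ("perform it manually by ensuring ... or by validating the issuer ... manually"). Suggest restoring "or a partial chain" and dropping the trailing "manually".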
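Review bot: In patch 7/8, the hunk at @@ -132,8 +132,6 @@ deletes the only paragraph telling callers to verify the chain themselves once partial chains are ignored, and the subject does not match the deletion. The subject describes an elaboration about self-signed roots, which the removed text never mentions. The summary line that remains says partial chains are ignored, but it no longer carries the point from patch 1/8 that this skips verifying that the signing authority was signed by a known CA. Suggest keeping a one-sentence remark beside the summary saying the issuer must then be validated separately, or rewording the subject to describe what is actually removed. Since patches 2/8 through 7/8 add and then remove the same paragraph, squashing the series before merge would also make the net change easier to audit.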
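Review bot: In patch 8/8, the removed and added summary lines read identically as shown here, and the subject is only the default "Update xml/System.Security.Cryptography.X509Certificates/X509VerificationFlags.xml", so the record does not say what changed. Suggest a subject that names the actual change (whitespace, markup or wording) so the final text of this security-relevant flag description can be traced to a stated reason.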