
Conversation

@vcsjones
Member

@vcsjones vcsjones commented Sep 8, 2021

macOS 12 introduces a new X.509 chain status, DuplicateExtension. As we do not report this on Windows, nor do we have a flag to map it to, we ignore it from macOS.

The existing test TimestampTokenTests.TwoEkuExtensions covers this scenario.

Closes #58833.

@ghost ghost added the community-contribution and area-System.Security labels Sep 8, 2021
@ghost

ghost commented Sep 8, 2021

Tagging subscribers to this area: @bartonjs, @vcsjones, @krwq, @GrabYourPitchforks
See info in area-owners.md if you want to be subscribed.

Issue Details

macOS 12 introduces a new X.509 chain status, DuplicateExtension. As we do not report this on Windows, nor do we have a flag to map it to, we ignore it from macOS.

An existing test in TimestampTokenTests.TwoEkuExtensions covers this scenario.

Author: vcsjones
Assignees: -
Labels:

area-System.Security, community-contribution

Milestone: -

@danmoseley
Member

6.0 port I assume...

@vcsjones
Member Author

vcsjones commented Sep 8, 2021

> 6.0 port I assume...

I don't have a strong feeling one way or the other, so I'll defer to the area owners. This is an edge case where 1. I am impressed there was test coverage for it at all, and 2. the certificate violates RFC 5280 section 4.2:

> A certificate MUST NOT include more than one instance of a particular extension.

So, Apple is rightfully picky about a MUST. That said, because it is against the spec, I do not believe many certificates like this exist, certainly not a certificate issued by a public CA.

@bartonjs
Member

bartonjs commented Sep 9, 2021

> 6.0 port I assume...

Yeah, I'll open the port PR. Mainly so that if/when we turn on macOS 12 testing in the 6.0 release branch we don't have a test failure.

@bartonjs bartonjs merged commit c21a701 into dotnet:main Sep 9, 2021
@vcsjones vcsjones deleted the dupext-macos12 branch September 9, 2021 17:22
@bartonjs
Member

bartonjs commented Sep 9, 2021

/backport to release/6.0

@github-actions
Contributor

github-actions bot commented Sep 9, 2021

Started backporting to release/6.0: https://github.com/dotnet/runtime/actions/runs/1218282457

@ghost ghost locked as resolved and limited conversation to collaborators Oct 9, 2021

Development

Successfully merging this pull request may close these issues.

New X509Chain status code "DuplicateExtension" in Monterey beta 8

3 participants