Add entire issuer chain to trusted X509_STORE when stapling OCSP_Response

[rzikm]

Fixes #96659.

When validating OCSP Staple retrieved in SslStreamCertificateContext, we create an X509_STORE to specify which certificates are to be considered trusted. Until now, we passed in only the immediate issuer of the validated certificate. If this was only an intermediate CA certificate and the OCSP was signed by a delegated signer, the signer verification process would fail because the signer could not be anchored in a trusted Root CA.

Since the CheckOcspGetExpiry function is used by other code paths, I believe the safer fix is to add also the rest of the certificate from the chain built as part of constructing the SslStreamCertificateContext instance, rather than using OCSP_PARTIAL_CHAIN to enable anchoring in trusted intermediate (only) CAs. See also discussion on the original issue.

This was not uncovered by existing tests because the current tests are exercising codepaths which call CheckOcspGetExpiry from different callstack (see #96659 (comment)). For now I tested the code via the repro code from the issue mentioned above. Automated tests are delegated to #96791.

[ghost]

Tagging subscribers to this area: @dotnet/ncl, @bartonjs, @vcsjones
See info in area-owners.md if you want to be subscribed.

Issue Details

---

Fixes #96659.

When validating OCSP Staple retrieved in SslStreamCertificateContext, we create an X509_STORE to specify which certificates are to be considered trusted. Until now, we passed in only the immediate issuer of the validated certificate. If this was only an intermediate CA certificate and the OCSP was signed by a delegated signer, the signer verification process would fail because the signer could not be anchored in a trusted Root CA.

Since the CheckOcspGetExpiry function is used by other code paths, I believe the safer fix is to add also the rest of the certificate from the chain built as part of constructing the SslStreamCertificateContext instance, rather than using OCSP_PARTIAL_CHAIN to enable anchoring in trusted intermediate (only) CAs. See also discussion on the original issue.

This was not uncovered by existing tests because the current tests are calling CheckOcspGetExpiry via different code path. For now I tested the code via the repro code from the issue mentioned above. Automated tests are delegated to #96791.

Author:	rzikm
Assignees:	-
Labels:	area-System.Net.Security
Milestone:	-

[wfurt]

LGTM

[rzikm]

looks like we actually always need to always keep the root from AddRootCertificate🤦

[bartonjs]

FWIW, you should be able to test this locally by just adding PkiOptions.IssuerAuthorityHasDesignatedOcspResponder in src\libraries\System.Net.Security\tests\FunctionalTests\CertificateValidationRemoteServer.cs line 199.

Longer term that probably needs to come from a parameter in that helper routine so that there are tests both with and without it; but that's the fastest "how do I test this?" that I can come up with.

[rzikm]

I have extracted the CertificateAuthority and RevocationResponder to a console app, so I am now running against that and was wondering why it was not working anymore. A fix is incoming.

[rzikm]

I tested latest version with openssl s_client .... -status and

• I am getting a delegated-signed response
• the response is updated if <5min to expiration.

PTAL to confirm there is nothing terribly wrong in the last commit.

[rzikm]

/azp run runtime-libraries-coreclr outerloop

[azure-pipelines]

Azure Pipelines successfully started running 1 pipeline(s).

[rzikm]

No related failures in the outerloop run.