PkixCertPathValidator does not validate against PkixParameters.Date

Open kyanha opened this issue 5 years ago • 3 comments

PkixCertPathValidator does not validate against PkixParameters.Date when PkixParameters.ValidityModel == ChainValidityModel. In fact, any processing where the date can be set is completely commented out. This appears to follow the Java implementation, where that kind of processing has been commented out since "first cut of code" on Feb 7, 2013.

This breaks an independent implementation of Authenticode processing with BC, among other things.

@peterdettman, would you know the history surrounding this? or maybe be able to ask around?

kyanha avatar May 07 '20 01:05 kyanha
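A self-contained reproduction of the behaviour this issue describes, added here as an example; it is not code from the issue or from bc-csharp. It builds a throw-away root and leaf certificate that are valid for a single day, then asks PkixCertPathValidator to validate the leaf at a date one year after expiry under both validity models. Per RFC 5280 section 6.1.3 (a)(2) both calls should be rejected; the issue reports that the ChainValidityModel call is not. It assumes the BouncyCastle.Cryptography 2.x API (PkixParameters.Date is a DateTime?, the trust-anchor set is a System.Collections.Generic ISet<TrustAnchor>); on the 1.8.x line that the issue was filed against, Date is a DateTimeObject and the set type is Org.BouncyCastle.Utilities.Collections.ISet. The names DateCheckRepro, NewRsaKey, Issue and Rejected are the example's own.

```csharp
using System;
using System.Collections.Generic;
using Org.BouncyCastle.Asn1.X509;
using Org.BouncyCastle.Crypto;
using Org.BouncyCastle.Crypto.Generators;
using Org.BouncyCastle.Crypto.Operators;
using Org.BouncyCastle.Math;
using Org.BouncyCastle.Pkix;
using Org.BouncyCastle.Security;
using Org.BouncyCastle.X509;

// Added reproduction for the behaviour reported in this issue; not code from
// the issue or from bc-csharp. Assumes BouncyCastle.Cryptography 2.x
// (PkixParameters.Date is DateTime?; on 1.8.x it is a DateTimeObject and the
// trust-anchor set is Org.BouncyCastle.Utilities.Collections.ISet).
static class DateCheckRepro
{
    static AsymmetricCipherKeyPair NewRsaKey()
    {
        var gen = new RsaKeyPairGenerator();
        gen.Init(new KeyGenerationParameters(new SecureRandom(), 2048));
        return gen.GenerateKeyPair();
    }

    // Issue a certificate whose validity window is exactly [notBefore, notAfter].
    static X509Certificate Issue(string subject, AsymmetricKeyParameter subjectPub,
        string issuer, AsymmetricKeyParameter issuerPriv,
        DateTime notBefore, DateTime notAfter, bool isCa)
    {
        var g = new X509V3CertificateGenerator();
        g.SetSerialNumber(BigInteger.ValueOf(DateTime.UtcNow.Ticks));
        g.SetIssuerDN(new X509Name(issuer));
        g.SetSubjectDN(new X509Name(subject));
        g.SetNotBefore(notBefore);
        g.SetNotAfter(notAfter);
        g.SetPublicKey(subjectPub);
        g.AddExtension(X509Extensions.BasicConstraints, true, new BasicConstraints(isCa));
        return g.Generate(new Asn1SignatureFactory("SHA256WITHRSA", issuerPriv));
    }

    // True if Validate() rejected the path when evaluated at evalDate under the given model.
    static bool Rejected(X509Certificate root, X509Certificate leaf, DateTime evalDate, int model)
    {
        var anchors = new HashSet<TrustAnchor> { new TrustAnchor(root, null) };
        var p = new PkixParameters(anchors)
        {
            IsRevocationEnabled = false,   // keep the test focused on the date check only
            Date = evalDate,               // RFC 5280 6.1.1 input (b): the evaluation time
            ValidityModel = model,
        };
        var path = new PkixCertPath(new List<X509Certificate> { leaf });
        try
        {
            new PkixCertPathValidator().Validate(path, p);
            return false;
        }
        catch (PkixCertPathValidatorException)
        {
            return true;
        }
    }

    static void Main()
    {
        var caKey = NewRsaKey();
        var eeKey = NewRsaKey();

        // Constructed test data: both certificates are valid for one day only.
        var start = new DateTime(2020, 5, 7, 0, 0, 0, DateTimeKind.Utc);
        var end = start.AddDays(1);
        var root = Issue("CN=Test Root", caKey.Public, "CN=Test Root", caKey.Private, start, end, true);
        var leaf = Issue("CN=Test Leaf", eeKey.Public, "CN=Test Root", caKey.Private, start, end, false);

        // One year after expiry: outside the validity period of every cert in the path,
        // so a conforming validator must reject under either model.
        var wayAfter = end.AddYears(1);
        Console.WriteLine("PkixValidityModel rejects expired date:  " +
            Rejected(root, leaf, wayAfter, PkixParameters.PkixValidityModel));
        Console.WriteLine("ChainValidityModel rejects expired date: " +
            Rejected(root, leaf, wayAfter, PkixParameters.ChainValidityModel));
    }
}
```

If the second line prints false on your build, the validator accepted a path at a date outside the certificates' validity, which is the defect this issue describes; an Authenticode-style verifier, which must evaluate a chain at the signing time rather than at "now", cannot rely on Date in that configuration.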

I'm not overly familiar with CertPath details. Please provide refs for the commented out Java and C# code you are referring to.

peterdettman avatar May 07 '20 04:05 peterdettman

bc-prov: org.bouncycastle.jce.provider.PKIXCertPathValidatorSpi, line 112
bc-csharp: Org.BouncyCastle.Pkix.PkixCertPathValidator, line 69

Specifically, the portions that would implement part (b) of the PKIX "Inputs" section (6.1.1 of RFC3280/5280).

The date appears to be supported by the processing for RFC3281 (the attribute certificate profile).

kyanha avatar May 07 '20 06:05 kyanha

Would you happen to have some test data that specifically covers the chain validity model?

peterdettman avatar May 08 '20 11:05 peterdettman