
Online Revocation and Root Trust Bugfix

Open elantiguamsft opened this issue 1 year ago • 0 comments

CoseSign1.Certificates.Local.Validators.X509ChainTrustValidator must remain in a .NET Standard 2.0 lib to maintain compatibility with several consumers of the library. Unfortunately this means we can't use the modern .NET Core implementations of X509Chain and X509ChainPolicy, which offer support for custom trust providers, unlike the .NET Standard versions.

Because of this limitation, we have to do some amount of post-processing of the certificate trust chain results. This PR addresses a "bug" where custom roots of trust are passed in and the X509Chain.Build() library method erroneously attempts to check revocation status of self-signed roots that we are explicitly pinning trust to. The intended behavior of this method is actually to skip revocation for self-signed roots with the recognition that self-attestation of revocation status provides no value.
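The post-processing described above, as an added example that is not CoseSignTool's own code: on .NET Standard 2.0 there is no CustomTrustStore, so the pinned roots are offered through ExtraStore with AllowUnknownCertificateAuthority, and the per-element chain status is then filtered so that a self-signed root matching the pinned set is accepted and its revocation status (which the root could only attest to itself) is not required. The class and method names (PinnedRootChainValidator, ValidateWithPinnedRoots, IsSelfSigned) are hypothetical; everything else is the standard System.Security.Cryptography.X509Certificates API.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography.X509Certificates;

// Hypothetical helper (not the project's code) showing how to post-process
// X509Chain results when the roots of trust are supplied by the caller.
public static class PinnedRootChainValidator
{
    // Revocation-related statuses that carry no information for a self-signed
    // root: the root would be attesting to its own revocation status.
    private const X509ChainStatusFlags RootIgnorableFlags =
        X509ChainStatusFlags.UntrustedRoot |
        X509ChainStatusFlags.RevocationStatusUnknown |
        X509ChainStatusFlags.OfflineRevocation;

    public static bool ValidateWithPinnedRoots(
        X509Certificate2 leaf,
        IReadOnlyCollection<X509Certificate2> pinnedRoots,
        out IReadOnlyList<string> failures)
    {
        var errors = new List<string>();
        var pinnedThumbprints = new HashSet<string>(
            pinnedRoots.Select(r => r.Thumbprint), StringComparer.OrdinalIgnoreCase);

        using (var chain = new X509Chain())
        {
            // Online revocation for leaf and intermediates; the root is decided below.
            chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
            chain.ChainPolicy.RevocationFlag = X509RevocationFlag.ExcludeRoot;
            // Without CustomTrustStore, the only way to let Build() reach a root that
            // is not in the system store is to supply it in ExtraStore and tolerate
            // UntrustedRoot, which we re-check against the pinned set ourselves.
            chain.ChainPolicy.VerificationFlags =
                X509VerificationFlags.AllowUnknownCertificateAuthority;
            foreach (var root in pinnedRoots)
                chain.ChainPolicy.ExtraStore.Add(root);

            chain.Build(leaf); // return value ignored; statuses are inspected per element

            var elements = chain.ChainElements.Cast<X509ChainElement>().ToList();
            if (elements.Count == 0)
            {
                failures = new[] { "chain build produced no elements" };
                return false;
            }

            // The last element must be self-signed AND one of the pinned roots;
            // name equality alone would let any self-signed cert terminate the chain.
            var rootCert = elements[elements.Count - 1].Certificate;
            bool rootIsPinned = IsSelfSigned(rootCert)
                && pinnedThumbprints.Contains(rootCert.Thumbprint);
            if (!rootIsPinned)
                errors.Add($"chain does not terminate in a pinned self-signed root (got {rootCert.Subject})");

            for (int i = 0; i < elements.Count; i++)
            {
                bool isPinnedRoot = rootIsPinned && i == elements.Count - 1;
                foreach (X509ChainStatus status in elements[i].ChainElementStatus)
                {
                    var flags = status.Status;
                    if (isPinnedRoot)
                        flags &= ~RootIgnorableFlags; // skip revocation/untrusted for the pinned root
                    if (flags != X509ChainStatusFlags.NoError)
                        errors.Add($"{elements[i].Certificate.Subject}: {flags} ({status.StatusInformation})");
                }
            }
        }

        failures = errors;
        return errors.Count == 0;
    }

    // Subject DN equals issuer DN. This does not verify the self-signature
    // cryptographically; identity is established by the thumbprint pin above.
    private static bool IsSelfSigned(X509Certificate2 cert) =>
        cert.SubjectName.RawData.SequenceEqual(cert.IssuerName.RawData);
}
```

Only the terminal element is exempted, and only when its thumbprint is in the pinned set; a RevocationStatusUnknown or Revoked status on the leaf or any intermediate still fails validation, which is the behaviour the issue wants to preserve while dropping the meaningless self-attested check on the root.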

elantiguamsft · Sep 24 '24 08:09