
Verify that OCSP and CRL checks fall back.
Test that a CRL timeout chain build will use OCSP, and that an OCSP timeout chain build will use CRL.
vcsjones authored Nov 19, 2020
1 parent 044ee8c commit 0cb3cfd
Showing 2 changed files with 63 additions and 16 deletions.
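--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -90,7 +90,10 @@ internal void HandleRequest()
 
 if (context != null)
 {
-HandleRequest(context);
+ThreadPool.QueueUserWorkItem(
+state => HandleRequest(state),
+context,
+true);
 }
 }
 
@@ -108,7 +111,10 @@ internal async Task HandleRequestAsync()
 
 if (context != null)
 {
-HandleRequest(context);
+ThreadPool.QueueUserWorkItem(
+state => HandleRequest(state),
+context,
+true);
 }
 }
 
@@ -375,14 +381,14 @@ private static void Trace(string trace)
 Console.WriteLine(trace);
 }
 }
 }
 
-internal enum DelayedActionsFlag : byte
-{
-None = 0,
-Ocsp = 0b1,
-Crl = 0b10,
-Aia = 0b100,
-All = 0b11111111
-}
+public enum DelayedActionsFlag : byte
+{
+None = 0,
+Ocsp = 0b1,
+Crl = 0b10,
+Aia = 0b100,
+All = 0b11111111
+}
 }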
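Review bot: The callback queued in the HandleRequest and HandleRequestAsync hunks runs `HandleRequest(state)` on a pool thread with no exception boundary, so an exception thrown while serving a request is no longer observable by the caller and, being unhandled on a thread-pool thread, would terminate the test process rather than fail one test. Before this change the call ran inline, so whatever catch the enclosing methods have (both start outside the hunk) applied to it; that protection is silently lost here. Consider guarding the callback, e.g. `state => { try { HandleRequest(state); } catch (Exception e) { Trace(e.ToString()); } }`, using the `Trace` helper already defined in this class, and naming the third argument `preferLocal: true` so its meaning is visible at the call site. The same applies to both hunks.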
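--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -38,7 +38,7 @@ public static void RevocationCheckingDelayed(PkiOptions pkiOptions)
 
 X509Chain chain = holder.Chain;
 responder.ResponseDelay = delay;
-responder.DelayedActions = RevocationResponder.DelayedActionsFlag.All;
+responder.DelayedActions = DelayedActionsFlag.All;
 
 // This needs to be greater than delay, but less than 2x delay to ensure
 // that the time is a timeout for individual fetches, not a running total.
@@ -90,7 +90,7 @@ public static void RevocationCheckingTimeout(PkiOptions pkiOptions)
 
 X509Chain chain = holder.Chain;
 responder.ResponseDelay = delay;
-responder.DelayedActions = RevocationResponder.DelayedActionsFlag.All;
+responder.DelayedActions = DelayedActionsFlag.All;
 
 chain.ChainPolicy.UrlRetrievalTimeout = TimeSpan.FromSeconds(1);
 chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
@@ -148,7 +148,7 @@ public static void RevocationCheckingMaximum(PkiOptions pkiOptions)
 
 X509Chain chain = holder.Chain;
 responder.ResponseDelay = delay;
-responder.DelayedActions = RevocationResponder.DelayedActionsFlag.All;
+responder.DelayedActions = DelayedActionsFlag.All;
 
 chain.ChainPolicy.UrlRetrievalTimeout = TimeSpan.FromMinutes(2);
 chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
@@ -200,7 +200,7 @@ public static void RevocationCheckingNegativeTimeout(PkiOptions pkiOptions)
 
 X509Chain chain = holder.Chain;
 responder.ResponseDelay = delay;
-responder.DelayedActions = RevocationResponder.DelayedActionsFlag.All;
+responder.DelayedActions = DelayedActionsFlag.All;
 
 chain.ChainPolicy.UrlRetrievalTimeout = TimeSpan.FromMinutes(-1);
 chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
@@ -216,6 +216,47 @@ public static void RevocationCheckingNegativeTimeout(PkiOptions pkiOptions)
 });
 }
 
+[Theory]
+[InlineData(DelayedActionsFlag.Ocsp)]
+[InlineData(DelayedActionsFlag.Crl)]
+[PlatformSpecific(TestPlatforms.Windows | TestPlatforms.Linux)]
+public static void RevocationCheckingTimeoutFallbackToOther(DelayedActionsFlag delayFlags)
+{
+RetryHelper.Execute(() => {
+CertificateAuthority.BuildPrivatePki(
+PkiOptions.AllRevocation,
+out RevocationResponder responder,
+out CertificateAuthority rootAuthority,
+out CertificateAuthority intermediateAuthority,
+out X509Certificate2 endEntityCert,
+nameof(RevocationCheckingTimeoutFallbackToOther));
+
+using (responder)
+using (rootAuthority)
+using (intermediateAuthority)
+using (endEntityCert)
+using (ChainHolder holder = new ChainHolder())
+using (X509Certificate2 rootCert = rootAuthority.CloneIssuerCert())
+using (X509Certificate2 intermediateCert = intermediateAuthority.CloneIssuerCert())
+{
+X509Chain chain = holder.Chain;
+responder.ResponseDelay = TimeSpan.FromSeconds(8);
+responder.DelayedActions = delayFlags;
+
+chain.ChainPolicy.UrlRetrievalTimeout = TimeSpan.FromSeconds(4);
+chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
+chain.ChainPolicy.CustomTrustStore.Add(rootCert);
+chain.ChainPolicy.ExtraStore.Add(intermediateCert);
+chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
+chain.ChainPolicy.RevocationFlag = X509RevocationFlag.EndCertificateOnly;
+
+chain.ChainPolicy.DisableCertificateDownloads = true;
+
+Assert.True(chain.Build(endEntityCert), $"chain.Build; Chain status: {chain.AllStatusFlags()}");
+}
+});
+}
+
 [Fact]
 [PlatformSpecific(TestPlatforms.Linux)]
 public static void AiaFetchDelayed()
@@ -241,7 +282,7 @@ public static void AiaFetchDelayed()
 
 X509Chain chain = holder.Chain;
 responder.ResponseDelay = delay;
-responder.DelayedActions = RevocationResponder.DelayedActionsFlag.All;
+responder.DelayedActions = DelayedActionsFlag.All;
 
 chain.ChainPolicy.UrlRetrievalTimeout = TimeSpan.FromSeconds(15);
 chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
@@ -281,7 +322,7 @@ public static void AiaFetchTimeout()
 
 X509Chain chain = holder.Chain;
 responder.ResponseDelay = delay;
-responder.DelayedActions = RevocationResponder.DelayedActionsFlag.All;
+responder.DelayedActions = DelayedActionsFlag.All;
 
 chain.ChainPolicy.UrlRetrievalTimeout = TimeSpan.FromSeconds(2);
 chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;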
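Review bot: RevocationCheckingTimeoutFallbackToOther (the hunk after RevocationCheckingNegativeTimeout) only asserts that `chain.Build` returns true, which it can do without the delayed revocation source ever being consulted — if the platform tries the non-delayed source first and it answers, the 4-second timeout path is never exercised and the test passes vacuously. A stronger check would assert that the delayed source was actually contacted, e.g. via a per-action request counter on RevocationResponder if it has one (not visible here), or at least that a `Stopwatch`-measured Build took no less than `chain.ChainPolicy.UrlRetrievalTimeout` in the case where the delayed source is the one the platform is expected to try first. The 8-second delay and 4-second UrlRetrievalTimeout are bare numbers; the sibling tests document the delay/timeout relation (the comment at the top of RevocationCheckingDelayed), so a similar line here, `// The delayed fetch must time out (timeout < delay) so the build falls back to the other revocation source.`, would explain the choice. Asserting that `chain.ChainStatus` carries neither `X509ChainStatusFlags.OfflineRevocation` nor `X509ChainStatusFlags.RevocationStatusUnknown` would also make the expected outcome explicit rather than implied by the Build result.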
