bcgit / bc-csharp

BouncyCastle.NET Cryptography Library (Mirror)
https://www.bouncycastle.org/csharp
MIT License

PkixCertPathValidator does not validate against PkixParameters.Date #246

Open kyanha opened 4 years ago

kyanha commented 4 years ago

PkixCertPathValidator does not validate against PkixParameters.Date when PkixParameters.ValidityModel == ChainValidityModel. In fact, any processing where the date can be set is completely commented out. This appears to follow the Java implementation, where that kind of processing has been commented out since "first cut of code" on Feb 7, 2013.

This breaks an independent implementation of Authenticode processing with BC, among other things.

@peterdettman, would you know the history surrounding this? Or maybe be able to ask around?
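As an added example, not code from this issue or from bc-csharp itself: a compensating check that enforces `PkixParameters.Date` under the chain validity model (end-entity valid at the validation time, each issuer valid when it issued the certificate below it) before delegating to `PkixCertPathValidator`. It assumes the bc-csharp 2.x API shape (`PkixParameters(ISet<TrustAnchor>)`, `Date` as `DateTime?`) and a leaf-first chain with the trust anchor passed separately; the helper names are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using Org.BouncyCastle.Pkix;
using Org.BouncyCastle.X509;

// Hypothetical helper: enforce the validation date ourselves, because the
// validator does not apply PkixParameters.Date as this issue describes.
public static class DatedChainValidation
{
    // chain[0] is the end-entity certificate; chain[i + 1] issued chain[i];
    // root issued the last element of chain.
    public static PkixCertPathValidatorResult ValidateAt(
        IList<X509Certificate> chain, X509Certificate root, DateTime validationTime)
    {
        if (chain == null || chain.Count == 0)
            throw new ArgumentException("chain must contain at least the end-entity certificate");

        // Chain validity model: the end-entity certificate must be valid at the
        // validation (e.g. signing) time ...
        RequireValidAt(chain[0], validationTime);
        // ... and every issuer must have been valid when it issued the next certificate.
        for (int i = 1; i < chain.Count; i++)
            RequireValidAt(chain[i], chain[i - 1].NotBefore);
        RequireValidAt(root, chain[chain.Count - 1].NotBefore);

        // Assumes the bc-csharp 2.x constructor and property types.
        var anchors = new HashSet<TrustAnchor> { new TrustAnchor(root, null) };
        var parameters = new PkixParameters(anchors)
        {
            Date = validationTime,                          // not honoured by the library (this issue)
            ValidityModel = PkixParameters.ChainValidityModel,
            IsRevocationEnabled = false                     // constructed example: no CRL/OCSP inputs supplied
        };

        // Signature, name chaining, constraints and policy processing are still
        // delegated to the library; only the date handling is enforced above.
        return new PkixCertPathValidator().Validate(new PkixCertPath(chain), parameters);
    }

    private static void RequireValidAt(X509Certificate cert, DateTime at)
    {
        if (at < cert.NotBefore || at > cert.NotAfter)
        {
            throw new PkixCertPathValidatorException(
                "certificate " + cert.SubjectDN + " not valid at " + at.ToString("u"));
        }
    }
}
```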

peterdettman commented 4 years ago

I'm not overly familiar with CertPath details. Please provide refs for the commented out Java and C# code you are referring to.

kyanha commented 4 years ago

bc-prov: org.bouncycastle.jce.provider.PKIXCertPathValidatorSpi line 112
bc-csharp: Org.BouncyCastle.Pkix.PkixCertPathValidator line 69

Specifically, the portions that would implement part (b) of the PKIX "Inputs" section (6.1.1 of RFC3280/5280).

The date appears to be supported by the processing for RFC3281 (the attribute certificate profile).

peterdettman commented 4 years ago

Would you happen to have some test data that specifically covers the chain validity model?