vcsjones
Member

The test BuildChainCustomTrustStore started failing in Alpine 3.22.

This is failing because the root certificate of the chain, "C=IE, O=Baltimore, OU=CyberTrust, CN=Baltimore CyberTrust Root" expired May 12 23:59:00 2025. Since the root certificate is expired, it was completely removed from the trust store in an update to Alpine.

This unit test was relying on the certificate being in the system trust store, which is no longer true.

This pull request changes the "use the system trust store" case to permit an untrusted root. This is consistent with what we are doing in other tests that use this chain:

chain.ChainPolicy.ExtraStore.Add(unrelated);
chain.ChainPolicy.ExtraStore.Add(microsoftDotComRoot);
chain.ChainPolicy.ExtraStore.Add(microsoftDotComIssuer);
chain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority;

Contributes to #117723
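
The following C# program is added here as an illustration and is not code from this pull request or the dotnet/runtime test suite. It builds one leaf three ways to show what `AllowUnknownCertificateAuthority` changes compared with the system trust store and with a custom trust store; the certificate names and the `Build` helper are constructed for the example.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Constructed sample chain: a private root and one leaf, neither in any system trust store.
DateTimeOffset now = DateTimeOffset.UtcNow;
using ECDsa rootKey = ECDsa.Create(ECCurve.NamedCurves.nistP256);
var rootReq = new CertificateRequest("CN=Example Test Root", rootKey, HashAlgorithmName.SHA256);
rootReq.CertificateExtensions.Add(new X509BasicConstraintsExtension(true, false, 0, true));
using X509Certificate2 root = rootReq.CreateSelfSigned(now.AddDays(-1), now.AddDays(30));

using ECDsa leafKey = ECDsa.Create(ECCurve.NamedCurves.nistP256);
var leafReq = new CertificateRequest("CN=leaf.example.test", leafKey, HashAlgorithmName.SHA256);
using X509Certificate2 leaf = leafReq.Create(root, now.AddHours(-1), now.AddDays(7), new byte[] { 1, 2, 3, 4 });

// 1. System trust, default flags: the root is found via ExtraStore but is not trusted.
var strict = Build(leaf, p => p.ExtraStore.Add(root));

// 2. System trust with the flag used in the pull request: Build succeeds,
//    yet ChainStatus still carries UntrustedRoot for the caller to inspect.
var lenient = Build(leaf, p =>
{
    p.ExtraStore.Add(root);
    p.VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority;
});

// 3. Custom root trust: the caller supplies its own anchor and ignores the system store.
var pinned = Build(leaf, p =>
{
    p.TrustMode = X509ChainTrustMode.CustomRootTrust;
    p.CustomTrustStore.Add(root);
});

Console.WriteLine($"system/default : ok={strict.ok}, status={strict.flags}");
Console.WriteLine($"system/allow   : ok={lenient.ok}, status={lenient.flags}");
Console.WriteLine($"custom trust   : ok={pinned.ok}, status={pinned.flags}");

// Hypothetical helper: builds a chain for the certificate and ORs all status flags together.
static (bool ok, X509ChainStatusFlags flags) Build(X509Certificate2 cert, Action<X509ChainPolicy> configure)
{
    using var chain = new X509Chain();
    chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck; // sample certs publish no CRL/OCSP
    configure(chain.ChainPolicy);
    bool ok = chain.Build(cert);
    var flags = chain.ChainStatus.Aggregate(X509ChainStatusFlags.NoError, (acc, s) => acc | s.Status);
    return (ok, flags);
}
```

Because `AllowUnknownCertificateAuthority` lets `Build` succeed for a chain ending in any root, code that sets it has to check `ChainStatus` or compare the root itself; a custom trust store keeps the result independent of what the operating system ships.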

@Copilot Copilot AI review requested due to automatic review settings July 16, 2025 21:12
@vcsjones vcsjones added the test-bug Problem in test source code (most likely) label Jul 16, 2025
@github-actions github-actions bot added the needs-area-label An area label is needed to ensure this gets routed to the appropriate area owners label Jul 16, 2025
Contributor

@Copilot Copilot AI left a comment

Pull Request Overview

This PR fixes the BuildChainCustomTrustStore test that started failing in Alpine 3.22 due to the expiration of the Baltimore CyberTrust Root certificate on May 12, 2025. The certificate was subsequently removed from the system trust store, causing the test to fail when it expected the certificate to be available.

  • Modifies the system trust store test case to allow untrusted root certificates
  • Adds appropriate verification flags and chain status handling for expired certificates
  • Aligns the test behavior with other similar tests in the codebase

@vcsjones vcsjones added area-System.Security and removed needs-area-label An area label is needed to ensure this gets routed to the appropriate area owners labels Jul 16, 2025
@vcsjones vcsjones requested a review from bartonjs July 16, 2025 21:13
Contributor

Tagging subscribers to this area: @dotnet/area-system-security, @bartonjs, @vcsjones
See info in area-owners.md if you want to be subscribed.

@vcsjones vcsjones enabled auto-merge (squash) July 16, 2025 21:54
@vcsjones vcsjones merged commit 3f0d8d9 into dotnet:main Jul 17, 2025
89 of 91 checks passed
@vcsjones vcsjones deleted the fix-failing-test branch July 17, 2025 05:21
@vcsjones
Member Author

Passed on Alpine 3.22.

We should back port this.

@vcsjones
Member Author

/backport to release/9.0-staging

@vcsjones
Member Author

/backport to release/8.0-staging

Contributor

Started backporting to release/8.0-staging: https://github.com/dotnet/runtime/actions/runs/16347511153

Contributor

Started backporting to release/9.0-staging: https://github.com/dotnet/runtime/actions/runs/16347508992
