
[Breaking change]: X509ChainPolicy's verification time now defaults to a dynamic notion of "now". #30182

Closed
@bartonjs

Description


In previous versions of .NET, the X509ChainPolicy.VerificationTime value was assigned to DateTime.Now when the X509ChainPolicy object was constructed. Using the same X509ChainPolicy object for multiple calls to X509Chain.Build would result in all chain builds using that same value of "now", no matter how long had passed since object creation.

The new default behavior is to use the value of DateTime.Now when X509Chain.Build is invoked. This change does not affect chain builds that explicitly assign X509ChainPolicy.VerificationTime.

Version

.NET 7 Preview 7

Previous behavior

The X509ChainPolicy.VerificationTime value was assigned to DateTime.Now when the X509ChainPolicy object was constructed, and this value was used in all subsequent X509Chain.Build calls (unless or until the value was reassigned at a later time).

New behavior

The X509ChainPolicy.VerificationTime value is still assigned DateTime.Now when the X509ChainPolicy object is constructed, but the new X509ChainPolicy.VerificationTimeIgnored property defaults to true. When this property has a value of true, the X509Chain.Build method uses DateTime.Now at the time of the call instead of X509ChainPolicy.VerificationTime when building the chain.

Assigning a value to the X509ChainPolicy.VerificationTime property will automatically set VerificationTimeIgnored to false.

Type of breaking change

  • Binary incompatible: Existing binaries may encounter a breaking change in behavior, such as failure to load/execute or different run-time behavior.
  • Source incompatible: Source code may encounter a breaking change in behavior when targeting the new runtime/component/SDK, such as compile errors or different run-time behavior.

Reason for change

Callers who cache configured X509ChainPolicy objects were often surprised that their validation was slowly drifting further and further back in time, because the cached "now" never advanced. This change makes long-lived X509ChainPolicy objects easier to work with, and does not significantly impact short-lived objects.

Recommended action

Callers that do not have long-lived X509ChainPolicy objects are not expected to be impacted.

Callers that explicitly assign the X509ChainPolicy.VerificationTime property are not impacted.

Callers that have a long-lived X509ChainPolicy object and wish to use the previous behavior can either assign the new X509ChainPolicy.VerificationTimeIgnored property to false, or assign the X509ChainPolicy.VerificationTime property to DateTime.Now.

X509ChainPolicy policy = new X509ChainPolicy
{
    // ... other policy settings ...
    VerificationTime = DateTime.Now,
};

or

X509ChainPolicy policy = new X509ChainPolicy
{
    // ... other policy settings ...
    VerificationTimeIgnored = false,
};
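The following program is an added illustration of the behavior described above; it is not code from the issue or from the .NET repository. It constructs a self-signed certificate that expires a few seconds after creation (a constructed test input), caches two policies across that expiry, and shows that a policy with a pinned VerificationTime keeps accepting the expired certificate while the .NET 7 default (VerificationTimeIgnored == true) evaluates against the current clock. It assumes .NET 7 or later and uses only APIs named on this page plus CertificateRequest for test certificate creation.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Threading;

static class VerificationTimeDemo
{
    // Constructed self-signed test certificate that expires 'lifetime' from now.
    static X509Certificate2 MakeShortLivedCert(TimeSpan lifetime)
    {
        using ECDsa key = ECDsa.Create(ECCurve.NamedCurves.nistP256);
        var req = new CertificateRequest("CN=verification-time-demo", key, HashAlgorithmName.SHA256);
        return req.CreateSelfSigned(DateTimeOffset.UtcNow.AddMinutes(-1), DateTimeOffset.UtcNow.Add(lifetime));
    }

    // Builds a chain with the (cached) policy and reports whether the certificate was
    // considered time-valid. Trust errors are expected for a self-signed certificate
    // and are deliberately ignored; only the NotTimeValid status matters here.
    static bool IsTimeValid(X509Certificate2 cert, X509ChainPolicy policy)
    {
        using var chain = new X509Chain { ChainPolicy = policy };
        chain.Build(cert);
        foreach (X509ChainStatus status in chain.ChainStatus)
        {
            if ((status.Status & X509ChainStatusFlags.NotTimeValid) != 0)
                return false;
        }
        return true;
    }

    static void Main()
    {
        using X509Certificate2 cert = MakeShortLivedCert(TimeSpan.FromSeconds(3));
        // Pinned: assigning VerificationTime sets VerificationTimeIgnored to false,
        // reproducing the pre-.NET 7 behavior for a long-lived policy object.
        var pinnedPolicy = new X509ChainPolicy
        {
            RevocationMode = X509RevocationMode.NoCheck,
            VerificationTime = DateTime.Now,
        };
        // Default: VerificationTimeIgnored stays true, so each Build call uses DateTime.Now.
        var defaultPolicy = new X509ChainPolicy { RevocationMode = X509RevocationMode.NoCheck };
        Console.WriteLine($"pinned  VerificationTimeIgnored={pinnedPolicy.VerificationTimeIgnored}");
        Console.WriteLine($"default VerificationTimeIgnored={defaultPolicy.VerificationTimeIgnored}");
        // Let the certificate expire while both policy objects stay cached; the pinned
        // policy still evaluates against its creation-time "now", the default against the clock.
        Thread.Sleep(TimeSpan.FromSeconds(5));
        Console.WriteLine($"pinned  time valid: {IsTimeValid(cert, pinnedPolicy)}");
        Console.WriteLine($"default time valid: {IsTimeValid(cert, defaultPolicy)}");
    }
}
```

For deterministic tests of time-based validation, set VerificationTime explicitly to the instant you mean to test; for production code that caches a policy, leave the default so that expiry is checked against the real current time.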

Feature area

Cryptography

Affected APIs

T:System.Security.Cryptography.X509Certificates.X509ChainPolicy
P:System.Security.Cryptography.X509Certificates.X509ChainPolicy.VerificationTime
P:System.Security.Cryptography.X509Certificates.X509ChainPolicy.VerificationTimeIgnored

Metadata

Labels

  • 🏁 Release: .NET 7 (Work items for the .NET 7 release)
  • binary incompatible (Existing binaries may encounter a breaking change in behavior.)
  • breaking-change (Indicates a .NET Core breaking change)
