microsoft · elantiguamsft · Sep 23, 2024 · Sep 21, 2024 · Sep 23, 2024 · Sep 23, 2024
diff --git a/CoseHandler/CoseHandler.cs b/CoseHandler/CoseHandler.cs
@@ -330,15 +330,18 @@ payloadStream is not null ?
     /// <param name="roots">Optional. A set of root certificates to try to chain the signing certificate to, in addition to the certificates installed on the host machine.</param>
     /// <param name="revocationMode">Optional. Revocation mode to use when validating the certificate chain.</param>
     /// <param name="requiredCommonName">Optional. Requires the signing certificate to match the specified Common Name.</param>
+    /// <param name="allowUntrusted">True to allow untrusted certificates.</param>
+    /// <param name="allowOutdated">True to allow signatures with expired certificates to pass validation unless the expired certificate has a lifetime EKU.</param>
     /// <exception cref="CoseValidationException">The exception thrown if validation failed</exception>
     public static ValidationResult Validate(
         byte[] signature,
         byte[]? payload,
         List<X509Certificate2>? roots = null,
         X509RevocationMode revocationMode = X509RevocationMode.Online,
         string? requiredCommonName = null,
-        bool allowUntrusted = false)
-        => Validate(signature, GetValidator(roots, revocationMode, requiredCommonName, allowUntrusted), payload);
+        bool allowUntrusted = false,
+        bool allowOutdated = false)
+        => Validate(signature, GetValidator(roots, revocationMode, requiredCommonName, allowUntrusted, allowOutdated), payload);
 
     /// <summary>
     /// Validates a detached COSE signature in memory.
@@ -348,14 +351,17 @@ public static ValidationResult Validate(
     /// <param name="roots">Optional. A set of root certificates to try to chain the signing certificate to, in addition to the certificates installed on the host machine.</param>
     /// <param name="revocationMode">Optional. Revocation mode to use when validating the certificate chain.</param>
     /// <param name="requiredCommonName">Optional. Requires the signing certificate to match the specified Common Name.</param>
+    /// <param name="allowUntrusted">True to allow untrusted certificates.</param>
+    /// <param name="allowOutdated">True to allow signatures with expired certificates to pass validation unless the expired certificate has a lifetime EKU.</param>
     public static ValidationResult Validate(
         byte[] signature,
         Stream payload,
         List<X509Certificate2>? roots = null,
         X509RevocationMode revocationMode = X509RevocationMode.Online,
         string? requiredCommonName = null,
-        bool allowUntrusted = false)
-        => Validate(signature, GetValidator(roots, revocationMode, requiredCommonName, allowUntrusted), payload);
+        bool allowUntrusted = false,
+        bool allowOutdated = false)
+        => Validate(signature, GetValidator(roots, revocationMode, requiredCommonName, allowUntrusted, allowOutdated), payload);
 
     /// <summary>
     /// Validates a detached or embedded COSE signature in memory.
@@ -365,14 +371,17 @@ public static ValidationResult Validate(
     /// <param name="roots">Optional. A set of root certificates to try to chain the signing certificate to, in addition to the certificates installed on the host machine.</param>
     /// <param name="revocationMode">Optional. Revocation mode to use when validating the certificate chain.</param>
     /// <param name="requiredCommonName">Optional. Requires the signing certificate to match the specified Common Name.</param>
+    /// <param name="allowUntrusted">True to allow untrusted certificates.</param>
+    /// <param name="allowOutdated">True to allow signatures with expired certificates to pass validation unless the expired certificate has a lifetime EKU.</param>
     public static ValidationResult Validate(
         Stream signature,
         byte[]? payload,
         List<X509Certificate2>? roots = null,
         X509RevocationMode revocationMode = X509RevocationMode.Online,
         string? requiredCommonName = null,
-        bool allowUntrusted = false)
-        => Validate(signature, GetValidator(roots, revocationMode, requiredCommonName, allowUntrusted), payload);
+        bool allowUntrusted = false,
+        bool allowOutdated = false)
+        => Validate(signature, GetValidator(roots, revocationMode, requiredCommonName, allowUntrusted, allowOutdated), payload);
 
     /// <summary>
     /// Validates a COSE signature file.
@@ -382,16 +391,19 @@ public static ValidationResult Validate(
     /// <param name="roots">Optional. A set of root certificates to try to chain the signing certificate to, in addition to the certificates installed on the host machine.</param>
     /// <param name="revocationMode">Optional. Revocation mode to use when validating the certificate chain.</param>
     /// <param name="requiredCommonName">Optional. Requires the signing certificate to match the specified Common Name.</param>
+    /// <param name="allowUntrusted">True to allow untrusted certificates.</param>
+    /// <param name="allowOutdated">True to allow signatures with expired certificates to pass validation unless the expired certificate has a lifetime EKU.</param>
     public static ValidationResult Validate(
         FileInfo signature,
         FileInfo? payload,
         List<X509Certificate2>? roots = null,
         X509RevocationMode revocationMode = X509RevocationMode.Online,
         string? requiredCommonName = null,
-        bool allowUntrusted = false)
+        bool allowUntrusted = false,
+        bool allowOutdated = false)
         => ValidateInternal(signatureBytes: null, signatureStream: null, signatureFile: signature,
             payloadBytes: null, payloadStream: null, payloadFile: payload, out _,
-            GetValidator(roots, revocationMode, requiredCommonName, allowUntrusted));
+            GetValidator(roots, revocationMode, requiredCommonName, allowUntrusted, allowOutdated));
 
     /// <summary>
     /// Validates a detached COSE signature in memory.
@@ -401,14 +413,17 @@ public static ValidationResult Validate(
     /// <param name="roots">Optional. A set of root certificates to try to chain the signing certificate to, in addition to the certificates installed on the host machine.</param>
     /// <param name="revocationMode">Optional. Revocation mode to use when validating the certificate chain.</param>
     /// <param name="requiredCommonName">Optional. Requires the signing certificate to match the specified Common Name.</param>
+    /// <param name="allowUntrusted">True to allow untrusted certificates.</param>
+    /// <param name="allowOutdated">True to allow signatures with expired certificates to pass validation unless the expired certificate has a lifetime EKU.</param>
     public static ValidationResult Validate(
         Stream signature,
         Stream? payload,
         List<X509Certificate2>? roots = null,
         X509RevocationMode revocationMode = X509RevocationMode.Online,
         string? requiredCommonName = null,
-        bool allowUntrusted = false)
-        => Validate(signature, GetValidator(roots, revocationMode, requiredCommonName, allowUntrusted), payload);
+        bool allowUntrusted = false,
+        bool allowOutdated = false)
+        => Validate(signature, GetValidator(roots, revocationMode, requiredCommonName, allowUntrusted, allowOutdated), payload);
 
     /// <summary>
     /// Validates a detached or embedded COSE signature in  memory.
@@ -484,15 +499,19 @@ public static ValidationResult Validate(
     /// <param name="roots">Optional. A set of root certificates to try to chain the signing certificate to during validation, in addition to the certificates installed on the host machine.</param>
     /// <param name="revocationMode">Optional. Revocation mode to use when validating the certificate chain.</param>
     /// <param name="requiredCommonName">Optional. Requires the signing certificate to match the specified Common Name.</param>
+    /// <param name="allowUntrusted">True to allow untrusted certificates.</param>
+    /// <param name="allowOutdated">True to allow signatures with expired certificates to pass validation unless the expired certificate has a lifetime EKU.</param>
     /// <returns>The decoded payload as a string.</returns>
     public static string? GetPayload(
         byte[] signature,
         out ValidationResult result,
         List<X509Certificate2>? roots = null,
         X509RevocationMode revocationMode = X509RevocationMode.Online,
-        string? requiredCommonName = null)
+        string? requiredCommonName = null,
+        bool allowUntrusted = false,
+        bool allowOutdated = false)
         => GetPayload(signature,
-            GetValidator(roots, revocationMode, requiredCommonName),
+            GetValidator(roots, revocationMode, requiredCommonName, allowUntrusted, allowOutdated),
             out result);
 
     /// <summary>
@@ -503,15 +522,19 @@ public static ValidationResult Validate(
     /// <param name="roots">Optional. A set of root certificates to try to chain the signing certificate to during validation, in addition to the certificates installed on the host machine.</param>
     /// <param name="revocationMode">Optional. Revocation mode to use when validating the certificate chain.</param>
     /// <param name="requiredCommonName">Optional. Requires the signing certificate to match the specified Common Name.</param>
+    /// <param name="allowUntrusted">True to allow untrusted certificates.</param>
+    /// <param name="allowOutdated">True to allow signatures with expired certificates to pass validation unless the expired certificate has a lifetime EKU.</param>
     /// <returns>The decoded payload as a string.</returns>
     public static string? GetPayload(
         Stream signature,
         out ValidationResult result,
         List<X509Certificate2>? roots = null,
         X509RevocationMode revocationMode = X509RevocationMode.Online,
-        string? requiredCommonName = null)
+        string? requiredCommonName = null,
+        bool allowUntrusted = false,
+        bool allowOutdated = false)
         => GetPayload(signature,
-            GetValidator(roots, revocationMode, requiredCommonName),
+            GetValidator(roots, revocationMode, requiredCommonName, allowUntrusted, allowOutdated),
             out result);
 
     /// <summary>
@@ -522,15 +545,19 @@ public static ValidationResult Validate(
     /// <param name="roots">Optional. A set of root certificates to try to chain the signing certificate to during validation, in addition to the certificates installed on the host machine.</param>
     /// <param name="revocationMode">Optional. Revocation mode to use when validating the certificate chain.</param>
     /// <param name="requiredCommonName">Optional. Requires the signing certificate to match the specified Common Name.</param>
+    /// <param name="allowUntrusted">True to allow untrusted certificates.</param>
+    /// <param name="allowOutdated">True to allow signatures with expired certificates to pass validation unless the expired certificate has a lifetime EKU.</param>
     /// <returns>The decoded payload as a string.</returns>
     public static string? GetPayload(
         FileInfo signature,
         out ValidationResult result,
         List<X509Certificate2>? roots = null,
         X509RevocationMode revocationMode = X509RevocationMode.Online,
-        string? requiredCommonName = null)
+        string? requiredCommonName = null,
+        bool allowUntrusted = false,
+        bool allowOutdated = false)
         => GetPayloadInternal(signatureBytes: null, signatureStream: null, signatureFile: signature,
-            GetValidator(roots, revocationMode, requiredCommonName),
+            GetValidator(roots, revocationMode, requiredCommonName, allowUntrusted, allowOutdated),
             out result);
 
     /// <summary>
@@ -792,14 +819,16 @@ internal static CoseSign1MessageValidator GetValidator(
         List<X509Certificate2>? roots = null,
         X509RevocationMode revocationMode = X509RevocationMode.Online,
         string? requiredCommonName = null,
-        bool allowUntrusted = false)
+        bool allowUntrusted = false,
+        bool allowOutdated = false)
     {
         // Create a validator for the certificate trust chain.
         CoseSign1MessageValidator chainTrustValidator = new X509ChainTrustValidator(
                 roots,
                 revocationMode,
                 allowUnprotected: true,
-                allowUntrusted: allowUntrusted);
+                allowUntrusted: allowUntrusted,
+                allowOutdated: allowOutdated);
 
         // If validating CommonName, we'll do that first, and set it to call for chain trust validation when it finishes.
         if (!string.IsNullOrWhiteSpace(requiredCommonName))

diff --git a/CoseSign1.Certificates.Tests/X509ChainTrustValidatorTests.cs b/CoseSign1.Certificates.Tests/X509ChainTrustValidatorTests.cs
@@ -221,9 +221,10 @@
         CoseSign1Message message = CreateCoseSign1MessageWithChainedCert();
 
         // Mock the ChainBuilder to always return success
-        Mock<ICertificateChainBuilder> mockBuilder = new(MockBehavior.Strict);
+        Mock<ICertificateChainBuilder> mockBuilder = new();
         mockBuilder.Setup(x => x.Build(It.IsAny<X509Certificate2>())).Returns(true);
         mockBuilder.Setup(x => x.ChainElements).Returns([.. DefaultTestChain]);
+        mockBuilder.Setup(x => x.ChainPolicy).Returns(new X509ChainPolicy());
 
         // Validate
         X509ChainTrustValidator Validator = new(mockBuilder.Object);
@@ -302,7 +303,7 @@
         results[0].Includes.Should().NotBeNull();
         results[0].Includes?.Count.Should().Be(1);
         X509ChainStatus? status = results[0].Includes?.Cast<X509ChainStatus>().FirstOrDefault();
-        status.Value.Status.Should().Be(X509ChainStatusFlags.PartialChain);
+        status.Value.Status.Should().Be(X509ChainStatusFlags.UntrustedRoot);
     }
 
     // Prove that an untrusted, self-signed cert passes only when the same cert is passed as a root or AllowUntrusted is ON
@@ -396,7 +397,7 @@
         results[0].Includes.Should().NotBeNull();
         results[0].Includes?.Count.Should().Be(1);
         X509ChainStatus? status = results[0].Includes?.Cast<X509ChainStatus>().FirstOrDefault();
-        status.Value.Status.Should().Be(X509ChainStatusFlags.PartialChain);
+        status.Value.Status.Should().Be(X509ChainStatusFlags.UntrustedRoot);
 
         // Revoked cert case //
         Mock<ICertificateChainBuilder> builder = new();

diff --git a/CoseSign1.Certificates/Local/Validators/X509ChainTrustValidator.cs b/CoseSign1.Certificates/Local/Validators/X509ChainTrustValidator.cs
@@ -101,7 +101,6 @@ protected override CoseSign1ValidationResult ValidateCertificate(
         List<X509Certificate2>? certChain,
         List<X509Certificate2>? extraCertificates)
     {
-
         // If there are user-supplied roots, add them to the ExtraCerts collection.
         bool hasRoots = false;
         if (Roots?.Count > 0)
@@ -111,6 +110,16 @@ protected override CoseSign1ValidationResult ValidateCertificate(
             Roots.ForEach(c => ChainBuilder.ChainPolicy.ExtraStore.Add(c));
         }
 
+        if (certChain?.Count > 0)
+        {
+            ChainBuilder.ChainPolicy.ExtraStore.AddRange(certChain.ToArray());
+        }
+
+        if (extraCertificates?.Count > 0)
+        {
+            ChainBuilder.ChainPolicy.ExtraStore.AddRange(extraCertificates.ToArray());
+        }
+
         // Build the cert chain. If Build succeeds, return success.
         if (ChainBuilder.Build(signingCertificate))
         {

diff --git a/CoseSign1.Tests.Common/TestCertificateUtils.cs b/CoseSign1.Tests.Common/TestCertificateUtils.cs
@@ -149,9 +149,10 @@ public static X509Certificate2Collection CreateTestChain(
         [CallerMemberName] string? testName = "none",
         bool useEcc = false,
         int? keySize = null,
-        bool leafFirst = false)
+        bool leafFirst = false,
+        TimeSpan? rootDuration = null)
     {
-        X509Certificate2 testRoot = CreateCertificate($"Test Root: {testName}", useEcc: useEcc, keySize: keySize);
+        X509Certificate2 testRoot = CreateCertificate($"Test Root: {testName}", useEcc: useEcc, keySize: keySize, duration: rootDuration);
         X509Certificate2 issuer = CreateCertificate($"Test Issuer: {testName}", testRoot, useEcc: useEcc, keySize: keySize);
         X509Certificate2 leaf = CreateCertificate($"Test Leaf: {testName}", issuer, useEcc: useEcc, keySize: keySize);