Relax SystemTrustCertificateWithCustomRootTrust test

dotnet · Jul 11, 2021 · 83a4d3c · 83a4d3c
1 parent 21c2516
commit 83a4d3c
Showing 1 changed file with 19 additions and 4 deletions.
diff --git a/src/libraries/System.Security.Cryptography.X509Certificates/tests/ChainTests.cs b/src/libraries/System.Security.Cryptography.X509Certificates/tests/ChainTests.cs
@@ -245,13 +245,15 @@ public static void BuildChainExtraStoreUntrustedRoot()
         public static void SystemTrustCertificateWithCustomRootTrust(bool addCertificateToCustomRootTrust)
         {
             using (var microsoftDotCom = new X509Certificate2(TestData.MicrosoftDotComSslCertBytes))
+            using (var microsoftDotComIssuer = new X509Certificate2(TestData.MicrosoftDotComIssuerBytes))
             using (var testCert = new X509Certificate2(TestFiles.ChainPfxFile, TestData.ChainPfxPassword))
             using (var chainHolder = new ChainHolder())
             {
                 X509Chain chain = chainHolder.Chain;
                 chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
                 chain.ChainPolicy.VerificationTime = microsoftDotCom.NotBefore.AddSeconds(1);
                 chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
+                chain.ChainPolicy.ExtraStore.Add(microsoftDotComIssuer);
 
                 if (addCertificateToCustomRootTrust)
                 {
@@ -269,16 +271,29 @@ public static void SystemTrustCertificateWithCustomRootTrust(bool addCertificate
                 {
                     Assert.False(chain.Build(microsoftDotCom));
 
-                    // Linux and Windows do not search the default system root stores when CustomRootTrust is enabled
+                    // Historically, Windows has not searched system stores when CustomRootTrust is enabled.
+                    // That seems to have recently (as of 2021-07-09) changed.
+
+                    Assert.InRange(chain.ChainElements.Count, 2, 3);
+
+                    if (chain.ChainElements.Count < 3)
+                    {
+                        Assert.Equal(X509ChainStatusFlags.PartialChain, chain.AllStatusFlags());
+                    }
+                    else
+                    {
+                        Assert.Equal(X509ChainStatusFlags.UntrustedRoot, chain.AllStatusFlags());
+                    }
+
+                    // Check some known conditions.
+
                     if (PlatformDetection.UsesAppleCrypto)
                     {
                         Assert.Equal(3, chain.ChainElements.Count);
-                        Assert.Equal(X509ChainStatusFlags.UntrustedRoot, chain.AllStatusFlags());
                     }
-                    else
+                    else if (OperatingSystem.IsLinux())
                     {
                         Assert.Equal(2, chain.ChainElements.Count);
-                        Assert.Equal(X509ChainStatusFlags.PartialChain, chain.AllStatusFlags());
                     }
                 }
             }