Decrypt my World

Cryptography, Security, Debugging and more!

"NotTimeNested" not detected when doing chain validation


Hi all,

When doing certificate chain validation with the X509Chain class in .NET, you may notice that the ChainStatus property never returns NotTimeNested, even when the certificate's validity period is not nested within the issuing certificate's validity period.

.NET is simply surfacing the results of the CertGetCertificateChain API it calls behind the scenes. That API should have reported CERT_TRUST_IS_NOT_TIME_NESTED in the CERT_TRUST_STATUS struct of the resulting CERT_CHAIN_CONTEXT, but it doesn't.

The reason is that the CERT_TRUST_IS_NOT_TIME_NESTED error status is no longer supported. We discontinued that check about a decade ago.

Note that CERT_TRUST_IS_NOT_TIME_NESTED has already been removed from the MSDN article CERT_TRUST_STATUS Structure.

Also note that we won't be able to remove NotTimeNested from the X509ChainStatusFlags documentation, because the flag is part of an existing enumeration. Instead, we will add a note to the X509ChainStatusFlags Enumeration docs for .NET Framework 4.0 and .NET Framework 3.5 stating that the value will never be set. The .NET Framework 2.0 pages are no longer being updated, so there won't be any changes to the X509ChainStatusFlags Enumeration docs for .NET Framework 2.0.
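Since the platform no longer performs the nesting check, a caller that still wants it has to compare the validity periods along the built chain itself. The following is an added example, not code from the original post: it walks X509Chain.ChainElements from the end-entity certificate up to the root and reports every subject/issuer pair that is not time-nested. The leaf certificate path on the command line and the method name FindNotTimeNested are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography.X509Certificates;

public static class ChainNesting
{
    // Returns a description of every subject/issuer pair in the chain whose
    // validity periods are not nested, i.e. the subject is valid at some
    // instant when its issuer is not. ChainStatus will never report this.
    public static List<string> FindNotTimeNested(X509Chain chain)
    {
        var findings = new List<string>();
        X509ChainElementCollection elements = chain.ChainElements;

        // ChainElements runs from the end-entity certificate (index 0) up to
        // the root, so element i+1 is the issuer of element i.
        for (int i = 0; i + 1 < elements.Count; i++)
        {
            X509Certificate2 subject = elements[i].Certificate;
            X509Certificate2 issuer = elements[i + 1].Certificate;

            // Compare in UTC so local DST transitions cannot skew the result.
            bool nested = subject.NotBefore.ToUniversalTime() >= issuer.NotBefore.ToUniversalTime()
                       && subject.NotAfter.ToUniversalTime() <= issuer.NotAfter.ToUniversalTime();

            if (!nested)
            {
                findings.Add(string.Format("{0} ({1:u} - {2:u}) is not nested in {3} ({4:u} - {5:u})",
                    subject.Subject, subject.NotBefore, subject.NotAfter,
                    issuer.Subject, issuer.NotBefore, issuer.NotAfter));
            }
        }
        return findings;
    }

    public static void Main(string[] args)
    {
        // Assumption: args[0] is the path of the end-entity certificate to validate.
        var leaf = new X509Certificate2(args[0]);
        var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;

        Console.WriteLine("Build: " + chain.Build(leaf));
        foreach (X509ChainStatus status in chain.ChainStatus)
            Console.WriteLine("  " + status.Status + ": " + status.StatusInformation);

        // NotTimeNested never appears above, so report the nesting result separately.
        foreach (string finding in FindNotTimeNested(chain))
            Console.WriteLine("NotTimeNested (manual check): " + finding);
    }
}
```

Whether a non-nested period should fail validation is a policy decision for the caller; the example only surfaces the condition that the platform stopped flagging.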

I hope this helps.

Regards,


Alex (Alejandro Campos Magencio)


  • How about CERT_E_VALIDITYPERIODNESTING used in CERT_CHAIN_POLICY_STATUS?

    msdn.microsoft.com/.../aa377188(v=VS.85).aspx

    When I tried it on a not-time-nested certificate chain, this error was not returned after calling CertVerifyCertificateChainPolicy. Maybe MSDN just needs an update.
