Dynamic X509ChainPolicy verification time
In previous versions of .NET, the X509ChainPolicy.VerificationTime value was assigned to DateTime.Now when the X509ChainPolicy object was constructed. Using the same X509ChainPolicy object for multiple calls to X509Chain.Build(X509Certificate2) resulted in all chain builds using that same value as the verification time, no matter how much time had passed since the object was created.
The new default behavior is to use the value of DateTime.Now at the moment X509Chain.Build() is invoked as the verification time. This change doesn't affect chain builds that explicitly assign X509ChainPolicy.VerificationTime.
Previous behavior
The X509ChainPolicy.VerificationTime value was assigned to DateTime.Now when the X509ChainPolicy object was constructed. This value was used in all subsequent X509Chain.Build(X509Certificate2) calls (unless or until the value was reassigned at a later time).
New behavior
The X509ChainPolicy.VerificationTime value is assigned to DateTime.Now when the X509ChainPolicy object is constructed, but the new X509ChainPolicy.VerificationTimeIgnored property defaults to true. When this property has a value of true, the X509Chain.Build(X509Certificate2) method uses DateTime.Now as the verification time instead of X509ChainPolicy.VerificationTime when building the chain.
Assigning a value to the X509ChainPolicy.VerificationTime property automatically sets VerificationTimeIgnored to false.
Version introduced
.NET 7
Type of breaking change
This change can affect binary compatibility.
Reason for change
Callers who cache configured X509ChainPolicy objects were often surprised that their validation was slowly moving further back in time. This change makes long-lived X509ChainPolicy objects easier to work with and doesn't significantly impact short-lived objects.
Recommended action
The following callers aren't impacted by the change:
- Callers that don't have long-lived X509ChainPolicy objects.
- Callers that explicitly assign the X509ChainPolicy.VerificationTime property.
Callers that have a long-lived X509ChainPolicy object that wish to use the previous behavior can either assign the new X509ChainPolicy.VerificationTimeIgnored property to false or assign the X509ChainPolicy.VerificationTime property to DateTime.Now.
var policy = new X509ChainPolicy
{
// ...
VerificationTime = DateTime.Now,
};
or
var policy = new X509ChainPolicy
{
// ...
VerificationTimeIgnored = false,
};
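As an added example (not code from this page or from .NET itself), the following program exercises the behavior described under New behavior and Recommended action: a cached policy reused across builds sees an expired certificate rejected under the .NET 7 default, then accepted again once VerificationTimeIgnored is set back to false. It assumes .NET 7 or later and constructs its own short-lived self-signed test certificate; the class and method names are the example's own.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Threading;

// Added example, not from the original page. The certificate is a constructed,
// self-signed test certificate that expires two seconds after it is created.
static class VerificationTimeDemo
{
    static X509Certificate2 CreateShortLivedSelfSigned()
    {
        using var key = ECDsa.Create(ECCurve.NamedCurves.nistP256);
        var req = new CertificateRequest("CN=short-lived-test", key, HashAlgorithmName.SHA256);
        req.CertificateExtensions.Add(new X509BasicConstraintsExtension(true, false, 0, true));
        DateTimeOffset now = DateTimeOffset.UtcNow;
        return req.CreateSelfSigned(now.AddMinutes(-1), now.AddSeconds(2));
    }

    // Builds a chain with the given (possibly long-lived) policy and reports the
    // combined status flags, so the time-validity result is visible.
    static bool Build(X509ChainPolicy policy, X509Certificate2 cert, out X509ChainStatusFlags status)
    {
        using var chain = new X509Chain { ChainPolicy = policy };
        bool ok = chain.Build(cert);
        status = X509ChainStatusFlags.NoError;
        foreach (X509ChainStatus s in chain.ChainStatus) status |= s.Status;
        return ok;
    }

    static void Main()
    {
        using X509Certificate2 cert = CreateShortLivedSelfSigned();
        // One cached policy reused across builds: the scenario the page describes.
        var cachedPolicy = new X509ChainPolicy
        {
            TrustMode = X509ChainTrustMode.CustomRootTrust,
            RevocationMode = X509RevocationMode.NoCheck,
        };
        cachedPolicy.CustomTrustStore.Add(cert);
        Console.WriteLine($"Immediately: valid={Build(cachedPolicy, cert, out var s1)} [{s1}]");
        Thread.Sleep(TimeSpan.FromSeconds(3)); // let the certificate expire
        // .NET 7 default (VerificationTimeIgnored == true): Build uses DateTime.Now,
        // so the expired certificate is reported as NotTimeValid.
        Console.WriteLine($"After expiry, new default: valid={Build(cachedPolicy, cert, out var s2)} [{s2}]");
        // Opting back into the old behavior freezes the verification time at the
        // moment the policy was constructed, so the expired certificate still passes.
        cachedPolicy.VerificationTimeIgnored = false;
        Console.WriteLine($"After expiry, frozen time: valid={Build(cachedPolicy, cert, out var s3)} [{s3}]");
    }
}
```

The third build shows the risk the page describes: with a frozen verification time, a certificate that has since expired is still accepted, because the time check is evaluated against when the policy was created rather than against now.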
Affected APIs
- System.Security.Cryptography.X509Certificates.X509ChainPolicy
- System.Security.Cryptography.X509Certificates.X509ChainPolicy.VerificationTime
- System.Security.Cryptography.X509Certificates.X509ChainPolicy.VerificationTimeIgnored