From 5734c304bcee2034f731d03e4b13c5da2c91db6e Mon Sep 17 00:00:00 2001
From: Kevin Jones
Date: Wed, 16 Jul 2025 17:00:50 -0400
Subject: [PATCH 1/5] Fix BuildChainCustomTrustStore
---
 .../tests/X509Certificates/ChainTests.cs | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/src/libraries/System.Security.Cryptography/tests/X509Certificates/ChainTests.cs b/src/libraries/System.Security.Cryptography/tests/X509Certificates/ChainTests.cs
index de1d0b55bf2f62..abd3eb37383474 100644
--- a/src/libraries/System.Security.Cryptography/tests/X509Certificates/ChainTests.cs
+++ b/src/libraries/System.Security.Cryptography/tests/X509Certificates/ChainTests.cs
@@ -344,6 +344,8 @@ public static void BuildChainCustomTrustStore(
 chainTest.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
 chainTest.ChainPolicy.ExtraStore.Add(issuerCert);
 
+ X509ChainStatusFlags allowedFlags = X509ChainStatusFlags.NoError;
+
 switch (testArguments)
 {
 case BuildChainCustomTrustStoreTestArguments.TrustedIntermediateUntrustedRoot:
@@ -361,6 +363,7 @@ public static void BuildChainCustomTrustStore(
 chainHolder.DisposeChainElements();
 chainTest.ChainPolicy.CustomTrustStore.Remove(rootCert);
 chainTest.ChainPolicy.TrustMode = X509ChainTrustMode.System;
+ allowedFlags |= X509ChainStatusFlags.PartialChain;
 break;
 default:
 throw new InvalidDataException();
@@ -368,7 +371,11 @@ public static void BuildChainCustomTrustStore(
 
 Assert.Equal(chainBuildsSuccessfully, chainTest.Build(endCert));
 Assert.Equal(3, chainTest.ChainElements.Count);
- Assert.Equal(chainFlags, chainTest.AllStatusFlags());
+
+ X509ChainStatusFlags actualFlags = chainTest.AllStatusFlags();
+ actualFlags &= ~allowedFlags;
+
+ Assert.Equal(chainFlags, actualFlags);
 }
 }
 
From befe563abdfe2ed56745c6936cf8a9862bce6276 Mon Sep 17 00:00:00 2001
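Review bot: The tolerance mask in the last hunk is applied to one side only: `actualFlags &= ~allowedFlags;` strips the tolerated bits from what the chain reported, but `chainFlags` from the theory data is compared unmasked at `Assert.Equal(chainFlags, actualFlags)`, so a case whose expected flags ever include a tolerated bit can no longer pass, and the asymmetry is easy to miss. Masking both sides keeps the comparison honest: `Assert.Equal(chainFlags & ~allowedFlags, actualFlags & ~allowedFlags);`. `allowedFlags` also deserves a comment at its declaration in the first hunk saying what it is for, e.g. `// Status flags a case may legitimately report or omit depending on the platform's trust store; excluded from the comparison below.` — without it the masking reads as the test deliberately ignoring a trust failure. The method's opening and the theory data that supplies `chainFlags` are outside the hunks.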
From: Kevin Jones
Date: Wed, 16 Jul 2025 17:03:06 -0400
Subject: [PATCH 2/5] Allow partial chains
---
 .../tests/X509Certificates/ChainTests.cs | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/libraries/System.Security.Cryptography/tests/X509Certificates/ChainTests.cs b/src/libraries/System.Security.Cryptography/tests/X509Certificates/ChainTests.cs
index abd3eb37383474..c17c26b9d2e3d7 100644
--- a/src/libraries/System.Security.Cryptography/tests/X509Certificates/ChainTests.cs
+++ b/src/libraries/System.Security.Cryptography/tests/X509Certificates/ChainTests.cs
@@ -363,6 +363,7 @@ public static void BuildChainCustomTrustStore(
 chainHolder.DisposeChainElements();
 chainTest.ChainPolicy.CustomTrustStore.Remove(rootCert);
 chainTest.ChainPolicy.TrustMode = X509ChainTrustMode.System;
+ chainTest.ChainPolicy.VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority;
 allowedFlags |= X509ChainStatusFlags.PartialChain;
 break;
 default:
@@ -370,7 +371,7 @@ public static void BuildChainCustomTrustStore(
 }
 
 Assert.Equal(chainBuildsSuccessfully, chainTest.Build(endCert));
- Assert.Equal(3, chainTest.ChainElements.Count);
+ Assert.InRange(chainTest.ChainElements.Count, 2, 3);
 
 X509ChainStatusFlags actualFlags = chainTest.AllStatusFlags();
 actualFlags &= ~allowedFlags;
From 60348d33a4ef74e6b86c74b64733bcc2c4d78cc5 Mon Sep 17 00:00:00 2001
From: Kevin Jones
Date: Wed, 16 Jul 2025 17:08:42 -0400
Subject: [PATCH 3/5] Try using the extra store
---
 .../tests/X509Certificates/ChainTests.cs | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/libraries/System.Security.Cryptography/tests/X509Certificates/ChainTests.cs b/src/libraries/System.Security.Cryptography/tests/X509Certificates/ChainTests.cs
index c17c26b9d2e3d7..ac027df297dcf2 100644
--- a/src/libraries/System.Security.Cryptography/tests/X509Certificates/ChainTests.cs
+++ b/src/libraries/System.Security.Cryptography/tests/X509Certificates/ChainTests.cs
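Review bot: `X509VerificationFlags.AllowUnknownCertificateAuthority` in the first hunk changes what `Build()` returns, not only which flags are reported: with it set, an untrusted or unreachable root no longer makes `Build()` return false, so for this case `Assert.Equal(chainBuildsSuccessfully, chainTest.Build(endCert))` can no longer tell a root the System store trusts from one it does not, and the switch to `X509ChainTrustMode.System` is effectively unverified by that assertion. If the reason is that the root is not present in the system store on every test machine (which I infer from the `PartialChain` allowance on the next line), that rationale belongs in a comment next to the assignment, e.g. `// The System store may not contain this root on every test machine; do not let an unknown CA fail Build(), the status flags are checked separately below.` The assignment also uses `=`, which discards any `VerificationFlags` the policy was given earlier in the method, outside this hunk; `|=` would be safe either way. The enclosing switch and the assertions that follow lie outside the hunk.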
@@ -364,14 +364,14 @@ public static void BuildChainCustomTrustStore(
 chainTest.ChainPolicy.CustomTrustStore.Remove(rootCert);
 chainTest.ChainPolicy.TrustMode = X509ChainTrustMode.System;
 chainTest.ChainPolicy.VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority;
- allowedFlags |= X509ChainStatusFlags.PartialChain;
+ cahinTest.ChainPolicy.ExtraStore.Add(rootCert);
 break;
 default:
 throw new InvalidDataException();
 }
 
 Assert.Equal(chainBuildsSuccessfully, chainTest.Build(endCert));
- Assert.InRange(chainTest.ChainElements.Count, 2, 3);
+ Assert.Equal(3, chainTest.ChainElements.Count);
 
 X509ChainStatusFlags actualFlags = chainTest.AllStatusFlags();
 actualFlags &= ~allowedFlags;
From bbf4f5bc023e3e38d760b79e331773aef8bb496e Mon Sep 17 00:00:00 2001
From: Kevin Jones
Date: Wed, 16 Jul 2025 17:09:24 -0400
Subject: [PATCH 4/5] Fix typo
---
 .../tests/X509Certificates/ChainTests.cs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/libraries/System.Security.Cryptography/tests/X509Certificates/ChainTests.cs b/src/libraries/System.Security.Cryptography/tests/X509Certificates/ChainTests.cs
index ac027df297dcf2..70cdfd058b19cd 100644
--- a/src/libraries/System.Security.Cryptography/tests/X509Certificates/ChainTests.cs
+++ b/src/libraries/System.Security.Cryptography/tests/X509Certificates/ChainTests.cs
@@ -364,7 +364,7 @@ public static void BuildChainCustomTrustStore(
 chainTest.ChainPolicy.CustomTrustStore.Remove(rootCert);
 chainTest.ChainPolicy.TrustMode = X509ChainTrustMode.System;
 chainTest.ChainPolicy.VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority;
- cahinTest.ChainPolicy.ExtraStore.Add(rootCert);
+ chainTest.ChainPolicy.ExtraStore.Add(rootCert);
 break;
 default:
 throw new InvalidDataException();
From cff3fcee1a306df2e38ceaba4fc72adb9f2457db Mon Sep 17 00:00:00 2001
From: Kevin Jones
Date: Wed, 16 Jul 2025 17:10:32 -0400
Subject: [PATCH 5/5] Allow untrusted root
---
 .../tests/X509Certificates/ChainTests.cs | 1 +
 1 file changed, 1 insertion(+)
diff --git a/src/libraries/System.Security.Cryptography/tests/X509Certificates/ChainTests.cs b/src/libraries/System.Security.Cryptography/tests/X509Certificates/ChainTests.cs
index 70cdfd058b19cd..34ce9021b14b51 100644
--- a/src/libraries/System.Security.Cryptography/tests/X509Certificates/ChainTests.cs
+++ b/src/libraries/System.Security.Cryptography/tests/X509Certificates/ChainTests.cs
@@ -365,6 +365,7 @@ public static void BuildChainCustomTrustStore(
 chainTest.ChainPolicy.TrustMode = X509ChainTrustMode.System;
 chainTest.ChainPolicy.VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority;
 chainTest.ChainPolicy.ExtraStore.Add(rootCert);
+ allowedFlags |= X509ChainStatusFlags.UntrustedRoot;
 break;
 default:
 throw new InvalidDataException();
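Review bot: Adding `UntrustedRoot` to `allowedFlags` on top of `AllowUnknownCertificateAuthority`, with the root supplied only through `ExtraStore`, means the second build in this branch now passes identically whether or not the System store trusts the root: `Build()` cannot fail on it, and the one flag that would reveal it is masked out before the flags are compared. What this case still verifies is the element count and the absence of other status flags, which is a materially weaker contract than a trust-mode switch test implies, and nothing in the hunk says so. If that trade-off is intended it should be documented on the new line, e.g. `// UntrustedRoot is tolerated here: the System store may not hold this root on the test machine, and rootCert is supplied via ExtraStore only so the chain still has three elements.` A stronger option is to gate the allowance on whether the root can actually be found in the System store (e.g. an `X509Store` lookup against `StoreName.Root`) so machines that do have it keep the full check. The switch statement and the assertions that consume `allowedFlags` are outside the hunk.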