Add support for OCSP on Linux, overhaul Linux X509Chain processing
author Jeremy Barton <jbarton@microsoft.com>
Fri, 22 Feb 2019 20:51:22 +0000 (12:51 -0800)
committer GitHub <noreply@github.com>
Fri, 22 Feb 2019 20:51:22 +0000 (12:51 -0800)
commit 46ae7ef229723f6198b218cf6cd93537577a6b8e
tree 853b817d68eed65ea16686473f3e5e15f2a3942c
parent d56b9711a5a73fbd7957166e1eec5e8fadc93de9
Add support for OCSP on Linux, overhaul Linux X509Chain processing

This change moves a lot of the chain building work from managed code into the native shim, largely to cut down on the number of P/Invokes required to set up the chain builder.

Once a chain has been built to a point where only one issuer will be considered, if revocation was requested and a CRL is not available, attempt an OCSP request if the certificate indicates the CA has an OCSP endpoint.

Based on CA/Browser Forum's requirements this expects CRL for all intermediates and only attempts OCSP for the end-entity certificate.

"Conforming" OCSP requests are opportunistically cached on the basis that local filesystem re-reads are more reliable (and faster) than doing a live request to the CA.

Commit migrated from https://github.com/dotnet/corefx/commit/0fbbb68a3f7be82d26e4b2dff5c25c192e3a2023
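As an added example (not code from this commit or the dotnet/corefx repository), the following Python parses the DER of a certificate's AuthorityInfoAccess extension to find the OCSP responder URI, which is the "certificate indicates the CA has an OCSP endpoint" condition the message describes; the sample extension bytes and the example.test hostnames are constructed for the example.

```python
# Added example: minimal DER parser for the AuthorityInfoAccess (AIA) extension.
# A chain builder that falls back from CRL to OCSP must first learn whether the
# issuing CA advertises a responder: an AccessDescription whose accessMethod is
# id-ad-ocsp. The sample bytes at the bottom are constructed, not from a real CA.

OID_AD_OCSP = "1.3.6.1.5.5.7.48.1"        # id-ad-ocsp
OID_AD_CA_ISSUERS = "1.3.6.1.5.5.7.48.2"  # id-ad-caIssuers

def _read_tlv(data, pos):
    """Return (tag, contents, next_pos) for the DER TLV starting at data[pos]."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length

def _decode_oid(contents):
    """Decode OBJECT IDENTIFIER contents into dotted-decimal text."""
    arcs, acc = [contents[0] // 40, contents[0] % 40], 0
    for b in contents[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                   # last base-128 digit of this arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def parse_aia(aia_der):
    """Parse the DER inside an AIA extnValue into [(accessMethod OID, URI), ...].
    Only uniformResourceIdentifier ([6] IA5String) locations are kept."""
    tag, seq, _ = _read_tlv(aia_der, 0)
    if tag != 0x30:
        raise ValueError("AuthorityInfoAccessSyntax must be a SEQUENCE")
    out, pos = [], 0
    while pos < len(seq):
        tag, desc, pos = _read_tlv(seq, pos)
        oid_tag, oid, p = _read_tlv(desc, 0)
        name_tag, name, _ = _read_tlv(desc, p)
        if tag == 0x30 and oid_tag == 0x06 and name_tag == 0x86:
            out.append((_decode_oid(oid), name.decode("ascii")))
    return out

def ocsp_responders(aia_der):
    """URIs an OCSP request for this certificate may be sent to."""
    return [uri for method, uri in parse_aia(aia_der) if method == OID_AD_OCSP]

def _der(tag, body):
    """Tiny DER encoder (short-form length) used only to build the sample."""
    return bytes([tag, len(body)]) + body

# Constructed sample AIA: one OCSP responder and one caIssuers pointer.
SAMPLE_AIA = _der(0x30,
    _der(0x30, _der(0x06, bytes.fromhex("2B06010505073001")) + _der(0x86, b"http://ocsp.example.test"))
    + _der(0x30, _der(0x06, bytes.fromhex("2B06010505073002")) + _der(0x86, b"http://ca.example.test/ca.cer")))
```

A certificate whose AIA carries no id-ad-ocsp entry yields an empty list, which is the case where a builder that already lacks a CRL has to report revocation status as unknown rather than silently pass.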
35 files changed:
src/libraries/Common/src/Interop/Unix/System.Security.Cryptography.Native/Interop.ASN1.Nid.cs
src/libraries/Common/src/Interop/Unix/System.Security.Cryptography.Native/Interop.Crypto.cs
src/libraries/Common/src/Interop/Unix/System.Security.Cryptography.Native/Interop.Encode.cs
src/libraries/Common/src/Interop/Unix/System.Security.Cryptography.Native/Interop.OCSP.cs [new file with mode: 0644]
src/libraries/Common/src/Interop/Unix/System.Security.Cryptography.Native/Interop.X509.cs
src/libraries/Common/src/Interop/Unix/System.Security.Cryptography.Native/Interop.X509Stack.cs
src/libraries/Common/src/Interop/Unix/System.Security.Cryptography.Native/Interop.X509StoreCtx.cs
src/libraries/Common/src/Microsoft/Win32/SafeHandles/Asn1SafeHandles.Unix.cs
src/libraries/Common/src/System/Security/Cryptography/Oids.cs
src/libraries/Native/Unix/System.Security.Cryptography.Native/CMakeLists.txt
src/libraries/Native/Unix/System.Security.Cryptography.Native/apibridge.c
src/libraries/Native/Unix/System.Security.Cryptography.Native/apibridge.h
src/libraries/Native/Unix/System.Security.Cryptography.Native/openssl.c
src/libraries/Native/Unix/System.Security.Cryptography.Native/openssl.h
src/libraries/Native/Unix/System.Security.Cryptography.Native/openssl_1_0_structs.h
src/libraries/Native/Unix/System.Security.Cryptography.Native/opensslshim.h
src/libraries/Native/Unix/System.Security.Cryptography.Native/pal_asn1.c
src/libraries/Native/Unix/System.Security.Cryptography.Native/pal_asn1.h
src/libraries/Native/Unix/System.Security.Cryptography.Native/pal_ocsp.c [new file with mode: 0644]
src/libraries/Native/Unix/System.Security.Cryptography.Native/pal_ocsp.h [new file with mode: 0644]
src/libraries/Native/Unix/System.Security.Cryptography.Native/pal_x509.c
src/libraries/Native/Unix/System.Security.Cryptography.Native/pal_x509.h
src/libraries/System.Net.Http/src/System/Net/Http/CurlHandler/CurlHandler.SslProvider.Linux.cs
src/libraries/System.Security.Cryptography.X509Certificates/src/Internal/Cryptography/Pal.Unix/CertificateAssetDownloader.cs
src/libraries/System.Security.Cryptography.X509Certificates/src/Internal/Cryptography/Pal.Unix/ChainPal.cs
src/libraries/System.Security.Cryptography.X509Certificates/src/Internal/Cryptography/Pal.Unix/CollectionBackedStoreProvider.cs
src/libraries/System.Security.Cryptography.X509Certificates/src/Internal/Cryptography/Pal.Unix/CrlCache.cs
src/libraries/System.Security.Cryptography.X509Certificates/src/Internal/Cryptography/Pal.Unix/DirectoryBasedStoreProvider.cs
src/libraries/System.Security.Cryptography.X509Certificates/src/Internal/Cryptography/Pal.Unix/OpenSslX509CertificateReader.cs
src/libraries/System.Security.Cryptography.X509Certificates/src/Internal/Cryptography/Pal.Unix/OpenSslX509ChainProcessor.cs
src/libraries/System.Security.Cryptography.X509Certificates/src/Internal/Cryptography/Pal.Unix/StorePal.cs
src/libraries/System.Security.Cryptography.X509Certificates/src/Internal/Cryptography/Pal.Unix/X509Persistence.cs
src/libraries/System.Security.Cryptography.X509Certificates/src/System.Security.Cryptography.X509Certificates.csproj
src/libraries/System.Security.Cryptography.X509Certificates/src/System/Security/Cryptography/X509Certificates/X509Store.cs
src/libraries/System.Security.Cryptography.X509Certificates/tests/ChainTests.cs