From ab8f966d6ef6a895650d20ce26c51af53aa3b971 Mon Sep 17 00:00:00 2001
From: Hao Kung
Date: Thu, 1 Apr 2021 12:16:45 -0700
Subject: [PATCH 1/2] Cert Auth: Cache validation for expired certs

---
 .../Certificate/src/CertificateValidationCache.cs | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/src/Security/Authentication/Certificate/src/CertificateValidationCache.cs b/src/Security/Authentication/Certificate/src/CertificateValidationCache.cs
index a7b82e53ee2e..e264b287874a 100644
--- a/src/Security/Authentication/Certificate/src/CertificateValidationCache.cs
+++ b/src/Security/Authentication/Certificate/src/CertificateValidationCache.cs
@@ -43,8 +43,12 @@ public CertificateValidationCache(IOptions op
 /// The certificate.
 /// the
 public void Put(HttpContext context, X509Certificate2 certificate, AuthenticateResult result)
- => _cache.Set(ComputeKey(certificate), result.Clone(), new MemoryCacheEntryOptions()
- .SetSize(1).SetSlidingExpiration(_options.CacheEntryExpiration).SetAbsoluteExpiration(certificate.NotAfter));
+ {
+ // Cache expired certs for little while too
+ var absExpiration = (certificate.NotAfter < DateTime.Now) ? DateTime.Now + _options.CacheEntryExpiration : certificate.NotAfter;
+ _cache.Set(ComputeKey(certificate), result.Clone(), new MemoryCacheEntryOptions()
+ .SetSize(1).SetSlidingExpiration(_options.CacheEntryExpiration).SetAbsoluteExpiration(absExpiration));
+ }
 private string ComputeKey(X509Certificate2 certificate)
 => certificate.GetCertHashString(HashAlgorithmName.SHA256);

From 7aafe37f2a6da61e94a8bb5c74ca91bad6e4d225 Mon Sep 17 00:00:00 2001
From: Hao Kung
Date: Thu, 1 Apr 2021 12:46:58 -0700
Subject: [PATCH 2/2] Update CertificateValidationCache.cs

---
 .../Authentication/Certificate/src/CertificateValidationCache.cs | 1 +
 1 file changed, 1 insertion(+)
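Review bot: The new `absExpiration` line reads the wall clock twice (`certificate.NotAfter < DateTime.Now` and then `DateTime.Now + _options.CacheEntryExpiration`), so the comparison and the computed expiry are taken from different instants; capture it once: `var now = DateTime.Now;` and `var absExpiration = certificate.NotAfter < now ? now + _options.CacheEntryExpiration : certificate.NotAfter;`. This is a cache for authentication decisions, so it deserves a comment stating the security contract the new code creates: a result for an already-expired certificate (normally a failure) is now retained for `CacheEntryExpiration` rather than being dropped immediately, which bounds repeated re-validation of the same bad certificate but also means a result computed under one clock reading is served until that window elapses — something like `// An already-expired cert would otherwise get an absolute expiry in the past and never be cached; keep its (negative) result for one CacheEntryExpiration window so repeated presentations do not re-run validation.` replacing the terse `// Cache expired certs for little while too`. If the handler that produces `result` validates against an injected clock rather than `DateTime.Now`, the cache and the validator can disagree near the `NotAfter` boundary; worth confirming and, if so, threading the same clock through here. Note that `SetAbsoluteExpiration(DateTime)` converts a local-kind `NotAfter` to a `DateTimeOffset`, so the `DateTime.Now` comparison is at least consistent in kind, but `DateTimeOffset.Now` would make that explicit.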
diff --git a/src/Security/Authentication/Certificate/src/CertificateValidationCache.cs b/src/Security/Authentication/Certificate/src/CertificateValidationCache.cs
index e264b287874a..73568e6de001 100644
--- a/src/Security/Authentication/Certificate/src/CertificateValidationCache.cs
+++ b/src/Security/Authentication/Certificate/src/CertificateValidationCache.cs
@@ -1,6 +1,7 @@
 // Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+using System;
 using System.Security.Cryptography;
 using System.Security.Cryptography.X509Certificates;
 using Microsoft.AspNetCore.Http;