diff --git a/src/libraries/System.Security.Cryptography.Pkcs/src/System/Security/Cryptography/Pkcs/SignerInfo.cs b/src/libraries/System.Security.Cryptography.Pkcs/src/System/Security/Cryptography/Pkcs/SignerInfo.cs
index 383b9ddc3011d8..7fd01594310732 100644
--- a/src/libraries/System.Security.Cryptography.Pkcs/src/System/Security/Cryptography/Pkcs/SignerInfo.cs
+++ b/src/libraries/System.Security.Cryptography.Pkcs/src/System/Security/Cryptography/Pkcs/SignerInfo.cs
@@ -707,14 +707,26 @@ private void Verify(
 if (!verifySignatureOnly)
 {
 X509Chain chain = new X509Chain();
- chain.ChainPolicy.ExtraStore.AddRange(extraStore);
- chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
- chain.ChainPolicy.RevocationFlag = X509RevocationFlag.ExcludeRoot;
+ try
+ {
+ chain.ChainPolicy.ExtraStore.AddRange(extraStore);
+ chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
+ chain.ChainPolicy.RevocationFlag = X509RevocationFlag.ExcludeRoot;
- if (!chain.Build(certificate))
+ if (!chain.Build(certificate))
+ {
+ X509ChainStatus status = chain.ChainStatus.FirstOrDefault();
+ throw new CryptographicException(SR.Cryptography_Cms_TrustFailure, status.StatusInformation);
+ }
+ }
+ finally
 {
- X509ChainStatus status = chain.ChainStatus.FirstOrDefault();
- throw new CryptographicException(SR.Cryptography_Cms_TrustFailure, status.StatusInformation);
+ for (int i = 0; i < chain.ChainElements.Count; i++)
+ {
+ chain.ChainElements[i].Certificate.Dispose();
+ }
+
+ chain.Dispose();
 }
 // .NET Framework checks for either of these
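Review bot: The new `finally` block disposes every `chain.ChainElements[i].Certificate` and then calls `chain.Dispose()`, but nothing says why both steps are needed or whose certificate instances the loop releases. I would add a comment above the loop such as `// X509Chain.Dispose() does not dispose the element certificates; they are chain-owned instances, not the caller's 'certificate' or the extraStore entries.` That ownership statement should be confirmed for every target this assembly builds for, because the code after the hunk presumably still reads `certificate` (the trailing comment suggests a further check), and disposing a caller-owned instance here would break it. The trust decision itself looks unchanged, since the `CryptographicException` is still thrown inside the `try` and propagates once cleanup has run. Verify's body begins and ends outside this hunk.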