[Mono-dev] [PATCH] Bug in X509Chain?

Yngve Zackrisson yngve.zackrisson at mobila-kontoret.se
Thu Dec 8 04:25:37 EST 2005


Hi

This problem seems similar to an issue I have reported on Bugzilla 
(#76279 - CERT_E_CHAINING problem for server certificate).
The request is done through HTTPS.

Regards

Yngve Zackrisson

Mobila-Kontoret/CK Management AB 


On Thu, 2005-12-08 at 03:44, Vincent Cote-Roy wrote:
> Hi,
> 
> I'm using the Ssl*Stream classes in Mono.Security for a custom tls 
> client/server. I want to force the client to supply a cert and have the 
> server validate it. From what I can gather, X509Chain will validate a 
> certificate if (among other things) it finds its root cert among the 
> TrustAnchors list, which is initialized with 
> X509StoreManager.TrustedRootCertificates. So before starting the server 
> I will add my root CA to this list with 
> X509StoreManager.CurrentUser.TrustedRoot.Certificates.Add. But my client 
> cert still fails validation with X509ChainStatusFlags.PartialChain. This 
> is not supposed to happen, right?
> 
> When stepping into the X509Chain.Build method (as called by 
> Mono.[bla].Server.TlsClientCertificate.checkCertificateUsage), I noticed 
> that when:
> 
> _root = FindCertificateRoot (tmp);
> 
> is called, tmp is always null. I think that's wrong, no? When I run the 
> code again with my patch (see attach.) applied, validation succeeds.
> 
> 
> Cheers,
> 
> Vincent
> 
> 
> ______________________________________________________________________
> Index: X509Chain.cs
> ===================================================================
> --- X509Chain.cs	(revision 54018)
> +++ X509Chain.cs	(working copy)
> @@ -129,11 +129,9 @@
>  				X509Certificate x = leaf;
>  				X509Certificate tmp = x;
>  				while ((x != null) && (!x.IsSelfSigned)) {
> -					tmp = FindCertificateParent (x);
> -					if (x != null) {
> -						_chain.Add (x);
> -						x = tmp;	// last valid
> -					}
> +					tmp = x; // last valid
> +					_chain.Add (x);
> +					x = FindCertificateParent (x);
>  				}
>  				// find a trusted root
>  				_root = FindCertificateRoot (tmp);
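
Review bot: After the rewritten loop, `tmp` means different things depending on how the loop exits, and the `// last valid` comment does not say which of them `FindCertificateRoot (tmp)` expects. When `FindCertificateParent (x)` returns null, `tmp` is the last certificate added to `_chain`. When it returns a self-signed certificate, the loop stops with that certificate in `x`, so it is neither in `tmp` nor in `_chain`. When `leaf` is itself self-signed, the loop never runs and `tmp` is `leaf`. Please state in the comment which certificate `FindCertificateRoot` is meant to receive and confirm the self-signed-parent exit is handled after the loop. Because this path decides whether a client certificate is trusted, the change should come with tests for a complete chain, a chain whose issuer cannot be found, and a self-signed leaf. Separately, the loop has no guard against `FindCertificateParent` returning a certificate that is already in `_chain`, so a pair of certificates that name each other as issuer would keep it from terminating.
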
> 
> ______________________________________________________________________