[Mono-dev] [PATCH] Bug in X509Chain?

Sebastien Pouliot sebastien.pouliot at gmail.com
Thu Dec 8 07:59:18 EST 2005


Bonjour Vincent,

On Wed, 2005-12-07 at 21:44 -0500, Vincent Cote-Roy wrote:
> Hi,
> 
> I'm using the Ssl*Stream classes in Mono.Security for a custom TLS 
> client/server. I want to force the client to supply a cert and have the 
> server validate it. From what I can gather, X509Chain will validate a 
> certificate if (among other things) it finds its root cert among the 
> TrustAnchors list, which is initialized with 
> X509StoreManager.TrustedRootCertificates. So before starting the server 
> I will add my root CA to this list with 
> X509StoreManager.CurrentUser.TrustedRoot.Certificates.Add. But my client 
> cert still fails validation with X509ChainStatusFlags.PartialChain. This 
> is not supposed to happen, right?
> 
> When stepping into the X509Chain.Build method (as called by 
> Mono.[bla].Server.TlsClientCertificate.checkCertificateUsage), I noticed 
> that when:
> 
> _root = FindCertificateRoot (tmp);
> 
> is called, tmp is always null. I think that's wrong, no? When I run the 
> code again with my patch (see attach.) applied, validation succeeds.

There was a reason, that I totally forgot, for the original code. I'll
track back SVN history to see if I can find out why. There was also a
recent change in that code to fix another issue, so it may also be a
regression.

However this isn't a generalized problem (i.e. chaining normally works)
so you're hitting a special condition. Would it be possible to send me
the chain of certificates leading to this? It would be helpful to
create a (or some) test case(s) to avoid future regressions (this code
is very likely to change/expand in the forthcoming 2.0 API updates in
Mono).

Thanks.

> Cheers,
> 
> Vincent
> 
> plain text document attachment (X509Chain.cs.diff.txt)
> Index: X509Chain.cs
> ===================================================================
> --- X509Chain.cs	(revision 54018)
> +++ X509Chain.cs	(working copy)
> @@ -129,11 +129,9 @@
>  				X509Certificate x = leaf;
>  				X509Certificate tmp = x;
>  				while ((x != null) && (!x.IsSelfSigned)) {
> -					tmp = FindCertificateParent (x);
> -					if (x != null) {
> -						_chain.Add (x);
> -						x = tmp;	// last valid
> -					}
> +					tmp = x; // last valid
> +					_chain.Add (x);
> +					x = FindCertificateParent (x);
>  				}
>  				// find a trusted root
>  				_root = FindCertificateRoot (tmp);
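Review bot: the removed `if (x != null)` tested the wrong variable: inside the loop `x` is already non-null by the `while` condition, and the value that can actually be null is `tmp`, the result of `FindCertificateParent (x)`, so as soon as no parent is found both `tmp` and `x` become null and `FindCertificateRoot (tmp)` runs with null, which matches the PartialChain report. The replacement keeps `tmp` on the last certificate appended to `_chain`, so `FindCertificateRoot` receives the certificate whose issuer has to be found among the trust anchors. One behavioural difference is worth checking before committing: when the loop stops because `x` is self-signed, `tmp` used to be that self-signed certificate and is now its child, so `FindCertificateRoot` gets a different argument on that path; confirm it handles both a self-signed input and a child-of-root input, and cover both paths (root present only in the trust anchors, and root reachable through `FindCertificateParent`) in the regression test cases requested above.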
> _______________________________________________
> Mono-devel-list mailing list
> Mono-devel-list at lists.ximian.com
> http://lists.ximian.com/mailman/listinfo/mono-devel-list
-- 
Sebastien Pouliot
email: sebastien at ximian.com
blog: http://pages.infinit.net/ctech/
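To make the reported failure reproducible without Mono, here is an added model (not Mono.Security's code) of the two loop versions from the quoted diff, run over a constructed leaf/intermediate/root chain. It assumes, as a modelling simplification, that FindCertificateParent searches only the intermediate store while FindCertificateRoot looks up the issuer of its argument among the trust anchors; both helper names and the sample subjects are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for X509Certificate: only subject/issuer matter here."""
    subject: str
    issuer: str

    @property
    def is_self_signed(self) -> bool:
        return self.subject == self.issuer


# Constructed sample chain (not real certificates).
ROOT = Cert("CN=Test Root CA", "CN=Test Root CA")
INTERMEDIATE = Cert("CN=Test Intermediate CA", "CN=Test Root CA")
LEAF = Cert("CN=client", "CN=Test Intermediate CA")


def find_parent(cert: Cert, intermediates: List[Cert]) -> Optional[Cert]:
    """Models FindCertificateParent: assumed to search the intermediate store only."""
    return next((c for c in intermediates if c.subject == cert.issuer), None)


def find_root(cert: Optional[Cert], anchors: List[Cert]) -> Optional[Cert]:
    """Models FindCertificateRoot: assumed to match the issuer of `cert` among the trust anchors."""
    if cert is None:
        return None
    return next((c for c in anchors if c.subject == cert.issuer), None)


def build_original(leaf: Cert, intermediates: List[Cert], anchors: List[Cert]):
    """Loop as it was before the patch: `if (x != null)` tests the wrong variable."""
    chain, x, tmp = [], leaf, leaf
    while x is not None and not x.is_self_signed:
        tmp = find_parent(x, intermediates)
        if x is not None:  # always true here; the nullable value is tmp
            chain.append(x)
            x = tmp        # becomes None when no parent is found, and so does tmp
    return chain, find_root(tmp, anchors)


def build_patched(leaf: Cert, intermediates: List[Cert], anchors: List[Cert]):
    """Loop as in the patch: tmp always holds the last certificate appended."""
    chain, x, tmp = [], leaf, leaf
    while x is not None and not x.is_self_signed:
        tmp = x
        chain.append(x)
        x = find_parent(x, intermediates)
    return chain, find_root(tmp, anchors)
```

With the root present only in the trust anchors (the reporter's setup) the original loop hands FindCertificateRoot a null, whereas when the root is also reachable through the parent lookup both versions find it, which is why chaining "normally works".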