[Mono-dev] [PATCH] Bug in X509Chain?

Vincent Cote-Roy vincentcr at netmosphere.net
Thu Dec 8 10:54:19 EST 2005

Bonjour Sebastien,

I'm not sure this has to do with anything particular with my cert. The 
way that I look at the loop, the only way that it will validate is if 
the root cert has been explicitly added to the chain (as opposed to 
being in the TrustAnchors list). Otherwise, the loop will end when x is 
null, which can only happen when tmp is itself null.

I've simplified the test case by adding the root cert directly to 
TrustAnchors, instead of adding to the TrustedRoots store.



Sebastien Pouliot wrote:

>Bonjour Vincent,
>On Wed, 2005-12-07 at 21:44 -0500, Vincent Cote-Roy wrote:
>>I'm using the Ssl*Stream classes in Mono.Security for a custom tls 
>>client/server. I want to force the client to supply a cert and have the 
>>server validate it. From what I can gather, X509Chain will validate a 
>>certificate if (among other things) it finds its root cert among the 
>>TrustAnchors list, which is initialized with 
>>X509StoreManager.TrustedRootCertificates. So before starting the server 
>>I will add my root CA to this list with 
>>X509StoreManager.CurrentUser.TrustedRoot.Certificates.Add. But my client 
>>cert still fails validation with X509ChainStatusFlags.PartialChain. This 
>>is not supposed to happen, right?
>>When stepping into the X509Chain.Build method (as called by 
>>Mono.[bla].Server.TlsClientCertificate.checkCertificateUsage), I noticed 
>>that when:
>>_root = FindCertificateRoot (tmp);
>>is called, tmp is always null. I think that's wrong, no? When I run the 
>>code again with my patch (see attach.) applied, validation succeeds.
>There was a reason, that I totally forgot, for the original code. I'll
>track back SVN history to see if I can find out why. There was also a
>recent change in that code to fix another issue, so it may also be a
>However this isn't a generalized problem (i.e. chaining normally works)
>so you're hitting a special condition. Would it be possible to send me
>the chain of certificates leading to this ? as it would be helpful to
>create a (or some) test case(s) to avoid future regressions (this code
>is very likely to change/expand in the forthcoming 2.0 API updates in
>>plain text document attachment (X509Chain.cs.diff.txt)
>>Index: X509Chain.cs
>>--- X509Chain.cs	(revision 54018)
>>+++ X509Chain.cs	(working copy)
>>@@ -129,11 +129,9 @@
>> 				X509Certificate x = leaf;
>> 				X509Certificate tmp = x;
>> 				while ((x != null) && (!x.IsSelfSigned)) {
>>-					tmp = FindCertificateParent (x);
>>-					if (x != null) {
>>-						_chain.Add (x);
>>-						x = tmp;	// last valid
>>-					}
>>+					tmp = x; // last valid
>>+					_chain.Add (x);
>>+					x = FindCertificateParent (x);
>> 				}
>> 				// find a trusted root
>> 				_root = FindCertificateRoot (tmp);
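Review bot: in the rewritten loop, when FindCertificateParent returns a self-signed certificate the loop exits with tmp still pointing at the certificate below it, so that self-signed certificate is neither appended to _chain nor handed to FindCertificateRoot, whereas in the removed lines tmp would have been the self-signed certificate itself. Whether this changes results depends on what FindCertificateRoot does with its argument (look up the argument's issuer among the anchors, or match the argument itself), which is not visible in the hunk, so two test cases are worth adding: a self-signed root supplied in the certificate collection but absent from the anchors, and the same root present in both. The removed `if (x != null)` was always true under the loop condition `(x != null) && (!x.IsSelfSigned)`, so dropping it is correct, and the `// last valid` comment is now accurate: tmp is the last certificate added to _chain before the parent lookup fails or reaches a self-signed certificate, which is exactly what the anchor lookup needs when the root lives only in TrustAnchors. When the leaf itself is self-signed the loop body never runs and tmp stays equal to leaf in both versions, so that path is unaffected.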

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.ximian.com/pipermail/mono-devel-list/attachments/20051208/3100b375/attachment.html 
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: X509ChainTestCase.cs
Url: http://lists.ximian.com/pipermail/mono-devel-list/attachments/20051208/3100b375/attachment.pl 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: test_tls_client.der.crt
Type: application/x-x509-ca-cert
Size: 727 bytes
Desc: not available
Url : http://lists.ximian.com/pipermail/mono-devel-list/attachments/20051208/3100b375/attachment.bin 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ca_test.der.crt
Type: application/x-x509-ca-cert
Size: 752 bytes
Desc: not available
Url : http://lists.ximian.com/pipermail/mono-devel-list/attachments/20051208/3100b375/attachment-0001.bin 
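As an added illustration (not Mono's code and not part of the original thread), the following Python model reproduces the two versions of the X509Chain.Build loop over toy certificates so the PartialChain result can be reproduced offline. Following Vincent's description it assumes that FindCertificateParent searches only the certificates supplied with the chain (leaf plus intermediates) and that FindCertificateRoot searches the trust anchors for the issuer of the certificate passed to it; the certificate names and the three scenarios are constructed for the example.

```python
"""Model of the X509Chain.Build chain-walking loop, before and after the patch.

This is an added example for the discussion above, not Mono.Security code.
Assumptions (constructed from the thread, not verified against Mono):
  - find_parent() looks only in the certificates supplied to the chain.
  - find_root() looks only in the trust anchors, for the issuer of its argument.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Cert:
    """Toy certificate: only the fields the loop logic cares about."""
    subject: str
    issuer: str

    @property
    def is_self_signed(self) -> bool:
        return self.subject == self.issuer


def find_parent(cert: Cert, supplied: List[Cert]) -> Optional[Cert]:
    """Model of FindCertificateParent (assumption: searches supplied certs only)."""
    for c in supplied:
        if c.subject == cert.issuer:
            return c
    return None


def find_root(cert: Optional[Cert], anchors: List[Cert]) -> Optional[Cert]:
    """Model of FindCertificateRoot (assumption: anchor that issued `cert`)."""
    if cert is None:
        return None  # the original loop can hand us null here
    for a in anchors:
        if a.subject == cert.issuer:
            return a
    return None


def build_original(leaf: Cert, supplied: List[Cert],
                   anchors: List[Cert]) -> Tuple[List[Cert], Optional[Cert]]:
    """Loop as it stood before the patch (revision 54018 in the diff)."""
    chain: List[Cert] = []
    x: Optional[Cert] = leaf
    tmp: Optional[Cert] = x
    while x is not None and not x.is_self_signed:
        tmp = find_parent(x, supplied)
        if x is not None:  # always true: the loop condition already checked it
            chain.append(x)
            x = tmp  # when no parent is found, tmp and x both become None
    root = find_root(tmp, anchors)
    return chain, root


def build_patched(leaf: Cert, supplied: List[Cert],
                  anchors: List[Cert]) -> Tuple[List[Cert], Optional[Cert]]:
    """Loop as rewritten by Vincent's patch."""
    chain: List[Cert] = []
    x: Optional[Cert] = leaf
    tmp: Optional[Cert] = x
    while x is not None and not x.is_self_signed:
        tmp = x  # last valid: the last cert actually added to the chain
        chain.append(x)
        x = find_parent(x, supplied)
    root = find_root(tmp, anchors)
    return chain, root


def status(root: Optional[Cert]) -> str:
    """Mirror the flag the server sees: PartialChain when no root was found."""
    return "OK" if root is not None else "PartialChain"


# Constructed sample data (names are illustrative, not the attached certs).
CA = Cert(subject="CN=Test CA", issuer="CN=Test CA")
INTER = Cert(subject="CN=Test Intermediate", issuer="CN=Test CA")
CLIENT = Cert(subject="CN=Test Client", issuer="CN=Test CA")
LEAF_VIA_INTER = Cert(subject="CN=Test Leaf", issuer="CN=Test Intermediate")

SCENARIOS = {
    # Root only in TrustAnchors, as in Vincent's setup.
    "root in anchors only": (CLIENT, [CLIENT], [CA]),
    # Root also added explicitly to the chain's certificate collection.
    "root in chain and anchors": (CLIENT, [CLIENT, CA], [CA]),
    # One intermediate supplied, root only in anchors.
    "intermediate, root in anchors only": (LEAF_VIA_INTER, [LEAF_VIA_INTER, INTER], [CA]),
}


def compare_all() -> dict:
    """Return {scenario: (original_status, patched_status)} for every scenario."""
    out = {}
    for name, (leaf, supplied, anchors) in SCENARIOS.items():
        _, r_old = build_original(leaf, supplied, anchors)
        _, r_new = build_patched(leaf, supplied, anchors)
        out[name] = (status(r_old), status(r_new))
    return out


if __name__ == "__main__":
    for name, (old, new) in compare_all().items():
        print(f"{name:40s} original={old:13s} patched={new}")
```

Running the model shows the effect Vincent describes: with the root present only in the anchors, the original loop leaves tmp null and reports PartialChain while the patched loop finds the root, and when the root is also added to the chain's own certificate collection both versions succeed.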

More information about the Mono-devel-list mailing list