[Mono-dev] [PATCH] Bug in X509Chain?

Sebastien Pouliot sebastien.pouliot at gmail.com
Thu Dec 8 11:37:42 EST 2005


On Thu, 2005-12-08 at 10:54 -0500, Vincent Cote-Roy wrote:
> Bonjour Sebastien,
> 
> I'm not sure this has to do with anything particular with my cert. 

Neither do I ;-) but it may be easier if I can't replicate the issue.
OTOH, from the look of it I don't think I'll have any problem duplicating
it.

> The way that I look at the loop, the only way that it will validate is
> if the root cert has been explicitly added to the chain (as opposed
> to being in the TrustAnchors list). Otherwise, the loop will end when
> x is null, which can only happen when tmp is itself null.

I'll revise that after lunch.

> I've simplified the test case by adding the root cert directly to
> TrustAnchors, instead of adding to the TrustedRoots store. 

Thanks

> Cheers,
> 
> Vincent
> 
> Sebastien Pouliot wrote: 
> > Bonjour Vincent,
> > 
> > On Wed, 2005-12-07 at 21:44 -0500, Vincent Cote-Roy wrote:
> >   
> > > Hi,
> > > 
> > > I'm using the Ssl*Stream classes in Mono.Security for a custom TLS 
> > > client/server. I want to force the client to supply a cert and have the 
> > > server validate it. From what I can gather, X509Chain will validate a 
> > > certificate if (among other things) it finds its root cert among the 
> > > TrustAnchors list, which is initialized with 
> > > X509StoreManager.TrustedRootCertificates. So before starting the server 
> > > I will add my root CA to this list with 
> > > X509StoreManager.CurrentUser.TrustedRoot.Certificates.Add. But my client 
> > > cert still fails validation with X509ChainStatusFlags.PartialChain. This 
> > > is not supposed to happen, right?
> > > 
> > > When stepping into the X509Chain.Build method (as called by 
> > > Mono.[bla].Server.TlsClientCertificate.checkCertificateUsage), I noticed 
> > > that when:
> > > 
> > > _root = FindCertificateRoot (tmp);
> > > 
> > > is called, tmp is always null. I think that's wrong, no? When I run the 
> > > code again with my patch (see attach.) applied, validation succeeds.
> > >     
> > 
> > There was a reason, that I totally forgot, for the original code. I'll
> > track back SVN history to see if I can find out why. There was also a
> > recent change in that code to fix another issue, so it may also be a
> > regression.
> > 
> > However this isn't a generalized problem (i.e. chaining normally works)
> > so you're hitting a special condition. Would it be possible to send me
> > the chain of certificates leading to this? It would be helpful to
> > create a (or some) test case(s) to avoid future regressions (this code
> > is very likely to change/expand in the forthcoming 2.0 API updates in
> > Mono).
> > 
> > Thanks.
> > 
> >   
> > > Cheers,
> > > 
> > > Vincent
> > > 
> > > plain text document attachment (X509Chain.cs.diff.txt)
> > > Index: X509Chain.cs
> > > ===================================================================
> > > --- X509Chain.cs	(revision 54018)
> > > +++ X509Chain.cs	(working copy)
> > > @@ -129,11 +129,9 @@
> > >  				X509Certificate x = leaf;
> > >  				X509Certificate tmp = x;
> > >  				while ((x != null) && (!x.IsSelfSigned)) {
> > > -					tmp = FindCertificateParent (x);
> > > -					if (x != null) {
> > > -						_chain.Add (x);
> > > -						x = tmp;	// last valid
> > > -					}
> > > +					tmp = x; // last valid
> > > +					_chain.Add (x);
> > > +					x = FindCertificateParent (x);
> > >  				}
> > >  				// find a trusted root
> > >  				_root = FindCertificateRoot (tmp);
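Review bot: the patch changes what `tmp` holds at `_root = FindCertificateRoot (tmp);`, and that needs a test case for both shapes of input. In the removed lines `tmp` is whatever `FindCertificateParent (x)` last returned, so it is null as soon as one parent is not found and `FindCertificateRoot (null)` can never succeed; that is the PartialChain reported above. In the added lines `tmp` is the last certificate appended to `_chain` (`tmp = x; // last valid`), so `FindCertificateRoot` is always asked about a certificate whose issuer should be a trust anchor. The other case also changes: when `FindCertificateParent` returns a self-signed certificate, the old code passed that self-signed certificate to `FindCertificateRoot`, the new code passes its child, so `FindCertificateRoot` must handle "anchor issued tmp" as well as "anchor is tmp". The removed `if (x != null)` was dead, since the `while` condition already guarantees `x != null`; it reads like it was meant to be `tmp != null`. Unrelated to the fix but visible in both versions: the walk is unbounded, so a pair of cross-signed certificates returned by `FindCertificateParent` would loop forever; a depth limit or an `if (_chain.Contains (x)) break;` before the `_chain.Add (x)` would be cheap insurance.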
> > > _______________________________________________
> > > Mono-devel-list mailing list
> > > Mono-devel-list at lists.ximian.com
> > > http://lists.ximian.com/mailman/listinfo/mono-devel-list
> > >     
> 
> plain text document attachment (X509ChainTestCase.cs)
> using System;
> using System.IO;
> using Mono.Security.X509;
> 
> namespace Test
> {
> 	public class X509ChainTestCase
> 	{
> 		// Read a whole DER file. A single Stream.Read call may return fewer
> 		// bytes than requested, so loop until the buffer is full.
> 		static byte[] ReadAll (string path)
> 		{
> 			using (Stream s = File.OpenRead (path)) {
> 				byte[] data = new byte[s.Length];
> 				int total = 0;
> 				while (total < data.Length) {
> 					int n = s.Read (data, total, data.Length - total);
> 					if (n <= 0)
> 						throw new IOException ("unexpected end of " + path);
> 					total += n;
> 				}
> 				return data;
> 			}
> 		}
> 
> 		public static void Main (string[] args)
> 		{
> 			// The self-signed test CA and the client certificate it issued.
> 			X509Certificate ca = new X509Certificate (ReadAll ("ca_test.der.crt"));
> 			X509Certificate cert = new X509Certificate (ReadAll ("test_tls_client.der.crt"));
> 
> 			// Earlier variant: register the CA in the per-user TrustedRoot
> 			// store, which is what a new X509Chain initializes its
> 			// TrustAnchors from.
> 			//X509StoreManager.CurrentUser.TrustedRoot.Certificates.Add (ca);
> 
> 			// Simplified case: add the CA directly as a trust anchor, so Build
> 			// has to locate it through FindCertificateRoot.
> 			X509Chain chain = new X509Chain ();
> 			chain.TrustAnchors.Add (ca);
> 
> 			bool ok = chain.Build (cert);
> 			Console.WriteLine ("result: {0}; status: {1}", ok, chain.Status);
> 		}
> 	}
> }
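The loop in the quoted hunk is small enough to model outside Mono, which makes the difference between the two versions easy to see. The following is an added example, not code from the thread or from Mono.Security: the `Cert` class, `find_parent` and `find_root` are simplified stand-ins (assumptions) for `X509Certificate`, `FindCertificateParent` and `FindCertificateRoot`, and the two `build_*` methods copy the control flow of the hunk before and after Vincent's patch. The certificates and the intermediate-CA case are constructed to match the scenarios discussed above (root only in TrustAnchors, root supplied alongside the leaf, root supplied but not trusted).

```python
"""Model of the chain walk in X509Chain.Build that this thread discusses.

Added example, not Mono.Security code. Cert, Chain.find_parent and
Chain.find_root are simplified stand-ins (assumptions); build_original and
build_patched copy the control flow of the quoted hunk before and after
the patch, so the argument that reaches find_root differs as the patch changes it.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str

    @property
    def is_self_signed(self) -> bool:
        return self.subject == self.issuer


class Chain:
    # One instance per build: TrustAnchors plus any certificates sent with the leaf.
    def __init__(self, anchors: List[Cert], supplied: List[Cert]) -> None:
        self.trust_anchors = list(anchors)
        self.supplied = list(supplied)
        self.chain: List[Cert] = []
        self.root: Optional[Cert] = None
        self.status = "NoError"

    def find_parent(self, x: Cert) -> Optional[Cert]:
        # Stand-in for FindCertificateParent: the issuer of x if it was
        # supplied with the leaf, None otherwise.
        for c in self.supplied:
            if c is not x and c.subject == x.issuer:
                return c
        return None

    def find_root(self, tmp: Optional[Cert]) -> Optional[Cert]:
        # Stand-in for FindCertificateRoot: a trust anchor that is tmp or
        # issued tmp. None can never match, which is the reported failure.
        if tmp is None:
            return None
        for a in self.trust_anchors:
            if a == tmp or a.subject == tmp.issuer:
                return a
        return None

    def _finish(self) -> bool:
        if self.root is None:
            self.status = "PartialChain"
            return False
        if not self.chain or self.chain[-1] != self.root:
            self.chain.append(self.root)
        return True

    def build_original(self, leaf: Cert) -> bool:
        """Loop as it stood at revision 54018, before the patch."""
        x = leaf
        tmp = x
        while x is not None and not x.is_self_signed:
            tmp = self.find_parent(x)
            if x is not None:          # always true: the while already checked x
                self.chain.append(x)
                x = tmp                # None as soon as a parent is missing
        self.root = self.find_root(tmp)
        return self._finish()

    def build_patched(self, leaf: Cert) -> bool:
        """Loop with the patch applied: tmp is the last certificate appended."""
        x = leaf
        tmp = x
        while x is not None and not x.is_self_signed:
            tmp = x                    # last valid
            self.chain.append(x)
            x = self.find_parent(x)
        self.root = self.find_root(tmp)
        return self._finish()


# Constructed certificates, named after the files in the test case above.
CA = Cert(subject="CN=ca_test", issuer="CN=ca_test")
INTERMEDIATE = Cert(subject="CN=intermediate", issuer="CN=ca_test")
CLIENT = Cert(subject="CN=test_tls_client", issuer="CN=ca_test")
CLIENT_VIA_INTERMEDIATE = Cert(subject="CN=test_tls_client", issuer="CN=intermediate")


def run(build: str, anchors: List[Cert], supplied: List[Cert],
        leaf: Cert = CLIENT) -> Tuple[bool, str, List[str]]:
    """Build once and return (ok, status, subjects in the resulting chain)."""
    chain = Chain(anchors, supplied)
    ok = getattr(chain, build)(leaf)
    return ok, chain.status, [c.subject for c in chain.chain]


if __name__ == "__main__":
    cases = {"root only in TrustAnchors": ([CA], [], CLIENT),
             "root also supplied": ([CA], [CA], CLIENT),
             "root supplied but untrusted": ([], [CA], CLIENT),
             "via intermediate, root anchored": ([CA], [INTERMEDIATE], CLIENT_VIA_INTERMEDIATE)}
    for build in ("build_original", "build_patched"):
        for name, (anchors, supplied, leaf) in cases.items():
            print(build, name, run(build, anchors, supplied, leaf))
```

With the root only in TrustAnchors, `build_original` hands `None` to `find_root` and ends in PartialChain while `build_patched` completes the chain; when the root is supplied next to the leaf both versions succeed, and when it is supplied but not trusted both correctly fail.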
