[Mono-dev] [PATCH] Bug in X509Chain?
Sebastien Pouliot
sebastien.pouliot at gmail.com
Thu Dec 8 11:37:42 EST 2005
On Thu, 2005-12-08 at 10:54 -0500, Vincent Cote-Roy wrote:
> Bonjour Sebastien,
>
> I'm not sure this has to do with anything particular with my cert.
Neither do I ;-) but it may be easier if I can't replicate the issue.
OTOH from the look of it I don't think I'll have a problem duplicating
it.
> The way that I look at the loop, the only way that it will validate is
> if the root cert has been explicitly added to the chain (as opposed
> to being in the TrustAnchors list). Otherwise, the loop will end when
> x is null, which can only happen when tmp is itself null.
I'll revise that after lunch.
> I've simplified the test case by adding the root cert directly to
> TrustAnchors, instead of adding to the TrustedRoots store.
Thanks
> Cheers,
>
> Vincent
>
> Sebastien Pouliot wrote:
> > Bonjour Vincent,
> >
> > On Wed, 2005-12-07 at 21:44 -0500, Vincent Cote-Roy wrote:
> >
> > > Hi,
> > >
> > > I'm using the Ssl*Stream classes in Mono.Security for a custom tls
> > > client/server. I want to force the client to supply a cert and have the
> > > server validate it. From what I can gather, X509Chain will validate a
> > > certificate if (among other things) it finds its root cert among the
> > > TrustAnchors list, which is initialized with
> > > X509StoreManager.TrustedRootCertificates. So before starting the server
> > > I will add my root CA to this list with
> > > X509StoreManager.CurrentUser.TrustedRoot.Certificates.Add. But my client
> > > cert still fails validation with X509ChainStatusFlags.PartialChain. This
> > > is not supposed to happen, right?
> > >
> > > When stepping into the X509Chain.Build method (as called by
> > > Mono.[bla].Server.TlsClientCertificate.checkCertificateUsage), I noticed
> > > that when:
> > >
> > > _root = FindCertificateRoot (tmp);
> > >
> > > is called, tmp is always null. I think that's wrong, no? When I run the
> > > code again with my patch (see attach.) applied, validation succeeds.
> > >
> >
> > There was a reason, that I totally forgot, for the original code. I'll
> > track back SVN history to see if I can find out why. There was also a
> > recent change in that code to fix another issue, so it may also be a
> > regression.
> >
> > However this isn't a generalized problem (i.e. chaining normally works)
> > so you're hitting a special condition. Would it be possible to send me
> > the chain of certificates leading to this? as it would be helpful to
> > create a (or some) test case(s) to avoid future regressions (this code
> > is very likely to change/expand in the forthcoming 2.0 API updates in
> > Mono).
> >
> > Thanks.
> >
> >
> > > Cheers,
> > >
> > > Vincent
> > >
> > > plain text document attachment (X509Chain.cs.diff.txt)
> > > Index: X509Chain.cs
> > > ===================================================================
> > > --- X509Chain.cs (revision 54018)
> > > +++ X509Chain.cs (working copy)
> > > @@ -129,11 +129,9 @@
> > > X509Certificate x = leaf;
> > > X509Certificate tmp = x;
> > > while ((x != null) && (!x.IsSelfSigned)) {
> > > - tmp = FindCertificateParent (x);
> > > - if (x != null) {
> > > - _chain.Add (x);
> > > - x = tmp; // last valid
> > > - }
> > > + tmp = x; // last valid
> > > + _chain.Add (x);
> > > + x = FindCertificateParent (x);
> > > }
> > > // find a trusted root
> > > _root = FindCertificateRoot (tmp);
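Review bot: the `if (x != null)` test inside the loop is dead, because the `while` condition already guarantees x is non-null, so the removed lines always executed `x = tmp;` even when FindCertificateParent returned null; that is why `_root = FindCertificateRoot (tmp);` receives null whenever the issuer is only in TrustAnchors and cannot be found through FindCertificateParent. Keeping the last certificate actually found in `tmp` before looking up its parent is the right fix for that path. Two things to confirm before committing: first, the argument handed to FindCertificateRoot changes on the other path too (when FindCertificateParent does return the self-signed root, tmp is now the certificate below the root rather than the root itself), so FindCertificateRoot must match a trust anchor against tmp's issuer for that case to keep working; second, a chain with a genuinely missing intermediate should still end in PartialChain now that FindCertificateRoot is called with a real certificate instead of null. Both cases belong in the regression test discussed in the thread.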
> > > _______________________________________________
> > > Mono-devel-list mailing list
> > > Mono-devel-list at lists.ximian.com
> > > http://lists.ximian.com/mailman/listinfo/mono-devel-list
> > >
>
> plain text document attachment (X509ChainTestCase.cs)
> using System;
> using System.IO;
> using Mono.Security.X509;
>
> namespace Test
> {
>     public class X509ChainTestCase
>     {
>         public static void Main (string[] args)
>         {
>             Stream caStream = File.OpenRead ("ca_test.der.crt");
>             byte[] caData = new byte[caStream.Length];
>             caStream.Read (caData, 0, caData.Length);
>             X509Certificate ca = new X509Certificate (caData);
>
>             Stream certStream = File.OpenRead ("test_tls_client.der.crt");
>             byte[] certData = new byte[certStream.Length];
>             certStream.Read (certData, 0, certData.Length);
>             X509Certificate cert = new X509Certificate (certData);
>
>             //X509StoreManager.CurrentUser.TrustedRoot.Certificates.Add (ca);
>
>             X509Chain chain = new X509Chain ();
>             chain.TrustAnchors.Add (ca);
>
>             Console.WriteLine ("result: {0}; status: {1}", chain.Build (cert).ToString (), chain.Status);
>         }
>     }
> }
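The two versions of the chain-walking loop from the patch above, side by side, as an added Python model that is not Mono.Security code. Cert, find_parent, find_root and the scenarios are constructed stand-ins for X509Certificate, FindCertificateParent, FindCertificateRoot and TrustAnchors; the point is to see which argument reaches the root lookup in each case, including the partial-chain case that must still fail after the patch.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for X509Certificate: subject and issuer names only."""
    subject: str
    issuer: str

    @property
    def is_self_signed(self) -> bool:
        return self.subject == self.issuer


@dataclass
class BuildResult:
    chain: List[Cert]
    root: Optional[Cert]

    @property
    def ok(self) -> bool:
        # A missing root is what the thread reports as PartialChain.
        return self.root is not None


def find_parent(x: Cert, store: List[Cert]) -> Optional[Cert]:
    """Stand-in for FindCertificateParent: look up the issuer in the stores."""
    for c in store:
        if c.subject == x.issuer:
            return c
    return None


def find_root(tmp: Optional[Cert], anchors: List[Cert]) -> Optional[Cert]:
    """Stand-in for FindCertificateRoot: find tmp's issuer among the trust anchors.
    A self-signed anchor is its own issuer, so passing the root itself also matches."""
    if tmp is None:
        return None
    for c in anchors:
        if c.is_self_signed and c.subject == tmp.issuer:
            return c
    return None


def build(leaf: Cert, store: List[Cert], anchors: List[Cert], patched: bool) -> BuildResult:
    """The loop from X509Chain.Build, before ('-' lines) and after ('+' lines) the patch."""
    chain: List[Cert] = []
    x: Optional[Cert] = leaf
    tmp: Optional[Cert] = x
    while x is not None and not x.is_self_signed:
        if patched:
            tmp = x                       # remember the last certificate actually found
            chain.append(x)
            x = find_parent(x, store)
        else:
            tmp = find_parent(x, store)   # None when the issuer is not in any store
            if x is not None:             # dead check: the loop condition already holds
                chain.append(x)
                x = tmp                   # so tmp and x both become None here
    return BuildResult(chain, find_root(tmp, anchors))


def run_scenarios() -> dict:
    """Returns {scenario: (original_ok, patched_ok)} for constructed chains."""
    root = Cert("Root CA", "Root CA")
    inter = Cert("Intermediate", "Root CA")
    leaf = Cert("client", "Root CA")
    leaf_via_inter = Cert("client2", "Intermediate")
    scenarios = {
        # Vincent's test case: root only in TrustAnchors, not in a store
        "root_in_anchors_only": (leaf, [], [root]),
        # root also in the store FindCertificateParent searches
        "root_in_store_and_anchors": (leaf, [root], [root]),
        # intermediate in a store, root only in TrustAnchors
        "intermediate_in_store": (leaf_via_inter, [inter], [root]),
        # intermediate missing everywhere: a genuinely partial chain
        "missing_intermediate": (leaf_via_inter, [], [root]),
    }
    return {
        name: (build(lf, store, anchors, False).ok, build(lf, store, anchors, True).ok)
        for name, (lf, store, anchors) in scenarios.items()
    }


if __name__ == "__main__":
    for name, (orig_ok, patched_ok) in run_scenarios().items():
        print(f"{name:28s} original={orig_ok!s:5s} patched={patched_ok!s}")
```

The original loop only succeeds when the parent lookup itself returns the self-signed root; every other chain leaves tmp as null and so reports PartialChain. The patched loop passes the last certificate it found, which lets an anchor-only root resolve while a chain missing an intermediate still fails.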