[Mono-devel-list] two questions about Mono.Security.dll

liubin liub at necas.nec.com.cn
Fri Jul 1 01:39:38 EDT 2005


Hi,
I am very interested in the SSL/TLS function of Novell.Directory.Ldap.dll and 
Mono.Security.dll. I have built the Novell CsharpLDAP sample source 
StartTLS.cs with mono1.1.8's Novell.Directory.Ldap.dll and Mono.Security.dll
on Windows to do some tests, and I found two problems with Mono.Security.dll.

<1.> The sample code can't work correctly; it always outputs error 91 as shown below.
So I downloaded the Mono.Security.dll source from 
http://svn.myrealbox.com/viewcvs/trunk/mcs/class/Mono.Security/  to rebuild
Mono.Security.dll. The sample code works correctly with this
Mono.Security.dll. It seems that this problem was resolved in the new sources.

Will mono1.1.9 contain this change, and when will mono1.1.9 be released?

----------------run result----------------
Connecting to:liub
Error:91
--------------sample StartTLS.cs's code--------
...
try{
   LdapConnection conn= new LdapConnection();
   Console.WriteLine("Connecting to:" + ldapHost);
   conn.Connect(ldapHost,ldapPort);
   conn.startTLS();
   conn.Bind(loginDN,password);
   Console.WriteLine("TLS Bind Completed Successfull");
   conn.Disconnect();
}
catch(Exception e)
{
   Console.WriteLine("Error:" + e.Message);
}
...
------------------------------------------

<2.> I made a new root certificate and a new server certificate, then did a test
using the above sample code, but I got a -2146762494 (CERT_E_VALIDITYPERIODNESTING)
error. The next day I used the same certificate to do the test, and it succeeded.
I think it should be a bug in the validity time check. I debugged it and found the 
reason: ValidFrom and ValidUntil were local time, and the
current time was UTC time.

There are two methods to fix this problem: one is to modify the ASN1Convert::ToDateTime 
function, changing the return value to UTC time; the other is just to modify the 
X509Certificate::Parse function, changing m_from and m_until to UTC time.
Which one is better? If there is the same problem in other places where 
ASN1Convert::ToDateTime is called, the first one is maybe better, I think.

-----------Mono.Security/Mono.Security.X509/X509Certificate.cs------------------
 class X509Certificate {
  ...
  public bool IsCurrent {
   get { return WasCurrent (DateTime.UtcNow); } <== it's a UTC time
  }
  public bool WasCurrent (DateTime instant) 
  {
   return ((instant > ValidFrom) && (instant <= ValidUntil));
  }
  ...
-----------Mono.Security/Mono.Security.X509/X509Certificate.cs------------------
 class X509Certificate {
  private void Parse (byte[] data) 
  {
    ASN1 notBefore = validity [0];
    m_from = ASN1Convert.ToDateTime (notBefore);
    ASN1 notAfter = validity [1];
    m_until = ASN1Convert.ToDateTime (notAfter);
  ...

-----------Mono.Security/Mono.Security/ASN1Convert.cs------------------
 sealed class ASN1Convert {
  static public DateTime ToDateTime (ASN1 time) 
  {
  ...
   return DateTime.ParseExact (t, mask, null); <== it's a local time

Thanks.

Best Regards

Liubin

---------------------------------------------------------------------------
Liu Bin
Email: liub at necas.nec.com.cn
---------------------------------------------------------------------------
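
An added example, not code from this mail or from Mono.Security, showing the first of the two fixes discussed above: the ASN.1 validity string is read straight into a UTC DateTime and the current-time check is done with every operand in UTC. The class and method names (`ValidityCheck`, `ToUtcDateTime`, `WasCurrent`) and the sample time strings are constructed for illustration.

```csharp
using System;
using System.Globalization;

// Added example, not Mono.Security's code: read X.509 validity times as UTC
// and compare them in UTC, so a local ValidFrom is never tested against UtcNow.
static class ValidityCheck
{
    // RFC 5280 validity encodings: UTCTime "YYMMDDHHMMSSZ" (two-digit year,
    // 50..99 => 19xx, 00..49 => 20xx) and GeneralizedTime "YYYYMMDDHHMMSSZ".
    // Both are always expressed in UTC; the trailing 'Z' is mandatory.
    public static DateTime ToUtcDateTime(string t)
    {
        if (t == null || t.Length == 0 || t[t.Length - 1] != 'Z')
            throw new FormatException("X.509 time must end in 'Z': " + t);
        string body = t.Substring(0, t.Length - 1);
        if (body.Length == 12)
        {
            // UTCTime: apply the RFC 5280 century rule, not the culture's TwoDigitYearMax.
            int yy = int.Parse(body.Substring(0, 2), CultureInfo.InvariantCulture);
            body = (yy >= 50 ? "19" : "20") + body;
        }
        else if (body.Length != 14)
            throw new FormatException("unexpected X.509 time length: " + t);
        // AssumeUniversal: the digits are UTC, not local wall-clock time.
        // AdjustToUniversal: return Kind == Utc instead of converting to local.
        return DateTime.ParseExact(body, "yyyyMMddHHmmss", CultureInfo.InvariantCulture,
            DateTimeStyles.AssumeUniversal | DateTimeStyles.AdjustToUniversal);
    }

    // Same shape as X509Certificate.WasCurrent, but every operand is normalised
    // to UTC first, so a Local or Unspecified Kind can no longer skew the check.
    public static bool WasCurrent(DateTime instant, DateTime validFrom, DateTime validUntil)
    {
        DateTime now = instant.ToUniversalTime();
        return now > validFrom.ToUniversalTime() && now <= validUntil.ToUniversalTime();
    }

    static void Main()
    {
        // Constructed validity period: notBefore as UTCTime, notAfter as GeneralizedTime.
        DateTime from = ToUtcDateTime("050701000000Z");
        DateTime until = ToUtcDateTime("20060701000000Z");
        // The reading described in the mail: the digits taken as local time.
        // On a machine whose zone is not UTC this shifts the instant by the zone offset.
        DateTime local = DateTime.ParseExact("20050701000000", "yyyyMMddHHmmss",
            CultureInfo.InvariantCulture);
        Console.WriteLine("skew from local parse: " + (local.ToUniversalTime() - from));
        Console.WriteLine("notBefore " + from.ToString("u") + " current? "
            + WasCurrent(DateTime.UtcNow, from, until));
    }
}
```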
