Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

macOS (Xamarin): failure to build X509Chain #57630

Closed
rolfbjarne opened this issue Aug 18, 2021 · 12 comments · Fixed by xamarin/xamarin-macios#12658
Closed

macOS (Xamarin): failure to build X509Chain #57630

rolfbjarne opened this issue Aug 18, 2021 · 12 comments · Fixed by xamarin/xamarin-macios#12658
Labels
area-System.Security os-mac-os-x macOS aka OSX untriaged New issue has not been triaged by the area owner

Comments

@rolfbjarne
Copy link
Member

Description

  • X509Chain.Build fails when chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck (this works in legacy Xamarin.Mac).

I'm not sure if this is an actual bug or the expected behavior now, but it's a difference with regards to legacy Xamarin.Mac

Test case:
X509TestCase-76b9df9.zip

Download, extract, and run make to run on both legacy Xamarin.Mac and then .NET.

The legacy Xamarin.Mac version succeeds, the .NET version fails.

$ make           
/Applications/Xcode_13.0.0-beta5.app/Contents/Developer/usr/bin/make run-legacy
rm -Rf LegacyXamarinMac/bin LegacyXamarinMac/obj
cd LegacyXamarinMac && msbuild /r /bl /v:quiet /nologo
/Library/Frameworks/Mono.framework/Versions/6.12.0/lib/mono/msbuild/15.0/bin/MSBuild.dll /nologo /bl /r /v:quiet ./MyCocoaApp.sln
Building the projects in this solution one at a time. To enable parallel build, please add the "-m" switch.
LegacyXamarinMac/bin/Debug/MyCocoaApp.app/Contents/MacOS/MyCocoaApp

✅ Success!
/Applications/Xcode_13.0.0-beta5.app/Contents/Developer/usr/bin/make run-dotnet
rm -Rf macOS/bin macOS/obj
cd macOS && dotnet build /bl /v:quiet /nologo
/usr/local/share/dotnet/sdk/6.0.100-rc.1.21405.1/MSBuild.dll /nologo -consoleloggerparameters:Summary -distributedlogger:Microsoft.DotNet.Tools.MSBuild.MSBuildLogger,/usr/local/share/dotnet/sdk/6.0.100-rc.1.21405.1/dotnet.dll*Microsoft.DotNet.Tools.MSBuild.MSBuildForwardingLogger,/usr/local/share/dotnet/sdk/6.0.100-rc.1.21405.1/dotnet.dll -maxcpucount -restore -verbosity:m /v:quiet /bl ./MySimpleApp.csproj

Build succeeded.
    0 Warning(s)
    0 Error(s)

Time Elapsed 00:00:21.79
macOS/bin/Debug/net6.0-macos/osx-x64/MySimpleApp.app/Contents/MacOS/MySimpleApp
2021-08-18 10:23:19.741 MySimpleApp[4007:3493418] Xamarin.Mac: Invalid IDE Port: -1
2021-08-18 10:23:19.741 MySimpleApp[4007:3493368] Xamarin.Mac: Debugger not loaded (disabled).
2021-08-18 10:23:19.741 MySimpleApp[4007:3493368] Xamarin.Mac: Profiler not loaded (disabled)

❌ Failure: System.Exception: Assertion failure: NoCheck
   at MySimpleApp.Assert.True(Boolean value, String message) in /Users/rolf/test/dotnet/X509TestCase/AppDelegate.cs:line 63
   at MySimpleApp.Program.Chain() in /Users/rolf/test/dotnet/X509TestCase/AppDelegate.cs:line 48
   at MySimpleApp.Program.Main(String[] args) in /Users/rolf/test/dotnet/X509TestCase/AppDelegate.cs:line 19

This is the code in question:

public static void Chain ()
{
	X509Store store = new X509Store ("Trust");
	store.Open (OpenFlags.ReadWrite);

	string certString = "MIIDGjCCAgKgAwIBAgICApowDQYJKoZIhvcNAQEFBQAwLjELMAkGA1UEBhMCQ1oxDjAMBgNVBAoTBVJlYmV4MQ8wDQYDVQQDEwZUZXN0Q0EwHhcNMDAwMTAxMDAwMDAwWhcNNDkxMjMxMDAwMDAwWjAuMQswCQYDVQQGEwJDWjEOMAwGA1UEChMFUmViZXgxDzANBgNVBAMTBlRlc3RDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMgeRAcaNLTFaaBhFx8RDJ8b9K655dNUXmO11mbImDbPq4qVeZXDgAjnzPov8iBscwfqBvBpF38LsxBIPA2i1d0RMsQruOhJHttA9I0enElUXXj63sOEVNMSQeg1IMyvNeEotag+Gcx6SF+HYnariublETaZGzwAOD2SM49mfqUyfkgeTjdO6qp8xnoEr7dS5pEBHDg70byj/JEeZd3gFea9TiOXhbCrI89dKeWYBeoHFYhhkaSB7q9EOaUEzKo/BQ6PBHFu6odfGkOjXuwfPkY/wUy9U4uj75LmdhzvJf6ifsJS9BQZF4//JcUYSxiyzpxDYqSbTF3g9w5Ds2LOAscCAwEAAaNCMEAwDgYDVR0PAQH/BAQDAgB/MA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFD1v20tPgvHTEK/0eLO09j0rL2qXMA0GCSqGSIb3DQEBBQUAA4IBAQAZIjcdR3EZiFJ67gfCnPBrxVgFNvaRAMCYEYYIGDCAUeB4bLTu9dvun9KFhgVNqjgx+xTTpx9d/5mAZx5W3YAG6faQPCaHccLefB1M1hVPmo8md2uw1a44RHU9LlM0V5Lw8xTKRkQiZz3Ysu0sY27RvLrTptbbfkE4Rp9qAMguZT9cFrgPAzh+0zuo8NNj9Jz7/SSa83yIFmflCsHYSuNyKIy2iaX9TCVbTrwJmRIB65gqtTb6AKtFGIPzsb6nayHvgGHFchrFovcNrvRpE71F38oVG+eCjT23JfiIZim+yJLppSf56167u8etDcQ39j2b9kzWlHIVkVM0REpsKF7S";
	X509Certificate2 rootCert = new X509Certificate2 (Convert.FromBase64String (certString));
	if (!store.Certificates.Contains (rootCert))
		store.Add (rootCert);
	store.Close();

	byte[] certData = new byte[] {0x30,0x82,0x02,0xFA,0x30,0x82,0x01,0xE2,0xA0,0x03,0x02,0x01,0x02,0x02,0x03,0x01,0x4F,0x55,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x05,0x05,0x00,0x30,0x2E,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x43,0x5A,0x31,0x0E,0x30,0x0C,0x06,0x03,0x55,0x04,0x0A,0x13,0x05,0x52,0x65,0x62,0x65,0x78,0x31,0x0F,0x30,0x0D,0x06,0x03,0x55,0x04,0x03,0x13,0x06,0x54,0x65,0x73,0x74,0x43,0x41,0x30,0x1E,0x17,0x0D,0x31,0x32,0x30,0x34,0x32,0x32,0x31,0x38,0x33,0x31,0x35,0x33,0x5A,0x17,0x0D,0x34,0x39,0x31,0x32,0x33,0x31,0x30,0x30,0x30,0x30,0x30,0x30,0x5A,0x30,0x37,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x43,0x5A,0x31,0x0E,0x30,0x0C,0x06,0x03,0x55,0x04,0x0A,0x13,0x05,0x52,0x65,0x62,0x65,0x78,0x31,0x18,0x30,0x16,0x06,0x03,0x55,0x04,0x03,0x13,0x0F,0x77,0x69,0x6E,0x30,0x31,0x2E,0x64,0x30,0x35,0x2E,0x6C,0x6F,0x63,0x61,0x6C,0x30,0x81,0x9F,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x01,0x05,0x00,0x03,0x81,0x8D,0x00,0x30,0x81,0x89,0x02,0x81,0x81,0x00,0xF1,0x4F,0xAC,0x71,0x70,0x8F,0x8A,0xFE,0x38,0x67,0xA7,0x21,0x56,0x8B,0x34,0xBC,0xF5,0xCD,0x48,0x1C,0x69,0xEB,0x83,0x98,0x69,0x3D,0x33,0x2A,0x7B,0x04,0xB1,0x0A,0xA9,0x2C,0x17,0xDD,0x41,0xEC,0x21,0x91,0xB8,0x12,0x95,0xB0,0x4C,0x2A,0x53,0xBF,0x06,0x47,0x72,0xBB,0x68,0xCA,0x49,0x34,0x15,0x7B,0x78,0x4F,0x42,0x03,0xD9,0x58,0xEE,0x9D,0x72,0x61,0xAD,0xAD,0x0C,0x28,0x65,0x61,0x48,0xF8,0x68,0xB5,0x16,0x19,0xD0,0xDD,0x47,0x44,0x86,0xE3,0xA6,0x93,0x81,0xD5,0xA1,0x70,0x23,0x05,0x74,0x33,0xD1,0xD2,0x21,0x17,0x68,0xAF,0x5F,0x25,0xD5,0x8C,0x72,0xF6,0x28,0xF4,0x1F,0x42,0x24,0xCF,0x18,0x7B,0x5D,0xCE,0x29,0x43,0xF2,0x10,0xB6,0x73,0x65,0x4C,0x0A,0x17,0x02,0x03,0x01,0x00,0x01,0xA3,0x81,0x9B,0x30,0x81,0x98,0x30,0x0E,0x06,0x03,0x55,0x1D,0x0F,0x01,0x01,0xFF,0x04,0x04,0x03,0x02,0x05,0xA0,0x30,0x1D,0x06,0x03,0x55,0x1D,0x0E,0x04,0x16,0x04,0x14,0x14,0x00,0x58,0x48,0x55,0x6C,0x45,0xC6,0xCC,0x06,0x25,0x2D,0xD3,0xBA,0x0C,0x08,0x81,0x00,0x58,0xDF,0x30,0x13,0x06,0x03,0x55,0x1D,0x25,0x04,0x0C,0x30,0x0A,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x01,0x30,0x1F,0x06,0x03,0x55,0x1D,0x23,0x04,0x18,0x30,0x16,0x80,0x14,0x3D,0x6F,0xDB,0x4B,0x4F,0x82,0xF1,0xD3,0x10,0xAF,0xF4,0x78,0xB3,0xB4,0xF6,0x3D,0x2B,0x2F,0x6A,0x97,0x30,0x31,0x06,0x03,0x55,0x1D,0x1F,0x04,0x2A,0x30,0x28,0x30,0x26,0xA0,0x24,0xA0,0x22,0x86,0x20,0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,0x74,0x65,0x73,0x74,0x2D,0x63,0x61,0x2E,0x6C,0x6F,0x63,0x61,0x6C,0x2F,0x74,0x65,0x73,0x74,0x2D,0x63,0x61,0x2E,0x63,0x72,0x6C,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x05,0x05,0x00,0x03,0x82,0x01,0x01,0x00,0x22,0x48,0xC3,0x95,0x3A,0x51,0x72,0x15,0x41,0x5B,0x47,0xC4,0xC5,0x4E,0x2E,0x97,0xAC,0x1D,0x0B,0xD1,0xA4,0x38,0xF2,0xFB,0x6E,0x33,0x9D,0xC8,0x93,0x4C,0x88,0x34,0xA3,0x68,0xC7,0xC6,0x42,0x51,0x54,0x31,0x72,0x72,0xEB,0xEE,0x5C,0xF0,0x7D,0xC9,0xC8,0xAE,0x24,0x9F,0xA0,0x1D,0x2E,0xEE,0x84,0x55,0xC3,0x3A,0xC4,0xCE,0xE1,0xB3,0xA2,0xD2,0x1F,0x44,0xC8,0x81,0x0F,0x9C,0xED,0x5B,0x17,0xBB,0x2C,0xDA,0x4A,0x9D,0xF7,0x7D,0x5A,0x08,0x6C,0xA3,0xF4,0xCB,0x55,0xE6,0x1A,0xAA,0xC7,0x14,0x16,0x7D,0x46,0xD0,0x7C,0x71,0xA8,0xA7,0xEA,0xBF,0xA6,0x92,0xD4,0xC5,0x7A,0xB8,0x45,0x3A,0x00,0xB3,0xDC,0x76,0x2E,0xEB,0xB9,0xF4,0x6B,0xDC,0xF2,0xC4,0x7C,0x0C,0xD5,0x1C,0x73,0xE8,0xE1,0xBB,0xC1,0x5C,0xCC,0xD9,0xBE,0xDE,0x61,0x4D,0xEF,0x2B,0x23,0xFA,0xA6,0xF6,0xED,0x4F,0x5F,0x2C,0xCA,0x68,0x29,0x59,0x27,0x82,0x41,0x5E,0xAD,0xC8,0x93,0xBF,0x83,0x01,0x8F,0x32,0xCB,0x79,0xEE,0x93,0x4C,0xCB,0x87,0x48,0x62,0x0D,0x44,0xD7,0x80,0x31,0x87,0x41,0x72,0x2D,0x12,0xA0,0x2C,0x99,0x89,0x08,0x5F,0xE9,0xFE,0x5E,0xB4,0xEC,0xCB,0x6C,0x23,0xC1,0xB8,0xE4,0xD6,0x1E,0x4B,0x9C,0x88,0x0A,0x63,0x65,0x78,0xC0,0x37,0xAC,0x54,0xCB,0xDE,0xA9,0x0F,0x59,0x43,0x1E,0x41,0xF5,0x32,0xAC,0x85,0x69,0xE9,0xBA,0xA6,0x78,0x87,0x88,0x8B,0x71,0xFB,0xE4,0x51,0xC0,0xF5,0xB7,0x4C,0x1F,0xCF,0x6A,0x1C,0xF6,0x1B,0x27,0x50,0xE9,0xAC,0xBF,0xB7,0x4E};
	X509Certificate2 cert = new X509Certificate2 (certData);
	X509Chain chain = new X509Chain (false);
	Assert.False (chain.Build (cert), "Online");

	chain.ChainPolicy.RevocationMode = X509RevocationMode.Offline;
	Assert.False (chain.Build (cert), "Offline");

	chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
	Assert.True (chain.Build (cert), "NoCheck");
}

It's the last call ("NoCheck") that fails in .NET.

Regression?

Yes, with regards to legacy Xamarin.Mac.

Other information

$ dotnet --version
6.0.100-rc.1.21405.1

Binlogs:
binlogs.zip
@dotnet-issue-labeler dotnet-issue-labeler bot added area-System.Security untriaged New issue has not been triaged by the area owner labels Aug 18, 2021
@ghost
Copy link

ghost commented Aug 18, 2021

Tagging subscribers to this area: @bartonjs, @vcsjones, @krwq, @GrabYourPitchforks
See info in area-owners.md if you want to be subscribed.

Issue Details

Description

  • X509Chain.Build fails when chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck (this works in legacy Xamarin.Mac).

I'm not sure if this is an actual bug or the expected behavior now, but it's a difference with regards to legacy Xamarin.Mac

Test case:
X509TestCase-76b9df9.zip

Download, extract, and run make to run on both legacy Xamarin.Mac and then .NET.

The legacy Xamarin.Mac version succeeds, the .NET version fails.

$ make           
/Applications/Xcode_13.0.0-beta5.app/Contents/Developer/usr/bin/make run-legacy
rm -Rf LegacyXamarinMac/bin LegacyXamarinMac/obj
cd LegacyXamarinMac && msbuild /r /bl /v:quiet /nologo
/Library/Frameworks/Mono.framework/Versions/6.12.0/lib/mono/msbuild/15.0/bin/MSBuild.dll /nologo /bl /r /v:quiet ./MyCocoaApp.sln
Building the projects in this solution one at a time. To enable parallel build, please add the "-m" switch.
LegacyXamarinMac/bin/Debug/MyCocoaApp.app/Contents/MacOS/MyCocoaApp

✅ Success!
/Applications/Xcode_13.0.0-beta5.app/Contents/Developer/usr/bin/make run-dotnet
rm -Rf macOS/bin macOS/obj
cd macOS && dotnet build /bl /v:quiet /nologo
/usr/local/share/dotnet/sdk/6.0.100-rc.1.21405.1/MSBuild.dll /nologo -consoleloggerparameters:Summary -distributedlogger:Microsoft.DotNet.Tools.MSBuild.MSBuildLogger,/usr/local/share/dotnet/sdk/6.0.100-rc.1.21405.1/dotnet.dll*Microsoft.DotNet.Tools.MSBuild.MSBuildForwardingLogger,/usr/local/share/dotnet/sdk/6.0.100-rc.1.21405.1/dotnet.dll -maxcpucount -restore -verbosity:m /v:quiet /bl ./MySimpleApp.csproj

Build succeeded.
    0 Warning(s)
    0 Error(s)

Time Elapsed 00:00:21.79
macOS/bin/Debug/net6.0-macos/osx-x64/MySimpleApp.app/Contents/MacOS/MySimpleApp
2021-08-18 10:23:19.741 MySimpleApp[4007:3493418] Xamarin.Mac: Invalid IDE Port: -1
2021-08-18 10:23:19.741 MySimpleApp[4007:3493368] Xamarin.Mac: Debugger not loaded (disabled).
2021-08-18 10:23:19.741 MySimpleApp[4007:3493368] Xamarin.Mac: Profiler not loaded (disabled)

❌ Failure: System.Exception: Assertion failure: NoCheck
   at MySimpleApp.Assert.True(Boolean value, String message) in /Users/rolf/test/dotnet/X509TestCase/AppDelegate.cs:line 63
   at MySimpleApp.Program.Chain() in /Users/rolf/test/dotnet/X509TestCase/AppDelegate.cs:line 48
   at MySimpleApp.Program.Main(String[] args) in /Users/rolf/test/dotnet/X509TestCase/AppDelegate.cs:line 19

This is the code in question:

public static void Chain ()
{
	X509Store store = new X509Store ("Trust");
	store.Open (OpenFlags.ReadWrite);

	string certString = "MIIDGjCCAgKgAwIBAgICApowDQYJKoZIhvcNAQEFBQAwLjELMAkGA1UEBhMCQ1oxDjAMBgNVBAoTBVJlYmV4MQ8wDQYDVQQDEwZUZXN0Q0EwHhcNMDAwMTAxMDAwMDAwWhcNNDkxMjMxMDAwMDAwWjAuMQswCQYDVQQGEwJDWjEOMAwGA1UEChMFUmViZXgxDzANBgNVBAMTBlRlc3RDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMgeRAcaNLTFaaBhFx8RDJ8b9K655dNUXmO11mbImDbPq4qVeZXDgAjnzPov8iBscwfqBvBpF38LsxBIPA2i1d0RMsQruOhJHttA9I0enElUXXj63sOEVNMSQeg1IMyvNeEotag+Gcx6SF+HYnariublETaZGzwAOD2SM49mfqUyfkgeTjdO6qp8xnoEr7dS5pEBHDg70byj/JEeZd3gFea9TiOXhbCrI89dKeWYBeoHFYhhkaSB7q9EOaUEzKo/BQ6PBHFu6odfGkOjXuwfPkY/wUy9U4uj75LmdhzvJf6ifsJS9BQZF4//JcUYSxiyzpxDYqSbTF3g9w5Ds2LOAscCAwEAAaNCMEAwDgYDVR0PAQH/BAQDAgB/MA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFD1v20tPgvHTEK/0eLO09j0rL2qXMA0GCSqGSIb3DQEBBQUAA4IBAQAZIjcdR3EZiFJ67gfCnPBrxVgFNvaRAMCYEYYIGDCAUeB4bLTu9dvun9KFhgVNqjgx+xTTpx9d/5mAZx5W3YAG6faQPCaHccLefB1M1hVPmo8md2uw1a44RHU9LlM0V5Lw8xTKRkQiZz3Ysu0sY27RvLrTptbbfkE4Rp9qAMguZT9cFrgPAzh+0zuo8NNj9Jz7/SSa83yIFmflCsHYSuNyKIy2iaX9TCVbTrwJmRIB65gqtTb6AKtFGIPzsb6nayHvgGHFchrFovcNrvRpE71F38oVG+eCjT23JfiIZim+yJLppSf56167u8etDcQ39j2b9kzWlHIVkVM0REpsKF7S";
	X509Certificate2 rootCert = new X509Certificate2 (Convert.FromBase64String (certString));
	if (!store.Certificates.Contains (rootCert))
		store.Add (rootCert);
	store.Close();

	byte[] certData = new byte[] {0x30,0x82,0x02,0xFA,0x30,0x82,0x01,0xE2,0xA0,0x03,0x02,0x01,0x02,0x02,0x03,0x01,0x4F,0x55,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x05,0x05,0x00,0x30,0x2E,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x43,0x5A,0x31,0x0E,0x30,0x0C,0x06,0x03,0x55,0x04,0x0A,0x13,0x05,0x52,0x65,0x62,0x65,0x78,0x31,0x0F,0x30,0x0D,0x06,0x03,0x55,0x04,0x03,0x13,0x06,0x54,0x65,0x73,0x74,0x43,0x41,0x30,0x1E,0x17,0x0D,0x31,0x32,0x30,0x34,0x32,0x32,0x31,0x38,0x33,0x31,0x35,0x33,0x5A,0x17,0x0D,0x34,0x39,0x31,0x32,0x33,0x31,0x30,0x30,0x30,0x30,0x30,0x30,0x5A,0x30,0x37,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x43,0x5A,0x31,0x0E,0x30,0x0C,0x06,0x03,0x55,0x04,0x0A,0x13,0x05,0x52,0x65,0x62,0x65,0x78,0x31,0x18,0x30,0x16,0x06,0x03,0x55,0x04,0x03,0x13,0x0F,0x77,0x69,0x6E,0x30,0x31,0x2E,0x64,0x30,0x35,0x2E,0x6C,0x6F,0x63,0x61,0x6C,0x30,0x81,0x9F,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x01,0x05,0x00,0x03,0x81,0x8D,0x00,0x30,0x81,0x89,0x02,0x81,0x81,0x00,0xF1,0x4F,0xAC,0x71,0x70,0x8F,0x8A,0xFE,0x38,0x67,0xA7,0x21,0x56,0x8B,0x34,0xBC,0xF5,0xCD,0x48,0x1C,0x69,0xEB,0x83,0x98,0x69,0x3D,0x33,0x2A,0x7B,0x04,0xB1,0x0A,0xA9,0x2C,0x17,0xDD,0x41,0xEC,0x21,0x91,0xB8,0x12,0x95,0xB0,0x4C,0x2A,0x53,0xBF,0x06,0x47,0x72,0xBB,0x68,0xCA,0x49,0x34,0x15,0x7B,0x78,0x4F,0x42,0x03,0xD9,0x58,0xEE,0x9D,0x72,0x61,0xAD,0xAD,0x0C,0x28,0x65,0x61,0x48,0xF8,0x68,0xB5,0x16,0x19,0xD0,0xDD,0x47,0x44,0x86,0xE3,0xA6,0x93,0x81,0xD5,0xA1,0x70,0x23,0x05,0x74,0x33,0xD1,0xD2,0x21,0x17,0x68,0xAF,0x5F,0x25,0xD5,0x8C,0x72,0xF6,0x28,0xF4,0x1F,0x42,0x24,0xCF,0x18,0x7B,0x5D,0xCE,0x29,0x43,0xF2,0x10,0xB6,0x73,0x65,0x4C,0x0A,0x17,0x02,0x03,0x01,0x00,0x01,0xA3,0x81,0x9B,0x30,0x81,0x98,0x30,0x0E,0x06,0x03,0x55,0x1D,0x0F,0x01,0x01,0xFF,0x04,0x04,0x03,0x02,0x05,0xA0,0x30,0x1D,0x06,0x03,0x55,0x1D,0x0E,0x04,0x16,0x04,0x14,0x14,0x00,0x58,0x48,0x55,0x6C,0x45,0xC6,0xCC,0x06,0x25,0x2D,0xD3,0xBA,0x0C,0x08,0x81,0x00,0x58,0xDF,0x30,0x13,0x06,0x03,0x55,0x1D,0x25,0x04,0x0C,0x30,0x0A,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x01,0x30,0x1F,0x06,0x03,0x55,0x1D,0x23,0x04,0x18,0x30,0x16,0x80,0x14,0x3D,0x6F,0xDB,0x4B,0x4F,0x82,0xF1,0xD3,0x10,0xAF,0xF4,0x78,0xB3,0xB4,0xF6,0x3D,0x2B,0x2F,0x6A,0x97,0x30,0x31,0x06,0x03,0x55,0x1D,0x1F,0x04,0x2A,0x30,0x28,0x30,0x26,0xA0,0x24,0xA0,0x22,0x86,0x20,0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,0x74,0x65,0x73,0x74,0x2D,0x63,0x61,0x2E,0x6C,0x6F,0x63,0x61,0x6C,0x2F,0x74,0x65,0x73,0x74,0x2D,0x63,0x61,0x2E,0x63,0x72,0x6C,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x05,0x05,0x00,0x03,0x82,0x01,0x01,0x00,0x22,0x48,0xC3,0x95,0x3A,0x51,0x72,0x15,0x41,0x5B,0x47,0xC4,0xC5,0x4E,0x2E,0x97,0xAC,0x1D,0x0B,0xD1,0xA4,0x38,0xF2,0xFB,0x6E,0x33,0x9D,0xC8,0x93,0x4C,0x88,0x34,0xA3,0x68,0xC7,0xC6,0x42,0x51,0x54,0x31,0x72,0x72,0xEB,0xEE,0x5C,0xF0,0x7D,0xC9,0xC8,0xAE,0x24,0x9F,0xA0,0x1D,0x2E,0xEE,0x84,0x55,0xC3,0x3A,0xC4,0xCE,0xE1,0xB3,0xA2,0xD2,0x1F,0x44,0xC8,0x81,0x0F,0x9C,0xED,0x5B,0x17,0xBB,0x2C,0xDA,0x4A,0x9D,0xF7,0x7D,0x5A,0x08,0x6C,0xA3,0xF4,0xCB,0x55,0xE6,0x1A,0xAA,0xC7,0x14,0x16,0x7D,0x46,0xD0,0x7C,0x71,0xA8,0xA7,0xEA,0xBF,0xA6,0x92,0xD4,0xC5,0x7A,0xB8,0x45,0x3A,0x00,0xB3,0xDC,0x76,0x2E,0xEB,0xB9,0xF4,0x6B,0xDC,0xF2,0xC4,0x7C,0x0C,0xD5,0x1C,0x73,0xE8,0xE1,0xBB,0xC1,0x5C,0xCC,0xD9,0xBE,0xDE,0x61,0x4D,0xEF,0x2B,0x23,0xFA,0xA6,0xF6,0xED,0x4F,0x5F,0x2C,0xCA,0x68,0x29,0x59,0x27,0x82,0x41,0x5E,0xAD,0xC8,0x93,0xBF,0x83,0x01,0x8F,0x32,0xCB,0x79,0xEE,0x93,0x4C,0xCB,0x87,0x48,0x62,0x0D,0x44,0xD7,0x80,0x31,0x87,0x41,0x72,0x2D,0x12,0xA0,0x2C,0x99,0x89,0x08,0x5F,0xE9,0xFE,0x5E,0xB4,0xEC,0xCB,0x6C,0x23,0xC1,0xB8,0xE4,0xD6,0x1E,0x4B,0x9C,0x88,0x0A,0x63,0x65,0x78,0xC0,0x37,0xAC,0x54,0xCB,0xDE,0xA9,0x0F,0x59,0x43,0x1E,0x41,0xF5,0x32,0xAC,0x85,0x69,0xE9,0xBA,0xA6,0x78,0x87,0x88,0x8B,0x71,0xFB,0xE4,0x51,0xC0,0xF5,0xB7,0x4C,0x1F,0xCF,0x6A,0x1C,0xF6,0x1B,0x27,0x50,0xE9,0xAC,0xBF,0xB7,0x4E};
	X509Certificate2 cert = new X509Certificate2 (certData);
	X509Chain chain = new X509Chain (false);
	Assert.False (chain.Build (cert), "Online");

	chain.ChainPolicy.RevocationMode = X509RevocationMode.Offline;
	Assert.False (chain.Build (cert), "Offline");

	chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
	Assert.True (chain.Build (cert), "NoCheck");
}

It's the last call ("NoCheck") that fails in .NET.

Regression?

Yes, with regards to legacy Xamarin.Mac.

Other information

$ dotnet --version
6.0.100-rc.1.21405.1

Binlogs:
binlogs.zip

Author: rolfbjarne
Assignees: -
Labels:

area-System.Security, untriaged
Milestone: -

@rolfbjarne rolfbjarne mentioned this issue Aug 18, 2021
Merged
@filipnavara
Copy link
Member

I'll have a look.

@filipnavara
Copy link
Member

The chain building fails with "One or more certificates required to validate this certificate cannot be found". Given that the issuer of the certificate is "CN=TestCA, O=Rebex, C=CZ", which is not present in the system certificate store, that is quite the expected outcome.

A more sensible check would be something like this (+ using System.Linq):

			byte[] certData = new byte[] {0x30,0x82,0x02,0xFA,0x30,0x82,0x01,0xE2,0xA0,0x03,0x02,0x01,0x02,0x02,0x03,0x01,0x4F,0x55,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x05,0x05,0x00,0x30,0x2E,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x43,0x5A,0x31,0x0E,0x30,0x0C,0x06,0x03,0x55,0x04,0x0A,0x13,0x05,0x52,0x65,0x62,0x65,0x78,0x31,0x0F,0x30,0x0D,0x06,0x03,0x55,0x04,0x03,0x13,0x06,0x54,0x65,0x73,0x74,0x43,0x41,0x30,0x1E,0x17,0x0D,0x31,0x32,0x30,0x34,0x32,0x32,0x31,0x38,0x33,0x31,0x35,0x33,0x5A,0x17,0x0D,0x34,0x39,0x31,0x32,0x33,0x31,0x30,0x30,0x30,0x30,0x30,0x30,0x5A,0x30,0x37,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x43,0x5A,0x31,0x0E,0x30,0x0C,0x06,0x03,0x55,0x04,0x0A,0x13,0x05,0x52,0x65,0x62,0x65,0x78,0x31,0x18,0x30,0x16,0x06,0x03,0x55,0x04,0x03,0x13,0x0F,0x77,0x69,0x6E,0x30,0x31,0x2E,0x64,0x30,0x35,0x2E,0x6C,0x6F,0x63,0x61,0x6C,0x30,0x81,0x9F,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x01,0x05,0x00,0x03,0x81,0x8D,0x00,0x30,0x81,0x89,0x02,0x81,0x81,0x00,0xF1,0x4F,0xAC,0x71,0x70,0x8F,0x8A,0xFE,0x38,0x67,0xA7,0x21,0x56,0x8B,0x34,0xBC,0xF5,0xCD,0x48,0x1C,0x69,0xEB,0x83,0x98,0x69,0x3D,0x33,0x2A,0x7B,0x04,0xB1,0x0A,0xA9,0x2C,0x17,0xDD,0x41,0xEC,0x21,0x91,0xB8,0x12,0x95,0xB0,0x4C,0x2A,0x53,0xBF,0x06,0x47,0x72,0xBB,0x68,0xCA,0x49,0x34,0x15,0x7B,0x78,0x4F,0x42,0x03,0xD9,0x58,0xEE,0x9D,0x72,0x61,0xAD,0xAD,0x0C,0x28,0x65,0x61,0x48,0xF8,0x68,0xB5,0x16,0x19,0xD0,0xDD,0x47,0x44,0x86,0xE3,0xA6,0x93,0x81,0xD5,0xA1,0x70,0x23,0x05,0x74,0x33,0xD1,0xD2,0x21,0x17,0x68,0xAF,0x5F,0x25,0xD5,0x8C,0x72,0xF6,0x28,0xF4,0x1F,0x42,0x24,0xCF,0x18,0x7B,0x5D,0xCE,0x29,0x43,0xF2,0x10,0xB6,0x73,0x65,0x4C,0x0A,0x17,0x02,0x03,0x01,0x00,0x01,0xA3,0x81,0x9B,0x30,0x81,0x98,0x30,0x0E,0x06,0x03,0x55,0x1D,0x0F,0x01,0x01,0xFF,0x04,0x04,0x03,0x02,0x05,0xA0,0x30,0x1D,0x06,0x03,0x55,0x1D,0x0E,0x04,0x16,0x04,0x14,0x14,0x00,0x58,0x48,0x55,0x6C,0x45,0xC6,0xCC,0x06,0x25,0x2D,0xD3,0xBA,0x0C,0x08,0x81,0x00,0x58,0xDF,0x30,0x13,0x06,0x03,0x55,0x1D,0x25,0x04,0x0C,0x30,0x0A,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x01,0x30,0x1F,0x06,0x03,0x55,0x1D,0x23,0x04,0x18,0x30,0x16,0x80,0x14,0x3D,0x6F,0xDB,0x4B,0x4F,0x82,0xF1,0xD3,0x10,0xAF,0xF4,0x78,0xB3,0xB4,0xF6,0x3D,0x2B,0x2F,0x6A,0x97,0x30,0x31,0x06,0x03,0x55,0x1D,0x1F,0x04,0x2A,0x30,0x28,0x30,0x26,0xA0,0x24,0xA0,0x22,0x86,0x20,0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,0x74,0x65,0x73,0x74,0x2D,0x63,0x61,0x2E,0x6C,0x6F,0x63,0x61,0x6C,0x2F,0x74,0x65,0x73,0x74,0x2D,0x63,0x61,0x2E,0x63,0x72,0x6C,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x05,0x05,0x00,0x03,0x82,0x01,0x01,0x00,0x22,0x48,0xC3,0x95,0x3A,0x51,0x72,0x15,0x41,0x5B,0x47,0xC4,0xC5,0x4E,0x2E,0x97,0xAC,0x1D,0x0B,0xD1,0xA4,0x38,0xF2,0xFB,0x6E,0x33,0x9D,0xC8,0x93,0x4C,0x88,0x34,0xA3,0x68,0xC7,0xC6,0x42,0x51,0x54,0x31,0x72,0x72,0xEB,0xEE,0x5C,0xF0,0x7D,0xC9,0xC8,0xAE,0x24,0x9F,0xA0,0x1D,0x2E,0xEE,0x84,0x55,0xC3,0x3A,0xC4,0xCE,0xE1,0xB3,0xA2,0xD2,0x1F,0x44,0xC8,0x81,0x0F,0x9C,0xED,0x5B,0x17,0xBB,0x2C,0xDA,0x4A,0x9D,0xF7,0x7D,0x5A,0x08,0x6C,0xA3,0xF4,0xCB,0x55,0xE6,0x1A,0xAA,0xC7,0x14,0x16,0x7D,0x46,0xD0,0x7C,0x71,0xA8,0xA7,0xEA,0xBF,0xA6,0x92,0xD4,0xC5,0x7A,0xB8,0x45,0x3A,0x00,0xB3,0xDC,0x76,0x2E,0xEB,0xB9,0xF4,0x6B,0xDC,0xF2,0xC4,0x7C,0x0C,0xD5,0x1C,0x73,0xE8,0xE1,0xBB,0xC1,0x5C,0xCC,0xD9,0xBE,0xDE,0x61,0x4D,0xEF,0x2B,0x23,0xFA,0xA6,0xF6,0xED,0x4F,0x5F,0x2C,0xCA,0x68,0x29,0x59,0x27,0x82,0x41,0x5E,0xAD,0xC8,0x93,0xBF,0x83,0x01,0x8F,0x32,0xCB,0x79,0xEE,0x93,0x4C,0xCB,0x87,0x48,0x62,0x0D,0x44,0xD7,0x80,0x31,0x87,0x41,0x72,0x2D,0x12,0xA0,0x2C,0x99,0x89,0x08,0x5F,0xE9,0xFE,0x5E,0xB4,0xEC,0xCB,0x6C,0x23,0xC1,0xB8,0xE4,0xD6,0x1E,0x4B,0x9C,0x88,0x0A,0x63,0x65,0x78,0xC0,0x37,0xAC,0x54,0xCB,0xDE,0xA9,0x0F,0x59,0x43,0x1E,0x41,0xF5,0x32,0xAC,0x85,0x69,0xE9,0xBA,0xA6,0x78,0x87,0x88,0x8B,0x71,0xFB,0xE4,0x51,0xC0,0xF5,0xB7,0x4C,0x1F,0xCF,0x6A,0x1C,0xF6,0x1B,0x27,0x50,0xE9,0xAC,0xBF,0xB7,0x4E};
			X509Certificate2 cert = new X509Certificate2 (certData);
			X509Chain chain = new X509Chain (false);
			Assert.False (chain.Build (cert), "Online");
			Assert.True (chain.ChainStatus.Any (s => s.Status.HasFlag (X509ChainStatusFlags.RevocationStatusUnknown)), "Online");
			Assert.True (chain.ChainStatus.Any (s => s.Status.HasFlag (X509ChainStatusFlags.PartialChain)), "Online");

			chain.ChainPolicy.RevocationMode = X509RevocationMode.Offline;
			Assert.False (chain.Build (cert), "Offline");
			Assert.True (chain.ChainStatus.Any (s => s.Status.HasFlag (X509ChainStatusFlags.RevocationStatusUnknown)), "Offline");
			Assert.True (chain.ChainStatus.Any (s => s.Status.HasFlag (X509ChainStatusFlags.PartialChain)), "Offline");

			chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
			Assert.False (chain.Build (cert), "NoCheck");
			Assert.False (chain.ChainStatus.Any (s => s.Status.HasFlag (X509ChainStatusFlags.RevocationStatusUnknown)), "NoCheck");
			Assert.True (chain.ChainStatus.Any (s => s.Status.HasFlag (X509ChainStatusFlags.PartialChain)), "NoCheck");

@rolfbjarne
Copy link
Member Author

CC @spouliot

@filipnavara
Copy link
Member

Btw, I tried to track down why it would succeed on Mono. Turns out it probably didn't succeed either. The test in Xamarin has the last check defined as

#if __MACOS__
			// Not sure if this is expected on macOS, or if it's a bug somewhere in our code.
			Assert.False (chain.Build (cert), "NoCheck");
#else
			Assert.True (chain.Build (cert), "NoCheck");
#endif

@rolfbjarne
Copy link
Member Author

@filipnavara I added that #if __MACOS__ for .NET/macOS; this particular test case was never executed with legacy Xamarin.Mac (but once I tried, it turned out to work).

@rolfbjarne
Copy link
Member Author

Ref: xamarin/xamarin-macios#12462 (comment)

@filipnavara
Copy link
Member

Ah, I see now. The root certificate is actually the first one in the base64 string. There's no special case handling of a "Trust" store in dotnet/runtime though so it basically creates a user store with a custom name that does not participate in the certificate validation. Normally one would use something like chain.ChainPolicy.ExtraStore.Add (rootCert); to add the certificate to the chain but it still fails for me. I'll continue investigating.

@filipnavara
Copy link
Member

Here's a version with using the ExtraStore:

			string certString = "MIIDGjCCAgKgAwIBAgICApowDQYJKoZIhvcNAQEFBQAwLjELMAkGA1UEBhMCQ1oxDjAMBgNVBAoTBVJlYmV4MQ8wDQYDVQQDEwZUZXN0Q0EwHhcNMDAwMTAxMDAwMDAwWhcNNDkxMjMxMDAwMDAwWjAuMQswCQYDVQQGEwJDWjEOMAwGA1UEChMFUmViZXgxDzANBgNVBAMTBlRlc3RDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMgeRAcaNLTFaaBhFx8RDJ8b9K655dNUXmO11mbImDbPq4qVeZXDgAjnzPov8iBscwfqBvBpF38LsxBIPA2i1d0RMsQruOhJHttA9I0enElUXXj63sOEVNMSQeg1IMyvNeEotag+Gcx6SF+HYnariublETaZGzwAOD2SM49mfqUyfkgeTjdO6qp8xnoEr7dS5pEBHDg70byj/JEeZd3gFea9TiOXhbCrI89dKeWYBeoHFYhhkaSB7q9EOaUEzKo/BQ6PBHFu6odfGkOjXuwfPkY/wUy9U4uj75LmdhzvJf6ifsJS9BQZF4//JcUYSxiyzpxDYqSbTF3g9w5Ds2LOAscCAwEAAaNCMEAwDgYDVR0PAQH/BAQDAgB/MA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFD1v20tPgvHTEK/0eLO09j0rL2qXMA0GCSqGSIb3DQEBBQUAA4IBAQAZIjcdR3EZiFJ67gfCnPBrxVgFNvaRAMCYEYYIGDCAUeB4bLTu9dvun9KFhgVNqjgx+xTTpx9d/5mAZx5W3YAG6faQPCaHccLefB1M1hVPmo8md2uw1a44RHU9LlM0V5Lw8xTKRkQiZz3Ysu0sY27RvLrTptbbfkE4Rp9qAMguZT9cFrgPAzh+0zuo8NNj9Jz7/SSa83yIFmflCsHYSuNyKIy2iaX9TCVbTrwJmRIB65gqtTb6AKtFGIPzsb6nayHvgGHFchrFovcNrvRpE71F38oVG+eCjT23JfiIZim+yJLppSf56167u8etDcQ39j2b9kzWlHIVkVM0REpsKF7S";
			X509Certificate2 rootCert = new X509Certificate2 (Convert.FromBase64String (certString));

			byte[] certData = new byte[] {0x30,0x82,0x02,0xFA,0x30,0x82,0x01,0xE2,0xA0,0x03,0x02,0x01,0x02,0x02,0x03,0x01,0x4F,0x55,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x05,0x05,0x00,0x30,0x2E,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x43,0x5A,0x31,0x0E,0x30,0x0C,0x06,0x03,0x55,0x04,0x0A,0x13,0x05,0x52,0x65,0x62,0x65,0x78,0x31,0x0F,0x30,0x0D,0x06,0x03,0x55,0x04,0x03,0x13,0x06,0x54,0x65,0x73,0x74,0x43,0x41,0x30,0x1E,0x17,0x0D,0x31,0x32,0x30,0x34,0x32,0x32,0x31,0x38,0x33,0x31,0x35,0x33,0x5A,0x17,0x0D,0x34,0x39,0x31,0x32,0x33,0x31,0x30,0x30,0x30,0x30,0x30,0x30,0x5A,0x30,0x37,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x43,0x5A,0x31,0x0E,0x30,0x0C,0x06,0x03,0x55,0x04,0x0A,0x13,0x05,0x52,0x65,0x62,0x65,0x78,0x31,0x18,0x30,0x16,0x06,0x03,0x55,0x04,0x03,0x13,0x0F,0x77,0x69,0x6E,0x30,0x31,0x2E,0x64,0x30,0x35,0x2E,0x6C,0x6F,0x63,0x61,0x6C,0x30,0x81,0x9F,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x01,0x05,0x00,0x03,0x81,0x8D,0x00,0x30,0x81,0x89,0x02,0x81,0x81,0x00,0xF1,0x4F,0xAC,0x71,0x70,0x8F,0x8A,0xFE,0x38,0x67,0xA7,0x21,0x56,0x8B,0x34,0xBC,0xF5,0xCD,0x48,0x1C,0x69,0xEB,0x83,0x98,0x69,0x3D,0x33,0x2A,0x7B,0x04,0xB1,0x0A,0xA9,0x2C,0x17,0xDD,0x41,0xEC,0x21,0x91,0xB8,0x12,0x95,0xB0,0x4C,0x2A,0x53,0xBF,0x06,0x47,0x72,0xBB,0x68,0xCA,0x49,0x34,0x15,0x7B,0x78,0x4F,0x42,0x03,0xD9,0x58,0xEE,0x9D,0x72,0x61,0xAD,0xAD,0x0C,0x28,0x65,0x61,0x48,0xF8,0x68,0xB5,0x16,0x19,0xD0,0xDD,0x47,0x44,0x86,0xE3,0xA6,0x93,0x81,0xD5,0xA1,0x70,0x23,0x05,0x74,0x33,0xD1,0xD2,0x21,0x17,0x68,0xAF,0x5F,0x25,0xD5,0x8C,0x72,0xF6,0x28,0xF4,0x1F,0x42,0x24,0xCF,0x18,0x7B,0x5D,0xCE,0x29,0x43,0xF2,0x10,0xB6,0x73,0x65,0x4C,0x0A,0x17,0x02,0x03,0x01,0x00,0x01,0xA3,0x81,0x9B,0x30,0x81,0x98,0x30,0x0E,0x06,0x03,0x55,0x1D,0x0F,0x01,0x01,0xFF,0x04,0x04,0x03,0x02,0x05,0xA0,0x30,0x1D,0x06,0x03,0x55,0x1D,0x0E,0x04,0x16,0x04,0x14,0x14,0x00,0x58,0x48,0x55,0x6C,0x45,0xC6,0xCC,0x06,0x25,0x2D,0xD3,0xBA,0x0C,0x08,0x81,0x00,0x58,0xDF,0x30,0x13,0x06,0x03,0x55,0x1D,0x25,0x04,0x0C,0x30,0x0A,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x01,0x30,0x1F,0x06,0x03,0x55,0x1D,0x23,0x04,0x18,0x30,0x16,0x80,0x14,0x3D,0x6F,0xDB,0x4B,0x4F,0x82,0xF1,0xD3,0x10,0xAF,0xF4,0x78,0xB3,0xB4,0xF6,0x3D,0x2B,0x2F,0x6A,0x97,0x30,0x31,0x06,0x03,0x55,0x1D,0x1F,0x04,0x2A,0x30,0x28,0x30,0x26,0xA0,0x24,0xA0,0x22,0x86,0x20,0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,0x74,0x65,0x73,0x74,0x2D,0x63,0x61,0x2E,0x6C,0x6F,0x63,0x61,0x6C,0x2F,0x74,0x65,0x73,0x74,0x2D,0x63,0x61,0x2E,0x63,0x72,0x6C,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x05,0x05,0x00,0x03,0x82,0x01,0x01,0x00,0x22,0x48,0xC3,0x95,0x3A,0x51,0x72,0x15,0x41,0x5B,0x47,0xC4,0xC5,0x4E,0x2E,0x97,0xAC,0x1D,0x0B,0xD1,0xA4,0x38,0xF2,0xFB,0x6E,0x33,0x9D,0xC8,0x93,0x4C,0x88,0x34,0xA3,0x68,0xC7,0xC6,0x42,0x51,0x54,0x31,0x72,0x72,0xEB,0xEE,0x5C,0xF0,0x7D,0xC9,0xC8,0xAE,0x24,0x9F,0xA0,0x1D,0x2E,0xEE,0x84,0x55,0xC3,0x3A,0xC4,0xCE,0xE1,0xB3,0xA2,0xD2,0x1F,0x44,0xC8,0x81,0x0F,0x9C,0xED,0x5B,0x17,0xBB,0x2C,0xDA,0x4A,0x9D,0xF7,0x7D,0x5A,0x08,0x6C,0xA3,0xF4,0xCB,0x55,0xE6,0x1A,0xAA,0xC7,0x14,0x16,0x7D,0x46,0xD0,0x7C,0x71,0xA8,0xA7,0xEA,0xBF,0xA6,0x92,0xD4,0xC5,0x7A,0xB8,0x45,0x3A,0x00,0xB3,0xDC,0x76,0x2E,0xEB,0xB9,0xF4,0x6B,0xDC,0xF2,0xC4,0x7C,0x0C,0xD5,0x1C,0x73,0xE8,0xE1,0xBB,0xC1,0x5C,0xCC,0xD9,0xBE,0xDE,0x61,0x4D,0xEF,0x2B,0x23,0xFA,0xA6,0xF6,0xED,0x4F,0x5F,0x2C,0xCA,0x68,0x29,0x59,0x27,0x82,0x41,0x5E,0xAD,0xC8,0x93,0xBF,0x83,0x01,0x8F,0x32,0xCB,0x79,0xEE,0x93,0x4C,0xCB,0x87,0x48,0x62,0x0D,0x44,0xD7,0x80,0x31,0x87,0x41,0x72,0x2D,0x12,0xA0,0x2C,0x99,0x89,0x08,0x5F,0xE9,0xFE,0x5E,0xB4,0xEC,0xCB,0x6C,0x23,0xC1,0xB8,0xE4,0xD6,0x1E,0x4B,0x9C,0x88,0x0A,0x63,0x65,0x78,0xC0,0x37,0xAC,0x54,0xCB,0xDE,0xA9,0x0F,0x59,0x43,0x1E,0x41,0xF5,0x32,0xAC,0x85,0x69,0xE9,0xBA,0xA6,0x78,0x87,0x88,0x8B,0x71,0xFB,0xE4,0x51,0xC0,0xF5,0xB7,0x4C,0x1F,0xCF,0x6A,0x1C,0xF6,0x1B,0x27,0x50,0xE9,0xAC,0xBF,0xB7,0x4E};
			X509Certificate2 cert = new X509Certificate2 (certData);
			X509Chain chain = new X509Chain (false);
			chain.ChainPolicy.ExtraStore.Add (rootCert);
			Assert.False (chain.Build (cert), "Online");
			Assert.True (chain.ChainStatus.Any (s => s.Status.HasFlag (X509ChainStatusFlags.RevocationStatusUnknown)), "Online");
			Assert.True (chain.ChainStatus.Any (s => s.Status.HasFlag (X509ChainStatusFlags.UntrustedRoot)), "Online");

			chain.ChainPolicy.RevocationMode = X509RevocationMode.Offline;
			Assert.False (chain.Build (cert), "Offline");
			Assert.True (chain.ChainStatus.Any (s => s.Status.HasFlag (X509ChainStatusFlags.RevocationStatusUnknown)), "Offline");
			Assert.True (chain.ChainStatus.Any (s => s.Status.HasFlag (X509ChainStatusFlags.UntrustedRoot)), "Offline");

			chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
			Assert.False (chain.Build (cert), "NoCheck");
			Assert.False (chain.ChainStatus.Any (s => s.Status.HasFlag (X509ChainStatusFlags.RevocationStatusUnknown)), "NoCheck");
			Assert.True (chain.ChainStatus.Any (s => s.Status.HasFlag (X509ChainStatusFlags.UntrustedRoot)), "NoCheck");

It still fails the build but this time with UntrustedRoot status. That is consistent between classic Mono and .NET 6. I don't think there's currently a way to emulate the behavior of the special "Trust" store.

@vcsjones
Copy link
Member

I don't think there's currently a way to emulate the behavior of the special "Trust" store.

.NET 5+ has CustomTrustStore and TrustMode. It's not really a trust store in the same sense of an X509Store though.

@filipnavara
Copy link
Member

@vcsjones Thanks. I must have missed when it was added.

@filipnavara
Copy link
Member

So, here's a version with CustomTrustStore:

			string certString = "MIIDGjCCAgKgAwIBAgICApowDQYJKoZIhvcNAQEFBQAwLjELMAkGA1UEBhMCQ1oxDjAMBgNVBAoTBVJlYmV4MQ8wDQYDVQQDEwZUZXN0Q0EwHhcNMDAwMTAxMDAwMDAwWhcNNDkxMjMxMDAwMDAwWjAuMQswCQYDVQQGEwJDWjEOMAwGA1UEChMFUmViZXgxDzANBgNVBAMTBlRlc3RDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMgeRAcaNLTFaaBhFx8RDJ8b9K655dNUXmO11mbImDbPq4qVeZXDgAjnzPov8iBscwfqBvBpF38LsxBIPA2i1d0RMsQruOhJHttA9I0enElUXXj63sOEVNMSQeg1IMyvNeEotag+Gcx6SF+HYnariublETaZGzwAOD2SM49mfqUyfkgeTjdO6qp8xnoEr7dS5pEBHDg70byj/JEeZd3gFea9TiOXhbCrI89dKeWYBeoHFYhhkaSB7q9EOaUEzKo/BQ6PBHFu6odfGkOjXuwfPkY/wUy9U4uj75LmdhzvJf6ifsJS9BQZF4//JcUYSxiyzpxDYqSbTF3g9w5Ds2LOAscCAwEAAaNCMEAwDgYDVR0PAQH/BAQDAgB/MA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFD1v20tPgvHTEK/0eLO09j0rL2qXMA0GCSqGSIb3DQEBBQUAA4IBAQAZIjcdR3EZiFJ67gfCnPBrxVgFNvaRAMCYEYYIGDCAUeB4bLTu9dvun9KFhgVNqjgx+xTTpx9d/5mAZx5W3YAG6faQPCaHccLefB1M1hVPmo8md2uw1a44RHU9LlM0V5Lw8xTKRkQiZz3Ysu0sY27RvLrTptbbfkE4Rp9qAMguZT9cFrgPAzh+0zuo8NNj9Jz7/SSa83yIFmflCsHYSuNyKIy2iaX9TCVbTrwJmRIB65gqtTb6AKtFGIPzsb6nayHvgGHFchrFovcNrvRpE71F38oVG+eCjT23JfiIZim+yJLppSf56167u8etDcQ39j2b9kzWlHIVkVM0REpsKF7S";
			X509Certificate2 rootCert = new X509Certificate2 (Convert.FromBase64String (certString));

			byte[] certData = new byte[] {0x30,0x82,0x02,0xFA,0x30,0x82,0x01,0xE2,0xA0,0x03,0x02,0x01,0x02,0x02,0x03,0x01,0x4F,0x55,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x05,0x05,0x00,0x30,0x2E,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x43,0x5A,0x31,0x0E,0x30,0x0C,0x06,0x03,0x55,0x04,0x0A,0x13,0x05,0x52,0x65,0x62,0x65,0x78,0x31,0x0F,0x30,0x0D,0x06,0x03,0x55,0x04,0x03,0x13,0x06,0x54,0x65,0x73,0x74,0x43,0x41,0x30,0x1E,0x17,0x0D,0x31,0x32,0x30,0x34,0x32,0x32,0x31,0x38,0x33,0x31,0x35,0x33,0x5A,0x17,0x0D,0x34,0x39,0x31,0x32,0x33,0x31,0x30,0x30,0x30,0x30,0x30,0x30,0x5A,0x30,0x37,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x43,0x5A,0x31,0x0E,0x30,0x0C,0x06,0x03,0x55,0x04,0x0A,0x13,0x05,0x52,0x65,0x62,0x65,0x78,0x31,0x18,0x30,0x16,0x06,0x03,0x55,0x04,0x03,0x13,0x0F,0x77,0x69,0x6E,0x30,0x31,0x2E,0x64,0x30,0x35,0x2E,0x6C,0x6F,0x63,0x61,0x6C,0x30,0x81,0x9F,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x01,0x05,0x00,0x03,0x81,0x8D,0x00,0x30,0x81,0x89,0x02,0x81,0x81,0x00,0xF1,0x4F,0xAC,0x71,0x70,0x8F,0x8A,0xFE,0x38,0x67,0xA7,0x21,0x56,0x8B,0x34,0xBC,0xF5,0xCD,0x48,0x1C,0x69,0xEB,0x83,0x98,0x69,0x3D,0x33,0x2A,0x7B,0x04,0xB1,0x0A,0xA9,0x2C,0x17,0xDD,0x41,0xEC,0x21,0x91,0xB8,0x12,0x95,0xB0,0x4C,0x2A,0x53,0xBF,0x06,0x47,0x72,0xBB,0x68,0xCA,0x49,0x34,0x15,0x7B,0x78,0x4F,0x42,0x03,0xD9,0x58,0xEE,0x9D,0x72,0x61,0xAD,0xAD,0x0C,0x28,0x65,0x61,0x48,0xF8,0x68,0xB5,0x16,0x19,0xD0,0xDD,0x47,0x44,0x86,0xE3,0xA6,0x93,0x81,0xD5,0xA1,0x70,0x23,0x05,0x74,0x33,0xD1,0xD2,0x21,0x17,0x68,0xAF,0x5F,0x25,0xD5,0x8C,0x72,0xF6,0x28,0xF4,0x1F,0x42,0x24,0xCF,0x18,0x7B,0x5D,0xCE,0x29,0x43,0xF2,0x10,0xB6,0x73,0x65,0x4C,0x0A,0x17,0x02,0x03,0x01,0x00,0x01,0xA3,0x81,0x9B,0x30,0x81,0x98,0x30,0x0E,0x06,0x03,0x55,0x1D,0x0F,0x01,0x01,0xFF,0x04,0x04,0x03,0x02,0x05,0xA0,0x30,0x1D,0x06,0x03,0x55,0x1D,0x0E,0x04,0x16,0x04,0x14,0x14,0x00,0x58,0x48,0x55,0x6C,0x45,0xC6,0xCC,0x06,0x25,0x2D,0xD3,0xBA,0x0C,0x08,0x81,0x00,0x58,0xDF,0x30,0x13,0x06,0x03,0x55,0x1D,0x25,0x04,0x0C,0x30,0x0A,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x01,0x30,0x1F,0x06,0x03,0x55,0x1D,0x23,0x04,0x18,0x30,0x16,0x80,0x14,0x3D,0x6F,0xDB,0x4B,0x4F,0x82,0xF1,0xD3,0x10,0xAF,0xF4,0x78,0xB3,0xB4,0xF6,0x3D,0x2B,0x2F,0x6A,0x97,0x30,0x31,0x06,0x03,0x55,0x1D,0x1F,0x04,0x2A,0x30,0x28,0x30,0x26,0xA0,0x24,0xA0,0x22,0x86,0x20,0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,0x74,0x65,0x73,0x74,0x2D,0x63,0x61,0x2E,0x6C,0x6F,0x63,0x61,0x6C,0x2F,0x74,0x65,0x73,0x74,0x2D,0x63,0x61,0x2E,0x63,0x72,0x6C,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x05,0x05,0x00,0x03,0x82,0x01,0x01,0x00,0x22,0x48,0xC3,0x95,0x3A,0x51,0x72,0x15,0x41,0x5B,0x47,0xC4,0xC5,0x4E,0x2E,0x97,0xAC,0x1D,0x0B,0xD1,0xA4,0x38,0xF2,0xFB,0x6E,0x33,0x9D,0xC8,0x93,0x4C,0x88,0x34,0xA3,0x68,0xC7,0xC6,0x42,0x51,0x54,0x31,0x72,0x72,0xEB,0xEE,0x5C,0xF0,0x7D,0xC9,0xC8,0xAE,0x24,0x9F,0xA0,0x1D,0x2E,0xEE,0x84,0x55,0xC3,0x3A,0xC4,0xCE,0xE1,0xB3,0xA2,0xD2,0x1F,0x44,0xC8,0x81,0x0F,0x9C,0xED,0x5B,0x17,0xBB,0x2C,0xDA,0x4A,0x9D,0xF7,0x7D,0x5A,0x08,0x6C,0xA3,0xF4,0xCB,0x55,0xE6,0x1A,0xAA,0xC7,0x14,0x16,0x7D,0x46,0xD0,0x7C,0x71,0xA8,0xA7,0xEA,0xBF,0xA6,0x92,0xD4,0xC5,0x7A,0xB8,0x45,0x3A,0x00,0xB3,0xDC,0x76,0x2E,0xEB,0xB9,0xF4,0x6B,0xDC,0xF2,0xC4,0x7C,0x0C,0xD5,0x1C,0x73,0xE8,0xE1,0xBB,0xC1,0x5C,0xCC,0xD9,0xBE,0xDE,0x61,0x4D,0xEF,0x2B,0x23,0xFA,0xA6,0xF6,0xED,0x4F,0x5F,0x2C,0xCA,0x68,0x29,0x59,0x27,0x82,0x41,0x5E,0xAD,0xC8,0x93,0xBF,0x83,0x01,0x8F,0x32,0xCB,0x79,0xEE,0x93,0x4C,0xCB,0x87,0x48,0x62,0x0D,0x44,0xD7,0x80,0x31,0x87,0x41,0x72,0x2D,0x12,0xA0,0x2C,0x99,0x89,0x08,0x5F,0xE9,0xFE,0x5E,0xB4,0xEC,0xCB,0x6C,0x23,0xC1,0xB8,0xE4,0xD6,0x1E,0x4B,0x9C,0x88,0x0A,0x63,0x65,0x78,0xC0,0x37,0xAC,0x54,0xCB,0xDE,0xA9,0x0F,0x59,0x43,0x1E,0x41,0xF5,0x32,0xAC,0x85,0x69,0xE9,0xBA,0xA6,0x78,0x87,0x88,0x8B,0x71,0xFB,0xE4,0x51,0xC0,0xF5,0xB7,0x4C,0x1F,0xCF,0x6A,0x1C,0xF6,0x1B,0x27,0x50,0xE9,0xAC,0xBF,0xB7,0x4E};
			X509Certificate2 cert = new X509Certificate2 (certData);
			X509Chain chain = new X509Chain (false);
			chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
			chain.ChainPolicy.CustomTrustStore.Add (rootCert);
			Assert.False (chain.Build (cert), "Online");
			Assert.True (chain.ChainStatus.Any (s => s.Status.HasFlag (X509ChainStatusFlags.RevocationStatusUnknown)), "Online");

			chain.ChainPolicy.RevocationMode = X509RevocationMode.Offline;
			Assert.False (chain.Build (cert), "Offline");
			Assert.True (chain.ChainStatus.Any (s => s.Status.HasFlag (X509ChainStatusFlags.RevocationStatusUnknown)), "Offline");

			chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
			Assert.True (chain.Build (cert), "NoCheck");
			Assert.True (chain.ChainStatus.Length == 0, "NoCheck");

The asserts should work on classic Mono too, just the initial setup is different.

@rolfbjarne rolfbjarne mentioned this issue Aug 25, 2021
Closed
61 tasks
@marek-safar marek-safar added the os-mac-os-x macOS aka OSX label Aug 27, 2021
@filipnavara filipnavara mentioned this issue Sep 8, 2021
Merged
@ghost ghost locked as resolved and limited conversation to collaborators Oct 9, 2021
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
area-System.Security os-mac-os-x macOS aka OSX untriaged New issue has not been triaged by the area owner
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Update CryptoTest for .NET 6 filipnavara/xamarin-macios
4 participants
@rolfbjarne @marek-safar @vcsjones @filipnavara