Bug 13732 - X509Chain is empty after upgrade
Summary: X509Chain is empty after upgrade
Status: RESOLVED NOT_ON_ROADMAP
Alias: None
Product: iOS
Classification: Xamarin
Component: General ()
Version: 6.9.5.x
Hardware: Macintosh Mac OS
: --- normal
Target Milestone: Untriaged
Assignee: Bugzilla
URL:
Depends on:
Blocks:
 
Reported: 2013-08-02 19:00 UTC by Mark Swiatek
Modified: 2014-02-26 08:36 UTC
CC List: 4 users

Tags:
Is this bug a regression?: ---
Last known good build:


Attachments
Working on Mono for Android (20.96 KB, image/png)
2013-08-02 19:00 UTC, Mark Swiatek


Notice (2018-05-24): bugzilla.xamarin.com is now in read-only mode.



Description Mark Swiatek 2013-08-02 19:00:00 UTC
Created attachment 4533 [details]
Working on Mono for Android

The following code works on the latest Mono for Android as well as an earlier version of MonoTouch:

    using System.Collections.Generic;
    using System.Net.Security;
    using System.Net.Sockets;
    using System.Security.Cryptography.X509Certificates;

    // Fields the snippet relies on (assumed from the usage below): the raw socket,
    // its stream, the TLS wrapper and the list of pinned server-certificate thumbprints.
    private TcpClient _tcpClient;
    private NetworkStream _networkStream;
    private SslStream _sslStream;
    private readonly List<string> _thumbprints = new List<string>();

    // Method name assumed; the original snippet shows only the body.
    public void Connect(string address, int port)
    {
        _tcpClient = new TcpClient(address, port);
        _networkStream = _tcpClient.GetStream();

        // The validation callback is consulted when the platform reports a policy error.
        _sslStream = new SslStream(_networkStream, false, ValidateSslAsSender, null);
        _sslStream.AuthenticateAsClient("xxxx.com"); //throws exception
    }

    public bool ValidateSslAsSender(object sender, X509Certificate serverCertificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
    {
        if (sslPolicyErrors == SslPolicyErrors.None)
            return true;

        // The pin is applied only when the chain reports a trust-anchor problem
        // (UntrustedRoot or PartialChain, i.e. a self-signed or privately issued certificate).
        bool selfSignedCertificate = false;
        for (int i = 0; i < chain.ChainStatus.Length; i++)
        {
            if (chain.ChainStatus[i].Status != X509ChainStatusFlags.PartialChain &&
                chain.ChainStatus[i].Status != X509ChainStatusFlags.UntrustedRoot) continue;

            selfSignedCertificate = true;
            break;
        }

        // If ChainStatus is empty (the behaviour reported here) the loop never runs,
        // selfSignedCertificate stays false and the connection is refused (fail closed).
        var valid = false;
        if (selfSignedCertificate && serverCertificate != null)
        {
            var serverCertificate2 = new X509Certificate2(serverCertificate);
            valid = _thumbprints.Exists(t => t == serverCertificate2.Thumbprint);
        }
        return valid;
    }

The issue is that chain.ChainStatus is now an empty list. This seems to have broken when I updated to 4.0.10 (build 7).

Here is the version info from the broken and working versions:

Here is the info of the version that does not work:
=== Xamarin Studio ===

Version 4.0.10 (build 7)
Installation UUID: 16dc71c9-9504-4b7d-b266-0a44700e6a3e
Runtime: Mono 3.2.0 ((no/7c7fcc7)
GTK 2.24.20
GTK# (2.12.0.0)
Package version: 302000000

=== Xamarin.Android ===

Not Installed

=== Apple Developer Tools ===

Xcode 4.6.3 (2068) Build 4H1503

=== Xamarin.Mac ===

Xamarin.Mac: Not Installed

=== Xamarin.iOS ===

Version: 6.4.0.2 (Business Edition)
Hash: c9f7659
Branch:
Build date: 2013-18-07 21:36:03-0400

=== Build Information ===

Release ID: 400100007
Git revision: f324e2154ee86ae1b6b8483392eddbf418e6381b
Build date: 2013-07-20 06:23:58+0000
Xamarin addins: fe4f180e2386eafc00087ef68c3a580cff4a2592

=== Operating System ===

Mac OS X 10.8.3

And here's the info on the one that does:

=== Xamarin Studio ===

Version 4.0.8 (build 2)
Installation UUID: d2988c92-bae0-4459-a945-038924e341f9
Runtime: Mono 2.10.12 (mono-2-10/c9b270d)
GTK 2.24.16
GTK# (2.12.0.0)
Package version: 210120000

=== Xamarin.Android ===

Not Installed

=== Apple Developer Tools ===

Xcode 4.6.2 (2067.2) Build 4H1003

=== Xamarin.Mac ===

Xamarin.Mac: Not Installed

=== Xamarin.iOS ===

Version: 6.2.7.1 (Business Edition)
Hash: 947e664
Branch:
Build date: 2013-30-05 18:02:40-0400

=== Build Information ===

Release ID: 400080002
Git revision: 0a09117dec1aed78c735ac46f7a50ae7d12f7a7a
Build date: 2013-05-16 19:36:29+0000
Xamarin addins: 78d0437c3f92ae13042f81e5fd9487e2c28d5fbc

=== Operating System ===

Mac OS X 10.8.4
Comment 1 Mark Swiatek 2013-08-14 15:06:33 UTC
I upgraded to the latest version (6.4.1). Still broken. Downgraded to 6.2.7 and the code works.
Comment 2 alexey 2013-11-14 10:25:35 UTC
It seems it's still broken. Testing on Alpha channel.

Xamarin.iOS
Version: 7.0.4.209 (Business Edition)

Xamarin Studio
Version 4.1.13 (build 17)
Comment 3 Sebastien Pouliot 2014-02-26 08:36:45 UTC
It's not broken, it's just not built (by default) anymore.

The *managed* X509Chain is not what's being used (and has not been for a while) to trust, or not, a certificate. The decision is delegated to iOS itself (or OSX on Mac).

You can still build it (using the Build method) inside your certificate delegate check. However, be aware that its result might not match the one from Apple (different logic and stores are being used). E.g.

    public bool ValidateSslAsSender(object sender, X509Certificate serverCertificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
    {
        if (sslPolicyErrors == SslPolicyErrors.None)
            return true;

        // Build() needs the leaf certificate; ChainStatus is populated only after this call.
        if (chain.Build (new X509Certificate2 (serverCertificate))) {
            // do your own logic
        }
        return false; // fail closed unless your own logic accepted the certificate
    }
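Following on from comment 3, here is an added example (not code from the bug report and not Xamarin/Mono code) of a validation callback that does not assume the runtime hands it a pre-built managed chain. It rebuilds the chain with X509Chain.Build inside the callback and then bases the decision on a pinned leaf thumbprint, so it behaves the same on the 6.2.x builds that populated ChainStatus and on the later builds that leave it empty. The class name, the Connect helper, the host name and the thumbprint list are assumptions made for illustration.

```csharp
// Added example, not from the bug report or the Xamarin.iOS runtime.
// Names (PinnedSslClient, Connect) and the pinned values are assumptions.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Cryptography.X509Certificates;

public sealed class PinnedSslClient
{
    // Assumed input: SHA-1 thumbprints of the server certificates we accept,
    // normalised to the uppercase, separator-free form X509Certificate2.Thumbprint returns.
    private readonly HashSet<string> _thumbprints;

    public PinnedSslClient(IEnumerable<string> pinnedThumbprints)
    {
        _thumbprints = new HashSet<string>(
            pinnedThumbprints.Select(t => t.Replace(":", "").Replace(" ", "").ToUpperInvariant()),
            StringComparer.OrdinalIgnoreCase);
    }

    public SslStream Connect(string host, int port)
    {
        var tcp = new TcpClient(host, port);
        var ssl = new SslStream(tcp.GetStream(), false, ValidateServerCertificate, null);
        ssl.AuthenticateAsClient(host);
        return ssl;
    }

    // Accepts the connection if the platform already trusts the certificate, or if the
    // presented leaf is pinned and the rebuilt managed chain reports nothing worse than
    // a trust-anchor problem. As comment 3 notes, the managed chain's verdict can differ
    // from the OS verdict; the pin, not the chain, is what carries the trust decision here.
    public bool ValidateServerCertificate(object sender, X509Certificate certificate,
                                          X509Chain chain, SslPolicyErrors errors)
    {
        if (errors == SslPolicyErrors.None)
            return true;

        if (certificate == null)
            return false;

        // A host-name mismatch is never overridden by a pin on the certificate alone.
        if ((errors & SslPolicyErrors.RemoteCertificateNameMismatch) != 0)
            return false;

        var leaf = certificate as X509Certificate2 ?? new X509Certificate2(certificate);

        // Build the chain ourselves: on Xamarin.iOS ChainStatus is not populated unless
        // Build() is called. Revocation is not checked because the pin replaces reliance
        // on the issuing CA; a pinned self-signed certificate has no revocation source.
        var localChain = chain ?? new X509Chain();
        localChain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
        bool chainOk = localChain.Build(leaf);

        // Only "we do not know this root" style problems may be overridden by the pin.
        bool onlyTrustProblems = localChain.ChainStatus.All(s =>
            s.Status == X509ChainStatusFlags.NoError ||
            s.Status == X509ChainStatusFlags.UntrustedRoot ||
            s.Status == X509ChainStatusFlags.PartialChain);

        if (!chainOk && !onlyTrustProblems)
            return false; // e.g. NotTimeValid or NotSignatureValid: refuse even if pinned

        return _thumbprints.Contains(leaf.Thumbprint);
    }
}
```

Usage: `new PinnedSslClient(new[] { "<thumbprint>" }).Connect("xxxx.com", 443)`. Note that even when Build() succeeds, a certificate that the platform rejected is still accepted only if its thumbprint is pinned; when neither the platform nor the pin vouches for it the callback returns false, which is the fail-closed behaviour the reporter's original loop also had once ChainStatus came back empty.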