Bug 19 - SSL certificate parsing fails when accessing Google servers
Status: RESOLVED FIXED
Alias: None
Product: iOS
Classification: Xamarin
Component: Xamarin.iOS.dll
Version: 1.0
Hardware: Macintosh Mac OS
: --- normal
Target Milestone: Untriaged
Assignee: Sebastien Pouliot
Reported: 2011-07-18 23:10 UTC by Frank Krueger
Modified: 2011-07-29 17:44 UTC

Description Frank Krueger 2011-07-18 23:10:56 UTC
When executing this code: https://github.com/praeclarum/GooglePlus

Hit "Account", then enter your Google+ credentials then hit "Sign in".

It does 2 gets:

GET http://plus.google.com

GET https://www.google.com/accounts/ServiceLogin?service=oz&continue=https://plus.google.com/?gpcaz%3DXXXXXXXX&ltmpl=es2st&hideNewAccountLink=1&hl=en-US

The second get results in a certificate error:

Logging in as frank.alva.krueger@gmail.com...
ERROR building certificate chain: System.NullReferenceException: Object reference not set to an instance of an object
  at Mono.Security.Cryptography.PKCS1.Encode_v15 (System.Security.Cryptography.HashAlgorithm hash, System.Byte[] hashValue, Int32 emLength) [0x00000] in /Developer/MonoTouch/Source/mono/mcs/class/corlib/Mono.Security.Cryptography/PKCS1.cs:336 
  at Mono.Security.Cryptography.PKCS1.Verify_v15 (System.Security.Cryptography.RSA rsa, System.Security.Cryptography.HashAlgorithm hash, System.Byte[] hashValue, System.Byte[] signature, Boolean tryNonStandardEncoding) [0x00020] in /Developer/MonoTouch/Source/mono/mcs/class/corlib/Mono.Security.Cryptography/PKCS1.cs:308 
  at Mono.Security.Cryptography.PKCS1.Verify_v15 (System.Security.Cryptography.RSA rsa, System.Security.Cryptography.HashAlgorithm hash, System.Byte[] hashValue, System.Byte[] signature) [0x00000] in /Developer/MonoTouch/Source/mono/mcs/class/corlib/Mono.Security.Cryptography/PKCS1.cs:298 
  at System.Security.Cryptography.RSAPKCS1Signat:-( GoogleAccountsLocale_session
:-( GAPS
ureDeformatter.VerifySignature (System.Byte[] rgbHash, System.Byte[] rgbSignature) [0x00058] in /Developer/MonoTouch/Source/mono/mcs/class/corlib/System.Security.Cryptography/RSAPKCS1SignatureDeformatter.cs:80 
  at Mono.Security.X509.X509Certificate.VerifySignature (System.Security.Cryptography.RSA rsa) [0x000ca] in /Developer/MonoTouch/Source/mono/mcs/class/Mono.Security/Mono.Security.X509/X509Certificate.cs:513 
  at Mono.Security.X509.X509Certificate.VerifySignature (System.Security.Cryptography.AsymmetricAlgorithm aa) [0x0001c] in /Developer/MonoTouch/Source/mono/mcs/class/Mono.Security/Mono.Security.X509/X509Certificate.cs:522 
  at System.Security.Cryptography.X509Certificates.X509Chain.IsSignedWith (System.Security.Cryptography.X509Certificates.X509Certificate2 signed, System.Security.Cryptography.AsymmetricAlgorithm pubkey) [0x0000f] in /Developer/MonoTouch/Source/mono/mcs/class/System/System.Security.Cryptography.X509Certificates/X509Chain.cs:701 
  at System.Security.Cryptography.X509Certificates.X509Chain.Process (Int32 n) [0x00085] in /Developer/MonoTouch/Source/mono/mcs/class/System/System.Security.Cryptography.X509Certificates/X509Chain.cs:529 
  at System.Security.Cryptography.X509Certificates.X509Chain.ValidateChain (X509ChainStatusFlags flag) [0x0002c] in /Developer/MonoTouch/Source/mono/mcs/class/System/System.Security.Cryptography.X509Certificates/X509Chain.cs:465 
  at System.Security.Cryptography.X509Certificates.X509Chain.Build (System.Security.Cryptography.X509Certificates.X509Certificate2 certificate) [0x0001f] in /Developer/MonoTouch/Source/mono/mcs/class/System/System.Security.Cryptography.X509Certificates/X509Chain.cs:114 
  at System.Net.ServicePointManager+ChainValidationHelper.ValidateChain (Mono.Security.X509.X509CertificateCollection certs) [0x0009d] in /Developer/MonoTouch/Source/mono/mcs/class/System/System.Net/ServicePointManager.cs:467 
Please, report this problem to the Mono team


There's a chance this was fixed in Mono 2.10?
Comment 1 Sebastien Pouliot 2011-07-19 07:54:17 UTC
I have seen similar cases in the past: a new hash algorithm being used to create certificates where no OID mapping was available in Mono. Several cases were fixed recently (someone used mono to run a web spider on the net and reported every failure). I'll check this specific case (and backport if required).
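
Added example (not part of the thread and not Mono's code): the failure class comment 1 describes, sketched as a stand-alone EMSA-PKCS1-v1_5 encoder in which a hash name with no known algorithm identifier is rejected with an explicit error that the caller treats as a failed verification, instead of surfacing as a NullReferenceException. The class and method names and the two-entry table are assumptions chosen for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

static class Pkcs1V15Example  // hypothetical name, not a Mono class
{
    // DER DigestInfo prefixes (AlgorithmIdentifier with the hash OID) from RFC 8017, section 9.2.
    static readonly Dictionary<string, byte[]> DigestInfoPrefix = new Dictionary<string, byte[]> {
        { "SHA1",   new byte[] { 0x30,0x21,0x30,0x09,0x06,0x05,0x2b,0x0e,0x03,0x02,0x1a,0x05,0x00,0x04,0x14 } },
        { "SHA256", new byte[] { 0x30,0x31,0x30,0x0d,0x06,0x09,0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x01,0x05,0x00,0x04,0x20 } },
    };

    // Builds EM = 0x00 || 0x01 || PS (0xFF bytes) || 0x00 || DigestInfo.
    public static byte[] Encode(string hashName, byte[] hashValue, int emLength)
    {
        byte[] prefix;
        if (hashName == null || !DigestInfoPrefix.TryGetValue(hashName, out prefix))
            throw new CryptographicException("Unsupported hash algorithm: " + hashName);
        // The last prefix byte is the OCTET STRING length, i.e. the digest size.
        if (hashValue == null || hashValue.Length != prefix[prefix.Length - 1])
            throw new CryptographicException("Digest length does not match " + hashName);
        int tLen = prefix.Length + hashValue.Length;
        if (emLength < tLen + 11)  // leaves room for at least 8 bytes of padding
            throw new CryptographicException("Encoded message length too short");

        byte[] em = new byte[emLength];
        em[1] = 0x01;
        int separator = emLength - tLen - 1;          // index of the 0x00 after PS
        for (int i = 2; i < separator; i++) em[i] = 0xFF;
        Buffer.BlockCopy(prefix, 0, em, separator + 1, prefix.Length);
        Buffer.BlockCopy(hashValue, 0, em, separator + 1 + prefix.Length, hashValue.Length);
        return em;
    }

    static void Main()
    {
        byte[] data = Encoding.ASCII.GetBytes("constructed sample data");
        byte[] digest;
        using (SHA256 sha = SHA256.Create()) digest = sha.ComputeHash(data);
        byte[] em = Encode("SHA256", digest, 256);    // 256 bytes = 2048-bit modulus
        Console.WriteLine(BitConverter.ToString(em, 0, 4) + " ... (" + em.Length + " bytes)");

        // A hash the table does not know: reject the signature, do not crash.
        try { Encode("SHA224", new byte[28], 256); }
        catch (CryptographicException e) { Console.WriteLine("verification failed: " + e.Message); }
    }
}
```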
Comment 2 Sebastien Pouliot 2011-07-19 09:59:25 UTC
This is what I get using MT 4.0.x (which version are you using?)

:-( ULS
Logging in as sebastien.pouliot@gmail.com...
:-( GoogleAccountsLocale_session
:-( GAPS
System.Exception: Login service did not respond with the needed GALX value.
  at GooglePlus.Api.SignIn (System.String email, System.String password) [0x00067] in /Users/sebastienpouliot/git/GooglePlus/GooglePlus/GooglePlus.cs:86 
  at GooglePlus.Touch.AccountController+<TrySignin>c__AnonStorey1.<>m__14 (System.Object ) [0x00000] in /Users/sebastienpouliot/git/GooglePlus/GooglePlus.Touch/AccountController.cs:94 

I'll track down the latest fixes wrt https://bugzilla.novell.com/show_bug.cgi?id=682619 and see what was backported (or not).
Comment 3 Frank Krueger 2011-07-19 11:44:39 UTC
/Developer/MonoTouch/usr/bin/mtouch --version
mtouch 4.0.2.10327

You didn't get the cert parsing error?

When all is right, then that GALX value comes through (no exception). You can see this if you run the CLI version of the app. You need to roll back, then run the GooglePlus.Cli app:

git checkout cee5706fa40f3294bbdbc323ee74f1f6ebeabe9c

(fix the call to new Api() in main to not take an arg. Sorry for the bad checkin.)

This is on my Mono 2.10:

/Library/Frameworks/Mono.framework/Versions/Current/bin/mono --version
Mono JIT compiler version 2.10.2 (tarball Mon Apr 18 09:14:01 MDT 2011)
Copyright (C) 2002-2011 Novell, Inc and Contributors. www.mono-project.com
	TLS:           normal
Comment 4 Sebastien Pouliot 2011-07-19 14:33:11 UTC
This is how things fail on my mac (both master and mono-2-10)

imac:GooglePlus sebastienpouliot$ /usr/bin/mono --debug GooglePlus.Cli/bin/Debug/GooglePlus.Cli.exe
Google+ command line interface by Frank Krueger (@praeclarum on Twitter)
Commands: 
  help
  stream
email: sebastien.pouliot@gmail.com
password: 
Logging in as sebastien.pouliot@gmail.com...

Unhandled Exception: System.NullReferenceException: Object reference not set to an instance of an object
  at GooglePlus.Cli.App.StreamCommand () [0x00000] in /Users/sebastienpouliot/git/GooglePlus/GooglePlus.Cli/Main.cs:60 
  at GooglePlus.Cli.App.SignIn () [0x00043] in /Users/sebastienpouliot/git/GooglePlus/GooglePlus.Cli/Main.cs:46 
  at GooglePlus.Cli.App.Main (System.String[] args) [0x0000c] in /Users/sebastienpouliot/git/GooglePlus/GooglePlus.Cli/Main.cs:108 


In both cases the GALX cookie was present. I'll look at the diffs between MT and 2-10.
Comment 5 Sebastien Pouliot 2011-07-19 15:03:47 UTC
There could be other (mono/mt) changes that affect your code. E.g. you're looking for 'gpcaz' like this:

var i = q.IndexOf ("gpcaz=");

where 'q' is:

?service=oz&continue=https://plus.google.com/?gpcaz%3D&ltmpl=es2st&hideNewAccountLink=1&hl=en-US

That is a miss because the '=' is encoded (on the simulator) so that check fails (it's not clear the empty value would help). For reference on my mac the variable 'q' looks like:

?continue=https://plus.google.com/&type=st&gpcaz=8f0f6dac
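
Added example (not part of the thread or of the GooglePlus project): a lookup that finds gpcaz in both forms of 'q' quoted in comment 5, by parsing the query string and percent-decoding each level rather than searching the raw text for "gpcaz=". QueryParamExample, ParseQuery and FindGpcaz are hypothetical names.

```csharp
using System;
using System.Collections.Generic;

static class QueryParamExample
{
    // Splits a query string into name/value pairs, percent-decoding each side once.
    static Dictionary<string, string> ParseQuery(string query)
    {
        var result = new Dictionary<string, string>();
        foreach (string pair in query.TrimStart('?').Split('&'))
        {
            if (pair.Length == 0) continue;
            int eq = pair.IndexOf('=');
            string name = eq < 0 ? pair : pair.Substring(0, eq);
            string value = eq < 0 ? "" : pair.Substring(eq + 1);
            result[Uri.UnescapeDataString(name)] = Uri.UnescapeDataString(value);
        }
        return result;
    }

    // Returns the gpcaz value, "" if it is present but empty, or null if absent.
    public static string FindGpcaz(string q)
    {
        Dictionary<string, string> top = ParseQuery(q);
        string value;
        if (top.TryGetValue("gpcaz", out value)) return value;

        // Otherwise look inside the URL carried by 'continue', which has
        // already been decoded one level by ParseQuery.
        string cont;
        if (top.TryGetValue("continue", out cont))
        {
            int qi = cont.IndexOf('?');
            if (qi >= 0 && ParseQuery(cont.Substring(qi)).TryGetValue("gpcaz", out value))
                return value;
        }
        return null;
    }

    static void Main()
    {
        // The two values of 'q' quoted in comment 5.
        string simulator = "?service=oz&continue=https://plus.google.com/?gpcaz%3D&ltmpl=es2st&hideNewAccountLink=1&hl=en-US";
        string mac = "?continue=https://plus.google.com/&type=st&gpcaz=8f0f6dac";
        Console.WriteLine("simulator: [" + FindGpcaz(simulator) + "]");
        Console.WriteLine("mac:       [" + FindGpcaz(mac) + "]");
    }
}
```

The simulator form yields an empty string rather than null, so the caller can tell "present but empty" apart from "absent".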
Comment 6 Sebastien Pouliot 2011-07-19 17:50:01 UTC
So besides my previous comment I should have been able to get the same error by connecting (differently) to Google servers. We could be reaching a different server (but I doubt that since Google shares its certificate across several domains). Otherwise I suspect a 4.0.3 patch could be doing a bit more than its comment says (i.e. also fixing the issue you're seeing).

Do you have the -source package installed? If so can you put a breakpoint on
/Developer/MonoTouch/Source/mono/mcs/class/corlib/System.Security.Cryptography/RSAPKCS1SignatureDeformatter.cs 
on the method VerifySignature and tell me the value(s) of 'hashName'? (line 80)

Thanks
Comment 7 Sebastien Pouliot 2011-07-25 19:02:15 UTC
Hey Frank! Please let me know once you've updated to a newer MonoTouch (or if you can get the above information).
Comment 8 Frank Krueger 2011-07-29 17:44:29 UTC
Yes, this issue seems to be resolved in mtouch 4.0.4.1.0

Thank you for your patience while I got it installed and tested.