Bug 41648 - RemoteCertificateValidationCallback certificate is X509Certificate in Apple TLS xamarin.ios 9.8
Status: RESOLVED ANSWERED
Alias: None
Product: iOS
Classification: Xamarin
Component: XI runtime ()
Version: unspecified
Hardware: Macintosh Mac OS
: --- normal
Target Milestone: Future Cycle (TBD)
Assignee: Bugzilla
Reported: 2016-06-09 11:35 UTC by Johan
Modified: 2016-06-10 13:35 UTC (History)

Description Johan 2016-06-09 11:35:52 UTC
Bug in Xamarin.IOS SSLStream

Description of Problem:

In the SSLStream constructor one can provide a RemoteCertificateValidationCallback. This callback 
has an X509Certificate as its third parameter. 

Since the introduction of Apple TLS this parameter can no longer be cast to an X509Certificate2. 

This is a big issue since in the validation callback I need to check the thumbprint of the certificate to make sure it is correct. I can no longer do that. 

If in project settings I set the SSL/TLS implementation to Mono (TLS 1.0) then it works again. 

Steps to reproduce the problem:
1. Set SSL/TLS implementation to Apple TLS
2. Create new SSLStream from a tcp-stream. 
3. Provide a RemoteCertificateValidationCallback delegate

Actual Results:

certificate is an X509Certificate certificate in RemoteCertificateValidationCallback

Expected Results:

certificate is an X509Certificate2 certificate in RemoteCertificateValidationCallback

How often does this happen? 

Every time
Comment 1 Alex Soto [MSFT] 2016-06-09 16:49:02 UTC
Hello 

Please include all version information and a test case if possible that demonstrates your issue.

The easiest way to get exact version information is to use the 
"Xamarin Studio" menu, "About Xamarin Studio" item, "Show Details" 
button and copy/paste the version information (you can use the 
"Copy Information" button).
Comment 2 Johan 2016-06-10 06:28:15 UTC
Xamarin Studio Community
Version 6.0 (build 5174)
Installation UUID: 6ad335c5-270d-4a92-9e12-015e92f249de
Runtime:
	Mono 4.4.0 (mono-4.4.0-branch-c7-baseline/5995f74) (64-bit)
	GTK+ 2.24.23 (Raleigh theme)

	Package version: 404000182

Xamarin.Profiler
Version: 0.31.0
Location: /Applications/Xamarin Profiler.app/Contents/MacOS/Xamarin Profiler

Xamarin.Android
Version: 6.1.0.71 (Xamarin Studio Community)
Android SDK: /Users/johannorberg/Library/Developer/Xamarin/android-sdk-macosx
	Supported Android versions:
		2.3   (API level 10)
		4.0.3 (API level 15)
		4.1   (API level 16)
		4.4   (API level 19)
		5.1   (API level 22)
		6.0   (API level 23)

SDK Tools Version: 24.4.1
SDK Platform Tools Version: 23.1
SDK Build Tools Version: 23.0.2

Java SDK: /usr
java version "1.8.0_31"
Java(TM) SE Runtime Environment (build 1.8.0_31-b13)
Java HotSpot(TM) 64-Bit Server VM (build 25.31-b07, mixed mode)

Android Designer EPL code available here:
https://github.com/xamarin/AndroidDesigner.EPL

Xamarin Android Player
Not Installed

Apple Developer Tools
Xcode 7.3.1 (10188.1)
Build 7D1014

Xamarin.iOS
Version: 9.8.0.323 (Xamarin Studio Community)
Hash: 39ebb77
Branch: cycle7
Build date: 2016-06-01 21:23:15-0400

Xamarin.Mac
Not Installed

Build Information
Release ID: 600005174
Git revision: 694a75f040b7f2309bc43d4f78a3a6572ca898bf
Build date: 2016-06-01 17:28:08-04
Xamarin addins: 33f406fa2dcf214012c78cb846585f062b2e1d24
Build lane: monodevelop-lion-cycle7-baseline

Operating System
Mac OS X 10.11.4
Darwin Johans-MBP-2.mydomain.example 15.4.0 Darwin Kernel Version 15.4.0
    Fri Feb 26 22:08:05 PST 2016
    root:xnu-3248.40.184~3/RELEASE_X86_64 x86_64

-------------------
Comment 3 Sebastien Pouliot 2016-06-10 13:33:12 UTC
@Johan you cannot assume a specific subclass will be provided by the delegate callback when it's called.

The .NET API [1] contract only guarantees an `X509Certificate`. The exact type is an implementation detail and can change over time as we modify our implementation(s), like it just happened for AppleTLS support.

If you need an `X509Certificate2` instance then you must do the work yourself, e.g.

    // The following method is invoked by the RemoteCertificateValidationDelegate.
    public static bool ValidateServerCertificate(
      object sender,
      X509Certificate certificate,
      X509Chain chain,
      SslPolicyErrors sslPolicyErrors)
    {
        // quick check to see if we're provided with what we need
        X509Certificate2 x2 = (certificate as X509Certificate2);
        // if we're not then we must create the instance of the type we need
        if (x2 == null)
           x2 = new X509Certificate2 (certificate.GetRawCertData ());
        ...
    }

[1] https://msdn.microsoft.com/en-us/library/system.net.security.remotecertificatevalidationcallback(v=vs.110).aspx
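
The thumbprint check the reporter describes, written so that it does not depend on which certificate type the TLS backend passes in. This is an added example, not code from the thread or from Xamarin; the class name `PinnedValidation`, the helper `ForThumbprint`, the policy of rejecting any `SslPolicyErrors`, and the self-signed sample certificates (built with `CertificateRequest`, which needs a current .NET runtime) are assumptions.

```csharp
using System;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class PinnedValidation
{
    // Returns a callback that accepts only the certificate whose thumbprint
    // (as reported by X509Certificate2.Thumbprint) equals pinnedThumbprint.
    public static RemoteCertificateValidationCallback ForThumbprint(string pinnedThumbprint)
    {
        return (sender, certificate, chain, errors) =>
        {
            // Assumption: the pin is an extra check on top of platform validation.
            if (certificate == null || errors != SslPolicyErrors.None)
                return false;
            // Only X509Certificate is guaranteed, so rebuild the subclass when needed.
            var x2 = certificate as X509Certificate2
                     ?? new X509Certificate2(certificate.GetRawCertData());
            return string.Equals(x2.Thumbprint, pinnedThumbprint,
                                 StringComparison.OrdinalIgnoreCase);
        };
    }

    static void Main()
    {
        // Constructed sample input: two throwaway self-signed certificates.
        using (var key = RSA.Create(2048))
        {
            var request = new CertificateRequest("CN=pin-demo.example", key,
                HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            var now = DateTimeOffset.UtcNow;
            X509Certificate2 pinned = request.CreateSelfSigned(now.AddDays(-1), now.AddDays(1));
            X509Certificate2 other = request.CreateSelfSigned(now.AddDays(-1), now.AddDays(1));
            // Simulate a TLS backend that hands the callback the base type only.
            X509Certificate baseOnly = new X509Certificate(pinned.RawData);
            var callback = ForThumbprint(pinned.Thumbprint);
            var sender = new object();
            // Pinned certificate delivered as plain X509Certificate.
            Console.WriteLine(callback(sender, baseOnly, null, SslPolicyErrors.None));
            // A different certificate.
            Console.WriteLine(callback(sender, other, null, SslPolicyErrors.None));
            // Pinned certificate, but the platform reported a name mismatch.
            Console.WriteLine(callback(sender, baseOnly, null,
                SslPolicyErrors.RemoteCertificateNameMismatch));
        }
    }
}
```

`X509Certificate2.Thumbprint` is the SHA-1 hash of the DER-encoded certificate, so the pinned value must be produced the same way.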
Comment 4 Johan 2016-06-10 13:35:32 UTC
Ok great, not a bug then, just a difference in the implementation. Thank you.