Bug 592 - [Mono-Security]: Microsoft files' digital certificates can't be traced to a trusted root
Summary: [Mono-Security]: Microsoft files' digital certificates can't be traced to a t...
Status: ASSIGNED
Alias: None
Product: Class Libraries
Classification: Mono
Component: Mono.Security
Version: 2.10.x
Hardware: PC Windows
Importance: --- minor
Target Milestone: Untriaged
Assignee: Sebastien Pouliot
URL:
Depends on:
Blocks:
 
Reported: 2011-09-01 21:31 UTC by jaysonp
Modified: 2015-11-26 20:21 UTC
CC: 3 users

Tags:
Is this bug a regression?: ---
Last known good build:


Description jaysonp 2011-09-01 21:31:59 UTC
As stated in the summary, Microsoft files' (i.e. Winword.exe, Powerpnt.exe, csc.exe) digital certificates can't be traced to a trusted root even if all MS-related certs are already imported/installed in the Mono store (using both mozroots and a PowerShell script to import all certs on a particular machine into the Mono store).
This is validated using chktrust.

This bug is aligned with 2 posts in mono forum, which are:

1. [mozroots]: Microsoft Office files can't be traced to a trusted root
2. [mono][chktrust]: signature can't be traced back to a trusted root!
Comment 1 Sebastien Pouliot 2011-09-02 09:43:48 UTC
This looks more like a setup issue than a bug, even then it would not be a critical bug (downgrading to minor).

Some key points (to clear some confusion from the emails):

1) Mono provides the tools, not the data, when dealing with X.509 certificate-based technologies, like HTTPS and Authenticode(tm).

2) 'mozroots' is a tool to allow users to retrieve data. However you cannot use 'mozroots' to install "all" MS-related certificates because they are simply unrelated. 

Why? Because the goal of 'mozroots' is to migrate the root certificates that *Mozilla* uses for *Firefox* into a user (or machine) trusted certificate store that Mono-based applications can use.

That covers _most_ of the HTTPS cases but it does NOT guarantee compatibility with IE (or Windows, since this is shared) for HTTPS - MS and Mozilla have different processes for accepting CAs. It's even less likely to work for something as totally different as Authenticode - code signing differs a lot more between MS and Mozilla.

3) Using a script to gather/import certificates is a good idea, conceptually similar to what 'mozroots' does. However, it does not mean it provides everything that's required or that it will give you consistent results across several computers (because of the way MS updates its roots). YMMV

I do not have MS Office to test this but I'll check the signature on CSC.exe.
Comment 2 jaysonp 2011-09-02 19:27:06 UTC
Thanks for the comment Sebastian.

Let me take this opportunity to ask questions regarding this issue.
Based on what you said, how will I be able to, or what is the correct way to, install/migrate "all" or "most" of the MS-related certificates into a machine's trusted certificate store that Mono will be able to identify? For the WINWORD, EXCEL and POWERPNT executables, it's really weird for their certificates not to be identified or traced by Mono given that (1) it is installed on the computer and (2) the certificates of both the digital and the counter signatures are present in the trusted store.

Lastly, you mentioned at the start of your reply that this is more of a setup issue. Can you kindly elaborate? I mean, do I have to do some necessary setup?

Again, thank you
Comment 3 Sebastien Pouliot 2011-09-02 20:33:23 UTC
(1) I cannot say if your setup is correct, i.e. if you have everything, data-wise, installed correctly.

Mono does not provide* a [ie|win]roots tool because it would only be limited to Windows, while 'mozroots' works for every platform since we can download them from the web.

   * you are welcome to contribute such a tool :-)

That does mean it's less than ideal for 'chktrust' - but this is only one (of many) tools that Mono provides and one that Mono itself does not use/require (we did not know that at the time the tool was written ;-) and of course MS provides its own 'chktrust' tool in its SDK (that works with its own, CryptoAPI-based, certificate store).


(2) The trusted store is meant for root certificates only. If you add non-root certificates in them then you might introduce problems when building the chain (GIGO). 

A [counter]signature can only be valid if it can be chained back to a trusted root (and that's not the only condition). If the chain is broken (e.g. missing root or intermediate certificate) then it's impossible to assert any trust to a signature.
Comment 4 jaysonp 2011-09-03 07:08:01 UTC
Thanks for the feedback again Sebastian.

"That does mean it's less than ideal for 'chktrust' - but this is only one (of many) tools that Mono provides and one that Mono itself does not use/require (we did not know that at the time the tool was written ;-) and of course MS provides its own 'chktrust' tool in its SDK (that works with its own, CryptoAPI-based, certificate store)."

[Jayson]: having this said, what tools do mono suggest or use to verify trust for MS files?

"(2) The trusted store is meant for root certificates only. If you add non-root certificates in them then you might introduce problems when building the chain (GIGO)."

[Jayson]: can you kindly clarify what do you mean by non-root certificates here?


Again, thank you! :)
Comment 5 Sebastien Pouliot 2011-09-03 09:07:47 UTC
[Jayson]: having this said, what tools do mono suggest or use to verify trust for MS files?

See key point #1 from comment #1.

[Jayson]: can you kindly clarify what do you mean by non-root certificates here?

* http://en.wikipedia.org/wiki/X.509
* http://tools.ietf.org/html/rfc5280
Comment 6 jaysonp 2011-09-07 19:06:15 UTC
Hi Sebastien,

    Will just make a follow-up on this. Have you checked csc.exe already?
    In addition, I asked for the tools and you mentioned to look at your key point #1 in comment #1. Apologies for the confusion, but are you referring to HTTPS and Authenticode as the tools? If yes, do they come with the Mono installation (i.e. are they, like mozroots and chktrust, callable via the command line)? If not, can you kindly tell me specifically which tools included in Mono I can use to verify the trust of MS files?

Lastly, regarding non-root certificates. How will I be able to verify them using mono?

Thank you
Comment 7 jaysonp 2011-09-08 21:52:52 UTC
Any updates on this bug? thank you
Comment 8 jaysonp 2011-09-11 23:53:04 UTC
Hi Sebastien,

    Following up again. Have you verified this already?
    Thank you :)
Comment 9 Sebastien Pouliot 2011-09-12 15:54:01 UTC
No. I'll test this when I have to boot up my Windows virtual machine and have time to install Mono and investigate the issue.
Comment 10 Hin-Tak Leung 2015-11-26 19:01:16 UTC
Having similar issues with tracing digital certificates inside microsoft fonts back to a trusted root. The signerChain doesn't want to lengthen to include the root certificates which I fed it. May or may not be related.
Comment 11 Hin-Tak Leung 2015-11-26 19:19:43 UTC
Argh, it looks like the issue I experienced with tracing certificates backwards through the chain is issue 1 in:
http://lists.ximian.com/pipermail/mono-bugs/2007-April/056578.html
Comment 12 Hin-Tak Leung 2015-11-26 20:21:44 UTC
okay, the thread on
http://lists.ximian.com/pipermail/mono-bugs/2007-April/056578.html
gave me enough to fix my problem - my problem has to do with the treatment of
self-signed certificates. Self-signed certificates are understandably treated as untrusted unless they are marked as being from a certificate root authority (which is what they should be in this context...).
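As an added example (not code from this bug, from Mono.Security or from chktrust), the following Go program uses the standard library's crypto/x509 chain builder to reproduce the situations discussed in comment 3, point (2), and in comment 12: a leaf that chains to a trusted root only when the intermediate is available, an intermediate dropped into the "trusted store" (which silently becomes a trust anchor, the GIGO case), and a self-signed certificate used as an anchor that is not marked cA=TRUE, which RFC 5280 section 4.2.1.9 forbids from verifying other certificates' signatures. The whole hierarchy (names such as "Example Root CA", "Self-Signed Non-CA") is constructed in memory and is made up; no real Microsoft or Mozilla certificate is involved, and Go's chain builder is used only to illustrate the rule, not Mono's own implementation.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// testPKI is a hierarchy constructed in memory for this example; the names
// are made up and none of these are real Microsoft or Mozilla certificates.
type testPKI struct {
	Root     *x509.Certificate // self-signed, cA=TRUE: a proper trust anchor
	Inter    *x509.Certificate // issued by Root, cA=TRUE
	Leaf     *x509.Certificate // code-signing end-entity issued by Inter
	SelfNoCA *x509.Certificate // self-signed but cA=FALSE: not a root authority
	Orphan   *x509.Certificate // end-entity whose issuer is SelfNoCA
}

// tmpl builds a template. isCA sets the basicConstraints cA flag that RFC 5280
// 4.2.1.9 requires before a certificate's key may verify other certificates.
func tmpl(cn string, serial int64, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else {
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}
	}
	return t
}

// issue generates a fresh P-256 key for t and signs t with signer's key.
// With signer == nil the new key signs its own certificate (self-signed).
func issue(t, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if signer == nil {
		signer, parent = key, t
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c, key
}

func buildPKI() *testPKI {
	root, rootKey := issue(tmpl("Example Root CA", 1, true), nil, nil)
	inter, interKey := issue(tmpl("Example Issuing CA", 2, true), root, rootKey)
	leaf, _ := issue(tmpl("Example Publisher", 3, false), inter, interKey)
	selfNoCA, selfKey := issue(tmpl("Self-Signed Non-CA", 4, false), nil, nil)
	orphan, _ := issue(tmpl("Orphan Publisher", 5, false), selfNoCA, selfKey)
	return &testPKI{root, inter, leaf, selfNoCA, orphan}
}

// verifyChain tries to chain leaf back to one of roots (the "trusted store"),
// using inters as the pool of available intermediates. It returns the number
// of certificates in the first accepted chain, or the verification error.
func verifyChain(leaf *x509.Certificate, roots, inters []*x509.Certificate) (int, error) {
	rootPool, interPool := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range roots {
		rootPool.AddCert(c)
	}
	for _, c := range inters {
		interPool.AddCert(c)
	}
	chains, err := leaf.Verify(x509.VerifyOptions{
		Roots:         rootPool,
		Intermediates: interPool,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	})
	if err != nil {
		return 0, err
	}
	return len(chains[0]), nil
}

func main() {
	p := buildPKI()
	certs := func(cs ...*x509.Certificate) []*x509.Certificate { return cs }
	cases := []struct {
		name          string
		leaf          *x509.Certificate
		roots, inters []*x509.Certificate
	}{
		{"root trusted, intermediate supplied", p.Leaf, certs(p.Root), certs(p.Inter)},
		{"root trusted, intermediate missing", p.Leaf, certs(p.Root), nil},
		{"intermediate put in the trusted store", p.Leaf, certs(p.Inter), nil},
		{"self-signed non-CA used as trust anchor", p.Orphan, certs(p.SelfNoCA), nil},
	}
	for _, c := range cases {
		if n, err := verifyChain(c.leaf, c.roots, c.inters); err != nil {
			fmt.Printf("%-42s REJECTED: %v\n", c.name, err)
		} else {
			fmt.Printf("%-42s accepted, chain of %d certificates\n", c.name, n)
		}
	}
}
```

The first case is the only healthy one: three certificates, ending at a self-signed CA that the store deliberately trusts. The second case is the "broken chain" of comment 3: the root is trusted but the intermediate is nowhere to be found, so the builder stops with an unknown-authority error. The third case shows why non-root certificates do not belong in the trusted store: verification succeeds with a two-certificate chain, which means trust is now anchored on a certificate that was never meant to be an anchor, independently of whatever happens to its real root. The last case is the situation from comment 12: the issuer is self-signed and present in the store, but its basicConstraints says cA=FALSE, so the chain builder refuses to use its key to verify the orphan's signature.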