Bug 7245 - ServicepointManager.ServerCertificateValidationCallback X509Chain is null
Summary: ServicepointManager.ServerCertificateValidationCallback X509Chain is null
Status: RESOLVED FIXED
Alias: None
Product: iOS
Classification: Xamarin
Component: Xamarin.iOS.dll ()
Version: 5.4.x
Hardware: Macintosh Mac OS
Importance: --- normal
Target Milestone: Untriaged
Assignee: Sebastien Pouliot
URL:
Depends on:
Blocks:
 
Reported: 2012-09-18 05:21 UTC by David
Modified: 2012-10-09 19:52 UTC (History)
CC: 2 users

Tags:
Is this bug a regression?: ---
Last known good build:


Attachments
assembly with partial X509Chain enabled (1.07 MB, application/octet-stream)
2012-09-27 10:29 UTC, Sebastien Pouliot


Notice (2018-05-24): bugzilla.xamarin.com is now in read-only mode.



Description David 2012-09-18 05:21:53 UTC
MonoTouch v5.4.0 keeps returning the X509Chain as null in the
ServicepointManager.ServerCertificateValidationCallback.

Bug 5546 already addresses this behaviour and provided a System.dll library to be used, but is it safe to use that library with the MonoTouch release 5.4.0?

Do you plan to include the solution provided in the library in the stable release of MonoTouch?
Comment 1 Sebastien Pouliot 2012-09-18 08:45:42 UTC
I answered on 5546 before seeing this new bug. Copy/pasting for history....

There's a few reasons why the X509Chain is not created anymore:

* the Mono certificate stores do not exist (on MonoTouch) so it cannot be used
to "influence" the building of the chain (not that iOS would take it into
account for MonoTouch);

* there's no guarantee that the X509Chain content would match the one built
internally by the operating system (i.e. the one we act from). This means you
would override the OS decision based on different input data;

* they were never complete chains (since servers don't send the roots
certificates), i.e. it always returned (at least) one error;

* the chains are CPU/memory intensive to process - even more considering it's
not something that we can use / act on.

> but it is safe to use that library with the Monotouch release
> 5.4.0? 

No, the System.dll attached to #5546 is much too old to be safely used with 5.4.

> Do you plan to include the solution provided in the library to the stable
> release of Monotouch?

#5546 is fixed in 5.4.x (stable). What you're looking for is different.

If you have a specific scenario in mind please describe what/how you're doing your validation. We will look to see if there are ways this could be better handled (without introducing a penalty for every other usage).
Comment 2 David 2012-09-18 09:03:31 UTC
Basically the main approach is to override the specified functionality and validate the certificate along the certificate path (intermediate/s and root) using the BouncyCastle library.

I know that the system already performs that functionality but the use of BouncyCastle library is a requirement. 

The missing functionality is to be able to get the certificate chain or be able to build the certificate chain from the consumed (entity) certificate.
Comment 3 Sebastien Pouliot 2012-09-25 18:00:42 UTC
I think we can create the X509Chain instance, with all the certificates (from the server), if the callback is assigned. However it won't be built (to save time/memory) but you can build it in the callback (if you even need this, since it won't add new certificates to lists and you can't trust most of the results).

If you think it's workable I'll try this, locally first, then attach an updated System.dll to the bug report so you can test it. If all goes well I'll commit this into the product itself.
Comment 4 David 2012-09-26 07:00:59 UTC
Hello Sebastien,
your suggestion makes sense and looks good in my opinion. I hope your testing is going well so I can test the dll and give you feedback.

Thanks a lot for your help on the matter.
Comment 5 Sebastien Pouliot 2012-09-27 10:29:57 UTC
Created attachment 2638 [details]
assembly with partial X509Chain enabled

To use the attached assembly (on top of MonoTouch 5.4.x) do:

1) backup your /Developer/MonoTouch/usr/lib/mono/2.1/System.dll and /Developer/MonoTouch/usr/lib/mono/2.1/System.dll.mdb files

2) copy the attached file to /Developer/MonoTouch/usr/lib/mono/2.1/System.dll

3) remove the /Developer/MonoTouch/usr/lib/mono/2.1/System.dll.mdb symbols (they won't match anymore)

4) clean, rebuild and test your application
Comment 6 Sebastien Pouliot 2012-09-27 10:32:57 UTC
As discussed you'll need to Build the chain yourself, otherwise the ChainElements collection will be empty. Let me know how it works (and I'll update future MonoTouch release to include this).

using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using NUnit.Framework;

ServicePointManager.ServerCertificateValidationCallback = delegate (object sender, X509Certificate cert, X509Chain chain, SslPolicyErrors errors) {
	// the server does not send the root, so the OS reports chain errors
	Assert.That (errors, Is.EqualTo (SslPolicyErrors.RemoteCertificateChainErrors), "certificateProblem");
	X509Certificate2 c2 = new X509Certificate2 (cert.GetRawCertData ());
	// Build returns false (incomplete chain) but fills ChainElements from the server certificates
	Assert.False (chain.Build (c2), "Build");
	Assert.AreSame (c2, chain.ChainElements [0].Certificate, "ChainElements");
	return true;
};
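As an added example (not code from the bug, the attached System.dll, or its test suite), here is a validation callback that builds the chain exactly as Comment 6 describes and then uses its contents to decide, instead of returning true unconditionally. It keeps the OS verdict authoritative (it never accepts a certificate that iOS rejected, which is the concern raised in Comment 1) and additionally requires that an expected intermediate CA appears among the certificates the server sent. The class name ChainValidation, the ExpectedCaThumbprint placeholder and the DescribeChain helper are assumptions for illustration; the X509Chain/X509Certificate2 calls are the ones the thread itself uses.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using System.Text;

// Added example (not the bug's or the attached assembly's code): build the chain that the
// patched runtime hands to the callback, log it, and pin an expected intermediate CA.
static class ChainValidation
{
    // Placeholder (hypothetical value): SHA-1 thumbprint of the intermediate CA the server is
    // expected to send. The root is never in ChainElements (servers don't send it), so pin an
    // intermediate, not a root.
    const string ExpectedCaThumbprint = "PLACEHOLDER-EXPECTED-INTERMEDIATE-CA-THUMBPRINT";

    public static void Install()
    {
        ServicePointManager.ServerCertificateValidationCallback = ValidateServerCertificate;
    }

    public static bool ValidateServerCertificate(object sender, X509Certificate cert,
                                                 X509Chain chain, SslPolicyErrors errors)
    {
        // iOS already validated the certificate against its own trust store. Never override
        // that verdict: a name mismatch, a missing certificate or chain errors all reject.
        if (errors != SslPolicyErrors.None || cert == null || chain == null)
            return false;

        X509Certificate2 leaf = new X509Certificate2(cert.GetRawCertData());

        // The chain arrives unbuilt. Build() returns false here because the root is absent
        // (see Comment 6), but it populates ChainElements with the server-supplied certificates.
        chain.Build(leaf);

        // Diagnostics only: the status flags are not trusted for the decision (Comment 3).
        Console.WriteLine(DescribeChain(chain));

        return ContainsExpectedCa(chain, ExpectedCaThumbprint);
    }

    // True when a certificate with the given thumbprint is present in the built elements.
    public static bool ContainsExpectedCa(X509Chain chain, string thumbprint)
    {
        foreach (X509ChainElement element in chain.ChainElements)
        {
            if (string.Equals(element.Certificate.Thumbprint, thumbprint,
                              StringComparison.OrdinalIgnoreCase))
                return true;
        }
        return false;
    }

    // One line per element: subject, thumbprint and the per-element status flags.
    public static string DescribeChain(X509Chain chain)
    {
        StringBuilder sb = new StringBuilder();
        foreach (X509ChainElement element in chain.ChainElements)
        {
            sb.AppendFormat("{0} [{1}]", element.Certificate.Subject, element.Certificate.Thumbprint);
            foreach (X509ChainStatus status in element.ChainElementStatus)
                sb.AppendFormat(" {0}", status.Status);
            sb.AppendLine();
        }
        return sb.ToString();
    }
}
```

Call ChainValidation.Install() once at startup, before the first HTTPS request. Because the callback rejects any server whose path does not include the pinned intermediate, ExpectedCaThumbprint must be kept in step with the CA actually issuing your server certificates, or connections will fail after a certificate rotation.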
Comment 7 David 2012-09-27 11:14:07 UTC
Thanks for the attachment Sebastien. I will try the solution and let you know,
I won't be able to answer you until Monday tho.
Comment 8 Sebastien Pouliot 2012-09-27 11:15:39 UTC
No rush :-) AFAIK you're the only one requiring this (at this time).
Comment 9 David 2012-10-08 04:01:26 UTC
Hello Sebastien,
sorry for the delay in the answer, I have been ill during the past week and could not test anything.

I have successfully built the certificate chain with your System.dll following your instructions.
I have one question tho. As you said the root certificate is not passed in the chain. The question is if the root certificate could be retrieved from the local Keystore.

I have been using SecRecord and SecKeyChain and I can retrieve passwords but not certificates. I saw a post on StackOverflow from Miguel de Icaza saying that the System Certificates cannot be accessed by the API but the root certificates are not in the System section of the Keystore. Do you have any suggestion how to retrieve one of the root certificates?

BTW Amazing job with the System.dll man, KUDOS
Comment 10 David 2012-10-09 09:45:41 UTC
Additional doubts and comments were cleared by email.

The incident can be closed from my side, I am marking the incident as Resolved-Fixed.

Thanks for all and hope the provided System.dll makes it into release with the next MonoTouch version.
Comment 11 Sebastien Pouliot 2012-10-09 19:52:17 UTC
Fix applied to:
mono/master: 0c644b5fcc0de88415f201db4d5b4ea9c2987efc
mono-2-10: 23692ff63d5bd890429844a54a07cf4988a6ca0b
mobile-master: b138dcebf18bd53d9031b1f1a86f02122ae99134
monotouch-6.0-series: e3c1af77bc1a19074e813add9812ed910a93ed3a