Bug 7771 - ERROR building certificate chain: System.NullReferenceException: Object reference not set to an instance of an object
Status: RESOLVED NOT_REPRODUCIBLE
Alias: None
Product: Android
Classification: Xamarin
Component: Mono runtime / AOT Compiler
Version: 4.2.x
Hardware: Macintosh Mac OS
Importance: High normal
Target Milestone: ---
Assignee: Marek Habersack
URL:
Duplicates: 11043
Depends on:
Blocks:
 
Reported: 2012-10-10 07:48 UTC by Chris Hardy [MSFT]
Modified: 2017-06-27 02:18 UTC

Tags: bb
Is this bug a regression?: ---
Last known good build:


Description Chris Hardy [MSFT] 2012-10-10 07:48:06 UTC
Attached MonoTouch/Mono for Android repro: Issue only shows up on the Android version.

We've been building an iOS app with MonoTouch and are now evaluating adding an Android version using Mono for Android.

I read the docs on code sharing, and since it is not desirable to add files to two solutions I tried the PCL method.

Converting my MonoTouch library to a PCL went somewhat fine, after I applied this trick:
http://stackoverflow.com/a/12062589/856403

These references to System.XXX are still marked with warnings, but it works fine on iOS (simulator tested only).

Adding the project and reference to my Mono for Android solution worked equally well, but building the solution I get a warning that the PCL project has been built against the MonoTouch framework (probably due to the changes made from the SO post?).

Still, it will build the Android app fine and run it on the device; the first problem occurs when I try to communicate with an HTTPS-REST-API.

Error is here: https://gist.github.com/8bbbd40bbd872bf3b24a
and below

ERROR building certificate chain: System.NullReferenceException: Object reference not set to an instance of an objectERROR building certificate chain: System.NullReferenceException: Object reference not set to an instance of an object
at Mono.Security.Cryptography.PKCS1.Encode_v15 (System.Security.Cryptography.HashAlgorithm hash, System.Byte[] hashValue, Int32 emLength) [0x00000] in <filename unknown>:0
at Mono.Security.Cryptography.PKCS1.Verify_v15 (System.Security.Cryptography.RSA rsa, System.Security.Cryptography.HashAlgorithm hash, System.Byte[] hashValue, System.Byte[] signature, Boolean tryNonStandardEncoding) [0x00000] in <filename unknown>:0
at Mono.Security.Cryptography.PKCS1.Verify_v15 (System.Security.Cryptography.RSA rsa, System.Security.Cryptography.HashAlgorithm hash, System.Byte[] hashValue, System.Byte[] signature) [0x00000] in <filename unknown>:0
at System.Security.Cryptography.RSAPKCS1SignatureDeformatter.VerifySignature (System.Byte[] rgbHash, System.Byte[] rgbSignature) [0x00000] in <filename unknown>:0

at Mono.Security.Cryptography.PKCS1.Encode_v15 (System.Security.Cryptography.HashAlgorithm hash, System.Byte[] hashValue, Int32 emLength) [0x00000] in <filename unknown>:0
at Mono.Security.Cryptography.PKCS1.Verify_v15 (System.Security.Cryptography.RSA rsa, System.Security.Cryptography.HashAlgorithm hash, System.Byte[] hashValue, System.Byte[] signature, Boolean tryNonStandardEncoding) [0x00000] in <filename unknown>:0
at Mono.Security.Cryptography.PKCS1.Verify_v15 (System.Security.Cryptography.RSA rsa, System.Security.Cryptography.HashAlgorithm hash, System.Byte[] hashValue, System.Byte[] signature) [0x00000] in <filename unknown>:0
at System.Security.Cryptography.RSAPKCS1SignatureDeformatter.VerifySignature (System.Byte[] rgbHash, System.Byte[] rgbSignature) [0x00000] in <filename unknown>:0 at Mono.Security.X509.X509Certificate.VerifySignature (System.Security.Cryptography.RSA rsa) [0x00000] in <filename unknown>:0
at Mono.Security.X509.X509Certificate.VerifySignature (System.Security.Cryptography.AsymmetricAlgorithm aa) [0x00000] in <filename unknown>:0

at Mono.Security.X509.X509Certificate.VerifySignature (System.Security.Cryptography.RSA rsa) [0x00000] in <filename unknown>:0
at Mono.Security.X509.X509Certificate.VerifySignature (System.Security.Cryptography.AsymmetricAlgorithm aa) [0x00000] in <filename unknown>:0 at System.Security.Cryptography.X509Certificates.X509Chain.IsSignedWith (System.Security.Cryptography.X509Certificates.X509Certificate2 signed, System.Security.Cryptography.AsymmetricAlgorithm pubkey) [0x00000] in <filename unknown>:0
at System.Security.Cryptography.X509Certificates.X509Chain.IsSignedWith (System.Security.Cryptography.X509Certificates.X509Certificate2 signed, System.Security.Cryptography.AsymmetricAlgorithm pubkey) [0x00000] in <filename unknown>:0
at System.Security.Cryptography.X509Certificates.X509Chain.Process (Int32 n) [0x00000] in <filename unknown>:0
at System.Security.Cryptography.X509Certificates.X509Chain.ValidateChain (X509ChainStatusFlags flag) [0x00000] in <filename unknown>:0
at System.Security.Cryptography.X509Certificates.X509Chain.Build (System.Security.Cryptography.X509Certificates.X509Certificate2 certificate) [0x00000] in <filename unknown>:0
at System.Net.ServicePointManager+ChainValidationHelper.ValidateChain (Mono.Security.X509.X509CertificateCollection certs) [0x00000] in <filename unknown>:0
at System.Security.Cryptography.X509Certificates.X509Chain.Process (Int32 n) [0x00000] in <filename unknown>:0
at System.Security.Cryptography.X509Certificates.X509Chain.ValidateChain (X509ChainStatusFlags flag) [0x00000] in <filename unknown>:0
at System.Security.Cryptography.X509Certificates.X509Chain.Build (System.Security.Cryptography.X509Certificates.X509Certificate2 certificate) [0x00000] in <filename unknown>:0
at System.Net.ServicePointManager+ChainValidationHelper.ValidateChain (Mono.Security.X509.X509CertificateCollection certs) [0x00000] in <filename unknown>:0
Please, report this problem to the Mono team
Comment 3 Jonathan Pryor 2012-11-16 23:52:47 UTC
A more readable stack trace:

> I/mono-stderr(  588): ERROR building certificate chain: System.NullReferenceException: Object reference not set to an instance of an object
> I/mono-stderr(  588):   at Mono.Security.Cryptography.PKCS1.Encode_v15 (System.Security.Cryptography.HashAlgorithm hash, System.Byte[] hashValue, Int32 emLength) [0x00000] in <filename unknown>:0 
> I/mono-stderr(  588):   at Mono.Security.Cryptography.PKCS1.Verify_v15 (System.Security.Cryptography.RSA rsa, System.Security.Cryptography.HashAlgorithm hash, System.Byte[] hashValue, System.Byte[] signature, Boolean tryNonStandardEncoding) [0x00000] in <filename unknown>:0 
> I/mono-stderr(  588):   at Mono.Security.Cryptography.PKCS1.Verify_v15 (System.Security.Cryptography.RSA rsa, System.Security.Cryptography.HashAlgorithm hash, System.Byte[] hashValue, System.Byte[] signature) [0x00000] in <filename unknown>:0 
> I/mono-stderr(  588):   at System.Security.Cryptography.RSAPKCS1SignatureDeformatter.VerifySignature (System.Byte[] rgbHash, System.Byte[] rgbSignature) [0x00000] in <filename unknown>:0 
> I/mono-stderr(  588):   at Mono.Security.X509.X509Certificate.VerifySignature (System.Security.Cryptography.RSA rsa) [0x00000] in <filename unknown>:0 
> I/mono-stderr(  588):   at Mono.Security.X509.X509Certificate.VerifySignature (System.Security.Cryptography.AsymmetricAlgorithm aa) [0x00000] in <filename unknown>:0 
> I/mono-stderr(  588):   at System.Security.Cryptography.X509Certificates.X509Chain.IsSignedWith (System.Security.Cryptography.X509Certificates.X509Certificate2 signed, System.Security.Cryptography.AsymmetricAlgorithm pubkey) [0x00000] in <filename unknown>:0 
> I/mono-stderr(  588):   at System.Security.Cryptography.X509Certificates.X509Chain.Process (Int32 n) [0x00000] in <filename unknown>:0 
> I/mono-stderr(  588):   at System.Security.Cryptography.X509Certificates.X509Chain.ValidateChain (X509ChainStatusFlags flag) [0x00000] in <filename unknown>:0 
> I/mono-stderr(  588):   at System.Security.Cryptography.X509Certificates.X509Chain.Build (System.Security.Cryptography.X509Certificates.X509Certificate2 certificate) [0x00000] in <filename unknown>:0 
> I/mono-stderr(  588):   at System.Net.ServicePointManager+ChainValidationHelper.ValidateChain (Mono.Security.X509.X509CertificateCollection certs) [0x00000] in <filename unknown>:0 
> I/mono-stderr(  588): Please, report this problem to the Mono team

The ValidateChain() method:

https://github.com/mono/mono/blob/mono-2-10/mcs/class/System/System.Net/ServicePointManager.cs#L436

The X509Chain.Build() invocation:

https://github.com/mono/mono/blob/mono-2-10/mcs/class/System/System.Net/ServicePointManager.cs#L472
Comment 4 Jonathan Pryor 2012-11-16 23:55:20 UTC
Sebastian: Could this NRE be caused because there are no builtin certificates that Mono.Security.Cryptography would be using, e.g. as per the comment at:

https://github.com/mono/mono/blob/mono-2-10/mcs/class/System/System.Net/ServicePointManager.cs#L522
Comment 5 Sebastien Pouliot 2012-11-17 10:58:27 UTC
No, it looks like a linker bug. Easy to test - does it work without linking?

In order to build the chain the certificate must be validated. Part of this validation requires checking their signature. My guess is that the certificate is signed with a hash algorithm that was linked out. That's because the code needs to turn an OID into a HashAlgorithm instance - and that's done using reflection (using CryptoConfig).

Most certificates use SHA1 and that one is hard to link out (if you use SSL or certificates). OTOH some certificates might be using SHA256|384|512 and those won't be included "automagically" because the application uses SSL.

This works on MonoTouch because it uses a CryptoConfig that is more "static" than "dynamic" due to the fact it cannot load code dynamically at runtime (full AOT limitation). AFAIK M4A uses the standard CryptoConfig.
Comment 6 Sebastien Pouliot 2012-11-17 11:48:43 UTC
The sample is not linked (but I can't test M4A right now) but I did access the same URL and it shows the OID 1.2.840.113549.1.1.2 being used.

That OID maps to the (very old) MD2. That algorithm is not in the standard framework. Mono provides it (and others) inside Mono.Security.dll and the machine.config has a mapping for that OID to find its way back to the "right" class (that's how CryptoConfig works).

The issue is that, for M4A, the call to

   HashAlgorithm.Create (hashName)

returns null.

On the desktop Mono the same Create call would return an MD2Managed instance that could validate the digest.
Comment 7 Jonathan Pryor 2012-11-17 12:27:57 UTC
> No, it looks like a linker bug. Easy to test - does it work without linking?

This isn't a linker bug, as I'm seeing this on a Debug (non-linking) build.

I'll need to investigate machine.config. I do see an entry in there for MD2, but perhaps something else is wrong?

  <mscorlib>                                                                    
    <cryptographySettings>                                                      
      <cryptoNameMapping>                                                       
        <cryptoClasses>                                                         
          <cryptoClass monoMD2="Mono.Security.Cryptography.MD2Managed, Mono.Security, Version=2.0.0.0, Culture=neutral, PublicKeyToken=0738eb9f132ed756" />
        </cryptoClasses>                                                        
        <nameEntry name="MD2" class="monoMD2" />                                
      </cryptoNameMapping>                                                      
      <oidMap>                                                                  
        <oidEntry OID="1.2.840.113549.2.2" name="MD2" />                        
        <oidEntry OID="1.2.840.113549.2.2" name="Mono.Security.Cryptography.MD2Managed" />
      </oidMap>                                                                 
    </cryptographySettings>                                                     
  </mscorlib>
Comment 8 Sebastien Pouliot 2012-11-17 12:38:53 UTC
> This isn't a linker bug, as I'm seeing this on a Debug (non-linking) build.

Yep, I saw the sample was not linked (comment #6). OTOH you might want to test it (once working) with the linker enabled - because the linker could very well remove it (that's the case I got a long time ago).

> Mono.Security, Version=2.0.0.0, Culture=neutral, PublicKeyToken=0738eb9f132ed756

You're shipping 2.1.0.0 versions right ? not 2.0.0.0

Try creating the class (Activator) using the above string (and adjust until you get it non-null).
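
The probe suggested in comment 8, written out as an added example (not code from the bug report, its participants, or Mono): it checks whether the hash names from the machine.config excerpt resolve through `HashAlgorithm.Create`, and whether `MD2Managed` can be instantiated via `Activator` under each assembly version. The class name `HashResolutionProbe` and the method `Report` are hypothetical; call `Report()` from inside the affected app and log the returned string.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added diagnostic, not code from the bug report or from Mono.
public static class HashResolutionProbe
{
    // SHA1 is a control; the other two names come from the machine.config excerpt in comment 7.
    static readonly string[] Names = {
        "SHA1", "MD2", "Mono.Security.Cryptography.MD2Managed"
    };

    const string TypeFormat = "Mono.Security.Cryptography.MD2Managed, Mono.Security, " +
        "Version={0}, Culture=neutral, PublicKeyToken=0738eb9f132ed756";

    // 2.0.0.0 is what machine.config lists; 2.1.0.0 is the version comment 8 asks about.
    static readonly string[] Versions = { "2.0.0.0", "2.1.0.0" };

    public static string Report()
    {
        var sb = new StringBuilder();
        foreach (string name in Names) {
            // Name lookup through CryptoConfig; comment 6 reports null for MD2 on M4A.
            HashAlgorithm hash = HashAlgorithm.Create(name);
            sb.AppendFormat("Create(\"{0}\") -> {1}\n", name, Describe(hash));
        }
        foreach (string version in Versions) {
            string qualified = string.Format(TypeFormat, version);
            object instance = null;
            try {
                // throwOnError: false yields null when the assembly or type cannot be resolved.
                Type type = Type.GetType(qualified, false);
                if (type != null)
                    instance = Activator.CreateInstance(type);
            } catch (Exception e) {
                sb.AppendFormat("Version {0} threw {1}\n", version, e.GetType().Name);
                continue;
            }
            sb.AppendFormat("Version {0} -> {1}\n", version, Describe(instance));
        }
        return sb.ToString();
    }

    // Full type identity shows which assembly version actually satisfied the lookup.
    static string Describe(object o)
    {
        return o == null ? "null" : o.GetType().AssemblyQualifiedName;
    }
}
```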
Comment 9 Jonathan Pryor 2014-01-14 16:02:48 UTC
*** Bug 11043 has been marked as a duplicate of this bug. ***
Comment 10 Marek Habersack 2014-11-26 06:43:33 UTC
I can't build the sample using XS/master and XA/master with Mono 3.10.0 - PCL Profile1 is missing and I can't find any other profile which has System.Net.WebClient - any idea where it might be?
Comment 11 Chris Hardy [MSFT] 2017-06-27 02:09:00 UTC
Unfortunately, we’re unable to reproduce this report. If this issue is still occurring for you, please reopen this issue and attach a reproduction to the bug by starting with a clean Xamarin.Android project adding just the code necessary to demonstrate the issue.