
X509Chain build does not work for OCSP only certificate for .Net 3.1 on Linux #79212

Closed
t-bzhan opened this issue Dec 5, 2022 · 5 comments
Labels
area-System.Security needs-further-triage Issue has been initially triaged, but needs deeper consideration or reconsideration

Comments

@t-bzhan

t-bzhan commented Dec 5, 2022

Description

When using the code snippet below to build the chain for a valid certificate:

        using System;
        using System.Security.Cryptography.X509Certificates;

        // Wrapper class added so the snippet compiles on its own.
        public static class ChainCheck
        {
            public static void BuildChain(X509Certificate2 x509Cert)
            {
                using (var chain = new X509Chain())
                {
                    // Default ChainPolicy: RevocationMode = Online, RevocationFlag = ExcludeRoot,
                    // so Build() attempts a CRL/OCSP lookup for every non-root element.
                    var success = chain.Build(x509Cert);

                    Console.WriteLine("Success: {0}", success);

                    // Every status flag raised while building, with the platform's description.
                    Console.WriteLine("Statuses:");
                    foreach (var status in chain.ChainStatus)
                    {
                        Console.WriteLine("\t{0}:{1}", status.Status, status.StatusInformation);
                    }

                    // Chain elements are listed leaf first, root last.
                    Console.WriteLine("Elements:");
                    foreach (var element in chain.ChainElements)
                    {
                        Console.WriteLine("\t{0}", element.Certificate.Subject);
                    }
                }
            }
        }

It works as expected on Windows; however, it returned the error below on Linux:

Success: False
Statuses:
RevocationStatusUnknown:unable to get certificate CRL
Elements:
CN=*.cdn.aprimo.com.cn, O=Aprimo US LLC, L=Indianapolis, S=Indiana, C=US
CN=GlobalSign RSA OV SSL CA 2018, O=GlobalSign nv-sa, C=BE
CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R3

The certificate did not have a CRL, but it did have OCSP:

    X509v3 extensions:
        X509v3 Key Usage: critical
            Digital Signature, Key Encipherment
        Authority Information Access: 
            CA Issuers - URI:http://secure.globalsign.com/cacert/gsrsaovsslca2018.crt
            OCSP - URI:http://ocsp.globalsign.com/gsrsaovsslca2018

        X509v3 Certificate Policies: 
            Policy: 1.3.6.1.4.1.4146.1.20
              CPS: https://www.globalsign.com/repository/
            Policy: 2.23.140.1.2.2

        X509v3 Basic Constraints: 
            CA:FALSE
        X509v3 Subject Alternative Name: 
            DNS:*.cdn.aprimo.com.cn, DNS:cdn.aprimo.com.cn
        X509v3 Extended Key Usage: 
            TLS Web Server Authentication, TLS Web Client Authentication
        X509v3 Authority Key Identifier: 
            keyid:F8:EF:7F:F2:CD:78:67:A8:DE:6F:8F:24:8D:88:F1:87:03:02:B3:EB

        X509v3 Subject Key Identifier: 
            E0:D3:A9:E3:CE:2B:4B:49:56:C8:92:1C:F8:D6:5A:6F:57:E5:83:46

Reproduction Steps

Details included in the project zip file.
OcspOnlyX509ChainBuild.zip

Expected behavior

The chain build operation should return success.

Actual behavior

The chain build action returns the error below:

RevocationStatusUnknown:unable to get certificate CRL

Regression?

No response

Known Workarounds

No response

Configuration

dotnet --info

.NET Core SDK (reflecting any global.json):
Version: 3.1.403
Commit: 9e895200cd

Runtime Environment:
OS Name: ubuntu
OS Version: 18.04
OS Platform: Linux
RID: ubuntu.18.04-x64
Base Path: /usr/share/dotnet/sdk/3.1.403/

Host (useful for support):
Version: 3.1.9
Commit: 774fc3d6a9

.NET Core SDKs installed:
3.1.403 [/usr/share/dotnet/sdk]

.NET Core runtimes installed:
Microsoft.AspNetCore.App 3.1.9 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.NETCore.App 3.1.9 [/usr/share/dotnet/shared/Microsoft.NETCore.App]

Other information

No response

@ghost ghost added the untriaged New issue has not been triaged by the area owner label Dec 5, 2022
@ghost

ghost commented Dec 5, 2022

Tagging subscribers to this area: @dotnet/area-system-security, @vcsjones
See info in area-owners.md if you want to be subscribed.


@vcsjones
Member

vcsjones commented Dec 5, 2022

I cannot reproduce this with this line:

chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;

But the zip project does not have that line, so I assume the steps to reproduce do not use NoCheck for revocation checking.

I can reproduce this in .NET Core 3.1, but not 6.0 or 7.0.

.NET Core 3.1 should support OCSP.

I would however point out that .NET Core 3.1 is going out-of-support in 8 days, as of writing. So any possible fix identified is unlikely to be serviced into .NET Core 3.1. The most straightforward way to address this is to move to .NET Core 6 or 7, depending on your preference for LTS or STS.

Can you confirm if the issue is resolved for you with .NET 6 or 7?
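An added example (not code from the issue, its zip project, or the dotnet repository) of how a caller can handle this status defensively rather than switching to NoCheck: it runs the same X509Chain.Build with online revocation, then separates "no CRL/OCSP source could be used" (the RevocationStatusUnknown result shown above) from a genuinely untrusted chain, and records whether the leaf carries an Authority Information Access extension (OCSP / CA Issuers) or a CRL Distribution Points extension. The class ChainDiagnostics, the Verdict enum and the Evaluate method are names assumed here; the APIs used exist on .NET Core 3.1 and later.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography.X509Certificates;

// Illustrative helper; the names below are assumptions, not an API of the issue's project.
public static class ChainDiagnostics
{
    const string AiaOid = "1.3.6.1.5.5.7.1.1"; // Authority Information Access (OCSP and CA Issuers URIs)
    const string CrlDpOid = "2.5.29.31";       // CRL Distribution Points

    public enum Verdict { Trusted, RevocationUnknown, Untrusted }

    // Builds the chain with online revocation checking (the default the issue's snippet relies on)
    // and classifies the outcome so "could not check revocation" is visible as exactly that.
    public static Verdict Evaluate(X509Certificate2 cert, out string detail)
    {
        using (var chain = new X509Chain())
        {
            chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
            chain.ChainPolicy.RevocationFlag = X509RevocationFlag.ExcludeRoot;
            chain.ChainPolicy.UrlRetrievalTimeout = TimeSpan.FromSeconds(15);

            if (chain.Build(cert))
            {
                detail = "chain valid and revocation checked online";
                return Verdict.Trusted;
            }

            // OR all raised flags together, then mask off the two that only mean
            // "a CRL/OCSP source was unavailable", not "the certificate is bad".
            var all = chain.ChainStatus.Aggregate(X509ChainStatusFlags.NoError, (acc, s) => acc | s.Status);
            var revocationOnly = X509ChainStatusFlags.RevocationStatusUnknown | X509ChainStatusFlags.OfflineRevocation;

            if ((all & ~revocationOnly) == X509ChainStatusFlags.NoError)
            {
                var ext = cert.Extensions.Cast<X509Extension>().ToList();
                bool hasAia = ext.Any(e => e.Oid?.Value == AiaOid);
                bool hasCrlDp = ext.Any(e => e.Oid?.Value == CrlDpOid);
                detail = $"revocation undetermined (leaf has AIA: {hasAia}, CRL DP: {hasCrlDp}); " +
                         "apply the fail-closed or soft-fail policy chosen for this deployment";
                return Verdict.RevocationUnknown;
            }

            // Anything else (untrusted root, name mismatch, expiry, ...) is a real trust failure.
            detail = string.Join("; ", chain.ChainStatus.Select(s => $"{s.Status}: {s.StatusInformation}"));
            return Verdict.Untrusted;
        }
    }
}
```

Treating RevocationUnknown as a failure (fail closed) is the safe default wherever the certificate authenticates a peer; if a deployment must soft-fail for availability, log the verdict and detail so the gap is visible rather than masked by NoCheck.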

@bartonjs bartonjs added the needs-author-action An issue or pull request that requires more info or actions from the author. label Dec 5, 2022
@ghost

ghost commented Dec 5, 2022

This issue has been marked needs-author-action and may be missing some important information.

@ghost ghost removed the untriaged New issue has not been triaged by the area owner label Dec 5, 2022
@t-bzhan
Author

t-bzhan commented Dec 6, 2022

Thanks @vcsjones, confirmed that the issue is resolved in .NET 6:

bzhan@bzhan-pc11  /mnt/d/MyTool/KeyVaultChecker/OcspOnlyX509ChainBuild  dotnet run

Welcome to .NET 6.0!

SDK Version: 6.0.403

Telemetry

The .NET tools collect usage data in order to help us improve your experience. It is collected by Microsoft and shared with the community. You can opt-out of telemetry by setting the DOTNET_CLI_TELEMETRY_OPTOUT environment variable to '1' or 'true' using your favorite shell.

Read more about .NET CLI Tools telemetry: https://aka.ms/dotnet-cli-telemetry


Installed an ASP.NET Core HTTPS development certificate.
To trust the certificate run 'dotnet dev-certs https --trust' (Windows and macOS only).
Learn about HTTPS: https://aka.ms/dotnet-https

Write your first app: https://aka.ms/dotnet-hello-world
Find out what's new: https://aka.ms/dotnet-whats-new
Explore documentation: https://aka.ms/dotnet-docs
Report issues and find source on GitHub: https://github.com/dotnet/core
Use 'dotnet --help' to see available commands or visit: https://aka.ms/dotnet-cli

Success: True
Statuses:
Elements:
CN=*.cdn.aprimo.com.cn, O=Aprimo US LLC, L=Indianapolis, S=Indiana, C=US
CN=GlobalSign RSA OV SSL CA 2018, O=GlobalSign nv-sa, C=BE
CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R3

@ghost ghost added needs-further-triage Issue has been initially triaged, but needs deeper consideration or reconsideration and removed needs-author-action An issue or pull request that requires more info or actions from the author. labels Dec 6, 2022
@vcsjones
Member

Given that .NET Core 3.1 went out of support today, and it's working as expected for .NET 6 and .NET 7, I think it makes sense to close this out.

Please re-open the issue, or create a new one, if you believe there is an issue with a supported version of .NET.

@vcsjones vcsjones closed this as not planned Won't fix, can't repro, duplicate, stale Dec 13, 2022
@ghost ghost locked as resolved and limited conversation to collaborators Jan 13, 2023