Incorrect certificate chain used in SslStream_UntrustedCaWithCustomTrust_OK test. #73295

Closed
rzikm opened this issue Aug 3, 2022 · 5 comments

rzikm commented Aug 3, 2022

Discovered while working on #72873.

During the original implementation, there was a typo at

    serverOptions.ServerCertificateContext = SslStreamCertificateContext.Create(certificates.serverCert, certificates.serverChain);

From discussion with @wfurt, the second argument should be serverChain. However, the change breaks tests on Mac so more investigation is needed:

    System.Net.Security.Tests.SslStreamNetworkStreamTest.SslStream_UntrustedCaWithCustomTrust_OK(usePartialChain: False) [FAIL]
      System.Security.Authentication.AuthenticationException : The remote certificate is invalid because of errors in the certificate chain: PartialChain
      Stack Trace:
        /_/src/libraries/System.Net.Security/src/System/Net/Security/SslStream.IO.cs(477,0): at System.Net.Security.SslStream.SendAuthResetSignal(ProtocolToken message, ExceptionDispatchInfo exception)
        /_/src/libraries/System.Net.Security/src/System/Net/Security/SslStream.IO.cs(529,0): at System.Net.Security.SslStream.CompleteHandshake(SslAuthenticationOptions sslAuthenticationOptions)
        /_/src/libraries/System.Net.Security/src/System/Net/Security/SslStream.IO.cs(332,0): at System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](Boolean receiveFirst, Byte[] reAuthenticationData, CancellationToken cancellationToken)
        /_/src/libraries/Common/tests/System/Threading/Tasks/TaskTimeoutExtensions.cs(120,0): at System.Threading.Tasks.TaskTimeoutExtensions.GetRealException(Task task)
        --- End of stack trace from previous location ---
        /_/src/libraries/Common/tests/System/Threading/Tasks/TaskTimeoutExtensions.cs(90,0): at System.Threading.Tasks.TaskTimeoutExtensions.WhenAllOrAnyFailed(Task[] tasks)
        /_/src/libraries/Common/tests/System/Threading/Tasks/TaskTimeoutExtensions.cs(55,0): at System.Threading.Tasks.TaskTimeoutExtensions.WhenAllOrAnyFailed(Task[] tasks, Int32 millisecondsTimeout)
        /_/src/libraries/System.Net.Security/tests/FunctionalTests/SslStreamNetworkStreamTest.cs(805,0): at System.Net.Security.Tests.SslStreamNetworkStreamTest.SslStream_UntrustedCaWithCustomTrust_OK(Boolean usePartialChain)
        --- End of stack trace from previous location ---
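
The `PartialChain` status in the failure above can be reproduced at the `X509Chain` level. The following is an added example, not code from this thread or from the dotnet/runtime tests: it validates a leaf against a custom root with and without the intermediate available. The certificate names are constructed, and `ExtraStore` stands in for the certificates a TLS peer would send alongside its leaf.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Constructed three-level test PKI: root -> intermediate -> leaf (all names are made up).
DateTimeOffset now = DateTimeOffset.UtcNow;
using ECDsa rootKey = ECDsa.Create();
using ECDsa caKey = ECDsa.Create();
using ECDsa leafKey = ECDsa.Create();

using X509Certificate2 root = CaRequest("CN=Example Test Root", rootKey)
    .CreateSelfSigned(now.AddDays(-1), now.AddDays(365));

// Create() returns a certificate without a private key; attach it so it can sign the leaf.
using X509Certificate2 caPublic = CaRequest("CN=Example Test Intermediate", caKey)
    .Create(root, now.AddHours(-1), now.AddDays(90), new byte[] { 1 });
using X509Certificate2 intermediate = caPublic.CopyWithPrivateKey(caKey);

var leafReq = new CertificateRequest("CN=localhost", leafKey, HashAlgorithmName.SHA256);
using X509Certificate2 leaf =
    leafReq.Create(intermediate, now.AddMinutes(-5), now.AddDays(30), new byte[] { 2 });

// The missing-intermediate case runs first so nothing from an earlier
// successful build can supply the intermediate.
Console.WriteLine($"leaf only:           {Validate(leaf, root)}");
Console.WriteLine($"leaf + intermediate: {Validate(leaf, root, intermediate)}");

static CertificateRequest CaRequest(string name, ECDsa key)
{
    var req = new CertificateRequest(name, key, HashAlgorithmName.SHA256);
    // Issuers must carry BasicConstraints with CA=true.
    req.CertificateExtensions.Add(new X509BasicConstraintsExtension(true, false, 0, true));
    return req;
}

static X509ChainStatusFlags Validate(
    X509Certificate2 leaf, X509Certificate2 trustedRoot, params X509Certificate2[] sentByPeer)
{
    using var chain = new X509Chain();
    chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust; // ignore system roots
    chain.ChainPolicy.CustomTrustStore.Add(trustedRoot);
    chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;    // test PKI has no CRL/OCSP
    chain.ChainPolicy.ExtraStore.AddRange(sentByPeer);                // candidates, not trust anchors
    chain.Build(leaf);

    X509ChainStatusFlags flags = X509ChainStatusFlags.NoError;
    foreach (X509ChainStatus status in chain.ChainStatus) flags |= status.Status;
    return flags;
}
```

With only the leaf, the chain builder has no path to the trusted root and reports `PartialChain`; with the intermediate supplied, the chain completes to the custom root.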

ghost commented Aug 3, 2022

Tagging subscribers to this area: @dotnet/ncl, @vcsjones
See info in area-owners.md if you want to be subscribed.

Issue Details

Author: rzikm
Assignees: -
Labels:

area-System.Net.Security, os-mac-os-x

Milestone: -

ghost added the untriaged label Aug 3, 2022

wfurt commented Aug 4, 2022

The test got broken by #47729 in 6.0. Originally introduced by #46664.


karelz commented Aug 9, 2022

Triage: @wfurt found a couple of product problems in this area -- see the above PRs. It is not a regression against 6.0, but we should try to fix it.
It is puntable if needed.

karelz added this to the 7.0.0 milestone Aug 9, 2022
karelz removed the untriaged label Aug 9, 2022

karelz commented Aug 12, 2022

Moving to 8.0 due to lack of time as per above.

karelz modified the milestones: 7.0.0, 8.0.0 Aug 12, 2022

wfurt commented Aug 13, 2022

This was primarily fixed by #73577. I was waiting for #73745 to get more test coverage.
The remaining (test-only) issue is tracked by #73862.

wfurt closed this as completed Aug 13, 2022
karelz modified the milestones: 8.0.0, 7.0.0 Aug 15, 2022
ghost locked as resolved and limited conversation to collaborators Sep 14, 2022