X509Chain.Build is not working

[omghb]

Android application type

Android for .NET (net6.0-android, etc.)

Affected platform version

VS 2022 17.3.1

Description

I'm using an SslStream with a custom UserCertificateValidationCallback.

1. To get this working I had to use the workaround provided here: https://stackoverflow.com/a/71196389
   a. Note: Only the first part of the workaround was required: DangerousTrustProvider so that the UserCertificateValidationCallback gets called.
2. I'm using the X509Chain.Build method. But it returns false also for a valid certificate chain:

chain.ChainStatus = {System.Security.Cryptography.X509Certificates.X509ChainStatus[1]}
Status = System.Security.Cryptography.X509Certificates.X509ChainStatusFlags.PartialChain
StatusInformation = "unable to find valid certification path to requested target"

Note: On the Windows platform the same chain returned true without an issue.

By searching for the issue I found out that X509Chain.Build was removed from the X509TrustManagerWithValidationCallback class as it seems not to be working. See:

• 3637e2f#diff-3109d25592ee417bec61f3270f4a55818fae27e48575e40b207d5001e019276f
• Also mentioned here: Use custom validation callback for server certificates in HTTP handlers #6665

It turns out that X509Chain Build function doesn't work on Android, so I'm not calling it and I'm passing the chain to the callback directly.

Please, fix X509Chain.Build

Steps to Reproduce

Did you find any workaround?

No response

Relevant log output

No response

[simonrozsival]

Hi @omghb! Thanks for reporting this issue. This is a known problem tracked in dotnet/runtime#45741. Please add a comment to that issue with the details of your use case so that we keep this information in one place.

@jpobst please close this issue as it's a runtime issue (I don't have permissions to do it myself).

[jpobst]

Thanks for looking into this!

Closing as duplicate of dotnet/runtime#45741.

[omghb]

Hi @simonrozsival! Thanks for providing the dotnet/runtime#45741 link. The information helped me to solve my issue.

Here some details (maybe someone will find this information useful):

I have used the X509Chain in a way which is not supported by Android:

customChain.ChainPolicy.ExtraStore.AddRange(sslOptions.TrustedRootCertificates);
customChain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority;

Solution: By replacing the lines from above with the following lines

customChain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
customChain.ChainPolicy.CustomTrustStore.AddRange(sslOptions.TrustedRootCertificates);

solved my issue. However, the API used by the new code requires .NET 5 or newer.