Bug 8788 - Unsupported hash for SSL certificate
Summary: Unsupported hash for SSL certificate
Status: NEEDINFO
Alias: None
Product: Class Libraries
Classification: Mono
Component: System
Version: unspecified
Hardware: PC Mac OS
Importance: --- normal
Target Milestone: Untriaged
Assignee: Martin Baulig
URL:
Depends on:
Blocks:
 
Reported: 2012-12-05 19:12 UTC by Jérémie Laval
Modified: 2017-04-04 13:19 UTC
CC: 4 users

See Also:
Tags:
Is this bug a regression?: ---
Last known good build:


Attachments
It fixes the problem described in the case (1.24 KB, patch)
2013-10-30 08:30 UTC, Roman Procopie

Description Jérémie Laval 2012-12-05 19:12:01 UTC
ERROR building certificate chain: System.ArgumentException: certificate ---> System.Security.Cryptography.CryptographicException: Unsupported hash algorithm: 1.2.840.113549.1.1.11
  at Mono.Security.X509.X509Certificate.VerifySignature (System.Security.Cryptography.RSA rsa) [0x00000] in <filename unknown>:0 
  at Mono.Security.X509.X509Certificate.VerifySignature (System.Security.Cryptography.AsymmetricAlgorithm aa) [0x00000] in <filename unknown>:0 
  at System.Security.Cryptography.X509Certificates.X509Chain.IsSignedWith (System.Security.Cryptography.X509Certificates.X509Certificate2 signed, System.Security.Cryptography.AsymmetricAlgorithm pubkey) [0x00000] in <filename unknown>:0 
  at System.Security.Cryptography.X509Certificates.X509Chain.Process (Int32 n) [0x00000] in <filename unknown>:0 
  at System.Security.Cryptography.X509Certificates.X509Chain.ValidateChain (X509ChainStatusFlags flag) [0x00000] in <filename unknown>:0 
  at System.Security.Cryptography.X509Certificates.X509Chain.Build (System.Security.Cryptography.X509Certificates.X509Certificate2 certificate) [0x00000] in <filename unknown>:0 
  --- End of inner exception stack trace ---
  at System.Security.Cryptography.X509Certificates.X509Chain.Build (System.Security.Cryptography.X509Certificates.X509Certificate2 certificate) [0x00000] in <filename unknown>:0 
  at System.Net.ServicePointManager+ChainValidationHelper.ValidateChain (Mono.Security.X509.X509CertificateCollection certs) [0x00000] in <filename unknown>:0 
Please, report this problem to the Mono team

Certificate is the one used on https://neteril.org
Comment 1 Sebastien Pouliot 2012-12-06 08:17:43 UTC
1.2.840.113549.1.1.11 is SHA-256 with RSA Encryption and that's been supported for a while (longer in master than 2.10).

Exactly which version of Mono and OS was used?

Also OSX (stated above) does not use this (by default) code path (but there were some buggy versions of Mono that did for a while).


$ mono --version
Mono JIT compiler version 2.10.10 (mono-2-10/4d9ada6 Wed Nov 28 22:38:28 EST 2012)
Copyright (C) 2002-2012 Novell, Inc, Xamarin, Inc and Contributors. www.mono-project.com
	TLS:           normal
	SIGSEGV:       normal
	Notification:  kqueue
	Architecture:  x86
	Disabled:      none
	Misc:          softdebug 
	LLVM:          yes(2.9svn-mono)
	GC:            Included Boehm (with typed GC)
$ cat wc.cs
using System;
using System.Net;

class Test {
	public static void Main (string[] args)
	{
		foreach (string s in args) {
			Read (s);
		}
	}

	static void Read (string url)
	{
		WebClient wc = new WebClient ();
		Console.WriteLine (wc.DownloadString (url)); 
	}
}
$ mcs wc.cs
$ mono wc.exe https://neteril.org
<!DOCTYPE html>
<html>
  <head>
	<meta charset="utf-8">
	<meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
    <title>Neteril</title>
	<link href='http://fonts.googleapis.com/css?family=Sanchez' rel='stylesheet' type='text/css'>
	<link href="/css/bootstrap.css" rel="stylesheet" media="screen">
	<link href="/css/custom.css" rel="stylesheet" media="screen">
  </head>
  <body>
	<div class="container">
	  <h1 class="title">Neteril</h1>
	  <div class="menu">
		<ul>
		  <li>About.</li>
		  <li><a href="/work">Work</a></li>
		  <li><a href="/stuff">Stuff</a></li>
		  <li><a href="/blog">Blog</a></li>
		</ul>
	  </div>
	  <div class="content">
		<p class="lead">Welcome traveler,</p>

		<p>My name is <span itemprop="name">Jérémie Laval</span> (aka <span itemprop="nickname">garuma</span> on the interweb). I'm a 20-something French and hacker at <a href="http://www.xamarin.com"><span itemprop="affiliation">Xamarin</span></a> where I help shape the future of mobile development. Previously a <a href="http://www.utbm.fr"><span itemprop="affiliation">UTBM</span></a> student too.</p>
			
		<p>In my spare time, I'm a free and open-source <span itemprop="title">software developer</span> and enthusiast. I use and abuse of the <a href="http://en.wikipedia.org/wiki/CSharp">C#</a> programming language and <a href="http://www.mono-project.com/">Mono</a> platform.</p>

		<p>I'm also a penguin user and supporter, mainly gliding with <a href="http://www.archlinux.org/">Arch Linux</a>.</p>
	  </div>
	  <div class="bottom-line">
		<ul>
		  <li><a href="https://twitter.com/jeremie_laval"><img src="/img/twitter.png"></a></li>
		  <li><a href="http://www.linkedin.com/in/jeremielaval"><img src="/img/in.png"></a></li>
		  <li><a href="https://github.com/garuma"><img src="/img/github.png"></a></li>
		</ul>
	  </div>
	</div>
  </body>
</html>

$
Comment 2 Jérémie Laval 2012-12-06 09:24:48 UTC
My bad, this is a recent MfA with some flavor of 2.10
Comment 3 Jonathan Pryor 2012-12-06 11:04:25 UTC
@Jérémie I suspect this is a dupe of Bug #7771, though that's with OID 1.2.840.113549.1.1.2, not 1.2.840.113549.1.1.11...
Comment 4 Roman Procopie 2013-10-30 08:30:35 UTC
Created attachment 5275 [details]
It fixes the problem described in the case

I have been experiencing the same on Mono 2.10.9 built from source on Linux

The patch attached fixes it. Basically I have added SHA256 as a valid hash algorithm. Not sure if the patch is complete; so far my program did not fail.

To use the patch

- cd into the directory with mono source
- patch mcs/class/Mono.Security/Mono.Security.X509/X509Certificate.cs /path/to/mono_sha256_rsa_ssl_patch
- build mono as usual: configure --options.... ; make ; make install
Comment 5 Jonathan Pryor 2013-10-30 15:17:22 UTC
@Roman: That patch shouldn't be needed with XA 4.8.0 and later, as X509Certificate.cs already checks for 1.2.840.113549.1.1.11:

https://github.com/mono/mono/blob/master/mcs/class/Mono.Security/Mono.Security.X509/X509Certificate.cs#L389
Comment 6 Roman Procopie 2013-10-31 03:36:20 UTC
Thanks, I thought it might be out of date with newer versions of Mono. However, in my case I cannot upgrade to the latest version of Mono due to other problems and people like me might appreciate it.

I can also see that my patch is incomplete, so for those that get to use it (on Mono 2.X), feel free to also add similarly.

1.2.840.113549.1.1.12 - SHA384 with RSA
1.2.840.113549.1.1.13 - SHA512 with RSA
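
Worked example added here (not Mono's code and not part of the thread): a small Python routine that pulls the outer signatureAlgorithm OID out of a DER certificate and maps it to the hash a verifier must use, which is the step that produces "Unsupported hash algorithm" above; it covers the SHA-256 OID from the report and the SHA-384/SHA-512 OIDs from comment 6, and rejects the MD2 OID mentioned in comment 3. `read_tlv`, `decode_oid`, `signature_hash`, `fake_cert` and `RSA_SIG_OIDS` are constructed helpers, the DER parser assumes definite-length encoding, and the certificate bytes are a constructed minimal shell rather than the neteril.org certificate.

```python
# Added example, not Mono's code: decode a DER certificate's outer
# signatureAlgorithm OID and map it to the hash the verifier must use.

# PKCS#1 RSA signature OIDs named in this thread -> hash algorithm.
RSA_SIG_OIDS = {
    "1.2.840.113549.1.1.5": "SHA1",
    "1.2.840.113549.1.1.11": "SHA256",   # the OID rejected in the report
    "1.2.840.113549.1.1.12": "SHA384",   # comment 6
    "1.2.840.113549.1.1.13": "SHA512",   # comment 6
}

def read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                     # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(content):
    """Decode OBJECT IDENTIFIER content bytes (base-128 arcs) to dotted form."""
    arcs, acc = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                  # high bit clear ends the arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def signature_hash(cert_der):
    """Hash name for Certificate.signatureAlgorithm, or raise as Mono 2.10 did."""
    _, cert, _ = read_tlv(cert_der, 0)    # Certificate ::= SEQUENCE { ... }
    _, _, pos = read_tlv(cert, 0)         # skip tbsCertificate
    _, alg, _ = read_tlv(cert, pos)       # AlgorithmIdentifier ::= SEQUENCE
    tag, oid_bytes, _ = read_tlv(alg, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier must start with an OID")
    oid = decode_oid(oid_bytes)
    if oid not in RSA_SIG_OIDS:
        raise ValueError(f"Unsupported hash algorithm: {oid}")
    return RSA_SIG_OIDS[oid]

def fake_cert(oid_bytes):
    """Constructed minimal DER shell: SEQUENCE { tbs SEQUENCE {}, alg, BIT STRING }."""
    alg = b"\x06" + bytes([len(oid_bytes)]) + oid_bytes + b"\x05\x00"
    body = b"\x30\x00" + b"\x30" + bytes([len(alg)]) + alg + b"\x03\x02\x00\xff"
    return b"\x30" + bytes([len(body)]) + body

SHA256_RSA = bytes.fromhex("2a864886f70d01010b")  # 1.2.840.113549.1.1.11
SHA384_RSA = bytes.fromhex("2a864886f70d01010c")  # 1.2.840.113549.1.1.12
MD2_RSA = bytes.fromhex("2a864886f70d010102")     # 1.2.840.113549.1.1.2 (comment 3)
```

The failure mode the thread describes is a stale algorithm table: a verifier that does not know an OID refuses the chain outright, which is the safe direction, but it means a runtime that predates SHA-2 support cannot validate modern certificates until the table is updated as the attached patch and the linked master X509Certificate.cs do.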
