
X509Chain behaviour inconsistent on Windows and Linux #29164

Closed
toady opened this issue Apr 4, 2019 · 9 comments · Fixed by dotnet/corefx#37237

Comments

@toady

toady commented Apr 4, 2019

We are running into a problem where the same chain is successfully built on Windows, populating ChainElements, yet fails with PartialChain on Linux, with only the leaf certificate in ChainElements.

The whole trust chain is loaded into ChainPolicy.ExtraStore prior to validating the leaf. Verification flags do not affect the resulting ChainStatus and ChainElements in any way.

It's reproducible on the 2.2 runtime with the following basic code:

using System;
using System.Security.Cryptography.X509Certificates;

var collection = new[]
{
    "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",
    "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",
    "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",
    "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"
};

var certificates = new X509Certificate2[collection.Length];
for (int i = 0; i < collection.Length; ++i)
{
    var bytes = Convert.FromBase64String(collection[i]);

    certificates[i] = new X509Certificate2(bytes);
}

using (var chain = new X509Chain())
{
    chain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllFlags;
    chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;

    for (int i = 1; i < certificates.Length; ++i)
    {
        chain.ChainPolicy.ExtraStore.Add(certificates[i]);
    }

    var success = chain.Build(certificates[0]);

    Console.WriteLine("Success: {0}", success);

    Console.WriteLine("Statuses:");
    foreach (var status in chain.ChainStatus)
    {
        Console.WriteLine("\t{0}", status.Status);
    }

    Console.WriteLine("Elements:");
    foreach (var element in chain.ChainElements)
    {
        Console.WriteLine("\t{0}", element.Certificate.Subject);
    }
}

On Windows the output is:

Success: True
Statuses:
        UntrustedRoot
        NotValidForUsage
        InvalidBasicConstraints
Elements:
        CN=Android Keystore Key
        SERIALNUMBER=b2ed1307ded3963d
        SERIALNUMBER=87f4514475ba0a2b
        SERIALNUMBER=f92009e853b6b045

As expected, the whole chain is there.

Yet on Linux it fails to build:

Success: True
Statuses:
	PartialChain
Elements:
	CN=Android Keystore Key

I'm also attaching the example project with a Dockerfile based on dotnet:2.2-aspnetcore-runtime (and a docker launch target).

X509ChainExample.zip

@toady
Author

toady commented Apr 4, 2019

This is probably the same issue as in #28314 (closed), except a valid certificate chain is already built and attached here. It seems like the ExtraStore is ignored on Linux.

@bartonjs
Member

bartonjs commented Apr 4, 2019

It's not that ExtraStore isn't used, it's that OpenSSL says that the 2nd entry isn't a valid issuer for the first.

Windows is building the chain and reporting NotValidForUsage and InvalidBasicConstraints. OpenSSL says "this is clearly not an issuer I need to consider because it doesn't have the certSign key usage bit" (NotValidForUsage). It likely would have then noticed the basic constraints ca=false and ruled it out on those grounds, too.

While we do try to do work to make even invalid chains build the same way, ultimately we let the system X.509 libraries do the work, and I don't think there's any way we can really coerce OpenSSL into having a different opinion here.

@toady
Author

toady commented Apr 8, 2019

Another inconsistency is about revocation lists, for example this certificate:

MIIEqDCCAxKgAwIBAgIBATALBgkqhkiG9w0BAQswKTEZMBcGA1UEBRMQYTY3MzUxZjRkM2NjYzc5NTEMMAoGA1UEDAwDVEVFMB4XDTE5MDQwNTExNTMyOVoXDTE5MDQxMjExNTMyOVowHzEdMBsGA1UEAxMUQW5kcm9pZCBLZXlzdG9yZSBLZXkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDLDCB4+prYRG0JV6UpDh0XajbszDNXEGnjoHQ0o6pk23/eXm1N+3Z/HSh8dw3+Umtig/wyNB/IrKXfvEQoiZTtNu476bX7mc+fd5U5vFY4/a5RIrRAnE7z5IlbSagoUjlv/MmHlhnuXxR9P3pbijCCbY+oxzYbUy+UqwlyO22oOFcH2EXnt6zO4EMFRX4IkijxZGtew37XcKIcXfpggXwq1YWBZ21Wvzm8KPuLrz+PC7MzrkVCtEPB4EbOCSpdn7k1QRUj4joHRZJuyZB/0ZB/k8Vhf0AWvLiV2XZSRPdxzLqjPJt/H+p/h33tjbJpO4PKmo5ESkqpjMeOJnSfLSsDAgMBAAGjggFnMIIBYzALBgNVHQ8EBAMCBLAwCAYDVR0fBAEAMIIBSAYKKwYBBAHWeQIBEQSCATgwggE0AgECCgEBAgEDCgEBBCD5tPKQ5Ro6TlJR+SMSMdKsO0PEWXH9ZdjM8yAUgCM7WgQAME2/hUVJBEcwRTEfMB0EGGNvbS50ZWNobm9tb3MuYmV0YS5kZWJ1ZwIBDDEiBCB/9Og4sODdcmEFRNLXct5yeBLDRYuvvO2tLZhXuQoXJDCBsqEOMQwCAQMCAQICAQECAQCiAwIBAaMEAgIIAKUFMQMCAQSmCDEGAgEFAgEEv4FIBQIDAQABv4MQCAIGAWntWL4Sv4MRCAIGAWoRZUISv4MSCAIGAWoRZUISv4N3AgUAv4U9CAIGAWnt/Sk+v4U+AwIBAL+FQCowKAQgU0HmsmRpeacOV2UwB6HzEBaUIeyb3Z8aVkj3Wt4AWvEBAf8KAQC/hUEFAgMBOOS/hUIFAgMDFK8wCwYJKoZIhvcNAQELA4IBgQBtMC26d82nPQk7XbdpYrnaikspnk2PJrkrnbr723L+n3c5fBpT1IzvMJJsLnwd+F2Qywgg1lMljLs+W0W+kL0PVmiR0XR6q8iAVMl7hiJuInmQfv04W76VryhShfxBjtUES9NCfI7yNI3Lef65+yW+z9KQWDEkQp7iJrGJzd+ltW7516j8N+OS/Vma/MpXz6124pSDtAqSUMH9AkfL17DzYQePNi49arwfzXAAZfMH64qt9VvQUtC473baWMT0RDM4UbJ3oki/LrR8rWssBtGiyMIoFcOqt0Qwyx4gXShc1b0aAz5YKLi4RoUhjfO84nuNyjfmbGmDsWbqkPGQ/ckaZQpCZ8cLtHRzdtPqITpPz67Y5JMoGc+MXH755hPNt0lLLIcHFC4CuBJ/ywr2BaEcnfaRpeeOyJIg61N6ICFMaxUp7V1p5PEzpTyrhINkExJ18U5DyI5XSW0fintd7GJ8DGMU8Sg6jvXtGRmB/EFG4LIl0mNxaxuuYj6kI6tRBgs=

If ChainPolicy.RevocationMode is set to X509RevocationMode.Offline, on Windows we end up with RevocationStatusUnknown and OfflineRevocation, yet on Linux it's just RevocationStatusUnknown.

If ChainPolicy.RevocationMode is set to X509RevocationMode.Online, on Windows we once again end up with RevocationStatusUnknown and OfflineRevocation, while on Linux Build method throws CryptographicException:

   at System.Security.Cryptography.DerSequenceReader..ctor(DerTag tagToEat, Byte[] data, Int32 offset, Int32 length)
   at Internal.Cryptography.Pal.CrlCache.GetCdpUrl(X509Certificate2 cert)
   at Internal.Cryptography.Pal.CrlCache.DownloadAndAddCrl(X509Certificate2 cert, SafeX509StoreHandle store, TimeSpan& remainingDownloadTime)
   at Internal.Cryptography.Pal.CrlCache.AddCrlForCertificate(X509Certificate2 cert, SafeX509StoreHandle store, X509RevocationMode revocationMode, DateTime verificationTime, TimeSpan& remainingDownloadTime)
   at Internal.Cryptography.Pal.OpenSslX509ChainProcessor.BuildChain(X509Certificate2 leaf, HashSet`1 candidates, HashSet`1 systemTrusted, OidCollection applicationPolicy, OidCollection certificatePolicy, X509RevocationMode revocationMode, X509RevocationFlag revocationFlag, DateTime verificationTime, TimeSpan& remainingDownloadTime)
   at Internal.Cryptography.Pal.ChainPal.BuildChain(Boolean useMachineContext, ICertificatePal cert, X509Certificate2Collection extraStore, OidCollection applicationPolicy, OidCollection certificatePolicy, X509RevocationMode revocationMode, X509RevocationFlag revocationFlag, DateTime verificationTime, TimeSpan timeout)
   at System.Security.Cryptography.X509Certificates.X509Chain.Build(X509Certificate2 certificate, Boolean throwOnException)
   at System.Security.Cryptography.X509Certificates.X509Chain.Build(X509Certificate2 certificate)
   at X509ChainExample.Program.Main() in C:\Users\stanislav.bobrov\Documents\Visual Studio 2017\Projects\X509ChainExample\Program.cs:line 40

This is due to the certificate apparently having a cRL extension with a value of octet string 00:

30 08 06 03 55 1D 1F 04 01 00

and the code trying to read an ASN.1 sequence.

Couldn't find any proof in the RFC that it's a valid value, but it should be more forgiving.
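A parser that tolerates the malformed extension described above, written as an added example (not corefx code) on top of System.Formats.Asn1 (AsnReader/AsnWriter; assumed available, .NET 5+ or the NuGet package). It extracts the URI distribution points from a cRLDistributionPoints value and returns an empty list, rather than throwing, when the value is the single octet 00 from the report; the well-formed sample value and its URI are constructed here.

```csharp
using System;
using System.Collections.Generic;
using System.Formats.Asn1;

static class CdpReader
{
    static readonly Asn1Tag Ctx0 = new Asn1Tag(TagClass.ContextSpecific, 0), Ctx6 = new Asn1Tag(TagClass.ContextSpecific, 6);

    // Extracts the URI distribution points from a cRLDistributionPoints extension value (RFC 5280 section 4.2.1.13).
    // Content that is not a valid DistributionPoints sequence yields an empty list instead of an exception.
    public static List<string> CrlUris(byte[] extensionValue)
    {
        var uris = new List<string>();
        try
        {
            AsnReader points = new AsnReader(extensionValue, AsnEncodingRules.DER).ReadSequence();
            while (points.HasData)
            {
                AsnReader dp = points.ReadSequence();                       // DistributionPoint
                if (!dp.HasData || !dp.PeekTag().HasSameClassAndValue(Ctx0)) continue; // no distributionPoint [0]
                AsnReader dpName = dp.ReadSequence(Ctx0);                   // [0] EXPLICIT DistributionPointName
                if (!dpName.PeekTag().HasSameClassAndValue(Ctx0)) continue; // nameRelativeToCRLIssuer [1]: no URI
                AsnReader names = dpName.ReadSequence(Ctx0);                // fullName [0] IMPLICIT GeneralNames
                while (names.HasData)
                {
                    if (names.PeekTag().HasSameClassAndValue(Ctx6))         // uniformResourceIdentifier [6] IA5String
                        uris.Add(names.ReadCharacterString(UniversalTagNumber.IA5String, Ctx6));
                    else
                        names.ReadEncodedValue();                           // other GeneralName choices: skip
                }
            }
        }
        catch (AsnContentException)
        {
            uris.Clear(); // malformed extension: report "no CDP" rather than failing the chain build
        }
        return uris;
    }

    static void Main()
    {
        // Constructed well-formed value: one DistributionPoint with fullName = [URI "http://x/c.crl"].
        var w = new AsnWriter(AsnEncodingRules.DER);
        using (w.PushSequence()) using (w.PushSequence()) using (w.PushSequence(Ctx0)) using (w.PushSequence(Ctx0))
            w.WriteCharacterString(UniversalTagNumber.IA5String, "http://x/c.crl", Ctx6);
        Console.WriteLine(string.Join(",", CrlUris(w.Encode())));   // http://x/c.crl

        // The value from the report: extension 30 08 06 03 55 1D 1F 04 01 00 carries the single octet 00.
        Console.WriteLine(CrlUris(new byte[] { 0x00 }).Count);      // 0, no exception
    }
}
```

For a real certificate, pass `ext.RawData` of the extension whose `Oid.Value` is `2.5.29.31`; the Build path would then skip CRL download for certificates with no usable URI instead of aborting.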

@bartonjs
Member

Not throwing during extension processing does seem sensible, and is something that we have control over.

@toady
Author

toady commented Apr 11, 2019

@bartonjs, regarding the chain problem, it looks like it's actually corefx code rejecting the certificates from the ExtraStore here, as it throws away any certificate for which Interop.Crypto.X509CheckIssued returned an error.

Interop.Crypto.X509CheckIssued maps to X509_check_issued in openssl, which returns X509_V_ERR_KEYUSAGE_NO_CERTSIGN in case one certificate is indeed signed by another, but key usage is wrong.

I suppose this could be used to actually build the chain with NotValidForUsage flag.
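The behaviour bartonjs describes above (OpenSSL refusing an issuer without keyCertSign or with ca=false) and the X509_check_issued rejection found in the comment above can be reproduced and diagnosed without the report's certificates. This is an added example, not code from the issue or from corefx; it assumes .NET Core 3.0 or later and builds its own root/intermediate/leaf with CertificateRequest, giving the intermediate the same defects. The pre-check reports those defects before Build is called, so a PartialChain on Linux can be explained rather than masked by AllFlags.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
static class IssuerPrecheck
{
    // Why OpenSSL's X509_check_issued would refuse 'issuer' as the issuer of a chain element: basicConstraints
    // ca=false or a keyUsage without keyCertSign. Windows builds the chain anyway and reports these as statuses.
    public static List<string> Problems(X509Certificate2 issuer)
    {
        var problems = new List<string>();
        foreach (X509Extension ext in issuer.Extensions)
        {
            if (ext is X509BasicConstraintsExtension bc && !bc.CertificateAuthority)
                problems.Add("basicConstraints ca=false (InvalidBasicConstraints)");
            else if (ext is X509KeyUsageExtension ku && (ku.KeyUsages & X509KeyUsageFlags.KeyCertSign) == 0)
                problems.Add("keyUsage lacks keyCertSign (NotValidForUsage, X509_V_ERR_KEYUSAGE_NO_CERTSIGN)");
        }
        return problems;
    }
    static CertificateRequest Request(string cn, RSA key) =>
        new CertificateRequest(cn, key, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
    static void Main()
    {
        DateTimeOffset from = DateTimeOffset.UtcNow.AddDays(-1), to = from.AddDays(31);
        using RSA rootKey = RSA.Create(2048), midKey = RSA.Create(2048), leafKey = RSA.Create(2048);
        var rootReq = Request("CN=Constructed Root", rootKey); // constructed root: a proper CA
        rootReq.CertificateExtensions.Add(new X509BasicConstraintsExtension(true, false, 0, true));
        rootReq.CertificateExtensions.Add(new X509KeyUsageExtension(X509KeyUsageFlags.KeyCertSign, true));
        using var root = rootReq.CreateSelfSigned(from, to);
        // Constructed intermediate modelled on the report: issued by the root, but ca=false and no keyCertSign.
        var midReq = Request("CN=Constructed Intermediate", midKey);
        midReq.CertificateExtensions.Add(new X509BasicConstraintsExtension(false, false, 0, true));
        midReq.CertificateExtensions.Add(new X509KeyUsageExtension(X509KeyUsageFlags.DigitalSignature, true));
        using var mid = midReq.Create(root, from, to, new byte[] { 2 });
        // Leaf signed with the intermediate's key through a signature generator, because
        // CertificateRequest.Create(X509Certificate2 issuer, ...) itself rejects a non-CA issuer.
        using var leaf = Request("CN=Constructed Leaf", leafKey).Create(mid.SubjectName,
            X509SignatureGenerator.CreateForRSA(midKey, RSASignaturePadding.Pkcs1), from, to, new byte[] { 3 });
        foreach (var candidate in new[] { mid, root })
            foreach (var problem in Problems(candidate))
                Console.WriteLine($"{candidate.Subject}: {problem}"); // only the intermediate is listed
        using var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
        chain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority; // not AllFlags
        chain.ChainPolicy.ExtraStore.AddRange(new[] { mid, root });
        Console.WriteLine($"Build: {chain.Build(leaf)}, elements: {chain.ChainElements.Count}");
        foreach (var status in chain.ChainStatus) Console.WriteLine($"  {status.Status}");
    }
}
```

Run it on both platforms: the pre-check output is identical, while the Build result and statuses differ in the way the thread describes (all elements with NotValidForUsage/InvalidBasicConstraints on Windows, a single element with PartialChain on Linux).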

@bartonjs
Member

@lil-Toady Ah, then perhaps you should try with a 3.0 preview build, since that code has been entirely replaced with "here, OpenSSL, it's everything I know about everything, do your magic" (no prefilter).

@bartonjs
Member

@lil-Toady (That said, I feel like I tried the commandline openssl verify, and it said it couldn't build the chain from the middle to the root, or the leaf to the middle+root, meaning that their normal chain engine probably has the same != 0)

@smartpcr

I am still facing the same problem on Linux; however, Mac/Windows are working.

$PSVersionTable

Name                           Value
PSVersion                      6.2.2
PSEdition                      Core
GitCommitId                    6.2.2
OS                             Linux 5.0.0-1022-azure #23~18.04.1-Ubuntu SMP Mon Sep 30 19:47:06 UTC 2019
Platform                       Unix
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

@bartonjs
Member

@smartpcr As far as I know, PowerShell 6.2 is still based on .NET Core 2.1. Any changes would only really be visible once PowerShell moves to .NET Core 3.0.

But since multiple different problems were discussed in this issue, if you can clarify which problem you're having there might be advice that I can offer.

@msftgits msftgits transferred this issue from dotnet/corefx Feb 1, 2020
@msftgits msftgits added this to the 3.0 milestone Feb 1, 2020
@ghost ghost locked as resolved and limited conversation to collaborators Dec 13, 2020