
Poupou's Corner of the Web

Looking for perfect security? Try a wireless brick.
Otherwise you may find some unperfect stuff here...


in chains: The Ugly

And then there's the ugly stuff. Things like having an X500DistinguishedName class that can decode (convert to string) a DN using the 10 different flags defined in X500DistinguishedNameFlags. Combine the flags as you wish, even throw in String.Compare with ignoreCase, and you still can't compare DNs with them: the decoded strings don't deal with whitespace correctly (leading, trailing, and repeated internal spaces all survive), so two encodings of the same name compare unequal.

With respect to RFC3280 interoperability, X509Chain never checks that a certificate's (e.g. the end entity's) issuer name matches the subject name of the CA certificate above it, nor can it correctly build a chain that includes self-issued certificates (unless the self-issued certificate is the root).
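The comparison that the decoded DN strings above do not give you, and the issuer/subject chaining check that X509Chain skips, written out as an added example in C#. This is not code from the original post, from Mono or from the .NET BCL; it only uses the .NET 2.0 X500DistinguishedName, X509Certificate2 and X509Chain APIs. It applies the RFC3280 whitespace and case rules (trim, collapse internal whitespace, fold case) to every attribute value, which is a simplification: RFC3280 only requires them for PrintableString values, and the strict comparison is a binary one on the DER-encoded Name (RawData). The two DN strings in Main are constructed for the demo; the certificate path is an optional command line argument.

```csharp
using System;
using System.IO;
using System.Text;
using System.Text.RegularExpressions;
using System.Security.Cryptography.X509Certificates;

public static class DnCheck
{
    // One RDN per line and no quoting: this makes the value text easy to normalize.
    const X500DistinguishedNameFlags DecodeFlags =
        X500DistinguishedNameFlags.UseNewLines | X500DistinguishedNameFlags.DoNotUseQuotes;

    static readonly Regex Spaces = new Regex(@"\s+");

    // RFC3280 4.1.2.4 style matching: trim, collapse internal whitespace, fold case.
    // Simplification (assumption): applied to every value, not only to PrintableString.
    public static string Normalize(X500DistinguishedName dn)
    {
        StringBuilder sb = new StringBuilder();
        string[] rdns = dn.Decode(DecodeFlags).Split(new char[] { '\r', '\n' },
            StringSplitOptions.RemoveEmptyEntries);
        foreach (string rdn in rdns)
        {
            int eq = rdn.IndexOf('=');
            if (eq < 0)
            {
                sb.Append(rdn.Trim().ToUpperInvariant()).Append('\n');
                continue;
            }
            string type = rdn.Substring(0, eq).Trim().ToUpperInvariant();
            string value = Spaces.Replace(rdn.Substring(eq + 1).Trim(), " ").ToUpperInvariant();
            sb.Append(type).Append('=').Append(value).Append('\n');
        }
        return sb.ToString();
    }

    public static bool NamesMatch(X500DistinguishedName a, X500DistinguishedName b)
    {
        return Normalize(a) == Normalize(b);
    }

    // Walk a built chain from the end entity (index 0) up to the root: each
    // certificate's issuer must be the subject of the next element, and a
    // self-issued certificate anywhere but at the top is reported.
    public static bool CheckNameChaining(X509Chain chain)
    {
        X509ChainElementCollection els = chain.ChainElements;
        bool ok = true;
        for (int i = 0; i < els.Count; i++)
        {
            X509Certificate2 cert = els[i].Certificate;
            bool selfIssued = NamesMatch(cert.SubjectName, cert.IssuerName);
            if (i == els.Count - 1)
            {
                if (!selfIssued)
                    Console.WriteLine("chain ends on a non self-signed certificate: {0}", cert.Subject);
                continue;
            }
            if (selfIssued)
                Console.WriteLine("element {0} is self-issued but not the root: {1}", i, cert.Subject);
            if (!NamesMatch(cert.IssuerName, els[i + 1].Certificate.SubjectName))
            {
                Console.WriteLine("issuer/subject mismatch at element {0}:\n  {1}\n  {2}",
                    i, cert.Issuer, els[i + 1].Certificate.Subject);
                ok = false;
            }
        }
        return ok;
    }

    public static void Main(string[] args)
    {
        // Constructed DNs: same name, different case and spacing.
        X500DistinguishedName a = new X500DistinguishedName("CN=Example CA, O=Acme  Corp, C=US");
        X500DistinguishedName b = new X500DistinguishedName("CN=example ca,O=Acme Corp,C=US");
        Console.WriteLine("Name strings equal: {0}", a.Name == b.Name);      // False
        Console.WriteLine("Normalized DNs equal: {0}", NamesMatch(a, b));    // True

        if (args.Length == 1 && File.Exists(args[0]))
        {
            X509Certificate2 cert = new X509Certificate2(args[0]);
            X509Chain chain = new X509Chain();
            chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
            bool built = chain.Build(cert);
            Console.WriteLine("X509Chain.Build: {0}, {1} element(s)", built, chain.ChainElements.Count);
            Console.WriteLine("Name chaining: {0}", CheckNameChaining(chain) ? "OK" : "BROKEN");
        }
    }
}
```

Run it with a certificate file (DER or PEM) as the only argument to see whether the chain X509Chain.Build produced actually links by name; without an argument it only runs the DN comparison on the two constructed names. Multi-valued RDNs (the "+" separator) are left as-is by Normalize, so they compare correctly only when both sides encode the values in the same order.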

Ugly results (out of 16 sections)

Section                                       Test Cases (RFC3280)   MS [1]   Mono
4.6.3 Verifying Name Constraints              11                     5        11 [2]
4.6.5 Verifying Path With Self-Issued Certs   8                      1        4 [3]

It's not just Microsoft's fault. X.509, even as profiled in RFC3280, is a complex beast, in many ways too complex for what it offers in return. A good proof is that SSL/TLS, the most visible use of X.509, works without supporting a lot of it. Anyone remotely interested in this should read the old but still true X.509 Style Guide by Peter Gutmann. Read it completely (if you're crazy) or just read its quotes :-)

Notes

[1] Tested under Windows XP Service Pack 2 - YMMV

[2] MS doesn't seem to compare Issuer/Subject names in the chain. The tests that pass are the "valid" test cases.

[3] Mono doesn't support a CRL issued by a different CA than the one that issued the certificate. MS has problems building chains with non-root self-issued certificates.

The source code and unit tests are now in SVN for C3Y people (like me ;-)


12/7/2006 17:02:37

The views expressed on this website/weblog are mine alone and do not necessarily reflect the views of my employer.