WeakSignature is not handled by X509 PAL on macOS #35533

@vcsjones

Description

If you use X509Chain.Build on a certificate with a weak signature algorithm (MD2/4/5), a CryptographicException is thrown on macOS. (repros on master)

macOS ignores the signature algorithm strength for self-signed / anchor certificates.

Repro:

```csharp
using System;
using System.Security.Cryptography.X509Certificates;

X509Chain chain = new X509Chain();
// Skip revocation so the failure is isolated to the signature-algorithm check.
chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
// Certificate signed with a weak (MD2/MD4/MD5) algorithm; DER bytes omitted here.
var cert2 = new X509Certificate2(Convert.FromBase64String(@"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"));
// Throws CryptographicException on macOS instead of reporting a chain status.
chain.Build(cert2);
```

Debug output:

  Unknown Chain Status: WeakSignature

I suspect this is going to be ignored similarly to WeakKeySize, etc.
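An added example in C#, not code from the issue or from the runtime repository, that shows how a caller can surface the weak-signature condition described above explicitly: it checks each chain element's signature algorithm OID against the MD2/MD4/MD5 RSA OIDs and treats a CryptographicException from Build as a failed chain rather than an unhandled error. The class and method names are my own.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class WeakSignatureCheck
{
    // PKCS #1 / RFC 3279 OIDs for RSA signatures over MD2, MD4 and MD5.
    static readonly HashSet<string> WeakSignatureOids = new HashSet<string>
    {
        "1.2.840.113549.1.1.2", // md2WithRSAEncryption
        "1.2.840.113549.1.1.3", // md4WithRSAEncryption
        "1.2.840.113549.1.1.4", // md5WithRSAEncryption
    };

    public static bool HasWeakSignature(X509Certificate2 cert) =>
        WeakSignatureOids.Contains(cert.SignatureAlgorithm.Value);

    // Builds the chain for `leaf` and collects the subjects of any elements
    // signed with a weak algorithm. Returns true only when the chain built
    // successfully and no weak signature was found.
    public static bool TryBuildAndInspect(X509Certificate2 leaf, out List<string> weakSubjects)
    {
        weakSubjects = new List<string>();
        using (var chain = new X509Chain())
        {
            chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
            bool built;
            try
            {
                built = chain.Build(leaf);
            }
            catch (CryptographicException)
            {
                // The failure mode reported in this issue on macOS: the chain
                // status cannot be mapped, so Build throws instead of returning.
                if (HasWeakSignature(leaf)) weakSubjects.Add(leaf.Subject);
                return false;
            }
            foreach (X509ChainElement element in chain.ChainElements)
            {
                if (HasWeakSignature(element.Certificate))
                    weakSubjects.Add(element.Certificate.Subject);
            }
            return built && weakSubjects.Count == 0;
        }
    }
}
```

Checking the leaf's OID directly also covers the self-signed/anchor case the issue notes, where macOS itself does not flag the weak algorithm.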
