
[8.0] CryptographicException : An unknown chain building error occurred - Failing in test System.Net.Security.Tests.CertificateValidationRemoteServer.ConnectWithRevocation_WithCallback #99425

Closed
carlossanlop opened this issue Mar 7, 2024 · 5 comments
Labels
arch-x64 area-System.Net.Security Known Build Error Use this to report build issues in the .NET Helix tab os-windows runtime-coreclr specific to the CoreCLR runtime
Milestone

Comments

@carlossanlop
Member

carlossanlop commented Mar 7, 2024

Build Information

Build: https://dev.azure.com/dnceng-public/public/_build/results?buildId=593479
Build error leg or test failing: System.Net.Security.Tests.CertificateValidationRemoteServer.ConnectWithRevocation_WithCallback

Error Message


```json
{
  "ErrorMessage": "System.Security.Cryptography.CryptographicException : An unknown chain building error occurred",
  "BuildRetry": false,
  "ExcludeConsoleLog": false
}
```
===========================================================================================================

```text
C:\h\w\9CD108B8\w\BFEF0A95\e>"C:\h\w\9CD108B8\p\dotnet.exe" exec --runtimeconfig System.Net.Security.Tests.runtimeconfig.json --depsfile System.Net.Security.Tests.deps.json xunit.console.dll System.Net.Security.Tests.dll -xml testResults.xml -nologo -nocolor -notrait category=IgnoreForCI -notrait category=OuterLoop -notrait category=failing  
  Discovering: System.Net.Security.Tests (method display = ClassAndMethod, method display options = None)
  Discovered:  System.Net.Security.Tests (found 429 of 504 test cases)
  Starting:    System.Net.Security.Tests (parallel test collections = on, max threads = 2)
    System.Net.Security.Tests.CertificateValidationRemoteServer.ConnectWithRevocation_WithCallback(checkRevocation: True) [FAIL]
      System.Security.Cryptography.CryptographicException : An unknown chain building error occurred.
      Stack Trace:
        /_/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/X509Chain.cs(192,0): at System.Security.Cryptography.X509Certificates.X509Chain.Build(X509Certificate2 certificate, Boolean throwOnException)
        /_/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/X509Chain.cs(91,0): at System.Security.Cryptography.X509Certificates.X509Chain.Build(X509Certificate2 certificate)
        /_/src/libraries/System.Net.Security/src/System/Net/Security/SslStreamCertificateContext.cs(63,0): at System.Net.Security.SslStreamCertificateContext.Create(X509Certificate2 target, X509Certificate2Collection additionalCertificates, Boolean offline, SslCertificateTrust trust, Boolean noOcspFetch)
        /_/src/libraries/System.Net.Security/src/System/Net/Security/SslStreamCertificateContext.cs(32,0): at System.Net.Security.SslStreamCertificateContext.Create(X509Certificate2 target, X509Certificate2Collection additionalCertificates, Boolean offline, SslCertificateTrust trust)
        /_/src/libraries/System.Net.Security/src/System/Net/Security/SslStreamCertificateContext.cs(27,0): at System.Net.Security.SslStreamCertificateContext.Create(X509Certificate2 target, X509Certificate2Collection additionalCertificates, Boolean offline)
        /_/src/libraries/System.Net.Security/tests/FunctionalTests/CertificateValidationRemoteServer.cs(262,0): at System.Net.Security.Tests.CertificateValidationRemoteServer.ConnectWithRevocation_WithCallback_Core(X509RevocationMode revocationMode, Nullable`1 offlineContext, Boolean noIntermediates)
        /_/src/libraries/System.Net.Security/tests/FunctionalTests/CertificateValidationRemoteServer.cs(310,0): at System.Net.Security.Tests.CertificateValidationRemoteServer.ConnectWithRevocation_WithCallback_Core(X509RevocationMode revocationMode, Nullable`1 offlineContext, Boolean noIntermediates)
        /_/src/libraries/System.Net.Security/tests/FunctionalTests/CertificateValidationRemoteServer.cs(310,0): at System.Net.Security.Tests.CertificateValidationRemoteServer.ConnectWithRevocation_WithCallback_Core(X509RevocationMode revocationMode, Nullable`1 offlineContext, Boolean noIntermediates)
        /_/src/libraries/System.Net.Security/tests/FunctionalTests/CertificateValidationRemoteServer.cs(310,0): at System.Net.Security.Tests.CertificateValidationRemoteServer.ConnectWithRevocation_WithCallback_Core(X509RevocationMode revocationMode, Nullable`1 offlineContext, Boolean noIntermediates)
        /_/src/libraries/System.Net.Security/tests/FunctionalTests/CertificateValidationRemoteServer.cs(310,0): at System.Net.Security.Tests.CertificateValidationRemoteServer.ConnectWithRevocation_WithCallback_Core(X509RevocationMode revocationMode, Nullable`1 offlineContext, Boolean noIntermediates)
        --- End of stack trace from previous location ---
    System.Net.Security.Tests.NegotiatedCipherSuiteTest.CipherSuitesPolicy_OnlyTls13CipherSuiteAllowedButChosenProtocolsDoesNotAllowIt_Fails [SKIP]
      Condition(s) not met: "CipherSuitesPolicyAndTls13Supported"
    System.Net.Security.Tests.NegotiatedCipherSuiteTest.CipherSuitesPolicy_OnlyNonTls13CipherSuiteAllowedButOtherSideDoesNotAllowIt_Fails [SKIP]
      Condition(s) not met: "CipherSuitesPolicySupported"
    System.Net.Security.Tests.NegotiatedCipherSuiteTest.CipherSuitesPolicy_AllowSameTwoOnBothSidesLessPreferredIsTls13_Success [SKIP]
      Condition(s) not met: "CipherSuitesPolicySupported"
    System.Net.Security.Tests.CertificateValidationRemoteServer.ConnectWithRevocation_WithCallback(checkRevocation: False) [FAIL]
      System.Security.Cryptography.CryptographicException : An unknown chain building error occurred.
      Stack Trace:
        /_/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/X509Chain.cs(192,0): at System.Security.Cryptography.X509Certificates.X509Chain.Build(X509Certificate2 certificate, Boolean throwOnException)
        /_/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/X509Chain.cs(91,0): at System.Security.Cryptography.X509Certificates.X509Chain.Build(X509Certificate2 certificate)
        /_/src/libraries/System.Net.Security/src/System/Net/Security/SslStreamCertificateContext.cs(63,0): at System.Net.Security.SslStreamCertificateContext.Create(X509Certificate2 target, X509Certificate2Collection additionalCertificates, Boolean offline, SslCertificateTrust trust, Boolean noOcspFetch)
        /_/src/libraries/System.Net.Security/src/System/Net/Security/SslStreamCertificateContext.cs(32,0): at System.Net.Security.SslStreamCertificateContext.Create(X509Certificate2 target, X509Certificate2Collection additionalCertificates, Boolean offline, SslCertificateTrust trust)
        /_/src/libraries/System.Net.Security/src/System/Net/Security/SslStreamCertificateContext.cs(27,0): at System.Net.Security.SslStreamCertificateContext.Create(X509Certificate2 target, X509Certificate2Collection additionalCertificates, Boolean offline)
        /_/src/libraries/System.Net.Security/tests/FunctionalTests/CertificateValidationRemoteServer.cs(262,0): at System.Net.Security.Tests.CertificateValidationRemoteServer.ConnectWithRevocation_WithCallback_Core(X509RevocationMode revocationMode, Nullable`1 offlineContext, Boolean noIntermediates)
        /_/src/libraries/System.Net.Security/tests/FunctionalTests/CertificateValidationRemoteServer.cs(310,0): at System.Net.Security.Tests.CertificateValidationRemoteServer.ConnectWithRevocation_WithCallback_Core(X509RevocationMode revocationMode, Nullable`1 offlineContext, Boolean noIntermediates)
        /_/src/libraries/System.Net.Security/tests/FunctionalTests/CertificateValidationRemoteServer.cs(310,0): at System.Net.Security.Tests.CertificateValidationRemoteServer.ConnectWithRevocation_WithCallback_Core(X509RevocationMode revocationMode, Nullable`1 offlineContext, Boolean noIntermediates)
        /_/src/libraries/System.Net.Security/tests/FunctionalTests/CertificateValidationRemoteServer.cs(310,0): at System.Net.Security.Tests.CertificateValidationRemoteServer.ConnectWithRevocation_WithCallback_Core(X509RevocationMode revocationMode, Nullable`1 offlineContext, Boolean noIntermediates)
        /_/src/libraries/System.Net.Security/tests/FunctionalTests/CertificateValidationRemoteServer.cs(310,0): at System.Net.Security.Tests.CertificateValidationRemoteServer.ConnectWithRevocation_WithCallback_Core(X509RevocationMode revocationMode, Nullable`1 offlineContext, Boolean noIntermediates)
        --- End of stack trace from previous location ---
```

Known issue validation

Build: 🔎 https://dev.azure.com/dnceng-public/public/_build/results?buildId=593479
Error message validated: [System.Security.Cryptography.CryptographicException : An unknown chain building error occurred]
Result validation: ✅ Known issue matched with the provided build.
Validation performed at: 3/7/2024 7:12:44 PM UTC

Report

| Build | Definition | Test | Pull Request |
|---|---|---|---|
| 609327 | dotnet/runtime | System.Net.Security.Tests.CertificateValidationRemoteServer.ConnectWithRevocation_WithCallback | |
| 609324 | dotnet/runtime | System.Net.Security.Tests.CertificateValidationRemoteServer.ConnectWithRevocation_WithCallback | |
| 606476 | dotnet/runtime | System.Net.Security.Tests.CertificateValidationRemoteServer.ConnectWithRevocation_WithCallback | #99449 |
| 605539 | dotnet/runtime | System.Net.Security.Tests.CertificateValidationRemoteServer.ConnectWithRevocation_WithCallback | |
| 604791 | dotnet/runtime | System.Net.Security.Tests.CertificateValidationRemoteServer.ConnectWithRevocation_WithCallback | #99696 |
| 602571 | dotnet/runtime | System.Net.Security.Tests.CertificateValidationRemoteServer.ConnectWithRevocation_WithCallback | |
| 602738 | dotnet/runtime | System.Net.Security.Tests.CertificateValidationRemoteServer.ConnectWithRevocation_WithCallback | |
| 602568 | dotnet/runtime | System.Net.Security.Tests.CertificateValidationRemoteServer.ConnectWithRevocation_WithCallback | |
| 602274 | dotnet/runtime | System.Net.Security.Tests.CertificateValidationRemoteServer.ConnectWithRevocation_WithCallback | #99586 |
| 602023 | dotnet/runtime | System.Net.Security.Tests.CertificateValidationRemoteServer.ConnectWithRevocation_WithCallback | |
| 601852 | dotnet/runtime | System.Net.Security.Tests.CertificateValidationRemoteServer.ConnectWithRevocation_WithCallback | #99651 |
| 601886 | dotnet/runtime | System.Net.Security.Tests.CertificateValidationRemoteServer.ConnectWithRevocation_WithCallback | |
| 600824 | dotnet/runtime | System.Net.Security.Tests.CertificateValidationRemoteServer.ConnectWithRevocation_WithCallback | |
| 599827 | dotnet/runtime | System.Net.Security.Tests.CertificateValidationRemoteServer.ConnectWithRevocation_WithCallback | #99607 |
| 599209 | dotnet/runtime | System.Net.Security.Tests.CertificateValidationRemoteServer.ConnectWithRevocation_WithCallback | |
| 599197 | dotnet/runtime | System.Net.Security.Tests.CertificateValidationRemoteServer.ConnectWithRevocation_WithCallback | |
| 599189 | dotnet/runtime | System.Net.Security.Tests.CertificateValidationRemoteServer.ConnectWithRevocation_WithCallback | #99583 |
| 598852 | dotnet/runtime | System.Net.Security.Tests.CertificateValidationRemoteServer.ConnectWithRevocation_WithCallback | |
| 598019 | dotnet/runtime | System.Net.Security.Tests.CertificateValidationRemoteServer.ConnectWithRevocation_WithCallback | #99473 |
| 593199 | dotnet/runtime | System.Net.Security.Tests.CertificateValidationRemoteServer.ConnectWithRevocation_WithCallback | |
| 593479 | dotnet/runtime | System.Net.Security.Tests.CertificateValidationRemoteServer.ConnectWithRevocation_WithCallback | #99407 |

Summary

| 24-Hour Hit Count | 7-Day Hit Count | 1-Month Count |
|---|---|---|
| 2 | 12 | 21 |
@carlossanlop carlossanlop added area-System.Net.Security os-windows arch-x64 runtime-coreclr specific to the CoreCLR runtime Known Build Error Use this to report build issues in the .NET Helix tab labels Mar 7, 2024
Contributor

Tagging subscribers to this area: @dotnet/ncl, @bartonjs, @vcsjones
See info in area-owners.md if you want to be subscribed.

@dotnet-policy-service dotnet-policy-service bot added the untriaged New issue has not been triaged by the area owner label Mar 7, 2024
@rzikm
Member

rzikm commented Mar 14, 2024

I am able to reproduce the failure on my machine, even on main, but I can't figure out what is wrong. The failure seems to originate from

```csharp
if (!Interop.Crypt32.CertGetCertificateChain(storeHandle.DangerousGetHandle(), certContext, &ft, extraStoreHandle, ref chainPara, flags, IntPtr.Zero, out chain))
```

and the last error is 0x80090006, which is apparently Invalid Signature. @bartonjs, would you know what could be happening? We are generating the test certificates using the CertificateAuthority.BuildPrivatePki helper, and a later call to SslStreamCertificateContext.Create fails.

```csharp
CertificateAuthority.BuildPrivatePki(
    PkiOptions.EndEntityRevocationViaOcsp | PkiOptions.CrlEverywhere,
    out RevocationResponder responder,
    out CertificateAuthority rootAuthority,
    out CertificateAuthority[] intermediateAuthorities,
    out X509Certificate2 serverCert,
    intermediateAuthorityCount: noIntermediates ? 0 : 1,
    subjectName: serverName,
    keySize: 2048,
    extensions: Configuration.Certificates.BuildTlsServerCertExtensions(serverName));

CertificateAuthority issuingAuthority = noIntermediates ? rootAuthority : intermediateAuthorities[0];
X509Certificate2 issuerCert = issuingAuthority.CloneIssuerCert();
X509Certificate2 rootCert = rootAuthority.CloneIssuerCert();

SslClientAuthenticationOptions clientOpts = new SslClientAuthenticationOptions
{
    TargetHost = serverName,
    RemoteCertificateValidationCallback = CertificateValidationCallback,
    CertificateChainPolicy = new X509ChainPolicy
    {
        RevocationMode = revocationMode,
        TrustMode = X509ChainTrustMode.CustomRootTrust,
        // The offline test will not know about revocation for the intermediate,
        // so change the policy to only check the end certificate.
        RevocationFlag = X509RevocationFlag.EndCertificateOnly,
        ExtraStore =
        {
            issuerCert,
        },
        CustomTrustStore =
        {
            rootCert,
        },
    },
};

if (RuntimeInformation.IsOSPlatform(OSPlatform.Windows))
{
    X509Certificate2 temp = new X509Certificate2(serverCert.Export(X509ContentType.Pkcs12));
    serverCert.Dispose();
    serverCert = temp;
}

try
{
    await using (clientStream)
    await using (serverStream)
    using (responder)
    using (rootAuthority)
    using (serverCert)
    using (issuerCert)
    using (rootCert)
    await using (SslStream tlsClient = new SslStream(clientStream))
    await using (SslStream tlsServer = new SslStream(serverStream))
    {
        issuingAuthority.Revoke(serverCert, serverCert.NotBefore);

        SslServerAuthenticationOptions serverOpts = new SslServerAuthenticationOptions();

        if (offlineContext.HasValue)
        {
            serverOpts.ServerCertificateContext = SslStreamCertificateContext.Create(
                serverCert,
                new X509Certificate2Collection(issuerCert),
                offlineContext.GetValueOrDefault());
```

@rzikm rzikm added this to the 9.0.0 milestone Mar 14, 2024
@rzikm rzikm removed the untriaged New issue has not been triaged by the area owner label Mar 14, 2024
@bartonjs
Member

> @bartonjs, would you know what could be happening?

Nope :(. I haven't seen that coming out of the X509 tests, and they use that same helper a lot. I'm not sure if the invalid signature error is relevant to the overall failure, or just happens to be the last thing sitting in the error field.

My best instinct is something wonky like one of the inputs to the chain build getting parallel disposed.

@rzikm rzikm self-assigned this Mar 18, 2024
@rzikm
Member

rzikm commented Mar 18, 2024

I tracked it down: the failure is triggered when, ... drum roll ... the testName parameter to BuildPrivatePki is empty, which leads to funny Subjects like `CN=server.example, O=""` on the end-entity cert.

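The root cause found above (an end-entity subject carrying an empty attribute value, `O=""`) is cheap to catch before a certificate is ever issued. The following is an added Python example, not code from this issue or from dotnet/runtime, that parses the RFC 4514 string form of a distinguished name and reports any empty-valued attribute; the function names are mine.

```python
# Added example (not dotnet/runtime code): lint the RFC 4514 string form of an
# X.500 name for empty attribute values such as the O="" seen in this issue.

def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split a DN string into (type, value) pairs; handles quoted values, backslash escapes and '+' RDNs."""
    pairs: list[tuple[str, str]] = []
    i, n = 0, len(dn)
    while i < n:
        eq = dn.find("=", i)
        if eq < 0:
            raise ValueError(f"missing '=' after offset {i}")
        attr_type = dn[i:eq].strip()
        if not attr_type:
            raise ValueError(f"empty attribute type at offset {i}")
        i = eq + 1
        while i < n and dn[i] == " ":
            i += 1
        chars: list[str] = []
        if i < n and dn[i] == '"':            # quoted value: read to the closing quote
            i += 1
            while i < n and dn[i] != '"':
                if dn[i] == "\\" and i + 1 < n:
                    i += 1                    # escaped character inside quotes
                chars.append(dn[i])
                i += 1
            if i >= n:
                raise ValueError("unterminated quoted value")
            i += 1                            # consume the closing quote
            value = "".join(chars)
        else:                                 # unquoted value: read to ',' or '+'
            while i < n and dn[i] not in ",+":
                if dn[i] == "\\" and i + 1 < n:
                    i += 1                    # escaped separator, e.g. '\,'
                chars.append(dn[i])
                i += 1
            value = "".join(chars).strip()
        pairs.append((attr_type, value))
        while i < n and dn[i] == " ":
            i += 1
        if i < n and dn[i] in ",+":
            i += 1                            # step over the RDN separator
    return pairs


def find_empty_attributes(dn: str) -> list[str]:
    """Attribute types whose value is empty; an empty list means the subject is clean."""
    return [t for t, v in parse_dn(dn) if v == ""]
```

Running `find_empty_attributes('CN=server.example, O=""')` returns `['O']`, which is the condition an issuance step should reject.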
@rzikm
Member

rzikm commented Mar 20, 2024

Fixed in main (9.0) in PR #99915 and in 8.0.x in PR #99950.

@rzikm rzikm closed this as completed Mar 20, 2024
@rzikm rzikm removed their assignment Mar 20, 2024
@github-actions github-actions bot locked and limited conversation to collaborators Apr 20, 2024
@karelz karelz modified the milestones: 9.0.0, 8.0.x Jun 24, 2024