
Unrecognized X509VerifyStatusCode:Interop+Crypto+X509VerifyStatusCode on RHEL 9/OpenSSL 3.0 #67304

@omajid

Description

runtime tests for System.Security.Cryptography.X509Certificates are failing with an assertion on RHEL 9 using OpenSSL 3.0:

  Process terminated. Assertion failed.
  Unrecognized X509VerifyStatusCode:Interop+Crypto+X509VerifyStatusCode
     at System.Security.Cryptography.X509Certificates.OpenSslX509ChainProcessor.MapOpenSsl30Code(X509VerifyStatusCode code) in /home/tester/runtime/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/OpenSslX509ChainProcessor.cs:line 1177
     at System.Security.Cryptography.X509Certificates.OpenSslX509ChainProcessor.MapVerifyErrorToChainStatus(X509VerifyStatusCode code) in /home/tester/runtime/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/OpenSslX509ChainProcessor.cs:line 1166
     at System.Security.Cryptography.X509Certificates.OpenSslX509ChainProcessor.AddElementStatus(X509VerifyStatusCode errorCode, List`1 elementStatus, List`1 overallStatus) in /home/tester/runtime/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/OpenSslX509ChainProcessor.cs:line 1039
     at System.Security.Cryptography.X509Certificates.OpenSslX509ChainProcessor.AddElementStatus(ErrorCollection errorCodes, List`1 elementStatus, List`1 overallStatus) in /home/tester/runtime/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/OpenSslX509ChainProcessor.cs:line 1012
     at System.Security.Cryptography.X509Certificates.OpenSslX509ChainProcessor.BuildChainElements(WorkingChain workingChain, List`1& overallStatus) in /home/tester/runtime/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/OpenSslX509ChainProcessor.cs:line 916
     at System.Security.Cryptography.X509Certificates.OpenSslX509ChainProcessor.Finish(OidCollection applicationPolicy, OidCollection certificatePolicy) in /home/tester/runtime/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/OpenSslX509ChainProcessor.cs:line 684
     at System.Security.Cryptography.X509Certificates.ChainPal.BuildChainCore(Boolean useMachineContext, ICertificatePal cert, X509Certificate2Collection extraStore, OidCollection applicationPolicy, OidCollection certificatePolicy, X509RevocationMode revocationMode, X509RevocationFlag revocationFlag, X509Certificate2Collection customTrustStore, X509ChainTrustMode trustMode, DateTime verificationTime, TimeSpan timeout, Boolean disableAia) in /home/tester/runtime/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/ChainPal.OpenSsl.cs:line 187
     at System.Security.Cryptography.X509Certificates.ChainPal.BuildChain(Boolean useMachineContext, ICertificatePal cert, X509Certificate2Collection extraStore, OidCollection applicationPolicy, OidCollection certificatePolicy, X509RevocationMode revocationMode, X509RevocationFlag revocationFlag, X509Certificate2Collection customTrustStore, X509ChainTrustMode trustMode, DateTime verificationTime, TimeSpan timeout, Boolean disableAia) in /home/tester/runtime/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/ChainPal.OpenSsl.cs:line 49
     at System.Security.Cryptography.X509Certificates.X509Chain.Build(X509Certificate2 certificate, Boolean throwOnException) in /home/tester/runtime/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/X509Chain.cs:line 134
     at System.Security.Cryptography.X509Certificates.X509Chain.Build(X509Certificate2 certificate) in /home/tester/runtime/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/X509Chain.cs:line 107
     at System.Security.Cryptography.X509Certificates.Tests.DynamicChainTests.MismatchKeyIdentifiers() in /home/tester/runtime/src/libraries/System.Security.Cryptography.X509Certificates/tests/DynamicChainTests.cs:line 638
     at System.RuntimeMethodHandle.InvokeMethod(Object target, Span`1& arguments, Signature sig, Boolean constructor, Boolean wrapExceptions)
     at System.Reflection.RuntimeMethodInfo.Invoke(Object obj, BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture)
     at Xunit.Sdk.TestInvoker`1.<>c__DisplayClass48_0.<<InvokeTestMethodAsync>b__1>d.MoveNext() in /_/src/xunit.execution/Sdk/Frameworks/Runners/TestInvoker.cs:line 257
     at System.Runtime.CompilerServices.AsyncMethodBuilderCore.Start[TStateMachine](TStateMachine& stateMachine)
     at Xunit.Sdk.TestInvoker`1.<>c__DisplayClass48_0.<InvokeTestMethodAsync>b__1()
     at Xunit.Sdk.ExecutionTimer.AggregateAsync(Func`1 asyncAction) in /_/src/xunit.execution/Sdk/Frameworks/ExecutionTimer.cs:line 48
     at System.Runtime.CompilerServices.AsyncMethodBuilderCore.Start[TStateMachine](TStateMachine& stateMachine)
     at Xunit.Sdk.ExecutionTimer.AggregateAsync(Func`1 asyncAction)
     at Xunit.Sdk.ExceptionAggregator.RunAsync(Func`1 code) in /_/src/xunit.core/Sdk/ExceptionAggregator.cs:line 90
     at System.Runtime.CompilerServices.AsyncMethodBuilderCore.Start[TStateMachine](TStateMachine& stateMachine)
     at Xunit.Sdk.ExceptionAggregator.RunAsync(Func`1 code)
     at Xunit.Sdk.TestInvoker`1.InvokeTestMethodAsync(Object testClassInstance) in /_/src/xunit.execution/Sdk/Frameworks/Runners/TestInvoker.cs:line 241
     at System.Runtime.CompilerServices.AsyncMethodBuilderCore.Start[TStateMachine](TStateMachine& stateMachine)
     at Xunit.Sdk.TestInvoker`1.InvokeTestMethodAsync(Object testClassInstance)
     at Xunit.Sdk.TestInvoker`1.<RunAsync>b__47_0() in /_/src/xunit.execution/Sdk/Frameworks/Runners/TestInvoker.cs:line 206
     at System.Runtime.CompilerServices.AsyncMethodBuilderCore.Start[TStateMachine](TStateMachine& stateMachine)
     at Xunit.Sdk.TestInvoker`1.<RunAsync>b__47_0()
     at Xunit.Sdk.ExceptionAggregator.RunAsync[T](Func`1 code) in /_/src/xunit.core/Sdk/ExceptionAggregator.cs:line 107
     at System.Runtime.CompilerServices.AsyncMethodBuilderCore.Start[TStateMachine](TStateMachine& stateMachine)
     at Xunit.Sdk.ExceptionAggregator.RunAsync[T](Func`1 code)
     at Xunit.Sdk.XunitTestRunner.InvokeTestAsync(ExceptionAggregator aggregator) in /_/src/xunit.execution/Sdk/Frameworks/Runners/XunitTestRunner.cs:line 67
     at System.Runtime.CompilerServices.AsyncMethodBuilderCore.Start[TStateMachine](TStateMachine& stateMachine)
     at Xunit.Sdk.XunitTestRunner.InvokeTestAsync(ExceptionAggregator aggregator)
     at Xunit.Sdk.ExceptionAggregator.RunAsync[T](Func`1 code) in /_/src/xunit.core/Sdk/ExceptionAggregator.cs:line 107
     at System.Runtime.CompilerServices.AsyncMethodBuilderCore.Start[TStateMachine](TStateMachine& stateMachine)
     at Xunit.Sdk.ExceptionAggregator.RunAsync[T](Func`1 code)
     at Xunit.Sdk.TestRunner`1.RunAsync() in /_/src/xunit.execution/Sdk/Frameworks/Runners/TestRunner.cs:line 149
     at System.Runtime.CompilerServices.AsyncMethodBuilderCore.Start[TStateMachine](TStateMachine& stateMachine)
     at Xunit.Sdk.TestRunner`1.RunAsync()
     at Xunit.Sdk.TestCaseRunner`1.RunAsync() in /_/src/xunit.execution/Sdk/Frameworks/Runners/TestCaseRunner.cs:line 82
     at System.Runtime.CompilerServices.AsyncMethodBuilderCore.Start[TStateMachine](TStateMachine& stateMachine)
     at Xunit.Sdk.TestCaseRunner`1.RunAsync()
     at Xunit.Sdk.TestMethodRunner`1.RunTestCasesAsync() in /_/src/xunit.execution/Sdk/Frameworks/Runners/TestMethodRunner.cs:line 136
     at System.Runtime.CompilerServices.AsyncMethodBuilderCore.Start[TStateMachine](TStateMachine& stateMachine)
     at Xunit.Sdk.TestMethodRunner`1.RunTestCasesAsync()
     at Xunit.Sdk.TestMethodRunner`1.RunAsync() in /_/src/xunit.execution/Sdk/Frameworks/Runners/TestMethodRunner.cs:line 106
     at System.Runtime.CompilerServices.AsyncMethodBuilderCore.Start[TStateMachine](TStateMachine& stateMachine)
     at Xunit.Sdk.TestMethodRunner`1.RunAsync()
     at Xunit.Sdk.TestClassRunner`1.RunTestMethodsAsync() in /_/src/xunit.execution/Sdk/Frameworks/Runners/TestClassRunner.cs:line 213
     at System.Runtime.CompilerServices.AsyncMethodBuilderCore.Start[TStateMachine](TStateMachine& stateMachine)
     at Xunit.Sdk.TestClassRunner`1.RunTestMethodsAsync()
     at Xunit.Sdk.TestClassRunner`1.RunAsync() in /_/src/xunit.execution/Sdk/Frameworks/Runners/TestClassRunner.cs:line 171
     at System.Runtime.CompilerServices.AsyncMethodBuilderCore.Start[TStateMachine](TStateMachine& stateMachine)
     at Xunit.Sdk.TestClassRunner`1.RunAsync()
     at Xunit.Sdk.XunitTestCollectionRunner.RunTestClassAsync(ITestClass testClass, IReflectionTypeInfo class, IEnumerable`1 testCases) in /_/src/xunit.execution/Sdk/Frameworks/Runners/XunitTestCollectionRunner.cs:line 158
     at Xunit.Sdk.TestCollectionRunner`1.RunTestClassesAsync() in /_/src/xunit.execution/Sdk/Frameworks/Runners/TestCollectionRunner.cs:line 130
     at System.Runtime.CompilerServices.AsyncMethodBuilderCore.Start[TStateMachine](TStateMachine& stateMachine)
     at Xunit.Sdk.TestCollectionRunner`1.RunTestClassesAsync()
     at Xunit.Sdk.TestCollectionRunner`1.RunAsync() in /_/src/xunit.execution/Sdk/Frameworks/Runners/TestCollectionRunner.cs:line 101
     at System.Runtime.CompilerServices.AsyncMethodBuilderCore.Start[TStateMachine](TStateMachine& stateMachine)
     at Xunit.Sdk.TestCollectionRunner`1.RunAsync()
     at Xunit.Sdk.XunitTestAssemblyRunner.RunTestCollectionAsync(IMessageBus messageBus, ITestCollection testCollection, IEnumerable`1 testCases, CancellationTokenSource cancellationTokenSource) in /_/src/xunit.execution/Sdk/Frameworks/Runners/XunitTestAssemblyRunner.cs:line 235
     at Xunit.Sdk.XunitTestAssemblyRunner.<>c__DisplayClass14_2.<RunTestCollectionsAsync>b__2() in /_/src/xunit.execution/Sdk/Frameworks/Runners/XunitTestAssemblyRunner.cs:line 184
     at System.Threading.Tasks.Task`1.InnerInvoke()
     at System.Threading.Tasks.Task.<>c.<.cctor>b__272_0(Object obj)
     at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state)
     at System.Threading.Tasks.Task.ExecuteWithThreadLocal(Task& currentTaskSlot, Thread threadPoolThread)
     at System.Threading.Tasks.Task.ExecuteEntry()
     at System.Threading.Tasks.SynchronizationContextTaskScheduler.<>c.<.cctor>b__8_0(Object s)
     at Xunit.Sdk.MaxConcurrencySyncContext.RunOnSyncContext(SendOrPostCallback callback, Object state) in /_/src/xunit.execution/Sdk/MaxConcurrencySyncContext.cs:line 106
     at Xunit.Sdk.MaxConcurrencySyncContext.<>c__DisplayClass11_0.<WorkerThreadProc>b__0(Object _) in /_/src/xunit.execution/Sdk/MaxConcurrencySyncContext.cs:line 96
     at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state)
     at Xunit.Sdk.MaxConcurrencySyncContext.WorkerThreadProc() in /_/src/xunit.execution/Sdk/MaxConcurrencySyncContext.cs:line 96
     at Xunit.Sdk.XunitWorkerThread.<>c.<QueueUserWorkItem>b__5_0(Object _) in /_/src/common/XunitWorkerThread.cs:line 37
     at System.Threading.Tasks.Task.InnerInvoke()
     at System.Threading.Tasks.Task.<>c.<.cctor>b__272_0(Object obj)
     at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state)
     at System.Threading.Tasks.Task.ExecuteWithThreadLocal(Task& currentTaskSlot, Thread threadPoolThread)
     at System.Threading.Tasks.Task.ExecuteEntryUnsafe(Thread threadPoolThread)
     at System.Threading.Tasks.ThreadPoolTaskScheduler.<>c.<.cctor>b__10_0(Object s)
     at System.Threading.Thread.StartCallback()
  /home/tester/runtime/artifacts/bin/System.Security.Cryptography.X509Certificates.Tests/Debug/net7.0-unix/RunTests.sh: line 168: 113484 Aborted                 (core dumped) "$RUNTIME_PATH/dotnet" exec --runtimeconfig 

Reproduction Steps

I am still testing it, but hopefully this dockerfile should help reproduce the error:

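# Reproduction image: CentOS Stream 9 with the distribution's OpenSSL 3.0 headers,
# used to build dotnet/runtime and run the library tests.
# NOTE(review): the tag below is mutable, so the OpenSSL build it installs can
# drift from the openssl-3.0.1-20.el9_0 package named in this report; pin the
# image by digest if the reproduction has to stay stable.
FROM quay.io/centos/centos:stream9-development

# Print the OS release, enable the crb repository, then install the build
# toolchain and development headers.
# The last package carries no trailing backslash: a continuation followed by
# blank lines would join the CMD line below into this RUN command.
RUN cat /etc/os-release && \
    dnf install -y dnf-plugins-core && \
    dnf repolist --all && \
    dnf config-manager --set-enabled crb && \
    dnf install -y \
        clang \
        cmake \
        coreutils \
        findutils \
        git \
        glibc-langpack-en \
        hostname \
        krb5-devel \
        libicu-devel \
        libunwind-devel \
        lld \
        llvm \
        lttng-ust-devel \
        make \
        openssl-devel \
        python3 \
        tar \
        util-linux \
        zlib-devel

# Clones whatever main points to when the container starts, then builds the
# libraries and runs their tests.
# NOTE(review): to match the report exactly, check out commit
# 4019e83878a81465f6e42e8502b53bc5d1752f81 after `cd runtime`.
CMD git clone https://github.com/dotnet/runtime && \
    cd runtime && \
    git submodule update --init && \
    ./eng/build.sh -subset libs+libs.test --test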

Expected behavior

Unit tests pass

Actual behavior

Unit tests fail

Regression?

Kind of... the same unit tests work against OpenSSL 1.1 on RHEL 8, for example.

Known Workarounds

No response

Configuration

  • dotnet/runtime repo, main, commit 4019e83878a81465f6e42e8502b53bc5d1752f81
  • RHEL 9, using openssl 3.0 package openssl-3.0.1-20.el9_0.x86_64.rpm
  • x64
  • Yes, most likely specific to OpenSSL 3.0

Other information

We should probably change OpenSslX509ChainProcessor.cs so that the assertion message shows the actual status code rather than the type name, something like this, maybe?

--- a/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/OpenSslX509ChainProcessor.cs
+++ b/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/OpenSslX509ChainProcessor.cs
@@ -1174,7 +1174,7 @@ private static X509ChainStatusFlags MapOpenSsl30Code(Interop.Crypto.X509VerifySt
                 case Interop.Crypto.X509VerifyStatusCode30.X509_V_ERR_INVALID_CA:
                     return X509ChainStatusFlags.InvalidBasicConstraints;
                 default:
-                    Debug.Fail("Unrecognized X509VerifyStatusCode:" + code);
+                    Debug.Fail("Unrecognized X509VerifyStatusCode:" + code.Code30);
                     throw new CryptographicException();
             }
         }
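Review bot: The `default:` branch still ends in a bare `throw new CryptographicException();`, so in Release builds, where `Debug.Fail` is compiled out, an unmapped OpenSSL verify code surfaces as an exception that does not say which code was returned; the same applies to the MapOpenSsl102Code and MapOpenSsl111Code hunks below. Failing closed on an unknown code is the right behaviour for chain validation, but the code should travel with the exception, for example `throw new CryptographicException("Unrecognized X509VerifyStatusCode: " + code.Code30);` or the project's resource-string equivalent. Since the old message printed only the type name, `X509VerifyStatusCode` presumably has no `ToString()` override; adding one would fix every call site at once instead of choosing `Code30`/`Code102`/`Code111` per mapper. All three method bodies start outside their hunks.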
@@ -1186,7 +1186,7 @@ private static X509ChainStatusFlags MapOpenSsl102Code(Interop.Crypto.X509VerifyS
                 case Interop.Crypto.X509VerifyStatusCode102.X509_V_ERR_INVALID_CA:
                     return X509ChainStatusFlags.InvalidBasicConstraints;
                 default:
-                    Debug.Fail("Unrecognized X509VerifyStatusCode:" + code);
+                    Debug.Fail("Unrecognized X509VerifyStatusCode:" + code.Code102);
                     throw new CryptographicException();
             }
         }
@@ -1198,7 +1198,7 @@ private static X509ChainStatusFlags MapOpenSsl111Code(Interop.Crypto.X509VerifyS
                 case Interop.Crypto.X509VerifyStatusCode111.X509_V_ERR_INVALID_CA:
                     return X509ChainStatusFlags.InvalidBasicConstraints;
                 default:
-                    Debug.Fail("Unrecognized X509VerifyStatusCode:" + code);
+                    Debug.Fail("Unrecognized X509VerifyStatusCode:" + code.Code111);
                     throw new CryptographicException();
             }
         }

Edit: filed #67306 to show the actual status code
