Description
In a configuration like this, where all certificates and chains are valid and not expired:

```
root1 o   o root2   (root1 & root2 have different subjects & public keys)
      |   |
int1  o   o int2    (int1 & int2 have the same subject/public key)
       \ /
        v
        o leaf
```
chain building fails on Linux with this X509Chain configuration:

```
          o root2
          |
int1  o   o int2
       \ /
        v
        o leaf
```
but succeeds with this X509Chain configuration:

```
      o root2
      |
      o int2
     /
    /
  o leaf
```
Reproduction Steps
Run the attached tests. They pass on windows but fail on linux.
An example with real Let's Encrypt certificates has been included, very similar to the following:
[image not included in this page] (image source: https://scotthelme.co.uk/cross-signing-alternate-trust-paths-how-they-work/)
Note that time validity has been disabled for the Let's Encrypt tests, as one of the intermediates signed by DST Root CA X3 has already expired (however, the problem still exists with certificates that haven't expired, as shown by the other test).
Expected behavior
Chain building should succeed when there are multiple equivalent intermediate certificates (sharing the same public key) and a valid chain to the root. It appears that only one path is considered when there are multiple possible paths.
Actual behavior
Chain building fails with `PartialChain`. However, it succeeds when excluding one of the equivalent intermediate certificates.
Regression?
No response
Known Workarounds
When chain building fails with `PartialChain`, re-run chain building, excluding some of the intermediate certificates. However, this is not an efficient workaround: there may be many possibilities if there are many intermediates or multiple intermediate levels.
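One way to implement the retry workaround above in .NET, as an added example (not code from the issue or from the runtime; the `ChainBuildWorkaround` class and its method names are hypothetical). It pins the expected root via `CustomRootTrust`, offers all intermediates through `ExtraStore`, and only when the result is `PartialChain` retries with one intermediate left out at a time:

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography.X509Certificates;

// Hypothetical helper implementing the single-level retry described in the issue.
public static class ChainBuildWorkaround
{
    // Returns a built chain (caller disposes it) or null if no attempt succeeded.
    public static X509Chain? Build(
        X509Certificate2 leaf,
        X509Certificate2 root,
        IReadOnlyList<X509Certificate2> intermediates,
        bool ignoreTimeValidity = false)
    {
        // First attempt: every intermediate offered at once.
        var (chain, partial) = TryBuild(leaf, root, intermediates, ignoreTimeValidity);
        // Success, or a failure that is not the PartialChain symptom (bad signature,
        // untrusted root, ...): do not mask genuine rejections by retrying.
        if (chain != null || !partial) return chain;

        // Retry excluding each intermediate in turn. This covers the one-level case
        // from the report; deeper hierarchies need more combinations.
        for (int skip = 0; skip < intermediates.Count; skip++)
        {
            var subset = intermediates.Where((_, i) => i != skip).ToList();
            (chain, _) = TryBuild(leaf, root, subset, ignoreTimeValidity);
            if (chain != null) return chain;
        }
        return null;
    }

    private static (X509Chain? Chain, bool Partial) TryBuild(
        X509Certificate2 leaf, X509Certificate2 root,
        IReadOnlyList<X509Certificate2> intermediates, bool ignoreTimeValidity)
    {
        var chain = new X509Chain();
        chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
        chain.ChainPolicy.CustomTrustStore.Add(root);
        chain.ChainPolicy.ExtraStore.AddRange(intermediates.ToArray());
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck; // offline test fixture
        // Only for fixtures with expired certificates, as in the Let's Encrypt test.
        if (ignoreTimeValidity)
            chain.ChainPolicy.VerificationFlags = X509VerificationFlags.IgnoreNotTimeValid;

        if (chain.Build(leaf)) return (chain, false);

        bool partial = chain.ChainStatus.Any(
            s => (s.Status & X509ChainStatusFlags.PartialChain) != 0);
        chain.Dispose();
        return (null, partial);
    }
}
```

With the report's configuration, `Build(leaf, root2, new[] { int1, int2 })` fails on the first pass on Linux and succeeds on the retry that omits `int1`, while the same call passes on the first attempt on Windows.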
Configuration
.NET: 8.0.100
OS: Ubuntu 22.04
Architecture: x64
It is specific to Linux. OpenSSL version:
OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)