Description
Describe the bug
When validating a certificate, where the issuer is known to the application, but not installed in the Trusted Root certificate store, I believe the correct approach is to add the known issuer certificate to the ExclusiveTrustRoots collection and then build the chain.
This works using the X509Certificate2 and X509Chain in .NET.
However, using the classes in namespace Windows.Security.Cryptography.Certificates does not work as expected.
I've tried all possible combinations of calls, but they all fail when building the chain.
The use case is validation of certificates using the Windows.Web.HttpClient and HttpServerCustomValidationRequestedEventArgs which contains a server certificate to be validated.
To Reproduce
Create a Console application with TargetFramework:
net8.0-windows10.0.22621.0
using System.Diagnostics;
using System.Runtime.InteropServices.WindowsRuntime;
using Windows.Security.Cryptography.Certificates;
internal class Program
{
private static async Task Main(string[] args)
{
// Issuer cert (TestRoot) is a self signed certificate expiring 2029-12-31
var testRootBlob = Convert.FromBase64String("MIIFLDCCAxSgAwIBAgIQG6GgIwJQhZ1OnoPKkKzHzzANBgkqhkiG9w0BAQsFADBBMREwDwYDVQQDEwhUZXN0Um9vdDEfMB0GA1UEChMWRGlzdHJpYnV0ZWQgTWVkaWNhbCBBQjELMAkGA1UEBhMCU0UwHhcNMjUwNTEyMDY1NzA4WhcNMjkxMjMxMDAwMDAwWjBBMREwDwYDVQQDEwhUZXN0Um9vdDEfMB0GA1UEChMWRGlzdHJpYnV0ZWQgTWVkaWNhbCBBQjELMAkGA1UEBhMCU0UwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDQR4wEHEQbbElaePkf6bpUodBw/eAoYPjqlVd9SEtOA3t7gqwOHHxS02LjbwU6fAUJRsVH2MJ5eraOL7mfTe+SFWmjWMkd4zsEGKC0+DF0jJvJLbmn3VFURGRG1yHJZHEBnVx0VyO5Vc/SLnu7AoGJtFjlk1zlZnqKSZ/Rlzgh5qT5ITNfH+RLFgAF8jARoH1bOqnrsDzAyB1qd5QvrpWr+HMhuZWPa6CgdCCfvWlLqdKExpiCn30Fg41AH87DFR6CwDX8ULWdpgPWFE5A72/6kuBWy3lDEe3PMQhAhWVtvnpUudE5iiPf0442S08zH16mo4HFsilV7xz/GwbQ2iKo1I0tST6BAWBIwPTFjGKVGkknSghcDpVuZd2YTacxpmGknP7gbrykC2eJtQxR097O7PSnmCdd4/Al8Baob+WL8EO58klxBwwG+Qmh05RAD3Zah8+jiFwR5kXQF5Rhcj8IHkuAAnBGrQD0cot0EeusaMxushet4k6+eRir8gOCeLUUxrxtYLTweVMXIGFVRfhOIZkCkYprBsnzcD18ZF4W34GneE/7ARjFDSQZU8CAngioR/48bZYxQPIZIiOW+emN0V1vurZA+4nD1F4AL72mzc4dcIjt4i3FW/zgw8aOtgiFPX3Nmz2HStG5rxHKPapN+QF4PGFppkqk2o5Cu41qkQIDAQABoyAwHjAPBgNVHRMECDAGAQH/AgECMAsGA1UdDwQEAwIB/jANBgkqhkiG9w0BAQsFAAOCAgEAIEgZ8WoVGy5IjhKS4kg1ga+S8GQCQaHKbpslcF/9cDnHuOx9Kx2bHPwqz/n4imZ9+NK9NwVPMcySlJOC+Hj9XBrGZHVohfQpV5oDtxHKQwLHdnTm2vka7agxVMQxUXSMIdG1eRhiYIOFThjvDbsJ4Ejp6so1aqxFws2Ef69+++j94o6tCe1cbvfE/ctYXWsMdLuJL5OqIMbubCpkw9gU8AfhvktizXFan4vkVH3pWNE2a8EzHQYeQoK92EVPjFnj1kLaA8JemOujkfUyX7E/xQv4/RQhZMHyHQdEdbWS/rnAkjqGrPLaXtMPVw2lWj8DsL3acRWNwSu5JaI8yReb8wnLwmZMQTDq6SqX2qLWBurBp5s1glkA/M7q6Wpd6Z2yVwfNLkfy+s1PdUBobl6IYaXemebvbVquFHvSbsJzUC8RFhtnf1gq0N2x4lfUG8X+aqXOovAhaN9Rt7EONGnWeHgqiQy0yrvhHMsPUlZABEcFOxCp23LTIEnPampsmH3qPhrC+/ffOpvUEyaBvq1Ek7PkCcPj2/sVyfePCR+krvOaPxLCO1ZGHisA7A6fqn3hL+yRLb0jBLIqm9ZxTDa9L29Zesmeur2HPA0Z3cch7uiik1FQ7oGXWVU63wt4QaDfC+K7DLCImHLuwBbXv7UqGA7xLupEV6BIy92cRrLZO/g=");
// Child cert (TestChild) is issued by TestRoot
var testChildBlob = Convert.FromBase64String("MIIFOjCCAyKgAwIBAgIgUcoa9naHZLQHtY9VfAx+yD66yBFArQGbW4cOig+nmX4wDQYJKoZIhvcNAQELBQAwQTERMA8GA1UEAxMIVGVzdFJvb3QxHzAdBgNVBAoTFkRpc3RyaWJ1dGVkIE1lZGljYWwgQUIxCzAJBgNVBAYTAlNFMB4XDTI1MDUxMTIyMDAwMFoXDTI5MTIzMDIzMDAwMFowQjELMAkGA1UEBhMCU0UxHzAdBgNVBAoTFkRpc3RyaWJ1dGVkIE1lZGljYWwgQUIxEjAQBgNVBAMTCVRlc3RDaGlsZDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAOl3X4p59+GvYVI9aM6L61bLtOA6NLSW0TRVsx6v/n2z8qyDHCAu+IisvBjBb0nakrCVCNs97h7AJbBifOfii58hRSFtTDjiy0rz/BxZKEdyJIix1BhphEXsPVbaz4HmNG27bYocVIKOGUiFxt5VC9plq5Tco5K9IuH4sQeBtWWRR4w3ZwhYa9q2zC4QadiQqCdhgsAa0YH0D3brbbEmPgPvj2LEPLpi0ax0ZWPWXSYuxceLhDVG3eMS9vlB82UU5cAp/3YIf04rzt5+C3Uewrk2Fgw7d4efoMxDLovUWCNldONexssgum8RN4LlU8X3DAnl4v5pI3hsg5vRi90VS0KnU0JV52qwEu0YLExTUrrJ66CSEOFl/08Pk2txDqw6yzNiP2yLIoNQjUXDyyCSU7UZgCzSvRZzOA4apkt6JxOLNMOt4bJCnXyBjN89j7iUOiZcKliwXEoadbw7eyrg8zQ9sCF811HA49n+n3xIsXziXSw0qwrkOoxXgPve0KnTDL8jXvVkUIqMsi/01N4v/rWPU8r5Fkw9e0/NdOtkueF3VRnuY0YyXF8np9Gj6utUjXTvasOobdaqbMcVSBpU5rYFug0wb6lzgnp//MDd8C+pWTCP6rlUiyOyFwSb2P12YDUqd2s4+WJ2RX2DfH+uC1b33t4biK40YiVrwhLrjARRAgMBAAGjHTAbMAwGA1UdEwEB/wQCMAAwCwYDVR0PBAQDAgOIMA0GCSqGSIb3DQEBCwUAA4ICAQCf70k9kzaotP4q6n5v3bPaeUE+dKnan7WGwX1J+QiSgezxfnUmjF3EO4Q8i6XAmXmyFsi1+3J8DCfH9N3ZDLDV4zwog01eYtDphH/Cq2pQcL0Jm6taZ4Xio6L6DtIG3swTiae5SOrq9Xq1QraDWtJ646Q02F4FpgSmuGGI94P7NM62IWjVEifEIRxD11Xm9RgFagUAaaTW95+EeKo6p5lnBhSKxJcCPZy8Brnpwva4gWQm5UVA2uO0hzG0NsmPi8PfGiS4FA4Hg2vc4fdomk6gi/ifhMT0qnZ98fd2E8tVfyAJbnl+4Q0Hqc0W9P5sqow1jhGvqWHV6xBzxU5YT3Y5vtjrxsXEiquxcxabzDqCzLYUWwrrJpGUwJn7WuZZBI/QrWYWrddatzwq2NZl4XoZ/M/2ovTpmrGlXavXKBZeShZsG3afn7ZG+8dZvJ+heiIeT/8EAx5p6E8IafDxfhZONBonStgDqBEkASEObCLHoejOp33a8SHauVNP6oQhFi+5UkEzO6c4JP3SIb1eZvyRf1pwOj3xNmV4lLlABi/hG62xz6lFkdfKhM6V/z9OwG1LdSROeKPo1Xc9qf/3NuwkZ5fPwbdCt7CEDyfeJxOpiZ0n6QpbuoJbeWkY3pRJd0ZyfCQD+OB3YbqpL+ISRxxC8JvUcXKE1ICOKT/3dU/Cxg==");
var testRootCert = new Windows.Security.Cryptography.Certificates.Certificate(testRootBlob.AsBuffer());
var testChildCert = new Windows.Security.Cryptography.Certificates.Certificate(testChildBlob.AsBuffer());
var builderParams = new Windows.Security.Cryptography.Certificates.ChainBuildingParameters()
{
CurrentTimeValidationEnabled = true,
NetworkRetrievalEnabled = false,
RevocationCheckEnabled = false,
};
// TestRoot is not trusted by the local system
// but this is expected to do the trick
builderParams.ExclusiveTrustRoots.Add(testRootCert);
// None of these works!
var certs = new List<Certificate>();
certs.Add(testChildCert); // Only TestChild
try { await testRootCert.BuildChainAsync(certs, builderParams); } catch { Debug.Assert(false); }
try { await testChildCert.BuildChainAsync(certs, builderParams); } catch { Debug.Assert(false); }
certs.Clear();
certs.Add(testRootCert); // Only TestRoot
try { await testRootCert.BuildChainAsync(certs, builderParams); } catch { Debug.Assert(false); }
try { await testChildCert.BuildChainAsync(certs, builderParams); } catch { Debug.Assert(false); }
certs.Clear();
certs.Add(testRootCert); // Both TestRoot and TestChild
certs.Add(testChildCert);
try { await testRootCert.BuildChainAsync(certs, builderParams); } catch { Debug.Assert(false); }
try { await testChildCert.BuildChainAsync(certs, builderParams); } catch { Debug.Assert(false); }
certs.Clear();
certs.Add(testChildCert); // Both TestRoot and TestChild (different order)
certs.Add(testRootCert);
try { await testRootCert.BuildChainAsync(certs, builderParams); } catch { Debug.Assert(false); }
try { await testChildCert.BuildChainAsync(certs, builderParams); } catch { Debug.Assert(false); }
// Clearing the trusted roots will work...
builderParams.ExclusiveTrustRoots.Clear();
var chain = await testChildCert.BuildChainAsync(certs, builderParams);
var result = chain.Validate();
// ... but the result is now Untrusted (which of course is expected)
Debug.Assert(result == Windows.Security.Cryptography.Certificates.ChainValidationResult.Success);
}
}
Exceptions (if any)
{"Specified argument was out of the range of valid values."} | System.ArgumentOutOfRangeException
Further technical details
C:\Program Files\Microsoft Visual Studio\2022\Professional>dotnet --info
.NET SDK:
Version: 9.0.203
Commit: dc7acfa
Workload version: 9.0.200-manifests.12d79ccf
MSBuild version: 17.13.20+a4ef1e90f
Runtime Environment:
OS Name: Windows
OS Version: 10.0.26100
OS Platform: Windows
RID: win-x64
Base Path: C:\Program Files\dotnet\sdk\9.0.203\
.NET workloads installed:
There are no installed workloads to display.
Configured to use loose manifests when installing new manifests.
Host:
Version: 9.0.4
Architecture: x64
Commit: f57e6dc747
.NET SDKs installed:
9.0.203 [C:\Program Files\dotnet\sdk]
.NET runtimes installed:
Microsoft.AspNetCore.App 6.0.36 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 7.0.20 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 8.0.15 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 9.0.4 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
Microsoft.NETCore.App 6.0.36 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
Microsoft.NETCore.App 7.0.20 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
Microsoft.NETCore.App 8.0.10 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
Microsoft.NETCore.App 8.0.14 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
Microsoft.NETCore.App 8.0.15 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
Microsoft.NETCore.App 9.0.4 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
Microsoft.WindowsDesktop.App 6.0.36 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
Microsoft.WindowsDesktop.App 7.0.20 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
Microsoft.WindowsDesktop.App 8.0.10 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
Microsoft.WindowsDesktop.App 8.0.14 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
Microsoft.WindowsDesktop.App 8.0.15 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
Microsoft.WindowsDesktop.App 9.0.4 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
Other architectures found:
x86 [C:\Program Files (x86)\dotnet]
registered at [HKLM\SOFTWARE\dotnet\Setup\InstalledVersions\x86\InstallLocation]
Environment variables:
Not set
global.json file:
Not found
Learn more:
https://aka.ms/dotnet/info
Download .NET:
https://aka.ms/dotnet/download