HTTPS X509 Certificate SHA-2 Signature Problems on iOS

Discussion in 'iOS and tvOS' started by jvaughan22, Jul 7, 2015.

  1. jvaughan22

    jvaughan22

    Joined:
    Apr 14, 2015
    Posts:
    1
    For some time now (at least since the first release of Unity 5 and still on Unity 5.1.0f3), Mono's WebRequest throws an exception when parsing the X509 certificate chain for my website. Here's what Xcode's error log/console says while I'm running my project on iOS:

    ---8<---
    ERROR building certificate chain: System.ArgumentException: certificate ---> System.Security.Cryptography.CryptographicException: Unsupported hash algorithm: 1.2.840.113549.1.1.12
      at Mono.Security.X509.X509Certificate.VerifySignature (System.Security.Cryptography.RSA rsa) [0x00000] in <filename unknown>:0
      at Mono.Security.X509.X509Certificate.VerifySignature (System.Security.Cryptography.AsymmetricAlgorithm aa) [0x00000] in <filename unknown>:0
      at System.Security.Cryptography.X509Certificates.X509Chain.IsSignedWith (System.Security.Cryptography.X509Certificates.X509Certificate2 signed, System.Security.Cryptography.AsymmetricAlgorithm pubkey) [0x00000] in <filename unknown>:0
      at System.Security.Cryptography.X509Certificates.X509Chain.Process (Int32 n) [0x00000] in <filename unknown>:0
      at System.Security.Cryptography.X509Certificates.X509Chain.ValidateChain (X509ChainStatusFlags flag) [0x00000] in <filename unknown>:0
      at System.Security.Cryptography.X509Certificates.X509Chain.Build (System.Security.Cryptography.X509Certificates.X509Certificate2 certificate) [0x00000] in <filename unknown>:0
      --- End of inner exception stack trace ---
      at System.Security.Cryptography.X509Certificates.X509Chain.Build (System.Security.Cryptography.X509Certificates.X509Certificate2 certificate) [0x00000] in <filename unknown>:0
      at System.Net.ServicePointManager+ChainValidationHelper.ValidateChain (Mono.Security.X509.X509CertificateCollection certs) [0x00000] in <filename unknown>:0
    Please, report this problem to the Mono team
    --->8---

    1.2.840.113549.1.1.12 is SHA-384, but my certificate only signs with SHA-256 (1.2.840.113549.1.1.11). Here's OpenSSL's output when parsing my certificate chain:

    ---8<---
    % openssl x509 -in cert.crt -noout -text
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number:
                c5:da:90:6f:a8:33:4d:79:76:ac:b6:a1:c9:52:45:d1
        Signature Algorithm: sha256WithRSAEncryption
            Issuer: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Domain Validation Secure Server CA
            Validity
                Not Before: Apr  9 00:00:00 2015 GMT
                Not After : Apr  8 23:59:59 2016 GMT
            Subject: OU=Domain Control Validated, OU=PositiveSSL, CN=www.dolphingame-online.com
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (2048 bit)
                    Modulus:
                        00:c5:4f:0f:73:69:57:92:79:54:9d:18:28:e5:e2:
                        0a:53:71:f9:64:89:eb:44:f9:a9:48:c5:55:7b:0d:
                        ad:ba:cb:ae:39:37:64:00:78:af:e6:cf:be:42:24:
                        f8:50:36:de:ce:86:e3:89:61:91:ba:4f:e1:c1:01:
                        6c:f8:86:c5:d2:1a:5b:79:4e:7b:af:29:25:0c:d5:
                        47:32:ab:5d:91:8b:4b:36:2c:a1:a5:b2:05:e4:09:
                        8c:9a:4e:44:10:5f:48:5a:fe:6a:80:fc:97:b4:ef:
                        a6:aa:2f:cf:66:38:3d:10:39:d3:29:cc:a9:71:e6:
                        e8:4e:48:d2:74:7c:ff:69:8b:9f:27:36:7d:ac:df:
                        70:51:ba:42:50:0b:fe:75:c1:04:d0:86:69:47:f6:
                        db:e4:14:68:b0:db:d8:09:79:df:52:1a:51:f9:e9:
                        d9:fc:03:2b:02:1d:3e:68:b5:df:6c:e2:b7:0d:e3:
                        be:c9:67:a0:0b:c1:ad:5c:9a:de:ca:4e:62:e6:fa:
                        67:8e:64:75:bb:6e:03:01:bd:4b:ac:63:40:f5:27:
                        76:bd:b5:ec:57:50:31:7c:bb:ad:02:20:3c:98:da:
                        96:83:3e:96:16:61:18:c0:14:05:bb:f8:66:09:c7:
                        10:a3:01:0a:d4:42:b5:20:eb:e5:d7:90:bb:97:99:
                        47:87
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Authority Key Identifier:
                    keyid:90:AF:6A:3A:94:5A:0B:D8:90:EA:12:56:73:DF:43:B4:3A:28:DA:E7
                X509v3 Subject Key Identifier:
                    59:59:61:24:4B:93:97:55:2B:0A:DF:97:FC:F7:58:C0:55:0B:63:58
                X509v3 Key Usage: critical
                    Digital Signature, Key Encipherment
                X509v3 Basic Constraints: critical
                    CA:FALSE
                X509v3 Extended Key Usage:
                    TLS Web Server Authentication, TLS Web Client Authentication
                X509v3 Certificate Policies:
                    Policy: 1.3.6.1.4.1.6449.1.2.2.7
                      CPS: https://secure.comodo.com/CPS
                    Policy: 2.23.140.1.2.1
                X509v3 CRL Distribution Points:
                    Full Name:
                      URI:http://crl.comodoca.com/COMODORSADomainValidationSecureServerCA.crl
                Authority Information Access:
                    CA Issuers - URI:http://crt.comodoca.com/COMODORSADomainValidationSecureServerCA.crt
                    OCSP - URI:http://ocsp.comodoca.com
                X509v3 Subject Alternative Name:
                    DNS:www.dolphingame-online.com, DNS:dolphingame-online.com
        Signature Algorithm: sha256WithRSAEncryption
             0a:ed:ed:af:12:4f:6f:50:c2:fd:89:09:9c:be:89:83:3f:95:
             ec:ac:4e:c9:e9:2f:f5:57:c5:91:37:ca:ba:27:01:4e:d0:c2:
             13:11:5b:3d:df:38:b8:f5:08:9e:58:38:f8:8e:6d:1f:0b:f2:
             69:1b:45:c4:1e:c7:fc:08:0d:26:13:28:23:d0:d4:07:d1:eb:
             0f:c5:f9:a5:4f:8f:12:60:34:0c:ed:d9:86:88:ce:7e:03:f3:
             09:59:65:76:2a:f2:b2:fe:f5:93:82:16:9c:6b:5e:18:cd:05:
             0e:bf:78:1c:2c:7c:63:c9:a8:64:38:24:70:21:de:00:2f:ad:
             4f:12:b8:c7:8b:40:e1:65:22:d3:c3:7a:21:6b:0a:02:7d:3a:
             0b:d3:ff:f3:07:7a:a6:60:8f:62:13:95:ea:ab:44:e1:78:b5:
             9a:83:d1:cd:9e:d2:36:ed:19:fe:db:26:66:c5:11:d1:f4:51:
             d7:8c:7e:f5:45:02:dc:70:0b:fd:20:af:d5:ec:43:a8:c2:ab:
             db:68:60:39:a7:0f:1a:f8:8d:76:24:c6:26:86:e7:d4:b1:c5:
             45:13:b4:b1:d6:87:7d:3e:0d:e2:71:0b:db:96:06:39:80:79:
             df:13:b0:3e:fe:42:09:52:dc:1c:ef:b4:dd:43:9b:43:70:c5:
             18:2e:ce:a6
    --->8---

    Unity's Mono seems to think that my certificates use SHA-384, but they're only using SHA-256. I only see this problem on iOS builds. Has anyone else seen this, too?

    I've attached a ZIP file containing a project that'll reproduce this problem. Keep an eye on Xcode's console output when you run it. The ZIP also contains my certificate both encoded (.crt) and decoded (.txt).

    Thanks!
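    A note on reading that trace, with an added check. The failing frame is X509Chain.Process(n) calling IsSignedWith on entry n of the chain, so the OID in the exception belongs to whichever certificate Mono was verifying at that moment, not necessarily to the leaf dumped above: a sha256 leaf can sit under an intermediate that is itself signed with sha384WithRSAEncryption (1.2.840.113549.1.1.12), and an old Mono that lacks that OID in its table fails while building the chain. The script below is an added example, not code from this thread or from Unity or Mono. It walks the outer DER structure of each certificate in a PEM bundle by hand (no third-party modules), decodes the signatureAlgorithm OID, and flags any link a client does not support. Feed it the output of `openssl s_client -connect host:443 -showcerts`; the bundle embedded here is constructed from two synthetic, certificate-shaped DER blobs (not real or valid certificates) solely to show a sha256 leaf under a sha384-signed issuer.

```python
"""List the signature algorithm of every certificate in a PEM bundle.

Added example; not code from the forum thread, Unity or Mono. Parses only
the outer Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm,
signatureValue } shell, which is all that is needed to see which link of a
chain carries an unsupported algorithm OID.
"""
import base64
import re

# OID -> name for the common RSA (RFC 4055) and ECDSA (RFC 5758) signature algorithms.
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
}


def _read_tlv(buf, pos):
    """Parse one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def decode_oid(raw):
    """Decode OBJECT IDENTIFIER content octets into dotted-decimal form."""
    first = raw[0]                         # first octet packs the first two arcs
    arcs = [0, first] if first < 40 else ([1, first - 40] if first < 80 else [2, first - 80])
    value = 0
    for b in raw[1:]:                      # base-128, high bit set on all but the last octet
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def signature_algorithm_oid(der):
    """Return the dotted OID from the outer signatureAlgorithm of a DER certificate."""
    tag, start, _ = _read_tlv(der, 0)                 # Certificate SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, tbs_end = _read_tlv(der, start)             # skip tbsCertificate
    _, alg_start, _ = _read_tlv(der, tbs_end)         # signatureAlgorithm SEQUENCE
    tag, oid_start, oid_end = _read_tlv(der, alg_start)
    if tag != 0x06:
        raise ValueError("signatureAlgorithm does not start with an OID")
    return decode_oid(der[oid_start:oid_end])


def certificates_in(pem_bundle):
    """Split a PEM bundle (e.g. `openssl s_client -showcerts` output) into DER blobs."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_bundle, re.S)
    return [base64.b64decode("".join(b.split())) for b in blocks]


def chain_signature_report(pem_bundle):
    """[(index, oid, name)] for each certificate, in bundle order (leaf first from s_client)."""
    return [(i, oid, SIGNATURE_OIDS.get(oid, "unknown"))
            for i, der in enumerate(certificates_in(pem_bundle))
            for oid in [signature_algorithm_oid(der)]]


def unsupported_links(pem_bundle, supported_oids):
    """Indices of chain entries whose signatureAlgorithm the client cannot verify."""
    return [i for i, oid, _ in chain_signature_report(pem_bundle) if oid not in supported_oids]


# ---- constructed sample input (synthetic DER, not real certificates) ----
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def _fake_certificate(sig_oid):
    """Certificate-shaped DER with a stub tbsCertificate and a dummy signature."""
    tbs = _der(0x30, _der(0x02, b"\x02"))                               # stand-in tbsCertificate
    alg = _der(0x30, _der(0x06, encode_oid(sig_oid)) + _der(0x05, b""))  # AlgorithmIdentifier
    sig = _der(0x03, b"\x00" * 17)                                       # dummy BIT STRING
    return _der(0x30, tbs + alg + sig)


def _to_pem(der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


# Leaf signed with sha256WithRSA, issuer signed with sha384WithRSA: the shape that
# trips a client whose OID table stops at 1.2.840.113549.1.1.11.
SAMPLE_BUNDLE = _to_pem(_fake_certificate("1.2.840.113549.1.1.11")) + \
                _to_pem(_fake_certificate("1.2.840.113549.1.1.12"))

if __name__ == "__main__":
    for i, oid, name in chain_signature_report(SAMPLE_BUNDLE):
        print(f"cert[{i}]: {oid} ({name})")
    print("unsupported by a sha256-only verifier:",
          unsupported_links(SAMPLE_BUNDLE, {"1.2.840.113549.1.1.11"}))
```

    Run it against a real `-showcerts` dump and the index printed under "unsupported" is the chain link to look at; `openssl x509 -noout -text` on that one certificate then shows the issuer, which is what a bug report against the TLS stack needs.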
     

  2. fschneider

    fschneider

    Joined:
    May 26, 2014
    Posts:
    42
    I have the same issue on iOS builds.

    Edit: Reported bug as requested by @lukaszunity , Case: 763536
     
    Last edited: Jan 21, 2016
  3. lukaszunity

    lukaszunity

    Administrator

    Joined:
    Jun 11, 2014
    Posts:
    461
    Please file a bug report for this issue and post the case number here.
     
  4. funx

    funx

    Joined:
    Jun 9, 2014
    Posts:
    16
    I'm getting same error on iOS still with 5.3.2p2
     
  5. toreolsensan

    toreolsensan

    Joined:
    Nov 17, 2015
    Posts:
    6
    I'm seeing the same error, and believe this is fixed in mono by commit 95ab3c8d2a43eb3fa47279a560e58340b7806615. Is it possible to get this backported into the mono version that Unity uses?
     
  6. JoshPeterson

    JoshPeterson

    Unity Technologies

    Joined:
    Jul 21, 2014
    Posts:
    6,931
    @toreolsensan

    It looks like we should be able to take that change from the Mono class libraries. We will investigate and see if we can correct this issue and get the fix out in a patch release.
     
  7. funx

    funx

    Joined:
    Jun 9, 2014
    Posts:
    16
    Has there been any progress on this issue? I'm still getting it on iOS with 5.3.5p2
     
  8. JoshPeterson

    JoshPeterson

    Unity Technologies

    Joined:
    Jul 21, 2014
    Posts:
    6,931
    @funx

    Yes, I've made the change in our Mono fork on Github. Sorry for the delay in landing it though. I think that it will land in the 5.3.5p4 patch release.
     
  9. toreolsensan

    toreolsensan

    Joined:
    Nov 17, 2015
    Posts:
    6
    Good news, I'm looking forward to testing it!
     
  10. BumbleFish22

    BumbleFish22

    Joined:
    Jan 28, 2015
    Posts:
    2
    Hi Josh,
    Did the above fix go in?
    I am on 5.3.6p6 (for Mac) and get this similar looking error about 33% of the time when building from command line.
    The error first started happening for me when I went from 5.3.4 to 5.3.5.
    Is it related to the issue above?

    Thanks,
    Mark.
    Reloading assemblies after script compilation.
    Begin MonoManager ReloadAssembly
    ERROR building certificate chain: System.Threading.ThreadAbortException: Thread was being aborted
    at (wrapper managed-to-native) System.IO.MonoIO:GetFileSystemEntries (string,string,int,int,System.IO.MonoIOError&)
    at System.IO.Directory.GetFileSystemEntries (System.String path, System.String searchPattern, FileAttributes mask, FileAttributes attrs) [0x00147] in /Users/builduser/buildslave/mono/build/mcs/class/corlib/System.IO/Directory.cs:523
    at System.IO.Directory.GetFiles (System.String path, System.String searchPattern) [0x00000] in /Users/builduser/buildslave/mono/build/mcs/class/corlib/System.IO/Directory.cs:308
    at Mono.Security.X509.X509Store.BuildCertificatesCollection (System.String storeName) [0x00000] in <filename unknown>:0
    at Mono.Security.X509.X509Store.get_Certificates () [0x00000] in <filename unknown>:0
    at System.Security.Cryptography.X509Certificates.X509Store.Open (OpenFlags flags) [0x00000] in <filename unknown>:0
    at System.Security.Cryptography.X509Certificates.X509Chain.get_CertificateAuthorities () [0x00000] in <filename unknown>:0
    at System.Security.Cryptography.X509Certificates.X509Chain.get_CertificateCollection () [0x00000] in <filename unknown>:0
    at System.Security.Cryptography.X509Certificates.X509Chain.FindParent (System.Security.Cryptography.X509Certificates.X509Certificate2 certificate) [0x00000] in <filename unknown>:0
    at System.Security.Cryptography.X509Certificates.X509Chain.BuildChainFrom (System.Security.Cryptography.X509Certificates.X509Certificate2 certificate) [0x00000] in <filename unknown>:0
    at System.Security.Cryptography.X509Certificates.X509Chain.Build (System.Security.Cryptography.X509Certificates.X509Certificate2 certificate) [0x00000] in <filename unknown>:0
    at System.Net.ServicePointManager+ChainValidationHelper.ValidateChain (Mono.Security.X509.X509CertificateCollection certs) [0x00000] in <filename unknown>:0
    Please, report this problem to the Mono team
     
  11. JoshPeterson

    JoshPeterson

    Unity Technologies

    Joined:
    Jul 21, 2014
    Posts:
    6,931
    @BumbleFish22

    The fix above in this thread landed in 5.3.5p4.

    I think the issue you are experiencing might be different, as the one in this thread happened at run time. Your issue seems to be related to the file system somehow. Can you reproduce it (even sometimes) on a different machine?
     
  12. BumbleFish22

    BumbleFish22

    Joined:
    Jan 28, 2015
    Posts:
    2
    Thanks for your reply Josh.
    I spent several days working on this.
    I tried to repro on a PC, but I couldn't get it to happen. Unfortunately I need it to work on our only Mac.
    I found that I was getting several different callstacks within the Cryptography module.
    I suspect that something else was failing, and it just happened to die at different points in that module, based on timing.
    Opening the project in the Unity GUI would make the problem go away for a while, but this wasn't a workable long term workaround due to it being an automated build machine.
    I found that Unity GUI was touching a handful of files when it fixed the problem.
    Ultimately I found that deleting the \Library\ScriptAssemblies folder before starting the build prevented the crash from happening.
    I don't understand what the root of the problem is, but this workaround is good enough for me.
     
  13. JoshPeterson

    JoshPeterson

    Unity Technologies

    Joined:
    Jul 21, 2014
    Posts:
    6,931
    I'm glad you were able to work around the issue. I'm also unsure about the cause, but something might be lurking here in the C# compiler. If you have a chance to try this with a 5.5 beta release, that might be worthwhile, as we have updated the C# compiler in 5.5, and this problem might go away.