xamarin.android.net.ServerCertificateCustomValidator_TrustManager does not check the TLS certificate chain correctly in .NET MAUI Android app Vulnerability issue

[mrsathish24]

Description: X509TrustManager.checkServerTrusted(...) needs to throw a java.security.cert.CertificateException if the certificate chain cannot be trusted.
The class xamarin.android.net.ServerCertificateCustomValidator_TrustManager never does this.

Recommendations: Use the default X509TrustManager whenever possible. If you have to use a custom
implementation, make sure to properly verify the certificate chain.

Regrading this TLS certificate issue we have tried below steps to provide fixes from .NET MAUI framework but no luck for the solution.

(1) By setting AndroidHttpClientHandlerType property value to Unset/the empty string
(2) By explicitly passing the handler property in all httpclient API instances.
(3) By explicitly setting the TLS 1.2
(4) By increasing the minimum SDK verion to 26 from 24

In Visual Studio .NET MAUI framework By default, X509TrustManager is being used in the application.

Please help us to provide the solution for this certificate issue.

Thanks you!!

[jonpryor]

@Sathish-kumar94 wrote:

X509TrustManager.checkServerTrusted(...) needs to throw a java.security.cert.CertificateException if the certificate chain cannot be trusted.
The class xamarin.android.net.ServerCertificateCustomValidator_TrustManager never does this.

Why do you say this?

Are you using dexdump to see what xamarin.android.net.ServerCertificateCustomValidator_TrustManager.checkServerTrusted() does and what it throws? If so, note this dexdump -d output:

Class #320            -
  Class descriptor  : 'Lxamarin/android/net/ServerCertificateCustomValidator_TrustManager;'
  Access flags      : 0x0001 (PUBLIC)
  Superclass        : 'Ljava/lang/Object;'
  Interfaces        -
    #0              : 'Lmono/android/IGCUserPeer;'
    #1              : 'Ljavax/net/ssl/X509TrustManager;'
    #2              : 'Ljavax/net/ssl/TrustManager;'
…
    #3              : (in Lxamarin/android/net/ServerCertificateCustomValidator_TrustManager;)
      name          : 'n_checkServerTrusted'
      type          : '([Ljava/security/cert/X509Certificate;Ljava/lang/String;)V'
      access        : 0x0102 (PRIVATE NATIVE)
      code          : (none)
…
    #1              : (in Lxamarin/android/net/ServerCertificateCustomValidator_TrustManager;)
      name          : 'checkServerTrusted'
      type          : '([Ljava/security/cert/X509Certificate;Ljava/lang/String;)V'
      access        : 0x0001 (PUBLIC)
      code          -
      registers     : 3
      ins           : 3
      outs          : 3
      insns size    : 4 16-bit code units
01e868:                                        |[01e868] xamarin.android.net.ServerCertificateCustomValidator_TrustManager.checkServerTrusted:([Ljava/security/cert/X509Certificate;Ljava/lang/String;)V
01e878: 7030 5709 1002                         |0000: invoke-direct {v0, v1, v2}, Lxamarin/android/net/ServerCertificateCustomValidator_TrustManager;.n_checkServerTrusted:([Ljava/security/cert/X509Certificate;Ljava/lang/String;)V // method@0957
01e87e: 0e00                                   |0003: return-void
      catches       : (none)
      positions     : 
        0x0000 line=42
        0x0003 line=43
      locals        : 
        0x0000 - 0x0004 reg=0 this Lxamarin/android/net/ServerCertificateCustomValidator_TrustManager; 
        0x0000 - 0x0004 reg=1 (null) [Ljava/security/cert/X509Certificate; 
        0x0000 - 0x0004 reg=2 (null) Ljava/lang/String; 

i.e. checkServerTrusted() calls n_checkServerTrusted(), which calls ServerCertificateCustomValidator.TrustManager.CheckServerTrusted()

ServerCertificateCustomValidator.TrustManager.CheckServerTrusted() can throw java.security.cert.CertificateException.

• https://github.com/xamarin/xamarin-android/blob/3653ec3dfaf090d6f3aec7cd193056a9d10197d7/src/Mono.Android/Xamarin.Android.Net/ServerCertificateCustomValidator.cs#L9
• https://github.com/xamarin/xamarin-android/blob/3653ec3dfaf090d6f3aec7cd193056a9d10197d7/src/Mono.Android/Xamarin.Android.Net/ServerCertificateCustomValidator.cs#L72

The original description is incorrect. (Additionally, ServerCertificateCustomValidator.TrustManager.CheckServerTrusted() is only relevant if AndroidMessageHandler.ServerCertificateCustomValidationCallback is assigned to.)

Please rephrase in the form of a bug report: what are you trying to do, what do you expect to happen, what actually happens?