X509ChainImplUnityTls reports status now

Fixes Fogbugz ticket 1261388.
Impl sticks close to current Mono Btls implementation on _master_ - the implementation on our fork has the same issues as prior to this fix and throws NotImplementedException

Author: AndreasReich

mcs/class/System/Mono.UnityTls/UnityTlsConversions.cs

@@ -9,6 +9,7 @@
 
 using System.Security.Authentication;
 using System.Net.Security;
+using System.Security.Cryptography.X509Certificates;
 
 namespace Mono.Unity
 {
@@ -103,6 +104,30 @@ public static SslPolicyErrors VerifyResultToPolicyErrror (UnityTls.unitytls_x509
 				error |= SslPolicyErrors.RemoteCertificateChainErrors;
 			return error;
 		}
+
+		public static X509ChainStatusFlags VerifyResultToChainStatus (UnityTls.unitytls_x509verify_result verifyResult)
+		{
+			// First, check "non-flags"
+			if (verifyResult == UnityTls.unitytls_x509verify_result.UNITYTLS_X509VERIFY_SUCCESS)
+				return X509ChainStatusFlags.NoError;
+			else if (verifyResult == UnityTls.unitytls_x509verify_result.UNITYTLS_X509VERIFY_FATAL_ERROR)
+				return X509ChainStatusFlags.UntrustedRoot; // Inaccurate, throw exception instead?
+
+			// Yes, we ignore user error flags here. They still affect if a chain is accepted, but they are not status flags of the chain!
+			X509ChainStatusFlags error = X509ChainStatusFlags.NoError;
+			if (verifyResult.HasFlag (UnityTls.unitytls_x509verify_result.UNITYTLS_X509VERIFY_FLAG_EXPIRED))
+				error |= X509ChainStatusFlags.NotTimeValid;
+			if (verifyResult.HasFlag (UnityTls.unitytls_x509verify_result.UNITYTLS_X509VERIFY_FLAG_REVOKED))
+				error |= X509ChainStatusFlags.Revoked;
+			if (verifyResult.HasFlag (UnityTls.unitytls_x509verify_result.UNITYTLS_X509VERIFY_FLAG_CN_MISMATCH))
+				// Unclear what to return, behaving like Mono's BTLS impl
+				// https://github.com/mono/mono/blob/1553889bc54f87060158febca7e6b8b9910975f8/mcs/class/System/Mono.Btls/MonoBtlsProvider.cs#L312
+				error |= X509ChainStatusFlags.UntrustedRoot;
+			if (verifyResult.HasFlag (UnityTls.unitytls_x509verify_result.UNITYTLS_X509VERIFY_FLAG_NOT_TRUSTED))
+				error |= X509ChainStatusFlags.UntrustedRoot;
+
+			return error;
+		}
 	}
 }
 #endif

mcs/class/System/Mono.UnityTls/UnityTlsProvider.cs

@@ -128,6 +128,12 @@ internal override bool ValidateCertificate (
 			}
 
 			errors = UnityTlsConversions.VerifyResultToPolicyErrror(result);
+			// There should be a status per certificate, but once again we're following closely the BTLS implementation
+			// https://github.com/mono/mono/blob/1553889bc54f87060158febca7e6b8b9910975f8/mcs/class/System/Mono.Btls/MonoBtlsProvider.cs#L180
+			// which also provides only a single status for the entire chain.
+			// It is notoriously tricky to implement in OpenSSL to get a status for all invididual certificates without finishing the handshake in the process.
+			// This is partially the reason why unitytls_x509verify_X doesn't expose it (TODO!) and likely the reason Mono's BTLS impl ignores this.
+			unityTlsChainImpl?.AddStatus(UnityTlsConversions.VerifyResultToChainStatus(result));
 			return result == UnityTls.unitytls_x509verify_result.UNITYTLS_X509VERIFY_SUCCESS && 
 					errorState.code == UnityTls.unitytls_error_code.UNITYTLS_SUCCESS;
 		}

mcs/class/System/Mono.UnityTls/X509ChainImplUnityTls.cs

@@ -1,6 +1,7 @@
 #if SECURITY_DEP
 
 using System;
+using System.Collections.Generic;
 using System.Text;
 using System.Security;
 using System.Security.Cryptography;
@@ -12,9 +13,10 @@ namespace Mono.Unity
 	// Follows mostly X509ChainImplBtls
 	class X509ChainImplUnityTls : X509ChainImpl
 	{
-		X509ChainElementCollection elements;
-		UnityTls.unitytls_x509list_ref nativeCertificateChain;
-		X509ChainPolicy policy = new X509ChainPolicy ();
+		private X509ChainElementCollection elements;
+		private UnityTls.unitytls_x509list_ref nativeCertificateChain;
+		private X509ChainPolicy policy = new X509ChainPolicy ();
+		private List<X509ChainStatus> chainStatusList;
 
 		internal X509ChainImplUnityTls (UnityTls.unitytls_x509list_ref nativeCertificateChain)
 		{
@@ -61,16 +63,18 @@ public override X509ChainElementCollection ChainElements {
 
 		public override void AddStatus (X509ChainStatusFlags error) 
 		{
+			if (chainStatusList == null)
+				chainStatusList = new List<X509ChainStatus>();
+			chainStatusList.Add (new X509ChainStatus(error));
 		}
 
 		public override X509ChainPolicy ChainPolicy {
 			get { return policy; }
 			set { policy = value; }
 		}
 
-		public override X509ChainStatus[] ChainStatus {
-			get { throw new NotImplementedException (); }
-		}
+		public override X509ChainStatus[] ChainStatus => chainStatusList?.ToArray() ?? new X509ChainStatus[0];
+
 
 		public override bool Build (X509Certificate2 certificate)
 		{