@@ -62,9 +62,6 @@ internal override bool ValidateCertificate (
62
62
errors |= SslPolicyErrors . RemoteCertificateNotAvailable ;
63
63
return false ;
64
64
}
65
-
66
- if ( wantsChain )
67
- chain = MNS . SystemCertificateValidator . CreateX509Chain ( certificates ) ;
68
65
}
69
66
else
70
67
{
@@ -89,8 +86,7 @@ internal override bool ValidateCertificate (
89
86
// convert cert to native or extract from unityTlsChainImpl.
90
87
var result = UnityTls . unitytls_x509verify_result . UNITYTLS_X509VERIFY_NOT_DONE ;
91
88
UnityTls . unitytls_x509list * certificatesNative = null ;
92
- UnityTls . unitytls_x509list * finalCertificateChainNative =
93
- chain == null ? null : UnityTls . NativeInterface . unitytls_x509list_create ( & errorState ) ;
89
+ UnityTls . unitytls_x509list * finalCertificateChainNative = UnityTls . NativeInterface . unitytls_x509list_create ( & errorState ) ;
94
90
try
95
91
{
96
92
// Things the validator provides that we might want to make use of here:
@@ -142,21 +138,20 @@ internal override bool ValidateCertificate (
142
138
UnityTls . NativeInterface . unitytls_x509list_free ( certificatesNative ) ;
143
139
}
144
140
145
- if ( finalCertificateChainNative != null ) {
146
- chain ? . Dispose ( ) ;
147
- chain = new X509Chain ( new X509ChainImplUnityTls (
148
- UnityTls . NativeInterface . unitytls_x509list_get_ref ( finalCertificateChainNative , & errorState ) ,
149
- reverseOrder : true // the verify callback starts with the root and ends with the leaf. That's the opposite of chain ordering.
150
- ) ) ;
151
- }
141
+ chain ? . Dispose ( ) ;
142
+ var chainImpl = new X509ChainImplUnityTls (
143
+ UnityTls . NativeInterface . unitytls_x509list_get_ref ( finalCertificateChainNative , & errorState ) ,
144
+ reverseOrder : true // the verify callback starts with the root and ends with the leaf. That's the opposite of chain ordering.
145
+ ) ;
146
+ chain = new X509Chain ( chainImpl ) ;
152
147
153
148
errors = UnityTlsConversions . VerifyResultToPolicyErrror ( result ) ;
154
149
// There should be a status per certificate, but once again we're following closely the BTLS implementation
155
150
// https://github.com/mono/mono/blob/1553889bc54f87060158febca7e6b8b9910975f8/mcs/class/System/Mono.Btls/MonoBtlsProvider.cs#L180
156
151
// which also provides only a single status for the entire chain.
157
152
// It is notoriously tricky to implement in OpenSSL to get a status for all invididual certificates without finishing the handshake in the process.
158
153
// This is partially the reason why unitytls_x509verify_X doesn't expose it (TODO!) and likely the reason Mono's BTLS impl ignores this.
159
- unityTlsChainImpl ? . AddStatus ( UnityTlsConversions . VerifyResultToChainStatus ( result ) ) ;
154
+ chainImpl . AddStatus ( UnityTlsConversions . VerifyResultToChainStatus ( result ) ) ;
160
155
return result == UnityTls . unitytls_x509verify_result . UNITYTLS_X509VERIFY_SUCCESS &&
161
156
errorState . code == UnityTls . unitytls_error_code . UNITYTLS_SUCCESS ;
162
157
}
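Review bot: The new code builds `chainImpl` from `unitytls_x509list_get_ref (finalCertificateChainNative, &errorState)` without the `finalCertificateChainNative != null` guard the removed lines had, while the second hunk now allocates that list unconditionally with `unitytls_x509list_create (&errorState)` before the `try`. If that native call can fail and hand back a null list (the `errorState` parameter suggests it reports failures), the chain is built on a null pointer and `chainImpl.AddStatus` runs on it, and the `errorState.code` check only happens at the final `return`, after the chain has been assigned to the caller-visible `chain`. Consider refusing before constructing the chain, e.g. `if (finalCertificateChainNative == null || errorState.code != UnityTls.unitytls_error_code.UNITYTLS_SUCCESS) { errors |= SslPolicyErrors.RemoteCertificateChainErrors; return false; }`, so a failed allocation cannot surface as a chain with a status attached; whether `unitytls_x509list_create` actually returns null on failure is not visible here and should be confirmed against the native interface. Freeing of `finalCertificateChainNative` after `get_ref` is also not visible in these hunks; ValidateCertificate begins outside the hunk, and whether the closing brace at old line 162 / new line 157 ends it cannot be told from this view.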