
Commit 5e6786e

AndreasReichUnityAlex
authored and committed
[unitytls] chain is now always updated with new cert data
Fixed not setting the chain status on the final chain
1 parent 994793a commit 5e6786e


1 file changed

+8
-13
lines changed


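--- a/mcs/class/System/Mono.UnityTls/UnityTlsProvider.cs
+++ b/mcs/class/System/Mono.UnityTls/UnityTlsProvider.cs
@@ -62,9 +62,6 @@ internal override bool ValidateCertificate (
                 errors |= SslPolicyErrors.RemoteCertificateNotAvailable;
                 return false;
             }
-
-            if (wantsChain)
-                chain = MNS.SystemCertificateValidator.CreateX509Chain (certificates);
         }
         else
         {
@@ -89,8 +86,7 @@ internal override bool ValidateCertificate (
         // convert cert to native or extract from unityTlsChainImpl.
         var result = UnityTls.unitytls_x509verify_result.UNITYTLS_X509VERIFY_NOT_DONE;
         UnityTls.unitytls_x509list* certificatesNative = null;
-        UnityTls.unitytls_x509list* finalCertificateChainNative =
-            chain == null ? null : UnityTls.NativeInterface.unitytls_x509list_create (&errorState);
+        UnityTls.unitytls_x509list* finalCertificateChainNative = UnityTls.NativeInterface.unitytls_x509list_create (&errorState);
         try
         {
             // Things the validator provides that we might want to make use of here:
@@ -142,21 +138,20 @@ internal override bool ValidateCertificate (
                 UnityTls.NativeInterface.unitytls_x509list_free (certificatesNative);
         }
 
-        if (finalCertificateChainNative != null) {
-            chain?.Dispose();
-            chain = new X509Chain(new X509ChainImplUnityTls(
-                UnityTls.NativeInterface.unitytls_x509list_get_ref (finalCertificateChainNative, &errorState),
-                reverseOrder: true // the verify callback starts with the root and ends with the leaf. That's the opposite of chain ordering.
-            ));
-        }
+        chain?.Dispose();
+        var chainImpl = new X509ChainImplUnityTls(
+            UnityTls.NativeInterface.unitytls_x509list_get_ref (finalCertificateChainNative, &errorState),
+            reverseOrder: true // the verify callback starts with the root and ends with the leaf. That's the opposite of chain ordering.
+        );
+        chain = new X509Chain(chainImpl);
 
         errors = UnityTlsConversions.VerifyResultToPolicyErrror(result);
         // There should be a status per certificate, but once again we're following closely the BTLS implementation
         // https://github.com/mono/mono/blob/1553889bc54f87060158febca7e6b8b9910975f8/mcs/class/System/Mono.Btls/MonoBtlsProvider.cs#L180
         // which also provides only a single status for the entire chain.
         // It is notoriously tricky to implement in OpenSSL to get a status for all invididual certificates without finishing the handshake in the process.
         // This is partially the reason why unitytls_x509verify_X doesn't expose it (TODO!) and likely the reason Mono's BTLS impl ignores this.
-        unityTlsChainImpl?.AddStatus(UnityTlsConversions.VerifyResultToChainStatus(result));
+        chainImpl.AddStatus(UnityTlsConversions.VerifyResultToChainStatus(result));
         return result == UnityTls.unitytls_x509verify_result.UNITYTLS_X509VERIFY_SUCCESS &&
             errorState.code == UnityTls.unitytls_error_code.UNITYTLS_SUCCESS;
     }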
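Review bot: The chain construction at new lines 141–146 drops the `finalCertificateChainNative != null` guard the old code had, so when `unitytls_x509list_create (&errorState)` at new line 89 returns null the list is still handed to `unitytls_x509list_get_ref` and a chain impl is built around it. The final `return` does check `errorState.code`, so the overall verdict is probably still false, but the hunks do not show whether the native `get_ref` tolerates a null list or whether `errorState` is reset inside the elided try block. Restoring an explicit guard before `chain?.Dispose();`, e.g. `if (finalCertificateChainNative == null) { errors |= SslPolicyErrors.RemoteCertificateChainErrors; return false; }`, keeps the failure path visible and avoids handing the caller a chain built from a null native list. The change at new line 89 also means a native list is created even when the caller did not ask for a chain (`wantsChain` is no longer consulted), so a one-line comment above it such as `// always build a native chain so the verification status can be attached to it` would record that this is intentional. ValidateCertificate begins before the first hunk.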
