[unitytls] User facing certificate callbacks contain now certificates from system store

AndreasReich · AndreasReich · commit c21712414a87 · 2021-02-16T13:27:06.000+01:00
diff --git a/mcs/class/System/Mono.UnityTls/UnityTlsProvider.cs b/mcs/class/System/Mono.UnityTls/UnityTlsProvider.cs
@@ -48,6 +48,13 @@ internal override IMonoSslStream CreateSslStreamInternal (
 			return new UnityTlsStream (innerStream, leaveInnerStreamOpen, sslStream, settings, this);
 		}
 
+		static UnityTls.unitytls_x509verify_result x509verify_callback(void* userData, UnityTls.unitytls_x509_ref cert, UnityTls.unitytls_x509verify_result result, UnityTls.unitytls_errorstate* errorState)
+		{
+			if (userData != null)
+				UnityTls.NativeInterface.unitytls_x509list_append ((UnityTls.unitytls_x509list*)userData, cert, errorState);
+			return result;
+		}
+
 		internal override bool ValidateCertificate (
 			ICertificateValidator2 validator, string targetHost, bool serverMode,
 			X509CertificateCollection certificates, bool wantsChain, ref X509Chain chain,
@@ -85,6 +92,8 @@ internal override bool ValidateCertificate (
 			// convert cert to native or extract from unityTlsChainImpl.
 			var result = UnityTls.unitytls_x509verify_result.UNITYTLS_X509VERIFY_NOT_DONE;
 			UnityTls.unitytls_x509list* certificatesNative = null;
+			UnityTls.unitytls_x509list* finalCertificateChainNative = 
+				chain == null ? null : UnityTls.NativeInterface.unitytls_x509list_create (&errorState);
 			try
 			{
 				// Things the validator provides that we might want to make use of here:
@@ -114,22 +123,36 @@ internal override bool ValidateCertificate (
 						var trustCAnativeRef = UnityTls.NativeInterface.unitytls_x509list_get_ref (trustCAnative, &errorState);
 
 						fixed (byte* targetHostUtf8Ptr = targetHostUtf8) {
-							result = UnityTls.NativeInterface.unitytls_x509verify_explicit_ca (certificatesNativeRef, trustCAnativeRef, targetHostUtf8Ptr, (size_t)targetHostUtf8.Length, null, null, &errorState);
+							result = UnityTls.NativeInterface.unitytls_x509verify_explicit_ca (
+								certificatesNativeRef, trustCAnativeRef, targetHostUtf8Ptr, (size_t)targetHostUtf8.Length, x509verify_callback, finalCertificateChainNative, &errorState);
 						}
 					}
 					finally {
 						UnityTls.NativeInterface.unitytls_x509list_free (trustCAnative);
 					}
 				} else {
 					fixed (byte* targetHostUtf8Ptr = targetHostUtf8) {
-						result = UnityTls.NativeInterface.unitytls_x509verify_default_ca (certificatesNativeRef, targetHostUtf8Ptr, (size_t)targetHostUtf8.Length, null, null, &errorState);
+						result = UnityTls.NativeInterface.unitytls_x509verify_default_ca (
+							certificatesNativeRef, targetHostUtf8Ptr, (size_t)targetHostUtf8.Length, x509verify_callback, finalCertificateChainNative, &errorState);
 					}
 				}
 			}
+			catch {
+				UnityTls.NativeInterface.unitytls_x509list_free (finalCertificateChainNative);
+				throw;
+			}
 			finally	{
 				UnityTls.NativeInterface.unitytls_x509list_free (certificatesNative);
 			}
 
+			if (finalCertificateChainNative != null) {
+				chain?.Dispose();
+				chain = new X509Chain(new X509ChainImplUnityTls(
+					UnityTls.NativeInterface.unitytls_x509list_get_ref (finalCertificateChainNative, &errorState),
+					reverseOrder: true // the verify callback starts with the root and ends with the leaf. That's the opposite of chain ordering.
+				));
+			}
+
 			errors = UnityTlsConversions.VerifyResultToPolicyErrror(result);
 			// There should be a status per certificate, but once again we're following closely the BTLS implementation
 			// https://github.com/mono/mono/blob/1553889bc54f87060158febca7e6b8b9910975f8/mcs/class/System/Mono.Btls/MonoBtlsProvider.cs#L180
diff --git a/mcs/class/System/Mono.UnityTls/X509ChainImplUnityTls.cs b/mcs/class/System/Mono.UnityTls/X509ChainImplUnityTls.cs
@@ -17,11 +17,13 @@ class X509ChainImplUnityTls : X509ChainImpl
 		private UnityTls.unitytls_x509list_ref nativeCertificateChain;
 		private X509ChainPolicy policy = new X509ChainPolicy ();
 		private List<X509ChainStatus> chainStatusList;
+		private bool reverseOrder;
 
-		internal X509ChainImplUnityTls (UnityTls.unitytls_x509list_ref nativeCertificateChain)
+		internal X509ChainImplUnityTls (UnityTls.unitytls_x509list_ref nativeCertificateChain, bool reverseOrder = false)
 		{
 			this.elements = null;
 			this.nativeCertificateChain = nativeCertificateChain;
+			this.reverseOrder = reverseOrder;
 		}
 
 		public override bool IsValid {
@@ -57,6 +59,13 @@ public override X509ChainElementCollection ChainElements {
 					}
 				}
 
+				if (reverseOrder) {
+					var reversed = new X509ChainElementCollection ();
+					for (int i=elements.Count - 1; i>=0; --i)
+						reversed.Add(elements[i].Certificate);
+					elements = reversed;
+				}
+
 				return elements;
 			}
 		}

Original file line number	Diff line number	Diff line change
`@@ -17,11 +17,13 @@ class X509ChainImplUnityTls : X509ChainImpl`
`17`	`17`	`private UnityTls.unitytls_x509list_ref nativeCertificateChain;`
`18`	`18`	`private X509ChainPolicy policy = new X509ChainPolicy ();`
`19`	`19`	`private List<X509ChainStatus> chainStatusList;`
	`20`	`+ private bool reverseOrder;`
`20`	`21`
`21`		`- internal X509ChainImplUnityTls (UnityTls.unitytls_x509list_ref nativeCertificateChain)`
	`22`	`+ internal X509ChainImplUnityTls (UnityTls.unitytls_x509list_ref nativeCertificateChain, bool reverseOrder = false)`
`22`	`23`	`{`
`23`	`24`	`this.elements = null;`
`24`	`25`	`this.nativeCertificateChain = nativeCertificateChain;`
	`26`	`+ this.reverseOrder = reverseOrder;`
`25`	`27`	`}`
`26`	`28`
`27`	`29`	`public override bool IsValid {`
`@@ -57,6 +59,13 @@ public override X509ChainElementCollection ChainElements {`
`57`	`59`	`}`
`58`	`60`	`}`
`59`	`61`
	`62`	`+ if (reverseOrder) {`
	`63`	`+ var reversed = new X509ChainElementCollection ();`
	`64`	`+ for (int i=elements.Count - 1; i>=0; --i)`
	`65`	`+ reversed.Add(elements[i].Certificate);`
	`66`	`+ elements = reversed;`
	`67`	`+ }`
	`68`	`+`
`60`	`69`	`return elements;`
`61`	`70`	`}`
`62`	`71`	`}`