[Android] Fix SslStreamCertificateContext empty custom trust store exception (#104016)

simonrozsival · web-flow · commit 8a3e6032595c · 2024-06-28T12:34:43.000+02:00
* Check if certificate collections are not empty before changing trust mode to custom root trust

* Enable SslStream_ClientCertificateContext_SendsChain test on Android

* Apply suggestions from reviews

* Avoid unnecessary allocations
diff --git a/src/libraries/System.Net.Security/src/System/Net/Security/SslStreamCertificateContext.cs b/src/libraries/System.Net.Security/src/System/Net/Security/SslStreamCertificateContext.cs
@@ -56,15 +56,20 @@ internal static SslStreamCertificateContext Create(
 
                 if (trust != null)
                 {
-                    chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
                     if (trust._store != null)
                     {
                         chain.ChainPolicy.CustomTrustStore.AddRange(trust._store.Certificates);
                     }
+
                     if (trust._trustList != null)
                     {
                         chain.ChainPolicy.CustomTrustStore.AddRange(trust._trustList);
                     }
+
+                    if (chain.ChainPolicy.CustomTrustStore.Count > 0)
+                    {
+                        chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
+                    }
                 }
 
                 chain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllFlags;
@@ -77,7 +82,7 @@ internal static SslStreamCertificateContext Create(
                     NetEventSource.Error(null, $"Failed to build chain for {target.Subject}");
                 }
 
-                if (!chainStatus && ChainBuildNeedsTrustedRoot && additionalCertificates != null)
+                if (!chainStatus && ChainBuildNeedsTrustedRoot && additionalCertificates?.Count > 0)
                 {
                     // Some platforms like Android may not be able to build the chain unless the chain root is trusted.
                     // We can try to rebuild the chain with making all extra certificates trused.
diff --git a/src/libraries/System.Net.Security/tests/FunctionalTests/SslStreamNetworkStreamTest.cs b/src/libraries/System.Net.Security/tests/FunctionalTests/SslStreamNetworkStreamTest.cs
@@ -917,7 +917,6 @@ public async Task SslStream_ClientCertificate_SendsChain()
         [Theory]
         [InlineData(true)]
         [InlineData(false)]
-        [ActiveIssue("https://github.com/dotnet/runtime/issues/68206", TestPlatforms.Android)]
         public async Task SslStream_ClientCertificateContext_SendsChain(bool useTrust)
         {
             (X509Certificate2 clientCertificate, X509Certificate2Collection clientChain) = Configuration.Certificates.GenerateCertificates(nameof(SslStream_ClientCertificateContext_SendsChain), serverCertificate: false);

Original file line number	Diff line number	Diff line change
`@@ -56,15 +56,20 @@ internal static SslStreamCertificateContext Create(`
`56`	`56`
`57`	`57`	`if (trust != null)`
`58`	`58`	`{`
`59`		`- chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;`
`60`	`59`	`if (trust._store != null)`
`61`	`60`	`{`
`62`	`61`	`chain.ChainPolicy.CustomTrustStore.AddRange(trust._store.Certificates);`
`63`	`62`	`}`
	`63`	`+`
`64`	`64`	`if (trust._trustList != null)`
`65`	`65`	`{`
`66`	`66`	`chain.ChainPolicy.CustomTrustStore.AddRange(trust._trustList);`
`67`	`67`	`}`
	`68`	`+`
	`69`	`+ if (chain.ChainPolicy.CustomTrustStore.Count > 0)`
	`70`	`+ {`
	`71`	`+ chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;`
	`72`	`+ }`
`68`	`73`	`}`
`69`	`74`
`70`	`75`	`chain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllFlags;`
`@@ -77,7 +82,7 @@ internal static SslStreamCertificateContext Create(`
`77`	`82`	`NetEventSource.Error(null, $"Failed to build chain for {target.Subject}");`
`78`	`83`	`}`
`79`	`84`
`80`		`- if (!chainStatus && ChainBuildNeedsTrustedRoot && additionalCertificates != null)`
	`85`	`+ if (!chainStatus && ChainBuildNeedsTrustedRoot && additionalCertificates?.Count > 0)`
`81`	`86`	`{`
`82`	`87`	`// Some platforms like Android may not be able to build the chain unless the chain root is trusted.`
`83`	`88`	`// We can try to rebuild the chain with making all extra certificates trused.`
Original file line number	Diff line number	Diff line change
`@@ -917,7 +917,6 @@ public async Task SslStream_ClientCertificate_SendsChain()`
`917`	`917`	`[Theory]`
`918`	`918`	`[InlineData(true)]`
`919`	`919`	`[InlineData(false)]`
`920`		`- [ActiveIssue("https://github.com/dotnet/runtime/issues/68206", TestPlatforms.Android)]`
`921`	`920`	`public async Task SslStream_ClientCertificateContext_SendsChain(bool useTrust)`
`922`	`921`	`{`
`923`	`922`	`(X509Certificate2 clientCertificate, X509Certificate2Collection clientChain) = Configuration.Certificates.GenerateCertificates(nameof(SslStream_ClientCertificateContext_SendsChain), serverCertificate: false);`