Merge pull request #1246 from Unity-Technologies/unitytls/custom-chain

Custom tls chain impl to fix callback issue and avoid copying

Author: AndreasReich

mcs/class/System/Mono.UnityTls/CertHelper.cs

@@ -31,25 +31,6 @@ public static void AddCertificateToNativeChain (UnityTls.unitytls_x509list* nati
 				}
 			}
 		}
-
-		public static X509CertificateCollection NativeChainToManagedCollection (UnityTls.unitytls_x509list_ref nativeCertificateChain, UnityTls.unitytls_errorstate* errorState)
-		{
-			X509CertificateCollection certificates = new X509CertificateCollection ();
-
-			var cert = UnityTls.NativeInterface.unitytls_x509list_get_x509 (nativeCertificateChain, (size_t)0, errorState);
-			for (int i = 0; cert.handle != UnityTls.NativeInterface.UNITYTLS_INVALID_HANDLE; ++i) {
-				size_t certBufferSize = UnityTls.NativeInterface.unitytls_x509_export_der (cert, null, (size_t)0, errorState);
-				var certBuffer = new byte[(int)certBufferSize];	// Need to reallocate every time since X509Certificate constructor takes no length but only a byte array.
-				fixed(byte* certBufferPtr = certBuffer) {
-					UnityTls.NativeInterface.unitytls_x509_export_der (cert, certBufferPtr, certBufferSize, errorState);
-				}
-				certificates.Add (new X509Certificate (certBuffer));
-
-				cert = UnityTls.NativeInterface.unitytls_x509list_get_x509 (nativeCertificateChain, (size_t)i, errorState);
-			}
-
-			return certificates;
-		}
 	}
 }
 #endif

mcs/class/System/Mono.UnityTls/UnityTlsContext.cs

@@ -446,13 +446,17 @@ static private UnityTls.unitytls_x509verify_result VerifyCallback (void* userDat
 		private UnityTls.unitytls_x509verify_result VerifyCallback (UnityTls.unitytls_x509list_ref chain, UnityTls.unitytls_errorstate* errorState)
 		{
 			try {
-				X509CertificateCollection certificates = CertHelper.NativeChainToManagedCollection (chain, errorState);
-				remoteCertificate = new X509Certificate (certificates [0]);
-
-				if (ValidateCertificate (certificates))
-					return UnityTls.unitytls_x509verify_result.UNITYTLS_X509VERIFY_SUCCESS;
-				else
-					return UnityTls.unitytls_x509verify_result.UNITYTLS_X509VERIFY_FLAG_NOT_TRUSTED;
+				using (var chainImpl = new X509ChainImplUnityTls(chain))
+				using (var managedChain = new X509Chain (chainImpl)) {
+					remoteCertificate = managedChain.ChainElements[0].Certificate;
+
+					// Note that the overload of this method that takes a X509CertificateCollection will not pass on the chain to 
+					// user callbacks like ServicePointManager.ServerCertificateValidationCallback which can cause issues along the line.
+					if (ValidateCertificate (remoteCertificate, managedChain))
+						return UnityTls.unitytls_x509verify_result.UNITYTLS_X509VERIFY_SUCCESS;
+					else
+						return UnityTls.unitytls_x509verify_result.UNITYTLS_X509VERIFY_FLAG_NOT_TRUSTED;
+				}
 			} catch (Exception ex) { // handle all exceptions and store them for later since we don't want to let them go through native code.
 				if (lastException == null)
 					lastException = ex;

mcs/class/System/Mono.UnityTls/UnityTlsProvider.cs

@@ -53,17 +53,26 @@ internal override bool ValidateCertificate (
 			X509CertificateCollection certificates, bool wantsChain, ref X509Chain chain,
 			ref MonoSslPolicyErrors errors, ref int status11)
 		{
-			if (certificates == null) {
-				errors |= MonoSslPolicyErrors.RemoteCertificateNotAvailable;
-				return false;
-			}
+			var errorState = UnityTls.NativeInterface.unitytls_errorstate_create ();
 
-			if (wantsChain)
-				chain = MNS.SystemCertificateValidator.CreateX509Chain (certificates);
+			var unityTlsChainImpl = chain.Impl as X509ChainImplUnityTls;
+			if (unityTlsChainImpl == null)
+			{
+				if (certificates == null || certificates.Count == 0) {
+					errors |= MonoSslPolicyErrors.RemoteCertificateNotAvailable;
+					return false;
+				}
 
-			if (certificates == null || certificates.Count == 0) {
-				errors |= MonoSslPolicyErrors.RemoteCertificateNotAvailable;
-				return false;
+				if (wantsChain)
+					chain = MNS.SystemCertificateValidator.CreateX509Chain (certificates);
+			}
+			else
+			{
+				var cert = UnityTls.NativeInterface.unitytls_x509list_get_x509 (unityTlsChainImpl.NativeCertificateChain, (size_t)0, &errorState);
+				if (cert.handle == UnityTls.NativeInterface.UNITYTLS_INVALID_HANDLE) {
+					errors |= MonoSslPolicyErrors.RemoteCertificateNotAvailable;
+					return false;
+				}
 			}
 
 			// fixup targetHost name by removing port
@@ -73,10 +82,9 @@ internal override bool ValidateCertificate (
 					targetHost = targetHost.Substring (0, pos);
 			}
 
-			// convert cert to native
-			var errorState = UnityTls.NativeInterface.unitytls_errorstate_create ();
-			var certificatesNative = UnityTls.NativeInterface.unitytls_x509list_create (&errorState);
+			// convert cert to native or extract from unityTlsChainImpl.
 			var result = UnityTls.unitytls_x509verify_result.UNITYTLS_X509VERIFY_NOT_DONE;
+			UnityTls.unitytls_x509list* certificatesNative = null;
 			try
 			{
 				// Things the validator provides that we might want to make use of here:
@@ -85,28 +93,40 @@ internal override bool ValidateCertificate (
 				//validator.Settings.CertificateValidationTime
 				//validator.Settings.CertificateSearchPaths				// currently only used by MonoBtlsProvider
 
-				CertHelper.AddCertificatesToNativeChain (certificatesNative, certificates, &errorState);
-				var certificatesNativeRef = UnityTls.NativeInterface.unitytls_x509list_get_ref (certificatesNative, &errorState);
+				UnityTls.unitytls_x509list_ref certificatesNativeRef;
+				if (unityTlsChainImpl == null)
+				{
+					certificatesNative = UnityTls.NativeInterface.unitytls_x509list_create (&errorState);
+					CertHelper.AddCertificatesToNativeChain (certificatesNative, certificates, &errorState);
+					certificatesNativeRef = UnityTls.NativeInterface.unitytls_x509list_get_ref (certificatesNative, &errorState);
+				}
+				else
+					certificatesNativeRef = unityTlsChainImpl.NativeCertificateChain;
+				
 				var targetHostUtf8 = Encoding.UTF8.GetBytes (targetHost);
 
 				if (validator.Settings.TrustAnchors != null) {
-					var trustCAnative = UnityTls.NativeInterface.unitytls_x509list_create (&errorState);
-					CertHelper.AddCertificatesToNativeChain (trustCAnative, validator.Settings.TrustAnchors, &errorState);
-					var trustCAnativeRef = UnityTls.NativeInterface.unitytls_x509list_get_ref (certificatesNative, &errorState);
-
-					fixed (byte* targetHostUtf8Ptr = targetHostUtf8) {
-						result = UnityTls.NativeInterface.unitytls_x509verify_explicit_ca (certificatesNativeRef, trustCAnativeRef, targetHostUtf8Ptr, (size_t)targetHostUtf8.Length, null, null, &errorState);
+					UnityTls.unitytls_x509list* trustCAnative = null;
+					try
+					{
+						trustCAnative = UnityTls.NativeInterface.unitytls_x509list_create (&errorState);
+						CertHelper.AddCertificatesToNativeChain (trustCAnative, validator.Settings.TrustAnchors, &errorState);
+						var trustCAnativeRef = UnityTls.NativeInterface.unitytls_x509list_get_ref (trustCAnative, &errorState);
+
+						fixed (byte* targetHostUtf8Ptr = targetHostUtf8) {
+							result = UnityTls.NativeInterface.unitytls_x509verify_explicit_ca (certificatesNativeRef, trustCAnativeRef, targetHostUtf8Ptr, (size_t)targetHostUtf8.Length, null, null, &errorState);
+						}
+					}
+					finally {
+						UnityTls.NativeInterface.unitytls_x509list_free (trustCAnative);
 					}
-
-					UnityTls.NativeInterface.unitytls_x509list_free (trustCAnative);
 				} else {
 					fixed (byte* targetHostUtf8Ptr = targetHostUtf8) {
 						result = UnityTls.NativeInterface.unitytls_x509verify_default_ca (certificatesNativeRef, targetHostUtf8Ptr, (size_t)targetHostUtf8.Length, null, null, &errorState);
 					}
 				}
 			}
-			finally
-			{
+			finally	{
 				UnityTls.NativeInterface.unitytls_x509list_free (certificatesNative);
 			}
 

mcs/class/System/Mono.UnityTls/X509ChainImplUnityTls.cs

@@ -0,0 +1,93 @@
+#if SECURITY_DEP
+
+using System;
+using System.Text;
+using System.Security;
+using System.Security.Cryptography;
+using System.Security.Cryptography.X509Certificates;
+using size_t = System.IntPtr;
+
+namespace Mono.Unity
+{
+	// Follows mostly X509ChainImplBtls
+	class X509ChainImplUnityTls : X509ChainImpl
+	{
+		X509ChainElementCollection elements;
+		UnityTls.unitytls_x509list_ref nativeCertificateChain;
+		X509ChainPolicy policy = new X509ChainPolicy ();
+
+		internal X509ChainImplUnityTls (UnityTls.unitytls_x509list_ref nativeCertificateChain)
+		{
+			this.elements = null;
+			this.nativeCertificateChain = nativeCertificateChain;
+		}
+
+		public override bool IsValid {
+			get { return nativeCertificateChain.handle != UnityTls.NativeInterface.UNITYTLS_INVALID_HANDLE; }
+		}
+
+		public override IntPtr Handle {
+			get { return new IntPtr((long)nativeCertificateChain.handle); }
+		}
+
+		internal UnityTls.unitytls_x509list_ref NativeCertificateChain => nativeCertificateChain;
+
+		public override X509ChainElementCollection ChainElements {
+			get {
+				ThrowIfContextInvalid ();
+				if (elements != null)
+					return elements;
+
+				unsafe
+				{
+					elements = new X509ChainElementCollection ();
+					UnityTls.unitytls_errorstate errorState = UnityTls.NativeInterface.unitytls_errorstate_create ();
+					var cert = UnityTls.NativeInterface.unitytls_x509list_get_x509 (nativeCertificateChain, (size_t)0, &errorState);
+					for (int i = 0; cert.handle != UnityTls.NativeInterface.UNITYTLS_INVALID_HANDLE; ++i) {
+						size_t certBufferSize = UnityTls.NativeInterface.unitytls_x509_export_der (cert, null, (size_t)0, &errorState);
+						var certBuffer = new byte[(int)certBufferSize];	// Need to reallocate every time since X509Certificate constructor takes no length but only a byte array.
+						fixed(byte* certBufferPtr = certBuffer) {
+							UnityTls.NativeInterface.unitytls_x509_export_der (cert, certBufferPtr, certBufferSize, &errorState);
+						}
+						elements.Add (new X509Certificate2 (certBuffer));
+
+						cert = UnityTls.NativeInterface.unitytls_x509list_get_x509 (nativeCertificateChain, (size_t)i, &errorState);
+					}
+				}
+
+				return elements;
+			}
+		}
+
+		public override X509ChainPolicy ChainPolicy {
+			get { return policy; }
+			set { policy = value; }
+		}
+
+		public override X509ChainStatus[] ChainStatus {
+			get { throw new NotImplementedException (); }
+		}
+
+		public override bool Build (X509Certificate2 certificate)
+		{
+			return false;
+		}
+
+		public override void Reset ()
+		{
+			if (elements != null) {
+				nativeCertificateChain.handle = UnityTls.NativeInterface.UNITYTLS_INVALID_HANDLE;
+				elements.Clear ();
+				elements = null;
+			}
+		}
+
+		protected override void Dispose (bool disposing)
+		{
+			Reset();
+			base.Dispose (disposing);
+		}
+	}
+}
+
+#endif

mcs/class/System/common.sources

@@ -261,6 +261,7 @@ Mono.UnityTls/UnityTlsProvider.cs
 Mono.UnityTls/UnityTlsStream.cs
 Mono.UnityTls/UnityTlsContext.cs
 Mono.UnityTls/UnityTlsConversions.cs
+Mono.UnityTls/X509ChainImplUnityTls.cs
 Mono.UnityTls/Debug.cs
 Mono.UnityTls/CertHelper.cs