Add CertificateChainPolicy to ssl options

wfurt · bartonjs · web-flow · commit 388dd6c54c75 · 2022-07-12T16:02:26.000-07:00
Co-authored-by: Jeremy Barton &lt;jbarton@microsoft.com&gt;
diff --git a/src/libraries/System.Net.Security/ref/System.Net.Security.cs b/src/libraries/System.Net.Security/ref/System.Net.Security.cs
@@ -207,6 +207,7 @@ public SslClientAuthenticationOptions() { }
         public System.Net.Security.LocalCertificateSelectionCallback? LocalCertificateSelectionCallback { get { throw null; } set { } }
         public System.Net.Security.RemoteCertificateValidationCallback? RemoteCertificateValidationCallback { get { throw null; } set { } }
         public string? TargetHost { get { throw null; } set { } }
+        public System.Security.Cryptography.X509Certificates.X509ChainPolicy? CertificateChainPolicy { get { throw null; } set { } }
     }
     public readonly partial struct SslClientHelloInfo
     {
@@ -229,6 +230,7 @@ public SslServerAuthenticationOptions() { }
         public System.Security.Cryptography.X509Certificates.X509Certificate? ServerCertificate { get { throw null; } set { } }
         public System.Net.Security.SslStreamCertificateContext? ServerCertificateContext { get { throw null; } set { } }
         public System.Net.Security.ServerCertificateSelectionCallback? ServerCertificateSelectionCallback { get { throw null; } set { } }
+        public System.Security.Cryptography.X509Certificates.X509ChainPolicy? CertificateChainPolicy { get { throw null; } set { } }
     }
     public partial class SslStream : System.Net.Security.AuthenticatedStream
     {
diff --git a/src/libraries/System.Net.Security/src/System/Net/CertificateValidationPal.Android.cs b/src/libraries/System.Net.Security/src/System/Net/CertificateValidationPal.Android.cs
@@ -44,7 +44,8 @@ internal static SslPolicyErrors VerifyCertificateProperties(
         private static X509Certificate2? GetRemoteCertificate(
             SafeDeleteContext? securityContext,
             bool retrieveChainCertificates,
-            ref X509Chain? chain)
+            ref X509Chain? chain,
+            X509ChainPolicy? chainPolicy)
         {
             SafeSslHandle? sslContext = ((SafeDeleteSslContext?)securityContext)?.SslContext;
             if (sslContext == null)
@@ -65,6 +66,10 @@ internal static SslPolicyErrors VerifyCertificateProperties(
             else
             {
                 chain ??= new X509Chain();
+                if (chainPolicy != null)
+                {
+                    chain.ChainPolicy = chainPolicy;
+                }
                 IntPtr[]? ptrs = Interop.AndroidCrypto.SSLStreamGetPeerCertificates(sslContext);
                 if (ptrs != null && ptrs.Length > 0)
                 {
diff --git a/src/libraries/System.Net.Security/src/System/Net/CertificateValidationPal.OSX.cs b/src/libraries/System.Net.Security/src/System/Net/CertificateValidationPal.OSX.cs
@@ -50,7 +50,8 @@ internal static SslPolicyErrors VerifyCertificateProperties(
         private static X509Certificate2? GetRemoteCertificate(
             SafeDeleteContext? securityContext,
             bool retrieveChainCertificates,
-            ref X509Chain? chain)
+            ref X509Chain? chain,
+            X509ChainPolicy? chainPolicy)
         {
             if (securityContext == null)
             {
@@ -73,6 +74,10 @@ internal static SslPolicyErrors VerifyCertificateProperties(
                 if (retrieveChainCertificates)
                 {
                     chain ??= new X509Chain();
+                    if (chainPolicy != null)
+                    {
+                        chain.ChainPolicy = chainPolicy;
+                    }
 
                     for (int i = 0; i < chainSize; i++)
                     {
diff --git a/src/libraries/System.Net.Security/src/System/Net/CertificateValidationPal.Unix.cs b/src/libraries/System.Net.Security/src/System/Net/CertificateValidationPal.Unix.cs
@@ -24,7 +24,11 @@ internal static SslPolicyErrors VerifyCertificateProperties(
         //
         // Extracts a remote certificate upon request.
         //
-        private static X509Certificate2? GetRemoteCertificate(SafeDeleteContext? securityContext, bool retrieveChainCertificates, ref X509Chain? chain)
+        private static X509Certificate2? GetRemoteCertificate(
+            SafeDeleteContext? securityContext,
+            bool retrieveChainCertificates,
+            ref X509Chain? chain,
+            X509ChainPolicy? chainPolicy)
         {
             bool gotReference = false;
 
@@ -48,6 +52,10 @@ internal static SslPolicyErrors VerifyCertificateProperties(
                 if (retrieveChainCertificates)
                 {
                     chain ??= new X509Chain();
+                    if (chainPolicy != null)
+                    {
+                        chain.ChainPolicy = chainPolicy;
+                    }
 
                     using (SafeSharedX509StackHandle chainStack =
                         Interop.OpenSsl.GetPeerCertificateChain(((SafeDeleteSslContext)securityContext).SslContext))
diff --git a/src/libraries/System.Net.Security/src/System/Net/CertificateValidationPal.Windows.cs b/src/libraries/System.Net.Security/src/System/Net/CertificateValidationPal.Windows.cs
@@ -29,7 +29,10 @@ internal static SslPolicyErrors VerifyCertificateProperties(
         //
 
         private static X509Certificate2? GetRemoteCertificate(
-            SafeDeleteContext? securityContext, bool retrieveChainCertificates, ref X509Chain? chain)
+            SafeDeleteContext? securityContext,
+            bool retrieveChainCertificates,
+            ref X509Chain? chain,
+            X509ChainPolicy? chainPolicy)
         {
             if (securityContext == null)
             {
@@ -67,6 +70,10 @@ internal static SslPolicyErrors VerifyCertificateProperties(
                     if (retrieveChainCertificates)
                     {
                         chain ??= new X509Chain();
+                        if (chainPolicy != null)
+                        {
+                            chain.ChainPolicy = chainPolicy;
+                        }
 
                         UnmanagedCertificateContext.GetRemoteCertificatesFromStoreContext(remoteContext, chain.ChainPolicy.ExtraStore);
                     }
diff --git a/src/libraries/System.Net.Security/src/System/Net/CertificateValidationPal.cs b/src/libraries/System.Net.Security/src/System/Net/CertificateValidationPal.cs
@@ -19,10 +19,10 @@ internal static partial class CertificateValidationPal
         private static X509Chain? s_chain;
 
         internal static X509Certificate2? GetRemoteCertificate(SafeDeleteContext? securityContext) =>
-            GetRemoteCertificate(securityContext, retrieveChainCertificates: false, ref s_chain);
+            GetRemoteCertificate(securityContext, retrieveChainCertificates: false, ref s_chain, null);
 
-        internal static X509Certificate2? GetRemoteCertificate(SafeDeleteContext? securityContext, ref X509Chain? chain) =>
-            GetRemoteCertificate(securityContext, retrieveChainCertificates: true, ref chain);
+        internal static X509Certificate2? GetRemoteCertificate(SafeDeleteContext? securityContext, ref X509Chain? chain, X509ChainPolicy? chainPolicy) =>
+            GetRemoteCertificate(securityContext, retrieveChainCertificates: true, ref chain, chainPolicy);
 
         static partial void CheckSupportsStore(StoreLocation storeLocation, ref bool hasSupport);
 
diff --git a/src/libraries/System.Net.Security/src/System/Net/Security/SslAuthenticationOptions.cs b/src/libraries/System.Net.Security/src/System/Net/Security/SslAuthenticationOptions.cs
@@ -56,6 +56,11 @@ internal void UpdateOptions(SslClientAuthenticationOptions sslClientAuthenticati
             CertificateRevocationCheckMode = sslClientAuthenticationOptions.CertificateRevocationCheckMode;
             ClientCertificates = sslClientAuthenticationOptions.ClientCertificates;
             CipherSuitesPolicy = sslClientAuthenticationOptions.CipherSuitesPolicy;
+
+            if (sslClientAuthenticationOptions.CertificateChainPolicy != null)
+            {
+                CertificateChainPolicy = sslClientAuthenticationOptions.CertificateChainPolicy.Clone();
+            }
         }
 
         internal void UpdateOptions(ServerOptionsSelectionCallback optionCallback, object? state)
@@ -135,6 +140,11 @@ internal void UpdateOptions(SslServerAuthenticationOptions sslServerAuthenticati
             {
                 ServerCertSelectionDelegate = sslServerAuthenticationOptions.ServerCertificateSelectionCallback;
             }
+
+            if (sslServerAuthenticationOptions.CertificateChainPolicy != null)
+            {
+                CertificateChainPolicy = sslServerAuthenticationOptions.CertificateChainPolicy.Clone();
+            }
         }
 
         private static SslProtocols FilterOutIncompatibleSslProtocols(SslProtocols protocols)
@@ -170,5 +180,6 @@ private static SslProtocols FilterOutIncompatibleSslProtocols(SslProtocols proto
         internal CipherSuitesPolicy? CipherSuitesPolicy { get; set; }
         internal object? UserState { get; set; }
         internal ServerOptionsSelectionCallback? ServerOptionDelegate { get; set; }
+        internal X509ChainPolicy? CertificateChainPolicy { get; set; }
     }
 }
diff --git a/src/libraries/System.Net.Security/src/System/Net/Security/SslClientAuthenticationOptions.cs b/src/libraries/System.Net.Security/src/System/Net/Security/SslClientAuthenticationOptions.cs
@@ -73,5 +73,13 @@ public SslProtocols EnabledSslProtocols
         /// Use extreme caution when changing this setting.
         /// </summary>
         public CipherSuitesPolicy? CipherSuitesPolicy { get; set; }
+
+        /// <summary>
+        /// Gets or sets an optional customized policy for remote certificate
+        /// validation. If not <see langword="null"/>,
+        /// <see cref="CertificateRevocationCheckMode"/> and <see cref="SslCertificateTrust"/>
+        /// are ignored.
+        /// </summary>
+        public X509ChainPolicy? CertificateChainPolicy { get; set; }
     }
 }
diff --git a/src/libraries/System.Net.Security/src/System/Net/Security/SslServerAuthenticationOptions.cs b/src/libraries/System.Net.Security/src/System/Net/Security/SslServerAuthenticationOptions.cs
@@ -74,5 +74,13 @@ public EncryptionPolicy EncryptionPolicy
         /// Use extreme caution when changing this setting.
         /// </summary>
         public CipherSuitesPolicy? CipherSuitesPolicy { get; set; }
+
+        /// <summary>
+        /// Gets or sets an optional customized policy for remote certificate
+        /// validation. If not <see langword="null"/>,
+        /// <see cref="CertificateRevocationCheckMode"/> and <see cref="SslCertificateTrust"/>
+        /// are ignored.
+        /// </summary>
+        public X509ChainPolicy? CertificateChainPolicy { get; set; }
     }
 }
diff --git a/src/libraries/System.Net.Security/src/System/Net/Security/SslStream.Protocol.cs b/src/libraries/System.Net.Security/src/System/Net/Security/SslStream.Protocol.cs
@@ -936,7 +936,7 @@ internal bool VerifyRemoteCertificate(RemoteCertificateValidationCallback? remot
 
             try
             {
-                X509Certificate2? certificate = CertificateValidationPal.GetRemoteCertificate(_securityContext, ref chain);
+                X509Certificate2? certificate = CertificateValidationPal.GetRemoteCertificate(_securityContext, ref chain, _sslAuthenticationOptions.CertificateChainPolicy);
                 if (_remoteCertificate != null && certificate != null &&
                     certificate.RawDataMemory.Span.SequenceEqual(_remoteCertificate.RawDataMemory.Span))
                 {
@@ -955,25 +955,37 @@ internal bool VerifyRemoteCertificate(RemoteCertificateValidationCallback? remot
                 else
                 {
                     chain ??= new X509Chain();
-                    chain.ChainPolicy.RevocationMode = _sslAuthenticationOptions.CertificateRevocationCheckMode;
-                    chain.ChainPolicy.RevocationFlag = X509RevocationFlag.ExcludeRoot;
 
-                    // Authenticate the remote party: (e.g. when operating in server mode, authenticate the client).
-                    chain.ChainPolicy.ApplicationPolicy.Add(_sslAuthenticationOptions.IsServer ? s_clientAuthOid : s_serverAuthOid);
-
-                    if (trust != null)
+                    if (_sslAuthenticationOptions.CertificateChainPolicy != null)
                     {
-                        chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
-                        if (trust._store != null)
-                        {
-                            chain.ChainPolicy.CustomTrustStore.AddRange(trust._store.Certificates);
-                        }
-                        if (trust._trustList != null)
+                        chain.ChainPolicy = _sslAuthenticationOptions.CertificateChainPolicy;
+                    }
+                    else
+                    {
+                        chain.ChainPolicy.RevocationMode = _sslAuthenticationOptions.CertificateRevocationCheckMode;
+                        chain.ChainPolicy.RevocationFlag = X509RevocationFlag.ExcludeRoot;
+
+                        if (trust != null)
                         {
-                            chain.ChainPolicy.CustomTrustStore.AddRange(trust._trustList);
+                            chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
+                            if (trust._store != null)
+                            {
+                                chain.ChainPolicy.CustomTrustStore.AddRange(trust._store.Certificates);
+                            }
+                            if (trust._trustList != null)
+                            {
+                                chain.ChainPolicy.CustomTrustStore.AddRange(trust._trustList);
+                            }
                         }
                     }
 
+                    // set ApplicationPolicy unless already provided.
+                    if (chain.ChainPolicy.ApplicationPolicy.Count == 0)
+                    {
+                        // Authenticate the remote party: (e.g. when operating in server mode, authenticate the client).
+                        chain.ChainPolicy.ApplicationPolicy.Add(_sslAuthenticationOptions.IsServer ? s_clientAuthOid : s_serverAuthOid);
+                    }
+
                     sslPolicyErrors |= CertificateValidationPal.VerifyCertificateProperties(
                         _securityContext!,
                         chain,
diff --git a/src/libraries/System.Net.Security/tests/FunctionalTests/SslAuthenticationOptionsTest.cs b/src/libraries/System.Net.Security/tests/FunctionalTests/SslAuthenticationOptionsTest.cs
@@ -49,6 +49,7 @@ public async Task ClientOptions_ServerOptions_NotMutatedDuringAuthentication()
 #pragma warning restore SYSLIB0040
                 RemoteCertificateValidationCallback serverRemoteCallback = new RemoteCertificateValidationCallback(delegate { return true; });
                 SslStreamCertificateContext certificateContext = SslStreamCertificateContext.Create(serverCert, null, false);
+                X509ChainPolicy policy = new X509ChainPolicy();
 
                 (Stream stream1, Stream stream2) = TestHelper.GetConnectedStreams();
                 using (var client = new SslStream(stream1))
@@ -65,7 +66,8 @@ public async Task ClientOptions_ServerOptions_NotMutatedDuringAuthentication()
                         EncryptionPolicy = clientEncryption,
                         LocalCertificateSelectionCallback = clientLocalCallback,
                         RemoteCertificateValidationCallback = clientRemoteCallback,
-                        TargetHost = clientHost
+                        TargetHost = clientHost,
+                        CertificateChainPolicy = policy,
                     };
 
                     // Create server options
@@ -80,6 +82,7 @@ public async Task ClientOptions_ServerOptions_NotMutatedDuringAuthentication()
                         RemoteCertificateValidationCallback = serverRemoteCallback,
                         ServerCertificate = serverCert,
                         ServerCertificateContext = certificateContext,
+                        CertificateChainPolicy = policy,
                     };
 
                     // Authenticate
@@ -99,6 +102,8 @@ public async Task ClientOptions_ServerOptions_NotMutatedDuringAuthentication()
                     Assert.Same(clientLocalCallback, clientOptions.LocalCertificateSelectionCallback);
                     Assert.Same(clientRemoteCallback, clientOptions.RemoteCertificateValidationCallback);
                     Assert.Same(clientHost, clientOptions.TargetHost);
+                    Assert.Same(clientHost, clientOptions.TargetHost);
+                    Assert.Same(policy, clientOptions.CertificateChainPolicy);
 
                     // Validate that server options are unchanged
                     Assert.Equal(serverAllowRenegotiation, serverOptions.AllowRenegotiation);
@@ -111,6 +116,7 @@ public async Task ClientOptions_ServerOptions_NotMutatedDuringAuthentication()
                     Assert.Same(serverRemoteCallback, serverOptions.RemoteCertificateValidationCallback);
                     Assert.Same(serverCert, serverOptions.ServerCertificate);
                     Assert.Same(certificateContext, serverOptions.ServerCertificateContext);
+                    Assert.Same(policy, serverOptions.CertificateChainPolicy);
                 }
             }
         }
diff --git a/src/libraries/System.Net.Security/tests/FunctionalTests/SslStreamNetworkStreamTest.cs b/src/libraries/System.Net.Security/tests/FunctionalTests/SslStreamNetworkStreamTest.cs
@@ -745,32 +745,23 @@ await TestConfiguration.WhenAllOrAnyFailedWithTimeout(
         [InlineData(true)]
         [InlineData(false)]
         [ActiveIssue("https://github.com/dotnet/runtime/issues/68206", TestPlatforms.Android)]
-        public async Task SslStream_UntrustedCaWithCustomCallback_OK(bool usePartialChain)
+        public async Task SslStream_UntrustedCaWithCustomTrust_OK(bool usePartialChain)
         {
             int split = Random.Shared.Next(0, certificates.serverChain.Count - 1);
 
             var clientOptions = new SslClientAuthenticationOptions() { TargetHost = "localhost" };
-            clientOptions.RemoteCertificateValidationCallback =
-                (sender, certificate, chain, sslPolicyErrors) =>
+            clientOptions.CertificateChainPolicy = new X509ChainPolicy() { RevocationMode = X509RevocationMode.NoCheck,
+                                                                     TrustMode = X509ChainTrustMode.CustomRootTrust };
+            clientOptions.CertificateChainPolicy.CustomTrustStore.Add(certificates.serverChain[certificates.serverChain.Count - 1]);
+            // Add only one CA to verify that peer did send intermediate CA cert.
+            // In case of partial chain, we need to make missing certs available.
+            if (usePartialChain)
+            {
+                for (int i = split; i < certificates.serverChain.Count - 1; i++)
                 {
-                    // add our custom root CA
-                    chain.ChainPolicy.CustomTrustStore.Add(certificates.serverChain[certificates.serverChain.Count - 1]);
-                    chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
-                    // Add only one CA to verify that peer did send intermediate CA cert.
-                    // In case of partial chain, we need to make missing certs available.
-                    if (usePartialChain)
-                    {
-                        for (int i = split; i < certificates.serverChain.Count - 1; i++)
-                        {
-                            chain.ChainPolicy.ExtraStore.Add(certificates.serverChain[i]);
-                        }
-                    }
-
-                    bool result = chain.Build((X509Certificate2)certificate);
-                    Assert.True(result);
-
-                    return result;
-                };
+                    clientOptions.CertificateChainPolicy.ExtraStore.Add(certificates.serverChain[i]);
+                }
+            }
 
             var serverOptions = new SslServerAuthenticationOptions();
             X509Certificate2Collection serverChain;
diff --git a/src/libraries/System.Security.Cryptography/ref/System.Security.Cryptography.cs b/src/libraries/System.Security.Cryptography/ref/System.Security.Cryptography.cs
@@ -2916,6 +2916,8 @@ public X509ChainPolicy() { }
         public System.TimeSpan UrlRetrievalTimeout { get { throw null; } set { } }
         public System.Security.Cryptography.X509Certificates.X509VerificationFlags VerificationFlags { get { throw null; } set { } }
         public System.DateTime VerificationTime { get { throw null; } set { } }
+        public bool VerificationTimeIgnored { get { throw null; } set { } }
+        public System.Security.Cryptography.X509Certificates.X509ChainPolicy Clone() { throw null; }
         public void Reset() { }
     }
     public partial struct X509ChainStatus
diff --git a/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/X509Chain.cs b/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/X509Chain.cs
@@ -133,7 +133,7 @@ internal bool Build(X509Certificate2 certificate, bool throwOnException)
                     chainPolicy.RevocationFlag,
                     chainPolicy._customTrustStore,
                     chainPolicy.TrustMode,
-                    chainPolicy.VerificationTime,
+                    chainPolicy.VerificationTimeIgnored ? DateTime.Now : chainPolicy.VerificationTime,
                     chainPolicy.UrlRetrievalTimeout,
                     chainPolicy.DisableCertificateDownloads);
 
diff --git a/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/X509ChainPolicy.cs b/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/X509ChainPolicy.cs

Original file line number	Diff line number	Diff line change
`@@ -207,6 +207,7 @@ public SslClientAuthenticationOptions() { }`
`207`	`207`	`public System.Net.Security.LocalCertificateSelectionCallback? LocalCertificateSelectionCallback { get { throw null; } set { } }`
`208`	`208`	`public System.Net.Security.RemoteCertificateValidationCallback? RemoteCertificateValidationCallback { get { throw null; } set { } }`
`209`	`209`	`public string? TargetHost { get { throw null; } set { } }`
	`210`	`+ public System.Security.Cryptography.X509Certificates.X509ChainPolicy? CertificateChainPolicy { get { throw null; } set { } }`
`210`	`211`	`}`
`211`	`212`	`public readonly partial struct SslClientHelloInfo`
`212`	`213`	`{`
`@@ -229,6 +230,7 @@ public SslServerAuthenticationOptions() { }`
`229`	`230`	`public System.Security.Cryptography.X509Certificates.X509Certificate? ServerCertificate { get { throw null; } set { } }`
`230`	`231`	`public System.Net.Security.SslStreamCertificateContext? ServerCertificateContext { get { throw null; } set { } }`
`231`	`232`	`public System.Net.Security.ServerCertificateSelectionCallback? ServerCertificateSelectionCallback { get { throw null; } set { } }`
	`233`	`+ public System.Security.Cryptography.X509Certificates.X509ChainPolicy? CertificateChainPolicy { get { throw null; } set { } }`
`232`	`234`	`}`
`233`	`235`	`public partial class SslStream : System.Net.Security.AuthenticatedStream`
`234`	`236`	`{`
Original file line number	Diff line number	Diff line change
`@@ -50,7 +50,8 @@ internal static SslPolicyErrors VerifyCertificateProperties(`
`50`	`50`	`private static X509Certificate2? GetRemoteCertificate(`
`51`	`51`	`SafeDeleteContext? securityContext,`
`52`	`52`	`bool retrieveChainCertificates,`
`53`		`- ref X509Chain? chain)`
	`53`	`+ ref X509Chain? chain,`
	`54`	`+ X509ChainPolicy? chainPolicy)`
`54`	`55`	`{`
`55`	`56`	`if (securityContext == null)`
`56`	`57`	`{`
`@@ -73,6 +74,10 @@ internal static SslPolicyErrors VerifyCertificateProperties(`
`73`	`74`	`if (retrieveChainCertificates)`
`74`	`75`	`{`
`75`	`76`	`chain ??= new X509Chain();`
	`77`	`+ if (chainPolicy != null)`
	`78`	`+ {`
	`79`	`+ chain.ChainPolicy = chainPolicy;`
	`80`	`+ }`
`76`	`81`
`77`	`82`	`for (int i = 0; i < chainSize; i++)`
`78`	`83`	`{`
Original file line number	Diff line number	Diff line change
`@@ -29,7 +29,10 @@ internal static SslPolicyErrors VerifyCertificateProperties(`
`29`	`29`	`//`
`30`	`30`
`31`	`31`	`private static X509Certificate2? GetRemoteCertificate(`
`32`		`- SafeDeleteContext? securityContext, bool retrieveChainCertificates, ref X509Chain? chain)`
	`32`	`+ SafeDeleteContext? securityContext,`
	`33`	`+ bool retrieveChainCertificates,`
	`34`	`+ ref X509Chain? chain,`
	`35`	`+ X509ChainPolicy? chainPolicy)`
`33`	`36`	`{`
`34`	`37`	`if (securityContext == null)`
`35`	`38`	`{`
`@@ -67,6 +70,10 @@ internal static SslPolicyErrors VerifyCertificateProperties(`
`67`	`70`	`if (retrieveChainCertificates)`
`68`	`71`	`{`
`69`	`72`	`chain ??= new X509Chain();`
	`73`	`+ if (chainPolicy != null)`
	`74`	`+ {`
	`75`	`+ chain.ChainPolicy = chainPolicy;`
	`76`	`+ }`
`70`	`77`
`71`	`78`	`UnmanagedCertificateContext.GetRemoteCertificatesFromStoreContext(remoteContext, chain.ChainPolicy.ExtraStore);`
`72`	`79`	`}`
Original file line number	Diff line number	Diff line change
`@@ -56,6 +56,11 @@ internal void UpdateOptions(SslClientAuthenticationOptions sslClientAuthenticati`
`56`	`56`	`CertificateRevocationCheckMode = sslClientAuthenticationOptions.CertificateRevocationCheckMode;`
`57`	`57`	`ClientCertificates = sslClientAuthenticationOptions.ClientCertificates;`
`58`	`58`	`CipherSuitesPolicy = sslClientAuthenticationOptions.CipherSuitesPolicy;`
	`59`	`+`
	`60`	`+ if (sslClientAuthenticationOptions.CertificateChainPolicy != null)`
	`61`	`+ {`
	`62`	`+ CertificateChainPolicy = sslClientAuthenticationOptions.CertificateChainPolicy.Clone();`
	`63`	`+ }`
`59`	`64`	`}`
`60`	`65`
`61`	`66`	`internal void UpdateOptions(ServerOptionsSelectionCallback optionCallback, object? state)`
`@@ -135,6 +140,11 @@ internal void UpdateOptions(SslServerAuthenticationOptions sslServerAuthenticati`
`135`	`140`	`{`
`136`	`141`	`ServerCertSelectionDelegate = sslServerAuthenticationOptions.ServerCertificateSelectionCallback;`
`137`	`142`	`}`
	`143`	`+`
	`144`	`+ if (sslServerAuthenticationOptions.CertificateChainPolicy != null)`
	`145`	`+ {`
	`146`	`+ CertificateChainPolicy = sslServerAuthenticationOptions.CertificateChainPolicy.Clone();`
	`147`	`+ }`
`138`	`148`	`}`
`139`	`149`
`140`	`150`	`private static SslProtocols FilterOutIncompatibleSslProtocols(SslProtocols protocols)`
`@@ -170,5 +180,6 @@ private static SslProtocols FilterOutIncompatibleSslProtocols(SslProtocols proto`
`170`	`180`	`internal CipherSuitesPolicy? CipherSuitesPolicy { get; set; }`
`171`	`181`	`internal object? UserState { get; set; }`
`172`	`182`	`internal ServerOptionsSelectionCallback? ServerOptionDelegate { get; set; }`
	`183`	`+ internal X509ChainPolicy? CertificateChainPolicy { get; set; }`
`173`	`184`	`}`
`174`	`185`	`}`
Original file line number	Diff line number	Diff line change
`@@ -73,5 +73,13 @@ public SslProtocols EnabledSslProtocols`
`73`	`73`	`/// Use extreme caution when changing this setting.`
`74`	`74`	`/// </summary>`
`75`	`75`	`public CipherSuitesPolicy? CipherSuitesPolicy { get; set; }`
	`76`	`+`
	`77`	`+ /// <summary>`
	`78`	`+ /// Gets or sets an optional customized policy for remote certificate`
	`79`	`+ /// validation. If not <see langword="null"/>,`
	`80`	`+ /// <see cref="CertificateRevocationCheckMode"/> and <see cref="SslCertificateTrust"/>`
	`81`	`+ /// are ignored.`
	`82`	`+ /// </summary>`
	`83`	`+ public X509ChainPolicy? CertificateChainPolicy { get; set; }`
`76`	`84`	`}`
`77`	`85`	`}`
Original file line number	Diff line number	Diff line change
`@@ -74,5 +74,13 @@ public EncryptionPolicy EncryptionPolicy`
`74`	`74`	`/// Use extreme caution when changing this setting.`
`75`	`75`	`/// </summary>`
`76`	`76`	`public CipherSuitesPolicy? CipherSuitesPolicy { get; set; }`
	`77`	`+`
	`78`	`+ /// <summary>`
	`79`	`+ /// Gets or sets an optional customized policy for remote certificate`
	`80`	`+ /// validation. If not <see langword="null"/>,`
	`81`	`+ /// <see cref="CertificateRevocationCheckMode"/> and <see cref="SslCertificateTrust"/>`
	`82`	`+ /// are ignored.`
	`83`	`+ /// </summary>`
	`84`	`+ public X509ChainPolicy? CertificateChainPolicy { get; set; }`
`77`	`85`	`}`
`78`	`86`	`}`