Initial implementation of X509Certificates, HttpClient, and SslStream for macOS

[bartonjs]

Broken by this change:

• X509Store has no implementation yet on macOS.
• Exporting as a PFX is not yet implemented on macOS.
• A lot of TLS CipherSuites have no metadata defined.
• macOS does not support version skipping in TLS. So Tls | Tls12 is an invalid choice.

In this change:
General:

• All OSStatus related exceptions now look up the error message.

X509Certificates:

• X509Certificate moves to using SecCertificateRef from OpenSSL's X509.
• X509 metadata comes from a managed reader after being loaded by Security.framework,
  due to the significant amount of data that has no public export in Apple's libraries.
• Significant code was factored out to be shared by OpenSSL and Apple implementations for X500DistinguishedName and X509Certficate2Collection.Find.
• Loading a PFX (or, rather, the private keys from a PFX) via Apple's platform
  requires importing into a Keychain, and a Keychain requires a file on disk.
  A temporary keychain is created during cert loading and erased when safe.
  Like the perphemeral key load on Windows this can leak files due to
  abnormal program termination.

HttpClient:

• Initialization no longer wakes up OpenSSL

SslStream:

• New implementation based on Apple SecureTransport.
• Currently has support for SNI (for AuthenticateAsClient)

[bartonjs]

This is a bit of a Work In Progress. But I'd gone on long enough that I wanted to get something out for review.

X509Certificates should fully pass tests. HttpClient will probably explode due to a TODO I left myself, and SslClient I'm trying to see what places the official tests are having trouble with in case my machine is behaving oddly.

My current remaining cleanup notes (aside from "implement deferred functionality"):

• Do a full headers scrub (add/document the shim functions)
• Remove all the printfs (they're all #defined away, but get rid of them
• Remove ForceLoadPrivateKey (it should be vestigial, but something breaks when I do, need to investigate, since it means there's a problem somewhere else)
• Curl VERIFYPEER/VERIFYHOST problem.
• Fix comments that say REVIEW
• ChainPal::Execute => "Handle this failure"
• Two different TLS Protocol ID enums are in use. Oops

Part of what I'm looking for at this juncture is macro-comments; things that might take a day or two of restructuring to fix. Micro-comments are also quite welcome.

[bartonjs]

@dotnet-bot Test Outerloop OSX Debug please

[steveharter]

Cursory review done. Will do a detailed review when we pull things back

[steveharter]

Debugging?

[bartonjs]

Oh, good catch.

[steveharter]

No error checking against detailsAndStuff and detailsPtr here

[steveharter]

More debugging? (I'll stop mentioning that regarding printfs)

[steveharter]

Went from 80000 to 1000000 (an extra 0)?

[steveharter]

PAL_X509ChainHasWeakSignature out of order or need extra 0

[bartonjs]

Values and ordering should be the same as they are in X509ChainStatusFlags.

[steveharter]

Seems like we can have something better.... Just raw Exception?

[steveharter]

verify connection == _toConnection?

[bartonjs]

connection will be NULL since we don't give them one. (It's their callback's way of maintaining object notions; but we got that captured in the delegate)

[steveharter]

How does <3 guarantee that we need to remove the first and last? Vs. 4, 5, etc.?

[bartonjs]

If 1, it's just the first cert.
If 2, it's a cert directly from a root.

In both 1 and 2 we've removed the items we care about by being Array.Empty. At 3 we have things left over after we remove up to two.

And, really, it's because we're about to do Count - 2 as an array size.

[steveharter]

Didn't review. Refactoring of OpenSslCertificateFinder.cs ?

[bartonjs]

Yep

[steveharter]

FWIW I'm working on cleaning up the .props, test .csproj because most of our newer tests are not running due build changes and renaming of netstandard :(

[bartonjs]

Okay, it seems that Sierra (10.12) fixed some bugs in SecTrustEvaluate. On El Capitan (10.11) it segfaults 50% of the time when the evaluation doesn't involve the SSL policy (the other 50% it reports a corrupt keychain when no keychain should be involved).

Hmm.

[bartonjs]

Enough changed that I made a completely new PR (#16445).

To get an idea of the changes: bartonjs/corefx@apple_x509_part1...bartonjs:apple_x509_part2