Handle IdLinkage X509 chain building status.

[vcsjones]

In macOS, when building an X509 chain, if a leaf and issuing certificate form a chain, but the subject and authority key identifiers do not match, an IdLinkage status is reported.

To match Windows, we ignore this chain status.

Linux appears to use these extensions when building a chain, and reports PartialChain even if the attributes were not strictly needed to aid in building a chain.

Additionally, this updates the debugging output for macOS to use an allocating function to convert a CFString to a C string. CFStringGetCStringPtr will return "NULL if the internal storage of theString does not allow this to be returned efficiently." which it appears to have started doing for me.

Closes #41678

[ghost]

Tagging subscribers to this area: @bartonjs, @vcsjones, @krwq
See info in area-owners.md if you want to be subscribed.

[bartonjs]

We should probably port this to 5, but I don't think it'll get accepted into 3.1 or 2.1 without a "why it happens in the real world" problem.

[vcsjones]

We should probably port this to 5, but I don't think it'll get accepted into 3.1 or 2.1 without a "why it happens in the real world" problem.

Yeah this is one of the weirder ones. Off the top of my head I think this would be a Mozilla root store policy violation, so unlikely a real CA will issue a cert like this.

[bartonjs]

Apparently I haven't been remembering to look at PR tabs to see if tests finished. There's a merge conflict in this one now :(

[vcsjones]

@bartonjs no worries. If you still want to port this one to 5, I don't know what the backport bot will do with the merge commit. If it doesn't work I can manually port.

[bartonjs]

/backport to release/5.0-rc2

[github-actions]

Started backporting to release/5.0-rc2: https://github.com/dotnet/runtime/actions/runs/246798667