add CertificateChainPolicy to ssl options

[wfurt]

This is replacement for #69908
fixes #71191 #59979 #35839 #59944 #40423

This adds API approved in #71191 so callers of SslStream can specify custom X509ChainPolicy to specify custom trust, AIA download behavior or other options available in X509ChainPolicy.

Unlike original PoC there is no attempt to enforce consistency with other validation fragments. When custom policy is specified it will be used exclusively instead of fragments we currently use to construct it it internally.

TODO: This changes only SslStream. I will follow-up with PR for QUIC once the code there is stable. (#71783 done)

[dotnet-issue-labeler]

Note regarding the new-api-needs-documentation label:

This serves as a reminder for when your PR is modifying a ref *.cs file and adding/modifying public APIs, to please make sure the API implementation in the src *.cs file is documented with triple slash comments, so the PR reviewers can sign off that change.

[ghost]

Tagging subscribers to this area: @dotnet/ncl, @vcsjones
See info in area-owners.md if you want to be subscribed.

Issue Details

---

This is replacement for #69908
fixes #71191 #59979 #35839 #59944 #40423

This adds API approved in #71191 so callers of SslStream can specify custom X509ChainPolicy to specify custom trust, AIA download behavior or other options available in X509ChainPolicy.

Unlike original PoC there is no attempt to enforce consistency with other validation fragments. When custom policy is specified it will be used exclusively instead of fragments we currently use to construct it it internally.

TODO: This changes only SslStream. I will follow-up with PR for QUIC once the code there is stable. (#71783 done)

Author:	wfurt
Assignees:	wfurt
Labels:	area-System.Net.Security
Milestone:	7.0.0

[bartonjs]

Properties are supposed to have both a summary and a value tag.

https://github.com/dotnet/dotnet-api-docs/wiki/Property-Value

Suggested change

	/// </summary>
	public X509ChainPolicy? ValidationPolicy { get; set; }
	/// </summary>
	/// <value>
	/// An optional customized policy for certificate chain validation.
	/// The default is <see langword="null" />.
	/// </value>
	public X509ChainPolicy? ValidationPolicy { get; set; }

[bartonjs]

All of the feedback from the API docs for the client version also applies here.

[bartonjs]

This (VerificationTime acting as DateTime.Now when VerificationTimeIgnored is set) should be an implementation detail of X509Chain, not acted upon here.

[bartonjs]

runtime/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/X509Chain.cs

Line 136 in c9feedf

chainPolicy.VerificationTime,

Change

-chainPolicy.VerificationTime,
+chainPolicy.VerificationTimeIgnored ? DateTime.Now : VerificationTime,

[bartonjs]

I want this written by hand.

Suggested change

	return (X509ChainPolicy)MemberwiseClone();
	X509ChainPolicy clone = new X509ChainPolicy
	{
	DisableCertificateDownloads = DisableCertificateDownloads,
	_revocationMode = _revocationMode,
	_revocationFlag = _revocationFlag,
	_verificationFlags = _verificationFlags,
	_trustMode = _trustMode,
	_verificationTime = _verificationTime,
	VerificationTimeIgnored = VerificationTimeIgnored,
	UrlRetrievalTimeout = UrlRetrievalTimeout,
	};
	if (_applicationPolicy?.Count > 0)
	{
	clone.ApplicationPolicy.AddRange(_applicationPolicy);
	}
	if (_certificatePolicy?.Count > 0)
	{
	...
	}
	if (_customTrustStore?.Count > 0)
	{
	...
	}
	}

And then in tests, Assert.NotSame(orig.ApplicationPolicy, clone.ApplicationPolicy); and Assert.Equal(orig.ApplicationPolicy, clone.ApplicationPolicy); (and similar for the other collections)

[bartonjs]

These shouldn't be var, and there should be some tests for clone, but those can get done as a followup if the tests are all green.

[bartonjs]

Some minor issues, but nothing worth missing the branch over.

[ghost]

Added needs-breaking-change-doc-created label because this PR has the breaking-change label.

When you commit this breaking change:

1. Create and link to this PR and the issue a matching issue in the dotnet/docs repo using the breaking change documentation template, then remove this needs-breaking-change-doc-created label.
2. Ask a committer to mail the .NET Breaking Change Notification DL.

Tagging @dotnet/compat for awareness of the breaking change.

[bartonjs]

(Waiting on sending the mail until we actually merge)

[wfurt]

Thanks @bartonjs. Is this breaking because of the time change in X509ChainPolicy? If so, are you going to write the description of the behavior change?

[bartonjs]

Is this breaking because of the time change in X509ChainPolicy?

Yep.

If so, are you going to write the description of the behavior change?

Did that prior to merging it in 😄

[stephentoub]

ChainPolicy.ExtraStore is written into by GetRemoteCertificate as part of establishing connections. If the caller now provides an X509ChainPolicy instance with this feature, doesn't that mean we're then storing into that shared ExtraStore each time? Which would have implications on thread-safety (multiple connections all calling GetRemoteCertificate concurrently and adding to this non-thread-safe collection concurrently), memory leaks (unbounded additions to that ExtraStore each time a new connection is created / the remote is validated), and potentially security issues with the cert from one connection being then used as part of validation / chain building for another connection?

[stephentoub]

@bartonjs pointed out to me offline that we always clone the policy and ensure the clone is only used once.