[Foundation] Implement the server certificate custom validation callback usage in NSUrlSessionHandler

src/Foundation/NSUrlSessionHandler.cs

@@ -639,13 +639,7 @@ public IWebProxy? Proxy {
 		[UnsupportedOSPlatform ("macos")]
 		public SslProtocols SslProtocols { get; set; } = SslProtocols.Tls12 | SslProtocols.Tls13;
 
-		// We're ignoring this property, just like Xamarin.Android does:
-		// https://github.com/xamarin/xamarin-android/blob/09e8cb5c07ea6c39383185a3f90e53186749b802/src/Mono.Android/Xamarin.Android.Net/AndroidMessageHandler.cs#L160
-		[UnsupportedOSPlatform ("ios")]
-		[UnsupportedOSPlatform ("maccatalyst")]
-		[UnsupportedOSPlatform ("tvos")]
-		[UnsupportedOSPlatform ("macos")]
-		public Func<HttpRequestMessage, X509Certificate2, X509Chain, SslPolicyErrors, bool>? ServerCertificateCustomValidationCallback { get; set; }
+		public Func<HttpRequestMessage, X509Certificate2?, X509Chain?, SslPolicyErrors, bool>? ServerCertificateCustomValidationCallback { get; set; }
 
 		// There's no way to turn off automatic decompression, so yes, we support it
 		public bool SupportsAutomaticDecompression {
@@ -886,19 +880,21 @@ public override void DidReceiveChallenge (NSUrlSession session, NSUrlSessionTask
 #endif
 				var trustCallbackForUrl = sessionHandler.TrustOverrideForUrl;
 #if NET
-				var hasCallBack = trustCallbackForUrl is not null;
+				var hasCallBack = trustCallbackForUrl is not null || sessionHandler.ServerCertificateCustomValidationCallback is not null;
 #else
-				var hasCallBack = trustCallback is not null || trustCallbackForUrl is not null;
+				var hasCallBack = trustCallback is not null || trustCallbackForUrl is not null || sessionHandler.ServerCertificateCustomValidationCallback is not null;
 #endif
 				if (hasCallBack && challenge.ProtectionSpace.AuthenticationMethod == NSUrlProtectionSpace.AuthenticationMethodServerTrust) {
 #if NET
 					// if the trust delegate allows to ignore the cert, do it. Since we are using nullables, if the delegate is not present, by default is false
-					var trustSec = (trustCallbackForUrl?.Invoke (sessionHandler, inflight.RequestUrl, challenge.ProtectionSpace.ServerSecTrust) ?? false);
+					var trustSec = (trustCallbackForUrl?.Invoke (sessionHandler, inflight.RequestUrl, challenge.ProtectionSpace.ServerSecTrust) ?? false) ||
+						(InvokeServerCertificateCustomValidationCallback (inflight.Request, challenge.ProtectionSpace.ServerSecTrust));
 #else
 					// if one of the delegates allows to ignore the cert, do it. We check first the one that takes the url because is more precisse, later the
 					// more general one. Since we are using nullables, if the delegate is not present, by default is false
-					var trustSec = (trustCallbackForUrl?.Invoke (sessionHandler, inflight.RequestUrl, challenge.ProtectionSpace.ServerSecTrust) ?? false) || 
-						(trustCallback?.Invoke (sessionHandler, challenge.ProtectionSpace.ServerSecTrust) ?? false);
+					var trustSec = (trustCallbackForUrl?.Invoke (sessionHandler, inflight.RequestUrl, challenge.ProtectionSpace.ServerSecTrust) ?? false) ||
+						(trustCallback?.Invoke (sessionHandler, challenge.ProtectionSpace.ServerSecTrust) ?? false) ||
+						(InvokeServerCertificateCustomValidationCallback (inflight.Request, challenge.ProtectionSpace.ServerSecTrust));
 #endif
 
 					if (trustSec) {
@@ -973,6 +969,44 @@ public override void DidReceiveChallenge (NSUrlSession session, NSUrlSessionTask
 				}
 			}
 
+			bool InvokeServerCertificateCustomValidationCallback (HttpRequestMessage request, SecTrust secTrust)
+			{
+				if (sessionHandler.ServerCertificateCustomValidationCallback is null)
+					return false;
+
+				var originalChain = secTrust.GetCertificateChain (); // TODO does this work for older iOS and mac versions?
+				var certificates = new X509Certificate2 [originalChain.Length];
+				for (int i = 0; i < originalChain.Length; ++i)
+					certificates [i] = originalChain [i].ToX509Certificate2 ();
+
+				X509Certificate2? certificate = certificates.Length > 0 ? certificates [0] : null;
+
+				// TODO is NSURLAuthenticationMethodServerTrust used for every request or only when there is a problem
+				// with the remote certificate?
+				var sslPolicyErrors = SslPolicyErrors.None;
+				// var sslPolicyErrors = SslPolicyErrors.RemoteCertificateChainErrors;
+
+				// the chain initialization is based on dotnet/runtime implementation in System.Net.Security.SecureChannel
+				var chain = new X509Chain ();
+				chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
+				chain.ChainPolicy.RevocationFlag = X509RevocationFlag.ExcludeRoot;
+				chain.ChainPolicy.ExtraStore.AddRange (certificates);
+
+				// TODO the Build function doesn't work on Android, but maybe it works on iOS/OSX?
+				try {
+					if (certificate is null) {
+						sslPolicyErrors |= SslPolicyErrors.RemoteCertificateNotAvailable;
+					}
+					else if (!chain.Build (certificate)) {
+						sslPolicyErrors |= SslPolicyErrors.RemoteCertificateChainErrors;
+					}
+				} catch {
+					sslPolicyErrors |= SslPolicyErrors.RemoteCertificateChainErrors;
+				}
+
+				return sessionHandler.ServerCertificateCustomValidationCallback (request, certificate, chain, sslPolicyErrors);
+			}
+
 			static readonly string RejectProtectionSpaceAuthType = "reject";
 
 			static bool TryGetAuthenticationType (NSUrlProtectionSpace protectionSpace, [NotNullWhen (true)] out string? authenticationType)

tests/monotouch-test/System.Net.Http/MessageHandlers.cs

@@ -489,6 +489,58 @@ public void RejectSslCertificatesServicePointManager (Type handlerType)
 			}
 		}
 
+		[Test]
+		public void RejectSslCertificatesWithCustomValidationCallbackNSUrlSessionHandler ()
+		{
+			TestRuntime.AssertSystemVersion (ApplePlatform.MacOSX, 10, 9, throwIfOtherPlatform: false);
+			TestRuntime.AssertSystemVersion (ApplePlatform.iOS, 7, 0, throwIfOtherPlatform: false);
+
+#if __MACOS__
+			if (TestRuntime.CheckSystemVersion (ApplePlatform.MacOSX, 10, 10, 0) && !TestRuntime.CheckSystemVersion (ApplePlatform.MacOSX, 10, 11, 0))
+				Assert.Ignore ("Fails on macOS 10.10: https://github.com/xamarin/maccore/issues/1645");
+#endif
+
+			bool validationCbWasExecuted = false;
+			bool done = false;
+			Exception ex = null;
+			Type expectedExceptionType = null;
+			HttpResponseMessage result = null;
+
+			var handler = new NSUrlSessionHandler {
+				ServerCertificateCustomValidationCallback = (sender, certificate, chain, errors) => {
+					validationCbWasExecuted = true;
+					// return false, since we want to test that the exception is raised
+					return false;
+				}
+			};
+
+			TestRuntime.RunAsync (DateTime.Now.AddSeconds (30), async () =>
+			{
+				try {
+					HttpClient client = new HttpClient (handler);
+					client.BaseAddress = NetworkResources.Httpbin.Uri;
+					var byteArray = new UTF8Encoding ().GetBytes ("username:password");
+					client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue ("Basic", Convert.ToBase64String(byteArray));
+					result = await client.GetAsync (NetworkResources.Httpbin.GetRedirectUrl (3));
+				} catch (Exception e) {
+					ex = e;
+				} finally {
+					done = true;
+				}
+			}, () => done);
+
+			if (!done) { // timeouts happen in the bots due to dns issues, connection issues etc.. we do not want to fail
+				Assert.Inconclusive ("Request timedout.");
+			} else {
+				Assert.True (validationCbWasExecuted, "Validation Callback called");
+				// assert the exception type
+				Assert.IsNotNull (ex, (result == null)? "Expected exception is missing and got no result" : $"Expected exception but got {result.Content.ReadAsStringAsync ().Result}");
+				Assert.IsInstanceOf (typeof (HttpRequestException), ex, "Exception type");
+				Assert.IsNotNull (ex.InnerException, "InnerException");
+				Assert.IsInstanceOf (expectedExceptionType, ex.InnerException, "InnerException type");
+			}
+		}
+
 #if !__WATCHOS__
 		[TestCase (typeof (HttpClientHandler))]
 #endif
@@ -546,6 +598,47 @@ public void AcceptSslCertificatesServicePointManager (Type handlerType)
 			}
 		}
 
+		[Test]
+		public void AcceptSslCertificatesWithCustomValidationCallbackNSUrlSessionHandler ()
+		{
+			TestRuntime.AssertSystemVersion (ApplePlatform.MacOSX, 10, 9, throwIfOtherPlatform: false);
+			TestRuntime.AssertSystemVersion (ApplePlatform.iOS, 7, 0, throwIfOtherPlatform: false);
+
+			bool callbackWasExecuted = false;
+			bool done = false;
+			Exception ex = null;
+
+			var handler = new NSUrlSessionHandler {
+				ServerCertificateCustomValidationCallback = (sender, certificate, chain, errors) => {
+					callbackWasExecuted = true;
+					return true;
+				}
+			};
+
+			TestRuntime.RunAsync (DateTime.Now.AddSeconds (30), async () =>
+			{
+				try {
+					var client = new HttpClient (handler);
+					var result = await client.GetAsync ("https://self-signed.badssl.com/"); // TODO move the URL to a constant
+				} catch (Exception e) {
+					ex = e;
+				} finally {
+					done = true;
+				}
+			}, () => done);
+
+			if (!done) { // timeouts happen in the bots due to dns issues, connection issues etc.. we do not want to fail
+				Assert.Inconclusive ("Request timedout.");
+			} else {
+				Assert.True (validationCbWasExecuted, "Validation Callback called");
+				// assert that we did not get an exception
+				if (ex != null && ex.InnerException != null) {
+					// we could get here.. if we have a diff issue, in that case, lets get the exception message and assert is not the trust issue
+					Assert.AreNotEqual (ex.InnerException.Message, "Error: TrustFailure");
+				}
+			}
+		}
+
 		[Test]
 		public void AssertDefaultValuesNSUrlSessionHandler ()
 		{