Unify certificate chain building between SslStream and WinHttpHandler (#115761)

* Initial plan for issue

* Update WinHttpRequestCallback to use CertificateValidation

Co-authored-by: liveans <[email protected]>

* Remove unused WinHttpCertificateHelper.cs file

Co-authored-by: liveans <[email protected]>

* Fix formatting issues in WinHttpRequestCallback.cs

Co-authored-by: liveans <[email protected]>

* Fix compatibility with .NET Framework by using GetLastWin32Error

Co-authored-by: liveans <[email protected]>

* Fix FakeX509Certificates.cs to clarify empty namespace

Co-authored-by: krwq <[email protected]>

* Remove unnecessary code per review comments

Co-authored-by: liveans <[email protected]>

---------

Co-authored-by: copilot-swe-agent[bot] <[email protected]>
Co-authored-by: liveans <[email protected]>
Co-authored-by: krwq <[email protected]>

Author: 3 people

src/libraries/Common/src/System/Net/Security/CertificateValidation.Windows.cs

@@ -26,7 +26,11 @@ internal static SslPolicyErrors BuildChainAndVerifyProperties(X509Chain chain, X
             if (!chainBuildResult       // Build failed on handle or on policy.
                 && chain.SafeHandle!.DangerousGetHandle() == IntPtr.Zero)   // Build failed to generate a valid handle.
             {
+#if NETFRAMEWORK
+                throw new CryptographicException(Marshal.GetLastWin32Error());
+#else
                 throw new CryptographicException(Marshal.GetLastPInvokeError());
+#endif
             }
 
             if (checkCertName)

src/libraries/System.Net.Http.WinHttpHandler/src/System.Net.Http.WinHttpHandler.csproj

@@ -72,6 +72,8 @@ System.Net.Http.WinHttpHandler</PackageDescription>
              Link="Common\System\Net\Security\CertificateHelper.cs" />
     <Compile Include="$(CommonPath)\System\Net\Security\CertificateHelper.Windows.cs"
              Link="Common\System\Net\Security\CertificateHelper.Windows.cs" />
+    <Compile Include="$(CommonPath)\System\Net\Security\CertificateValidation.Windows.cs"
+             Link="Common\System\Net\Security\CertificateValidation.Windows.cs" />
     <Compile Include="$(CommonPath)\System\Runtime\ExceptionServices\ExceptionStackTrace.cs"
              Link="Common\System\Runtime\ExceptionServices\ExceptionStackTrace.cs" />
     <Compile Include="$(CommonPath)\System\Threading\Tasks\RendezvousAwaitable.cs"
@@ -80,7 +82,6 @@ System.Net.Http.WinHttpHandler</PackageDescription>
     <Compile Include="System\Net\Http\NetEventSource.WinHttpHandler.cs" />
     <Compile Include="System\Net\Http\NoWriteNoSeekStreamContent.cs" />
     <Compile Include="System\Net\Http\WinHttpAuthHelper.cs" />
-    <Compile Include="System\Net\Http\WinHttpCertificateHelper.cs" />
     <Compile Include="System\Net\Http\WinHttpChannelBinding.cs" />
     <Compile Include="System\Net\Http\WinHttpChunkMode.cs" />
     <Compile Include="System\Net\Http\WinHttpCookieContainerAdapter.cs" />

src/libraries/System.Net.Http.WinHttpHandler/src/System/Net/Http/WinHttpCertificateHelper.cs

@@ -10,6 +10,7 @@
 using System.Net.Sockets;
 using System.Runtime.CompilerServices;
 using System.Runtime.InteropServices;
+using System.Security.Cryptography;
 using System.Security.Cryptography.X509Certificates;
 using System.Threading;
 using SafeWinHttpHandle = Interop.WinHttp.SafeWinHttpHandle;
@@ -21,6 +22,8 @@ namespace System.Net.Http
     /// </summary>
     internal static class WinHttpRequestCallback
     {
+        private static readonly Oid ServerAuthOid = new Oid("1.3.6.1.5.5.7.3.1", "1.3.6.1.5.5.7.3.1");
+
         public static Interop.WinHttp.WINHTTP_STATUS_CALLBACK StaticCallbackDelegate =
             new Interop.WinHttp.WINHTTP_STATUS_CALLBACK(WinHttpCallback);
 
@@ -370,13 +373,34 @@ private static void OnRequestSendingRequest(WinHttpRequestState state)
 
                 try
                 {
-                    WinHttpCertificateHelper.BuildChain(
+                    // Create and configure the X509Chain
+                    chain = new X509Chain();
+                    chain.ChainPolicy.RevocationMode = state.CheckCertificateRevocationList ? X509RevocationMode.Online : X509RevocationMode.NoCheck;
+                    chain.ChainPolicy.RevocationFlag = X509RevocationFlag.ExcludeRoot;
+                    // Authenticate the remote party: (e.g. when operating in client mode, authenticate the server).
+                    chain.ChainPolicy.ApplicationPolicy.Add(ServerAuthOid);
+
+                    if (remoteCertificateStore.Count > 0)
+                    {
+                        if (NetEventSource.Log.IsEnabled())
+                        {
+                            foreach (X509Certificate cert in remoteCertificateStore)
+                            {
+                                NetEventSource.Info(remoteCertificateStore, $"Adding cert to ExtraStore: {cert.Subject}");
+                            }
+                        }
+
+                        chain.ChainPolicy.ExtraStore.AddRange(remoteCertificateStore);
+                    }
+
+                    // Call the shared BuildChainAndVerifyProperties method
+                    // isServer=false because WinHttpHandler is a client validating a server certificate
+                    sslPolicyErrors = System.Net.CertificateValidation.BuildChainAndVerifyProperties(
+                        chain,
                         serverCertificate,
-                        remoteCertificateStore,
-                        state.RequestMessage.RequestUri.Host,
-                        state.CheckCertificateRevocationList,
-                        out chain,
-                        out sslPolicyErrors);
+                        checkCertName: true,
+                        isServer: false,
+                        hostName: state.RequestMessage.RequestUri.Host);
 
                     result = state.ServerCertificateValidationCallback(
                         state.RequestMessage,

src/libraries/System.Net.Http.WinHttpHandler/src/System/Net/Http/WinHttpRequestCallback.cs

@@ -6,20 +6,13 @@
 using System.Net.Security;
 using System.Security.Cryptography.X509Certificates;
 
-namespace System.Net.Http
+namespace System.Net
 {
-    internal static class WinHttpCertificateHelper
+    internal static partial class CertificateValidation
     {
-        public static void BuildChain(
-            X509Certificate2 certificate,
-            X509Certificate2Collection remoteCertificateStore,
-            string hostName,
-            bool checkCertificateRevocationList,
-            out X509Chain chain,
-            out SslPolicyErrors sslPolicyErrors)
+        internal static SslPolicyErrors BuildChainAndVerifyProperties(X509Chain chain, X509Certificate2 remoteCertificate, bool checkCertName, bool isServer, string? hostName)
         {
-            chain = null;
-            sslPolicyErrors = SslPolicyErrors.None;
+            return SslPolicyErrors.None;
         }
     }
 }