[Android] Fix SslStreamCertificateContext empty custom trust store ex…

…ception (#104016) * Check if certificate collections are not empty before changing trust mode to custom root trust * Enable SslStream_ClientCertificateContext_SendsChain test on Android * Apply suggestions from reviews * Avoid unnecessary allocations
dotnet · Jun 28, 2024 · 8a3e603 · 8a3e603
1 parent 117c4ab
commit 8a3e603
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 3 deletions.
diff --git a/src/libraries/System.Net.Security/src/System/Net/Security/SslStreamCertificateContext.cs b/src/libraries/System.Net.Security/src/System/Net/Security/SslStreamCertificateContext.cs
@@ -56,15 +56,20 @@ internal static SslStreamCertificateContext Create(
 
                 if (trust != null)
                 {
-                    chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
                     if (trust._store != null)
                     {
                         chain.ChainPolicy.CustomTrustStore.AddRange(trust._store.Certificates);
                     }
+
                     if (trust._trustList != null)
                     {
                         chain.ChainPolicy.CustomTrustStore.AddRange(trust._trustList);
                     }
+
+                    if (chain.ChainPolicy.CustomTrustStore.Count > 0)
+                    {
+                        chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
+                    }
                 }
 
                 chain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllFlags;
@@ -77,7 +82,7 @@ internal static SslStreamCertificateContext Create(
                     NetEventSource.Error(null, $"Failed to build chain for {target.Subject}");
                 }
 
-                if (!chainStatus && ChainBuildNeedsTrustedRoot && additionalCertificates != null)
+                if (!chainStatus && ChainBuildNeedsTrustedRoot && additionalCertificates?.Count > 0)
                 {
                     // Some platforms like Android may not be able to build the chain unless the chain root is trusted.
                     // We can try to rebuild the chain with making all extra certificates trused.

diff --git a/src/libraries/System.Net.Security/tests/FunctionalTests/SslStreamNetworkStreamTest.cs b/src/libraries/System.Net.Security/tests/FunctionalTests/SslStreamNetworkStreamTest.cs
@@ -917,7 +917,6 @@ public async Task SslStream_ClientCertificate_SendsChain()
         [Theory]
         [InlineData(true)]
         [InlineData(false)]
-        [ActiveIssue("https://github.com/dotnet/runtime/issues/68206", TestPlatforms.Android)]
         public async Task SslStream_ClientCertificateContext_SendsChain(bool useTrust)
         {
             (X509Certificate2 clientCertificate, X509Certificate2Collection clientChain) = Configuration.Certificates.GenerateCertificates(nameof(SslStream_ClientCertificateContext_SendsChain), serverCertificate: false);