Description
Background and motivation
We added SslStreamCertificateContext ServerCertificateContext to SslServerAuthenticationOptions in #37933. That allows the server to create a pre-validated, immutable chain and use it over and over again. Back then, it was not clear whether that would be of much benefit on the client side.
While client certificates are rarer, the client situation is somewhat more complicated. SslClientAuthenticationOptions has X509CertificateCollection? ClientCertificates, so it is possible to pass in a collection of client certificate candidates. SslStream will choose one of them, and in corner cases we may fail to do that even if the collection contains exactly one item.
A more pressing issue is the certificate chain. As we added more overloads to load certificates from PEM and PFX, the intermediate certificates may not be in the certificate store, and since there is no way to pass them in, we fail to send them on the wire as we should. That leads to validation issues and situations that are difficult to troubleshoot.
We can add SslStreamCertificateContext to the client options to add the ability to use an exact certificate and pass in all necessary intermediate certificates.
API Proposal
```csharp
namespace System.Net.Security
{
    public partial class SslServerAuthenticationOptions
    {
        .....
        public SslStreamCertificateContext? ServerCertificateContext;
    }
    public partial class SslClientAuthenticationOptions
    {
        ....
+       public SslStreamCertificateContext? ClientCertificateContext;
    }
}
```
API Usage
```csharp
// Load the client leaf certificate together with its intermediates (for example from a PFX bundle).
var chain = new X509Certificate2Collection();
chain.Import(file, password: null, X509KeyStorageFlags.DefaultKeySet);

var options = new SslClientAuthenticationOptions();
options.TargetHost = "myServer";
// chain[0] is the leaf; the rest of the collection supplies the intermediates to send on the wire.
options.ClientCertificateContext = SslStreamCertificateContext.Create(chain[0], chain);

var ssl = new SslStream(transportStream);
await ssl.AuthenticateAsClientAsync(options, cancellationToken);
```
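As an added illustration, not part of this proposal or the runtime's own code, the following builds a throwaway root -> intermediate -> leaf chain in memory and contrasts the legacy ClientCertificates path (leaf only, intermediate in no store) with the proposed ClientCertificateContext, which carries the intermediate explicitly. It assumes the proposed ClientCertificateContext property exists and that the context exposes TargetCertificate and IntermediateCertificates; the subject names are made up.

```csharp
using System;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class ClientContextDemo
{
    // Build one certificate of a constructed demo chain; a null issuer means self-signed.
    static X509Certificate2 MakeCert(string subject, X509Certificate2? issuer, RSA key, bool isCa)
    {
        var req = new CertificateRequest($"CN={subject}", key, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        req.CertificateExtensions.Add(new X509BasicConstraintsExtension(isCa, false, 0, true));
        if (!isCa) // clientAuth EKU on the leaf only
            req.CertificateExtensions.Add(new X509EnhancedKeyUsageExtension(new OidCollection { new Oid("1.3.6.1.5.5.7.3.2") }, false));
        DateTimeOffset notBefore = DateTimeOffset.UtcNow.AddMinutes(-5), notAfter = notBefore.AddDays(1);
        if (issuer is null)
            return req.CreateSelfSigned(notBefore, notAfter);
        // Keep the private key on the issued cert so it can sign the next level / be used for TLS.
        return req.Create(issuer, notBefore, notAfter, RandomNumberGenerator.GetBytes(8)).CopyWithPrivateKey(key);
    }

    static void Main()
    {
        using RSA rootKey = RSA.Create(2048);
        using RSA interKey = RSA.Create(2048);
        using RSA leafKey = RSA.Create(2048);
        using X509Certificate2 root = MakeCert("Demo Root", null, rootKey, isCa: true);
        using X509Certificate2 intermediate = MakeCert("Demo Intermediate", root, interKey, isCa: true);
        using X509Certificate2 leaf = MakeCert("demo-client", intermediate, leafKey, isCa: false);

        // Legacy path: only the leaf is supplied. The intermediate lives in no store, so it is never sent.
        var legacy = new SslClientAuthenticationOptions { ClientCertificates = new X509Certificate2Collection(leaf) };

        // Proposed path: pin the exact leaf and hand over the intermediate explicitly.
        // offline: true keeps chain building from attempting AIA downloads for this in-memory chain.
        var context = SslStreamCertificateContext.Create(leaf, new X509Certificate2Collection(intermediate), offline: true);
        var proposed = new SslClientAuthenticationOptions { TargetHost = "myServer", ClientCertificateContext = context };

        Console.WriteLine($"legacy candidates: {legacy.ClientCertificates!.Count}");
        Console.WriteLine($"context leaf: {context.TargetCertificate.Subject}");
        Console.WriteLine($"context intermediates carried: {context.IntermediateCertificates.Count}"); // 1
    }
}
```

Because the intermediate is resolved once at context creation rather than looked up in a store during each handshake, a missing intermediate shows up here as a count of 0, before any peer ever rejects the chain.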
Alternative Designs
No response
Risks
This makes the client and server options more symmetric. We already internally convert the selected client certificate to SslStreamCertificateContext, and this will make that more obvious. The proposed ClientCertificateContext will take precedence over the legacy ClientCertificates.