[AppleTls]: Send server certificate and all intermediates.

(cherry picked from commit 5f063a6a2e603ea9e4384f5f2d3f22628115b014) (cherry picked from commit bf9b64e6ec8a3b07c346db8909058ddb5e7eff81)
2016-07-28 18:45:26 -04:00 · 2016-07-28 18:45:26 -04:00 · 6ef1390a5c
--- a/src/Security/Certificate.cs
+++ b/src/Security/Certificate.cs
@ -93,7 +93,7 @@ namespace XamCore.Security {
 			 * Using 'XAMARIN_APPLETLS' as a conditional because 'XAMCORE_2_0' is
 			 * defined for tvos and watch, which have a recent-enough runtime.
 			 */
-			handle = certificate.Handle;
+			handle = certificate.Impl.GetNativeAppleCertificate ();
 			if (handle != IntPtr.Zero) {
 				CFObject.CFRetain (handle);
 				return;
@ -105,13 +105,28 @@ namespace XamCore.Security {
 			}
 		}

+#if XAMARIN_APPLETLS
+		internal SecCertificate (X509CertificateImpl impl)
+		{
+			handle = impl.GetNativeAppleCertificate ();
+			if (handle != IntPtr.Zero) {
+				CFObject.CFRetain (handle);
+				return;
+			}
+
+			using (NSData cert = NSData.FromArray (impl.GetRawCertData ())) {
+				Initialize (cert);
+			}
+		}
+#endif
+
 		public SecCertificate (X509Certificate2 certificate)
 		{
 			if (certificate == null)
 				throw new ArgumentNullException ("certificate");

 #if XAMARIN_APPLETLS
-			handle = certificate.Handle;
+			handle = certificate.Impl.GetNativeAppleCertificate ();
 			if (handle != IntPtr.Zero) {
 				CFObject.CFRetain (handle);
 				return;
--- a/src/Security/Tls/AppleTlsContext.cs
+++ b/src/Security/Tls/AppleTlsContext.cs
@ -173,10 +173,14 @@ namespace XamCore.Security.Tls
 			SetSessionOption (SslSessionOption.BreakOnServerAuth, true);

 			if (IsServer) {
-				serverIdentity = MobileCertificateHelper.GetIdentity (LocalServerCertificate);
+				SecCertificate[] intermediateCerts;
+				serverIdentity = MobileCertificateHelper.GetIdentity (LocalServerCertificate, out intermediateCerts);
 				if (serverIdentity == null)
 					throw new SSA.AuthenticationException ("Unable to get server certificate from keychain.");
-				SetCertificate (serverIdentity, new SecCertificate [0]);
+
+				SetCertificate (serverIdentity, intermediateCerts);
+				for (int i = 0; i < intermediateCerts.Length; i++)
+					intermediateCerts [i].Dispose ();
 			}
 		}

--- a/src/Security/Tls/MobileCertificateHelper.cs
+++ b/src/Security/Tls/MobileCertificateHelper.cs
@ -43,6 +43,28 @@ namespace XamCore.Security.Tls
 			}
 		}

+		public static SecIdentity GetIdentity (X509Certificate certificate, out SecCertificate[] intermediateCerts)
+		{
+			var identity = GetIdentity (certificate);
+
+			var impl2 = certificate.Impl as X509Certificate2Impl;
+			if (impl2 == null || impl2.IntermediateCertificates == null) {
+				intermediateCerts = new SecCertificate [0];
+				return identity;
+			}
+
+			try {
+				intermediateCerts = new SecCertificate [impl2.IntermediateCertificates.Count];
+				for (int i = 0; i < intermediateCerts.Length; i++)
+					intermediateCerts [i] = new SecCertificate (impl2.IntermediateCertificates [i]);
+
+				return identity;
+			} catch {
+				identity.Dispose ();
+				throw;
+			}
+		}
+
 		public static bool Validate (string targetHost, bool serverMode, ICertificateValidator2 validator, X509CertificateCollection certificates)
 		{
 			var result = validator.ValidateCertificate (targetHost, serverMode, certificates);