Unify certificate validation code on OSX between SslStream and QuicConnection #117611
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
rzikm
changed the title
There was a problem hiding this comment.
Pull Request Overview
This PR removes the legacy macOS-specific hostname‐matching code paths and redirects certificate validation on OSX to the shared BuildChainAndVerifyProperties logic.
- Removes
AppleCryptoNative_SslIsHostnameMatchimplementation and related P/Invoke/entrypoint. - Refactors
CertificateValidationPal.OSX.VerifyCertificatePropertiesto call the unified validator. - Adds common validation helper file and updates the project to include it.
Reviewed Changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated no comments.
Show a summary per file
| File | Description |
|---|---|
| src/native/libs/System.Security.Cryptography.Native.Apple/pal_ssl.h | Dropped the old hostname-matching export. |
| src/native/libs/System.Security.Cryptography.Native.Apple/pal_ssl.c | Removed the entire SslIsHostnameMatch implementation. |
| src/native/libs/System.Security.Cryptography.Native.Apple/entrypoints.c | Deleted the DllImport entry for hostname matching. |
| src/libraries/System.Net.Security/src/System/Net/CertificateValidationPal.OSX.cs | Replaced platform code with call to BuildChainAndVerifyProperties. |
| src/libraries/System.Net.Security/src/System.Net.Security.csproj | Added new common validation source for OSX. |
| src/libraries/Common/src/Interop/OSX/System.Security.Cryptography.Native.Apple/Interop.Ssl.cs | Removed IDN mapping and hostname-check P/Invoke shim. |
Comments suppressed due to low confidence (2)
src/libraries/System.Net.Security/src/System/Net/CertificateValidationPal.OSX.cs:8
- [nitpick] Consider using a file-scoped namespace declaration (e.g.,
namespace System.Net;) to align with project conventions and reduce indentation.
namespace System.Net
src/libraries/System.Net.Security/src/System/Net/CertificateValidationPal.OSX.cs:20
- Add unit tests covering the unified certificate validation logic on macOS—particularly hostname matching and chain validation—to verify parity with the previous implementation.
return CertificateValidation.BuildChainAndVerifyProperties(chain, remoteCertificate, checkCertName, isServer, hostName, Span<byte>.Empty);
|
Tagging subscribers to this area: @dotnet/ncl, @bartonjs, @vcsjones |
|
Seems like this is affecting some test cases: OSX Tests |
This was referenced Jul 15, 2025
Open
liveans
approved these changes
Jul 15, 2025
wfurt
approved these changes
Jul 15, 2025
|
/ba-g infrastructure faliures are unrelated |
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Follow-up on #117472, now that we have managed implementation of X509 name check, we can get rid of the code which was originally bound to SslContext. This PR unifies certificate validation code between SslStream and QuicConnection.