fix SslStream.IsMutuallyAuthenticated with cached credentials

[wfurt]

fixes #65563

We can query Schannel after handshake is done to see if certificate was used. This is no-op for test of the platforms at the moment.
The test is essentially repro @rzikm put together during investigation.

not 100% about android. cc: @simonrozsival

[ghost]

Tagging subscribers to this area: @dotnet/ncl, @vcsjones
See info in area-owners.md if you want to be subscribed.

Issue Details

---

fixes #65563

We can query Schannel after handshake is done to see if certificate was used. This is no-op for test of the platforms at the moment.
The test is essentially repro @rzikm put together during investigation.

not 100% about android. cc: @simonrozsival

Author:	wfurt
Assignees:	wfurt
Labels:	area-System.Net.Security
Milestone:	-

[simonrozsival]

I'm not very familiar with the client selection code on Android and it's not very easy to follow, but this is my current interpretation of the what we do:

• whenever there's a CertificateContext in the auth options, we initialize the Java KeyStore with the client certificate. The Java SSLEngine may or may not send the client certificate to the server. We never call the SelectClientCertificate. We don't check if the client sent the certificate to the server or not.
• the CertificateContext is set by the AcquireClientCredentials method which calls SelectClientCertificate method that sets the _selectedClientCertificate field.
• So from what I can tell, on Android the IsMutuallyAuthenticated property could be true even though we never sent the client certificate to the server.

But... don't we call AcquireClientCredentials on all platforms? Isn't that the same case also on mac/iOS?

I think we should at least run tests on Android for this PR and see if the new test fails or not. I can do some more digging if necessary. It should be fairly easy to implement IsLocalCertificateUsed to actually check which certificate we sent to the server (using SSLSession#getLocalCertificates()).

[simonrozsival]

/azp run runtime-android

[azure-pipelines]

Azure Pipelines successfully started running 1 pipeline(s).

[rzikm]

https://helixre107v0xdeko0k025g8.blob.core.windows.net/dotnet-runtime-refs-pull-79128-merge-1d0bff68b72b460f94/System.Net.Security.Tests/3/console.e5e0dbcd.log?helixlogtype=result

 System.Net.Security.Tests.SslStreamMutualAuthenticationTest.SslStream_CachedCredentials_IsMutuallyAuthenticatedCorrect(protocol: Tls12) [FAIL]
      Assert.Equal() Failure
      Expected: True
      Actual:   False
      Stack Trace:
        /_/src/libraries/System.Net.Security/tests/FunctionalTests/SslStreamMutualAuthenticationTest.cs(121,0): at System.Net.Security.Tests.SslStreamMutualAuthenticationTest.SslStream_CachedCredentials_IsMutuallyAuthenticatedCorrect(SslProtocols protocol)
        --- End of stack trace from previous location ---

Looks like we fail on Win7

[simonrozsival]

@wfurt The test is failing on Android. I have a fix ready so you can skip the test on Android and I'll open a follow-up PR once this one is merged.

[wfurt]

One day I'll learn how to run tests on Android locally ... but it may not be this PR.

[wfurt]

I disabled the test on Android with active issue pointing at original one. I'll keep it open until you are ready with the fix.
(and thanks for looking into it)

[wfurt]

Last test (CertificateValidationClientServer_EndToEnd_Ok) was failing on server 2012. I investigated and the call would finish with SEC_E_NO_CREDENTIALS if the connection was resumed. That seems like issue with older schannel versions - never windows return the certificate status according to the previous.

For now, I updated the test avoid this case. I'm not sure what we can do about it. I feel it would be better if we report the status correctly on current Windows, hopefully 2012 will go out of support soon.
Let me know if you have any suggestions @rzikm.

[wfurt]

/backport to release/6.0

[github-actions]

Started backporting to release/6.0: https://github.com/dotnet/runtime/actions/runs/6040352662

[wfurt]

/backport to release/7.0

[github-actions]

Started backporting to release/7.0: https://github.com/dotnet/runtime/actions/runs/6040355498

[wfurt]

/backport to release/7.0-staging

[github-actions]

@wfurt backporting to release/6.0 failed, the patch most likely resulted in conflicts:

$ git am --3way --ignore-whitespace --keep-non-patch changes.patch

Applying: fix SslStream.IsMutuallyAuthenticated with cached credentials
Using index info to reconstruct a base tree...
M	src/libraries/Common/src/Interop/Windows/SspiCli/SSPIWrapper.cs
M	src/libraries/System.Net.Security/src/System/Net/CertificateValidationPal.Android.cs
M	src/libraries/System.Net.Security/src/System/Net/CertificateValidationPal.OSX.cs
M	src/libraries/System.Net.Security/src/System/Net/CertificateValidationPal.Unix.cs
M	src/libraries/System.Net.Security/src/System/Net/CertificateValidationPal.Windows.cs
A	src/libraries/System.Net.Security/src/System/Net/Security/SslStream.Protocol.cs
A	src/libraries/System.Net.Security/tests/FunctionalTests/SslStreamMutualAuthenticationTest.cs
Falling back to patching base and 3-way merge...
CONFLICT (modify/delete): src/libraries/System.Net.Security/tests/FunctionalTests/SslStreamMutualAuthenticationTest.cs deleted in HEAD and modified in fix SslStream.IsMutuallyAuthenticated with cached credentials. Version fix SslStream.IsMutuallyAuthenticated with cached credentials of src/libraries/System.Net.Security/tests/FunctionalTests/SslStreamMutualAuthenticationTest.cs left in tree.
Auto-merging src/libraries/System.Net.Security/src/System/Net/Security/SecureChannel.cs
CONFLICT (content): Merge conflict in src/libraries/System.Net.Security/src/System/Net/Security/SecureChannel.cs
Auto-merging src/libraries/System.Net.Security/src/System/Net/CertificateValidationPal.Windows.cs
Auto-merging src/libraries/System.Net.Security/src/System/Net/CertificateValidationPal.Unix.cs
Auto-merging src/libraries/System.Net.Security/src/System/Net/CertificateValidationPal.OSX.cs
Auto-merging src/libraries/System.Net.Security/src/System/Net/CertificateValidationPal.Android.cs
Auto-merging src/libraries/Common/src/Interop/Windows/SspiCli/SSPIWrapper.cs
CONFLICT (content): Merge conflict in src/libraries/Common/src/Interop/Windows/SspiCli/SSPIWrapper.cs
error: Failed to merge in the changes.
hint: Use 'git am --show-current-patch=diff' to see the failed patch
Patch failed at 0001 fix SslStream.IsMutuallyAuthenticated with cached credentials
When you have resolved this problem, run "git am --continue".
If you prefer to skip this patch, run "git am --skip" instead.
To restore the original branch and stop patching, run "git am --abort".
Error: The process '/usr/bin/git' failed with exit code 128

Please backport manually!

[github-actions]

@wfurt an error occurred while backporting to release/6.0, please check the run log for details!

Error: git am failed, most likely due to a merge conflict.

[github-actions]

Started backporting to release/7.0-staging: https://github.com/dotnet/runtime/actions/runs/6040373273