Tweak which tests get run on .NET 6 Android #1505
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Actual code fixes in EE repo
Very little functions as it should in .NET 6, and there are two specific large workarounds needed. First of all, none of this works without first either having a certificate issued by a CA trusted by default on Android, or adding in a trusted CA via network security config XML. This creates a temporary contract that by the time the certificate reaches this callback, it is already trusted anyway...so a lot of this is just yak shaving until .NET 8. 1. When operating in normal mode (not "only self signed"), ask the underlying Java API is the certificate is trusted or not because X509Chain does not seem aware of everything that the Java API is aware of (specifically network security config trusted certificates). This may or may not change in .NET 8, but for now at least it lines up with the fact that this is already trusted purely by the fact that it made it into this callback 2. When operating in self signed only mode, work around the non-functioning X509Chain by looking at the leaf cert directly (there is only supposed to be one entry anyway. If it is self signed, that means there are no more certs in the chain)
jianminzhao
approved these changes
Apr 4, 2023
|
Is this something we need to document? Should we create a ticket, right now, to remove these exceptions? |
bmeike
approved these changes
Apr 4, 2023
|
We will absolutely need to document the life out of this. .NET 6 iOS and Android will need their own quirks and shortcomings section (respectively). I'll try to find the appropriate place to put a docs comment. As for a ticket we can file it but it will remain blocked for probably months. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Actual code fixes in EE repo. The status is that dynamically generated X509 certificates will never function until .NET 8. Static certificates not trusted by default will need a network security config entry. Intermediate certificate pinning is also not going to work, and no fix for that seems to be scheduled yet.
Ref: dotnet/runtime#84202 and dotnet/runtime#45741