Make it easier to add certs to the extra store

[HaoK]

Fixes #29679

[HaoK]

@bartonjs I added the new ExtraStore property but its not clear to me how exactly do I test that they are working as intended? They are being added to the chain's property now but I'm not sure how to measure the effect externally, is this just additional certs that developers would use themselves?

[bartonjs]

I don't know where all the chain can appear, so I'll stick to a high level test concept:

• Have a 3+ certificate chain which does not come from a public trust system and does not use Authority Information Access (AIA) chaining (either statically generated or on the fly using the CertificateRequest API).
• Add the root to the custom trust store (and set the mode to CustomRootTrust), add all of the intermediates to AdditionalChainCertificates.
• When the chain builds, it builds successfully.
• Bonus test, first do it without adding the certs to AdditionalChainCertificates and see that the chain can't be built.
• Other bonus test, add the root to AdditionalChainCertificates and don't add it to custom trust. The chain should have all of the certificates but be untrusted.

[HaoK]

Thanks @bartonjs that's exactly what I was hoping for, a high level overview. The bonus test is actually what this current test is doing, (and it fails). So one thing is we don't actually expose the ChainPolicy that we use to validate externally. So there's no easy way to do anything with the ExtraStore since we don't pass the X509Chain we build to any of our events.

See

aspnetcore/src/Security/Authentication/Certificate/src/CertificateAuthenticationHandler.cs

Line 125 in 39dad31

var chainPolicy = BuildChainPolicy(clientCertificate);

[HaoK]

Cool updated and added a test for a positive case and a rejected/forbidden one.

[Tratcher]

@aalsamoht FYI

[HaoK]

Thanks for your help @bartonjs !