Defer RemoteCertificate assignment after X509 Chain build

[rzikm]

Defer the assignment of the remote certificate until after the X509 chain validation process, this prevents weird exceptions being thrown if SslStream is disposed in parallel with chain building, as in:

    System.Net.Security.Tests.SslStreamDisposeTest.Dispose_ParallelWithHandshake_ThrowsODE [FAIL]
      System.ArgumentException : The chain context handle is invalid. (Parameter 'certificate')
      Stack Trace:
        /_/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/X509Chain.cs(99,0): at System.Security.Cryptography.X509Certificates.X509Chain.Build(X509Certificate2 certificate, Boolean throwOnException)
        /_/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/X509Chain.cs(91,0): at System.Security.Cryptography.X509Certificates.X509Chain.Build(X509Certificate2 certificate)
        /_/src/libraries/Common/src/System/Net/Security/CertificateValidation.Unix.cs(22,0): at System.Net.Security.CertificateValidation.BuildChainAndVerifyProperties(X509Chain chain, X509Certificate2 remoteCertificate, Boolean checkCertName, Boolean _, String hostName)
        /_/src/libraries/System.Net.Security/src/System/Net/Security/SslStream.Protocol.cs(1099,0): at System.Net.Security.SslStream.VerifyRemoteCertificate(RemoteCertificateValidationCallback remoteCertValidationCallback, SslCertificateTrust trust, ProtocolToken& alertToken, SslPolicyErrors& sslPolicyErrors, X509ChainStatusFlags& chainStatus)
        /_/src/libraries/System.Net.Security/src/System/Net/Security/SslStream.IO.cs(579,0): at System.Net.Security.SslStream.CompleteHandshake(ProtocolToken& alertToken, SslPolicyErrors& sslPolicyErrors, X509ChainStatusFlags& chainStatus)
        /_/src/libraries/System.Net.Security/src/System/Net/Security/SslStream.IO.cs(592,0): at System.Net.Security.SslStream.CompleteHandshake(SslAuthenticationOptions sslAuthenticationOptions)
        /_/src/libraries/System.Net.Security/src/System/Net/Security/SslStream.IO.cs(379,0): at System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](Boolean receiveFirst, Byte[] reAuthenticationData, CancellationToken cancellationToken)
        /_/src/libraries/System.Net.Security/tests/FunctionalTests/SslStreamDisposeTest.cs(150,0): at System.Net.Security.Tests.SslStreamDisposeTest.<Dispose_ParallelWithHandshake_ThrowsODE>g__ValidateExceptionAsync|3_1(Task task)
        /_/src/libraries/System.Net.Security/tests/FunctionalTests/SslStreamDisposeTest.cs(142,0): at System.Net.Security.Tests.SslStreamDisposeTest.<>c__DisplayClass3_0.<<Dispose_ParallelWithHandshake_ThrowsODE>b__0>d.MoveNext()
        --- End of stack trace from previous location ---
        /_/src/libraries/System.Threading.Tasks.Parallel/src/System/Threading/Tasks/Parallel.ForEachAsync.cs(301,0): at System.Threading.Tasks.Parallel.<>c__53`1.<<ForEachAsync>b__53_0>d.MoveNext()
        --- End of stack trace from previous location ---
        /_/src/libraries/System.Net.Security/tests/FunctionalTests/SslStreamDisposeTest.cs(115,0): at System.Net.Security.Tests.SslStreamDisposeTest.Dispose_ParallelWithHandshake_ThrowsODE()
        --- End of stack trace from previous location ---

[Copilot]

Pull Request Overview

This PR defers the assignment of the remote certificate until after building the X509 chain to prevent exceptions when SslStream is disposed in parallel with chain validation.

• Update the null-check to directly evaluate the certificate parameter rather than the previously assigned _remoteCertificate.
• Adjust the order of the _remoteCertificate assignment to occur after chain validation and update the remote callback usage accordingly.

[dotnet-policy-service]

Tagging subscribers to this area: @dotnet/ncl, @bartonjs, @vcsjones
See info in area-owners.md if you want to be subscribed.

[rzikm]

/azp run runtime-libraries-coreclr outerloop

[azure-pipelines]

Azure Pipelines successfully started running 1 pipeline(s).

[wfurt]

LGTM