From 49913fe8b28e60984e1394c9579cb2688db9be02 Mon Sep 17 00:00:00 2001
From: Rolf Bjarne Kvinge
Date: Fri, 20 Feb 2026 10:54:40 +0100
Subject: [PATCH] [Foundation] Treat any exception during X509Chain.Build as a remote certificate chain error. Fixes #24739.

In iOS 26.4 beta 4, X509Chain.Build started throwing CryptographicException:

```
System.Security.Cryptography.Interop+AppleCrypto+AppleCommonCryptoCryptographicException: Unable to decode the provided data.
   at System.Security.Cryptography.X509Certificates.SecTrustChainPal.Execute(:0)
   at System.Security.Cryptography.X509Certificates.ChainPal.BuildChain(:0)
   at System.Security.Cryptography.X509Certificates.X509Chain.Build(:0)
   at Foundation.NSUrlSessionHandler+ServerCertificateCustomValidationCallbackHelper.EvaluateSslPolicyErrors(:0)
   at Foundation.NSUrlSessionHandler+ServerCertificateCustomValidationCallbackHelper.Invoke(:0)
   at Foundation.NSUrlSessionHandler.TryInvokeServerCertificateCustomValidationCallback(:0)
   at Foundation.NSUrlSessionHandler+NSUrlSessionHandlerDelegate.DidReceiveChallengeImpl(:0)
   at Foundation.NSUrlSessionHandler+NSUrlSessionHandlerDelegate.DidReceiveChallenge(:0)
   at InvokeStub_NSUrlSessionHandlerDelegate.DidReceiveChallenge(:0)
```

The underlying cause of these exceptions is handled in this issue: https://github.com/dotnet/runtime/issues/124552, this change is only dealing with the fact that the process crashes when an unexpected exception occurs in this code path in NSUrlSessionHandler.

The fix is to handle all exceptions in the call X509Chain.Build, and report them as a certificate chain error in the custom server validation callback; then the app developer can handle them as they see fit.

Fixes https://github.com/dotnet/macios/issues/24739.

See also:

* https://github.com/dotnet/runtime/issues/124552
---
 src/Foundation/NSUrlSessionHandler.cs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/Foundation/NSUrlSessionHandler.cs b/src/Foundation/NSUrlSessionHandler.cs index c12d535b6ce5..f053cc26c954 100644 --- a/src/Foundation/NSUrlSessionHandler.cs +++ b/src/Foundation/NSUrlSessionHandler.cs @@ -830,7 +830,7 @@ SslPolicyErrors EvaluateSslPolicyErrors (X509Certificate2? certificate, X509Chai } else if (!chain.Build (certificate)) { sslPolicyErrors |= SslPolicyErrors.RemoteCertificateChainErrors; } - } catch (ArgumentException) { + } catch { sslPolicyErrors |= SslPolicyErrors.RemoteCertificateChainErrors; }
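Review bot: The bare `} catch {` in EvaluateSslPolicyErrors discards the exception object, so a platform decode failure like the CryptographicException in the commit message reaches the validation callback looking exactly like a genuinely untrusted chain, with no trace of what went wrong. Mapping every failure to `SslPolicyErrors.RemoteCertificateChainErrors` fails closed, which is the right direction for a trust decision, but consider `catch (Exception e)` and writing the exception to whatever diagnostic output this file already uses before setting the flag, so that developers and incident responders can tell a broken chain builder from a bad certificate. A short comment above the catch explaining why it is intentionally broad, with a pointer to https://github.com/dotnet/runtime/issues/124552, would also keep a later cleanup from narrowing it back to `ArgumentException`.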